樂蜀浮雕

慘極！具3500 年的樂蜀浮雕，已被「丁錦昊到此一遊」7個中文字摧毁了歴史文物價值，除了強國人外，外國遊客絕不會做出這種野蠻行為。

http://news.now.com/home/international/player?newsId=68895

No privacy protection if you are using Gmail account

Gmail scans content of my incoming emails. I can not do anything to stop such privacy intrusion.

----- Transcript of session follows ----- 
... while talking to gmail-smtp-in.l.google.com.: 
>>> DATA 
<<< 550-5.7.1 [2401:300:0:1::8080 7] Our system has detected that this message
<<< 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
<<< 550-5.7.1 Gmail, this message has been blocked. Please visit
<<< 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for
<<< 550 5.7.1 more information. ps11si2916950pab.141 - gsmtp
554 5.0.0 Service unavailable

Always leave office on time

ALWAYS LEAVE OFFICE ON TIME

1.            Work is never ending process. It can never be completed.

2.            Interest of a client is important, so is your family.

3.            If you fall in life, neither your boss or client will offer you a helping hand; your friends and family will.

4.            Life is not only about work, office and client.  There is more to life. You need to socialize, entertain, relax and exercise. Don't let life be meaningless.

5.            A person who stays late the office is not a hard-working person.  Instead he/she may be a fool who does not know how to manage work within the stipulated time.  He/She is a loser who does not have a personal or social life.  He/She is inefficient and incompetent in his/her worrk.

6.            You did not study hard and struggle to become a machine.

7.            If your boss forces you to work late, he/she may be ineffective and have a meaninngless life too; so forward this to him or her.

Leaving office on time = efficient, good social life, quality family life.

Leaving office late = inefficient and incompetent, no social life, less family time. 

Gmail is now fully dual-stack

Gmail has finally enabled IPv6 channel in the outgoing path, not just the incoming path alone. That’s say, Gmail is now fully dual-stack. I have been waiting for this moment since World IPv6 Launch (6 June 2012). Thanks to Google.

Blog CAPTCHA

I have recently received a lot of blog spam, most of which deal with medicine.  Presumably, the messages are generated by some automatic scripts and these spam messages disturb a lot of bloggers.  This leaves me no choice but to activate CAPTCHA verification.  I hate deleting spam messages manually one by one and I hope that with the use of CAPTCHA,  the number of blog spam can be reduced to a minimum.

ssh client on a tablet

So finally I have SSH terminal on a tablet.  I can do some less keyboard-intensive tasks such as checking logs and minor config changes.  It is Juice SSH client.  No need to root the tablet.

Change of IP address in Root Server D

Root Server D has changed its IP address on 3 Jan 2013. I have done my job to align with the change.  The file to change is "/var/named/chroot/var/named/named.ca".

The old IP address will retire in the next 6 months. Just wonder how many ISPs and network administrators have done their work diligently?

http://d.root-servers.org/

Google map offline

When I was in Dubai 2 months ago, I relied on Google Map to guide me from various Metro-stations and main streets to shopping malls and hotels.  This was done in online mode and sometimes the responses were slow if the connected 3G network was congested, not to mention the data usage charges.

I just discovered that Google Map offers offline cache though the  area is restricted to 10 miles x 10 miles for each cache map.  That would save me a lot of time and cost next time if I travel in another city.  Without delay, I have downloaded cached maps of Shenzhen, Macau, Zhuhai and Beijing.  It would be better to view  the offline maps in a 7-inch Android tablet than a small smartphone .  Google is very thoughtful.  Thanks.

Google public DNS can support DNSSEC

Google has completed a marvelous job. Its four public resolvers at "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888" and "2001:4860:4860::8844" can now support DNSSEC and perform signature validation.

[warren@dnssec ~]# dig +dnssec ds icann.org @2001:4860:4860::8844 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @2001:4860:4860::8888 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @8.8.8.8 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @8.8.4.4 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

My double thumb up to Google.

Full house of network devices

This is the picture of my home full house of network devices. They are : two 802.11n routers, four 802.11n client devices, a pair of Powerline Ethernet adpators, two 3G USB dongles and other. I am a TP-LINK super fan.  

Dibbler for Windows XP

For those who are using Windows XP, they know that there is not yet a DHCPv6 client even IPv6 stack is manually installed.  The good news is Dibbler DHCPv6 portable client is available free of charge at http://klub.com.pl/dhcpv6/dibbler/.  I don't have the chance to experience this add-on DHCPv6 client as all my desktop and notebook PCs are running Windows 7.  Have fun.

China generated 32 % of global network attack traffic

China generated 32 % of global network attack traffic, according to Akamai's State of the Internet 3Q 2012 Report.  It is really a champion and a shame.

The second worst country is US, responsible for 13 % of the total.  Some nice pictures of the situation can be seen from:

http://www.akamai.com/dl/akamai/q3_2012_soti_infographic.pdf

Fake HKCERT email

By now, it has been widely reported in the media that there was a fake HKCERT email advising recipients to patch the recent Adobe Flash vulnerability and a fake patch was attached.  I tried to look at what HKCERT has been taking in order to protect its email domain.  Unfortunately, HKCERT does not use Sender Policy Framework to specify what IP addresses and domains can use "hkcert.org" as the sender domain in the email header.    HKCERT has learnt a lesson in hard way.

Gmail over IPv6

An overseas network administrator contacted me to discuss the problem when conducting IPv6 email tests with Gmail.  Understandably, some administrators think that Google Gmail can help to test IPv6 email setup.   The fact is Gmail receives incoming emails from dual-stack mail servers based on the rule that v6 channel has priority over v4, but in sending out emails to dual-stack mail server, Gmail always selects the v4 path.  I also doubt if Gmail can send out to IPv6 only mail servers. In the past, my IT colleagues thought our dual-stack mail server was wrongly configured after testing with Gmail and  spent many hours of trouble-shooting with no clue of what happened.  In the end, it was Gmail that used its own means of v4/v6 path selection without adhering to the dual-stack rule.  I think this fact is now well-known to the IPv6 technical community. 

Reverse lookup of a /64 prefix

Reverse lookup is necessary for IPv6 address assigned to SMTP Server otherwise the emails sent out will be treated as spam by other SMTP servers.  To this end, I have asked my serving ISP to dedicate the reverse lookup of  the prefix 2401:300:0:1::/64 to me.  The configuration at my side is tested ok and perfect.

[localhost ~]# dig -x 2401:300:0:1::8080

; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> -x 2401:300:0:1::8080

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- 36584="36584" font="font" id:="id:" noerror="noerror" opcode:="opcode:" query="query" status:="status:">

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:

;0.8.0.8.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.3.0.1.0.4.2.ip6.arpa. IN PTR

;; ANSWER SECTION:

0.8.0.8.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.3.0.1.0.4.2.ip6.arpa. 86400IN PTR v6-mail.com.

;; AUTHORITY SECTION:

1.0.0.0.0.0.0.0.0.0.3.0.1.0.4.2.ip6.arpa. 86400 IN NS ns2.i3way.net.

1.0.0.0.0.0.0.0.0.0.3.0.1.0.4.2.ip6.arpa. 86400 IN NS ns1.i3way.net.

;; ADDITIONAL SECTION:

ns1.i3way.net.          3600    IN      A       202.81.252.116

ns1.i3way.net.          3600    IN      AAAA    2401:300:0:1::8080

ns2.i3way.net.          3600    IN      A       202.81.252.117

ns2.i3way.net.          3600    IN      AAAA    2001:470:18:16c::2

;; Query time: 1 msec

;; SERVER: 202.81.252.116#53(202.81.252.116)

;; WHEN: Mon Jan 14 09:07:46 2013

;; MSG SIZE  rcvd: 248

Bank's e-statement should not be attached with email

Shame on Citibank.  It violated the security practice promulgated by the banking authority in HK.  Over the past 12 months, I found that Citibank attached a monthly e-statement pdf to me via email though the attached pdf was password protected.  Fraudsters can disguise themselves as a bank and attach malicious code in pdf.  The chance of success is high as e-statements are so important that target recipients will open and read them to see how much they need to pay.  As far as I know, other banks just alert their users that e-statements are ready online without providing any clickable links in the email.  Until today, Citibank notified me about a new arrangement of no more e-statement attachment.  Unfortunately, Citibank did not offer apology to its customers for ignoring this important security matter previously.

Greylisting and dual-stack mail servers

I notice that some network administrators are now using greylisting on their IPv6 mail server as there is no other IPv6 anti-spam solutions in the market.  They should be minded that that greylisting might not work as expected in a dual-stack configuration.  Why not ?  It is because if the v6 channel does not accept the mail, the sending side will fall back immediately to deliver the same mail over v4  channel.  Unless the greylisting is also employed on IPv4, I do not see the effectiveness of greylisting on IPv6 only for a dual-stack configured mail server.   I have no idea whether this is a weakness or not. 

Targeted Geographical Banner Ads

Today I visited BBC UK website and the banner on the right hand corner was an advertisement of CSL LTE service.  Hey, this is really smart.  BBC detected that the IP address was from Hong Kong and it could select an ad banner of Hong Kong clients.  However, this Internet marketing strategy will fail if I access BBC through a proxy server or VPN.

Install Flash on Nexus 7

Just found out that flash is absent from default Chrome browser of Nexus 7 (Android Jelly Bean OS).  Too bad, I need to browse quite a number of websites running flash.

On googling, I got great hints (http://www.howtogeek.com/120277/how-to-install-flash-on-the-nexus-7-and-other-jelly-bean-devices/)

First download the flash apk from XDA developer forum (http://forum.xda-developers.com/attachment.php?attachmentid=1199371&d=1342343609)

Second, download and install Firefox-beta from Google Play.

Third, before installation of the flash apk, set the security of Nexus 7 to allow running app from other untrusted sources other than Google Play.

So that's all.  Afterward, use Firefox to browse flash websites.  One important step is to change back to the original security settings otherwise one will get into trouble of getting malicious applications installed. 

Netgear 802.11ac adapter

802.11ac client devices are still rarely seen in the market as the ac standard has not been ratified by IEEE yet.  However, I recently come across Netgear A6200 which the manufacturer said can support 867 Mbps if operated on 802.11ac.  This sounds quite OK to me as the device can only have 2 built-in antennas.  However, the USB interface works on USB 2.0 which can operate at maximum of 480 Mbps.  In that case, whatever high speeds in the air interface are then capped to 480 Mbps.  Should manufacturers better claim 802.11ac client devices can have a maximum throughput of 480 Mbps instead of 867 Mbps.