Henry's Points

Some Vertical Search Engines

hengdu — Mon, 14 Nov 2011 18:32:20 +0000

According to search engine wiki pedia, Google, Yahoo and Bing share almost 98% search engine market. However, there are still 2% underground search engines. They provide search in particular area, some of them may be banned by the universal search engine like Duckduckgo.com. I tried to input “Porn” and there is nothing returned. I remember Matt Cutt’s first job in Google is to find porn sites, then keep them “safe”. So, Here we go.

Torrent Search Engine: torrent-finder.info/
House Foreclosures: realestate.aol.com/blog/foreclosures/
Pornography: www.booble.com
Public Record: www.publicrecordcenter.com

Share on Facebook

McAfee SiteAdvisor Overview

hengdu — Tue, 18 Oct 2011 22:29:56 +0000

When I read some papers related classifying malicious/benign web sites, it mentioned McAfee SiteAdvisor. I went through the official website and installed plug-in to play around. I found it is a good adviser because it not only provides nuisance sore also provide how does malicious software modify our own system. The other nice feature the SiteAdvisor provided is “Are you the owner of this site? Leave a comment”. By using this, website owner may have chance to let SiteAdvisor to re-evaluate.

We could install a McAfee SiteAdvisor plug-in to our web browser. When we search some web site by key words, the SiteAdvisor will advice us by four levels mark: green one is Safe, means very low or no risk issue; yellow one is Caution, means minor risk issue; red one is warning, means serious risk issue.

I input key words “kylogger”, the result is shown on below. As we can see, some websites are safe but some are risky.

We can view site report by clicking on the red mark icon. One part of report is download test.

SiteAdvisor also provides mark for each dowload files. There is a Nuisance Score related with the file. The most attractive part is How does it modify my system.

On the report, the SiteAdvisor also provides the online affiliations for the link, which give the web user overall picture about the website and its affiliations.

The backend of the SiteAdvisor maybe more interesting but I’d like to leave it for a while. Later, I may go through other similar product.

Share on Facebook

Steve Jobs 1955-2011

hengdu — Thu, 06 Oct 2011 04:40:29 +0000

Share on Facebook

HandBrake for MP4

hengdu — Sun, 17 Jul 2011 22:06:12 +0000

Thanks Jeffrey Ai who told me a nice tool to convert many formats of Movies to MP4(MV4) format. Especially, it can be working on Mac OS and Linux platform. The download link and details are listed at: http://handbrake.fr/

Share on Facebook

True Nobility

hengdu — Fri, 18 Feb 2011 05:46:04 +0000

by Ernest Hemingway

In a calm sea every man is a pilot.But all sunshine without shade, all pleasure without pain, is not life at all.

Take the lot of the happiest–it is a tangled yarn. Bereavements and blessings,one following another, make us sad and blessed by turns. Even death itself makes life more loving. Men come closest to their true selves in the sober moments of life,under the shadows of sorrow and loss.

In the affairs of life or of business, it is not intellect that tells so much as character,not brains so much as heart, not genius so much as self-control, patience, and discipline, regulated by judgment.

I have always believed that the man who has begun to live more seriously within begins to live more simply without. In an age of extravagance and waste, I wish I could show to the world how few the real wants of humanity are.

To regret one’s errors to the point of not repeating them is true repentance. There is nothing noble in being superior to some other man. The true nobility is in being superior to your previous self.

Share on Facebook

Apple Think Different Ad in 1997

hengdu — Sun, 30 Jan 2011 03:28:26 +0000

Share on Facebook

Why Facebook

hengdu — Thu, 09 Dec 2010 23:49:48 +0000

Why people like social on Fackbook? I asked my friend.

Q: hey, my co-worker wants to know, why people like facebook more than others, like QQ, myspace, etc.

A: cuz everyone is using them, lol

Q: so, why everyone using it? more fancy?

A: easier to communicate and share, i guess. and you can pick whatever you want to see.

Q: but why I don’t login so often?

A: cuz you are too busy, facebook is for the bored office dudes like me.

Share on Facebook

router-traffic for CBAC

hengdu — Tue, 07 Dec 2010 21:40:33 +0000

CBAC is the upgrade version of flexible access control. Since access list is not stateful control, which means, if very strict access list applied in Outside interface for inbound traffic, most of traffic initialized from Inside subnet will be blocked. CBAC help us to inspect specified outgress traffic and put state in the state table. When the traffic comes back, the Outside interface won’t block them out.

However, the interesting problem is, if the traffic initilized from local router, the inspection won’t take effect. Like we want to capture transit package by issue “no ip route-cache”, we need to add “router-traffic” option when define CBAC.

ip inspect name INSIDE_OUT tcp router-traffic

Share on Facebook

Sand Artist

hengdu — Thu, 02 Dec 2010 06:29:27 +0000

First time I realize it is the most beautiful art in the world. It’s really touched.

Share on Facebook

IPSec over GRE and IPSec VTI

hengdu — Wed, 03 Nov 2010 01:07:35 +0000

When reviewing the topic of IPSEC over GRE Tunnel, I have observed that we have several ways to implement it. However, some posts are confusing people. For example, this post is named IPSEC over GRE Tunnel, the actual configuration is IPSec static VTI (Virtual Tunnel Interface), because the configuration under tunnel interface has one line, which indicated that the tunnel mode is changed.

tunnel mode ipsec ipv4

So, in this post, I would like to clarify some misunderstanding.

GRE as IPSec interested traffic

This is the first, and probably less-used solution for IPSec over GRE. We setup Lan-to-Lan IPSec between two physical interface of two routers. Under the crypto map, we set the interested traffic as

access-list 105 permit gre

After ping traffic between each end of the tunnel, the IPSec tunnel is setup. The following are the basic configuration of two routers.

!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key CISCO address 150.1.12.2
!
!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 150.1.12.2
set transform-set R1_TO_R2
match address 105
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
crypto map CRYPTO_MAP
!
access-list 105 permit gre 150.1.12.0 0.0.0.255 150.1.12.0 0.0.0.255
!

!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key CISCO address 150.1.12.1
!
!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 150.1.12.1
set transform-set R2_TO_R1
match address 105
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
crypto map CRYPTO_MAP
!
access-list 105 permit gre 150.1.12.0 0.0.0.255 150.1.12.0 0.0.0.255
!

GRE Tunnel Protection

Since we use tunnel protection command under tunnel interface, we don’t need to define crypto map, instead, we need to define ipsec profile. Then, we need apply ipsec protection profile to the tunnel interface. The following are the basic configuration. Please note that, there is no “tunnel mode ipsec ipv4” command, which means, the tunnel mode is still GRE.

!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
tunnel protection ipsec profile TEST
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
!

!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
tunnel protection ipsec profile TEST
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
!

Removing 4-Bytes GRE header ???

Cisco brought us IPSec VTI (virtual tunnel interface) in IOS 12.3T. The purpose of that is to have a new tunnel mode to reduce 4 bytes GRE header in the traffic. However, different tunnel mode can apply different application. Here are some considerations for IPSec VTI. The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation. Thus, for some non-IP traffic, we still need IPSec over GRE.

!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
tunnel protection ipsec profile TEST
tunnel mode ipsec ipv4
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
!

!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
tunnel protection ipsec profile TEST
tunnel mode ipsec ipv4
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
!

Share on Facebook