Monday, December 29, 2008


Phishing is now a common source of computer crime, and phishing through e-mail and websites is growing fast. It has become a threat to computer users, both as a major source of malicious software and as a way to steal personal information. Scientific American recently published an article on how to foil phishing scams, which provided some useful information on how to protect yourself.

First of all, after a phishing attack, do not blame your lack of computer knowledge or the complicated procedures of using anti-virus software. Phishing is not based on computer tricks. It is based on human greed and carelessness. You have yourself to blame if you are phished.

Here are some examples: e-mail from a bank warning you that your online banking service is in danger of being deactivated, from Apple complaining that you have unpaid bills for music downloads, from an airline offering you the opportunity to earn a quick $50 for filling out a survey, and from the Red Cross asking you to contribute money to help earthquake victims in China. These messages are all very convincing and look authentic, but they are all fraudulent e-mail known as phish.

Phishing e-mails are written by professionals to resemble legitimate communications, often from reputable companies familiar to you. They usually create a sense of urgency and ask you to take immediate action to avoid a consequence or receive a reward. The response commonly required is for you to log in to a web site or call a phone number to provide personal information. Sometimes you only need to click on a link or open an e-mail attachment for your computer to become infected by malicious software. The details of phishing scams may vary, but their aim is to trick you into giving away information which can be used to break into your accounts and steal your money or identity. Phishing exploits human vulnerabilities and uses simple psychology, targeting inattention or misdirecting attention.

As phishing e-mails do not contain malicious code, the common techniques used by anti-virus software do not normally work. However, computer security experts are still able to develop phish filters that look for the characteristics of phishing e-mail. These include:
- Age of domain. Domains created less than 12 months ago are suspect;
- Known logo images. The page contains known logos but is not on a domain owned by the logo owners;
- Suspicious URL. The URL contains an @ sign, a hyphen, an IP address or more than five dots;
- Suspicious links. A link on the page contains @ or a hyphen;
- Forms. The page contains a text entry field;
- Lexical signature search result. The URL does not match the address of a Google-ranked legitimate page.

The filters use a combination of these signs to identify phish. However, some legitimate e-mail may also have such characteristics. When the filter is not sure, a warning may be displayed so that the recipient of the e-mail can exercise judgment. Other signs include a sender who is not familiar to you, an urgent message which is suspicious, or a threat which may not be realistic. You should also look at the website address that appears in the browser's status bar when you place the cursor over a link, to see if it is suspicious.
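A minimal sketch of how a filter could combine several of the signs listed above into a pass / warn / phish verdict. This is an added example, not code from the Scientific American article or from any real filter. The function names, the thresholds and the sample page are constructed; the domain creation date is passed in rather than looked up, and the logo and lexical-signature checks are left out.

```python
import ipaddress
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_young(created, today):
    # "Age of domain": registered less than 12 full months before today.
    months = (today.year - created.year) * 12 + today.month - created.month
    return months - (today.day < created.day) < 12

class PageScan(HTMLParser):  # collects link targets, notes text entry fields
    def __init__(self):
        super().__init__()
        self.links, self.has_text_field = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "text").lower() in ("text", "password"):
            self.has_text_field = True

def assess(url, html, created, today):
    """Return (verdict, signs). Thresholds are assumptions, not from the article."""
    scan = PageScan()
    scan.feed(html)
    host = urlsplit(url).hostname or ""
    checks = {
        "at-sign": "@" in url,
        "hyphen": "-" in host,          # assumption: hyphen checked in the host name only
        "ip-address": is_ip(host),
        "many-dots": url.count(".") > 5,
        "young-domain": is_young(created, today),
        "suspicious-link": any("@" in l or "-" in l for l in scan.links),
        "text-field": scan.has_text_field,
    }
    signs = [name for name, hit in checks.items() if hit]
    verdict = "pass" if not signs else "warn" if len(signs) < 3 else "phish"
    return verdict, signs

# Constructed sample page and dates (192.0.2.10 is a documentation address).
SAMPLE_HTML = '<form><input type="text" name="user"></form><a href="http://user@192.0.2.10/">Help</a>'
SAMPLE = assess("http://192.0.2.10/login/index.html", SAMPLE_HTML, date(2008, 9, 1), date(2008, 12, 29))
```

A single sign only produces a warning, which matches the point that legitimate mail can share some of these characteristics.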

The computer security experts noted that the major vulnerability is users' lack of awareness of phishing. Research showed that many users did not take notice of the warnings sent by the phish filter. The experts considered that anti-phishing training should be improved. The combined efforts of law enforcement, computer security experts and computer users are needed to reduce the success of phishing.

Friday, December 26, 2008

Earth Rise 1968 -- Correction


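It turns out that the spacecraft was then flying in an orbit along the Moon's equator. What the astronauts saw was the lunar surface standing vertically on the right of the spacecraft, with the Earth on the left and north at the top. The adjusted photo below shows the Earth in the north-up, south-down orientation that we usually see.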


Earth Rise

Thursday, December 25, 2008

Earth Rise 1968





Earth Rise

Wednesday, December 17, 2008

Tramway 1967



Monday, December 15, 2008

Internet security suite

I read in e-zone this week an article on the latest trends in the Internet security scene. It covers a suite of topics, and many of them are well known. But the article describes the current situation, which is worth reading to refresh our awareness of the problem.

Statistics collected by Kaspersky Lab show that, in 2008, the largest share of computer intrusion events was caused by Trojans, 92.56%, followed by viruses, 3.96%, and other malicious software, 3.48%. The Trojan Horse software mainly came from network games and phishing websites. Other malicious software includes advertising software, risk software, hoaxes, pornographic software and fraud tools. Among them, fraud tools have the highest growth. Some of them are even disguised as security software.

According to the anti-virus software company, Symantec, the common traps leading to Internet security breaches in 2009 could likely be the following.

Trap 1: Mutated hostile software. Newly developed hostile software is able to mutate by itself. It will change its form and then be distributed to other users.

Trap 2: Social network threats. The latest trend is phishing software spreading on the popular social network sites. Many third-party programs linked to social networks are phishing for the account information of users.

Trap 3: False financial institution websites. Taking advantage of the global financial crisis, many phishing websites and e-mails target users' concerns about it. They disguise themselves as financial institutions and phish for financial account information.

Trap 4: Junk mail. Owing to the economic downturn, many companies are more willing to put resources into junk mail for the purpose of advertising as well as increasing click-counts.

E-zone conducted a survey on how worried Internet users are about Internet security. The survey results show that the biggest worry is Trojans: 40% of all users are worried that they could be attacked. The overall results are:
Trojan -- 40%
Keylogger -- 23%
Virus -- 15%
Adware -- 12%
Spyware -- 10%

The reason for the relatively low level of worry about the other attacks is that anti-virus software is quite common and useful nowadays. Many users feel that a computer well protected by such software is, to a large extent, free of the risk of viruses, adware and spyware. However, more covert attacks such as Trojan Horses and keyloggers are not easy to detect and thus cause more worry.

A security expert from the Hong Kong Computer Emergency Response Team offers some additional tips on Internet security:

1. Windows automatic update. Microsoft Windows is the most commonly used operating system. It is also the most attacked system, and vulnerabilities are found frequently. Luckily Microsoft also has a good defense system and any known vulnerability is dealt with quickly. Program patches are issued frequently to update the Windows system. One should set the Windows operating system to update automatically for effective protection. Many other software products do not issue program patches at all. This does not mean they are safe. It is just that the companies do not fix the software vulnerabilities.

2. Browser automatic update. The Internet browser is one of the major gateways to the Internet. Much malicious software exploits browser vulnerabilities for attack. An up-to-date browser will provide better security. At present, Firefox 3.0 offers automatic update for its browser.

3. False website. A current trend of computer fraud is from false websites of financial institutions. Extra attention must be paid when visiting such websites, including your favourite banks. It is advisable to access these websites only from your own bookmarks.

4. Email links. Many phishing websites and malicious software hide their links in email. It is important to check whether the email sent to you is from a reliable source, and whether the addresses of the links are suspicious.

5. Browse for security news. The expert recommends browsing HKCERT for updated news on Internet security. This is probably an advertisement for HKCERT, but it does provide useful information. There are many other such information centres around the world.

6. ActiveX. The expert suggests de-activating ActiveX in your browser, as it may open a loophole for attack. But many useful programs use ActiveX. It is a personal judgment whether you want to take the risk. I only de-activate ActiveX temporarily whenever I find something suspicious.

Friday, December 12, 2008

Grade Structure Reviews

The LegCo Panel on Public Service will discuss a paper on grade structure reviews on 15 December, next Monday. This is a very useful subject for HR managers as it is an essential topic of civil service human resource management. There are three reviews: one on the directorate, one on disciplined services and one on two civilian grades. If you are interested in the reviews, you can go to the JSSCS website to read the full reports. If you only have a little reading time, you can choose to read the LegCo paper, which has a gist of the recommendations of the review reports.

The reports are published under the name of the Standing Committee on Directorate Salaries and Conditions of Service, the Standing Committee on Disciplined Services Salaries and Conditions of Service and the Standing Commission on Civil Service Salaries and Conditions of Service. But the reviews were conducted by a team of experienced executive officers in the JSSCS, or more accurately a team of retired officers. A grade structure review is a large and complex exercise which occurs infrequently, at long intervals. Under the present thinking of GGO, this is additional work of a temporary nature on a project basis which could be undertaken by NCSC staff. But where can you hire very experienced NCSC staff for such high-level complex work? The only answer is the experienced retired officers who were engaged in previous grade structure review exercises. I must congratulate them on a job well done. I also hope there were many serving officers working in the team, lest the experience be lost when the retired officers really retire.

The two civilian grades under review are the government lawyer grades and the veterinary officer grade. For the lawyer grades, there would be no improvement to the grade structure nor the pay scale. There are recommendations not related to the grade structure: viz. to conduct regular establishment reviews, to be more responsive to staff concerns about the working environment, to streamline and expedite the recruitment process, and to provide more continuing professional development opportunities. All these are applicable to all grades not under review.

I think it is very hard to compare the pay of a government lawyer to those in private practice. For a good lawyer in private practice, the reward could be astronomical. This is the same everywhere. For government lawyers, there is the commitment to serve for the justice of the people rather than the justice of the private clients.

The review report recommends that the starting pay of the Veterinary Officer rank should be raised by two points from MPS29 to MPS31. This would bring it on a par with medical doctors. Two more recommendations are worth noting. One is bonded traineeships for veterinary students in universities. This is actually the same practice as some years ago, in the form of government training scholarships, which I think is quite feasible. Some serving officers are such government trainees. This could ensure a supply of veterinary officers for a few years, and increase the pool of veterinary surgeons in Hong Kong in the long run.

The other recommendation is to explore with local universities the desirability and feasibility of introducing veterinary training in Hong Kong. This is narrow thinking. Local universities should explore introducing academic subjects based on the need of Hong Kong rather than the recruitment difficulties of government officials. Hong Kong is a city with limited agriculture and husbandry. Its civilian veterinary needs are mainly on pets, plus some limited requirements by the Jockey Club and Ocean Park. With reasonable reward, Hong Kong people returning from overseas with veterinary training may be sufficient.

Sunday, December 7, 2008


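A famous Sichuan art: face-changing. Even Andy Lau wanted to learn it. Any variety show in Sichuan is sure to include this act. A face-changing performance, in turn, always includes fire-breathing. The flame flashes and is gone in an instant, so getting one sharp photo is already lucky.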





Wednesday, December 3, 2008

Love is a many-splendored thing (生死戀)

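Watching a film: Love is a many-splendored thing (生死戀), starring William Holden and Jennifer Jones. As I watched, I found I had no idea what it was about. It turns out the film was shot on location in Hong Kong in 1949 and has quite a lot of 1949 Hong Kong scenery. The online clips splice together the segments that show Hong Kong scenery, one after another, with no continuity. If you really want to watch the film, you have been tricked. If you want a bit of historical nostalgia, it is well worth watching.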