Monday, December 29, 2008

Phishing

Phishing is now a common source of computer crime. Phishing through e-mail and websites is growing at high speed. It has become a threat to computer users both as a major source of malicious software and as a way to steal personal information. Scientific American recently published an article on how to foil phishing scams, which provided some useful information on how to protect yourself.

First of all, when you fall for a phishing attack, do not blame your lack of computer knowledge or the complicated procedures for using anti-virus software. Phishing is not based on computer tricks. It is based on human greed and carelessness. You have yourself to blame if you are phished.

Here are some examples: an e-mail from a bank warning you that your online banking service was in danger of being deactivated, one from Apple complaining that you had unpaid bills for music downloads, one from an airline offering you the opportunity to earn a quick $50 for filling out a survey, and one from the Red Cross asking you to contribute money to help earthquake victims in China. These messages are all very convincing and look authentic, but they are all fraudulent e-mails known as phish.

Phishing e-mails are written by professionals to resemble legitimate communications, often from reputable companies familiar to you. They usually create a sense of urgency and ask you to take immediate action to avoid a consequence or receive a reward. The response commonly required is for you to log in to a website or call a phone number to provide personal information. Sometimes you only need to click on a link or open an e-mail attachment for your computer to become infected by malicious software. The details of phishing scams may vary, but their aim is to trick you into giving away information which can be used to break into your accounts and steal your money or identity. Phishing exploits human vulnerabilities and uses simple psychology, targeting inattention or misdirecting attention.

As phishing e-mails do not contain malicious code, the common techniques used by anti-virus software do not normally work. However, computer security experts are still able to develop phish filters aimed at the characteristics of phishing e-mails. The signs they look for include:
- Age of domain. Newly created domains less than 12 months old are suspect;
- Known logo images. The page contains known logos but is not on a domain owned by the logo's owner;
- Suspicious URL. The URL contains an @ sign, a hyphen, an IP address or more than five dots;
- Suspicious links. A link on the page contains @ or a hyphen;
- Forms. The page contains a text entry field;
- Lexical signature search result. The URL does not match the address of the Google-ranked legitimate page.

The filters use a combination of these signs to identify phish. However, some legitimate e-mails may also have such characteristics. When the filter is not sure, a warning may be displayed so that the recipient of the e-mail can exercise judgment. Other signs include a sender who is not familiar to you, an urgent message which is suspicious, or a threat which is not realistic. You should also look at the website address shown in the browser's status bar when you place the cursor over a link, to see whether it is suspicious.
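A small checker for the "suspicious URL" and "suspicious links" signs in the list above and for the status-bar check in this paragraph, written as an added example for this post (not code from the Scientific American article or from any phish filter); the sign names, the two-sign threshold and the sample hosts are constructed assumptions.

```python
"""Heuristic scorer for the URL and link signs a phish filter looks for.

Added example, not code from the article or any product; the sign names,
the threshold and the sample links are constructed for illustration.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed sample links a filter might see in an e-mail or on a page.
SAMPLE_LINKS = [
    "https://www.example-bank.com/login",             # one sign only: hyphen
    "http://www.example-bank.com@203.0.113.5/login",  # '@' hides the real host
    "http://203.0.113.5/update/account.php",          # bare IP address
    "http://login.example-bank.com.verify.account.update.example.net/",
    "https://example.com/music/invoice",              # no signs
]

def real_host(url: str) -> str:
    """Host a browser actually connects to: drop userinfo before '@' and any port."""
    return urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()

def url_signs(url: str) -> List[str]:
    """Return the signs from the article's list that this URL triggers."""
    signs = []
    if "@" in urlsplit(url).netloc:
        signs.append("at-sign")        # text before '@' is userinfo, not the host
    host = real_host(url)
    if "-" in host:
        signs.append("hyphen")
    try:
        ipaddress.ip_address(host)     # raises ValueError for a normal hostname
        signs.append("ip-address")
    except ValueError:
        pass
    if url.count(".") > 5:
        signs.append("many-dots")      # long subdomain chains mimic a real name
    return signs

def is_suspicious(url: str, threshold: int = 2) -> bool:
    """Combine the signs, as the filters do: a single sign is often legitimate."""
    return len(url_signs(url)) >= threshold

def displayed_host_mismatch(anchor_text: str, href: str) -> bool:
    """The status-bar check: link text names one host, the href points at another."""
    shown = anchor_text.strip()
    if "://" not in shown:
        shown = "http://" + shown
    shown_host = real_host(shown)
    return "." in shown_host and shown_host != real_host(href)
```

The hyphenated bank domain in the first sample triggers only one sign and is left alone, which is the article's point that filters need a combination of signs rather than any single one.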

The computer security experts noted that the major vulnerability is the lack of awareness of users towards phishing. Research showed that many users did not take notice of the warnings displayed by the phish filter. The experts considered that anti-phishing training should be improved. The combined efforts of law enforcement, computer security experts and computer users are needed to reduce the success of phishing.

Friday, December 26, 2008

Earth Rise 1968 -- Correction

A correction. To pin down the position of the Earth, I read through NASA's Apollo 8 flight journal again in detail, to see how the spacecraft was flying when this historic Earthrise photograph was taken.

It turns out the spacecraft was then flying in an orbit along the lunar equator. What the astronauts saw was the lunar surface standing vertically to the right of the spacecraft, with the Earth on the left and true north at the top. The adjusted photograph below shows the Earth in the familiar orientation, north up and south down.

Seen this way, the land to the east is the west coast of Morocco in western Africa, facing the Atlantic, and the land to the west is the coast of Brazil in South America. The ice sheet of Antarctica can also be seen at the bottom of the Earth.

Earth Rise

Thursday, December 25, 2008

Earth Rise 1968

This Christmas, NASA released this breathtaking photograph to commemorate the Apollo lunar landing programme.

The photograph was taken by the astronauts aboard Apollo 8 on Christmas Eve, 24 December 1968. It was the first time in human history that an Earthrise, the Earth rising above the lunar horizon, was photographed. 2008 is its fortieth birthday. Humans had not yet landed on the Moon at the time; Apollo 8 was only in lunar orbit.

According to NASA, the standard Earthrise photograph we often see, with the Earth looking like a blue marble, was not the first one. The historic photograph below was not chosen as the picture for the press release at the time because it was in black and white. It has finally seen the light of day again.

I think the land in the lower part of the Earth looks like Australia, the cloud-free area above it should be the coast of China, and Hong Kong is roughly at the edge of the cloud bank.

Earth Rise

Wednesday, December 17, 2008

Tramway 1967

1967 is really not that long ago; although I was still a student then, many of my younger friends had not yet been born. I just came across the 1967 video below on the web, a ride along the tram line on Hong Kong Island. The scenery is very different from today, but some buildings have survived to this day.

Three spots left a strong impression. The first is the junction of Hennessy Road and Johnston Road, where the landmark petrol station had not yet been extended. The second is the barracks on Queensway; coming from the very noisy Wan Chai district into Queensway, the shops and pedestrians suddenly all disappeared, with only buildings with tightly shut windows on both sides, which felt a little eerie. The third is the Sheung Wan Market, today's Western Market; the tram turned out from there to the waterfront, where the Triangular Pier came into view. That waterfront area has now become land.

Monday, December 15, 2008

Internet security suite

I read in e-zone this week an article on the latest trends in the Internet security scene. It covers a suite of topics, many of them well known. But the article describes the current situation, which is worth refreshing our awareness of the problem.

Statistics collected by Kaspersky Lab show that, in 2008, the largest share of computer intrusion events was caused by Trojans, 92.56%, followed by viruses, 3.96%, and other malicious software, 3.48%. The Trojan Horse software mainly came from network games and phishing websites. Other malicious software includes advertising software, risk software, hoaxes, pornographic software and fraud tools. Among them, fraud tools have the highest growth. Some of them are even disguised as security software.

According to the anti-virus software company, Symantec, the common traps leading to Internet security breaches in 2009 could likely be the following.

Trap 1: Mutating hostile software. Newly developed hostile software is able to mutate by itself. It will change its form and then be distributed to other users.

Trap 2: Social network threats. The latest trend is phishing software spreading on the popular social network sites. Much third-party software linked to social networks is phishing for the account information of users.

Trap 3: False financial institution websites. Taking advantage of the global financial crisis, many phishing websites and e-mails are targeting users' concern about it. They disguise themselves as financial institutions and phish for financial account information.

Trap 4: Junk mail. Owing to the economic downturn, many companies are more willing to put resources into the development of junk mail for the purpose of advertising as well as increasing click counts.

E-zone conducted a survey on the level of worry of Internet users regarding the problem of Internet security. The survey results show that the biggest worry is about Trojans: 40% of all users are worried that they could be attacked. The overall results are:
Trojan -- 40%
Keylogger -- 23%
Virus -- 15%
Adware -- 12%
Spyware -- 10%

The reason for the relatively low worry level for other attacks is that anti-virus software is quite common and useful nowadays. Many users feel that a computer well protected by such software could effectively eliminate the risk of viruses, adware and spyware to a large extent. However, more covert attacks such as Trojan Horses and keyloggers are not easy to detect and thus cause more worry.

A security expert from the Hong Kong Computer Emergency Response Team offers some additional tips on Internet security:

1. Windows automatic update. Microsoft Windows is the most commonly used operating system. It is also the most attacked system, and vulnerabilities are found frequently. Luckily Microsoft also has a good defense system, and any known vulnerability is dealt with quickly. Program patches are issued frequently to update the Windows system. One should set the Windows operating system to automatic update for effective protection. Many other software products do not issue patches at all. This does not mean they are safe; it is just that the companies do not fix the software vulnerabilities.

2. Browser automatic update. The Internet browser is one of the major gateways to the Internet. Much malicious software exploits vulnerabilities in browsers for attack. An up-to-date browser will provide better security. At present, Firefox 3.0 offers automatic update for its browser.

3. False websites. A current trend in computer fraud is false websites of financial institutions. Extra attention must be paid when visiting such websites, including those of your favourite banks. It is advisable to access these websites only from your own bookmarks.

4. E-mail links. Many phishing websites and malicious software hide their links in e-mail. It is important to check whether the e-mail sent to you is from a reliable source, and whether the addresses of the links are suspicious.

5. Browse for security news. The expert recommends browsing HKCERT for updated news on Internet security. This is probably an advertisement for HKCERT, but it does provide useful information. There are many other such information centres around the world.

6. ActiveX. The expert suggests de-activating ActiveX in your browser, which may open a loophole for attack. But much useful software uses ActiveX. It is a personal judgment whether you want to take the risk. I only de-activate ActiveX temporarily whenever I find something suspicious.

Friday, December 12, 2008

Grade Structure Reviews

The LegCo Panel on Public Service will discuss a paper on grade structure reviews on 15 December, next Monday. This is a very useful subject for HR managers, as it is an essential topic of civil service human resource management. There are three reviews: one on the directorate, one on the disciplined services and one on two civilian grades. If you are interested in the reviews, you can go to the JSSCS website to read the full reports. If you only have a little reading time, you can choose to read the LegCo paper, which has a gist of the recommendations of the review reports.

The reports are published under the name of the Standing Committee on Directorate Salaries and Conditions of Service, the Standing Committee on Disciplined Services Salaries and Conditions of Service and the Standing Commission on Civil Service Salaries and Conditions of Service. But the reviews were conducted by a team of experienced executive officers in the JSSCS, or more accurately a team of retired officers. A grade structure review is a large and complex exercise which occurs infrequently, at long intervals. Under the present thinking of GGO, this is additional work of a temporary nature on a project basis which could be undertaken by NCSC staff. But where can you hire very experienced NCSC staff for such high-level, complex work? The only answer is the experienced retired officers who were engaged in previous grade structure review exercises. I must congratulate them on a job well done. I also hope there were many serving officers working in the team, lest the experience be lost when the retired officers really retire.

The two civilian grades under review are the government lawyer grades and the veterinary officer grade. For the lawyer grades, there would be no improvement to the grade structure or the pay scale. There are recommendations not related to the grade structure, viz. to conduct regular establishment reviews, to be more responsive to staff concerns about the working environment, to streamline and expedite the recruitment process, and to provide more continuing professional development opportunities. All these are applicable to all grades not under review.

I think it is very hard to compare the pay of a government lawyer to those in private practice. For a good lawyer in private practice, the reward could be astronomical. This is the same everywhere. For government lawyers, there is the commitment to serve for the justice of the people rather than the justice of the private clients.

The review report recommends that the starting pay of the Veterinary Officer rank should be raised by two points from MPS29 to MPS31. This would bring it on a par with medical doctors. Two more recommendations are worth noting. One is bonded traineeships for veterinary students in universities. This is actually the same practice as some years ago, in the form of government training scholarships, which I think is quite feasible. Some serving officers are such government trainees. This could ensure a supply of veterinary officers for a few years, and increase the pool of veterinary surgeons in Hong Kong in the long run.

The other recommendation is to explore with local universities the desirability and feasibility of introducing veterinary training in Hong Kong. This is narrow thinking. Local universities should explore introducing academic subjects based on the need of Hong Kong rather than the recruitment difficulties of government officials. Hong Kong is a city with limited agriculture and husbandry. Its civilian veterinary needs are mainly on pets, plus some limited requirements by the Jockey Club and Ocean Park. With reasonable reward, Hong Kong people returning from overseas with veterinary training may be sufficient.

Sunday, December 7, 2008

Sichuan Face-Changing (變面)

The famous Sichuan art: face-changing. Even Andy Lau wanted to learn it. Any cultural performance you watch in Sichuan is bound to include this item, and a face-changing performance always includes fire-breathing. The flame vanishes in a flash, so getting one clear photograph is already lucky.


Face-changing is a magic performance. Had a performer claimed over a thousand years ago that it was a miracle, there would be one more religion, a face-changing cult. The performance requires great skill, and its secret is known to no one, Andy Lau included, so it is shrouded in mystery. The change from one face to the next is so fast and so deft that I could not catch it even with high-speed burst shooting.

Take a look at the face-changing captured in burst shots.


Wednesday, December 3, 2008

Love is a many-splendored thing (生死戀)



Watching a film: Love is a many-splendored thing (生死戀), starring William Holden and Jennifer Jones. As I watched, I found I had no idea what it was about. It turns out the film was shot on location in Hong Kong in 1949, with plenty of scenery of Hong Kong in '49. The online clip splices together the segments with Hong Kong scenery, so the pieces do not connect as a story. If you really want to watch the film, you will be disappointed; if you want a bit of historical nostalgia, it is just right.