From: Digest
To: "OS/2GenAu Digest"
Date: Sun, 12 Dec 2004 00:01:09 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600
Subject: [os2genau_digest] No. 1000
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Saturday 11 December 2004 Number 1000
**************************************************

Subjects for today

1 Browser vulnerability report by Secunia Window Injection : John Angelico
2 Re: ECD's? : Gavin Miller
3 Re: Telstra WebMail now only accessible via IE : Ed Durrant
4 Re: Browser vulnerability report by Secunia Window Injection : Ken Laurie
5 Re: Browser vulnerability report by Secunia Window Injection : John Angelico
6 Re: Browser vulnerability report by Secunia Window Injection : Ken Laurie
7 Virus Myths : Ken Laurie
8 Re: Browser vulnerability report by Secunia Window Injection : Gavin Miller
9 Re: Browser vulnerability report by Secunia Window Injection : Ken Laurie

**= Email 1 ==========================**

Date: Sat, 11 Dec 2004 00:16:32 +1100 (AEDT)
From: "John Angelico"
Subject: Browser vulnerability report by Secunia Window Injection

Following a link from The Register site
http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/
I went to the Secunia site to test
http://secunia dot com/multiple_browsers_window_injection_vulnerability_test
This also needs the Citibank site www.citibank dot com/

Using tabbed browsing in Firefox 1.0 refreshed approx 24 hours ago (OS/2-eCS version now compatible with Thunderbird 1.0) and with popups blocked, I was shown Citibank data, not Secunia data, indicating prima facie that my Firefox is not vulnerable here.

Browser version info:
Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.5) Gecko/20041207 Firefox/1.0

It may be wise to check your browser, and assure yourself of where you stand.
My version of Firefox is available at www.os2site dot com

Best regards
John Angelico
OS/2 SIG
os2 at melbpc dot org dot au or
talldad at kepl dot com dot au
___________________

----------------------------------------------------------------------------------

**= Email 2 ==========================**

Date: Sat, 11 Dec 2004 07:57:13 +1100
From: Gavin Miller
Subject: Re: ECD's?

Oh sorry Chris, forgot you asked :-[ .

ECDs are enhanced CDs, ie they have 'x' amount of music tracks and a data track, usually a movie or something like that. What's been happening is OS/2's CD player can read the music tracks but the drive file system reports the disk is not formatted correctly. The commercial ECDs are reportedly only readable from Win and Mac.

I do remember that my Warp 4 system could read ECDs but eCS can't, or at least I could not get it to, even with JJS. There is a nagging thought about the FAT32 IFS interfering, but I can't confirm or deny this. It's just a faint rattling upstairs ;-)

PS. Audio CD Creator identifies there is an extra track. Can't do much with it, but it's listed.

Cheers
G

Chris_neeson wrote:
>Actually, what is an 'enhanced' CD?
>( while this topic is within recent memory ).
>
>Regards
>Chris
>
>------------- G started the sequence with -------------
>
>Hi All,
>
>Does anyone know how to read enhanced CD's in OS/2? I'm sure I could
>many moons ago, but have forgotten how since the move to eCS.
>
>Cheers
>G
>
>===========================================

----------------------------------------------------------------------------------

**= Email 3 ==========================**

Date: Sat, 11 Dec 2004 08:12:10 +1100
From: Ed Durrant
Subject: Re: Telstra WebMail now only accessible via IE

I don't have any issues with you posting it to the Linux community.

By the way, as yet, I have had no reply except the automatic acknowledgement of receipt. When Telstra reply, they usually take 2 or 3 working days anyway!

Cheers/2
Ed.
Kev wrote:
> Hi Ed
>
> Would you mind if I repost this message (in its entirety) to the PLUG
> list? I'm sure the Linux community would be glad to lobby Telstra too.
>
> Cheers
> Kev Downes
>
> Ed Durrant wrote:
> > Telstra updated their webmail system a few days ago and
> > guess what .... If you have a Telstra cable account you can
> > now ONLY log into it with Microsoft IE !
> >
> > I've tried Mozilla (various versions), IBM Web Browser,
> > Opera/2 and Netscape Communicator on OS/2 plus Mozilla 1.7
> > on Windoze. All reject my password as being invalid.
> > However .... when I try with IE - guess what, everything
> > works !! (same userid and password).
> >
> > Here's my letter to Telstra :
> >
> > Do you realise that the new Webmail system *IS NOT
> > ACCESSIBLE* from Mozilla, Firefox, Netscape Communicator and
> > Opera browsers !!
> > The login screen always returns userid or password invalid
> > when it is not !
> > The *ONLY* browser that access can be obtained through is
> > Microsoft's virus ridden, badly written, inefficient Internet
> > Explorer, which is not available for Linux or OS/2, hence
> > cutting off this part of your customer base.
> >
> > I am taking legal advice about this restrictive practice on
> > your part as well as considering the contractual terms
> > regarding removal of service.
> >
> > I am prepared to give TELSTRA the benefit of the doubt if
> > you are able to rectify the situation within a short period
> > of time, otherwise I will be forced to take further action,
> > possibly switching telco supplier.
> >
> > I wonder what reply I'll get .....
> >
> > Surely the Linux community (and possibly MAC OSX ?) will
> > also complain ??
> >
> > Cheers/2
> >
> > Ed.
----------------------------------------------------------------------------------

**= Email 4 ==========================**

Date: Sat, 11 Dec 2004 09:17:05 +1100
From: Ken Laurie
Subject: Re: Browser vulnerability report by Secunia Window Injection

Hi John

Remember this vulnerability is for all web browsers and you are only 'secure' because you are not allowing the web site being used to demonstrate the vulnerability to open a popup. If you use Citibank then you would need to allow it to open popups and would then have the vulnerability.

The best defense for this vulnerability, until it is resolved, is when visiting trusted sites that you permit to open popups (such as most bank sites) not to visit other sites at the same time. I tend to have the habit of only doing my banking without any other sites open. My advice to all is to make sure they have no other web sites open when doing their banking, even if this vulnerability is resolved.

regards
Ken

John Angelico wrote:
>Following a link from The Register site
>http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/
>
>I went to the Secunia site to test
>http://secunia dot com/multiple_browsers_window_injection_vulnerability_test
>This also needs the Citibank site www.citibank dot com/
>
>Using tabbed browsing in Firefox 1.0 refreshed approx 24 hours ago (OS/2-eCS
>version now compatible with Thunderbird 1.0) and with popups blocked I was
>shown Citibank data not Secunia data, indicating prima facie that my Firefox
>is not vulnerable here.
>
>Browser version info:
>Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.5) Gecko/20041207 Firefox/1.0
>
>It may be wise to check your browser, and assure yourself of where you stand.
>
>My version of Firefox is available at www.os2site dot com
>
>Best regards
>John Angelico
>OS/2 SIG
>os2 at melbpc dot org dot au or
>talldad at kepl dot com dot au
>___________________

----------------------------------------------------------------------------------

**= Email 5 ==========================**

Date: Sat, 11 Dec 2004 12:06:29 +1100 (AEDT)
From: "John Angelico"
Subject: Re: Browser vulnerability report by Secunia Window Injection

On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>Hi John

Hi Ken.

>Remember this vulnerability is for all web browsers and you are only
>'secure' because you are not allowing the web site being used to
>demonstrate the vulnerability to open a popup. If you use Citibank then
>you would need to allow it to open popups and would then have the
>vulnerability.

Hmm, interesting.

One of my bank sites doesn't open popups (one page for login then same page for activities), and the other opens another page where I login, and that's all.

>The best defense for this vulnerability, until it is resolved, is when
>visiting trusted sites that you permit to open popups (such as most bank
>sites) not to visit other sites at the same time.

I would be mounting a challenge to Citibank about popups.

I would refer them to Jakob Nielsen's site: useit dot com on usability guidelines, or a less polite rant-style page like:
http://members.optusnet dot com dot au/~night.owl/morons.html
where yes, he has an attitude, but he puts a lot into it about better web authoring.

>I tend to have the
>habit of only doing my banking without any other sites open. My advice
>to all is to make sure they have no other web sites open when doing
>their banking, even if this vulnerability is resolved.

Yes, it's a good "paranoia habit" to get into - like hiding your hand as you punch in your PIN at an ATM.

I ALWAYS close the tab or window or browser session of my banking page when finished too.
Best regards
John Angelico
OS/2 SIG
os2 at melbpc dot org dot au or
talldad at kepl dot com dot au
___________________

PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
.... "Daddy, when will I be old enough to delete Windows?"

----------------------------------------------------------------------------------

**= Email 6 ==========================**

Date: Sat, 11 Dec 2004 12:55:46 +1100
From: Ken Laurie
Subject: Re: Browser vulnerability report by Secunia Window Injection

Hi John

Yes, bad coding practices strike again. Some of these web site designers/programmers (I use the words lightly) need to wake up and really look at what problems they are causing. I have been in IT for 28 years and I could go on about this for ages but I won't.

regards
Ken

John Angelico wrote:
>On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>
>>Hi John
>
>Hi Ken.
>
>>Remember this vulnerability is for all web browsers and you are only
>>'secure' because you are not allowing the web site being used to
>>demonstrate the vulnerability to open a popup. If you use Citibank then
>>you would need to allow it to open popups and would then have the
>>vulnerability.
>
>Hmm, interesting.
>
>One of my bank sites doesn't open popups (one page for login then same page
>for activities), and the other opens another page where I login, and that's
>all.
>
>>The best defense for this vulnerability, until it is resolved, is when
>>visiting trusted sites that you permit to open popups (such as most bank
>>sites) not to visit other sites at the same time.
>
>I would be mounting a challenge to Citibank about popups.
>
>I would refer them to Jakob Nielsen's site: useit dot com on usability guidelines,
>or a less polite rant-style page like:
>http://members.optusnet dot com dot au/~night.owl/morons.html
>where yes, he has an attitude, but he puts a lot into it about better web
>authoring.
>
>>I tend to have the
>>habit of only doing my banking without any other sites open. My advice
>>to all is to make sure they have no other web sites open when doing
>>their banking, even if this vulnerability is resolved.
>
>Yes, it's a good "paranoia habit" to get into - like hiding your hand as you
>punch in your PIN at an ATM.
>
>I ALWAYS close the tab or window or browser session of my banking page when
>finished too.
>
>Best regards
>John Angelico
>OS/2 SIG
>os2 at melbpc dot org dot au or
>talldad at kepl dot com dot au
>___________________
>
>PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>... "Daddy, when will I be old enough to delete Windows?"

[attachments have been removed]

----------------------------------------------------------------------------------

**= Email 7 ==========================**

Date: Sat, 11 Dec 2004 13:09:01 +1100
From: Ken Laurie
Subject: Virus Myths

Hi All

Further to John's email mentioning the morons page, others might be interested in a site that has been around for many years and discusses computer viruses, hoaxes and urban legends.

http://www.vmyths dot com/

regards
Ken

----------------------------------------------------------------------------------

**= Email 8 ==========================**

Date: Sat, 11 Dec 2004 17:31:24 +1100
From: Gavin Miller
Subject: Re: Browser vulnerability report by Secunia Window Injection

I sent an e-mail to my bank informing them that JavaScript popups, popups in general, and cookies are not secure and that they, as a banking institution, should be looking at alternative and more secure methods such as a secure server. My bank offers a dongle that you can purchase and register as an added login password. It generates a different code each time you use it. I assume this code is stored in a cookie or file somewhere, and if so defeats the purpose of an extra security measure.

Cheers
G

Ken Laurie wrote:
> Hi John
>
> Yes, bad coding practices strike again.
> Some of these web site
> designers/programmers (I use the words lightly) need to wake up and
> really look at what problems they are causing. I have been in IT for
> 28 years and I could go on about this for ages but I won't.
>
> regards
> Ken
>
> John Angelico wrote:
>
>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>
>>> Hi John
>>
>> Hi Ken.
>>
>>> Remember this vulnerability is for all web browsers and you are only
>>> 'secure' because you are not allowing the web site being used to
>>> demonstrate the vulnerability to open a popup. If you use Citibank
>>> then you would need to allow it to open popups and would then have
>>> the vulnerability.
>>
>> Hmm, interesting.
>>
>> One of my bank sites doesn't open popups (one page for login then
>> same page for activities), and the other opens another page where I
>> login, and that's all.
>>
>>> The best defense for this vulnerability, until it is resolved, is
>>> when visiting trusted sites that you permit to open popups (such as
>>> most bank sites) not to visit other sites at the same time.
>>
>> I would be mounting a challenge to Citibank about popups.
>>
>> I would refer them to Jakob Nielsen's site: useit dot com on usability
>> guidelines, or a less polite rant-style page like:
>> http://members.optusnet dot com dot au/~night.owl/morons.html
>> where yes, he has an attitude, but he puts a lot into it about better
>> web authoring.
>>
>>> I tend to have the habit of only doing my banking without any other
>>> sites open. My advice to all is to make sure they have no other web
>>> sites open when doing their banking, even if this vulnerability is
>>> resolved.
>>
>> Yes, it's a good "paranoia habit" to get into - like hiding your hand
>> as you punch in your PIN at an ATM.
>> I ALWAYS close the tab or window or browser session of my banking
>> page when finished too.
>>
>> Best regards
>> John Angelico
>> OS/2 SIG
>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>> ___________________
>>
>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>> ... "Daddy, when will I be old enough to delete Windows?"
>
> [attachments have been removed]

----------------------------------------------------------------------------------

**= Email 9 ==========================**

Date: Sat, 11 Dec 2004 17:45:43 +1100
From: Ken Laurie
Subject: Re: Browser vulnerability report by Secunia Window Injection

Hi Gavin

All the dongles I am familiar with use a combination of a PIN and a generated number to create a one-time password. This is called two-factor authentication: something you have (the dongle) and something you know (the PIN). Usually the password is sent to the server, which uses a security server such as LDAP to authenticate you. Even if somebody did manage to get your account or userid and your PIN, they would need your dongle to authenticate.

The dongle and the server at the other end are synchronised by the initial number on the dongle and the serial number of the dongle. Using this information and the appropriate algorithm the server can calculate the next number generated by the dongle. The number is normally only good for 60 seconds, give or take a bit for delays in getting across the network etc. This is a good secure method of authentication. It also means that if you use online banking from other than your own PC, the information captured in cache or cookies etc cannot be used to access your account.

regards
Ken

Gavin Miller wrote:
> I sent an e-mail to my bank informing them that JavaScript popups,
> popups in general, and cookies are not secure and that they, as a
> banking institution, should be looking at alternative and more secure
> methods such as a secure server. My bank offers a dongle that you can
> purchase and register as an added login password.
> It generates a
> different code each time you use it. I assume this code is stored in
> a cookie or file somewhere, and if so defeats the purpose of an extra
> security measure.
>
> Cheers
> G
>
> Ken Laurie wrote:
>
>> Hi John
>>
>> Yes, bad coding practices strike again. Some of these web site
>> designers/programmers (I use the words lightly) need to wake up and
>> really look at what problems they are causing. I have been in IT for
>> 28 years and I could go on about this for ages but I won't.
>>
>> regards
>> Ken
>>
>> John Angelico wrote:
>>
>>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>>
>>>> Hi John
>>>
>>> Hi Ken.
>>>
>>>> Remember this vulnerability is for all web browsers and you are
>>>> only 'secure' because you are not allowing the web site being used
>>>> to demonstrate the vulnerability to open a popup. If you use
>>>> Citibank then you would need to allow it to open popups and would
>>>> then have the vulnerability.
>>>
>>> Hmm, interesting.
>>>
>>> One of my bank sites doesn't open popups (one page for login then
>>> same page for activities), and the other opens another page where I
>>> login, and that's all.
>>>
>>>> The best defense for this vulnerability, until it is resolved, is
>>>> when visiting trusted sites that you permit to open popups (such as
>>>> most bank sites) not to visit other sites at the same time.
>>>
>>> I would be mounting a challenge to Citibank about popups.
>>>
>>> I would refer them to Jakob Nielsen's site: useit dot com on usability
>>> guidelines, or a less polite rant-style page like:
>>> http://members.optusnet dot com dot au/~night.owl/morons.html
>>> where yes, he has an attitude, but he puts a lot into it about
>>> better web authoring.
>>>
>>>> I tend to have the habit of only doing my banking without any other
>>>> sites open.
>>>> My advice to all is to make sure they have no other web
>>>> sites open when doing their banking, even if this vulnerability is
>>>> resolved.
>>>
>>> Yes, it's a good "paranoia habit" to get into - like hiding your
>>> hand as you punch in your PIN at an ATM.
>>> I ALWAYS close the tab or window or browser session of my banking
>>> page when finished too.
>>>
>>> Best regards
>>> John Angelico
>>> OS/2 SIG
>>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>>> ___________________
>>>
>>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>>> ... "Daddy, when will I be old enough to delete Windows?"
>>
>> [attachments have been removed]

----------------------------------------------------------------------------------