From: Digest <deadmail>
To: "OS/2GenAu Digest"<deadmail>
Date: Sun, 12 Dec 2004 00:01:09 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600
Subject: [os2genau_digest] No. 1000
Reply-To: <deadmail>
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Saturday 11 December 2004
 Number  1000
**************************************************

Subjects for today
 
1   Browser vulnerability report by Secunia Window Injection : "John Angelico" <talldad at kepl dot com dot au>
2  Re:  ECD's? : Gavin Miller <drumextreme at impulse dot net dot au>
3  Re:  Telstra WebMail now only accessible via IE : Ed Durrant <edurrant at bigpond dot net dot au>
4  Re:  Browser vulnerability report by Secunia Window Injection : Ken Laurie <ken.laurie at graeleah dot com>
5  Re:  Browser vulnerability report by Secunia Window Injection : "John Angelico" <talldad at kepl dot com dot au>
6  Re:  Browser vulnerability report by Secunia Window Injection : Ken Laurie <ken.laurie at graeleah dot com>
7   Virus Myths : Ken Laurie <ken.laurie at graeleah dot com>
8  Re:  Browser vulnerability report by Secunia Window Injection : Gavin Miller <drumextreme at impulse dot net dot au>
9  Re:  Browser vulnerability report by Secunia Window Injection : Ken Laurie <ken.laurie at graeleah dot com>

**= Email   1 ==========================**

Date:  Sat, 11 Dec 2004 00:16:32 +1100 (AEDT)
From:  "John Angelico" <talldad at kepl dot com dot au>
Subject:   Browser vulnerability report by Secunia Window Injection

Following a link from The Register site
http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/

I went to the Secunia site to test 
http://secunia dot com/multiple_browsers_window_injection_vulnerability_test
This also needs the Citibank site www.citibank dot com/

Using tabbed browsing in Firefox 1.0 refreshed approx 24 hours ago (OS/2-eCS
version now compatible with Thunderbird 1.0) and with popups blocked I was
shown Citibank data not Secunia data, indicating prima facie that my Firefox
is not vulnerable here.

Browser version info:
Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.5) Gecko/20041207 Firefox/1.0

It may be wise to check your browser, and assure yourself of where you stand.

My version of Firefox is available at www.os2site dot com


Best regards
John Angelico
OS/2 SIG
os2 at melbpc dot org dot au or 
talldad at kepl dot com dot au
___________________

----------------------------------------------------------------------------------
 

**= Email   2 ==========================**

Date:  Sat, 11 Dec 2004 07:57:13 +1100
From:  Gavin Miller <drumextreme at impulse dot net dot au>
Subject:  Re:  ECD's?

Oh sorry Chris, forgot you asked :-[ .

ECD's are enhanced CD's, ie have 'x' amount of music tracks and a data 
track, usually a movie or something like that.  What's been happening is 
OS/2's cd player can read the music tracks but the drive five system 
reports the disk is not formatted correctly.  The commercial Ecd's are 
reportedly only readable from Win and Mac.  I do remember that my Warp 4 
system could read Ecd's but Ecs can't, or at least I could not get it 
to, even with JJS.  There is a nagging thought about fat32 ifs 
interfering, but I can't confirm or deny this.  It's just a faint 
rattling upstairs ;-)  

PS.  Audio CD creator identifies there is an extra track.  Can't do much 
with it, but it's listed.

Cheers
G

Chris_neeson wrote:

>Actually, what is an 'enhanced' CD?
>( while this topic is within recent memory ).
>
>
>Regards
>Chris
>
>------------- G started the sequence with -------------
> 
>Hi All,
>
>Does anyone know how to read enhanced CD's in OS/2?  I'm sure I could 
>many moons ago, but have forgotten how since the move to Ecs.
>
>Cheers
>G

----------------------------------------------------------------------------------
 

**= Email   3 ==========================**

Date:  Sat, 11 Dec 2004 08:12:10 +1100
From:  Ed Durrant <edurrant at bigpond dot net dot au>
Subject:  Re:  Telstra WebMail now only accessible via IE

I don't have any issues with you posting it to the Linux community.

By the way, as yet, I have had no reply except the automatic acknowledgement of receipt.

When Telstra reply, they usually take 2 or 3 working days anyway !

Cheers/2

Ed.

Kev wrote:

> Hi Ed
>
> Would you mind if I repost this message (in its entirety) to the PLUG
> list?  I'm sure the Linux community would be glad to lobby Telstra too.
>
> Cheers
> Kev Downes
>
> Ed Durrant wrote:
> > Telstra updated their webmail system a few days ago and
> > guess what ....  If you have a telstra cable account you can
> > now ONLY log into it with Microsoft IE !
> >
> > I've tried Mozilla (various versions), IBM Web Browser,
> > Opera/2 and Netscape Communicator on OS/2 plus Mozilla 1.7
> > on Windoze.  All reject my password as being invalid.
> > However .... when I try with IE - guess what everything
> > works !! (same userid and password).
> >
> > Here's my letter to Telstra :
> >
> >
> >
> > Do you realise that the new Webmail system *IS NOT
> > ACCESSIBLE* from Mozilla, Firefox, Netscape Communicator and
> > Opera browsers !!
> > The login screen always returns userid or password invalid
> > when it is not !
> > The *ONLY* browser that access can be obtained through is
> > Microsoft's virus ridden, badly written, inefficient Internet
> > explorer, which is not available for Linux or OS/2 hence
> > cutting off this part of your customer base.
> >
> > I am taking legal advice about this restrictive practice on
> > your part as well as considering the contractual terms
> > regarding removal of service.
> >
> > I am prepared to give TELSTRA the benefit of the doubt if
> > you are able to rectify the situation within a short period
> > of time, otherwise I will be forced to take further action,
> > possibly switching telco supplier.
> >
> >
> > I wonder what reply I'll get .....
> >
> >
> > Surely the Linux community (and possibly MAC OSX ?) will
> > also complain ??
> >
> >
> > Cheers/2
> >
> > Ed.
> >

----------------------------------------------------------------------------------
 

**= Email   4 ==========================**

Date:  Sat, 11 Dec 2004 09:17:05 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

Hi John

Remember this vulnerability is for all web browsers and you are only 
'secure' because you are not allowing the web site being used to 
demonstrate the vulnerability to open a popup. If you use Citibank then 
you would need to allow it to open popups and would then have the 
vulnerability.

The best defense for this vulnerability, until it is resolved, is when 
visiting trusted sites that you permit to open popups (such as most bank 
sites) not to visit other sites at the same time. I tend to have the 
habit of only doing my banking without any other sites open. My advice 
to all is to make sure they have no other web sites open when doing 
their banking, even if this vulnerability is resolved.

regards
Ken


John Angelico wrote:

>following a link from The Register site
>http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/
>
>I went to the Secunia site to test 
>http://secunia dot com/multiple_browsers_window_injection_vulnerability_test
>This also needs the Citibank site www.citibank dot com/
>
>Using tabbed browsing in Firefox 1.0 refreshed approx 24 hours ago (OS/2-eCS
>version now compatible with Thunderbird 1.0) and with popups blocked I was
>shown Citibank data not Secunia data, indicating prima facie that my Firefox
>is not vulnerable here.
>
>Browser version info:
>Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.5) Gecko/20041207 Firefox/1.0
>
>It may be wise to check your browser, and assure yourself of where you stand.
>
>My version of Firefox is available at www.os2site dot com
>
>
>Best regards
>John Angelico
>OS/2 SIG
>os2 at melbpc dot org dot au or 
>talldad at kepl dot com dot au
>___________________
----------------------------------------------------------------------------------
 

**= Email   5 ==========================**

Date:  Sat, 11 Dec 2004 12:06:29 +1100 (AEDT)
From:  "John Angelico" <talldad at kepl dot com dot au>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:

>Hi John

Hi Ken.

>Remember this vulnerability is for all web browsers and you are only 
>'secure' because you are not allowing the web site being used to 
>demonstrate the vulnerability to open a popup. If you use Citibank then 
>you would need to allow it to open popups and would then have the 
>vulnerability.

Hmm, interesting.

One of my bank sites doesn't open popups (one page for login then same page
for activities), and the other opens another page where I login, and that's
all.

>
>The best defense for this vulnerability, until it is resolved, is when 
>visiting trusted sites that you permit to open popups (such as most bank 
>sites) not to visit other sites at the same time. 

I would be mounting a challenge to Citibank about popups.

I would refer them to Jakob Nielsen's site: useit dot com on usability guidelines
or a less polite rant style page like:
http://members.optusnet dot com dot au/~night.owl/morons.html
where yes, he has an attitude, but he puts a lot into it about better web
authoring.

>I tend to have the 
>habit of only doing my banking without any other sites open. My advice 
>to all is to make sure they have no other web sites open when doing 
>their banking, even if this vulnerability is resolved.

Yes, it's a good "paranoia habit" to get into - like hiding your hand as you
punch in your PIN at an ATM. 

I ALWAYS close the tab or window or browser session of my banking page when
finished too.


Best regards
John Angelico
OS/2 SIG
os2 at melbpc dot org dot au or 
talldad at kepl dot com dot au
___________________

PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
.... "Daddy, when will I be old enough to delete Windows?"
----------------------------------------------------------------------------------
 

**= Email   6 ==========================**

Date:  Sat, 11 Dec 2004 12:55:46 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

Hi John

Yes, bad coding practices strike again. Some of these web site 
designers/programmers (I use the words lightly) need to wake up and 
really look at what problems they are causing. I have been in IT for 28 
years and I could go on about this for ages but I won't.

regards
Ken

John Angelico wrote:

>On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>
>>Hi John
>
>Hi Ken.
>
>>Remember this vulnerability is for all web browsers and you are only 
>>'secure' because you are not allowing the web site being used to 
>>demonstrate the vulnerability to open a popup. If you use Citibank then 
>>you would need to allow it to open popups and would then have the 
>>vulnerability.
>
>Hmm, interesting.
>
>One of my bank sites doesn't open popups (one page for login then same page
>for activities), and the other opens another page where I login, and that's
>all.
>
>>The best defense for this vulnerability, until it is resolved, is when 
>>visiting trusted sites that you permit to open popups (such as most bank 
>>sites) not to visit other sites at the same time. 
>
>I would be mounting a challenge to Citibank about popups.
>
>I would refer them to Jakob Nielsen's site: useit dot com on usability guidelines
>or a less polite rant style page like:
>http://members.optusnet dot com dot au/~night.owl/morons.html
>where yes, he has an attitude, but he puts a lot into it about better web
>authoring.
>
>>I tend to have the 
>>habit of only doing my banking without any other sites open. My advice 
>>to all is to make sure they have no other web sites open when doing 
>>their banking, even if this vulnerability is resolved.
>
>Yes, it's a good "paranoia habit" to get into - like hiding your hand as you
>punch in your PIN at an ATM. 
>
>I ALWAYS close the tab or window or browser session of my banking page when
>finished too.
>
>
>Best regards
>John Angelico
>OS/2 SIG
>os2 at melbpc dot org dot au or 
>talldad at kepl dot com dot au
>___________________
>
>PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>... "Daddy, when will I be old enough to delete Windows?"


[attachments have been removed]
----------------------------------------------------------------------------------
 

**= Email   7 ==========================**

Date:  Sat, 11 Dec 2004 13:09:01 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:   Virus Myths

Hi All

Further to John's email mentioning the morons page, others might be 
interested in a site that has been around for many years and discusses 
computer Viruses, hoaxes and urban legends.

http://www.vmyths dot com/

regards
Ken

----------------------------------------------------------------------------------
 

**= Email   8 ==========================**

Date:  Sat, 11 Dec 2004 17:31:24 +1100
From:  Gavin Miller <drumextreme at impulse dot net dot au>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

I sent an e-mail to my bank informing them that javascript popups, 
popups in general, and cookies are not secure and that they, as a 
banking institution, should be looking at alternative and more secure 
methods such as a secure server.  My bank offers a dongle that you can 
purchase and register as an added login password.  It generates a 
different code each time you use it.  I assume this code is stored in a 
cookie or file somewhere, and if so defeats the purpose of an extra 
security measure.

Cheers
G

Ken Laurie wrote:

> Hi John
>
> Yes, bad coding practices strike again. Some of these web site 
> designers/programmers (I use the words lightly) need to wake up and 
> really look at what problems they are causing. I have been in IT for 
> 28 years and I could go on about this for ages but I won't.
>
> regards
> Ken
>
> John Angelico wrote:
>
>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>
>>> Hi John
>>
>> Hi Ken.
>>
>>> Remember this vulnerability is for all web browsers and you are only 
>>> 'secure' because you are not allowing the web site being used to 
>>> demonstrate the vulnerability to open a popup. If you use Citibank 
>>> then you would need to allow it to open popups and would then have 
>>> the vulnerability.
>>
>> Hmm, interesting.
>>
>> One of my bank sites doesn't open popups (one page for login then 
>> same page for activities), and the other opens another page where I 
>> login, and that's all.
>>
>>> The best defense for this vulnerability, until it is resolved, is 
>>> when visiting trusted sites that you permit to open popups (such as 
>>> most bank sites) not to visit other sites at the same time.
>>
>> I would be mounting a challenge to Citibank about popups.
>>
>> I would refer them to Jakob Nielsen's site: useit dot com on usability 
>> guidelines or a less polite rant style page like:
>> http://members.optusnet dot com dot au/~night.owl/morons.html
>> where yes, he has an attitude, but he puts a lot into it about better 
>> web authoring.
>>
>>> I tend to have the habit of only doing my banking without any other 
>>> sites open. My advice to all is to make sure they have no other web 
>>> sites open when doing their banking, even if this vulnerability is 
>>> resolved.
>>
>> Yes, it's a good "paranoia habit" to get into - like hiding your hand 
>> as you punch in your PIN at an ATM.
>> I ALWAYS close the tab or window or browser session of my banking 
>> page when finished too.
>>
>>
>> Best regards
>> John Angelico
>> OS/2 SIG
>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>> ___________________
>>
>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>> ... "Daddy, when will I be old enough to delete Windows?"
>
> [attachments have been removed]
 
----------------------------------------------------------------------------------
 

**= Email   9 ==========================**

Date:  Sat, 11 Dec 2004 17:45:43 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

Hi Gavin

All the dongles I am familiar with use a combination of a PIN and a 
generated number to create a one-time password. This is called two factor 
authentication, something you have (the dongle) and something you know 
(the PIN). Usually the password is sent to the server which uses a 
security server such as LDAP to authenticate you. Even if somebody did 
manage to get your account or userid and your PIN, they would need your 
dongle to authenticate. The dongle and the server at the other end are 
synchronised by the initial number on the dongle and the serial number of 
the dongle. Using this information and the appropriate algorithm the 
server can calculate the next number generated by the dongle. The number 
is normally only good for 60 seconds, give or take a bit for delays in 
getting across the network etc.

This is a good secure method of authentication. It also means that if 
you use online banking from other than your own pc the information 
captured in cache or cookies etc cannot be used to access your account.

regards
Ken

Gavin Miller wrote:

> I sent an e-mail to my bank informing them that javascript popups, 
> popups in general, and cookies are not secure and that they, as a 
> banking institution, should be looking at alternative and more secure 
> methods such as a secure server.  My bank offers a dongle that you can 
> purchase and register as an added login password.  It generates a 
> different code each time you use it.  I assume this code is stored in 
> a cookie or file somewhere, and if so defeats the purpose of an extra 
> security measure.
>
> Cheers
> G
>
> Ken Laurie wrote:
>
>> Hi John
>>
>> Yes, bad coding practices strike again. Some of these web site 
>> designers/programmers (I use the words lightly) need to wake up and 
>> really look at what problems they are causing. I have been in IT for 
>> 28 years and I could go on about this for ages but I won't.
>>
>> regards
>> Ken
>>
>> John Angelico wrote:
>>
>>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>>
>>>> Hi John
>>>
>>> Hi Ken.
>>>
>>>> Remember this vulnerability is for all web browsers and you are 
>>>> only 'secure' because you are not allowing the web site being used 
>>>> to demonstrate the vulnerability to open a popup. If you use 
>>>> Citibank then you would need to allow it to open popups and would 
>>>> then have the vulnerability.
>>>
>>> Hmm, interesting.
>>>
>>> One of my bank sites doesn't open popups (one page for login then 
>>> same page for activities), and the other opens another page where I 
>>> login, and that's all.
>>>
>>>> The best defense for this vulnerability, until it is resolved, is 
>>>> when visiting trusted sites that you permit to open popups (such as 
>>>> most bank sites) not to visit other sites at the same time.
>>>
>>> I would be mounting a challenge to Citibank about popups.
>>>
>>> I would refer them to Jakob Nielsen's site: useit dot com on usability 
>>> guidelines or a less polite rant style page like:
>>> http://members.optusnet dot com dot au/~night.owl/morons.html
>>> where yes, he has an attitude, but he puts a lot into it about 
>>> better web authoring.
>>>
>>>> I tend to have the habit of only doing my banking without any other 
>>>> sites open. My advice to all is to make sure they have no other web 
>>>> sites open when doing their banking, even if this vulnerability is 
>>>> resolved.
>>>
>>> Yes, it's a good "paranoia habit" to get into - like hiding your 
>>> hand as you punch in your PIN at an ATM.
>>> I ALWAYS close the tab or window or browser session of my banking 
>>> page when finished too.
>>>
>>>
>>> Best regards
>>> John Angelico
>>> OS/2 SIG
>>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>>> ___________________
>>>
>>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>>> ... "Daddy, when will I be old enough to delete Windows?"
>>
>> [attachments have been removed]
----------------------------------------------------------------------------------
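Ken's description in Email 9 amounts to a time-synchronised one-time-password scheme: dongle and server share a secret, both derive the current code from it, and the code is good for about a minute. The block below is an added example written for this digest, not code from the list, the bank or any token vendor, and it uses a TOTP-style construction (HMAC-SHA1 with RFC 4226-style truncation, a 60-second step and one step of tolerance for network delay) rather than any specific dongle's algorithm. The seed, PIN and timestamp are constructed values; the server also refuses a step it has already accepted, which is why a code left in a cookie or cache, Gavin's worry in Email 8, is worthless once used.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the seed is the secret the dongle and the bank's
# server share; the PIN is the "something you know" factor.
SHARED_SEED = b"constructed-demo-seed-not-a-real-token"
PIN = "4711"
STEP_SECONDS = 60   # a code is good for about one minute, as in the message
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a counter value (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def token_code(seed: bytes, now: int) -> str:
    """What the dongle displays: the code for the current 60-second step."""
    return hotp(seed, now // STEP_SECONDS)


class AuthServer:
    """Server side: knows the same seed and recomputes the expected code."""

    def __init__(self, seed: bytes, pin: str, skew_steps: int = 1) -> None:
        self.seed = seed
        self.pin = pin
        self.skew_steps = skew_steps      # tolerance for network/clock delay
        self.last_counter = -1            # highest step already accepted

    def verify(self, submitted: str, now: int) -> bool:
        # Factor 1: the PIN prefix, compared in constant time.
        if not hmac.compare_digest(submitted[:len(self.pin)], self.pin):
            return False
        code = submitted[len(self.pin):]
        current = now // STEP_SECONDS
        # Factor 2: the code must match one of the steps inside the skew
        # window and must not be a step already used, so a captured code
        # (cookie, cache, shoulder-surfing) cannot be replayed later.
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = AuthServer(SHARED_SEED, PIN)
    t = 1_102_680_000                      # constructed timestamp (seconds)
    code = token_code(SHARED_SEED, t)
    print("dongle shows", code)
    print("login at t+30  :", server.verify(PIN + code, t + 30))   # True
    print("replay at t+45 :", server.verify(PIN + code, t + 45))   # False
```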
 

