From: Digest <deadmail>
To: "OS/2GenAu Digest"<deadmail>
Date: Mon, 13 Dec 2004 00:01:07 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600
Subject: [os2genau_digest] No. 1001
Reply-To: <deadmail>
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Sunday 12 December 2004
 Number  1001
**************************************************

Subjects for today
 
1  Re: Browser vulnerability report by Secunia Window Injection : Gavin Miller <drumextreme at impulse dot net dot au>
2  Telstra have fixed Webmail ! : Ed Durrant <edurrant at bigpond dot net dot au>
3  Re: Browser vulnerability report by Secunia Window Injection : Ken Laurie <ken.laurie at graeleah dot com>
4  Re: Telstra have fixed Webmail ! : "Chris Graham [WarpSpeed]" <chrisg at warpspeed dot com dot au>
5  Re: Telstra have fixed Webmail ! : Ken Laurie <ken.laurie at graeleah dot com>
6  Re: No. 1000 : Kev <kdownes at tpg dot com dot au>
7  Re: No. 1000 : "Ian Manners" <deadmail>
8  Re: ECD's? : Chris_neeson <Chris_Neeson at compuserve dot com>
9  Re: Telstra have fixed Webmail ! : Kris Steenhaut <kris.steenhaut at hccnet.nl>

**= Email   1 ==========================**

Date:  Sun, 12 Dec 2004 10:48:18 +1100
From:  Gavin Miller <drumextreme at impulse dot net dot au>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

Hey Ken,

Mmm... Interesting.  It seems it's not a dongle after all.  The bank 
refers to it as a "Security Token", which I assumed to be a dongle of some 
type.  It generates a 6-digit "Authentication Key", as the bank puts it, 
so I guess it's using the method you described.  Still need to use the 
PIN and password that were previously arranged with the bank.  I'll send 
you some pics off list of the two models being offered. It doesn't 
appear to attach to the computer at all.

Cheers
G

Ken Laurie wrote:

> Hi Gavin
>
> All the dongles I am familiar with use a combination of a PIN and a 
> generated number to create a one-time password. This is called 
> two-factor authentication: something you have (the dongle) and 
> something you know (the PIN). Usually the password is sent to the 
> server, which uses a security server such as LDAP to authenticate you. 
> Even if somebody did manage to get your account or userid and your PIN, 
> they would need your dongle to authenticate. The dongle and the server 
> at the other end are synchronised by the initial number on the dongle 
> and the serial number of the dongle. Using this information and the 
> appropriate algorithm the server can calculate the next number 
> generated by the dongle. The number is normally only good for 60 
> seconds, give or take a bit for delays in getting across the network etc.
>
> This is a good secure method of authentication. It also means that if 
> you use online banking from other than your own pc the information 
> captured in cache or cookies etc cannot be used to access your account.
>
> regards
> Ken
>
> Gavin Miller wrote:
>
>> I sent an e-mail to my bank informing them that JavaScript popups, 
>> popups in general, and cookies are not secure and that they, as a 
>> banking institution, should be looking at alternative and more secure 
>> methods such as a secure server.  My bank offers a dongle that you 
>> can purchase and register as an added login password.  It generates a 
>> different code each time you use it.  I assume this code is stored in 
>> a cookie or file somewhere, and if so defeats the purpose of an extra 
>> security measure.
>>
>> Cheers
>> G
>>
>> Ken Laurie wrote:
>>
>>> Hi John
>>>
>>> Yes, bad coding practices strike again. Some of these web site 
>>> designers/programmers (I use the words lightly) need to wake up and 
>>> really look at what problems they are causing. I have been in IT for 
>>> 28 years and I could go on about this for ages but I won't.
>>>
>>> regards
>>> Ken
>>>
>>> John Angelico wrote:
>>>
>>>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>>>
>>>>> Hi John
>>>>
>>>> Hi Ken.
>>>>
>>>>> Remember this vulnerability is for all web browsers and you are 
>>>>> only 'secure' because you are not allowing the web site being used 
>>>>> to demonstrate the vulnerability to open a popup. If you use 
>>>>> Citibank then you would need to allow it to open popups and would 
>>>>> then have the vulnerability.
>>>>
>>>> Hmm, interesting.
>>>>
>>>> One of my bank sites doesn't open popups (one page for login then 
>>>> the same page for activities), and the other opens another page 
>>>> where I login, and that's all.
>>>>
>>>>> The best defense for this vulnerability, until it is resolved, is 
>>>>> when visiting trusted sites that you permit to open popups (such 
>>>>> as most bank sites) not to visit other sites at the same time.
>>>>
>>>> I would be mounting a challenge to Citibank about popups.
>>>>
>>>> I would refer them to Jakob Nielsen's site: useit dot com on usability 
>>>> guidelines, or a less polite rant-style page like:
>>>> http://members.optusnet dot com dot au/~night.owl/morons.html
>>>> where yes, he has an attitude, but he puts a lot into it about 
>>>> better web authoring.
>>>>
>>>>> I tend to have the habit of only doing my banking without any 
>>>>> other sites open. My advice to all is to make sure they have no 
>>>>> other web sites open when doing their banking, even if this 
>>>>> vulnerability is resolved.
>>>>
>>>> Yes, it's a good "paranoia habit" to get into - like hiding your 
>>>> hand as you punch in your PIN at an ATM.
>>>> I ALWAYS close the tab or window or browser session of my banking 
>>>> page when finished too.
>>>>
>>>>
>>>> Best regards
>>>> John Angelico
>>>> OS/2 SIG
>>>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>>>> ___________________
>>>>
>>>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John Angelico
>>>> ... "Daddy, when will I be old enough to delete Windows?"
----------------------------------------------------------------------------------
 

**= Email   2 ==========================**

Date:  Sun, 12 Dec 2004 11:08:50 +1100
From:  Ed Durrant <edurrant at bigpond dot net dot au>
Subject:   Telstra have fixed Webmail !

Hi All,

  Good news - Telstra have fixed access to their Webmail
system, which from earlier this week was only accessible
from Microsoft IE browser is now once more fully accessible
from IBM Web Browser, Mozilla and Opera/2 !!

  I haven't as yet had a reply to my complaint however it
seems my complaint, along with I suspect a lot of other
people's have moved them into action.

  Good on TELSTRA !

  Cheers/2

   Ed.

----------------------------------------------------------------------------------
 

**= Email   3 ==========================**

Date:  Sun, 12 Dec 2004 12:02:19 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:  Re:  Browser vulnerability report by Secunia Window Injection

Hi Gavin

Depends on who you speak to as to what they want to call it. Some refer 
to it as a dongle, others a security token or fob. Either way, these are 
the best type of security to use in these circumstances. Even if 
somebody did get the one-time password it would be useless to them.

What happens with these devices is they display, say, a 6-digit number 
which changes, normally every 60 seconds. When you log on to your bank 
site they request your userid, and then in the password field you would 
enter your PIN and the current 6-digit number. This is then checked at 
the security server and if all is OK you get access. The batteries in 
these devices usually last for three years, so after three years you 
would need to get a new one and re-sync everything to gain access. One 
inconvenience every three years is worthwhile considering the extra 
security you get from using these devices.

I use both a hardware one, similar to what is being offered, and a 
software one to access the environment at work. The software one 
basically emulates a hardware device; it is just limited to the one PC 
instead of being able to use any PC. What makes it even worse is there 
is only a windoze software device.

regards
Ken


Gavin Miller wrote:

> Hey Ken,
>
> Mmm... Interesting.  It seems it's not a dongle after all.  The bank 
> refers to it as a "Security Token", which I assumed to be a dongle of some 
> type.  It generates a 6-digit "Authentication Key", as the bank puts 
> it, so I guess it's using the method you described.  Still need to use 
> the PIN and password that were previously arranged with the bank.  I'll 
> send you some pics off list of the two models being offered. It 
> doesn't appear to attach to the computer at all.
>
> Cheers
> G
>
> Ken Laurie wrote:
>
>> Hi Gavin
>>
>> All the dongles I am familiar with use a combination of a PIN and a 
>> generated number to create a one-time password. This is called 
>> two-factor authentication: something you have (the dongle) and 
>> something you know (the PIN). Usually the password is sent to the 
>> server, which uses a security server such as LDAP to authenticate you. 
>> Even if somebody did manage to get your account or userid and your PIN, 
>> they would need your dongle to authenticate. The dongle and the server 
>> at the other end are synchronised by the initial number on the dongle 
>> and the serial number of the dongle. Using this information and the 
>> appropriate algorithm the server can calculate the next number 
>> generated by the dongle. The number is normally only good for 60 
>> seconds, give or take a bit for delays in getting across the network 
>> etc.
>>
>> This is a good secure method of authentication. It also means that if 
>> you use online banking from other than your own pc the information 
>> captured in cache or cookies etc cannot be used to access your account.
>>
>> regards
>> Ken
>>
>> Gavin Miller wrote:
>>
>>> I sent an e-mail to my bank informing them that JavaScript popups, 
>>> popups in general, and cookies are not secure and that they, as a 
>>> banking institution, should be looking at alternative and more 
>>> secure methods such as a secure server.  My bank offers a dongle 
>>> that you can purchase and register as an added login password.  It 
>>> generates a different code each time you use it.  I assume this code 
>>> is stored in a cookie or file somewhere, and if so defeats the 
>>> purpose of an extra security measure.
>>>
>>> Cheers
>>> G
>>>
>>> Ken Laurie wrote:
>>>
>>>> Hi John
>>>>
>>>> Yes, bad coding practices strike again. Some of these web site 
>>>> designers/programmers (I use the words lightly) need to wake up and 
>>>> really look at what problems they are causing. I have been in IT 
>>>> for 28 years and I could go on about this for ages but I won't.
>>>>
>>>> regards
>>>> Ken
>>>>
>>>> John Angelico wrote:
>>>>
>>>>> On Sat, 11 Dec 2004 09:17:05 +1100, Ken Laurie wrote:
>>>>>
>>>>>> Hi John
>>>>>
>>>>> Hi Ken.
>>>>>
>>>>>> Remember this vulnerability is for all web browsers and you are 
>>>>>> only 'secure' because you are not allowing the web site being 
>>>>>> used to demonstrate the vulnerability to open a popup. If you use 
>>>>>> Citibank then you would need to allow it to open popups and would 
>>>>>> then have the vulnerability.
>>>>>
>>>>> Hmm, interesting.
>>>>>
>>>>> One of my bank sites doesn't open popups (one page for login then 
>>>>> the same page for activities), and the other opens another page 
>>>>> where I login, and that's all.
>>>>>
>>>>>> The best defense for this vulnerability, until it is resolved, is 
>>>>>> when visiting trusted sites that you permit to open popups (such 
>>>>>> as most bank sites) not to visit other sites at the same time.
>>>>>
>>>>> I would be mounting a challenge to Citibank about popups.
>>>>>
>>>>> I would refer them to Jakob Nielsen's site: useit dot com on usability 
>>>>> guidelines, or a less polite rant-style page like:
>>>>> http://members.optusnet dot com dot au/~night.owl/morons.html
>>>>> where yes, he has an attitude, but he puts a lot into it about 
>>>>> better web authoring.
>>>>>
>>>>>> I tend to have the habit of only doing my banking without any 
>>>>>> other sites open. My advice to all is to make sure they have no 
>>>>>> other web sites open when doing their banking, even if this 
>>>>>> vulnerability is resolved.
>>>>>
>>>>> Yes, it's a good "paranoia habit" to get into - like hiding your 
>>>>> hand as you punch in your PIN at an ATM.
>>>>> I ALWAYS close the tab or window or browser session of my banking 
>>>>> page when finished too.
>>>>>
>>>>>
>>>>> Best regards
>>>>> John Angelico
>>>>> OS/2 SIG
>>>>> os2 at melbpc dot org dot au or talldad at kepl dot com dot au
>>>>> ___________________
>>>>>
>>>>> PMTagline v1.50 - Copyright, 1996-1997, Stephen Berg and John 
>>>>> Angelico
>>>>> ... "Daddy, when will I be old enough to delete Windows?"
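The time-synchronised token Ken describes, in his earlier reply quoted above and again in this message, worked through as an added example that is not part of the digest or of any bank's software: a 6-digit code that changes every 60 seconds, a server that derives the expected code from the seed it shares with the token, a PIN typed in front of the code in the same password field, and a tolerance of one step either side for network and clock delay. The arithmetic is the HMAC-based HOTP/TOTP construction of RFC 4226 and RFC 6238, which is one common way to build such a token; the thread does not say which algorithm the bank's token actually uses, and the seed, serial number, PIN and clock values below are constructed for the demo (the seed is the RFC 4226 test secret).

```python
"""Added example: a minimal time-synchronised one-time-password token and
the matching server-side check, in the style the thread describes.

Assumptions (not from the digest): RFC 4226 HOTP / RFC 6238 TOTP with
HMAC-SHA1, a 60-second step, six digits, PIN prepended to the code in the
password field, and a constructed seed, serial number, PIN and clock.
"""
import hashlib
import hmac
import struct

TIME_STEP = 60     # seconds per code, as in the discussion
DIGITS = 6
DRIFT_STEPS = 1    # accept one step either side for network/clock delay


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock.
    This is what the token's display shows at `unix_time`."""
    return hotp(secret, unix_time // step)


class TokenServer:
    """Server-side record for one token: the shared seed plus the last
    time step accepted, so a captured code cannot be replayed."""

    def __init__(self, serial: str, seed: bytes, pin: str):
        self.serial = serial          # constructed; identifies the seed record
        self.seed = seed
        self.pin = pin
        self.last_counter = -1        # no code accepted yet

    def verify(self, password_field: str, now: int) -> bool:
        """Password field = PIN followed by the displayed code."""
        if len(password_field) <= DIGITS:
            return False
        pin, code = password_field[:-DIGITS], password_field[-DIGITS:]
        # Constant-time comparison so timing does not leak the PIN.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        current = now // TIME_STEP
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter < 0 or counter <= self.last_counter:
                continue  # already used, or older than a used code: refuse replay
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"            # constructed demo seed
    srv = TokenServer(serial="0001234567", seed=seed, pin="4711")
    now = 5 * TIME_STEP + 17                  # constructed clock: 17 s into step 5
    shown = totp(seed, now)                   # what the token display reads
    print("token shows", shown)
    print("login with PIN+code:", srv.verify("4711" + shown, now))
    print("same code again:   ", srv.verify("4711" + shown, now))
```

Because the server records the last step it accepted, the code Gavin worried about being captured in a cookie or file cannot be replayed even inside its 60-second window, and a code from an earlier step is refused once a later one has been used. Real deployments add a secret per token, rate limiting on failed attempts, and resynchronisation when the token's clock drifts further than the accepted window.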
----------------------------------------------------------------------------------
 

**= Email   4 ==========================**

Date:  Sun, 12 Dec 2004 17:29:29 +1100 (EDT)
From:  "Chris Graham [WarpSpeed]" <chrisg at warpspeed dot com dot au>
Subject:  Re:  Telstra have fixed Webmail !

On Sun, 12 Dec 2004 11:08:50 +1100, Ed Durrant wrote:

>Hi All,
>
>  Good news - Telstra have fixed access to their Webmail
>system, which from earlier this week was only accessible
>from Microsoft IE browser is now once more fully accessible
>from IBM Web Browser, Mozilla and Opera/2 !!
>
>  I haven't as yet had a reply to my complaint however it
>seems my complaint, along with I suspect a lot of other
>people's have moved them into action.
>
>  Good on TELSTRA !

Not really, they should not have been able to have put it into production
to start with.

-Chris

WarpSpeed Computers - The Graham Utilities for OS/2.
Voice:  +61-3-9307-0344   Internet:   chrisg at warpspeed dot com dot au
FAX:    +61-3-9307-0633   Web Page:   http://www.warpspeed dot com dot au
Postal: WarpSpeed Computers, PO Box 212, Brunswick, VIC 3056, AUSTRALIA


----------------------------------------------------------------------------------
 

**= Email   5 ==========================**

Date:  Sun, 12 Dec 2004 18:38:49 +1100
From:  Ken Laurie <ken.laurie at graeleah dot com>
Subject:  Re:  Telstra have fixed Webmail !

Hi Chris

Now come on. Telstra know that the only people who surf the web and send 
and receive email use windows and iexploder. Telstra can't be expected 
to set up their environment so that any web browser or mail reader can 
work. Sarcasm abounds.

regards
Ken

Chris Graham [WarpSpeed] wrote:

>On Sun, 12 Dec 2004 11:08:50 +1100, Ed Durrant wrote:
>
>>Hi All,
>>
>> Good news - Telstra have fixed access to their Webmail
>>system, which from earlier this week was only accessible
>>from Microsoft IE browser is now once more fully accessible
>>from IBM Web Browser, Mozilla and Opera/2 !!
>>
>> I haven't as yet had a reply to my complaint however it
>>seems my complaint, along with I suspect a lot of other
>>people's have moved them into action.
>>
>> Good on TELSTRA !
>
>Not really, they should not have been able to have put it into production
>to start with.
>
>-Chris
>
>WarpSpeed Computers - The Graham Utilities for OS/2.
>Voice:  +61-3-9307-0344   Internet:   chrisg at warpspeed dot com dot au
>FAX:    +61-3-9307-0633   Web Page:   http://www.warpspeed dot com dot au
>Postal: WarpSpeed Computers, PO Box 212, Brunswick, VIC 3056, AUSTRALIA
----------------------------------------------------------------------------------
 

**= Email   6 ==========================**

Date:  Sun, 12 Dec 2004 16:12:00 +0800
From:  Kev <kdownes at tpg dot com dot au>
Subject:  Re:  No. 1000

Hi Ian

Congratulations on running the best, friendliest, most helpful and most 
informative eCS - OS/2 list in Oz.  At least another 1000 to go.

Cheers
Kev Downes

Ian Manners wrote:
> On Sun, 12 Dec 2004 00:01:09 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600, Digest wrote:
> 
>>**************************************************
>>Saturday 11 December 2004
>> Number  1000
>>**************************************************
>>
>>Subjects for today
> 
> 
> Whaho, Number 1000 ! = 1000 days of posting on this list, 
> This number doesn't include days that there were no postings to the list.
> 
> Cheers
> Ian Manners
> http://www.os2site dot com/
> 
> Help stamp out, eliminate and abolish redundancy!
----------------------------------------------------------------------------------
 

**= Email   7 ==========================**

Date:  Sun, 12 Dec 2004 21:16:52 +1100 (EDT)
From:  "Ian Manners" <deadmail>
Subject:  Re:  No. 1000

Hi Kev

I just host it :-)

Thanks John, Bob, Ed, and everyone on this list, because it's the
people on the list that make the list :-)

> Congratulations on running the best, friendliest, most helpful and most 
> informative eCS - OS/2 list in Oz.  At least another 1000 to go.
 
Cheers
Ian Manners
http://www.os2site dot com/

"I have six locks on my door all in a row.  When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three." -- Elayne Boosler
----------------------------------------------------------------------------------
 

**= Email   8 ==========================**

Date:  Sun, 12 Dec 2004 07:23:15 -0500
From:  Chris_neeson <Chris_Neeson at compuserve dot com>
Subject:  Re:  ECD's?

Good Grief!

Regards?
Chris
 
------ Paul replied ---------
A CD that has both audio & data tracks.  Generally the data tracks are 
multimedia files - film clips or such.

os2cdrom.dmd included with eCS 1.2 doesn't appear to be able to handle 
them...

------- to Chris' question -----------
> Actually, what is an 'enhanced' CD?
> ( while this topic is within recent memory ).
----------------------------------------------------------------------------------
 
**= Email   9 ==========================**

Date:  Sun, 12 Dec 2004 13:49:27 +0100
From:  Kris Steenhaut <kris.steenhaut at hccnet.nl>
Subject:  Re:  Telstra have fixed Webmail !



Ken Laurie wrote:

> Hi Chris
>
> Now come on. Telstra know that the only people who surf the web and 
> send and receive email use windows and iexploder. Telstra can't be 
> expected to set up their environment so that any web browser or mail 
> reader can work.

Yes, they can be expected to. For the good reason that they are expected 
to comply with HTML and JavaScript standards.

The reason why only IE could see the Telstra pages was that there 
were errors upon errors in their scripts, to which IE _failed_ to 
react properly. And that is exactly one of the reasons why IE is the 
most unsafe program you can think of.


-- 
Greetings from Gent,

   Kris

----------------------------------------------------------------------------------
 

