Avid Pro Audio Community

#1  04-25-2010, 02:14 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
warning: security meta-redirections after logging..

DUC Members:

I am reporting a newly developed concern. After logging in here (duc.digidesign.com) there is now a meta-redirection error. My NoScript settings have not changed.

Without blocking meta-redirection in NoScript w/ Firefox, going to a site like YouTube you can be lured to a 'hacker site' hosting material with similar tags. Do not allow meta-redirection. At YouTube click the actual video you want to watch. Period. None of that internal video-within-video redirection crap! It is a security risk not worth taking.

AVID's developers have made some change to the website. I doubt this is a good one.

So Meta-redirections now? Since April 23rd 2010.

XSS scripting attempts to hack us or steal our login credentials on the DUC. AVID, you have no secure login. No https cookies. No Ph.D. or M.D. working for the government will be allowed at your website user conference. Period!

We also do not feel our identities should be stolen by hackers and used to log into this site. Or allow XSS hacks. Now that you have Eastern European access points, also Asian, Chinese, Taiwan, and Australia: Australia -- home of the psybot infecting the most common Netgear and Linksys home routers. No single country is secure but some are way more insecure than others.

Enforce an encrypted cookie policy. No XSS hacks allowed, as many of us do use NoScript with Firefox. And only an https: login. SSL-3 or TLS-1 w/ NoScript default settings sanitize XSS. Once the addon is installed, restart Firefox, go to the NoScript icon at the bottom right corner of the Firefox page, leave the default settings, then go to Options: enforce encrypted cookies, then enter domains: avid.com, digidesign.com, bank.com, etc.

Read here: http://maone.net/

Firefox 3.6 and NoScript 1.9.9.42

New NoScript only allows these meta-redirections:
^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^http://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^http://translate\.google\.com/translate_t[^"'<>\?%]+$


More Warnings

We all need to surf with history erased as much as possible. If you need history for a session, save it and clear it, then go back to private browsing mode. You can open up your history in Firefox and save it as bookmarks in a folder on the desktop. Then clear all history, login passwords, cookies, and surf in 'privacy mode' so no cache goes to hard disk. This is how the RGB (Russian Hacker Group & Turk Hackers) were infecting Safari caches from innocent BBS sites. These were embedded JavaScript trojans that could run Java applets.

Also, a Firefox addon called RefControl will block all third-party header referrals; these are used by hackers, along with history, to follow your movement around the internet and a site you commonly log into or click on a prearranged button, such as (Preview Changes), (Save Changes), post new thread, etc. It takes seconds for a good hacker to 'clone' the DUC's thread post page, and as I am typing this edit it could be done: when I click save, what I am clicking is an invisible HTML 'radio button' underneath. If you are security conscious and are not in privileged mode, and system preferences etc. all require admin authorization, you should be safe. No admin surfing privileges on this login, as I administer my computers securely. I recommend everyone to do the same. This is critical. Again: no Federal employee has admin privileges. They hand out specially constructed Dell laptops, pre-set, and no admin access, period. No VOIP. No SKYPE. If you do use SKYPE, use it as a non-privileged user, but when you quit the app it still leaves incoming ports open. So now you must restart your machine. So beware of SKYPE.

CD Baby

OK, went to listen to the album we recorded, as I hadn't cracked the plastic. Also I was overruled in my choice of tunes to place on the CD. Actually a CD-ROM now, which I didn't know about. Big deal. We all get our feelings hurt, especially recording, producing, or with album credits, no credits and such. As I said: no payment.... a labor of love... the world needs songs with meaningful lyrics. AVID, please understand you're doing a great service capturing art, but 99.9 percent of artists don't have money. We can't afford Apple computers anymore. Done deal. Going to a Quad Core but XP.

Norton Internet Security warned me not to go to CD Baby. I went anyway and the XSS hack attempts followed me. So my advice: follow the security advice I am passing on...

Use the RefControl addon in Firefox 3.6+ and block all third-party referrals (header) used to track you. Or, for even more security, under Tools block all header referrals; however, some sites may not 'work'. Firefox can be set to always open in privacy mode. Unless you have problems watching Hulu videos, set your cache to zero KB.

Your movement across the internet now cannot be tracked as easily.

Also, don't think I am being paranoid; this is why so many of us use NoScript and Firefox. ALL FEDERAL employees have been required for nearly 4 years to use Firefox. After logging into a secure site, quit Firefox so it clears its secure cache. Apple users: use secure virtual memory. All control panel settings require an admin password to change. This is basic 101 in security. As stated before, unencrypted cookies can be stolen. Encrypted cookies hackers can't deal with; only government does this, and unless it's the Chinese government we don't care, do we?

Myspace & Facebook previously used unencrypted cookies; this is how hackers impersonated users and planted trojans, emailing them to an entire address book in Facebook x 190,000. DO NOT ALLOW cookies! Enforce an encrypted cookie policy.

I HAVE BEEN ON THIS BOARD SINCE 1999 (but took a long hiatus because of illness)

If everyone demanded an https login and https (TLS-3 preferred over SSL-3) encrypted cookies, it would be done.

I believe hackers follow you from CD BABY or big sites that require JavaScript and ActiveX or Silverlight, and when you arrive at a site like this they might clone the HTML and know exactly where the 'buttons' are for you to push. You won't see this happening. XSS hacks underlay HTML code that is invisible to you, and when you click (post new thread) or something similar you may inadvertently install malware or allow Flash video cam access by all websites. Since our login password is unsecure, on open wifi networks or big ISPs like Comcast or Cox this is a threat. XSS has been an ongoing problem with Macromedia not calling 'Flash Player' security settings by its real name: instead they call it "Settings Manager".

Mark my words. All versions of Flash (even the latest release) are insecure because Macromedia/Adobe does not require a password or some form of verification. MAC addresses are cloned constantly by even kiddy scripters (they should allow users on their own computers to authenticate as an admin user and only then allow Flash Security Settings to be altered). They force you to go to their website, on a non-https page. Apple is right-on IMHO.

How many of you have actually gone to Macromedia, searched Flash Player "Settings Manager" and played around? These settings are a joke. If your eyesight camera was turned on by an XSS hack, allowing any website to access it without your permission, you would never know, because Macromedia would be sued. So they hide the fact that it has changed by not showing you the current state, and forcing you to confirm changes regardless of whether you are making changes or not. This is deliberate. Also, Flash: deny global storage and watch the 'empty' folders appear -- simply search .SWF and you will find them, many with hex names on the folders. Sure they are empty, but you are being tracked against your express wishes to deny global storage. In the hex name is code that tells exactly where you were viewing Flash. On and on and on... Macromedia continues to allow this unbelievably insecure program. Some open-source developers even call it the most 'evil program' out there. So beware.

Apple is battling Adobe now for good reason regarding FLASH PLAYER. They want to secure the iPhone and iPad.

HP installs insecure Flash Player 7 at root in Unix when you simply install their printers. Now Flash Player has root permissions. Unbelievable. There are not even instructions regarding this installation or how to remove it. Macromedia/Adobe needs another spanking IMHO. First Omniture spyware (open ports), then they buy Omniture.

NEVER SURF WITH ADMIN PRIVILEGES EVER!

Always download the Flash de-installer and de-install Flash for all users with all web browsers closed. Then, with the latest version (if you choose to use Flash), install for each user. PITA, but it is worth it.

IF you install an HP printer, beware: only the Macromedia Flash Player de-installer can remove this as an admin user (log in as privileged, log out and re-log in as non-privileged). NEVER SURF WITH ADMIN PRIVILEGES. Each user then has to go to Macromedia's web page to set Flash Security Settings. So you see, you are forced to go there with admin privileges enabled. It is the worst setup.

Apple is right to boycott Flash Player. Alternative --- Click2Flash --- open source, plays in a QuickTime window. Perian is another open-source codec and control panel that allows DivX and AVI/FLV to play within QuickTime, and also Dolby 5.1 or stereo.

Please look into this. Everyone, I can't stress how important this is. Or place a band-aid over your eyesight cam.

Peace & Safe Surfing

Over & Out.

Last edited by aka21stCentury; 04-25-2010 at 09:29 AM. Reason: too many typos: plus I added a bunch of good security tips!
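The four NoScript meta-redirection patterns quoted in the post above can be checked mechanically, which makes it easier to see what they do and do not let through. The following is an added example, not code from the post or from NoScript: it pulls the target URL out of a page's meta refresh tag and tests it against the post's four patterns, copied verbatim into JavaScript regex literals. The helper names (metaRefreshTarget, isAllowedMetaRedirect, classifyMetaRefresh) and the sample pages, including the example.invalid hosts, are constructed for the example.

```javascript
// Added example, not code from the thread or from NoScript: extract the
// target of a <meta http-equiv="refresh"> tag and decide whether it matches
// one of the four meta-redirection patterns quoted in the post.

// The four patterns from the post, written as JavaScript regex literals.
const META_REDIRECT_ALLOWLIST = [
  /^http:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/,
  /^http:\/\/([a-z]*)\.?search\.yahoo\.com\/search(?:\?|\/\1\b)/,
  /^http:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"<>\?%]+$/,
  /^http:\/\/translate\.google\.com\/translate_t[^"'<>\?%]+$/,
];

// Return the URL a page's meta refresh would send the browser to, or null.
// Handles either attribute order and a quoted or bare url= value.
function metaRefreshTarget(html) {
  const tagRe = /<meta\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    if (!/http-equiv\s*=\s*["']?refresh["']?/i.test(tag)) continue;
    const content = /content\s*=\s*(["'])(.*?)\1/i.exec(tag);
    if (!content) continue;
    const url = /url\s*=\s*['"]?([^'"\s]+)/i.exec(content[2]);
    if (url) return url[1];
  }
  return null;
}

// True when the target matches one of the allowlisted patterns.
function isAllowedMetaRedirect(url) {
  return META_REDIRECT_ALLOWLIST.some((re) => re.test(url));
}

// Decision for a whole page fragment: no-redirect, allow or block.
function classifyMetaRefresh(html) {
  const target = metaRefreshTarget(html);
  if (target === null) return { target: null, decision: 'no-redirect' };
  return { target, decision: isAllowedMetaRedirect(target) ? 'allow' : 'block' };
}

// Constructed sample pages (hosts under example.invalid are placeholders).
const SAMPLES = {
  googleSearch: '<html><head><meta http-equiv="refresh" content="0;url=http://www.google.com/search?q=noscript"></head></html>',
  googleRedirector: '<meta http-equiv="refresh" content="0; URL=\'http://www.google.com/url?q=http://example.invalid/\'">',
  wikipedia: '<meta content="3;url=http://en.wikipedia.org/wiki/Cross-site_scripting" http-equiv="refresh">',
  videoHost: '<meta http-equiv="refresh" content="0;url=http://videos.example.invalid/watch?v=123">',
  plainPage: '<html><head><title>no refresh here</title></head></html>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, classifyMetaRefresh(html));
}
```

Note that the google.com/url redirector is refused even though the host is google.com: the first pattern only admits the search and custom paths, or a path that repeats the subdomain (maps.google.co.uk/maps?). The Wikipedia and Translate patterns refuse any target that contains a question mark, quotes, angle brackets or a percent sign, so a redirect cannot smuggle a query string or encoded characters through them.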
#2  04-25-2010, 10:17 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
Re: warning: security meta-redirections after logging..

OK. First went to AVID.COM then to Pro Tools and Communities and no more meta-redirections. So your old bookmarks no longer work folks.

Also the time of this post PST USA is 10:17 AM
#3  04-25-2010, 10:19 AM
necjamc (Member; Join Date: Oct 2009; Location: RI; Posts: 2,671)
Re: warning: security meta-redirections after logging..

If it doesn't say 10:17 for you then you most likely would have your time zone in your User CP set wrong.
#4  04-25-2010, 10:25 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
Re: warning: security meta-redirections after logging..

No one else. I can't imagine not getting this right. I was on the ball in 2000. But will check. I couldn't find it before as things changed from last time I was on here like 5 years ago or something.
#5  04-25-2010, 10:29 AM
necjamc (Member; Join Date: Oct 2009; Location: RI; Posts: 2,671)
Re: warning: security meta-redirections after logging..

Go to your USER CP, click Edit Options, then check your timezone settings.
#6  04-25-2010, 10:33 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
Re: warning: security meta-redirections after logging..

How or when did this change on the DUC? My settings were indeed Greenwich Mean Time. I know they were originally set to PST. Fixed now.
#7  04-25-2010, 10:45 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
Re: warning: security meta-redirections after logging..

Re: Security. Why am I sometimes seeing "Share This" and "Google" in my script options? All that is required is digidesign.com.

Also when I change pages on the DUC I am required to re-allow Digidesign to run scripts. This is nuts. The two cookies I see are duc.digidesign.com and avid.com and this is the way it should be. However...

So Avid is using "Share This" now? Is this the pop-up asking for feedback on the new website? I like the look of it. Very professional. A friendly face. Certainly not the Berkeley Well of the old days. But I don't like non-https logins or non-https cookies. Also, we should be allowed to bookmark the DUC directly. Even Firefox gives a redirect warning...

And Digidesign.com is wanting me to turn on "Google Scripts" this makes no sense. Please someone give me a reason?

Must have been changes made previously to the DUC, as my privacy settings had been set to 'open' and I don't make those kinds of mistakes (not intentionally anyway). Now only registered users can view personal info. I just changed this and the time zone (why and how GMT I'll never know).

Last edited by aka21stCentury; 04-25-2010 at 10:51 AM. Reason: brain drain. Typos.
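The "non-https cookies" complaint in the post above, and the encrypted-cookie request in the first post, come down to the attributes on the Set-Cookie header: a cookie without the Secure attribute is sent by the browser on plain-http requests too, and a cookie without HttpOnly can be read by any script running in the page. The following added example (not code from the thread, from vBulletin or from Avid) parses Set-Cookie header lines, reports which of those attributes a login-related cookie is missing, and produces the same header with the missing attributes added. The cookie names, values and the forum.example domain are constructed for the example.

```javascript
// Added example, not code from the thread: audit Set-Cookie headers for the
// attributes that keep a login cookie off plain-http connections and away
// from injected script. Cookie names, values and domains are constructed.

// Parse one Set-Cookie header value into its name/value pair and the
// attributes this audit cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,   // Secure: the browser sends the cookie only over https
    httpOnly: false, // HttpOnly: document.cookie cannot read it
    sameSite: null,  // SameSite: limits sending on cross-site requests
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.trim();
  }
  return cookie;
}

// Names of cookies that carry login state (constructed for this example).
const SENSITIVE_COOKIES = ['sessionid', 'userid', 'password'];

// Report which protections a sensitive cookie lacks; other cookies pass.
function auditCookie(header, sensitiveNames = SENSITIVE_COOKIES) {
  const c = parseSetCookie(header);
  const findings = [];
  const sensitive = sensitiveNames.includes(c.name);
  if (sensitive) {
    if (!c.secure) findings.push('missing Secure: sent in clear over http (open wifi, ISP path)');
    if (!c.httpOnly) findings.push('missing HttpOnly: readable by injected script');
    if (c.sameSite === null) findings.push('missing SameSite: attached to cross-site requests');
  }
  return { name: c.name, sensitive, findings };
}

// Produce the corrected header: same cookie, missing attributes appended.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  const parts = [header.trim().replace(/;\s*$/, '')];
  if (!c.secure) parts.push('Secure');
  if (!c.httpOnly) parts.push('HttpOnly');
  if (c.sameSite === null) parts.push('SameSite=Lax');
  return parts.join('; ');
}

// Constructed headers: the kind a forum login might set over plain http.
const SAMPLE_HEADERS = [
  'sessionid=4f2a9c; path=/; domain=.forum.example',                                    // weak
  'password=hashedvalue; path=/; domain=.forum.example; HttpOnly',                      // still not Secure
  'sessionid=4f2a9c; path=/; domain=.forum.example; Secure; HttpOnly; SameSite=Lax',    // hardened
  'theme=dark; path=/',                                                                 // not sensitive
];

function auditAll(headers) {
  return headers.map((h) => auditCookie(h));
}

for (const h of SAMPLE_HEADERS) {
  const r = auditCookie(h);
  console.log(`${r.name}: ${r.findings.length ? r.findings.join('; ') : 'ok'}`);
  if (r.findings.length) console.log('  corrected: ' + hardenSetCookie(h));
}
```

The Secure attribute only helps if the login form itself is served and submitted over https; a cookie marked Secure that was first issued in response to a plain-http login has already crossed the network once in the clear, which is why the two requests in the thread (https login and protected cookies) belong together.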
#8  04-25-2010, 10:48 AM
necjamc (Member; Join Date: Oct 2009; Location: RI; Posts: 2,671)
Re: warning: security meta-redirections after logging..

Glad you solved it.
#9  04-25-2010, 11:38 AM
aka21stCentury (Member; Join Date: Jun 2000; Location: Loma Prieta Fault; Posts: 779)
Re: warning: security meta-redirections after logging..

Thanks.

The time setting problem was not my problem, though. Somehow this was changed to 'default' GMT, as were my CP security settings (all open), without my permission. Whether this happened years ago and there was a notice to this effect I can't say.

Also, more red flags from NoScript warning not to resend data.

IMPORTANT

Is this because vBulletin uses quotes with meta tags (javascript)????

Here is an example.

Quote:
<div align="center">
<div class="smallfont" align="center">
<!-- Do not remove this copyright notice -->
Powered by: <a href="http://www.dpbolvw.net/...editing code out..." target="_blank" onmouseover="window.status='http://www.vbulletin.com';return true;" onmouseout="window.status=' ';return true;">vBulletin</a>, Copyright &copy;2000 - 2008, Jelsoft Enterprises Limited.</a> Hosted By: <a href="http://www.urljet.com/red.php?a_aid=c29a317b" target="_blank">URLJet.com</a>
<img src="http://www.ftjcfx.com/ht75xxxxxuserpsword?xxxxx" width="1" height="1" border="0"/>
<!-- Do not remove this copyright notice -->
</div>
Here is what NoScript says about XSS

http://noscript.net/faq#xss

Quote:
4 - XSS
4.1
What is XSS and why should I care?
4.2
Looks like the Anti-XSS feature causes problems with URLs containing some characters such as <, ' (single quote) or " (double quotes). What's happening?
4.3
Can I turn off Anti-XSS activity notifications?
4.4
Can I bypass Anti-XSS filters for certain web pages?
4.5
Can I turn off the Anti-XSS protection?
4.6
Why does NoScript block documents loaded from jar: URLs?
4.7
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
4.8
How does IFrame blocking work and why is it disabled by default?