- To: slug@xxxxxxxxxxx
- Subject: Re: XecureBrowser - looks like snake oil to me. (was Re: [SLUG] Browsers for banking)
- From: Mada R Perdhana <mrp.bpp@xxxxxxxxx>
- Date: Thu, 11 Nov 2010 10:31:54 +0700
I think it is too careless if this is just a scam, because the
developers also threw a request to the public (the information
security community) to perform tests on their application. From the
existing web (https://www.xecureit.com/xb/), we could also see that
they had an affiliation with ISACA and CISSP certification, which in
my personal opinion is too reckless to "drag" these two big names
into, since it would make a big reaction from the information security
communities. Maybe some of the security experts in here could also do
some tests with that thing, to prove whether XB is just a scam or it
really works to secure IB transactions.
Anyway, again... everything returns to the user, to determine which is
the most secure (or convenient?) way to conduct IB transactions.
On Thu, Nov 11, 2010 at 7:05 AM, Daniel Pittman <daniel@xxxxxxxxxxxx> wrote:
> Mada R Perdhana <mrp.bpp@xxxxxxxxx> writes:
> How interesting. It looks pretty much like snake-oil, a scam intended to
> scare folks who don't know much about security, to me.
> The problems start with their lack of presence: the main bits of presence
> are a FaceBook page, a twitter account, and a Yahoo Group with barely
> coherent writing about their content.
> They do, though, do the scam-focused thing: waffle vaguely about security
> issues, claim (but do not prove) they are more secure, then tell you that you
> are a bad person if you don't instantly convince your friends to use their
> They do have an email address, apparently attached to some Google Apps
> hosting, and a website with links to their 2008 security forum, and a copy of
> the same information about security (eg: none) as their FaceBook page
> They start with the *technical* issues by claiming that "techniques of
> cracking the SSL implementation" are widespread, but provide no evidence about
> what those techniques are - or why they are, for example, not being widely
> reported since that would be huge security news.
> If we generously assume that they mean that attackers are running software on
> your machine to intercept content *without* having to violate the
> cryptographic security of the SSL/TLS protocol then they have a huge burden of
> proof in the form of demonstrating their software actually does anything.
> Which, of course, they don't deliver.
> Meanwhile, if we look to their writing on the facebook "page" they have some
> excellent advice for you: you can keep the software safe by keeping the
> original zip file around, and if you ever have a doubt (sic) you can just
> extract the executable again.
> Because, y'know, an attacker would never, ever think of being able to attack a
> bit of software every time it ran, or to fiddle with an executable inside a
> zip file. That would be, y'know, hard!
> They also explain that in the next couple of versions they will be working to
> fix security problems like hijacking of your laptop - so, y'know, if this
> issue has not been addressed in this version then, hey, apparently our
> generous assumption earlier was inaccurate.
> They *can't* be claiming that they secure the system against local attacks,
> leaving *only* that these hackers are breaking the SSL/TLS protocol. Oh,
> Their public don't help, either. The top hits contain claims like this:
> As you know, break-ins money can through hypnosis, ATM card fraud, and
> phishing. Phishing is a cunning technique to obtain sensitive information
> while transacting through Internet Banking. They stole your information
> such as the username, password, credit card numbers and so on-depending on
> the form of phising
> I know that one of my huge security concerns, which a secure web browser could
> help with, is that I might be subject to hypnosis or ATM card fraud! Those
> damn hackers and their hypnotic virus powers!
> So, MRP: this looks convincingly like something that is at best snake-oil, and
> at worst outright fraud. Care to respond?
>> Try XecureBrowser, it's a browser design for ibank transaction,
>> protect from ssl injection or anything which relate with ibank crime
>> On 11/10/10, Jeremy Visser <jeremy@xxxxxxxxxxx> wrote:
>>> Jim Donovan said:
>>>> Commonwealth opens extra windows but only logs off in one of them;
>>>> you have to close the others by hand. Not that they will work after
>>>> logoff but it's lousy security.
>>> I don't know what browser you use, but in Chromium I just typed
>>> 'netbank.com.au', logged in, and not a single browser window was opened.
>>> The NetBank interface just opened in the same browser window.
>> Linkedin : http://id.linkedin.com/in/mrpbpp
>> PGP ID : 0xDC3A483A
>> PGP Fingerprint : FCBE 697C 3C47 89D2 C28F 6C94 E607 7E99 DC3A 483A
>> See http://www.keyserver.net or any PGP keyserver for public key
>> "Never Trust an Operating System You don't have the Source for..."
>> "Closed Source for device Driver are ILLEGAL and not Ethical... act!"
>> "Isn't it, MS Windows a real multitasking OS?, Why? 'Cause It can boot and
>> crash simultaneously!"
> ✣ Daniel Pittman ✉ daniel@xxxxxxxxxxxx ☎ +61 401 155 707
> ♽ made with 100 percent post-consumer electrons
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html