Re: Tried a Security key on XP - no go


Mayayana

Mar 24, 2022, 8:47:46 AM
"Charlie+" <cha...@xxx.net> wrote

| As an aside - when installing the security key to google with W7, a good
| few software items were automatically downloaded to make it all work and
| install correctly, it's not as simple as they all make it sound!

I can't believe how bad GMail has become. You need
to prove your ID "six ways from Sunday" so that you
can see email from a friend that Google has already
rifled through.

Now you need multiple software programs to log in? It's absurd.
Any important files are not sent as email, anyway. Neither
my bank nor my doctor will send me anything directly.
Instead I have to log into a "secure" website, where some
college kid who doesn't know how to code has written a
webpage on top of script "libraries" that pull in code from
5 external domains, which won't display at all on XP, despite
having New Moon browser that's only a few months old.

It sounds like you're determined to stay with Google's
spyware operation no matter what, but you might consider
that you could have your own domain, with dozens of email
addresses, for about $10/month. Then you could also have
a website there if you wanted to. But you would have to
wean yourself away from Google's teat. I can see why they're
appealing to so many people. They make it almost effortless
to use high quality, free versions of just about anything people
want to do on a computer. It's an interesting strategy. MS
and Apple both try to keep you in their own little world, but
Google does a better job of that without even needing to
own the OS.



Paul

Mar 24, 2022, 11:22:43 AM
On 3/24/2022 3:26 AM, Charlie+ wrote:
> Just thought this might be of interest..
> On XPSP3 (x32) I tried to add a USB security key (Feitian K9+NEC) to my
> gmail account as a backup 2F login route for the coming nuisance.
> Not possible either to add the key to Google (using XP + Firefox) or to
> achieve a 2F login through the key on XP once I had already added the
> key using a Win7 browser.
> I don't think XP has the drivers or whatever to cope with a security key
> (maybe they all have to use x64 ?) although it recognizes a HID item has
> been plugged in.
> As an aside - when installing the security key to google with W7, a good
> few software items were automatically downloaded to make it all work and
> install correctly, it's not as simple as they all make it sound!
> Maybe W10 has the gen already built in?
> I tried Linux+FF second after failing with XP and managed to bugger up
> that system trying, so beware. Debian +FF crashed that computer with
> the key plugged in and a reboot wouldn't work - Grub failed completely
> and repair not possible, so be prepared! And I still don't know if Linux
> registration of the key would be possible! I went to W7 after that.
> However it is possible to subsequently 2F login with the key using Linux
> +FF... C+
>

I have no idea what this gibberish means. Maybe it applies to the K9.

COS: 4.7.00
FIDO: 7718
OTP: 7435 AAGUID = ee041bce-25e5-4cdb-8f86-897fd6418464

https://fido.ftsafe.com/windowslogon/

"The current version of FEITIAN Windows Logon Tool is in
public preview version.

If you have any feedback about the tool and document, please
contact FEITIAN Technical Support from: https://ftsafe.com/Support/Inquiry
"

That looks to be Windows 10-ish terminology of some sort.

https://fido.ftsafe.com/guides/

Tools and Advanced Configurations

To maximize the usability of FIDO Security Keys, FEITIAN have
developed a series of companion tools for additional features
and security key management. Find the tools suitable for you
here or contact us if you have specific requirements.

FEITIAN Windows Logon Suite

FEITIAN Windows Logon Suite provides an additional layer of
normal PC/workstation authentication; with the support of FEITIAN
FIDO Security Keys, users can experience MFA on their Windows system.
Click Here for more detail.

FEITIAN OTP Tool

FEITIAN OTP Tool is used to manage the optional OATH HOTP function
provided by ePass FIDO and ePass FIDO-NFC Security Keys and to manage
protocol switching. Click Here for more detail.

This looks more like it. It might actually do something. Hmmm.

https://fido.ftsafe.com/otptool/

Managing communication protocol

Both ePass FIDO-NFC and ePass FIDO Security Key support both
FIDO HID and OTP communication protocols.

– OTP protocol enables the security key to act as a virtual keyboard.
The OTP value will be automatically typed in when the user presses the button.
...

Managing OATH HOTP

To enable the HOTP function, please follow the steps below:

1. Click the Random data button to generate a random SN and OTP Seeds on the top:

2. Record the SN and Seeds and Upload to the website you want to use.

3. Click Save to burn the seed into ePass FIDO-NFC. You will be asked
to touch the button to confirm as well. When it succeeds, you will be able
to see the following information in the middle of the application:

When the key is plugged in, the OTP value will be generated in the
cursor when the button is pressed.

4. The HOTP in FEITIAN ePass FIDO-NFC supports a multi-user function, which
means that multiple OTP seeds can be saved in ePass FIDO-NFC. But there
is only one active user, which is the user shown in red font.

(Note: It is recommended that you keep a record of the relationship
between SNs and Accounts. FEITIAN is not liable for locked accounts
if the relationship is lost.)

(Note: Do not store the plaintext OTP seed anywhere after it has been uploaded to the website!)

*******

These people obviously work for the bomb disposal squad.
They will tell us about the red and blue wire... when there
is no red or blue wire.

I have a suspicion that maybe:

Download this:

https://download.ftsafe.com/files/FIDO/OTP_TOOL_5.0.zip

1) You generate a SerialNumber (SN) and Seed for a particular purpose.
Record it. Send it to the party expecting this authentication.

2) With the "tool" open, the SN and Seed form a row in the display.
Cursor down to the row in question. The device is then presumably
told to prepare for a button press on the top. Selecting the row,
prepares the device for that specific function. I could not tell
you whether any tool-clicks are required at this point.

3) Pressing the button of the HID, while some application window
has the focus, *may* send authorization to the site. The site
will decode using the previously uploaded SN and Seed. Crypto is
involved, so your token is not sent as plaintext.

With lots of possibilities for being locked out. And in the
case of someone like GMail, you can imagine the copious quantities
of help you'll be getting.

I don't really like the manifest, because of the "6.0.0.0" part (Vista OS?).

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls'
                        version='6.0.0.0' processorArchitecture='x86'
                        publicKeyToken='6595b64144ccf1df' language='*' />
    </dependentAssembly>
  </dependency>
</assembly>

But the executable looks hopeful. Looking at Detail tabs, it's worth at least
trying it on Windows XP. No, it doesn't have malware in it. I scanned it
with Defender.

https://www.virustotal.com/gui/file/ec298b28cebac7ac7ac2ee8518a0fe0355d23a7c60e0779e4e2316d212fcd434/details

Name: OtpTool_5.0.exe
Size: 1,691,136 bytes (1651 KiB)
SHA1: 32CF771C05AA1ECC385D55B1D715B83D5EBF517F
SHA256: EC298B28CEBAC7AC7AC2EE8518A0FE0355D23A7C60E0779E4E2316D212FCD434

You should keep the folder structure so the tool can find its
graphics files to paint the "skin" on the screen.

And you should have bought a USB extension cord and
made yourself a desk mount for the key, so it does not
get broken, or the connector worn out. Check for the need
to support the key mechanically, as you will be pressing the button
on a daily basis.

I have no idea what this thing does -- the above is merely
a wild guess.

Paul

Antler

Mar 24, 2022, 11:33:35 AM
Try MyPal browser.

Mayayana

Mar 24, 2022, 12:32:33 PM
"Antler" <Ant...@Antler.com> wrote

| Try MyPal browser.
|

According to their website, MyPal is based on Pale Moon.
I'm using New Moon, which is a recent Pale Moon for XP. But
PM itself is a different rendering engine from Firefox. I find
I have more problems with recent NM than I do with FF 52.
And I get the advantage of not using a browser with a childish
name and a childish icon. :)


Paul

Mar 25, 2022, 3:56:29 AM
On 3/25/2022 3:08 AM, Charlie+ wrote:

> > I have no idea what this gibberish means. Maybe it applies to the K9.
> >
> > COS: 4.7.00
> > FIDO: 7718
> > OTP: 7435 AAGUID = ee041bce-25e5-4cdb-8f86-897fd6418464
> >

> snip
> Sorry if my Security Key experience was badly told! C+

I was referring to this information shown on the web page.
Is a customer of this hardware device expected to be familiar
with three standards versions? If these are standards,
I've never heard of them before.

COS: 4.7.00
FIDO: 7718
OTP: 7435 AAGUID = ee041bce-25e5-4cdb-8f86-897fd6418464

As a HID device, it is "typing" into the window that currently
has focus, when you push the button. That seems to be the concept
as I understand it. The device is multi-channel, and the "otp-tool"
tells the stick in advance, which channel/stream it is sending
to the "thing" or "web site" needing authentication. You can authenticate
multiple things, by selecting the channel, before pushing the button.

On the SecurID cards we had at work, there was no electrical connection,
and you copied a six digit code to the thing needing authentication.
And that particular scheme was time based, and clock drift on the
card could foul up the sequence delivery. These FIDO devices
obviously have some solution for that (where the sequence isn't
canned, and it's likely to be a challenge/response).

Paul
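
The OATH HOTP function that the OTP tool (quoted earlier in the thread) burns into the key is RFC 4226: key and site share a seed and a counter, each button press emits HMAC-SHA1 of the counter truncated to six digits, and the site has to tolerate presses that were typed into the wrong window and never reached it. The code below is an added example for this thread, not FEITIAN's tool or anything posted by the participants; the seed is the RFC 4226 test value and the size of the resync window is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Site side of the scheme: holds the uploaded seed and the next counter
    value it expects. The seed is the whole secret, which is why the vendor
    says not to keep a plaintext copy once it has been uploaded."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0              # next counter value the site expects
        self.look_ahead = look_ahead  # assumed resync window (RFC 4226 parameter s)

    def verify(self, code: str) -> bool:
        # Presses typed into a terminal or the wrong window advance the key's
        # counter without reaching the site, so accept any of the next
        # `look_ahead` values and then move past them.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # older codes now fail, so a replay is rejected
                return True
        return False


# Constructed sample: the RFC 4226 test seed (ASCII "12345678901234567890").
RFC4226_SEED = b"12345678901234567890"

if __name__ == "__main__":
    site = HotpVerifier(RFC4226_SEED)
    presses = [hotp(RFC4226_SEED, c) for c in range(6)]
    print("first code:", presses[0])  # 755224 per RFC 4226 appendix D
    print("accept press 0:", site.verify(presses[0]))
    print("replay press 0:", site.verify(presses[0]))
    print("skipped 1-3, press 4:", site.verify(presses[4]))
    print("late press 3:", site.verify(presses[3]))
```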

Pamela

Mar 27, 2022, 8:54:41 AM
On 21:59 24 Mar 2022, said:

> On Thu, 24 Mar 2022 08:33:28 -0700, Antler <Ant...@Antler.com> wrote:
>
>>Try MyPal browser.
>>
>
> My FFx 52.9 32bit used with XP has become very slow for the internet.
> I went with MyPal. It's a lot faster. The only problem that I have
> with MyPals is the darn commercials on Youtube videos. That's why I
> only use FFx 52.9 for downloading from Youtube. The old version of
> FFx does not show any commercials.

Oddly enough, I get the opposite.

With XP running on a very old Athlon 3500+ cpu, MyPal v29.1.1 is
distinctly slower than Ffx 52.9.

Mayayana

Mar 27, 2022, 12:43:11 PM
"Pamela" <pamela.priv...@gmail.com> wrote

| > My FFx 52.9 32bit used with XP has become very slow for the internet.
| > I went with MyPal. It's a lot faster. The only problem that I have
| > with MyPals is the darn commercials on Youtube videos. That's why I
| > only use FFx 52.9 for downloading from Youtube. The old version of
| > FFx does not show any commercials.
|
| Oddly enough, I get the opposite.
|

I think it mainly depends on settings. I use FF and New Moon.
Both are virtually instant on nearly all sites. But I block most
3rd-party files with a HOSTS file and I use NoScript. People
often complain about slow browsers, but it's not really the
browsers. It's the 20 MB of bloated javascript loading from 5
different domains, plus the script that's trying to watch you while
it decides what ads to load. If you stop that stuff, only running
script that's absolutely necessary, then security, privacy and
speed are all greatly improved. Your browser should never be
visiting Google analytics, Google fonts, Doubleclick,
googletagmanager, value*, *click*, *ad*, statcounter,
scorecardresearch, and so on. You should never see an ad.
Not because ads are bad but because nearly every ad online
is connected with spyware and is loading from a site you didn't
choose to visit.


If you don't want to deal with all that you can use uBlock Origin,
though I don't know if it supports XP.


Paul

Mar 27, 2022, 1:36:24 PM
On 3/27/2022 9:18 AM, ha...@invalid.com wrote:
> According to what I see on the Web, that Athlon went to market back
> in 2004. My desktop with 2.93 gigahertz Intel Core 2 Duo E7500 is
> quite a bit younger than that. That might be the difference why
> yours creeps along slower.
>
> The MyPal on my box is a LOT faster than my FFx 52.9. There is no
> comparison between the two.
>

Check the cache settings in about:config and verify
the browsers are set up the same way.

You can cache to the cache2 folder and leave 5000 files in there.

You can cache to memory instead, and when the browser exits,
the cached files are all tossed away.

My Mozillian browsers are both set for the latter. The disk cache
is turned off and cache2 no longer fills with crap.

Paul

august abolins

Mar 31, 2022, 10:35:21 PM
Hello andy!

** On Thursday 24.03.22 - 16:59, andy wrote to :

> On Thu, 24 Mar 2022 08:33:28 -0700, Antler <Ant...@Antler.com> wrote:

>> Try MyPal browser.
>>

> My FFx 52.9 32bit used with XP has become very slow for the internet.
> I went with MyPal. It's a lot faster. The only problem that I have
> with MyPals is the darn commercials on Youtube videos. That's why I
> only use FFx 52.9 for downloading from Youtube. The old version of
> FFx does not show any commercials.


Try nextdns.io. It blocks the ads for many sites very nicely.
Works with MyPal and FF.





august abolins

Mar 31, 2022, 10:35:37 PM
Hello mayayana!

** On Sunday 27.03.22 - 12:43, mayayana wrote to :

> "Pamela" <pamela.priv...@gmail.com> wrote

> If you don't want to deal with all that you can use uBlock Origin,
> though I don't know if it supports XP.


I use nextdns.io. No software DL required. It works with my
FF 52.8 and MyPal.

Mayayana

Apr 1, 2022, 9:01:45 AM
"august abolins" <nos...@nospam.net> wrote

| I use nextdns.io. No software DL required. It works with my
| FF 52.8 and MyPal.
|

I've never heard of that. Is it a DNS proxy? I'm not
sure how I'd feel about letting a commercial entity
filter my DNS requests. But it's an interesting idea.

