Path: news.net.uni-c.dk!logbridge.uoregon.edu!pln-w!spln!dex!extra.newsguy.com!newsp.newsguy.com!enews2
From: "Terry Austin"
Newsgroups: comp.lang.basic.visual.database,comp.lang.basic.visual.misc,comp.lang.beta,comp.lang.c
Subject: Re: WARNING! My OE removed the attachment as being unsafe
Date: Wed, 6 Mar 2002 16:18:40 -0800
Organization: http://extra.newsguy.com
Lines: 136
Message-ID:
References: <3C8435F2.4ED2879A@attglobal.net> <3c851cb0_2@news.iprimus.com.au> <3c853c75.13087585@news1.rdc1.nsw.optushome.com.au> <3c860e75.66855528@news1.rdc1.nsw.optushome.com.au> <3c866698.89421478@news1.rdc1.nsw.optushome.com.au> <3c8692e4.100763252@news1.rdc1.nsw.optushome.com.au>
NNTP-Posting-Host: p-470.newsdawg.com
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Xref: news.net.uni-c.dk comp.lang.basic.visual.database:119696 comp.lang.basic.visual.misc:516651 comp.lang.beta:13157 comp.lang.c:585202

"Frank Adam" wrote in message news:3c8692e4.100763252@news1.rdc1.nsw.optushome.com.au...
> On Wed, 6 Mar 2002 13:31:27 -0800, "Terry Austin"
> wrote:
>
> >was credible. I questioned that, and pointed out they have a
> >multi-million dollar a year incentive to spread FUD about the
> >most common (by far) operating system and email client,
> >and that their credibility is not, therefore, a given.
> >
> MS would not sit by idle and take the defamation, if it wasn't true.

MS doesn't engage in pointless litigation any more than any profit
driven company does. It's only defamation if damage is done. It
would be difficult to damage MS's reputation.

> >You are the one who demanded a guarantee of absolute security. I
> >
> No, i simply replied to a one word reply, which indeed was bullshit.

No, you said it in reply to me, and your exact words were:

"Unless you (or MS) can guarantee to me that this was *the* patch, the
patch and nothing but the last patch....
i'll stay wary and away from it."

Message-ID: <3c860e75.66855528@news1.rdc1.nsw.optushome.com.au>

>
> You know me, i don't argue over crap, but one guy said "there is no
> real security" another replied "bullshit".
> "Real security" to me means peace of mind, but as long as the
> occasional bullet gets through the defences, i don't feel safe.

You attack OE for things that are true of all email clients, and
all operating systems. You apply different standards to different
email clients. Specifically, you will not use OE, in *your* words,
quoted above, because there is no guarantee that there will be
no more vulnerabilities. There is no such guarantee for whatever
email client you do use, no matter what it is, and yet you use
it. It's a double standard.

>
> >merely pointed out that you are applying a different standard to OE
> >than you apply to Free Agent or whatever email client you use.
> >
> FreeAgent can not be flawed as a newsreader.
> It doesn't handle HTML and since HTML posts are frowned upon anyway
> on usenet, why should it. ?

Beside the point. Whatever email client you use, there is no
guarantee that no vulnerabilities will ever be found in it, which
is the guarantee that you demanded of OE or you'll "stay wary
and away from it."

>
> >> It's pointless blaming the OS, we are talking about OE.
> >It's never pointless blaming the OS when the OS is the true culprit
> >in all security vulnerabilities. If Windows didn't support the various
> >mix-and-match features between applications, OE *couldn't* have
> >most of the more serious security vulnerabilities.
> >
> The OS has very little play in this.

Not true at all. The OS touches every single packet that comes
in through your internet connection.

>OE relies on IE to display its
> text. IE is the one with the security problems in 90% of all cases. It
> is IE which had the little "let's execute attachment automatically"
> bug(see latest security patch) it was/is also the culprit in the
> built in cookie broadcaster (no patch yet, AFAIK).

All MAPI enabled clients are vulnerable to OS flaws. All HTML
enabled clients are, as well, especially if they support Javascript.
Even Eudora does that, and MAPI as well. The potential is there.
OE seems to have more actual flaws, but they are as easy, if not
easier, to patch since it's part of the WindowsUpdate process.
When was the last time you saw a free patch for any other
email client that was that easy to download and install - after
automatically identifying what was needed?

> People clicking on attachments without a clue is just stupidity and is
> not OE's or IE's fault.

And that accounts for about 90% of infections.

> One could argue that IE is about as close to the core of the OS as a
> program can get, but that is by design (as they say).

Indeed, it is. Nearly all of the design flaws in OE and Outlook are
a direct result of requests from users to Microsoft, who wanted
more functionality.

>
> >>I use the OS
> >> because i have to and i am aware of its flaws.
> >Same is true for OE, for me.
> >
> Terry, i don't doubt that you and most of us on these professional
> groups have no problems. We could at least be classed as power users.

I'm an IT professional, network administrator, and sometime
programmer. I'm actually significantly above power user. You
probably are, too.

> My wife works for a large multinational insurance broker company.
> As you can imagine, with the amount of sensitive data there, network
> security and maintenance is at the highest level one could fathom...
> 3 network wide infections so far this year, Win98 stations, IE/OE.

All three due to user stupidity in running attachments, I suspect.
Which is not a flaw in OE. The one virus infection we've had in
our corporate office (the one that deletes Norton, naturally) was
through Pegasus, not OE. Because the user ran an attachment.
No email client that is RFC compliant (or even slightly functional)
could have prevented that.

>
> >There's very little difference from one email client to the next.
> >
> True, only IE.
> Can we go home now, or do we go another round ?

I don't entirely disagree with you. OE is more trouble to keep
secure, in some ways. Those ways, however, are easier to do
than most software patching, and most of the vulnerabilities
are the direct result of functions added at the request of the
user base.

The claim that OE cannot be made secure is spurious. It is true only
in the sense that *no* email client can be made secure. It can be
made *as* secure as any other, with fairly trivial effort. If you don't
go through that effort, it's not secure. But if you don't go through
that effort, Windows isn't secure, and it doesn't matter *what* email
client you use. It's a difference without meaning.

Terry Austin