Path: news.net.uni-c.dk!logbridge.uoregon.edu!news.maxwell.syr.edu!sunqbc.risq.qc.ca!news.uunet.ca!nf3.bellglobal.com!border1.nntp.aus1.giganews.com!nntp.giganews.com!nntp3.aus1.giganews.com!bin6.nnrp.aus1.giganews.com.POSTED!not-for-mail From: "Hugh Laderman" Newsgroups: comp.lang.basic.visual.database,comp.lang.basic.visual.misc,comp.lang.beta,comp.lang.c References: <3C8435F2.4ED2879A@attglobal.net> <3c851cb0_2@news.iprimus.com.au> <3c853c75.13087585@news1.rdc1.nsw.optushome.com.au> <3c860e75.66855528@news1.rdc1.nsw.optushome.com.au> <3c866698.89421478@news1.rdc1.nsw.optushome.com.au> <3c8692e4.100763252@news1.rdc1.nsw.optushome.com.au> Subject: Re: WARNING! My OE removed the attachment as being unsafe Lines: 155 X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 5.50.4133.2400 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: <_9zh8.62166$yL2.5372576@bin6.nnrp.aus1.giganews.com> NNTP-Posting-Date: Wed, 06 Mar 2002 19:14:34 CST Organization: Giganews.Com - Premium News Outsourcing X-Trace: sv3-RdMi+96j6IaWVNOeZI3O9QVc6qgPbF3p1oL5I+Rl7Q7iY4f4GKsdg3fkKO0Lq5nyx8YZKiCaaII2krk!a1xZbuE8mAQ65cNsgMa70Lj6uWMMsBADCKWc5LaW5L+jTGW9C9TWxlxveYK+jVToN6BPAv6zmGyw!2vU= X-Complaints-To: abuse@comcast.com X-DMCA-Complaints-To: abuse@comcast.com X-Abuse-Info: Please be sure to forward a copy of ALL headers X-Abuse-Info: Otherwise we will be unable to process your complaint properly Date: Thu, 07 Mar 2002 01:14:34 GMT Xref: news.net.uni-c.dk comp.lang.basic.visual.database:119697 comp.lang.basic.visual.misc:516653 comp.lang.beta:13158 comp.lang.c:585219 I'm a bit surprised that this thread has not yet contained the argument that - *all* complex software is loaded with holes - OE, due to its widespread use, is *the* major target of mischievous culprits - OE's holes become more frequently exposed and so require patches more frequently - fewer holes are exposed in other software, but they still exist Of course, maybe the reason this argument has not been presented is because I am totally clueless ;-) "Terry Austin" wrote in message news:a66bl0021ie@enews2.newsguy.com... > > "Frank Adam" wrote in message > news:3c8692e4.100763252@news1.rdc1.nsw.optushome.com.au... > > On Wed, 6 Mar 2002 13:31:27 -0800, "Terry Austin" > > wrote: > > > > >was credible. I questioned that, and pointed out they have a > > >multi-million dollar a year incentive to spread FUD about the > > >most common (by far) operating system and email client, > > >and that their credibility is not, therefore, a given. > > > > > MS would not sit by idle and take the defamation, if it wasn't true. > > MS doesn't engage in pointless litigation any more than any profit > driven company does. It's only defamation if damage is done. > It would be difficult to damage MS's reputation. > > > > >You are the one who demanded a guarantee of absolute security. I > > > > > No, i simply replied to a one word reply, which indeed was bullshit. > > No, you said it in reply to me, and your exact words were: > > "Unless you (or MS) can guarantee to me that this was *the* patch, the > patch and nothing but the last patch.... i'll stay wary and away from > it." > > Message-ID: <3c860e75.66855528@news1.rdc1.nsw.optushome.com.au> > > > > You know me, i don't argue over crap, but one guy said "there is no > > real security" another replied "bullshit". > > "Real security" to me means peace of mind, but as long as the > > occasional bullet gets through the defences, i don't feel safe. > > You attack OE for things that are true of all email clients, and all > operating systems. You apply different standards to different email > clients. Specifically, you will not use OE, in *your* words, quoted > above, because there is no guarantee that there will be no more > vulnerabilities. There is no such guarantee for whatever email > client you do use, no matter what it is, and yet you use it. > > It's a double stanadard. > > > > >merely pointed out that you are applying a different standard to OE > > >than you apply to Free Agent or whatever email client you use. > > > > > FreeAgent can not be flawed as a newsreader. > > It doesn't handle HTML and since HTML posts are frowned upon anyway > > on usenet, why should it. ? > > Beside the point. Whatever email client you use, there is no guarantee > that no vulnerabilities will ever be found in it, which is the guarantee > that you demanded of OE or you'll "stay wary and away from > it." > > > > >> It's pointless blaming the OS, we are talking about OE. > > >It's never pointless blaming the OS when the OS is the true culprit > > >in all security vulnerabilities. If Windows didn't support the various > > >mix-and-match features between applications, OE *couldn't* have > > >most of the more serious security vulnerabilities. > > > > > The OS has very little play in this. > > Not true at all. The OS touches every single packet that comes in > through your internet connection. > > >OE relies on IE to display it's > > text. IE is the one with the security problems in 90% of all cases. It > > is IE which had the little "let's execute attachment automatically" > > bug(see latest security patch) it was/is also the culprit in the > > built in cookie broadcaster (no patch yet, AFAIK). > > All MAPI enabled clients are vulnerable to OS flaws. All HTML > enabled clients are, as well, especially if they support Javascript. > Event Eudora does that, and MAPI as well. the potential is there. > OE seems to have more actual flaws, but they are as easy, if not > easier, to patch since it's part of the WindowsUpdate process. > When was the last time you saw a free patch for any other email > client that was that easy to download and install - after automatically > identifying what was needed? > > > People clicking on attachments without a clue is just stupidity and is > > not OE's or IE's fault. > > And that accounts for about 90% of infections. > > > One could argue that IE is about as close to the core of the OS as a > > program can get, but that is by design (as they say). > > Indeed, it is. Nearly all of the design flaws in OE and Outlook are > a direct result of requests from users to Microsoft, who wanted > more functionality. > > > > >>I use the OS > > >> because i have to and i am aware of it's flaws. > > >Same is true for OE, for me. > > > > > Terry, i don't doubt that you and most of us on these professional > > groups have no problems. We could at least be classed as power users. > > I'm an IT professional, network administrator, and sometime programmer. > I'm actually significantly above power user. You probably are, too. > > > My wife works for a large multinational insurance broker company. > > As you can imagine, with the amount of sensitive data there, network > > security and maintanance is at the highest level one could fathom... > > 3 network wide infections so far this year, Win98 stations, IE/OE. > > All three due to user stupidity in running attachments, I suspect. Which > is not a flaw in OE. The one virus infection we've had in our corporate > office > (the one that deletes Norton, naturally) was through Pegasus, not OE. > Becuase > the user ran an attachment. No email client that is RFC compliant (or even > slightly functional) could have prevented that. > > > > >There's very little difference from one email client to the next. > > > > > True, only IE. > > Can we go home now, or do we go another round ? > > I don't entirely disagree with you. OE is more trouble to keep secure, > in some ways. Those ways, however, are easier to do than most software > patching, and most of the vulnerabilities are the direct result of functions > added at the request of user base. The claim that OE cannot be made > secure is spurious. It is true only in the sense that *no* email client > can be made secure. It can be made *as* secure as any other, with > fairly trivial effort. If you don't go through that effort, it's not secure. > But if you don't go through that effort, Windows isn't secure, and it > doesn't matter *what* email client you use. > > It's a difference without meaning. > > Terry Austin > > >