Jim Roepcke's weblog have browser, will travel (est. 1999)

Ed Leafe
August 21st, 2003 - 09:31

On Thursday, August 21, 2003, at 01:20 PM, Jim Roepcke wrote:

> IMHO, any technology-savvy person who has been paying attention to
> current events for the last few years, but continues to use Outlook
> Express for their email client, deserves to get hundreds of viruses in
> their mailbox every day.

Most people are not technology-savvy; they don’t even know that you
can change stuff like that on a computer. They get Windows, because
that’s what everyone else uses. When you first connect it to the
internet, it sets up OE for you. Most people then assume that that’s
what you need to use for email.

___/
/
__/
/
____/
Ed Leafe
http://leafe.com/
http://opentech.leafe.com

Dan Budiac
August 22nd, 2003 - 13:04

Argh! This is not an Outlook issue. Repeat: NOT an Outlook issue!

SoBig.F carries its own SMTP engine. It scans your hard drive for email address, regardless of whether they’re in your Outlook address book, a word document, or a text file. There is absoutely NOTHING about SoBig.F that requires Outlook. Just a user that doesn’t know better than to open a suspicious email attachment.

And don’t say it’s Windows fault, either. There’s no reason this couldn’t happen on the Mac. Windows machines are just a bigger target.

(FWIW, I agree that Outlook has an atrocious security record. But SoBig.F has nothing to do with it.)

James Spahr
August 21st, 2003 - 10:14

On Thursday, August 21, 2003, at 01:54 PM, Jim Roepcke wrote:

> Definitely. I’ve seen enough computer illiterate people using Windows
> to know that for those people’s sakes I wish Microsoft made better,
> more secure software so these innocent people wouldn’t have to endure
> the stress. But I’m referring to the savvy people here… those that
> should know better. I really don’t understand why a person would use
> an email client with that kind of track record for security.

So, my Dad use OE on Win 98. He complains about various things about
it. What should I be tell him to use? It would need to be affordable.

James.

Giles Turnbull
August 21st, 2003 - 13:07

James wrote:

>So, my Dad use OE on Win 98. He complains about various things about
>it. What should I be tell him to use? It would need to be affordable.
>

I got my dad to switch to Pegasus (http://www.pmail.com) from OE and
he was very pleased with the improved security. The Pegasus UI takes
a little getting used to if all you’ve ever used are MS products, but
it treats attachments, embedded files and html messages the way they
ought to be treated – with suspicion. And it’s free, of course.

Giles
http://gilest.org

Jim Roepcke
August 21st, 2003 - 15:44

On Thursday, August 21, 2003, at 04:33 PM, Bill Kearney
wrote:

> Uh Jim, it’s not Outlook Express that’s the problem. It’s Outlook and
> then only
> when it hasn’t been updated. I make use of OE all day long (and
> Outlook) and
> never have a problem.

Perhaps there is an updated version of Outlook Express that doesn’t
have the bugs it used to, or perhaps there are settings you’ve applied
that help. Obviously you don’t open attachments that are unknown.

Klez, for example, could activate itself in OE when you opened or
previewed the message.

http://securityresponse.symantec.com/avcenter/venc/data/
w32.klez.d@mm.html

> If and when other software gets around to actually implementing what
> Outlook
> does, and not just e-mail, and does it BETTER then you’ll have a
> decent reason
> for people to switch. Outlook is a lot more than just mail and those
> that use
> it actually seem to LIKE IT.

Understood. I just think it’s foolish to exchange features for
security. These email viruses are costing people a LOT of money and
time and grief. Perhaps I should say, people who use unpatched/old
versions of Outlook/OE deserve viruses.

> So offer a program that does all of what Outlook does and then maybe
> you’ll get
> people to consider switching to it. Thus far I’ve seen nothing that
> comes close
> (and I’ve looked at a great many of them).

I liked a couple features of Outlook when I used it at CEISS, but I
hated just as many features (people loved sending email with huge red
MS Comic Sans fonts for example). My favourite feature is the grouping
feature. I had my mail grouped by flag status, and then sorted by
date, so my flagged messages always stayed at the top of the window.

Jim

Bill Kearney
August 21st, 2003 - 17:49

> Perhaps there is an updated version of Outlook Express that doesn’t
> have the bugs it used to, or perhaps there are settings you’ve applied
> that help. Obviously you don’t open attachments that are unknown.

Indeed OE6 has been out for quite a while now. And I found it had absolutely no
issue with upgrading the 2gb of messages I’ve got in one profile that uses it.

> Klez, for example, could activate itself in OE when you opened or
> previewed the message.

HTML mail has /always/ been a plague on humanity and should never have gotten
out.

> Understood. I just think it’s foolish to exchange features for
> security. These email viruses are costing people a LOT of money and
> time and grief. Perhaps I should say, people who use unpatched/old
> versions of Outlook/OE deserve viruses.

Whoa there partner, the stuff like calendars and decent addressbook intergration
are not just ‘features’, they’re core parts of why people use it.

Nobody deserves viruses, of course, but failure to update and the trouble it
causes are just out of control. I’m tempted to go along with you though…

> I liked a couple features of Outlook when I used it at CEISS, but I
> hated just as many features (people loved sending email with huge red
> MS Comic Sans fonts for example). My favourite feature is the grouping
> feature. I had my mail grouped by flag status, and then sorted by
> date, so my flagged messages always stayed at the top of the window.

Yeah, ’stationery’ on e-mail is a blight on society. I hassle anyone sending me
that crap. Plain text please.

What’s worse here is, and Microsoft deserves taking heat for it, is the way they
handle MIME parts using HTML. The MIME format supports totally self-contained
messages. So the HTML and all images can get bundled up all within the message
itself. This is the only way they should have *ever* allowed HTML mail to get
delivered. Now we’re stuck with legions of idiots that think it’s a good idea
to send you HTML mail that’s got images off on remote servers. Ugh. A pox on
them and their houses all.

-Bill Kearney

Bill Kearney
August 22nd, 2003 - 04:05

> That’s good to know. Are there any settings that a person should
> ensure are set to be sure they can’t get a virus by opening or
> previewing an email? I have a neighbour that I’m sure uses Outlook
> Express. If you’re SURE that it’s safe, I’ll go over and upgrade their
> mail client for them.

Upgrading to OE6 does bring along upgrading to IE6 requirements. If they’re
using some ancient version of the OS then there may be other outside issues to
consider.

I recently upgraded several boxes from 98/ME to using XP. Yes, adding more
memory is a requirement. Taking the boxes from their previous 64mb to 256mb
makes it a non-issue performance-wise. Those DIMMs are cheap these days at
about $40 each. But the transition from 98 to XP was smooth and for the
majority of applications involved it was relatively painless. For most of them
flattening the box and starting over was considered an acceptable option. But
for those desiring in-place upgrades it worked as well.

> > HTML mail has /always/ been a plague on humanity and should never have
> > gotten
> > out.
>
> Pretty much, but it was inevitable and companies that release software
> with so many obvious security flaws should be sued into the ground. I
> think it’s only a matter of time before someone starts a class action
> lawsuit against MS for promoting such horrible software.

As a developer you should be VERY cautious about making such a statement. If
you think letting such actions being taken against MS is a good idea stop and
think. Those actions can just as easily be taken against YOU and any code you
develop. Be very careful about opening Pandora’s box here. It will cause a
grave amount of harm to the industry as a whole. MS can afford it but the
industry cannnot. So taking this approach will do more to /strengthen/ MS than
to harm it.

> I know! I didn’t say Outlook didn’t have useful features. I just said
> people shouldn’t exchange features for security. If a product is
> secure, then the features shouldn’t mean squat. Once a product is
> found to be a virus threat, people should tell the vendor you won’t use
> the product until it’s secure.

And MS *has* made it secure! The outbreaks are the result of people being too
damn lazy to install what’s being provided as a FREE set of fixes!

> I like that “virus” that patches people’s machines. I wish that person
> would write more that would fix all sorts of security holes on Windows
> machines.

Nah, trouble here is virus code is shown, over and over again to be poorly done.
The welchia virus, attempting to patch things, causes it’s own hassles on the
boxes. The fixes are available and are free. There’s no need for viruses here.

> Microsoft deserves heat for about a thousand things. Most software
> vendors do, really. Software in general, is really poorly written. I
> think the shareholders and mangers that push developers to release
> software before it’s ready, and hire programmers who are incompetent
> should get the fingers pointed at them… not to mention the customers
> who refuse to demand (and pay for) quality software. So much of this
> of course is just a matter of ignorance of the consequences. Hopefully
> in 20-30 years we’ll be better off in that regard.

I share the sentiment you’re expressing. Developing code is a tough exercise.
And the range of platforms MS has to support requires HUGE amounts of testing
before release. The vibrancy of the market in 3rd party cards, motherboards and
assorted parts is based on the OS being able to support them. As a result,
however, the testing required is quite significant. This introduces even more
opportunities for problems. The alternative, however, of using proprietary
stuff from limited vendors would have kept machines in the $3k+ price range.
It’s a damned-if-you-do, damned-if-you-don’t scenario.

As for pushing for software reform that’s fine idea. Trouble is development is
an expensive process. Going the distance and doing throrough testing and
development is not cheap. Here we’d have to go off on the tangent of revenue
models and such but that’s fodder for another thread.

Yes, users should push for better solutions. Trouble is those solutions won’t
come cheap.

-Bill Kearney

Bill Kearney
August 28th, 2003 - 07:42

> > And don’t say it’s Windows fault, either. There’s no reason this
> > couldn’t happen on the Mac. Windows machines are just a bigger target.
>
> You’re absolutely right. But I wish you’d keep quiet about that.
> Honestly, I worry that all this gloating from Mac users is going to
> backfire. We’d probably deserve it too because Mac users are very
> complacent about viruses.

I have looooooong refrained from making that statement. Much like the old story
of the three little pigs, all these folks crowing about how secure they are
compared to windows are in for an extremely rude awakening. When the
malcontents tire of attacking Windows…

As for upgrades, consider this point, better written software often demands
greater machine resources. It’s nothing for an aging P133 to read mail. But to
ask it to start filtering the mail for spam, virus checking and all sorts of
other things isn’t going to work, there’s just not enough horsepower. Combine
that with those added features requiring disk space and other resources and it’s
a losing proposition. Contrast this with just buying a new box. They’re cheap
and along the way they keep a legion of people employed. The disk makers, the
RAM suppliers, the CPU foundry, sheetmetal for the case, etc. Buying a new box
helps keep the industry going.

And since we’re a long way from perfect software, a vibrant industry means
continued development.

I’m as much for avoiding purchasing replacement stuff (like my aging Jeep) but
not if it means I can’t take advantage of recent developments (like better gas
mileage). Software and the hardware to back it up are nowhere near as evolved
as something basic like the automobile. In another decade or so maybe this will
be different. Meanwhile, upgrades are the way to go.

-Bill Kearney