Re: Announcing Public Availability of NoHTML for Outlook 2000/2002
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/17/01
Date: Mon, 17 Dec 2001 15:08:55 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>From: Vesselin Bontchev [mailto:bontchev@COMPLEX.IS]
>
>Russ did not heed my warning while this project was still in a design
>phase; hopefully he will at least approve this message of mine because
>the users of this product ought to be warned, otherwise they are running
>the risk of being lulled into a false sense of security.
Vesselin,
I implemented my COM Add-in so that NoHTML 1.2.0.0 checks messages when you
click on them, not when they arrive. It doesn't take a rocket scientist to
figure out that if you're relying on a user action, we're not worried about
the kind of load needed to abrogate the Outlook COM Event triggers. Ergo,
while I'm sure your comments were intended to be constructive and
informative to the users of NoHTML, they really aren't based on any analysis
of NoHTML or its operation, are they?
Your company may well have encountered the problems which you warned me
about, but I haven't implemented my tool in a way that would be affected by
those warnings.
In v1.3.0.0, soon to be released, I have added the functionality that you
believe will be susceptible to load problems. v1.3.0.0 *ADDS* conversion
upon message arrival to your Inbox (inbox only, not other folders). This
*WAS NOT* done to increase the security, or the effectiveness of NoHTML.
Instead, it was done to try and add a performance boost to the way most
people use the tool. If messages are converted as they arrive, it reduces
the time it takes to scroll down a list of messages. If the inbound event
trigger fails, for any reason, the original method is still in
effect...i.e. NoHTML still converts when you highlight a message (or open a
message).
Your statement, "the conclusion from the above is that NoHTML is pretty much
useless and outward dangerous if you start relying on it.", then is false,
and I would expect you to retract it or provide the details of the analysis
of NoHTML which you have already performed. You tested it and found it to
fail how many times? You were able to get how many malicious HTML-based
emails past it? Under what sort of load did NoHTML fail to convert messages
prior to the user viewing them in a normal mail panel?
The free tool is intended to let people protect themselves. If it doesn't do
that, please let me know.
If you're someone who feels the need to insist on getting a message through
to the list about it to forewarn them of inadequacies that you believe it
has, or mis-representations that you believe I've made about it, then
consider asking me first directly before you make some public statement
about it.
BTW, with more than 50,000 downloads of NoHTML since its release less than 2
weeks ago, there are many people who would be interested in hearing whether
or not you are going to provide the details of the testing you performed on
NoHTML. Please, don't take long to respond. Of course if all you're going to
tell us about is your company's development work, and not specifics about
NoHTML, then let us know you were just speculating and didn't really know
what you were talking about.
I say you don't know your a$$ from a hole in the ground wrt NoHTML, and
are flat out speculating and wrong, but then I'm biased...I only wrote it to
avoid the performance problems (only god and MS know whether or not I
actually have avoided them)...unless you have actual proof it doesn't work.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"My thoughts are facts in my world, opinion to you. YMMV"