In My World Redemption Is A Security Risk :-)

  • z_coder
    Message 1 of 7 , Jul 16, 2003
      If this wasn't holding up my project, I'd be rolling on the floor in
      hysterics. Since I can't laugh about it yet, I hope somebody else
      gets a chuckle out of it.

      I recently completed my first Outlook application. It's an internal
      application using Outlook 2000 with Exchange 5.5 (soon to be 2000).
      I informed my supervisor that I wanted to purchase Redemption so my
      users wouldn't get the annoying security warnings. Not understanding
      the documentation, she saw it as a possible security risk. She
      consulted with our network security person. He's been researching
      this for three days. Since it's impossible to prove a negative, he
      was unable to find any information implicating Redemption as a
      security risk, so he declared it a security risk and said we couldn't
      purchase it.

      When I attempted to explain what it does and doesn't do, his eyes
      glazed over. He believes that if the DLL is installed on all of our
      systems that somehow an incoming virus can hijack it and use it to
      replicate itself undetected. Even though I told him it does not
      change the security settings of Outlook, he isn't convinced. He also
      seems to think that somehow this DLL is going to hitch a ride on an
      outgoing email and wreak havoc throughout the world. This is not by
      any means the first time I've used a DLL to bypass system warnings,
      but because this one deals with Outlook security it's perceived as
      being in some way evil and prone to exploitation.

      After you finish having a good laugh over the absurdity of this,
      would someone please explain in painfully detailed and simplistic
      terms why this DLL is not going to bring on the destruction of the
      world as we know it? None of my explanations are sinking in at all.

      Thanks to all. Great info on this list.

      BZ
    • J.D. Walker
      Message 2 of 7 , Jul 16, 2003
        My advice is to just let the security warnings pop up..and let the users deal with them. You'll get your support to purchase Redemption before too long.

        J.D.





      • Sue Mosher
        Message 3 of 7 , Jul 16, 2003
          You could also print out the Security page on the Redemption site and explain it to him in words of one syllable.
        • Dmitry Streblechenko
          Message 4 of 7 , Jul 16, 2003
            Using Redemption is not any different from rewriting your code in
            C++/Delphi to directly use Extended MAPI. While not exactly a rocket
            science, that does take time and money. Redemption does not use any
            black magic (like modifying Outlook code in memory at runtime), it uses
            legitimate and fairly well documented API used by Outlook itself. The
            whole reason for its existence is that the API (Extended MAPI) has a
            very steep learning curve and is not useable from VB/VBA/.Net.
            To prevent a virus from hijacking Redemption, you can customize the dll
            so that it doesn't even look like the original library - all Class GUIDs
            and names stored in the registry to identify Redemption can be changed.
            Using Redemption as a virus payload is also impractical given its size
            (500kB for the distributable version).
            A virus writer would be much better off either using an SMTP engine
            directly (there are literally dozens if not hundreds of open source
            libraries that let you send a message to an SMTP server) or using
            Extended MAPI directly (less likely given who 90% of the virus writers
            are).
            There are always ways to write a virus, but the virus writers (just like
            everybody else) use the path of least resistance - it was easy to use
            Outlook Object Model, security patch made that much harder, so the virus
            writers switched to easier alternatives - there were no new viruses of
            any significance after MS patched Outlook that use Outlook Object Model.

          • J.D. Walker
            Message 5 of 7 , Jul 16, 2003
              Good idea, Sue, but I'm afraid even that may not work. I've worked in network security for a while, and a lot of people who work in network security are *SECURITY* personnel, not IT folk by any stretch of the imagination..yet they get thrust into the position.

              This guy sounds like one of those. Our friend may have to take his case higher.


              >
              > From: "Sue Mosher" <sue@...>
              > Date: 2003/07/16 Wed PM 02:18:25 EDT
              > To: <outlook-dev@yahoogroups.com>
              > Subject: RE: In My World Redemption Is A Security Risk :-)
              >
              > You could also print out the Security page on the Redemption site and explain it to him in words of one syllable.
            • Leon.Jollans@xaman.com
              Message 6 of 7 , Jul 17, 2003
                I feel your pain. In my world, NNTP is a security risk so I'm not allowed to
                use newsgroups.

                ?!?!?!

              • trickstagal
                Message 7 of 7 , Jul 23, 2003
                  Z-Order,

                  FYI - We utilise Redemption in a number of our clients' organisations
                  some with 5,000+ mailboxes (in both the Public & Private sectors). We
                  have customized the dll hence seemed to keep our clients happy on the
                  security issue. To date we have had no complaints and don't envisage
                  we will.

                  I do agree with the other response from J.D. deploy the App and let
                  the prompts speak for themselves. It certainly helped us push
                  Redemption on our existing Apps as our clients began deploying the
                  security patch and CDO became a big no no.

                  Thanks for the good laugh, I can certainly empathise with your
                  situation. Good luck.
