Outlook Express and privacy

Factual Questions
1

I use Outlook on a computer that I am going to be sharing with some friends. I want to make it so that my friends cannot go snooping around in my private messages. I do not really expect them to do that, but I would rather not take the chance. I see that I can create different identities and add password protection, however, I noticed this in the help section:

“Adding a password to your identity makes it more difficult for other users to access your files; however, the level of security the password provides is minimal. Even with a password, it is possible for other users to access your files.”

OK, so what is the point of adding the password then? What I would like to know is, exactly how can someone still access my files? Would it require advanced computer skills, or is it ridiculously easy? Also, what other steps can I take to secure my messages, short of not sharing the computer in the first place? I’ve been using Outlook on this computer for a while, and I currently have over 6,000 messages stored on it; I would prefer not to have to move everything if I can avoid it. Nonetheless, how can I save all of the messages and access them on another computer? I have not noticed a simple way to do it. Thanks in advance!

2

All security is a compromise between keeping the bad guys out on the one hand and cost and convenience on the other. You might experiment with setting up a password and then trying to break into your Outlook files without cheating. That won’t be definitive, especially if one of your friends is a well established hacker, but it may help put your mind at ease - which is all that security can do, really.

I know that doesn’t help much, but maybe a better answer will come along shortly.

3

This sounds like Windows 98. If that’s the case forget it. Windows 98 security is practically non-existent.

Windows XP or 2000 has very good security and will keep out all but the most determinded (and well-experienced) users as long as you set things up correctly.

4

First of all, please refer to Outlook Express as “Outlook Express” or “OE” or “Express”. As you probably know, Microsoft sells another program called “Outlook” and the two are as different as night and day. I apologize if this sounds snippy, but you have no idea of how often myself (and other IT geeks) have typed up a five-page post to answer a question about “Outlook”, only to have the OP say something like “I can’t find a PST on my computer” or “What Calendar? My Outlook doesn’t have a calendar”. Again, sorry if I’m being snippy, but it just gets old.

Let’s see. What operating system are you using? If you’re using Windows 2000 or XP, you can create separate user accounts for everyone, and if your configure their permissions correctly, no one but you will be able to access anything in your profile folder in “Documents and Settings”. Or any other user’s folder for that matter. Also note that by “user accounts” I mean Windows user accounts and not OE “profiles”.

As Hail Ants said (after preview), security in Windows 98 is more or less non-existent. There’s no built-in way to keep people from copying yoru data files to a new location and opening them from there.

You asked why they would even bother to add a password if it’s so easy to circumvent. It’s because OE was developed for use in home environments. Junior might have an email address, and while Dad is happy to let him use the computer to snag his mail, he doesn’t want Junior getting in to his email and possibly deleting work emails, etc. It’s for situations like this that OE (and profiles with password protection) was developed.

Most companies use Outlook (the real one, not OE) to provide their employees with email. This has two main benefits For one, you need a username and password to access the user’s Windows profile. If permissions are set up correctly, only the user and Administrators have access to the Outlook data file (PST) on the user’s hard drive. Additionally, if the company uses Microsoft Exchange as their email server no one (not even the Administrators) can access your email profile without your domain name and password*. The second benefit is that most of these companies use a “secure” OS like Windows 2000 or XP instead of Windows 98. When you get to the password prompt in Windows 2000 or XP, you must enter a valid user name and password to access the machine. In Windows 98 you can simply press the “Cancel” button on any login prompt and still be granted access to the local machine.

Lastly, to move OE files to a new machine, click on File > Import\Export and follow the directions, or click on Tools > Options > Maintenance and copy the files located in the “Store Folder” window.

** - Technically, this is incorrect for a number of reasons, but it’s close enough to be true for purposes of this discussion.*

5

For maximum security, you can also encrypt directories in Windows 2000 and XP, on NTFS volumes - right-click the direcory, the click Properties, Advanced attributes. Otherwise, someone with physical access to the PC could boot into another operating system and read/copy the contents of its NTFS volumes without having to know userids and passwords.

6

Thanks for all the useful tips. Yes, the computer I will be sharing is running Windows 98, so from what everyone has said, I shouldn’t expect much security. For the time being, I went ahead and set up a password nonetheless. Perhaps it will be good enough; I do not believe any of my friends are hackers. Eventually I’ll just copy the messages to another machine using the instructions given by Rex Fenestrarum. Thanks again!

7

Outlook Express is so full of security holes I wouldn’t have any expectation of privacy whatsoever, even from people you’re not sharing the computer with.

8

Troll much?

9

You can do this with some freeware in 9x too, but for God’s sake PLEASE remember to back up your key! If you lose that, your data is essentially gone FOREVER.

Remember one of those people convicted of the 1993 WTC bombing - Ramsei Youseff, I think? It took NSA 12 months to crack all the encrypted files on his laptop, and they have far, far more computing power in their arsenal than you can imagine. Although writing a “recovery program” that could crack the encryption keys is not impossibly difficult, the sun will probably implode before you’d get your data back using today’s average PC.

10

Actually, that wasn’t a troll, as I’m not looking for an argument. If you read tech news, you’ll see numerous announcements of security flaws in OE. Microsoft sends out regular updates (I get them, even though I’ve uninstalled OE). The news is filled with stories of viruses spread to and through Outlook Express. To date, I’ve not heard of a system infected through using a program like PocoMail or Eudora if the Microsoft viewer is disabled.

I don’t really care what the reason is. Maybe it’s because people work harder to find the flaws in OE. Maybe it’s a piece of junk. Maybe the tight integration with Windows allows Windows security flaws to affect OE. It doesn’t matter. What matters is that I can use a different program and not have to spend a half hour a day checking the news for more security holes in OE.

11

So you’re happy to make an outrageous statement, then offer nothing to back it up? Good job to you, then.

Yes, I read tech news. In fact, I read “tech news” for about 4 or 5 hours every day. I get MS Security Update bulletins. I hang out at security-centered websites and newsgroups. And I hardly think that I see “numerous announcements” or see “news filled with stories of viruses”. And people that use Pocomail or Eudora are likely to be savvy enough not to click on a suspicious link or attachment.

Of course, when MS disabled access to most forms of attachments in OE 6, people whined that MS was being too restrictive. So which is it? OE is not secure enough or is it too secure? Why is it MS’s fault that idiot users click on links in emails from “Citibank” when they don’t even have accounts there? Why is it MS’s baliwick to educate users not to click on ANNA_KOURNAKOVA_NAKED.JPG.PIF?

Half an hour every day checking for security holes? Retentive much? If you’re that paranoid, why not use PINE? Or FreeBSD?

12

I kind of got the impression you did. My point is that OE is perfectly safe for someone like you. Personally, I’d rather not spend my spare time worrying about security holes and hanging out at security-centered newsgroups.

It doesn’t particularly worry me if an email has a “click here” that does something nasty. I’m smart enough not to click it. But when emails can load viruses on my system just by coming up in the preview pane, I’ve got the wrong email program! When email viewers allow active HTML, scripts, and the like, they’re just not for me.

I’m not a Luddite. Yeah, I used pine and elm, and no, I don’t want to go back to those days. I just read enough security news to see that there are one heckuva lot of notices of holes in OE. I’d just as soon use Eudora or PocoMail, disable the Microsoft viewer, and stop worrying.

That’s not a troll. It’s not an outrageous statement. I’m not looking for an argument. This is “General Questions.” I gave an answer.

13

[ Moderator Mode ]

Rex Fenestrarum, your zeal as the the Windows King is admirable, but as you have already been admonished in the last few hours, accusations of trolling are against SDMB rules and snide accusations are not appropriate to this Forum.

InvisibleWombat, your contributions to this thread, while eventually supported by some analysis, were better suited to IMHO than to GQ. A statement that “OE running on Win 98 contains the following flaws” is a GQ response. Your post of 01-04-2005 09:15 AM does not meet that standard.

Any further contributions to this thread need to be factual in nature.
Travelin’ Man, has your question been answered to the point that we may close this thread?

[ /Moderator Mode ]

14

Yes, I think I got enough information. Thanks!