Details on Refining Vista's User Control
borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know they have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."
So what's to stop malware from affirming the prompt? It isn't even a hurdle.
To get more.
Just a few clicks away:
http://www.flickr.com/photo_zoom.gne?id=151250154&size=o
Mac users have gotten used to the authorization of petty procedures by now, but it was a real nuisance in the beginning, some five years ago. Software developers have gotten used to it also and have written better installers that don't require multiple instances of authorization, or any at all, installers that install in non-restricted areas and so forth. I think these issues will pass with time for Vista users too. In the mean time, they really should take joy in the fact that malware will be increasingly scarce on the platform.
- Henrik
- when the Shadows descend -
Of course if the j-o-b foists it on us anyway, at least there will be the necessary hardware upgrade at long last...
If brevity is the soul of wit, then how does one explain Twitter?
Clearly you are not ranking giving Microsoft money a high enough priority in your desired OS feature set.
Don't worry, they're working on that; and you vill like it!
KFG
This is a sad attempt by Windows to increase the security of their lacking security in previous OSes. Well, that's no surprise. Just a little interesting information: instead of using the Windows network operating systems that they produce, NT, 2000, etc., their MSN server main host terminal, the connection for the whole network itself to the net past LAN, is a FreeBSD server. A blatant way of them saying, not even we trust our software to be safe.
"Some people think these questions are hard...
Tough crowd here at Slashdot. We all know it's going to suck, but at least let them release it first before you criticize. Seriously though, it is just a beta and not the end result. They're looking for feedback to make improvements and that's a good thing.
http://religiousfreaks.com/
I just read this article last night and remember reading about having to keep entering the admin password.
Why can't they set it up so when you open control panel, you have to enter the root password (like opening yast as a non-root user in suse and the like) and then you're essentially su'd until you close control panel, or I suppose you could time it out, so after 10 minutes even if the CP is open, you will have to re-enter the password if you click on a little icon in there.
From reading the article, I did follow the link to the article, putting in your password that many times will drive someone insane.
That which does not kill me only postpones the inevitable.
Reminds me of talking cars. Users ask for an easy to use operating system without it getting in the way. Users complain about security issues. Users ask for a more secure operating system. Users complain about the OS getting in the way. Microsoft's response? You can't have your cake and eat it too. It sounds to me like their security implementation isn't half assed and that they realize that the closest you get to a totally secure machine is one that isn't turned on and has never been used. Their implementation therefore is going to cause some "Yes You Can Do That" "yes" "yes" "yes you can" headaches.
All I have read are bad reviews of Microsoft's next operating system upgrade. Are there really any reasons (yet) for an average user to pay the money to upgrade from Microsoft Windows XP Pro to Microsoft Windows Vista?
Btw, there was free software called Vista produced by the U.S. government for administering veterans' health care. Some time after Microsoft announced its desired name for its software, the U.S. government began calling Vista (so named since 1996), VistA. Now they have even gone so far as to call it VistA (note the obnoxious bold) on its own website. I guess the U.S. government really wanted to help Microsoft out with its trademark application.
It's the greatest feature in vista.
This ensures ALL users and majority of services are running UNPRIVILEGED, which means viruses/malware/etc can't do jack shit to the system.
This is great - try going to c:\windows and creating a file there or a new folder. Boom, UAC dialog. Why? Because normal users don't need to do anything in C:\windows! But, you say, what about when apps are installed? Well, I went and installed Office 2007 Beta2.
The privilege dialog came up TWICE. Once at beginning install and another time a few seconds later. That wasn't much bother at all. And now I can go back to running it as an unprivileged user.
When vista final is released, it will be the most secure windows release to date.
I agree with you; a system like linux uses does seem to be the best way to keep security... what I don't understand is how MS's system is fundamentally different from what linux does. You need to be what is the functional equivalent of root to install or change settings; but just for normal use I bet it wouldn't ask you that much. For me MS is doing the right thing here
...don't get me wrong, I won't be moving from linux (which has many other advantages over windows)
*''I can't believe it's not a hyperlink.''
Regarding the link posted by parent, the problem is: why the Hell doesn't this file (a shortcut), which actually seems to be on the main user's desktop, BELONG to the corresponding user?? Why does it belong to "SYSTEM"? I can't understand how Microsoft succeeds in screwing up things so much each and every time. It's not like there aren't easier, working and well-thought security models (look at UNIX's perms simplicity and efficiency, and they can be completed with a more thorough ACL system).
Those who don't understand Unix are condemned to reinvent it, poorly
It appears that you are trying to post a comment to Slashdot.
Please enter your Windows username and password to continue.
Username:
Password:
You forgot the buttons:
[OK] [Continue] [Cancel]
Continue will let you carry on regardless...
Summation 2
Anytime you install a program, it has to change the registry. You want to see a video encoded in a new format? Ah, you have to register the format and the codec - and there ya go, you have to change the registry. You want to associate a new filetype with a program? There ya go, you have to change the registry.
Sometimes I wonder - rootkits use stealth techniques to intercept registry calls. Why doesn't microsoft use the same rootkit approach to "cage" the registry into the directories used by the programs you install, and let the programs only use their caged registry? That way programs would only need access to their own caged directory and maybe a temporary or data directory.
IMHO, the registry was the worst idea Microsoft could have come up with.
It's too late to change the design once you've made it to Beta. Beta testing is about finding the obvious bugs in the system so they don't end up in the final version. If they tried to fix all their design errors after beta they'd never release anything.
Three reasons:
1. You can save your game in solitaire
2. You can save your game in freecell
3. It includes a super pretty chess game!
How about if you add something extra to make sure no "malware" lands up on my system? Can you do that?
In a word, no. How is the OS supposed to know that that cute little systray weather forecast app you downloaded and installed is actually a trojan?
As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.
It's official. Most of you are morons.
there's still some core OS UI that's not UAC-enabled, though. for example, you can't fully configure network connection settings without running explorer.exe elevated.
So they're *still* designing insecurity into the system because they place a higher priority on the "extensibility" that lets applications do things the user isn't expecting them to do.
And they're still relying on Grandma logged into her AOL account as the last line of defense.
Have they learned nothing?
Sorry, that was rhetorical.
This is NOT security! It's just a bunch of meaningless dialogs, that everybody in the world will learn to click "OK" to, thus making them even more meaningless. When linux asks for permissions, it's for a reason. I used several different shells / desktop environments, and never received shit for deleting a file in ~/Desktop from any of them.
For me MS is doing the right thing here
I'm not saying what they're doing is bad. I'm saying they went a little extreme. With as many times as it asks (I believe the article I cited said 17 times), it should have a "do not show again" option. Personally, I do not believe in caching passwords, but for that many times...
I actually commend them for doing this, but it needs to be more practical.
That which does not kill me only postpones the inevitable.
What I'm getting at is that Microsoft is making Vista with all the security precautions in place because their prior operating systems lack so fully in the department it's pathetic. And as an example of how sad they truly are when it comes to trusting the security of their own product, I felt the need to point out that the server for MSN that scans all incoming and outgoing data and connects the server itself is a FreeBSD server. It's just a blatant fact that even Microsoft knows that their products are crap for security. Total cost of ownership of the MSN property is not the issue here, it's simply the fact that Windows in itself is almost always a rushed to production piece of software filled with bugs, glitches, and holes. Hence, the necessity for continual service packs and security updates. You wanna know when you update FreeBSD? When a new release is out and you don't have a custom kernel.
"Some people think these questions are hard...
It isn't excessive prompts, it's a feature that can let the user stop a certain process from running. How many regenerating virii and rootkits rely on automatically running an executable the second a dodgy process is closed to make it tricky to remove? If you could identify a malicious process and prevent windows from running it in the future. Removing virii that are running, even in safemode, is a complete nightmare. A password protected feature that can prevent a process being run again the second it's closed would make the majority of aggressive malware next to useless and far easier to remove. Although knowing microsoft they'll leave a security hole in and hackers will start doing things like disabling explorer.exe...
One solution is for developers to write applications that don't need to be installed, nor run as, the Administrator user. Of course, that is if Vista was designed to allow applications to run properly as non-admin.
This is the stupidest thing i've ever seen, anywhere...
Windows has an 'All Users' home directory, which is where this shortcut lived. Since it wasn't owned by the current user, affirming permission was the right thing to do.
The flow is poorly designed, but it's the first cut of the feature, and the product is unreleased, so a little slack is in order. Of course, this is a Microsoft article on Slashdot. I should be happy there isn't a preponderance of dollar signs on this page. It's amazing you anti-Microsoft zealots finally realized that isn't clever.
Slashdot - where whining about luck is the new way to make the world you want.
I read the article's justifications. And I don't doubt that the number of elevation prompts seen in 'normal' usage will decrease as the betas roll on, to a number that most people will just learn to live with.
But I can't shake the feeling that their idea of increased security is, "WE decide, case by case, what operations are safe for you to do on your computer." Especially with sentences like this: "The hope here is that the user won't need to launch many administrative applications." Or, "Why can't my child run the anti-virus checker?" "They're not supposed to."
Sounds to me like by the time Vista goes gold, Microsoft will have successfully determined what set of operations we should be allowed to do with our computers to make the system somewhat usable by MOST users, MOST of the time.
Does that sound scary to anybody else? PC's with Microsoft OS's are becoming more and more like appliances with just a fixed set of day-in, day-out tasks, e.g. media center, gaming box, office productivity tool.
Fine, then. If that's all people want, I guess they should have an OS that conditions them not to do stupid things. The good result of this might be that Microsoft OS's will be even less desirable for people who still want to use a PC as a tool for exploration, research, and hacking. The bad result will be that, if M$ stays ubiquitous, fewer and fewer young people will even realize that that's what PC's at their best can be.
You're kidding right?
This "excessive prompting" is never complained about with OS X, or within Linux.
Uhh, that's because it works right? Clearly you don't use either because you'll find there is no prompting for normal user activity.
Is not "excessive prompting" exactly...
Uh, no. Again, if you used either one you'd see they take care of the problem the right way as opposed to Microsoft's cluster fsck.
I'm guessing you are trolling for Microsoft. If not, please switch to linux or OSX and you'll see what everyone is talking about.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Wow, talk about holding Microsoft to a different standard than other software companies. Last time I checked, in the OSS pit that is Slashdot, getting feedback about functionality from your potential users is a good thing.
And this is different from the current (real) slashdot how, exactly? For fuck's sake, the real slashdot even requires you to type a captcha! Lamest joke ever.
The big difference between the way it's implemented in Vista, and on my KDE desktop, is my KDE desktop isn't completely locked up by the process. I was typing an email last night when I was cut off in mid sentence by the Vista implementation. THAT'S why it sucks. At least in KDE all I get is a password prompt that I can leave in the background if I need to. OSX works the same way I think. I also think that asking for a password instead of just clicking OK is a better way to do it as well, I can just see the first round of viruses finding a way around clicking OK. At least with a password there's some sort of credential involved. You'd think that with the nifty password strength dialogue you see with setting up a user account, that some user education could be added in as well.
I don't mind having to authorize the process, I applaud it. But completely interrupting what the user is doing is a sure way to make people want to learn how to disable it.
but more power to ya if you like what you've got.
If it can search and index file contents, then it has full access to my data. If access to that index or search feature is insecure then it's taking control of my data out of my hands and giving it freely to others. Why should applications need to access files that I created but which I haven't explicitly opened for their use?
Will the security be in place in both the API and data storage files so that instant search won't just become a new way for malware to quickly focus on the data it wants (e.g. Credit Card or Social Security Numbers)?
While Microsoft has everyone screaming bloody murder about all these security prompts - keep this in mind: It's probably an intentional distraction.
Very few folks seem to be analyzing and criticizing the other 99% of this operating system. Keep focusing on this security-prompt-red-herring, and we'll fail to uncover the real turds before it's too late.
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
The point of UAC is to make sure the user has to authorize any actions that need administrative privileges. So address the authorization instead of the actions. Do what my Debian box does when programs need root privileges. When I run a program like that from my normal user account, a wrapper prompts me to enter the root password or abort the operation. If I enter the password and it's correct, root credentials are added to my keyring temporarily and the program can run as root. As long as those credentials are on my keyring, any other programs that need root access can run without prompting. If the credentials remain unused for more than a short time, they're removed from my keyring and any programs after that that need root privs will cause a prompt again. This makes sure I have to manually authorize root access, but that I don't have to keep answering repetitive prompts. It doesn't require any fancy tuning of which actions prompt and which don't, at most it only needs tuning of how long root credentials remain on the keyring which is a lot simpler.
Typical Microsoft, crafting the most complicated solution to the problem.
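The credential-caching model the comment describes (authorize once, reuse the cached credential for later privileged actions, drop it after a period of idleness), as an added example written for this page; it is not code from the post, from Debian or from sudo. The `PrivilegeBroker` name, the 5-minute idle timeout and the scripted session are assumptions for illustration.

```python
"""Simulation of "prompt once, cache briefly, re-prompt after idle" elevation.

Added example; the class name, timeout and sample session are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDLE_TIMEOUT_S = 300  # assumed: clear the cached credential after 5 idle minutes


@dataclass
class PrivilegeBroker:
    salt: bytes
    verifier: bytes                    # PBKDF2 of the admin password, never the password
    last_used: Optional[float] = None  # time of the last privileged action, None = nothing cached
    prompts: int = 0                   # how often the user was actually asked

    @classmethod
    def for_password(cls, password: str) -> "PrivilegeBroker":
        salt = os.urandom(16)
        return cls(salt, cls._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _password_ok(self, candidate: str) -> bool:
        # constant-time comparison so timing does not reveal how much of the hash matched
        return hmac.compare_digest(self._derive(candidate, self.salt), self.verifier)

    def cached(self, now: float) -> bool:
        """True while a credential is on the 'keyring' and has not idle-expired."""
        return self.last_used is not None and now - self.last_used <= IDLE_TIMEOUT_S

    def elevate(self, now: float, supplied_password: Optional[str]) -> bool:
        """Authorize one privileged action at time `now`.

        Prompts (consumes supplied_password) only when nothing usable is cached.
        A wrong answer clears the cache so the next attempt has to prompt again.
        """
        if not self.cached(now):
            self.prompts += 1
            if supplied_password is None or not self._password_ok(supplied_password):
                self.last_used = None
                return False
        self.last_used = now  # every successful use refreshes the idle timer
        return True


def simulate_session() -> Tuple[List[bool], int]:
    """Constructed session: five admin-level actions spread over ten minutes."""
    broker = PrivilegeBroker.for_password("correct horse")
    # (time in seconds, what the user types if prompted; None = would not be prompted)
    events = [
        (0,   "correct horse"),   # first action: prompt, answered correctly
        (30,  None),              # cached, no prompt
        (200, None),              # 170 s idle, still cached
        (600, "wrong"),           # 400 s idle: prompt again, user mistypes
        (605, "correct horse"),   # cache was cleared by the failure, prompt again
    ]
    results = [broker.elevate(t, pw) for t, pw in events]
    return results, broker.prompts


if __name__ == "__main__":
    print(simulate_session())  # ([True, True, True, False, True], 3)
```

Three prompts for five privileged actions is the whole point: the only knob is `IDLE_TIMEOUT_S`, not a per-action list of what does and does not prompt.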
I got into it with a(nother?) Microsoftie on this a few weeks ago.
I predicted there was no clear path with their access control plan.
http://slashdot.org/comments.pl?sid=186700&cid=15407442
The microsoftie claiming just because I had never used it, I shouldn't criticize and masterfully dropped a few personal insults too.
I fired back that I didn't see it happening.
http://slashdot.org/comments.pl?sid=186700&cid=15408915
Funny how I was right...
Today's Lesson: Run away from Longwait and don't look back.
Unless of course you are like me and are paid to babysit them. I'm confident there will be plenty of work.
Please Microsoft, just pay me to promote Longwait. It will be much easier on you.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Because the Windows control panel, unlike, say, the Preferences menu in GNOME, is a mishmash of user preferences and systems administration functions. IMHO, they should just remove all of the system admin functions out of control panel, and have a new Start Menu shortcut that opens the 'Manage...' window you get when right-clicking on computer.
My blog
This kind of security model has always been present in OS X, and other various unix-like flavors, so applications written for these operating systems have always expected to explicitly request super-user authorization before doing any system-level configuration.
The situation on Windows is completely different. Microsoft is retrofitting Windows with this security model, but it must still support the vast catalog of existing software that was written assuming the traditional Windows security model. So, instead of an application or installer explicitly requesting authorization, Windows watches all processes for what amounts to security violations, halts the process and prompts the user for elevation. And now they're talking about writing shims for specific problematic applications. Yikes!
To call this over-engineering is an understatement, to say the least, but what else can they do? The value of Windows has always been in its backward compatibility, and Microsoft cannot give that up without risking their dominance in the market. But this is precisely why OS X has surpassed Windows in terms of the rate of development within the last few years (also an understatement).
ENDUT! HOCH HECH!
I'm not sure why you have to say "uh" when posting. There is plenty of time to form cogent arguments without stalling for time.
At any rate, I actually do use OS X and Linux. But yes, my primary desktop is Windows. Frankly I find OS X to be overhyped and Linux is just not a great desktop. Don't get me wrong, I *heart* linux deeply and use exclusively LAMP at work.
And I do find the prompting in OS X to be excessive at times. When running software updates I must enter my password for each update.
Even from the terminal, even if I am logged in as root I still need to sudo rm -R and then enter my password to remove a directory and its contents. It's for the best, of course, but it seems that I shouldn't have to enter my password again once I've logged in as "root the all powerful". Darwin is a weird unix-like.
Now, lastly - I'm not looking forward to Vista. I use windows pretty much because it runs my games and has the added advantage of being able to browse and process words. But I am by no means a die-hard fan. I simply have the opinion that it's a good thing that Windows is prompting more often. I am not implying that this indicates that Windows is by any means now "fixed" because of it. Microsoft needs to leave their current architecture behind - Vista should (and it seems will) be the last of the NTs.
--
Music should be free
My Computer Music Tutorial Videos
Funny, Slashdot doesn't ask me for my Windows username. Of course, you've probably used the same name and password for your system as you do for a site like Slashdot, which is why you missed the point...
This guy's the limit!
-- "I never gave these stories much credence." - HAL 9000
The real problem is: the icon belongs to the system, not the user. So the user shouldn't try to delete it, since it will affect other accounts, too.
Of course, that means the user can't get rid of the icon at all, which is a bug in the way desktop displays icons. It should either:
1) display only the user's icons, or
2) allow the user to "hide" system icons.
Same problem with the Start menu, by the way.
Freedesktop.org's menu standard is much better. (At least, the way KDE works - I assume that other DEs support this, too). The user can create a local shortcut with the same name, and it will override the system icon. The shortcut can be marked as "hidden", which will effectively delete the system one for the current user.
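The override and "hidden" behaviour the comment attributes to the freedesktop.org menu standard, as an added example written for this page (not code from the post, from KDE or from freedesktop.org). It follows the Desktop Entry spec's rules: the first directory in the search order that contains a given file name wins, and an entry with `Hidden=true` counts as not existing for that user. The sample entries and the in-memory stand-in for the directory search path are constructed for illustration.

```python
"""Minimal resolver for .desktop file precedence and Hidden=true.

Added example; SEARCH_PATH is a constructed stand-in for the real directories.
"""
from typing import Dict, List, Optional

# User-local entries (XDG_DATA_HOME/applications) come before the system-wide
# directory (XDG_DATA_DIRS/applications); same file name = same desktop-file id.
SEARCH_PATH: List[Dict[str, str]] = [
    {   # ~/.local/share/applications (user)
        "vendor-updater.desktop": "[Desktop Entry]\nType=Application\nName=Updater\nHidden=true\n",
        "editor.desktop": "[Desktop Entry]\nType=Application\nName=My Editor\nExec=editor %f\n",
    },
    {   # /usr/share/applications (system)
        "vendor-updater.desktop": "[Desktop Entry]\nType=Application\nName=Vendor Updater\nExec=updater\n",
        "editor.desktop": "[Desktop Entry]\nType=Application\nName=Editor\nExec=editor\n",
        "terminal.desktop": "[Desktop Entry]\nType=Application\nName=Terminal\nExec=xterm\n",
    },
]


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Parse the [Desktop Entry] group of a .desktop file into a dict.

    Comment lines and other groups (e.g. [Desktop Action ...]) are skipped.
    """
    keys: Dict[str, str] = {}
    in_main_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main_group = line == "[Desktop Entry]"
            continue
        if in_main_group and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return keys


def resolve_menu(search_path: List[Dict[str, str]]) -> Dict[str, Optional[Dict[str, str]]]:
    """Map each desktop-file id to the entry this user sees, or None if hidden.

    Earlier directories shadow later ones, so a user-local file with
    Hidden=true removes the entry for this user without touching the system copy.
    """
    resolved: Dict[str, Optional[Dict[str, str]]] = {}
    for directory in search_path:
        for file_id, text in directory.items():
            if file_id in resolved:
                continue  # a higher-precedence file already decided this id
            entry = parse_desktop_entry(text)
            hidden = entry.get("Hidden", "false").lower() == "true"
            resolved[file_id] = None if hidden else entry
    return resolved


def visible_names(search_path: List[Dict[str, str]]) -> List[str]:
    """Names the menu would display, sorted for stable output."""
    return sorted(e["Name"] for e in resolve_menu(search_path).values() if e)


if __name__ == "__main__":
    print(visible_names(SEARCH_PATH))  # ['My Editor', 'Terminal']
```

The system files are never written to, which is the property the comment is after: a per-user override needs only write access to the user's own directory.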
nt
spoonerize "magic trackpad"
They've had how many years and an unbelievable amount of people/money thrown at the problem and this is the best they've got?
My previous post on the subject covers it pretty well:
http://slashdot.org/comments.pl?sid=187221&cid=15447596
It's funny that it's moderated 30% Interesting 40% Troll 30% Underrated
Just pay me and I'll promote Longwait.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
For the record, Gnome on Ubuntu 6.06 does lock the screen until you enter a password. However, this still happens infrequently and predictably enough to not be annoying in the least --it only happens when dealing with application addition/removal, and any of the apps in System->Administration. Pretty reasonable.
I used to deal with UAC before. :)
Does anyone else see this as being a metaphor for (or at least, highly parallel to) the huge bureaucracy of the NSA: an organization designed to have the appearance of being "tough on security", but actually being costly and inconvenient while affecting real security very little?
My gut feeling is this is another Microsoftie doing damage control.
the optimal number of steps
Is one. Just one. On my kde desktop, I right-click the icon, select delete. Apple's desktop is similar.
In both instances, there's a robust security model underneath my desktop that does not require an extra "are you sure?" button on my desktop to work right.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
i have dealt with some difficult customers, but this slashdot crowd right now is just utterly ridiculous. there are a few that are willing to go against the grain and give vista a chance before dismissing it entirely, but the vast majority of the slashdotters lately are as close-minded and biased as any group i have ever seen. if MS adds a feature that you all love from another OS or application, they are copying. if they don't add it, they are behind the times. if MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway. if they don't try to beef up security... well i think you know what you all think of that. if MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. if they don't release the patch, they are too slow to react to security threats, and are failing their users. this is the best one, and it happened just like this, a few posts up... if they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. if they don't open up to a beta and take suggestions, they are ignoring their users. i could go on, but i think you catch the drift. i get it, you guys hate MS. i thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then i might just have to give up on getting any more actual insight from reading the comments on slashdot, particularly on MS related stories.
I know Vista is in Beta but when I beta tested Windows 2000, there were a lot of bugs in that beta.
I emailed Microsoft with problems with Windows 2000. It was a really nice, long email.
They sent me a nice email back saying that they will look into the problems that I had found out,
And guess what they never fixed them. The same issues were in the final release that were in the beta.
the Lead Program Manager
Program Manager? I thought we got rid of that thing after 3.11?
Well, I think I've heard enough.
Slashdot = -1 Redundant, Asperger, kdawson FUD, Libertarian, and Linux
Plenty of the people who have complained, that I've seen, have been people who have used either OS X or Linux and complained that the Vista beta implementation of the feature was clumsier and more intrusive than the implementation of similar security functionality on those non-Windows platforms.
Being similar in outline is not the same thing as being identical in implementation.
The only thing those links show is that you're an ignoramus flamer that doesn't know how to use linebreaks. And that you managed to hook a "microsoftie" with your low-wait slashbot-style trolling. It's pretty pathetic that you are bragging about that little exchange, because it shows you in an extremely poor light.
Whenever I hear the word 'Innovation', I reach for my pistol.
I'm sorry mpapet, but I don't see the personal insults. You appear to come off attacking Vista without detailing any knowledge of actually using the product.
What do you expect when using terms such as "Longwait"????
There's your answer then, prevent the user from downloading and installing said software. All you'd have to do is have an integrated IQ test at log on, this could pop up at a 6 month period, if you fall below the desired score by a couple points, it denies you access and tells you to go smart up and stop watching soaps on TV.
If you fall greatly below the desired score the new M$ Vista webcam would track your face and fire a cable with a barbed hook from its underside into you. It would then proceed to electrocute you until you die. Hence, not only does it prevent user stupidity, it could also do the world a small favour in the process.
Must go file this patent.
"I may be full of crap about this game, and I may be wrong, and that's fine." -Jack Thompson
Another post shows the several steps it takes to delete an icon on your desktop.
Are you sure you want to delete this thing on your desktop?
Yes, because it's my fsking desktop! Not root, not another account, mine!
going to c:\windows and creating a file there or a new folder
As a system administrator I can tell you nearly all users don't want to go anywhere near c:\windows. XP solved it enough for these users. OSX and Linux have a security model that Microsoft will only dream about.
So, they've created another complicated system on top of an OS not designed with security from the kernel upward.
Switch to OSX or Linux. It works right.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Not to mention that the entire reason the trash can exists is so that you don't have to have an "are you sure" prompt because if you "delete" something by accident you can just grab it out of the trash!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
In Windows, even simple actions require accessing TONS of DLLs. I imagine that MS simply set up Vista to ask for "authorization" EVERY TIME a "privileged" DLL needs to be accessed. Obviously, that gets out of control.
They need to figure out a way to make it so that you authorize certain ACTIVITIES, instead of every individual executable that activity requires.
Of course, that's damn hard, because of the way Windows is designed.
Personally, I don't find the dialogs that bad, and if it can keep people from doing STUPID stuff, I'm all for it.
While your view is correct, there are some reasons why a confirmation-on-delete can still be beneficial, especially for novice users.
Say a novice user (think grandma) is trying to click on Rename and accidentally hits delete without even noticing that delete was an option. If the shortcut disappears, they would be thoroughly confused. They would not know to look in the recycle bin.
Also, remember, this confirmation *can* be turned off in Vista (just like in XP.) So, you can have it the way you like it if you decide to use Vista. However, I support the decision to default this feature to on.
Because everyone was demanding that they fix the security problems as their number one priority and they -finally- listened. So they did fix them, which broke some poorly behaved apps, and they got screamed at for breaking apps. You can't have it both ways.
Tell that to a paralyzed person who controls the computer with his/her voice. Because the voice recognition program needs to send keystrokes to Windows.
But nice to see you were moderated +5 insightful, despite blatantly ignoring the words accessibility extensions.
From the blog:
The problem with marking Windows binaries to "silently elevate" is that we feel it will lead to "worms" or self propagating malware.
Marking "silent elevator" should require administrative privilege, so what's the problem?
Unix has had this for years; it's called "setuid root". This is extremely useful.
Also, it's very easy to have a knob to allow all signed applications to do silent elevation. Much cleaner than developing hacky shims.
Any form of user control in Vista would be a nice improvement from Windows XP.
For the record, Gnome on Ubuntu 6.06 does lock the screen until you enter a password... Pretty reasonable.
Hmm, I disagree. There is no good reason to lock up the UI until the password is entered and a number of reasons not to. The biggest I can think of is it makes for less informed users. If a dialogue asks for my permission to do something and I don't understand it, the first thing I'm going to do is Google it. If the UI is locked up, that option is gone, so I'm making a less informed choice which is more likely to lead to a bad decision.
I don't want Vista to succeed. I like that when people use GNU/Linux, they're reminded that it feels good to share and collaborate. I like that it also makes people start questioning patents, excessive copyright, fair use circumventions, etc. So even if people end up liking Vista, that would feel like a step backward for me because it moves people further away from open-source software.
I wonder when I became an idealist...
This is NOT security! It's just a bunch of meaningless dialogs, that everybody in the world will learn to click "OK" to, thus making them even more meaningless.
Sir, you are wrong! Everybody in the world will learn to click "Continue." Everybody is already trained to click "OK" at random intervals so they used a different button name that is always the same.
At the risk of sounding like a broken record, I really really wish people would stop acting like the beta is finished code, and complaining about it. A simple "Sheesh, I hope they change / fix that!" turns into " Omfg look at that crap they put in there! were all doomed!"
I really need to stop trying to play the devil's advocate around here, fucking holier than thou zealots are going to kill my karma.
Windows has more viruses because linux has more virus coders.
From the link:
:)
"For example, when the application attempts to write to a file in the program files directory, Windows Vista gives the application its own private copy of the file in the user's profile so the application will function properly."
My idea is not to cage the user, but the APP. Caging the user still won't work. It's like closing down the cage with you and the Bengal tiger inside. OK ok... they give you a whip. Happy?
If we cage the APPLICATIONS, every app will run on its own sandbox, without affecting the rest of the system.
If Spinal Tap wrote software...the result = Windows Vista
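The quoted blog passage above describes UAC file virtualization: writes an application makes to Program Files are silently redirected into a private copy in the user's profile. The following PowerShell is an added example, not code from the original thread or from the blog, that lists what has been redirected into the current user's VirtualStore and whether the real file it shadows exists. It assumes a default Vista-or-later folder layout (%LOCALAPPDATA%\VirtualStore, %ProgramFiles%, %SystemRoot%).

```powershell
# Added example, not part of the original thread: list what UAC file
# virtualization has redirected into this user's VirtualStore (the "private
# copy in the user's profile" from the quoted blog) and whether the real file
# it shadows exists. Paths assume a default Vista-or-later layout.
$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$roots = @{                                  # top-level VirtualStore folder -> real location
    'Program Files'       = $env:ProgramFiles
    'Program Files (x86)' = ${env:ProgramFiles(x86)}
    'Windows'             = $env:SystemRoot
}

function Get-VirtualizedFiles {
    if (-not (Test-Path -LiteralPath $store)) { return @() }   # nothing virtualized for this user
    Get-ChildItem -LiteralPath $store -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($store.Length).TrimStart('\')   # e.g. Program Files\App\settings.ini
        $top  = $rel.Split('\')[0]
        $real = $null
        if ($roots[$top]) { $real = Join-Path $roots[$top] $rel.Substring($top.Length).TrimStart('\') }
        [pscustomobject]@{
            Virtualized = $rel
            RealPath    = $real
            RealExists  = [bool]($real -and (Test-Path -LiteralPath $real))
            LastWrite   = $_.LastWriteTime
        }
    }
}

Get-VirtualizedFiles | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

A row with RealExists = True is the classic trap: the application reads and writes its own shadow copy while an administrator editing the file under Program Files sees something different. The registry has the same mechanism under HKCU\Software\Classes\VirtualStore for writes to HKLM\Software.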
No freaking kidding. That post was probably the most amazing example of being "damned if you do and damned if you don't" I've ever seen.
concrete5: a cms made for marketing, but strong enough for geeks.
Why on earth would any sane person knowingly allow a computer program to impersonate themselves or others? My gut feeling is that MS and other software mfg want more control of MY and YOUR computer without us knowing it. It wouldn't surprise me if elements of the Vista allow MS to search your computer for bogus copies of MS software and software from other companies without us knowing it. MS could sell this service to other companies (i.e. music industry, publishing industry with e-books). And how about marketing companies that want to know your buying habits. Remember that the OS has unrestricted access to your drives - and the Internet. This becomes a serious concern as more home users become hard wired to the Internet 24/7 with fixed IPs. Think about it. Why would a home user need all this sophistication? And forget about worrying about a family member (i.e. kids) updating windows. Most family members who are online have their own PC - $700 is all it costs and no one has to fight for a turn on the Internet.
they actually have this feature. You right click on explorer and click run as. Then type in my computer on top. any thing you do from that window edit/run will be done as whoever you "ran as".
This feature probably will not work on vista because after I installed the new ie 7 i could no longer go to my computer from the browser.
I am a big linux fan, but I still would not recommend it to anyone who doesn't know what assembly is. Linux needs to learn from windows' trials and errors. Come on folks, all I am looking for is a distro backed by linux, where I can give the cd to my brother and it will install as easy as windows. Meaning for compatibility issues, make a wrapper that reads windows' driver files. I have no clue how you can do this, but if you can do it, I promise you windows would disappear from most computers.
Teasing the nobles, and rightfully so!
What everyone seems to miss is that the fundamental flaw, which the blog author alludes to, is Microsoft's desire to allow applications to masquerade as the user and send messages via the Windows message pump (via SendMessage() etc).
The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).
Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.
One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.
But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista windows must be modified and rebuilt.
So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.
Premature optimization is the root of all evil
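The comment above makes the point that synthesized input and real keyboard input enter a window through the same message queue. The PowerShell below is an added example, not code from the original thread, that demonstrates exactly that by posting a WM_CHAR into another application's edit control. It assumes a classic "Untitled - Notepad" window is open. One caveat the comment does not mention: Vista's partial answer to this is UIPI (User Interface Privilege Isolation), which refuses messages from a lower-integrity process to a window owned by a higher-integrity one, so the same call against an elevated window fails with Win32 error 5 (ERROR_ACCESS_DENIED); the function reports that case.

```powershell
# Added example, not part of the original thread: push a keystroke into another
# application through the window-message queue, the single "front door" the
# comment above describes. The target is located by title; a classic
# "Untitled - Notepad" window is assumed to be open. On Vista and later the
# same call against a window owned by a higher-integrity (elevated) process
# is refused by UIPI and GetLastError reports 5 (ERROR_ACCESS_DENIED).
Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindowEx(IntPtr hWndParent, IntPtr hWndChildAfter, string lpszClass, string lpszWindow);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@
$WM_CHAR = 0x0102

function Send-CharToWindow {
    param([string]$WindowTitle, [char]$Char)
    $top = [Win32.Msg]::FindWindow($null, $WindowTitle)
    if ($top -eq [IntPtr]::Zero) { throw "window '$WindowTitle' not found" }
    # Notepad's text lives in a child "Edit" control; fall back to the frame if absent.
    $target = [Win32.Msg]::FindWindowEx($top, [IntPtr]::Zero, 'Edit', $null)
    if ($target -eq [IntPtr]::Zero) { $target = $top }
    $ok = [Win32.Msg]::PostMessage($target, $WM_CHAR, [IntPtr][int][char]$Char, [IntPtr]::Zero)
    if ($ok) { return "posted WM_CHAR '$Char' to '$WindowTitle'" }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -eq 5) { return "refused by UIPI: '$WindowTitle' runs at a higher integrity level than this shell" }
    return "PostMessage failed with Win32 error $err"
}

Send-CharToWindow -WindowTitle 'Untitled - Notepad' -Char 'A'
```

Run it once against a Notepad started normally and once against one started with "Run as administrator" from a non-elevated shell to see both outcomes. Note that UIPI only separates integrity levels; two processes at the same level can still drive each other's windows freely, which is the residual problem the comment is describing.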
What we need is not 100 dialogs verifying if we really really really want to delete or execute something. What is needed here is an internationally recognized license to operate a computer. That is right, a license to operate a computer, just like we need licenses to operate a vehicle. Damage done by improper use of a computer nowadays is pretty extensive. A license would filter out part of the core problem allowing them to focus on fixing the other part, making the actual OS secure and not just slapping these dialog hacks. I'm only half joking.
[alk]
As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.
No need to fear -- DRM and Trusted Computing are right around the corner to save the day...
*ducks*
Where do want microsoft me drag today?
This guy is clearly cracking under the pressure. I never understood people like that. Steve, if you read this, just tell Gates he is a Fscking crook and a moron in front of a room full of people and stroll out proudly. Every gasp you hear will be a gasp of respect.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
...a new Start Menu shortcut that opens the 'Manage...' window you get when right-clicking on computer.
They have one. It's called "Computer Management" under Start/Programs/Administrative Tools.
Post-rock/Ambient/Drone and other noise.
Hang on, isn't this place overrun by Linux fanboys? Isn't this just the windows version of 'SUDO'? I run Fedora and it often prompts me for the root passwd to do things. How is this different?
What they are doing beats running as non-admin on Windows XP. Which is basically the only way to be secure as the Windows core was engineered correctly while the apps were not.
Most Microsoft apps actually run correctly when you are not an admin because Microsoft sells to large companies which are mostly locked down, but 3rd party apps are horrible. There's no way a regular user could set up all his apps to run as that involves a lot of command line fun with CACLS on XP Home.
The part of Windows that was not designed correctly is the All Users account. If you install an app that's supposed to be available to all users then, for example, its desktop icon is installed in the All Users/Desktop dir instead of being added to each user's Desktop dir. And to change anything for All Users you need admin privileges, which is why Windows requires privilege escalation for simple tasks like removing an icon from your desktop.
Dejan
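The comment above explains why deleting a desktop icon can trigger elevation: the icon lives in the All Users desktop, which the standard token cannot modify. The PowerShell below is an added example, not code from the original thread, that lists the shortcuts on the per-user and All Users desktops, their owners, and whether the current non-elevated token can delete each one by checking the file and parent-directory ACLs. It assumes nothing beyond a standard Windows install; folder paths come from the Environment special-folder API.

```powershell
# Added example, not part of the original thread: list the shortcuts on the
# per-user Desktop and on the shared All Users (Public) Desktop, who owns
# each, and whether the current non-elevated token can delete it. A $false
# in CanDelete is exactly the case where Explorer raises the UAC prompt for
# "removing an icon from your desktop". Folder paths come from the
# Environment special-folder API, so they are not hard-coded.
$userDesktop   = [Environment]::GetFolderPath('Desktop')
$sharedDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
$me     = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })   # deny-only groups (the filtered Administrators SID) are excluded by .NET

function Test-CanDelete {
    param([string]$Path)
    # Delete is granted by DELETE on the file itself or by DELETE_CHILD on the parent directory.
    $checks = @(
        @{ Acl = Get-Acl -LiteralPath $Path;                      Right = [Security.AccessControl.FileSystemRights]::Delete },
        @{ Acl = Get-Acl -LiteralPath (Split-Path $Path -Parent); Right = [Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles }
    )
    foreach ($c in $checks) {
        $allowed = $false
        foreach ($rule in $c.Acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
            if ($mySids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band [int]$c.Right) -eq 0) { continue }
            if ($rule.AccessControlType -eq 'Deny') { return $false }   # an explicit Deny wins
            $allowed = $true
        }
        if ($allowed) { return $true }
    }
    return $false
}

$report = foreach ($dir in @($userDesktop, $sharedDesktop)) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Shortcut  = $_.Name
            Location  = if ($dir -eq $sharedDesktop) { 'All Users' } else { 'Per-user' }
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            CanDelete = Test-CanDelete -Path $_.FullName
        }
    }
}
$report | Sort-Object Location, Shortcut | Format-Table -AutoSize
```

Run it from a normal (non-elevated) shell; from an elevated one every row will report CanDelete = True because the full Administrators SID is back in the token, which is the whole point of the split token.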
In a word, no. How is the OS supposed to know that that cute little systray weather forecast app you downloaded and installed is actually a trojan?
The only person who knows what they expect the software to do is the user. The problem is, most OS's neither tell the user what the program is doing, nor let them restrict the behaviors of that software. The second ability is a solved problem, but what is lacking is a good user interface to inform the user. Microsoft is not the one to look to for a good UI design. Hopefully, however, someone else will write one and MS can copy it.
As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.
Horse crap. There is plenty of low hanging fruit here. Just warning the user the first time new software tries to access their personal files, address book, IM list, internet, or system files and forcing them to choose what level of permission to grant, with a good UI would stop 90% of the trojans out there right now.
The program "Weather Widget" wants to read your e-mail address book. (Stop it from reading the address book)(Allow it to read the address book once)(Allow it to read the address book always)(Advanced options).
Poof! Problem solved. This is what MS should have done years ago. All of this "blah blah blah blah blah blah blah (OK)(Cancel)" crap over and over again is useless and just trains users to always click "OK" without reading anything.
I'm probably inviting a lynching from the zealots but... Linux ain't much better! I have been messing with linux in one form or another (started with slack in the mid 90's but have since moved to ubuntu and suse 10.1) and it is still messy to get things done in the gui environments without logging in as root (note: I didn't say it CAN'T be done, it's just easier as root)! I anticipate Vista to have the same hangups I have come to find annoying with linux... the need to punch in my loooong root password every time I want to do something as simple as install an app or navigate my own system freely. I just want it to be simple, the same as everyone else. I also want it to be secure enough that I don't constantly have to visit my friends and relatives without having to bring along my antivirus and antispyware kit. It's easy for everyone to knock it but I don't see many people actually offering any helpful solutions. Who cares whether it's Windows, Linux, OSX, BeOS, *nix or any other OS. As long as it gets the job done with a minimum of fuss.
Quidquid latine dictum sit, altum sonatur.
Noted
There is one very good reason and it is why Vista does this: because the dialog actually appears on a special secure desktop that no other processes can interact with, preventing elementary UAC dialog spoofing, button-pushing, and keylogging tactics. It may be inconvenient, but good security often is.
If you don't know where you are going, you will wind up somewhere else.
Just warning the user the first time new software tries to access their personal files, address book, IM list, internet, or system files and forcing them to choose what level of permission to grant, with a good UI would stop 90% of the trojans out there right now.
The idea has merit, but again, it's hardly foolproof. So Jo Sixpack installs Weather Buddy Widget, and lo, Windows pops up a dialogue warning him that it's trying to make a network connection.
Well, of course it is - it's trying to download the weather forecast, right?
Or is it establishing its place in the zombie botnet and awaiting its first spam to send out or DDoS target? How does Jo Sixpack (who's already naive enough to download and install the thing in the first place, remember) know which?
It's accessing "My Documents" - well, yeah, it's trying to write config data; or trying to scan all your documents for juicy looking data?
I'll grant you that accessing your email address book should be a giveaway. So you don't write Weather Buddy Widget to do that; you write Comet Contact Manager to do that.
Better information about what's being accessed by what might well help catch some of these things, but by no means all. I've also seen programmers with a couple of decades experience absent-mindedly click "ok" on a dialogue, then realise the stupid mistake they've made. People make mistakes, misread things, are in a hurry, don't care, or just plain don't understand.
would stop 90% of the trojans out there right now
Even assuming that the figure you pulled out of the air is correct (and I think it's hopelessly optimistic, but then I'm pretty pessimistic), all it would do is trigger a brief lull as the crapware spewing idiots upped their game and wrote new malware that asked for reasonable-sounding access, then abused it.
There's only so much an OS can do, as long as the person sat at the keyboard has insufficient knowledge and the administrative password.
It's official. Most of you are morons.
There is one very good reason and it is why Vista does this: because the dialog actually appears on a special secure desktop that no other processes can interact with, preventing elementary UAC dialog spoofing, button-pushing, and keylogging tactics.
If they can't secure their dialogue from keylogging and other processes without a UI lockup, then they should get out of the business. Making it slightly harder to spoof is a weak reason.
It may be inconvenient, but good security often is.
Again, I disagree. Ignoring the human component in security is an elementary mistake. Making it inconvenient, but applying it unnecessarily will make users find ways around it, even if that way is clicking "Continue" or entering a password reflexively every time they see such a dialogue.
Security and usability are not polar opposites as so many people, like MS, would have you believe. I still disagree, fundamentally with this choice.
It will have the familiar ring of Debian but will colorfully convey how this new and improved O/S interacts with the 'end' user
GJ
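Two claims in this thread are worth checking on a real box rather than arguing about: that the confirmation can be turned off entirely, and that the dialog is drawn on a separate secure desktop so other processes cannot spoof it or press its buttons. Both are policy values under one registry key. The PowerShell below is an added example, not code from the original thread, that reads those values, flags the weak settings, and shows the corrected values; it uses the Vista-era value names and meanings, treats a missing value as "default" (not flagged), and leaves -WhatIf on the remediation lines so nothing changes until you remove it.

```powershell
# Added example, not part of the original thread: audit the UAC policy values
# under Policies\System that decide whether the consent dialog appears at all
# and whether it is drawn on the isolated secure desktop, and flag the weak
# settings. Value names and meanings are the Vista-era ones; missing values
# mean "default" and are not flagged. The remediation lines are -WhatIf so
# the script changes nothing until you remove that switch (takes effect at
# next logon).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$names = 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser'

function Get-UacFindings {
    param([hashtable]$Values)   # name -> DWORD; keys absent when the value is not set
    $findings = @()
    if ($Values['EnableLUA'] -eq 0) {
        $findings += 'EnableLUA=0: UAC is off; every administrator process runs with the full token'
    }
    if ($Values['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the consent dialog is drawn on the normal desktop, where other processes can spoof it or drive its buttons'
    }
    if ($Values['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, with no prompt at all'
    }
    if ($Values['ConsentPromptBehaviorUser'] -eq 0) {
        $findings += 'ConsentPromptBehaviorUser=0: standard users cannot elevate at all (requests auto-denied); strict rather than weak, but worth knowing'
    }
    return ,$findings
}

$current = @{}
$props = Get-ItemProperty -LiteralPath $key -ErrorAction Stop
foreach ($n in $names) { if ($null -ne $props.$n) { $current[$n] = [int]$props.$n } }

$findings = Get-UacFindings -Values $current
if ($findings.Count -eq 0) { 'UAC policy: no weak settings found' } else { $findings }

# Corrected values for the two that matter most; remove -WhatIf to apply.
Set-ItemProperty -LiteralPath $key -Name EnableLUA             -Type DWord -Value 1 -WhatIf
Set-ItemProperty -LiteralPath $key -Name PromptOnSecureDesktop -Type DWord -Value 1 -WhatIf
```

PromptOnSecureDesktop is the one the "UI lockup" argument above is really about: with it set to 1 the prompt runs on a desktop no user process can draw on or send messages to, which is why the rest of the screen freezes; set it to 0 and the prompt becomes an ordinary window that any same-integrity process can cover or click.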
Some years ago, to play an animation or watch a picture, you could just put it in the floppy disk with the application required to view it.
Today, you can't embed the codec in the CD-ROM, you have to register it. I just wonder... WHY??? Why do you have to INSTALL the codec instead of JUST RUNNING it?
The idea has merit, but again, it's hardly foolproof.
True, but it is much, much better than nothing and it restricts the needed user education to a reasonably small set, rather than the PhD worth of info you need now.
So Jo Sixpack installs Weather Buddy Widget, and lo, Windows pops up a dialogue warning him that it's trying to make a network connection. Well, of course it is - it's trying to download the weather forecast, right? Or is it establishing its place in the zombie botnet and awaiting its first spam to send out or DDoS target? How does Jo Sixpack (who's already naive enough to download and install the thing in the first place, remember) know which?
The application "Weather Buddy Widget" is sending an unusually high amount of outgoing traffic for a non-server application. (restrict the traffic level)(stop the internet connection)(allow the traffic to continue as it is).
Warning, the application "Weather Buddy Widget" is sending traffic in a way that is normally used to send large numbers of e-mails. (restrict the traffic level)(stop the internet connection)(allow the traffic to continue as it is).
It's accessing "My Documents" - well, yeah, it's trying to write config data; or trying to scan all your documents for juicy looking data?
That is why you don't store any config data in "My Documents" and throw a warning when an application tries to access any file it did not create, without the user directing it to do so. Let them go to file and open and open a file, but if it tries to look in something else in the "My Documents" folder without user interaction throw a warning. After all, it is for documents, not configurations and any program breaking that convention is suspicious.
I'll grant you that accessing your email address book should be a giveaway. So you don't write Weather Buddy Widget to do that; you write Comet Contact Manager to do that.
Ahh, but then you have to get them to install two pieces of software in order to propagate and you throw an alert when they try to talk to one another. "Weather Buddy Widget" wants to get data from "Comet Contact Manager" (allow them to share)(stop them from sharing).
Better information about what's being accessed by what might well help catch some of these things, but by no means all.
Right now, properly written, it would stop all but a few and with a little education it should stop nearly all of them going forward.
I've also seen programmers with a couple of decades experience absently-mindedly click "ok" on a dialogue, then realise the stupid mistake they've made. People make mistakes, misread things, are in a hurry, don't care, or just plain don't understand.
Users don't like these interruptions, so they will tend to avoid software that creates them, thus programs move towards better practices. Not providing an "OK" button prevents people from acting reflexively. They actually have to read the dialogue to pick a choice. Making it plain English lets them make a good choice. Will some choose randomly? Maybe, but they will get unpredictable responses. Given that on a well made system, with good software these should appear very rarely I think it is very workable.
I disagree. How do you make access to personal information and files and propagation behavior sound "reasonable?" Give users the power and the information and most of this malware will be dead in the water. Sure, malware will still crop up, but it will be very crippled, and almost impossible to hide.
There's only so much an OS can do, as long as the person sat at the keyboard has insufficient knowledge and the administrative password.
So it is time to give them the knowledge, both directly from the OS and then with a small amount of educati
Is it just me that thinks that this won't help a bit, because inexperienced PC users will get annoyed by the dialogs very fast and start pressing 'Permit' automatically every time it pops up? If so, this feature will be of no use at all.
The "product" is in beta, after x years in development, so this is pretty much what we can expect in the final version.
My point is, that if you HAVE permissions for an operation, then the operation should be executed; if you DON'T have permissions, then you should be prompted to login as user that does have permissions.
Gaining required rights by clicking "OK"/"I agree"/"Sure, what the hell" is quite idiotic.
I'm not anti-MS, but it's just hard to find something so stupid and amusing for ridicule in the linux world. (Spatial Gnome came close)
That's a design problem.
Any serious desktop should have a global "undo" button, that you need to learn about, before you sit at the computer. Then you could delete any file you wanted, even by accident, and then get it back.
The whole problem is that it's difficult to implement a global "undo" function that works _everywhere_. It's very difficult. It's not impossible, though.
About your saying that it can be turned off, that's nonsense. Interfaces that need configuration to work are badly designed interfaces. The application should be judged with its default configuration, because that is what is available everywhere.
Slashdot isn't tough on Microsoft at all. They just hate Microsoft for no good reason and they lack social skills in the real world.
Most people on here don't really code anything and they have no idea what it takes and what Beta actually means. They just know that Microsoft sucks because their friends say so, so it must be true.
In the long run, slashdot kids really don't amount to anything big.
They may not be polar opposites, but they are in tension, since usability is all about using things, whereas security by definition is there to prevent you from using things. Ideally, the security only stops you from doing things that you don't want to do anyways, but if this were always the case, then things like UAC wouldn't even be necessary at all.
The default configuration should be designed for what will please the majority of users. Then, there should be configuration options so that the minorities can have it their way too.
Your comment is true: Interfaces that need configuration to work are badly designed interfaces.
However, obviously, asking for a confirmation on file delete still *works*, it's just not your personal preference (you prefer to delete first and undo after). Which is fine, but you're the minority. You'll have to check a box to make Windows act this way.
Since when was the OSS community interested in helping M$ improve its game? M$ has declared open warfare on OSS many time so isn't it about time we told them to just **** off? Tell them it's great just as it is then, hopefully, it will die the death it should do.
TO START
PRESS ANY KEY
Where's the 'ANY' key? I see Esk, Kitarl, and Pig-Up...
Prompts are not an effective security feature for the average user.
Many users will simply click the "Proceed" button without giving it much thought -- particularly if:
(1) They see the same prompt dozens of times each week, or,
(2) The web-site that they downloaded the file from tells them that it's safe to click the "Proceed" button.
Vista seems to have based their new security model on the user prompt. It will result in a small reduction in malware, but it will not be a significant reduction.
What it ought to do is pop up one of those little non-modal balloon help things from the recycle bin the first couple of times, telling the user that the file was just moved there (as opposed to a modal dialog telling the user that the file is about to be moved there).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
The example of deleting a desktop icon was poorly chosen. In this case the user decided to delete an icon that's not owned by him, so escalation is required. Most icons you put on your desktop and would not be asked to delete. If you're trying to delete a file you don't have access to in Gnome file manager, wouldn't you expect to get the same prompt?
Even if you are admin and can delete that icon that isn't owned by you doesn't mean you should automatically be able to do it. Look, just because you "HAVE" permission for an operation does NOT mean it should be executed. The whole point of restricting admin access is to make the admin account safe. What if you want to be able to login as admin and listen to a CD without having to worry about a rootkit automatically installing? It makes sense to have it pop up a box that says "Are you sure you want to install this rootkit?" because at that point you'll definitely be confused as to why this box popped up after inserting a CD and you'll click No.
Of course all of this UAC crap can be disabled on various levels, so it's not like anybody is forcing you to deal with it -- at least not if you're the admin!
dom
No, there's no reliable way to close multiple apps at exactly the same time. There would always be a race condition such that it wouldn't work.
What you really want to do is suspend the offending processes (break into them with a debugger). Once they're all suspended, you can have your way with them. The only time this doesn't work is when they've got a DLL in some important process (like winlogon) that you can't suspend completely. In that case you have to figure out which thread is causing the spawning and just suspend it (use Procexp from Sysinternals for this) until the next reboot where hopefully it won't start up again.
dom
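The suspend-first approach in the comment above is the standard way to deal with a pair of processes that act as each other's watchdog. The PowerShell below is an added example, not code from the original thread, that does it end to end: it builds the set of suspect processes (by image name, plus any parent that is also a suspect), freezes every member with PsSuspend from Sysinternals (assumed to be on PATH), terminates them only once all are frozen, and then checks whether anything came back. The two image names are placeholders for whatever the offending binaries are actually called.

```powershell
# Added example, not part of the original thread: deal with a pair of
# processes that relaunch each other by suspending every member of the set
# first and terminating them only afterwards, so no watchdog is awake to
# respawn its partner. Uses PsSuspend from Sysinternals, assumed to be on
# PATH; the image names are placeholders for whatever the offending binaries
# are called.
$Names = @('weatherwidget.exe', 'wwupdater.exe')   # assumed names

function Get-RespawnSet {
    param([string[]]$ImageNames)
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    $set = @{}
    foreach ($p in $all) {
        if ($ImageNames -notcontains $p.Name) { continue }
        $set[[int]$p.ProcessId] = $p
        # pull in the parent too if it is one of the suspects (it is the one doing the respawning)
        $parent = $byId[[int]$p.ParentProcessId]
        if ($parent -and $ImageNames -contains $parent.Name) { $set[[int]$parent.ProcessId] = $parent }
    }
    return @($set.Values)
}

$targets = Get-RespawnSet -ImageNames $Names
if ($targets.Count -eq 0) { 'nothing matched'; return }

# 1. Freeze everything first: a suspended process cannot notice or relaunch its partner.
foreach ($p in $targets) { & pssuspend.exe $p.ProcessId | Out-Null }
# 2. Terminate; TerminateProcess works on suspended processes.
foreach ($p in $targets) { Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue }
# 3. Verify nothing came back.
Start-Sleep -Seconds 3
$survivors = Get-RespawnSet -ImageNames $Names
"suspended and terminated $($targets.Count) process(es); $($survivors.Count) respawned"
```

If the survivors count is non-zero, the respawner is not one of the named images: look at the ParentProcessId of what came back. When that parent is a system process such as winlogon hosting an injected DLL, do not suspend the whole process; suspend the single offending thread from Process Explorer, as the comment says, and resume anything you froze with `pssuspend -r <pid>`.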
However, obviously, asking for a confirmation on file delete still *works*, it's just not your personal preference (you prefer to delete first and undo after). Which is fine, but you're the minority. You'll have to check a box to make Windows act this way.
It doesn't work.
New people need two clicks to perform an action that could require just one click. By any measure, it's almost a 100% inefficiency. But at least it has some safety, it could keep them from erasing something.
For users that get accustomed to it, it's even worse. The two-click operation becomes a single gesture, and now any safety it was supposed to give you is just lost. The delete operation becomes a single gesture, and reverting it is not only far from effortless, but it is not always possible.
I would describe the situation as "barely working".
I understand that they can't change their interface into one that actually does work, because it could need some retraining for some people, but that doesn't take anything away from the fact that the interfaces they can supply, with the premise of not changing much, are retarded.
As for me, I'm not clicking any freaking checkbox. Ubuntu (with Gnome, of course) works the way I like out of the box, thank you very much. It doesn't have the undo function I want, but I believe it could evolve into that.
This is wrong. Security is about preventing other people from using things. Security should never stop the owner of a system from doing what they want, only stop other people from doing what they want. For example, a user might want to play a game and a malware author might want to send spam using a trojan disguised as a game. The point of both security and usability is to let the user play the game (if it exists), without sending spam messages they don't want to. In order for this to happen, the user needs to know what given software is doing and be able to control it. Don't buy into the fallacy that these things are in any way in opposition.