Slashdot Mirror


Details on Refining Vista's User Control

borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that they have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."


  1. malware safeguards by Douglas+Simmons · · Score: 3, Insightful
    As a result, Windows cannot tell if YOU launched the application or if malware launched the application.

    So what's to stop malware from affirming the prompt? It isn't even a hurdle.

  2. It's Still In Beta Folks! by gasmonso · · Score: 4, Insightful

    Tough crowd here at Slashdot. We all know it's going to suck, but at least let them release it first before you criticize. Seriously though, it is just a beta and not the end result. They're looking for feedback to make improvements and that's a good thing.

    http://religiousfreaks.com/
    1. Re:It's Still In Beta Folks! by I'm+Don+Giovanni · · Score: 4, Insightful

      Yes, it's a tough crowd here at Slashdot.

      You give yourself too much credit. Slashdot's not a tough crowd at all. Slashdotters generally hate Microsoft, that's all. Those companies that Slashdot favors can put out utter crap and get unqualified praise from slashdotters.

      --
      -- "I never gave these stories much credence." - HAL 9000
  3. Re:Considering by Richthofen80 · · Score: 4, Insightful

    I kind of disagree. For me, it was more of a parabola. I hated Windows 3.1, hated 95 less, 98 even less, 98SE I had contempt for, and then the peak is Windows 2000, which was the most stable and least resource-hungry. Then ME and XP were released... XP maintains some of the stability but they wonked up a ton of little things. And it looks like Vista is just stacking more 'stuff' on top to annoy me.

    I think why I liked 2000 so much was that it was NT done right, a well written and stable OS without a lot of clutter. I think that if Vista really was a new OS, not just enhancements to their existing codebase, then we'd be okay with it.

    I think we'll have a 2000-like resurgence in a good Windows when a Windows OS is released as a managed code OS. Until then I'll keep dreaming.

    --
    Reason, free market capitalism, and individualism
  4. Wow. All this time, and it's more of the same. by Phanatic1a · · Score: 3, Insightful
    The issue here is extensibility of Windows. Windows prides itself on being pluggable and extendable. For example, to facilitate the accessibility extensions, Windows needs to be able to send keystrokes on the user's behalf so that a Windows user can talk to an input device and have that be translated into keystrokes that drive a dialog or type an email message. This also allows interesting and useful scenarios such as "show me how" buttons inside help dialogs.

    However, that means that malware, running as a Standard User, can download an administrative application, and send keystrokes through Windows to simulate the user invoking the application. As a result, Windows cannot tell if YOU launched the application or if malware launched the application.


    So they're *still* designing insecurity into the system because they place a higher priority on the "extensibility" that lets applications do things the user isn't expecting them to do.

    Once that is true, we can then move to educating the users to know that "good" elevations are ones that they initiated and "bad" elevations are ones that suddenly appear without their explicit action.


    And they're still relying on Grandma logged into her AOL account as the last line of defense.

    Have they learned nothing?

    Sorry, that was rhetorical.
  5. Re:SAme as in OSXs early days by Frobozz0 · · Score: 4, Insightful

    No, this isn't even close to being the same. Vista asks you for confirmation of nearly everything you can possibly do on the computer. At no point did OS X do this. While *installation* of applications has always asked for confirmation, and access to your Keychain has also, pretty much nothing else does. Vista, on the other hand, is about a gnat's hair away from asking you to confirm "Did you really want to click?"

    I've used the beta. It's awful. The usability of the file "explorer" is atrociously convoluted. It makes it even more complicated to know what's going on than XP did. And, to keep this on topic-- the security measures are astoundingly invasive. Vista seemingly asks you to confirm the same type of function, triggered in the same way, but by different applications. Look, if I want port 80 HTTP requests to go through, I want them to go through all the frickin' time. Don't make me repeat myself. (Yes, this is only an example but it's indicative of the process you'll go through time and time again.)

    Maybe it's the horrible presentation of the dialogs that does it? They offer ZERO information about what *application* (in English instead of seemingly random strings of letters and numbers!!!!) wants your attention. It also offers no real understanding of what is being asked of you. Microsoft, for all they did correctly with the xbox 360 interface, needs to learn how to design a dialog. Here's a fine example:

    I open a jpeg file or some other seemingly harmless thing. I get a security alert box that unnecessarily scares the shit out of me with its inappropriate use of iconography. It says something incomprehensible like this:

    Application gobbleygook.exe is attempting to access suckit.dll. Do you want to allow this? (This is considered a minor threat.)

    Oh. Great. So some EXE with a name I don't recognize wants access to a DLL (what's that-- hahaha?) that I also don't recognize. Now that I'm completely lost, Windows tells me this is not that much of a threat and I can probably click "allow" for the application I don't know to open the dll I don't know to do some task that I have no clue to what its purpose is. Super.

    I'm trying to make a point by being a bit funny about this-- but Microsoft really needs MAJOR improvement to this process. First, don't assume everything is a threat and scare a user into confirming something that is not needed. Second, improve the presentation. Third, figure out how to discern between Malware and your own software!

    --
    "Politicians find new names for institutions which under old names have become odious to the people."
  6. Re:SAme as in OSXs early days by NutscrapeSucks · · Score: 4, Insightful

    Well, Apple required everyone to rebuild their applications for OS X, and when they did so, they fixed all the stupid single-user assumptions. Which is great so long as your apps were ported to OS X.

    Windows, on the other hand, has hundreds of thousands of apps that expect to be administrator. The software companies don't want to fix them, and Microsoft doesn't want to break them.

    So MS defined a middle ground -- annoying prompts which you can't get rid of. Since there isn't a special security level which hides the prompts, presumably people will complain to the software authors and the software authors will fix the apps. And if they don't fix the apps, at least the programs will still run.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  7. Re:Feedback?! by siegecraft4 · · Score: 3, Insightful

    Wow, talk about holding Microsoft to a different standard than other software companies. Last time I checked, in the OSS pit that is Slashdot, getting feedback about functionality from your potential users is a good thing.

  8. Is Indexing a Security Breach? by buckhead_buddy · · Score: 3, Insightful
    A big feature touted in Vista is the Instant Search feature. Will it become a new security hole?

    If it can search and index file contents, then it has full access to my data. If access to that index or search feature is insecure then it's taking control of my data out of my hands and giving it freely to others. Why should applications need to access files that I created but which I haven't explicitly opened for their use?

    Will the security be in place in both the API and data storage files so that instant search won't just become a new way for malware to quickly focus on the data it wants (e.g. Credit Card or Social Security Numbers)?

  9. Re:Here's how to delete a file on Windows Vista by Anonymous Coward · · Score: 3, Insightful

    First, two of his seven steps are just emptying the recycle bin. He says he has to do this "every time he wants to delete a shortcut". He clearly doesn't understand the recycle bin. If he doesn't want its functionality, he can turn it off or shift+delete the file (which bypasses the recycle bin for that operation).

    Second, his first step is simply "look at the shortcut." No action was taken.

    Third, it's already been publicly stated that the UAC will not cover this case in the future. Now we're down to 3 clicks.

    Lastly, I'm unsure how he got a shortcut on his desktop that he doesn't own. I've been using Vista for months now (assorted builds) and I haven't run into this situation. This seems like a bug to me.

    Assuming this bug gets fixed, we're now down to 2 steps - click delete, confirm delete. This, in my opinion, is the optimal number of steps. A confirmation on delete activities is probably good. Especially since the delete confirmation can be turned off in the recycle bin options for power users.

  10. this crowd is ridiculous by mrn121 · · Score: 4, Insightful

    i have dealt with some difficult customers, but this slashdot crowd right now is just utterly ridiculous. there are a few that are willing to go against the grain and give vista a chance before dismissing it entirely, but the vast majority of the slashdotters lately are as close-minded and biased as any group i have ever seen. if MS adds a feature that you all love from another OS or application, they are copying. if they don't add it, they are behind the times. if MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway. if they don't try to beef up security... well i think you know what you all think of that. if MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. if they don't release the patch, they are too slow to react to security threats, and are failing their users. this is the best one, and it happened just like this, a few posts up... if they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. if they don't open up to a beta and take suggestions, they are ignoring their users. i could go on, but i think you catch the drift. i get it, you guys hate MS. i thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then i might just have to give up on getting any more actual insight from reading the comments on slashdot, particularly on MS related stories.

    1. Re:this crowd is ridiculous by I'm+Don+Giovanni · · Score: 4, Insightful

      LOL
      Your post is spot-on, but what do you expect from a site that uses a broken windows icon for Windows stories and a Gates-Borg icon for Microsoft stories? These are the only topics on this site whose icons contain editorial spin of any kind (and that spin is derogatory, of course). This site really doesn't have any credibility whatsoever when it comes to Microsoft stories. Sad, but true.

      --
      -- "I never gave these stories much credence." - HAL 9000
    2. Re:this crowd is ridiculous by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      i have dealt with some difficult customers, but this slashdot crowd right now is just utterly ridiculous. there are a few that are willing to go against the grain and give vista a chance before dismissing it entirely, but the vast majority of the slashdotters lately are as close-minded and biased as any group i have ever seen.

      What exactly do you think all these Vista articles are about? They are discussions of what MS has done, what they have right and what they've screwed up. If you see a preponderance of what they got wrong, well that is partly human nature and it is partly because MS has gotten a lot wrong lately and not so much right.

      if MS adds a feature that you all love from another OS or application, they are copying. if they don't add it, they are behind the times.

      Both of the above are true. Are you implying copying is a bad thing?

      if MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway.

      What!?! This is a discussion about such a security feature, and one that a lot of people are having problems with, which MS acknowledges and has asked for feedback on. So you think discussing why it has problems is somehow biased? Facts aren't biased, your opinions of them might be. MS implemented more strongly user level security, something other OS's have had for a long time. A lot of it, they have done less well than other OS's which is what is causing a lot of the problems. The alerts are too frequent due to architectural decisions and some poor decisions in the implementation. The UI is terrible and a huge hole in this security. Pointing this out is a good thing and it lets MS know where to start fixing things.

      if MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. if they don't release the patch, they are too slow to react to security threats, and are failing their users.

      There is a right way to handle vulnerabilities and exploits, but MS neglects it in favor of the most profitable way. They deserve to be taken to task for that.

      if they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. if they don't open up to a beta and take suggestions, they are ignoring their users.

      They certainly should ask for suggestions, but at the same time, due to some of their very unethical business practices, a lot of people would rather not help them. Where's the conflict?

      i could go on, but i think you catch the drift.

      I do indeed. You claim people here are close minded, but all of your complaints amount to people stating facts as they see them and having different opinions. That sounds like the opposite of close minded to me.

      i get it, you guys hate MS.

      Most people who love computers have a strong dislike for MS. They have single-handedly done more damage to the industry than anyone would have thought possible. People in the industry see that and are forced to deal with the consequences. That has nothing to do with this discussion of how they implemented a feature, other than whether or not some people are willing to provide them with helpful feedback. If you want to take issue with someone's opinion here, go ahead, but actually address one. Don't whine that people don't have the same opinions as you, or they have unspecified things to say that you don't like.

      i thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then i might just have to give up on getting any more actual insight from reading the comments on slashdot, particularly on MS related stories.

      Since you don't seem to have any insightful or even useful opinions about the discussion, maybe we'd all prefer it if you did ta