Benefits of Vista's User Access Control?
Abtin Forouzandeh asks: "Having used Vista for a few months, something keeps nagging me about the user account control. For the UAC to be useful, the user needs to have a fair amount of knowledge about: what the UAC is; what application it is blocking; the consequences of blocking the action; and an alternate approach if the blocked action did something useful. Anyone who has ever worked with end-users can tell you that they are generally disinterested in learning anything about computer usage beyond how to use Word and make a spreadsheet. Frankly, even as a highly technical user, I nearly always approve the UAC dialog, even if I don't know the consequences. Since users lack knowledge, and Vista keeps asking esoteric/ambiguous questions, then users will always approve UAC dialogs. Since the UAC so clearly fails in its goal of making computing more secure, and substantially increases complexity, why is it common wisdom that turning off UAC is 'not recommended'? For 99% of users, is there any true downside? Has the community come up with ways to make UAC useful?"
I suppose it's useful from Microsoft's point of view: if a lot of security is put into the users' hands, it is the users' fault when something goes wrong.
Your computer feels like it's really interested in what you think?
The benefits? You have to ask? Pssh, it's simple:
With Windows 98 and, to a lesser extent, 2000, we /.ers could smugly mock Microsoft users by making "Blue Screen of Death" jokes. When Windows XP came out, we kept making these jokes, but as time went on, they got less and less funny due in no small part to the fact that the BSoD has become a less frequent part of the Windows experience. Needless to say, this sucks for those of us who use OS X or Linux! What are we gonna rag on?
Well, then Microsoft went and did a big favor to the alternative OS community: UAC. Now, we can all get a big ol' chuckle (and "+5 Funny" mod points) out of saying, "Cancel or Allow?" in any thread whatsoever. It doesn't even have to be a thread about Vista or Microsoft. Apple even made a commercial about it! It's great. It's like Microsoft declared free karma Christmas!
"Mod me +5 Funny: Cancel or Allow?"!
And that's the benefit of UAC.
I have been helping a Norwegian magazine write a 100 page Vista Special, one of my articles was about UAC. In the beginning I was very excited about this feature, thinking that it would provide some safety. Then, after a while, two things happened:
1) I got tired of the constant nagging and the need to enable admin mode by default on several apps to avoid compatibility issues, and
2) I realized that I clicked 'Allow' on anything anyway; the only exception would be a UAC dialog popping up from nowhere. This approach would leave me wide open to attacks by supposedly trusted installers anyway.
So I turned it off! I still haven't had any malware or viruses (Symantec Corporate kills most of that anyway). My life got all jolly and happy again. I can only imagine that the same "always allow" mentality will be the same for less savvy users. You want to do your work, right?
Dvorak on Doomtech
Vista does make editing the HOSTS file more complex. I've done it five times today on my Vista box (migrating a server and testing before DNS updates). It's kind of a pain. But it's not nearly as bad as the article implies.
My procedure:
Start -> Right click on EMEditor (my text editor, it's pinned to the menu so it's always there) -> Choose "Run as Administrator"
Click "Continue"
File -> Open -> C:\windows\system32\drivers\etc\hosts
Edit File
Save
On XP:
Start -> Run
Type: "notepad C:\windows\system32\drivers\etc\hosts"
Click "OK"
Edit File
Save
Basically, you can't write to the hosts file by default, so you have to elevate an application (text editor, notepad, cmd.exe) to edit it. This is similar to Linux, where you have to use "sudo" or "su", except that there are better/more text-mode editors on Linux (although Vim/Nano/EMACS do run on Windows, you have to install them first).
Now, EMEditor is Vista compatible (certified even), but it would be nice if it could elevate when a write operation fails due to incorrect permissions. Then you could just edit the file as usual, and elevate when you save.
I've said it once, and I'll say it again: UAC is going to get better over time. Lots of applications require elevation now (even some games), but as developers update their programs, we'll see fewer and fewer UAC prompts. VMWare, for example, used to require elevation in the 6.0 betas, but it doesn't anymore. Give it a year or two. Apps will stop requiring elevation except for the things that really do affect the system.
UAC means that software developers will write software that doesn't need elevation. That can only be a good thing in the long run.
How many articles have there been complaining about Vista this week alone? Seriously, it isn't as if you guys are the customers, you're just the consumers more than willing to pay for it. Maybe if there were no alternatives, or it was a project paid for with tax dollars, all this complaining would be meaningful, but it is neither; it is a product produced by a for-profit company.
Windows has been out long enough that it has long since gotten boring to complain about it. Microsoft's business practices are a lot more worthy of complaint; even I know there are intelligent engineers doing what one would assume to be their best, inside of Microsoft.
If Vista is rubbish, do what most people do with rubbish: throw it out, and not discuss it with company. Windows isn't a Linux distro, loud complaining isn't going to change anything.
Peace
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
What it is most useful for is stopping privileged operations from happening behind your back - malware theoretically has to make at least some noise to infect at a systemwide level with user account control turned on. If it's turned off entirely, you might not get that extra "something's not right here" warning before your antivirus gets disabled and that nasty rootkit gets installed.
Also, as someone already pointed out, this makes programs that require administrator rights unnecessarily much noisier, and provides a support incentive to software publishers to fix their software so it works unescalated.
Not great from a usability perspective but for a company that's almost ignored security until recently it's a start.
The summary gives two different definitions for UAC, which is more than there should be if you aren't making any Doom jokes. Which is correct?
# cat
Damn, my RAM is full of llamas.
What the hell is the point of all of these articles? Linux users aren't going to switch to Vista. Mac users are already convinced that their OS is Jobs' gift to man. And Windows users are going to switch to Vista when they buy a new computer.
Vista is here. The DRM features don't stop me from playing my MP3s, XVID videos, or from running FairUse4WM. It doesn't bring my modest 1.8GHz single-core Athlon 64 box to its knees, even with the Aero Glass UI (of course, my $40 Radeon X1300 helped that - the GeForce 6100 IGP was kind of sluggish). It hasn't stopped me from installing Ubuntu, ripping DVDs, using Daemon Tools, installing unsigned drivers, or doing anything else that I would do to a Windows system.
UAC hasn't prompted me for anything in the past 4 hours. I see - maybe - 1 or 2 prompts per day. Perhaps that's because I don't go trying to put files in "C:\windows" or screw with system DLLs.
Firefox works. So does Thunderbird, Office 2003, Visual Studio, Paint Shop Pro, VMWare, Virtual PC, Maple, EMEditor, WinSCP, PuTTY, AVG, SmartFTP, Microangelo, iTunes, Quicktime, Daemon Tools, TI Connect, WinRAR, ATITool, SpeedFan, RMClock, PowerStrip, Prime95, Paint.NET, uTorrent, Opera, NSIS, Java, Flash, Adobe Reader, 3DMark, Warcraft III, Steam, and WoW.
Oh, and all of my hardware works. On both of my desktops and my notebook.
So what doesn't work? Display aspect ratio selection doesn't work with NVIDIA's shitty drivers (one reason my desktop has an ATI card now). PDFCreator refuses to work, as does VNC.
Vista is the next version of the OS with the broadest hardware and software compatibility. $109 is a pretty cheap price for that.
What was in those large boxes marked "UAC" in the game "DOOM 1"?
Looks like it was Vista...
Has the community come up with ways to make UAC useful?
Yes. I can now easily condition people to incessantly push a button without having to resort to all those messy endorphins.
Blank until
...As the lower-privileged user and graphical sudo equivalents in OS X and some Linux distributions. It allows the user to run at a lower level of privileges by default and elevate when necessary, limiting the amount of damage malicious code can do on its own.
Similarly, it suffers exactly the same weakness - the user can inadvertently raise the privilege level of malicious code.
Hopefully more developers will write their code properly and the number of spurious UAC prompts will drop over time. Given that most developers haven't made any effort to make their applications LUA-friendly in the preceding decade, however, I'm not holding out much hope that Vista making it _easier_ for them to get away with it will create any more incentive.
You want to do your work, right?
Agreed, and smart users will do the same. However, in the long run applications will have to avoid causing UAC prompts and eventually it will be possible to secure the "windows ecosystem" without breaking common programs. So I'd say Microsoft is doing the right thing, just that doing the right thing when it comes to security is rarely popular. Possibly I'm being optimistic, but I think they may have thought this one through.
Ok, here is what I'm wondering. If you have a single-user desktop and administer it yourself, what is the point of having a separate administrative account? Any program that acquires *your privileges* will have access to all the sensitive data on the machine. So you are screwed anyhow.
Honestly I'd argue that running your OS in a virtual machine and having a virus and rootkit scanner running from outside that virtual machine is much more meaningful desktop security. At least that way you still have some security left after handing off administrative powers to random daily operations like installing Windows stuff off the net.
Let's face it, forget technology, Linux is more secure simply because you typically download all your programs from a single distro's repository and those programs are already trained to handle limits on their permissions.
-- http://thegirlorthecar.com funny dating game for guys
"Be light, stinging, insolent and melancholy"
The programs on Windows are not written properly and so there's a need for UAC and those other security and safety features. There are just too many complex programs whose functions have long been forgotten, and so when Microsoft tries to fix the imperfections by editing or taking out the existing code, something else goes wrong. Until Microsoft finally starts programming a new OS from scratch, we should expect more and more of these so-called security and safety features to be created for us by Microsoft. This is why when our machines are infected, Microsoft points the finger at us because it is our own fault since they have already provided us with all these security and safety features. Sure there are benefits to these features, but they are an inconvenience for us since they do bug us on what we want them to do (such as those popup messages).
Following the example of two of the most annoying programs ever, ZoneAlarm and Norton Firewall, Microsoft implements a feature that requests a permission to do something from the person least likely able to make an informed choice, and absolutely not interested in knowing about it -- current desktop user. However in ZoneAlarm the reason for this is psychological -- if ZoneAlarm didn't constantly remind user that something is threatening his precious computer, user wouldn't know if ZoneAlarm does anything useful at all. In Vista it's pointless because it's not like user has a choice of buying or not buying some feature with it.
There are few specific APPLICATIONS, explicitly called by the user, that may have to run with elevated privileges, and beyond them there is nothing that is supposed to access system settings, write configuration files or executables. If anything other than those few select applications try to do that, user shouldn't be asked -- the action should be denied, just like it always was in Unix and occasionally even in Windows. If someone has to edit any system files, he knows that he has to run editor as administrator -- and if he doesn't, he has no reason to manually edit them in the first place. If someone runs installer, installer always has to run as administrator.
The reason why Gnome and KDE desktops have password dialogs is not to ask user if he does or doesn't want to do something privileged -- of course, he does if he just started some administrative application. It's to ask him for a password that malicious application or user with no sudo access can't enter by themselves, and to give him the application's name so he can be sure that the application that will run is the same application that he just asked for. The dialog can just as well be a captcha for users that can't remember their own passwords -- the point is to confirm that a program is started by a real human user in front of the keyboard. A piece of malware can run gksudo, and user will see the dialog with a program that he didn't run -- it's assumed that he will cancel it if he doesn't recognize the name. But this is actually a suboptimal use of sudo, a limitation of typical sudoers file configuration. A much better idea will be to supply sudoers file with all possible applications and arguments that may be used in this manner -- then anything else will be simply denied without any user's interaction, or user will be just notified that something tried to run gksudo with invalid arguments.
While the decision that administrative application may still run at reduced privileges unless it does something that requires true administrative access is a good idea, switching between those modes is not something that should be asked from user -- it should be asked at the very beginning when application starts, and should be done only for administrative applications.
Contrary to the popular belief, there indeed is no God.
I'm a casual Ubuntu user and when you try to do something in Ubuntu you have to do "sudo blablabla". You fill in your password once and it doesn't ask you again until you open another terminal. In the user-interface you have to fill in your password for any action you do on screen.
But... what if Windows users got accustomed to PowerShell and decided to do everything from the command line. What happens then? I haven't tested it to see what happens but what if an Ubuntu-like solution could be built into PowerShell?
Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.
PS C:\>sudo freeporn.exe
Password:
You now have free pr0n!
PS C:\>
Mod me down, but UAC is another excuse M$ came up with to be able to say "Users are lame: we have warned them but they still clicked confirm."
No security system works that way. That's why impersonation was introduced into OSs (NT included) a long time ago. Accounts are set up for particular tasks with a limited set of privileges. Depending on the work the user does, he logs in under a different account. This is not perfect, but it is the best people have come up with.
And that works for Unix and MacOSX - and nobody's complaining. But M$... It seems to me the priority of M$ is not to make a system people can use and feel safe with (if they do nothing extraordinary), but to create a better platform fitting to ActiveX. UAC serves no other purpose and achieves nothing else.
M$ did take users' complaints literally: before, in Win9x/NT times, ActiveX might have worked in the background w/o the user knowing that something was brewing. Now users are notified with nice UAC dialogs that something is happening - and what is happening is identified with a 32 digit GUID... Very user friendly, I'd say.
All hope abandon ye who enter here.
Could malware create a DoS by launching random tasks - each one requiring admin level access? Would this then repeatedly prompt the user for admin permissions?
One big difference between UAC and "sudo" or the MacOSX security dialog is that UAC does not ask for a password. Minor convenience (well, probably serious convenience given how frequently UAC pops up today), but major risk. I can leave my Mac or Linux box to someone that does not know the password, without instantly making him / her an administrator on my machine. The same is not true with Vista + UAC.
-- Did you try Tao3D? http://tao3d.sourceforge.net
I just recently found a very interesting and scary presentation about security and phishing.
Basically computer software has conditioned us to automatically press Ok in any dialog and there is nothing we can do about this. Automated actions by the user are inevitable and are present in every action in our life.
Nobody remembers if they locked the door or not and if you put "If you reach under your chair you will find $500" in a popup dialog, nobody is going to notice it.
From what I think I got from the presentation:
* If you want warnings to be at all effective, avoid "false positives" at all costs. That is: Never show the user popups like: "you are sending information unencrypted over the network" (or whatever the IE dialog says) when you press a submit form on a web site, because people don't care and they will learn to ignore all such popups, even the important ones. The UAC is extremely guilty of this.
* Some good insight into decision making by users. Hint: people generate options one at a time and reject options that don't work. They never compare options but take the first one that works. This is called the singular evaluation approach and is heavily taken advantage of in marketing. Software makers and web site creators should learn from this and modify their web sites accordingly.
An OS X "Administrator" account is not like a Windows "Administrator" account. Under OS X, when you provide an administrator account and password to this kind of dialog what it is actually doing is granting you the permissions, at the OS level, to perform the action. Without going through this dialog even an "administrator" doesn't actually have the rights to perform it.
That is, in OS X this dialog is authorizing you to perform the action. If you are already authorized (that is if you were careless enough to run as root - the only real "administrator" account in the Windows sense) you shouldn't be presented with a dialog at all, because it's not asking you to *approve* an action you're already authorized to perform.
The difference between authorization and approval dialogs is obscured by dialogs like the UAC one that are sometimes authorization and sometimes approval dialogs.
But it's an important one. Approval dialogs are never necessary, technically, they're just there to try and give the user a "last chance" to keep a program from doing something that's possibly dangerous and may be irreversible. Whenever they exist, they should be a red flag, and an indication that the program may need to be restructured so the dangerous or irreversible operation doesn't happen.
For example, instead of deleting a file, move it to a location to be deleted later. Give the user the opportunity to look in that location and restore the files.
AND WHEN YOU HAVE DONE THAT, REMOVE THE APPROVAL DIALOG YOU DON'T NEED ANY MORE.
Sorry for shouting, but I still can't believe that someone thinks it's a good idea for Windows to ask you if you want to move a file to the trash.
Apple has in recent memory broken compatibility twice. The latest processor switch doesn't seem to have made much of a difference in hard-core Mac users - after all, they were punished with the PowerPC switch not very long ago and stuck around. However, the prospect of re-buying all the software for most people and companies isn't an attractive one. Certainly for security, emulation wouldn't be an available option. Apple, perhaps not completely a result of these compatibility breakages but nevertheless a factor, has about 4% of the personal computer market.
IBM has had an extremely long run with the same external processor architecture. Today, if you buy an IBM mainframe system it runs essentially a superset of the System/360 instruction set. A program that was written for OS/360 in 1965 stands a very good chance of running today. IBM has had since the 1960's such a commanding lead in the mainframe market so as to push all other vendors out of the business completely, or to force them to jump through IBM's hoops by being completely compatible. It is unthinkable today to even look at a mainframe system that would not be IBM-compatible. For practical purposes, IBM has 100% of the market.
OK, so which model makes the most sense? Apple with 4% or IBM with 100%? Periodic breaks in compatibility requiring new software or continuous software compatibility for 50 years? There are clearly differences between the personal computer and mainframe markets, but the similar effects of a break in compatibility are quite instructive.
Why do you think Microsoft has stuck with compatibility for the last 20 years and pushed other considerations aside? Could it be they really like having nearly 100% of the market?
Exactly so, you are 100% correct. The /. community has an incredibly vested interest in continuing the anti-MS FUD, no matter how anti-reality it turns out to really be. If we can keep bashing Windows, we never have to acknowledge the fact that Linux, as a desktop operating system, is still, in a great many respects, chasing Windows 95's very distant tail lights.
Why is this scary? Because it's a great deal of hard work getting cross-distro and user friendly installation packages to work on the same level of reliability (meaning no manual config changes or file moves) which MS has had since way back in the heyday of MS-DOS, not to mention Windows 3.0. And how about "plug and play"? Why can't Linux auto-config and auto-install new hardware? Because it's hard, tedious work which the much-lauded "community" would prefer someone else do.
Every person writing yet another goddamned text editor weakens Linux, in the exact same way every Slashdotter trying to tear down Windows weakens Linux. "The Community" needs to start jumping the bar set over a decade ago by Windows 95 before they can talk about supposed faults in Vista. Tend to your own garden first: that's the exact reason Linux is not ready for the desktop (just ask Munich).
Can't malware cause plenty of pain even without the need to elevate its privilege? How does UAC keep malware from deleting or inserting spam in files the user doesn't need elevated privilege to edit?
It improves the perception of security. That way marketing has a bullet item to use in advertising and sales presentations. On a more positive note, it's provided marketing collateral for Apple as well ("Cancel or Allow"). Too bad no one at Microsoft noticed how Linux handles authorization for administrative tasks.
[Insert pithy quote here]
Vista's UAC prompt seems a little overly paranoid even for that. Why, for example, do I have to go through several prompts when changing the Windows Time setting using MS's own control panel? All I want to do is have it sync up with my other clocks and that doesn't really feel like a security threat.
What interests me about that $109 is just how expensive it is compared to the cost of everything else in the computer. Windows last saw a major update five years ago. Back then, even if we forget about inflation, a retail box of Windows cost less than $109. So the price of Windows has gone up.
Meanwhile, the cost of every single other thing in the computer has gone down, and the value provided has gone up. Processors: cheaper and faster. Optical drives: cheaper, faster, more capacity. RAM: cheaper, more capacity. Screens: cheaper, bigger, more resolution. The list goes on and on. Now one can spend just a few hundred dollars and get a good desktop, or just a little more and get a decent laptop.
Software has gotten cheaper too. Much of it is available free of charge via download or through a Web app. A lot has changed in five years.
A lot, that is, except Windows. Sure, it picks up some new features. But everything else has gotten lots of new features and has dropped in price. Windows, meanwhile, picks up a few features and gets more expensive.
That $109 doesn't seem much of a bargain to me.
Penny - plain text accounting
Back when I still had to work on Windows boxes, I found a version of sudo for Windows 2000. It took a little bit of work assigning the rights required to be able to use it, but it worked fine. Of course, there's not much fun running rundll32 with the right arguments ... but there were some uses.
... it's only Ubuntu that has a brain-dead permit-all default rule. sudo rules should really be tailored to semi-dangerous commands that will not wreak havoc (or otherwise it is quite trivial to write a script that first gets the user to enter their password for some less dangerous command, and then run some more dangerous commands).
Note of course that sudo isn't only used on Ubuntu
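The point made in the two sudo comments above (list the permitted commands in sudoers rather than relying on a permit-all rule), as an added example that is not part of the thread: a small Python auditor that flags permit-all and NOPASSWD rules. The policy text is constructed, and the parser assumes simple single-host rules with no alias expansion or #include handling.

```python
import re

# Constructed sample policy (not from the thread): a permit-all rule, a
# NOPASSWD rule, a command-restricted rule, and a permit-all NOPASSWD rule.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
%admin   ALL=(ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
alice    ALL=(root) /usr/sbin/service cups restart, \\
                    /usr/bin/apt-get update
bob      ALL = NOPASSWD: ALL
"""

ALIAS_KEYWORDS = {"User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}
# who  host = [(runas)] [TAG:] command, command, ...
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit(text):
    """Return one finding per user rule: who, commands, and issues found.

    Issues reported:
      permit-all -- the command list contains the ALL keyword
      nopasswd   -- at least one command runs without a password prompt
    """
    findings = []
    for line in logical_lines(text):
        first = line.split(None, 1)[0]
        if first.startswith("Defaults") or first in ALIAS_KEYWORDS:
            continue  # settings and alias definitions are not user rules
        m = RULE.match(line)
        if not m:
            continue
        # Drop a leading run-as specification such as "(root)".
        rest = re.sub(r"^\([^)]*\)\s*", "", m.group("rest"))
        nopasswd = False  # a tag stays in force for the commands after it
        commands, issues = [], set()
        for item in rest.split(","):
            item = item.strip()
            while (tag := TAG.match(item)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
            commands.append(item)
            if item == "ALL":
                issues.add("permit-all")
            if nopasswd:
                issues.add("nopasswd")
        findings.append({"who": m.group("who"),
                         "commands": commands,
                         "issues": sorted(issues)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        status = ", ".join(f["issues"]) or "restricted"
        print(f"{f['who']:8} {status:22} {f['commands']}")
```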
We can't have a Slashdot discussion without an automotive analogy, right? But in this case, it might be appropriate.
There is abundant evidence from insurance company data that Antilock Braking Systems do not do much in practice to prevent or mitigate accidents. No one knows why not, but they don't. But would you recommend to someone that they disable their ABS system? Not only will you be blamed if they have an accident on any road that has a trace of moisture or sand on it, you might even be legally liable.
UAC looks to be much the same thing. It's pretty evident that it is a failed approach to security. Not necessarily dumb. But failed. Nonetheless, very few people are just going to come out and say that it doesn't work and you might just as well turn it off and wait for the next attempt to bolster security. After all, there might be some condition somewhere where it actually helps.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey