Benefits of Vista's User Access Control?
Abtin Forouzandeh asks: "Having used Vista for a few months, something keeps nagging me about the user account control. For the UAC to be useful, the user needs to have a fair amount of knowledge about: what the UAC is; what application it is blocking; the consequences of blocking the action; and an alternate approach if the blocked action did something useful. Anyone who has ever worked with end-users can tell you that they are generally uninterested in learning anything about computer usage beyond how to use Word and make a spreadsheet. Frankly, even as a highly technical user, I nearly always approve the UAC dialog, even if I don't know the consequences. Since users lack knowledge, and Vista keeps asking esoteric/ambiguous questions, users will always approve UAC dialogs. Since the UAC so clearly fails in its goal of making computing more secure, and substantially increases complexity, why is it common wisdom that turning off UAC is 'not recommended'? For 99% of users, is there any true downside? Has the community come up with ways to make UAC useful?"
I suppose it's useful from Microsoft's point of view: if a lot of security is put into the users' hands, it is the user's fault when something goes wrong.
Vista does make editing the HOSTS file more complex. I've done it five times today on my Vista box (migrating a server and testing before DNS updates). It's kind of a pain. But it's not nearly as bad as the article implies.
My procedure:
Start -> Right click on EMEditor (my text editor, it's pinned to the menu so it's always there) -> Choose "Run as Administrator"
Click "Continue"
File -> Open -> C:\windows\system32\drivers\etc\hosts
Edit File
Save
On XP:
Start -> Run
Type: "notepad C:\windows\system32\drivers\etc\hosts"
Click "OK"
Edit File
Save
Basically, you can't write to the hosts file by default, so you have to elevate an application (text editor, notepad, cmd.exe) to edit it. This is similar to Linux, where you have to use "sudo" or "su", except that there are better/more text-mode editors on Linux (although Vim/Nano/EMACS do run on Windows, you have to install them first).
Now, EMEditor is Vista compatible (certified even), but it would be nice if it could elevate when a write operation fails due to incorrect permissions. Then you could just edit the file as usual, and elevate when you save.
I've said it once, and I'll say it again: UAC is going to get better over time. Lots of applications require elevation now (even some games), but as developers update their programs, we'll see fewer and fewer UAC prompts. VMware, for example, used to require elevation in the 6.0 betas, but it doesn't anymore. Give it a year or two. Apps will stop requiring elevation except for the things that really do affect the system.
UAC means that software developers will write software that doesn't need elevation. That can only be a good thing in the long run.
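The elevate-then-edit procedure described above, as an added PowerShell example that is not from the original post: it checks whether the current process already holds an administrator token, re-launches itself through the single UAC prompt if it does not, and then adds or replaces one hosts entry. The host name and address are constructed sample values, and the script assumes PowerShell 3 or later (for $PSCommandPath) and an execution policy that allows running local scripts.

```powershell
# Added example (not the post's code): edit the hosts file under UAC by elevating first.
# $HostName and $Address are constructed sample values.
param(
    [string]$HostName = 'staging.example.test',   # constructed sample entry
    [string]$Address  = '192.0.2.10'              # TEST-NET-1 address, constructed
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Does this process already run with a full administrator token?
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isElevated) {
    # Same as "Run as Administrator" on the editor: one UAC prompt, then the
    # elevated copy of this script does the actual write.
    $argList = "-NoProfile -File `"$PSCommandPath`" -HostName $HostName -Address $Address"
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait
    exit
}

# Elevated from here on. Keep a backup so a bad edit is easy to undo.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force

# Drop any existing non-comment mapping for this host name, then append the new one.
$pattern = "^\s*[^#\s]\S*\s+$([regex]::Escape($HostName))(\s|$)"
$kept = @(Get-Content -Path $hostsPath | Where-Object { $_ -notmatch $pattern })
$kept += "$Address`t$HostName"

Set-Content -Path $hostsPath -Value $kept -Encoding ASCII
Write-Host "Updated $hostsPath with '$Address $HostName' (backup at $hostsPath.bak)"
```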
What it is most useful for is stopping privileged operations from happening behind your back - malware theoretically has to make at least some noise to infect at a systemwide level with user account control turned on. If it's turned off entirely, you might not get that extra "something's not right here" warning before your antivirus gets disabled and that nasty rootkit gets installed.
Also, as someone already pointed out, this makes programs that unnecessarily require administrator rights much noisier, and provides a support incentive to software publishers to fix their software so it works unescalated.
Not great from a usability perspective but for a company that's almost ignored security until recently it's a start.
...As the lower-privileged user and graphical sudo equivalents in OS X and some Linux distributions. It allows the user to run at a lower level of privileges by default and elevate when necessary, limiting the amount of damage malicious code can do on its own.
Similarly, it suffers exactly the same weakness - the user can inadvertently raise the privilege level of malicious code.
Hopefully more developers will write their code properly and the number of spurious UAC prompts will drop over time. Given that most developers haven't made any effort to make their applications LUA-friendly in the preceding decade, however, I'm not holding out much hope that Vista making it _easier_ for them to get away with it will create any more incentive.
My average experience is even less; I can go for several days without a prompt. I've only seen them today due to testing installation of a program I'm writing.
I see a lot of UAC complaints on Slashdot but very little on details as to what the person is doing to garner so many prompts. So here's my proposal to Slashdotters: If you've seen more than 5 UAC prompts in one day, what were you doing to cause them?
Yes, certain scenarios will display a crapload of UAC prompts, such as running your favorite software that prompts, trying to move stuff around in Program Files, installing every app you find on SourceForge, etc., and some of those scenarios are of genuine concern and have noticeable user impact. However, I'm interested in getting these actual experiences and separating them from the ridiculous and vague second-hand claims that prompts are spawning faster than bunnies.
Okay. So Vista didn't destroy your computing experience. Great.
'Vista is the next version of the OS with the broadest hardware and software compatibility. $109 is a pretty cheap price for that.'
Can you think of any compelling reason why you should be paying $109 for a new version of the OS instead of receiving a free service pack that updates the driver database with new drivers?
Following the example of two of the most annoying programs ever, ZoneAlarm and Norton Firewall, Microsoft implements a feature that requests permission to do something from the person least likely to be able to make an informed choice, and absolutely not interested in knowing about it -- the current desktop user. However, in ZoneAlarm the reason for this is psychological -- if ZoneAlarm didn't constantly remind the user that something is threatening his precious computer, the user wouldn't know if ZoneAlarm does anything useful at all. In Vista it's pointless because it's not like the user has a choice of buying or not buying some feature with it.
There are a few specific APPLICATIONS, explicitly called by the user, that may have to run with elevated privileges, and beyond them there is nothing that is supposed to access system settings, write configuration files or executables. If anything other than those few select applications tries to do that, the user shouldn't be asked -- the action should be denied, just like it always was in Unix and occasionally even in Windows. If someone has to edit any system files, he knows that he has to run the editor as administrator -- and if he doesn't, he has no reason to manually edit them in the first place. If someone runs an installer, the installer always has to run as administrator.
The reason why Gnome and KDE desktops have password dialogs is not to ask the user if he does or doesn't want to do something privileged -- of course he does, if he just started some administrative application. It's to ask him for a password that a malicious application or a user with no sudo access can't enter by themselves, and to give him the application's name so he can be sure that the application that will run is the same application that he just asked for. The dialog could just as well be a captcha for users that can't remember their own passwords -- the point is to confirm that a program is started by a real human user in front of the keyboard. A piece of malware can run gksudo, and the user will see the dialog with a program that he didn't run -- it's assumed that he will cancel it if he doesn't recognize the name. But this is actually a suboptimal use of sudo, a limitation of the typical sudoers file configuration. A much better idea would be to supply the sudoers file with all possible applications and arguments that may be used in this manner -- then anything else will simply be denied without any user interaction, or the user will just be notified that something tried to run gksudo with invalid arguments.
While the decision that an administrative application may still run at reduced privileges unless it does something that requires true administrative access is a good idea, switching between those modes is not something that should be asked of the user -- it should be asked at the very beginning when the application starts, and should be done only for administrative applications.
I just recently found a very interesting and scary presentation about security and phishing.
Basically, computer software has conditioned us to automatically press OK in any dialog, and there is nothing we can do about this. Automated actions by the user are inevitable and are present in every action in our lives.
Nobody remembers if they locked the door or not and if you put "If you reach under your chair you will find $500" in a popup dialog, nobody is going to notice it.
From what I think I got from the presentation:
* If you want warnings to be at all effective, avoid "false positives" at all costs. That is: never show the user popups like "you are sending information unencrypted over the network" (or whatever the IE dialog says) when you submit a form on a web site, because people don't care and they will learn to ignore all such popups, even the important ones. The UAC is extremely guilty of this.
* Some good insight into decision making by users. Hint: people generate options one at a time and reject options that don't work. They never compare options but take the first one that works. This is called the singular evaluation approach and is heavily taken advantage of in marketing. Software makers and web site creators should learn from this and modify their web sites accordingly.
Apple has in recent memory broken compatibility twice. The latest processor switch doesn't seem to have made much of a difference in hard-core Mac users - after all, they were punished with the PowerPC switch not very long ago and stuck around. However, the prospect of re-buying all the software for most people and companies isn't an attractive one. Certainly for security, emulation wouldn't be an available option. Apple, perhaps not completely a result of these compatibility breakages but nevertheless a factor, has about 4% of the personal computer market.
IBM has had an extremely long run with the same external processor architecture. Today, if you buy an IBM mainframe system it runs essentially a superset of the System/360 instruction set. A program that was written for OS/360 in 1965 stands a very good chance of running today. IBM has had since the 1960s such a commanding lead in the mainframe market as to push all other vendors out of the business completely, or to force them to jump through IBM's hoops by being completely compatible. It is unthinkable today to even look at a mainframe system that would not be IBM-compatible. For practical purposes, IBM has 100% of the market.
OK, so which model makes the most sense? Apple with 4% or IBM with 100%? Periodic breaks in compatibility requiring new software or continuous software compatibility for 50 years? There are clearly differences between the personal computer and mainframe markets, but the similar effects of a break in compatibility are quite instructive.
Why do you think Microsoft has stuck with compatibility for the last 20 years and pushed other considerations aside? Could it be they really like having nearly 100% of the market?