Microsoft Says Other OSes Should Imitate UAC
COA writes "Many Vista adopters find User Account Control irritating, but Microsoft thinks it's an approach other OSes should emulate. Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea and 'strategically a direction that all operating systems and all technologies should be heading down.' He also believes Microsoft is charting new territory with UAC. 'The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, of which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
Microsoft is trying to make you believe sudo was their idea. Cancel or Allow?
Life is short: void the warranty.
How about UAC starts imitating better designed privilege escalation mechanisms from Linux or OS X? Of course, that would require a sensible architecture in which software can be installed by users, for themselves, without superuser permissions. And, unfortunately, it would need secure software as a basis to avoid needing unnecessary privileges to accomplish mundane tasks in insecure applications. Sorry Microsoft, you missed the boat on this one. The majority of Vista users have UAC turned off, and the majority of those who don't will turn it off as soon as they figure out how.
From TFA: "Why should I be letting my normal user be running as system administrator?" Welcome to the 1980s
Today's lucky number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
make me a sandwich.
He says cute things too sometimes.
Yeah, it is about time those OpenBSD pikers got off their collective asses and followed the World Leader in Secure Operating Systems: Microsoft.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
since when ?
Read radical news here
nearly all OSes already have something similar, but superior, to UAC.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Other Operating Systems need to put more annoying dialogs that ask for elevation privileges every 5 minutes and don't ask for any credentials.
Hell, they should make them appear so often people completely ignore their content and just blindly click "OK" or "Allow". Yeah, that's the ticket...
I just turned off UAC in order to get file and printer sharing to work correctly when trying to access an XP box.
Yeah, sounds like something everyone should imitate.
For a company who is renowned for brutalizing industry standards it's humorous to find them believing the industry would adopt their bastardized version of the existing.
MS thinks they are the greatest, fastest, bestus of all time, and everybody should validate that belief by trying to be like them. This is news how again?
"We are all geniuses when we dream"
- E.M. Cioran
I'll just stick with sudo and selinux.
Yes Francis, the world has gone crazy.
I'm not sure about NTFS but I know a big issue with permission issues is within the FAT filesystem itself. Anyone who can read FAT can read any file by any user and execute any program. One thing nice about any SysV/BSD based OS is that the fs has builtin features that describe who and what can be done with each file. Though NTFS might have fixed this, not sure since I don't use it.
"Microsoft says other OSes should annoy the crap out of its userbase more."
Eviscerati.Org: All Hail the Eviscerati
Why use UAC when a much more intuitive sudo interface has already been developed?
Microsoft should convince app developers to write software that does not need elevated privileges.
Translation: "If we can get all the other operating systems to follow our lead, we can claim some sort of patent infringement on 'em."
> The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
The fact that Microsoft is late to the party is what makes it a patent trap. If it were just sudo, it wouldn't be patentable. When it's "a method for controlling process elevation, comprised of (sudo) and (a fancy display mechanism) and (extra monitoring)", it becomes patentable.
Microsoft is setting a trap for future patent lawsuits. Deny or Allow?
This "access control" thing causes me some concerns. Specifically, it looks as though my software "CoolestWebSearch Dot Pr0n!" might not have access to all the system resources it needs to do all the great things that it does. Have you considered this when designing your system? How do I get the correct behavior (allow all pieces of software to run basically in kernel space) back?
My turnips listen for the soft cry of your love
Once again Microsoft thinks it's ahead in the race. Once they reach the finish line, they may finally realize that the others behind them were about to lap them, and then they'll wonder why they have one more lap to go.
...what to do, but keep your grubby hands off the real operating systems that don't base their security on feel-good measures, but sound design and actually fixing things.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Maybe they should licence their uber-UAC to *nix and MacOS X; including a "defunct office-assistant-theme-pack" with just one addition: Klippy, the one-legged, one-eyed penguin that can fly 5 ft while being thrown off a cliff of 5000 ft.
Another nice take at security from Microsoft, throw a warning for everything. If it breaks anyway, you cannot claim you haven't been warned!
because Unix has a method to do this [that isn't annoying], so we should immediately switch to one that is?
what the hell is security through pop-ups anyway?
The machine unmakes the man. Now that the machine is so perfect, the engineer is nobody. -Ralph Waldo Emerson
Microsoft Says Other OSes Should Imitate UAC. It is junk, users hate it and we were not able to come up with something better. But if the honored competition please would follow our lead and implement the same crap, we then would not look so bad anymore. Thank you. :-)
... on your way to go re-elect Nixon
My turnips listen for the soft cry of your love
I would say (and many here would agree) that UAC is a half-hearted, bad copy of sudo. sudo requires authentication and only for actions that require elevated privileges (like changing key system files). UAC annoyingly asks the user to verify suspicious behaviors to ensure that is what he or she really wants to do. Really UAC is an attempt by MS to shift the blame to the user for their somewhat insecure architecture. When something does go wrong, MS can blame the user saying it was the user's duty to verify their actions.
Well, there's spam egg sausage and spam, that's not got much spam in it.
...ROT13 *is* easier to manage and deploy.
I don't think it's such a bad idea to have some extra means of making sure a user REALLY wants to do a special action. Ubuntu and Fedora handle this by asking a user to authenticate whenever an action requiring elevated rights occurs. It's actually done quite well and is only required for doing things like adding or deleting software, and the rights stick around for a while so you're not constantly typing in passwords.
The problem of course is that Microsoft went crazy and decided to lock down EVERYTHING. To the point where it's just plain annoying running the OS with it on. I tried it for a couple weeks just to see if I could get used to it. There's a tendency for people to crave the old way of doing something not because it's better, but just because that's what they're used to. I did eventually decide UAC was more trouble than it's worth, and disabled it.
I guess I tend to agree with the theory that UAC wasn't really real security, but about putting the blame more on the user. Microsoft can just claim "Well, you DID disable UAC didn't you?, so it's not our problem."
AccountKiller
No, that's not different-- as it mentions elsewhere in the article, that's what sudo does. In fact, you can give users sudo rights for only a single command. Ubuntu, Apple, and pretty much everyone else has given users access to this sort of setup for years.
Well, of course that's your choice, but this isn't a new issue or debate. Some Linux admins I know use root, while others insist on using sudo for everything. It's because some don't want the hassle of typing sudo, while others don't want to have the rights to do anything crazy unless they specifically tell the computer "let me act as a super user."
So really I don't see anything new or different about UAC, except maybe that the implementation seems worse to me.
Looks like you're trying to allow Chinese hackers into your operating system. Would you like some help?
u-bend
Leave it to Microsoft to do a poor job at copying someone else's idea and taking credit for inventing it.
What is really sad is many people who only know Windows and are not familiar with elevating permissions will believe Redmond's lies.
"Anything tastes good if you deep fry it."
I used Vista for testing for an hour last month. It took me ten minutes before I blindly clicked ok whenever the UAC dialog came up.
Just great.
Microsoft can't figure how to make a secure OS easy to use, so they push to make more secure OS's more annoying.
"You are coming to a sad realization, Confirm or Deny?" Indeed.
Learn from the mistakes of others. You won't live long enough to make them all yourself.
The submitter wants to compare UAC to sudo? Come on, genius. The "fancy display mechanism" is the entire point! One's a command-line utility for uber-nerds, the other is a prompt which just works. Man, if you're smart enough to run sudo, you should be smart enough to think like a casual person, and understand why one might easily benefit from UAC.
If I sound like a fanboy, I'm not. I'm just trying to stay objective, which is more than the submitter is doing. Use your head.
after 4 months of living with vista, i decided to go back to XP today. there's just not enough there to be worth the hassles. UAC was the least of my issues. once you get things set up, it doesn't intrude often.
The bigger issue was that i couldn't get any game but Half-Life 2 to run properly, and it still had issues. Since gaming is half my PC usage, i couldn't take it anymore. Old games, new games, whatever. funky graphical artifacts, weird crashes or inability to launch. and yes, my pc is well over the min. specs, i have the latest, greatest VISTA drivers for all my hardware, all the games in question were patched, and i tried adjusting compatibility mode for each game. no luck, and honestly, it's just not worth the effort. except for the 3 new games i've gotten since i took the vista plunge, all my others ran great on the same pc under XP.
anyway, i gave up more than i gained. so long vista, i'm sure we'll reunite someday.
What do you expect him to say - "we're late to the party and we botched the implementation". It took them five years to create Vista. They pulled out every major feature except 'security' and DRM and they got security wrong. And now they wonder why customers aren't clamoring to upgrade to Vista.
[Insert pithy quote here]
"Wait for us, we're the leader!"
- Microsoft
...my browser keeps asking me to allow or deny arstechnica...
The Kai's Semi-Updated Website Thingy
MacWorld is running an analyst who says Vista is more secure than Mac OS X.
Knee jerks begin in 3...2...1...
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Barring the debate over whether UAC is well implemented, what's somewhat new is that it's the default behavior. Ubuntu has been doing this since the beginning of that distro, but I don't know of other Linux distros that--by default--don't let you log in as root, granting sudo privileges to the first user created. I can't say whether Apple does this. I know for sure that Slackware, Fedora, and RHEL don't. FreeBSD didn't last time I checked, but that was a *long* time ago. I think the debate ought to be less about whether UAC is well implemented or innovative, and more about whether other OS's ought to have the default behavior that Ubuntu, and now Microsoft have... whether by sudo, UAC, or whatever the mechanism is. To me, that's the point of the whole thing.
Am I the only one who actually read "Union Aerospace Corporation" in the first place?
You are coming to a sad realization. Confirm or Deny? :)
no haha tag?
Browse at -1 to keep an eye out for abuses.
mod me funny
Ballmer is on a mission. Trash the iPhone. Claim that UAC is theirs and unique (they're actually the last to come to the table with it, see SELinux, and various other Linux, MacOS, and BSD implementations).
You guys fall for this stuff. It's a red flag in front of you. The problem really is: there's no one competent standing up for non-Microsoft architectures to the public. So old Monkey-Dance gets in front of gullible 'journalists', spews disinformation, and you guys snort and charge.
There's nothing to see here. Really. Those that are informed are already past this current deluge of PR crap. Oh yeah, Mikey likes Ubuntu. Suckas.
---- Teach Peace. It's Cheaper Than War.
I'm a bit surprised by this, as I just installed the Longhorn Beta 3 and all this silly UAC stuff seems to be gone (or at least turned off by default). Anyway it doesn't bother me with all those annoying prompts. Is this a pre-cursor to it being removed in SP1 of Vista? Also the default color scheme goes back to something sensible like in Windows 2000. Generally a very pleasant retro sort of OS.
We implemented a special switch which allows these functions. It's located inside the computer's power supply, near the big thing marked "1000uF 250V".
In order for the setting to take effect, you have to make sure to press the switch while the computer is running. We've found that using a steel coat-hanger wire (be sure to sand the paint off, first, you don't want it getting into your computer!) passed in through the vent holes in back works well.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Many Vista adopters find User Account Control irritating, but THIS IS SPARTA!
....and the last horse crosses the finishing line... too bad the other horses finished years ago and the race track no longer exists... *Coming soon from Microsoft* More working ideas that were implemented years ago in other operating systems that we'll claim we invented
"Stallman says add to this code and you are one of us. Gates says use this code and you belong to us."
Imagine what the cowboy coders are thinking.
> The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
o soft-uac-not-a-security.html
No it's not! Not at all. First of all, let's define what sudo should do: Act as a barrier that data and application execution must pass. UAC does not fit the definition.
"Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges -- which Microsoft calls Integrity Levels (IL) -- are designed to allow some IL breaches.
Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries,"
Thank you Mark Russinovich for stating what's been clear for quite some time. http://www.networkworld.com/news/2007/021407-micr
I wish, for once, everyone and their grandmother would stop assuming Microsoft's security proclamations are reliable information.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
A response to a pop-up isn't the equivalent of deliberate action. How many IE users have installed spyware and viruses on their machines by clicking on a button - any button - to get rid of a browser pop-up? To be fair, I'm not jumping for joy over the MacOS implementation, either.
I've already seen a virus imitate the firewall pop-up on Windows XP, tricking the user to authorize actions and also collect local admin passwords.
There's no safe way of avoiding full privilege separation, and I like my superuser functions done while logged on as a superuser. There's also no way of avoiding the need to learn a little about how a modern operating system works.
-F
Single user Linux boxes are not more secure due to non-root users being default! After all, when was the last time your user account was owned?
UAC was a bad idea. So is sudo which it copies. So is running a single-user Windows XP box as anything but an Administrative user.
Root security privileges are just fine for a multi-user box. But they don't make sense on most home desktops. (I'm not talking about Slashdot readers who make their girlfriends change their password every 3 weeks, I'm talking about normal Joes.)
The most important data on a multi-user machine is the system data. It's far more important than any single user's data. Once system data integrity is breached, all users' data is at risk. I'm a sysadmin, and I've seen Unix user accounts owned for various stupid reasons, but system security kept tight despite that.
The most important data on a single user machine is the user data. The system data can be restored from the factory install CDs. In the single user environment, you don't need sudo or root or to run as a non-Administrator. What you need is: 1) To be warned when you are doing something that might break the system. 2) To have programs run only with the privileges they need -- NOT with your full user privileges. Sudo is massive overkill for one -- anything more than a warning box is a dreadful UI decision. No, before you say it, the stupid users don't pay any more attention to "Enter your password:" than any other sort of warning box.
Microsoft's UAC approach does not fix the problem. Windows is like a rickety bridge. We know it's dangerous but Microsoft's "fix" is to place signs every 5 steps warning you could slip. How about instead we build a better bridge instead of build a better sign? Maybe we need Microsoft to build a better Windows instead of build a better system to warn us about Windows? That must be crazy talk because Microsoft year after year continues to choose to seek how to build better signs instead of better bridges.
Let's get Microsoft to design a software platform that doesn't require the user to think about whether or not the user is about to break something? Is that really so hard for one of the largest software companies in the world? UAC from my view is the wrong way to solve a problem which was born of questionable engineering. One of the reasons why UAC is so dubious is that the user may not know any better either which is a "blind leading the blind" across that rickety bridge. In summary, a better Windows wouldn't have a need for UAC so why tout this technology?
If security checks pop up too often people will grow tired of them and will stop reading the messages and just click next without bothering what the dialog is about. Vista definitely crossed this line so the joe average PC isn't much safer from spy/malware than an XP box in admin user mode.
Dude, if you think only "uber-nerds" are capable of typing commands, you should keep your hands off the computer. If you're not smart enough to run sudo, you aren't smart enough to perform administrative tasks in a computer.
If only you windows people kept off the internet, I would have nothing against microsoft fanboys. But the minute you start allowing zombies to install spambots in your machines you are creating a problem for all of us. So, please, if you really believe that "a fancy display mechanism is the entire point" could you, pretty please, disconnect that little cable with the square transparent plug from the back of your computer?
What if some malware attacks in this while? That, I believe, is precisely why Microsoft didn't implement it this way.
Hmm. Apart from installing/uninstalling software, controlling system settings, and for certain software that hasn't got its act together yet and needs admin permissions, exactly where does UAC pop up?
OK. I'll answer my own question. UAC pops up when you create a folder in a system directory, and you have to get past 4 prompts. It's VERY annoying there. That's about the only place I can think of.
... and then they will sue them for patent infringement.
You can't win.
I'll probably be modded down for this...
OpenBSD's systrace when set up properly probably does everything UAC can and more.
Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea (and wishes everyone had it)
In other news, the Notre Dame football coach thinks his team can win. Local Ford salesman hates Toyotas. Linus Torvalds thinks Linux is great. Christians report having favorable rating for Jesus this year.
MS's Chief Security Adviser is paid to evangelize MS security. This is news?
-- Political fascism requires a Fuhrer.
When did Micro$oft buy the Union Aerospace Corp? Does Id know about this?
Not unless you have the backing of the banks ahead of time--and the banks are using Microsoft and their holdings as money laundering puppets.
In generations past the system was described as the "old boy network". In today's world we have a nce of the "rich boy network". The only difference was that, in the old boy network, social grace and political savvy could lead to reward. In the rich boy network the existing rich boys are more than happy to work you over until you're dead.
There must be a solution somewhere but I've yet to find it.
the NPG electrode was replaced with carbon blac
> What if some malware attacks in this while? That, I believe, is precisely why Microsoft didn't implement it this way.
There's a tendency for IT people to believe that ALL solutions have to be perfect solutions. Yes, there's some level of increased risk for a few minutes after a user authenticates. But if you have a short period of time where the extra rights stick around, you'll likely get people to actually USE the damn thing rather than running as root (or turning off UAC).
Security in particular is often a balance between usability and security. If the product isn't usable because of the security, the users will MAKE it usable by going around the security (thereby defeating the security).
> Hmm. Apart from installing/uninstalling software, controlling system settings, and for certain software that hasn't got its act together yet and needs admin permissions, exactly where does UAC pop up?
I couldn't tell you specifically, as I disabled it in Vista months ago. All I know is the damn thing came up waaay too often, so I killed it.
AccountKiller
well said sid0 ... like I tell my coworkers ... UAC annoyance can and will only go down in frequency once app developers get their act together
I'm a developer and I turned UAC off after just ten minutes. It was so far beyond merely 'annoying' as to make the Apple "I'm a PC/Mac" commercial spoofing it seem like a quaint and naive interpretation.
Look, if I JUST clicked on a button to say "do this", AND I'm logged in as an administrator, what is the point of even asking me "are you sure"? Why can't the knowledge that I physically clicked on the button just now from the console as an administrator be preserved somehow, and made distinct from just some application trying to call some privileged API from a non-privileged state?
The whole design of UAC is just so poor. It completely ignores human psychology. The typical individual is just going to start clicking "allow" to make the damn box go away as soon as possible.
Is it just me, or is windows getting more "irritating" over time? A few years ago, I don't recall bitching at my computer to just let me do my job, and to stop bothering me with things I don't care about. When I tell it to shut down, it should just shut down, not prompt me endlessly about updates or get hung up because some aspect is asking "are you sure?" when it receives the close notice. Ugh. And don't get me started on Norton or McAfee constantly popping up notifications. I don't CARE that you just updated crap. I don't CARE that the hardware is safe to remove now (I mean, I KNOW that, I just said "safely remove hardware"!).
Why all these pointless and useless notifications? UAC is just the worst of these. It's really driving me insane.
- Spryguy
There are three kinds of people in this world: those that can count and those that can't
Imitation is the highest form of flattery, and Microsoft is simply not getting any flattery so it wants to flatter itself. Really, Microsoft has had no trouble getting others to imitate the actual good things it has done, and of course has no compunction in imitating others. But no one is going to imitate this and it's quite sad that they are suggesting this. It's like Pontiac saying "other companies should copy the Aztek's style." (the Aztek is one of the ugliest cars in history - http://en.wikipedia.org/wiki/Pontiac_Aztek)
So MSFT is `chown -R unpriv_user *.exe` and making all pgms SUID unpriv_user! This brings problems:
Are all necessary files world-readable? What about other users.
Are all necessary files/dirs world-writable? c:\windows\system32?
How will the OS know if a pgm can access certain ports?
What if a hostile doesn't access ports directly but fork()s legit pgms?
if other pgms are writeable, can't an attacker assume their privileges by corrupting them?
Priv isolation by user is far clearer than by pgm.
UAC has far too many false positives to be meaningful. You can't freaking open the Control Panel without a UAC prompt.
As such, users see the prompts as an unimportant nuisance, but soon realize that things don't work unless you click "Allow." Thus, you're training users in Pavlovian fashion to click "Allow" to any damn box that comes up.
Now think about this for a second: when 99% of the prompts you get are harmless, and "Allow" is always the right answer, just how many users will actually read it and apply critical thought when they see the 1% of UAC prompts that warns of actual danger? Almost none of them, even the smart ones. Once you get trained to just click allow, you're going to click it just before you realize "Oops! I didn't want to allow THAT one!"
So if you ask me, UAC is a huge step backwards in terms of security. Microsoft appears to have put almost no thought into it and it's little more than a way of blame-shifting. After all, the USER is the one who didn't click "Deny" the one time in one hundred it would've prevented something bad, so it's *all* their fault. Even though they only did what UAC trained them to do.
Disable UAC now. It's not security; it's blame-shifting.
You know, I like the method adopted by Directory Opus (file manager) where you press a button on a window, allow the elevation, and let the window run as elevated until you close it. This could easily be put in as a registry setting for Explorer.
As for UAC, I disabled it in order to set my computer up with programs, and enabled it afterward. In normal usage you really won't see UAC.
Microsoft: Click ONCE Cancel or Allow Linux: Type how many ever keys your password is, then click or enter. Hmmm, which is easier???
Actually I don't think UAC is about security at all. It is just about marketing. You simply cannot make a system secure for a home user. On the one hand you have very well IT savvy criminals with lots of resources, bot nets are about business, on the other hand you have a security callous and IT uneducated home user. So something like UAC is security wise nothing more than a smoke grenade. I never created a trojan, but if I wanted to, I am sure I could find a dozen ways to make sure the average Joe Sixpack clicks and enters his credentials wherever I want. So if M$ is lying about security with some flashy feature, this would be ok with me. But they should make sure that it is not annoying.
Btw. I really hate M$, but I never blame them for exploits, which require user interaction. To be secure against uneducated users with a root/admin password you'd need an AI, which is even more intelligent than the malware developer.
Fortunately there are enough other reasons to hate M$.
A modern OS should be having something that's much better than sudo.
Modern desktop class OSes should have sandbox _templates_, with apps being allowed to "suggest" a template.
Then if an app claims to be a "plain old screen saver", it only gets "plain old screen saver" rights - which means no network access, no access to the user's files etc.
If it claimed to be a "standard network game" then it gets different sort of access - file system access to its own "app specific data folder" in the user's home directory, access to full-screen graphics, sound _playback_ (not recording[1]), limited network access (as per requested).
If some flash applet "game" somehow requires "full administrative system privileges", go figure...
[1] Only a few apps should be allowed to record sound - stuff like skype, voice chat app for games. Your word processor should not be recording sound. The O/S should handle the voice control stuff if you like that sort of crap. And by default you may not wish to allow an app to record sound while backgrounded or just sitting in the "systray".
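The sandbox-template idea from the comment above, sketched as an added example (not part of the original thread and not any real OS API): the template names, capability fields, `.appdata` folder layout and `check` function are all hypothetical. It denies by default, scopes file access to the app's own data folder after normalising the path, and only allows recording in the foreground.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """Hypothetical sandbox template; any capability not granted is denied."""
    network: bool = False        # may connect, but only to hosts the app declared
    own_data_dir: bool = False   # read/write inside its app-specific data folder
    user_files: bool = False     # read/write elsewhere under the user's home
    play_sound: bool = False
    record_sound: bool = False   # honoured only while the app is in the foreground


# Constructed templates mirroring the comment's examples.
TEMPLATES = {
    "plain old screen saver": Template(),
    "standard network game": Template(network=True, own_data_dir=True,
                                      play_sound=True),
    "voice chat": Template(network=True, own_data_dir=True,
                           play_sound=True, record_sound=True),
}


@dataclass(frozen=True)
class App:
    name: str
    template: str                      # the template the app "suggests"
    home: str                          # the user's home directory
    declared_hosts: frozenset = frozenset()
    foreground: bool = True


def _inside(path, root):
    # Compare whole path components so "game2" does not match "game".
    return path == root or path.startswith(root + "/")


def check(app, action, target=None):
    """Return (allowed, reason) for one action requested by a sandboxed app."""
    tpl = TEMPLATES.get(app.template)
    if tpl is None:
        # An app asking for something that is not a known template gets nothing.
        return False, "unknown template: nothing granted"

    if action == "connect":
        if not tpl.network:
            return False, "template has no network access"
        if target not in app.declared_hosts:
            return False, "host was not declared by the app"
        return True, "declared host"

    if action in ("read", "write"):
        if not target:
            return False, "no path given"
        data_dir = posixpath.join(app.home, ".appdata", app.name)
        # Relative paths resolve against the data folder; normpath collapses
        # "..". This is lexical only: a real enforcer must also resolve symlinks.
        path = posixpath.normpath(posixpath.join(data_dir, target))
        if _inside(path, data_dir):
            return tpl.own_data_dir, "app data folder"
        if _inside(path, app.home):
            return tpl.user_files, "user files outside the app data folder"
        return False, "outside the user's home"

    if action == "play_sound":
        return tpl.play_sound, "sound playback"

    if action == "record_sound":
        if not tpl.record_sound:
            return False, "template may not record"
        if not app.foreground:
            return False, "recording denied while backgrounded"
        return True, "foreground recording"

    return False, "unknown action"
```
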
Someone really should show them gksudo...
I've not used vista that much, but I have had the misfortune to try to install hardware under vista. I have to say that "Tinyfirewall" does a better job alerting you that program a is accessing program b. It doesn't make the distinction between something that requires administrator privileges, nor was it decent for average users that don't know what "cryptic-filename" is or does, or if it should access the net, but it was a good stop gap piece of software which took into account the fact that windows wasn't geared for security served as a useful watchdog, esp for windows itself and software which phones home and auto updates.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Gee, so much for humor.....
StarTrekPhase2 - The Five Year Mission Continues!
The obvious example is in most 'single-user' home boxes, there are in reality multiple users. If each person uses their own account, things are better contained and compartmentalized. If your offspring screws up, your stuff is in order still. An account manages to install malware that effectively cripples the account? You can wipe the account and start over with less impact than wiping the system.
I agree that for a large number of users in the home environment, the data owned by their 'user' is at least as important as the data owned by the system (although you downplay the importance of the system data, for us it's easy to blow away and start over from scratch, for many home users, they may as well buy a new system and start over from there based on what they are comfortable doing themselves and how much a third party would charge to do it for them). However, some people in a typical household are more responsible than others, and making people more accountable for their own stuff is a good thing.
Sudo is important above and beyond UAC because the password dialog means a user irresponsibly leaving their session open in a public place doesn't allow random person to screw with info above and beyond. There are some scenarios beyond a lab computer that can occur. It's also less likely that someone can automatically defeat the system. I dunno how UAC handles things like synergy and vnc, but if not careful, an application could know it was going to trigger UAC, and exploit some facility like vnc or synergy to insert a mouse button event in the right place at the right time. That's trickier if the prompt will require keyboard activity to be injected of unknown content to the hijacking program.
Anyway, there are ways to improve on the model. Some things that may be useful:
-Ability to right click on a folder/file with an option to surrender write or all permission. This wouldn't be hard to do, and users frequently are aware of what their most precious data is. They may download a bunch of pictures, then immediately mark it protected data if it was an obvious, easy thing to do. By far working with people fear of losing pictures and such is huge, but surrendering delete/modify privilege would be enough for that, fear of the wrong people reading any financial data would evoke the 'surrender all privilege' behavior. It's very much like a safe, you put it in knowing it will be a pain to get at again, but it's totally worth it given the risk. Common people understand safes and the consequences, so it isn't a stretch to believe they would cope with and effectively use an analogous computer facility if represented well.
-A logical extension of the above is to have folders that the user can mark as 'without privilege, I want to be able to read everything in this directory, and be able to create new files, but once created, I don't want to modify without having to sudo (or whatever)'. Like a safe with a convenient slot to insert documents into.
-Finally, extend multi-user to a finer granularity or at least leverage it as if it were finer grained. A practical application under an X situation, for example, would be every user having multiple accounts they can let run on their display (X allows the users group access). In practice, you'd have 'DMZ' applications (firefox, email client) that are generally characterized as dealing with complex data from sources not well trusted, with access to a very specific set of local resources (i.e. one download directory, etc). Data on a per-incident basis is promoted to a space untouchable by the browser before general usage.
XML is like violence. If it doesn't solve the problem, use more.
I'm sorry but does this really need to be front page news? Some idiot makes a public blunder. This has been the biggest nonissue (in tech) since the Tubes incident. Seriously, I think Ars Technica has better things to write about.
Aha! Ok, cool... I thought you were one of those "Pro Unix/Linux/BSD" zealots, that tend to congregate here @ SLASHDOT is all.
I was just trying to be fair about the whole situation, & based on what I've seen in this field for around 20 years total time in it (around & about that). I probably made a few mistakes in my history rehash above, & I am certain I missed other tools/technologies/api's that Ms has either bought out, or licensed before too (list is, lol, pretty long I have to admit).
(And, I don't mind the Pro Unix/BSD/Linux Penguin bunch here: Sure, some are zealots that speak some mistruths or partial truths (if not outright lies or misinformation/disinformation) but, many of them are an 'ok lot' most of the time))
Heck, and some are even FAIR & honest about it (that Microsoft is not evil, and Bill Gates is not "the beast" etc. & all that) & have good things to say about Windows as well at times.
Sorry for not "catching your drift" & I am also probably guilty of a 'history lesson' you are well aware of anyhow, but, there 'tis, & there's no editing/changing it now!
APK
from article:
right, so a fancy display mechanism for sudo, hard to spoof, and extra monitoring to pick up on suspicious behaviour is somehow bad because Microsoft did it?
I think other OS's should have all this. I always thought the Synaptic/package management password entries were a bit fakeable in Ubuntu last time I tried. I wonder if there's any room for progress in getting distros to sign and encrypt executables running on the system. A signed and encrypted (or explicitly trusted) executable could run whenever the user clicked it or it was automated from certain accounts. If it is not signed (self-compiled for instance) then this can flag up a warning that this application may cause trouble. However, of course, users could self-sign their applications to work around the warnings. The signing application itself would be obviously signed and checked against a public key copy (say, Ubuntu servers) so that it cannot be tampered with. Everything else would be arbitrarily local.
Is it such a bad idea to code-sign the stuff that runs on your machine, rather than just the packages they came in?
Check here they have a blurb that PC sales look to be down 12% year/year.
Also, part of the profit kick was that MS could finally register the Upgrade fees from all the big corporations, that paid 3 years ago for a guaranteed upgrade, as earned income.
I can't wait to add this to my next version of my hobby OS, AwesomeOS! I'll put it in right after I figure out what a NASM is.
-m
So every other product can be just as shitty as yours? YOU CAN'T WRITE SOFTWARE! ADMIT IT!
Your Assholinesses. We hear and obey! (immediate heel-clicking, extended-right-arm, fascist-type salute)
Remember the future...
Errr... wouldn't it be really really great if sudo had a "fancy display mechanism" and "extra monitoring"? ...and yet, because this is Microsoft's idea, everyone's pulling out the torches and pitchforks.
I'd be very freakin' happy if sudo offered to pop itself up to help me run commands when I needed it instead of having to manually call it.
Yup.
He's the pathetic uncivilized hobo. Does that help?
I for one welcome our UAC overlords.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The one and only UAC that I like in Vista is a disabled one. After a couple of days of "Allow?/Deny?" annoyance I had to choose between Xanax and disabling UAC. I am a long time Linux user and I would say that sudo UAC, at least in terms on nerve-wracking potential.
UAC is like putting those loud beep-beep backing up alarms on every vehicle, from truck to skateboard. Eventually everybody learns to ignore the beep-beeping and the feature becomes worse than useless.
Dude, malware is so 90s. Get a Mac already, or switch to Linux if you're smart or cheap.
No prob :-)
Definitely not an anything zealot (except coffee perhaps)... Each OS has its place, its fan/user base (same thing sometimes), and its purpose...
StarTrekPhase2 - The Five Year Mission Continues!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
??
Microsoft telling others how to do security is like a chicken telling Colonel Sanders how to cook.
If you need help understanding the SE Linux audit messages, you should install SE Troubleshoot
[root@branch ~]# which setroubleshootd
/usr/sbin/setroubleshootd
[root@branch ~]# rpm -qf /usr/sbin/setroubleshootd
setroubleshoot-1.7.1-1.fc6
This gives you some help with analysing the failed action. I won't say it taught me a huge amount but it is a step in the right direction.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Vista has the silliest bugs that have taken 4 months to fix. It goes without saying the kind of design that goes in http://cacheyourcash.blogspot.com/2007/04/refresh-or-io-problem-with-vista.html
This is true -- I was writing only about "sudo" specifically which is a one-shot, logged, superuser escalation.
You are correct that "su" is much older, according to the (BSD) manpage, "A su command appeared in Version 7 AT&T UNIX." According to Wikipedia, V7 came out in 1979.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
If this is true: "That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior." (and it is) then what the f***?!?! is Apple doing? Why isn't anyone calling Apple on their bullshit hypocrisy? I've got a mac book - I've got a PC running Vista. The UAC/sudo shit is just as annoying in either case - but I can turn UAC off pretty easily - without having to research how to do it (the windows that popup TELL YOU HOW). So, which one is superior ya Whiny lying Mac/Linux hypocrites? :)
Err, ok - whatever. I guess they want to share with others as they are so proud of their own?
why DON'T we have a plaintext list of magic operations and file stuff that an installer wants to do before we have to click or log into higher permissions?
seems there used to be such a thing, even in windows OS install.
instead, what we have is Freakin' Registry Magic and 99 screens of an EULA from Hell, only the last lines of which mean anything.
way back before the dawn of time, because until we got this there were no on-screen clocks, back around Windows 3.1 way, you had config files in which mostly, the Magic Options were close enough to some native human language so you could Edit The Config Files. something still reputed to exist in the -IX world, although not necessarily clearer than the dreadful Registry. Installers often told you what they were doing.
we need to go back to 1990 with our interfaces and commons areas, and back to some sort of license statement on the order of "We own it, you rent it for one machine, don't go poking about under the covers or we'll bite you."
it can't be that hard....
if this is supposed to be a new economy, how come they still want my old fashioned money?
I can't believe ANYONE will put up with the CRAP that MS put out as Vista, especially this UAC crap! We have every intention of TURNING IT OFF on ALL of our systems, or sticking with XP for AS LONG AS POSSIBLE!!!! It really DOES work like the Mac commercials suggest!
That didn't work out too well on Mars, or Phobos for that matter...
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
In Soviet Russia, other OSes copy Windows!
Except that you become conditioned to WHEN the prompts arise. (Which don't happen when opening the Control Panel btw)
A lot of programs you install in Vista don't give you the prompt, others do. Some things you do in Vista give you the prompt, others don't. Those installs that are silently passed are signed or don't request to do anything dramatic to the system, and average user doesn't care why or how, he just knows it's trusted. He or she usually got that software from the site of the publisher or physical media (likely too, a publisher who is huge) and he or she knows it's safe. The prompts arise when you get into Control Panel and other aspects of the Windows system where changes could bring failure, but not when copying your personal files around. I notice I get it on my laptop when another program calls a program that isn't signed (Firefox calls an old version of Winrar, because I don't want to buy the new one, and each time it asks me if I'd like to open the file. Not only do I LIKE this, but respect it. Sygate personal firewall conditioned me to this when Firefox was opened by another program - not only does it save the time of loading some advert page, on a DVD maybe, but it kept a few pieces of malware from phoning home. Users can understand this behavior.)
The number one item that can protect the average user is if a prompt arises out of nowhere. If you are browsing the web and suddenly you are asked for permission to modify your system - when you've done nothing to drive the event - you aren't going to allow it. Sure, when you download and install software you may fly through that prompt, but to the new user, the normal user, you will learn right away that installing software is dangerous. In my corporate IT environment installing any software is forbidden, running software not supplied by IT is forbidden - for a reason. After clicking through a few cancel or allows you may just discriminate a little more when it comes to your actions. Is it security? Not really, but do home users really need that much? Isn't it right to tell them that making or saving a change in the Control Panel can have adverse effects? (and likewise with the other actions?)
It's hard to attack UAC completely because Linux and others have Sudo, Redhat allowed you to escalate to root privileges by simply typing the password and to most new Linux users escalating to root has become a normal exercise. There is all this talk about OS security, but it's all in the hands of the users. To deny someone the ability to take control of their own machine is barbaric - I think we all agree with that statement. We can't lock users out of taking control of those center ring privileges, unless you're the head of IT and those machines are under your "watch". You say it shifts blame, but that is where it belongs, on the user. The help is there in Vista, it spells out the concept of UAC in easy to understand terms. There is no reason a normal user can't take advantage of it. I know many people who still accept cookies on a per request basis (on today's web!) - some people actually want this feature. It doesn't work for the great majority of us, but don't kid yourself and say we aren't completely familiar with the idea.
My advice for the soccer moms and grandparents: Don't turn it off. Prompting is good. This is coming from someone who has had a desktop system with the same factory install of Windows XP running since January, 2004 (I un-boxed it June of 2004). I work with what I have, and that system has not only been a workhorse for my Windows desktop software, but runs a ton of GPL software and is enhanced with Cygwin. All together I run 6 machines at home with Debian, FreeBSD, XP Pro, XP Home, Vista (aforementioned laptop) and Windows 2000 Server. Only two of those require an escalation of privileges, at the machine Everything has a place and UAC has a place with those new users going to their retail store and buying a PC for the first time. Years ago people were complaining didn't Windows have a similar mechanism.
Get your Unix fortune now!
And then we sue them.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Meme of the day: I browse "Disable Sigs: Checked". So should you.
I'm running Fedora Core 6 and the rights don't seem to stick around. As an example I opened Network Manager, was asked for root password. I then closed it down, waited a few seconds, reopened it and was again asked for the root password.
Apple could improve their security user interface by adding a Security pull-down to the Apple menu. It'd let users easily turn on/off administrator privileges, WiFi, Bluetooth, Ethernet (none, local, Internet), camera, and mike. Anything that's a security hazard should be easy to disable utterly and completely.
Make locking the door easy, and you make intrusion hard.
--Mike Perry, Untangling Tolkien
Maybe they're fishing out there trying to get someone to copy it so they can sic their rabid blood-thirsty dogs aka patent troll lawyers on them.
I take no responsibility for what I say. Even though I'm never wrong
If you read the patent, it sounds like the access control for elevating the privileges is based on the APPLICATION that the user is trying to run.
SUDO, on the other hand, requires that the USER have the rights to even run SUDO. (The user is listed in the SUDOERS file, but the application isn't.)
This might be disparate enough for a judge.
You mean dig up weird artifacts and let hell loose? Although, they did make the BFG.. Now that would be a nice command to have in the system. =)
Is this a result of a poor transliteration tradition?
That would, to me, not make much sense as the Chinese language is very structured, and transliterating it to a simpler structure shouldn't bring about such wide gaps (a and o? Come on!)
Dear Microsoft,
Instead of a blue screen with random text, please show me a big yellow smiley face before rebooting my computer.
Thanks.
That is correct, not that it matters and "all or nothing" is what is described in the patent as something that the patent does not cover. (Something implemented since 1999 is not prior art either).
Let me try to make this clearer, since no one seems to understand what they've patented. Sudo, ACLs, Unix Groups, Capabilities are not what is covered in the patent. The patent does cover something like TiVo. You can be root on your machine, but you are not allowed to change the operating system. The patent does cover something like the PS3, you can install Linux and be root on your machine, but you are not allowed access to the whole system. Moreover, that is exactly the language used in the patent to describe their invention - an OEM who wishes to restrict certain privileged operations on their system from an administrating end-user.
*Sudo is specifically not covered. Sony PS3s and TiVos are.
Hope that helps.
Microsoft has been funny. laugh, confirm or deny?
UAC is a joke.
They're using their grammar skills there.
UAC a good thing? It's the straw that will break IT's corporate back in about six months, once the down time (not the complaints, the down time!) forces a generation of in-house support geeks back onto black asphalt amphetamine sessions. UAC makes the hair on your arms stand up, when you see it in action, gives you dry heaves when you turn it off, and slits your throat when you discover that a hard freeze in Vista does a nearly unrepairable madjack on your user account profiles when you reboot.
--
Bill Gates: "Vista is the best $6 billion I ever spent."
IT guy: "Why did you stop at $6 billion?"
Bill Gates: "It was good enough."
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Hilarious! Vista's UAC, as pretty much everything MS has done to "improve security" is ridiculous. It's that good old politic of asking "You are trying to run this program as an Administrator. Are you sure?" and the possible answers: "YES, I AM THE ADMINISTRATOR BECAUSE I'M LOGGED IN AS SUCH, YOU DUMB, FOOLISH OS" or "No, I've double clicked an icon just for fun".
It's so pathetic! I wonder when MS will implement something like this "A virus is about to thrash your hard drive. Would you like to allow it?"
Sad, just sad.
Er Galvão Abbott - IT Consultant and Developer
When I'm hunting imps in E2M2, the last thing I want to see is more UAC crates.
When I compare your 25+ year old approach which is strife with viruses to UNIX's 30+ years of a nice secure track record, the choice on the way to go is pretty clear.
Thanks, but no thanks.
[cancel] [allow]
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Let's downgrade the competition so we can actually compete again..
Sorry, not now I for the first time in quite some time have found a reason to maybe recommend Dell. It most certainly is NOT going to be Sony anymore, their repair service is so bad I can hardly describe it in polite terms..
Insert
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Both are configurable. If you prefer, sudo can omit the password check for the next N minutes, and UAC can prompt even administrators for credentials instead of just an Allow button.
UAC is the biggest pain in the butt to users of any software I've ever come across. It's the first thing I disable in Vista because its continuous stream of "are you sure" dialog boxes every time you just open a file is so freaking annoying.
Jeez I REALLY hope other OS-developers are laughing hard at this and not taking Microsoft's suggestion to implement this everywhere seriously.
For me, I much prefer to type in the Admin. account password whenever I type in "su", instead of allow or deny. That way I [and I alone] know that I am in superuser mode. And in that mode I know not to do anything STUPID.
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
Sorry to say, but your malware concern isn't an issue. When sudo rights "stick around", it's not system or even user wide. For example, while you can use sudo several times in a single terminal and only have to enter a password once, if used again anywhere else, such as a run dialog or another terminal, sudo will again require a password. (Unless a "Remember password" option has been enabled at some stage, though at least on systems where gksu (used by both GNOME and KDE) is involved, you'll by default be warned if a password is about to otherwise silently be reused.)
So, even though I might be for example doing a bunch of software upgrades in a terminal or package manager, and have been granted privileges to do so plus the ability to not keep having to re-enter passwords for those purposes, at no stage could malware run at the same time leverage that.
Consider yourself spoken to.
The Gospel according to lolcat
In Unix, you type a command, get "permission denied", and then run the command again, prefixed with "sudo".
In Windows, you type in a command, get "permission denied", and... crap. There is no "sudo". Instead, you have to find a shortcut to a command prompt, right-click and select "Run as administrator", confirm the UAC prompt, change back to whatever directory you were in, and then run the command. It's a huge pain for people who work from the command line.
I guess I can't speak authoritatively since I don't know what all UAC involves... But I think the *INX approach of prompting for root (or appropriate) password when required works just fine. There's other stuff in the Vista kernel that probably should be incorporated into other OS kernels though (assuming there is no equivalent). User mode drivers would be nice across the board... Why should anyone's webcam require direct access to kernel space at any level other than making protected system calls. Patch protection is a good thing too. As far as I'm concerned in the world of OS study UAC looks like a big question mark to me.
and the rights stick around for a while so you're not constantly typing in passwords. http://www.sudo.ws/sudo/intro.html -- see the third bullet point. The sudo guys (wisely and honestly) acknowledge that this 'session' is basically a security risk for say, an unattended machine (there are other scenarios too, but this is the most obvious). They wisely left this timeout configurable so that the risk can be eliminated by setting it to zero. So UAC's lack of a 'session' isn't really a flaw - it's good design.
Of course, it's not wise to ever leave a machine unattended -- you should ideally lock it anytime you aren't using it. Which is why the password prompt in sudo is IMHO not really necessary. I think that confuses two different issues: Authentication vs. Elevation of Privileges. I can easily picture a scenario in which a command line utility/installer/something in linux shows you a fake sudo prompt, the result of which is that the malicious code now has your password. Even if an application tries to mimic a UAC prompt, clicking 'allow' on that prompt does nothing since it isn't the actual UAC prompt.
I'm sure there are scenarios I'm missing etc., but my point is just that I don't think UAC is all bad; it's just a victim of our perception that passwords are always necessary for security. I've been using Vista roughly since launch now, and I can't recall the last time I saw a UAC prompt. Basically when you set up a machine, it might take a couple of weeks before you've got everything just exactly the way you want it, and then after that UAC prompts are going to be very rare - I don't think the average user will really get conditioned to blindly hitting 'allow' each time.
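An added example, not part of any comment in this thread: a small auditor that reads sudoers text and reports the settings debated above, namely how long a sudo "session" ticket lasts (`timestamp_timeout`), whether it is confined to one terminal (`tty_tickets`, `timestamp_type`), and where the password prompt is skipped entirely (`NOPASSWD:`, `!authenticate`). The sample sudoers content is constructed, and the function names and finding codes are hypothetical.

```python
"""Audit sudoers text for the credential-caching settings discussed above."""
import re

# Constructed sample, not taken from any real host or from this thread.
SAMPLE_SUDOERS = r"""# constructed sudoers sample
Defaults        env_reset
Defaults        timestamp_timeout=15
Defaults:alice  timestamp_timeout=0
Defaults:carol  timestamp_timeout=-1, \
                !tty_tickets
%admin  ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/apt-get
"""

# "Defaults", an optional scope (:user, @host, >runas, !cmnd), then settings.
DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")
NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:")


def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations and
    skipping blank and whole-line comment lines. Inline comments are not
    stripped (a simplification of the real grammar)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line = (buf + raw).strip()
        first, buf, start = start, "", None
        if line and not line.startswith("#"):
            yield first, line


def audit_sudoers(text):
    """Return a list of (line_no, scope, code, value) findings."""
    findings = []
    for no, line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            # User specification: flag rules that never ask for a password.
            if NOPASSWD_RE.search(line):
                findings.append((no, line.split()[0], "NO_PASSWORD", None))
            continue
        scope = m.group(1) or "(all)"
        # Settings are comma separated; quoted values containing commas are
        # not handled here, which does not affect the options checked below.
        for item in m.group(2).split(","):
            name, _, value = item.strip().partition("=")
            negated = name.startswith("!")
            name = name.lstrip("!").rstrip("+-").strip()
            value = value.strip().strip('"')
            if name == "timestamp_timeout":
                try:
                    minutes = float(value)
                except ValueError:
                    continue
                if minutes < 0:
                    code = "TICKET_NEVER_EXPIRES"   # valid until reboot
                elif minutes == 0:
                    code = "PROMPT_EVERY_TIME"      # no cached "session"
                else:
                    code = "TICKET_WINDOW"          # reuse for N minutes
                findings.append((no, scope, code, minutes))
            elif (name == "tty_tickets" and negated) or (
                name == "timestamp_type" and value == "global"
            ):
                # One ticket then covers every terminal the user has open.
                findings.append((no, scope, "TICKET_SHARED_ACROSS_TTYS", None))
            elif name == "authenticate" and negated:
                findings.append((no, scope, "NO_PASSWORD", None))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

When no `timestamp_timeout` line is present, sudo falls back to its build-time default, so an empty result means "default window", not "always prompt".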
It's a counter-culture way to do things in the UNIX universe, but it's entirely possible.
Free Software: Like love, it grows best when given away.
For Immediate Release, 1 MAY 2007
Union Aerospace Corporation [UAC] and Microsoft Corporation [MSFT] announce the beginning of a strategic partnership for solar system domination, starting with the implementation of the UAC Advanced PC concept. Any competitors or intellectual property rights breakers will be teleported to their doom on Phobos or Deimos to have their stomachs roasted and chewed by the remaining demonic beasts that roam the halls of abandoned UAC research facilities.
Microsoft, based in Redmond, WA is the leading maker of PC operating systems and application software, founded in the 1970's by Bill Gates.
Union Aerospace Corporation, based on Mars is the undisputed leader in the areas of energy, defense, teleportation, bio-research, aerospace tech, and genomic research founded by Thomas Kelliher.
For more information, visit UAC:
http://en.wikipedia.org/wiki/Union_Aerospace_Corp
Any application can draw a system-modal window that looks like a UAC question, and ask for a password; UAC would have to ask for pressing the SAK (Ctrl-Alt-Del) before asking any questions to make it hard to spoof -- which would certainly be annoying.
For example, Trusted Solaris has the nice feature of a so-called "Trusted Stripe"; this is a region on the screen that can't be spoofed by applications (no application can draw onto the trusted stripe, and no window can be on top of it). The Trusted Stripe displays the sensitivity label of the process that has keyboard focus, and if it is a system-generated dialog (such as the logout confirmation), it will say "Trusted Path". There is also a Trusted Path Menu to ensure that security-critical operations can be started in a secure manner.
That is the way to go if you want to build secure operating systems.
There is absolutely nothing in Windows Vista, AKA Windows Me II, that anyone should emulate.
How ya like dat?
Okay, I admit--you can *open* the Control Panel. I was mistaken because I didn't merely open it, but tried to do a thing or two, which triggered plenty of UAC prompts.
Forgive me for being confused, though, as UAC has undergone a few revisions since the beta builds and all the Vista machines I work with are broken ones people need me to fix. XP has been far better for me in that regard; it gave me a lot less to fix.
The best point so far is that *maybe* UAC will force developers not to spread crap all over the filesystem. This is the first plausible upside to UAC I've heard mentioned. Of course, they added some legacy "help" which can also hose installs by redirecting their crap to other random folders, too, so it's not all roses.