Vista's Troublesome UAC is Developer's Fault?

MythMoth wonders: "We've heard all about the pain and discomfort of working with Windows' User Account Control (UAC) switched on, but now Ian Griffiths is explaining that the developers are the problem — they brought it on themselves. In earlier articles we have heard that Microsoft think that everyone should do it like this — Ian does acknowledge that things are better in the Unix world, but is he right? Is the onus now on the developers to help fix a problem that they did not cause?" Rather than ask the user for permission on every operation, what other ways could Microsoft have improved Vista's security?

I saw a different problem

[280Z28]

I noticed a different and (possibly) serious issue:

• First few times: What is this annoying thing?
• Next few times: Well I guess it's better than not knowing
• After that (without reading) click ok...

So does that mean it's not working, wasting my time, AND training me to ignore security warnings? Honestly I don't have a better solution except for the rhetorical question "why can't people who exploit users just /themselves......"

Re:I saw a different problem

[Osty]

So does that mean it's not working, wasting my time, AND training me to ignore security warnings? Honestly I don't have a better solution except for the rhetorical question "why can't people who exploit users just /themselves......"

Which goes to exactly what Ian was saying -- If you're really seeing UAC that often, you're doing something wrong (or you're using software from developers who did something wrong). As developers get their act together and stop requiring admin privileges for trivial things (hint: using %userprofile% and HKCU rather than %programfiles% and HKLM will solve 90% of your admin-privilege requirements when developing), UAC prompts should appear less and less often, and then only when you really expect them (you're doing system configuration stuff) or when there's a real issue that you should deny. Unfortunately, that world is probably 3+ years away as developers get with the program and rev their software, and in the meantime UAC will just become one more annoying dialog you have to click through to do anything.

With that said, I saw the UAC dialog exactly once today, and that was only because I had to upgrade my video drivers. I'm a professional software developer. I spend my time with Visual Studio and SQL Server, and I rarely have to deal with UAC prompts.

Re:I saw a different problem

[280Z28]

It will be interesting to see if developers actually pay attention. Just think about how many poor programming practices you see today*. Books have been out for 10 years about good coding... UAC is but 1 year old. I hope we're not in for the long haul, and yet I know we are...


* Today I ran across a stack class that used for its push function... an overloaded operator new...

Re:I saw a different problem

[EvanED]

Today I ran across a stack class that used for its push function... an overloaded operator new...

I am a reasonably big C++ fan who will staunchly defend the presence of operator overloading in a language, but I cannot comprehend the thought processes that must take place for someone to think that this is a good idea.

Re:I saw a different problem

[pallmall1]

I spend my time with Visual Studio...

So have you followed Microsoft's advice to "run Visual Studio 2005 elevated"?

Who is a developer supposed to listen to -- Microsoft or Ian Griffiths? It seems to me that Griffiths has a lot of nerve blaming developers for following Microsoft's recommendations.

Re:I saw a different problem

[Osty]

So have you followed Microsoft's advice to "run Visual Studio 2005 elevated"?

Honestly, because I use VS as a glorified text editor (builds are for command lines), there's really no need. Even if I did, though, I wouldn't see the UAC prompt all that often -- open Visual Studio once, keep it open for several days.

Re:I saw a different problem

[AaronBrethorst]

VS2005 does not require you to run with admin privileges. There are some scenarios that require this, but they're generally the exception rather than the rule. If you want to do something like create a new IIS website on your local machine from within VS you'll need to launch VS elevated, but this is because IIS requires administrative privileges to accomplish this task. For VS 2005, there wasn't much we could do about that. Let me know if you want more information about the topic. I was the developer division's go-to guy for UAC for a year.

Re:I saw a different problem

[Todd+Knarr]

Except that using HKCU has another problem: many programs register stuff they need in the registry. On a single-user system HKCU isn't a problem. But when another user tries to use that installed program, BAM, none of the required registry entries are in their HKCU tree. Which means developers have to develop another set of practices as well: either writing programs that can self-register themselves and set up all the neccesary registry entries on their own independently of the installer (at which point the need for an installer goes away), or the installer has to set up the system-wide stuff in HKLM (which requires privileges for the installer) and then the program reads first HKLM and then HKCU for entries but only writes changes back to HKCU. Unix already has a well-developed set of practices for this, but Windows developers are going to have to learn from scratch.

Frankly I disagree with part of the quoted comment in this entry. These problems are the developers' fault. But not developers in general, only Windows developers. They've lived in their own world, ignoring everything that everybody else had learned or was learning about multi-user systems and writing programs for them, and now it's coming back to bite them. Microsoft didn't help by catering to them for so long, but ultimately it's the developers who decided not to learn from everybody else's experience and went along with the recommendations of a company with no experience in a multi-user system.

Re:I saw a different problem

[badfish99]

Surely the reason that Window developers haven't learned from the rest of the universe is Microsoft's fault. Microsoft have done everything thay can to make Windows development an entirely self-contained and proprietory process: you use Microsoft's IDE, write your code in Microsoft's unique language or (if you use C++) using Microsoft's unique proprietory API. You never learn, because you never have to think; you just go along with what Microsoft tell you to do, without ever having to understand it. Microsoft told people to run as administrator, and made it the default, so that's what they did.

Re:I saw a different problem

[flukus]

It's not just the developers. My ex boss was adamant that all configuration files should be stored in program files and no ammount of argument could convince him otherwise (he was a network admin so he should have known). Needless to say this screwed up on any remotely secure setup.

I wonder if they've fixed the app for LUCs and vista yet!

Re:I saw a different problem

[aussie_a]

Wow so in order to avoid annoying prompts, you have to keep your program open? That sounds, annoying!

Re:I saw a different problem

[fwarren]

Take a look at what we call "good programming practices" in the Windows world. Look at the windows programming bibles. Look at how many programs written by Microsoft that are not designed to be administrative programs break on Vista.

That's not fair, to expect Office 97 to run fine on Vista. Well actually it is. If you had followed all of Microsoft's best practices, and work the platform as designed....you end up right where we are at today.

Were Microsoft programs ever written to be run as a low privileged user working only with the users folder in "Documents and Settings" and only writing to HKCU. With the installer designed to be run once as an Administrator to write files to "Program Files" and HKLM?

Yes, you could always run a low privileged account and change permissions on certain registry keys. But face it, these are a hack. Until recently, Microsoft never wrote software that way. They never seriously advocated it either. If they did, professional software such as Quickbooks 2001 or 2005 would run just fine on Vista.

Hell, the whole registry thing was a bad idea. In the Linux world, when you move to a new box, you can copy an rc file or folder from /etc and your rc file from your home directory and the program is configured to run properly on the new machine. Bash_rc for example. Most well behaved programs make few if any changes to other programs rc files. Very few of those even need any files from /etc, usually just one file or folder from your user directory is enough.

Most of the time in Windows you can not even copy out the relevant section from HKLM and HKCU because of the shoddy programing practices as taught and evangelized by Microsoft. So many entries in the registry are spread out over so many places, the program won't run if you copy just one section from the registry. A good example is Outlook Express. You cant just copy out "Outlook Express" keys from HKCU and the data files and expect it to run.

If I had to point my finger at developers for bad practices. I will be pointing my finger towards Redmond Washington.

Re:I saw a different problem

[Aladrin]

Actually, I tend to leave my programming environment open for weeks, regardless of operating system. It's not 'annoying' if you would do it anyhow. It's quite a bit less annoying that way because you can just sit down and work, without the 30 second wait for everything to load back up.

So it's a matter of perspective. I will agree that if I had to keep most other programs open to avoid the UAC, it'd be annoying.

(I don't have Vista yet... I'm waiting for that first killer game that makes it a necessity. May it be long in coming.)

Re:I saw a different problem

I had disabled UAC in my vista box and had to reinstall recently, so UAC was turned back on and thought about leaving it for a while, but every time I wanted to delete a file I'd get the expected and usual "are you sure you want to delete?", then the UAC file operation yes/no and one other window, I don't need to click three things to delete a file. So I turned it back off. What you're saying makes perfect sense, but there should be some way to tell that the user clicked on and requested deletion of a file rather than a program.

Re:I saw a different problem

Most of the time in Windows you can not even copy out the relevant section from HKLM and HKCU because of the shoddy programing practices as taught and evangelized by Microsoft. So many entries in the registry are spread out over so many places, the program won't run if you copy just one section from the registry. A good example is Outlook Express. You cant just copy out "Outlook Express" keys from HKCU and the data files and expect it to run. Uh, actually I've done that lots of times.

In fact you don't need any registry keys, just copy the OE data files from the old "Identity" directory to the new one (open/close OE on the target system if it doesn't already exist).

And TBH I don't know where you're getting MS pushing bad practices. All the docs I've seen on MSDN and the application certification guidelines for XP and Vista tell you to do things properly.

Re:I saw a different problem

[DrXym]

So does that mean it's not working, wasting my time, AND training me to ignore security warnings?

Yes. As a Vista user I recommend just disabling the stupid thing.

Re:I saw a different problem

[pla]

VS2005 does not require you to run with admin privileges.

If attaching to a process to debug it doesn't require admin privileges, Vista has a lot more wrong with it than the annoying UAC giving false positives...



There are some scenarios that require this, but they're generally the exception rather than the rule.

Debugging most certainly does not count as an exception to the norm. If you need to work with someone else's code, walking through it a few times with a debugger will teach you more in one day than weeks of reading the code (not to say you shouldn't read the code as well). And if you can write a bugless non-toy app, consider me in awe of your coding prowess.

Re:I saw a different problem

[nschubach]

That's why I've always said and stick by my thought that programs should only have access to the directory in which they run. All settings and program specific files should be contained within said directory and children and not be given permission by default to access anything in or preceding their parent scope. This should be enforced by the OS, save for one aspect which is easily controlled. Save or open common dialogs grant "sudo" access to whatever file the user selects outside that scope. Operating system maintenance programs would be the only other "special" programs and installing them should prompt the user with very stern dialogs with a system stability warning.

Re:I saw a different problem

[elevator]

The only time you will see an UAC prompt when dealing with files, is if you are dealing with somebody OTHER's files and you need to elevate to grant yourself permissions on that file.

Just as with the common Unix you cannot, and never could with the Windows NT line, delete files you don't have the proper permissions to, and just as with Unix, permissions are not granted by name but per (S)ID.

Hence, when you reinstall your box, you will get another SID for your username, so the files you want to delete are not owned by you and you do not have the permissions to delete them, so you cannot delete them without elevating and setting the proper permissions.

The simple solution is to just become owner of your own files.. but then again, you might be just sprouting off some eight month old rumor :)

Re:I saw a different problem

[cerberusss]

If attaching to a process to debug it doesn't require admin privileges, Vista has a lot more wrong with it than the annoying UAC giving false positives...

I only code on Linux, however, I don't think you need admin priv to debug a process that runs with your own user's privileges??

Re:I saw a different problem

[The+Warlock]

Exactly. Go ahead and run gdb on a process that you own. Notice that you don't need to be root. I fail to see what the security hole is here.

Re:I saw a different problem

[tepples]

Go ahead and run gdb on a process that you own. Notice that you don't need to be root. I fail to see what the security hole is here. Would you want some piece of third-party proprietary software to be able to attach gdb to your web browser and hit a breakpoint whenever the user is entering a name and password?

Re:I saw a different problem

[Rycross]

I haven't checked whether this is the case on Vista or not (since I run 2k5 in admin mode), but XP definitely did not allow debuggers to be attached to processes in user modes. There is a specific option to enable user-mode debugging in XP. Vista may be the same.

Re:I saw a different problem

[Maxwell]

If you're really seeing UAC that often, you're doing something wrong (or you're using software from developers who did something wrong). As developers get their act together and stop requiring admin privileges for trivial things (hint: using %userprofile% and HKCU rather than %programfiles% and HKLM will solve 90% of your admin-privilege requirements when developing), UAC prompts should appear less and less often, and th

Uhmmm, yeah. On a blank, brand new Vista install, no 3rd party apps the $!#%ing UAC thing drives me up the wall. You can't do ANYTHING without a UAC prompt. Change desktop background? Open cmd prompt? add run command to start men? fix wacky resolution problem on desktop? move mouse?

I killed UAC solely from MSFT UAC warnings before I even got to any 3rd party developers applications. So MSFT basic message is, as usual, do as I say not as I do...

JON

Re:I saw a different problem

[Pope]

I don't even have a Vista machine, and I leave programs running as long as possible on both my Macs at home and my work XP laptop. Just go to Sleep or Standby when not in use. I use mainly the same 5-8 programs every single day, so why quit them?

Re:I saw a different problem

[SQLGuru]

I agree.

Currently open on my desktop:
Harvest (source control) - opened for two weeks now
Eclipse (Java) - opened for 4 days
PL/SQL Developer (Oracle database) - three copies (each to a different database) 2 to 9 days
WebLogic (hosts the Java) - restarted yesterday because I changed the JDBC pool

There's a required patch that I have to install today, so obviously those numbers will reset.....but I get more work done not waiting for things to start.

Layne

Re:I saw a different problem

[dhasenan]

Most desktop users on Unix only run a few proprietary applications at most: maybe a couple of Windows games (via Cedega or Wine), Opera, and video drivers. Windows games probably won't be able to use gdb on your Unix system; Opera actually is your web browser, so it doesn't need to attach gdb to itself to find your password; and the video drivers are running higher than root.

Of course, you could use SELinux and its application roles. That might help.

Re:I saw a different problem

[dctoastman]

HKCU is a morass and some thing belong in HKLM, especially in an environment with roaming profiles (some mandatory). When I install Word on a box, installation information (where it's located, etc.) should go in HKLM because these are things that are (and here is the kicker) _local to the machine_ and not particular to the user.

You can't install software on a user, so anything a program needs to be successfully run after being installed needs to be HKLM.
Now, user preferences etc. should be HKCU, because those are settings that should follow a user.

Re:I saw a different problem

[UbuntuDupe]

It seems to me that Griffiths has a lot of nerve blaming developers for following Microsoft's recommendations.

Heh. And Ubuntu users have a lot of nerve blaming me for following the install CD's HIGH RECOMMENDATION to install grub on the MBR.

Re:I saw a different problem

[fwarren]

Not all applications are certified. Despite the fact there buried in MSDN there is some good advice. Take a thousand dollars, go to a book store, and buy some books (by Microsoft) on programing in Windows.

Microsoft teaches programmers how to get up to speed and write something in windows. Security is not even tacked on as an afterthought.

If you just "drop" the data file on the new machine, you still don't have any information about the POP account, or passwords. Trust me, when you move that stuff for someone who has a borked system, they ususally don't remember passwords and such.

The point is still valid, try moving Office, or Autocad, or Photoshop to another computer. Or even non-trivial freeware, like software that burns CDs or edits video. There are so many registered dll's, and system hooks in the registry. You are lucky if they thing will even run long enough to show you the application programs window.

Re:I saw a different problem

[tepples]

Most desktop users on Unix only run a few proprietary applications at most But on Windows, there are freeware, shareware, trialware, adware, spyware, botnet zombies, etc. If BSD, Solaris, or Linux were the dominant operating system instead of Windows, it would have these too.

Re:I saw a different problem

[tepples]

So many entries in the registry are spread out over so many places, the program won't run if you copy just one section from the registry. It's copy authentication. If you copied a small set of registry entries, it's likely that you copied the program in violation of the End User License Agreement. But doesn't "roaming profiles" copy your entire HKCU?

Re:I saw a different problem

[mbsurf]

Wouldn't it be more appropriate to request the admin privileges when the user attempted to do something like create a new IIS website, etc. ?

PS. I'm not hating... I use VS 2005 and like it for the most part.

Re:I saw a different problem

[Altus]

Its easy to blame developers but Microsoft has created this problem as much as anyone. There is very little available in terms of best practice guidelines for developing on windows and there really never has been. Developers learned mostly from the behavior of MS applications and from what was the easiest way to develop applications. UAC isn't that much different from the privlage escalation stuff on the mac but you dont see that dialog come up very much. A lot of this comes from the architecture of the mac. Its not necessary for applications to do things that require admin privileges... but more importantly there were good guidelines on where user data should be stored, where application settings should be stored and how things should work to minimize the need for those privileges. Microsoft should have been education developers about the impact of UAC for a very long time (at least as long as Vista was in development) and should have been pushing hard for these changes.

One other thing that might be an issue is that UAC allows programmers to be lazy. I don't know a lot about UAC honestly (so please correct me if I'm wrong) but my understanding is that it automatically prompts the user when an application attempts something that requires privileges. On the mac such an operation would (I believe) simply fail. The developer would have to explicitly escalate the application (requiring input from the user) in order to perform the operation. This forces the developer to do something. Either they escalate or they find the right way to do the task (put the data somewhere else for instance) but the Microsoft model doesn't force this. This might seem like nice flexibility but it severely reduces the effectiveness of UAC in practice.

Sometimes the OS has to show the application who is boss.

Re:I saw a different problem

[ericski]

I second this question? I can see where it is easier to elevate when starting VS2005 and can imagine retro-fitting might be hard/impossible, but it does seem safer to only elevate when needed.

Re:I saw a different problem

I installed Debian 4.0r0 and I'll never see a UAC prompt in my life. And I'm a "professional software developer" to boot.

Beat that.

Re:I saw a different problem

[B'Trey]

Well, it IS a new item on the stack...

(Please do note that I'm not defending this decision, just pointing out what the thought process likely was...)

Re:I saw a different problem

[AaronBrethorst]

Yes, you hit the nail on the head: it absolutely would be. VS 2005 RTM'd about 12 months before Vista did, though, and their design for UAC changed in the interim. Even if we'd done that work-which is decidedly not trivial-it's entirely possible that the behavior that worked for us in the Vista Beta 1/Beta 2 timeframe wouldn't have worked quite right at RTM.

What's tricky is that administrative privileges are assigned on a per-process basis when the process starts up. The net result of that is that we'd have to factor all of these pieces of code throughout the product into separate executables, and then ShellExecute() them.

Re:I saw a different problem

ahhhh, are you trying to say "pseudo"?

Re:I saw a different problem

[Jare]

"It's copy authentication. If you copied a small set of registry entries, it's likely that you copied the program in violation of the End User License Agreement"

That's another half-assed and idiotic idea. Yeah, I'm sure the Registry has prevented all of 3 people from performing some illegal activity. However, it has prevented millions of people from performing perfectly normal and LEGAL activities such as backing up application configuration. Oh sorry, I forgot, backups may be against the law where you live.

The real problem is that too many developers or managers have made half-assed, idiotic decisions based on Microsoft's short-sighted and constantly moving recommendations. At one point in the past, Microsoft encouraged people to install their own DLLs in C:\Windows\...

Re:I saw a different problem

[profplump]

User-privilege-based security is not intended to protect information a user controlls from processes the same user controlls, and can't even if you don't allow debugging. If you don't want your processes to know anything about each other you shouldn't run them as the same user.

Beside that, running a debugger is also far from the easiest way to get someone's passwords if you have the ability to launch programs.

Re:I saw a different problem

[orclevegam]

Save or open common dialogs grant "sudo" access to whatever file the user selects outside that scope.

I think perhaps this isn't exactly what you meant. "sudo" generally grants root privilages to a user (or in your example an application) which is really a rather bad idea. What should happen is applications run as a restricted user with only access to their own directory, and maybe a couple other explicitly assigned directories (such as /tmp), but accessing certain functions such as a common open dialog (OS supplied) would temporarily grant the same privilages as the user running the application. Of course, it should still be possible to request access to other privilages, but doing so would prompt the user to accept, and if the user doesn't have permission to access those resources they should be prompted for the credentials to someone who does have access (such as root, but not necessarily root).

Re:I saw a different problem

[jhantin]

You can't install software on a user, so anything a program needs to be successfully run after being installed needs to be HKLM.

Actually, HKCR is a composite view of HKCU\SOFTWARE\Classes overriding HKLM\SOFTWARE\Classes. User-specific registrations dominate machine-wide registrations. In theory, this is also what the install for "just me" option in many installers is for.

Unfortunately, all too often, software installed under a user with XP admin rights is still installed in %ProgramFiles%, often having unwanted side effects on HKLM or %AllUsersProfile%, and the Uninstall entry still only appears under the offending user's profile. A pox on badly written installers!

Re:I saw a different problem

[nschubach]

Yeah, that's why I put the quotes around sudo. The program should really only have access to the files selected by the user, otherwise the program would not even know the file exists. The OS would open a stream or "connection" to the file for the program and allow it access to the file granted by the user.

Using "sudo" was probably wrong here, but I couldn't think of a better way to say it at the time. You did a better job of explaining it.

Re:I saw a different problem

[AaronBrethorst]

We compiled a list of the known issues with running VS 2005 RTM on Vista a while back. There's some interesting stuff in there that explains exactly what happens when you run VS on Vista with standard user privileges. Feel free to let me know if you want clarification on any of the issues raised in that doc.

Cheers,
Aaron

Re:I saw a different problem

[Osty]

Uhmmm, yeah. On a blank, brand new Vista install, no 3rd party apps the $!#%ing UAC thing drives me up the wall. You can't do ANYTHING without a UAC prompt. Change desktop background?

Wrong.

Open cmd prompt?

Wrong, unless you're trying to open an Admin console.

fix wacky resolution problem on desktop?

Again, wrong unless your "fix" requires updating drivers.

move mouse?

Now you're just being stupid. Either you don't have a Vista installation, you bought into the hype of "UAC Sucks" and just turned it off immediately before really experiencing it, or something is really wrong with your machine.

Re:I saw a different problem

[EvanED]

I've run Visual Studio 6 and 2005 under XP with non-admin rights (in fact I do it regularly), and am able to debug just fine. This includes attaching a debugger to another process.

The only thing I've done with admin priv. on here is install/uninstall programs, and haven't run into a problem yet.

Don't know anything about an option though; maybe it's set in the standard install we use here.

Re:I saw a different problem

[dctoastman]

Ok. Maybe it is just poorly written installers I have a problem with.

Re:I saw a different problem

[Rycross]

The setting is in (run secpol.msc) -> Security Settings -> Local Policies -> User Right Assignment -> "Debug programs." The images that we used had this set to administrators by default, and we had to set it down to "Users," as these were lab machines. I'm not sure if this is normal or a fringe case.

Re:I saw a different problem

[DraconPern]

I am guessing you don't use your own products... Admin privilege is the rule rather than the exception. See. http://blogs.msdn.com/kangsu/archive/2007/01/15/ru n-vs2005-as-administrator-on-vista-when-debugging. aspx And I have to do this even with SP1, debuging a file based website. Not even IIS7.

Re:I saw a different problem

[EvanED]

I'm a CS department, and our XP install is already customized a lot. (Custom GINA, OpenAFS set up, etc.) So it's probably the case that this policy has been non-default since the beginning.

I checked my laptop which has a mostly clean XP installation, and it was set to just admin, so that probably wouldn't work there.

Thanks for the info though; I'll have to remember that.

Re:I saw a different problem

[AaronBrethorst]

Yes, I readily agree that debugging against Cassini (the web server included with VS 2005) is wonky when you're not running Visual Studio as an administrator. Try Winforms development and debugging; you won't experience these issues. Whether or not you need to launch VS as an administrator is really dependent on what you use Visual Studio for. YMMV, and all that.

Re:I saw a different problem

[Foolhardy]

I don't know which books you've been reading, but Microsoft has had a logo program for Windows NT as long as it has been shipping that requires the multiuser design to be followed. I have an old .hlp file describing the Win32 API circa 1995 and it describes proper multiuser application design on Windows.

As for the registry and copying user settings: first, if you want to copy a user's profile to another computer, why not just copy the entire profile? Just copy the directory over, resetting permissions if necessary. That's what I'd do for a unix profile.

Second, OE has a fairly modular design (*gasp*). It uses MAPI (which itself is several pieces) for user identity, mailbox and storage, and it uses the user certificate store for user passwords and certificates. I know that the standard practice on unixes is to re-invent the wheel for each of those functions per mail client, but Microsoft decided create and document separate components. You have to make sure that the settings and data for each of these components, plus OE's own settings are copied. It's easier to either export the user's state (I do believe OE has a function for that), or just copy the entire user profile around.

There are a lot of advantages to breaking up a program into smaller pieces, but keeping track of all those parts (which tend to get spread out all over), is a major disadvantage. Just look at how complex the package management systems and package hierarchies of a major Linux distribution are.

BTW, I'm running Office 97 on WS2003 without issue as a limited user. Back in the day with the likes of NT3.51 and NT4.0, Office 97 was one of the best multiuser apps, even including special user workgrouping functions. I don't see why Vista would be any different.

Re:I saw a different problem

[CavemanKiwi]

For user specific settings why not use the folder "Documents and Settings\username\Application Data\ApplicationName\" . There is a call in .net that gives you the path to the Application Data folder.

Re:I saw a different problem

[Quantam]

I've been using VS2005 on XP as a limited user for years (in fact, my work computer is the same way; I'm a professional programmer). That setting you speak of is set to admin only on my computer (and has always been that way). I have no difficulty with either debugging (programs launched by VS) or attaching to other processes running as my user; nor do I have a problem with using WinDbg. I have absolutely no idea what you're talking about.

Re:I saw a different problem

[DraconPern]

FYI, The VS team recommends running elavated all the time.
http://msdn2.microsoft.com/en-us/vstudio/aa972193. aspx

Re:I saw a different problem

[nschubach]

For one, I'm not a big fan of the verbose naming and the structure of "Documents and Settings", and the only "safe" way I can find to change any of that structure is to reinstall Windows using a "hack" install because the registry saves its data here. I ended up moving it off the system drive and changing it to \home\%username%\settings\ and moving my documents to \home\%username%\docs\ which really plays havoc with those programs that don't use system variables. It does keep the registry in the settings directory though, allowing me to do whatever I want with my documents without having to worry about selecting the registry files along with them. I never did understand why the registry files were in the user's folder. You can't copy those files to another computer and use them there without setting up a roaming profile and copying them to a network share.

Anyway, I think storing settings outside the program scope just creates directory clutter that's not needed. Keeping all the programs contained in their respective directories would allow me to back up that application very easily to a DVD/CD and restore it quickly if I ran into a problem. On top of that, you never have to worry about Program "X" browsing through your documents or pictures looking for something they shouldn't be poking around in. With disk space cheaper and cheaper, the OS could also make a compressed backup after install and use that as a backup in case you find that the program was corrupted or a patch failed without having to re-install it. I'm sure things don't happen a lot, but how many times have you used the airbag in our car?

In my model OS, programs would have less rights to the disk than the user running it. There's really no reason for programs on your PC to have user access and the user should decide when the program leaves it's designated space and what access it has. This would be done with the file open/save dialog as mentioned above and a "directory grant" dialog (or symbolic linking with permission granting a "docs" directory under the program scope) on install or program config option in the OS. Oh, and no programs should ever have access to the OS files unless specifically granted with the exception of dialog/window request or "interface" libraries in a "common library" directory that every program has read only access to in order to request windows, dialogs, and hardware access.

The best part about this is that it would be transparent to the user, yet more secure for the OS and all the programs installed. At least, every time I think about it, that's what I keep telling myself. ;)

Re:I saw a different problem

[fwarren]

You cant use the OE functions if windows won't boot. You can move the store, and jig it go get it going again. But the passwords are history.

They have a logo program, but look at the programs that have the logo. I will start with Winfax, it has the logo, still does I believe. Even though a) every time you send or receive a fax, a temp file is created in the %windows% folder. So you MUST have read/write privileges on the %windows% folder, which should have toasted them from getting the logo in the first place. b) If you install it on a computer that is a member of a domain, you MUST log in as a local user on that machine with admin rights. If you log in as a domain user, and perform the install. You will get a toasted install of WinFax and will have to reformat the drive and reinstall windows on it to get it working.

Quickbooks has the logo. Every time you run it on Vista, you have to click through the UAC prompts and a nasty message to get it to run.

These are all programs that have the Windows Logo on it, have gone through the certification process. Which seems to me to be about long files names, using the correct file and printer dialogs, and registry entries not ini files. They will certify your app, no matter where you drop your dll's, no matter which keys you write to in HKCU or HKLM. These programs could not possibly pass the test of running on a restricted account. Yet the still have that logo.

Belive me, I wish you could just copy the entire profile. Take a machine with a crashed windows install, try to install on another computer, install all the software that was on the first machine (if you can get serial numbers from the end user) and then drop a profile onto the new machine and see how it works. It is NOT seemless. And yes, you can do it in Linux. Until I settled on Kubuntu last year, every 3 to 6 months, I would change linux distro's. I had no problem dragging my home folder around.

Seriously, lets talk application practices. Anyone who has ever admined a linux box would have some idea how thing should work. Most windows software is not designed for UAC. They write crap to HKLM more than needed. Write crap to their folder in the program files directory. Some programs like Microsoft products, create files with random names and bury it in keys spread out through the registry.

Just do what the big boys do, Microsoft, Symantec, Intuit, Adobe, and Autodesk. They all have spent a decade producing software that will not run under UAC. Unless you have a linux/unix background or are deep into security. You are pretty much bound to write software that will not work under UAC. All of your coding examples show a total disregard for it. I still say if you want to blame developers, I would start with the ones in Redmond Washington.

Re:I saw a different problem

VS2005 may not require admin privileges, but the message that pops up seems to suggest that it should always be run elevated.

Re:I saw a different problem

[AaronBrethorst]

I actually wrote that message :) We officially recommend that you always run VS 2005 with elevated privileges. I personally (i.e. not speaking as an official spokesperson for Microsoft) believe that most scenarios work just fine without admin privileges. We could have forced VS 2005 to launch with elevated privileges on Vista.

Re:I saw a different problem

[ericski]

Is there a way to make a shortcut or something to do just that? What can I say, I'm a little lazy and that whole right click run as thing..... ;)

Re:I saw a different problem

[SEMW]

That would be an excellent solution... in a single user system. In a multi-user environment, you'd immediately run into problems whereby one user changes the settings in an application, and all other users find them changed even when they didn't want them changed. Since all major OSes these days are multi-user OSes, and it would be a complete pain to have different practices for sinlge-user and multi-user systems (reinstall the OS and all applications if you want to add a second user? No thanks!), it makes sense to store settings and so on in the same, user-specific folders that documents and data are stored in -- i.e. /home, \Documents and Settings, \users, etc. depending on OS.

Re:I saw a different problem

[AaronBrethorst]

Sure. Make a shortcut to devenv (or vcsexpress, etc. if you're using an express product). Right-click on it, choose Properties, choose the Shortcut tab, click the Advanced button, check "Run as administrator". That should do it for you.

Cheers,
Aaron

Re:I saw a different problem

[ericski]

Cool. I'm a Vista newb (haven't been running it for a week yet.) Tell your boss I said it was OK for you to leave work early. I'm sure he'll let ya. :D

Re:I saw a different problem

[Mr2001]

(I don't have Vista yet... I'm waiting for that first killer game that makes it a necessity. May it be long in coming.) Halo 2 comes out at the end of this month. I so don't want to install Vista, but if someone hasn't hacked the game to run on XP by June, I might do something I'll regret for many years.

Re:I saw a different problem

[AaronBrethorst]

Hah, don't think I can today :) We're rapidly approaching a deadline and it's all hands on deck, but thanks for the note! By all means, please let me know if I can offer you any more assistance with VS on Vista. You can reach me at abreth [here's an atmark] microsoft [here's a dot] com.

Re:I saw a different problem

[Anml4ixoye]

It doesn't. It /does/ require debugging privileges, which can be granted without having to grant Admin access.

Re:I saw a different problem

[Triynko]

nschubach, You are absolutely correct. Finally, someone else understands. That is exactly what must be done to make OSs secure:

SHORT VERSION - if you don't want to read the long version

1. For code to run, it must be assigned a working directory by the OS, and denied access to all other directories by default. Viruses are now impossible; any inadvertently installed code can do no more than sit in its own directory and play with itself.

2. The OS must provide a mechanism for the user to temporarily grant an application read-only access to a file(s) or folder(s). This can be as simple as double-clicking an MP3 in explorer to grant access to a media player, or as complex as having a manager for granting applications read-only access to certain directories).

3. The code should only ever have write access outside the folder it is assigned to. Such operations should be reserved for built-in OS utilities. After editing a document, you save a new copy in the program's own directory... where, if you think about it, only files with a format the program is able to modify will reside. You can then use the OSs built-in file manager to copy the files to a documents folder for archiving... where no program can ever touch them (except for read-only access when granted).


4. The OS must have complete control over the applications that run on it -- which means that it must interpret the code, so that it understands what the code is doing, so that it can determine whether or not the operations in the code are allowed. Non-interpreted code, by definition, suggests that the OS doesn't know what the code is doing... and if it doesn't know what it's doing, it can't possibly stop it from doing something bad. It won't be as fast as machine code, but it will sure be secure. And don't even think about the .NET framework; because ultimately, the OS still runs the machine code that it compiles to blindly. Unchecked machine code can still run on the system, so .NET security warnings do not represent security; they simply represent handicapped applications when compared to the unchecked native apps that are allowed to run on the same system.


LONG VERSION - details, if what you read above interests you

First, I have a brief point to make about security. When faced with the question of why we need a computer security industry, people always bring up stupid analogies like "well, why do we need police, or a legal system?" It's not a fair comparison at all. I hate it when people ask dumb questions like "If your friends jumped off a bridge, would you?" Well, no, because jumping off a bridge is lethal, but painting my fingernails black and spiking my hair is not.

Besides, we need police because we cannot read from, write to, and "program" the human brain the same way that we can program computers to perform exact and consistent functions.


I have 3 points to make:

1. Current operating systems are insecure "by design", not just because of coding mistakes. We can change their design to be very secure.

2. People make mistakes -> software will have mistakes -> mistakes will cause problems -> we will always need a way to recover from such problems... but we don't need Norton Antivirus or Windows Defender. At worst, we'll need to re-enter information if a program crashes, or restore a backup if a drive crashes. With the setup I mentioned earlier, we won't have to worry about a virus destroying a file.

3. Transmission of information will never be completely secure (i.e. encryption and DRM will never be infallible).


Point 1:

A huge design flaw with current OSs is that I can write a program right now that just deletes all or most of the files on my hard drive; and this program can be copied to any computer running windows and will work the same way. This behavior is allowed, by design. Why? Maybe I want to delete all the files on my hard drive.

Re:I saw a different problem

[Triynko]

Sorry, #3 in the short version should read "The code should only ever have write access INSIDE the folder it is assigned to..."

Re:I saw a different problem

[manastungare]

In your scheme of things, how do you propose to let multiple users have access to the same program without duplicating the binaries? Putting programs together in the same location as data files has, in part, been the cause of the current permissions mess on Windows.

Along with the need to limit programs from accessing data they should not be accessing, there is a need to prohibit limited-privileged user accounts from modifying program binaries and resources. What we probably need is some combination of your suggestion along with current practices in various UNIX flavors (which have addressed the issue I raised, BTW).

Specifically, your idea of limiting access to user data files even within a user's home directory is a good idea, but the mapping between a program and the data it can access, should not be as simple as "if it is my descendant in the directory hierarchy, I can access it".

Re:I saw a different problem

[Triynko]

In your scheme of things, how do you propose to let multiple users have access to the same program without duplicating the binaries?

There's no reason to duplicate binaries. Multiple users can access a single program binary, just as we do now. Anyone logged onto my current computer can run Internet Explorer, and there is only one binary for it. Unfortunatly, any program run by any user can probably modify the binary... but that's current OS design.

Putting programs together in the same location as data files has, in part, been the cause of the current permissions mess on Windows.

No, that's rediculous. Perhaps program + SHARED data files in same folder is a bad idea... but that's not what I'm suggesting. I am suggesting that a program has WRITE access only to its own folder. Its that simple. Meanwhile, access is further restricted to files/folders therein that are OWNED BY the current user.
Programs in the past were not designed for multiple users; that was the problem. The new convention, given the understanding that the program only has access to its own folder, is that when a program starts up, it creates a "data_*" folder and a "*.settings" file in its own folder, where * is the name of the currently logged on user. No other programs, and no other limited user accounts can access the "data_*" folder or "*.settings" file. When run as a different user, the program will not attempt to access them, since its looking for a folder whose name is based on the current user's unique login name, and even if it wanted to... it couldn't access them because the new user would not own them!

In summary, under my configuration, a "PROGRAM" is an isolated entity on the system. There is a single copy of it, it can only write to its own folder -- to files and folders owned by the current user -- and by convension, it looks for a data folder unique to the logged on user.

Also, putting data files in the same folder as the program that created them makes perfect sense. If a program only knows how to WRITE file format "X", then it should not have WRITE access to EVERY OTHER FILE on the system. This simplifies things considerably. For example, reguardless of file-associations, which are only useful to Windows Explorer anyway, a program can access any file it created (owned by the current user in the programs own directory). The program should not be changing files it has no business accessing, such as files it didn't create, files not owned by the current user, and files outside its own directory. And it should be reading from files outside its directory that it hasn't been explicitly granted read-access to by the user.

With such isolation, a newly installed program cannot harm your existing data files; all it can do is sit in its own folder and play with itself. Antivirus software that embeds itself in your OS will no longer be necessary. In fact, any program that embeds itself in your OS will be unnecessary. The OS has a modular design where any program can be downloaded and safely run. This OS knows how to keep any program in check! If any program gets out of hand (maybe it's using APIs to change your desktop background or move your mouse all around) you can press a button for a Program Manager that immediatly cuts off all program access to input devices, and allows you to kill the annoying program.

Along with the need to limit programs from accessing data they should not be accessing, there is a need to prohibit limited-privileged user accounts from modifying program binaries and resources. What we probably need is some combination of your suggestion along with current practices in various UNIX flavors (which have addressed the issue I raised, BTW).

Not really, my solution is fine. You're still thinking in terms of current system configurations. Under my configuration, how can a person "modify" a binary? The short answer is that

No chicken and the Egg problem here.

[Goalie_Ca]

How many unix developers run as root? Probably because it works in the first place! Seriously though.. windows is beyond simple refactoring and I believe that vista is the evidence. The unix model is simple and effective but best yet scales reasonably well. Daemons run as root? No.. nor do they run a joe or bob. Even as sudo, you can still limit what commands you can run. SELinux takes things to a whole other level.

Re:No chicken and the Egg problem here.

[simm1701]

Most daemons do run as root though - at first.

You the have trust in the competancy of the developers that it will allocate the resources it needs then suid to a lower priveleged user.

Admittedly thats 2 parts - one the OS being designed to let you do that.

Two, having decent developers with well tested products - I know you wont have an issue running apache as root and letting it suid - but how about some unknown piece of software you have never heard of? Will you just run it as root without thinking? Probably not.

Re:No chicken and the Egg problem here.

Unix daemons only run as root in order to bind to privileged network ports and the like then they usually suid() to their own account. So it's rare for a user to run server software under the UID of their own *nix account. The majority of windows software was just never really written for multi user systems and 2006 was a little late for them to be adding their Microsoft patented sudo.

Another advantage of open source code is that if it's being done wrong, someone will notice and educate the developer. I don't even know what the Windows equivalent of suid() is?

Re:No chicken and the Egg problem here.

[igb]

The usual thing that daemons need to be root for is to allocate a port And remember, daemons dropping privileges once started is relatively new. Up until five or ten years ago they all ran as root.

ian

Re:No chicken and the Egg problem here.

[maxume]

Sudo and SELinux aren't for Grandma. UAC isn't either, but it's a whole lot closer, and it actually isn't a bad thing that Microsoft decided that even token security was worth a whole lot of user pain.

I see no spin

[VirusEqualsVeryYes]

Is the onus now on the developers to help fix a problem that they did not cause?

I could have sworn I saw spin in that question for a second. I must have been mistaken.

I kinda like the concept

[Frogbert]

I kind of like the concept of UAC. I mean the messages are so annoying that hopefully developers will start to avoid getting them pop up.

Hopefully this will cause applications to stay the hell out of the Windows directory, the registry and wherever else they seem to think would be a good place to sprinkle data randomly. I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.

Perhaps I'm forgetting how bad that system was in the DOS days, and I'd welcome people reminding me, but it is looking pretty good at the moment.

Re:I kinda like the concept

[Osty]

Hopefully this will cause applications to stay the hell out of the Windows directory, the registry and wherever else they seem to think would be a good place to sprinkle data randomly. I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.

Just for the record, you don't have to stay out of the registry if you want to avoid admin privileges. You do need to stay out of the HKLM (HKEY_LOCAL_MACHINE) hive, but HKCU (HKEY_CURRENT_USER) can and should be used for user-specific stuff without requiring extra admin privileges.

Re:I kinda like the concept

[Jeff+DeMaagd]

I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.

I really hate to say this, but this is very similar to how Mac OS X works most of the time. Most programs are installed by dragging the icon into the Apps folder, and most programs are uninstalled by deleting them.

Configuration files are a little more complicated, but transferring all the user settings is very easy too, there is a transfer agent that allows you to copy your apps, files and settings to another computer. I know Windows has a transfer agent, I just used it today, and unfortunately, the Windows transfer agent isn't nearly as good. A lot of the preference settings do transfer if you just copy the Library folder in your home directory, system settings are in /Library. But Migration assistant handles almost all of that, IIRC, the only thing that doesn't transfer are a few software license keys.

Re:I kinda like the concept

[Falladir]

There are a few programs that work that way in windows. In the FLOSS domain, there's Gobolinux, which does exactly what you request: it puts all the files for a given program in one folder, so that you can remove it by deleting that folder.

Re:I kinda like the concept

[dunkelfalke]

back then the folder was called directory though.

Re:I kinda like the concept

[AlbertinaJane]

You should try some of the Linux-based operating systems. Yesterday I installed new Ubuntu. Prior doing that I backed up my root partition (I have /home - something like Documents and Settings - on different partition). I merely copied files to my USB disk. Took like 10 minutes for 8 gigs of data. Then I installed Ubuntu 7.04, hated the fonts, convinced that they're different than in 6.06 (or the rendering is different), I restored my backup back to 6.06. Just copied the files. 10 minutes. In unix world, you usualy just copy the files! No stupid registry things. (Ok, let's forget for a second that there is gconf :( ) Using Debian then and now Ubuntu I have much less fuss than I it with Windows. Ok, I am quite familiar with Debian, so Ubuntu is a breeze, but 7.04 is realy realy realy user friendly! It downloads the codeces and stuff automaticaly, all you have to do is say 'yes, buntu, do it for me!'. Neat! :) The only thing I'm missing from Windows world are games. Yes, there is Quake and UT and likes, but I miss Need for Speed and Age of Empires.... They run under Cedega, but they're unplayable (P4@1.7+768MB+Radeon9600 - those work under WindowsXP quite well). Seriousley, try Ubuntu (or any other distro, but I feel that you'll have least fuss with Ubuntu), and see how thigns are done there. Then, maybe, you'll see why UAC concept is not that good, esp. the way Microsoft implemented it.

Re:I kinda like the concept

[physicsnick]

I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved. You do realize you just described Linux, right?

I kind of like the concept of UAC. So do we. That's why it was invented twenty five years ago. Save yourself the headache, order your free CDs here.

Re:I kinda like the concept

[alphamugwump]

I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.

Modern systems are just too complicated for that. If you've got multiple users, the configuration is going to be scattered around. If it runs as a daemon or has shell hooks, it has to go somewhere too. If your program has any dependencies, it's going to have to install a shared library (DLL) in some system folder. Oh, sure, you could do like a Mac and put your shared libraries in the same folder as your program. But that defeats the whole purpose of having shared libraries in the first place.

Add to that the necessity of security updates, compatability, and so on, and you end up with a full-featured package manager. Which is also simple (sort of), but I wish they would provide an easier way of getting at the debian configuration database.

Re:I kinda like the concept

[Tom]

I pine for the days of being able to uninstall a program fully from my system by deleting its folder. http://www.apple.com/macosx/

Granted, some crap comes with a windos-like "installer", but on OSX you actually "install" most programs by drag&drop to the applications folder, and you uninstall them by drag&drop from applications to trash.

Re:I kinda like the concept

[gazbo]

Try typing the following commands and reading the output:

ls /usr/lib
ls /etc

You're about to learn about whole new parts of Linux!

Re:I kinda like the concept

[RotHorseKid]

You do realize you just described Linux, right?

Now you're kidding. Please explain how do I remove Apache by removing a single directory? Or even something simpler, say, vi?

Re:I kinda like the concept

[gbjbaanb]

I think it goes:

remove: /var/www/ /var/log/httpd/ /etc/httpd/ /usr/httpd /usr/local/sbin/httpd/

then find out where the per-domain configuration has ended up being stored and delete those.

Of course the above only applies to certain Linux distros, others will put their apache (which may or may not even be called httpd) in different directories.

Re:I kinda like the concept

[gbjbaanb]

Unfortunately, if you put files in the Program Files folder, then you need admin privileges.

So, you need to put the 'static' program apps and so in /ProgramFiles and then put your per-user data in either the HKCU registry or in the user's own /Application Data folder.

If they were the 2/3 places you could find an app's files then I think that'd be fine.

Re:I kinda like the concept

[toadlife]

I just love it when users of distros like n00buntu try to pretend that they know anything about operating systems.

Re:I kinda like the concept

[Eideewt]

su -c 'rm -rf /', of course.

Note: don't.

Re:I kinda like the concept

[Ed+Avis]

If the shared library is only used by that program and no others, then it should go in that program's directory.

On the other hand, if it's a DLL that is used by several applications, then this one app has no real business installing it in the Windows directory and especially not overwriting an existing copy of the same library (even with a newer version). There should be a separate package for the library which manages the library's files, and which can be marked as a dependency by any application that wants this library.

Re:I kinda like the concept

[TheRaven64]

It's not Linux, but on this *NIX box I would uninstall vim by doing 'rm /opt/vim7' as root. Anything I install outside a packaging system goes in /opt/{packagename}. It then creates the standard *NIX hierarchy inside there. Of course, it means passing a lot more options to configure (it needs to know where libraries are in /opt, for example), but it does make the system a lot easier to maintain. I would love to see this become the standard install mechanism, since it means installing is just a matter of un-tarring the binary in /opt and removing is just a matter of running rm. Unfortunately, everyone seems more interested in building complex systems for simple tasks.

Re:I kinda like the concept

[TheRaven64]

This doesn't actually uninstall the application, however. Most applications use NSUserDefaults, at the very least, which stores a dictionary in ~/Library somewhere (and possibly /Library). You need to delete this, if you want a complete uninstall.

The problem with the OS X method is that it can't differentiate between removing because you are uninstalling and removing because you are upgrading. It would be nice if the user defaults system did some kind of auto-cleaning, where defaults created by programs that no longer exist are moved to the trash, and are then deleted the next time you empty it.

Re:I kinda like the concept

[Hegh]

What I'm curious about is why programs' shared libraries are put in the system shared library directory (windows\system32). Wouldn't it make more sense to put system DLLs there, and program DLLs in a separate directory? It would make permission enforcement much easier. I know that there is a "program files\common files" directory, but I don't think most programs use it properly, and even then it's organized by program, so the "common" nature of the files is ruined by not being able to share them with other programs.

Re:I kinda like the concept

[gazbo]

That does indeed make removing a lot easier, but it would also restrict your options regarding partitioning, say. Not a big deal for me, but it is for some. Also, you'd still end up with dot-files and folders under ~ for your personal configs that would need manually removing (though this is less annoying than leaving the entire apps and global config files). It also removes the "shared" aspect of .so files.

Re:I kinda like the concept

[TheRaven64]

It also removes the "shared" aspect of .so files No it doesn't. I install libfoo in /opt/libfoo. The library goes in /opt/libfoo/lib and the headers in /opt/libfoo/include. As I said, I need to specify these as arguments to configure when I build anything that depends on libfoo, but that's not a major problem.

Re:I kinda like the concept

[Duhavid]

Because the path points there, this way they can be found.

Re:I kinda like the concept

[gazbo]

...and then when you delete /opt/appfoo, coincidentally the only app that uses libfoo, you end up with an unused .so in /opt/libfoo. You may not find this a major problem, but it definitely falls under the same category of leaving an orphaned config file in /etc, or some orphaned data in /var. Sure your system has cleaned up better, but it's not cleaned up fully.

Re:I kinda like the concept

As I said, I need to specify these as arguments to configure when I build anything that depends on libfoo, but that's not a major problem.

Configure also accepts a startup script through the CONFIG_SITE environment variable. Then just throw the with and enable arguments on separate lines. Note that the dash prefix must be removed.

This becomes useful when you find the unique package names embedded in every configure script. So for example you could do

if [ "$PACKAGE_NAME" = "foo" ]; then
  with-stuff
  enable-stuff
fi

Re:I kinda like the concept

[drinkypoo]

I haven't even RTFM, but could you configure ldconfig to make symlinks to libraries in a standard location? Then at least you'd only need to configure include directories. Even that could be handled by symlinks, and a script that removes dead symlinks...

Re:I kinda like the concept

[AaronBrethorst]

This doesn't actually uninstall the application, however. Most applications use NSUserDefaults, at the very least, which stores a dictionary in ~/Library somewhere (and possibly /Library). You need to delete this, if you want a complete uninstall.

And even this doesn't necessarily clean all the goop off your system when you delete an application. A lot of apps (including one that I do in my spare time) will also write files to ~/Library/Application Support, and potentially other folders. Firefox does this, as does Camino. That said, I'm still a huge fan of how you install most apps on OS X; I think that the drag and drop installation mechanism is very clean, and incredibly nice.

Re:I kinda like the concept

[GWBasic]

Perhaps I'm forgetting how bad that system was in the DOS days, and I'd welcome people reminding me, but it is looking pretty good at the moment.

Hmmm... No multitasking, no TCP/IP stack, no security at all... I seem to remember that BBSes looked cooler, though.

6 months ago I bought a Macbook. When I replaced my aging Windows XP box with a Mac desktop, all I did was connect a firewire cable between the two and everything was copied.

Re:I kinda like the concept

[aliquis]

But of course if you DO use those shared libraries it's not as easy as just removing the directory longer since it will break other apps...

This could easily be fixed by doing it the amiga way thought, just let each app live in /opt/vim or similair as you did, and also have their etc, lib and so on, but if you then prefer to use shared libraries just copy them to say /shared/lib and configurations to /shared/etc and so on. And then an application is run just try to link/read from it's own lib/etc/whatever and if there are no files/doesn't work look in /shared instead.

Then you aren't depending on another applications directory, since noone will remove anything from /shared (on the amiga there was no reason to, I copied plenty of shit to libs: and it was like 15MB anyway so who cares, also old library versions actually COULD be replaced with new ones, and it always worked, so if you copied a file over with dopus it would say bla bla version is older, so then choose no to copy it, or newer, and you copied it over. I hate that newer library versions aren't backwards compatible in various open source/unix projects.

Admin-level privileges

[Xiroth]

Hmm, I'd say he's got a good point - there's simply not a culture of privilege awareness in Windows developers.

Perhaps Microsoft should set up an audit unit and start giving software a 'UAC-compatible' tick if a piece of software has minimised how much UAC approval is required if its turned on, allowing the publisher to put it on their box so that the customers can tell. Who knows, perhaps one day the UAC system might actually be viable.

Re:Admin-level privileges

[TENTH+SHOW+JAM]

Hmm, a software company approves another software company's software.

Nope. Can't see it happening.

Re:Admin-level privileges

[Osty]

Perhaps Microsoft should set up an audit unit and start giving software a 'UAC-compatible' tick if a piece of software has minimised how much UAC approval is required if its turned on, allowing the publisher to put it on their box so that the customers can tell. Who knows, perhaps one day the UAC system might actually be viable.

In theory, that already exists. In order to use the "Certified for Windows Vista" logo on your software, you have to play nicely with UAC.

Re:Admin-level privileges

[280Z28]

Hmm, I'd say he's got a good point - there's simply not a culture of privilege awareness in Windows developers.

Perhaps Microsoft should set up an audit unit and start giving software a 'UAC-compatible' tick if a piece of software has minimised how much UAC approval is required if its turned on, allowing the publisher to put it on their box so that the customers can tell. Who knows, perhaps one day the UAC system might actually be viable. That is actually THE first requirement listed in the Certified for Windows Vista Logo Technical Requirements

Re:Admin-level privileges

[Jeff+DeMaagd]

Software requiring admin privileges is a problem. I think it's irritating that user-type software requires admin settings to work. That makes idiot-proofing a computer a lot harder.

I think it is a carry-over of the 16 bit Windows compatibility though, from the 9x series to NT series Windows. For 9X, there were no security considerations like this, and for NT series, compatibility seemed to require admin rights, and developers didn't change their programming practices because they didn't have to.

Re:Admin-level privileges

[Threni]

> 10 ? "All hardware is crap, all software is crap, all users are crap."
> 20 GOTO 10

Shocking. You should try and avoid gotos unless you can't.

while (true)
    ? "All hardware is crap, all software is crap, all users are crap."
wend

or

do while (true)
    ? "All hardware is crap, all software is crap, all users are crap."
loop

or

for (;;)
  printf ("All hardware is crap, all software is crap, all users are crap.\n");

It's hard to pick any faults in your sentiments, however.

Re:Admin-level privileges

[Dachannien]

Perhaps a better way to address at least part of the problem would be to have a special compiler option in Visual Studio that's turned on by default in debug configs. The option would cause a dialog box to be displayed anytime a folder or registry subtree is accessed in a way that a non-admin user would be denied access.

Yeah, it wouldn't help anyone who's not developing in Visual Studio, and it wouldn't help anyone at this point who neglected to patch their copy of VS. But at least it would provide helpful guidance to some people for working with a system that has changed significantly (and, quite honestly, for the better) from previous versions of Windows.

Re:Admin-level privileges

[ocbwilg]

Perhaps Microsoft should set up an audit unit and start giving software a 'UAC-compatible' tick if a piece of software has minimised how much UAC approval is required if its turned on, allowing the publisher to put it on their box so that the customers can tell. Who knows, perhaps one day the UAC system might actually be viable.

That's great and all, but they already do something similar. Ever see a shrink-wrapped box at the store with the "Designed for Windows" logo on it? Part of the logo testing is that the app is supposed to work with limited user rights. The problem is, the overwhelming majority of Windows software isn't sold in a shrink-wrapped box, so most software vendors don't bother with logo certification.

Hmm, I'd say he's got a good point - there's simply not a culture of privilege awareness in Windows developers.

Absolutely. It is nearly 100% the developers fault. Though I suppose some share of blame goes to IT departments for not making it clear to their software vendors that applications shouldn't require admin rights to run.

Re:Admin-level privileges

[nascarguy27]

Hmm, I'd say he's got a good point - there's simply not a culture of privilege awareness in Windows developers.

It's not just that. It's also that there's not privilege awareness in Windows users. With XPSP2 and before, users turn the box on and it boots to an admin privileged user by default. Home users normally don't want to be bothered with setting up multiple accounts on the computer. They just want the computer to do what they want it to do.

The security model is all wrong..

[QuantumG]

on Windows, on Unix and on OS X.

The problem on Windows is that it is a single user operating system with delusions of being a multi-user operating system.

The problem on Unix is that it is a time sharing operating system which people inexplicably use as a workstation operating system.

The problem on OS X is that there are no serious threats, so no-one has any idea if their security model does anything because it never gets tested.

And the problem with all three of them is that they assume that the program will always do what the user wants and therefore the program should inherit permissions from the user. On Windows that was never true. On Unix it was only true back when all users were developers and had enough time to read the source code to all the programs they ran and thus felt they could trust them. On OS X it was actually true because, again, no-one writes malware for OS X.

The security model should be, quite simply: the program has a manifest that declares what permissions it needs with a fine granularity. The permissions should be placed into a hierarchy. For example: writes to disk -> writes to user files -> writes to user files of type X. The user should be able to inspect these permissions to determine if they are acceptable. If they are not, then the user should be free to uncheck "required" permissions.. the program should still run but those functions of the program which invoke a required permission should cause a prompt. The prompt should give the option to deny the request, or fake the request so it appears to the program that it completed successfully.

And yes, developers should use this mode.. and they would, because it is actually useful instead of just being a pain.

Re:The security model is all wrong..

SELinux is one effort to correct that problem.

Re:The security model is all wrong..

[Tom]

And the problem with all three of them is that they assume that the program will always do what the user wants and therefore the program should inherit permissions from the user. Bingo!

Where is my "run this program but don't give it access to any of my data" option? That is something I want and that users will understand. Explicitly granting permission to syscall 0x6f03a4b loopback technobabble nonsense does not and never will fly with users who feel more intimidated than protected. Granting "permission to accept your personal data" is more like it. So run everything in a sandbox unless I explicitly allow it to read my files. Once. Because we all know that if I've given root/user/whatever to a program once, there are a billion tricks a piece of malware can and will use to make sure it keeps that access level.

Re:The security model is all wrong..

The problem on Unix is that it is a time sharing operating system which people inexplicably use as a workstation operating system. Hey, some of us actually use Unix as a multiuser operating system. At least 11 other people, by my last who.

Re:The security model is all wrong..

[tulcod]

Now, let's start off by complaining that you've said that there's no malware for OS X twice, but the same is true for linux.
selinux can perfectly help sandboxing your applications. There is no point is some kind of sophisticated interface for it on windows, as that would mean you'd mean to choose before running an application, which most people don't care about, thus just enable everything.
the system is wrong at the core. i'm typing this message from a school PC. there's no illusion on it (too poor? i guess so...), so they've "taken" all my rights, practically. That just means you have no access to the control panel. I type in dvorak, and i can only switch the keyboard layout using dvassist. that is just some small program i'v put on my usb stick and run as user with nearly any rights. dvassist changes the layout, deletes qwerty layouts (i don't really like that part, but meh), and even after rebooting, the pc is still set to dvorak (though there's a feature in dvassist to switch back, happily).
to make things clear: some small program anyone can download from sourceforge works around the security model and writes directly into the windows registry. now, is that a good thing?

windows' security system is wrong at the core, not the interface

Re:The security model is all wrong..

[Verte]

You're missing the multi user point. The great thing about having more than one user is you can have a program run as it's own user, without write access to anything [but its home directory], and without read access to anything personal or private. If permissions were as complicated as you say, installers would set them, and people wouldn't look and correct them.

But then how do programs write to the home directory of the calling user? I'd like to see standardised save-as boxes and such that handle passing that sort of permission, and any other attempt at writing outside the permissions of that program should be interrupted and a query sent to the user. And then, to simplify things, it would be nice to pass EROS style capabilities to programs permanently, so they don't need to explicitly request access to other things they may need.

Though, once you start restricting things like that, you need a whole new model for IPC and such... and I don't think we're ready for that yet.

Re:The security model is all wrong..

Want to sandbox something? Run it under a VM!

It's not the developers problem to account for every eventuality. At the other end of the scale, user software should NEVER require superuser privileges to install.

Over complicated security models fail, this is why unix (outside large corporates) still commonly uses basic file permissions instead of ACL's. Learn the lesson.

Re:The security model is all wrong..

[DrXym]

The security model should be, quite simply: the program has a manifest that declares what permissions it needs with a fine granularity.

That would be called SELinux and is turned on in Fedora Core.

Writing policy files either as a user, admin or even developer is hellishly difficult. FC has been messing with SELinux policies for years before getting it right. It almost requires an interactive mode where the policy can be "trained" by running the app a multiple times to see what registry / folder / files it needs access to and then ensuring that the policy enforces it.

Re:The security model is all wrong..

[abaddononion]

SELinux actually has something like that now, with the Audit-to-allow system, where it will show you all of the various messages where it has blocked a process from accessing something, and you can go through and tell it which ones are acceptable, and it will automagically create the corresponding policy files so that it doesnt block that process anymore. It turned me from completely hating SELinux because of the overwhelming amount of work it was to completely loving how simple AND powerful it was at the same time. And this actually does still force the user to go and manually say "This. I want to allow this." Of course, this doesnt prevent a user from just blanketly saying "Allow all of these!" But if someone's doing that, without reading their messages... they probably dont need to have SElinux on in the first place.

You may have already known about this, since you seem familiar with SELinux via FC, but I figured Id mention it for others. ^^

Re:The security model is all wrong..

[batkiwi]

I don't know if you're fishing for this reply, but this is ALMOST exactly what .NET does (everything except for the prompting... it simply errors if a program isn't allowed to do something). Read up on trust policies, declarative security, and "code access security" in .net.

It's not fully "user friendly" yet (it was originally designed around group policies in a corporate environment), but newer versions of .NET are getting more and more user configuration. The basic idea is that you set up "zones" (like in IE) and apply priveledges to each zone. YOu then set default policies for how programs get assigned to zones (via publisher certificate, via location (network drive, local drive, etc), via namespace, via.......), which you can override on a program by program exception if you want. Finally, you determine which permissions each zone is allowed.

GOOD coders put "declarative security" around methods. If you write to the filesystem, you declare that around the method entrance. Then the runtime won't even run the method, instead throwing an exception. This is "good" because the program never even tries to run the method. EVen if you DON'T declare security it still will not run the part requiring security, but will give you a messier exception because it's run the method up until the actual (example) file access.

Complex currently, without a good UI? (you edit xml files/etc) ... YES
VERY powerful, and eventually great once they add some sensible defaults and a good UI to customize it? IMO, YES!

Re:The security model is all wrong..

[DrXym]

I've seen the setting but to be honest the last time I had to get my hands dirty was in FC3 I believe when my console was filling up with SELinux policy violations and I had to turn it off. Since then it's gotten nicer so I just leave it on and trust it to be correct. I have looked at policy files though and they are pretty scary.

Even if you set some audit mode, you'd still have to do a full soak test of an app to catch everything, including the one time in a thousand that it want to access some dir or load some lib which brings in its own requirements.

Re:The security model is all wrong..

[Just+Some+Guy]

The security model should be, quite simply: the program has a manifest that declares what permissions it needs with a fine granularity.

That's brilliant! It's like it would let you trace syscalls.

And yes, developers should use this mode.. and they would, because it is actually useful instead of just being a pain.

Developers seem to want to use it. Everyone I've talked to who knows about it is interested and claims that they'll consider using it in the future. This is so true that they've been saying it for several years.

Re:The security model is all wrong..

[orclevegam]

What I'd like to see is something along the lines of the way tutorials and such are handled by most applications. When the permissions dialog pops up, in addition to allow or deny, there should be two check-boxes, one that says "Don't prompt me about this again this session." and another that says "Don't prompt me about this from now on.", although it should also come with an extra warning message if you check the second one. The great thing about this system is, that you can just run an app, check the second box and allow for every action you're fine with, deny for every action you don't want, and from then on the application will just run without prompting you, and you know it only has access to what you've approved.

Re:The security model is all wrong..

[metamatic]

The problem on Unix is that it is a time sharing operating system which people inexplicably use as a workstation operating system.

You seem to be unfamiliar with Unix's design history. While Bell Labs like to pretend that it was invented as a big time sharing OS, the truth is it was designed as an OS for a handful of guys to use on a PDP-7 right there in their lab.

Frankly, Richie, Thompson and Condon sharing a PDP-7 isn't conceptually far from mom, dad and the kids sharing a modern PC. Which is exactly why Unix has survived over the years.

Re:The security model is all wrong..

[Tom]

Want to sandbox something? Run it under a VM! You, Sir, missed the point by approximately 23 miles.

I want everything to run in a sandbox, unless I explicitly tell the butler (OS) that this guy is allowed into the house (my private data).

VMs have too much overhead for that, even if you automate their launch. It ain't that hard to do, really. Give me a weekend and I can write a policy for SELinux that does it.

Over complicated security models fail, this is why unix (outside large corporates) still commonly uses basic file permissions instead of ACL's. Learn the lesson. I refer to my original post. Complex security models fail because the user doesn't understand them. Build them with the user in mind instead of some abstract security concept, and you'll get a security model that works.

Users don't "get" type $1_home_t, file_type, sysadmfile, home_type; - but they do get "grant access to my personal data". Just like on holidays, you'll be surprised at the amount of understanding and cooperation if you speak to people in their language instead of insisting that yours is the only valid one.

Re:The security model is all wrong..

[toadlife]

I'm sorry to burst your bubble, but dvassist is not working around the Windows security model.

Switching keyboard layouts requires no special access to the operating system as it is a user preference. You are being restricted from the control panel due to a policy setting, not a security setting.

Though changing this setting probably writes to the user portion of the registry, no access to the system portions of the registry are required.

Try again.

Re:The security model is all wrong..

[tulcod]

Then let me show you another couple of examples: When i've been using my dad's pc (which i've set to use dvorak on my account too), dad will have trouble logging in if the system is not rebooted. how come the keyboard layout is not reset? it should be plus, it's pretty easy to let an application start on boot even when you don't own any rights to do so. you can do a lot like these things, no matter the permissions you got.

Re:The security model is all wrong..

[toadlife]

It's probably something to do with fast user switching, or maybe the keyboard layout is a global setting that all users have access to. I'm not sure, but changing the keyboard layout is not something that can compromise the security of the system.

it's pretty easy to let an application start on boot even when you don't own any rights to do so. Pretty much all users have the right to do this is various ways. The same applies to Linux, *BSD and OS X too BTW.

you can do a lot like these things, no matter the permissions you got You are able to do these things because of the permissions you have.

I work at a school IT dept (higher education, not K-12) and one of my duties is several student labs. From your posts it sounds like the admins at your highschool are typical, incompetent sysadmins that K-12 school districts hire. They hire incompetent techs because they generally don't pay them very well. When you move higher up the educational (you'll need to work on your writing skills to do so. ;) ) ladder the pay for IT people rises and the competency of the staff does accordingly (though I have seen plenty of incompetence in higher ed IT too). The proper way to set up student labs that run Windows is not to deploy stupid policy hack like disabling the control panel, because as I said, policies do not necessarily equate to security. In my labs, students log on a "guests", which are the same as users except their user profiles are not persistent after they log off. I tweak various file/registry ACLs so that all of the programs students need run properly as a non-admin. I don't have any policies that restrict access to the control panel. If the student wants to change their system font to lucida console, their background to pink ponies and their keyboard layout to dvorak, that's fine by me. Those changes will go away as soon as they log off.

Re:The security model is all wrong..

[tulcod]

Pretty much all users have the right to do this is various ways. The same applies to Linux, *BSD and OS X too BTW.

Lol, that is highly incorrect. On any properly installed unix system, normal users don't have any rights unless root have given them. It's the other way around on windows.

you'll need to work on your writing skills to do so. ;)

Please let me make clear that english is not my native language and make some mistakes every now and then.

The proper way to set up student labs that run Windows is not to deploy stupid policy hack like disabling the control panel, because as I said, policies do not necessarily equate to security.

Now, this is an unclear thing in windows. A lot of people (including my school's sysadmins) don't know the difference, really. On *nix, it's all the same thing: no access to wireless hardware devices means, obviously, no damaging access to its configuration applications, because they are just an apllication apart from the kernel layers.

Re:The security model is all wrong..

[toadlife]

Lol, that is highly incorrect. On any properly installed unix system, normal users don't have any rights unless root have given them. No. It's not incorrect. Ever hear of cron? On just about every UNIX system I've used, every user could have their own crontab by default. Windows has the task scheduler, which regular users can use to start programs at bootup. Both cron in unix and the task scheduler in Windows can be restricted to only administrators, but by default they are available to users.

It's the other way around on windows. You have a lot to learn about both Windows and UNIX. Most of what you think you know is wrong.

Re:The security model is all wrong..

[tulcod]

No. It's not incorrect. Ever hear of cron? On just about every UNIX system I've used, every user could have their own crontab by default. Windows has the task scheduler, which regular users can use to start programs at bootup. Both cron in unix and the task scheduler in Windows can be restricted to only administrators, but by default they are available to users.

Let me rephrase it. I actually meant "any properly designed unix system". A normal user cannot use cron in unix at all. Plus, in windows, you'll get administrator rights when using the "cron"-like feature in some ways.

You have a lot to learn about both Windows and UNIX. Most of what you think you know is wrong.

Please talk using arguments, not using your high degrees in nonsense studies.

Re:The security model is all wrong..

[toadlife]

Let me rephrase it. I actually meant "any properly designed unix system. A normal user cannot use cron in unix at all." Well then there are not many properly designed UNIX systems, because almost every one I've ever seen allows any user to have a crontab. This includes HPUX, Solaris, Various GNU/Linux distros, and FreeBSD. OpenBSD is one exception, as I think users must be put in an allow list in order to use crontab by default.

Plus, in windows, you'll get administrator rights when using the "cron"-like feature in some ways. Can you please explain what you are talking about here? In what ways do users get administrative rights by using the task scheduler?

Please talk using arguments, not using your high degrees in nonsense studies. I can't help it if you are ignorant and don't realize it.

They're half-right

[Durandal64]

Is there an onus on developers to actually write code that's aware of privileges? Absolutely. Windows developers have gotten a free ride with respect to access rights for a long time, but that party's over. But can Microsoft just throw up their hands and say "Okay guys, it's on you now"? Absolutely not. The reason developers have gotten away with this for so long is that Microsoft's own conventions and practices encouraged this. Users were set up with root-equivalent permissions by default, and there was no authentication mechanism in place (and there still isn't).

Microsoft should've deprecated UAC heuristics and put a time limit on them. They should've given developers a year (or so) to update their applications to be aware of privileges, and then simply remove the UAC heuristic features that "guess" whether an application needs privileges. So if you run an installer built for Windows XP, it doesn't get the right privileges without you explicitly launching it with admin rights.

Re:They're half-right

[physicsnick]

They should've given developers a year (or so) to update their applications to be aware of privileges They did. Vista was in beta-testing for a long time.

Re:They're half-right

[chaboud]

Note: I'm normally a Microsoft defender here, but I've spent too much of the last eight months dealing with Vista breaking-changes. Onto the rant...

This is such utter nonsense. UAC first came in, IIRC, in Beta 2 (May), but there were far too many problems with Vista over the beta/RC cycle to be workable. UAC was too annoying to leave turned on while trying to figure out the real bugs. UAC is still awful over remote desktop on a slower connection, as it blanks the screen. This cycle was nothing like the 2k or XP cycles with regards to beta and RC stability and direction.

One of our long-released apps went through this:

Beta 1:
Some draw issues, crashes on exit.

Beta 2:
Some draw issues, just fine.

RC1:
Some different draw issues, crashes a helper process on startup, then a second crash, completely, app dead.

RC2:
Some completely different draw issues (others gone), otherwise fine.

Release:
Same draw issues as RC2, crashes a helper process on startup, annoying help pop-up for any plug-in expecting old-school help to be available.

This was a released app for which the shipping bits did not change, at all, over the Vista cycle.

Now, it gets worse with UAC, because there are things that get more restrictive when the user gets sick of UAC and turns it off. The most obvious example is the "can't write to the TEMP folder" defect (by design? The designer is defective.). This kept several installers from working properly. If the user shuts UAC off, apps can no longer write to the TEMP directory and run their expanded installer app (winzip installer approach). This means that getting tired of UAC and pulling the plug on this behavior still interferes in the use of the system. In this case, it will hand the user a cryptic error message and no direction.

They went down this road with things like broken file-sharing and remote-desktop access with no-password accounts in XP, and it continues throughout Vista. Users of Microsoft products are regular victims of hidden behaviors, where seemingly simple changes can have much-delayed distant results.

Microsoft once cared a great deal about backwards compatibility. Now they seem to expect all software vendors to re-code, re-compile, re-test, and re-deploy for an OS change, and that OS was a moving target for the year preceding its release.

We're handling it, but what happens to the software that was orphaned by companies that died (or moved to a different platform)?

Re:They're half-right

[ocbwilg]

Microsoft once cared a great deal about backwards compatibility. Now they seem to expect all software vendors to re-code, re-compile, re-test, and re-deploy for an OS change,

Yes, that's true. This was also the time when Microsoft didn't give a rat's ass about security. Unfortunately they kept getting raked over the coals for having glaring security holes, so they are focusing more on creating an environment that is/can be/should be more secure, and as a result developers who've been able to code however they want to for years actually have to buck up and learn about coding to the new standards.

As someone who has had to admin large Windows installations (both client and server) by far our most difficult task was keeping users from running with full admin rights on their desktop. Why should that be the case? Sure, with Windows 95/98/Me there was just a single access level - admin. But since the days of NT4 (and presumably 3.5 before that, though I never used it) there have been user accounts available with varying levels of permissions going from a standard, limited user to full admin rights. Why is it that 12+ years later we're still fighting with applications that "require" admin privileges to run for no other reason than poor coding practices?

If I'm not mistaken, since the days of Windows 95/NT your application actually had to function correctly as a limited user in order to get the "Certified for Windows" logo. Of course, that probably only applies to the 5% of commercial applications that are sold in a box, while the rest never go through a logo compliance test at all. I can't tell you how much time I've spent on the phone with software vendors (usually for niche apps in the healthcare space) trying to a) convince them that it's important that their app run without full admin rights, and b) find out what restricted system areas their applications write to so that I can modify permissions in order to get their app to work without giving away full rights. It's ridiculous. Even if IT could have a policy whereby we won't approve any application for use in our environment that won't run as a restricted user, we would inevitably be overruled when that new killer app from the leader in the marketspace dazzles our CEO with grand new functionality. What's worse, the app vendors can get away with it because NOBODY is coding to LUA standards.

and that OS was a moving target for the year preceding its release.

Uh...yeah. That's why it's called a 'beta' or a 'release candidate'. That means that the code isn't set in stone, it may have serious flaws, and it is subject to change on a daily basis. If you can't or don't want to write code for a 'moving target' then wait until gold code is available. Sure, your competitors who can write code for a 'moving target' will undoubtedly have a market lead over you, but that's the breaks.

The truth is, it sounds like you guys did a good job of staying on top of issues that your application might have had with Vista. And since the problems that showed up in the gold code were the same as had showed up in previous versions of the code, you no doubt already knew how to fix them. And since the code went gold and was available to you (via MSDN) in November of 2006, even though Vista wasn't released to retail until February of 2007, I would submit that you had plenty of time to work out the issues and that your complaining is just for the sake of having something to complain about.

Re:They're half-right

[MikShapi]

>> Microsoft should've deprecated UAC heuristics and put a time limit on them.
They did.

NT domains running environments where users are not trusted and do not have permissions to modify the system have been around for over a decade. That was also roughly when the windows equivalent of /usr and /home appeared.
Microsoft software has been properly using these for all this time, setting proper example.
Vista was in beta forever. Any software vendor that was caught by surprise by the instatement of UAC should take his head out of his ass and figure out what kept him in his cozy cave for the last couple of years.

Re:They're half-right

[pedestrian+crossing]

Even if IT could have a policy whereby we won't approve any application for use in our environment that won't run as a restricted user, we would inevitably be overruled when that new killer app from the leader in the marketspace dazzles our CEO with grand new functionality.

Sadly, this is so true. Also, when the vendor out-and-out lies about these issues to make the sale. Lesson learned - if it isn't in the contract, anything the vendor told you means jack.

...find out what restricted system areas their applications write to so that I can modify permissions in order to get their app to work without giving away full rights.

Regmon and Filemon are your friends here. It's still a pain in the ass, but it is possible. Most of the time you just need to modify ACLs on a few select reg keys, but sometimes it's something totally asinine, like needing write permissions to system32...

Re:They're half-right

[abaddononion]

And since the code went gold and was available to you (via MSDN) in November of 2006, even though Vista wasn't released to retail until February of 2007, I would submit that you had plenty of time to work out the issues and that your complaining is just for the sake of having something to complain about.

And Im pretty sure this mentality right here is why so many companies, and even many end-users, are saying "We have no intention to upgrade to Vista. Ever." Just because you had "plenty of time to work out the issues" doesnt mean you WANT to spend the time doing it. Especially when the "benefits" of upgrading are shady at best, and by and far seem to be NOTHING more than marketing mumbo-jumbo.

Re:They're half-right

[ocbwilg]

And Im pretty sure this mentality right here is why so many companies, and even many end-users, are saying "We have no intention to upgrade to Vista. Ever." Just because you had "plenty of time to work out the issues" doesnt mean you WANT to spend the time doing it. Especially when the "benefits" of upgrading are shady at best, and by and far seem to be NOTHING more than marketing mumbo-jumbo.

Meh. Vista will be the new standard. People made the same complaints about XP too, but look at where it is today. A year from now the processing requirements of Vista won't seem over the top at all and most of the more egregious problems will have been fixed. Whether you wanted to spend the time working out compatibility issues between your software and Vista isn't a concern to most people. If you do spend the time to do it, then you can sell to Vista users. If don't spend the time to do it, they'll buy from someone else and you'll lose sales. It's that simple.

A bit of ridicule

[earnest+murderer]

Indeed, and I would take it one step further. I'd append to each UAC a description of why it's bad practice. Something like....

Application X is trying to do X. This is behavior typical of malware or virus activity, but can be a product of poor developmet practices.

It isn't going to win any friends, but will certainly bring their ego's into play. Of course if MS really had some balls they'd just make developers live within their install directory. Nothing gets in or out without a open/save dialog, provided by the system of course.

But I also think it's awesome that MS basically absorbed the audio stack. But only because I hate Creative even more than MS. It took 15 years, but incompetent and destructive finally caught up with them.

I suppose, like the US, Microsoft will do the right thing. Once all of the other options have been exhausted.

Re:A bit of ridicule

So when you actually want to format a drive, you get abused for it.

nice.

Re:A bit of ridicule

[SkunkPussy]

Woo! Someone who agrees with me about Creative! I think they are scum who mismarket their products, and sell products that only function properly when 3rd parties take it upon themselves to write drivers for them! (c.f. kxproject)

OT I know! But drawing attention to Creative's unethical practices can never be a bad thing.

Re:A bit of ridicule

[earnest+murderer]

The user telling the system to format a drive is a lot different than a 3rd party application. It isn't like you have to get the same dialog for every task.

Re:A bit of ridicule

[drinkypoo]

Not to mention their long-standing practice of not allowing driver downloads for most products, forcing you to beg on USENET or buy a CD from them. This is actually THE reason (even the SB Live! resampling stupidity was not enough) that I quit buying creative.

UAC is good - if you understand it!

[hexed_2050]

Once people start to understand UAC and how it works, people will begin to harness it and accept it rather than shun away from it.

UAC allows administrators to be logged in 24/7 without having 20+ privileges until the actually need that power. 99% of the time UAC will strip the administrator privileges away from the administrator and grant them with 6 SeXXX privileges to work with. It does this by using two different tokens instead of one. The first is a normal user token, and the second is the real administrator token. When you see that screen where UAC asks for elevation, that's when Vista will grant you the administrator token. Don't believe me? Type "whoami /priv" in a normal shell under the administrator logon. Now open up a shell using "Run as administrator" and type "whoami /priv".

Vista isn't the shining example of everything secure, but it sure is lightyears ahead of XP and a real good step in the correct direction. Windows users will whine and gripe about it, but they will eventually have to go through the same stuff the *nix crowd did along time ago when people were logged in with root 24/7.

If you require Vista to elevate you with certain apps, then create a .manifest file and place it in the same directory as the .exe. The manifest file is just an xml file that tells Vista that the .exe will require administrator privileges to run (queue UAC.) Google "vista manifest" or check this out for more information: http://channel9.msdn.com/Showpost.aspx?postid=2112 71

Enjoy..

h

Re:UAC is good - if you understand it!

[gwait]

At my first job out of tech school, I was given a user account on a Vax running unix, and we had a couple of Sun 2 workstations in the building (68012 processor, windowing system, mice, network, users and a root account).

Nobody there "ran as root" or admin, this was 1984. I'd guess that no serious unix users ever ran as root 24/7.

I mean, seriously, how far back in history have office admin staff been keeping the corporate records and personel files in locked cabinets to keep the regular employees out of the secured files? 1930's ?? Egyptian times?

Re:UAC is good - if you understand it!

[crabpeople]

"grant them with 6 SeXXX privileges"

I find this comment fascinating. How exactly do I get these SeXXX privileges? Can I up the amount if I desire more sexxx?

Re:UAC is good - if you understand it!

[J.R.+Random]

Windows users will whine and gripe about it, but they will eventually have to go through the same stuff the *nix crowd did along time ago when people were logged in with root 24/7.

When was this mythical time? In the elder days of Unix the users were hackers at places like Bell Labs and Berkeley and knew better than to run as root when they didn't need to. By the time others started using it, the convention was established -- you don't run as root. The only cases I can think of that made root the default were a few misguided attempts at "user friendliness" for Linux such as Lindows, and they were properly flamed for it.

lah

UAC reminds me of car insurance... its like limited liability or whatever...
You get pulled over for speeding, get asked if you have Insurance(click yes), you give your card and you're ok, ticket aside.
But when you rear end a new M3 BMW... that shit changes... REAL Quick...

And Ive seen graff scrawled clearer than that goddamn word in the "Please type this word in the image" picture... fuckin dammit!

I like UAC, personally

I've spent the last eight years of my life packaging and deploying apps for Corporate environments.

In none of those environments were the users Administrators (or even Power Users). I have written a few scripts and applications to work around some issues, but in general, it is a case of setting the appropriate permissions in HKLM and \Program Files\. It takes some work, but I have only ever had one seriously intractable application.

For the past 4 years I (and my family) have run primarily as users on our home PCs. Its a bit of a pain in XP, and I wrote my own Privilege escalation tool to make some things easier, but again, it is now pretty smooth. Even games work as users, with the appropriate settings. Vista (on my new laptop) is far easier, and no less frustrating than Kubuntu, which is always asking me to sudo an elevated operation.

UAC is a good thing - it's smart, and as developers get with the program, will add protection (not frustration) for users.

Another non-issue

[alphamugwump]

Rather than ask the user for permission on every operation, what other ways could Microsoft have improved Vista's security?

What's wrong with asking the user for permission on every operation? That's what my linux box does. It's called "su", and it makes me type in my password to make system changes. In fact, that's what every real operating system has ever done. Welcome to the real world.

A major reason for the "insecurity" of windows, IMHO, is the culture of its users. You get people who still remember 95 and 98, (and DOS) and who like to run everything as root. They don't want to be bothered with those nag boxes. But nag boxes are what it takes to secure a system. Security requires some effort on the part of the user, too. Funny how things work like that, isn't it?

See, in the beginning, a single user OS was perfectly OK. Even if you hooked your DOS machine up to the internet, it was probably a terminal, not as a computer in its own right. And really, they had so little RAM that a full-on operating system like linux would be massive overkill. A cell phone is a multimedia powerhouse compared to those machines.

But the microcomputers got bigger. They got a networking stack. People started using them like real systems instead of big, featureful, programmable calculators. They went mainstream, too. But the mindset of the users and developers was (and still is) somewhere way back in the 80s. The developers have gotten better; they add in UNIX features with every windows release. But the users, for the most part, just want to buy a box from Dell and have it work out of the box, like an appliance. Which is a fine thing to want, but those same users are also the kind of people who will install the purple monkey, become phishing victims, run binaries they got off P2P, and so on. And unless Microsoft locks people out of their own computers, there's not a damn thing they can do about that.

So while it was acceptable to bash Microsoft back in the day (no firewall, single-user mode, instability, etc), most of these problems have been fixed. Oh, sure, Windows is no OpenBSD. It's kind of kludgy, compared to linux, or OSX, or your *NIX-like system of choice. But at this point, if your system gets hacked, its probably your own dumb fault. Anymore, if you whine about windows without mentioning specifics, you just end up looking stupid, not 1337 and educated.

No, I am not a Windows fanboy. I don't dual boot, either, although I do use VMWare when I absolutely must. But it still pisses me off to see such obvious bullshit. Some of it is Apple propaganda, but a lot of it is propagated by windows users themselves. Which is understandable, I suppose, but not particularly productive.

Re:Another non-issue

[slittle]

What's wrong with asking the user for permission on every operation?

Because they're morons, don't/can't/won't understand and/or simply don't care, they just want it to work, now, no matter what the consequences. When it stops working they'll call the 10 year old kid next door or get a new computer.

OTOH,

See, in the beginning, a single user OS was perfectly OK.

That's the problem: most Windows systems are still single (physical) user machines; they don't have (half-)clued in admins to manage them on the user's behalf, and they don't have other users to infect. Having escalated privileges on a computer with only one real user doesn't really gain an attacker very much. You can still spam, worm, phish and generally annoy the rest of the internet without elevated privileges. But Microsoft still gets blamed for it. So in reality, asking the user every 5 seconds for confirmation has less to do with privilege escalation and more to do with trying to make the user think about what they're doing.

Re:Another non-issue

> if your system gets hacked, its probably your own dumb fault.

WTF?

Windows relies on RPC whereas I'd never dream of running a portmapper on any of my linux boxes (no need for NIS or NFS). You can't blame users for the hodge-podge of 3rd party technologies that Microsoft has implemented and 'improved' (made proprietary), especially when they're required in order to run the OS. MS just released patches for critical RPC vulns this week, was this the 'dumb fault' of end users?

Remember when Windows received security certification - so long as it wasn't connected to a network. It should be obvious that there are serious design problems with Windows and all the band aids are starting to make it unusable. Confusing granny with security popups isn't enhancing security when it's the underlying architecture that's flawed.

Re:Another non-issue

[wulfhound]

What it takes to secure a (user desktop) system is:-
- Not leaving ports open unless they absolutely need to be
- Not running Outlook Express and randomly downloaded crapware
- Using a reasonably secure browser, and avoiding popup-infested porn and warez sites
- Not running britney_spears.exe when it arrives in your inbox .. etc.

A secure permissions model has very little to do with it, IMHO.

UAC is generally a good thing.

[Kaenneth]

UAC is pretty much essential to meet the mutual goals of:

a) run old software designed for prior windows versions.

and

b) be secure.

You might want to allow, for example, an online game to delete files IF those files belong to the game, and only to the game, like obselete maps, sound files, etc. But you don't want someone to exploit a bug in the game online to hose your system; like the bug I found in Counterstrike (old version, long fixed) where putting "%D%D%D%D%D%D%D" as your playername would crash it out (classic printf issue).

You could possibly run an app in a VM 'sandbox', but that idea breaks down as soon as you try to cut-n-paste from one app to another, or two apps want to write files in the same directory... what should it do then, prompt for Cancel/Allow for each breach of the sandbox? or have the user define complex sets of which applications are allowed to talk to each other? I did that for a Linux setup, I made seperate accounts for each service, one for the Fax receiving, one for Apache, one for each instance of the DVR simulator, one for DistCC, one for web browsing... and configured them for exactly, and only what access each needed; the Fax could put files into a directory to be served by Apache, but could not touch the templates and other pages, and nothing Apache did could touch the Fax archive and configuration, each simulated DVR had its own IP address, and couldn't see the others except via network packets. It was terribly complex, and done as a learning experiance. because everything worked perfectly when run as one user, or if p[ermissions were opened up, but it took months of spare time to get all the permissions exactly right as seperate users.

  Unless you can be absolutly sure that EVERY action a program may take is approved, it needs to be controlled. As apps get fixed up, and Vista gets service packs or whatever to improve support for specific apps, the issue will fade, but never be completely gone, because sometimes, it'll save the users ass.

Won't work

[iangoldby]

That won't work for the same reason that the current Windows security model doesn't work.

It's too much trouble.

I believe this is one of the main reasons why UNIX applications generally do not play fast and loose with permissions. The security model is very simple. A process is owned by the account most suitable for the role it will perform. There's no need for complicated LPSECURITY_ATTRIBUTES structures. (And yes, I do think that even those are too complicated for most purposes, so you can guess what I think of the more esoteric aspects of Windows security tokens.)

Be honest, if you program for Win32, how many times have you just passed NULL as the first parameter of CreateEvent()?

If you want to make people do the Right Thing, make the Right Thing easier to do than the Wrong Thing.

Re:Won't work

[iang]

Actually, passing NULL as the first parameter of CreateEvent is almost always the right thing to do.

Of course the vast majority of developers don't actually know that - they just pass NULL out of laziness. But it turns out that if you spend the time it takes to learn the intricacies of the Win32 security model, you'll still end up passing NULL once you understand what's happening.

You just get to feel smug about it.

Why is Microsoft asking questions on Slahsdot?

[jkrise]

Rather than ask the user for permission on every operation, what other ways could Microsoft have improved Vista's security?

Excuse me, how would such a knowledge help anyone but Microsoft developers? No one but those developers have access to source code, certainly not Slashdot readers.

The fundamental problem with Windows Security architecture is that the Operating System thinks it is better, wiser and more powerful than the user. In Unix, the user is the boss.

If admin users can examine every single running process themselves, and there are no obscure registry settings, binary blobs, TPM, DRM and other 'heuristic' aka guesswork techniques to deal with.. the system can be made secure. The reason is simple: If there is a malicious code that is poisoning the system, the root user can examine it and simply delete it.

The only exception to this rule would be rootkits... and by rugged designs like SE Linux, removal of LKMs, etc. the possibilities for such rootkits can be minimised largely.

And finally, if there exists a simple mechanism for restoring an entire filesystem with file level backups (on separately dsignated partitions for instance), ease of restoration is guaranteed in case of security breach. Windows Vista's System State image rollback is simply more complexity without any added benefits from the simple tar command.

If Vista must be really secure, the registry has to be removed, the device drivers must be open source, the entire OS kernel must be available free for inspection and rectification, the DRM, TPM and PVP kludges must be knocked out... in short Windows should be a mere operating system. I bet that every single OS developer at Microsoft realises the above truth... they're just trying to create a situation where the market tries to follow their Defective by Design philosophy.

Re:Why is Microsoft asking questions on Slahsdot?

[physicsnick]

Excuse me, how would such a knowledge help anyone but Microsoft developers? No one but those developers have access to source code, certainly not Slashdot readers.
Should we not help Microsoft developers, just because this is Slashdot?

Some people are interested in the problem and in how to fix it. Believe it or not, some people actually like Windows.

I'm certainly not one of those people; I've been using Ubuntu for two years. I'm just saying, they exist, hence the question. Besides, even if we're not Windows users, most of us would like to see Windows more secure; everyone would benefit from having less botnets around.

Re:Why is Microsoft asking questions on Slahsdot?

[jkrise]

Should we not help Microsoft developers, just because this is Slashdot?

Please read my post in full. Every single Microsoft developer knows, or definitely ought to know... that UAC is a piece of junk. The insecurity with Windows is inherent.... the OS, or Microsft or Bill Gates.. ow whoever made that design decision... think that they own YOUR computer. It is impossible to secure the operating system as long as this fundamental issue is resolved.

Since this is a design decision taken at the very highest levels in Microsoft, it is futile to debate the issue on Slashdot.

Re:Why is Microsoft asking questions on Slahsdot?

[iang]

I don't think Microsoft are asking. I wrote the blog entry the question refers to, and I don't work for Microsoft, nor was I acting on their behalf. (And I don't imagine I've made myself any friends in Microsoft with that blog entry.) I know the guy who submitted the question to Ask /. (MythMoth) - he doesn't work for Microsoft either. In fact as far as I know he mainly runs Ubuntu these days, and he's been a Java developer for years.

My motivation is pretty simple: I think it sucks that lots of apps have problems if you run as a non-admin user. As an application developer myself, I know that if applications are broken in this way, there is basically nothing Windows can do to fix that. (The same would be true of Linux - it would be trivial to write an application that refuses to run properly unless it's running as root. It wouldn't be Linux's job to fix that apps problems would it?) Yes, the fact that the culture grew up this way is Microsoft's fault. But I want the culture to get better. So my goal was to encourage developers write apps that work properly for non-admin users.

On another note, you've said something that doesn't seem to apply to any version of Windows I'm familiar with:

"The fundamental problem with Windows Security architecture is that the Operating System thinks it is better, wiser and more powerful than the user. In Unix, the user is the boss.

The user is boss in Windows. If you're the admin of a Windows box, it'll let you do anything, including shooting yourself repeatedly in the foot if you so choose. To give an example that's relevant to the point at hand: an admin can choose to turn off UAC. (A bad choice, IMO, but Windows certainly won't stop you making that choice.) That's just one tiny example of course - one amongst thousands. The admin is in complete control of his or her machine.

(Of course, if the admin doesn't know what he or she is doing, then this 'control' will be purely hypothetical. Being an admin merely makes it possible to control everything, but to achieve that in practice does require you to know how to achieve what you're trying to achieve. And Windows does put up the odd road block to discourage you from doing certain particularly egregious forms of damage to your machine, so if you're not an expert user, you might mistakenly conclude that you're not in control. But the bottom line is: if you're the admin, you can circumvent any of these because you are, ultimately, in complete control of your machine.)

Can you point to a single concrete example of where Windows "thinks it is better, wiser and more powerful than the user"? I've been using Windows for almost as long as I've been using Linux. (12 years and 15 years respectively.) I can't think what you might be referring to - could you be specific please?

One could make a case that Windows should behave as you're suggesting it does. (I personally don't think it should, but I can see there's an argument.) After all, the vast majority of home users are entirely unqualified to "examine every single running process themselves". But for better or worse, if someone walks into a shop and buys a PC they are the de facto administrator of that box, whatever OS it might be running, and regardless of how well qualified they might be for that task. You could argue that if Windows was as authoritarian as you are suggesting that we might have fewer zombie Windows boxes out there, because end users wouldn't be empowered to hand over control of their machines to botnets. (It's pretty well documented that enterprise that don't let end users run as admin just don't have the security problems Windows is famed for.)

I wouldn't actually want it to work that way though. While I don't run as root most of the time, it's important to me to be able to control my box. Which is exactly how it is. So I'm surprised by what you've written.

Re:Why is Microsoft asking questions on Slahsdot?

[jkrise]

I don't think Microsoft are asking. I wrote the blog entry the question refers to, and I don't work for Microsoft, nor was I acting on their behalf. (And I don't imagine I've made myself any friends in Microsoft with that blog entry.) I know the guy who submitted the question to Ask /. (MythMoth) - he doesn't work for Microsoft either. In fact as far as I know he mainly runs Ubuntu these days, and he's been a Java developer for years.

Thanks for taking the time to post a rejoinder. My query wasn't on your identity, but on the utility of getting an answer to your question. How does it help anyone if UAC is a developer's fault, the marketing guy's vision fault, or a Segmentation Fault ;-)?? The only people with power to engineer the OS are the developers, and they are driven by their marketing bosses. Hence the title of my post.

But I want the culture to get better. So my goal was to encourage developers write apps that work properly for non-admin users.
Culture is something that gets built-ip over time... in this case, a couple decades. I dont think it can be changed by an Ask-Slashdot query. If Microsoft decide to jettison legacy support, and start afresh the Unix way, the entire IT culture - developer to end user - would see a sea-change, but I'm not holding my breath, after seeing Vista and UAC.

"The fundamental problem with Windows Security architecture is that the Operating System thinks it is better, wiser and more powerful than the user. In Unix, the user is the boss.
The user is boss in Windows. If you're the admin of a Windows box, it'll let you do anything, including shooting yourself repeatedly in the foot if you so choose.

I believe in Vista, even the Admin user is restricted... the Operating System is the boss. One can't install an unsigned driver, even if it is the intended action, with Vista. I believe there are numerous other examples where this is true.

Can you point to a single concrete example of where Windows "thinks it is better, wiser and more powerful than the user"? I've been using Windows for almost as long as I've been using Linux. (12 years and 15 years respectively.) I can't think what you might be referring to - could you be specific please?

Why, I thought it would be obvious to anyone who's used Unix-like systems for a year, let alone 15. If I install ANY FLAVOUR of Linux in a 4GB partition, and I copy that entire partition to a spare partition using the simple 'tar' command... I can rest assured that if the OS crashed, it's a simple matter of running a 'tar' command to get it back working - WITH ALL APPLICATIONS, SETTINGS etc. INTACT. Try doing that with Windows.... ANY version.

I wouldn't actually want it to work that way though. While I don't run as root most of the time, it's important to me to be able to control my box. Which is exactly how it is. So I'm surprised by what you've written.

You have misunderstood me. The first thing a Unix user does, is to create an account and a home directory, and work with that. But THE POSSIBILITY of logging as 'root' and seeing everything that's going on still exists. In such an environment, it is not practical to hide malicious programs so easily, as with Windows. And therein lies the reason why the Unix philosophy of empowering the user, wins easily over the Windows philosophy of asking for a million passwords and prompts... lulling him into a false sense of security.

Re:Why is Microsoft asking questions on Slahsdot?

[NekoXP]

Why, I thought it would be obvious to anyone who's used Unix-like systems for a year, let alone 15. If I install ANY FLAVOUR of Linux in a 4GB partition, and I copy that entire partition to a spare partition using the simple 'tar' command... I can rest assured that if the OS crashed, it's a simple matter of running a 'tar' command to get it back working - WITH ALL APPLICATIONS, SETTINGS etc. INTACT. Try doing that with Windows.... ANY version.

Wow, that's not even slightly close to a good example of what you said.

How is Windows thinking it's "wiser and smarter" than the user by not allowing you to tarball your OS and restore it that way?

You do realise, too, that tarballing your OS isn't going to give you a true backup if you are using ANY filesystem that uses ACLs, custom metadata or whatever.

I dare say there is no archiver on the planet that will properly take and restore an XFS or UFS2 partition in Linux, BSD or so on, and take all the data with it, and whatever that tool is if it does actually exist, it's certainly NOT fucking 'tar'.

As a sidenote, with the right options and a bit of ingenunity and a small script, you can use something like WinRAR to perform a tarball backup of your system - it will gladly pull in all the NTFS extra data like security descriptors and multiple data streams from the filesystem and store it in the archive. You simply then need to set the permissions correctly when you restore, for files which are ostensibly completely hidden from the user and WinRAR's file dialog - important, nasty files which if they were present for the rest of the system to touch, would explode your system in an instant (or at least the next boot)

Windows Vista comes with some tools in the admin kit, which will make something akin to a squashfs filesystem image of a system and keep all permissions on it. As part of the installer process of Vista, you can actually take files from this compressed filesystem 'image' one-by-one, you can add files in, and you can restore a system to your exact specifications - even to the point that you can set up a system from scratch, install all your apps, make an archive of the 'differences' and restore it from a clean Vista DVD you burn yourself. It's a far better method than slipstreaming and is quite close to what you want.

Either way, Linux is not special or better because you can tarball your system and copy it back, ostensibly because if you are using anything more than ext2 and a mainline kernel with absolutely no configuration whatsoever, only shadow passwords and basic PAM, your little tarball trick doesn't work.

Re:Why is Microsoft asking questions on Slahsdot?

[wezeldog]

No problem. Your core argument is sound: Developers should take security seriously.

Just so you know, some developers work in an environment where it is policy that the users (including the developers) are admins of their machines. Most desktops have some third-party vendor software that requires users to run as admin. They couldn't develop with less privilege if they wanted to.

Is that the employer's or developer's fault?

Re:Why is Microsoft asking questions on Slahsdot?

[inquisitor]

One can't install an unsigned driver, even if it is the intended action, with Vista.

Only Vista64 - 32-bit editions will allow unsigned drivers to install with a Big Red Warning. Technically speaking you can also switch a Vista64 system into a developer test mode that allows for unsigned drivers to install, but you really don't want to do that. Microsoft appears to have decided to do this because:

• Driver crashes are the #1 reason for Windows instability since the switch to the NT kernel, and most drivers aren't written by msft. (Creative, NVIDIA, ATI; we're looking at you...)
• 64-bit Windows requires new drivers written for it anyway, so is basically a clean slate - thus few vitally important legacy drivers that will be broken.
• You actually don't need to get WHQL to get signed - just pay some money for the sig. NVIDIA's current 64-bit beta drivers aren't WHQL, for example.
• To get signed, thus, it at least encourages the card manufacturer to put some effort into writing a driver that doesn't suck - at least because they had to spend some money to get it out.
• Hence less crashes and a bit more stable OS.

Sadly Vista 64 is still full-o-bugs, and I can't use it because it won't support my printer, but this at least wasn't a truly dreadful idea to begin with. Definitely not a great one though.

Re:Why is Microsoft asking questions on Slahsdot?

[Foolhardy]

Can you point to a single concrete example of where Windows "thinks it is better, wiser and more powerful than the user"? I've been using Windows for almost as long as I've been using Linux. (12 years and 15 years respectively.) I can't think what you might be referring to - could you be specific please?

Prior to vista, I can't think of any either. However, Vista introduces the concept of integrity levels, two of which are not directly accessible to admins, although there exist hacks to get around it. Restricted IE runs with Low integrity. Normal users run with Medium integrity. Elevated administrator processes run with High integrity. System integrity level is assigned to processes running as Local System. Protected integrity level is used for processes that touch/may touch protected content, including audiog and csrss. There is no documented way for an administrator to create or touch a protected integrity process (or object): a process has to either be a part of the OS or signed in a particular way to be allowed to run with protected integrity. This was apparently done for DRM. You can install a service to touch system integrity objects indirectly, though. Good luck creating an interactive process with system integrity.

Also, Vista requires you to jump through hoops to install unsigned kernel drivers, particularly in the x64 version. Prior to Vista, administrators had the authority to install whatever drivers without having to set any special (and potentially reduced functionality) modes.

Historical problem

[Lonewolf666]

From the blog linked in TFA:

The culture is different on these other operating systems. On UNIX, you'd be considered nuts if you ran as root all the time. And if you wrote a program that demanded to be run as root for no good reason, your application would be shunned, and rightly so.

and:

If you are a developer who has turned off UAC in frustration, remember that UAC is only this way because of all those software developers who insist on running as admin. It's not Windows you should be looking to blame.

I think that this is, in turn, a consequence of earlier Microsoft operating systems (Windows 3.x to ME) that did not have security features worth mentioning. Unix had a clear differentiation between user and admin (root) rights since decades. Windows did not, and essentially everyone was administrator.

As a result, lots of applications got written that implicitly required admin rights, accidentially or because it was the path of least resistance for the developer. As a result of that, people got used to work as administrators all the time on the newer systems (Win NT and later) too. As a result of that, there was less pressure to clean up the applications.

Now Microsoft is trying to break that vicious circle with UAC, but it seems they are not very successful... as it is once more the path of least resistance to turn it off ;-)

Re:Historical problem

The problem is that Microsoft's OS origins started early on extremely modest hardware. The first PC CPUs lacked the hardware necessary to enforce security. There were no "rings" or processor privilege levels. Anything that executed could access everything else on the system: hardware, memory, programs, filesystem, anything. The user at the keyboard could do anything they wanted, and any program that user executed could do anything it wanted, from trashing the machine to HLTing the CPU, anything. In a time before the Internet this was fine.

Yes, UNIX started earlier, but one much larger iron, capable of enforcing the necessary security models, so UNIX had the security concepts baked into it very early on. The early PC CPUs were completely incapable of running UNIX.

Microsoft knew that the model they were using was not condusive to a secure environment. Even in the DOS hayday they worked on their own UNIX implementation called Xenix. They worked on OS/2 with IBM which had a proper security system. When it came time to build NT, they built in an extremely functional security system which was far and beyond anything on UNIX. Access to virtually everything, from filesystem objects to individual settings to drivers and OS security privileges controlled by access control lists instead of simple bitfields.

The big problem came from legacy. Microsoft didn't want to go off in a new direction without orphaning a whole generation of software, and they were smart to know this. Afterall, if a company spends $15,000 on an application for a vertical market they're not going to invalidate that investment by upgrading to a new incompatible OS. So Microsoft did the smart thing in Windows NT and added in DOS and Windows 3.x emulation, allowing the programs to run interpretted in a sandbox, effectively a virtual machine.

However, then someone at MS figured out how to extend DOS with 32-bit support and preemptive multithreading and Windows 95 was born. This environment was close enough to the Win32 support in NT to make determination of emulation difficult, and it also demanded performance that the virtual machine could not provide. Windows 95 ran DOS programs directly alongside Win32 programs with no barriers in order to allow them to perform as expected. This allowed the non-existant security model to continue to exist.

Vista tries to have it's cake and eat it too. Apart from UAC, which everyone sees, is also something called "virtualization," which is a crappy name for the feature. Basically it's a shim into every process which silently catches attempts to write to Program Files or HKEY_LOCAL_MACHINE and redirects the output to the user's profile. It attempts to handle the single most common violation of security in Windows, an application assuming that it can write to anywhere it wants to.

Microsoft has always been aware of the problem. Since NT was released the Logo Requirements have always required that an application function within the confines of a standard User context unless it had to perform an administrative function. Most ISVs simply ignored this and continued to write software as they had on DOS or Windows 3.x.

Re:Historical problem

[azrider]

As a result, lots of applications got written that implicitly required admin rights, accidentally or because it was the path of least resistance for the developer. As a result of that, people got used to work as administrators all the time on the newer systems (Win NT and later) too. As a result of that, there was less pressure to clean up the applications

The problem was not that:

people got used to work as administrators all the time on the newer systems

The problem was that, absent extra work, people had to run as administrators all the time. When I got my new laptop (WinMCE), I tried to set my user id as a local user. The system said "There must be at least one administrator". When I logged in as Administrator (the dual sequence) and tried to lower my user id to a local user, the system still said "There must be at least one administrator" (note that I was logged in as Administrator at that time). The only work around was to create yet another user. This meant that there were two (not one) administrative users defined (the first one with no password out of the box). A security conscious operating system, IMNSHO opinion, should not make this the default case. This not only encourages, but almost demands that the user default environment is to run with all available rather than only necessary permissions.

Re:Historical problem

[Lonewolf666]

The big problem came from legacy. Microsoft didn't want to go off in a new direction without orphaning a whole generation of software, and they were smart to know this. Afterall, if a company spends $15,000 on an application for a vertical market they're not going to invalidate that investment by upgrading to a new incompatible OS. So Microsoft did the smart thing in Windows NT and added in DOS and Windows 3.x emulation, allowing the programs to run interpretted in a sandbox, effectively a virtual machine.

However, then someone at MS figured out how to extend DOS with 32-bit support and preemptive multithreading and Windows 95 was born. This environment was close enough to the Win32 support in NT to make determination of emulation difficult, and it also demanded performance that the virtual machine could not provide. Windows 95 ran DOS programs directly alongside Win32 programs with no barriers in order to allow them to perform as expected. This allowed the non-existant security model to continue to exist.

Good description of Win9x, and I'd like to add that it needed less system ressources than Windows NT. This made it a huge success in the consumer market, but at the expense of promoting the non-existant security model to the 32 bit world.

If Microsoft was always aware of the problem as you say, they must have decided to disregard it when they introduced Windows 95. Because that threw away the best chance of moving the Microsoft world to a security-aware programming paradigm. I think the switch from 16 to 32 bit would have been a good opportunity, marketing-wise, to convince people to accept the NT concept as new standard.

Re:Historical problem

[Geoffreyerffoeg]

Flood pings?

Ethereal?

Several popular uses of mount?

Shutdown?

apt-get install package-that-won't-obliterate-other-stuff?

Gentle Reminder...

[HaeMaker]

@ECHO OFF
PROMPT $p$g
C:
CD \NWCLIENT
SET NWLANGUAGE=ENGLISH
loadhigh LSL
loadhigh NE2000
loadhigh IPXODI
VLM
CD \

Re:Gentle Reminder...

[Nimey]

Ah, the good old days. :-)

Mod Parent up please

[popeyethesailor]

I cant imagine why parent is marked Troll. It's a ontopic reply, with informative commentary, directly from the source.

Re:Mod Parent up please

[nschubach]

I cant imagine why parent is marked Troll.

Maybe it's his signature? Does he really need to tell everyone he works for Microsoft? Can't you just provide good information and not bring the company you work for in to try to up your "cred"? I mean, most of us work for some IT firm or company that many have probably heard about, but when you resort to using the name of some other entity to further your goals, it seems a bit self-indulging.

That and many of us don't particularly care for Microsoft and their business methods. So modding him down is a way to "stick it to the man", if you will.

I'm not saying either of those are the reason, but I can see how they could be. Mods can use their points in any way they see fit.

Re:Mod Parent up please

[empaler]

I cant imagine why parent is marked Troll.

Maybe it's his signature? Does he really need to tell everyone he works for Microsoft? Can't you just provide good information and not bring the company you work for in to try to up your "cred"? However little I care for Microsoft and their business methods, I prefer that he has a disclaimer - otherwise someone would probably troll over his repeated MS-related posts (which I've seen countless times here when people have had repeated good things to say about X company).
Also, apart from that, Microsoft is a very visible and controversial company, so owning up to being part of it is fine (in my book). That gives you a chance to weigh that onto what he has written and evaluate it in that context.
Whether it belongs under every post is debatable, but the fact of the matter is that it is relevant in many cases where he talks about MS.

Mods can use their points in any way they see fit. That's what Metamod is for - catching obvious abuse.
---
Sorry if the post is messy, I got 4 phone calls while I was typing this. It's as if my employer expects me to be working just because I'm present.

Re:Mod Parent up please

[AaronBrethorst]

I've been called an astroturfer before. Calling out who I work for helps prevent further such accusations.

UAC is cosmetics

[Opportunist]

UAC cannot and will not mean secure computing. It's been pointed out before, that "may X do Y" dialoge comes up so friggin' often that users either turn it off or click "yes" on everything.

And that does not only apply to "clueless" users. Of course, someone who has no idea what the computer does and just why an application like explorer.exe has no business beyond the local net, will click yes on the "when in doubt, click yes or it won't work" presumption. The problem is that many Windows-Services are started in ways that make it impossible to determine whether a given program is supposed to do this or that, because there are many started using wrapper programs.

Many services are started using an application to start services. And you ONLY see that application, not (necessarily) the drivers it aktually loads. Some of them need to get access to very core deep functionality. And, unfortunately, can be abused to start trojans.

Generally, the problem lies in the untidy separation between system and user. As has been pointed out before, too, one of the problems is that developers didn't care too much about access rights so far, because you could readily assume that the user had administrator privileges, so key hives like HKLM were overused, even when unnecessary.

Another problem is that UAC is an "all or nothing" privilege mechanism, at least when it comes to installers. You either unlock the whole system or nothing. And this is even for a user with some knowledge no trivial matter to decide. You download a game from some demo page and it requests elevated privileges. Is it because it needs to set a key in HKLM, which is maybe unneeded but not critical, or is it because it comes bundled with some spyware that wants to root itself deeply in your system?

Basically, to me it seems that UAC is MSs way to shift the blame for infections away from them, and (mostly) towards the user. You allowed it to happen, we warned you, you clicked yes.

Shortcuts and save games

[sd.fhasldff]

I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.

Do you REALLY want your save games to be deleted when you "uninstall" an app?

This extends to all data created by applications, e.g. documents created by your word processor of choice. Clearly, this is bad practice. (User) data and configuration SHOULD reside elsewhere. And that's not even delving into the security issues this would present. You don't necessarily want to share your settings or data with other users of the same computer.

Another thing: Unless you use Windows Explorer (or command line) to navigate to and run a program, you can't uninstall a program FULLY by deleting its folder. At minimum, you would need to delete the shortcut to the program from somewhere else - unless you want Windows to be constantly scanning e.g. the Program Files folder for changes... but something tells me, you wouldn't appreciate that ;-)

In total, we have three separate "components" to even a relatively simple application: user configuration, user data and the app itself. In most cases, the app should be accessible to all users of the machine, whereas neither user configuration or data should - in most instances, anyway (I would love for Picassa to be identical, including settings and data, for all users on the "family" computer). Ideally, these components would be be located in predefined locations (can anyone say "My Files"? No, not "My Documents", "My Files"), easily locatable by the user. Yes, that means burying them in the registration database (die!) or under "C:\Documents and Settings\[User Name]\Application Data\[Program Name]\" (or the equally horrendous Vista version of it).*

A properly behaving uninstall program should delete the application (completely, not leave a friggin' empty folder or random "I was here" file) and PROMPT for deletion of configuration - and possibly data.

*Note that many of the problems associated with multiple users on a single WINDOWS system would be at least mitigated by introducing a "home" folder. This would have been an obvious feature to implement in Vista, but no such luck.

Re:Shortcuts and save games

[EvanED]

unless you want Windows to be constantly scanning e.g. the Program Files folder for changes... but something tells me, you wouldn't appreciate that ;-)

Windows supports a directory change notification; an application can request that the file system inform it when the contents of a directory change. (Linux and some Unices has this too, but in general it's not portable across versions of Unix or at all between Linux and Windows.)

At most you'd have to scan on first boot (and that's only necessary if you don't trust the file system to stay the same between boots), even if you take this approach and don't try to think of another way entirely to do it.

*Note that many of the problems associated with multiple users on a single WINDOWS system would be at least mitigated by introducing a "home" folder. This would have been an obvious feature to implement in Vista, but no such luck.

Um, what do you think that C:\Documents and Settings\[user name] is?

Making a statement

[fwarren]

Hey, he was BASICly making a statement.

Waiting PASSIVELY is not a good solution.

[DrYak]

Waiting passively for the programmers to change their bad habits isn't the best strategy that could have be taken by microsoft.

As you state those problems stems from bad programming habits. Developers that have taken the habit of writing critical data just like in the old DOS days : wherever it pleases them, ignoring the fact that some place are supposed to be reserved for admins only.
It has worked up to WinXP because either there wasn't any protection (older DOS based Windowses) or all users did run as admins by default (newer NT based Windowses). Now that VISTA finally tries to correct this and approach something that looks like Unix' habits - using admin-level privileges for doing ... admin work on the machine as intended. They found thousands of bad-behaving softwares that can work under this envrionment.

BUT THEY'VE TAKEN THE WRONG ROUTE AROUND THE PROBLEM !!!

With such problems you have three solutions :

- IGNORE THEM. Let the bad-behaving software just crash or display error message. That would attract attention to the fact that those software are broken. BUT ! Most users will believe that errors appear because Vista is buggy. The new version will get a bad reputation (as if the rest wasn't enough) and no users would like to switch. Microsoft would loose valuable market shares.
-> So that's why microsoft doesn't do it.
This behavious only works on Unices because most of the other software function correctly and users guess that the problems comes from the badly-behaving software and they try to download a corrected newer version or a better alternative.

- ASK USER'S PERMISSION. Do some 'sudo'-style privilege escalation for every single action that would require admin rights. And hope that developer will notice and produce more Vista-compatible softwares.
-> This is what microsoft has done, BUT THIS IS FUNDAMENTALLY WRONG.
Because concerning users :
- It floods them with a mass of annoying blocking popups asking for privileges. The users ends-up first answering OK to everything (and the Unix style protection is completly lost) and then they disable the whole UAC to stop the flow of popups. So it is as if it wasn't introduced in vista in the first place.
And concerning developers :
- As pointed by other /. developpers will be slow to change. They don't write code "perfect by the book", code that "somewhat works" is enough for most of them. Read sites like this if you don't believe.
- Changing may be difficult for them, because it would require re-doing the whole program architecture. Or it could pose problem to migration between the older bad-behaving version and the newer vista-compatible version, and there's a huge users pool that the developpers want to avoid pissing because of a non-trivial migration.
- And finally, they aren't compelled to change this, because users are running with UAC disabled anyway.

The last solution would be :
- VIRTUALIZE IT. Put all old-world (pre-Vista) software in a sandbox, a chroot jail, or whatever it is called in Windows. Whenever some pre-Vista software tries to access stuff it shouldn't in a normal user context, just do it - but on a dummy local copy to both avoid damaging the system and avoid annoying the user. That's the route that Apple has went were pre-OSX apps are ran inside some kind of emulator. But that is easier for them because of the radical shift in architecture : older software rely on a such different API, that it had to be emulated anyway, throwing a sandbox in the mix was only an added bonus.
Microsoft could do it as easily, because, fundamentally, Vista is XP with a shiny interface and some DRM thrown in. It would have annoyed users : They used to ran perfectly well behaving software writen for NT-Kernel under XP and suddenly, under Vista which uses mostly the same internal structure they have to run the same software inside a sandbox.
Microsoft SHOULD have spent a lot of time planning well the transit

A simpler solution exists.

[master_p]

There is a simpler solution: virtualize the O/S for users. Let users play their own version of the O/S, but without a problem for the other users.

Microsoft should have done that right from the start, because their O/S was single user from the beginning.

Another idea is that of protection rings, similar to 80x86 architecture: let each system resource belong in a ring, and allow access to resources only from privileged rings; access less privileged rings only through secure predefined gates. The nice thing with this is that, since it is implemented in software, there is no restriction to the number of rings available.

With this approach, applications that receive data from the network could run at a higher ring from the rest of the applications, and thus they could never touch user data (let alone kernel data).

Re:A simpler solution exists.

[TheRaven64]

virtualize the O/S for users. Let users play their own version of the O/S, but without a problem for the other users. This is almost what UNIX does (and what Plan 9, which is more UNIX than UNIX, actually does). The problem is that it protects users from other users, but it doesn't protect users from malicious applications.

In an ideal world, all software would be run using the principle of least privilege. My web browser would be able to link to the libraries it needs, read and write to a configuration file / folder, and write files into a downloads directory. You can do this fairly easily on a modern *NIX using something like systrace or SELinux, but very few people do because it's non-trivial to get right.

Re:A simpler solution exists.

[master_p]

If you had read the whole of my post, you would have seen that there is a solution for that too.

wow I forgot slashdot is all microsoft bashers

[majortom1981]

IF developers would program their programs right we wouldnt have this problem. If they made something like a game install without having to be an admin then we wouldnt be having these problems. By this I mean. Why does a game have to install registry files? Why cant they be stored in say an encrypted file in the games directory. Even if microsoft changed to unix we would still have these problems because its the developers who refuse to change. Developers should start doing things the right way and start making thier programs not have to be installed into system critical areas.

Re:wow I forgot slashdot is all microsoft bashers

[Lord+Bitman]

per-user Registry access requires admin rights?

I'm somewhat conflicted about the registry. On the one hand, it prevents the practice of scattering configuration files through all corners of a hierarchical filesystem... on the other hand, it does this by telling people to scatter configuration data through all corners of a hierarchical .. non .. file.. thing.

While the problem of configuration is not solved by the registry, I think it's at least superior to /etc/bunchOfUnregulatedFiles ~/.shitloadsMoreOfUnregulatedFiles

Re:wow I forgot slashdot is all microsoft bashers

[NullProg]

IF developers would program their programs right we wouldnt have this problem. If they made something like a game install without having to be an admin then we wouldnt be having these problems. By this I mean. Why does a game have to install registry files?

So you blame developers for following Microsoft guidelines?

Microsoft dictates that Windows programs (games, utilities, etc), write to the registry. Its part of the "Windows Certification" process. You should be asking yourself why Microsoft didn't allow for individual application registries or even better, why they discontinued the Windows INI APIs.

You will find the answer in the fact that you can no longer easily copy C:\Programs Files\WhizBangApp\ to a different Windows computer and have it work. Good for Microsoft and the programs vendor, bad for the computer user/software owner.

Its all about controlling how you use your "personal" computer.

Enjoy,

It IS the developer's fault

[MikShapi]

Microsoft did not invent sudo. They are the absolute last of the pack to implement it.

It's been optional to use forever. Restricted environments (where users still need to work, save files, etc) have been running in NT domains configured to disallow system modification forever and a decade. Vista's been in beta forever, and you need to have been on the friggin moon to not have known well in advance UAC is coming.

If your software writes outside your profile without a very good reason to do so, either update it, or smack the vendor on the head, because it is absolutely his fault. Just because it was ok to do something a certain way in the past doesn't make it ok to do it that way today. UAC/sudo is a simple Darwinian evolutionary step, a trait that gives advantage in a specific environment (The Internet a-la 2007) and is thus selected for, appearing in the next generation of the microsoft OS.

Blaming microsoft for it is lame (Unless you're blaming them for not having done it when Windows 2000 came out, that's ok.). They didn't do any foul play this time. Some developers having issues coping with the "new" reality? Market forces will take care of them soon enough, nothing to get concerned about.

News flash

[hey!]

developers are lazy and sloppy.

It's not just Windows developers running as admin. It's C programmers using sprintf. It's java programmers catching all throwables. It's web programmers taking some string of unknown origins and handing it to a SQL interpreter connected as an account that has DML privs.

What makes a difference is consumers. Unix users don't accept programs that run as root. MacOS users get somewhat better UIs because they demand it. Windows users use Windows because they feel they have to, and so anything goes.

Re:News flash

[MikeBabcock]

What I love about Windows users in general is this belief that they have a right to run software that claims to run on Windows. That is to say, they see a weather applet someone else has so they download and install it. They get a Blackberry because its cool and then run as administrator because the software won't work otherwise, etc., etc.

If you tell them "no, you can't do that" they'll say "well everyone else does" and get upset that you're telling them what not to do with their computer. Ironically, they also get upset when the computer dies. I usually make people sign off on "if you come to me when it breaks, I'm billing you hourly". Yes, I'm a sysadmin, there's a reason we're cranky people.

1. UAC is not SUDO. 2. What they did wrong.

[argent]

1. UAC is not SUDO

UAC is completely unrelated to sudo. It's an extension of the proxy privileged service scheme they've been using all along. It's not a bad model... it's much like what SafeTcl slave interpreters use... but it shouldn't be confused with "su", "setuid", or "sudo" in UNIX.

2. What they did wrong

Security is like sex, once you're penetrated you're ****ed. UAC, reduced privilege mode to run IE in, all the extra dialogs and warnings and security centers of the last ten years, they're all attempts to reduce the damage or pass the blame for the penetration on to the user. The solution is not to add more layers of annoying mitigation after IE, Outlook, and other applications that use the HTML control are inevitably penetrated. The solution is to redesign the HTML control so that it doesn't provide a security penetration API (the way ActiveX works in IE, that's what it comes down to) in the first place.

Instead, they present Silverlight, based on .NET, complete with its own security penetration API. :p

I do blame developers

[stubear]

Windows NT has been out for well over 10 years now and has ALWAYS been a multi-user OS. Windows NT4 was the first really user-friendly version of NT and was the version I started using and never looked back. Developers NEVER coded apps with this in mind, they were too busy hacking together apps to run on Windows 95 and if they worked on NT great. I'm not talking about little utilities or games here either. Photoshop, Office, 3DS Studio MAX, you name it, none of them took into account the security features of NT or the fact that one can run NT in a non-Administrator mode. UAC is not the best answer from a security standpoitn but it is a way for Microsoft to prod developers to think about users when they develop apps for Vista. Windows 95 and its progeny are long since dead (some users just haven't figured that out yet - you know who you are *Windows 98 users - cough*) and the NT based OSes are the future of Windows. Developers now need to work with what they have and stop being lazy.

Re:I do blame developers

[JoeD]

I've been saying this for years. It all stems from MS-DOS. There, you could put anything anywhere, and nothing cared. Then the DOS developers moved to Windows, and kept the habit. Then Windows went multi-user, and suddenly stuff started breaking.

So the user calls the vendor for help. Support calls cost money. So the vendor takes the quick way out and tells people to run as Administrator. Program runs now, so the problem appears to be fixed.

And to be fair, I've been guilty of this myself.

But so have others who should know better. For awhile, the Oracle client for Windows would not run under a normal account. So if you wanted to talk to an Oracle database, you needed to be an admin.

How soon people forget

The linked article laments running as "admin" on windows and offers a few possibilities why it is done that way and why developers feel the need to do it that way.

But it forgets the single biggest reason why it is done that way in the windows world on a regular basis. Before the advent of NT/XP, windows had no concept of "users" as in the Unix plural users sense. There was only one "user" in the whole world from it's perspective, that user sitting at the keyboard/screen/mouse, and that person could do anything they wanted anywhere they wanted anytime they wanted to the system. This was an outgrowth of the fact that windows started out from the DOS world (where you ran as "the all powerful" all the time as well). and only very very recently was drug, kicking and screaming, into the real world of needing an "admin" to modify critical system stuff, and running as a normal "user" the rest of the time. So, yes, the linked article is partly correct, in that developers who write presuming that everyone ins "admin" are part of the problem, but they are only following the lead set out by microsoft.

So the proper blame lies squarely with microsoft, for spending 20+ years "programming" people that 1) it should be mormal that your computer crash 2-3 times a day, and require 5 reboots unrelated to the crashes, and require additional rebooting to make almost any system change at all, and 2) it should be normal to be the all powerful "admin" all the time on your computer.

The blame lies with microsoft producing a system that works that way. The developers were just playing follow the leader.

systrace

Since they were creating something "new" anyway, why not base your model off of something that actually works, like OpenBSD's systrace, instead of just trying to annoy the user into turning off all security notifications?

A definition file (could be supplied with the program) defines what it can do and can't do, and what specific operations require enhanced privileges. At installation time, this definition file could even be pre-inspected, and warnings flagged if it appears to grant too many privileges. If a program tries to execute an operation in a way that it's not specifically allowed to use it, it's denied and an error is flagged. They already have sudo, er, "run as", for legacy applications if the user still has some lingering around.

It wouldn't change much, because the users themselves need to actually care and to be educated about using a computer wisely and securely, but those who did care and wanted to try would be MUCH safer with that than anything Microsoft has ever released.

Oh, wait, I know why they didn't do this. Then they couldn't (secretly) backdoor your computer as easily and sell backdoor landscape to spyware companies (ie: Sony, etc). Nevermind.

-M

64 bit

I'm a developer and I have it off, but it's the ONLY way to run the compiler in Wow emulation mode on a 64 bit operating system. So...

Hobble HTML?

So, your answer would be to get rid of all browser plugins, period? No more Flash? No more Java? No more QuickTime? All of these involve third-party code running in a native process space which could be compromised. All the user has to do is click "Yes" and that Java applet can start rampaging through the system, trashing the user's profile. UNIX, Windows, Mac, doesn't matter.

Why stop there? Why not get rid of pictures, too? Afterall, Linux, Mac and Windows all had vulnerabilities at points in time in reading PNGs. Can't always anticipate buffer overflows, so might as well avoid them.

Or maybe, just maybe, you could borrow a page from OpenBSD and load the browser into a jailed process which sandboxes the entire browser, plugins and all. Only way out is through a security broker with only a handful of specific targets. A buffer overflow in a third-party plugin wouldn't even allow the malicious code to trash the user's profile, let alone the rest of the system. And on top of that, just in case, also wrap the process in a constrained user token, so that even the broker itself is limited to only functioning at the strictest of user settings. This way you'd have to have at least 2 vulnerabilities to manage an exploit, and 3 to actually do any damage.

Oh wait, that is what IE7 on Vista does.

Writing to the registry is fine...

[AzrealAO]

putting data in HKLM (HKey_Local_Machine) when it doesn't need to be, is bad. HKCU (HKey_Current_User) does not require Admin Priveleges, nor does it bring up a UAC Prompt.

Re:Writing to the registry is fine...

[NullProg]

putting data in HKLM (HKey_Local_Machine) when it doesn't need to be, is bad. HKCU (HKey_Current_User) does not require Admin Priveleges, nor does it bring up a UAC Prompt.

I never said writing to the registry was bad. Parent poster was blaming developers for writing to the registry when it was dictated to them by Microsoft. Correct me if I'm wrong, but only with Vista can you mark your MSI software package as not requiring admin password.

Enjoy,

A Brief History of the Admin Problem

[Quantam]

Contrary to what a few mindless Linux zealots will tell you, Windows NT has always been an isolating multi-user system. That is, multiple users are supported, and each user's data is protected from other users, as well as system data (all the stuff outside the users' home directories). Always. However, NT's backward compatibility wasn't so good at first, particularly with 16-bit programs. As as result, even though it was relatively stable and secure, it was pretty rare for quite a few years.

The admin problem really comes about with Windows 9x, which was released a couple years after Windows NT. Windows 9x is not an isolating multi-user system; in fact, it basically has "multi-user" capabilities strapped on to Windows 3.1. There's no file system or registry permissions, nor is there a distinction between admin and vanilla user. Windows 9x quickly became popular, as it had fairly good backward compatibility with DOS and Windows 3.1 programs, and was significantly better than Windows 3.1 in general (though nowhere near comparable to NT). So, developers everywhere started writing programs for Windows 9x. Most of these programs didn't need to run on NT (as it was a niche market for some 7 years after release), so they didn't. Dealing with limited access was more difficult, and programmers were lazy.

Consequently, by the time NT finally overthrew 9x (with Windows XP), you had a huge number of existing programs that assumed full access of the computer (for one particularly bad example, the Mechwarrior: 2 Mercenaries installer used CLI and STI for something or other - kernel mode instructions; this blew up very badly on NT, so I did some debugging). But much worse, you had an entire generation of programmers that didn't know how to work with limited user. And since most users were forced to run in admin so that they could run legacy programs in XP, the developers figured that they didn't need to learn, and the problem became self-perpetuating.

In conclusion, YES, developers are 100% to blame for the admin problem. Granted some of those developers are in MS, but in general I've found MS programs to work FAR better than third-party programs, with regard to requiring admin. I'm speaking as someone who has been running as limited user for several years and runs MS programs like Visual Studio and Office very frequently.

As a footnote, I really wish NT offered a service to allow programs to temporarily elevate their privileges (such as getting write access to their program directory) to install patches without requiring admin (once the service verifies that the patches are properly signed). Myself and a friend are considering making such a service ourselves, actually.

Re:A Brief History of the Admin Problem

In conclusion, YES, developers are 100% to blame for the admin problem.

Yes, because code Red and Melissa was caused by me installing Diablo. Slammer was a result of users installing Paint Shop Pro. ActiveX controls get installed and root kits get downloaded without permission due to users running WinAMP.

The UAC/admin problem exists because its a flawed attempt to patch an already flawed environment. NT security was a joke at the time, any non-admin user could do anything to the system after login ($Guest login account anyone?). Put an unpatched XP computer on the internet and a unpatched 9x computer. Which one gets compromised quicker? How is that an admin problem?

Stop apologizing for the mistakes of Microsoft. Stop believing the marketing drivel that comes out of Redmond. It makes you look worse than the Linux Zealots.

Re:A Brief History of the Admin Problem

[Foolhardy]

It's true that there have been implementation flaws leading to vulnerabilities and the prorogation of worms. These were not caused by the actions of ISVs. Windows is not alone in having implementation flaws. However, implementation and design are two different things, and the topic of this story is UAC, Windows security design, and software that doesn't run with standard user privileges, which IS the fault of whomever wrote the software.

NT has always had local security. The Guest account, disabled by default, has even less privileges than members of the Users group. How would it be helpful for a full user to compromise that? NT 3.51 SP3 attained the Orange book C2 certification, which measures local security design. That wouldn't be possible if "any non-admin user could do anything to the system after login."

Re:A Brief History of the Admin Problem

[Quantam]

"Yes, because code Red and Melissa was caused by me installing Diablo. Slammer was a result of users installing Paint Shop Pro. ActiveX controls get installed and root kits get downloaded without permission due to users running WinAMP.

Stop apologizing for the mistakes of Microsoft. Stop believing the marketing drivel that comes out of Redmond. It makes you look worse than the Linux Zealots." ...okay, wow. You managed to totally and completely miss the topic of the article and my post, and write an rather irate reply in the process. The topic is the reason everybody uses (and writes programs only for) admin, NOT general bugs/security holes in the OS. Very nice knee-jerk reflex to somebody not putting down MS, though. One of us appears to be frothing at the mouth, here, and it sure ain't me.

Vista does virtualize

[The+MAZZTer]

Actually, Vista does virtualize SOME attempts to write to Program Files and HKLM. In fact this was one of the touted features (the writes get redirected to user-specific areas).

Re:Vista does virtualize

[AaronBrethorst]

Just to clarify, x86 Vista (but not 64-bit Vista) will virtualize writes to HKLM, HKCR, the Windows directory, Program Files, and a few other locations under the following circumstances. If your application does not include a <trustInfo> section in its Fusion manifest (or if it doesn't have a manifest at all) it will be virtualized unless the application is specifically on Vista's do not virtualize list. Visual Studio (or, more accurately, devenv.exe, the Visual Studio shell application) is on the do not virtualize list, for example.

Once your application has a Fusion manifest with a trustInfo section, it will stop being virtualized. This is where your app should end up. You don't want it to be virtualized, since this may lead to serious problems on x64/IA64 versions of Windows.

I blogged about this a while back. The first post I made was on virtualization and run levels, and the second one was on creating a UAC-aware manifest file.

Developers vs. Windows Logo Standards for Software

[yhamade]

First off, I agree with the article's assessment that it is the developer's fault why UAC is required in the first part. Now, I know this is slashdot, and Micro$oft bashing is everyone's favorite past time here, but, I'm going to defend them for a moment. The reason why I say it's the developers fault is because for YEARS Microsoft has been publishing information on how application's should function to work in as "Limited Users" (aka non-Administrators), at least since the days of Windows 2000. Now, the problem is, most developers I know have never even heard of this! What is this magical mystical document I speak of? Well, it's the Microsoft Logo specifications, aka "Designed for Windows". This talks about all kinds of useful things including separation of user data from application resources; which from my experience is the primary reason why USER applications do not function as non-Administrators.

Now, I also know that Microsoft themselves haven't followed their own rules, and some applications still require administrative rights (and some stupid design decisions such as IE's Code Store Database). Combine that with the fact that they have to support an existing installation base of applications that don't follow those practices and what else can they do? Ever tell have to tell a business user that they can't use their mission critical application anymore because it doesn't work with a proper security implementation? How about telling a Grandparent that have to go buy a new version of some application that they've been using for 10 years because it doesn't work on their new PC? UAC is Microsoft's bridge to go from the old way of everyone running as Admins to the way everyone else has been saying to run, as a "Limited User". It's either that or the proliferation of the fallacy that on Windows you must run as Root.

So, UAC sucks, but can anyone actually recommend a better solution that will work for the install base Windows has? I'm not talking about the "Windows has more users than Unix/Linux/Mac", I'm say that Windows user's and developers are DUMBER than Unix/Linux/Mac users/developers. Now, don't get me wrong, there are extemes on both sides of the fence, but if we looked at percentages, the percentage of dumb users and developers on the Windows side will probably far outweigh those on the other platforms. (Queue the "well switch stupid" comments. And I will, once the industry does as well, it's all about critical mass people.)

Here's some more information on the Vista Logo requirements:
http://microsoft.mrmpslc.com/InnovateOnWindowsVist a/getstartedcert.aspx?LangType=4105

Here's the "Requirements for the Windows Vista Logo Program for Software document":
http://download.microsoft.com/download/8/e/4/8e4c9 29d-679a-4238-8c21-2dcc8ed1f35c/Windows%20Vista%20 Software%20Logo%20Spec%201.1.doc

Windows is such a mish-mash..

[Kazoo+the+Clown]

of old and new features, deprecated and new APIs, etc... I'm amazed any developer can keep enough of it in their head to write a well behaved application on Windows. Oh, wait... there are some, aren't there?

Many developers were no doubt spending far too much time converting all their string calls to *_s "safe" versions or for 16 bit characters to get around to figuring out what they need to do for UAC. Either that or they just turned UAC and all the compiler warnings off and are completely oblivious to what they're doing wrong...

If Windows wasn't such a rats nest of work-arounds and redesigns, applications would be far more stable and well behaved-- and even Microsoft often can't seem to follow their own rules. The "virtualization" of "program files" and the registry is an ad-hoc kludge if I ever saw one, just one more convoluted whacky factor to mess things up. Oh yeah, it works great-- transparent until you start working with backup programs or migrating or replicating users or user configurations.

Re:Windows is such a mish-mash..

[SEMW]

Surely, if anything, file and registry virtualization makes it even easier for backups, migrating etc. It means that there's only ever one folder you need to copy (\users\username) and it'll come with everything -- per-user data and settings written to HKCU in \username\appdata where they should be, and settings written to HKLM and program files (where they shouldn't be) redirected to username\appdata\virtualstore. So you can just reinstall your app on the new computer, copy your \username folder over, and all your settings will be there, whether they were written to the correct place or not.

Blame Shift Activate!

Yes, developers do need to use better practices. I sincerely wish they'd remove the registry except for actual system settings (use an XML configuration file, which you can actually *validate*, and keep it in your application directory, dammit).

But UAC seems like it won't do much but annoy people into using it. I mean, if you were spyware, even though it's training folks to ignore meaningless, endless security dialogs with NO useful information, wouldn't you turn off UAC (and the warnings about not using UAC) first thing?

Besides, Microsoft ought to take its own advice. If you use the Control Panels much, you get plenty of ridiculous warnings. Maybe they need to practice what they preach instead of shifting the blame onto everyone else, then telling all the other OSes that they should infringe upon Microsoft's patents on this worthless, annoying piece of crap known as UAC?

I swear, they must have Paula Bean working for them. You want a better option? DENY permission to do Bad Stuff[TM] by default, and force the user to set permissions manually if they don't like that (i.e. don't make an API for it). If developers had to choose between a 10 page manual telling the user to toggle permissions to 80 different files and making their application use better procedures, they'd still have to choose the latter, and you wouldn't train people to ignore "security" warnings in the mean time!

AmigaOS

[aliquis]

Always worked nice in AmigaOS so why not. Copy it to your system partition if you want to or don't, in any case it will work. If you ever had to do anything it was an assing (say assign firefox: dh1:apps/firefox) for applications not hardware drive aware which looked for their device name.

Bite the bullet

[shaitand]

Start with Ubuntu, then complete the wine implementation of the windows api. Drop their proprietary networking protocols and use Samba as base to port their functionality. Rebrand it all for MS. Beyond that, security problems are on the users.

Liberate HTML.

[argent]

So, your answer would be to get rid of all browser plugins, period?

Now why would I point to Internet Explorer specifically if I were proposing getting rid of all browser plugins?

Think it through, do a bit of research, and try and figure out what it is about ActiveX that makes it so much more dangerous than Java, Flash, Quicktime, or other plugins that don't include a malware-empowerment API as an integral part of the design. Hint: fixing a buffer overflow doesn't break working APIs.

load the browser into a jailed process which sandboxes the entire browser

That would keep malware from trashing the p0rn collection on your hard disk, but it wouldn't do anything to keep the malware from taking part in a zombie network or forwarding your credit card info, bank account and paypal passwords, and other personal information through the zombie network to the attacker.

Once the browser's compromised, the attacker has won half the prizes on the table. Keeping them from making a clean sweep of it is a good thing, but it's no replacement for getting rid of inherently infixable and insecure APIs.

Plenty of REAL M$ complaints, why make one up?

[Actually,+I+do+RTFA]

That's not fair, to expect Office 97 to run fine on Vista. Well actually it is. If you had followed all of Microsoft's best practices, and work the platform as designed....you end up right where we are at today.

In 1997, under the Win95/98 model, there was no significant administrator vs. user account. In fact, I don't recall multiple accounts per machine. They finally added an administrator account and user account distinction that was easily accessible, and you blame the Office developers for not anticipating what the OS team would do??

I do agree with most of your registry bashing however.

could've been done right

[r00t]

It's way to late now of course, but...

Windows NT 3.x should have mapped C: to the user's home directory. Each user gets their own WINDOWS directory.
Windows 95 should have made the non-user portions of the registry be read-only or even missing.

Then the apps written for Windows 95 would run within the user account. Those without drivers would have been fully compatible with Windows NT 4. Non-hardware drivers could have been virtualized in the next release.

Re:I kinda like the concept, try brand X

[Your+Average+Joe]

OS X works hte way you want. You should try it, you might like it. I now have two Apple computers...

You are dead wrong

[Your+Average+Joe]

Autodesk has the monopoly on the 2d cad market, they also have the Windows logo on the box.

Guess what? AutoCAD requires the user to be local admin. THey make no bones about it. THis is what you get when you have two monopolies writing software.

Another correction

[Triynko]

In the 3rd to last paragraph, a sentense should read "There must also be utility to manage read-only access RIGHTS, whereby a user can TEMPORARILY GRANT read-only access to files or folders to a specific application. This model promotes organization, good backup habits, and PREVENTS accidental overwriting of archived files simply by wanting to save your work."