Slashdot Mirror
Vista's Troublesome UAC is Developer's Fault?
MythMoth wonders: "We've heard all about the pain and discomfort of working with Windows' User Account Control (UAC) switched on, but now Ian Griffiths is explaining that the developers are the problem — they brought it on themselves. In earlier articles we have heard that Microsoft think that everyone should do it like this — Ian does acknowledge that things are better in the Unix world, but is he right? Is the onus now on the developers to help fix a problem that they did not cause?"
Rather than ask the user for permission on every operation, what other ways could Microsoft have improved Vista's security?
- First few times: What is this annoying thing?
- Next few times: Well I guess it's better than not knowing
- After that (without reading) click ok...
So does that mean it's not working, wasting my time, AND training me to ignore security warnings? Honestly I don't have a better solution except for the rhetorical question "why can't people who exploit users justTurning coffee into code.
How many unix developers run as root? Probably because it works in the first place! Seriously though.. windows is beyond simple refactoring and I believe that vista is the evidence. The unix model is simple and effective but best yet scales reasonably well. Daemons run as root? No.. nor do they run a joe or bob. Even as sudo, you can still limit what commands you can run. SELinux takes things to a whole other level.
----
Go canucks, habs, and sens!
I kind of like the concept of UAC. I mean the messages are so annoying that hopefully developers will start to avoid getting them pop up.
Hopefully this will cause applications to stay the hell out of the Windows directory, the registry and wherever else they seem to think would be a good place to sprinkle data randomly. I pine for the days of being able to uninstall a program fully from my system by deleting its folder. Or being able to simply copy a configuration file from one computer to the next and having all my settings preserved.
Perhaps I'm forgetting how bad that system was in the DOS days, and I'd welcome people reminding me, but it is looking pretty good at the moment.
Hmm, I'd say he's got a good point - there's simply not a culture of privilege awareness in Windows developers.
Perhaps Microsoft should set up an audit unit and start giving software a 'UAC-compatible' tick if a piece of software has minimised how much UAC approval is required if its turned on, allowing the publisher to put it on their box so that the customers can tell. Who knows, perhaps one day the UAC system might actually be viable.
on Windows, on Unix and on OS X.
The problem on Windows is that it is a single user operating system with delusions of being a multi-user operating system.
The problem on Unix is that it is a time sharing operating system which people inexplicably use as a workstation operating system.
The problem on OS X is that there are no serious threats, so no-one has any idea if their security model does anything because it never gets tested.
And the problem with all three of them is that they assume that the program will always do what the user wants and therefore the program should inherit permissions from the user. On Windows that was never true. On Unix it was only true back when all users were developers and had enough time to read the source code to all the programs they ran and thus felt they could trust them. On OS X it was actually true because, again, no-one writes malware for OS X.
The security model should be, quite simply: the program has a manifest that declares what permissions it needs with a fine granularity. The permissions should be placed into a hierarchy. For example: writes to disk -> writes to user files -> writes to user files of type X. The user should be able to inspect these permissions to determine if they are acceptable. If they are not, then the user should be free to uncheck "required" permissions.. the program should still run but those functions of the program which invoke a required permission should cause a prompt. The prompt should give the option to deny the request, or fake the request so it appears to the program that it completed successfully.
And yes, developers should use this mode.. and they would, because it is actually useful instead of just being a pain.
How we know is more important than what we know.
Is there an onus on developers to actually write code that's aware of privileges? Absolutely. Windows developers have gotten a free ride with respect to access rights for a long time, but that party's over. But can Microsoft just throw up their hands and say "Okay guys, it's on you now"? Absolutely not. The reason developers have gotten away with this for so long is that Microsoft's own conventions and practices encouraged this. Users were set up with root-equivalent permissions by default, and there was no authentication mechanism in place (and there still isn't).
Microsoft should've deprecated UAC heuristics and put a time limit on them. They should've given developers a year (or so) to update their applications to be aware of privileges, and then simply remove the UAC heuristic features that "guess" whether an application needs privileges. So if you run an installer built for Windows XP, it doesn't get the right privileges without you explicitly launching it with admin rights.
Indeed, and I would take it one step further. I'd append to each UAC a description of why it's bad practice. Something like....
Application X is trying to do X. This is behavior typical of malware or virus activity, but can be a product of poor developmet practices.
It isn't going to win any friends, but will certainly bring their ego's into play. Of course if MS really had some balls they'd just make developers live within their install directory. Nothing gets in or out without a open/save dialog, provided by the system of course.
But I also think it's awesome that MS basically absorbed the audio stack. But only because I hate Creative even more than MS. It took 15 years, but incompetent and destructive finally caught up with them.
I suppose, like the US, Microsoft will do the right thing. Once all of the other options have been exhausted.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
Once people start to understand UAC and how it works, people will begin to harness it and accept it rather than shun away from it.
/priv" in a normal shell under the administrator logon. Now open up a shell using "Run as administrator" and type "whoami /priv".
.manifest file and place it in the same directory as the .exe. The manifest file is just an xml file that tells Vista that the .exe will require administrator privileges to run (queue UAC.) Google "vista manifest" or check this out for more information: http://channel9.msdn.com/Showpost.aspx?postid=2112 71
UAC allows administrators to be logged in 24/7 without having 20+ privileges until the actually need that power. 99% of the time UAC will strip the administrator privileges away from the administrator and grant them with 6 SeXXX privileges to work with. It does this by using two different tokens instead of one. The first is a normal user token, and the second is the real administrator token. When you see that screen where UAC asks for elevation, that's when Vista will grant you the administrator token. Don't believe me? Type "whoami
Vista isn't the shining example of everything secure, but it sure is lightyears ahead of XP and a real good step in the correct direction. Windows users will whine and gripe about it, but they will eventually have to go through the same stuff the *nix crowd did along time ago when people were logged in with root 24/7.
If you require Vista to elevate you with certain apps, then create a
Enjoy..
h
Valkyrie is about to die! Wizard needs food -- badly!
I've spent the last eight years of my life packaging and deploying apps for Corporate environments.
In none of those environments were the users Administrators (or even Power Users). I have written a few scripts and applications to work around some issues, but in general, it is a case of setting the appropriate permissions in HKLM and \Program Files\. It takes some work, but I have only ever had one seriously intractable application.
For the past 4 years I (and my family) have run primarily as users on our home PCs. Its a bit of a pain in XP, and I wrote my own Privilege escalation tool to make some things easier, but again, it is now pretty smooth. Even games work as users, with the appropriate settings. Vista (on my new laptop) is far easier, and no less frustrating than Kubuntu, which is always asking me to sudo an elevated operation.
UAC is a good thing - it's smart, and as developers get with the program, will add protection (not frustration) for users.
What's wrong with asking the user for permission on every operation? That's what my linux box does. It's called "su", and it makes me type in my password to make system changes. In fact, that's what every real operating system has ever done. Welcome to the real world.
A major reason for the "insecurity" of windows, IMHO, is the culture of its users. You get people who still remember 95 and 98, (and DOS) and who like to run everything as root. They don't want to be bothered with those nag boxes. But nag boxes are what it takes to secure a system. Security requires some effort on the part of the user, too. Funny how things work like that, isn't it?
See, in the beginning, a single user OS was perfectly OK. Even if you hooked your DOS machine up to the internet, it was probably a terminal, not as a computer in its own right. And really, they had so little RAM that a full-on operating system like linux would be massive overkill. A cell phone is a multimedia powerhouse compared to those machines.
But the microcomputers got bigger. They got a networking stack. People started using them like real systems instead of big, featureful, programmable calculators. They went mainstream, too. But the mindset of the users and developers was (and still is) somewhere way back in the 80s. The developers have gotten better; they add in UNIX features with every windows release. But the users, for the most part, just want to buy a box from Dell and have it work out of the box, like an appliance. Which is a fine thing to want, but those same users are also the kind of people who will install the purple monkey, become phishing victims, run binaries they got off P2P, and so on. And unless Microsoft locks people out of their own computers, there's not a damn thing they can do about that.
So while it was acceptable to bash Microsoft back in the day (no firewall, single-user mode, instability, etc), most of these problems have been fixed. Oh, sure, Windows is no OpenBSD. It's kind of kludgy, compared to linux, or OSX, or your *NIX-like system of choice. But at this point, if your system gets hacked, its probably your own dumb fault. Anymore, if you whine about windows without mentioning specifics, you just end up looking stupid, not 1337 and educated.
No, I am not a Windows fanboy. I don't dual boot, either, although I do use VMWare when I absolutely must. But it still pisses me off to see such obvious bullshit. Some of it is Apple propaganda, but a lot of it is propagated by windows users themselves. Which is understandable, I suppose, but not particularly productive.
UAC is pretty much essential to meet the mutual goals of:
a) run old software designed for prior windows versions.
and
b) be secure.
You might want to allow, for example, an online game to delete files IF those files belong to the game, and only to the game, like obselete maps, sound files, etc. But you don't want someone to exploit a bug in the game online to hose your system; like the bug I found in Counterstrike (old version, long fixed) where putting "%D%D%D%D%D%D%D" as your playername would crash it out (classic printf issue).
You could possibly run an app in a VM 'sandbox', but that idea breaks down as soon as you try to cut-n-paste from one app to another, or two apps want to write files in the same directory... what should it do then, prompt for Cancel/Allow for each breach of the sandbox? or have the user define complex sets of which applications are allowed to talk to each other? I did that for a Linux setup, I made seperate accounts for each service, one for the Fax receiving, one for Apache, one for each instance of the DVR simulator, one for DistCC, one for web browsing... and configured them for exactly, and only what access each needed; the Fax could put files into a directory to be served by Apache, but could not touch the templates and other pages, and nothing Apache did could touch the Fax archive and configuration, each simulated DVR had its own IP address, and couldn't see the others except via network packets. It was terribly complex, and done as a learning experiance. because everything worked perfectly when run as one user, or if p[ermissions were opened up, but it took months of spare time to get all the permissions exactly right as seperate users.
Unless you can be absolutly sure that EVERY action a program may take is approved, it needs to be controlled. As apps get fixed up, and Vista gets service packs or whatever to improve support for specific apps, the issue will fade, but never be completely gone, because sometimes, it'll save the users ass.
That won't work for the same reason that the current Windows security model doesn't work.
It's too much trouble.
I believe this is one of the main reasons why UNIX applications generally do not play fast and loose with permissions. The security model is very simple. A process is owned by the account most suitable for the role it will perform. There's no need for complicated LPSECURITY_ATTRIBUTES structures. (And yes, I do think that even those are too complicated for most purposes, so you can guess what I think of the more esoteric aspects of Windows security tokens.)
Be honest, if you program for Win32, how many times have you just passed NULL as the first parameter of CreateEvent()?
If you want to make people do the Right Thing, make the Right Thing easier to do than the Wrong Thing.
I think that this is, in turn, a consequence of earlier Microsoft operating systems (Windows 3.x to ME) that did not have security features worth mentioning. Unix had a clear differentiation between user and admin (root) rights since decades. Windows did not, and essentially everyone was administrator.
As a result, lots of applications got written that implicitly required admin rights, accidentially or because it was the path of least resistance for the developer. As a result of that, people got used to work as administrators all the time on the newer systems (Win NT and later) too. As a result of that, there was less pressure to clean up the applications.
Now Microsoft is trying to break that vicious circle with UAC, but it seems they are not very successful... as it is once more the path of least resistance to turn it off
C - the footgun of programming languages
@ECHO OFF
PROMPT $p$g
C:
CD \NWCLIENT
SET NWLANGUAGE=ENGLISH
loadhigh LSL
loadhigh NE2000
loadhigh IPXODI
VLM
CD \
UAC cannot and will not mean secure computing. It's been pointed out before, that "may X do Y" dialoge comes up so friggin' often that users either turn it off or click "yes" on everything.
And that does not only apply to "clueless" users. Of course, someone who has no idea what the computer does and just why an application like explorer.exe has no business beyond the local net, will click yes on the "when in doubt, click yes or it won't work" presumption. The problem is that many Windows-Services are started in ways that make it impossible to determine whether a given program is supposed to do this or that, because there are many started using wrapper programs.
Many services are started using an application to start services. And you ONLY see that application, not (necessarily) the drivers it aktually loads. Some of them need to get access to very core deep functionality. And, unfortunately, can be abused to start trojans.
Generally, the problem lies in the untidy separation between system and user. As has been pointed out before, too, one of the problems is that developers didn't care too much about access rights so far, because you could readily assume that the user had administrator privileges, so key hives like HKLM were overused, even when unnecessary.
Another problem is that UAC is an "all or nothing" privilege mechanism, at least when it comes to installers. You either unlock the whole system or nothing. And this is even for a user with some knowledge no trivial matter to decide. You download a game from some demo page and it requests elevated privileges. Is it because it needs to set a key in HKLM, which is maybe unneeded but not critical, or is it because it comes bundled with some spyware that wants to root itself deeply in your system?
Basically, to me it seems that UAC is MSs way to shift the blame for infections away from them, and (mostly) towards the user. You allowed it to happen, we warned you, you clicked yes.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I don't think Microsoft are asking. I wrote the blog entry the question refers to, and I don't work for Microsoft, nor was I acting on their behalf. (And I don't imagine I've made myself any friends in Microsoft with that blog entry.) I know the guy who submitted the question to Ask /. (MythMoth) - he doesn't work for Microsoft either. In fact as far as I know he mainly runs Ubuntu these days, and he's been a Java developer for years.
My motivation is pretty simple: I think it sucks that lots of apps have problems if you run as a non-admin user. As an application developer myself, I know that if applications are broken in this way, there is basically nothing Windows can do to fix that. (The same would be true of Linux - it would be trivial to write an application that refuses to run properly unless it's running as root. It wouldn't be Linux's job to fix that apps problems would it?) Yes, the fact that the culture grew up this way is Microsoft's fault. But I want the culture to get better. So my goal was to encourage developers write apps that work properly for non-admin users.
On another note, you've said something that doesn't seem to apply to any version of Windows I'm familiar with:
The user is boss in Windows. If you're the admin of a Windows box, it'll let you do anything, including shooting yourself repeatedly in the foot if you so choose. To give an example that's relevant to the point at hand: an admin can choose to turn off UAC. (A bad choice, IMO, but Windows certainly won't stop you making that choice.) That's just one tiny example of course - one amongst thousands. The admin is in complete control of his or her machine.
(Of course, if the admin doesn't know what he or she is doing, then this 'control' will be purely hypothetical. Being an admin merely makes it possible to control everything, but to achieve that in practice does require you to know how to achieve what you're trying to achieve. And Windows does put up the odd road block to discourage you from doing certain particularly egregious forms of damage to your machine, so if you're not an expert user, you might mistakenly conclude that you're not in control. But the bottom line is: if you're the admin, you can circumvent any of these because you are, ultimately, in complete control of your machine.)
Can you point to a single concrete example of where Windows "thinks it is better, wiser and more powerful than the user"? I've been using Windows for almost as long as I've been using Linux. (12 years and 15 years respectively.) I can't think what you might be referring to - could you be specific please?
One could make a case that Windows should behave as you're suggesting it does. (I personally don't think it should, but I can see there's an argument.) After all, the vast majority of home users are entirely unqualified to "examine every single running process themselves". But for better or worse, if someone walks into a shop and buys a PC they are the de facto administrator of that box, whatever OS it might be running, and regardless of how well qualified they might be for that task. You could argue that if Windows was as authoritarian as you are suggesting that we might have fewer zombie Windows boxes out there, because end users wouldn't be empowered to hand over control of their machines to botnets. (It's pretty well documented that enterprise that don't let end users run as admin just don't have the security problems Windows is famed for.)
I wouldn't actually want it to work that way though. While I don't run as root most of the time, it's important to me to be able to control my box. Which is exactly how it is. So I'm surprised by what you've written.
Ian Griffiths
Waiting passively for the programmers to change their bad habits isn't the best strategy that could have be taken by microsoft.
... admin work on the machine as intended. They found thousands of bad-behaving softwares that can work under this envrionment.
:
: : /. developpers will be slow to change. They don't write code "perfect by the book", code that "somewhat works" is enough for most of them. Read sites like this if you don't believe.
:
As you state those problems stems from bad programming habits. Developers that have taken the habit of writing critical data just like in the old DOS days : wherever it pleases them, ignoring the fact that some place are supposed to be reserved for admins only.
It has worked up to WinXP because either there wasn't any protection (older DOS based Windowses) or all users did run as admins by default (newer NT based Windowses). Now that VISTA finally tries to correct this and approach something that looks like Unix' habits - using admin-level privileges for doing
BUT THEY'VE TAKEN THE WRONG ROUTE AROUND THE PROBLEM !!!
With such problems you have three solutions
- IGNORE THEM. Let the bad-behaving software just crash or display error message. That would attract attention to the fact that those software are broken. BUT ! Most users will believe that errors appear because Vista is buggy. The new version will get a bad reputation (as if the rest wasn't enough) and no users would like to switch. Microsoft would loose valuable market shares.
-> So that's why microsoft doesn't do it.
This behavious only works on Unices because most of the other software function correctly and users guess that the problems comes from the badly-behaving software and they try to download a corrected newer version or a better alternative.
- ASK USER'S PERMISSION. Do some 'sudo'-style privilege escalation for every single action that would require admin rights. And hope that developer will notice and produce more Vista-compatible softwares.
-> This is what microsoft has done, BUT THIS IS FUNDAMENTALLY WRONG.
Because concerning users
- It floods them with a mass of annoying blocking popups asking for privileges. The users ends-up first answering OK to everything (and the Unix style protection is completly lost) and then they disable the whole UAC to stop the flow of popups. So it is as if it wasn't introduced in vista in the first place.
And concerning developers
- As pointed by other
- Changing may be difficult for them, because it would require re-doing the whole program architecture. Or it could pose problem to migration between the older bad-behaving version and the newer vista-compatible version, and there's a huge users pool that the developpers want to avoid pissing because of a non-trivial migration.
- And finally, they aren't compelled to change this, because users are running with UAC disabled anyway.
The last solution would be
- VIRTUALIZE IT. Put all old-world (pre-Vista) software in a sandbox, a chroot jail, or whatever it is called in Windows. Whenever some pre-Vista software tries to access stuff it shouldn't in a normal user context, just do it - but on a dummy local copy to both avoid damaging the system and avoid annoying the user. That's the route that Apple has went were pre-OSX apps are ran inside some kind of emulator. But that is easier for them because of the radical shift in architecture : older software rely on a such different API, that it had to be emulated anyway, throwing a sandbox in the mix was only an added bonus.
Microsoft could do it as easily, because, fundamentally, Vista is XP with a shiny interface and some DRM thrown in. It would have annoyed users : They used to ran perfectly well behaving software writen for NT-Kernel under XP and suddenly, under Vista which uses mostly the same internal structure they have to run the same software inside a sandbox.
Microsoft SHOULD have spent a lot of time planning well the transit
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. UAC is not SUDO
.NET, complete with its own security penetration API. :p
UAC is completely unrelated to sudo. It's an extension of the proxy privileged service scheme they've been using all along. It's not a bad model... it's much like what SafeTcl slave interpreters use... but it shouldn't be confused with "su", "setuid", or "sudo" in UNIX.
2. What they did wrong
Security is like sex, once you're penetrated you're ****ed. UAC, reduced privilege mode to run IE in, all the extra dialogs and warnings and security centers of the last ten years, they're all attempts to reduce the damage or pass the blame for the penetration on to the user. The solution is not to add more layers of annoying mitigation after IE, Outlook, and other applications that use the HTML control are inevitably penetrated. The solution is to redesign the HTML control so that it doesn't provide a security penetration API (the way ActiveX works in IE, that's what it comes down to) in the first place.
Instead, they present Silverlight, based on
Also, apart from that, Microsoft is a very visible and controversial company, so owning up to being part of it is fine (in my book). That gives you a chance to weigh that onto what he has written and evaluate it in that context.
Whether it belongs under every post is debatable, but the fact of the matter is that it is relevant in many cases where he talks about MS. Mods can use their points in any way they see fit. That's what Metamod is for - catching obvious abuse.
---
Sorry if the post is messy, I got 4 phone calls while I was typing this. It's as if my employer expects me to be working just because I'm present.
Contrary to what a few mindless Linux zealots will tell you, Windows NT has always been an isolating multi-user system. That is, multiple users are supported, and each user's data is protected from other users, as well as system data (all the stuff outside the users' home directories). Always. However, NT's backward compatibility wasn't so good at first, particularly with 16-bit programs. As as result, even though it was relatively stable and secure, it was pretty rare for quite a few years.
The admin problem really comes about with Windows 9x, which was released a couple years after Windows NT. Windows 9x is not an isolating multi-user system; in fact, it basically has "multi-user" capabilities strapped on to Windows 3.1. There's no file system or registry permissions, nor is there a distinction between admin and vanilla user. Windows 9x quickly became popular, as it had fairly good backward compatibility with DOS and Windows 3.1 programs, and was significantly better than Windows 3.1 in general (though nowhere near comparable to NT). So, developers everywhere started writing programs for Windows 9x. Most of these programs didn't need to run on NT (as it was a niche market for some 7 years after release), so they didn't. Dealing with limited access was more difficult, and programmers were lazy.
Consequently, by the time NT finally overthrew 9x (with Windows XP), you had a huge number of existing programs that assumed full access of the computer (for one particularly bad example, the Mechwarrior: 2 Mercenaries installer used CLI and STI for something or other - kernel mode instructions; this blew up very badly on NT, so I did some debugging). But much worse, you had an entire generation of programmers that didn't know how to work with limited user. And since most users were forced to run in admin so that they could run legacy programs in XP, the developers figured that they didn't need to learn, and the problem became self-perpetuating.
In conclusion, YES, developers are 100% to blame for the admin problem. Granted some of those developers are in MS, but in general I've found MS programs to work FAR better than third-party programs, with regard to requiring admin. I'm speaking as someone who has been running as limited user for several years and runs MS programs like Visual Studio and Office very frequently.
As a footnote, I really wish NT offered a service to allow programs to temporarily elevate their privileges (such as getting write access to their program directory) to install patches without requiring admin (once the service verifies that the patches are properly signed). Myself and a friend are considering making such a service ourselves, actually.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
I've been called an astroturfer before. Calling out who I work for helps prevent further such accusations.
No, but I used to work for Microsoft.
First off, I agree with the article's assessment that it is the developer's fault why UAC is required in the first part. Now, I know this is slashdot, and Micro$oft bashing is everyone's favorite past time here, but, I'm going to defend them for a moment. The reason why I say it's the developers fault is because for YEARS Microsoft has been publishing information on how application's should function to work in as "Limited Users" (aka non-Administrators), at least since the days of Windows 2000. Now, the problem is, most developers I know have never even heard of this! What is this magical mystical document I speak of? Well, it's the Microsoft Logo specifications, aka "Designed for Windows". This talks about all kinds of useful things including separation of user data from application resources; which from my experience is the primary reason why USER applications do not function as non-Administrators.
t a/getstartedcert.aspx?LangType=4105
9 29d-679a-4238-8c21-2dcc8ed1f35c/Windows%20Vista%20 Software%20Logo%20Spec%201.1.doc
Now, I also know that Microsoft themselves haven't followed their own rules, and some applications still require administrative rights (and some stupid design decisions such as IE's Code Store Database). Combine that with the fact that they have to support an existing installation base of applications that don't follow those practices and what else can they do? Ever tell have to tell a business user that they can't use their mission critical application anymore because it doesn't work with a proper security implementation? How about telling a Grandparent that have to go buy a new version of some application that they've been using for 10 years because it doesn't work on their new PC? UAC is Microsoft's bridge to go from the old way of everyone running as Admins to the way everyone else has been saying to run, as a "Limited User". It's either that or the proliferation of the fallacy that on Windows you must run as Root.
So, UAC sucks, but can anyone actually recommend a better solution that will work for the install base Windows has? I'm not talking about the "Windows has more users than Unix/Linux/Mac", I'm say that Windows user's and developers are DUMBER than Unix/Linux/Mac users/developers. Now, don't get me wrong, there are extemes on both sides of the fence, but if we looked at percentages, the percentage of dumb users and developers on the Windows side will probably far outweigh those on the other platforms. (Queue the "well switch stupid" comments. And I will, once the industry does as well, it's all about critical mass people.)
Here's some more information on the Vista Logo requirements:
http://microsoft.mrmpslc.com/InnovateOnWindowsVis
Here's the "Requirements for the Windows Vista Logo Program for Software document":
http://download.microsoft.com/download/8/e/4/8e4c