Microsoft Designed UAC to Annoy Users
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.
Mac OSX has prompts for authorization also. It doesn't bother me like Vista does. Why not? I didn't really catch it... until I realized that I could ignore the dialog box and get something done before allowing an update/reboot or whatever. Something that simple and the whole problem goes away!
It is an idiotic approach. Vista is the one being annoying... how could someone predict that end users would blame the applications and not the OS that's to blame? Not to mention the whole issue of purposely designing a UI to annoy paying customers, to pressure 3rd parties to change.
Bad idea all around if this was their intention at design.
I'll believe in corporations having personhood when Texas executes one... - advocate_one
It also puts the claim that Vista is "easier and faster" firmly in the BS category. Definitely not faster - and they designed it to be annoying.
Such arrogance; I wonder how much longer they'll be able to play this game...
mission uaccomplished!
It appears you are trying to make a snide comment.
[Cancel] [Allow]
I'd rather have someone respond than be modded up.
My son has a $600 HP laptop that is running Home Premium edition and SP1 (absolutely no problems). Kid figured out UAC completely. It really goes away after the first day or two. All you have to do is read the prompts and understand when and why you are prompted. UAC is awesome, makes my and my kid's laptops super secure and reliable.
I didn't expected [sic] that they would say something like that.
I find it amusing that that article compares UAC to Clint Eastwood. Ironically, I think UAC would actually be less annoying if it called me a 'punk'.
It Worked!
You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.
whatcouldpossiblygowrong
134340: I am not a number. I am a free planet!
I think there is going to be quite a bit of criticism of MS for this but basically you see UAC prompts where you would have to do a su or sudo to get the job done as a standard user in Linux/Unix. The reason you don't have to do those all the time in Linux is that the application writers do not write their apps to require constant root privilege escalations. There is one app that I couldn't get working properly in Fedora 8 without running it with a sudo - Nero Linux - and it annoyed me quite a bit.
MS needs to drag both its users and those who write windows applications along to the limited security model we all need each other to be using for the good of the internet. It was always going to be painful.
The one criticism that I have of the system/model in practice is the start menu - and that is all MS! I try to organize my start menu and I see several dialogs. I would be much more on-board with only one Cancel or Allow for an operation like that...
Well, I'm not surprised. The customer is not even on their priority list. They are like a drug cartel. First fix is free, from there they'll charge you as much as possible to use their product for the next one.
I'm not MS's biggest fan. But this isn't the worst strategy ever.
It's actually pretty logical that if you make running these retarded apps annoying, you can force the vendors to fix them.
But MS faces a big obstacle in that strategy--the fact that moving back to XP fixes the problem as well, from the user's perspective. And of course, the fact that doing so also makes today's computers 3x more responsive.
It's a shame... I would love a world where Vista caught on but UAC didn't have to pop up ever unless something truly administrator-ish were really going on. Then all my users could be Users.
This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.
It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."
This latter option would have been particularly useful during the beta phase.
After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.
What Microsoft did doesn't sound as if they seriously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.
"How to Do Nothing," kids activities, back in print!
Turning off UAC doesn't involve a UAC-mediated privilege elevation.
WTF? Even if UAC has the narrow goal of guarding against malware rather than a malicious user sitting at the console, doesn't this completely defeat the purpose?
(It seems that it does require a reboot, but that's hardly a barrier. Some piece of malware can just silently flip a registry key to turn off UAC, and then wait until the next time you reboot to finish 0wning you.)
It does make sense, when you think about it, since they've found step 2 and patented a frustration detection system.
I have to steal this comment from one of the posts from that story, but...
Step 1: Make frustration and annoying software
Step 2: Patent frustration detection system
Step 3: Profit.
than the banks blaming the customers and making them jump through hoops because the banks' own lame security practices. The banks and Microsoft, Apple, etc should be held responsible. The customers need to demand it.
What?
"Be light, stinging, insolent and melancholy"
Wow! Microsoft thinks of its users as pawns in a pissing match between them and developers? Why not? They think of them as pawns in their pissing match with the DOJ, their vendors, the conquest of the world... Fuck you, Microsoft!
This reminds me of the c:\program files\ as a default install folder. I think it started with Windows 95. I read somewhere, years after the launch, that it was specifically chosen to force programmers to handle long file names properly.
Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.
IMO, the UAC did not have to be as annoying as it is. All they needed was a "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
This is incorrect. The registry key in question is protected by permissions and by default requires you to be running as Administrator in order to make changes. If UAC is on, then to get a command prompt, regedit, etc running with Admin rights requires UAC approval somewhere along the line.
UAC is not about confirming specific actions like changing registry keys. It is about giving Windows permissions to use admin-level privileges. For example, once you allow a command prompt to run with your admin token, it can then launch admin-level tasks without any new prompts.
Microsoft added spaces in system directories to annoy users too I'm sure, and especially neglected to make links to network folders work with spaces and left it like that for the past 13 years, to ensure that you cannot copy and paste a spacy network path from Windows Explorer into Outlook and email it to someone else in the company. All that only to annoy their users...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Why not just tell the application vendors to "eliminate as many unnecessary privilege escalations as possible"? It would be an easier way to solve the problem, plus fewer people would hate their operating system.
Not true.
I can disable UAC using regedit, using msconfig, gpedit.msc, User Account applet. Each and every method raises a UAC consent prompt.
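The posts above argue over whether UAC can be silently switched off through its registry key and who can write that key. As an added example (not from any poster), this PowerShell audit reads the UAC policy values under the real `Policies\System` key, flags the weak settings, and lists which identities hold write access to the key; the "expected" values are assumptions matching Vista-era defaults, not something the thread states.

```powershell
# Added example: audit the UAC policy values this thread argues about.
# Reading the key needs no admin token; only writing it does.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props  = Get-ItemProperty -Path $uacKey

# EnableLUA 0 = UAC off entirely (the "flip a key and reboot" case above).
# ConsentPromptBehaviorAdmin 0 = elevate silently with no prompt at all;
#   2 = prompt for consent (Vista default), 5 = later Windows default.
# PromptOnSecureDesktop 0 = prompt drawn on the normal desktop, where other
#   windows can overlay or spoof it.
$checks = @(
    @{ Name = 'EnableLUA';                  Weak = { param($v) $v -eq 0 } }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Weak = { param($v) $v -eq 0 } }
    @{ Name = 'PromptOnSecureDesktop';      Weak = { param($v) $v -eq 0 } }
)

$findings = foreach ($c in $checks) {
    $actual = $props.($c.Name)
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $actual
        Status  = if ($null -eq $actual)       { 'MISSING (policy default applies)' }
                  elseif (& $c.Weak $actual)   { 'WEAK' }
                  else                         { 'OK' }
    }
}
$findings | Format-Table -AutoSize

# Who can actually change these values? The claim above is that only an
# elevated Administrator can; this shows the ACEs that grant write rights.
(Get-Acl -Path $uacKey).Access |
    Where-Object { $_.RegistryRights -match 'SetValue|WriteKey|FullControl' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Run it unelevated first: if the ACL table shows write rights for Users or Authenticated Users, the protection the post relies on is not in place on that machine.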
Microsoft is right. Most applications should never have administrator privileges, not even during installation. It's way past time to tighten the screws.
The basic idea's sound. The problem is that, given the implementation, users view the problem as being UAC and/or Vista, not the apps. After all, the apps work just fine if you turn those annoying dialogs off or go back to XP. If the users don't view the app as the cause of the problem, they won't pressure the app vendor to do anything about it. Idea fails.
I prefer the Unix approach. The OS doesn't pop up any dialog, or offer the user any choice. If an app does something it doesn't have privileges for, it gets an ENOPRIV returned from that call and isn't allowed to do that. How the app handles it from there is up to the app, but there's no easy way to make the errors go away at the system level (most modern Unixes are set up to make it inconvenient to log in or run programs as root, and only root can install a program setuid-root).
Microsoft Designed UAC to Annoy Slashdot Users.
There. All better.
Sig this!
Aha! They annoyed me so much that I actually switched to linux. /success
Most of the time, when people talk about bad coding practices in the context of UAC, they're talking about programs which assume that the user will be running as Administrator, and thus they stomp all over areas which should remain protected (both on the filesystem and in the registry.)
Aside from annoying users, UAC ostensibly exists to keep privilege escalation from occurring. If a program really needs the privileges, it can get them granted by the user. If it doesn't, the user can deny them. In practice, one has to question how effective this really is (does the user know when it's a program or a privilege escalation attempt?)
When the developers of shitty software that needs root just to run or to do something that shouldn't it annoys the end users who then in turn complain to their software company reps who then figures out a bunch of people hate how annoying their software is in vista and then they dictate to the developers to fix it, thus annoying the developers. /runonsentence
The teardrop attack was a DoS attack that exploited a TCP stack bug. It had nothing to do with local privilege escalation. Perhaps you should have "googled the rest of the details" before posting.
Aside from that, privilege escalation vulnerabilities have nothing to do with "good coding practices" mentioned by the parent poster.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Because it's much easier to sit on Slashdot and make up bullshit and lies about Microsoft because it's trendy to hate them.
If some blank paper is in the printer, and a program writes to it without authorization from the owner of the paper, the paper becomes unusable.
But do you have to enter your root password every time you print? I think not.
Visual IRC: Fast. Powerful. Free.
If you google teardrop attack you'll find that it has nothing to do w/ hacking Office or IE w/ trojans. Teardrop was a network-based attack that involved DoSing remote systems by sending malicious fragmented IP traffic.
As others have commented, you could not be more wrong about the teardrop attack. Teardrop worked by fragmenting a tcp packet such that when your tcp/ip stack reassembled it, it would buffer overflow and usually just crash the system.
I had LOTS of fun with this back in '96 - (pre-google) I'd search for sites using the "powered by backoffice" image, which made certain that it was vulnerable to this.
Once upon a time, application writers tried to make users do the right thing by making them confirm any significant operation. What it led to was users who just hit the "y" key automatically whenever they got a confirmation request. They stopped reading the message. It is unclear if Vista's system will produce a different result - either through the user confirming blindly or by the application dummying the signal. Either way, it ceases to have any real value.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
UAC is not a bad idea. True, they could have gone the gksudo way and allow a window of time before asking for permission again. And then they could ask for a password instead of getting people in the habit of clicking away past warning windows. But still, it's not a bad thing.
They also had to stop programs from storing settings and user stuff under the write-restricted "Program Files" folder.
Now, annoying users intentionally to exert pressure on software vendors is just twisted.
UNIX/Linux users may want to have a little thought about what things would be like without the SUID facility ('ping', anyone?), and, on the other hand, the security implications of SUID. I was shocked when I read the example at page 249 of the UNIX Haters' Handbook, which illustrates the problem of blindly trusting your PATH with a simple example in which you can trick your system administrator into providing you with a root shell binary. Tried it. It works.
Not that this has prevented me from ditching Windows Vista in favour of Ubuntu on my laptop (desktop to follow when Ubuntu 8.04 is released).
The state you are in while your HEAD is detached... - wait, what?
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Clearly, you don't have teenage children. It is not only normal common practice, but it is in fact essential to force them to follow all kinds of practices that you yourself do not follow.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Upgrade to Vista, Cancel or Allow. Cancel.
John
UAC is totally ineffective as it's one of the first things nearly everyone turns off because it's so damned annoying.
As much fun as it is to bash MS, they have some very difficult problems to deal with.
One reason for their success is that they never say: you need a certain version of glibc to run this app, or you need some outdated rpm chain of dependencies that conflict with the new version (may god have mercy on my karma.) If it's a Windows program it will run on Windows (sometimes.) I'd say 90% of the badness and kludginess of Windows is because of their desire to not break apps that people have been running since the 3.1/95 days.
With the kind of resources they have they should be doing a much better job, but I think anyone who's tried to provide backward compatibility in software even in trivial cases will agree that it quickly becomes an unmanageable clusterfuck.
... also, I can kill you with my brain.
The best thing you can do as a user to ensure your user experience is good and will remain good?
Run as a standard user, on Vista and beyond.
Vista has done a lot to boost that demographic, but unless users start to realize that Vista has nearly equalized the Administrator and Standard User scenarios, and start running as standard users, developers will find a new way to screw it up for standard users.
Key mistakes developers make:
'de-elevate' - the right way to do this is to keep a parent executable around, relative to the one from which you wish to 'de-elevate'. That parent executable itself may or may not have been 'elevated'.
'HKCR' - HKCR is there for compatibility with win16. Stop using it already.
Interacting with the virtualstore - unless you are writing a module specifically designed to perform a one-time migration to address a virtualization issue with an older revision of your app, there's no reason to do this explicitly.
Interacting with the virtualstore from an 'elevated' app - wrong from conception. In UAC, if you elevate, you elevate to potentially another user entirely, and virtual stores are per-user. Ergo, this is never right.
'it's just a prompt'. It's not just a prompt. It's a stressed person running as a standard user in an enterprise who has to go ask help-desk to answer the UAC prompt.
I have been asked and wondering why Microsoft has such a bad track record in security and user access control especially since recent Windows have been built on NT which comes from OS/2 and VMX. According to me it's fairly simple: group permissions. Look at a default Linux/Unix-style installation, you have about 20 groups to start out with. If you're a desktop user, usually you're a member of audio, video, games, cdrom and user. On a Windows machine you're either a User or an Administrator. The way the Linux kernel and its modules are built, if you need direct access to hardware, you can either be root (not good) or you can access it through its /dev entry which has group permissions.
So if you want to play music, you can access the hardware (albeit through a kernel module) by making yourself member of the group audio. In Windows however, if you need direct access, you can either use DirectX or a process (daemon) or become an Administrator so you can get to the kernel. There is no group Audio that has only access to the Audio-part of the kernel. As soon as you need direct access for real-time anything, you can't really add yourself to any group to do so.
This of course goes way back before desktops were running NT versions (like 2000 or XP). Before, Windows was running on top of DOS, developers could just code directly into the hardware (just load dos4gw), there is no access control in DOS. DOS was also not meant to be running any services or be connected to a network, that's where the whole thing with viruses got started, anything that was running could simply request a hook into the BIOS, under the hood, protected memory was regulated with emm386 while Windows 95-ME all used the faster, less secure himem.sys. Microsoft merged together the NT and DOS and made it into 2000 and XP. There were no extra permissions added for desktop users, the pure server model was coded around to allow for desktop speed and real-time access to hardware, never giving any thought that actually running all services that hook into hardware as Administrator would give problems.
Custom electronics and digital signage for your business: www.evcircuits.com
What could possibly go wrong. We sit in our offices all day, but we know how people think.
Well, I guess they really blue that one.
"Our opponent is an alien starship packed with atomic bombs. We have a protractor."
The parent is incorrect (as has been pointed out by other posters).
100% agree with JustNiz...the first thing I tell anyone is to turn UAC off...we survived in all previous distros of Windows w\o it...I'm pretty sure we will continue to be ok...and for those who always f their computer up they will continue to do so whether UAC is on or not.
FYI run a muck is wrong. There is no muck. It's run amok.
"If a program really needs the privileges, it can get them granted by the user [...] one has to question how effective this really is"
As with *nix the user can only escalate to their own level of access, if they don't have admin rights they can't hand them out. If this is effective in *nix to stop random users running as root (and it is) then it should also be just as effective in Windows.
It's fine to blame "windows programmers" for the pop-ups that plague Vista but in my experience (20yrs) most professional developers are also "*nix programmers". Conditional compilation and a lot more testing is the price one pays for supporting a diverse range of O/S's.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Snide Schwab has a different thought: Microsoft's legal department foresaw the day when the license "agreement" would be revealed for the fiction it always has been, and the clause disclaiming liability for product faults would be held invalid.
Windows "security" has been laughable since forever, and Microsoft's perennial incompetence in this regard is directly responsible for the millions of compromised computers all over the world spewing spam and attacking servers. It is entirely probable that, if the right lawsuit came along, Microsoft could be held liable for their long-standing incompetence -- unless they could claim they did something about it.
Enter UAC. "There. We did something about it. If the users disable it, or make bad decisions, well, we can't do anything about that." It obviously was the most childish, petulant "solution" that could be conceived to the problem, but that didn't matter, because it was never intended to actually solve the problem. It was supposed to be there to show to a judge that Microsoft wasn't negligent, and therefore not liable.
This is all, of course, entirely speculation on my part...
Schwab
Editor, A1-AAA AmeriCaptions
I don't know about that. Personally I didn't start hating them until I migrated to the IBM PC in the early 80's. Before that they were just another software vendor.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
I think you underestimate the depth of feeling that Microsoft has engendered in much of the technical community.
If you're a company that makes a product that the majority use, your customers don't just start to hate you, it's something you have to work at for years. It's our nature to become emotionally attached to something that's such a big part of our lives, and the fact that Microsoft has squandered such an opportunity for loyalty and created ill-feelings instead is something that future generations of business students and corporate psychologists will study for centuries to come.
You are welcome on my lawn.
What they didn't anticipate though, is people screening out the warnings. Yes, it's important for you, the developer. No, it's not important for the user, who only wants to Get Stuff Done (tm).
If the same yes/no question pops up every 10 minutes, don't expect a different answer when it says "Do you want to install spyware, adware, a couple of trojans, and [whatever they actually wanted to install]?".
Remember, users don't read. Not because they're incapable, they have more important things to do.
The amount of times UAC prompts me is not when running other applications, but pieces that ship as part of Vista. I want to turn off wireless to preserve power, or go on a plane. Prompt. I want to copy a file. Prompt. I want to do anything of any real use. Prompt.
As for changing the "was" to "is", anyone notice that Office 2007 isn't completely Vista compatible? Anyone notice that Microsoft Hardware was really slow on coming out with drivers for Vista? Due to the class action lawsuit we now know why. They are not eating what they are offering and as a programmer I'm leery of implementing Microsoft's latest fad, just for them to deprecate it again. From their security record in Vista so far it's obvious that these things aren't a thing of the past. Heck, UAC being annoying is proof enough that they don't really care about security, because it doesn't take a genius to figure out that if you are having to click something all the time, you are going to stop reading it, completely defeating the point of the prompt in the first place and in the process making Vista less secure than XP. Not to even mention their creative accounting on how many security problems have actually been found in Vista, they only count what they've publicly disclosed.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Our critics say that we can do nothing right! This show show them! lol
http://fakesteveballmer.mypodcast.com/index.html
They chose a great comedian to deliver that line!
...why I'm typing this on Firefox in Mandriva.
Duh! That was so 90's.
There, fixed it for you.
In fact, now I come to think of it, Microsoft designed all of Windows to annoy users. I use it and man, I'm annoyed as hell right now.
Once I was a four stone apology. Now I am two separate gorillas.
HP driver annoyances (their shitty home(/SMB) devices are notorious for this and end up even in larger setups because of ignorant buyers) can usually be quite easily fixed by searching the registry by device name or ID and giving the Users group more control over those subtrees. Be aware of security considerations and give only the minimal level of extra rights that are necessary.
Msconfig is your friend when disabling unneeded startup items. I especially loathe the auto-updaters that get installed by default if you don't know specific installer parameters. Sun Java is a class A example of that crap, it informs limited users about updates and recommends them to upgrade - only halfway through it throws an error message.
My UID is prime. Hah!
I think that Microsoft first have to learn to avoid pissing users off and then design a system from that.
I agree that there are far too many cases where administrator access is required, and that those cases must be dealt with, but this is the wrong way. The basic design of Windows also makes it very hard for a user/program to quickly request and escalate privilege rights. You have the "Run As..." functionality, but that's not really useful since users normally don't have a secondary account.
In effect - they have made a historical error. If they had been more competent and compared their notes with functionality of other operating systems they would have understood that there are options and methods to improve the security.
In comparing with other operating systems I not only refer to *NIX as is but also features provided by MLS *NIXes and OpenVMS. Uses of ACLs or similar, privilege flags as in OpenVMS (which allows for an account to have potential for admin rights but not have it right away and is changed with the "SET PROC/PRIV=..." command). Of course it should be designed differently. And that even as an administrator it would be necessary to escalate privileges. This latest feature would have been a good reminder for those writing stupid accesses to really optimize their requirements. And if a software was to require privileges when executed that should be a feature that had to be enabled at installation of the software and not during runtime.
And then there are some programs that are REALLY stupid - they need to be installed as the user "Administrator". That's really annoying.
Remember that users are really stupid when using your program, but allow functionality to inform the advanced users to be informed about what has gone wrong. Don't be afraid of detailed application dumps - if they are verbose they can actually tell a developer a lot - and even a system administrator may be able to pick up what's wrong. A message like "Insufficient Access" and no more information is likely to piss people off. A binary hex dump that only could be interpreted by a secret program is likewise. Sometimes I miss the several pages of symbolic stack dumps that may happen on the OpenVMS system if something was going out the window... The *NIX core files are also very useful. Both have their share of lack of information but usually you get the general idea about what was wrong. The windows way of doing it is to just provide the user with a message stating that something went wrong and that it was an illegal operation, but not the history behind it like a human readable stack dump.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Microsoft sometimes has good ideas but rarely implements them consistently.
To this day I find the programs that save their data in their directory the best, I just Xcopy them when I move my computers. It's always a fight to find where programs save their info, is it \documents and settings\localdata and appdata right away? How about in all users\appdata instead? Or maybe in my registry... friggin stupid and now MS punishes devs to have the data in the program folder with UAC.
And please don't accuse anyone on slashdot of being trendy.
Professor Karmadillo Songs of Science
I don't get it really. Microsoft's software is so pervasive and I've spent ages using Windows, writing Windows applications and drivers, even if I mostly do embedded code.
I've used lots of other OSs too, and I really don't see what's so bad about Microsoft. Even their aggressive businesses are quite useful since I know if I knock up quick Windows application with Visual C++ I can reach 90% of the market. You can do pretty much anything you want in userland with Win32 and in kernel mode with WDM. Basically their stuff works fine for me. I don't know why other technical people have such problems with it.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Because even if it works 'fine' for you, there is a better option out there, and by using windows, you are forced to pay, and are locked in. I don't know about everyone else, but I have a problem with the fact everyone in the world is paying for something which is worse than something they could get for free (and if everyone did run it, it'd become better in every way overnight (hardware manufacturers making drivers, etc...).
-- Lattyware (www.lattyware.co.uk)
The alternative is people will just turn off UAC altogether. I'm sorry but I would hit those stupid warnings 20 or 30 times a day. In the absence of a way to train the system, I prefer to disable it altogether.
I tried for months to get Windows NT4 to operate as a webserver and a DNS server with an uptime > 2-3 days. Couldn't do it with a (then pretty decent) Pentium-100 with 32 MB of RAM.
Then, a year or two later, I discovered Linux, and tried it out on an old junker AM486/100. With 16 MB of ram, and a 500 MB HDD, and X-Windows/KDE 1.x running on the super-long VLB video card, it managed to host a web server, a DNS server, telnetd, ntpd, postgres, php, AND ssh reliably, 24x7 for MONTHS before I learned enough of what's going on to see that it was actually doing all that!
That was RedHat 5.1. It's what sold me on Linux, because, for all its many warts, it actually did the job reliably. And now, some 9 years later, it's still "doing it" (Now CentOS 4) and I'm still loving it, 24x7!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
If UAC dialogs are annoying and unnecessary, they're really just behaving like other Windows alerts. There's a whole mentality on the platform for being irritating and bothering users with pointless information.
Still, this was a new class of alert, to be taken seriously. Microsoft had a chance to break with "tradition" and put real thought into what would make a useful dialog, such as (only) information critical for making a good decision and prompting no more than necessary. But instead, we have self-congratulatory "aren't you glad we're looking out for your computer" text, a lot of color, and "abcapqyt.exe" as the only thing distinguishing one UAC dialog from the next. The dialogs therefore essentially read as "You have no idea WTF is running. [OK]" to most people.
I compare this to legalese. Microsoft is taking the "throw 400 pages of crap in the user's face, make them entirely responsible for understanding the ramifications, if they click OK they're responsible" approach to security. When I see legal documents, I *really* appreciate companies who go to the effort to "humanize" what they present. In about a paragraph of extremely readable English, they say hey, this is what we're talking about here, and this is why we have this agreement. Why *couldn't* UAC dialogs do the security equivalent of this deciphering for users, so "abcapqyt.exe" is not my only clue?
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
This "laptop" also booted to OS/2, which could run X11 as a separate GUI simultaneously with the Win3.1 and OS/2 GUIs and a bunch of virtual DOS machines. One of the DOS VMs often ran the GEM GUI because I used GEM Draw quite a lot in those days. It also had OS/2's NFS client+server. Four different GUIs with multitasked applications and daemons, all snappy enough in 14MB RAM with a 100MB disk.
Bloat Sucks. Windows seems always to have had more of it than the alternatives.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
*nix can allow normal users to escalate privileges using sudo. UAC is basically a poor re-implementation of sudo.
In Vista you can stop users from escalating privileges by not making them a member of the administrators group, which is much the same as not making them a member of the wheel group in *nix. In this case, Vista will ask for a username/password of an administrator group member before it will "allow".
Well, this Microsoft system is better than nothing. At least I've seen on some forum a while ago (read: not true) that some user got a prompt like "Are you sure you want to run trojan.exe?" and so the malware was eventually caught and disabled.
A far better solution would be to require the sw vendors to obey the security model to get the Windows approval stamp...
and hunt any vendor down if they put an approval mark without obeying the security model.
UAC is annoying people into uninstalling Vista and switching to Linux and OS X. So, it's working: UAC really is improving PC security.
For the next release, however, maybe Microsoft should be more straightforward and simply boot into a display that says "please go to www.ubuntu.com to upgrade your OS and applications".
It should. Because I clearly remember that (after having amusedly stared at the 3/4 screenfuls of possible privileges that could be given to your process (and wondering: which are the right ones?), everybody used to type:is changed with the "SET PROC/PRIV=..." command). Of course it should be designed differently.
SET PROC/PRIV=ALL
Instant root.
alf
Yet more hidden costs for software developers. The added burden of support staff, development etc...
Now is the time to move your product to OSX or Linux.
Microsoft would be better off doing what Apple did, obsoleting the old system and redesigning from scratch. Run old Windows apps under a VM or something.
UAC is actually very bad from a security viewpoint. By annoying users more than necessary (more later), all it does is make most users turn UAC off.
From a cynical POV, I think all UAC is for is to allow Microsoft to blame users for security problems (ah you turned UAC off - so it's YOUR fault).
If Microsoft was really interested in security they would have done more and better sandboxing of applications.
My suggestion is to have a manageable number of default templates for sandboxing applications. If the app is unsigned by a user-trusted entity, the user gets a pop up which tells the user what type of sandbox the application wants to run in.
It would be far easier to train Joe Schmoe to not run a "flash game" which asks for "Full User Privileges" or even "Full System Privileges" (with all the scary warnings etc) and to only run a "flash game" that asks for a "Guest Game" sandbox. After all there is no need for most legitimate flash games to access "My Documents" or your web browser bookmarks, or even your microphone/webcam.
The idea is even if a program wanted to do something nasty, if it is running in a sandbox, it can't, and if a program requests an unusual sandbox so that it can do something nasty, it is easier for a user to know something strange is going on.
This would also be a lot less work than UAC. Don't need to make 10 decisions one after another when you run the app.
There could be custom sandbox templates that are validated and signed by a mutually trusted authority. So that new apps that require fancy privileges can run in fancy sandboxes without annoying prompts that bother Joe Schmoe.
As for Linux and OSX, they aren't really more secure than Windows, with both these OSes if Joe Schmoe is about to run something new, he doesn't even know what the program is really going to do till he runs it. It is like expecting Joe Schmoe to solve the halting problem and without him being able to read the source code either - "Is this program going to halt, or is it going to take over my computer?". So my suggestions are just as applicable to them.
So? They want a prize for creating something that works as planned?
In some respects, this is a good design. There is a clear separation of policy and mechanism, for example. The kernel provides the mechanism for elevating privilege and sudo provides the policy. The down side is that sudo violates the principle of minimum privilege - in order to be able to switch between two very low-privileged users you need to go via a highly-privileged user (root), and a few privilege escalation vulnerabilities in sudo have shown that this is a slight problem.
I am TheRaven on Soylent News
The real WTF is that so much Linux and UNIX software still requires root permission and mucking around with system directories.
Hal,
You're right. I use Windows XP every day of my life and it's a very good product.
I want to like Microsoft, really I do. I was so happy with XP in fact, that I tried Windows Vista when it came out and I got ripped off for a few hundred bucks because it was so awful I had to remove it from my new computer and go buy another copy of XP. In fact, I wish I could recoup some of my losses by selling my Vista to another sucker, but Microsoft won't let me do that.
My dad bought Chevrolets every 4 years for all his adult life. Was it any better than a Ford or Chrysler? How could Microsoft have squandered the possibility for brand loyalty the way they have?
Now, they only stay alive by sheer force of size.
You are welcome on my lawn.
Better for what though? Ever tried playing your latest and greatest FPS on Linux? or a Mac for that matter? You probably had to shell out for an X-Box to play them on, making you a MS whore like everyone else.
In the end it just doesn't matter what OS you use as long as it works for you. The OS is a means to an end, not an end in itself. You can't make people use linux anymore than you can make them worship your favourite god.
The trouble with the OS community these days is that there is too much teen angst around, with extra helpings of spoiltness. "Why should we have to pay for anything? We're entitled to everything for free! Wah!". How much have you contributed to the kernel? How many mouths do you have to feed? Out here in the real world you need money to pay for goods and services. Like food and rent. Free software is great, but except in certain circumstances (i.e. where every user is highly technical) it's always going to play second fiddle to paid for software, simply because people need to make a living. Almost all the OS software out there that is dominant in its market (apache, GNU, etc) was coded largely by academics who didn't need to worry where the next pay cheque came from (or in the case of ubuntu, multi-millionaires who also don't need to worry about putting food on the table). Everyone who tries to make a mainstream linux distro is going to have to make money out of it at some point as they have to pay people to maintain it (cf Redhat). It remains to be seen how ubuntu is going to fund itself in the long run. They're being very secretive but presumably Canonical, as it has no source of income (who's paying for ubuntu user support?), is being funded entirely out of Shuttleworth's pocket. Anyway, enough ranting. Open your mind.
LOL don't any of you DARE start trying to bag people's coding skills just because they write windows programs.... I could almost pick OSS projects at random and give you examples of horrible coding. you don't want to start that argument believe me.
If you mod me down, I will become more powerful than you can imagine....
Windows XP has a feature called the Limited Account. The problem with it is that it's a bit flaky. The "Run As" option works fine. All Microsoft had to do was improve on Limited Accounts by making them more flexible. Instead they went berserk and created a whole new security feature that wasn't necessary and that's what annoys people.
What you mention is exactly what is desired.
UAC nags you for every little piece of rubbish. 99.999% of those requests are ok. Well, not ok, if programmers would not require godmode for every stupid little setup change... but they're not harmful. It's the other 0.001% that matter.
Now, the average user turns off UAC. For a simple reason: Imagine some tool you don't know much besides operating it asks you "The futzgrabber in the argamajig wants to mirfl. Cancel or allow?" What do you do? After some trial and error, you learn that the thing does what you want when you click allow. You start wondering why the heck you have to click allow. And the next logical step is to turn the pointless thing off altogether.
And here's where the tool works as designed. Because if you get infected, MS can just shrug and say "Hey, we gave you the tool to avoid it. See, UAC would have told you this wants to do something bad, but you turned UAC off. Your fault."
Instead of finding a way to give the user a secure system, MS just shifted the blame. You can't blame Windows anymore if you get infected. It has a tool that would have told you you're going to get infected, but you turned it off. Shift the blame for the infection to the user, away from the system. That's all UAC is about.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Where is the "defectivebydesign" tag when you need it?
And why would M$ have to go through its users to get software developers to do what it wants? Also, isn't it a flaw in the OS when there is any need for permissions whatsoever? There should be a set of low-level permissions available for software. Everything else (root access level) should be restricted, only used when absolutely essential.
I also recall having software installed that needed M$ dot net in order to function. But that dot net stuff for some reason needed all kinds of special permissions and even resulted in a new user account being created just for that. So isn't this a case of the pot calling the kettle black?
Clippy: I see you are getting fed up with all these dialogs. Would you like to: a) call up the software developers to complain about this or b) just keep plodding along and force M$ to actually work on this?
The biggest privilege level violation problem in Windows is the fact that there's even a mechanism to allow privilege elevation in the HTML control.
If Microsoft wants to eliminate privilege elevation, they need to start by scrapping ActiveX.
Well, let's make your two outputs equivalent first --- the BBCode example does not contain the link to evanbd's page (it simply prepends "evanbd said"), whereas your HTML example does, and your BBCode example includes evanbd's quote within the quote itself, not outside of it like your HTML example does. Furthermore, you don't need to embed a new paragraph within a blockquote. So really, the markups should be:
<blockquote>evanbd said:<br />It's a web site. You use HTML.</blockquote>
vs.
[quote=evanbd]It's a web site. You use HTML.[/quote]
The fixed HTML produces the following output:
I threw in the <br /> for some visual similarity, but it's certainly not necessary. As you can see, the differences are fairly minimal.
Try clicking the small link to the "old form" --- the tags are still there.
Just like Apple, Microsoft should be smart for the following version of Windows. If they want to break with previous versions anyway, they should just pick an existing *nix foundation and write their own GUI on top of that. It would really make the world much better IMHO.
What about designing an OS that's really secure in the first place instead of implementing this poor system?
It's fine to blame "windows programmers" for the pop-ups that plague vista but in my experience (20yrs) most professional developers are also "*nix programmers". Conditional compilation and a lot more testing is the price one pays for supporting a diverse range of OSes.
And still it doesn't help. Doom 3, available for both Windows and Linux, ostensibly needs to run as Administrator in Windows.
Why does it need to run as Administrator ? Simply because it attempts to write to a config file located in the %PROGRAMFILES%\Doom 3 directory. Make that one file (which shouldn't even be there in the first place) r/w and Doom 3 works fine from a regular user account.
Since they can't figure out how to actually do a good job at locking down the system, they've decided it's a good idea to put spike-strips all over the place to slow down those running around. And they want the user to help do the work of clearing the spike-strips.
I can't wait until someone figures out how to automate the "ok" clicking of any and all UAC dialogs.
This is just going to further desensitize Windows users to informational dialog boxes. Most noob Windows users I've seen just click OK without reading what the box says. They already don't understand 90% of what they are doing so clicking OK seems to make them feel like they are doing the right thing.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
MSKB 260151 has details. I particularly like this gem from that KB article: Microsoft Photo Editor is a minor auxiliary application that does not meet the requirements of the Windows 2000 Logo compliant program. Core Microsoft Office applications do not depend on this application for their functionality. In other words, Office fails the Windows 2000 Logo requirements, but Microsoft gave it approval anyway. One nice thing about being the one making the rules is that one can also make your own exceptions.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
The UAC API is a horrible piece of junk. Here's what happened one day when I tried writing a Vista sudo for Cygwin, once upon a time...
Backstory first:
I was used to running Cygwin on XP, which I like very much (and think is a great combination for getting stuff done). When I got a laptop with Vista, I found that a lot of the GNU tools on Cygwin simply wouldn't work if UAC was on; they simply returned an error, something like, "Permission denied." I wouldn't have minded if the programs had triggered a UAC elevation; I'd have seen that as akin to sudo. But instead, they just flat-out failed.
It seems that programs on Vista do not automatically raise UAC when they attempt to do something that requires elevated privileges. So I asked, "Can I make a program -- I'll call it 'sudo' -- that triggers UAC and then runs another program with the elevated privileges?"
It turns out that the answer is "not really." (I know scripts exist that people call 'sudo for Vista,' but they don't do quite what I wanted; I'll get to that in a second). (EDIT: it may actually be possible, through a somewhat convoluted process involving a number of different EXEs and DLLs with appropriate manifests. I'll get to that at the end. But it's certainly not something provided in any sane way by the API.)
The best way to explain my goals for a Cygwin 'sudo' is with a simple example:
Suppose I attempted the following:
cd /cygdrive/c/Program\ Files/ # Some protected directory
mv a.txt b.txt
Error: Permission Denied
I would want to be able to instead do,
cd /cygdrive/c/Program\ Files/ # Some protected directory
sudo mv a.txt b.txt
#***Vista UAC Prompt pops up; I click OK.***
# (file has been successfully moved)
This seems useful, no? It would be a way to keep UAC, yet also use the commandline tools it currently cripples.
Now, as I mentioned before, there do exist various scripts calling themselves 'sudo for Vista,' but none of them really achieve the above. Here's why: Rather than running mv in the same terminal, they pop up another terminal on top running mv. This sort of does what you want, but not quite -- and subtly breaks a lot of things: For a simple-if-not-compelling example, it's impossible with this scheme to run one program with "sudo" and pipe its output to an un-elevated program (one run without sudo).
At the heart of the problem is the fact that, at the end of the day, there is only one nice way to get UAC out of Vista, and it is a most inflexible one: The ShellExecuteEx() function -- essentially, this is what gets called when you double-click on something in Explorer.
That's a slight oversimplification: There are some other obnoxious hoops you can jump through to get UAC [changing manifests (What's up with that? Tell me how to do that with gcc.), some COM garbage, or simply -- and this is a little silly -- including the word 'setup' or 'install' in your executable's filename], but as far as I could tell they all take you to roughly the same place.
(EDIT: It turns out that there might be just enough wiggle-room to get slightly different results from these different approaches.)
Eventually, frustrated, I gave up.
My conclusion was that the Vista UAC API was a horrible piece of garbage, as this sort of thing is not terribly difficult to achieve on Linux.
EDIT: It seems that, since that day, someone else may have succeeded where I failed. I'll need to try out his solution myself before I can be completely sure that it's what I want, but what I see looks very good. If so, then the author -- Thomas Hruska -- deserves kudos for figuring out a very clever workaround. But I think the very fact that such a workaround is necessary at all merely reinforces my original point that the UAC API is a steaming mess.
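As an added illustration of the limitation described above (not the poster's code, nor any existing "sudo for Vista" script), here is a minimal PowerShell wrapper that triggers the consent prompt the only API-sanctioned way, through the "runas" shell verb, and therefore has to relay the elevated child's output through a temp file because the elevated process runs in a separate console. The function names Invoke-Sudo and Test-IsElevated are assumptions of this example, and the command being elevated (for instance Cygwin's mv) must be on the PATH of the elevated session too.

```powershell
function Test-IsElevated {
    # True only when the process token actually carries the Administrators
    # group with elevation applied; an admin's filtered (unelevated) UAC token
    # fails this test, which is exactly the case the wrapper must handle.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Sudo {
    # Hypothetical name chosen for this example.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Command,
        [Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments = @()
    )

    if (Test-IsElevated) {
        # Already elevated: run in this console so output flows into the
        # caller's pipeline like any other command.
        & $Command @Arguments
        return
    }

    # Not elevated. The "runas" verb (ShellExecuteEx underneath) always spawns
    # a *separate* elevated process, so the parent cannot attach to its stdout.
    $outFile  = [IO.Path]::GetTempFileName()
    $exitFile = [IO.Path]::GetTempFileName()

    # Script for the elevated child: run the command, merge stderr into stdout,
    # spool everything to the temp file, and record the native exit code.
    $quotedCmd  = "'" + ($Command -replace "'", "''") + "'"
    $quotedArgs = ($Arguments | ForEach-Object { "'" + ($_ -replace "'", "''") + "'" }) -join ' '
    $childScript = @"
& $quotedCmd $quotedArgs 2>&1 | Out-File -FilePath '$outFile' -Encoding UTF8
Set-Content -Path '$exitFile' -Value `$LASTEXITCODE
"@
    # -EncodedCommand is the documented way to hand a script containing quotes
    # to a new powershell.exe without fighting the Win32 command-line parser.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))

    try {
        $null = Start-Process -FilePath 'powershell.exe' `
            -ArgumentList @('-NoProfile', '-EncodedCommand', $encoded) `
            -Verb RunAs -Wait -PassThru
    }
    catch {
        # Start-Process throws when the user clicks Cancel on the UAC prompt
        # (or elevation is refused by policy); clean up and report it.
        Remove-Item $outFile, $exitFile -ErrorAction SilentlyContinue
        throw "Elevation was refused: $($_.Exception.Message)"
    }

    # Replay the child's output into *this* pipeline. That is what lets
    #   Invoke-Sudo mv a.txt b.txt | Select-String 'error'
    # work even though mv itself ran in another, elevated process.
    Get-Content -Path $outFile
    $childExit = Get-Content -Path $exitFile
    Remove-Item $outFile, $exitFile -ErrorAction SilentlyContinue

    # Propagate the child's exit status so callers can still test $LASTEXITCODE.
    if ($childExit -and [int]$childExit -ne 0) {
        $global:LASTEXITCODE = [int]$childExit
    }
}

# Example use from an unelevated prompt (pops one UAC consent dialog):
#   Invoke-Sudo mv 'C:\Program Files\Example\a.txt' 'C:\Program Files\Example\b.txt'
```

Output is only available after the elevated child exits, so interactive commands and streaming pipelines still do not work, which is the residual gap the post is complaining about.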
UAC does seem to allow for some sudo-like functionality with UAC. If an unprivileged account tries to do something, they get prompted for credentials (username/password). An admin can then elevate that operation to a privileged account, without having to explicitly start a separate session with RUNAS. Too bad that's not available in XP, because I'm not moving to Vista any time soon.
Mark Russinovich, of SysInternals fame, wrote a really good article on how UAC actually works internally. Recommended for those interested. "Inside Windows Vista User Account Control", TechNet.
As far as the user experience goes, I liken it to the way Ubuntu does things: The account you use for normal operations prompts you before performing system actions. They're just implemented totally different. In Ubuntu, you run with a regular *nix user account, and it uses sudo-to-root for the system actions. The root account is nominally not used for interactive logon.
I find the *nix method cleaner. But then, Microsoft is trying to provide backwards compatibility. I might be willing to buy that as an excuse, except for the fact that Vista broke so much other stuff. Clearly, backwards compatibility is only sometimes important to Microsoft.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Now it annoys me by warning that I turned it off.
But that's far less annoying than pissing me off every time I try to do something. I also turned off the special effects and Windows Defender. I XP-ified my new laptop as much as possible and it makes Vista usable. It's a lot slower in acquiring a wifi connection than XP.
"You'll get nothing, and you'll like it!"
for yet another demonstration of just how backwards your logic really is
Let's compare. In HTML:
And in BBCode:
It saves you a grand total of three characters. It is arguably more intuitive, at the expense of meaning that someone coming from BBCode won't necessarily understand HTML -- and HTML is actually a web standard. And the fact that every forum seems to use its own markup makes it even worse.
You know what I think? I think BBCode was invented because at some point, someone found it easier to create a parser of something entirely different (and escape out anything HTML-ish) than to simply enforce a subset of HTML. The fact that the second link from Google (after Wikipedia) on a search for bbcode takes me to phpbb is kind of a dead giveaway that it was some lazy PHP coding.
Besides, there are even simpler syntaxes out there, if ease of use or ease of typing was the goal. There's WYSIWYG editors for HTML, there's Markdown, Haml, and more. If I wanted to save people from the horrible complexity of HTML, bbcode would be about dead last on my list.
Don't thank God, thank a doctor!
So were you just making up random words in the hope of sounding informed? Or did you just get a little confused.
The teardrop attack has absolutely nothing to do with what you're talking about.
I think what you were probably trying to reference was a Shatter Attack.
Even this wasn't quite as simple or prevalent as you describe. And the whole class of attacks of which the Shatter Attack was one is eliminated in Vista by core changes to the windowing system.
Please make sure you're fully educated and knowledgeable about a subject before coming in here and spouting off as if you know what you were talking about.
You got me there... well said.
By the same token, given that some of the older virus hits still work in XP, with minor updates, even though there was an "architecture change", leads me to wonder if a slight modification to such a virus would not make it "vista compatible"? Hell, Sub7 still works today. That's either a technical feat on the part of the sub7 crowd, or it is a total and dismal failure of the windows people to keep up with vulns, especially the kind that would be critical if implemented by a hostile individual in a critical IT environment (banking, military, research, hospitals, etc?).
If anything, I recall that MS has a tendency to not even really fix things when their customers are hurting... there's a reason I gave up on IT work. I valued my sanity. That and I don't like lying to customers that their problem is someone else's fault. It's their fault for buying products aimed at the lowest common denominator of user ability and intelligence.
At this point I don't have to worry anymore and use some bullshit excuse like "it's those evil virus writers' fault" or "Microsoft will fix it soon"... or "you probably weren't up to date on patches".
The main flaws of Windows are that they were operating systems marketed to the lowest common denominator in intellect, and fairly high end hardware that was affordable at the time. If it had not been for the gaming and hardware geeks (think the last generation of hardware overclockers, back when dip switches on boards were still common), and for the hard core gamers, I'm willing to believe that the hardware race would never have taken off like it did.
Frankly I may well have forgotten what the attack was called, per se, you may be right and so might that wiki entry you pointed to. All I know is that walking away from windows IT has done wonders for my sanity. Lying to customers as a company policy is definitely not the way I prefer to do business, but working for someone else ends up costing dearly when the company line is "windows is good, and you need it". For office work, windows is a joke. For gaming, sure, it's great... but gaming is the only reason I would even consider still using windows. Other than gaming, I have no reason to touch it, not even with a ten foot pole. Your mileage, however, may vary.
" What luck for rulers that men do not think" - Adolf Hitler
you are coming to a sad realisation - cancel or allow?
.. paranoid crackpot leftover from the days of Amiga.
Shift the blame for the infection to the user, away from the system. That's all UAC is about.
Yes, and once everybody declares Vista too difficult to use and administer, Microsoft will have an alternative for you.
Since I wrote that essay last year, Office Live has become real(-ish).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
But people aren't paying for something they could get 'for free'. Windows is a very different thing to Linux. Go read The Old New Thing for why in detail. Raymond Chen describes a mindset - that new releases of the OS should support old software even if it is buggy, that software interfaces are contracts that should not be broken, and that software designers should make choices for their users rather that presenting them with a load of questions they cannot possibly answer. That's completely missing in the 'free software' world. I've installed Linux a couple of times, fiddled around for a couple of weeks until all the bits of my PC more or less work. But they never work as well as they did in Windows. Eventually I end up nuking it and reinstalling Windows because the Linux 'equivalent' of some Windows applications I use all the time is completely amateurish and user hostile.
And they are not paying very much. Suppose I buy a laptop for $1500. It comes with a copy of Windows which costs say $50 to the PC vendor (I read an article somewhere that estimated the cost of Windows to Dell was $50). But the PC vendor will install a load of trialware on it that I need to uninstall. My guess is that they get paid a kickback for doing that because a percentage of people will buy it at the end of the trial. So the effective cost of Windows is probably less. Under $50 every time I buy a new PC every three years is not a lot of money. Hell I'd pay a lot more to avoid the dreaded Linux fault threshold if I had to.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Insightful!!! Fucking hell, slashdot needs to invent a new moderation system, one where jerks are prevented from moderating.
Did you forget about NT? 3.51 was around during the Win 3.1 days and NT4 was around during the Win95 days. All ran on the same hardware, NT just needed a bit more RAM to work well.
Windows was designed for a PC (Personal Computer) which in the beginning the only network it used was "Sneaker Net" and a floppy. They had no NIC cards so in Microsoft's weak minds there was no need for security except for locking the room the PC was in. Actually what you are looking at Slashdot with is not a PC but a "Network Workstation". Herein lies the problem using an operating system that is designed so that its security depends on a locked physical door on an open network. Open networks go right around the physical door through the wall.
UNIX and all its family (Linux, BSD, OSX, Solaris) were designed from the start to be a networked operating system so ACL's and user controls were built in from the start.
NT was built to be a networked operating system and had a decent security model. Some said that it was too clunky because you had to set user permissions, users were set up as "Users" and not Administrators so in order to Admin the box you had to log out of your user account and log in as Administrator. (Gee what a novel idea!) So in XPee they used the NT kernel and threw away a decent security model for "Ease of Use" so that people that are either too lazy or too stupid to learn how to use a computer can use one.
Yes they built the UAC to annoy users but it has nothing to do with developers and their code. It is to annoy users to the point they turn it off and then the user is responsible and not Microsoft when the machine gets 0wned. A simple fix to a problem. Shift the blame. You have to remember Microsoft's own development application VS compiles DLLs to the system directory to where your app must run in "God mode" for you. Developers are not really to blame as much as the platform they are using to develop with.
I'm glad I don't have to put up with such sh_t anymore.
I can't help thinking that there's something fundamentally wrong with this whole approach to PC security.
Now, as far as I'm concerned, all my PCs are extensions of my own mind. No one else is going to be using them, and it's MY responsibility to ensure that code I don't permit never runs on them.
This implies several things, all of which are contradictory to 'how it's done' at the moment:
* There should never, ever, be any 'active executables' that must run on the PC as part of net browsing or any other activity. Flash, Java, active agents, dynamic plugins, etc - all are a bad idea. Nothing should come in but passive data, that applications already on the PC (by my permission) parse to display.
* Anything that IS installed on the PC should have full access to all PC resources. I don't set varying 'permission levels' to different parts of my own mind, and shouldn't have to put up with this shit on my PC either. At the moment the brain-computer link is so primitive (keyboard-screen) that the incompatible approaches are still workable. As technology advances, this will cease to be so.
* The whole 'permissions' ideology inevitably leads to the kind of DRM insanity that has started with Vista and 'secure computing/trusted computing', and will only get worse (if Microsoft has anything to do with it.) When one considers the computer as an extension of one's own mind, then such DRM bullshit equates to mind control. Which is probably where Microsoft would like to go next.
* The right security model for personal computing, is something more like a perimeter fence. Anything outside the fence is considered hostile. Anything let through the gate is going to have to undergo a very thorough checking out (such as being required to have all executable code in some plain text interpretable form, that can be scanned for nasties). Once inside the fence and OK'd, it is 'part of you' and has the same access to everything as you do.
* Just as your mind has introspection, a conscience, that monitors what you do, PCs need a hardware means to continuously and invulnerably monitor the computer's activities, and throw an emergency halt if something stupid is happening. Some kind of secondary CPU and firmware that acts a bit like a continuous tracer and profiler, and which can't be corrupted by the main processor's actions.
In other words, dispense with ALL the annoyances of internal security, and rely on perimeter executable exclusion, backups and self-activity monitoring to catch and recover from any hostile or faulty internal code operation.
Note that any kind of DRM management would be impossible in such a model. GOOD!
But that is why TPTB will not develop such an OS.
Funny... after a whole bunch of Web searching, I have found exactly one reference to "same-desktop mode": your post. Apparently you either got the name wrong or you're the only person in the entire world who knows about it.
Either way, can you please post instructions on how to enable this so-called "same-desktop mode" so we can all benefit from your knowledge?
What a dumb arrogant statement. Microsoft has their own fucking products that don't run correctly under regular user accounts. Dynamics GP is one example. We run Dynamics for our ERP system, and we have to change NTFS permissions on various folders, and permissions on a handful of registry keys to get it to run correctly.
grep -iw skynet