Slashdot Mirror
Microsoft Designed UAC to Annoy Users
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was 'to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.
Mac OSX has prompts for authorization also. It doesn't bother me like Vista does. Why not? I didn't really catch it... until I realized that I could ignore the dialog box and get something done before allowing an update/reboot or whatever. Something that simple and the whole problem goes away!
Yep, the proper way to do this would be to have UAC like crazy when running an app in debug/test mode, and leave the customers alone. If they want to put pressure on the 3rd party developers, then they should do that directly, and not mess with everyone in hopes that the pressure would kind of go back to the 3rd party developers.
That assumes that 3rd party developers care at all about the customer experience, which if you look at Norton/McAfee, is very dubious.
And then give the customers something reasonable, like how sudo works on *nix.
If I have nothing to hide, don't search me
You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.
I think there is going to be quite a bit of criticism of MS for this but basically you see UAC prompts where you would have to do a su or sudo to get the job done as a starndard user in Linux/Unix. The reason you don't have to do those all the time in Linux is that the application writers do not write their apps to require constant root priviledge escalations. There is one app that I couldn't get working properly in Fedora 8 without running it with a sudo - Nero Linux - and it annoyed me quite a bit.
MS needs to drag both its users and those who write windows applications along to the limited security model we all need each other to be using for the good of the internet. It was always going to be painful.
The one criticism that I have of the system/model in practice is the start menu - and that is all MS! I try to organize my start menu and I see several dialogs. I would be much more on-board with only one Cancel or Allow for an operation like that...
No they didn't design UAC to annoy users. This was a crass statement made by a Microsoft employee. No company would design something to annoy users. This was a poor use of self-deprecating rhetoric that will be exploited to the extreme. It's a dumb statement for a Microsoftie to make, and really dumb for the media to exploit.
"Stupid is as stupid does", somebody once said.
I'm not MS's biggest fan. But this isn't the worst strategy ever.
It's actually pretty logical that if you make running these retarded apps annoying, you can force the vendors to fix them.
But MS faces a big obstacle in that strategy--the fact that moving back to XP fixes the problem as well, from the user's perspective. And of course, the fact that doing so also makes today's computers 3x more responsive.
It's a shame... I would love a world where Vista caught on but UAC didn't have to pop up ever unless something truly administrator-ish were really going on. Then all my users could be Users.
This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.
It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."
This latter option would have been particularly useful during the beta phase.
After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.
What Microsoft did doesn't sound as if they serously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.
"How to Do Nothing," kids activities, back in print!
Not that I disagree, and I realize bashing Vista is a quick way to feel like you fit in, but how else are you going to pressure third party vendors to not write crappy applications that need admin privileges for stupid reasons? Every Win32 program in existence seems to think it needs to put its settings into an INI file located in the program files directory.
A big reason for Windows sucking is the third party applications. Look at what XP did with the tray: introduced this little arrow that hides infrequently used icons because every marketing assmunch realized they could brand the user's computer and most of the users wouldn't be able to do anything about it. Meanwhile, it became common to see half the task bar being eaten by the tray and 25 stupid icons just sitting there. (Sun doing that with Java says a lot about the platform.) It is the tragedy of the commons playing out on the user's desktop, and the users are the ones losing. Meanwhile, nobody seems to care, it is business as usual.
With regard to UAC, I'm curious to what you think is a better solution. Not that I like the current one, but I rate it as the least-worst option that I can think of, other than virtualization.
Turning off UAC doesn't involve a UAC-mediated privilege elevation.
WTF? Even if UAC has the narrow goal of guarding against malware rather than a malicious user sitting at the console, doesn't this completely defeat the purpose?
(It seems that it does require a reboot, but that's hardly a barrier. Some piece of malware can just silently flip a registry key to turn off UAC, and then wait until the next time you reboot to finish 0wning you.)
Wow! Microsoft thinks of its users as pawns in a pissing match between them and developers? Why not? They think of them as pawns in their pissing match with the DOJ, their vendors, the conquest of the world... Fuck you, Microsoft!
Why not just tell the application vendors to "eliminate as many unnecessary privilege escalations as possible"? It would be an easier way to solve the problem, plus less people would hate their operating system.
I'm sad to hear that. This was the most logical explanation of UAC's existence I have heard. If you are correct that means MS actually had a different object/goal in mind for UAC, that they actually thought it would improve security, that they actually thought that it WASN'T annoying, that this thing got passed off on multiple levels throughout the dev process as being a) useful, b) a desirable feature, c) accomplished a purpose.
UAC does none of those things in the real world. It is a horrible security mechanism, it slows down every day usage of most PCs, it causes endless annoyance to users. If this feature was designed solely for the purpose of alerting 3rd party devs to the numerous unnecessary privilege escalations they are using, it almost would be worth it/make sense. If not, it is proof that MS has absolutely no clue what users want, need, or what is a good feature.
Microsoft is right. Most applications should never have administrator privileges, not even during installation. It's way past time to tighten the screws.
The basic idea's sound. The problem is that, given the implementation, users view the problem as being UAC and/or Vista, not the apps. After all, the apps work just fine if you turn those annoying dialogs off or go back to XP. If the users don't view the app as the cause of the problem, they won't pressure the app vendor to do anything about it. Idea fails.
I prefer the Unix approach. The OS doesn't pop up any dialog, or offer the user any choice. If an app does something it doesn't have privileges for, it gets an ENOPRIV returned from that call and isn't allowed to do that. How the app handles it from there is up to the app, but there's no easy way to make the errors go away at the system level (most modern Unixes are set up to make it inconvenient to log in or run programs as root, and only root can install a program setuid-root).
c:\progra~1\ would be the workaround there, fyi
Dos programs used to handle it like that with (and my memory is a bit fuzzy here) FAT32 methinks. The legacy is still in there even though the modern cmd.exe can handle long names in quotes. Now, if only they could learn how to properly escape special characters...
If you're stuck with a browse box and no option to type in the path manually I guess you're pretty much out of luck...I'd kill for decent symbolic linking in Windows, shortcuts are like a bad joke
Because it's much easier to sit on Slashdot and make up bullshit and lies about Microsoft because it's trendy to hate them.
If some blank paper is in the printer, and a program writes to it without authorization from the owner of the paper, the paper becomes unusable.
But do you have to enter your root password every time you print? I think not.
Visual IRC: Fast. Powerful. Free.
Doesn't matter, I should only get 1 prompt, not 3.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
UAC is not a bad idea. True, they could have gone the gksudo way and allow a window of time before asking for permission again. And then they could ask for a password instead of getting people in the habit of clicking away past warning windows. But still, it's not a bad thing.
They also had to stop programs from storing settings and user stuff under the write-restricted "Program Files" folder.
Now, annoying users intentionally to exert pressure on software vendors is just twisted.
UNIX/Linux users may want to have a little thought about what things would be like without the SUID facility ('ping', anyone?), and, on the other hand, the security implications of SUID. I was shocked when I read the example at page 249 of the UNIX Haters' Handbook, which illustrates the problem of blindly trusting your PATH with a simple example in which you can trick your system administrator into providing you with a root shell binary. Tried it. It works.
Not that this has prevented me from ditching Windows Vista in favour of Ubuntu on my laptop (desktop to follow when Ubuntu 8.04 is released).
The state you are in while your HEAD is detached... - wait, what?
UAC is totally ineffective as as its one of the first things nearly everyone turns off because its so damned annoying.
I have been asked and wondering why Microsoft has such a bad track record in security and user access control especially since recent Windows have been built on NT which comes from OS/2 and VMX. According to me it's fairly simple: group permissions. Look at a default Linux/Unix-style installation, you have about 20 groups to start out with. If you're a desktop user, usually you're a member of audio, video, games, cdrom and user. On a Windows machine you're either a User or an Administrator. The way the Linux kernel and it's modules are built, if you need direct access to hardware, you can either be root (not good) or you can access it through it's /dev entry which has group permissions.
So if you want to play music, you can access the hardware (albeit through a kernel module) by making yourself member of the group audio. In Windows however, if you need direct access, you can either use DirectX or a process (daemon) or become an Administrator so you can get to the kernel. There is no group Audio that has only access to the Audio-part of the kernel. As soon as you need direct access for real-time anything, you can't really add yourself to any group to do so.
This of course goes way back before desktops were running NT versions (like 2000 or XP). Before, Windows was running on top of DOS, developers could just code directly into the hardware (just load dos4gw), there is no access control in DOS. DOS was also not meant to be running any services or be connected to a network that's where the whole thing with virusses got started, anything that was running could simply request a hook into the BIOS, under the hood, protected memory was regulated with emm386 while Windows 95-ME all used the faster, less secure himem.sys. Microsoft merged together the NT and DOS and made it into 2000 and XP. There were no extra permissions added for desktop users, the pure server model was coded around to allow for desktop speed and real-time access to hardware, never giving any thought that actually running all services that hook into hardware as Administrator would give problems.
Custom electronics and digital signage for your business: www.evcircuits.com
What they didn't anticipate though, is people screening out the warnings. Yes, it's important for you, the developer. No, it's not important for the user, who only wants to Get Stuff Done (tm).
If the same yes/no question pops up every 10 minutes, don't expect a different answer when it says "Do you want to install spyware, adware, a couple of trojans, and [whatever they actually wanted to install]?".
Remember, users don't read. Not because they're incapable, they have more important things to do.
Because even if it works 'fine' for you, there is a better option out there, and by using windows, you are forced to pay, and are locked in. I don't know about everyone else, but I have a problem with the fact everyone in the world is paying for something which is worse than something they could get for free (and if everyone did run it, it'd become better in every way overnight (hardware manufacturers making drivers, etc...).
-- Lattyware (www.lattyware.co.uk)
UAC is actually very bad from a security viewpoint. By annoying users more than necessary (more later), all it does it makes most users turn UAC off.
From a cynical POV, I think all UAC is for is to allow Microsoft to blame users for security problems (ah you turned UAC off - so it's YOUR fault).
If Microsoft was really interested in security they would have done more and better sandboxing of applications.
My suggestion is to have a manageable number of default templates for sandboxing applications. If the app is unsigned by a user-trusted entity, the user gets a pop up which tells the user what type of sandbox the application wants to run in.
It would be far easier to train Joe Schmoe to not run a "flash game" which asks for "Full User Privileges" or even "Full System Privileges" (with all the scary warnings etc) and to only run a "flash game" that asks for a "Guest Game" sandbox. After all there is no need for most legitimate flash games to access "My Documents" or your web browser bookmarks, or even your microphone/webcam.
The idea is even if a program wanted to do something nasty, if it is running in a sandbox, it can't, and if a program requests an unusual sandbox so that it can do something nasty, it is easier for a user to know something strange is going on.
This would also be a lot less work than UAC. Don't need to make 10 decisions one after another when you run the app.
There could be custom sandbox templates that are validated and signed by a mutually trusted authority. So that new apps that require fancy privileges can run in fancy sandboxes without annoying prompts that bother Joe Schmoe.
As for Linux and OSX, they aren't really more secure than Windows, with both these OSes if Joe Schmoe is about to run something new, he doesn't even know what the program is really going to do till he runs it. It is like expecting Joe Schmoe to solve the halting problem and without him being able to read the source code either - "Is this program going to halt, or is it going to take over my computer?". So my suggestions are just as applicable to them.
OK, and what exactly stops me from simply doing my very own dialog that looks exactly like UAC? What exactly stops me from redirecting the call for issuing an UAC prompt to my dialog instead?
Right: nothing. Almost.
One thing, disabled by default, is the SAS (you known, Ctrl+Alt+Del). If enabled, it requires the user to press it, which only the UAC dialog is able to ignore. Almost, since it doesn't matter - do your dialog in DirectX or OpenGL with a transparent surface, and you'll still be able to force your dialog to always be on the top.
Also, some third party components like VMware allow you to trap SAS on behalf of the system, or your malware.
Once having aqquired the admin password, I can use CreateProcessAsTokenW() to elevate to admin privileges.
What comes then is a matter of configuration: By default I can do anything I want, since once I'm running with admin rights while being logged in as a user UAC thinks that I've already elevated and doesn't ask any more.
But even if it is configured to ask again, there are some actions which don't trigger requests, for example the usage of the SE_BACKUPRESTORE_PRIVILEGE - which allows me to write to the raw disk as well as override all ACLs; that is a complete compromise.
The cause are two big problems:
- SAS doesn't worl because DirectX and OpenGL are considered as too privileged.
- The UAC provides no means to authenticate itself. Why not letting a user choose a picture at install time which is then stored at a safe location with only NT-AUTHORIYT\SYSTEM being able to read, such that only the UAC dialog is able to present it to the user?
"Do what I say, not what I do"
Sounds perfectly reasonable to me.
e.g.
"Go to school"
"Don't drive the car"
"Don't try to have sex with mom"
"Don't do that or you'll end up like me"
Tons of different rules for children and adults. Welcome to the real world. Minors aren't the same as adults.
What you mention is exactly what is desired.
UAC nags you for every little piece of rubbish. 99.999% of those requests are ok. Well, not ok, if programmers would not require godmode for every stupid little setup change... but they're not harmful. It's the other 0.001% that matter.
Now, the average user turns off UAC. For a simple reason: Imagine some tool you don't know much besides operating it asks you "The futzgrabber in the argamajig wants to mirfl. Cancel or allow?" What do you do? After some try and error, you learn that the thing does what you want when you click allow. You start wondering why the heck you have to click allow. And the next logic step is to turn the pointless thing off altogether.
And here's where the tool works as designed. Because if you get infected, MS can just shrug and say "Hey, we gave you the tool to avoid it. See, UAC would have told you this wants to do something bad, but you turned UAC off. Your fault."
Instead of finding a way to give the user a secure system, MS just shifted the blame. You can't blame Windows now anymore if you get infected. It has a tool that would have told you you're going to get infected, but you turned it off. Shift the blame for the infection to the user, away from the system. That's all UAC is about.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.