Slashdot Mirror
Microsoft Designed UAC to Annoy Users
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was 'to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
I don't think that is what he really meant. What MS is trying to do is actually the right thing. MS wants to make it access privileges more like Linux. It wants to make it so that random programs can't run a muck with admin privileges. This is MS's attempt to get application makers to stop requesting privileges that they don't need because they are too lazy to program it the right way.
Look, I'll be the first to decry Vista as a piece of shit, but despite all of Vista's flaws, trying to restrict access of programs is a good thing.
Personally, I think that MS is slowly learning. MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around. MS looks old and faded while Apple has a solid product combined with a marketing machine of d00m (Microsoft always sucked at marketing). MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.
I mean hell, what do you think of when you think of Apple? Shinny plastic with a hipster in a coffee shop. What do you think of when you think of MS? A moldy office.
The hard part is getting consumers to blame developers, too.
This reminds me of the c:\program files\ as a default install folder. I think it started with Windows 95. I read somewhere, years after the launch, that it was specifically chosen to force programmers to handle long file names properly.
Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.
IMO, the UAC did not have to be as annoying as it is. All they needed was a "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
Odd that the same home PC at the time, running Linux, had no trouble at all enforcing it.
> You cannot force someone else to follow a particular coding practice
> when your coders do not do so themselves.
It's shamefully pervasive. In my years of developing software for Windows, I've rarely seen other developers NOT running Windows as admin. --basically developing apps. completely blind as to what permissions they may or may not need. (I finally got religion 5-6 years ago after a nasty virus.) Now, every time I log in, I get several ugly little error messages due to HP drivers and other startup bits and pieces not having God access under a normal user account. I think Win developers --QA and project owners too-- need to feel some personal UAC pain.
Ask me about my sig!
Then I said it wrong. Please let me rephrase: "In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation while running a graphical user interface." Or did you manage to usefully run X11 on a 486 PC with 8 MB of RAM?
No that doesn't make sense either. How about "windows was never meant to be networked so multi user protection wasn't built in from the start"
http://michaelsmith.id.au
Yes, it forces coders.
:) )
However, if you're a windows user, and you just upgraded to vista, you see these warnings/questions. What's your first response?
1. Man, I wish these crappy coders would learn when to require root access
2. Stupid Vista... I should go back to XP
Upgrading the security model from a non-visible one to one that requires user attention can be a bitch. MS has a lot of difficult decisions to make these days.
Just see http://www.joelonsoftware.com/items/2008/03/17.html.
(Now, if only someone could show me how to embed nice links here...
P.S. I use Gentoo.
But not with UAC. The normal integrity level application can't sniff anything about the UAC elevation. And the elevation password dialog runs on a separate secured desktop so the malware can't access it.
Windows is not *nix, the Windows developers learned from the mistakes of sudo.
The problem is the user interface. As the OpenBSD people keep telling us, sane defaults are the most important thing in security. If you default to insecure, or you default to secure, but so irritating people turn off the security, then your system is not secure.
With respect to your specific problem, requiring elevated privileges for debugging actually does make sense, and I consider it a bug in other operating systems that it's not the case. A process that attaches to another as a debugger can inspect all of that process's memory, and even the contents of registers. If the process is something like your password manager, then it doesn't matter that it stores all of your passwords encrypted on disk and doesn't release them without a pass-phrase if the first piece of malware that gets on to your system can poke around in its memory and read them. Ideally, you would be able to simply flag regions of memory as off-limits to a debugger, but the next best thing is to require elevated privilege. Starting with 10.5, I believe OS X allows a process to set a flag preventing debuggers from attaching, but I've never tried it.
I am TheRaven on Soylent News