Microsoft Designed UAC to Annoy Users
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.
Mac OS X has prompts for authorization also. It doesn't bother me like Vista does. Why not? I didn't really catch it... until I realized that I could ignore the dialog box and get something done before allowing an update/reboot or whatever. Something that simple and the whole problem goes away!
It is an idiotic approach. Vista is the one being annoying... how could someone predict that end users would blame the applications and not the OS that's to blame? Not to mention the whole issue of purposely designing a UI to annoy paying customers, to pressure 3rd parties to change.
Bad idea all around if this was their intention at design.
It appears you are trying to make a snide comment.
[Cancel] [Allow]
It Worked!
You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.
I think there is going to be quite a bit of criticism of MS for this, but basically you see UAC prompts where you would have to do a su or sudo to get the job done as a standard user in Linux/Unix. The reason you don't have to do those all the time in Linux is that the application writers do not write their apps to require constant root privilege escalations. There is one app that I couldn't get working properly in Fedora 8 without running it with a sudo - Nero Linux - and it annoyed me quite a bit.
MS needs to drag both its users and those who write Windows applications along to the limited security model we all need each other to be using for the good of the internet. It was always going to be painful.
The one criticism that I have of the system/model in practice is the start menu - and that is all MS! I try to organize my start menu and I see several dialogs. I would be much more on-board with only one Cancel or Allow for an operation like that...
No they didn't design UAC to annoy users. This was a crass statement made by a Microsoft employee. No company would design something to annoy users. This was a poor use of self-deprecating rhetoric that will be exploited to the extreme. It's a dumb statement for a Microsoftie to make, and really dumb for the media to exploit.
I'm not MS's biggest fan. But this isn't the worst strategy ever.
It's actually pretty logical that if you make running these retarded apps annoying, you can force the vendors to fix them.
But MS faces a big obstacle in that strategy--the fact that moving back to XP fixes the problem as well, from the user's perspective. And of course, the fact that doing so also makes today's computers 3x more responsive.
It's a shame... I would love a world where Vista caught on but UAC didn't have to pop up ever unless something truly administrator-ish were really going on. Then all my users could be Users.
This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.
It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."
This latter option would have been particularly useful during the beta phase.
After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.
What Microsoft did doesn't sound as if they seriously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.
It does make sense, when you think about it, since they've found step 2 and patented a frustration detection system.
I have to steal this comment from one of the posts from that story, but...
Step 1: Make frustration and annoying software
Step 2: Patent frustration detection system
Step 3: Profit.
This reminds me of the c:\program files\ as a default install folder. I think it started with Windows 95. I read somewhere, years after the launch, that it was specifically chosen to force programmers to handle long file names properly.
Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.
IMO, the UAC did not have to be as annoying as it is. All they needed was a "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
This is incorrect. The registry key in question is protected by permissions and by default requires you to be running as Administrator in order to make changes. If UAC is on, then getting a command prompt, regedit, etc. running with Admin rights requires UAC approval somewhere along the line.
UAC is not about confirming specific actions like changing registry keys. It is about giving Windows permissions to use admin-level privileges. For example, once you allow a command prompt to run with your admin token, it can then launch admin-level tasks without any new prompts.
Microsoft added spaces in system directories to annoy users too I'm sure and specially neglected to make links to network folders work with spaces and left it like that for the past 13 years, to ensure that you cannot copy and paste a spacy network path from Windows Explorer into Outlook and email it to someone else in the company. All that only to annoy their users...
Why not just tell the application vendors to "eliminate as many unnecessary privilege escalations as possible"? It would be an easier way to solve the problem, plus less people would hate their operating system.
I'm sad to hear that. This was the most logical explanation of UAC's existence I have heard. If you are correct that means MS actually had a different object/goal in mind for UAC, that they actually thought it would improve security, that they actually thought that it WASN'T annoying, that this thing got passed off on multiple levels throughout the dev process as being a) useful, b) a desirable feature, c) accomplished a purpose.
UAC does none of those things in the real world. It is a horrible security mechanism, it slows down every day usage of most PCs, it causes endless annoyance to users. If this feature was designed solely for the purpose of alerting 3rd party devs to the numerous unnecessary privilege escalations they are using, it almost would be worth it/make sense. If not, it is proof that MS has absolutely no clue what users want, need, or what is a good feature.
Not true.
I can disable UAC using regedit, using msconfig, gpedit.msc, or the User Accounts applet. Each and every method raises a UAC consent prompt.
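The two comments above make testable claims: an elevated process carries the full administrator token and its children need no further prompts, and every route to switching UAC off is itself gated by the policy values that regedit, msconfig and gpedit.msc write. The script below is an added example, not from the article or any comment: it reads the UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and checks whether the current process holds the administrator token. The meanings given for ConsentPromptBehaviorAdmin follow Microsoft's documentation of that policy; no other names or paths are assumed.

```powershell
# Added example: inspect UAC policy and the current process token.
# Run in Windows PowerShell or PowerShell 7 on Windows.

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin values as documented by Microsoft.
    $consent = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    [pscustomobject]@{
        EnableLUA                  = [bool]$p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        AdminPromptMeaning         = $consent[[int]$p.ConsentPromptBehaviorAdmin]
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

function Test-IsElevated {
    # True when the process token is a member of BUILTIN\Administrators,
    # i.e. the full token UAC hands out after "Allow". A member of the
    # Administrators group running under the filtered token gets False here.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$policy = Get-UacPolicy
$policy | Format-List

if (-not $policy.EnableLUA) {
    Write-Warning 'UAC is disabled: every process of an admin user runs with the full token.'
}

if (Test-IsElevated) {
    # Children inherit this token: anything started from here is elevated
    # without another prompt, which is the point made in the comment above.
    Write-Host 'This process is elevated; child processes will be elevated too.'
} else {
    Write-Host 'This process is running with the filtered (standard user) token.'
}
```

Two caveats for anyone using this as a check: the registry reflects the configured policy, and a change to EnableLUA only takes effect after a reboot, so read both the value and the token; and writing these values is itself an administrator-only operation, which is why each of the methods the comment lists produces a prompt first.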
Microsoft is right. Most applications should never have administrator privileges, not even during installation. It's way past time to tighten the screws.
The basic idea's sound. The problem is that, given the implementation, users view the problem as being UAC and/or Vista, not the apps. After all, the apps work just fine if you turn those annoying dialogs off or go back to XP. If the users don't view the app as the cause of the problem, they won't pressure the app vendor to do anything about it. Idea fails.
I prefer the Unix approach. The OS doesn't pop up any dialog, or offer the user any choice. If an app does something it doesn't have privileges for, it gets an ENOPRIV returned from that call and isn't allowed to do that. How the app handles it from there is up to the app, but there's no easy way to make the errors go away at the system level (most modern Unixes are set up to make it inconvenient to log in or run programs as root, and only root can install a program setuid-root).
Microsoft Designed UAC to Annoy Slashdot Users.
There. All better.
Aha! They annoyed me so much that I actually switched to linux. /success
Because it's much easier to sit on Slashdot and make up bullshit and lies about Microsoft because it's trendy to hate them.
If some blank paper is in the printer, and a program writes to it without authorization from the owner of the paper, the paper becomes unusable.
But do you have to enter your root password every time you print? I think not.
Doesn't matter, I should only get 1 prompt, not 3.
UAC is not a bad idea. True, they could have gone the gksudo way and allow a window of time before asking for permission again. And then they could ask for a password instead of getting people in the habit of clicking away past warning windows. But still, it's not a bad thing.
They also had to stop programs from storing settings and user stuff under the write-restricted "Program Files" folder.
Now, annoying users intentionally to exert pressure on software vendors is just twisted.
UNIX/Linux users may want to have a little thought about what things would be like without the SUID facility ('ping', anyone?), and, on the other hand, the security implications of SUID. I was shocked when I read the example at page 249 of the UNIX Haters' Handbook, which illustrates the problem of blindly trusting your PATH with a simple example in which you can trick your system administrator into providing you with a root shell binary. Tried it. It works.
Not that this has prevented me from ditching Windows Vista in favour of Ubuntu on my laptop (desktop to follow when Ubuntu 8.04 is released).
Sure. Authorization happens now automagically in any semi modern distro. There's a lot of infrastructure that was developed to handle those situations---and many more, of course.
Upgrade to Vista, Cancel or Allow. Cancel.
UAC does none of those things in the real world. It is a horrible security mechanism, it slows down every day usage of most PCs, it causes endless annoyance to users.
This kind of statement has been puzzling to me since I installed Vista on one of my machines, since I don't see UAC pop-ups unless:
1) I'm installing something new.
2) I'm running some executable I just downloaded through my web browser, or
3) I'm running something written in the 90's.
The first two cases being times I'm glad the prompt is there and the third being more or less acceptable to me since we're talking about 9+ year old software. Often I'll go weeks at a time without seeing a UAC prompt.
UAC is totally ineffective, as it's one of the first things nearly everyone turns off because it's so damned annoying.
As much fun as it is to bash MS, they have some very difficult problems to deal with.
One reason for their success is that they never say: you need a certain version of glibc to run this app, or you need some outdated rpm chain of dependencies that conflict with the new version (may god have mercy on my karma.) If it's a Windows program it will run on Windows (sometimes.) I'd say 90% of the badness and kludginess of Windows is because of their desire to not break apps that people have been running since the 3.1/95 days.
With the kind of resources they have they should be doing a much better job, but I think anyone who's tried to provide backward compatibility in software even in trivial cases will agree that it quickly becomes an unmanageable clusterfuck.
I have been asked and wondering why Microsoft has such a bad track record in security and user access control, especially since recent Windows have been built on NT, which comes from OS/2 and VMX. According to me it's fairly simple: group permissions. Look at a default Linux/Unix-style installation: you have about 20 groups to start out with. If you're a desktop user, usually you're a member of audio, video, games, cdrom and user. On a Windows machine you're either a User or an Administrator. The way the Linux kernel and its modules are built, if you need direct access to hardware, you can either be root (not good) or you can access it through its /dev entry, which has group permissions.
So if you want to play music, you can access the hardware (albeit through a kernel module) by making yourself member of the group audio. In Windows however, if you need direct access, you can either use DirectX or a process (daemon) or become an Administrator so you can get to the kernel. There is no group Audio that has only access to the Audio-part of the kernel. As soon as you need direct access for real-time anything, you can't really add yourself to any group to do so.
This of course goes way back before desktops were running NT versions (like 2000 or XP). Before, Windows was running on top of DOS, and developers could just code directly to the hardware (just load dos4gw); there is no access control in DOS. DOS was also not meant to be running any services or be connected to a network; that's where the whole thing with viruses got started, as anything that was running could simply request a hook into the BIOS. Under the hood, protected memory was regulated with emm386, while Windows 95-ME all used the faster, less secure himem.sys. Microsoft merged NT and DOS together and made it into 2000 and XP. There were no extra permissions added for desktop users; the pure server model was coded around to allow for desktop speed and real-time access to hardware, never giving any thought that actually running all services that hook into hardware as Administrator would give problems.
Well, I guess they really blue that one.
FYI, "run a muck" is wrong. There is no muck. It's "run amok".
I don't know about that. Personally I didn't start hating them until I migrated to the IBM PC in the early 80's. Before that they were just another software vendor.
I think you underestimate the depth of feeling that Microsoft has engendered in much of the technical community.
If you're a company that makes a product that the majority use, your customers don't just start to hate you, it's something you have to work at for years. It's our nature to become emotionally attached to something that's such a big part of our lives, and the fact that Microsoft has squandered such an opportunity for loyalty and created ill-feelings instead is something that future generations of business students and corporate psychologists will study for centuries to come.
What they didn't anticipate though, is people screening out the warnings. Yes, it's important for you, the developer. No, it's not important for the user, who only wants to Get Stuff Done (tm).
If the same yes/no question pops up every 10 minutes, don't expect a different answer when it says "Do you want to install spyware, adware, a couple of trojans, and [whatever they actually wanted to install]?".
Remember, users don't read. Not because they're incapable, they have more important things to do.
There, fixed it for you.
In fact, now I come to think of it, Microsoft designed all of Windows to annoy users. I use it and man, I'm annoyed as hell right now.
HP driver annoyances (their shitty home/SMB devices are notorious for this and end up even in larger setups because of ignorant buyers) can usually be quite easily fixed by searching the registry by device name or ID and giving the Users group more control over those subtrees. Be aware of the security considerations and give only the minimal level of extra rights that are necessary.
Msconfig is your friend when disabling unneeded startup items. I especially loathe the auto-updaters that get installed by default if you don't know the specific installer parameters. Sun Java is a class-A example of that crap: it informs limited users about updates and recommends that they upgrade - only to throw an error message halfway through.
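The registry-permission fix described in the comment above, as an added PowerShell example (not from the comment, the article, or any vendor's documentation). The key name ExampleDevice and the Users-group rights chosen are assumptions for illustration; the search is a plain recursive key-name match and the grant is limited to reading, writing values and creating subkeys, which is the "minimal level of extra rights" the comment recommends rather than FullControl. It must run from an elevated session, since changing an ACL under HKLM is itself an administrator operation.

```powershell
# Added example: locate a device's registry subtree by name and grant the
# Users group a minimal set of rights on it. Requires an elevated session.
# 'ExampleDevice' is a placeholder pattern, not a real product key.

function Find-RegistryKeyByName {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        [Parameter(Mandatory)][string]$NamePattern   # wildcard, e.g. '*ExampleDevice*'
    )
    # Keys the caller cannot read are skipped rather than aborting the search.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $NamePattern } |
        Select-Object -ExpandProperty PSPath
}

function Grant-UsersMinimalRegistryAccess {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [switch]$Preview   # show the resulting ACE without writing it
    )
    # Least privilege: read, write values, create subkeys. No ChangePermissions,
    # no TakeOwnership, no Delete. ContainerInherit applies it to subkeys too.
    $rights  = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule    = New-Object System.Security.AccessControl.RegistryAccessRule(
                   'BUILTIN\Users', $rights, $inherit, $prop, 'Allow')

    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)

    if ($Preview) {
        Write-Host "Would apply to $KeyPath :"
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
            Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType
    } else {
        Set-Acl -Path $KeyPath -AclObject $acl
    }
}

# Usage: find the vendor's keys, review what would change, then apply.
$keys = @(Find-RegistryKeyByName -NamePattern '*ExampleDevice*')
foreach ($k in $keys) {
    Grant-UsersMinimalRegistryAccess -KeyPath $k -Preview
}
# After review, drop -Preview for the key(s) that actually need it:
# Grant-UsersMinimalRegistryAccess -KeyPath $keys[0]
```

Review the -Preview output before applying: a broad pattern under HKLM:\SOFTWARE can match unrelated keys, and an ACE on the wrong subtree lets any standard user rewrite values that a service running as SYSTEM later trusts.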
And please don't accuse anyone on slashdot of being trendy.
I don't get it really. Microsoft's software is so pervasive and I've spent ages using Windows, writing Windows applications and drivers, even if I mostly do embedded code.
I've used lots of other OSs too, and I really don't see what's so bad about Microsoft. Even their aggressive business practices are quite useful, since I know if I knock up a quick Windows application with Visual C++ I can reach 90% of the market. You can do pretty much anything you want in userland with Win32 and in kernel mode with WDM. Basically their stuff works fine for me. I don't know why other technical people have such problems with it.
Because even if it works 'fine' for you, there is a better option out there, and by using Windows you are forced to pay and are locked in. I don't know about everyone else, but I have a problem with the fact that everyone in the world is paying for something which is worse than something they could get for free (and if everyone did run it, it'd become better in every way overnight - hardware manufacturers making drivers, etc.).
I tried for months to get Windows NT4 to operate as a webserver and a DNS server with an uptime > 2-3 days. Couldn't do it with a (then pretty decent) Pentium-100 with 32 MB of RAM.
Then, a year or two later, I discovered Linux, and tried it out on an old junker AM486/100. With 16 MB of ram, and a 500 MB HDD, and X-Windows/KDE 1.x running on the super-long VLB video card, it managed to host a web server, a DNS server, telnetd, ntpd, postgres, php, AND ssh reliably, 24x7 for MONTHS before I learned enough of what's going on to see that it was actually doing all that!
That was RedHat 5.1. It's what sold me on Linux, because, for all its many warts, it actually did the job reliably. And now, some 9 years later, it's still "doing it" (Now CentOS 4) and I'm still loving it, 24x7!
If UAC dialogs are annoying and unnecessary, they're really just behaving like other Windows alerts. There's a whole mentality on the platform for being irritating and bothering users with pointless information.
Still, this was a new class of alert, to be taken seriously. Microsoft had a chance to break with "tradition" and put real thought into what would make a useful dialog, such as (only) information critical for making a good decision and prompting no more than necessary. But instead, we have self-congratulatory "aren't you glad we're looking out for your computer" text, a lot of color, and "abcapqyt.exe" as the only thing distinguishing one UAC dialog from the next. The dialogs therefore essentially read as "You have no idea WTF is running. [OK]" to most people.
I compare this to legalese. Microsoft is taking the "throw 400 pages of crap in the user's face, make them entirely responsible for understanding the ramifications, if they click OK they're responsible" approach to security. When I see legal documents, I *really* appreciate companies who go to the effort to "humanize" what they present. In about a paragraph of extremely readable English, they say hey, this is what we're talking about here, and this is why we have this agreement. Why *couldn't* UAC dialogs do the security equivalent of this deciphering for users, so "abcapqyt.exe" is not my only clue?
UAC is annoying people into uninstalling Vista and switching to Linux and OS X. So, it's working: UAC really is improving PC security.
For the next release, however, maybe Microsoft should be more straightforward and simply boot into a display that says "please go to www.ubuntu.com to upgrade your OS and applications".
UAC is actually very bad from a security viewpoint. By annoying users more than necessary (more later), all it does is make most users turn UAC off.
From a cynical POV, I think all UAC is for is to allow Microsoft to blame users for security problems (ah you turned UAC off - so it's YOUR fault).
If Microsoft was really interested in security they would have done more and better sandboxing of applications.
My suggestion is to have a manageable number of default templates for sandboxing applications. If the app is unsigned by a user-trusted entity, the user gets a pop up which tells the user what type of sandbox the application wants to run in.
It would be far easier to train Joe Schmoe to not run a "flash game" which asks for "Full User Privileges" or even "Full System Privileges" (with all the scary warnings etc) and to only run a "flash game" that asks for a "Guest Game" sandbox. After all there is no need for most legitimate flash games to access "My Documents" or your web browser bookmarks, or even your microphone/webcam.
The idea is even if a program wanted to do something nasty, if it is running in a sandbox, it can't, and if a program requests an unusual sandbox so that it can do something nasty, it is easier for a user to know something strange is going on.
This would also be a lot less work than UAC. Don't need to make 10 decisions one after another when you run the app.
There could be custom sandbox templates that are validated and signed by a mutually trusted authority. So that new apps that require fancy privileges can run in fancy sandboxes without annoying prompts that bother Joe Schmoe.
As for Linux and OSX, they aren't really more secure than Windows, with both these OSes if Joe Schmoe is about to run something new, he doesn't even know what the program is really going to do till he runs it. It is like expecting Joe Schmoe to solve the halting problem and without him being able to read the source code either - "Is this program going to halt, or is it going to take over my computer?". So my suggestions are just as applicable to them.
What you mention is exactly what is desired.
UAC nags you for every little piece of rubbish. 99.999% of those requests are ok. Well, not ok, if programmers would not require godmode for every stupid little setup change... but they're not harmful. It's the other 0.001% that matter.
Now, the average user turns off UAC. For a simple reason: imagine some tool you don't know much about besides operating it asks you "The futzgrabber in the argamajig wants to mirfl. Cancel or allow?" What do you do? After some trial and error, you learn that the thing does what you want when you click allow. You start wondering why the heck you have to click allow. And the next logical step is to turn the pointless thing off altogether.
And here's where the tool works as designed. Because if you get infected, MS can just shrug and say "Hey, we gave you the tool to avoid it. See, UAC would have told you this wants to do something bad, but you turned UAC off. Your fault."
Instead of finding a way to give the user a secure system, MS just shifted the blame. You can't blame Windows now anymore if you get infected. It has a tool that would have told you you're going to get infected, but you turned it off. Shift the blame for the infection to the user, away from the system. That's all UAC is about.
The biggest privilege level violation problem in Windows is the fact that there's even a mechanism to allow privilege elevation in the HTML control.
If Microsoft wants to eliminate privilege elevation, they need to start by scrapping ActiveX.
Just like Apple, Microsoft should be smart for the following version of Windows. If they want to break with previous versions anyway, they should just pick an existing *nix foundation and write their own GUI on top of that. It would really make the world much better IMHO.
Shift the blame for the infection to the user, away from the system. That's all UAC is about.
Yes, and once everybody declares Vista too difficult to use and administer, Microsoft will have an alternative for you.
Since I wrote that essay last year, Office Live has become real(-ish).