Slashdot Mirror


Microsoft Designed UAC to Annoy Users

I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."

23 of 571 comments

  1. Of course... by evanbd · · Score: 5, Insightful

    If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.

    1. Re:Of course... by tepples · · Score: 5, Funny

      If they'd done this from the start, no one would be complaining. In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation.
    2. Re:Of course... by CyberLife · · Score: 5, Insightful

      To extend your point, the reason UNIX systems don't have UAC-style privilege elevation is due to its history. UNIX came into being, and was largely developed, during an era in which virtually all computers were large, multi-user systems that sat in a back room. An administrator would have to be sitting at a terminal 24/7 just in case somebody came knocking -- quite an unreasonable expectation. As a result, programmers had to get used to the idea of restricted abilities.

      With the desktop computer model, the situation is quite different. Classically-speaking, the user is sitting right at the machine and is the only one using it. They are the administrator as well as the user. There is no expectation of security since nobody else is involved. Windows derives much of its architecture and style from this method of computing.

      Modern-day computing is rapidly moving back toward the shared-computer model. This is occurring somewhat on the front-end (e.g. individual user accounts on a desktop machine for different users), but mostly it's happening on the back-end. Internet servers are very reminiscent of the mainframe-era multi-user model. This is why UNIX is such a good fit for such tasks -- it was designed specifically for it, whereas Windows has had to play catch-up. UAC is a good example of single-user thinking applied to a multi-user problem.

    3. Re:Of course... by fizzup · · Score: 5, Informative

      Period PC hardware absolutely was capable of running X11. I bet quite a few idiots like myself did it at the time.

      First, an 80486 was not really period hardware. The Pentium classic was on the market at the time that Windows 95 came out, clocked at 100MHz. It had been around for almost a year at that speed. This processor is a few percent as fast as modern CPUs.

      Now, if you were to put Gnome or KDE on this hardware, it would be a pig. For me, I ran the Open Look Window Manager. It looks like this, which I think looks a little bit worse than Windows for Workgroups. But, man, is it lean.

      All rolled up, that window manager, using colour depth common in the period, is probably more than ten times faster than a modern desktop. Through the mists of time, I'd say that Ubuntu, with modern hardware, seems a good three or four times faster than that old unix box, which fits.

      For what it's worth, the experience was about as fast as the Sun boxes I had used at university a few years before. IIRC, they were running microSPARC I processors at 40MHz. I don't remember the RAM, though. They ran OpenLook as well, which is why I used it a few years later. I was used to it.

      You should know that X11 was released in 1987. It's not like they wrote and debugged it by desk checking, yeah? It ran on workstations available 20 years ago. Moore's law says there were five doublings of transistors per unit area between 1987 and 1995. To say that hardware in 1995 was too slow to handle security, protection, and a GUI is false on its face.

    4. Re:Of course... by Anonymous Coward · · Score: 5, Insightful

      That's about it in a nutshell, but it is a little more complicated than that.

      UNIX's legacy lies in Multics, which was designed to work alongside big iron hardware with hierarchical protection domains that provide the mechanism to restrict the access of a process to resources. UNIX, being directly derived from Multics, benefited from this lineage by having such robust security throughout its design at the expense of not being able to run on commodity hardware.

      Windows's legacy lies in DOS, which was designed to run on commodity hardware that completely lacked these capabilities. Without hierarchical protection rings the OS had absolutely no ability to enforce any form of resource management. Even if there were enough hardware resources to allow for the OS to have more than a few resident functions in memory, every application still had full and complete control over all of the hardware, and a lot of them made the most of it for performance reasons. It didn't matter how many users there were; security was simply not an option.

      When Windows NT was being developed the correct choice was made to completely isolate the older processes to an emulator. Unfortunately this meant that any process written within the last 5 years ran like garbage. Towards the end of the 16-bit era programmers got very creative in overcoming both the limitations of DOS and squeezing every last cycle out of the hardware. This made emulation exceedingly difficult and prone to failure. Companies were sticking to Windows 3.x rather than jumping to NT because of the failure to support legacy applications perfectly.

      When Microsoft developed Windows 95 they reversed that decision and kept the 16-bit DOS core, both for compatibility with legacy applications (particularly games), development time and performance. This enabled the large DOS library to work without a hitch on Windows 95 at the sacrifice of locking down the security model. Without that programmers were able to and continued to shirk the basic security guidelines set forth by Microsoft and write applications that required full access, if not direct kernel access.

      Microsoft is trying to have their cake and eat it too. UAC is three things:

      First, it tries to prepare the user for life as a non-admin. Everyone is used to being admin, and if being admin means not having to think about security then people will continue to be admin. However, if admin isn't really admin unless you really mean it, then admin feels like a normal user. The disadvantage to this is that users will become jaded to the prompt, particularly at this stage when it's fairly prevalent.

      Second, it does force the application developers to make correct decisions and follow the written guidelines. An application that does so will never, ever see a UAC prompt and will run perfectly fine under UAC, and under a normal user context. These guidelines have been a part of the Windows Logo process since Windows NT was first released. Hopefully, as more application developers catch on the UAC prompts will become significantly more infrequent, and applications that require escalation for specific tasks will follow the procedures to inform the user of this fact and request escalation internally only for that task.

      Third, it tries to silently handle programs that do stupid things by "virtualizing" their actions. The vast majority of applications that require administrative access only do so because they try to write either to the %PROGRAMFILES% directory or the HKEY_LOCAL_MACHINE hive of the registry. So, with UAC enabled, attempts to write to these locations are silently redirected to the user's profile. The task succeeds, the application is happy and the user is happy.

      You could argue that the route Apple took was better. I wouldn't disagree, but these kinds of business decisions are complex. Apple basically gets to say "fuck you" to everyone every ten years and they largely live with it. I'm not sure the people would be so forgiving with Microsoft, even if doi
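
      The silent redirection described in the comment above leaves a per-user trail that can be audited. What follows is an added example, not code from the thread or from Microsoft: a PowerShell script that lists what UAC file and registry virtualization has redirected for the current user, which is a practical way to find installed applications that still write to %PROGRAMFILES% or HKEY_LOCAL_MACHINE from a standard-user context. It assumes the default store locations (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE) and that virtualization has not been turned off by policy; the function names are the example's own.

```powershell
# Added example (not from the thread or from Microsoft): audit what UAC file and
# registry virtualization has silently redirected for the current user. Writes
# that a legacy (32-bit, un-manifested, interactive) application attempts under
# %ProgramFiles%, %windir% or HKLM\SOFTWARE without elevation land in these
# per-user stores, so every entry found is an application that is not UAC-clean.
# Assumes the default store locations and that virtualization is not disabled
# by policy.

$FileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$RegStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
$RegPrefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\'

function Get-VirtualizedFiles {
    param([string]$Root = $FileStore)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The store mirrors the system drive minus its drive letter:
            # ...\VirtualStore\Program Files\Vendor\app.ini -> C:\Program Files\Vendor\app.ini
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            [pscustomobject]@{
                Kind         = 'File'
                IntendedPath = Join-Path "$env:SystemDrive\" $rel
                RedirectedTo = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKeys {
    param([string]$Root = $RegStore)
    if (-not (Test-Path -Path $Root)) { return @() }
    # Only keys that actually hold redirected values are interesting.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        ForEach-Object {
            # HKEY_CURRENT_USER\...\VirtualStore\MACHINE\SOFTWARE\Vendor -> HKLM\SOFTWARE\Vendor
            $rel = $_.Name.Substring($RegPrefix.Length)
            [pscustomobject]@{
                Kind         = 'Registry'
                IntendedPath = "HKLM\$rel"
                RedirectedTo = $_.Name
                LastWrite    = $null    # the registry provider exposes no timestamps
            }
        }
}

function Get-UacUncleanApplications {
    # Group redirected writes by the first component under the protected root,
    # which is normally the vendor or product folder/key that identifies the app.
    $hits = @(Get-VirtualizedFiles) + @(Get-VirtualizedRegistryKeys)
    $hits | Group-Object -Property {
        $parts = $_.IntendedPath -split '\\'
        $last  = [Math]::Min(2, $parts.Count - 1)
        $parts[1..$last] -join '\'      # 'Program Files\Vendor' or 'SOFTWARE\Vendor'
    } | ForEach-Object {
        [pscustomobject]@{
            Application = $_.Name
            Redirects   = $_.Count
            Kinds       = ($_.Group.Kind | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Redirects -Descending
}

Get-UacUncleanApplications | Format-Table -AutoSize
```

      Anything this reports is an application that still treats the machine-wide locations as its own scratch space. The converse does not hold: an empty store does not prove every installed program is clean, because 64-bit processes and anything carrying a requestedExecutionLevel manifest are never virtualized and simply get "access denied" (or a UAC prompt) instead of a redirect.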

  2. At last - an MS Success! by fatmal · · Score: 5, Funny

    It Worked!

  3. And Microsoft was the biggest offender. by khasim · · Score: 5, Insightful

    You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.

    1. Re:And Microsoft was the biggest offender. by repka · · Score: 5, Insightful

      Any particular examples? Application designed following guidelines of win95 (e.g. Office) will work properly in Vista and will not even require folder/registry virtualization (btw, I assume a lot of effort went into this feature to minimize UAC prompts and it for some reason is rarely mentioned among usual rants about them).

      I consider the opposite: Microsoft spends too much effort on app-compat. Had Win2k defaulted users to be "restricted", while win98/ME were viable alternatives (i.e. MS could still cash in on their sale) for compatibility, this effort could have been much more successful and, nowadays, when you try to get Intuit Quickbooks to start under a limited user (you don't have much choice in a college setting), you wouldn't have to give write access to the whole CLASSES_ROOT registry branch (don't get me started on this...).

      So in short, yes, I believe UAC is a great compromise, which forces lousy coders to reconsider their approach to the stuff they ship.

    2. Re:And Microsoft was the biggest offender. by Anonymous Coward · · Score: 5, Insightful

      I doubt it'll happen, though. It seems like the most widely-disseminated "Vista tweak" is how to turn off UAC. Regular users (including your average Windowsland programmer and others who might consider themselves technologically sophisticated) don't see UAC as a feature, they see it as a bug.

    3. Re:And Microsoft was the biggest offender. by Jurily · · Score: 5, Interesting

      Yes, it forces coders.

      However, if you're a windows user, and you just upgraded to vista, you see these warnings/questions. What's your first response?

      1. Man, I wish these crappy coders would learn when to require root access
      2. Stupid Vista... I should go back to XP

      Upgrading the security model from a non-visible one to one that requires user attention can be a bitch. MS has a lot of difficult decisions to make these days.

      Just see http://www.joelonsoftware.com/items/2008/03/17.html.

      (Now, if only someone could show me how to embed nice links here... :) )

      P.S. I use Gentoo.

    4. Re:And Microsoft was the biggest offender. by Silver+Gryphon · · Score: 5, Insightful

      Interestingly enough, Visual Studio 2005 and 2008 under Vista can't access a project stored in a local IIS website unless running as admin. You're explicitly prompted to run the entire session under Administrator account. The alternative is to change your project storage to disk instead of IIS -- maybe not a bad idea, but contradicting their new HTTP based projects of 2002/2003 (as Web services were promoted then too, now web services are actively discouraged for security and scalability reasons. Lessons learned, I guess.)

      Clicking "Run as administrator" is easier and just reinforces the "click through all these dialogs" mentality. I think MS went too far in some of the dialogs; their new push to give detailed explanations is counterproductive, as I don't want to read an essay at that particular time.

      http://msdn2.microsoft.com/en-us/library/aa964620(VS.80).aspx

      Still, I agree -- running as admin is dangerous; Linux and Unix had a great approach from their beginnings. Windows needs to catch up to that, and it'll involve a massive effort on the part of the users and developers. Having Ubuntu Linux prompt similar to UAC helps reinforce the principle of running with lowered privileges, and shows that Windows isn't any more evil now that it has UAC, it's just that things were so non-secure before that it's hard as hell to conform to the new guidelines.

    5. Re:And Microsoft was the biggest offender. by TheRaven64 · · Score: 5, Interesting
      ACLs aren't a problem in themselves. Having fine-grained security is a good decision for a kernel, because it allows you to build other security models on top easily. It's much easier to implement the UNIX security model on Windows than the other way around.

      The problem is the user interface. As the OpenBSD people keep telling us, sane defaults are the most important thing in security. If you default to insecure, or you default to secure, but so irritating people turn off the security, then your system is not secure.

      With respect to your specific problem, requiring elevated privileges for debugging actually does make sense, and I consider it a bug in other operating systems that it's not the case. A process that attaches to another as a debugger can inspect all of that process's memory, and even the contents of registers. If the process is something like your password manager, then it doesn't matter that it stores all of your passwords encrypted on disk and doesn't release them without a pass-phrase if the first piece of malware that gets on to your system can poke around in its memory and read them. Ideally, you would be able to simply flag regions of memory as off-limits to a debugger, but the next best thing is to require elevated privilege. Starting with 10.5, I believe OS X allows a process to set a flag preventing debuggers from attaching, but I've never tried it.

      --
      I am TheRaven on Soylent News
    6. Re:And Microsoft was the biggest offender. by Anonymous Coward · · Score: 5, Funny
      "It's much easier to implement the UNIX security model on Windows than the other way around."

      Why in hell would anyone want to implement Windows "security" on Unix?

  4. Re:If this is true... by Shihar · · Score: 5, Interesting

    I don't think that is what he really meant. What MS is trying to do is actually the right thing. MS wants to make its access privileges more like Linux. It wants to make it so that random programs can't run amok with admin privileges. This is MS's attempt to get application makers to stop requesting privileges that they don't need because they are too lazy to program it the right way.

    Look, I'll be the first to decry Vista as a piece of shit, but despite all of Vista's flaws, trying to restrict access of programs is a good thing.

    Personally, I think that MS is slowly learning. MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around. MS looks old and faded while Apple has a solid product combined with a marketing machine of d00m (Microsoft always sucked at marketing). MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.

    I mean hell, what do you think of when you think of Apple? Shiny plastic with a hipster in a coffee shop. What do you think of when you think of MS? A moldy office.

  5. Re:At last, a little truth from MS by unlametheweak · · Score: 5, Insightful

    No they didn't design UAC to annoy users. This was a crass statement made by a Microsoft employee. No company would design something to annoy users. This was a poor use of self-deprecating rhetoric that will be exploited to the extreme. It's a dumb statement for a Microsoftie to make, and really dumb for the media to exploit.

    "Stupid is as stupid does", somebody once said.

  6. What a half-assed way to go about it. by dpbsmith · · Score: 5, Insightful

    This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.

    It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."

    This latter option would have been particularly useful during the beta phase.

    After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.

    What Microsoft did doesn't sound as if they seriously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.

  7. Re:If this is true... by MRiGnS · · Score: 5, Interesting

    MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.

    I'm pretty sure MS isn't as afraid of Apple as they are of Linux. You might be able to buy/bribe/whatever stock holders, but almost impossible to buy out GNU/Linux. Even if they would get Linus on their side, there would be some nerds releasing GNU/Xunil (That's the point where you might laugh) just a couple of minutes after the announcement. The only thing they may fear is in fact FOSS reaching critical mass.

    MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around.

    I wonder what happens as windows7 is supposed to break the binary compatibility.
  8. Let me fix this for you... by actionbastard · · Score: 5, Funny

    Microsoft Designed UAC to Annoy Slashdot Users.

    There. All better.

    --
    Sig this!
  9. Re:you, my friend, made an incorrect assumption... by plover · · Score: 5, Funny

    Because it's much easier to sit on Slashdot and make up bullshit and lies about Microsoft because it's trendy to hate them. Oh, it's not trendy. We've always hated them.
    --
    John
  10. Difference between Unix and Windows in security by guruevi · · Score: 5, Insightful

    I have been asked and wondering why Microsoft has such a bad track record in security and user access control especially since recent Windows have been built on NT which comes from OS/2 and VMX. According to me it's fairly simple: group permissions. Look at a default Linux/Unix-style installation, you have about 20 groups to start out with. If you're a desktop user, usually you're a member of audio, video, games, cdrom and user. On a Windows machine you're either a User or an Administrator. The way the Linux kernel and its modules are built, if you need direct access to hardware, you can either be root (not good) or you can access it through its /dev entry which has group permissions.

    So if you want to play music, you can access the hardware (albeit through a kernel module) by making yourself member of the group audio. In Windows however, if you need direct access, you can either use DirectX or a process (daemon) or become an Administrator so you can get to the kernel. There is no group Audio that has only access to the Audio-part of the kernel. As soon as you need direct access for real-time anything, you can't really add yourself to any group to do so.

    This of course goes way back before desktops were running NT versions (like 2000 or XP). Before, Windows was running on top of DOS, developers could just code directly into the hardware (just load dos4gw), there is no access control in DOS. DOS was also not meant to be running any services or be connected to a network; that's where the whole thing with viruses got started, anything that was running could simply request a hook into the BIOS, under the hood, protected memory was regulated with emm386 while Windows 95-ME all used the faster, less secure himem.sys. Microsoft merged together the NT and DOS and made it into 2000 and XP. There were no extra permissions added for desktop users, the pure server model was coded around to allow for desktop speed and real-time access to hardware, never giving any thought that actually running all services that hook into hardware as Administrator would give problems.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  11. tag:nagware by Jurily · · Score: 5, Insightful

    What they didn't anticipate though, is people screening out the warnings. Yes, it's important for you, the developer. No, it's not important for the user, who only wants to Get Stuff Done (tm).

    If the same yes/no question pops up every 10 minutes, don't expect a different answer when it says "Do you want to install spyware, adware, a couple of trojans, and [whatever they actually wanted to install]?".

    Remember, users don't read. Not because they're incapable, they have more important things to do.

  12. Re:Driver and login annoyances by Anonymous Coward · · Score: 5, Informative

    HP driver annoyances (their shitty home(/SMB) devices are notorious for this and end up even in larger setups because of ignorant buyers) can usually be quite easily fixed by searching the registry by device name or ID and giving the Users group more control over those subtrees. Be aware of security considerations and give only the minimal level of extra rights that are necessary.

    Msconfig is your friend when disabling unneeded startup items. I especially loathe the auto-updaters that get installed by default if you don't know specific installer parameters. Sun Java is a class A example of that crap: it informs limited users about updates and recommends them to upgrade - only halfway through it throws an error message.
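
    The "minimal level of extra rights" advice in the comment above is where most such fixes go wrong, because the path of least resistance is Full Control for Everyone. The following is an added example, not the commenter's procedure or any vendor's documentation: a PowerShell snippet that locates registry keys by device name or hardware-ID fragment, grants BUILTIN\Users only read, SetValue and CreateSubKey on a chosen subtree, and reports any Users/Everyone Full Control ACEs that should be removed. The vendor, device and key path in the usage lines are placeholders, and the function names are the example's own.

```powershell
# Added example (not from the thread): find a vendor's registry subtree and give
# BUILTIN\Users only the write rights a limited user needs there, instead of the
# Full Control that "fixes" a driver at the cost of letting any user rewrite
# machine-wide settings. Run from an elevated PowerShell. The device name and key
# path used at the bottom are placeholders, not a real product's locations.

function Find-RegistryKeysByName {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # device name or hardware-ID fragment
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Enum')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                $key = $_
                if ($key.PSChildName -like "*$Pattern*") { return $true }
                # Friendly names usually live in string values, not in key names.
                foreach ($name in $key.GetValueNames()) {
                    $val = $key.GetValue($name)
                    if ($val -is [string] -and $val -like "*$Pattern*") { return $true }
                }
                $false
            }
    }
}

function Grant-UsersLimitedWrite {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # e.g. 'HKLM:\SOFTWARE\Vendor\Device'
        [switch]$Apply                            # without -Apply the rule is only returned, nothing changes
    )
    # Minimal rights for an app that insists on storing settings under HKLM:
    # read, set values, create subkeys. Deliberately no Delete, no WriteDac
    # (ChangePermissions), no WriteOwner (TakeOwnership), no FullControl.
    $rights = [System.Security.AccessControl.RegistryRights] 'ReadKey, SetValue, CreateSubKey'
    $users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'   # BUILTIN\Users, locale-independent
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
                  $users, $rights, 'ContainerInherit', 'None', 'Allow'

    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    if ($Apply) { Set-Acl -Path $KeyPath -AclObject $acl }
    return $rule
}

function Get-OverbroadUserAces {
    # Report the ACEs to undo: Users or Everyone holding Full Control on the key.
    param([Parameter(Mandatory)][string]$KeyPath)
    (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Value -match '(^|\\)(Users|Everyone)$' -and
        $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
    }
}

# Usage with placeholder names:
#   Find-RegistryKeysByName -Pattern 'ExampleJet' | Select-Object -ExpandProperty Name
#   Grant-UsersLimitedWrite -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleJet'          # preview the ACE
#   Grant-UsersLimitedWrite -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleJet' -Apply   # write it
#   Get-OverbroadUserAces   -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleJet'          # should return nothing
```

    Scope the grant to the deepest key the application actually needs, not the vendor root: the inherited ACE propagates to every subkey beneath the point where it is applied, so a grant at HKLM\SOFTWARE\Vendor hands the same write rights to every other product that vendor installs.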

  13. Re:If this is true... by LO0G · · Score: 5, Interesting

    But not with UAC. The normal integrity level application can't sniff anything about the UAC elevation. And the elevation password dialog runs on a separate secured desktop so the malware can't access it.

    Windows is not *nix, the Windows developers learned from the mistakes of sudo.