2008 Pwnie Award Nominees Announced
ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community,' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. As the next step, the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"
Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.
I believe security can sell, but that paranoia and pestering won't. Mandatory access controls, role-based access controls and POSIX access control lists do not require pestering dialog. There are general-purpose operating systems rated A1 on the old Orange Book scale - the highest rating for host security you can get - and I doubt a single one requires massive user intervention to do anything more complex than Solitaire.
I would argue, then, that the article is wrong on Vista, that Vista is NOT the most secure offering from Microsoft because users stop trusting the security facility and are more likely to accidentally permit applications to do something stupid. You have to consider the wetware, and the wetware is very easily overloaded with trivia. Vista is only the most secure offering from Microsoft if nobody uses it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The UAC prompts in Vista seem annoying because they make a bad first impression... a lot of what you're doing with a new or upgraded computer is installing and tweaking things.
Linux and Mac OS aren't really any different, I'm not sure why but they seem to get a bye on what is essentially the same thing (sudo GUI).
No kidding. This needs to be modded as high as it can go: Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.
UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"
How the fuck should I know?!
I mean, really, has anyone actually looked at those prompts? I consider myself fairly computer literate, but the prompts confuse me. I have no idea what they're asking about.
Consider going to a car mechanic, and being told "we need access to your car, cancel or allow?" Do you allow them to have access? After all, they need access to your car to fix it. But do you trust them?
In real life, you might do research on that. But you can't research the prompts in Vista. They're system modal. (Really. Microsoft themselves killed system modal mode in Windows 2000 only to reintroduce it in Vista.) So you can't go and look up if SMENTTYN.EXE is something you need to allow to access C:\WINDOWS or is something that shouldn't.
(And what, exactly, does "access C:\WINDOWS" mean? Read something? Write something? Execute something? Who knows!)
So instead most users just get fed up and Allow everything.
And when they get pwned by a trojan horse that they never thought to question, Microsoft can honestly say that Windows didn't let it in: the user did by clicking "allow."
Ignoring the fact that the user wasn't given enough information to make an informed decision and that Vista doesn't allow the user to do anything else until they've answered the question.
Vista provides the illusion of security, but it's actually less secure than XP, since it conditions users to blindly allow everything they're asked to do until they get fed up and learn how to disable the security entirely. At least XP only asked Cancel or Allow when running executables downloaded from the Internet instead of just about everything.