Heh, but they're being quite reasonable:
http://www.microsoft.com/windows/products/windowsvista/features/details/useraccountcontrol.mspx
It's just that the majority of users aren't going to read that, or the quite reasonable consumer security guidelines. They can fix that by linking to guidelines (like the guide linked at the bottom of the above page) as part of the UAC warning. They won't though, because some marketing type will worry that it will alienate non-technical users. I don't think UAC is a bad thing, it's just a sucky implementation. This is in part down to non-compliance of applications, but I think the blame there lies dually with Microsoft and developers that claim their apps are Vista Ready.
The secure desktop, as used by the UAC, doesn't require Ctrl-Alt-Delete. That was removed somewhere during Vista's testing process. In fact pressing Ctrl-Alt-Delete stops the UAC process and takes you to a screen that allows you to switch user/launch the task manager etc., so a spoof program would present exactly the same behaviour except it wouldn't exit after pressing Ctrl-Alt-Delete. That's not a distinction most users are going to appreciate.
The problem with the UAC prompts is that people are going to end up pressing yes as a reflex action. In part because most applications are currently not entirely Vista friendly, which means they invoke UAC (sometimes unnecessarily) an awful lot. This is not entirely Microsoft's fault.
But, you're right, spoofed authentication dialogues are something most current desktop OSes suffer from. It's just that Vista currently liberally displays the dialogue, which I believe will have a counter-productive effect. Crying wolf.
It would be interesting to know how easy it is to spoof the dimmed screen; you don't have to press Ctrl-Alt-Delete to enter the password. I think you've raised pertinent questions. Without getting into the nuts and bolts, which I hope to do in the following weeks, I would rather defer the question to others. However it should be more difficult: http://blogs.msdn.com/vishalsi/archive/2006/11/30/what-is-user-interface-privilege-isolation-uipi-on-vista.aspx
IIRC the UAC prompt operates in something called the secure desktop which would also have to be compromised. The devil is in the detail though, so I'll hedge my bets.
I think that's true, but I think the issue here isn't really one of something being wholly bad, rather the implementation. I think bitching is good, it's not like it's going to affect Microsoft's market share, and if they choose to listen to constructive criticism Vista has a good chance of being the most secure consumer operating system. One of the things Apple have done particularly well is insulate users from their stupidity, and while it's not a total mitigation it is some mitigation, which I think the current UAC implementation does badly for the reasons I've outlined elsewhere on this post. True, for some fairly legitimate reasons, people have a beef with Microsoft, but that doesn't automatically mean that all criticism is irrational.
I think it's more a case of a hack that allows misrepresentation, after all it doesn't escalate privileges or straight out compromise the system. But in combination with the standard social engineering as seen on most malware sites it should be classified as a hack.
Actually, I would have no problems with Microsoft's security claims if they added the "properly fitted" blurb. In fact I applaud their Vista features page for that reason; their security blurb on that page is excellent and is good for the user. That page is how it should be done. Their security guides for Vista are among the best Microsoft has ever produced. But in general they haven't been so good. I have never once, in all of these threads, stated that I think education is the sole answer - but as such Microsoft have done a very poor job of educating or insulating the user. They could do much better. In general I think UAC is a good thing (particularly for corporate desktops) but I think the present implementation sucks, and will probably be addressed in future versions. In fact I'm willing to bet that the present implementation was a marketing compromise rather than something a technical person pushed for.
With standard Vista accounts users have to enter an admin password as well as click the UAC confirmation. This is similar to Ubuntu when standard users want to use admin privileges or even OS-X. I'm not suggesting Microsoft would dare rip-off OS-X though... heh.
The point you seem to have willingly ignored is that in order to drive a car, in the real world, people have to have achieved a certain level of proficiency. Which is why the "you wouldn't blame Chevrolet ..." arguments are so weak. Computer users mostly don't have to take a test - so please don't ignore that - it's rather a large aspect of modern computing. A company that claims a product has a certain level of security out of the box (would you like me to cut and paste the marketing blurb?) that actually offers a system that is no more secure than its users, is not really right in making those marketing claims. If you look at the marketing for most other real-world security products they usually say something along the lines of "Provides security if properly fitted". Microsoft say "Provides security", without the "properly fitted" bit. As such its competitors in the OS market do a better job of insulating users from their stupidity. What you're arguing for is not insulating users from their own stupidity. That's fine as long as you don't market on the basis of security or live in the real world.
Because the current UAC implementation has counter-productive properties in the form of overoptimistic assumptions. The majority of things people install will be benign, so the UAC pop-up is something that is going to desensitise users to its importance. To get the best level of security out of Vista people will have to read Microsoft documents like Security Best Practice Guidance For Consumers. On the whole they won't. Which means that UAC's assumptions that people won't just click yes are off the mark.

I don't know which world you live in, but in my world generally users don't bother reading up on security when they run Windows, which means that the importance of good security processes is obvious. The current UAC interface ensures that users will get complacent. It will, I think, be something that Microsoft will improve upon over time.

A big problem with any security system is user complacency, especially with routine things that mostly present no problems. The malware isn't Microsoft's fault, but given they know their users they could do more to educate from within the OS (rather than relying on them reading technical documents from their website).
The point being that buying a gun, unless it's illegal, is a little more difficult than buying an operating system. It doesn't make Microsoft responsible for every malware instance (the people creating the malware are), but it does mean that they have a responsibility to ensure the users are aware of the risks. I don't think the present UAC implementation is adequate, particularly with the initial account having admin rights. I'm not talking about blame, rather the process of marketing an operating system as protecting users, when what it actually does is desensitise them to security pop-ups. It will desensitise them because the majority of programs they install will be benign, therefore they will end up clicking yes as a reflex action. I don't think UAC is a bad thing, just the present implementation of a binary yes or no question combined with users that know little or nothing about security.
It will be scary the first few times. Given that most of the stuff people install is benign they're going to rapidly become desensitised.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
No, not unless Smith and Wesson were selling guns to people they knew were going to misuse them. Microsoft knows that many of their users are totally security clueless.
The problem is that most of the time people are going to be running programs with no security issues. This will lead, given most computer users don't understand the concept of system files (let alone computer security), to people clicking yes as a reflex action. UAC is good for users who know what they're doing, the problem is that as a consumer operating system, the base users won't. UAC will be excellent for corporate use though (provided the IT administrators know their mustard).
My problem with UAC is that I bought a new computer recently, with Vista pre-installed, and during the initial setup it prompted me to create a user account. The user account had full admin privileges. I immediately set up a lower privilege account for general web browsing etc., and when using that account not only do I have UAC confirmation messages, but I also have to enter a password. That is a good thing - rather like 'su' in Unix-like operating systems or Ubuntu's locked screen admin method. Users just aren't going to realise the importance of what they're doing with just binary yes or no security questions. If anything, with the initial account defaulting to admin, Pavlov's-dog-like, they're going to be conditioned to hit yes without thinking. People aren't paranoid even though people are out to get them.
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
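An added check for readers of this thread (my own example; it is not code from any post above, nor from Microsoft): a PowerShell script that reads the UAC policy values from their documented registry location and reports whether the current account is a member of Administrators running under a filtered token, i.e. the kind of default admin account the post above says should not be used day to day. It assumes Windows with UAC (Vista or later) and the `whoami` tool; the "deny only" check relies on the English text that `whoami /groups` prints for a filtered Administrators group, which is an assumption about that output format.

```powershell
# Added example, not code from the thread or from Microsoft.
# Reads the UAC policy values under the documented policy key and checks
# whether the current session is an administrator whose token is filtered.
# Assumptions: Windows Vista or later, `whoami` available, English output.

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # whoami /groups lists every group in the current token with its attributes.
    # With UAC on, an unelevated administrator still carries BUILTIN\Administrators
    # (S-1-5-32-544) in the token, but marked "Group used for deny only".
    $adminLine = (whoami /groups) |
        Where-Object { $_ -match 'S-1-5-32-544' } |
        Select-Object -First 1
    $isAdminMember = [bool]$adminLine
    $tokenFiltered = $isAdminMember -and ($adminLine -match 'deny only')

    # Only the unambiguous weak settings are flagged; a missing value means
    # the OS default applies and is reported as-is rather than guessed.
    $findings = @()
    if ($p.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (EnableLUA = 0): processes get the full token with no prompt.'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts are not on the secure desktop (PromptOnSecureDesktop = 0): no dimmed screen, so a spoofed dialogue is harder to tell apart.'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin = 0): no consent prompt at all.'
    }
    if ($p.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users are denied elevation outright (ConsentPromptBehaviorUser = 0) instead of being asked for an admin password.'
    }
    if ($isAdminMember -and -not $tokenFiltered) {
        $findings += 'This session already holds the full administrator token (elevated, or UAC off).'
    } elseif ($isAdminMember) {
        $findings += 'This is an administrator account with a filtered token: a standard account is the safer choice for daily use.'
    }

    # New-Object rather than [pscustomobject] so the script also runs on the
    # PowerShell versions shipped for Vista.
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 0 = UAC off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate without prompting
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser  # 0 = automatically deny
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = isolate the prompt, dim the screen
        IsAdministratorMember      = $isAdminMember
        TokenFiltered              = $tokenFiltered
        Findings                   = $findings
    }
}

Get-UacState | Format-List
```

Run it once from a normal (unelevated) session and once from an elevated one: on an administrator account the first run reports `TokenFiltered = True`, the second `False`, which is exactly the distinction the consent prompt is meant to mark. On a standard account `IsAdministratorMember` is `False` and elevation goes through the credential prompt the post describes.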
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer literate users (nobody else).
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.