If Microsoft's basic security model has really not changed since NT 3.1, then there was really no reason to implement Vista's UAC...
Right. Just like if Linux's "security model" hasn't changed since 1991 there wouldn't be any need for those nice graphical sudo prompts and the like that everyone gets now.
UAC is little more than UI gravy. It's mostly about putting a prettier and more automated face onto "Run As", much like the graphical sudo prompts in OS X and recent Linux distros do. The underlying ACL-based multiuser security model that actually makes it possible has not changed since day 1.
But if you really think Microsoft's basic security model has not needed to change, then you have no reason to complain about any virus or IE-exploit malware that you get between now and Windows 7. Or maybe 8.
I've been running NT as a regular user since early 1996. As such, I've been no more worried about IE exploits than I have about any other userspace code exploits (on any of my machines, be they Windows, Linux, FreeBSD, Solaris, OS X, or whatever).
Oh, and I'm still waiting to hear about these "inherent problems", rather than rhetorical, anecdotal FUD about problems in the UI and userspace programs.
And I want to repeat: if you really don't know, then you are not qualified for this discussion.
I *do* know, which is why I want to hear what bullshit you're going to make up to pretend *you* know.
I guess you have to define 'comparable form' since the entire OS and updates are available as white box ....
How about "direct from the vendor, in a supported and trusted form".
This is the comment I was replying to:
Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS.
Red Hat will most certainly NOT "update your system to the latest version" for "free".
Pardon me, I should qualify that statement. If you are referring to Vista, which arguably has respectable security, my reply is: maybe the security is okay but nobody wants to use it. If, on the other hand, you are referring to Windows 7, then my reply is: we'll believe it when we see it.
Since the fundamental design of Windows security hasn't really changed since Windows NT 3.1, I still want to hear about why it's any more or less "inherently insecure" than other platforms.
While anecdotes from Windows users regarding how they tried to make an inherently insecure system secure could be extremely valuable [...]
Perhaps you could expand on how Windows is any more or less "inherently insecure" than other platforms.
With fiber channel and infiniband becoming more common, servers are moving away from direct attach storage. It simply doesn't need to be there.
Not everyone has the storage needs a SAN provides. Particularly when it has a pricetag in the ballpark of an order of magnitude higher.
DASD isn't going anywhere.
Updates are available regardless.
No, they're not. At least not in any comparable form.
The whole model is not comparable to MS.
That I can agree with.
Red Hat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS. (The price is "free", btw).
Depending on the support contract, Red Hat costs you anything from US$500 to US$thousands per year for updates. That's a long way from "free".
"what" or "why" - the point is it needs to be meaningful. And many times, it really does know why. Possible things would be: "Adding items to system startup" or "Registering new system component (COM)" or "Modifying file extension associations" - The registry is a hierarchy, and the UAC can know what the registry entries mean. How about "updating system file" for file system stuff.
I am not going to argue the implementation could not be improved. However, my point was that it *does* provide more information than the alleged none at all. With that said, it's pretty much a certainty that most users would have neither the knowledge, nor interest, to understand such information.
Not fixed on my mom's computer.
For example?
First, the user doesn't, and should not have to, understand the difference.
99% of the time, they never have to.
They drag something in their start menu, it should change.
And that's what happens. The only time you will get prompted is modifying the "All Users" Start Menu, which means either a) you're trying to modify an existing "All Users" item, or b) you've deliberately delved into the directory structure behind the Start Menu and are changing the "All Users" section. Just dragging and dropping something onto the Start Menu won't hit the "All Users" section (unless you're trying to drop it into some folder already in the "All Users" section).
I can only see this being a problem if you're the kind of person who likes to constantly rearrange and rename items in the Start Menu just for the hell of it. I doubt such people are a significant proportion of users.
If it was a system-wide setting, then it should now be a local setting.
This kind of defeats the purpose of a system-wide "setting".
On OS X, I've never had to understand that there was a difference at all.
OS X doesn't have the same focus on centrally managed environments that Windows does. (Fundamentally, Windows is built to be used in a centrally-administered, domain-authenticated, corporate environment. The "home user" stuff is tacked on afterwards, and not always well.)
The government has no business in deciding here.
They're not deciding, they're informing.
Are you liable?
No.
Yes.
Same goes with them. The moment they created the site, allowed indexing and added a search bar, they became personally responsible.
So Google is "personally responsible" for everything it indexes?
No, the wheel group is an ordinary user group that usually carries no permissions of itself. Wheel users have exactly the same right as normal users, with only one exception: wheels can be elevated to root.
Which is the same as the 'admin' group (or whatever they've called it) in Vista.
In fact, on some systems the wheel/admin/whatever group *does* have additional permissions. In OS X, for example, members of that group have write access to /Applications and some other system directories.
The user will be presented with a non-informative Cancel/Allow box which can easily trigger a Pavlov response.
Actually the box will tell you which application is requesting elevation, and ask you if it was because you triggered it.
How again are they similar?
In pretty much every way except UAC being slightly more automated and heuristic. Especially from the end user perspective, where the distinction between "requesting an elevation prompt" and "triggering an elevation prompt" is, at best, irrelevant. The idea that security prompts in other OSes are any less "Pavlovian" because the underlying triggers have somewhat different implementations, is laughable.
The typical end user does not understand and does not care why an elevation prompt has appeared. If they did, the "malware problem" would never have grown past the "slightly irritating" phase.
Like there weren't any fat and lazy kids before the invention of the Playstation?
I would certainly say that sedentary lifestyles have become a lot more common over the last couple of decades. Game consoles aren't the only factor, by a long way, but they are certainly a contributor.
Back when I was a kid, game consoles were expensive and, hence, uncommon. The cartoons and such on TV were much better than they are today, but they were also only on for a couple of hours in the afternoon, rather than 24/7. You pretty much *had* to go outside and do stuff because there wasn't anything else *to* do.
Although, like I said, it's hardly the only contributing factor. Increasing urbanisation (so less space for kids to get out and do stuff), substantially worse diets (and much easier access to bad food), the modern scourge of helicopter parents who won't let their kids outside for fear they'll be kidnapped and, of course, the inevitable feedback loop because every other kid is in the same situation (so even if you do let your kids out of the house, no-one else will, so they'll just go to someone else's house and sit around doing nothing).
The argument that "We don't host the files so we are not at fault" is extremely weak.
Indeed. Kinda like the argument that gun sellers only sell the guns, they don't fire them, is extremely weak.
All media should be free. Okay, done. Now if all media is free then all software should be free. Okay, done. Now all services and products should be free. Okay, done.
This is what's known as a non-sequitur.
If we were to make all media free it would in effect kill the fish, in this case big media, and if we were to do that then there would be:
No, it would not.
And embedded system designers. Not all of them are iPhones.
Here I was thinking we were discussing the retail versions of Windows.
Again: Why would this be at all difficult?
It probably isn't. However, you need to justify the development change itself (and the work involved), the QA, and support for both it, and all the stuff it breaks. Where's the payoff for that in making a group of people happy who would almost certainly never be your customers in the first place?
Linux boxes can't install or uninstall anything as a regular user, they need root privs to do that.
A process running as a user can do whatever it wants to the user's home directory. Why do you think malware can't be run from a user's home directory?
This is a huge defense mechanism that Windows does not have, it is very much central in protecting the system from malware.
Windows most certainly does have it. That many people run as Administrator and effectively circumvent this is a separate issue.
The whole point is, however, it's almost completely irrelevant. Malware doesn't need elevated privileges to do pretty much everything it might want to do.
That's the UAC. Security a 5-year-old could click past.
So if you're one of the minority where a password is required, configure it to use one.
1) Doesn't prompt for admin password. Instead, it just prompts Cancel / Allow.
Irrelevant for the common case. You can configure it to ask for full credentials if you want to.
2) Doesn't tell you what or why it is prompting.
It does tell you what. The "why" could be useful, but it's highly likely this information could not be presented in a user-friendly manner.
3) Double prompts. (And worse)
As I understand it, this has been improved with SP1.
- Modifying the start menu. Other OSes just modify your local one.
Modifying your Start Menu items does not prompt. Modifying the system-wide one, obviously, does.
- Read-only access to system level items. Going to the various control panels should not require admin access.
Er, you don't...
What Microsoft should have done on Windows Vista:
What you list is basically what they did.
So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).
Or they realise that your system would take about a decade to phase in and are currently at about year 3.
That depends on how you define "multi user".
Indeed. If you define it the same way as computer scientists and OS developers, then Windows NT is multiuser.
If you define it like an anti-Windows troll, then it isn't.
A multiuser OS is one that can run processes in different user contexts. Everything above that is userspace gravy. An OS doesn't even need to be capable of supporting interactive logins *at all* to qualify as multiuser.
If you mean it can have multiple user accounts but only one can be logged on at any one time on the same box then it is. This is what Microsoft define as "multi user".
No, they don't.
In the non-Windows world "multi user" means that multiple users can be logged on at the same time; Windows has never been able to do this. This is vintage Microsoft problem solving at work; just redefine the terms rather than fixing the real problem.
Firstly, NT has always been able to handle, say, multiple users telnetted in - if you want to use that definition of "logged in". If you want to use another definition, "Run As" has always existed and when you "Run As" a program as another user, that user account is logged in. If you want to use the "GUI login" definition, then multiple GUI logins have been around since NT 4.0.
Secondly, by your wrong definition, the only thing you need to turn a single user OS into a multiuser OS is a telnet server (or something similar). Do you seriously want to try and argue that Windows 95 running a telnet server is a multiuser OS?
Thirdly, by your wrong definition, running Linux on embedded hardware that has no ability to facilitate interactive logins makes it a single user OS. Do you really want to argue that when you can't log in to it, Linux is a single user OS?
This means that even if you do try to modify your Windows box to something resembling a more secure *nix like model, every app will be fighting you on it, demanding admin rights for the simplest, most menial things.
Actually it's nowhere near that bad. I've been running Windows NT as a regular user since early 1996, and even back then it was unusual to find something "Run As" (or some judicious filesystem permissions mangling) couldn't make work.
UAC is an attempt to glue in a kinda *nix sudo function which is long overdue, but it's never going to work that well.
UAC is basically an attempt to put a prettier and more automated face on "Run As". The underlying technology to facilitate it has been there since the first version of NT, back in 1992.
This is the reason why *nix boxes would never have the same malware problem if they had Windows market share.
Yes, they would (especially if they'd had that market share through the same time period - do you have any idea how common UNIX exploits were in the 90s?). User privilege separation is almost completely irrelevant to malware. A piece of malware can do basically anything it needs to from a regular user account.
Windows was designed as a single user system with the user sitting at the box.
Windows NT has been a multiuser system since day 1.
In which of your three choices would you categorize MacOS X? And this is a genuine question, not fanboism.
OS X would be a '3'.
What Microsoft actually did was make "Administrator" accounts into something more like "user" accounts, and add a level of privilege yet higher than administrator.
On a UNIX system, these are called the wheel group (might be 'admin', or something similar, depending on exactly which UNIX), and root, respectively.
While the underlying implementation is quite different, from a high level, all Microsoft have done with UAC is implemented a somewhat automated "sudo" with "%admins ALL=(ALL) ALL" and made the default user an 'admin' instead of an 'Administrator'.
This is why it is hilarious to hear all these people going on and on about how the "security model" in OS X or Linux is so much better because of sudo, etc. It's exactly the same.
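As an added example (not code from the thread or from any of the projects mentioned), the sudoers line quoted above can be audited: this script parses a constructed sudoers fragment and reports, for an account and its groups, whether it can run arbitrary commands as root and whether it must authenticate first, which is the difference between a credential check and a bare Cancel/Allow prompt. The fragment, account names and group names are all constructed.

```python
"""Audit which principals in a sudoers fragment can become root.

Constructed example. It handles the subset of sudoers syntax used in
the comment above ("%admins ALL=(ALL) ALL"), plus the NOPASSWD tag and
a specific command list, and reports who gets unrestricted root and
whether a password stands between them and it.
"""
import re

# who  hosts = (runas[:rungroup]) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample; not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root        ALL=(ALL) ALL
%admins     ALL=(ALL) ALL                 # password-checked elevation
%wheel      ALL=(ALL) NOPASSWD: ALL       # silent elevation path
backup      ALL=(root) /usr/bin/rsync     # one command only
"""


def parse_sudoers(text):
    """Return a list of rule dicts for the user-spec lines in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, Defaults and alias definitions; only user specs matter here.
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # sudo runs as root when no (runas) list is given; "(ALL:ALL)" keeps the user part.
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "who": m.group("who"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "commands": m.group("cmds").strip(),
        })
    return rules


def rule_applies(rule, user, groups):
    """True if the rule's principal names this user directly, via %group, or ALL."""
    who = rule["who"]
    if who == "ALL" or who == user:
        return True
    return who.startswith("%") and who[1:] in groups


def who_can_be_root(rules, user, groups):
    """Return (can_run_anything_as_root, password_required) for the account.

    Only rules granting ALL commands as root/ALL count as full elevation;
    a single allowed command (like the backup account) does not.
    """
    matching = [
        r for r in rules
        if rule_applies(r, user, groups)
        and r["runas"] in ("ALL", "root")
        and r["commands"] == "ALL"
    ]
    if not matching:
        return (False, True)
    # One NOPASSWD rule is enough to make elevation silent for this account.
    return (True, not any(r["nopasswd"] for r in matching))


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, groups in [("alice", {"admins"}), ("bob", {"wheel"}),
                         ("backup", {"users"}), ("carol", {"users"})]:
        can, pw = who_can_be_root(rules, user, groups)
        print(f"{user:7s} root={can!s:5s} password_required={pw}")
```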
Windows isn't even a monopoly either. Vista's flaws have seen the OS X market share increase.
Note that from a legal perspective, Windows and OS X are not competitors, so OS X's market share has zero impact on whether or not Windows is a "monopoly".
Sure, it goes a bit further than Linux or MacOS (e.g. requiring permission to change the time) [...]
You need elevated privileges to set the time on a Linux system (as you should). It's been a while since I actually did it manually, but I would assume you do on OS X as well (and if you don't have to, then you should).