Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:Define "volunteer." on Who Wrote, and Paid For, 2.6.20 · · Score: 2, Insightful

    Thing is, even though some of those changes were done by programmers in the course of their paid jobs, isn't the work still being "volunteered," albeit by the company rather than an individual?

    If my large copy jobs are routinely late and I call Officemax and tell them they need to get their heads out of their asses, fire the guy responsible, and get me my stuff on time; am I volunteering my free consulting services to Officemax? It is all a matter of perspective. The term "volunteer" in our culture generally carries implications of altruism rather than self interest. The important point to take away from this is that despite the common perception otherwise, most Linux development is done for profit, even if that profit is not accumulated in so direct a manner as selling the OS.

  2. Re:Why is the victim silent? on California Joins Open Document Bandwagon · · Score: 1

    If the palying[sic] field becomes level and multiple vendors compete to serve them while being fully inter-operatble, it will be the corporate America that will benefit most. Technically they are the victim of the monopolistic deeds of MSFT. Still they remain silent, and the Govenment, after protecting the citizens from their own stupidity (seat belts, airbags, spacing between crib railings) now comes to rescue corporate America?

    Corporate america is not a single entity that acts in a unified fashion. It is a horde of competing companies. Many of those companies probably know that it is in the best interests of corporate america as a whole to switch to open standards, but that does not make it in the best interests of any one company to switch until the others have done so. Aside from that, they can only ask for action through the government.

    If Government intervention is what it takes to force a level playing field, I will accept it. But still I would prefer it if market forces create a level playing field instead of government mandates.

    It is important to note, that the government is not mandating open standards for corporate america, only for the government themselves who can afford to act in more long term ways. As for "market forces" the point of a monopoly is significant influence in a market to bypass market forces. You can never rely upon market forces to correct a monopoly.

  3. Re:A pseudonym? on Academic Credentials and Wikiality · · Score: 1

    ...no one in India is getting taught critical thinking, logic, or rhetorical methods in their early education. In some areas, we may well have moved too far away from rote skills: it'd be nice to see the basic rules of grammar and spelling drilled in a touch more, neh?

    I disagree. Spelling and grammar are useful for precisely communicating, but for the most part the average person's ability to spell and apply grammar rules seems, to me, to be sufficient to communicate what they want to communicate. I've worked as both an editor and a writer in my time and I understand the value, but I think the importance placed upon it, relative to things like logic, is sadly inappropriate.

    And "appealing" to formal fallacy is itself an informal fallacy -- I defer to Einstein and Hawking when it comes to matters of physics.

    No it isn't, unless you mistake the purpose of the formal definitions. Any given statement is not proven correct or incorrect by who said it, but by the merits of the statement itself. We may trust certain authorities more, but their being an authority is not an argument for correctness in any given case. If you are uninformed enough so that you don't understand a given subject then certainly you cannot have a useful opinion on that subject and should defer to someone or to the collective opinion of society, but it is a logical fallacy to mistake that for you having evidence that that fact in question is correct.

  4. Re:A pseudonym? on Academic Credentials and Wikiality · · Score: 1

    That's a good way to foist your blame on surrounding people, virtual or otherwise. You screw up and it's the "user base's" fault?

    Who screwed up? What was the error here? If anything the error was made by users and admins on wikipedia (the user base) who supported keeping something in a wikipedia article solely because they believed that this person was authoritative or had some degrees and therefor that item must be correct.

    You screw up and it's your fault, not mine. I reject your attempt to lob guilt upon me for your shortcomming.

    Guilt? Guilt is emotion and has nothing to do with this. This is about correctly determining facts. The blame for incorrectly determining them falls right upon every person who uses an illogical method for that determination including espousing the illogical opinion that if this person did have all those degrees the items in wikipedia would be any more or less correct.

  5. Re:A pseudonym? on Academic Credentials and Wikiality · · Score: 1

    No, the slippery slope argument is just that: an argument. Just because something can be a fallacy does not mean it always is.

    "slippery slope" is a term traditionally used to describe a logical fallacy, if one thing(X) happens and results in another(Y) that therefor yet another thing(Z) will happen and result in an increase of that(Y). No logical fallacy implies that the actions involved won't happen, simply that the argument that follows the fallacy provides no support for if it will or will not and is thus not a useful argument and should be ignored.

    ...(in the most trivial case, literally: if you push that box onto that slippery slope, it will slide all the way to the bottom).

    Wow, where to start with this. An enemy may actually be made out of straw, thus the 'strawman argument" is not a logical fallacy. By this line of reasoning you could come up with some obscure justification for something called by the same name as each logical fallacy and thus conclude that there are no logical fallacies, only arguments which can be true sometimes. Putting a box on a slippery slope and it sliding down, is not an example of the slippery slope fallacy.

  6. Re:Wiki equality applies to the higher ups too on Academic Credentials and Wikiality · · Score: 1

    If this person has been using those fake credentials to gain support from others while editing articles, then maybe a ban is appropriate.

    If a person is using fake credentials to gain support and actually gets it maybe both he and all his "supporters" should be banned, since "appeal to authority" is a classic logical fallacy and in no way provides evidence that any given information is true. Experts can be just as wrong as other people and they can lie. Facts need to be determined by logic, not emotional dependance upon someone's supposed certification.

    Actually, admins have quite a bit of potential to corrupt Wikipedia content, especially if they can gain the support of other admins by presenting them with false credentials. Users can be blocked and pages can be protected from editing except by admins.

    Perhaps one of wikipedia's requirements for being an admin should be to read and understand the wikipedia page on "logical fallacy" so that admins can make logical choices.

    But Wikipedia doesn't really have a totally egalitarian editing policy. When the content of a page is disputed by an admin and a non-admin, the admin is going to win the dispute 9 times out of 10.

    Ahh, but since anyone can be become an admin and admin status is not in any way tied to whether or not one has particular educational certificates how does this particular instance reflect the disparity?

    Even moreso if the admin claims to have certain credentials.

    Sadly, this reflects a problem with the users of wikipedia, the admins, and the general populace. Most people don't understand logical decision making and thus make illogical decisions. This is not so much a failing of wikipedia as a failing of the general populace and the educational system reflected upon wikipedia.

  7. Re:A pseudonym? on Academic Credentials and Wikiality · · Score: 2, Informative

    This is nothing more or less than a profound appeal to improper authority, the authority being the editor in question.

    This reflects one of the greatest flaws in the US educational system. I went to public schools. I took probably 8 or more history classes, none of which ever made it to WWII and half of which spent a lot of my childhood woefully mis-educated me about the facts behind "thanksgiving." In none of my classes in public school was I taught critical thinking, logic, or the rhetorical method... vital tools for properly understanding, making decisions, and communicating effectively. We barely touched upon the scientific method, despite having numerous general science classes. Even in order to get my undergraduate degree I was never required to take a course in the rhetorical method.

    If education in the US provided proper building blocks and intellectual tools, instead of rote memorization of both true and false "factoids" the situation where one person fakes their credentials would be of no matter. Appealing to authority is a logical fallacy as any properly educated person knows. The sad fact is, most people are so poorly educated that even politicians have no problem not only espousing obvious logical fallacies, but calling them by name (slippery slope is a fallacy and calling something a slippery slope does not bolster your argument, it undermines it, when taking to people who understand the rules of logic). This is not a failing of this person or wikipedia so much as a general failing of the wikipedia user base.

  8. Re:Silly article: on Who Needs a Satellite Dish When You Have a Wok? · · Score: 2, Insightful

    You have to compare the downside-- if the Wok setup goes down for any reason, what is the cost per hour to the station? Initial purchase price isnt a very good barometer here.

    Have you factored in the free advertising this just brought to them? They just paid for a lot more than one uplink with the millions of people viewing an article about them.

  9. Re:I surprised you saw UAC at all. on Tricking Vista's UAC To Hide Malware · · Score: 1

    Correct. You *MUST* be an admin to install an application system-wide. This is completely logical and I wouldn't expect any less.

    You're missing the point. By default all installers ask for admin permission and run as admin. If you download an installer, you have to go out of your way to run it as a normal user, which people simply aren't going to do. Thus, there is basically no motivation for developers to write installers that do that. Further, since MS has not provided an official non-admin service for handling licensing of software, developers have a lot of motivation to keep doing the same thing they have been.

  10. Re:But, What Now? on Tricking Vista's UAC To Hide Malware · · Score: 1

    No, my point is the absolutely secure system you want is impossible for anyone to deliver on.

    But I don't want an "absolutely secure system" as I pointed out. I want a "reasonably secure system" designed with the current malware problem in mind. 25% failure rate is not reasonable.

    What one person thinks is a completely secure usable system another thinks is full of holes and barely usable. I'm not saying complaining is wrong, or discussing security is bad. Just that satisfying everyone is impossible.

    Results are measurable. Simply designing a system so that a current security expert could look at it and at least think it might have a significant benefit seems pretty reasonable to me. UAC is a marginal improvement in Windows to try to bring it up to the level of security of other OS's that don't have a malware problem in the first place and thus aren't designed to handle what Windows needs.

    There is always a tradeoff between user-friendliness and security and software developers need to decide where to draw that line. Some want it way to one side while others want it way to the other, but someone is always complaining. People need to be a little more realistic in their expectations.

    This is a fallacy. Please stop repeating it. Security and user friendly are not diametrically opposed. Many, many security improvements also improve usability. The fact that inept security people and the general populace have seen the trend to add user unfriendly technologies as way to improve security is something MS is taking advantage of with UAC. It is obviously user unfriendly in a blatant way, so most people assume it adds security, but realistically, it adds very little. MS, however, is more interested in the perception of security anyway.

    Adding false positive security alerts to a UI reduces user friendliness and reduces security. I'm taking MS to task for not giving a damn and not even really trying to solve the main problem, which is their security assumption that if a user runs it, the OS should trust it. This is quite simply not the case and the fact that MS still insists on designing based upon that assumption at the same time that they reduce user friendliness by repeating the same UI mistakes that they have been taken to task for by UI experts for over a decade means we should all be speaking loudly enough to be hard over the PR machine that this is not "good enough."

  11. Re:But, What Now? on Tricking Vista's UAC To Hide Malware · · Score: 1

    No matter how well of a security system MS designs, idiots will always find a way to break it.(and Slashdotters will always find something to bitch about it)

    No matter how much progress we make in the medical field people will still die. (and AMA correspondents will always find some disease to complain about)

    I guess I'm just not understanding the point of your comment. Are you saying computer geeks like us should just ignore huge security problems, and since no security can be perfect we should all just give up and stop pointing out problems? This is a forum for computer geeks. MS has poorly designed a half-assed security system. You think it would be best if we all just kept quite about it and went on about our business, rather that trying to discuss the issue? Why are you here commenting in the first place?

  12. Re:But, What Now? on Tricking Vista's UAC To Hide Malware · · Score: 1

    I don't know what world YOU live in, but ignoring security recommendations, not researching anything, and just clicking "Allow" without a clue to what you are allowing is not Microsoft's fault.

    And here is the fundamental misstatement of the security problem that has plagued the industry for years. Security is not about figuring out who can be blamed for failure, it is about preventing failure. If I design a system where when you run malware it says, "this program is malicious, don't run it (Don't Run)(Run) along with a graphic" but also install a method of running an electric shock through the mouse and keyboard so that every time the user clicks (Don't Run) they are shocked, have I designed a secure system? After all, if the user is clicking (Run) it is their fault right? I've successfully shifted the blame, does that mean I've designed a secure system? Hell no!

    All good security design takes into account the human element. Security scans at the airport of people on a "list" are wholly ineffective because so many people are on the list that the humans in the loop become conditioned to assume they are all false positives. Likewise, providing (Cancel)(Allow) dialogue boxes that are all the same with a high ratio of false positives for every real attempted security breach is just another way to operant condition people to mindlessly click "Allow."

    Does that make it Microsoft's fault?

    If MS designed a security system without taking into account that most of their users are "shaved apes" then yes, it does make it their fault that it is insecure.

    How do you suggest Microsoft cures the world of dumb computer users who won't do what they are told, and what go against what common sense would dictate?

    Gee, they could design systems for the people that actually use them and provide those people with both the information they need to make good choices, the ability to make those specific choices, and a good user interface so that they are able to actually get the information instead of being inundated with hundreds of false positives.

    The problem with Vista's security is not that "users are teh stupid." It is MS's basic premise that programs should have complete access or none, without the user being given enough information to know if they can trust that application. Any system attacked as much as Windows and run by as novice of users as Windows should provide a competitive marketplace for certification of trust and should sandbox all applications based upon that level of trust. The user should never, ever be asked to allow or deny some program from doing whatever unspecified thing it is that the program wants to do, but should very rarely ask a user if some program should be allowed to exceed the predetermined level of trust it has been given in a specified way, i.e "the program 'marsblast' would like to read your AddressBook file (Stop it from reading my AddressBook file)(Let it read my AddressBook file once)(Always let it read my AddressBook file)." If MS had to compete for users, instead of having a monopoly, they would have implemented this 5 years ago. UAC shows they still don't give a damn about security, but are willing to make a "me too" entry that is a decade late, and implemented half-assedly.

  13. Re:We need to cut down on the complexity. on Tricking Vista's UAC To Hide Malware · · Score: 1

    If you can execute arbitrary code* at the user's permission level, you have access to everything the user can do; set up a user cron job, for example, to get instructions from a botnet. or even just launch your great ad popup campaign every 30 seconds while the user is logged in.

    Ahh, but does the user's non admin account have permission to open up the port to connect to the IRC control channel, or whatever is being used in the current botnet control tools? Does the user have permission to root the box, so that it can disable the antivirus, so it is not detected? Does it have permission to send ICMP pings to DoS some server?

    In many cases the answer to these questions is "no." Most worms these days are trying to root machines and setup a botnet. Some uses of the botnet can be accomplished without admin access, but a lot of them cannot. Botnets mostly are used to send spam and launch DDoS attacks. Can a non-administrative user change the mail server or start a new one? A bot without administrative access can certainly launch an HTTP based attack, but other types are somewhat limited. I don't even think you could launch a proper DDoS on the root DNS servers without admin access.

    I beleive[sic] that application level permissions is the future of computer security.

    I agree with you there and am a big proponent of MACLs. I'm not trying to imply that application level security is not needed, only that there are some real differences between the dangers posed by compromising a user account on a UNIX machine, versus on a Windows machine, or root on either.

  14. Re:Isn't this the whole point of UAC? on Tricking Vista's UAC To Hide Malware · · Score: 2, Insightful

    At which point I would expect the user to go "hmm, this isn't right" and then attempt a virus scan or to stop visiting the website that keeps prompting them.

    That sort of depends upon how high the false positive rate is in general.

    The UAC is not a magic bullet, but it is a far better solution than anything we have today. Do you have a better idea? Don't let these programs run at all?

    I'm not saying UAC is worthless, just that it is far from ideal, or even sufficient to provide the security needed by the average user. As for having a better idea, I sure as hell do. I think any reasonable security engineer who looked at Windows with the goal of solving the malware problem would conclude several things. First, Windows is attacked so much more often due to its dominance that the security mechanisms on more secure desktops, like Linux, are still insufficient to solve the problem. Second, if you look at the most secure OS's available today, they've all gone the same route, mandatory access controls. That is to say, locking down security on an application by application basis with restrictions for all resources, not just files or network ports.

    Moreover, MS already started to implement a signing framework needed to bring MAC to a desktop user in a usable way and the NT kernel has built in support for the kind of ACLs needed. The answer is pretty obvious at that point. The assumption that users will know if they can trust a given application and are not going to run software that they don't expressly trust is an incorrect assumption.

    MS engineers, however apparently look at things a little differently. Instead of innovating a solution to the problem or even copying the really secure systems on the market, they looked at their closest competitors and tried to come up with something that would be "close enough" to what Linux and OS X have implemented that people would not see them as way behind anymore. They seem to have been trying to solve the problem that people perceive them as insecure, rather than the problem that users cannot do what they need to do securely. UAC addresses the perception by being very visible, while not really getting there for actual security.

    As for their application signing solution (a needed tool for both users and the OS to determine trust) MS's normal self seems to have undermined it by building a framework designed around lock-in, rather than one that fosters competition among certifiers of trust that would lead to really useful information. At this point, I basically have no faith that MS has the ability to engineer a truly secure solution and the only hope for MS's customers is that someone else will do it so MS can copy it.

  15. Re:UAC is not there for *user* protection on Tricking Vista's UAC To Hide Malware · · Score: 1

    Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?

    The purpose of a Smith and Wesson is to shoot a person. The purpose of a consumer desktop OS is to run that user's software. If during the normal course of operation I needed to be some sort of an expert in order to safely fire a Smith and Wesson without the bullet hitting my foot, then yes they would be liable. Since most people are not coders and most software is not open source the fact of the matter is almost all users have to run software they don't completely trust in order to perform normal operations with their home computer. I don't trust Adobe, but I do need to run their software to do my job. I don't completely trust the Apache developers, but I don't have time or expertise to review all the code.

    A properly designed consumer desktop system would take into account that most users need to run untrusted software and design the OS to do so with some level of security. UAC is MS's halfhearted attempt to sort of restrict applications a little bit in some instances, but it is nowhere near sufficient for the average user to be able to use with a reasonably low risk of malware infection.

  16. Re:Isn't this the whole point of UAC? on Tricking Vista's UAC To Hide Malware · · Score: 0

    Using the aforementioned vulnerability, I can send as many UAC prompts as I want. If I send 10 a day at random times, with different messages how long do you think it will be before the user accidentally clicks "Allow" or gets annoyed and turns off UAC?

  17. Re:No tricking involved on Tricking Vista's UAC To Hide Malware · · Score: 1

    And IIRC, the Vista buttons are labeled "Allow" and "Cancel" which I believe are both verbs.

    They are verbs, but they are not unique verbs associated with the action being taken, so much as generic terms. By presenting them repetitively, users are subjected to operant conditioning. People aren't machines, or at least not the same kind of machines as computers. After the 20th or 30th time clicking the same button, it starts to become a conditioned response and after a few years, users often don't even remember having clicked it.

    And for the record, I think Microsoft and Apple both stole the bases of their respective UIs from Xerox at the Palo Alto Research Center way back in the day...

    Well, you could say "Apple" stole the UI, but that is a pretty biased viewpoint from what I've read. As I understand it, Xerox developed a UI, but then mothballed it and developers from Xerox went to Apple and arranged a partnership with their old company to let them develop something similar for Apple. As for who MS stole their UI from, well they lost the lawsuit that says they copied it from Apple and paid fees to Apple in the beginning, so I unless there is a lot of information I don't know, they seem to have copied the Mac, not Xerox.

  18. Re:No tricking involved on Tricking Vista's UAC To Hide Malware · · Score: 1

    Wait, I thought Vista stole it's UI from OS X, which supposedly has the best UI on the planet. Hmmm...

    You're probably trolling, but on the off chance you're not, I'll respond. While a lot of both the feature set and the graphic effects in Vista seem influenced by OS X, the UI itself is still pretty much based upon Windows 95. Just because you are copying elements from a UI, by the way, does not mean the end result will be usable if you don't copy everything exactly and don't understand why certain elements were used in certain ways. For this particular case, you'll note OS X itself does not run afoul of the OK/Cancel mistake, because they name all buttons for real actions (OK is not a verb) and provide unique dialogue boxes and buttons for each occurrence and as rarely as possible.

  19. Re:We need to cut down on the complexity. on Tricking Vista's UAC To Hide Malware · · Score: 1

    To the *NIX crowd: Please, please, please stop trivializing the destruction of a user's home folder. For home use, there is rarely more than 1 user, and loosing[sic] all documents/etc is marginally better than reinstalling the whole OS.

    There is one important reason why compromising a user account versus compromising a machine makes a difference and that is, just compromising a user account does not necessarily give a worm author sufficient access to add a machine to a useful and profitable botnet. As such, even if a worm author can destroy everything in the user's home directory, they aren't going to because it doesn't make them any money. Being so poor you can't afford shoes won't help you outrun any muggers, but it is likely to decrease your chances of being mugged in the first place.

    There is no reason that an application should have this kind of permission, IMO, we need to look past user level permissions to application level permissions, as this is where real security exists.

    I 100% agree on this point. It is long past time Windows made use of NT's ACL capabilities. I'm hoping Apple gets their MAC and signing frameworks up and running correctly in the next few years so MS has something to copy.

  20. Re:I surprised you saw UAC at all. on Tricking Vista's UAC To Hide Malware · · Score: 1

    So MS decided that running such apps should be a pain in the ass - at first it will be bad, but once developers rewrite things to works a standard user (and they will be forced to do it, or users will get mad), UAC warnings will appear when something does really need user attention.

    Except that by default, whether it needs permission or not, installers ask for and run with admin permission. That means developers have no motivation to to stop writing installers that require administrative permissions and malware writers' trojans that ask for suck permission will not stand out even if developers did change their behavior for some other reason.

  21. Re:No tricking involved on Tricking Vista's UAC To Hide Malware · · Score: 3, Insightful

    ...microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.

    The "OK/Cancel mistake" has been in usability textbooks as an example of what no to do for more than a decade now. It is quite clear to anyone who has had any formal training in human-computer interaction that either MS hires the worst UI people on the planet, or the marketing department overrides all of the UI people's proposed changes. It is also clear that either MS is only vaguely aware that UI deign is an important part of security, or they are a lot more interested in providing the perception of security than the reality. My opinions is that Vista security is a lot like searches at the airport. For the most part it is completely ineffective at actually increasing overall security when it is important, but it is very, very visible and "in your face" so people assume "something is being done" and are mollified.

  22. Re:We need to cut down on the complexity. on Tricking Vista's UAC To Hide Malware · · Score: 1

    OpenBSD is just as susceptible to someone downloading an evil binary and clicking "Yes" as Windows is.

    This is not exactly true. On OpenBSD finding a local elevation vulnerability to allow you to root the machine from an untrusted account is nontrivial. To date, that is not the case with Windows, including Vista which already has unpatched, outstanding elevations. Further, on OpenBSD the user can install software as the local user for the most part, whereas users are prompted for admin access to run installers, by default, in Windows. Finally, you can install TrustedBSD and run said malicious evil binary without any real risk.

    In general, however, I think you're correct. Microsoft should not be looking at the average OpenBSD install as the model for their security because Windows has a different set of problems than OpenBSD. Windows is constantly being subjected to attacks by malware and if OpenBSD was subjected to the same level of attack, it would adapt and develop more secure methods. MS should be looking at TrustedBSD or SELinux as the model for their security. Copying OpenBSD (which is sort of what UAC is an attempt at) is not sufficient to actually solve their problems.

    In order to provide users with a secure desktop, MS has to innovate and be one of the first to adapt ultra-secure MAC type security in a novice user desktop. Sadly, MS is not exactly up to the challenge of innovating much of anything, especially when three vital components of such a system are fundamental security, user interface design, and competitive third party integration. MS constantly puts marketing and bundling ahead of security, makes terrible UI choices, and uses every new feature to lock out competition rather than invite it in some market. As such, I don't believe they are capable of providing a secure OS.

  23. Re:But, What Now? on Tricking Vista's UAC To Hide Malware · · Score: 1, Insightful

    Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?

    Well, one obvious answer is to provide fake UAC authorization prompt for dozens upon dozens of applications and hide the real UAC prompt in the middle of them. After six or seven the average user will just start hitting "Allow" for everything under the assumption that they need to to get their OS to work again, or they will turn of UAC entirely.

  24. Re:UAC is not there for *user* protection on Tricking Vista's UAC To Hide Malware · · Score: 2, Insightful

    I would be interested in what you consider would protect the user. You have three options here. 1/ No-one decides what goes on your computer. It's an open free-for-all. 2/ Microsoft decides what goes on your computer. Corporate lock-down. 3/ You decide what goes on your computer. You're the boss.

    The basic problem is the assumptions behind your classification. You assume that "something on your computer" equates to "your computer is compromised." I agree that the user needs to be the one determining what is installed an further, I agree that the OS should, "warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide." You're still missing a piece of the puzzle here. The OS needs to let the user what is going on, very specifically and the OS needs to let the user allow and deny behaviors very specifically. That is how UAC fails.

    Which is pretty much what is happening here. And still people complain.

    The Register described UAC as "too little too late." That about sums up my opinion. It is a baby step in the right direction, but no where near enough to actually solve the problem users have and because of the implementation of certain elements may lead to long term greater insecurity because of the way it trains users.

    Here's a simple example of how UAC fails and why. A user downloads a trojan installer and double clicks on it. Installers, by default, run as admin and require the user to click "Allow" in a UAC prompt. This means a trojan installer and a freeware game installer appear, to the user, to be exactly the same. Worse, the user has been asked to click "Allow" many times for other procedures where there was very little risk. What would make any reasonable security person assume the user will not click "Allow?"

    My assertion is that by default the user should be allowed to install anything they want, but that all software should run in an ACL sandbox, by default, and should be restricted from certain behaviors by default and that the user should be prompted not when installing software, but when the software actually tries to do something most legitimate software does not need to do, and then they should be given well crafted dialogue boxes with unique actions for buttons to avoid conditioning.

    This is entirely doable, it just requires that MS take security seriously and actually looks at the problem and the behaviors of users and creates a technological solution designed to solve that problem. UAC is a "me too" solution that tries to bring security up to par with common Linux and OS X desktops, but it ignores that those desktops are not under constant attack by malware while Windows is. Windows needs to be better than the average Linux desktop in order to provide users with the same risk of infection. UAC is nowhere near the level of security needed and the poor UI design exacerbates exisiting security problems brought on by previous poor UI designs in Windows.

  25. Re:Is that the best he can come up with? on Windows Vista - Still Fresh After 19 Months? · · Score: 5, Insightful

    I assign keyboard shortcuts to all my commonly used applications. I might go digging around in the Start Menu a couple times a week, but's hardly a reason to change operating systems.... Is that really a huge efficiency boost? I use Windows Search even less than I use the Start Menu. It's very rare that I don't know where to find something on my own machine. Does anyone else use the Search function that often? For what are you typically searching?

    This was almost exactly my attitude when I started using Mac OS X 10.4. Spotlight indexed searching, well okay, but I don't really do that. I now use spotlight every day for both finding some document and quickly starting applications. In less than a second, using only the keyboard, I can do a search for some string and open that PDF file I was reading about the MPLS adoption in Europe. I don't need to know if it was in my e-mail attachment inbox, saved to the desktop, or if I was a good boy and actually filed it with my research materials. In less time than that I can search for and open some program I rarely use but recall the name of. Imagine if your search was globally accessible from the keyboard and faster than going to the start menu and selecting something for items you haven't made shortcuts for. For those items you did make shortcuts for, there is no need. Photoshop is "cmd-space+p+h+enter" and it is open.

    Now my experiences with Vista RC1 were somewhat less encouraging, but I'd have a hard time giving up my indexed search at this point and I imagine in a year or two when MS has ironed most of the bugs out, you may find yourself feeling the same way. I would seriously try using these features for a while and see what your opinion is then, rather than pre-judging them.