Charge for matchmaking like Steam does. Provide an actual service instead of trying to keep a certain sequence of bytes a secret and hand it out selectively. This argument would suggest that a game like say Portal, which doesn't have an online gameplay component should always be free. It doesn't make sense. What if the online gaming service is provided by one company and the game by another? Each one is entitled to charge for the service in the manner they see fit, just as consumers are entitled to pick their products and services based on what pricing they think is fair.
I don't feel for the publishers at all. Their software is an infinite good. It doesn't make sense to charge for copies when it costs a penny to press a disk and costs a hundredth of that to offer it for download.
Strongly disagreed
It doesn't matter that it takes 1 cent to press a disk. How much did it cost to make the software, and how many disks did you sell? If your development cost was 10 million dollars, and you sold 10 million copies, you would have to charge at least $10 per disk to break even -- simple math.
It doesn't matter that it's an infinite good either, and that at $10 per copy, every sale after 10 million is profits. They are still entitled to think that they are providing you with a product/service that is worth at least $10 and that is what they ask you to pay them for it. Easy example is a $50 game that you spend one month playing for about an hour a day -- it's not an unreasonable price to ask -- if a customer isn't willing to pay that price, they shouldn't buy the game. If consumers show a trend of "getting the game by hook or by crook", then the publisher will add copy-protections.
It's really that simple -- it comes down to simple human nature. As long as there exists theft / shrink / infringement (whatever you wanna call it), there will be copy-protection. It's up to the govt./courts to step in and define our (consumer's) rights clearly to make sure our rights don't get trampled on by these copy-protection mechanisms.
The ultimate copy protection: Quality product at a reasonable price.
Strongly disagreed.
Copy-protection (akin to shrink/theft prevention) is a completely separate issue from pricing.
Customers have every right to think a product is overpriced, and not make a purchase. Similarly publishers have every right to think their product is worth a certain price, and charge accordingly. They might price themselves out of the market if they get the pricing wrong, but they are still well within their rights to decide their price. There might be a tradeoff where a certain price point strikes an optimum balance between legal purchases and illegal downloads - but there's not been a proven case of that happening yet (though hopefully Amazon will prove to be just that for MP3s at least).
Ultimately this argument might work for something like music which is a 1-dollar or less purchase. But this same argument won't extend well to movies, games, operating systems etc. where even the break-even price point could be anywhere from $10 to $100. Comparing that against 'free' -- it's easy to predict what choice most people will make.
it doesn't treat me like some criminal. I don't want my software to stop working because I had no internet access. I feel for the publishers as much as I do for the consumers. Without copy-protection it's just too easy for people to rip-off the publishers. I think for people without net-access, phone-in activation is a decent substitute.
I admit I didn't read the article, but for every new and ridiculous height publishers go to for copy-protection, there's a new and ridiculous height that crackers go to, to break the protection and then they put the results on bittorrent.
I think it's another case where the law woefully lags behind technology. There need to be laws (urgently) protecting consumer rights when copy-protection is applied, just like there's the DMCA which helps publishers go after people who circumvent their protections (helps a little too much).
The point being, once the law makes it clear what copy protection can and cannot do, then at least the publishers have guidelines to work with and can go to town with copy protections but still not trample on our rights.
I especially think the "treating us as criminals" argument is given way more weight than it's really worth. I mean, does anybody have a better idea about how to validate s/w as being legally purchased other than using some product activation mechanism (whether it works over the phone or net)?
"DOS ain't done, til Lotus won't Run" was *well* known back in the 80's in my user group. I call BS.
Everybody loves to trot out that phrase, but it's a complete myth. Let me quote the relevant part of that link:
I first asked Mitch Kapor, founder of Lotus, and his quote was "I've heard the stories over the years, but I don't have any specific recollection that there was a devious silent break of the kind you mentioned. I also have a bad memory." Kapor was kind enough to put me in touch with some old Lotus people he knew. And they all corroborated the story: "It's an interesting myth, and one I've heard about in general terms, although I've never heard the specific quote before. However, I have no recollection of any instance of its actually happening with 1-2-3 or with any other product I've worked on." And, "My memory of the early days (1984-85) is that we would get early betas of DOS to test with 1-2-3 and any errors that we found were 'bugs' in DOS and fixed by Microsoft.
In order for the RMS system to work, any computer interacting with an RMS "protected" file must disobey its user if so ordered. This is what I mean by groupthink. It sounds really awful when you put it that way, but it just isn't true.
RMS servers are sold to enterprises for them to be able to protect their content (strategy memos, design docs, etc.). This is the property of the enterprise, and if the enterprise wants to employ access controls it is within its rights to do so. Your rights did not get trampled when you tried to circumvent RMS protections. In some organizations (healthcare/insurance/customer service) for example where customers' private information should only be accessible on a need-to-know basis, you in fact might have been trampling on somebody else's rights by trying to circumvent it. So please don't pretend it's all black-and-white "my computer disobeyed me so MS is evil" stuff.
We are talking about Mandatory signing. I want my OS to ask "what you are about to do is often considered stupid, are you sure about that?" before I attempt to load an unsigned kernel driver. To you the most important criterion seems to be obedience from your computer. For the 99% of the world's computer users who don't understand the difference between a signed and unsigned driver, or the gravity of your proposed warning, that makes for an easy design decision. The cost of signing isn't prohibitive, and the certificate authorities aren't controlled by MS - so I don't understand why this is a problem. If you want to load some custom driver you are working on, why not buy a signing cert. yourself? I had a conversation with a guy sometime back that was creating drivers for alternative input devices for disabled people. I'm sure you could get charitable funding for that sort of thing, because as I said, the cost is simply not prohibitive. Even if you think it is, you should blame Verisign for that and not MS.
I would be able to load unsigned drivers if I felt like it. I would be able to designate my own set of trusted keys and/or CAs. Why stop there? Why not plug in an alternative task scheduler? Or a new file system driver, to make windows work on ext3? If you want to do these things, the OS that best fits you is Linux - there's simply no doubt about it. If, like the rest of the world, the computer is just a tool to get stuff done, at least for now, your solution is Windows or OS-X. Different design decisions in windows are the result of a different target audience -- not flaws just because they don't meet your requirements to a T.
Security and control are, in some respects, similar; but never make the mistake of assuming that they are either identical or interchangeable. Strongly agreed -- but you shouldn't make the mistake of assuming that the lack of an option is automatically "disempowerment", and done with malicious intent.
I'm not just fudding about Vista DRM-OMG!, I'm talking about things like Rights Management Services, and mandatory driver signing. Dude -- if you think this isn't FUD, you've allowed groupthink to take control of your mind. I urge you to take control of it again.
RMS is a server, and client API, that can be used to add encryption to your applications. For example, if you are a design company and you buy a CAD tool which has implemented protections using the RMS API, you can buy an RMS server from MS and set it up. Now when you want to distribute a design company-wide you can click on a template (say, "company confidential"), and it will be encrypted and the server will only hand a decryption key to company employees. Or you can share more broadly or more granularly too. If an employee puts the design on a USB drive (or gmail) for use later on her laptop at home, she can do that too -- but the design is still encrypted (and hence protected). And there's almost nothing extra that users need to do, beyond the creator needing to click the "company confidential" template. Bottom line is, the control of your IP is now in your hands. Now that's empowering.
Mandatory driver signing is a good step too: if a driver runs in kernel land, it's absolutely imperative it be signed. You don't want a malware infected driver getting loaded do you? Don't think of drivers as just device drivers -- they can take many forms (file system filters, many modules of AV programs etc.). If you don't have a guarantee that these things have not been tampered with, don't you think it's a terrible decision to allow it to run in kernel mode? In general signing is a good practice even for non-kernel mode drivers and even applications.
If they don't register themselves (and probably a file extension) they are not proper windows apps - and access to those parts of the registry needs admin privs. What is your definition of 'proper windows apps'? In any OS you'll face the same issue when registering file handlers. There are security implications if you allow file handlers to be modifiable without admin privs.
- For many programs (say office/notepad/firefox/cmd.exe) the answer will be "No". I agree... Once installed. Correct. UAC prompt during installation. No UAC prompt when running the program.
No, Cmd never needs admin privs It depends on what you're doing. 'net time/set' for example requires you to run elevated. 'dir', for example, will not. Same case with powershell -- it depends on what you're doing.
Why would a Firefox plugin need admin privs? I said, while installing a plugin...
It should be the difference between a user app and a service. An app should never need admin privs not even for install. Not necessary. In addition to the example of registering file-handlers, just for example, a particular app might need to add or update dlls in system32 depending on whether it requires a particular QFE to be installed, and whether or not it is present on your system.
You fail to understand that on Unix/Linux a downloaded file is _not_ a program that will run. It needs to have a specific 'chmod -x name' in order for it to be executable. This is something that Windows users often fail to understand.
1. sh malware.sh will work even if malware.sh only has r-------- permissions.
2. The underlying assumption was a social engineering attack -- so the user is consciously following whatever steps are needed to execute the malware.
3. The alternate scenario (exploiting a security hole) relies on, for example, buffer overruns and other exploits to execute code -- not launching a program the way you normally would (in linux, or windows).
In the 'sudo case' you failed to get over the hurdle that it won't run at all so there is no 'sudo case' I just debunked that above.
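The point about `sh malware.sh` is easy to confirm. The script below is an added example, not code from the thread: it creates a harmless constructed stand-in named `payload.sh` with mode r-------- (no execute bit), shows that the kernel refuses to execute it directly (this applies to root as well, since execve() needs at least one x bit), and then shows that handing the same file to an interpreter runs it anyway. `WORK`, `payload.sh` and the `payload-ran` marker are all invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates that the execute
# bit only gates direct execution via execve(); an interpreter that merely
# reads the file runs it regardless. payload.sh is a constructed, harmless
# stand-in for the "malware.sh" of the post.
set -u

WORK=$(mktemp -d)                 # scratch directory (assumption: writable tmp)
trap 'rm -rf "$WORK"' EXIT
SCRIPT="$WORK/payload.sh"

# Constructed script body: prints a marker so we can tell whether it ran.
printf '%s\n' '#!/bin/sh' 'echo payload-ran' > "$SCRIPT"
chmod 0400 "$SCRIPT"              # r-------- : owner-readable, no execute bit

# Returns 0 if the kernel will launch the file directly.
# With mode 0400 this fails with "Permission denied" (exit 126), even for root.
can_exec_directly() {
    "$1" >/dev/null 2>&1
}

# Returns 0 if the file runs when passed to sh.  Only read access is needed,
# and that is exactly what a downloaded file normally has.
can_run_via_sh() {
    out=$(sh "$1" 2>/dev/null) && [ "$out" = "payload-ran" ]
}

# The same check after the user is talked into "chmod +x" (step 2 of the
# post).  Note: on a noexec-mounted tmp this will still be refused.
can_exec_after_chmod() {
    chmod u+x "$1" && "$1" >/dev/null 2>&1
}

if can_exec_directly "$SCRIPT"; then
    echo "direct exec of r-------- file: ran (unexpected)"
else
    echo "direct exec of r-------- file: refused"
fi
if can_run_via_sh "$SCRIPT"; then
    echo "sh payload.sh on the same file: ran"
fi
```

The execute bit is therefore a speed bump for the double-click case, not a barrier: anything that can get the user to type `sh file`, `bash file` or `python file` (or to run `chmod +x` first) gets code execution with the user's privileges, which is the precondition the social-engineering scenario above assumes.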
The foolishness is that a UAC occurs frequently for many things that are trivial so a significant one hides amongst the annoying ones. This is a complete myth. Once their machine is set up, the average user will not see a UAC prompt more than roughly once a month (patch tuesday) or so.
Anyway UACs are not to help security but are merely to transfer blame: It is not MS's fault any more, it is the user's fault because they allowed the security failure to infect the machine. Whatever dude...
As most users don't know why the UAC popped up anyway then how do they tell the difference? I already addressed that in this thread itself -- you don't normally see a UAC prompt unless you're installing apps/messing around with settings, etc. If you're just editing docs, browsing, checking email, watching a movie, and you get a UAC prompt, something is wrong -- simple. Users who don't have the expertise to understand what that sentence means should not have admin accounts - so they won't get any UAC prompts anyway. And the problem of distinguishing malware from legit apps is not what sudo or UAC are intended to do -- they are tools to enforce the principle of least privilege.
Except that forcing people to enter their *Admin* password to escalate their privileges also forces them to stop and think "hmmm does this program REALLY need that type of access?" Sudo and UAC both grey out the entire desktop, and pop a system modal dialog that prevents you from doing anything else until you respond to it. If that's not enough to tell the user something big is happening, the password part isn't going to help either.
Additionally if the person is not an admin for that machine, they won't be able to install the software without someone's help, ideally an individual who took the time to NOT give them an admin account for just this reason... so they wouldn't install malware by mistake. Right, and that's exactly how it works for UAC as well. If you're not an admin, your only option for installing something that requires admin access is calling an admin to help out. You won't get a UAC prompt (you have to do what's known as an 'over-the-shoulder' elevation instead, which requires the admin to enter their user/pass to "run as admin").
SUDO doesn't work if it is turned into an obligatory prompt dialogue that people just click through mindlessly. The reports of UACs annoying-ness are greatly exaggerated. As a Vista user since around launch date I can tell you I'm not used to seeing a UAC prompt at all. Patch Tuesday and Firefox updates are probably the only time I see them -- and that's exactly the way it should be.
Well, if I can install a program for me *as* me on windows, I don't need UAC. I don't need root to install Loki's Rune on linux. I need it for windows as it currently is. But that's a function of different installers - not of the OS capabilities. Even registry keys have ACLs in windows and it's possible to write an installer so that you can install programs on a per-user basis without needing to elevate -- its just that most windows developers choose not to write their installers this way.
As to why this doesn't work is that Windows requires access to the registry, access to the C:/Windows/system32 directory, it requires all sorts of access that it doesn't REALLY need (if there was a delineation between "System"/"Admin"/"User" roles and filesystem access). Not necessarily true. System32 contains OS binaries. An application shouldn't install anything inside system32. An exception being when an application depends on a QFE being applied to some dll in system32, or to add a system component that wasn't present. In any case installing the QFE/component even by itself (without the application) would have required you to elevate. It's the same as an installer needing to update/add a .so in some system location in linux -- the installer would need to pop a sudo prompt.
And while here, to answer BAG's point, the thing is, if you hose your system and ONLY break your data, you can restore that data or re-create it. This doesn't affect your wife's data, nor the data for your two kids. If the badness was done by Admin/root, you can't trust your OS so you must install the entire system again, THEN restore from backup YOUR data, your WIFE's data, the data for your KIDS. Good point. BUT..:)
The solution to all this is completely unrelated to elevated privileges and file system ACLs. The proper solution is to give people a way of knowing whether or not they can trust the applications they are installing. And the answer to that is digital signatures, and roots of trust. Throwing a big-ass alert when an installer is missing a signature, or has an invalid/expired signature is what's required -- and windows and OS-X already do this (I'm not aware if linux has this infrastructure or not -- I think it doesn't). Of course, this has a cost implication to developers trying to distribute random shareware they create, but it's not prohibitive and it's a necessary step. For an average user, it's much easier to educate them to never, never ever install something that isn't signed, vs. educating them to recognize what they should and should not install (globally, locally or any which way).
There is a problem in this thinking. The sudo prompt is only expected to appear in certain situations (such as clicking on administrator mode button in certain dialogs), not randomly when browsing the web. AFAIK, on Vista it can appear anytime application asks for it (but I am not Vista user). Not true -- what happens when you launch synaptic, for example? You get a sudo prompt. Most gui apps (installers, administrative widgets) that require admin privs are going to start with gksudo or whatever to elevate.
The part about a prompt appearing when you're randomly browsing the web also still applies. i.e. the assumption here is that a security hole in your browser has been exploited because you went to a website that has malicious content. The hole was exploited to remotely execute code. This code, in the hypothetical scenario will throw some message that convinces the uninformed user that they actually want to proceed and then spoof a sudo prompt (or even display a real sudo prompt).
The situation is just hypothetical -- social engineering attacks generally don't need to exploit exotic holes -- they just need to entice the user into doing something dumb (install this codec to see Paris Hilton naked). And the average linux user is simply not going to fall foul of it. But the central point remains -- there isn't much point to asking a user for a password when elevating privileges, and actually asking for one is a weakness.
The only (not really valid) argument in favor of the password is "if I lend my machine to someone for 5 mins they shouldn't be able to muck around with it". Well, don't give your machine to people who will muck around. If you don't have that level of trust -- make them use the guest account. If you walk away from your machine -- remember to lock it before you get up.
Windows Vista does all the wrong things
- Prompts for permission on both installed and uninstalled programs repeatedly
- treats an install the same as running a program
That's actually quite inaccurate:
The question is do you need admin creds to run the program / installer or not?
- For most installers the answer will be "Yes".
- For many programs (say office/notepad/firefox/cmd.exe) the answer will be "No"
- For the same programs, the answer could sometimes be "Yes" (cmd.exe, firefox to install a plugin, etc.)
Note that you won't get asked to elevate every time you launch the app -- though you can configure it that way if you wish. The app needs to be coded correctly to understand when it needs to elevate (for example the way firefox will pop a UAC prompt only when it wants to upgrade itself or install a plugin -- but otherwise pretty much runs UAC-free). This is pretty much as it should be.
If an application actually needs to run as administrator to function correctly (even when the app doesn't actually do anything that requires admin privileges) -- it means it's a pre-vista application that was poorly written and ignored MS's platform development guidelines (for XP). UAC annoyances serve to expose those apps, and their next iterations will be better. Tough decision on MS's part, but it had to be made, and it was definitely the right call.
Seriously, people bash UAC, but it's pretty much identical to sudo. In fact, I can think of a scenario in which UAC is actually better than sudo:
In a social engineering attack where you download some program (malware) and run it -- the malware could spoof a UAC prompt -- if you are foolish enough to click "Allow", well, nothing really happens because the program didn't get elevated privileges (since it was a fake UAC prompt). In the sudo case, the equivalent level of foolishness has you entering your password instead of merely clicking "Allow". Result is that the malware has your password now, so it's basically Game Over.
Of course, this is probably a moot point because a better social engineering attack would actually do something causing a genuine UAC prompt (instead of bothering to spoof it). The level of foolishness required to click "Allow" is probably the same in both cases.
I guess where UAC becomes valuable is when an attacker has managed to exploit a hole, to execute code remotely without requiring you to fall foul of a social engineering attack. This way you know you haven't done anything to deserve the UAC prompt that just popped up, so you know that you should click "Deny" here. This might still fail to protect users that have absolutely no clue, but honestly they shouldn't be running an admin account anyway (and hence should not be able to elevate a process).
The installer allowed you to install for the current user (in their home directory) or, if they wanted it in a central location, as root in /usr/local/games.
Loki did it in Linux.
Why can't MS do it in their installers? It does - the default path is program files, and you are free to change that to your home directory if you wish. Anyway, what has that got to do with security/trojans/UAC?
The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are. This is truly the meat of the issue. The vendor (MS in this case) has actually tried to address this issue. The idea is to verify digital signatures instead of hashes (more secure, scalable, and puts the 'trust' issue in the hands of a third parties - Verisign mostly). Windows already has a catalogue of signatures for all system binaries. Updates are also signed by MS's signing certificate. The main remaining hole is drivers - and MS tried to make it compulsory for drivers to be signed in Vista, but got threatened by some industry group or the other (can't remember the details now), so we'll have to wait for the next version of windows for this. Once they're able to enforce the rule that only signed binaries are allowed to be loaded into the kernel, it becomes a much more manageable task to ensure that the kernel has not been compromised.
With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums? Actually -- applying updates + drivers means that your hashes are no longer completely verifiable from the live CD. Even if you maintain an updated database of hashes there is no guarantee that the malware has not written hashes into it that will check out ok, for the infected binaries. That's why a digital signature is more important.
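The weakness of a hash database that lives on the same writable disk as the binaries it describes is concrete enough to show. The script below is an added example and not part of the thread: it builds a throwaway "system disk" with one constructed binary and a sha256 manifest, copies the manifest onto a read-only "LiveCD" directory, then plays the attacker, who replaces the binary and rewrites the on-disk manifest to match. Verifying against the on-disk manifest passes; verifying against the copy the attacker could not write to fails. All paths (`DISK`, `LIVECD`, `/bin/ls`, `sha256.db`) and file contents are invented for the demo, and `sha256sum`/`shasum` are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the original thread.  Shows why an on-disk hash
# database proves nothing once the disk is writable by the attacker, while
# a reference the attacker cannot modify still catches the change.
set -u

# Hash helper: GNU coreutils sha256sum, or shasum on BSD/macOS (assumption).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

DISK=$(mktemp -d)      # stands in for the (possibly infected) root filesystem
LIVECD=$(mktemp -d)    # stands in for read-only boot media
trap 'rm -rf "$DISK" "$LIVECD"' EXIT

# Constructed "system": one binary and a directory for the hash database.
mkdir -p "$DISK/bin" "$DISK/var/lib/hashdb"
printf 'clean binary v1\n' > "$DISK/bin/ls"

# build_hashdb OUTFILE: write "<sha256>  <path relative to disk root>" lines.
build_hashdb() {
    : > "$1"
    for f in "$DISK"/bin/*; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#$DISK}" >> "$1"
    done
}

# Initial, trusted state: the db is generated and a copy goes to the LiveCD.
build_hashdb "$DISK/var/lib/hashdb/sha256.db"
cp "$DISK/var/lib/hashdb/sha256.db" "$LIVECD/sha256.db"
chmod 0444 "$LIVECD/sha256.db"

# verify_against DBFILE: 0 if every listed file still matches, 1 otherwise.
verify_against() {
    db=$1
    rc=0
    while read -r want path; do
        have=$(sha256_of "$DISK$path")
        [ "$have" = "$want" ] || rc=1
    done < "$db"
    return $rc
}

# The attacker's move: trojan the binary and, since the hash db sits on the
# same writable disk, regenerate the db so the trojaned file "checks out".
infect() {
    printf 'trojaned binary\n' > "$DISK/bin/ls"
    build_hashdb "$DISK/var/lib/hashdb/sha256.db"
}

ondisk_db_passes() { verify_against "$DISK/var/lib/hashdb/sha256.db"; }
livecd_db_passes() { verify_against "$LIVECD/sha256.db"; }

infect
if ondisk_db_passes; then echo "on-disk hash db: all files OK (attacker rewrote it)"; fi
if livecd_db_passes; then echo "LiveCD hash db: all files OK"; else echo "LiveCD hash db: /bin/ls MISMATCH"; fi
```

The read-only copy works here only because nothing changed legitimately between the two checks. Once updates and new drivers have been applied, the LiveCD copy is stale, and the only reference that can be both current and trustworthy is one whose authenticity does not depend on where it is stored, which is exactly what a vendor signature over the manifest (or over each binary) provides: the attacker on the disk can rewrite hashes but cannot produce a valid signature without the vendor's private key.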
Then you haven't seen lot of newest applications. Other developers already mimic that. Which ones? Why don't you get specific? Which applications mimic the ribbon, and what is it in the menu that makes it a 'ribbon'? You already got it dead-wrong with defrag.
And I have used Office Vista too. Then your hatred of MS is clouding your vision -- causing you to see ribbons where they don't exist.
p.s. I had to use Defrag tool wich uses Ribbon style interface now too. Talk about wasting time to find SIMPLE FUNCTION in that mess. You clearly have never used the ribbon. As of now, nothing uses the ribbon except MS Office. Period. Open your eyes man -- your hatred is blinding you.
An invite-only conference where they test how well their product does? No testing happens at Blue Hat. The idea is from MS to have the best from Black Hat speak to its own people - an idea interchange. It's MS-internal because MS wants its employees to get exposure to this information, and so that MS employees can discuss specifics (with the invitees) that are relevant to them.
You'll get skewered data that we all know they're going to use to bash Linux and support Windows This site does not rely on data (skewed or otherwise) to put MS on the proverbial skewer. For a very recent example, look at the thread earlier today (where one journalist theorizes that MS may at some future date put some 'copyright cop' on Zunes, and /.ers were out in the numbers to condemn the evil empire without once stopping to notice that this simply wasn't true!)
But instead of trying to focus on fixing up the problems with their operating system, Ballmer is focusing all the company's attention on trying to acquire Yahoo so that he can do battle against Google. The Yahoo acquisition is just the current 'hot button' topic. On what basis do you suggest that Ballmer is not focused on Windows as well?
SAP and Google don't hide their protocols and they aren't monopolies 1. You don't know that.
2. If they choose to, there is nothing illegal about it (thanks to EU's myopia).
3. Having a majority share makes no difference. It should either be legal or illegal. Otherwise you're punishing success. i.e. you're biasing what would otherwise have been a free market.
The Samba team has always intended to replicate AD functionality in Samba 4, and no doubt the the EU antitrust prosecution, which forced Microsoft to make server interoperability information available to competitors, will make that easier. That's very true, but that's also exactly my point. While the EU directive on MS ensures MS cannot hold back IP/protocol/doc info (and puts low caps on the amount MS can charge, and the model by which it charges), it does nothing to ensure that in the future if the Samba folks (or anyone) need this kind of information from say SAP or Google (or anyone) that they can get it. It only forces MS to be open to interoperability -- it does not address the root cause -- that there is no legislation on openness of file-formats, protocols, IP etc., or caps or compulsion to license it etc.
That's exactly why I accused the EU of just extorting money. They are imposing fines on one company for certain violations, without actually putting in place any laws that address the big picture.
The only thing keeping the 360's division barely out of the red right now are the ridiculous 50 dollar online fees Microsoft forces (emphasis mine) their diehard 360 fans to pay for the privilege of playing online games. I see it this way: MS charges me $50/year for hosting online gameplay. The service and the experience is stellar, so I have no problem paying that fee.
In any case, the thing keeping the 360 division profitable is attach rate - MS sells over 6 games per console. This is absolutely a win-win. It gives MS a chance to make money, it means more money for the game studios, and it means customers are enjoying the experience enough to spend on games.
Strongly disagreed
It doesn't matter that it takes 1 cent to press a disk. How much did it cost to make the software, and how many disks did you sell? If your development cost was 10 million dollars, and you sold 10 million copies, you would have to charge at least $10 per disk to break even -- simple math.
It doesn't matter that it's an infinite good either, and that at $10 per copy, every sale after 10 million is profits. They are still entitled to think that they are providing you with a product/service that is worth at least $10 and that is what they ask you to pay them for it. Easy example is a $50 game that you spend one month playing for about an hour a day -- it's not an unreasonable price to ask -- if a customer isn't willing to pay that price, they shouldn't buy the game. If consumers show a trend of "getting the game by hook or by crook", then the publisher will add copy-protections.
It's really that simple -- it comes down to simple human nature. As long as there exists theft / shrink / infringement (whatever you wanna call it), there will be copy-protection. It's up to the govt./courts to step in and define our (consumer's) rights clearly to make sure our rights don't get trampled on by these copy-protection mechanisms.
Strongly disagreed.
Copy-protection (akin to shrink/theft prevention) is a completely seperate issue from pricing.
Customers have every right to think a product is overpriced, and not make a purchase. Similarly publishers have every right to think their product is worth a certain price, and charge accordingly. They might price themselves out of the market if they get the pricing wrong, but they are still well within their rights to decide their price. There might be a tradeoff where a certain price point strikes an optimum balance between legal purchases and illegal downloads - but there's not been a proven case of that happening yet (though hopefully Amazon will prove to be just that for MP3s at least).
Ultimately this argument might work for something like music with is a 1-dollar or less purchase. But this same argument won't extend well to movies, games, operating systems etc. where even the break-even price point could be anywhere from $10 to $100. Comparing that against 'free' -- it's easy to predict what choice most people will make.
I admit I didn't read the article, but for every new and ridiculous height publishers go to for copy-protection, there a new and ridiculous height that crackers go to, to break the protection and then they put the results on bittorrent.
I think it's another case where the law woefully lags behind technology. There need to laws (urgently) protecting consumer rights when copy-protection is applied, just like there's the DMCA which helps publishers go after people who circumvent their protections (helps a little too much).
The point being, once the law makes it clear what copy protection can and cannot do, then at least the publishers have guidelines to work with and can go to town with copy protections but still not trample on our rights.
I especially think the "treating us as criminals" arguments is given way more weight than it's really worth. I mean, does anybody have a better idea about how to validate s/w as being legally purchased other than using some product activation mechanism (whether it works over the phone or net?)
Everybody loves to trot out that phrase, but it's a complete myth.. Let me quote the relevant part of that link:
I first asked Mitch Kapor, founder of Lotus, and his quote was "I've heard the stories over the years, but I don't have any specific recollection that there was a devious silent break of the kind you mentioned. I also have a bad memory." Kapor was kind enough to put me in touch with some old Lotus people he knew. And they all corroborated the story: "It's an interesting myth, and one I've heard about in general terms, although I've never heard the specific quote before. However, I have no recollection of any instance of its actually happening with 1-2-3 or with any other product I've worked on." And, "My memory of the early days (1984-85) is that we would get early betas of DOS to test with 1-2-3 and any errors that we found were 'bugs' in DOS and fixed by Microsoft.
RMS servers are sold to enterprises for them to be able to protect their content (strategy memos, design docs, etc.). This is the property of the enterprise, and if the enterprise wants to employ access controls it is within its rights to do so. Your rights did not get trampled when you tried to circumvent RMS protections. In some organizations (healthcare/insurance/customer service, for example) where customers' private information should only be accessible on a need-to-know basis, you in fact might have been trampling on somebody else's rights by trying to circumvent it. So please don't pretend it's all black-and-white "my computer disobeyed me so MS is evil" stuff.
We are talking about Mandatory signing. I want my OS to ask "what you are about to do is often considered stupid, are you sure about that?" before I attempt to load an unsigned kernel driver. To you the most important criterion seems to be obedience from your computer. The 99% of the world of computer users that doesn't understand the difference between a signed and unsigned driver, or the gravity of your proposed warning, makes for an easy design decision. The cost of signing isn't prohibitive, and the certificate authorities aren't controlled by MS - so I don't understand why this is a problem. If you want to load some custom driver you are working on, why not buy a signing cert. yourself? I had a conversation with a guy sometime back that was creating drivers for alternative input devices for disabled people. I'm sure you could get charitable funding for that sort of thing, because as I said, the cost is simply not prohibitive. Even if you think it is, you should blame Verisign for that and not MS.
I would be able to load unsigned drivers if I felt like it. I would be able to designate my own set of trusted keys and/or CAs. Why stop there? Why not plug in an alternative task scheduler? Or a new file system driver, to make Windows work on ext3? If you want to do these things, the OS that best fits you is Linux - there's simply no doubt about it. If, like the rest of the world, the computer is just a tool to get stuff done, at least for now, your solution is Windows or OS-X. Different design decisions in Windows are the result of a different target audience -- not flaws just because they don't meet your requirements to a T.
Security and control are, in some respects, similar; but never make the mistake of assuming that they are either identical or interchangeable. Strongly agreed -- but you shouldn't make the mistake of assuming that the lack of an option is automatically "disempowerment", and done with malicious intent.
RMS is a server, and client API, that can be used to add encryption to your applications. For example, if you are a design company and you buy a CAD tool which has implemented protections using the RMS API, you can buy an RMS server from MS and set it up. Now when you want to distribute a design company-wide you can click on a template (say, "company confidential"), and it will be encrypted and the server will only hand a decryption key to company employees. Or you can share more broadly or more granularly too. If an employee puts the design on a USB drive (or gmail) for use later on her laptop at home, she can do that too -- but the design is still encrypted (and hence protected). And there's almost nothing extra that users need to do, beyond the creator needing to click the "company confidential" template. Bottom line is, the control of your IP is now in your hands. Now that's empowering
Mandatory driver signing is a good step too: if a driver runs in kernel land, it's absolutely imperative it be signed. You don't want a malware infected driver getting loaded do you? Don't think of drivers as just device drivers -- they can take many forms (file system filters, many modules of AV programs etc.). If you don't have a guarantee that these things have not been tampered with, don't you think it's a terrible decision to allow it to run in kernel mode? In general signing is a good practice even for non-kernel mode drivers and even applications.
- For many programs (say office/notepad/firefox/cmd.exe) the answer will be "No"
I agree
No, Cmd never needs admin privs. It depends on what you're doing. 'net time
Why would a Firefox plugin need admin privs? I said, while installing a plugin...
It should be the difference between a user app and a service. An app should never need admin privs not even for install. Not necessary. In addition to the example of registering file-handlers, just for example, a particular app might need to add or update dlls in system32 depending on whether it requires a particular QFE to be installed, and whether or not it is present on your system.
2. The underlying assumption was a social engineering attack -- so the user is consciously following whatever steps are needed to execute the malware.
In the 'sudo case' you failed to get over the hurdle that it won't run at all, so there is no 'sudo case'. I just debunked that above.
3. The alternate scenario (exploiting a security hole) relies on, for example, buffer overruns and other exploits to execute code -- not launching a program the way you normally would (in Linux, or Windows).
The foolishness is that a UAC occurs frequently for many things that are trivial, so a significant one hides amongst the annoying ones. This is a complete myth. Once their machine is set up, the average user will not see a UAC prompt more than roughly once a month (patch Tuesday) or so.
Anyway UACs are not to help security but are merely to transfer blame: It is not MS's fault any more, it is the user's fault because they allowed the security failure to infect the machine. Whatever dude...
As most users don't know why the UAC popped up anyway, then how do they tell the difference? I already addressed that in this thread itself -- you don't normally see a UAC prompt unless you're installing apps/messing around with settings, etc. If you're just editing docs, browsing, checking email, watching a movie, and you get a UAC prompt, something is wrong -- simple. Users who don't have the expertise to understand what that sentence means should not have admin accounts - so they won't get any UAC prompts anyway. And the problem of distinguishing malware from legit apps is not what sudo or UAC are intended to do -- they are tools to enforce the principle of least privilege.
The solution to all this is completely unrelated to elevated privileges and file system ACLs. The proper solution is to give people a way of knowing whether or not they can trust the applications they are installing. And the answer to that is digital signatures, and roots of trust. Throwing a big-ass alert when an installer is missing a signature, or has an invalid/expired signature is what's required -- and windows and OS-X already do this (I'm not aware if linux has this infrastructure or not -- I think it doesn't). Of course, this has a cost implication to developers trying to distribute random shareware they create, but it's not prohibitive and it's a necessary step. For an average user, it's much easier to educate them to never, never ever install something that isn't signed, vs. educating them to recognize what they should and should not install (globally, locally or any which way).
Aaargh! "much around" should have been "muck around". Both times!
The part about a prompt appearing when you're randomly browsing the web also still applies. i.e. the assumption here is that a security hole in your browser has been exploited because you went to a website that has malicious content. The hole was exploited to remotely execute code. This code, in the hypothetical scenario will throw some message that convinces the uninformed user that they actually want to proceed and then spoof a sudo prompt (or even display a real sudo prompt).
The situation is just hypothetical -- social engineering attacks generally don't need to exploit exotic holes -- they just need to entice the user into doing something dumb (install this codec to see Paris Hilton naked). And the average linux user is simply not going to fall foul of it. But the central point remains -- there isn't much point to asking a user for a password when elevating privileges, and actually asking for one is a weakness.
The only (not really valid) argument in favor of the password is "if I lend my machine to someone for 5 mins they shouldn't be able to muck around with it". Well, don't give your machine to people who will muck around. If you don't have that level of trust -- make them use the guest account. If you walk away from your machine -- remember to lock it before you get up.
- Prompts for permission on both installed and uninstalled programs repeatedly
- treats an install the same as running a program
That's actually quite inaccurate:
The question is do you need admin creds to run the program / installer or not?
- For most installers the answer will be "Yes".
- For many programs (say office/notepad/firefox/cmd.exe) the answer will be "No"
- For the same programs, the answer could sometimes be "Yes" (cmd.exe, firefox to install a plugin, etc.)
Note that you won't get asked to elevate every time you launch the app -- though you can configure it that way if you wish. The app needs to be coded correctly to understand when it needs to elevate (for example the way Firefox will pop a UAC prompt only when it wants to upgrade itself or install a plugin -- but otherwise pretty much runs UAC-free). This is pretty much as it should be.
If an application actually needs to run as administrator to function correctly (even when the app doesn't actually do anything that requires admin privileges) -- it means it's a pre-vista application that was poorly written and ignored MS's platform development guidelines (for XP). UAC annoyances serve to expose those apps, and their next iterations will be better. Tough decision on MS's part, but it had to be made, and it was definitely the right call.
In a social engineering attack where you download some program (malware) and run it -- the malware could spoof a UAC prompt -- if you are foolish enough to click "Allow", well, nothing really happens because the program didn't get elevated privileges (since it was a fake UAC prompt). In the sudo case, the equivalent level of foolishness has you entering your password instead of merely clicking "Allow". Result is that the malware has your password now, so it's basically Game Over.
Of course, this is probably a moot point because a better social engineering attack would actually do something causing a genuine UAC prompt (instead of bothering to spoof it). The level of foolishness required to click "Allow" is probably the same in both cases.
I guess where UAC becomes valuable is when an attacker has managed to exploit a hole, to execute code remotely without requiring you to fall foul of a social engineering attack. This way you know you haven't done anything to deserve the UAC prompt that just popped up, so you know that you should click "Deny" here. This might still fail to protect users that have absolutely no clue, but honestly they shouldn't be running an admin account anyway (and hence should not be able to elevate a process).
...I mean the evil power of Microsoft coupled with... Objectivity. Gotta love it.
With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums? Actually -- applying updates + drivers means that your hashes are no longer completely verifiable from the live CD. Even if you maintain an updated database of hashes there is no guarantee that the malware has not written hashes into it that will check out ok, for the infected binaries. That's why a digital signature is more important.
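The point made in the reply above (and the earlier post arguing for signatures and roots of trust over hash lists when deciding whether to trust an installer) is easy to show concretely. The following is an added example written for this thread, not code from any poster or from Ubuntu's or Microsoft's tooling. It assumes a publisher signs a canonical manifest of file hashes with an Ed25519 key that is kept off the machine being checked; the "binaries" and the trojaned replacement are constructed sample bytes. An attacker who can rewrite a binary on disk can rewrite its entry in an unsigned hash database just as easily, so the hash-only check passes; the same rewritten database fails once the verifier checks the publisher's signature over the manifest first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a file name to the hex SHA-256 of its contents.
type Manifest map[string]string

// BuildManifest hashes every file. files is name -> contents.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Serialize renders the manifest in a canonical, sorted form so the
// bytes that were signed can be reproduced exactly on the verifying side.
func (m Manifest) Serialize() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s %s\n", n, m[n])
	}
	return []byte(sb.String())
}

// SignManifest signs the canonical manifest with the publisher's private key
// (assumed to live off the machine that will later be verified).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Serialize())
}

// HashesMatch is the plain "checksum database" check: every file on disk must
// hash to what the database says. It trusts the database itself completely.
func HashesMatch(m Manifest, files map[string][]byte) bool {
	if len(m) != len(files) {
		return false
	}
	for name, data := range files {
		sum := sha256.Sum256(data)
		if m[name] != hex.EncodeToString(sum[:]) {
			return false
		}
	}
	return true
}

// VerifySigned first checks that the manifest is authentic (signed by the
// publisher's key) and only then compares the on-disk hashes against it.
func VerifySigned(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) bool {
	if !ed25519.Verify(pub, m.Serialize(), sig) {
		return false
	}
	return HashesMatch(m, files)
}

// Demo runs the scenario from the thread and returns three results:
// cleanOK (signed check passes on untouched files), hashOnlyFooled (the
// unsigned database check passes after the attacker rewrote both the binary
// and its hash) and signedDetects (the signed check rejects that rewrite).
func Demo() (cleanOK, hashOnlyFooled, signedDetects bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample "binaries"; not real files.
	files := map[string][]byte{
		"bin/ls":   []byte("original ls binary"),
		"bin/sudo": []byte("original sudo binary"),
	}
	m := BuildManifest(files)
	sig := SignManifest(priv, m)
	cleanOK = VerifySigned(pub, m, sig, files)

	// An attacker with write access replaces a binary AND rewrites its hash.
	infected := map[string][]byte{
		"bin/ls":   []byte("original ls binary"),
		"bin/sudo": []byte("trojaned sudo binary"),
	}
	tampered := BuildManifest(infected)

	hashOnlyFooled = HashesMatch(tampered, infected)
	signedDetects = !VerifySigned(pub, tampered, sig, infected)
	return cleanOK, hashOnlyFooled, signedDetects
}

func main() {
	clean, fooled, detected := Demo()
	fmt.Printf("clean files verify: %v\nhash-only check fooled: %v\nsigned manifest detects tampering: %v\n",
		clean, fooled, detected)
}
```

The design choice worth noting is that the signature covers the manifest, not each binary separately: one signature is enough to pin the whole set, and the verifier needs only the publisher's public key, which is small enough to carry on the LiveCD or bake into the checking tool. Whether the private key itself was compromised is a separate question that neither scheme answers.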
And I have used Office Vista too. Then your hatred of MS is clouding your vision -- causing you to see ribbons where they don't exist.
You'll get skewered data that we all know they're going to use to bash Linux and support Windows. This site does not rely on data (skewed or otherwise) to put MS on the proverbial skewer. For a very recent example, look at the thread earlier today (where one journalist theorizes that MS may at some future date put some 'copyright cop' on Zunes, and
2. If they choose to, there is nothing illegal about it (thanks to EU's myopia).
3. Having a majority share makes no difference. It should either be legal or illegal. Otherwise you're punishing success. i.e. you're biasing what would otherwise have been a free market.
That's exactly why I accused the EU of just extorting money. They are imposing fines on one company for certain violations, without actually putting in place any laws that address the big picture.
In any case, the thing keeping the 360 division profitable is attach rate - MS sells over 6 games per console. This is absolutely a win-win. It gives MS a chance to make money, it means more money for the game studios, and it means customers are enjoying the experience enough to spend on games.