Slashdot Mirror


User: Blakey+Rat

Blakey+Rat's activity in the archive.

Stories
0
Comments
11,072
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 11,072

  1. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    My point is that you can't have UAC "classify" actions by their threat level, because Windows has no idea what the intent of the action is.

    My example is perhaps bad, because you're probably right that iTunes does that at install time and thus doesn't require a separate UAC prompt for it. But don't focus on the *example*, focus on the *point* I'm trying to make.

  2. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    That's a feature to prevent malware from programmatically pressing the "Allow" button. Windows XP had that problem with the signed drivers warning: nasty drivers that were unsigned could programmatically press the "Allow" button and install themselves without the user seeing the warning. With UAC, the prompt actually appears on an entirely different desktop, one that all of your running applications don't have access to send events to, making it secure.

    This all goes back to: what would you have done? How would you solve the problems of programs being able to hit "Allow" for their own malware-esque actions?

  3. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Well, Windows has the Run As... server, which can probably be used to do this. The problem is, then Microsoft would have to trust the application developer to implement that, and they already know that their application developers don't follow Microsoft's instructions.

  4. Re:It's all a workaround on UAC Whitelist Hole In Windows 7 · · Score: 1

    That depends on how you define "multi user".

    Pray tell, sir, what definition of "multi-user" includes Linux and OS X, but not WinNT?

    If you mean it can have multiple user accounts but only one can be logged on at any one time on the same box then it is. In the non-Windows world "multi user" means that multiple users can be logged on at the same time; Windows has never been able to do this.

    You can have as many user accounts logged on to WinNT as you like at one time. Originally this was only supported over Telnet, but then 2000 (I believe) let you do it over RDC, and XP and up had "Fast User Switching" to do it with interactive GUIs applications.

    The fact that you don't know any of this makes you completely unqualified to talk about WinNT.

    Part of the problem Microsoft have in taking a real multi-user approach (in addition to Windows not being designed for it) is that they have different licensing models and prices for seats on some Windows products. Hence desktop Windows is a one seat / one logged on account deal.

    This paragraph is complete gibberish. I've (personally) created over 100 user accounts on a single XP Professional install. Without paying anything, or punching in any serial keys, or anything. (The machine was at a hospital sleep room, shared between dozens of doctors. We created an account for each doctor for security reasons.)

    Since only one user can be logged on at any one time, that user must be able to install / uninstall software, which means Microsoft have their default user as an Administrator; which means all actions are run with admin rights....which includes malware.

    Wow. Just wow. Running as Administrator has *nothing* to do with compatibility with Windows 98 applications, it's all about running installers. It's hard to believe one person can be so idiotic.

  5. Re:Summary of the stupidity on UAC Whitelist Hole In Windows 7 · · Score: 1

    So you agree to:

    want easily bypassed using a standard Windows trick that allows one process to insert code into a second process ON EARTH severely

    (BTW the answer is: plug-ins. Old programs use that technique as a way of implementing plug-ins. For example, I think Explorer does. There was a time with computers didn't have 3 GB of RAM standard, and you couldn't justify putting a whole script interpreter in your application just for plug-ins.)

  6. Re:Good thing it's a beta on UAC Whitelist Hole In Windows 7 · · Score: 1

    1) Doesn't prompt for admin password. Instead, it just prompts Cancel / Allow.

    You can tell it to ask for your password, instead.

    Pop-quiz: UAC that asks for passwords by default would be considered:
    A) Less annoying
    B) More annoying
    than the current UAC model?

    2) Doesn't tell you what or why it is prompting.

    Valid complaint. When I used OS X, their version of UAC told me less than Microsoft's, so it's not like Microsoft's UAC is worse than the competition because of this point.

    3) Double prompts. (And worse)
    * They needed to prompt for the duration of the app (or a time limit), not for each individual operation.

    So your program can get a UAC approval for writing an .ini file in Program Files, then within the time limit it'd be fine to add a virus to run on startup? Your first two items argue for a more secure UAC, this one argues for a LESS secure UAC-- which is it?

    4) Prompts at places where security is not relevant, such as
    - Modifying the start menu. Other OS's just modify your local one.

    Windows only prompts if you're editing the All Users start menu, as it should since that's a system-wide setting and not a user setting. You have to go out of your way to do this-- if you simply right-click a start menu item and choose "pin to menu", you'll never get prompted.

    BTW, the lack of the ability to edit the systemwide menu in other OSes would be considered a flaw by many.

    - Read-only access to system level items. Going to the various control panels should not require admin access.

    Valid complaint. Microsoft should be able to re-code control panels to only prompt when you hit "Ok" or "Apply." Some control panels already do this, like the "Local Users and Groups" inside Administrative Tools, most do not.

    - Chastise developers who do not write code to work as limited users. (They needed to do this back in 1993 with Windows NT - CERTAINLY by 2000 this should have been eliminated.)

    How do you believe Microsoft could do this? I mean, I agree with you 100%, but how?

    - Make workarounds for specific applications that wrote things to the wrong place. Ex: Directing HKLM registry entries to HKCU.

    They already do that in a LOT of places. Depending on what the application is trying to write to HKLM, it'll sometimes get redirected to a key inside of HKCU. Ditto with filesystem operations, sometimes Vista will spoof another Program Files folder inside the user folder as needed for misbehaving apps.

  7. Re:No Script Bragging -- please stop on UAC Whitelist Hole In Windows 7 · · Score: 1

    That's the only reason to turn scripting off on the modern web: so you can outraged about how everything requires it and comment on it in really geeky (yet somehow also amazingly luddite) forums like this one.. (Also see: Cookies.)

  8. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    That's how you did software plug-ins before computers had enough RAM to justify putting your own LUA/JS/VB/Whatever interpreter in every process. Remember, Windows is an OLD OS, there's a lot of cruft.

  9. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Fine, but why is that the case for MS and not for anyone else? Could it be, perhaps, that it's because Microsoft never really had or enforced any standards about how development should be done, where things should be written, and so on? Why does one installer want to create C:\ATI\Drivers while another dumps everything into the main Program Files folder, for example?

    What's the alternative? Microsoft blacklists applications? In your example, both installers are wrong. Microsoft has its own installer system which works fine, but what can they do if developers don't use it? Nothing.

    The only real alternative would be for Microsoft to have implemented something like UAC years and years ago, but then we'd have the exact same thing we have now, just ... years and years ago.

    If the user is incapable of understanding security problems then why is it helpful for them to authorize this kind of thing? Might as well just not ask them at all, since they're not going to understand.

    Well, yes, but that's true of every security system ever.

    Untrue. Off the top of my head I remember reading about that Debian ssh flaw (which, incidentally, had been fixed and pushed to the repositories by the time I even saw it on slashdot) and that Intel driver a while ago that crashed a bunch of beta Ubuntu installs.

    And off the top of my head, I remember an article yesterday saying Firefox had more security bugs than IE, Opera, and Safari combined. Here it is: http://news.cnet.com/8301-1009_3-10190206-83.html?tag=newsEditorsPicksArea.0 This being Slashdot, now you're obligated to tell me in all the ways that article is flawed, because surely it can't be true! Gasp!

    We're talking about an OS where viewing certain websites can lead to arbitrary code execution, and where even reading certain types of emails can be an issue.

    We're also talking about an OS with hundreds of millions of uneducated users who hit "Accept" "Install" to every piece of malware they see. That's a unique situation with Windows, so I don't see statistics on the amount of malware for it being relevant to that for any other OS.

    But from the ground up it's lightyears ahead of anything Microsoft has ever done, or likely will ever do.

    Except for NT had more, finer grained, and better, security controls than Linux for a decade. If you're going to compare a Workstation/Server OS like Linux with Windows, you have to compare to the Workstation/Server version of Windows... and NT's security model compares very favorably with Linux in that arena. It's only in the last few years that Linux has been treated like a desktop system.

    Yes. UAC was years in the making and was a hilariously poor attempt at making something that pretended to increase security.

    Which brings up my original point, what *should* have they done instead? You've offered no answers, just gripes.

  10. Re:I'm not dead yet on Why TV Lost · · Score: 2, Insightful

    What, exactly, is stopping you from plugging a computer into your nice big TV surrounded by couches? Other than a complete and utter lack of imagination?

    For the price of a decent 5.1 sound system you can buy a nice computer to plug into that TV and do all your streaming in the "correct" room. Plus with another $50 you can add in a HDTV antenna and have a complete solution. Vista even comes with the software, Media Center, that takes care of most of it for you for free.

    That would be why computers won. I have no idea how you got modded up, except apparently at least 4 moderators are also unaware that you can plug TVs into computers.

  11. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Maybe that's so, but that's no excuse for the half-assery of installing software into the Users folder.

  12. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Source of problem that make people use admin accounts without apparent reason is design fault of MS. So first thing they should is to change this design make it similar to how things done in unix way or if they can make it better.

    Except Vista and Windows 7 *don't* make Admin accounts by default. And that's what we're talking about. Microsoft already does things the "Unix way", the problem is that their third-party developers don't.

    Second, they *should* broke backward compatibility. Whoever says that MS doesn't do that, they lie. They are breaking backward compatibility on lots of their applications feature-wise.

    Nobody is saying their record of backwards compatibility is flawless. But you have to admit it orders of magnitude beyond that of Linux or OS X. (Hell, I don't think Apple even pretends to care about compatibility at this point.)

    They could broke the backward compatibility and add helper tools to their development platform so that new binaries using Vista-specific apis could be released by vendors easily.

    Their development platform actually does things correct by default. The problem isn't new applications that people are starting right now, but applications that have been around for decades.

    One reason they don't do that they don't care. They want Windows to be broken that way. That's another exploitation of their market power. They want people to get infected with viruses, malware etc. in order to increase market around prevention of these tools. They basically try to extend economy around their product. As a result of that they don't spend engineer time to re-design their OS.

    Oh yes, it has to be a conspiracy theory. Better put on your tinfoil hat.

  13. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Whether they *should* or not is immaterial. The fact is that they *do*, and they have to run under newer versions of Windows.

  14. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    If program A is running as admin and it starts program B, program B is also running as admin. (The started runs under the same user account as the starter.)

    That's the way NT is designed, and changing that would break thousands of applications/system features/etc. It's not a realistic solution, if you're proposing changing that fundamental feature.

  15. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Possibility, but an application like iTunes adding a RUN key in the registry would look the same as the InfectR.exe virus adding a RUN key. It's definitely not a bad idea.

  16. Re:What Microsoft should do on UAC Whitelist Hole In Windows 7 · · Score: 1

    My timed based "solution" is not a solution as you seem to think, it is an analogy from the POV of the "halting problem".

    See: http://en.wikipedia.org/wiki/Halting_problem (since nobody seems able to use google)

    If you can't communicate clearly enough to make your point without relying on Wikipedia, I think the problem's with you and not me.

    In any case, my answer still applies if you were promoting some kind of sandbox solution to the problem. If you're promoting something else, then you'll have to explain what that is.

    Microsoft's UAC requires users to regularly solve impossible problems (or just guess the answer and hope for the best).

    Like, uh, what?

    Sure it requires a lot of thinking and work.

    But to get Vista after 6 billion dollars and how many years...

    Well, since you obviously have all the answers, why don't you just to to Redmond, tell Microsoft you can solve all their problems for only $1 billion, and be their greatest hero?

  17. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    For one, I don't believe Windows was originally designed to be a multi-user OS, was it? Everything it does that pretends to be has been an afterthought kludge. I honestly don't know if this is the case with NT-based systems so feel free to correct me.

    It's not. Windows NT was designed with good security (in fact better security than Linux at the time) from day one.

    But let's not pretend that it's the "exact same", either. In 2000 and XP none of it mattered because everyone ran as Administrator and did whatever the hell they wanted, which resulted in just about every Windows machine you'd ever come across being infested with malware and trash.

    Yes, but why did they run as administrator? Microsoft shipped the OS to run as administrator by default, because their *buggy* Windows 98 applications* simply did not work correctly. Given the choice between people saying (wrongly) "Windows 2000 can't run any applications!!!" and lower security, Microsoft went the lower security route. Note that this is a "damned if you do, damned if you don't" situation-- either way, Microsoft gets years of bad PR because of buggy third party applications.

    * And yes, if you have a correctly-written Windows 98 application, it won't trigger UAC prompts even if it's never been modified for 2000, XP, or Vista. Even Windows 98 had guidelines on which areas of the filesystem and registry programs are allowed to store files in.

    In Vista, UAC hassles people to the point where they either get trained to just click "yes" to everything, or turn it off completely -- and it almost never tells you exactly what it's whining about either.

    Well, that's perhaps a valid complaint. Although I think saying "the application is trying to write a registry key to HKLM/Software" would be even more confusing, and that's what 90% of those UAC prompts would say.

    And frankly, unless you have a good understanding of why NT is designed the way it is, bring up a UAC prompt like: "this program is attempting to write into the Program Files folder" would just result in most users saying, "so what!?" The layman doesn't understand the security model, nor should they be expected to to use their computer, and messages like that would just make Microsoft sound stupid to them.

    The expected method of installing new software on a Microsoft system is to download an untrusted executable and run it. You have no way of knowing where it's coming from, no means of defeating MITM compromises, and no way of knowing what the installer is really going to do.

    Windows has file signing, and your other complaints are addressed by using .MSI installer packages. The problem is that Microsoft can't disable non-MSI installers, because they'd start screaming monopoly.

    Windows then happily lets the installer vomit anywhere it wants, make registry changes, dump files into important system folders, and so on.

    Yeah, but it asks your permission first. That's about all it can do, realistically.

    The code has been examined and vetted by people who know what they're doing, and used by thousands more, so if there was some problem -- and there can be -- it quickly gets noticed, fixed, and pushed out as an update.

    I don't have much faith in the "many eyes" concept to improve security, personally. I understand the theory, but it seems that Firefox has just as many security problems as any other (closed source) application.

    As for MITM attacks, you actually check the MD5 checksums? I sure as hell never do-- I'd love to see statistics on how many people actually do that. My guess is that it's less than 1% of downloaders.

    Meanwhile we're all still waiting around for Microsoft to deal with known security holes; there was an article here on Slashdot yesterday mentioning the zero-day Excel problem, but it also talked about how two other crucial Excel holes, known since last April, are still open and it doesn't look like Microsoft intends to do anything about those. And no one

  18. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    WinNT != Win32

    "My Documents" was introduced in Windows 95, for Win32. WinNT has always had user-specific document folders.

    The point is that developers are still writing applications for Windows 95. They need to get it into their thick skulls that NT has different rules, that NT has always had different rules, and that consumers have been running NT and NT only for ALMOST A DECADE.

    And as I recall, early versions of windows encouraged use of INI files that were stored in the application installation directory itself.

    Only pre-Windows 95 versions. Which means Microsoft's been telling developers to not use INI files for 15 years now.

  19. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Windows Explorer (yes I *do* want to delete files off *my own desktop*)

    Have you actually *used* Vista? This doesn't happen.

    half the apps in the control panel (it should ask *once* when you run the control panel not every time you change a setting)

    Yes, the ones that are administrative settings require UAC.

    Logging into a wifi network - why is this even privileged?

    It's not. Your copy of Vista is fucked up. Or maybe you're using some shitty-ass third party Wifi connection utility (which falls under "buggy third party applications.") Microsoft's wifi connection app doesn't do a UAC prompt. (Check that: it will if you tell it to auto-connect, then save that connection, because that's a systemwide setting and not a user setting.)

  20. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    You don't have to agree with me.

    Two things though:

    1) I do find that most people who say things like that didn't actually *use* Macintosh before OS X, and so they don't have any old software to lose. When you have expensive software that no longer runs, then it's more of a problem.

    2) Classic *sucks.* I can't emphasize this enough. It's not an acceptable level of quality of any product, especially not if that product is the *only* way to achieve backwards compatibility.

  21. Re:Shooting the fish in the bucket! on Targeted Advertising Coming To Cable TV · · Score: 1

    Our brains can not tell the difference between fact and fiction. It's our higher cognitive abilities that will reason in hope to find the fact.

    Our higher cognitive abilities aren't part of our brains?

  22. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    That's because Windows security is fundamentally flawed from the ground up

    It's the exact same multi-user security model used by Linux and OS X-- how come when Microsoft implements it, it's "fundamentally flawed" but somehow the exact same thing is perfectly fine in other OSes?

  23. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    The problem with Vista UAC is that it pops up for actions which shouldn't require administrator privileges.

    That's because buggy applications are trying to do something that's indistinguishable from a malware attack.

    Normally, you'd consider an application (other than an installer) writing a file to Program Files to be malware. A LOT of Windows applications do this, it's a bug. In Windows XP, those buggy applications (when run as a normal user) would simply crash or give a vague error message. In Vista, Vista will ask you if you want to allow that application to do that operation.

    Vista doesn't know whether or not the operation is dangerous, and there's no way it could know. So it asks for everything.

    The real problem is buggy applications, and that's completely out of Microsoft's hands.

  24. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    Apple did it, and people adjusted pretty well.

    I didn't, I actually switched to Windows due in part to the poor quality of the OS X Finder and the removal of backwards-compatibility in OS X. The difference is that Apple, and "reality distortion field" Apple customers, don't give a third of a crap about backwards compatibility.

    Apple realized what MS didn't - that they had a single-user OS, and it was flat-out impossible to turn it into a true multi-user OS without changing everything about it, so they started over from scratch (well, with the help of Darwin) and ran legacy apps in a VM.

    And Microsoft create NT, made it compatible with their older Win32 applications, and released that. Different solution to the same problem.

    It worked very well.

    No it didn't. It killed your laptop battery even when doing absolutely nothing. It only ran maybe 75% of applications, and that's being generous. It killed all features of those applications that interacted with other parts of the system. It "worked" mostly, but "very well?" No.

    Windows (however much it tries to be multi-user) is still at it's core, a single-user OS.

    That's plain wrong. You know nothing about Windows.

    If they want security, they need to start over from scratch.

    They *did* start over from scratch, that's what NT is. The problem is that their developers are still writing software for Windows 98-- UAC is just telling people about the bugs in their existing software, nothing more.

  25. Re:If it was easy-- on UAC Whitelist Hole In Windows 7 · · Score: 1

    UAC just enforces the coding guidelines that have been in place since Windows NT3. The only difference between XP and Vista is that, by default, XP will let programs break those guidelines at will and Vista don't. But these guidelines aren't new! They're as old as the OS itself!

    Additionally, the applications that cause UAC now were actually completely broken in the past. Try running any of those applications as a normal user instead of an administrator, they did not work. They were *already broken*. UAC is just telling people "hey this app is broken."