Details on Refining Vista's User Control
borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that they have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."
malware safeguards (Score:4, Insightful)
So what's to stop malware from affirming the prompt? It isn't even a hurdle.
Re:malware safeguards (Score:3, Insightful)
Re:malware safeguards (Score:5, Informative)
unfortunately, this breaks the brilliant synergy2 [sourceforge.net] tool temporarily...
Re:malware safeguards (Score:2)
Re:malware safeguards (Score:3, Informative)
maybe they should add an option to enable the built-in reader during UAC elevation...
Re:malware safeguards (Score:2)
Re:malware safeguards (Score:2)
Re:malware safeguards (Score:2)
Brilliant!
Re:malware safeguards (Score:2)
Anyone want to furnish the
Here's how to delete a file on Windows Vista (Score:5, Funny)
http://www.flickr.com/photo_zoom.gne?id=151250154
Re:Here's how to delete a file on Windows Vista (Score:3, Funny)
Re:Here's how to delete a file on Windows Vista (Score:2)
Broken security model -- AGAIN! (Score:3, Insightful)
Those who do
Re:Broken security model -- AGAIN! (Score:3, Insightful)
Another thing is surprising: how can you do privilege escalation without entering your password/authentication of any kind? How is it more secure if there is no user entry? It's just like a sudoers file wi
Re:Broken security model -- AGAIN! (Score:2)
With UNIX, there is never any authentication asked of root (but asking for confirmation is never useless
Re:Broken security model -- AGAIN! (Score:2)
Re:Broken security model -- AGAIN! (Score:2)
Re:Here's how to delete a file on Windows Vista (Score:3, Interesting)
Re:Here's how to delete a file on Windows Vista (Score:3, Insightful)
Second, his first step is simply "look at the shortcut." No action was taken.
Third, it's already been publicly stated that the UAC will not cover this case in the future. Now we're down to 3 cl
Re: click delete, CONFIRM delete? (Score:2, Interesting)
the optimal number of steps
Is one. Just one. On my KDE desktop, I right-click the icon, select delete. Apple's desktop is similar.
In both instances, there's a robust security model underneath my desktop that does not require an extra "are you sure?" button on my desktop to work right.
Re: click delete, CONFIRM delete? (Score:2)
Re: click delete, CONFIRM delete? (Score:3, Interesting)
Already fixed (Score:2)
Re:Already fixed (Score:2)
the real problem (Score:2, Insightful)
Of course, that means the user can't get rid of the icon at all, which is a bug in the way desktop displays icons. It should either:
1) display only the user's icons, or
2) allow the user to "hide" system icons.
Same problem with the Start menu, by the way.
Freedesktop.org's menu standard is much better. (At least, the way KDE works - I assume that other DEs support
Re:Here's how to delete a file on Windows Vista (Score:3, Interesting)
Same as in OS X's early days (Score:2, Troll)
Re:Same as in OS X's early days (Score:3, Interesting)
On the other hand, I have gotten those prompts in OS X for Microsoft and Real built applications which were trying to do things which they had no business doing.
All the open source players I have installed on OS X (I have 2 or 3) have never required root authorization for anything, yet WMP and Real wanted to access my root files, why? This hints at how invasive the programs are, what ar
Re:Same as in OS X's early days (Score:5, Insightful)
I've used the beta. It's awful. The usability of the file "explorer" is atrociously convoluted. It makes it even more complicated to know what's going on than XP did. And, to keep this on topic-- the security measures are astoundingly invasive. Vista seemingly asks you to confirm the same type of function, triggered in the same way, but by different applications. Look, if I want port 80 HTTP requests to go through, I want them to go through all the frickin' time. Don't make me repeat myself. (Yes, this is only an example but it's indicative of the process you'll go through time and time again.)
Maybe it's the horrible presentation of the dialogs that does it? They offer ZERO information about what *application* (in English instead of seemingly random strings of letters and numbers!!!!) wants your attention. It also offers no real understanding of what is being asked of you. Microsoft, for all they did correctly with the xbox 360 interface, needs to learn how to design a dialog. Here's a fine example:
I open a jpeg file or some other seemingly harmless thing. I get a security alert box that unnecessarily scares the shit out of me with its inappropriate use of iconography. It says something incomprehensible like this:
Application gobbleygook.exe is attempting to access suckit.dll. Do you want to allow this? (This is considered a minor threat.)
Oh. Great. So some EXE with a name I don't recognize wants access to a DLL (what's that-- hahaha?) that I also don't recognize. Now that I'm completely lost, Windows tells me this is not that much of a threat and I can probably click "allow" for the application I don't know to open the dll I don't know to do some task that I have no clue what its purpose is. Super.
I'm trying to make a point by being a bit funny about this-- but Microsoft really needs MAJOR improvement to this process. First, don't assume everything is a threat and scare a user into confirming something that is not needed. Second, improve the presentation. Third, figure out how to discern between Malware and your own software!
Re:Same as in OS X's early days (Score:3, Insightful)
This is the same problem with software firewalls. Unless you're an expert user you have jack shit of an idea whether or not to allow xxxxx.exe to connect to xxx.xxx.xxx.xxx port xx.
I just don't see the constant prompting as a better alternative, I honestly hope I'm wrong though. It would be nice if MS finally was able to deliver security to the masses. Personally I am partia
Re:Same as in OS X's early days (Score:2)
I fixed that for you.
Regarding all of your complaints, this is what betas are for. To get user feedback and address the problems, and obviously Microsoft is doing just that.
Re:Same as in OS X's early days (Score:2)
My favorite was something I encountered yesterday: creating a new folder inside C:\Windows\system32, I get the "you must authenticate blah blah"... ok, fine, makes sense, I want to create a directory inside the system space.
But then when I type in the actual name I want (replacing "New Folder") and hit enter, I get the authentication rigmarole AGAIN. What, like I was going to leave it named "New Folder"? Sheez...
Re:Same as in OS X's early days (Score:2)
- Microsoft
Re:Same as in OS X's early days (Score:3, Insightful)
No, this isn't even close to being the same. Vista asks you for confirmation of nearly everything you can possibly do on the computer. At no point did OS X do this.
Agreed, the previous poster overstated this by quite a bit.
Vista seemingly asks you to confirm the same type of function, triggered in the same way, but by different applications. Look, if I want port 80 HTTP requests to go through, I want them to go through all the frickin' time.
Not me. I want my Web browser to be able to get to port 80. I
Re:Same as in OS X's early days (Score:5, Insightful)
Windows, on the other hand, has hundreds of thousands of apps that expect to be administrator. The software companies don't want to fix them, and Microsoft doesn't want to break them.
So MS defined a middle ground -- annoying prompts which you can't get rid of. Since there isn't a special security level which hides the prompts, presumably people will complain to the software authors and the software authors will fix the apps. And if they don't fix the apps, at least the programs will still run.
Doesn't Vista get rid of those prompts? (Score:3, Informative)
I haven't been testing Vista personally, but I just read a Paul Thurrott article on User Account Control [winsupersite.com] that seems to indicate that these annoying prompts do go away after instal
Huge Difference (Score:3, Interesting)
The situation on Windows is completely different. Microsoft is retrofitting Windows with this security model, but it must still support the vast catalog of existing software that was written assuming the traditional Windows security model. So, inst
Re:Huge Difference (Score:3, Insightful)
Yeah, supporting older applications would be a pain in the ass if your users expect to be able to use the exact same ancient binary image they were using before your OS was conceived. When you willingly give up your right to the source code of the software you use, you'
Re:Huge Difference (Score:3, Insightful)
Considering there's only a few million Windows applications, that action would likely crash the world economy. Or at least prevent large swaths of the market from ever upgrading.
Apple has a small and highly loyal group of users, so their upgrade policy works for that ecosystem. But it's also a huge self-limiter on their marketshare, because they throw old users overboard
Re:Huge Difference (Score:3, Informative)
All zealotry aside, there are things in Windows that are done very well, and there are things in Windows that completely suck, and the things that suck are almost universally due to some sort of backward compatibility concerns.
Considering (Score:2, Insightful)
Of course if the j-o-b foists it on us anyway, at least there will be the necessary hardware upgrade at long last...
Re:Considering (Score:5, Insightful)
I think why I liked 2000 so much was that it was NT done right, a well written and stable OS without a lot of clutter. I think that if Vista really was a new OS, not just enhancements to their existing codebase, then we'd be okay with it.
I think we'll have a 2000-like resurgence in a good Windows when a Windows OS is released as a managed code OS. until then I'll keep dreaming.
Re:Considering (Score:2)
Brought to us by the Department of Redundancy Department.
Re:Considering (Score:3, Informative)
Just an FYI, if someone really wants to work with Windows 2003 server, there are tons of 120day evaluation versions they can get their hands on, even off the Microsoft Web site.
If you are doing testing or ru
It's Still In Beta Folks! (Score:5, Insightful)
Tough crowd here at Slashdot. We all know it's going to suck, but at least let them release it first before you criticize. Seriously though, it is just a beta and not the end result. They're looking for feedback to make improvements and thats a good thing.
You don't make design changes in beta. (Score:2, Insightful)
Re:You don't make design changes in beta. (Score:2, Insightful)
Of course, it's easy to criticize. If the challenges in pointing out flaws were anywhere near creating something in the first place, Slashdot would have about 3 comments per story.
Re:You don't make design changes in beta. (Score:2)
Second, you clearly didn't bother to read the article, since the underlying design isn't going to be changed anyway.
Mod Parent Down (Score:2)
My previous post on the subject covers it pretty well:
http://slashdot.org/comments.pl?sid=187221&cid=15
It's funny that it's moderated 30% Interesting 40% Troll 30% Underrated
Just pay me and I'll promote Longwait.
Re:It's Still In Beta Folks! (Score:5, Informative)
Some people here still expect beta to mean beta, which is conventionally intended to identify bugs in an otherwise stable product. A beta release is not, as you suggest, an invitation to change the feature set, though that has never prevented Microsoft from bending the rules at its convenience.
To be charitable, I can imagine that with this Vista beta, the codebase might indeed be as stable as what we ordinarily expect from a beta release, and so what we're looking at now is just a matter of tuning the configuration parameters so that it prompts at the right thresholds. And, on the principle of security by default, the system will initially tend toward maximum prompting. However, thinking more soberly, a secure system will have fully addressed these issues at the design level, and prompting will not be excessive but appropriate and meaningful. If it's not, that's a clear sign that the design has deeper problems than can be fixed just by changing the prompting parameters. Pardon my cynicism, but in my experience, that would be entirely typical of Microsoft.
Definition of beta at: Wikipedia [wikipedia.org].
For usability see: Whitten and Tygar [usenix.org].
Re:It's Still In Beta Folks! (Score:5, Insightful)
You give yourself too much credit. Slashdot's not a tough crowd at all. Slashdotters generally hate Microsoft, that's all. Those companies that Slashdot favors can put out utter crap and get unqualified praise from slashdotters.
Re:It's Still In Beta Folks! (Score:5, Funny)
Re:It's Still In Beta Folks! (Score:2)
su - ? (Score:2)
Why can't they set it up so when you open control panel, you have to enter the root password (like opening yast as a non-root user in suse and the like) and then you're essentially su'd until you close control panel, or I suppose you could time it out, so after 10 minutes even if the CP is open, you will have to re-enter the password if you click on a little icon in there.
From reading the articl
Re:su - ? (Score:2)
Re:su - ? (Score:2)
I'm not saying what they're doing is bad. I'm saying they went a little extreme. With as many times, I believe the article I cited said 17 times, it should have a do not show again. Personally, I do not believe in caching passwords, but for that many times...
I actually commend them for doing this, but it needs to be more practical.
Re:su - ? (Score:2)
Market Forces? (Score:3, Insightful)
It's all about the registry (Score:4, Informative)
Sometimes I wonder - rootkits use stealth techniques to intercept registry calls. Why doesn't Microsoft use the same rootkit approach to "cage" the registry into the directories used by the programs you install, and let the programs only use their caged registry? That way programs would only need access to their own caged directory and maybe a temporary or data directory.
IMHO, the registry was the worst idea Microsoft could have come up with.
Re:It's all about the registry (Score:2)
Wouldn't that just be Apple preference files?
Re:It's all about the registry (Score:2)
Re:It's all about the registry (Score:2)
http://www.microsoft.com/technet/windowsvista/sec
(Actually, the whole document is interesting if you want the PR overview of the security changes.)
getting there... (Score:5, Informative)
there's still some core OS UI that's not UAC-enabled, though. for example, you can't fully configure network connection settings without running explorer.exe elevated.
Re:Not Likely (Score:2)
I predicted there was no clear path with their access control plan.
http://slashdot.org/comments.pl?sid=186700&cid=15407442 [slashdot.org]
The Microsoftie claimed that just because I had never used it, I shouldn't criticize, and masterfully dropped a few personal insults too.
I fired back that I didn't see it happening.
http://slashdot.org/comments.pl?sid=186700&cid=15408915 [slashdot.org]
Funny how I was right...
Today's Lesson: Run away from Longwait and don't look back.
Re:Not Likely (Score:2)
Re:Not Likely (Score:2)
What do you expect when using terms such as "Longwait"????
Wow. All this time, and it's more of the same. (Score:4, Insightful)
So they're *still* designing insecurity into the system because they place a higher priority on the "extensibility" that lets applications do things the user isn't expecting them to do.
And they're still relying on Grandma logged into her AOL account as the last line of defense.
Have they learned nothing?
Sorry, that was rhetorical.
Easy fix (Score:2, Interesting)
Re:Easy fix (Score:2)
Whose computer is it, anyway? (Score:2, Insightful)
But I can't shake the feeling that their idea of increased security is, "WE decide, case by case, what operations are safe for you to do on your computer." Especially with sentences like this: "The hope here is that the user won't need to launch many administrative applications." Or, "Why can't my chil
Re:Whose computer is it, anyway? (Score:3, Insightful)
Re:Whose computer is it, anyway? (Score:3, Insightful)
A child (or parent) shouldn't be running antivirus. That should be started and run by the system, because it needs those privileges.
There absolutely needs to be a list of things that a regular user can do, and it needs to be short. On a Linux system, that list consists of not much more than reading and writing in your home directory, viewing the contents of some other directories, and accessing some input/o
Is Indexing a Security Breach? (Score:4, Insightful)
If it can search and index file contents, then it has full access to my data. If access to that index or search feature is insecure then it's taking control of my data out of my hands and giving it freely to others. Why should applications need to access files that I created but which I haven't explicitly opened for their use?
Will the security be in place in both the API and data storage files so that instant search won't just become a new way for malware to quickly focus on the data it wants (e.g. Credit Card or Social Security Numbers)?
Security Rope-A-Dope (Score:2, Insightful)
Very few folks seem to be analyzing and criticizing the other 99% of this operating system. Keep focusing on this security-prompt-red-herring, and we'll fail to uncover the real turds before it's too late.
Re:Security Rope-A-Dope (Score:3)
Don't prompt each time (Score:2)
The point of UAC is to make sure the user has to authorize any actions that need administrative privileges. So address the authorization instead of the actions. Do what my Debian box does when programs need root privileges. When I run a program like that from my normal user account, a wrapper prompts me to enter the root password or abort the operation. If I enter the password and it's correct, root credentials are added to my keyring temporarily and the program can run as root. As long as those credentials
Re:Don't prompt each time (Score:2)
Linux and Macs don't suffer from viruses because it isn't worth it for device writers to target them, not for any inherent higher level of security. Ok, that's not entirely fair... Linux has the advantage of being so forked and fragmented that a virus has to be much cleverer in order to spread (i.e. not being a monoculture provides a certain degree of immunity much l
I will handle it just the way... (Score:2)
this crowd is ridiculous (Score:5, Insightful)
Re:this crowd is ridiculous (Score:5, Insightful)
Your post is spot-on, but what do you expect from a site that uses a broken windows icon for Windows stories and a Gates-Borg icon for Microsoft stories? These are the only topics on this site whose icons contain editorial spin of any kind (and that spin is derogatory, of course). This site really doesn't have any credibility whatsoever when it comes to Microsoft stories. Sad, but true.
Re:this crowd is ridiculous (Score:3, Insightful)
Sometimes I think
I've been using the last two releases of Vista and I also own a Mac-Mini and a Windows XP box. I ran Linux for three years (Debian) before giving up. I agree that there are stil
Re:this crowd is ridiculous (Score:4, Insightful)
I have dealt with some difficult customers, but this Slashdot crowd right now is just utterly ridiculous. There are a few that are willing to go against the grain and give Vista a chance before dismissing it entirely, but the vast majority of the Slashdotters lately are as close-minded and biased as any group I have ever seen.
What exactly do you think all these Vista articles are about? They are discussions of what MS has done, what they have right and what they've screwed up. If you see a preponderance of what they got wrong, well that is partly human nature and it is partly because MS has gotten a lot wrong lately and not so much right.
If MS adds a feature that you all love from another OS or application, they are copying. If they don't add it, they are behind the times.
Both of the above are true. Are you implying copying is a bad thing?
If MS tries to beef up security, they are doing too little too late, and it probably won't be effective anyway.
What!?! This is a discussion about such a security feature, and one that a lot of people are having problems with, which MS acknowledges and has asked for feedback on. So you think discussing why it has problems is somehow biased? Facts aren't biased, your opinions of them might be. MS implemented stronger user-level security, something other OSes have had for a long time. A lot of it they have done less well than other OSes, which is what is causing a lot of the problems. The alerts are too frequent due to architectural decisions and some poor decisions in the implementation. The UI is terrible and a huge hole in this security. Pointing this out is a good thing and it lets MS know where to start fixing things.
If MS releases a patch for IE, it is yet more proof that their software was flawed in the first place. If they don't release the patch, they are too slow to react to security threats, and are failing their users.
There is a right way to handle vulnerabilities and exploits, but MS neglects it in favor of the most profitable way. They deserve to be taken to task for that.
If they open up to a beta group and ask for suggestions, they are skimping out on doing actual work and getting us, the computer elite, to do their design for them. If they don't open up to a beta and take suggestions, they are ignoring their users.
They certainly should ask for suggestions, but at the same time, due to some of their very unethical business practices, a lot of people would rather not help them. Where's the conflict?
I could go on, but I think you catch the drift.
I do indeed. You claim people here are close minded, but all of your complaints amount to people stating facts as they see them and having different opinions. That sounds like the opposite of close minded to me.
I get it, you guys hate MS.
Most people who love computers have a strong dislike for MS. They have single-handedly done more damage to the industry than anyone would have thought possible. People in the industry see that and are forced to deal with the consequences. That has nothing to do with this discussion of how they implemented a feature, other than whether or not some people are willing to provide them with helpful feedback. If you want to take issue with someone's opinion here, go ahead, but actually address one. Don't whine that people don't have the same opinions as you, or they have unspecified things to say that you don't like.
I thought this was a forum for open-minded people to share ideas and learn from each other, but if you want to just sit around and play target practice on a company that you have decided a long time ago that you will hate for life, then I might just have to give up on getting any more actual insight from reading the comments on Slashdot, particularly on MS related stories.
Since you don't seem to have any insightful or even useful opinions about the discussion, maybe we'd all prefer it if you did ta
Re:this crowd is ridiculous (Score:2)
You spelled "grammar" wrong, and since when is the word "caps" capitalized?
I think I know why there are so many (Score:2)
They need to figure out a way to make it so that you authorize certain ACTIVITIES, instead of every individual executable that activity requires.
Of course, that's damn hard, because of the way Windows is designed.
Personally, I don't find the dialogs that bad, and if it can keep people
silent elevation (Score:3, Informative)
From the blog:
The problem with marking Windows binaries to "silently elevate" is that we feel it will lead to "worms" or self propagating malware.
Marking "silent elevator" should require administrative privilege, so what's the problem?
Unix has had this for years; it is called "setuid root". This is extremely useful.
Also, it's very easy to have a knob to allow all signed applications to do silent elevation. Much cleaner than developing hacky shims.
Security Hole == Windows Message Pump (Score:4, Interesting)
The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).
Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.
One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.
But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista windows must be modified and rebuilt.
So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.
Re:Slashdot on Vista (Score:4, Funny)
Please enter your Windows username and password to continue.
Username:
Password:
You forgot the buttons:
[OK] [Continue] [Cancel]
Continue will let you carry on regardless...
Re:Why the interest? (Score:4, Funny)
1. You can save your game in solitaire
2. You can save your game in freecell
3. It includes a super pretty chess game!
Re:There you go again (Score:5, Interesting)
In a word, no. How is the OS supposed to know that that cute little systray weather forecast app you downloaded and installed is actually a trojan?
As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.
Re:Excessive security? (Score:2, Insightful)
Re:Mod Parent Down (Score:2)
This "excessive prompting" is never complained about with OS X, or within Linux.
Uhh, that's because it works right? Clearly you don't use either because you'll find there is no prompting for normal user activity.
Is not "excessive prompting" exactly...
Uh, no. Again, if you used either one you'd see they take care of the problem the right way as opposed to Microsoft's cluster fsck.
I'm guessing you are trolling for Microsoft. If not, please switch to linux or OSX and you'll see what ever
Re:Mod Parent Down (Score:2)
Windows Vista - Beta 2, not even CTP yet....
Maybe they are using the beta to determine the appropriate balance of user prompting that doesn't piss the users off or desensitize them too much?
sudo does work fine except I find the privilege escalation from user to root to be a little too, how should I say it, extreme?
Re:Excessive security? (Score:3, Insightful)
Re:Excessive security? (Score:3, Insightful)
Plenty of the people who have complained, that I've seen, have been people who have used either OS X or Linux and complained that the Vista beta implementation of the feature was clumsier and more intrusive than the implementation of similar security functionality on those non-Windows platforms.
Being similar in outline is not the same thing as being identical in implementation.
Re:Feedback?! (Score:3, Insightful)
Re:Bad Software Design (Score:2)
From my testing, the Microsoft (ical-based) calendar app looks like it'll be kind of nice. And there's some nice new things for deployments and in group policy, but that's not really "average user" stuff.
Average users will be pissed off when they find out that none of the default games are
Re:The prompting is not annoying (Score:2)
And the most fucking annoying if you actually want to *do* anything outside of wordprocessing, web browsing or gaming.
I've used this beta and you can be asked to "confirm" your actions 3 or 4 times just trying to do something simple like get in and change your TCP/IP settings - on top of all the usual confirmation dialogs you'd get in XP/2K. Sure, you can turn off UAC, but that somewhat defeats the point of having it there and
mmm, drugs (NT) (Score:2)
Re:security feature that's needed by windows... (Score:2)
Re: the Lead "Program Manager" (Score:2)