Forgot your password?
typodupeerror
Microsoft Software

Microsoft Designed UAC to Annoy Users 571

Posted by ScuttleMonkey
from the at-least-they-are-being-honest dept.
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was 'to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
This discussion has been archived. No new comments can be posted.

Microsoft Designed UAC to Annoy Users

Comments Filter:
  • Of course... (Score:5, Insightful)

    by evanbd (210358) on Friday April 11, 2008 @08:14PM (#23043140)
    If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.
    • Re: (Score:3, Insightful)

      by stubear (130454)
      They did do this from the start, they just didn't force developers to follow good coding practises when writing apps for the NT platform.
      • by khasim (1285) <brandioch.conner@gmail.com> on Friday April 11, 2008 @08:27PM (#23043220)
        You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.
        • > You cannot force someone else to follow a particular coding practice
          > when your coders do not do so themselves.

          It's shamefully pervasive. In my years of developing software for Windows, I've rarely seen other developers NOT running Windows as admin. --basically developing apps. completely blind as to what permissions they may or may not need. (I finally got religion 5-6 years ago after a nasty virus.) Now, every time I log in, I get several ugly little error messages due to HP drivers and other startup bits and pieces not having God access under a normal user account. I think Win developers --QA and project owners too-- need to feel some personal UAC pain.

          • by Anonymous Coward on Friday April 11, 2008 @10:20PM (#23043858)
            I doubt it'll happen, though. It seems like the most widely-disseminated "Vista tweak" is how to turn off UAC. Regular users (including your average Windowsland programmer and others who might consider themselves technologically sophisticated) don't see UAC as a feature, they see it as a bug.
            • by Opportunist (166417) on Saturday April 12, 2008 @09:00AM (#23046362)
              What you mention is exactly what is desired.

              UAC nags you for every little piece of rubbish. 99.999% of those requests are ok. Well, not ok, if programmers would not require godmode for every stupid little setup change... but they're not harmful. It's the other 0.001% that matter.

              Now, the average user turns off UAC. For a simple reason: Imagine some tool you don't know much besides operating it asks you "The futzgrabber in the argamajig wants to mirfl. Cancel or allow?" What do you do? After some try and error, you learn that the thing does what you want when you click allow. You start wondering why the heck you have to click allow. And the next logic step is to turn the pointless thing off altogether.

              And here's where the tool works as designed. Because if you get infected, MS can just shrug and say "Hey, we gave you the tool to avoid it. See, UAC would have told you this wants to do something bad, but you turned UAC off. Your fault."

              Instead of finding a way to give the user a secure system, MS just shifted the blame. You can't blame Windows now anymore if you get infected. It has a tool that would have told you you're going to get infected, but you turned it off. Shift the blame for the infection to the user, away from the system. That's all UAC is about.
              • by Crayon Kid (700279) on Saturday April 12, 2008 @12:10PM (#23047586)

                Now, the average user turns off UAC. For a simple reason: Imagine some tool you don't know much besides operating it asks you "The futzgrabber in the argamajig wants to mirfl. Cancel or allow?"
                Giving the users some credit (ie. "it helps protect the computer"), I think the reason is simpler than that. Removing UAC is the most obvious solution to the problem (extreme UAC annoyance).

                Let me offer another example: if Linda from Accounting makes for 75% of my daily tech support problems, the most obvious solution for that is not replacing all 2nd floor printers, rewiring Accounting and reinstalling her Windows. It's eliminating Linda.
                • by Opportunist (166417) on Saturday April 12, 2008 @05:02PM (#23049494)
                  But when you tell that to her boss, who is shagging her on a weekly base, it's you who gets eliminated and replaced by someone who stomachs her calls, so your boss continues to get laid.

                  Be wary when trying to eliminate someone who is obviously a moron, chances are good that he or she still has his or her job for a very good, non-work related reason.
              • by Allador (537449) on Saturday April 12, 2008 @05:28PM (#23049636)

                UAC nags you for every little piece of rubbish. 99.999% of those requests are ok.
                By definition, if UAC is nagging you, then its not OK. Either you're purposefully doing something that prompts the system (ie, everything is OK), or some software you're using is doing something bad. Writing user preferences in C:\Program Files\DumbAssApp\prefs.ini is not okay.

                The problem is that the bulk of the 3rd party software developers in the ecosystem use practices that violate the published guidelines and best-practices for the platform, and often use techniques that are indistinguishable from malware.

                Instead of finding a way to give the user a secure system, MS just shifted the blame.
                You kind of argued yourself in a circle there.

                Alot of hand waving about how bad UAC is, it maligns the users, etc etc. And then 'something should be done about it', but no substantive suggestions along those lines.

                Propose a valid alternative that doesnt involve time travel, and your argument might have some weight.

                And whats this stuff about 'blame'? There's no blame, just costs. How would you suggest Microsoft makes incompetent 3rd party developers pay the cost for their sloppy code writing without involving the user in any way?

                What MS has done here is to force the costs of sloppy coding by 3rd party developers to become visible, whereas prior to UAC, if you didnt run as non-admin, you never saw those costs. They were invisibile. MS just made them visible. So now users are bearing the costs of sloppy coding by 3rd party developers, in the hope that the pressure will then be passed on to these devs.

                Unfortunately, MS doesnt have any direct relationship with these vendors, there's no place to have leverage, to make the 3rd party devs do 'the right thing'.

                Overall, it sounds to me like you're just posting here to join in the 'look how much Micro$oft is teh suck' bandwagon, but without actually contributing anything to the conversation. Suggest an alternative thats more substantive than 'something should be done'.

          • by Anonymous Coward on Saturday April 12, 2008 @01:39AM (#23044616)
            HP driver annoyances (their shitty home(/SMB) devices are notorious for this and end up even in larger setups cause of ignorant buyers) can be usually quite easily fixed by searching the registry by device name or ID and giving users group more control over those subtrees. Be aware of security considerations and give only minimal level of extra rights that are neccessary.

            Msconfig is your friend when disabling unneeded startup items. I especially loathe the auto-updaters that get installed by default if you don't know specific installer parameters. Sun java is class A example of that crap, it informs limited users about updates and recommends them to upgrade - only halfway through it throws error message.
        • by repka (1102731) on Friday April 11, 2008 @09:37PM (#23043628)
          Any particular examples? Application designed following guidelines of win95 (e.g. Office) will work properly in Vista and will not even require folder/registry virtualization (btw, I assume a lot of effort went into this feature to minimize UAC prompts and it for some reason is rarely mentioned among usual rants about them).

          I consider the opposite: Microsoft spends too much effort for app-compat. Would Win2k have defaulted users to be "restricted", while win98/ME were viable alternatives (i.e. MS could still cash in on their sale) for compatibility, this effort could have been much more successful and, nowadays, when you try to get Intuit Quickbooks to start under limited user (you don't have much choice in college setting), you didn't have to give write access to whole CLASSES_ROOT registry branch (don't get me started on this...).

          So in short, yes, I believe UAC is a great compromise, which forces lousy coders to reconsider their approach to the stuff they ship.
          • by Jurily (900488) <jurily&gmail,com> on Friday April 11, 2008 @10:59PM (#23044044)
            Yes, it forces coders.

            However, if you're a windows user, and you just upgraded to vista, you see these warnings/questions. What's your first response?

            1. Man, I wish these crappy coders would learn when to require root access
            2. Stupid Vista... I should go back to XP

            Upgrading the security model from a non-visible one to one that requires user attention can be a bitch. MS has a lot of difficult decisions to make these days.

            Just see http://www.joelonsoftware.com/items/2008/03/17.html [joelonsoftware.com].

            (Now, if only someone could show me how to embed nice links here... :) )

            P.S. I use Gentoo.
            • by evanbd (210358) on Friday April 11, 2008 @11:23PM (#23044172)

              (Now, if only someone could show me how to embed nice links here... :) )

              It's a web site. You use HTML. Why most forums insist on making up their own weird and varying markup systems when they're busy using a perfectly good one is completely beyond me, but somehow it's common enough that people expect it.

              (You may have to change your posting options to "HTML formatted." You may then end up wanting to actually include formatting tags in your comments in order to get them to display properly.)

              • by Stormwatch (703920) <rodrigogirao&hotmail,com> on Saturday April 12, 2008 @12:04AM (#23044296) Homepage
                Well, links in BBCode are a bit easier and quicker to write than HTML.
              • by Anonymous Coward on Saturday April 12, 2008 @12:27AM (#23044356)
                Posting anonymous because it's off-topic, but as someone that develops community sites, I'll tell you why using HTML sucks.

                The first reason is output validation. Trying to strip out HTML you don't want users to use without mangling the output is very very hard. This happens on Slashdot all the time, when people use less-than and greater-than symbols in their text -- the parser thinks that they're writing HTML that shouldn't be allowed, and it gets stripped. (Preview, blah blah, whatever. It shouldn't happen.) Unless you're running an intelligent auto-correcting validator like Tidy, or you're parsing the document into a valid object model and then deleting nodes that way (both quite CPU expensive options, compared to running some regular expressions against a string), you're almost certainly going to end up with bad code coming out the other end (either because the parser strips something, or because the end user doesn't know how to write valid HTML), which sucks. With a BBCode, Markdown, or similar parser, you can skip over any invalid markup without breaking the output.

                The second reason is convenience features -- instead of making the user write <p><a href="http://slashdot.org/~evanbd">evanbd</a> said:</p><blockquote><p>It's a web site. You use HTML.</p></blockquote>, you can just have them write [quote=evanbd]It's a web site. You use HTML.[/quote], and the parser will convert that intelligently into valid HTML. If you decide down the line that you want to change the code that's outputted for whatever reason, all you need to do is change the application logic and clear out the caches.

                So, you see, there ARE good reasons. And to be fair to the poster, before this new comment system, Slashdot used to say below the post box what HTML could be used. Now, it's much less intuitive about what markup method to use.

                Cheers,
          • by Silver Gryphon (928672) on Friday April 11, 2008 @11:01PM (#23044056)
            Interestingly enough, Visual Studio 2005 and 2008 under Vista can't access a project stored in a local IIS website unless running as admin. You're explicitly prompted to run the entire session under Administrator account. The alternative is to change your project storage to disk instead of IIS -- maybe not a bad idea, but contradicting their new HTTP based projects of 2002/2003 (as Web services were promoted then too, now web services are actively discouraged for security and scalability reasons. Lessons learned, I guess.)

            Clicking "Run as administrator" is easier and just reinforces the "click through all these dialogs" mentality. I think MS went too far in some of the dialogs; their new push to give detailed explanations is counterproductive, as I don't want to read an essay at that particular time.

            http://msdn2.microsoft.com/en-us/library/aa964620(VS.80).aspx [microsoft.com]

            Still, I agree -- running as admin is dangerous; Linux and Unix had a great approach from their beginnings. Windows needs to catch up to that, and it'll involve a massive effort on the part of the users and developers. Having Ubuntu Linux prompt similar to UAC helps reinforce the principle of running with lowered privileges, and shows that Windows isn't any more evil now that it has UAC, it's just that things were so non-secure before that it's hard as hell to conform to the new guidelines.

        • You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.

          While what you said is true, it can be simplified: You cannot force someone else to follow a particular coding practice.

          For a variety of reasons Windows users grew accustomed to running as full administrators. Large vendors (aka customers) made assumptions when developing for Windows. These assumptions cause problems for a Windows end user (aka the customer) trying to use the large vendor's (aka the other customer's) program. If the user calls the vendor the answer is "run as admin". This conflict is only bad for Microsoft because the end user will put usability over security every day and the large vendor may get sick of dealing with "Windows bugs" and choose a different OS to develop (develop, develop, develop) for.

          Microsoft was really damned if they did and damned if they didn't. It may well be their own fault (due to the original design of DOS) but unless you have a time machine nobody can change that. It seems to me that, while I find UAC to be annoying as hell, they probably did the right thing. By making it pervasive it will help get the Windows security paradigm changed faster than if it was just a gentle suggestion. At the very least they are trying to put it back on the software vendors to focus on security when creating their products--something good for everybody.
    • by tepples (727027) <tepples AT gmail DOT com> on Friday April 11, 2008 @08:54PM (#23043368) Homepage Journal

      If they'd done this from the start, no one would be complaining.
      In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation.
      • Re:Of course... (Score:5, Interesting)

        by Chris Mattern (191822) on Friday April 11, 2008 @09:10PM (#23043474)

        In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation.


        Odd that the same home PC at the time, running Linux, had no trouble at all enforcing it.
      • Re: (Score:3, Informative)

        by init100 (915886)

        Privilege separation is not something that requires a fast CPU and a big amount of RAM. Separate protection rings were introduced by Intel's 80286 processor, which was released in 1982. Other architectures probably had something equivalent even before then.

    • Re:Of course... (Score:5, Informative)

      by CastrTroy (595695) on Friday April 11, 2008 @08:58PM (#23043390) Homepage
      The problem is that even MS hasn't gotten around to removing all the annoying UAC popups based on stuff in their own interface. If you want to rename something in your start menu, you get 3 prompts from UAC. Same goes for moving or deleting something. I get tons of UACs, and most of them are from Windows itself, not other apps.
    • Re:Of course... (Score:5, Insightful)

      by CyberLife (63954) on Friday April 11, 2008 @09:11PM (#23043488)
      To extend your point, the reason UNIX systems don't have UAC-style privilege elevation is due to its history. UNIX came into being, and was largely developed, during an era in which virtually all computers were large, multi-user systems that sat in a back room. An administrator would have to be sitting at a terminal 24/7 just in case somebody came knocking -- quite an unreasonable expectation. As a result, programmers had to get used to the idea of restricted abilities.

      With the desktop computer model, the situation is quite different. Classically-speaking, the user is sitting right at the machine and is the only one using it. They are the administrator as well as the user. There is no expectation of security since nobody else is involved. Windows derives much of its architecture and style from this method of computing.

      Modern-day computing is rapidly moving back toward the shared-computer model. This is occurring somewhat on the front-end (e.g. individual user accounts on a desktop machine for different users), but mostly it's happening on the back-end. Internet servers are very reminiscent of the mainframe-era multi-user model. This is why UNIX is such a good fit for such tasks -- it was designed specifically for it, whereas Windows has had to play catch-up. UAC is a good example of single-user thinking applied to a multi-user problem.
      • Re:Of course... (Score:5, Insightful)

        by Anpheus (908711) on Friday April 11, 2008 @10:10PM (#23043810)
        Last I remember, registering an account on Slashdot didn't give me a user account on the Linux server.

        UNIX being "such a good fit for such tasks" is completely off-base and irrelevant to the discussion. The software that runs on the OS determines my interactions, and the "privileges" being imparted to registered users, such as allowing me to post a message and have my account name appear above it, are not at all imparted by the multi-user sensibilities of the OS the web server is running off of.

        I guarantee Slashdot could run off Windows or Linux boxes and you or I wouldn't know the difference.
      • Re:Of course... (Score:5, Insightful)

        by Anonymous Coward on Friday April 11, 2008 @11:37PM (#23044222)
        That's about it in a nutshell, but it is a little more complicated than that.

        UNIX legacy lies in Multics which was designed to work along side big iron hardware with hierarchical protection domains that provide the mechanism to restrict the access of a process to resources. UNIX, being directly derived from Multics, benefitted from this lineage by having such robust security throughout it's design at the expense of not being able to run on commodity hardware.

        Windows's legacy lies in DOS, which was designed to run on commodity hardware that completely lacked these capabilities. Without hierarchical protection rings the OS had absolutely no ability to enforce any form of resource management. Even if there were enough hardware resources to allow for the OS to have more than a few resident functions in memory, every application still had full and complete control over all of the hardware, and a lot of them made the most of it for performance reasons. It didn't matter how many users there were; security was simply not an option.

        When Windows NT was being developed the correct choice was made to completely isolate the older processes to an emulator. Unfortunately this meant that any process written within the last 5 years ran like garbage. Towards the end of the 16-bit era programmers got very creative in overcoming both the limitations of DOS and squeezing every last cycle out of the hardware. This made emulation exceedingly difficult and prone to failure. Companies were sticking to Windows 3.x rather than jumping to NT because of the failure to support legacy applications perfectly.

        When Microsoft developed Windows 95 they reversed that decision and kept the 16-bit DOS core, both for compatibility with legacy applications (particularly games), development time and performance. This enabled the large DOS library to work without a hitch on Windows 95 at the sacrifice of locking down the security model. Without that programmers were able to and continued to shirk the basic security guidelines set forth by Microsoft and write applications that required full access, if not direct kernel access.

        Microsoft is trying to have their cake and eat it too. UAC is three things:

        First, it tries to prepare the user for life as a non-admin. Everyone is used to being admin, and if being admin means not having to think about security then people will continue to be admin. However, if admin isn't really admin unless you really mean it, then admin feels like a normal user. The disadvantage to this is that users will become jaded to the prompt, particularly at this stage when it's fairly prevalent.

        Second, it does force the application developers to make correct decisions and follow the written guidelines. An application that does so will never, ever see a UAC prompt and will run perfectly fine under UAC, and under a normal user context. These guidelines have been a part of the Windows Logo process since Windows NT was first released. Hopefully, as more application developers catch on the UAC prompts will become significantly more infrequent, and applications that require escalation for specific tasks will follow the procedures to inform the user of this fast and request escalation internally only for that task.

        Third, it tries to silently handle programs that do stupid things by "virtualizing" their actions. The vast majority of applications that require administrative access only do so because they try to write either to the %PROGRAMFILES% directory or the HKEY_LOCAL_MACHINE hive of the registry. So, with UAC enabled, attempts to write to these locations are silently redirected to the user's profile. The task succeeds, the application is happy and the user is happy.

        You could argue that the route Apple took was better. I wouldn't disagree, but these kinds of business decisions are complex. Apple basically gets to say "fuck you" to everyone every ten years and they largely live with it. I'm not sure the people would be so forgiving with Microsoft, even if doi
        • Re:Of course... (Score:5, Informative)

          by Weedlekin (836313) on Saturday April 12, 2008 @07:12AM (#23045846)
          "UNIX, being directly derived from Multics, benefitted from this lineage by having such robust security throughout it's design at the expense of not being able to run on commodity hardware."

          Except of course Microsoft's Xenix, which Altos ported to the 8088 in 1982, and SCO offered for the IBM PC in 1983 (MS licensed Xenix source code OEMs and software companies rather than selling the finished product directly to end-users). A lot of people seem to forget that MS were UNIX licensees in 1979 and added several BSD elements to the V7 code they got from AT&T when designing Xenix. All of this happened quite a while before they bought QDOS to satisfy IBM's requirement for a CP/M-like system.

          "Windows's legacy lies in DOS, which was designed to run on commodity hardware that completely lacked these capabilities."

          Windows' legacy is actually the Lisa and Macintosh, which were what inspired MS to write it. It's a single user system because the Mac was a single user system, and MS chose to use DOS as a launcher because they were aiming it at users of machines that already had DOS and software for it on them. If they'd chosen to use a different OS with a different file structure that required different software, they'd have risked pissing off their potential customer base. Selling a graphical shell that ran on top of DOS but offered multi-user and and pre-emptive multitasking on the other hand would have pissed off IBM, whose contract with MS forbade them from offering those facilities in DOS or DOS-based software to ensure the PC didn't compete with their then lucrative minicomputer business. And as neither were necessary for a Mac-like experience, MS decided to take the route that rubbed the least people up the wrong way.
  • by starglider29a (719559) on Friday April 11, 2008 @08:16PM (#23043152)
    Mac OSX has prompts for authorization also. It doesn't bother me like Vista does. Why not? I didn't really catch it... until I realized that I could ignore the dialog box and get something done before allowing an update/reboot or whatever. Something that simple and the whole problem goes away!
  • If this is true... (Score:5, Informative)

    by pionzypher (886253) on Friday April 11, 2008 @08:17PM (#23043162)
    It is an idiotic approach. Vista is the one being annoying....how could someone predict that end users would blame the applications and not the os that's to blame? Not to mention the whole issue of purposely designing a ui to annoy paying customers, to pressure 3rd parties to change.

    Bad idea all around if this was their intention at design.
    • Re: (Score:3, Insightful)

      by corsec67 (627446)
      Yep, the proper way to do this would be to have UAC like crazy when running an app in debug/test mode, and leave the customers alone. If they want to put pressure on the 3rd party developers, then they should do that directly, and not mess with everyone in hopes that the pressure would kind of go back to the 3rd party developers.

      That assumes that 3rd party developers care at all about the customer experience, which if you look at Norton/McAfee, is very dubious.

      And then give the customers something reasonabl
    • by Shihar (153932) on Friday April 11, 2008 @08:31PM (#23043240)
      I don't think that is what he really meant. What MS is trying to do is actually the right thing. MS wants to make it access privileges more like Linux. It wants to make it so that random programs can't run a muck with admin privileges. This is MS's attempt to get application makers to stop requesting privileges that they don't need because they are too lazy to program it the right way.

      Look, I'll be the first to decry Vista as a piece of shit, but despite all of Vista's flaws, trying to restrict access of programs is a good thing.

      Personally, I think that MS is slowly learning. MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around. MS looks old and faded while Apple has a solid product combined with a marketing machine of d00m (Microsoft always sucked at marketing). MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.

      I mean hell, what do you think of when you think of Apple? Shinny plastic with a hipster in a coffee shop. What do you think of when you think of MS? A moldy office.
      • by MRiGnS (1125139) on Friday April 11, 2008 @08:57PM (#23043384)

        MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.
        I'm pretty sure MS isn't as afraid of Apple as they are of Linux. You might be able to buy/bribe/whatever stock holders, but almost impossible to buy out GNU/Linux. Even if they would get Linus on their side, there would be some nerds releasing GNU/Xunil (That's the point where you might laugh) just a couple of minutes after the announcement. The only thing they may fear is in fact FOSS reaching critical mass.

        MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around.
        I wonder what happens as windows7 is supposed to break the binary compatibility
      • off topic (Score:3, Informative)

        FYI run a muck is wrong. There is no muck. It's run amok [merriam-webster.com].
      • Re: (Score:3, Interesting)

        by dhavleak (912889)

        I don't think that is what he really meant. What MS is trying to do is actually the right thing.

        You're dead right.

        I attended RSA and I was present at David Cross's talk today. His intent seemed more to grab the attention of a group of people with high-level to detailed security concepts, and it got the desired result. Unfortunately for him, some reporter/blogger blew it out of context and out of proportion, writes a sensational headline, and the result is this thread. What I got from the talk was "we knew UAC would bug users, but it was still the right thing to do -- we had to fix this bad habit of d

    • by Naughty Bob (1004174) * on Friday April 11, 2008 @08:46PM (#23043334)

      If this is true....
      I think it's just that the story submitter accidentally included the letters UAC in the headline.
  • oblig. (Score:5, Funny)

    by cvd6262 (180823) on Friday April 11, 2008 @08:20PM (#23043180)
    It appears you are trying to make a snide comment.
    [Cancel] [Allow]
  • by fatmal (920123) on Friday April 11, 2008 @08:25PM (#23043210)
    It Worked!
  • by the_other_one (178565) on Friday April 11, 2008 @08:28PM (#23043224) Homepage
    whatcouldpossiblygowrong
  • by Deviant (1501) on Friday April 11, 2008 @08:28PM (#23043226)
    I think there is going to be quite a bit of criticism of MS for this but basically you see UAC prompts where you would have to do a su or sudo to get the job done as a starndard user in Linux/Unix. The reason you don't have to do those all the time in Linux is that the application writers do not write their apps to require constant root priviledge escalations. There is one app that I couldn't get working properly in Fedora 8 without running it with a sudo - Nero Linux - and it annoyed me quite a bit.

    MS needs to drag both its users and those who write windows applications along to the limited security model we all need each other to be using for the good of the internet. It was always going to be painful.

    The one criticism that I have of the system/model in practice is the start menu - and that is all MS! I try to organize my start menu and I see several dialogs. I would be much more on-board with only one Cancel or Allow for an operation like that...
  • by danielsfca2 (696792) on Friday April 11, 2008 @08:32PM (#23043254) Journal
    I'm not MS's biggest fan. But this isn't the worst strategy ever.

    It's actually pretty logical that if you make running these retarded apps annoying, you can force the vendors to fix them.

    But MS faces a big obstacle in that strategy--the fact that moving back to XP fixes the problem as well, from the user's perspective. And of course, the fact that doing so also makes today's computers 3x more responsive.

    It's a shame... I would love a world where Vista caught on but UAC didn't have to pop up ever unless something truly administrator-ish were really going on. Then all my users could be Users.
  • by dpbsmith (263124) on Friday April 11, 2008 @08:34PM (#23043268) Homepage
    This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.

    It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."

    This latter option would have been particularly useful during the beta phase.

    After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.

    What Microsoft did doesn't sound as if they serously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.

    • Authenticode (Score:3, Informative)

      by tepples (727027)

      But if they really meant for it to work, then developers would have been required to embed usable contact information in the application.
      That's what Authenticode was designed for. But not all developers can afford 2,495 USD for a five-year Authenticode certificate from VeriSign. Microsoft doesn't want to block unsigned applications from running on new versions of Windows, as it would only encourage businesses who rely on unsigned vertical market apps to stick with old Windows.
    • by Dogun (7502) on Friday April 11, 2008 @10:20PM (#23043854) Homepage
      The problem is that the UAC prompt also has to work with legacy applications which don't have contact information. :)

      'don't warn me about this again' - presuming an app was trusted once at install-time, it's just going to go write the 'oh, the user allowed me permanantly, it's ok' setting wherever it turns out that is stored. Then they have no incentive to fix their design issues.

      The problem isn't UAC, it's the fact that windows developers aren't writing for the standard user.
    • by rastoboy29 (807168) on Friday April 11, 2008 @10:28PM (#23043904) Homepage
      Worse, I think they  just did it as a CYA strategy, as opposed to trying to find a real solution.  It's an attitude all too prevalent in corporate America.

      Having spent most of my professional life at small companies, when I started working at larger ones in the last few years I was appalled, disgusted, and amazed to see that MOST of the employees spent their time worrying only about CYA, as opposed to doing a good job.

      What a bunch of fucking pussies.
  • by OMNIpotusCOM (1230884) * on Friday April 11, 2008 @08:38PM (#23043288) Homepage Journal

    It does make sense, when you think about it, since they've found step 2 and patented a frustration detection system [slashdot.org].

    I have to steal this comment from one of the posts from that story, but...

    Step 1: Make frustration and annoying software
    Step 2: Patent frustration detection system
    Step 3: Profit.

  • C:\Program Files\ (Score:5, Interesting)

    by WoTG (610710) on Friday April 11, 2008 @08:51PM (#23043356) Homepage Journal
    This reminds me of the c:\program files\ as a default install folder. I think it started with Windows 95. I read somewhere, years after the launch, that it was specifically chosen to force programmers to handle long file names properly.

    Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.

    IMO, the UAC did not have to be as annoying as it is. All they needed was a "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
    • Re: (Score:3, Interesting)

      by tepples (727027)

      All they needed was a "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt.
      Had Microsoft made it system-wide like some antivirus utilities do, any malware running in the background could detect that the 5 minutes have started and do its dirty work.
  • by flyingfsck (986395) on Friday April 11, 2008 @08:54PM (#23043372)
    Microsoft added spaces in system directories to annoy users too I'm sure and specially neglected to make links to network folders work with spaces and left it like that for the past 13 years, to ensure that you cannot copy and paste a spacy network path from Windows Explorer into Outlook and email it to someone else in the company. All that only to annoy their users...
    • Re: (Score:3, Interesting)

      by CastrTroy (595695)
      Just like they don't give you an option to stretch the wallpaper image without screwing up the aspect ratio. A feature that would take 20 minutes to program, but it's left out, simply to annoy the users.
    • Re: (Score:3, Informative)

      by brentrad (1013501)
      Before pasting your network link, type <<, paste the link, then >>. Like so:

      <<\\network name\here>>

      Outlook will remove the first < and last >, and turn it into a clickable hyperlink. Not at all obvious, but it is possible to do it.
      • Re: (Score:3, Informative)

        by El_Oscuro (1022477)
        Putting double quotes around them will work too. Almost as intuitive as vi. I just figured out the quote trick a few days ago, and I have been trying to get this to work for years. Frustrated, I just *tried* it, and OMG it actually worked! Maybe someday, I will be able to enter an outline without Word scrambling my fonts at random intervals...
  • by Animats (122034) on Friday April 11, 2008 @09:01PM (#23043418) Homepage

    Microsoft is right. Most applications should never have administrator privileges, not even during installation. It's way past time to tighten the screws.

  • by Todd Knarr (15451) on Friday April 11, 2008 @09:02PM (#23043426) Homepage

    The basic idea's sound. The problem is that, given the implementation, users view the problem as being UAC and/or Vista, not the apps. After all, the apps work just fine if you turn those annoying dialogs off or go back to XP. If the users don't view the app as the cause of the problem, they won't pressure the app vendor to do anything about it. Idea fails.

    I prefer the Unix approach. The OS doesn't pop up any dialog, or offer the user any choice. If an app does something it doesn't have privileges for, it gets an ENOPRIV returned from that call and isn't allowed to do that. How the app handles it from there is up to the app, but there's no easy way to make the errors go away at the system level (most modern Unixes are set up to make it inconvenient to log in or run programs as root, and only root can install a program setuid-root).

    • by Anpheus (908711) on Friday April 11, 2008 @10:18PM (#23043848)
      Have you used Linux recently? Most programs that receive the lack of permission that are GUI based will ask to run with gksudo or provide a means for you to do so.

      Programs run within the terminal will usually just tell you that you lack permission, please try again.
    • Re: (Score:3, Informative)

      by dioscaido (541037)
      You really think that the better approach would be to switch people to limited user, and let the majority of windows apps fail? Seriously? If people complain about UAC this vocally, they'd certainly complain that nothing runs at all. Or am I misunderstanding your point?

      The goal here is to push windows apps to finally run as limited user. I think with UAC they found a fairly ingenious middle ground -- everyone runs as limited user, but elevating to administrator is very simple (but annoying). Whatever versio
  • by actionbastard (1206160) on Friday April 11, 2008 @09:03PM (#23043432)
    Microsoft Designed UAC to Annoy Slashdot Users.

    There. All better.
  • Well..... (Score:4, Funny)

    by Anonymous Coward on Friday April 11, 2008 @09:07PM (#23043454)
    Aha! They annoyed me so much that I actually switched to linux. /success
  • by pablomme (1270790) on Friday April 11, 2008 @09:40PM (#23043642)

    UAC is not a bad idea. True, they could have gone the gksudo way and allow a window of time before asking for permission again. And then they could ask for a password instead of getting people in the habit of clicking away past warning windows. But still, it's not a bad thing.

    They also had to stop programs from storing settings and user stuff under the write-restricted "Program Files" folder.

    Now, annoying users intentionally to exert pressure on software vendors is just twisted.

    UNIX/Linux users may want to have a little thought about what things would be like without the SUID facility ('ping', anyone?), and, on the other hand, the security implications of SUID. I was shocked when I read the example at page 249 of the UNIX Haters' Handbook, which illustrates the problem of blindly trusting your PATH with a simple example in which you can trick your system administrator into providing you with a root shell binary. Tried it. It works.

    Not that this has prevented me from ditching Windows Vista in favour of Ubuntu on my laptop (desktop to follow when Ubuntu 8.04 is released).

  • End result (Score:3, Funny)

    by edwardpickman (965122) on Friday April 11, 2008 @09:55PM (#23043736)
    Uograde to Vista, Cancel or Allow. Cancel.
  • by JustNiz (692889) on Friday April 11, 2008 @10:05PM (#23043782)
    UAC is totally ineffective as as its one of the first things nearly everyone turns off because its so damned annoying.
  • I have been asked and wondering why Microsoft has such a bad track record in security and user access control especially since recent Windows have been built on NT which comes from OS/2 and VMX. According to me it's fairly simple: group permissions. Look at a default Linux/Unix-style installation, you have about 20 groups to start out with. If you're a desktop user, usually you're a member of audio, video, games, cdrom and user. On a Windows machine you're either a User or an Administrator. The way the Linux kernel and it's modules are built, if you need direct access to hardware, you can either be root (not good) or you can access it through it's /dev entry which has group permissions.

    So if you want to play music, you can access the hardware (albeit through a kernel module) by making yourself member of the group audio. In Windows however, if you need direct access, you can either use DirectX or a process (daemon) or become an Administrator so you can get to the kernel. There is no group Audio that has only access to the Audio-part of the kernel. As soon as you need direct access for real-time anything, you can't really add yourself to any group to do so.

    This of course goes way back before desktops were running NT versions (like 2000 or XP). Before, Windows was running on top of DOS, developers could just code directly into the hardware (just load dos4gw), there is no access control in DOS. DOS was also not meant to be running any services or be connected to a network that's where the whole thing with virusses got started, anything that was running could simply request a hook into the BIOS, under the hood, protected memory was regulated with emm386 while Windows 95-ME all used the faster, less secure himem.sys. Microsoft merged together the NT and DOS and made it into 2000 and XP. There were no extra permissions added for desktop users, the pure server model was coded around to allow for desktop speed and real-time access to hardware, never giving any thought that actually running all services that hook into hardware as Administrator would give problems.
  • by HAKdragon (193605) <[hakdragon] [at] [gmail.com]> on Friday April 11, 2008 @10:28PM (#23043906)
    Well, I guess they really blue that one.
  • tag:nagware (Score:5, Insightful)

    by Jurily (900488) <jurily&gmail,com> on Friday April 11, 2008 @11:07PM (#23044094)
    What they didn't anticipate though, is people screening out the warnings. Yes, it's important for you, the developer. No, it's not important for the user, who only wants to Get Stuff Done (tm).

    If the same yes/no question pops up every 10 minutes, don't expect a different answer when it says "Do you want to install spyware, adware, a couple of trojans, and [whatever they actually wanted to install]?".

    Remember, users don't read. Not because they're incapable, they have more important things to do.
  • by thewils (463314) on Saturday April 12, 2008 @01:27AM (#23044574) Journal
    There, fixed it for you.

    In fact, now I come to think of it, Microsoft designed all of Windows to annoy users. I use it and man, I'm annoyed as hell right now.
  • by Killer Eye (3711) on Saturday April 12, 2008 @03:18AM (#23044972)
    If UAC dialogs are annoying and unnecessary, they're really just behaving like other Windows alerts. There's a whole mentality on the platform for being irritating and bothering users with pointless information.

    Still, this was a new class of alert, to be taken seriously. Microsoft had a chance to break with "tradition" and put real thought into what would make a useful dialog, such as (only) information critical for making a good decision and prompting no more than necessary. But instead, we have self-congratulatory "aren't you glad we're looking out for your computer" text, a lot of color, and "abcapqyt.exe" as the only thing distinguishing one UAC dialog from the next. The dialogs therefore essentially read as "You have no idea WTF is running. [OK]" to most people.

    I compare this to legalese. Microsoft is taking the "throw 400 pages of crap in the user's face, make them entirely responsible for understanding the ramifications, if they click OK they're responsible" approach to security. When I see legal documents, I *really* appreciate companies who go to the effort to "humanize" what they present. In about a paragraph of extremely readable English, they say hey, this is what we're talking about here, and this is why we have this agreement. Why *couldn't* UAC dialogs do the security equivalent of this deciphering for users, so "abcapqyt.exe" is not my only clue?

It's a poor workman who blames his tools.

Working...