Microsoft Designed UAC to Annoy Users

I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was 'to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."

If this is true...

[pionzypher]

It is an idiotic approach. Vista is the one being annoying....how could someone predict that end users would blame the applications and not the os that's to blame? Not to mention the whole issue of purposely designing a ui to annoy paying customers, to pressure 3rd parties to change.

Bad idea all around if this was their intention at design.

Re:A difference so subtle, I nearly missed it

[cnettel]

You can configure to be like that with group policy. The official reason for the current default was that no ordinary process should be able to interfere with user input or fake the UI (i.e. showing some other always-on-top window with a different text that moves away just before the click etc etc). If you can accept that, just turn UAC into "same-desktop" mode, while not turning it off completely.

Re:Turning off UAC doesn't require UAC confirmatio

[Anonymous Coward]

This is incorrect. The registry key in question is protected by permissions and by default requires you to be running as Administrator in order to make changes. If UAC is on, then to get a command prompt, regedit, etc running with Admin rights requires UAC approval somewhere along the line.

UAC is not about confirming specific actions like changing registry keys. It is about giving Windows permissions to use admin-level privileges. For example, once you allow a command prompt to run with your admin token, it can then launch admin-level tasks without any new prompts.

Re:Of course...

[CastrTroy]

The problem is that even MS hasn't gotten around to removing all the annoying UAC popups based on stuff in their own interface. If you want to rename something in your start menu, you get 3 prompts from UAC. Same goes for moving or deleting something. I get tons of UACs, and most of them are from Windows itself, not other apps.

Re:Of course...

[Z34107]

It does - if you're on a limited account.

It's only if you're logged in as administrator that you don't have to provide a password - you already did when you logged on.

Think of it this way - with UAC, even root has to sudo.

Authenticode

[tepples]

But if they really meant for it to work, then developers would have been required to embed usable contact information in the application.

That's what Authenticode was designed for. But not all developers can afford 2,495 USD for a five-year Authenticode certificate from VeriSign. Microsoft doesn't want to block unsigned applications from running on new versions of Windows, as it would only encourage businesses who rely on unsigned vertical market apps to stick with old Windows.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Of course...

[tepples]

Odd that the same home PC at the time, running Linux, had no trouble at all enforcing it.

Then I said it wrong. Please let me rephrase: "In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation while running a graphical user interface." Or did you manage to usefully run X11 on a 486 PC with 8 MB of RAM?

Re:sudo because burning a CD-R is irreversible

[msuarezalvarez]

Sure. Authorization happens now automagically in any semi modern distro. There's a lot of infrastructure that was developed to handle those situations---and many more, of course.

Re:Of course...

[bflong]

Or did you manage to usefully run X11 on a 486 PC with 8 MB of RAM?

Yes. And before that it was a 386sx 16mhz. Worked fine. With X. And a web server running in the background, serving over dialup w/ static IP. Uphill. Both ways!

I'm serious about everything but the uphill both ways thing. I used that thing every day for at least a year. I don't remember it being slow, but I imagine it would seem so today.

Re:Like "Program Files" and "My Documents"

[brentrad]

Before pasting your network link, type <<, paste the link, then >>. Like so:

<<\\network name\here>>

Outlook will remove the first < and last >, and turn it into a clickable hyperlink. Not at all obvious, but it is possible to do it.

Re:At last, a little truth from MS

[Mongoose Disciple]

UAC does none of those things in the real world. It is a horrible security mechanism, it slows down every day usage of most PCs, it causes endless annoyance to users.

This kind of statement has been puzzling to me since I installed Vista on one of my machines, since I don't see UAC pop-ups unless:

1) I'm installing something new.
2) I'm running some executable I just downloaded through my web browser, or
3) I'm running something written in the 90's.

The first two cases being times I'm glad the prompt is there and the third being more or less acceptable to me since we're talking about 9+ year old software. Often I'll go weeks at a time withotu seeing a UAC prompt.

Re:Like "Program Files" and "My Documents"

[El_Oscuro]

Putting double quotes around them will work too. Almost as intuitive as vi. I just figured out the quote trick a few days ago, and I have been trying to get this to work for years. Frustrated, I just *tried* it, and OMG it actually worked! Maybe someday, I will be able to enter an outline without Word scrambling my fonts at random intervals...

Re:Good idea, bad implementation

[Anpheus]

Have you used Linux recently? Most programs that receive the lack of permission that are GUI based will ask to run with gksudo or provide a means for you to do so.

Programs run within the terminal will usually just tell you that you lack permission, please try again.

Re:At last, a little truth from MS

[Spy der Mann]

No company would design something to annoy users.

Hello... clippy?

off topic

[martin-boundary]

FYI run a muck is wrong. There is no muck. It's run amok [merriam-webster.com].

Re:Good idea, bad implementation

[dioscaido]

You really think that the better approach would be to switch people to limited user, and let the majority of windows apps fail? Seriously? If people complain about UAC this vocally, they'd certainly complain that nothing runs at all. Or am I misunderstanding your point?

The goal here is to push windows apps to finally run as limited user. I think with UAC they found a fairly ingenious middle ground -- everyone runs as limited user, but elevating to administrator is very simple (but annoying). Whatever version of windows is around in 5-10 years will likely not need UAC, because the windows app ecosystem will finally be limited user friendly.

Re:A difference so subtle, I nearly missed it

[Anonymous Coward]

Clearly you don't run as multiple users on the same box. Finder as an interface is very unfriendly regarding permissions, even the "Shared" user folder really isn't. Frequently the simple permission command Apply to All Enclosed Items just won't traverse a directory tree at all, and by default it's not possible to ignore permissions selectively on folders.

Thankfully it's quick to switch users, but too often I get a whole series of prompts when I want to move or delete a file, or worse, a program will crash because a destination folder is not writeable. As a result I keep my user passwords VERY short, which has it's own problems... essentially the lauded security of the keychain is being self defeating, as I just want to keep it out of my face.

Re:Of course...

[fizzup]

Period PC hardware absolutely was capable of running X11. I bet quite a few idiots like myself did it at the time.

First, an 80486 was not really period hardware. The Pentium classic was on the market at the time that Windows 95 came out, clocked at 100MHz. It had been around for almost a year at that speed. This processor is a few percent as fast as modern CPUs.

Now, if you were to put Gnome or KDE on this hardware, it would be a pig. For me, I ran the Open Look Window Manager. It looks like this [xwinman.org], which I think looks a little bit worse than Windows for Workgroups. But, man, is it lean.

All rolled up, that window manager, using colour depth common in the period, is probably more than ten times faster than a modern desktop. Through the mists of time, I'd say that Ubuntu, with modern hardware, seems a good three or four times faster than that old unix box, which fits.

For what it's worth, the experience was about as fast as the Sun boxes I had used at university a few years before. IIRC, they were running microSPARC I processors at 40Mhz. I don't remember the RAM, though. They ran OpenLook as well,which is why I used it a few years later. I was used to it.

You should know that X11 was released in 1987. It's not like they wrote and debugged it by desk checking, yeah? It ran on workstations available 20 years ago. Moore's law says there were five doublings of transistors per unit area between 1987 and 1995. To say that hardware in 1995 was too slow to handle security, protection, and a GUI is false on its face.

Re:And Microsoft was the biggest offender.

[evanbd]

(Now, if only someone could show me how to embed nice links here... :) )

It's a web site. You use HTML. Why most forums insist on making up their own weird and varying markup systems when they're busy using a perfectly good one is completely beyond me, but somehow it's common enough that people expect it.

(You may have to change your posting options to "HTML formatted." You may then end up wanting to actually include formatting tags in your comments in order to get them to display properly.)

Re:And Microsoft was the biggest offender.

[Anonymous Coward]

Posting anonymous because it's off-topic, but as someone that develops community sites, I'll tell you why using HTML sucks.

The first reason is output validation. Trying to strip out HTML you don't want users to use without mangling the output is very very hard. This happens on Slashdot all the time, when people use less-than and greater-than symbols in their text -- the parser thinks that they're writing HTML that shouldn't be allowed, and it gets stripped. (Preview, blah blah, whatever. It shouldn't happen.) Unless you're running an intelligent auto-correcting validator like Tidy, or you're parsing the document into a valid object model and then deleting nodes that way (both quite CPU expensive options, compared to running some regular expressions against a string), you're almost certainly going to end up with bad code coming out the other end (either because the parser strips something, or because the end user doesn't know how to write valid HTML), which sucks. With a BBCode, Markdown, or similar parser, you can skip over any invalid markup without breaking the output.

The second reason is convenience features -- instead of making the user write <p><a href="http://slashdot.org/~evanbd">evanbd</a> said:</p><blockquote><p>It's a web site. You use HTML.</p></blockquote>, you can just have them write [quote=evanbd]It's a web site. You use HTML.[/quote], and the parser will convert that intelligently into valid HTML. If you decide down the line that you want to change the code that's outputted for whatever reason, all you need to do is change the application logic and clear out the caches.

So, you see, there ARE good reasons. And to be fair to the poster, before this new comment system, Slashdot used to say below the post box what HTML could be used. Now, it's much less intuitive about what markup method to use.

Cheers,

Re:A difference so subtle, I nearly missed it

[Anonymous Coward]

It's controlled in the back by a simple registry key that all versions of Vista will honour. The Group Policy UI might be missing, but the setting's still there, and there are programs to replace that UI (TweakUAC comes to mind).

Re:Of course...

[init100]

Privilege separation is not something that requires a fast CPU and a big amount of RAM. Separate protection rings were introduced by Intel's 80286 processor, which was released in 1982. Other architectures probably had something equivalent even before then.

Re:Driver and login annoyances

[Anonymous Coward]

HP driver annoyances (their shitty home(/SMB) devices are notorious for this and end up even in larger setups cause of ignorant buyers) can be usually quite easily fixed by searching the registry by device name or ID and giving users group more control over those subtrees. Be aware of security considerations and give only minimal level of extra rights that are neccessary.

Msconfig is your friend when disabling unneeded startup items. I especially loathe the auto-updaters that get installed by default if you don't know specific installer parameters. Sun java is class A example of that crap, it informs limited users about updates and recommends them to upgrade - only halfway through it throws error message.

UAC is no different than any Windows alert

[Killer Eye]

If UAC dialogs are annoying and unnecessary, they're really just behaving like other Windows alerts. There's a whole mentality on the platform for being irritating and bothering users with pointless information.

Still, this was a new class of alert, to be taken seriously. Microsoft had a chance to break with "tradition" and put real thought into what would make a useful dialog, such as (only) information critical for making a good decision and prompting no more than necessary. But instead, we have self-congratulatory "aren't you glad we're looking out for your computer" text, a lot of color, and "abcapqyt.exe" as the only thing distinguishing one UAC dialog from the next. The dialogs therefore essentially read as "You have no idea WTF is running. [OK]" to most people.

I compare this to legalese. Microsoft is taking the "throw 400 pages of crap in the user's face, make them entirely responsible for understanding the ramifications, if they click OK they're responsible" approach to security. When I see legal documents, I *really* appreciate companies who go to the effort to "humanize" what they present. In about a paragraph of extremely readable English, they say hey, this is what we're talking about here, and this is why we have this agreement. Why *couldn't* UAC dialogs do the security equivalent of this deciphering for users, so "abcapqyt.exe" is not my only clue?

Re:And Microsoft was the biggest offender.

[ZERO1ZERO]

Totally spot on. But as long as the input form has some instructions it's neither here nor there e.g. I didn't know till now apparantly

URL:http://example.com/ will auto-link a URL

(enclose in angle brackets). Let's see http://slashdot.org/ [slashdot.org]

No idea how to escape code blocks to show the exact code though.

Re:Of course...

[Weedlekin]

"UNIX, being directly derived from Multics, benefitted from this lineage by having such robust security throughout it's design at the expense of not being able to run on commodity hardware."

Except of course Microsoft's Xenix, which Altos ported to the 8088 in 1982, and SCO offered for the IBM PC in 1983 (MS licensed Xenix source code OEMs and software companies rather than selling the finished product directly to end-users). A lot of people seem to forget that MS were UNIX licensees in 1979 and added several BSD elements to the V7 code they got from AT&T when designing Xenix. All of this happened quite a while before they bought QDOS to satisfy IBM's requirement for a CP/M-like system.

"Windows's legacy lies in DOS, which was designed to run on commodity hardware that completely lacked these capabilities."

Windows' legacy is actually the Lisa and Macintosh, which were what inspired MS to write it. It's a single user system because the Mac was a single user system, and MS chose to use DOS as a launcher because they were aiming it at users of machines that already had DOS and software for it on them. If they'd chosen to use a different OS with a different file structure that required different software, they'd have risked pissing off their potential customer base. Selling a graphical shell that ran on top of DOS but offered multi-user and and pre-emptive multitasking on the other hand would have pissed off IBM, whose contract with MS forbade them from offering those facilities in DOS or DOS-based software to ensure the PC didn't compete with their then lucrative minicomputer business. And as neither were necessary for a Mac-like experience, MS decided to take the route that rubbed the least people up the wrong way.

Re:Of course...

[quux4]

I just checked an XP system I had running. Of 78 processes, 15 (19%) running as SYSTEM.

On Vista, 18 out of 64 (28%) running as SYSTEM.

On an Ubuntu (Dapper) system: 73 out of 119 (61%) were running as root.

On a Fedora (FC4) system: 117 out of 138 (85%) were running as root.

On a CentOS system: 76 out of 96 (79%) were running as root.

All are fairly default systems - no extra-special attention given to lockdown, and certainly none of the services/daemons were changed to run as nondefault users. The FC4 and CentOS systems are servers; the others are desktop systems.

Re:And Microsoft was the biggest offender.

[cdf123]

setfacl -m u::r,g::r,u:bob:rw,o::000 afile

There you go, the user (owner) has read, the specific user (bob) has read/write, the group has read, and others have nothing. Looks easy to me...

Re:Like "Program Files" and "My Documents"

[brentrad]

They finally took the 20 minutes, and fixed that in Vista. For desktop backgrounds, you now have 5 options:
1) fit to screen (ignores aspect ratio)
2) tile
3) center (original picture size)
4) maintain aspect ratio (stretches to fit screen while maintaining aspect ratio)
5) crop to fit screen