Microsoft Designed UAC to Annoy Users 571
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was 'to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
Re:If this is true... (Score:5, Interesting)
Look, I'll be the first to decry Vista as a piece of shit, but despite all of Vista's flaws, trying to restrict access of programs is a good thing.
Personally, I think that MS is slowly learning. MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around. MS looks old and faded while Apple has a solid product combined with a marketing machine of d00m (Microsoft always sucked at marketing). MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.
I mean hell, what do you think of when you think of Apple? Shiny plastic with a hipster in a coffee shop. What do you think of when you think of MS? A moldy office.
Re:Not that bad a strategy, really. (Score:4, Interesting)
C:\Program Files\ (Score:5, Interesting)
Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.
IMO, the UAC did not have to be as annoying as it is. All they needed was an "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
Like "Program Files" and "My Documents" (Score:4, Interesting)
Re:If this is true... (Score:5, Interesting)
Re:Turning off UAC doesn't require UAC confirmatio (Score:4, Interesting)
I can disable UAC using regedit, using msconfig, gpedit.msc, User Account applet. Each and every method raises a UAC consent prompt.
Re:you, my friend, made an incorrect assumption... (Score:1, Interesting)
Re:Of course... (Score:5, Interesting)
Odd that the same home PC at the time, running Linux, had no trouble at all enforcing it.
Re:C:\Program Files\ (Score:3, Interesting)
Re:Like "Program Files" and "My Documents" (Score:3, Interesting)
Re:And Microsoft was the biggest offender. (Score:5, Interesting)
> when your coders do not do so themselves.
It's shamefully pervasive. In my years of developing software for Windows, I've rarely seen other developers NOT running Windows as admin -- basically developing apps completely blind as to what permissions they may or may not need. (I finally got religion 5-6 years ago after a nasty virus.) Now, every time I log in, I get several ugly little error messages due to HP drivers and other startup bits and pieces not having God access under a normal user account. I think Win developers -- QA and project owners too -- need to feel some personal UAC pain.
Re:Of course... (Score:5, Interesting)
Then I said it wrong. Please let me rephrase: "In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation while running a graphical user interface." Or did you manage to usefully run X11 on a 486 PC with 8 MB of RAM?
No that doesn't make sense either. How about "windows was never meant to be networked so multi user protection wasn't built in from the start"
Re:Not that bad a strategy, really. (Score:2, Interesting)
Vista has had many issues (UAC and Drivers being my biggest complaints), but it has been my primary OS since NVIDIA finally released a stable driver back in December.
It's taken nearly a year since commercial introduction, but it is now a quite stable OS. I haven't seen a system crash since December (previously 90% + due to NVIDIA's drivers), UAC has been virtually non-existent (except for truly system-level changes and BOINC until version 6 is official), and DWM has been truly a blessing since day one (despite the overhead, this was my primary reason for trying Vista in the first place -- I hardly ever see a stupid wall-of-mirrors or flickering of Windows; and the very few times I do, it's at an app level, not an OS/WM level).
Re:And Microsoft was the biggest offender. (Score:5, Interesting)
However, if you're a windows user, and you just upgraded to vista, you see these warnings/questions. What's your first response?
1. Man, I wish these crappy coders would learn when to require root access
2. Stupid Vista... I should go back to XP
Upgrading the security model from a non-visible one to one that requires user attention can be a bitch. MS has a lot of difficult decisions to make these days.
Just see http://www.joelonsoftware.com/items/2008/03/17.html.
(Now, if only someone could show me how to embed nice links here...
P.S. I use Gentoo.
Re:If this is true... (Score:1, Interesting)
In a heavily regulated industry obsessed with privacy and security, Linux on the desktop is a competitive advantage. Any audit or bid for a government contract requires a lengthy description of IT's security policies and procedures. When Company A manages customers' personal information on locked down Linux-based workstations and Company B uses an aging version of XP or Vista, Company A's environment is perceived as more secure, IMO.
The funny thing is, cost rarely comes up as a reason for choosing OSS. Features, more/better choices, and interoperability (on enterprise applications at least) are the reason we use OSS. The majority of our applications are web-based, and our vendors are increasingly using standard formats like EDI and XML rather than Excel spreadsheets. I see our Office "lock-in" decreasing every year. OSS has already won the war on the servers and, to my surprise, will soon make its way onto a significant number of desktops.
Re:you, my friend, made an incorrect assumption... (Score:4, Interesting)
I think you underestimate the depth of feeling that Microsoft has engendered in much of the technical community.
If you're a company that makes a product that the majority use, your customers don't just start to hate you, it's something you have to work at for years. It's our nature to become emotionally attached to something that's such a big part of our lives, and the fact that Microsoft has squandered such an opportunity for loyalty and created ill-feelings instead is something that future generations of business students and corporate psychologists will study for centuries to come.
Re:And Microsoft was the biggest offender. (Score:2, Interesting)
I agree in principle, but not in practice. Firstly, UAC presents a minimal barrier to the installation of malware with its "The publisher could not be verified" message.
Once that's clicked through, and the program's run ONCE with system privs, that software can make any changes it wants to your system, even if UAC is fully enabled. A keylogger to intercept passwords, autostart at boot, wipe the user files, anything, and all without a peep from UAC.
UAC's value is in protecting users from themselves, not malware authors, and by making the prompts a type of social engineering tool (the irritation factor) intended to get customers angry with devs, instead of MS directly pressuring software developers themselves or with their dev tools, Microsoft has minimised its value to computer users.
Flawed logic (Score:2, Interesting)
Re:If this is true... (Score:5, Interesting)
Windows is not *nix, the Windows developers learned from the mistakes of sudo.
Re:you, my friend, made an incorrect assumption... (Score:2, Interesting)
I've used lots of other OSs too, and I really don't see what's so bad about Microsoft. Even their aggressive businesses are quite useful since I know if I knock up a quick Windows application with Visual C++ I can reach 90% of the market. You can do pretty much anything you want in userland with Win32 and in kernel mode with WDM. Basically their stuff works fine for me. I don't know why other technical people have such problems with it.
Re:If this is true... (Score:3, Interesting)
I attended RSA and I was present at David Cross's talk today. His intent seemed more to grab the attention of a group of people with high-level to detailed security concepts, and it got the desired result. Unfortunately for him, some reporter/blogger blew it out of context and out of proportion, wrote a sensational headline, and the result is this thread. What I got from the talk was "we knew UAC would bug users, but it was still the right thing to do -- we had to fix this bad habit of developing apps to require admin privs when they don't need them -- and this was the only way to achieve that."
Poor dude will probably get his head bitten off for this little sound bite he worked into his speech.
Me too me too me too! (Score:3, Interesting)
Then, a year or two later, I discovered Linux, and tried it out on an old junker AM486/100. With 16 MB of ram, and a 500 MB HDD, and X-Windows/KDE 1.x running on the super-long VLB video card, it managed to host a web server, a DNS server, telnetd, ntpd, postgres, php, AND ssh reliably, 24x7 for MONTHS before I learned enough of what's going on to see that it was actually doing all that!
That was RedHat 5.1. It's what sold me on Linux, because, for all its many warts, it actually did the job reliably. And now, some 9 years later, it's still "doing it" (Now CentOS 4) and I'm still loving it, 24x7!
Re:And Microsoft was the biggest offender. (Score:3, Interesting)
I use Linux and while there are times a dialog box pops up, it is not needed as often.
Here is an example of boneheadedness. I write Excel applications that tie together with
The problem relates to how COM grants you rights to do certain things as a user. And when you are debugging you need more rights... WTF? Under Linux it would not matter because both are running in the context of the user and hence it can be debugged.
Why these problems on Windows? ACLs....
Re:And Microsoft was the biggest offender. (Score:5, Interesting)
The problem is the user interface. As the OpenBSD people keep telling us, sane defaults are the most important thing in security. If you default to insecure, or you default to secure, but so irritating people turn off the security, then your system is not secure.
With respect to your specific problem, requiring elevated privileges for debugging actually does make sense, and I consider it a bug in other operating systems that it's not the case. A process that attaches to another as a debugger can inspect all of that process's memory, and even the contents of registers. If the process is something like your password manager, then it doesn't matter that it stores all of your passwords encrypted on disk and doesn't release them without a pass-phrase if the first piece of malware that gets on to your system can poke around in its memory and read them. Ideally, you would be able to simply flag regions of memory as off-limits to a debugger, but the next best thing is to require elevated privilege. Starting with 10.5, I believe OS X allows a process to set a flag preventing debuggers from attaching, but I've never tried it.
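The attach restriction discussed in the comment above can be requested by a process for itself on Linux. The following is an added example, not part of the thread: it uses `prctl(PR_SET_DUMPABLE, 0)` as the Linux counterpart of the flag the comment mentions, and the function names and the stand-in "password manager" child are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Clear the "dumpable" flag: the kernel then refuses PTRACE_ATTACH from
 * callers lacking CAP_SYS_PTRACE. Returns the flag in effect (0) or -1. */
int deny_debugger_attach(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a stand-in secret-holding child, optionally hardened, and try to
 * attach as a debugger would. Returns 0 if attached, errno if refused. */
int try_attach_to_child(int harden)
{
    int ready[2];
    char c;
    if (pipe(ready) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                          /* child: holds the secrets */
        close(ready[0]);
        if (harden)
            deny_debugger_attach();
        if (write(ready[1], "x", 1) != 1)    /* signal "set up" to parent */
            _exit(1);
        for (;;)
            pause();
    }
    close(ready[1]);
    int err = -1;
    if (read(ready[0], &c, 1) == 1) {        /* child is set up */
        err = (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) ? 0 : errno;
        if (err == 0)
            waitpid(pid, NULL, 0);           /* child stops once attached */
    }
    close(ready[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return err;
}

int main(void)
{
    printf("plain: %d, hardened: %d\n", try_attach_to_child(0), try_attach_to_child(1));
    return 0;
}
```

Run as an ordinary user, the unhardened child can be attached to and the hardened one is refused with `EPERM`; a caller with `CAP_SYS_PTRACE` (root) can still attach, which matches the "require elevated privilege" model.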
Re:And Microsoft was the biggest offender. (Score:3, Interesting)
You just add an extra group, put the person in the group, change the group of the file to the new group and make it writable by the group.
It was proven (mathematically and practically) that the UNIX model with ugo+rwx and directories allows one to emulate the effect of ACLs. It's not straightforward - but it is possible.
On the other side, Windows has problems because on one side engineers try to implement a near-perfect solution (e.g. NT). But then when you try to build an OS on top of it you find that your simple program which under UNIX takes 5 lines takes about 200 lines of code under Windows.
The UNIX security model isn't ideal: it has compromise included. But thanks to that it keeps many developers sane - and many users happy.
Windows tries perfect security - but nobody could program for it. Well, except for the SysInternals folks. But this is just the exception confirming the rule.
How about starting with Microsoft? (Score:3, Interesting)
If Microsoft wants to eliminate privilege elevation, they need to start by scrapping ActiveX.
Here's an idea (Score:3, Interesting)