Microsoft Designed UAC to Annoy Users

Posted by ScuttleMonkey on Friday April 11, @09:12PM
from the at-least-they-are-being-honest dept.
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."

  • Of course... (Score:5, Insightful)

    by evanbd (210358) on Friday April 11, @09:14PM (#23043140)
    If they'd done this from the start, no one would be complaining. In Linux or UNIX, if a program wants elevated privileges, it requires user intervention. The result is that programs don't expect to have superuser privileges if they don't actually need them, and everyone is happy because the only things that have to be done as root are things you'd expect to require root access.
    • by tepples (727027) <slash2006.pineight@com> on Friday April 11, @09:54PM (#23043368) Journal

      > If they'd done this from the start, no one would be complaining.
      In the era of Windows 95, home PCs weren't considered to have enough CPU and RAM to enforce proper privilege separation.
    • Re:Of course... (Score:5, Informative)

      by CastrTroy (595695) on Friday April 11, @09:58PM (#23043390) Homepage
      The problem is that even MS hasn't gotten around to removing all the annoying UAC popups based on stuff in their own interface. If you want to rename something in your start menu, you get 3 prompts from UAC. Same goes for moving or deleting something. I get tons of UACs, and most of them are from Windows itself, not other apps.
    • Re:Of course... (Score:5, Insightful)

      by CyberLife (63954) on Friday April 11, @10:11PM (#23043488)
      To extend your point, the reason UNIX systems don't have UAC-style privilege elevation is due to its history. UNIX came into being, and was largely developed, during an era in which virtually all computers were large, multi-user systems that sat in a back room. An administrator would have to be sitting at a terminal 24/7 just in case somebody came knocking -- quite an unreasonable expectation. As a result, programmers had to get used to the idea of restricted abilities.

      With the desktop computer model, the situation is quite different. Classically-speaking, the user is sitting right at the machine and is the only one using it. They are the administrator as well as the user. There is no expectation of security since nobody else is involved. Windows derives much of its architecture and style from this method of computing.

      Modern-day computing is rapidly moving back toward the shared-computer model. This is occurring somewhat on the front-end (e.g. individual user accounts on a desktop machine for different users), but mostly it's happening on the back-end. Internet servers are very reminiscent of the mainframe-era multi-user model. This is why UNIX is such a good fit for such tasks -- it was designed specifically for it, whereas Windows has had to play catch-up. UAC is a good example of single-user thinking applied to a multi-user problem.
      • You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.
        • > You cannot force someone else to follow a particular coding practice
          > when your coders do not do so themselves.

          It's shamefully pervasive. In my years of developing software for Windows, I've rarely seen other developers NOT running Windows as admin, basically developing apps completely blind as to what permissions they may or may not need. (I finally got religion 5-6 years ago after a nasty virus.) Now, every time I log in, I get several ugly little error messages due to HP drivers and other startup bits and pieces not having God access under a normal user account. I think Win developers, QA and project owners too, need to feel some personal UAC pain.

        • by repka (1102731) on Friday April 11, @10:37PM (#23043628)
          Any particular examples? Applications designed following the guidelines of Win95 (e.g. Office) will work properly in Vista and will not even require folder/registry virtualization (btw, I assume a lot of effort went into this feature to minimize UAC prompts, and for some reason it is rarely mentioned among the usual rants about them).

          I consider the opposite: Microsoft spends too much effort on app-compat. Had Win2k defaulted users to be "restricted" while Win98/ME were viable alternatives (i.e. MS could still cash in on their sale) for compatibility, this effort could have been much more successful and, nowadays, when you try to get Intuit Quickbooks to start under a limited user (you don't have much choice in a college setting), you wouldn't have to give write access to the whole CLASSES_ROOT registry branch (don't get me started on this...).

          So in short, yes, I believe UAC is a great compromise, which forces lousy coders to reconsider their approach to the stuff they ship.
  • Mac OSX has prompts for authorization also. It doesn't bother me like Vista does. Why not? I didn't really catch it... until I realized that I could ignore the dialog box and get something done before allowing an update/reboot or whatever. Something that simple and the whole problem goes away!
    • by cnettel (836611) on Friday April 11, @09:22PM (#23043194)
      You can configure it to be like that with group policy. The official reason for the current default was that no ordinary process should be able to interfere with user input or fake the UI (i.e. showing some other always-on-top window with a different text that moves away just before the click, etc.). If you can accept that, just turn UAC into "same-desktop" mode, while not turning it off completely.
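The secure-desktop setting described in the comment above can be checked from the registry. This is an added example, not part of the thread or of any Microsoft tool; it assumes the registry values that back the UAC policy settings (`EnableLUA`, `PromptOnSecureDesktop`, `ConsentPromptBehaviorAdmin`), and the function names and sample policies are hypothetical and constructed for illustration.

```powershell
# Added example: report UAC policy states that weaken the elevation prompt.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Hypothetical helper: takes a hashtable of policy values, returns findings.
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled, nothing prompts.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts can appear on the ' +
                     'user desktop, where other windows can overlay them.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate ' +
                     'without any prompt.'
    }
    $findings
}

function Get-UacPolicy {
    # Reads the live values; a value that is absent comes back as $null.
    $p = Get-ItemProperty -Path $UacKey
    @{
        EnableLUA                  = $p.EnableLUA
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

# Constructed sample policies, so the check can be exercised offline.
$samples = [ordered]@{
    'secure desktop on' = @{ EnableLUA = 1; PromptOnSecureDesktop = 1; ConsentPromptBehaviorAdmin = 2 }
    'same-desktop mode' = @{ EnableLUA = 1; PromptOnSecureDesktop = 0; ConsentPromptBehaviorAdmin = 2 }
    'UAC turned off'    = @{ EnableLUA = 0; PromptOnSecureDesktop = 0; ConsentPromptBehaviorAdmin = 0 }
}
# On a Windows host, also audit the machine the script runs on.
if (Test-Path $UacKey) { $samples['this machine'] = Get-UacPolicy }

foreach ($name in $samples.Keys) {
    $found = @(Test-UacPolicy -Policy $samples[$name])
    '{0}: {1} finding(s)' -f $name, $found.Count
    $found | ForEach-Object { "  - $_" }
}
```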
  • If this is true... (Score:5, Informative)

    by pionzypher (886253) on Friday April 11, @09:17PM (#23043162)
    It is an idiotic approach. Vista is the one being annoying... how could someone predict that end users would blame the applications and not the OS that's to blame? Not to mention the whole issue of purposely designing a UI to annoy paying customers, to pressure 3rd parties to change.

    Bad idea all around if this was their intention at design.
    • by Shihar (153932) on Friday April 11, @09:31PM (#23043240)
      I don't think that is what he really meant. What MS is trying to do is actually the right thing. MS wants to make access privileges more like Linux. It wants to make it so that random programs can't run amok with admin privileges. This is MS's attempt to get application makers to stop requesting privileges that they don't need because they are too lazy to program it the right way.

      Look, I'll be the first to decry Vista as a piece of shit, but despite all of Vista's flaws, trying to restrict access of programs is a good thing.

      Personally, I think that MS is slowly learning. MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around. MS looks old and faded while Apple has a solid product combined with a marketing machine of d00m (Microsoft always sucked at marketing). MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.

      I mean hell, what do you think of when you think of Apple? Shiny plastic with a hipster in a coffee shop. What do you think of when you think of MS? A moldy office.
      • by MRiGnS (1125139) on Friday April 11, @09:57PM (#23043384)

        > MS needs to make changes or else it is going to get run over by Apple. Lock in isn't going to last forever in the face of a comparable, if not outright better, product and vastly superior branding and marketing.
        I'm pretty sure MS isn't as afraid of Apple as they are of Linux. You might be able to buy/bribe/whatever stock holders, but almost impossible to buy out GNU/Linux. Even if they would get Linus on their side, there would be some nerds releasing GNU/Xunil (That's the point where you might laugh) just a couple of minutes after the announcement. The only thing they may fear is in fact FOSS reaching critical mass.

        > MS is in no danger of losing its business division so long as companies demand backwards compatibility, but in personal computing it is getting kicked around.
        I wonder what happens as Windows 7 is supposed to break the binary compatibility.
    • by Naughty Bob (1004174) * on Friday April 11, @09:46PM (#23043334)

      > If this is true....
      I think it's just that the story submitter accidentally included the letters UAC in the headline.
  • oblig. (Score:5, Funny)

    by cvd6262 (180823) on Friday April 11, @09:20PM (#23043180)
    It appears you are trying to make a snide comment.
    [Cancel] [Allow]
  • by fatmal (920123) on Friday April 11, @09:25PM (#23043210)
    It Worked!
  • by Deviant (1501) on Friday April 11, @09:28PM (#23043226)
    I think there is going to be quite a bit of criticism of MS for this but basically you see UAC prompts where you would have to do a su or sudo to get the job done as a standard user in Linux/Unix. The reason you don't have to do those all the time in Linux is that the application writers do not write their apps to require constant root privilege escalations. There is one app that I couldn't get working properly in Fedora 8 without running it with a sudo - Nero Linux - and it annoyed me quite a bit.

    MS needs to drag both its users and those who write windows applications along to the limited security model we all need each other to be using for the good of the internet. It was always going to be painful.

    The one criticism that I have of the system/model in practice is the start menu - and that is all MS! I try to organize my start menu and I see several dialogs. I would be much more on-board with only one Cancel or Allow for an operation like that...
  • I'm not MS's biggest fan. But this isn't the worst strategy ever.

    It's actually pretty logical that if you make running these retarded apps annoying, you can force the vendors to fix them.

    But MS faces a big obstacle in that strategy--the fact that moving back to XP fixes the problem as well, from the user's perspective. And of course, the fact that doing so also makes today's computers 3x more responsive.

    It's a shame... I would love a world where Vista caught on but UAC didn't have to pop up ever unless something truly administrator-ish were really going on. Then all my users could be Users.
  • by dpbsmith (263124) on Friday April 11, @09:34PM (#23043268) Homepage
    This approach could have worked. But if they really meant for it to work, then developers would have been required to embed usable contact information in the application. When the UAC prompt came up it would explain that this was a result of an action taken by the application, and that if it seemed unnecessary to you, you should click a button and send feedback to the developer.

    It would also identify and tag the particular circumstances so that there could be a option, "don't warn me about this again."

    This latter option would have been particularly useful during the beta phase.

    After a couple of years, Microsoft might then assume that developers had been given adequate warning and adequate feedback, and the option to ignore warnings could have been retracted.

    What Microsoft did doesn't sound as if they seriously wanted the approach to work. They just wanted to be able to say that users "didn't want" security, just the way Detroit said for decades that car buyers "didn't want" safety.

  • C:\Program Files\ (Score:5, Interesting)

    by WoTG (610710) on Friday April 11, @09:51PM (#23043356) Homepage Journal
    This reminds me of the c:\program files\ as a default install folder. I think it started with Windows 95. I read somewhere, years after the launch, that it was specifically chosen to force programmers to handle long file names properly.

    Funny, even now, I usually create a c:\programs\ directory for everything that doesn't have a proper installer. 10 years and counting.

    IMO, the UAC did not have to be as annoying as it is. All they needed was an "allow admin stuff to happen for 5 minutes" dialog so that installing a program would only take one prompt. Too smart for their own good...
  • by Todd Knarr (15451) on Friday April 11, @10:02PM (#23043426) Homepage

    The basic idea's sound. The problem is that, given the implementation, users view the problem as being UAC and/or Vista, not the apps. After all, the apps work just fine if you turn those annoying dialogs off or go back to XP. If the users don't view the app as the cause of the problem, they won't pressure the app vendor to do anything about it. Idea fails.

    I prefer the Unix approach. The OS doesn't pop up any dialog, or offer the user any choice. If an app does something it doesn't have privileges for, it gets an ENOPRIV returned from that call and isn't allowed to do that. How the app handles it from there is up to the app, but there's no easy way to make the errors go away at the system level (most modern Unixes are set up to make it inconvenient to log in or run programs as root, and only root can install a program setuid-root).

  • by actionbastard (1206160) on Friday April 11, @10:03PM (#23043432)
    Microsoft Designed UAC to Annoy Slashdot Users.

    There. All better.
    • by unlametheweak (1102159) on Friday April 11, @09:31PM (#23043248) Journal
      No they didn't design UAC to annoy users. This was a crass statement made by a Microsoft employee. No company would design something to annoy users. This was a poor use of self-deprecating rhetoric that will be exploited to the extreme. It's a dumb statement for a Microsoftie to make, and really dumb for the media to exploit.

      "Stupid is as stupid does", somebody once said.