Forgot your password?
typodupeerror
Security Microsoft Operating Systems Software

Microsoft Says Other OSes Should Imitate UAC 493

Posted by kdawson
from the bring-'em-down-to-our-level dept.
COA writes "Many Vista adopters find User Account Control irritating, but Microsoft thinks it's an approach other OSes should emulate. Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea and 'strategically a direction that all operating systems and all technologies should be heading down.' He also believes Microsoft is charting new territory with UAC. 'The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, of which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
This discussion has been archived. No new comments can be posted.

Microsoft Says Other OSes Should Imitate UAC

Comments Filter:
  • Obligatory (Score:5, Funny)

    by gunnk (463227) <gunnk&mail,fpg,unc,edu> on Tuesday May 01, 2007 @12:31PM (#18943475) Homepage
    Microsoft would is trying to make you believe sudo was their idea. Cancel or Allow?

    • by HomelessInLaJolla (1026842) <lajollahomeless@hotmail.com> on Tuesday May 01, 2007 @12:43PM (#18943669) Homepage Journal
      If you click "Cancel" an information box is displayed informing you of a patent pending.
      • by Anonymous Coward on Tuesday May 01, 2007 @01:30PM (#18944475)
        UAC has far too many false positives to be meaningful. You can't freaking open the Control Panel without a UAC prompt.

        As such, users see the prompts as an unimportant nuisance, but soon realize that things don't work unless you click "Allow." Thus, you're training users in Pavlovian fashion to click "Allow" to any damn box that comes up.

        Now think about this for a second: when 99% of the prompts you get are harmless, and "Allow" is always the right answer, just how many users will actually read it and apply critical thought when they see the 1% of UAC prompts that warns of actual danger? Almost none of them, even the smart ones. Once you get trained to just click allow, you're going to click it just before your realize "Oops! I didn't want to allow THAT one!"

        So if you ask me, UAC is a huge step backwards in terms of security. Microsoft appears to have put almost no thought into it and it's little more than a way of blame-shifting. After all, the USER is the one who didn't click "Deny" the one time in one hundred it would've prevented something bad, so it's *all* their fault. Even though they only did what UAC trained them to do.

        Disable UAC now. It's not security; it's blame-shifting.
        • Re: (Score:3, Informative)

          by throx (42621)
          Did you actually do any research before posting that rant?

          First, you can open Control Panel and run most of the applets there without triggering a UAC warning.

          Next, the UAC warnings aren't all that common once you have your machine set up and running. The exception there is the power user that actually tinkers with the system at an administrator level quite often, but for the normal user who just runs apps all day - they won't see a UAC prompt at all. If you want to disprove me - just list for me the norm
        • by h2_plus_O (976551) on Tuesday May 01, 2007 @02:32PM (#18945493)

          You can't freaking open the Control Panel without a UAC prompt.
          Actually, you can. ...but that wasn't your point.

          Your point is that people are too dumb to make security decisions, so it's a bad design to require them to make them. Of course, the flip-side of this argument is that unless users are given the opportunity to make a choice, what's available is the same as no choice.
          The notion that users can't make good security choices may have some merit, but the idea that disabling UAC is somehow good security advice is backwards- disabling UAC (and therefore running with a full token) is exactly the same as clicking every prompt that comes your way indiscriminately. Ironically, your advice is worse than the problem you're complaining about. OK OK, you *really* just want something better than UAC. Welcome to the club, we all want magical better security.

          Security in a world of users who are trained to think that security somehow doesn't involve them will never work. Microsoft helped create that illusion, and it's bitten them hard. You might see this as blame-shifting, but I see it differently: it's pain-shifting. And it's about time. People (and the folks who write their software) have to start being responsible for their own security, and annoying tho it might be, UAC is a step in the right direction. Let's hope we start seeing software designs that don't require elevated privileges, let's look forward to users with a clue about what executing code means. Let's let Microsoft choke a little bit on how much their legacy of interoperability-over-security has cost them. ...and let's see how it goes. Will users revolt, and switch to linux en masse? Will there be much rejoicing? Or will the next version be better? Or will users get it?
          • by jacksonj04 (800021) <nick@nickjackson.me> on Tuesday May 01, 2007 @02:45PM (#18945715) Homepage
            This is the crux of my argument in favour of UAC and the new permissions Vista places on the filesystem. You now *cannot* assume the user will be running as admin, because even if they are you still get a UAC prompt if your application tries do something funky outside of its own 'walled garden' registry and application directories.

            Result: The applications are written to behave properly and not try write garbage all over your hard disk. Proper user-specific configurations are much easier to manage. All is good!
        • Except that you become conditioned to WHEN the prompts arise. (Which don't happen when opening the Control Panel btw)

          A lot of programs you install in Vista don't give you the prompt, others do. Some things you do in Vista give you the prompt, others don't. Those installs that are silently passed are signed or don't request to do anything dramatic to the system, and average user doesn't care why or how, he just knows it's trusted. He or she usually got that software from the site of the publisher or physical media (likely too, a publisher who is huge) and he or she knows it's safe. The prompts arise when you get into Control Panel and other aspects of the Windows system where changes could bring failure, but not when copying your personal files around. I notice I get it on my laptop when another program calls a program that isn't signed (Firefox calls an old version of Winrar, because I don't want to buy the new one, and each time it asks me if I'd like to open the file. Not only do I LIKE this, but respect it. Sygate personal firewall conditioned me to this when Firefox was opened by another program - not only does it save the time of loading some advert page, on a DVD maybe, but it kept a few pieces of malware from phoning home. Users can understand this behavior.)

          The number one item that can protect the average user is if a prompt arises out of no where. If you are browsing the web and suddenly you are asked for permission to modify your system - when you've done nothing to drive the event - you aren't going to allow it. Sure, when you download and install software you may fly through that prompt, but to the new user, the normal user, you will learn right away that installing software is dangerous. In my corporate IT environment installing any software is forbidden, running software not supplied by IT is forbidden - for a reason. After clicking through a few cancel or allows you may just discriminate a little more when it comes to your actions. Is it security? Not really, but do home users really need that much? Isn't it right to tell them that making or saving a change in the Control Panel can have adverse effects? (and likewise with the other actions?)

          It's hard to attack UAC completely because Linux and others have Sudo, Redhat allowed you to escalate to root privileges by simply typing the password and to most new Linux users escalating to root has become a normal exercise. There is all this talk about OS security, but it's all in the hands of the users. To deny someone the ability to take control of their own machine is barbaric - I think we all agree with that statement. We can't lock users out of taking control of those center ring privileges, unless you're the head of IT and those machines are under you "watch". You say it shifts blame, but that is where it belongs, on the user. The help is there in Vista, it spells out the concept of UAC in easy to understand terms. There is no reason a normal user can't take advantage of it. I know many people who still accept cookies on a per request basis (on today's web!) - some people actually want this feature. It doesn't work for the great majority of us, but don't kid yourself and say we aren't completely familiar with idea.

          My advice for the soccer moms and grandparents: Don't turn it off. Prompting is good. This is coming from someone who has had a desktop system with the same factory install of Windows XP running since January, 2004 (I un-boxed it June of 2004). I work with what I have, and that system has not only been a workhorse for my Windows desktop software, but runs a ton of GPL software and is enhanced with Cygwin. All together I run 6 machines at home with Debian, FreeBSD, XP Pro, XP Home, Vista (aforementioned laptop) and Windows 2000 Server. Only two of those require an escalation of privileges, at the machine Everything has a place and UAC has a place with those new users going to their retail store and buying a PC for the first time. Years ago people were complaining didn't Windows have a similar mechanism.
    • Re:Obligatory (Score:5, Interesting)

      by truthsearch (249536) on Tuesday May 01, 2007 @12:52PM (#18943825) Homepage Journal
      It's no joke. They really do believe they invented the idea:

      Patent #6,775,781 [uspto.gov]
      • by GweeDo (127172) on Tuesday May 01, 2007 @01:21PM (#18944293) Homepage
        As sad as this is...the patent is coming from a Mister Gang Wang...you just have to love that!

        Wang; Gang (Issaquah, WA)
      • Re:Obligatory (Score:5, Informative)

        by Necron69 (35644) <{jscott.farrow} {at} {gmail.com}> on Tuesday May 01, 2007 @01:27PM (#18944413)
        Gee, that's funny. My 1989 copy of the "UNIX System Administration Handbook" has a lovely section on the usage of sudo on page 32.

        Evi Nemeth herself beat the use of sudo into my head during the Sysadmin Workshop class I took from her in '90. I used to hate it, but now I realize the old bird was right about sudo.

        The UNIX world has this crap beat by more than a decade, with plenty of published prior art.

        - Necron69
        • Re:Obligatory (Score:5, Interesting)

          by IWannaBeAnAC (653701) on Tuesday May 01, 2007 @01:38PM (#18944625)

          Right, but that is not why Microsoft have the patent. There is no way they would bother trying to enforce it, they wanted it because it gives them one more patent to say "Linux infringes on N+1 Microsoft patents. It isn't legally safe to use Linux."... And then demonstrate how benevolent they are by choosing not to sue you.

          Aside: what makes you think 'sudo' dates from 1989? Isn't it more like 30 years' prior art?

          • by Kadin2048 (468275) <[slashdot.kadin] [at] [xoxy.net]> on Tuesday May 01, 2007 @02:18PM (#18945297) Homepage Journal
            As referenced in the manpage; available online here [www.sudo.ws]

            A Brief history of sudo(8):

            Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to the net.sources newsgroup in December of 1985.

            In the Summer of 1986, Garth Snyder released an enhanced version of sudo. For the next 5 years, sudo was fed and watered by a handful
            of folks at CU-Boulder, including Bob Coggeshall, Bob Manchek, and Trent Hein.

            In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo with an enhanced sudoers format under contract to a consulting firm called "The Root Group". This version was later released under the GNU public license. ...
            The original post to Usenet is available in Google's archive here [google.com], although I don't know if that URL is stable or not. But the whole thing is there, including the source, all in plaintext, dated Dec 15, 1985. From reading the discussion it looks as if some other people had similar programs earlier, though, including one called "asroot" which seems a lot less robust.
        • Re:Obligatory (Score:5, Informative)

          by SL Baur (19540) <steve@xemacs.org> on Tuesday May 01, 2007 @02:36PM (#18945583) Homepage Journal
          You didn't read the patent. They describe sudo in it as clear prior art, then go on to describe why their system is different and better.

          The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo. Only the most privileged is like sudo, the other intermediate levels have some level of system access, but not all. It's kind of like capabilities, but a lot more limited since each higher level of security has access to all the lower levels. Fascinating and I can see why the patent was granted (I hope there's clear prior art in an MLS system of the day or even VMS, SYSPRV and SETPRV are close, but I'm not sure).
          • Re: (Score:3, Informative)

            by The_Wilschon (782534)

            The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo.

            Soooo, you mean something kind of like the Unix group:user permissions system, whereby you can give specific users (and hence specific programs) access to various things in a really quite fine-grained manner? Or better yet, Access Control Lists (present in various flavors of Linux, notably SELinux)?

            I hope there's clear prior art

            Please see above.

            Sudo is a single quick and convenient

          • Re: (Score:3, Informative)

            by dgatwood (11270)

            The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo.

            Spoken like someone who has never run visudo.

            The sudoers file format [apple.com] offers a lot of flexibility---hardly an "all or nothing" design.

            • Sudo no! TiVo yes! (Score:3, Informative)

              by SL Baur (19540)
              That is correct, not that it matters and "all or nothing" is what is described in the patent as something that the patent does not cover. (Something implemented since 1999 is not prior art either).

              Let me try to make this clearer, since noone seems to understand what they've patented. Sudo, ACLs, Unix Groups, Capabilities are not what is covered in the patent. The patent does cover something like TiVo. You can be root on your machine, but you are not allowed to change the operating system. The patent do
    • Re: (Score:3, Insightful)

      by Blakey Rat (99501)
      To be fair, Apple's system is pretty easy to spoof.

      Write a goofy screen saver and get people to download it. On install, say "you need to log in to install" which isn't unusual for a screen saver (at least not to the layman.) You put up a fake login dialog, and record their password. You install the screen saver in the user's folder, which doesn't require a password, and will trick the user into thinking it's all legit. Then you just transmit the saved password to God knows where when the screensaver activa
      • Re:Obligatory (Score:5, Insightful)

        by ShieldW0lf (601553) on Tuesday May 01, 2007 @01:03PM (#18944035) Journal
        The interesting bit of the article was the part where it suggests that this will lead application developers for windows to start writing programs that don't need escalated privileges. Long term, such pressures are good for the "software ecosystem".

        Remains to be seen if Vista will ever achieve enough market penetration to apply such pressures effectively, but still...
        • Re:Obligatory (Score:5, Interesting)

          by Hijacked Public (999535) * on Tuesday May 01, 2007 @01:46PM (#18944759)
          I certainly hope so. If this is the direction security needs to go it will have to stop being so annoying.

          I have a collegue (photographer) who bought a new machine with Vista. Had it about a month and called me because he couldn't get Photoshop CS3 to install. We figured out that the problem was that CS3 wants Firefox.exe to close before it will install, which is annoying in the first place because I can't imagine a really good reason a photo editor needs to make modifications to your web browser.

          Anyway, despite shutting down FF and even rebooting CS3 always told him it was running. Turns out he had some variant of a Poison Ivy trojan than resulted in a persistant Firefox.exe process. While he may well have clicked past a UAC prompt in the process of letting this trojan get in Vista still didn't stop it, his AV software didn't detect it, and neither did Windows Defender. While it took a CS3 install to alert him to a problem the very fact that most bits of Windows software all want to modify your registry, play with your browser settings, etc., is why he let it infect him in the first place.

          If you can't stop that stuff with 3 layers of software and who knows how many user prompts then something has to change. It isn't going to be the user.
          • Re: (Score:3, Informative)

            by Afecks (899057)
            That is a firewall issue. Poison Ivy doesn't make permanent changes to Firefox, it simply injects some extra code into it. That is standard Windows behavior, you don't need to run as admin to modify another non-admin process. Anti-virus software can only detect known malware and it doesn't take much to turn known malware into unknown malware. Just an EXE packer or crypter will do the trick most of the time.

            The problem is that when Microsoft includes security features that replaces third party software, peop
        • Re: (Score:3, Interesting)

          by el americano (799629)
          Remains to be seen if Vista will ever achieve enough market penetration to apply such pressures effectively

          Once you're unable to buy a new computer with any version of Windows except Vista, the uptake of Vista should be pretty brisk. I just manually installed XP yesterday, and it's a safe bet that Microsoft has guaranteed that no user is going to want to go through that horrible process, assuming they also are willing to pay full retail "nobody really pays this" price to "downgrade".

          Do not underestimate how
          • Re: (Score:3, Interesting)

            by ShieldW0lf (601553)
            Remains to be seen if Vista will ever achieve enough market penetration to apply such pressures effectively

            Once you're unable to buy a new computer with any version of Windows except Vista, the uptake of Vista should be pretty brisk. I just manually installed XP yesterday, and it's a safe bet that Microsoft has guaranteed that no user is going to want to go through that horrible process, assuming they also are willing to pay full retail "nobody really pays this" price to "downgrade".

            Do not underestima
    • *clap* (Score:3, Insightful)

      ....and the last horse crosses the finishing line... too bad the other horses finished years ago and the race track no longer exists... *Coming soon from Microsoft* More working ideas that where implemented years ago in other operating systems that we'll claim we invented
    • Re:Obligatory (Score:5, Insightful)

      by jkrise (535370) on Tuesday May 01, 2007 @01:02PM (#18944011) Journal
      Vista is Microsoft's proof that whatever they make, the users will just buy, the news agencies will simply extol, and the market will slowly adopt and adapt to. But with UAC, Microsoft went one step further and called everyone else IDIOTS.

      And now it wants everyone to imitate them?

  • Or not? (Score:5, Insightful)

    by Sparr0 (451780) <sparr0@gmail.com> on Tuesday May 01, 2007 @12:31PM (#18943477) Homepage Journal
    How about UAC starts imitating better designed privilege escalation mechanisms from Linux or OS X? Of course, that would require a sensible architecture in which software can be installed by users, for themselves, without superuser permissions. And, unfortunately, it would need secure software as a basis to avoid needing unnecessary privileges to accomplish mundane tasks in insecure applications. Sorry Microsoft, you missed the boat on this one. The majority of Vista users have UAC turned off, and the majority of those who dont will turn it off as soon as they figure out how.
    • Re:Or not? (Score:5, Interesting)

      by frankie (91710) on Tuesday May 01, 2007 @12:52PM (#18943823) Journal

      How about UAC starts imitating better designed privilege escalation mechanisms from Linux or OS X?

      I'm a card-carrying Mac cultist, but I really can't agree that the root password prompt in OS X is well designed. It could easily be severalfold better if they tried. For starters, it's all or nothing, with insufficient information. The little detail dropdown arrow should open up to an elegantly indented list of what privileged actions the app intends to do. Copy a plugin into /Library/foo? Install a kernel extension? Delete all user documents?

      Also, if memory serves, there are still situations where an installer app is allowed to simply take root access for itself without asking. Only Lord Steve knows why no one has abused that yet. And MAC on Mac awaits its Leopardly debut...

      • Re: (Score:3, Insightful)

        by SatanicPuppy (611928) *
        Considering that it wouldn't be unlikely that a single app would want to do all of those things, and that most mac users work at a level where a beep, a little bomb, or an unhappy face is the amount of machine feedback they are used to processing, I think that would be a singularly bad idea.

        Mind you, I'd love to see macs come with an "advanced" mode, where they display all those errors that they normally suppress.

        That was one of the few Mac/PC commercials that annoyed me, the one where the PC is "spouting c
        • Re:Or not? (Score:4, Insightful)

          by Drizzt Do'Urden (226671) on Tuesday May 01, 2007 @01:21PM (#18944301) Homepage
          Like Apple is still selling MacOS 9 on Performas..

          These errors are long gone. In fact, they are gone since the introduction of MacOS X.. in 2000!

          And it's not like the hexadecimal code in a blue screen was that helpful. Yeah, you know it's a driver that caused it.. so what? I knew that before the bsod!
      • Re: (Score:3, Informative)

        by Mattintosh (758112)
        The little detail dropdown arrow should open up to an elegantly indented list of what privileged actions the app intends to do. Copy a plugin into /Library/foo? Install a kernel extension? Delete all user documents?

        It already does that. Exactly that, in fact. It opens up and says "The application needs to install a kernel extension." or "The application needs to install plugins into /Library/foo." I'm not sure how strict it is on what exactly those messages can and cannot say, but I've seen plenty of them p
  • by The Anarchist Avenge (1004563) <nicho341&morris,umn,edu> on Tuesday May 01, 2007 @12:32PM (#18943485)
    From TFA: "Why should I be letting my normal user be running as system administrator?" Welcome to the 1980s
    • This "access control" thing causes me some concerns. Specifically, it looks as though my software "CoolestWebSearch Dot Pr0n!" might not have access to all the sysytem resources it needs to do all the great things that it does. Have you considered this when designing your system? How do I get the correct behavior (allow all pieces of software to run basically in kernel space) back?
    • Re:Hello Microsoft (Score:5, Insightful)

      by QuantumRiff (120817) on Tuesday May 01, 2007 @12:50PM (#18943795)
      Because if your a school, textbooks now contain multimedia CD-ROMS, that have Macromedia Authorware software that is a version from the good old windows 95 days, when everyone had Admin priveleges (this includes books that were published December of 06!). Try calling a publisher, and asking why the hell their software tries to copy files to %system32% before it runs. They don't understand why it wouldn't work, they work from home, and it works on the XP home machines they developed it with! Or even newer non Authorware software that feels it needs to write to HKLM in the registry, to store its configuration. Hell, I have a textbook CD that installs Apache and Mysql to do the "interactive stuff" that sets up a local web server running on port 80(without checking if it is already used), uses a few hundred MB of ram (lots of page file swapping!), requires IE, not Firefox, and heaven help you if you use a Proxy server (the publisher of the sofware has never used one, or tested with it.. how many schools use proxies!) Sorry about the rant, just had to let it out... ;) thank god for deep-freeze
      • Re:Hello Microsoft (Score:5, Interesting)

        by toadlife (301863) on Tuesday May 01, 2007 @01:21PM (#18944309) Journal
        I manage several labs and have had to deal with this type of crap software for ages. There are better solutions than giving students admin rights and using expensive band-aides like deepfreeze.

        Repackage those programs into msi installers using wininstall (or admin studio if your boss will spring for it). Set permissions on files/directories with a machine startup script using cacls and set registry permissions via group policy or the command line. You can find out where the programs are trying to write with process monitor by sysinternals.

        Students in my labs log on as guests and all of the crap software they have to run works just fine. It takes a lot of work up front, but once you get a piece of software repackaged and proper permissions script worked out, you can deploy it using GPOs and never have to think about it again. Most of my labs, I have not visited in over a year.
  • sudo (Score:5, Funny)

    by Inmatarian (814090) on Tuesday May 01, 2007 @12:32PM (#18943489)
    make me a sandwich.
  • Call Theo! (Score:5, Funny)

    by hahiss (696716) on Tuesday May 01, 2007 @12:32PM (#18943503) Homepage
    Yeah, it is about time those OpenBSD pikers got off their collective asses and followed the World Leader in Secure Operating Systems: Microsoft.
  • since when ?
  • news flash (Score:5, Insightful)

    by brunascle (994197) on Tuesday May 01, 2007 @12:33PM (#18943511)
    nearly all OSes already have something similar, but superior, to UAC.
  • Microsoftened? (Score:5, Insightful)

    by HTH NE1 (675604) on Tuesday May 01, 2007 @12:33PM (#18943513)

    "The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
    Patent pending?
  • by Rosyna (80334) on Tuesday May 01, 2007 @12:33PM (#18943515) Homepage
    Other Operating Systems need to put more annoying dialogs that ask for elevation privileges every 5 minutes and don't ask for any credentials.

    Hell, they should make them appear so often people completely ignore their content and just blindly click "OK" or "Allow". Yeah, that's the ticket...
    • by grassy_knoll (412409) on Tuesday May 01, 2007 @12:37PM (#18943585) Homepage

      Other Operating Systems need to put more annoying dialogs that ask for elevation privileges every 5 minutes and don't ask for any credentials.

      Hell, they should make them appear so often people completely ignore their content and just blindly click "OK" or "Allow". Yeah, that's the ticket...


      Exactly.

      I translated the microsoft speak as "We suck... so everyone else should too! Cancel or Allow?"
    • Re: (Score:3, Interesting)

      by rrohbeck (944847)
      >Hell, they should make them appear so often people completely ignore their content and just blindly click "OK" or "Allow". Yeah, that's the ticket...

      Preferably popping up from a background program and grabbing the focus, so if you're typing in another window and hit Return, you select OK. This just happened to me with Outlook's Autoarchive prompt.

      Can they please force the mouse cursor over the OK button too?

      That way, they can always say "It's not our fault. The user allowed it." and the user can claim t
  • Ironic (Score:5, Insightful)

    by Chaymus (697182) on Tuesday May 01, 2007 @12:34PM (#18943527)
    For a company who is reknowned for brutalizing industry standards it's humorous to find them believing the industry would adopt their bastardized version of the existing.
  • How is this news (Score:2, Insightful)

    by MECC (8478) *
    MS thinks they are the greatest, fastest, bestus of all time, and everybody should validate that belief by trying to be like them. This is news how again?

  • I'll just stick with sudo and selinux.
  • by brennanw (5761) * on Tuesday May 01, 2007 @12:35PM (#18943553) Homepage Journal
    "Microsoft says other OSes should annoy the crap of its userbase more."
  • by Falkkin (97268) on Tuesday May 01, 2007 @12:36PM (#18943565) Homepage
    Why use UAC when a much more intuitive sudo interface [xkcd.com] has already been developed?
  • by Tackhead (54550) on Tuesday May 01, 2007 @12:36PM (#18943573)
    > Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea and 'strategically a direction that all operating systems and all technologies should be heading down.'

    Translation: "If we can get all the other operating systems to follow our lead, we can claim some sort of patent infringment on 'em."

    > The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"

    The fact that Microsoft is late to the party is what makes it a patent trap. If it were just sudo, it wouldn't be patentable. When it's "a method for controlling process elevation, comprised of (sudo) and (a fancy display mechanism) and (extra monitoring)", it becomes patentable.

    Microsoft is setting a trap for future patent lawsuits. Deny or Allow?

    • They've had display mechanisms for sudo in OSX, Linux for some years, and I believe you can monitor sudo more than the default setting if you want to (am I wrong?).
      • Re: (Score:3, Informative)

        No you're not wrong. Even the default behaviour notifies root when someone tries to invoke it and fails. I'm not sure of the granularity but I am pretty certain that there are a number of configuration options for use in sudoers that set up notification for various invocations by different groups and users. (E.g. notify when random luser even tries to invoke sudo, only notify for adam-admin when his password is entered incorrectly).

        Not to say that any old user can come along and figure this out quickly and
  • by A beautiful mind (821714) on Tuesday May 01, 2007 @12:38PM (#18943605)
    ...what to do, but keep your grubby hands off the real operating systems that don't base their security on feel-good measures, but sound design and actually fixing things.
  • Right... (Score:2, Funny)

    because Unix has a method to do this [that isn't annoying], so we should immediately switch to one that is?
    what the hell is security through pop-ups anyway?
  • Almost right (Score:5, Insightful)

    by UnknowingFool (672806) on Tuesday May 01, 2007 @12:41PM (#18943647)

    The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"

    I would say (and many here would agree) that UAC is a half-hearted, bad copy of sudo. sudo requires authentication and only for actions that require elevated privileges (like changing key system files). UAC annoying asks the user to verify suspicious behaviors to ensure that is what he or she really wants to do. Really UAC is an attempt at MS to shift the blame the user for their somewhat insecurity architecture. When something does go wrong, MS can blame the user saying it was the user's duty to verify their actions.

  • by Vexler (127353) on Tuesday May 01, 2007 @12:42PM (#18943655) Journal
    ...ROT13 *is* easier to manage and deploy.
  • by Vellmont (569020) on Tuesday May 01, 2007 @12:42PM (#18943657) Homepage
    I don't think it's such a bad idea to have some extra means of making sure a user REALLY wants to do a special action. Ubuntu and Fedora handle this by asking a user to authenticate whenever an action requiring elevated rights occurs. It's actually done quite well and is only required for doing things like adding or deleting software, and the rights stick around for a while so you're not constantly typing in passwords.

    The problem of course is that Microsoft went crazy and decided to lock down EVERYTHING. To the point where it's just plain annoying running the OS with it on. I tried it for a couple weeks just to see if I could get used to it. There's a tendency for people to crave the old way of doing something not because it's better, but just because that's what they're used to. I did eventually decide UAC was more trouble than it's worth, and disabled it.

    I guess I tend to agree with the theory that UAC wasn't really real security, but about putting the blame more on the user. Microsoft can just claim "Well, you DID disable UAC didn't you?, so it's not our problem."
  • Leave it to Microsoft to do a poor job at copying someone else's idea and taking credit for inventing it.
    What is really sad is many people who only know Windows and are not familiar elevating permissions will believe Redmond's lies.

  • Just great.

    Microsoft can't figure how to make a secure OS easy to use, so they push to make more secure OS's more annoying.

    "You are coming to a sad realization, Confirm or Deny?" Indeed.

  • The submitter wants to compare UAC to sudo? Come on, genius. The "fancy display mechanism" is the entire point! One's a command-line utility for uber-nerds, the other is a prompt which just works. Man, if you're smart enough to run sudo, you should be smart enough to think like a casual person, and understand why one might easily benefit from UAC.

    If I sound like a fanboy, I'm not. I'm just trying to stay objective, which is more than the submitter is doing. Use your head.

  • Spin (Score:3, Insightful)

    by rlp (11898) on Tuesday May 01, 2007 @12:47PM (#18943755)
    What do you expect him to say - "we're late to the party and we botched the implementation". It took them five years to create Vista. They pulled out every major feature except 'security' and DRM and they got security wrong. And now they wonder why customers aren't clamoring to upgrade to Vista.
  • "Wait for us, we're the leader!"
    - Microsoft
  • by filesiteguy (695431) <kai@perfectreign.com> on Tuesday May 01, 2007 @12:50PM (#18943799) Homepage
    ...my browser keeps asking me to allow or deny arstechnica...

  • Default Behavior (Score:2, Insightful)

    by rtobyr (846578)
    Barring the debate over whether UAC is well implemented, what's somewhat new is that it's the default behavior. Ubuntu has been doing this since the beginning of that distro, but I don't know of other Linux distros that--by default--don't let you log in as root, granting sudo priviliges to the first user created. I can't say whether Apple does this. I know for sure that Slackware, Fedora, and RHEL don't. FreeBSD didn't last time I checked, but that was a *long* time ago. I think the debate ought to be less
    • Re: (Score:3, Informative)

      It's what Apple does more or less. The root user isn't actually involved but the first account created can assert administrator level privileges when appropriate by password.
  • by mpapet (761907) on Tuesday May 01, 2007 @01:01PM (#18943993) Homepage
    The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"

    No it's not! Not at all. First of all, let's define what sudo should do: Act as a barrier that data and application execution must pass. UAC does not fit the definition.

    "Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges -- which Microsoft calls Integrity Levels (IL) -- are designed to allow some IL breaches.

    Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries,"

    Thank you Mark Russinovich for stating what's been clear for quite some time. http://www.networkworld.com/news/2007/021407-micro soft-uac-not-a-security.html [networkworld.com]

    I wish, for once, everyone and their grandmother would stop assuming Microsoft's security proclamations are reliable information.
  • by EXTomar (78739) on Tuesday May 01, 2007 @01:03PM (#18944043)
    Microsoft's UAC approach does not fix the problem. Windows is like a rickety bridge. We know its dangerous but Microsoft's "fix" is to place signs every 5 steps warning you could slip. How about instead we build a better bridge instead of build a better sign? Maybe we need Microsoft to build a better Windows instead of build a better system to warn us about Windows? That must be crazy talk because Microsoft year after year continues to choose to seek how to build better signs instead of better bridges.

    Lets get Microsoft to design a software platform that doesn't require the user to think about whether or not the user is about to break something? Is that really so hard for one of the largest software companies in the world? UAC from my view is the wrong way to solve a problem which was born of questionable engineering. One of the reasons why UAC is so dubious is that the user may not know any better either which is a "blind leading the blind" across that rickety bridge. In summary, a better Windows wouldn't have a need for UAC so why tout this technology?
  • ... and then they will sue them for patent infringement.

    You can't win.
  • by Prien715 (251944) <agnosticpopeNO@SPAMgmail.com> on Tuesday May 01, 2007 @01:08PM (#18944113) Journal
    Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea (and wishes everyone had it)

    In other news, the Notre Dame football coach thinks his team can win. Local Ford salesman hates Toyotas. Linus Torvalds thinks Linux is great. Christians report having favorable rating for Jesus this year.

    MS's Chief Security Adviser is paid to evangelize MS security. This is news?
  • Bass - Aackwards (Score:3, Insightful)

    by redelm (54142) on Tuesday May 01, 2007 @01:30PM (#18944457) Homepage
    Those who do not understand history are condemned to repeat it -- usually as farce.

    So MSFT is `chown -R unpriv_user *.exe` and making all pgms SUID unpriv_user! This brings problems:

    Are all necessary files world-readable? What about other users.

    Are all necessary files/dirs world-writable? c:\windows\system32?

    How will the OS know if a pgm can access certain ports?

    What if a hostile doesn't access ports directly but fork()s legit pgms?.

    if other pgms are writeable, can't an attacker assume their priviliges by corrupting them?

    Priv isolation by user is far clearer than by pgm.

  • by TheLink (130905) on Tuesday May 01, 2007 @01:38PM (#18944617) Journal
    A modern OS should be having something that's much better than sudo.

    Modern desktop class OSes should have sandbox _templates_, with apps being allowed to "suggest" a template.

    Then if an app claims to be a "plain old screen saver", it only gets "plain old screen saver" rights - which means no network access, no access to the user's files etc.

    If it claimed to be a "standard network game" then it gets different sort of access - file system access to its own "app specific data folder" in the user's home directory, access to full-screen graphics, sound _playback_ (not recording[1]), limited network access (as per requested).

    If some flash applet "game" somehow requires "full administrative system privileges", go figure...

    [1] Only a few apps should be allowed to record sound - stuff like skype, voice chat app for games. Your word processor should not be recording sound. The O/S should handle the voice control stuff if you like that sort of crap. And by default you may not wish to allow an app to record sound while backgrounded or just sitting in the "systray".
    • Re: (Score:3, Interesting)

      by fritsd (924429)
      A great idea!
      Let's call it "Role-Based Access Control". I believe that's what SElinux does (and several other systems too).
      According to the wikipedia, also Microsoft Active Directory, so why didn't they use their own existing implementation to put it in MS Vista's UAC?
      Now that I'm posting anyway, can a kind soul explain why spamassassin (scontext=system_u:system_r:spamd_t) gives so many audit errors? Should I add something in its macros?
  • by zakezuke (229119) on Tuesday May 01, 2007 @01:47PM (#18944777)
    I've not used vista that much, but I have had the misfortune to try to install hardware under vista. I have to say that "Tinyfirewall [sunbelt-software.com]" does a better job alterting you that program a is accessing program b. It doesn't make the distinction between something that requires administrator privilages, nor was it decent for average users that don't know what "cryptic-filename" is or does, or if it should access the net, but it was a good stop gap piece of software which took into account the fact that windows wasn't geared for security served as a useful watchdog, esp for windows it self and software which phones home and auto updates.

  • by Nom du Keyboard (633989) on Tuesday May 01, 2007 @03:31PM (#18946647)
    Microsoft Says Other OSes Should Imitate UAC

    And then we sue them.

  • UAC (Score:3, Insightful)

    by JustNiz (692889) on Tuesday May 01, 2007 @07:03PM (#18949465)
    UAC is the biggest pain in the butt to users of any software I've ever come across. Its the first thing I disable in Vista because its continuous stream of "are you sure" dialog boxes everytime you just open a file is so freaking annoying.

    Jeez I REALLY hope other OS-developers are laughing hard at this and not taking Microsoft's suggestion to implement this everywhere seriously.
  • UAC isn't "sudo" (Score:3, Informative)

    by yeremein (678037) on Tuesday May 01, 2007 @09:29PM (#18950597)
    In Unix, you type a command, get "permission denied", and then run the command again, prefixed with "sudo".

    In Windows, you type in a command, get "permission denied", and... crap. There is no "sudo". Instead, you have to find a shortcut to a command prompt, right-click and select "Run as administrator", confirm the UAC prompt, change back to whatever directory you were in, and then run the command. It's a huge pain for people who work from the command line.

Moneyliness is next to Godliness. -- Andries van Dam

Working...