Microsoft Says Other OSes Should Imitate UAC 493
COA writes "Many Vista adopters find User Account Control irritating, but Microsoft thinks it's an approach other OSes should emulate. Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea and 'strategically a direction that all operating systems and all technologies should be heading down.' He also believes Microsoft is charting new territory with UAC. 'The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, of which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
Or not? (Score:5, Insightful)
news flash (Score:5, Insightful)
Microsoftened? (Score:5, Insightful)
Agreed, other OS's need to copy UAC (Score:5, Insightful)
Hell, they should make them appear so often people completely ignore their content and just blindly click "OK" or "Allow". Yeah, that's the ticket...
Ironic (Score:5, Insightful)
How is this news (Score:2, Insightful)
Translation of story title... (Score:5, Insightful)
Instead of UAC asking you permission (Score:1, Insightful)
Patently obvious motivation. (Score:5, Insightful)
Translation: "If we can get all the other operating systems to follow our lead, we can claim some sort of patent infringment on 'em."
> The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"
The fact that Microsoft is late to the party is what makes it a patent trap. If it were just sudo, it wouldn't be patentable. When it's "a method for controlling process elevation, comprised of (sudo) and (a fancy display mechanism) and (extra monitoring)", it becomes patentable.
Microsoft is setting a trap for future patent lawsuits. Deny or Allow?
Re:Agreed, other OS's need to copy UAC (Score:5, Insightful)
Exactly.
I translated the microsoft speak as "We suck... so everyone else should too! Cancel or Allow?"
You can tell your locked down DRM laden OS... (Score:5, Insightful)
Almost right (Score:5, Insightful)
I would say (and many here would agree) that UAC is a half-hearted, bad copy of sudo. sudo requires authentication and only for actions that require elevated privileges (like changing key system files). UAC annoying asks the user to verify suspicious behaviors to ensure that is what he or she really wants to do. Really UAC is an attempt at MS to shift the blame the user for their somewhat insecurity architecture. When something does go wrong, MS can blame the user saying it was the user's duty to verify their actions.
UAC isn't a bad idea, just one taken waaay to far. (Score:5, Insightful)
The problem of course is that Microsoft went crazy and decided to lock down EVERYTHING. To the point where it's just plain annoying running the OS with it on. I tried it for a couple weeks just to see if I could get used to it. There's a tendency for people to crave the old way of doing something not because it's better, but just because that's what they're used to. I did eventually decide UAC was more trouble than it's worth, and disabled it.
I guess I tend to agree with the theory that UAC wasn't really real security, but about putting the blame more on the user. Microsoft can just claim "Well, you DID disable UAC didn't you?, so it's not our problem."
Spin (Score:3, Insightful)
Re:Hello Microsoft (Score:5, Insightful)
Default Behavior (Score:2, Insightful)
Re:sudo (Score:5, Insightful)
Off-topic? Parent was likely referring to this gem [xkcd.com]
Re:Obligatory (Score:3, Insightful)
Write a goofy screen saver and get people to download it. On install, say "you need to log in to install" which isn't unusual for a screen saver (at least not to the layman.) You put up a fake login dialog, and record their password. You install the screen saver in the user's folder, which doesn't require a password, and will trick the user into thinking it's all legit. Then you just transmit the saved password to God knows where when the screensaver activates.
I don't know if Microsoft's system offers more protection against that scenario.
*clap* (Score:3, Insightful)
Re:Weak comparison (Score:1, Insightful)
Translation: I have no idea what the hell I'm talking about. I only have a cursory idea of what sudo, and for that matter what UAC does. I certainly have never used any of the advanced features. However, if I tell you you're all stupid, and that you're over thinking it, maybe you'll think I'm smart. If I tell you I'm not a fanboy, maybe you'll be stupid enough to believe me.
Re:Obligatory (Score:5, Insightful)
And now it wants everyone to imitate them?
Re:Obligatory (Score:5, Insightful)
Remains to be seen if Vista will ever achieve enough market penetration to apply such pressures effectively, but still...
Build A Better Bridge, Not Build A Better Sign (Score:3, Insightful)
Lets get Microsoft to design a software platform that doesn't require the user to think about whether or not the user is about to break something? Is that really so hard for one of the largest software companies in the world? UAC from my view is the wrong way to solve a problem which was born of questionable engineering. One of the reasons why UAC is so dubious is that the user may not know any better either which is a "blind leading the blind" across that rickety bridge. In summary, a better Windows wouldn't have a need for UAC so why tout this technology?
Re:Or not? (Score:3, Insightful)
Mind you, I'd love to see macs come with an "advanced" mode, where they display all those errors that they normally suppress.
That was one of the few Mac/PC commercials that annoyed me, the one where the PC is "spouting cryptic error messages", and the Mac says, "Oh hey, I'm a Mac, we don't do that."
Grrrrrr, like the "Bomb" or the "Unhappy face" aren't the most cryptic error messages of all? What's wrong? Someone set me up the bomb! Well THAT'S fricking helpful. If I google "bomb" I'm going to get a bunch of guys in suits with no sense of humor at my door in an hour or less, whereas if I google "DLL Error 12af2342fa4" there will probably be a page telling me what DLL is screwed up, and where to get it to reinstall.
Re:UAC isn't a bad idea, just one taken waaay to f (Score:3, Insightful)
What if some malware attacks in this while? That, I believe, is precisely why Microsoft didn't implement it this way.
There's a tendency for IT people to believe that ALL solutions have to be perfect solutions. Yes, there's some level of increased risk for a few minutes after a use authenticates. But if you have a short period of time where the extra rights stick around, you'll likely get people to actually USE the damn thing rather than running as root (or turning off UAC).
Security in particular is often a balance between usability and security. If the product isn't usable because of the security, the users will MAKE it usable by going around the security (thereby defeating the security).
Hmm. Apart from installing/uninstalling software, controlling system settings, and for certain software that hasn't got its act together yet and needs admin permissions, exactly where does UAC pop up?
I couldn't tell you specifically, as I disabled it in Vista months ago. All I know is the damn thing came up waaay too often, so I killed it.
Re:Or not? (Score:4, Insightful)
These errors are long gone. In fact, they are gone since the introduction of MacOS X.. in 2000!
And it's not like the hexadecimal code in a blue screen was that helpful. Yeah, you know it's a driver that caused it.. so what? I knew that before the bsod!
Bass - Aackwards (Score:3, Insightful)
So MSFT is `chown -R unpriv_user *.exe` and making all pgms SUID unpriv_user! This brings problems:
Are all necessary files world-readable? What about other users.
Are all necessary files/dirs world-writable? c:\windows\system32?
How will the OS know if a pgm can access certain ports?
What if a hostile doesn't access ports directly but fork()s legit pgms?.
if other pgms are writeable, can't an attacker assume their priviliges by corrupting them?
Priv isolation by user is far clearer than by pgm.
UAC == *TERRIBLE* Security Idea! (Score:5, Insightful)
As such, users see the prompts as an unimportant nuisance, but soon realize that things don't work unless you click "Allow." Thus, you're training users in Pavlovian fashion to click "Allow" to any damn box that comes up.
Now think about this for a second: when 99% of the prompts you get are harmless, and "Allow" is always the right answer, just how many users will actually read it and apply critical thought when they see the 1% of UAC prompts that warns of actual danger? Almost none of them, even the smart ones. Once you get trained to just click allow, you're going to click it just before your realize "Oops! I didn't want to allow THAT one!"
So if you ask me, UAC is a huge step backwards in terms of security. Microsoft appears to have put almost no thought into it and it's little more than a way of blame-shifting. After all, the USER is the one who didn't click "Deny" the one time in one hundred it would've prevented something bad, so it's *all* their fault. Even though they only did what UAC trained them to do.
Disable UAC now. It's not security; it's blame-shifting.
Re:Obligatory (Score:2, Insightful)
Any system without full Secure Attention Key support is spoofable.
All I need to do on UNIX-a-likes is make something called 'sudo' that gets invoked earlier in your path and says "Password: " the same way.
Since you can customize the 'sudo' password prompt, for Extra Fun Bonus, what I really want to do is invoke 'sudo' connected to a PTY that my program controls the other side of. That way, I can pass the actual password through and have sudo work.
Same applies for fake screensaver unlock boxes, console login prompts, GDM logins (heck, with Red Hat Enterprise, I never know what the GDM login is going to look like from one machine to the next), and so on.
Without a true Secure Attention Key, and one which must be used to have the system verify a password, any system is spoofable.
What we really need is, like others say, a vast reduction in the number of programs that ask for elevated privileges but don't really need them, they're just badly coded. (And this goes for Mac OS X apps, too; frankly, I think there's too much junk in installer form rather than just a drag-and-drop .app folder in a disk image download. If I copy the .app to /Applications, sure, Finder may want some extra privs. But if I put it in ~/MyStuff, no password.)
It needs to be so that people see a password prompt and say, "Why does it need this?" rather than "oh not again."
Re:Well, that's because... Got ya, just a joke! (Score:3, Insightful)
No prob :-)
Definitely not an anything zealot (except coffee perhaps)... Each OS has it's place, it's fan/user base (same thing sometimes), and it's purpose...
Re:UAC == *TERRIBLE* Security Idea! (Score:4, Insightful)
Your point is that people are too dumb to make security decisions, so it's a bad design to require them to make them. Of course, the flip-side of this argument is that unless users are given the opportunity to make a choice, what's available is the same as no choice.
The notion that users can't make good security choices may have some merit, but the idea that disabling UAC is somehow good security advice is backwards- disabling UAC (and therefore running with a full token) is exactly the same as clicking every prompt that comes your way indiscriminately. Ironically, your advice is worse than the problem you're complaining about. OK OK, you *really* just want something better than UAC. Welcome to the club, we all want magical better security.
Security in a world of users who are trained to think that security somehow doesn't involve them will never work. Microsoft helped create that illusion, and it's bitten them hard. You might see this as blame-shifting, but I see it differently: it's pain-shifting. And it's about time. People (and the folks who write their software) have to start being responsible for their own security, and annoying tho it might be, UAC is a step in the right direction. Let's hope we start seeing software designs that don't require elevated privileges, let's look forward to users with a clue about what executing code means. Let's let Microsoft choke a little bit on how much their legacy of interoperability-over-security has cost them.
Re:UAC == *TERRIBLE* Security Idea! (Score:4, Insightful)
Result: The applications are written to behave properly and not try write garbage all over your hard disk. Proper user-specific configurations are much easier to manage. All is good!
Re:UAC == *TERRIBLE* Security Idea! (Score:0, Insightful)
UAC == *Decent* Security Idea! (Score:4, Insightful)
A lot of programs you install in Vista don't give you the prompt, others do. Some things you do in Vista give you the prompt, others don't. Those installs that are silently passed are signed or don't request to do anything dramatic to the system, and average user doesn't care why or how, he just knows it's trusted. He or she usually got that software from the site of the publisher or physical media (likely too, a publisher who is huge) and he or she knows it's safe. The prompts arise when you get into Control Panel and other aspects of the Windows system where changes could bring failure, but not when copying your personal files around. I notice I get it on my laptop when another program calls a program that isn't signed (Firefox calls an old version of Winrar, because I don't want to buy the new one, and each time it asks me if I'd like to open the file. Not only do I LIKE this, but respect it. Sygate personal firewall conditioned me to this when Firefox was opened by another program - not only does it save the time of loading some advert page, on a DVD maybe, but it kept a few pieces of malware from phoning home. Users can understand this behavior.)
The number one item that can protect the average user is if a prompt arises out of no where. If you are browsing the web and suddenly you are asked for permission to modify your system - when you've done nothing to drive the event - you aren't going to allow it. Sure, when you download and install software you may fly through that prompt, but to the new user, the normal user, you will learn right away that installing software is dangerous. In my corporate IT environment installing any software is forbidden, running software not supplied by IT is forbidden - for a reason. After clicking through a few cancel or allows you may just discriminate a little more when it comes to your actions. Is it security? Not really, but do home users really need that much? Isn't it right to tell them that making or saving a change in the Control Panel can have adverse effects? (and likewise with the other actions?)
It's hard to attack UAC completely because Linux and others have Sudo, Redhat allowed you to escalate to root privileges by simply typing the password and to most new Linux users escalating to root has become a normal exercise. There is all this talk about OS security, but it's all in the hands of the users. To deny someone the ability to take control of their own machine is barbaric - I think we all agree with that statement. We can't lock users out of taking control of those center ring privileges, unless you're the head of IT and those machines are under you "watch". You say it shifts blame, but that is where it belongs, on the user. The help is there in Vista, it spells out the concept of UAC in easy to understand terms. There is no reason a normal user can't take advantage of it. I know many people who still accept cookies on a per request basis (on today's web!) - some people actually want this feature. It doesn't work for the great majority of us, but don't kid yourself and say we aren't completely familiar with idea.
My advice for the soccer moms and grandparents: Don't turn it off. Prompting is good. This is coming from someone who has had a desktop system with the same factory install of Windows XP running since January, 2004 (I un-boxed it June of 2004). I work with what I have, and that system has not only been a workhorse for my Windows desktop software, but runs a ton of GPL software and is enhanced with Cygwin. All together I run 6 machines at home with Debian, FreeBSD, XP Pro, XP Home, Vista (aforementioned laptop) and Windows 2000 Server. Only two of those require an escalation of privileges, at the machine Everything has a place and UAC has a place with those new users going to their retail store and buying a PC for the first time. Years ago people were complaining didn't Windows have a similar mechanism.
Finish out the quote please (Score:4, Insightful)
And then we sue them.
Imitate the UAC? (Score:1, Insightful)
Re:UAC == *TERRIBLE* Security Idea! (Score:4, Insightful)
If/when enough developers do so, they'll remove one of the major constraints against running as an ordinary user and not as an administrator.
Didn't UAC open the Phobos Anomaly? (Score:1, Insightful)
When I'm hunting imps in E2M2, the last thing I want to see is more UAC crates.
UAC (Score:3, Insightful)
Jeez I REALLY hope other OS-developers are laughing hard at this and not taking Microsoft's suggestion to implement this everywhere seriously.
Re:Obligatory (Score:3, Insightful)
Re:UAC == *TERRIBLE* Security Idea! (Score:3, Insightful)
It's unfortunate that this looks like bad user experience on Microsoft's part when it's almost certainly winrar's fault.
Re:UAC == *TERRIBLE* Security Idea! (Score:3, Insightful)
It's a shame it doesn't really work though. Good example, I installed an online game on Vista recently. UAC as expected popped up during the install, due to the game installing an updater/login program to Program Files, even though I installed the game to D:\Games. I then ran the shortcut the game made, and it's launcher popped up, downloaded an update to the launcher and then ran. Problem is when it ran, it was out of date and failed. I closed it, reopened it, and no download this time, but same old version. I found the problem was that Windows remapped the upgrade process into that C:\Users folder (don't have the exact path handy, not in Vista currently) so it dumped the upgraded launcher files there, but then wasn't properly redirected to that folder to execute the new launcher. It instead ran the old launcher in Program Files.
The solution was either run the launcher as an admin, or disable UAC. The proper way to do this to me would be pop up a UAC alert or something to let me know the program just tried to patch Program Files instead of silently redirecting it and breaking it.
For a more permanent solution, Microsoft just needs to throw away all the backwards compatibility they have and start from a clean base. Throw together a backwards compatibility sandbox that shows a dividing line in the sand for users, but still allows people to use their old programs. They will eventually migrate to newer ones, and years down the road the backwards compatibility mode can be thrown out. Then everyone will be in a happy secure MS land where the system isn't trying to be so backwards compatible it has to annoy people with a broken security attempt.
In other words, Microsoft should copy a play out of Apples book, ala the OS 9 to OS X transition, specifically "Classic". Throw enough of a new Win32 API in the newer Windows environment that allows an older program to run in the new area with a recompile, and some tweaks for the new systems.
Re:UAC == *TERRIBLE* Security Idea! (Score:3, Insightful)