UAP - ugh

Discussion in 'Windows Vista General Discussion' started by Steve, Apr 29, 2006.

  1. Steve

    Steve Guest

    Excerpts from
    http://www.schneier.com/blog/archives/2006/04/microsoft_vista.html


    Modern operating systems like Linux and Mac OS X operate under a
    security model where even administrative users don't get full access
    to certain features unless they provide an in-place logon before
    performing any task that might harm the system. This type of security
    model protects users from themselves, and it is something that
    Microsoft should have added to Windows years ago.

    Here's the good news. In Windows Vista, Microsoft is indeed moving to
    this kind of security model. The feature is called User Account
    Protection (UAP) and, as you might expect, it prevents even
    administrative users from performing potentially dangerous tasks
    without first providing security credentials, thus ensuring that the
    user understands what they're doing before making a critical mistake.
    It sounds like a good system. But this is Microsoft we're talking
    about. They completely botched UAP.

    The bad news is that UAP is a sad joke. It's the most annoying feature
    that Microsoft has ever added to any software product. The problem
    with UAP is that it throws up warning dialogs for even the simplest of
    tasks.

    The dialogs stack up, one after the other, in a seemingly never-ending
    display of stupidity. Sometimes you'll find yourself unable to do
    certain things for no good reason, and you click Allow buttons until
    you're blue in the face.

    The problem with the Security Through Endless Warning Dialogs school
    of thought is that it doesn't work. All those earnest warning dialogs
    blend together into a giant "click here to get work done" button that
    nobody bothers to read any more. The operating system cries wolf so
    much that when a real wolf rolls around, you'll mindlessly allow it
    access to whatever it wants, just out of habit.

    These dialog boxes are not security for the user, they're CYA security
    from the user. When some piece of malware trashes your system,
    Microsoft can say: "You gave the program permission to do that, it's
    not our fault."

    Warning dialog boxes are only effective if the user has the ability to
    make intelligent decisions about the warnings. If the user cannot do
    that, they're just annoyances. And they're annoyances that don't
    improve security.



    --

    The wages of sin are death,
    but by the time taxes are taken out,
    it's just sort of a tired feeling.

    ....Paula Poundstone
     
    Steve, Apr 29, 2006
    #1
    1. Advertisements

  2. Steve

    Puppy Breath Guest

    That looks it's based on the earliest betas. My experience with current CTPs
    has been nothing like that. I have to escalate privileges where appropriate,
    sure. And once in a while I have to click an Allow box. But nothing that
    even comes close to the criticisms in those mindless rants.
     
    Puppy Breath, Apr 29, 2006
    #2
    1. Advertisements

  3. I think it's OK - yeh it needs some tweaking in a few (maybe a few more than
    few...) places, but it's OK.

    --
    Zack Whittaker
    » ZackNET Enterprises: www.zacknet.co.uk
    » MSBlog on ResDev: www.msblog.org
    » Vista Knowledge Base: www.vistabase.co.uk
    » This mailing is provided "as is" with no warranties, and confers no
    rights. All opinions expressed are those of myself unless stated so, and not
    of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared
    that up!

    --: Original message follows :--
     
    Zack Whittaker, Apr 29, 2006
    #3
  4. Steve

    Puppy Breath Guest

    Well we've got several months of tweaking before there is an actual product.
    By the time the product is released I bet most of the complaints will be the
    hardware requirements and the fact that the interface is so different from
    the Win 95-to-XP string of products.
     
    Puppy Breath, Apr 29, 2006
    #4
  5. Andre Da Costa [Extended64], Apr 29, 2006
    #5
  6. people learn to automate the motion of pressing OK without thinking
    thus it is extreamly dangerous...

    they have to change it somehow. I dont like the way you have to enter a
    password in linux
    either.....

    Xp had non administrator accounts... I dont understand the need for this....
    they could ask you in the start if you want to be administrator or not
    and have an explaination of the dangers, and then let the user decide....
     
    John Jay Smith, Apr 29, 2006
    #6
  7. I can't help but agree with the general idea. Putting myself in a typical
    end-user's shoes, I can see the most blatant and overlooked security failing
    in Windows, from NT through Vista: when you install the system, you need to
    create one user account (in fact, up to Win2k, you didn't have to do even
    that), which is an administrator by default. Do the MS people imagine, even
    one second, that the end-user will bother to create another, limited,
    account for his/her day-to-day usage? If they do, they're sadly disconnected
    from reality (I just can't suppose they're *all* that stupid). There's still
    time, I think, to correct it: when you install Vista (RTM), force the user
    to create both an administrator and a standard account, and make the latter
    the default login. And *explain* why this is necessary. The various
    self-congratulation screens one sees during the setup process are quite
    superfluous. Explaining why the end-user mustn't use an admin account for
    ordinary tasks is much more important. And since it's mandatory to use an
    admin account to run the system management tasks, then the numerous "allow"
    dialogs are just a ridiculous nuisance, very much like the "validation"
    process for Microsoft downloads.
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Steve" <> a écrit dans le message de ...
    |
    | Excerpts from
    | http://www.schneier.com/blog/archives/2006/04/microsoft_vista.html
    |
    [snip]
     
    Pierre Szwarc, Apr 29, 2006
    #7
  8. Needs a new driver - I'm not gonna write one for yer! I've got enough to do
    as it is!!
    Just save yourself time, money, and a lot of effort, and just buy yourself a
    Windows Mobile 2003/5.0 phone instead, because then you can sync it up with
    anything and everything :eek:)

    --
    Zack Whittaker
    » ZackNET Enterprises: www.zacknet.co.uk
    » MSBlog on ResDev: www.msblog.org
    » Vista Knowledge Base: www.vistabase.co.uk
    » This mailing is provided "as is" with no warranties, and confers no
    rights. All opinions expressed are those of myself unless stated so, and not
    of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared
    that up!

    --: Original message follows :--
     
    Zack Whittaker, Apr 29, 2006
    #8
  9. Andre Da Costa [Extended64], Apr 29, 2006
    #9
  10. Does 5308 fix this problem? I downloaded it last night from MSDN but haven't
    installed it yet.
     
    michael e dziatkowicz, Apr 29, 2006
    #10
  11. Steve

    Puppy Breath Guest

    There's not doubt that the whole concept of bringing the "typical" corporate
    security model into the home environment is going to throw people for a
    loop. After all, nobody has the job title "system administrator" in a
    household. After the stiff hardware requirements and new interface, this is
    likely to be the #3 main reason for slow adoption of Vista.
     
    Puppy Breath, Apr 29, 2006
    #11
  12. Steve

    Puppy Breath Guest

    5308 is OK on the privilege escalation and Allow boxes. At least, I'm not
    getting an extreme number of them and they're not piling up at all. I stay
    in my Standard account all the time except for a few high-level security
    things.
     
    Puppy Breath, Apr 29, 2006
    #12
  13. I don't know about that. I mean, it didn't stop the adoption of XP, did it?
    It just delayed it a bit, but after a while XP went into homes like a hot
    knife into butter.
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Puppy Breath" <> a écrit dans le message de ...
    | There's not doubt that the whole concept of bringing the "typical"
    corporate
    | security model into the home environment is going to throw people for a
    | loop. After all, nobody has the job title "system administrator" in a
    | household. After the stiff hardware requirements and new interface, this
    is
    | likely to be the #3 main reason for slow adoption of Vista.
     
    Pierre Szwarc, Apr 29, 2006
    #13
  14. Steve

    Puppy Breath Guest

    So will Vista. It'll probably just take a little longer because it's a more
    radical change. More like the change from DOS to Windows than the change
    from ME/2000/98 or whatever to XP.
     
    Puppy Breath, Apr 29, 2006
    #14
  15. Steve

    Ed Dixon Guest

    It will go into homes because PCs will be sold with only Vista. The better
    measure is purchased upgrades.

    A fair percentage of corporate users have not even moved to XP. Many are
    still running the OS that came with their PC, which is true of a large
    percentage of users, regardless of category or location.

    Ed
     
    Ed Dixon, Apr 29, 2006
    #15
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.