Details on Refining Vista's User Control
borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that they have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."
Re:Same as in OS X's early days (Score:3, Interesting)
On the other hand, I have gotten those prompts in OS X for Microsoft- and Real-built applications which were trying to do things they had no business doing.
All the open source players I have installed on OS X (I have 2 or 3) have never required root authorization for anything, yet WMP and Real wanted to access my root files. Why? This hints at how invasive the programs are; what are they doing monkeying around at that level on my system?
The user prompting you are seeing in Windows is not necessarily excessive; it may arise from genuine security concerns because of how invasive Microsoft is to its users, as reported consistently in previous years with hidden logs, spyware bundling, and surreptitious installation of DRM modules. (I have Office 2004 on my Mac, was prompted for a root password, and immediately hunted down where the change was... it turns out it snuck a DRM bundle into my web browser!)
Re:Here's how to delete a file on Windows Vista (Score:3, Interesting)
Re:There you go again (Score:5, Interesting)
In a word, no. How is the OS supposed to know that that cute little systray weather forecast app you downloaded and installed is actually a trojan?
As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.
Easy fix (Score:2, Interesting)
Huge Difference (Score:3, Interesting)
The situation on Windows is completely different. Microsoft is retrofitting Windows with this security model, but it must still support the vast catalog of existing software that was written assuming the traditional Windows security model. So, instead of an application or installer explicitly requesting authorization, Windows watches all processes for what amounts to security violations, halts the process and prompts the user for elevation. And now they're talking about writing shims for specific problematic applications. Yikes!
To call this over-engineering is an understatement, to say the least, but what else can they do? The value of Windows has always been in its backward compatibility, and Microsoft cannot give that up without risking their dominance in the market. But this is precisely why OS X has surpassed Windows in terms of the rate of development within the last few years (also an understatement).
Re: click delete, CONFIRM delete? (Score:2, Interesting)
the optimal number of steps
Is one. Just one. On my KDE desktop, I right-click the icon and select Delete. Apple's desktop is similar.
In both instances, there's a robust security model underneath my desktop that does not require an extra "are you sure?" button on my desktop to work right.
Re: click delete, CONFIRM delete? (Score:2, Interesting)
Say a novice user (think grandma) is trying to click on Rename and accidentally hits Delete without even noticing that Delete was an option. If the shortcut disappears, they would be thoroughly confused. They would not know to look in the Recycle Bin.
Also, remember, this confirmation *can* be turned off in Vista (just like in XP.) So, you can have it the way you like it if you decide to use Vista. However, I support the decision to default this feature to on.
Security Hole == Windows Message Pump (Score:4, Interesting)
The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).
Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.
One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.
But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista Windows must be modified and rebuilt.
So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.
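The single-front-door problem the comment above describes can be seen directly with two documented user32 calls. The script below is an added example, not code from the thread or from Microsoft: it finds a classic Win32 Notepad window, locates its Edit child control, and posts WM_CHAR messages to it. No key is pressed and no keyboard hook fires, yet the characters appear in the document because the edit control's window procedure receives exactly the message a real keystroke would produce after TranslateMessage, with no sender identity attached. The class names "Notepad" and "Edit" are assumed to match the classic Win32 Notepad; the modern (UWP-based) Notepad has no Edit child and the script reports that rather than guessing.

```powershell
# Added example (not from the Slashdot thread or any Microsoft code): show that a
# WM_CHAR message posted from another process lands in the target's window
# procedure exactly like a real keystroke. Assumes a classic Win32 Notepad
# window is open; "Notepad" and "Edit" are its documented Win32 class names.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class User32 {
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter,
                                             string lpszClass, string lpszWindow);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
}
'@
Add-Type -TypeDefinition $sig

# WM_CHAR is what a keystroke becomes once TranslateMessage has turned the
# virtual key into a character; the edit control handles it as "text typed".
$WM_CHAR = 0x0102

# Locate the top-level Notepad window and its edit control (the child that
# actually receives typed characters).
$top = [User32]::FindWindow('Notepad', $null)
if ($top -eq [IntPtr]::Zero) {
    throw 'No classic Notepad window found; start notepad.exe first.'
}
$edit = [User32]::FindWindowEx($top, [IntPtr]::Zero, 'Edit', $null)
if ($edit -eq [IntPtr]::Zero) {
    throw 'Notepad has no Win32 Edit child (modern Notepad?); use a classic build.'
}

# Post one WM_CHAR per character. lParam = 1 is the repeat count a real
# keystroke would carry. PostMessage queues rather than blocks, so a hung
# target cannot stall this script.
foreach ($ch in [char[]]'typed by a message, not by a user') {
    $ok = [User32]::PostMessage($edit, $WM_CHAR, [IntPtr][int]$ch, [IntPtr]1)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "PostMessage failed with Win32 error $err"
    }
}
```

Two practical notes. First, this is the same path legitimate automation and accessibility tools use, which is why the receiving application has no field in the message to inspect for provenance; a window procedure that wants to trust "real" input has nothing to check. Second, the partial mitigation that shipped in Vista is User Interface Privilege Isolation: the window manager refuses to deliver posted or sent messages from a lower-integrity process to a higher-integrity window, so running the script as a standard user against an elevated Notepad makes PostMessage fail with access denied. That segregates by integrity level, not by input source, so two processes at the same integrity level still cannot tell each other's messages from the keyboard's.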