7 comments:
Look, these features are great for both systems, but I see a flaw in Vista's UAC, a local flaw. Here's the problem. Say a user leaves his computer logged in and walks away from it (mind you, he/she is under a limited account on either system). On OSX UAC prompts, one must enter a username and password if one would like to install programs or gain elevated privileges. On Vista's side, one ONLY must click allow and that's it. Surely saving 3 seconds and just clicking allow rather than password and login name is great for somebody who can't type that fast or is too lazy to type a password in, but now you left a huge hole in your system, although you already did that when you left your computer logged in, but all one has to do now is click ALLOW. Does anybody understand what I am saying? I try to explain this to people and the only response I get is FANBOY. Sure I love my Mac, and I hate Windows, but I don't think either computer is better than another. IN FACT I think all computers are INSECURE and Steve Jobs could be Bill Gates for all I care.
Any thoughts?
That's a valid point. This is why on my home machines (OSX, Linux, XP) and my work machine I set a screen saver timeout in addition to locking any machine I am not currently using.
Henry,
David is right about the account lockout. If you leave your computer open, you got a lot more problems than worrying about someone elevating UAC. You should always lock out Windows automatically after a certain period of time. On corporate PCs, you should set this globally automatically.
Second, what's the purpose of a UAC prompt? It's there to provide program isolation from critical system files and settings and it's there to ask the owner for permission to elevate something. What difference does it make if it asks you for the password versus clicking allow?
Third, if Microsoft forced password mode (you get this with standard users in Vista) by default, a lot more people will turn off UAC. Now what do we have?
That's not a flaw. That's a design decision.
Their usability studies indicated that if they required a password to install software, people would disable UAC, but if they were less invasive (only requiring a button), people wouldn't disable it.
Of course, you can change this invasiveness if you want. Microsoft freely admits that they've tuned the defaults to match their usability testing, but that anybody serious about security should change the defaults to something more user-hostile.
This is the general problem with cyber-security: most problems have no easy solution, and it is a question of trade-offs. Right now, the industry as a whole doesn't accept this principle, so you have cyber-security experts criticizing UAC for when it puts up a prompt, and others criticizing the same scenarios for not putting up enough of a barrier.
"What difference does it make if it asks you for the password versus clicking allow?"
The difference is one must only know how to click the mouse button! vs actually knowing the username and password to elevate privileges. (I would think that's obvious!)
"Third, if Microsoft forced password mode (you get this with standard users in Vista) by default, a lot more people will turn off UAC. Now what do we have?"
We have many insecure PCs. This is why I am not saying this is a terrible feature, I posted to point out that for this situation I described, clicking allow is far less secure than asking for username and password.
"Of course, you can change this invasiveness if you want. Microsoft freely admits that they've tuned the defaults to match their usability testing, but that anybody serious about security should change the defaults to something more user-hostile."
Robert, I need to disagree with Microsoft here. I think that if you're gullible enough to elevate something like a "porn codec" that presumably plays porn files when it really just roots your computer, it won't make a difference whether you ask for password or not.
If anything, I personally believe Microsoft should allow users to maintain a list of common names that is essentially a white list for Authenticode. Then if you get something from Microsoft or Adobe or IBM or some other reputable company that is willing to put up a $10,000 bond (or $1000 if they register photos of their senior management) and promises they won’t put out malware, then allow that installer signed by the bonded company to BYPASS UAC elevation. Could this scheme theoretically be exploited? Sure, someone could choose to lose $10,000 but they’d essentially only get to do it once before they get permanently blacklisted and they’d be wanted cyber criminals.
"so you have cyber-security experts criticizing UAC for when it puts up a prompt, and others criticizing the same scenarios for not putting up enough of a barrier."
Yup, and they're often even the same person that makes both arguments out of both sides of their mouths.
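The two settings the thread argues over (whether elevation asks for a password or only a click, and whether an idle session locks itself) can be read from the registry and checked. The following is an added example, not code from any commenter or from Microsoft. The registry value names are the real UAC policy values, and `ConsentPromptBehaviorAdmin` governs administrators running in Admin Approval Mode; the function names and the sample policy are made up for illustration.

```powershell
# Added example. Meaning of ConsentPromptBehaviorAdmin under
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
$AdminPromptModes = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent (click Allow) on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent (click Allow)'
    5 = 'prompt for consent for non-Windows binaries'
}

# Hypothetical helper: takes a hashtable keyed by registry value name
# and returns a list of findings (empty when nothing is flagged).
function Test-UacPosture {
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'UAC is turned off (EnableLUA is not 1).'
    }
    $mode = $Policy.ConsentPromptBehaviorAdmin
    if ($null -eq $mode) {
        $findings += 'ConsentPromptBehaviorAdmin is not set; the OS default applies.'
    } elseif ([int]$mode -notin 1, 3) {
        $findings += "Administrators elevate without a password: $($AdminPromptModes[[int]$mode])."
    }
    # Screen saver values are stored as strings; a missing value counts as 0.
    if ($Policy.ScreenSaverIsSecure -ne '1' -or [int]$Policy.ScreenSaveTimeOut -le 0) {
        $findings += 'No password-protected screen saver timeout is configured.'
    }
    $findings
}

# Hypothetical helper: collects the same values from the local machine.
function Get-LocalPolicy {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $scr = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    @{
        EnableLUA                  = $sys.EnableLUA
        ConsentPromptBehaviorAdmin = $sys.ConsentPromptBehaviorAdmin
        ScreenSaverIsSecure        = $scr.ScreenSaverIsSecure
        ScreenSaveTimeOut          = $scr.ScreenSaveTimeOut
    }
}

# Constructed sample: click-Allow elevation and no idle lock, the scenario in the thread.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2
             ScreenSaverIsSecure = '0'; ScreenSaveTimeOut = '0' }
Test-UacPosture -Policy $sample
# On a Windows host: Test-UacPosture -Policy (Get-LocalPolicy)
```

Setting `ConsentPromptBehaviorAdmin` to 1 from an elevated session switches administrators to the password prompt; a screen saver timeout pushed through Group Policy is stored under `HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop` and takes precedence over the per-user values read here.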