Looks like Microsoft made some elementary mistakes in planning their security model - and this means that Vista is about to get exploited as bad as XP was.
Most telling:
'"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.
"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen of new attacks against UAC)," she added.'
I'm debating staying with XP due to the things I've heard about Vista needing so much computing power.
Nothing new here. They had this sort of problem in all versions of Windows. Most likely, further security development would take too long and delay the release of the OS.
Another good reason to linger at XP, and experiment with Ubuntu 6.10.
UAC is so annoying that you will find yourself turning it off. Basically running naked.
It will be a long time before I purchase Vista....like maybe when Global Cooling is fashionable on the Left again!
by KingSkippus (799657) * on Tuesday February 13, @04:08PM (#18003076) (http://skippus.blogspot.com/ | Last Journal: Sunday June 19, @07:25AM)
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
by 787style (816008) on Tuesday February 13, @04:33PM (#18003516)
I had probably the most frustrating ten minutes I have ever spent on a computer before.
Start, typed in regedit enter.
Vista: Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the program name I wanted. Thanks for checking though. (click) ....
Edit the registry, close it. That was easy. .... double clicked on setup. Stupid shield on my icon, what does that mean?
Vista: are you sure you want to run this? it's a program, you know.
Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click) .....
Install......that was easy. ....
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over ...
Open my computer, go to program files ....
Vista: Are you sure you want to go there?
Me: Yes (click) ...
open up the application folder ....
drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista: A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista: You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click) ....
Drag to Desktop. ....
Drag from desktop to application folder. ...
Vista: Are you sure you want to overwrite this file?
me: for the love of god yes
Vista: A program wants to write to the Program Files folder. Is this ok?
Me: Die.Die.Die.Die.
by hackstraw (262471) * on Tuesday February 13, @05:36PM (#18004468) (http://www.spamgourmet.com/)
Sounds like Clippy has been re-incarnated.
The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now it's worse because the operating system blocks and asks you to click a bozo box every time you do anything?
* smashes head on desk *
Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who it's designed for, or if it's even designed at all.
The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when you're supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.
* smashes head on desk again *
Microsoft can't even rip off existing security models that work like the elevated privileges in OS X. Microsoft embarrasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.
Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.
Oh, and I almost forgot.
Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.
Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?
* smashes head on desk again *
Not even considering Vista until they are at least on a "Service Pack 2" stage. Microsoft ain't paying me to bug-test their software, so I'll just stick with what works. WinXP has matured now and I'll stick with it for the next few years.
Also, people looking to upgrade to Vista should note that HW requirements have sky-rocketed. Basically, any computer more than a year old will just be forced to its knees under Vista. Actually, test run on notepad computers found that many models more than a year old actually overheated and auto-rebooted just from the stress Vista put on them. And because the desktop is now "3D", unless you have a graphics card with 3D acceleration, you're screwed.
Ms. Rutkowska forgets that in the free market the purpose is to maximize the profit. Design needs to be evaluated from this angle.
The names are the same!
I never considered UAC as a gateway but rather a guard.
Is it a pain? Yes. Installing games, Office, apps, etc. that damn prompt gets annoying.
However, I think it serves a very good purpose to alert you to a stealth program trying to install itself.
Downloading bunny pictures and all of a sudden UAC pops up and wants to know if you want to install MistressJoanWhipme.exe. At that point running it as administrator doesn't even enter into the decision.