Prompts, prompts, and more prompts...jeez

[Kerry Brown]

But that isn't why Microsoft added UAC at least not according to them.
They added it so that it was harder for any malicious programs to do
something bad. Again, it shouldn't have been an all or nothing features.
It is just Microsoft once again trying to control what we do with our
computer and how we do it. Until they allow me to decide what is and isn't
monitored UAC can go to hell right along with Microsoft and their poorly
implemented grandiose ideas.

This is not my understanding of UAC. UAC is a security measure that allows
users to either run as an administrator but have the the security of a
standard user or run as a standard user but allow them to run programs that
need administrator permissions without logging off and logging on as an
administrator. While this is also very useful at fighting malware the fact
that it stops a lot of malware is more of a side effect of good security
rather than a design goal of UAC. Security protects against many things
besides malware. Some things are user error, program bugs, malicious user,
etc..

 

[Don]

Until they allow me to decide what is and
isn't monitored UAC can go to hell right along with Microsoft and their
poorly implemented grandiose ideas.

If you haven't seen this video by the guys who did UAC, you owe it
to yourself to watch it. They are addressing the many people who
feel the way you do:

http://channel9.msdn.com/ShowPost.aspx?PostID=288259

 

[Jimmy Brush]

But that isn't why Microsoft added UAC at least not according to them.

They added it so that it was harder for any malicious programs to do
something bad.

This is incorrect.

They added it so that your system would be seperated into two modes, as I
said. A "restricted" mode, suitable for most programs, that prevents them
from harming the system. And an "unrestricted" mode, that allows complete
access to the computer, at YOUR REQUEST.

UAC isn't about fighting malware.

UAC is about putting you IN CONTROL of your computer, by informing you when
a program requests *full, complete control* of your computer (even if it is
for something simple, such as deleting a folder, because as I said, once you
give a program control, it can do whatever it wants to your computer), and
allowing you to decide if you want that program to have complete control
over your computer or not.

Again, it shouldn't have been an all or nothing features.

UAC works by preventing programs from gaining complete control over your
computer without YOUR permission.

If UAC wasn't "all or nothing", how would it do this? If it only protected
CERTAIN THINGS on your computer, but didn't protect others, then programs
could simply use the unprotected things to gain control over your computer,
completely rendering UAC worthless.

It is just Microsoft once again trying to control what we do with our
computer and how we do it.

This is so untrue as to be absurd. The system asks *YOU* when a program
requests access to your computer. You are the only one in control here - the
system does not make ANY decision itself.

Until they allow me to decide what is and isn't monitored

You can. As I stated before - UAC protects access to resources that are
marked as "administrator access only" - if you want all programs to be able
to access something, you just change the security to give access to your
user account, and then all programs will be able to access it.

<snip>
--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jack Splat =\(8\)]

Moderatly interesting video. A bit long winded. Doesn't do anything to
change my mind and make me want to turn UAC back on. I doubt it will do that
for most people who I think given time and getting tired of clicking dialog
boxes over and over will also turn UAC off. There should be some user
controll to the UAC.

If people are so stupid as to run stuff from sources they don't know then
they get what they deserve. Designing a security function for the brain dead
users without any consideration for those that do know what they are doing
is just stupid.

=(8)

 

[Jack Splat =\(8\)]

Well then Jimmy I guess the people at Microsoft don't know what they are
talking about. I asked why they added UAC the way they did. And my post was
the jist of why they added it they way the did.

=(8)

 

[Ronnie Vernon MVP]

Jack

It's not a matter of being a "stupid user." If you've been around for
awhile, you know how sophisticated the bad guys have become. UAC is an
attempt to give control back to the user, as far as what can be run on their
system or not. Most other operating systems have had this same control for a
lot of years.

Also, UAC is tightly integrated with Virtualization and Compatibility.
Turning UAC off can cause problems with some software.

 

[cquirke (MVP Windows shell/user)]

On Fri, 23 Mar 2007 16:55:06 -0700, "Jack Splat =\(8\)"

If people are so stupid as to run stuff from sources they don't know then
they get what they deserve. Designing a security function for the brain dead
users without any consideration for those that do know what they are doing
is just stupid.

Whenever I read comments like this, I just shrug and think "there's
someone else who just doesn't 'get' it".

It's like "...bbbbut the attachment was from someone I know!"

Surely there are enough dots out there to join them up?

-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

 

[cquirke (MVP Windows shell/user)]

On Fri, 23 Mar 2007 16:56:17 -0700, "Jack Splat =\(8\)"

Well then Jimmy I guess the people at Microsoft don't know what they are
talking about. I asked why they added UAC the way they did. And my post was
the jist of why they added it they way the did.

The reasons why MS add a feature are interesting, but may turn out to
be of limited relevance.

As an MS Office user at the turn of the century, 99% of "document"
macros encountered would be malware. Does it matter that MS intended
this to be a Useful Feature [TM]? Nope. Same thing goes with the
"useful feature" of scripts automatically running in unsolicited email
"message text", as was designed into OE4 and OE5, and was STILL left
On by duhfault in post-Kak WinME.

So yes, I'm interested in why MS does things, but I don't stop
thinking after I've read their stuff.

MS 2007 isn't MS 2000, in that they aren't as ignorant of adverse
implications as they were in those Polyanna days. You may well find
the reverse is true where UAC is concerned; maybe it was intended as a
temporary compatibility smooth-over from XP to Vista application
design, but the main value may be as a malware trip-wire.

It's also not an entirely unexpected phenomenon.

Firstly, elevation prompts are common enough in MacOS and Linux that
even a toe-in-the-water dabbler such as myself hasn't had a day on
these OSs without encountering them at least once.

Secondly, there's a trend in safety add-ons to generalize the firewall
egress monitoring "alert and learn" model to internal events. PrevX
and All-Seeing-Eye are two examples of this that work much as UAC
does; they don't attempt to understand why something is being
attempted, they just step in and give you a chance to Just Say No.

Finally, UAC has already demonstrated its value to me. Yes, I'm
peeved about the 200+ times I've had to nod through "yes, I really
want to rename this Start Menu item" alerts, but I was happy to see an
unexpected UAC alert pop up when looking for drivers for an old
scanner. As one of the "found" pages started to dribble down the
screen, UAC popped up asking whether it was OK to... ("NO")

-------------------- ----- ---- --- -- - - - -

Tip Of The Day:
To disable the 'Tip of the Day' feature...

 

[Jimmy Brush]

If people are so stupid as to run stuff from sources they don't know then
they get what they deserve. Designing a security function for the brain
dead users without any consideration for those that do know what they are
doing is just stupid.

UAC is as much for power users as it is for "everybody else" (I won't use
the term of endearment that you use

Very simply, UAC draws a line between admin actions and non-admin actions,
and ensures that any program wanting to cross that line gets your approval.

I mean, as a power user, do you really want notepad to be able to format
your hard drive?

And if you download some utility from the internet and run it, don't you
want to know FOR SURE (not just trust or guess, but know with certainty)
that it WILL NOT be able to do admin things unless it asks you?

And what about trusted system components? Do you want any program that
happens to run on your computer (whether they prompt or not) to be able to
run format.exe? Or any other system utility?

Because if UAC didn't prompt every time you ran system utilities or trusted
programs, this is what would happen. Any program you ran would be able to
start a trusted program and use it to perform whatever action that program
does.

Now think about all the trusted system utilities on your computer, as well
as any that you may have downloaded. These programs can be used to do a lot
of nasty things.

Preventing programs that don't prompt from directly doing admin things is
worthless if they can just start some trusted system utility to perform
admin things by proxy .

I don't want notepad to be able to start format.exe and format my hard
drives.

UAC doesn't prompt to make sure you "know what you are doing." UAC prompts
to make sure that IT KNOWS that you INTEND for something to happen. Because
this is the only way it knows, and the only way it can enforce the rule that
"only programs that you intend to have admin power will be allowed to have
it."

And this is why it works with everyday users. Because the only thing the
system is interested in is if the user intended to start a program that
would have full control over their computer. The user doesn't need to know
anything technical about whats going on.

UAC is not a gimmick, and it is not a means of controling what you do. It is
actually very simple. All it does is let you choose which programs have
control over your computer, and prevents any program from gaining full
control over your computer without in some way gaining your permission.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Richard Urban]

Right. People who repair computers for a living just love it when consumers
click on an attachment they get in the email and install malware onto their
computer. 95% of computers users are NOT knowledgeable and need protection
from others, and from themselves.

It helps pay the rent.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User

 

[Hugh Wyn Griffith]

Because the only thing the 
system is interested in is if the user intended to start a program that 
would have full control over their computer.

PMJI -- I'm largely on your side on this discussion but I do feel that
what you say above is also the weakness of the situation:

(1) It is inevitable that human beings, whether the highly intelligent
ones like me or the normal users, will autorespond "Of course I wanted
that program to run; I would not have done what I did if I didn't"

(2) When you start to run an "untrusted" application it just asks if
you wanted this program, that you know where it came from, that you've run
it before (approximation from memory).

I don't see anything about full control over the computer or even why this
might be dangerous. Perhaps it is in the tutorials or guided visits that
everyone jumps over? <s>

I'm in favor of the concept of UAC and I recognize the difficulty of
making it a selective control that can be turned off by the "qualified"
user but at present it just disappears into mist like most nag screens.

I wish I could suggest a perfect solution .....

 

[Jimmy Brush]

You're right, it doesn't say anything about full control... I think they
should have thrown that in there somewhere. I assume the reasoning is that
they wanted to make the message as short as possible, and so they went with
"If you started this action, click continue".

That really does get down to the point, and is really the only reason the
prompt exists ... to make sure the user started the action, as opposed to
software.

That does make it seem like a nag screen, which is unfortunate (it is not
really a nag screen as it is not warning the user about what they are doing,
just making sure that they want it to happen).

99% of the time, the user will have started the action, and will continue.
And at first glance and by just by reading and thinking about that, it would
seem to make the prompt useless, as wouldn't the user get used to clicking
continue over and over.

But, after having used the prompting system for a while, I can tell you that
yes, i get used to clicking continue, but *only* when I expect to get a
prompt ... I notice *very much* unexpected prompts, or prompts from programs
that I don't recognize.

Here's why I think this works:

- The prompts hardly come up at all
- When they DO come up, users inspect them and get used to clicking continue
when they start that program
- Even with being used to clicking continue for expected prompts, unexpected
prompts still have that "stop!" effect

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me,
because the only prompts that I click on are the ones that I expect.

For example, Adobe updater likes to throw up a UAC prompt randomly, and it
scares me every time it pops up... while I quickly dismiss all the prompts
that I expect to happen.

Of course, that might just be me, I don't know.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Hugh Wyn Griffith]

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me, 

I think the screen dim, that I've seen people complain about, is a
brilliant idea.

Do you know if UAC does have a learning curve -- after NN accesses it
will stop asking -- or will it go on flagging forever?

I ask partly because before replying to your message I thought I'd
better check the wording that comes up and it took me quite a few tries
on desktop icons that I reckoned predated VISTA and should be flagged as
non-conformist.

while I quickly dismiss all the prompts that I expect to happen.

That's what I see as the progression that is inevitable, and so
defeating the UAC

 

[Adam Albright]

You're right, it doesn't say anything about full control... I think they
should have thrown that in there somewhere. I assume the reasoning is that
they wanted to make the message as short as possible, and so they went with
"If you started this action, click continue".

That really does get down to the point, and is really the only reason the
prompt exists ... to make sure the user started the action, as opposed to
software.

For those that don't know or maybe haven't experienced it yet, there
are DIFFERENT nag screens with differnt color title bars and other
changes based on the "threat level" of any preceived security breach
to the system. Only one that really matters is red. This you can't
dismiss, there being no continue button to click through.

That does make it seem like a nag screen, which is unfortunate (it is not
really a nag screen as it is not warning the user about what they are doing,
just making sure that they want it to happen).

Like everytime time you turn the water on at your bathroom sink a neon
sign would flash saying don't forget to use soap then another one that
said dry hands afterwards and oh... don't forget to hang up the towel
and another sign over the toilet reminding you to put seat down. ;-)

The point there are WAY TOO MANY nag screens.

99% of the time, the user will have started the action, and will continue.
And at first glance and by just by reading and thinking about that, it would
seem to make the prompt useless, as wouldn't the user get used to clicking
continue over and over.

But, after having used the prompting system for a while, I can tell you that
yes, i get used to clicking continue, but *only* when I expect to get a
prompt ... I notice *very much* unexpected prompts, or prompts from programs
that I don't recognize.

That's the biggest design flaw. Prompts get ignored if they happen for
operations you do constantly. Its like crying wolf, people just ignore
it after awhile, so it's purpose is severely muted if not outright
defeated.

Here's why I think this works:

- The prompts hardly come up at all
- When they DO come up, users inspect them and get used to clicking continue
when they start that program
- Even with being used to clicking continue for expected prompts, unexpected
prompts still have that "stop!" effect

So, when an UNEXPECTED prompt comes up, it is *very* noticable to me,
because the only prompts that I click on are the ones that I expect.

Vista should be smart enough to ONLY come up when something unexpected
happens. Hint: According to the two main Microsoft engineers that
wrote the code behind UAC, that is how it is suppose to work. Duh...
remember we're talking about a computer. It should (can be) programmed
to learn and come to logical decisons on its own based on past
behavior.

 

[Richard Urban]

UAC is a user "aid" and will always depend upon the user applying some
thought before responding to a prompt.

It is no different that all the prompts that ZoneAlarm Internet Security
Suite throws up when run under Windows XP. If a user clicked on something to
initiate an action - accept. If a user "did NOT" initiate the action - they
had better not accept and say no. Something else is trying to control your
computer.

Common sense rules. Unfortunately, all too many people show a complete lack
of this god given talent when it comes to using a computer. I have a younger
brother, 59 years old, who should use a shoe box and index cards. Even then
he would screw up.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User

 

[Adam Albright]

UAC is a user "aid" and will always depend upon the user applying some
thought before responding to a prompt.

It is no different that all the prompts that ZoneAlarm Internet Security
Suite throws up when run under Windows XP.

UAC is VERY different than ZoneAlarm which uses a rules list and
remembers what you tell it. UAC keeps showing the same nag screen the
first time you try to do something it don't like or the 1000th time.

If a user clicked on something to
initiate an action - accept. If a user "did NOT" initiate the action - they
had better not accept and say no. Something else is trying to control your
computer.

Excuse me, the most serious of these have a red title bar and no click
through option. This is where UAC should have stopped instead of
trying to be a Net Natty and throw a fit for moronic things like
trying to delete a desktop shortcut.

Common sense rules. Unfortunately, all too many people show a complete lack
of this god given talent when it comes to using a computer.

Indeed. There often called MVPs.

 

[Hugh Wyn Griffith]

will always depend upon the user applying some 
thought before responding to a prompt.

True, but any psychologist, or parent, will tell you that repetitive
warnings breed contempt!

Sad but true. I can't think of a good solution.

 

[cquirke (MVP Windows shell/user)]

UAC is VERY different than ZoneAlarm which uses a rules list and
remembers what you tell it. UAC keeps showing the same nag screen the
first time you try to do something it don't like or the 1000th time.

The reason egress-monitoring firewalls can do that, is they can bind a
"allways allow this" to clearly-defined values of "this" - i,e, not
just the name of the file and where it is, but an MD5 checksum that
would change if the file were infected or replaced.

I don't know whether UAC has that level of awareness. If it is fuzzy
(i.e. spoofable) in terms of context (i.e. loose values for "this")
then that would be one good reason not to allow UAC alerts of a
particular type to set to "always allow".

The other reason why one may not want to allow UAC exclusions, is that
MS OSs enjoy far less "security by obscurity" than one particular
3rd-party firewall, and as such settings are likely to be stored
somewhere, malware can write itself a "blank cheque" once active.

We've already seen this effect with XP firewall, which gets clobbered
by several malware in ways that make it impossible to turn back on
unless the relevant registry settings are re-asserted.

It may be that the UAC team learned from this, and did not add a
setting to "always allow..." for this reason.


Just to be clear here: I'm not defending the design so much as
speculating why it might have been designed this way.

-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

 

[cquirke (MVP Windows shell/user)]

Vista should be smart enough to ONLY come up when something unexpected
happens. Hint: According to the two main Microsoft engineers that
wrote the code behind UAC, that is how it is suppose to work.

See http://cquirke.mvps.org/exblog/natural.htm

That's mainly about WiFi, but the point of "Use hard scopes as natural
cover" is that modern OS design strives to dissolve such scopes - so
that the context of "the user is doing this interactively" is lost.

In the old days, features would be primarily accessible from user
interaction, then possibly exposed to automation, then later there
would be exposure to "remote administration" via network.

Often the end-point functionality would be reproduced depending on
method of access - interactive, code or network - making it quite easy
to block any one of these.

By the time you get to XP and Vista, the way of initiating an action
may be completely unlinked from the actions themselves. If you
capture an attempt to do something at the point that the action is
called, it may be impossible to deduce whether this was initiated
interactively, via code, or via network.

And remember; to be malware-safe, the above deduction has to be
unspoofably accurate.

That's one of the reasons UAC "stops the clock" with a modal dialog
box, greyed screen, and reset display state - to protect against faux
mouse clicks or keystrokes that might automate the "user" response.


The point of all the above is that the way UAC operates may make it
impossible to deduce whether the alerted operation was initiated via
user interaction, code automation, or network "administration".

-------------------- ----- ---- --- -- - - - -

Tip Of The Day:
To disable the 'Tip of the Day' feature...

 

[Adam Albright]

The point of all the above is that the way UAC operates may make it
impossible to deduce whether the alerted operation was initiated via
user interaction, code automation, or network "administration".

Take it back to the logical conclusion. Microsoft has waved the white
flag of surrender and now admits all prior versions of Windows were
major security risks and much of that was due to how Windows was
written including how many Microsoft developers, including those
inside Microsoft wrote applications. They further admit by deploying
UAC, they can't fix Windows to make it safer so they tossed the ball
in the user's court by flashing a simplistic warning; the UAC nag
screens.

The real solution would be to rebuild Windows from the grown up, 100%
redo and make it secure that way. That of course would cause a huge
chunk of their customers to run away screaming since little if any
current hardware or software would work in such a totally new from the
ground up radically different Windows. So Microsoft was stuck between
a rock and a hard place and picked UAC as a "solution". All UAC really
does is create the illusion of security in most situtations because we
all know 9 times out of 10 once a user, any user starts out to do
something, some nag screen he can click through isn't going to stop
him from doing what he planned to do in the first place.