UAC is an acronym you will soon grow to hate. One of Vista’s major flaws for the competent or professional user is that Microsoft’s “we know what’s best for you” attitude evident in XP has grown expansively. It can be illustrated very simply in the image here. You will see the start menu with the instantly recognisable universal icon for “shut down”. Only in Vista it’s not. Instead it stores your session in memory and puts the machine to sleep. Now I know Microsoft are keen to promote the fast booting and low power consumption that its sleep mode offers but, especially with this laptop, often I just want to switch the damn thing off. Forcing me to click on a tiny arrow an select it from a list is not only unhelpful, it actually slows the process down.
The major issue is the soon-to-be-loathed User Account Control system. It is designed to solve a very real problem — that of novice users running as administrators and inadvertantly opening their computer up to all sorts of malware because they don’t know what they are running. I, on the other hand, do. So forcing me to run in standard user mode and to ask me for permission every single time I perform an act like interacting with the Program Files folder is unnecessary. To ask me twice (a first popup warns that permission is required, a second actually asks for the requisite permission as well as a password if you are logged into another account) is unacceptable. Worse still the “secure desktop” proceeds to hijack my entire screen, fading out everything else and locking it, until I select a response. Drawing attention to a new window is fine, halting whatever I happen to be doing is not.
A neater solution to this problem is definitely needed because this intrusive system will likely lead to many users disabling UAC altogether. I should stress that many of these issues can be solved by tweaking the way in which UAC operates while retaining many of its security advantages. Ed Bott discusses these options as well as how Microsoft can save User Account Control as a concept.
26 September 2006 at 6:30 pm
I agree there are UI problems with Vista. As there are with all operating systems that the market forces upon us poor unsuspecting users with very pretty UIs. Your argument that this hurts the professional user however is slightly odd, I would say that not explaining a logo hurts less experienced users far more than professionals, for whom it will be internalised.
I have used UAC for many months now and frankly I don’t have a problem with it.
It’s no worse than the proxy-to-administrator behaviour that one had to do to run a Windows XP box in a secure manner. In fact, it’s a lot better, it terms of time. The thing that bothers me is that it risks a rapid acceptance of dialogs without processing them, which is a serious problem.
Perhaps the actual implementation with multiple dialogs is weak. A single dialog might be better.
Frankly in terms of security, MS do know better than the hordes of uninformed users who have their machines systematically rootkitted and then winge at MS for being insecure. I don’t understand your complaints about a nanny state, they’ve provided you with a feature, if you don’t want it, turn it off. Was adding a firewall that was on by default a nanny state action? Well, perhaps, but as it saved us from several horrific worm strikes, it was one I very grately welcome.
If you look at securely deployed system, they implement something that looks like UAC. Afterall, do you run Linux as root?
Afterall, if the delightfull people who write non-Windows standard compliant software won’t be pushed into actually putting the work into not screwwing their users over any other way then I don’t really care if Microsoft forces their hand.
As for the desktop capture, this is close to necessary to prevent UI exploits. There are methods of doing race-condition and screen-capture + forced interaction attacks that make it very difficult to do anything else without opening a privildege escalation hole.
Interestingly many of the other OSs on the market respond by simply saying that privilidge escalaltion is beyond the current state of the art to patch.
However, because this kind of impact is currently the best way of doing things (though I hate to think of the way it will (or more to the point, won’t)) interact with accessibility features, the basic end result is that most people do not want security at all costs. They want security at no cost, which by today’s technology is a contradiction in terms. And they want someone else to blame when it goes wrong. Many will consider UAC a push too far.
Frankly, also, you should note that you (and all the other people who complain about UAC) are not end-users. By definition they are people using pre-release versions of Windows. End users don’t change settings on their machines anywhere near as often, result in many more vulnerabilities, and don’t have a clue about how not to hurt themselves with their computer. Hopefully many will not work out how to turn UAC off.
However, as I comment in the paper on UI security in Jan, there is a strong trade-off between ‘viscosity’ of the interface and the security behaviour of a user. A secure interface that exhibits a viscosity that is too high, is essentially a ‘cognitive security vulnerability’ and all will happen is that people will attack the user instead of the OS.
I think it would be reasonably fair to say that Secure Usability in any meaningful sense of word is well beyond the current state of the art.
UAC is the result of having to do something that is not understood.
Now if Computer Science would take HCI a little more seriously, perhaps we’d have something better, but alas no, anything that involves people is not worthy of study.
I expect to be flammed for this opinion. 🙂
26 September 2006 at 6:31 pm
Incidentally, did your copy of Photoshop CS2 work on Vista?
26 September 2006 at 6:42 pm
For your interest…
-> Create a special Admin Mode
This isn’t such a bad idea and is essentially equiv. to a connection back into the same machine.
However this creates a usage mode of Windows that many users find intensly confusing (you have 2 windows open, both interacting with the same machine, under different execution contexts). This will present a different view of many settings, resulting in confusion attacks that are easily exploited by phisers. I think it would need to be properly tested to see whether this would work at all.
> Put a time limit on UAC.
I believe the author may have been inexperienced in security. Very early in the days of security, something called a race-condition attack was found
if (cannot complete operation)
try again in 1 second
Perform dangerous operation
Just waits until the user context gets the appropiate permission, and exploits it. Oh dear.
> Provide easy options to open Control Panel and/or Explorer with full Admin rights. …. So why not offer those options on the Start menu?
How are you going to stop me executing UI interaction commands that move the mouse cursor and emit clicks? Or would you prefer to break all legacy applications that use this behaviour?
> Identify applications running in an elevated context.
I agree entirely. But this won’t solve any of the major problems above. I got the impression that Vista was going to do this anyhow, it certainly did with the command prompt in Beta 2.
Security is not this simple, MS’ security team are not morons, they may have thought of these kind of issues and elected to build security, rather than a very holey sieve. But is it too much security?
26 September 2006 at 7:34 pm
Photoshop CS2 does run on Vista. The first time you run it you will need to run as administrator. This allows the activation process to operate properly. Having done so you can run it normally. The only issue is with automatic updates so the best approach is to download and install them manually.
As for the UAC discussion, I do agree with much of what you say. I gripe not about the concept but about its current implementation. Particularly the multiple dialogue box issue because most inexperienced users don’t pay attention to more than one.
What you say about inexperienced users not changing default settings is true but I look at it from a different perspective. The UAC is provided in a way that can be secure without being intrusive with some tweaking. However disabling it much, much easier. I worry that users with a little knowledge will take the easier route. A little of that commodity is, after all, rather dangerous.
Incidentally I agree the UI changes are definitely more harmful to general users than professionals – I was simply using it to illustrate the evident mentality which then went on to influence UAC. I will discuss changes to the Office UI next, and there are some truly bizarre decisions there.
27 September 2006 at 5:36 pm
At the risk of being pedantic, that orange icon is not the icon for ‘shut-down.’ On XP the shutdown icon is an unbroken circle with a red background and the line in the middle of the cirle, while ‘sleep’ icons have the line breaking the circle with a yellow background, so Microsoft are just following what’s already gone before.
I agree that it’s weird to have a prominent sleep button and no power off button though.
27 September 2006 at 5:56 pm
Well spotted, I hadn’t noticed that actually!
However the same “power” icon is pretty universally used outside of Windows to denote switching on and off. But you’re right, they are being consistent with their own use of the icon.
29 September 2006 at 11:13 pm
Thank you. 🙂 I’m now going to try and replace all the rubbish information in my head with some knowledge that may actually help in the next couple of weeks. This may take some time…