Linked by Thom Holwerda on Thu 5th Mar 2009 13:27 UTC
For Windows 7, Microsoft has made some changes to User Account Control to counter the criticism that UAC was too intrusive. It didn't take long before several holes were poked in Windows 7's default UAC settings, and now one is left to wonder: is it wise to sacrifice security for (perceived?) usability? Ars has an editorial that deals with this question.
Thread beginning with comment 351810
Security OR usability?
by gustl on Thu 5th Mar 2009 14:45 UTC
gustl
Member since:
2006-01-19

If this is indeed the question, UAC as it was and is can only be a complete failure.

I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.

Microsoft might be better off, doing what Apple did: Get rid of ALL old ties, take a BSD and close-source it, and put a virtual machine with a XP or Vista on the thing to be backwards compatible.

That would give them the opportunity to do several things right:

- No more drive letters.
- UNIX-style permissions.
- strict separation of administrator and user, like in UNIX-ish opsyses.
- changing directory separator from "\" to "/", at some keyboard layouts "\" is a 3rd key function.
- adopting a graphical shell environment.

On top of that they can deliver their usual desktop, probably enhanced by virtual desktops.

Edited 2009-03-05 14:46 UTC

Reply Score: 2

RE: Security OR usability?
by Thom_Holwerda on Thu 5th Mar 2009 14:54 in reply to "Security OR usability?"
Thom_Holwerda Member since:
2005-06-29

- No more drive letters.


NT doesn't use drive letters. It was a userland decision to maintain them from Windows 9x-onwards.

UNIX-style permissions.


NT already has that - and more, through for instance ACLs.

- strict separation of administrator and user, like in UNIX-ish opsyses.


NT already has this. Again, userland decided not to enforce it.

Reply Parent Score: 9

RE[2]: Security OR usability?
by gustl on Thu 5th Mar 2009 15:08 in reply to "RE: Security OR usability?"
gustl Member since:
2006-01-19

Well, if the NT kernel already has all that, why did Microsoft decide against bringing it to userland?

I less and less understand Microsoft's behaviour. It is like:
- Do we have one shovel? YES!
- Do we have a 1000 working excavators? YES!
- OK guys, take the shovel and dig the new Panama channel, because today I don't really feel excavatorish.

With today's computers and a virtual machine with a fully-blown XP or Vista on it, I really don't see a reason why NOT to pull this off.

Reply Parent Score: 3

RE[2]: Security OR usability?
by Piranha on Thu 5th Mar 2009 16:56 in reply to "RE: Security OR usability?"
Piranha Member since:
2008-06-24

NT already has this. Again, userland decided not to enforce it.


Isn't that like saying "My car's engine can push 10lbs of pressure, but the frame, transmission, rings, headers, etc. can't handle it."..

You're only as strong as your weakest link my friend =)

Reply Parent Score: 5

jabbotts Member since:
2007-09-06

Far as I can see, winNT (distro) already has a graphic interface. Did you mean separating the graphic and functional layers of most programs?

Back-slash vs forward slash is not a huge issue personally but I can understand how making it a second class citizen on the keyboard causes grief. My own issue is purely habit: after so many hours at the server prompt, it's not surprising that my first Windows cli command path returns an error due to using the wrong slash key. (I also giggle every time "/h" brings up a list of Unix like command switches; see shutdown /h for example.)

winNT (kernel), if as discussed in the article, could be far better implemented by fixing the userland around it.

I make enough noise about specifying distributions rather than "Linux" as a blanket term. I'm equally willing to look at winNT-kernel separate from winNT-distribution.

Now, if Microsoft can fix its corporate culture and allow the developer talent they've collected to actually be talented, win8 could be very much worth a look. (I think it may be too late for some of the "design decisions" in win7.)

Reply Parent Score: 1

google_ninja Member since:
2006-02-05

Microsoft is between a rock and a hard place. The rock is that their security systems need to be enforced more than they are; the hard place is the billions of dollars customers have invested in the platform in terms of legacy software that relies on them not being enforced.

As of Windows XP, nothing at all should have ever been writing to anything but HKEY_CURRENT_USER in the registry, and nowhere on the disc except for AppData in the user folder. If it is a corporate app designed for NT, it should never have had any excuse to do that.

Reply Parent Score: 4

Bill Shooter of Bul Member since:
2006-07-14

I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.


Usable: Yes
Secure: Sorta. The NSA didn't think it was good enough. Hence SELinux.

Also, putting a virtual machine underneath XP or Vista won't make XP or Vista more secure. Don't really understand how it could. A Trojan on the virtual machine you store your data on is still a Trojan that has access to your data.

Reply Parent Score: 2

RE[2]: Security OR usability?
by gustl on Mon 9th Mar 2009 15:24 in reply to "RE: Security OR usability?"
gustl Member since:
2006-01-19

" I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.


Usable: Yes
Secure: Sorta. The NSA didn't think it was good enough. Hence SELinux.

Also, putting a virtual machine underneath XP or Vista won't make XP or Vista more secure. Don't really understand how it could. A Trojan on the virtual machine you store your data on is still a Trojan that has access to your data.
"

Well, even without SELinux you have to find a privilege escalation hole to get the machine under full control, which is one severe step more than what is required for the usual Windows desktop machine. With SELinux it is even harder.

And yes, you are right, putting XP or Vista into a VM cannot help right NOW, but in a few years time, when nobody needs this "backwards to ancient"-compatibility any more, the system THEN will be in a better state.
If Microsoft stays with current policies, they will have the same bad situation again and again and again.

Reply Parent Score: 2

RE: Security OR usability?
by google_ninja on Thu 5th Mar 2009 17:08 in reply to "Security OR usability?"
google_ninja Member since:
2006-02-05

I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.


The idea of root is inherently insecure, because if that is compromised, everything is compromised. Because of that, your system is as secure as the least secure process running as root on a UNIX machine. The upside is that this allows for something that is extremely simple to wrap your head around.

ACLs allow a far more fine grained approach to security, both in regards to root/no root and in regards to cascading permissions. The other edge of this is that it drives the complexity way up from the traditional UNIX DAC approach. On Windows, the tooling has gotten a hell of a lot better with Vista and 2k8, but even though I know what I am doing and there is a GUI to show me effective permissions, I still sometimes sit there scratching my head wondering where something came from.

All that to say that I actually agree with you that a UNIX approach would be more appropriate for home users, because they don't stand a chance in hell of figuring out ACLs, but that UNIX style ugo is not the end-all of security paradigms.

Reply Parent Score: 3

RE[2]: Security OR usability?
by mkone on Thu 5th Mar 2009 21:27 in reply to "RE: Security OR usability?"
mkone Member since:
2006-03-14

"I mean, the UNIX-style rights management has had no major changes since UNIX was born. And it is both secure AND usable.


The idea of root is inherently insecure, because if that is compromised, everything is compromised. Because of that, your system is as secure as the least secure process running as root on a UNIX machine. The upside is that this allows for something that is extremely simple to wrap your head around.

ACLs allow a far more fine grained approach to security...
"

On any computer system, there is going to be at least one user who is all powerful. That is unavoidable. The only thing ACLs give you is the ability to give different permissions to different users. The granularity is good. But you can't knock UNIX for having root. And besides, you do get ACLs with UNIX nowadays anyway, at least you do in Linux. If you need to.

Reply Parent Score: 2

RE[2]: Security OR usability?
by rajj on Thu 5th Mar 2009 21:29 in reply to "RE: Security OR usability?"
rajj Member since:
2005-07-06

You can't just talk about UNIX security as a generality. Most modern UNIX operating systems have ways to deal with containing the almighty root. The BSDs have TrustedBSD (MAC), Secure Levels and Jails. Linux has SELinux (MAC), UML, and chroot(). Solaris has Zones and MAC. All of these also support POSIX ACLs. In the case of Solaris, it also supports NFSv4 style ACLs which are very similar to NT ACLs. FreeBSD should also get this in the near future.

Even though NT doesn't have the concept of a super-user, for all practical intents, if an admin account is compromised, you're still hosed because the ACLs pretty much give admins carte blanche access anyway.

NT style ACLs are also really easy to get wrong (most permissive access rather than least permissive access), and it's non-trivial to verify that any particular entity has the access that you think they do.

Reply Parent Score: 3
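The ordering pitfall rajj describes (an ACL that ends up more permissive than intended) and the effective-permissions confusion google_ninja mentions earlier in the thread are easiest to see in a small model. The following is an added example written for this page; it is not code from any commenter, from Windows, or from any UNIX. It is a simplified Python model of ordered NT-style DACL evaluation beside UNIX mode-bit evaluation: only three rights are modelled, plain trustee names stand in for SIDs, owner implicit rights and inheritance flags are ignored, and the trustees, token and ACL are constructed for the demonstration.

```python
"""Toy models of NT-style ordered ACL evaluation and UNIX ugo evaluation (added example)."""
from dataclasses import dataclass

# Three rights as a bit mask; real NT masks have many more bits.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str        # constructed user/group name standing in for a SID
    kind: str           # "allow" or "deny"
    mask: int
    inherited: bool = False


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset


def nt_access_check(dacl, token, requested):
    """Walk the DACL top to bottom, the way the NT access check does.
    A matching deny ACE that covers any still-ungranted requested right fails
    the check; a matching allow ACE grants its rights; the walk stops once
    everything requested has been granted.  A deny ACE placed *after* an allow
    ACE for the same rights is therefore never effective: that is the
    "most permissive" mistake.  Empty DACL denies all; None (null DACL) grants all."""
    if dacl is None:
        return True
    principals = {token.user} | set(token.groups)
    remaining = requested
    for ace in dacl:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def canonicalize(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
    Tools that build ACLs for you keep this order; hand-built ones often do not."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def effective_rights(dacl, token):
    """Rights the token actually ends up with, found by checking each bit on its own."""
    return sum(bit for bit in (READ, WRITE, EXECUTE) if nt_access_check(dacl, token, bit))


def unix_access_check(mode, owner, group, token, requested):
    """ugo: exactly one class (owner, group, other) applies, chosen by identity,
    even when another class would be more (or less) permissive."""
    if token.user == owner:
        bits = (mode >> 6) & 7
    elif group in token.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    # mode bits are r=4,w=2,x=1; translate to the masks used above
    perm = (READ if bits & 4 else 0) | (WRITE if bits & 2 else 0) | (EXECUTE if bits & 1 else 0)
    return requested & ~perm == 0


# Constructed scenario: staff may read and write, contractors must not write.
# Alice is in both groups, Bob is staff only.
ALICE = Token("alice", frozenset({"staff", "contractors"}))
BOB = Token("bob", frozenset({"staff"}))
# Written in the wrong order: the allow comes first, so the deny never fires.
MISORDERED = [Ace("staff", "allow", READ | WRITE), Ace("contractors", "deny", WRITE)]

if __name__ == "__main__":
    for label, dacl in (("misordered", MISORDERED), ("canonical", canonicalize(MISORDERED))):
        print(f"{label}: alice write={nt_access_check(dacl, ALICE, WRITE)} "
              f"effective={effective_rights(dacl, ALICE):03b}")
    # Owner class applies to alice even though the group class is more generous.
    print("unix 064, alice as owner, read:", unix_access_check(0o064, "alice", "staff", ALICE, READ))
    print("unix 064, bob via group, write:", unix_access_check(0o064, "alice", "staff", BOB, WRITE))
```

Running it shows Alice gaining write access under the mis-ordered DACL and losing it once the same ACEs are put in canonical order; `effective_rights` is the per-bit question a "show effective permissions" dialog answers, and the UNIX lines show why ugo is easier to predict: the applicable class is fixed by identity before any bits are looked at.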

RE: Security OR usability?
by dagw on Thu 5th Mar 2009 17:17 in reply to "Security OR usability?"
dagw Member since:
2005-07-06

- UNIX-style permissions.
- strict separation of administrator and user, like in UNIX-ish opsyses.

If they're going to start from zero and do things 'right' why would they use these ancient approaches? Even in the Unix world people are looking at ways to move beyond these concepts with technologies like ACL and SELinux.

Windows actually has good file permission and user/admin separation. The problem isn't one of technology, but one of culture. Windows has always had a culture that everybody could use and access everything, and far too many developers have developed their applications based on this assumption. Improving the technology won't do much without at the same time re-educating the developers.

Reply Parent Score: 3