A couple of interesting security blog posts

 Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining Secunia Unpatched Warnings – Part 3

I have to concur with Kai: People like this just frost me: Security considered a burden for users


Comments (9)

  1. Arthur says:

    Kai completely missed the point of the original article. While I’m generally one of the last people to defend Symantec, I feel obliged to point out that what Trollope said was "customers had found the feature so "chatty" that it was a burden on users". This is not an issue of seat belts or airline checkpoints. This is a question of whether a particular tool was worth the pain and suffering of using it and clearly some feedback said that it wasn’t.

    People are notoriously bad about using tools if they are too hard to use well and enterprises are no different. If the cost of deployment is too high then they won’t do it. Clearly someone needs to make the tool more user friendly. Hopefully it will be you guys.

  2. Doug says:

    While I have to agree that UAC was the right thing to do, I also have to mention that it still really needs some work. This is the kind of thing that gives Microsoft a bad name — yes, it solves the problem, but it is a major pain to use. There are a few areas that really could have used just a little more polish.

    1. Speed. I know we have to switch to the secure desktop, but does everything on my machine have to pause for 5 seconds before the UAC prompt comes up?

    2. Tools. Yeah, I can add a manifest to make things work right, but sometimes that isn’t convenient. How hard would it have been to provide a simple command-line tool named "elevate.exe" to force something to run elevated, and "unelevate.exe" to force something to run as the current user? How about a flag to regsvr32 that says "elevate me"?

    3. Configuration. I can change the properties of shortcuts to run something as Admin, but I can’t change them to un-elevate something that Vista’s heuristics have incorrectly decided to elevate. I have to be a wizard in the arts of manifests to make my app behave correctly.

    4. Minimize the pain. To run an installer from the web, I have to a) confirm that I want to let the site initiate a download, b) confirm to IE that I really do want to launch the file I just downloaded, c) confirm to the shell that I know the file came from the Internet and that it is ok, d) confirm to the UAC system that I trust the program. (And then I get told that the application MIGHT not have installed correctly, with no hint about why Windows thinks something went wrong, and no way to know how to answer the question of "Did the app install correctly?") Or to perform some shell operation like create a new file in a protected location, I have to confirm 3 UAC dialogs: one to create the file, one to give the file a name, and one to save content into the file. Can’t we figure out a way to do this with maybe not quite so many dialogs?

    5. Minimize more pain. The places where I have to do the UAC dance are at the leaf nodes of far too many tasks. Setting up a computer should involve confirming my access to admin settings, making all of my configuration changes, and then closing the control panel. Instead, I have to run 20 different applets, each of which wants a separate UAC confirmation, and some of which want multiple UAC confirmations. Put all of the admin-level settings in one place so I can change them all at once with only one UAC prompt! (Computer Management is the closest MS comes with this.) Don’t take the UAC buttons away from the leaf nodes (that is great for discoverability).

    Again, I still feel that UAC’s benefits outweigh the burden. But does the burden really have to be so heavy? This is where Apple kills MS – they figure out a way to have their cake and eat it too. They go the extra mile to give it polish and smooth out the rough spots. They don’t just say "that’s the way it is – we did it that way for a good technical reason." Too many engineers know why it is "impossible" to solve the problem, which is why the problem doesn’t get solved until some non-engineer figures out how to do the impossible.

  3. michael_HOWARD says:

    Doug – some very well thought out comments, thanks! But here’s the funny thing. After I’d set up my wife’s Vista PC, installed all the stuff she needs and configured it to the way she likes it, which took probably three days all told, she has never seen a UAC prompt. Not one. Not a SINGLE prompt! I think what’s important about UAC is that for *NORMAL* users, like my wife, UAC is a non-issue. It’s all us geeks thinking it’s chatty. But that’s my opinion.

  4. C Gomez says:

    I’ve stated to friends and family (who, as we all know, us types are local tech support for, right?) that the absolute number one thing they can do is run as non-admin.

    If I set up someone’s computer, I set them up with an admin account and password, and then personal accounts for everyone in the household.  Like it or hate it, I set up Fast User Switching (because in the home world of Windows, one person does get up to do something while another person wants to use the computer).

    Once most of that person’s typical software is installed, they don’t have any problems.  They are also protected from most programs that want to "install" something (including malware) because their HKEY_LOCAL_MACHINE and C:\Program Files folders aren’t accessible.

    Is it a panacea?  No, but I think it’s step one in a layered defense.

    Now, the problem MSFT faces is making it so that we don’t need local tech support.  This is not an easy fix.  Almost by necessity the first account created has to be an Admin account.  The problem for MSFT is, a LARGE number of households setting up Windows by themselves are NEVER going to make another account.  So we still, even in Vista, will have people running around as Admin.

    (Spoken by someone who hasn’t even seen the Vista beta… and is eager to try it out when it releases.)

  5. mpd says:

    UAC is definitely nice, but will it help the people who download and run free "virus/spyware scanners" they find on the internet?  (Like my family.)

    Just this past weekend, I spent a couple hours on the phone trying to help a family member fix their computer because of this problem.  While fixing the main problem, her firewall kept jumping up with messages about allowing various programs access to the internet.  (No, I don’t know what firewall software she’s using.)  The point is, her internal default is "I don’t know what this is, so I’ll allow it."  

    UAC won’t help this behavior.  To my family, it’s just one more button to click.  One problem (bug?) with UAC is that sometimes, the consent dialog shows a big number – presumably a GUID – instead of the application name.  When they see an application name they don’t know what to do about it, what are they going to do with a GUID?

    Personally, what I think would help most of all is a movie/help session explaining some key security concepts – like run as a standard user, using Defender, not installing gobs of crapware downloaded from the internet, etc.  Does Microsoft have anything like that in the works?

  6. Joe says:

    Jeff’s numbers are off.

    Linux distributions are made up of third party software. Thus the number of vulnerabilities are not RedHat vulnerabilities, but vulnerabilities in third party software. RedHat didn’t *create* these vulnerabilities. However, since they ship the software, they have to provide updates.

    So comparing Windows with Linux doesn’t work. Microsoft does not issue patches for Adobe, Sun’s Java, Winzip, Quicktime, Firefox, Nero, Roxio, Cisco, etc.

    The core of a linux distribution is the kernel, which is written by Linus. The kernel is useless without the userland and 3rd party software.

    So to summarize:

    RedHat is a collection of 3rd party software on top of the linux kernel, most of which is not written by RedHat.

    Microsoft is a complete OS, all software shipped is written by Microsoft.

    Apples and oranges.

    If you really want to compare apples and apples, one should compare Microsoft and FreeBSD or OpenBSD, since these ship a complete base OS, like Microsoft does.

  7. ... says:

    Great place :) no comments!

  8. ... says:

    Who made this? It’s a good place to find important information! :)