Monday, July 13, 2009

UAC is not (that) broken in Windows 7

Note 25-11-2011: I initially planned to pair this post with another post discussing the flipside – that injection-based attacks still pose a risk, and it would be better for Microsoft to have left the default at the maximum setting, and force the user to use a Standard account. Since Leo Davidson (the discoverer of the flaw) replied below, I also intended to post a response to his reply – however, both got sidelined and forgotten. This post is left here intact for historical purposes.

A few days back, Long Zheng (who has my utmost respect as a blogger) published (another) article about UAC. Before we discuss that, let’s summarise the article linked at the top of his, written by Microsoft’s Mark Russinovich:

  • UAC was made primarily to make life easier for standard users. Ergo, standard users could use Vista with relative ease, as opposed to, you know, pretty much not at all.
    • It does so by using a split token – users would run in standard mode, and get a prompt to elevate when needing admin privs.
    • In this way, people could set up an admin account for big swathes of admin fun, while using standard accounts normally without having to switch to the admin account for e.g. installing stuff.
  • Many people were complaining that they still had to get great swathes of prompts to elevate to admin while they were using an admin account. Still others complained about redundant and unneeded prompts.
    • Microsoft responded to this by cutting down on multiple prompts and removing unnecessary prompts.
    • They also added a security token to some programs that will make those programs autoelevate some tasks in admin mode. That way, admins can do their great swathes of admin stuff without getting a prompt every minute or so. Pre-emptive comment: that was an exaggeration to make a point. I know there must be something seriously wrong with my computer to get a prompt a minute.
  • UAC is not a security boundary. In the end, it is up to the user to decide whether or not to run that program.

Zheng’s primary point of contention is that programs will inject code into other programs to elevate themselves to avoid the hassle of doing it themselves. This ignores several things:

  • It is actually harder to inject code into another service than to set up an elevated COM interface (or autoelevate your program.)
  • People doing this are just begging for their programs to be broken in the next release of Windows.
  • It is unlikely that any major software developer is going to do this, since they usually submit their programs through WHQL, which is sure to pick up on this practice.
  • Programs can do this anyway – that is, piggyback on some other programs’ UAC prompt using injected code. Once someone else's code is running, “your system” isn’t *your* system anymore.
  • If you’re a virus writer, it’s easier to tell your users to elevate first than to go through the hassle of code injection.
  • Finally, standard users will still get the prompt. If you are running as admin, you either a) should know what you’re doing, or b) shouldn’t be admin in the first place.

I’ve also seen some people claim that this allows Microsoft to parrot “make your programs UACified” without doing it themselves. Er, no, because they still have to make it work in standard user. The whole admin thing is to make it easier to set up your computer, then set up a standard account.

Having said all that, I do think Microsoft is making a mistake, and I for one will be pushing the UAC bar all the way to eleven. However, treating it as some inherent flaw in UAC is missing the whole point, which was to run as standard user without switching accounts.
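To see where the UAC bar actually sits on a machine, this added example (not from the original post or from Microsoft) reads the policy values behind the slider and reports whether the current process holds the elevated half of the split token. The value meanings follow Microsoft's documented `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` settings; `Get-UacSliderLevel` is a hypothetical helper name.

```powershell
# Added example: map the UAC policy values to the Windows 7 slider positions.
# Get-UacSliderLevel is a hypothetical helper name, not a built-in cmdlet.
function Get-UacSliderLevel {
    param($Policy)   # object exposing EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

    # A missing value must not be silently read as 0 ("never notify").
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $Policy.$name) { return "Unknown ($name is not set)" }
    }
    if ($Policy.EnableLUA -eq 0) { return 'UAC off: no split token, admins always run elevated' }

    $desktop = if ($Policy.PromptOnSecureDesktop -eq 1) { 'secure desktop' } else { 'no secure desktop' }
    switch ($Policy.ConsentPromptBehaviorAdmin) {
        0       { return 'Never notify: admin elevation is silent' }
        2       { return "Always notify ($desktop)" }
        5       { return "Default: prompt for non-Windows binaries only ($desktop)" }
        default { return "Custom policy value $_ ($desktop)" }
    }
}

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

# With a split token, an administrator's unelevated process reports False here.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC level       : $(Get-UacSliderLevel $policy)"
"Process elevated: $elevated"
```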

As an added bonus, Rafael Rivera (who I also have a lot of respect for) asks why the icon is a shield if it’s not protecting users. I can think of a few reasons:

  • Its use stems from the Security Center in Windows XP which was (shock horror!) a shield. Although Security Center is no longer in Windows 7 (replaced by the Action Center), the icon remains for non-confusion.
  • (submitted by Bad Analogy Guy:) Like a proper shield, it’s up to the bearer to decide whether or not to hold it up or down. However, knights don’t wear shields when they’re hunting, nor do lords when they’re beating up peasants *ahem*, making proclamations and laws and whatnot, because they can be reasonably sure that they’d be safe.
  • Marketing and programmers don’t talk very well to each other.

Have a great day, I’ll be here all week. Try the veal.

--MarkKB

Friday, May 22, 2009

The State of Audio on Linux Part 1 – Insufficient Memory

Note 26-09-2012: I was going to do a series of articles on the sordid state of Linux Audio as it was in 2009, but as with a lot of things, this got sidetracked and forgotten. This post remains for historical purposes.

My memory sucks.

Yesterday, I was talking with Jonathan (a friend) about Linux on the Desktop, and I remembered something I had read half-a-year previous about the state of audio on Linux. I couldn’t remember what it was, only that it involved mixing – I put it down to the inability to do hardware mixing.

This was the article I read. Oops. ^///^

For those not willing to RTFA, it talks about the history of Linux audio. First there was OSS. Then OSS became proprietary (teh EVILS!), and then the free version of OSS got old, so ALSA was built to replace it. Unfortunately, ALSA was completely incompatible with OSS, so they had to include emulation to support both older apps and people who didn’t want to learn ALSA. But the emulation wasn’t all that good in that it doesn’t do software mixing, which defeats the purpose of using ALSA in the first place.

So, to sum up, ALSA doesn’t do software mixing for its OSS compat stuff. My bad.

OK, so how is Audio on Desktop Linux really? Stay tuned!

--MarkKB

Saturday, August 23, 2008

Spatial Browsing: The Case For The Explorer

Originally written 21/07/2008. Images created 24/08/2008.

I recently came across something rather interesting on Ars Technica – a kind of old article, entitled “About the Finder…” (a pun based on the second menu item of the Apple menu in Mac OS 9 and earlier). In it, John Siracusa makes the case for the Spatial File Manager, and also somewhat condemns what I call the Browser File Manager (although it’s more commonly known as the navigational file manager.)

Now, Mr. Siracusa is an awesome writer, and he makes some excellent points in the article, but I have, in particular, problems with his arguments on Page 4 against the Browser File Manager. It seems all they amount to is “I’m Not Used To It, Therefore It Sucks”.

In the article, he states that the spatial file manager enables us to remember the “location” of the file, while the browser file manager makes us learn “strings” and “addresses”, forcing people to memorize text, instead of visual cues. The problem with those claims is, in reality, they are completely false. Indeed, the Browser and the Spatial employ the same methods – they simply have different ways of going about it.

Browsing and Visual Paths

My Documents contains My Pictures, which houses the Art and Camera folders. The Art folder contains a folder named Sketches, while the Camera folder contains one named 2006-08-25.

When I want to find one of my sketches using Windows Explorer, I double-click My Documents, double-click My Pictures, double-click the Art folder, and double-click Sketches. Now, I know that I store my photos in a folder called Camera in the My Pictures folder. If I want to then check out the photos I took on the 25th of August 2006, I click Back, Back and then open the Camera folder and open the folder labeled “2006-08-25”.

To get out the Camera folder, we should first put away the Art folder. Tidiness *is* next to godliness, after all.

In my mind, I know that the folder called My Documents contains another folder called My Pictures, and in that folder are two others, called “Art” and “Camera”. Therefore, I know that if I want to get to the Camera folder from the Art folder, I must first “put away” the Art folder back into the My Pictures folder (i.e click “Back”) and then “take out” the Camera folder, placing the My Pictures folder down for the moment so I can place my full attention on the Camera folder.

This is no different from real life; indeed, the only thing that’s changed is that it’s all so much faster. This is the point John was trying to make with the Spatial File Manager; however, the analogy works just as well for the Browser File Manager.

Strings and File Paths

Even when I do type paths, I don’t think of them as strings. The path \\blah\shared\test\ means that the computer named “blah” contains a folder named “shared”, which contains a folder named “test”. C:\Program Files\MarkKB means the C drive contains a folder named “Program Files” which, in turn, contains a folder named “MarkKB”.

OK, obviously, I don’t actually think that when I’m typing it in, or browsing it in Explorer; rather it all happens automatically – muscle memory kicks in, and I don’t really have to “think” much about the journey, but instead can focus on the destination.

Paths and Landmarks

C:\Users\markkb\Documents\test.doc is no different from writing Home\Tree\Shops\Gas Station\Roundabout\School.

The reason this works is that it’s the same way we remember routes to and from places: walking to school, driving to work, taking the bus – we rely on landmarks to get from point A to point B. Landmarks can be anything – T-junctions, gas stations, billboards, crossings, old folk homes, they all contribute to our muscle memory. In the example I used at the beginning, I used My Pictures as the common “landmark” to get from Art to Camera.

Indeed, when you really get down to it, a file path is nothing more than a shorthand compilation of landmarks: C:\Users\markkb\Documents\test.doc is no different from writing Home\Tree\Shops\Gas Station\Roundabout\School. That a file path would reflect a path in real life (complete with shortcuts! ^^) comes as no surprise – after all, computers are designed to reflect the reality they were created in.

Because, y’know, otherwise they wouldn’t work at all. And that’d really suck.

Saturday, September 15, 2007

Is Windows Live Suite a good idea?

This post was originally posted at my Windows Live Spaces blog. [View original post]

MarkKB's Blog - Sat 15 Sep 2007

Simple answer, yes. But the answer is much more complex than that.

OK, those who frequent my blog (wait, there's people who frequent my blog?) will probably not be that technically inclined, so I'd like to first preface this post with the warning that this post discusses software in a way that many who just update and say 'eh' will not care about. If you are one of those people, it's best not to continue, although if you're feeling courageous, go right ahead.

Now, don't get me wrong: the idea is fine. There's nothing wrong with the unified installer that is Windows Live Suite. It's the execution that bothers me.
"Whatd'ya mean?" I hear you say. Well, there is no way to download standalone installers. It's the unified thingy or nothing.
"But you don't need standalone installers, the unified installer replaces it all!" Which leads me to my second point. You can't download the whole lot and install it offline. You have to be online to install it, and it has to be the latest version.

Personally, I hate installers that exist merely to download the appropriate files of a single program from its servers. AOL is a culprit with their AIM and ICQ installers. For one thing, it kinda makes you think "wait, what's the point of downloading the installer if it's just gonna download stuff anyway?" For another, you're gonna have to pay your ISP for every time you run the installer. This isn't really a point for those who are on a flat-rate plan, more for those who pay by the hour or megabyte, or those with capped plans. Another thing is, of course, something may be missing in the new version that is in the older, or the new version may be too cluttered, or...

The penultimate reason is because of archivists, those who regularly swap disks between Windows Vista, Win3.1 and MS-DOS 5, those who long for the beta version of Windows 1.0 shown in Byte in 1983, or for that one hard disk containing Star Trek (the cancelled Apple port of System 7 to Intel-based processors). These people want to be able to preserve what once was, or just do so because they like it. Half the screenshots on Wikipedia are due to these people.
If everyone had had an Internet-based installer, we would hear tell of how Netscape 4 sucked, how Windows Live Messenger was once dubbed "MSN Messenger", or Firefox went through three name changes, or how Microsoft Office used to have cute little characters bouncing around their work, and we'd say, "yeah right, prove it." Proof is one of the key concepts in history, and many people have spent decades arguing proof of historical fact.

Lastly, what if Microsoft disappears? What happens if their servers go down? People of tomorrow may start up their installers, only to find the message "Server not found" staring them in the face. (Of course, Messenger won't work anyway, but stuff like Mail and Writer, which works with other stuff, and Photo Gallery, which doesn't need an Internet connection, won't install either.)

Again, I have no problems with the Windows Live Suite installer. It's a good idea. It means I don't have to go all over the Windows Live site to get the various programs in the Suite. It's just the lack of alternates, or of something tangible on our hard disks, that I don't like.

So my suggestion to Microsoft is this: provide both an offline and online installer, or better yet, optional standalone installers like in previous versions. Or maybe make the installer so it downloads the stuff to a non-temporary folder where we can get it and use it later. Don't do this to us, the users.

Saturday, July 22, 2006

Zone Blues

This post was originally posted at my Windows Live Spaces blog. [View original post]

MarkKB's Blog July 23rd 2006

I hate it when people don't read.

Like when people message me on WLM when meh status is set to "Away" (you know who you are!)

Or when people complain about an issue that's already been addressed.

For instance, those who play on the Zone will know that the so-called "Classic Games" have been retired due to aging technology and ancient servers. This resulted in an uproar among the community.

But it seems all the ho-ha is about two things: lobbies and ZoneFriends.
The "lobby" was where you would stand around and chat until you were ready to play, or until a game freed up. Some people just stood around and chatted, never actually playing a game. ZoneFriends was an IM program.

With the retirement of Classic games, and no replacement for lobbies in the new ones, disgruntled Zoners flooded the forums with messages such as IWANT ZOEN BAK!!! or, those with more brains, left to flock to GameSpy Arcade, Yahoo! Games and the like. The rest of us accepted these changes.

Mind you, I thought the new games were better, with better graphics, and faster response time. Oh well.

I also thought that the Zone team had made it clear that they were working on a replacement. Apparently I was wrong about that too.

From Beyond The Zone:

What about ZoneFriends?
Along with our old servers, the ZoneFriends tool will be taking a long-overdue retirement. All of our remaining (and future!) multiplayer games will be integrated with MSN Messenger. This is a big, big step forward for us. With its wide range of contact and message functions, handy additional features and even exclusive games, Messenger is everything that ZoneFriends wanted to be when it grew up.

So, wait, does this mean no lobbies?
That’s correct, at least for now. The old lobby system was built into our earliest classic games, and is to current game technology what a biplane engine would be to a stealth jet: similar, but essentially incompatible. Online gaming is all about community, so in addition to the in-game chat and Messenger-based invitation ability of our new multiplayer games, we’ve been researching new social and community features for both the games and our site in general. Of course the end result will be fun to use, but we’re also aiming for something that will still be as fun and useful after our second decade joins the first.

Bold emphasis added by me.

Beyond The Zone was an article that was displayed both on the main page and on the page of every Classic-based game.

Another gripe was that for some games, such as Bridge, the new version would be instated a few months after the old version was retired.

Let me make an analogy to a famous example: Gran Turismo. Gran Turismo is the most played PlayStation game ever. It is considered to be the racing sim. The original version alone sold 10.84 million units, forget Gran Turismo 4. The entire series is the ninth most-sold franchise in the world, with 43.7 million units sold in total.

Gran Turismo 2 was rushed to release on Nov 20 1999, so it could be out in the stores by the holidays. Sony publicly admitted that development of the game had not been completed. As such, it had a lot of glitches, including the famous Palm Strip track, the remnant of the Drag Racing track that was removed so they could release it on time.

This could happen to Bridge, if it were released before it was ready.

But then the Zone reinstated Classic Bridge due to "popular demand". What do people do to show their appreciation?

They spam the board.

Darned if ya do, darned if you don't.

Now, everyone wants their own classic games back, not considering that perhaps they're struggling to keep those remaining old servers running. (If I'm right, they're only running Bridge from a few old servers in the corner, as opposed to the many they had before that were running Classic Games.)

So... yeah, that's all from meh for today...

--MarkKB