Adam Albright
I hate to say so, MS, but your average Joe, the person you are making UAC
for, is going to do exactly what they are doing, that is turning UAC off.
I'm not an "average Joe" user and I turned off UAC too. I bet most have
or will because it isn't any real improvement in security and, as many
have already found out, can be a real pain in the ass. You listed some good
reasons why people don't like it. Perhaps the biggest flaw with UAC is
Microsoft itself admits it is set up on purpose to be defeated. Read
that last sentence again slowly so it sinks in.
Don't just take my word for it. Listen to a "hacker", kind of cute
looking one too, not all hackers are kids or pot belly beer slurping
anti-social types.
"Joanna Rutkowska has always been a big supporter of the Windows Vista
security model. Until she stumbled upon a "very severe hole" in the
design of UAC (User Account Control) and found out — from Microsoft
officials — that the default no-admin setting isn't even a security
mechanism anymore".
"That's because Vista uses a compatibility database and several
heuristics to recognize installer executables and, every time the OS
detects that an executable is a setup program, "it will only allow
running it as administrator."
Note ===> On the surface this may sound like a good thing, actually
it's not. Keep reading, but read carefully.
This, in Rutkowska's mind, is a "very severe hole in the design of
UAC."
In simple terms that means any hacker worth his or her salt could,
probably with little effort, design some malicious bit of code to
pretend to be an "installer" type of application and Vista will
unbuckle its belt, drop its pants to its ankles and let that code do
whatever it wants, including access the deepest depths of Windows
including the kernel, having its way also with other applications or
your priceless data.
More than just talk, this hacker did exactly that at a high volume
conference of "black hat hackers" invited by Microsoft no less.
A poster named dara summed it up quite nicely in another piece you can
find here:
http://theinvisiblethings.blogspot.com/2007/02/vista-security-model-big-joke.html
A key point, I think, that Ms. Rutkowska made, perhaps
unintentionally, is that Microsoft cannot be expected (for reasons of
compatibility, I suppose) to design a completely new operating system.
This speaks to the root of all their problems - even Vista is just a
new shell built on top of old technologies. It's a bit like an upside
down pyramid; eventually it will collapse entirely as the underlying
structure proves incapable of sustaining all the new construction
piling up on top of it.
Perhaps because they serve a less diverse and expansive user base,
Apple Computer was willing and able five or six years ago to do what
Microsoft cannot - switch from their old, rickety operating system,
with its myriad vulnerabilities, to a new system (OS X), built on a
sound, proven and substantially more secure foundation - UNIX. Since
then the trojans and viruses which used to plague the Mac OS have
dried up altogether.
LINUX, the open source alternative to Windows that is growing steadily
in popularity, is likewise modeled on UNIX.
It's not unreasonable to conclude, therefore, that Windows in any form
is living on borrowed time. Much of its current popularity is a result
of little more than inertia. It's hard to see how even the billions
Microsoft has committed to marketing Vista can make up for the core
weakness of the underlying system.
Vista may be an improvement over Windows XP in many respects, but the
differences, like beauty, are only skin deep.
Now read what Madam "hacker" Ms. Rutkowska said about UAC:
http://blogs.zdnet.com/security/?p=29&tag=nl.e589