Tuesday, April 1, 2008

CanSecWest

I haven't been able to get complete details from the whole CanSecWest thing; so Windows Vista wasn't compromised, but Adobe Flash was? *Sigh*

Security is very very hard.

(Don't worry, Adobe: There is an easy heuristic for determining the number of security issues remaining in a codebase: For every security issue you find, another security issue is bound to exist. You can use that to determine the actual number of security bugs in your code. This heuristic applies to any codebase on any OS.)

It sounds like UAC worked, though.

One of the areas of most active user feedback in Vista is UAC: people hate being prompted (and, on a standard-user account, typing a password) to, for example, install random software.
Users already have far too many passwords. (I've seen some studies that say that the average (average!) Information Worker has to remember 14 passwords already. Ridiculous.)
In my personal experience, most users have no idea what their Windows user account password is; it just isn't something they use *that* often, compared to, say, their Hotmail password. Or their Windows Live Hotmail password. Or their Windows Live Hotmail with Passport password.

Also, it is a pretty well-established fact that as soon as somebody has physical access to your machine, it is game-over from a security standpoint: short of full-disk encryption, they can simply pull the disk and read it. (Heck, they could look at the disk sectors with a microscope, and read your documents. Probably. That's how microscopes work, right?)

When the user is attempting to install software we need to verify that *the actual user* is the one granting admin access to the software installer, not a bit of malware already running in the user's context.

This is why the UAC prompt appears on the dimmed, separate "secure desktop": only processes running as SYSTEM can draw on it or send input to it, so malware already running in your user context can neither click Allow on your behalf via UI automation nor keylog the password you type there and do a runas with admin creds later.

So, we need to verify and prove that a human is granting permission for the software install. Any human close to the keyboard will do, since physical access to the machine == you can administer the machine. So really, you don't need a human with an admin user account; you just need a human. Or rather: you just need to prove that you have a human at the keyboard.
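The secure-desktop behaviour described above is a configurable policy, not a fixed property of the prompt. The following is an added example, not code from the original post: it reads the documented UAC policy values under the Windows policy key and reports whether the elevation prompt is drawn on the secure desktop and whether it asks for consent or for credentials. The registry path and value names are the documented ones; the function names (`Get-UacPolicy`, `Test-IsElevated`, `Get-ModeText`) and the summary object are this example's own.

```powershell
# Added example, not code from the original post. Reads the documented UAC
# policy values and reports how the elevation prompt is presented. The
# function names and the summary object are this example's own.

function Test-IsElevated {
    # True when this process runs with a full (non-filtered) administrator
    # token, i.e. it has already passed a UAC prompt or UAC is off for it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ModeText($table, $value) {
    # A missing value means the Windows default applies; say so rather than
    # letting $null cast to 0 ("elevate without prompting").
    if ($null -eq $value) { return 'not set (Windows default applies)' }
    $text = $table[[int]$value]
    if ($null -eq $text) { return "unknown value $value" }
    return $text
}

function Get-UacPolicy {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path

    # Documented meanings of ConsentPromptBehaviorAdmin.
    $adminModes = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    # Documented meanings of ConsentPromptBehaviorUser (standard users).
    $userModes = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    # EnableLUA and PromptOnSecureDesktop default to 1 when absent, so treat
    # only an explicit 0 as "off".
    [pscustomobject]@{
        UacEnabled             = ($p.EnableLUA -ne 0)
        AdminPrompt            = Get-ModeText $adminModes $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt     = Get-ModeText $userModes  $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop  = ($p.PromptOnSecureDesktop -ne 0)
        CurrentProcessElevated = (Test-IsElevated)
    }
}

$policy = Get-UacPolicy
$policy | Format-List

# The property the post's argument hinges on: a prompt that is not on the
# secure desktop is drawn on the user's own desktop, where code running as
# the logged-on user can reach it with window messages or UI automation.
if (-not $policy.UacEnabled) {
    Write-Warning 'UAC is disabled: elevation happens with no prompt at all.'
}
elseif (-not $policy.PromptOnSecureDesktop) {
    Write-Warning 'The elevation prompt is NOT on the secure desktop and can be driven by user-context code.'
}
```

Run it from an ordinary (non-elevated) PowerShell window; reading this key needs no elevation. A `PromptOnSecureDesktop` of `False` is the configuration to look for when auditing a machine, because it is the one that lets the keylogging and click-automation scenario described above work.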

What kinds of proofs are used today to prove to software that a human is at the keyboard, instead of a robot? I, for one, can think of a solution that is pretty popular already - you might too, if you take a look around the web.

13 comments:

JulianGall said...

It's good to hear the explanation of why UAC works the way it does. I've never seen it explained before.

However, do people at Microsoft realise how annoying it is? I can see the need to have some sort of system modal dialog box to avoid robots, but why does the screen have to flash and flick? Why does the sound that goes with it often not synchronise with the screen? Maybe everyone at MS has really fast PCs where this is not a problem but for most of us, it's a jarring and disruptive process. It interrupts the flow of what you're doing far more than just displaying the dialog would.

Sorry to ask this but if Apple can ask for passwords to install applications in OS X without all this flashing and mode changing, why can't Vista?

Julian Gall

Viking said...

Hey Julian,

As OS X asks for the password, you don't need to stop automation apps/scripts, as they'd still need to know the password. Vista doesn't ask for a password; it just asks for approval.

That also means that if you don't have a password in OS X it's vulnerable to this kind of automated approval via script/app whereas Vista is not.

Personally I prefer the OS X approach, but each has benefits.

Viking said...

In OS X there is a root account, but also administrator privilege accounts. By default any account created in the OS X setup is an administrator with access to create cron jobs, delete and add apps and modify many other system level settings.

Vista's technique of blocking other software from interacting with the UAC prompt does *NOT* suck (IMHO), but in classic MS fashion it's a.) visually jarring to the point of being hostile and b.) doesn't trust the user with knowing their own password to ask for it.

I would think an authorization dialog that, like Vista's UAC, can't be automated and, like OS X, asks for the password and intelligently displays the application and requested privilege would be ideal.

Unknown said...

In one Microsoft-guy blog post there was info that only 3% of all Vista users disabled UAC...

Vincent Clement said...

kumar: One version for all. Everyone should have access to the same options and features. No confusion. No need for different support or FAQs. Simple sells.

Viking said...

Unfortunately the Microsoft logic is that fear up-sells.

I.e. oh god, I better not get the wrong or too weak version that won't work, so Ultimate it is. At least that's the only line of thinking I can dream up that makes any sense to me...

v.srikanth said...

Selling multiple SKUs makes sense from the OEM point of view, as OEMs can configure PCs differently (at different price points) for different SKUs.

Personally, I don't like the use of multiple SKUs. Hopefully the "rumoured" modular approach of Windows 7 + Live services will produce a better approach to solving this problem.

v.srikanth said...

lol @mugunth

Even I was coming to a conclusion that this Blog is dead.

Good to see a post after a long time and ironically on April 1st.

Keep them coming.

v.srikanth said...

UAC isn't so annoying, but I do agree that it is annoying to some extent, especially with entering the secure-desktop mode.

I remember reading an article which claims that most applications, if correctly written (or modified for Vista), do not need to kick in UAC. I don't know if that is true (can someone confirm!?).

Viking said...

UAC will only kick in if you or your apps perform something that requires administrative rights on the machine. So an application that doesn't require admin rights to function won't trigger UAC.

Examples of badly written apps triggering UAC would be writing user-level settings into the HKEY_LOCAL_MACHINE area of the registry, or saving your preferences in a file located in C:\Program Files\crappy app\preferences.
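The two storage choices contrasted in the comment above, as an added example that is not the commenter's code: it saves preferences to the per-user locations (HKCU and %APPDATA%), which a standard user can write without any prompt, and probes rather than writes the per-machine location the comment calls out. "ExampleApp" is a placeholder name and the function names are this example's own.

```powershell
# Added example, not the commenter's code. "ExampleApp" is a placeholder
# application name; the function names are this example's own.

function Test-CanWriteWithoutElevation {
    param([Parameter(Mandatory)][string]$Directory)
    # Create and remove a scratch file. Any failure (typically
    # UnauthorizedAccessException) means this location needs an elevated
    # token, which is exactly what makes an app trigger a UAC prompt.
    $probe = Join-Path $Directory ('uac-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    }
    catch {
        return $false
    }
}

function Save-Preferences {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$AppName = 'ExampleApp'
    )
    # Per-user registry hive and roaming profile: owned by the logged-on
    # user, so a standard user can write here and UAC never gets involved.
    $regKey  = "HKCU:\Software\$AppName"
    $dataDir = Join-Path $env:APPDATA $AppName

    New-Item -Path $regKey -Force | Out-Null
    foreach ($name in $Settings.Keys) {
        Set-ItemProperty -Path $regKey -Name $name -Value $Settings[$name]
    }
    New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
    $Settings | ConvertTo-Json | Set-Content -Path (Join-Path $dataDir 'preferences.json')
    return $dataDir
}

$perMachine = $env:ProgramFiles                 # where "crappy app" keeps its preferences
$perUser    = Join-Path $env:APPDATA 'ExampleApp'
New-Item -ItemType Directory -Path $perUser -Force | Out-Null

"Program Files writable without elevation: $(Test-CanWriteWithoutElevation $perMachine)"
"%APPDATA% writable without elevation:     $(Test-CanWriteWithoutElevation $perUser)"
"Preferences saved under: $(Save-Preferences -Settings @{ Theme = 'dark'; FontSize = 12 })"
```

Run it from a non-elevated PowerShell window to see the first probe fail and the second succeed. One caveat when reproducing this with a real legacy app: PowerShell carries an application manifest, so the probe reports the true ACL result, whereas an unmanifested 32-bit application's writes to Program Files or HKLM are silently redirected by UAC virtualization to a per-user VirtualStore instead of failing.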

Unknown said...

'scuse me.

for those of us who are not physically stuck to our computers (no offense intended to anyone who reads this), could you please expound as to what your last paragraph is talking about?

Bastiat said...

"I, for one, can think of a solution that is pretty popular already - you might too, if you take a look around the web."

Errm, CAPTCHA ?

SirYes said...

For all those wanting a password prompt instead of the UAC consent prompt, there's a natural way of doing that.

You just need to create an additional non-administrative account for daily use. Then, to escalate privileges, you'd have to provide the name and password of the administrative account (the simple Cancel/Allow UAC prompt works only for such accounts). This works even for computers connected to a domain; in this case the HOSTNAME\Account and password is required.

It just depends on how securely you want to run daily.