Tuesday, April 1, 2008

SecCanWest

I haven't been able to get complete details from the whole SecCanWest thing; so Windows Vista wasn't compromised, but Adobe Flash was? *Sigh*

Security is very very hard.

(Don't worry, Adobe: There is an easy heuristic for determining the number of security issues remaining in a codebase: For every security issue you find, another security issue is bound to exist. You can use that to determine the actual number of security bugs in your code. This heuristic applies to any codebase on any OS.)

It sounds like UAC worked, though.

One of the areas of most active user feedback in Vista is UAC - people hate typing in their password to (for example) install random software.
Users already have far too many passwords (I've seen some studies that say that the average (average!) Information Worker has to remember 14 passwords already. Ridiculous.)
In my personal experience, it seems that most users have no idea what their Windows user account password is - it just isn't something they use *that* often. Compared to, say, their Hotmail password. Or their Windows Live Hotmail password. Or their Windows Live Hotmail with Passport password.

Also, it is a pretty well-established fact that as soon as somebody has physical access to your machine, it is game-over from a security standpoint. (Heck, they could look at the disk sectors with a microscope, and read your documents. Probably. That's how microscopes work, right?)

When the user is attempting to install software we need to verify that *the actual user* is the one granting admin access to the software installer; not a bit of user-context malware.

This is why the UAC prompt appears in the blacked-out special session (to stop UI automation from any bit of malware that might be running in your user context already from keylogging your password and doing a runas with admin creds later.)

So, we need to verify and prove that a human is granting permission for the software install. Any human close to the keyboard will do, as physical access to the machine == you can administer the machine. So really, you don't need a human with an admin user account; you just need a human. Or rather: you just need to prove that you have a human at the keyboard.
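As an added check (not part of the original post), here is a PowerShell script that reads the Windows policy values deciding whether that blacked-out secure desktop is still in use for elevation prompts, and flags the configurations where user-context code could reach the prompt. It assumes the documented policy location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example, not from the original post: report whether UAC still isolates
# its elevation prompt on the secure desktop, as the post describes.
# Documented policy location for these values:
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

# Fall back to the Windows defaults when a value has never been written.
function Get-PolicyValue($name, $default) {
    if ($null -eq $policy.$name) { return $default }
    return [int]$policy.$name
}

$enableLua     = Get-PolicyValue 'EnableLUA' 1
$secureDesktop = Get-PolicyValue 'PromptOnSecureDesktop' 1
$adminBehavior = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5

# Documented meanings of ConsentPromptBehaviorAdmin.
$behaviorText = @{
    0 = 'elevate silently, no prompt at all'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}

$findings = @()
if ($enableLua -ne 1) {
    $findings += 'UAC is disabled (EnableLUA=0): nothing separates the user context from admin rights.'
}
if ($adminBehavior -eq 0) {
    $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin=0): no human is in the loop.'
}
if ($secureDesktop -ne 1) {
    $findings += 'Prompt is shown on the normal desktop (PromptOnSecureDesktop=0): user-context UI automation can reach it.'
}

"EnableLUA                  = $enableLua"
"PromptOnSecureDesktop      = $secureDesktop"
"ConsentPromptBehaviorAdmin = $adminBehavior ($($behaviorText[$adminBehavior]))"
if ($findings.Count -eq 0) {
    'OK: elevation prompts are isolated on the secure desktop.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Reading these values does not itself require elevation, so the check can run from a standard user account.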

What kinds of proofs are used today to prove to software that a human is at the keyboard, instead of a robot? I, for one, can think of a solution that is pretty popular already - you might too, if you take a look around the web.

17 comments:

juliangall said...

It's good to hear the explanation of why UAC works the way it does. I've never seen it explained before.

However, do people at Microsoft realise how annoying it is? I can see the need to have some sort of system modal dialog box to avoid robots, but why does the screen have to flash and flick? Why does the sound that goes with it often not synchronise with the screen? Maybe everyone at MS has really fast PCs where this is not a problem but for most of us, it's a jarring and disruptive process. It interrupts the flow of what you're doing far more than just displaying the dialog would.

Sorry to ask this but if Apple can ask for passwords to install applications in OS X without all this flashing and mode changing, why can't Vista?

Julian Gall

Viking said...

Hey Julian,

As OS X asks for the password you don't need to stop automation apps/scripts as they'd still need to know the password. Vista doesn't ask for a password - it just asks for approval.

That also means that if you don't have a password in OS X it's vulnerable to this kind of automated approval via script/app whereas Vista is not.

Personally i prefer the OS X approach, but each has benefits.

Mugunth Kumar said...

Oh... So.. shippingseven was not fired from job??? I thought, he was caught by his project manager, which is why he was not blogging...
MAC OS X, if I'm not wrong does not have Administrator account. It has one and only one root account and I believe no one can create a user account with root privileges. This is not the case in Windows Vista. So to elevate, the user must know the root password (only admin password) which doubles as proving that the user at keyboard is a human.
So in short, vista's technique sucks... Vista could as well ask questions like, "How many cats are there in the picture?" etc., to add more frustration. u see, captcha is already dead... (http://www.codinghorror.com/blog/archives/001067.html)

Viking said...

In OS X there is a root account, but also administrator privilege accounts. By default any account created in the OS X setup is an administrator with access to create cron jobs, delete and add apps and modify many other system level settings.

Vista's technique of blocking other software from interacting with the UAC prompt does *NOT* suck (IMHO), but in classic MS fashion it's a.) visually jarring to the point of being hostile and b.) doesn't trust the user with knowing their own password to ask for it.

I would think ideally an authorization dialog message that like Vista's UAC can't be automated and like OS X asks for the password and intelligently displays the application and requested privilege would be ideal.

AlfeG said...

On one Microsoft-guy-blogger's blog there was info that only 3% of all Vista users disabled UAC...

Mugunth Kumar said...

One question for shippingseven...
Will Windows 7 ship in Multiple SKUs?
Actually, people are not against multiple SKUs. Windows 2000 and Windows XP had them. But the names were clear enough to state what they are used for. In my opinion, two SKUs are enough. A basic version without any advanced features like BitLocker etc., etc., and a fully featured customizable version. The basic version should be something like Vista Home Prem + Business (Parental controls + media center + Previous versions)

VincentClement said...

kumar: One version for all. Everyone should have access to the same options and features. No confusion. No need for different support or FAQs. Simple sells.

Viking said...

Unfortunately the Microsoft logic is that fear up-sells.

Ie. oh god i better not get the wrong or too weak version that won't work, so Ultimate it is. At least that's the only line of thinking i can dream up that makes any sense to me...

v.srikanth said...

Selling multiple SKUs makes sense from an OEM point of view, as OEMs can configure PCs differently (at different price points) for different SKUs.

Personally, I don't like the use of multiple SKUs. Hopefully the "rumoured" modular approach of Windows 7 + Live services will produce a better approach to solve this problem.

v.srikanth said...

lol @mugunth

Even I was coming to a conclusion that this Blog is dead.

Good to see a post after a long time and ironically on April 1st.

Keep them coming.

v.srikanth said...

UAC isn't so annoying, but I do agree that it is annoying to some extent, especially with entering the secure-desktop mode.

I remember reading an article which claims that most applications, if correctly written (or modified for Vista), do not need to kick in UAC. I don't know if that is true (can someone confirm!?)

Viking said...

UAC will only kick in if you or your apps perform something that requires administrative rights on the machine. So an application that doesn't require admin rights to function won't trigger UAC.

Examples of badly written apps triggering UAC would be user-level settings into the HKEY_LOCAL_MACHINE area of the registry, or saving your preferences in a file located in C:\Program Files\crappy app\preferences.

Alex said...

'scuse me.

for those of us who are not physically stuck to our computers (no offense intended to anyone who reads this), could you please expound as to what your last paragraph is talking about?

Bastiat said...

"I, for one, can think of a solution that is pretty popular already - you might too, if you take a look around the web."

Errm, CAPTCHA ?

SirYes said...

For all those wanting the question for password instead of UAC prompt, there's a natural way of doing that.

You just need to create an additional non-administrative account for daily use. Then for escalating the privileges you'd have to provide the name and password for the administrative account (simple Cancel/Allow UAC works only for such accounts). This works even for computers connected to a domain, in this case the HOSTNAME\Account and password is required.

It just depends on how securely you want to run daily.
