Poor Windows users

Discussion in 'other software & services' started by Mrkvonic, Jun 12, 2010.

Thread Status:
Not open for further replies.
  1. On one hand, Microsoft has been weighed down quite a bit by mass desire for backwards compatibility. On the other hand, there wasn't anything keeping them from doing it in a more secure fashion - for instance, having some compatibility layer for the registry that redirected HKLM stuff to somewhere in HKU for old programs. And there wasn't any reason they couldn't have made their *defaults* more secure - for instance, if you needed file and printer sharing, chances are you knew enough to enable it yourself.

    Gripping hand IMO is that, even if they couldn't avoid all the issues, they could have avoided at least some through better security practice.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is the catch22 isn't it? They have always wanted people who don't know anything to be able to use it, thus to sell more systems. Yet when they sell it to people who don't know anything, they have to be able to make it work, thus instead of user mode etc, they just start in admin so that they know it will work. How can you sell mass amounts if it is complicated? Linux has been at that stalemate for years, being just a little too geeky for the majority who know nothing.

    Indeed. Somewhere along the way a concession should have been made that said users must learn the basics, and forced some changes. But the almighty $$ is hard to resist. Instead, we have UAC, a sort of middle ground between what was and what needs to be. Ah, well at least they can sell to the complete novice this way, and the novice only has to click "ok" a few more times, so not a big deal really :cautious:

    Sul.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I'm baffled why that's amusing? Now granted I prefer to manually download and install the latest drivers for something, but once in a while for some non-essential device, I've turned to Microsoft Update to fill in the driver for me..and the above method has worked fine many many times over many years. //shrug

    I could just as easily attempt a bad joke at driver updates in *nix via repositories..only to have it blow up the ATI driver and Compiz ...but...nah
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Check out the Dynamics 2009 test done over at av-comparatives.org
    While they're having a more difficult time keeping up with rogues, some actually aren't "bad" against them, AntiVir, Eset, MSE...to name a few...
     
  5. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137

    ATI driver blows up because of ATI and not because of nix, I have installed nvidia drivers via repos and manually and never ever had it blow up on any of the PCs I have installed nix in. OTOH, nvidia drivers have been known to cause BSOD in Win7 but then it's the driver and not the OS's fault there.
     
  6. guest

    guest Guest

    Read more information regarding UAC.

    UAC = a very good move and should not be considered "sort of middle ground between what was and what needs to be". UAC makes the administrator account as well as the standard account fully usable using less rights by default in all situations while also incentivizing legitimate developers to not make unneeded use of administrative rights.

    As for the case where malware manages to get on a system, because malware authors, like many legitimate developers, have assumed users run with administrative rights, most malware will not function correctly.

    However, malware that's gotten on a system and that's designed to exploit the opportunities might be able to gain administrative rights the first time the user elevates—but the malware doesn't even need to wait for a "real" elevation because it can precipitate one that would fool even the most security conscious users.

    Remember, though, if malware does start running, it can accomplish most of the things that malware wants to do with just standard user rights, including configuring itself to run every time the user logs on, stealing or deleting all the user's data, or even becoming part of a botnet.

    For preventing malware from getting on the system and running, Windows has many defense-in-depth features, including Data Execution Prevention (DEP), Address Space Load Randomization (ASLR), Protected Mode IE, the IE 8 SmartScreen Filter, and Windows Defender.

    There is also a link included in the Start Menu indicating where to get Microsoft Security Essentials, which offers full malware protection for free.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Recipe:

    1 part average user
    1 part nefarious setup.exe for latest UltraPong game

    dash of double clicking
    pinch of UAC asking "should you let it run?"
    smidgen of "yes, allow it to run, I want it to run"

    bake over coals for a few seconds, flipping as needed

    finish with some MBAM garnish and perhaps a twist of AV/AM/AS, if it is fresh and in season.

    The perfect recipe for the incredible 7-layer infection cake. And to think you too can do this even with UAC :)

    Your assumption of UAC also presumes a chef is doing the cooking. A good chef can use UAC to an advantage. A prep cook or other beginner will follow directions very well, and even click "yes" whenever needed, but does not understand UAC and it is at best a temporary fix. They should not be asked to elevate, they should know when to elevate, and not before.

    They say "fix admin account problem by giving them a user account, but then any program can ask to elevate, and it is easy to say yes". This is no fix. The fix is a user account that needs purposeful action to get root, not some half-baked manifest that an executable has that says "I require admin". It is a tool meant to nag you into standard user accounts, both for the user as well as the software authors.

    No disrespect intended btw.

    Sul.
     
  8. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    And the sky is blue. Thank you, Captain Obvious.

    I'm surprised that someone of your knowledge could write something so, well, uninformed. What more do you expect Windows to do? To perform reverse analysis on every binary the user tries to run, and inform the user that it is malicious?

    No disrespect intended btw. Just honest surprise that even the technically inclined are not immune from ignorant rhetoric.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, it is meant to be that way, perhaps you did not catch it all ;)

    Seriously then, the point is simple: relying on UAC as a barrier to stop infections etc is no barrier at all. It only promotes one more button click "yes allow this" that was there before. Old programs that don't have the manifest to comply with UAC will not work, same as always, because you will get the error "you don't have rights". What is wrong with that? It is now much easier with UAC, all you need is the manifest in the executable, and it is simple.

    Reverse analysis, no. We all know that only a truly trusted source or an informed user are the methods that really keep one safe. But I don't think UAC is the god-send that many people think it is. M$ themselves admit to that. It is a stop-gap method to get people used to the fact that they should be using limited user accounts. It is appeasing the less knowledgeable users with a convenient way to execute something that requires root privileges. Users don't have to know why something requests elevation, all they have to do is click "ok".

    There is no sure-fire answer, as we all know. But I do believe, having seen many vista users continue to have problems, that any elevation should be requested by the user, not the program. In a sense, UAC should be disabled for novice users in favor of standard user accounts and using RunAs, then as they learn what is happening and that they need to elevate, and for that matter what elevation really is and what it can do if not handled correctly. Then UAC could be turned on for them because now perhaps they might not just click OK to everything but actually think about what is happening. UAC is nice in that respect because you don't have to use RunAs manually, providing you understand what it is telling you or prompting you for.

    Oh, I am most definitely not too pompous to think that I don't put forth ignorant rhetoric. Contrary, I try to maintain the attitude that everyone has something to teach me.. at least I hope they do. Self-righteous know-it-alls are closed minded and quite boring to converse with.

    Sul.
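
The posts above refer to the manifest through which an executable declares that it needs administrator rights. As an added example that is not part of any post in this thread, the following Python sketch reads that declaration (the `requestedExecutionLevel` element) so a reviewer can see which programs will trigger a prompt on their own. The function and sample names are assumptions, the samples are constructed, and the manifest is found by scanning raw bytes rather than walking the PE resource table.

```python
import re
import xml.etree.ElementTree as ET

# What each declared level means for the UAC prompt.
LEVELS = {
    "asInvoker": "runs with the caller's token; no prompt",
    "highestAvailable": "prompts when the user is an administrator",
    "requireAdministrator": "always asks for elevation before starting",
}

# Matches the manifest root element, with or without a namespace prefix.
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)


def elevation_request(image: bytes) -> dict:
    """Report the execution level an executable's embedded manifest declares.

    Simplification: scans the raw bytes for the manifest XML instead of
    locating the RT_MANIFEST resource.
    """
    result = {"level": None, "ui_access": False, "program_asks": False,
              "meaning": "no level declared; treated as a legacy application"}
    match = MANIFEST_RE.search(image)
    if match is None:
        return result
    try:
        root = ET.fromstring(match.group(0))
    except ET.ParseError:
        result["meaning"] = "manifest present but not well-formed XML"
        return result
    for element in root.iter():
        # Compare local names: the element appears under asm.v2 or asm.v3.
        if element.tag.rsplit("}", 1)[-1] != "requestedExecutionLevel":
            continue
        level = element.get("level", "")
        result["level"] = level
        result["ui_access"] = element.get("uiAccess", "false").lower() == "true"
        result["program_asks"] = level in ("highestAvailable", "requireAdministrator")
        result["meaning"] = LEVELS.get(level, "unrecognised level value")
        break
    return result


def _manifest(level: str) -> bytes:
    # Constructed manifest carrying only the trustInfo section.
    return (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
            b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
            b'<requestedExecutionLevel level="' + level.encode() + b'" uiAccess="false"/>'
            b'</requestedPrivileges></security></trustInfo></assembly>')


def _fake_image(manifest: bytes) -> bytes:
    # Constructed stand-in for an executable: header bytes, manifest, padding.
    return b"MZ" + b"\x00" * 64 + manifest + b"\x00" * 16


# Constructed samples; the file names are hypothetical.
SAMPLES = {
    "setup.exe": _fake_image(_manifest("requireAdministrator")),
    "viewer.exe": _fake_image(_manifest("asInvoker")),
    "oldtool.exe": _fake_image(b""),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        info = elevation_request(image)
        print(f"{name:12} level={info['level']!s:22} {info['meaning']}")
```
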
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I don't believe that anyone is making the claim that UAC is a foolproof malware immunizer; do you? It's still a god send for various reasons, even if people disagree on the definition of that term.


    Frankly I don't see how that changes anything. I agree that user education is the real key here, but you seem to believe that user education will somehow result from software, and that users will learn how, when and why they need to elevate privileges if only they'd use a limited account. That's quite a stretch of imagination there.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Most of the people that I know who use vista or now 7 were always admins in xp, and quite frankly see and hear how UAC and vista/7 are sooo much better at security. They are typical users, having been told and instructed many times, yet still somehow manage to have issues. The reason is simple, they are clicking OK to anything that pops up. It is hilarious that they don't remember what a file extension is, - "what do I do with this? what is .pdf mean? why won't it print?" - but they sure as sam hill know what UAC means -- it means more security! True story, sadly.

    No, I don't see UAC being advertised as foolproof per se, but it is pretty strongly spoken of in terms of how much more secure vista/7 are with UAC at the heart of every 'advertisement' it seems. I do not believe it promotes security among neophytes, the very ones who need it the most.

    I do believe user education will result from software, absolutely. They should learn from it. They won't read about it or even pay attention to it when every bank now has a page devoted to it. There are so many resources for learning it would take a lifetime to view them all. But, people still go about business as usual. I do believe that you should force it on them the same way you force a driver's exam on someone who wants to drive. Coddling them so that you can get their money with your new OS is not helping anyone, least of all the common button clicking users. Forcing them to use RunAs or log out and log in as admin will not make them learn really, but it sure would force them to wonder why they always have to do this, which might teach them something, hopefully.

    Not really a stretch of imagination as those who imagine that dropping someone who knows nothing into a brand new "mo betta" OS like win7 will make them "mo secure" than ever. It will help the knowledgeable user, but not the button clicker, the kind all of us who know something are always helping fix their computers. These people just need to be forced to learn something. I have lost count of the times I fixed computers for them. Lost count of the times I taught them basics, only to have them call me again weeks later with the same problem. There are lots of them, I think they outnumber the rest of us personally.

    No, I don't think anything will change. I am not on a crusade to "fix the world", that is, crazy. But I do get a kick out of people who don't know anything bragging about how much safer they are since they got UAC running. Oops, what is that, why the popup and slow computer? I have UAC on full!

    UAC is a nice feature. M$ missed the opportunity to make a trend change in Vista by adopting standard user account with basic RunAs or logoff/login methods. They could have forced those millions of users to learn what they should have learned starting with XP. But, they did not, or would not, for varying reasons. Instead they created a crutch called UAC that makes it so very nice to be a user, now all you have to do is click "OK" whenever you are prompted.

    I have never seen so many people with so little knowledge be so resistant to becoming actual users only. It is like you are teaching them nuclear science or something. They want to do online banking, but they don't want to be bothered by learning what they should know to do it. I just get tired of hearing them say "I don't need to do that, this OS is the safest ever".

    One trip to costco or best buy should be enough to scare you sideways. What salespeople say, and consumers believe is crazy. They go home with the assumption that everything will be okay, all they have to do is buy the latest OS because it is so much "mo safer".

    But on the bright side, I do make a decent amount of money every year fixing people's problems. Maybe I should just shut up and let them pay me over and over and over for the same stupid crap... erm, nope, can't do it ;)

    Sul.
     
  12. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You seem to offer two conflicting viewpoints in the same sentence. Which is it?

    Your arguments are pretty much moot anyway. Offering the user a different kind of prompt (enter password vs click button) changes nothing except that you get to annoy your users more. To be honest, I fail to see any argument of relevance in your page-long post, most of which seems to be the usual rhetoric ("Coddling them so that you can get their money..."), and a scolding aimed at a group of individuals unknown to me whom you seem to have some issues with.
     
  13. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    poor windows users o_O?

    never paid for any security software no need to as i don't get sucked in by crap advertising :D

    rich windows user :D
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Ok.

    To the point then.

    Users who know nothing develop false sense of security because UAC is so easy.

    A more troublesome method like RunAs might provoke more users to ask why rather than just click ok.

    I am not trying to scold anyone. It is just a viewpoint I firmly believe in based on conversations with dozens of basic users who use vista or 7.

    I had no idea "Coddling" would be considered "usual rhetoric". I actually think the word coddling and the term usual rhetoric are quite unusual words to use in conversation.

    It is an attempt to state, Poor Windows Users -- if only M$ would have instigated a true user account from the beginning, and most certainly in Vista, complete with a painful learning curve designed to make every user learn a few basics.

    The End.
     
  15. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Anyone able to work SuRun under Win7 btw?
     
  16. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    :)

    What would be far more likely to happen is that you'll end up with annoyed users. What would also be far more likely, is that they will ask how to run a root account instead of this annoying crap, not ask why they have to put up with this nonsense.

    Maybe it's just me, I really have problems trying to see how you arrived at the conclusion you did. Assume you have an annoying product. Would you try to learn more about why it's annoying and accept it as it is, or would you try to learn how to make it less annoying, or switch to another product instead?

    Encouraging users to learn more about technical concepts by annoying them is completely counterproductive. User education is important. But it's a separate matter altogether from software. You don't blame car manufacturers for stupid drivers. Why blame software manufacturers for stupid users when, in fact, Microsoft has actually taken all due care to protect users from their own stupidity? UAC, ASLR, DEP, IE Protected Mode, MSRT, Windows Defender, free antivirus (Microsoft Security Essentials) that happens to be among the best available, NTFS streams for files downloaded from untrusted zones, no more autorun by default for removable media? Do any of those ring a bell?

    And if you really still want to, creating a standard user account takes less than 30 seconds. Do all of these really fit your rhetoric of Microsoft compromising on security for the sake of $$$?
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    UAC is annoying, possibly more so than RunAs ever was, but people put up with it and even embrace it... why is that?

    Annoying products quickly make most people quit using it...
    but sometimes you must do things that might seem counter-productive to achieve an end goal.

    My conclusion was born after conversing with many ignorant users who believe what they hear/see and toss the acronym UAC around like it is the reason why they are more secure, even though they just had me fix their infection o_O

    Why do car manufacturers spend money on better crash safety designs? Why side airbags? Why test what happens when another car hits you? It cannot be due to the driver's stupidity only, but also the other stupid drivers. Why would the car company care about the other drivers too?

    Why do Linux distros not push you to use the root account for everyday use? Why is it considered more secure, and also not as easy to use by the average person? Is there a UAC equivalent for linux that just lets you click ok to elevate to root (I don't know the answer to that).

    Sul.
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You're conflicting yourself again. You went to great lengths earlier to describe how UAC is "too easy", and how a more troublesome mechanism like RunAs would make users learn. Now it's the opposite. Which is it?

    Well. I may be mistaken, but I think I understand your reasoning a bit better now. It seems like you're sick and tired of UAC earning too much undeserved praise, and so to rectify this you decide to focus the attack on UAC and Microsoft, instead of addressing the real cause of the problem: uneducated users.

    Because Linux does not have UAC. If you use a root account, you expose yourself more or less completely naked, therefore the only option is to not run as root.

    Neither do I. If anyone does, I'm interested in knowing as well.
     
  19. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    I can only think of this - but you need to enter p/word (logical) and click confirm.

    Open as Admin.png
     
  20. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    What's the package name?

    Thanks in advance.
     
  21. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Eice, it's nautilus-gksu. (In Synaptic). That and 'open in terminal' are some of the first things I do after installing the OS.
     
  22. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Thanks. Much more convenient than having to sudo everything at the command line.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, you are very good at picking apart written dialogue. You must be a lawyer or something.. I am not conflicting my opinions, I was only rebutting your previous comment that annoying users is not the way that is best, yet, UAC is much more annoying than RunAs ever was. NOTE - I did not say more troublesome, but more annoying, lol, there is a difference, since UAC being annoying only requires a click, making it less troublesome. Meanwhile, RunAs, being less annoying, is more troublesome because of the number of steps involved and it is not automatic.

    Almost. Uneducated users are offered a sugar coated LUA experience with UAC, rather than being forced to actually learn what the bleep bleep they should be learning. Root gives rights to everything. Some objects and containers should be off limits. Letting anything that wants to have root is B A D. UAC used by competent users is actually a pretty nice tool. But then again, those types of users aren't normally getting infected and calling me to fix their borked computers either, whereas incompetent users using UAC are the ones with problems. If they understood what UAC is really doing, would it be different? That is my position.

    And why should you sugar coat windows anymore? Anyone who has heard of linux even in passing will probably state the same thing: it is "mo safer" than windows. Why? Simple, because you are forced to be a user, with root being the last thing you should have. Linux does not make it easy on newcomers, IMHO, in anything. Windows can't go to that extreme, but maybe a little bad medicine is just what the doctor ordered for many of the button clickers out there today.

    I have watched you banter with others, and you do have a tendency to carry a bit of a harsh tone. But I have thoroughly enjoyed this banter, as not many people on this forum anyway take things so literal as you appear to. I am not too careful when I post because I suppose I assumed most people would not be quite so literal. But I must say, it has truly been a pleasure to see how you read what I write, and how it comes off actually in quite a different flavor than I intend. Quite a bit like a critic reading something and the author being forced to contemplate why the critic said what they did, and I really enjoy stepping back and looking at things from others' viewpoints.

    Sul.
     
  24. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Quod Erat Demonstrandum...............................
     
  25. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Well... I suppose I'll take that as a compliment. But I think anyone would find it a bit strange when, in a discussion, the other party suddenly throws out a stance that completely destroys his own prior arguments.

    I'm afraid you don't seem to be making sense here at all. If something isn't troublesome, then why would it be annoying? How does UAC annoy the user while being simple, and how does RunAs stay out of the user's face while being intrusive?

    The answer is that they don't. The user gets annoyed because they have to deal with an intrusive, troublesome mechanism.

    Again, you are making the mistake of assuming that security awareness and user education is the natural result of annoying software. That may hold true in the ideal geek world, but not in the real one.

    Don't you think you've answered your own question?

    Perhaps so that you don't achieve the completely opposite effect of turning people off the very thing you are trying to foist on them.

    Please explain to me how UAC is functionally different from RunAs. They both throw up a prompt when a user or program tries to gain admin access. RunAs' prompt requires more effort to dismiss, but in the end they're equally easy to get rid of. But according to you, one is the panacea for our security problems and the model of what should have been, while the other is proof that Microsoft is selling out its users' security for $$$.

    Why? Where on earth is the logic in that?

    They'll probably also say that Firefox is safer than IE, HTML5 is better than Flash, Coke is better than Pepsi, my dad is better than your dad, etc. It surprises me why you would consider the opinion of the uneducated masses (people who have heard of Linux in passing) as important, considering how hard you rail against uneducated users earlier in this post and thread.

    Linux is safer due to the lack of attacks targeted at it. Other than that, there's little to no practical difference between it and Windows, or Macs. The security concepts that are really relevant (as opposed to rhetoric) are all OS-independent.

    A friendly reminder that I'm looking forward to hearing how security awareness and user education is the natural result of annoying software.
     