Vista User Account Contortions

April 27, 2008

I was just skimming this exhaustive article by Mark Russinovich on Microsoft’s TechNet site, hoping to understand just why those User Account Control pop-ups in Vista have to be so annoying. Much of his treatment is far too detailed for me to care about, but in the second-last paragraph, Russinovich tosses out this little bombshell:

“…users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer.” [my emphasis]

In other words, if I read this right, you have to accept the incessant nag dialogs of UAC in order to get the benefit of the vaunted sandbox for IE… even though the latter is exactly the sort of feature a power user might want to count on for ‘invisible’ protection! Worse, there’s no warning of this hidden connection; I disabled UAC with no idea that I was giving up the other feature. (Note that the free Sandboxie utility doesn’t seem to make these kinds of demands. Yet another touted Vista feature that apparently could have been implemented — better — on Windows XP.)

Russinovich also reiterates Microsoft’s position that UAC is “a convenience” (who says they don’t have a sense of humor?) and not “a security boundary.”

I think the idea is that you should run as an admin but give up most of your admin rights — then constantly beg for them back. The benefit of this contortion is nebulous at best. Russinovich notes that malware can intercept the UAC process, though he says that this type of attack would be “relatively sophisticated.” (Thank god today’s hackers are incapable of sophistication!)

From Russinovich’s explanation, it would seem that the only way to get any real value out of the new Vista rights scheme would be: run most of the time in a standard user account, and switch to a separate admin account (with UAC disabled!) when elevated privileges are required. To me, this would seem to give exactly the same level of security that the Linux crowd likes. (While working pretty much exactly the same way that it does in Linux… or, presumably, that it could work in Windows XP.)

All of which leaves me right back where I started, with UAC still looking like nothing more than a redundant annoyance. Worse, actually; it now looks to me like a way of fooling yourself into thinking you have the security of running in a user account, with twice the hassle and very little (if any) of the actual benefit.

If someone more knowledgeable in this area wants to convince me I’m mistaken, by all means fire away.


Fun with Standards

April 24, 2008

I just came across a marvelous page that runs through “Dirty Tricks” that Microsoft has done with various technical standards. It’s a long list, and a fascinating one, from both historical and technical perspectives.

If you’ve been around the computing industry a few years, many of the examples will be familiar. But a few may surprise you. Personally, I hadn’t really been following how Microsoft was pushing its new XML-based OOXML Office document format against the perfectly good existing standard (ISO Open Document Format). For me, this battle is purely academic; I wouldn’t ‘upgrade’ to Office 2007 even with a gun to my head. But it does rankle that something this important should be subject to such self-serving squabbles.

Another gruesome little tale is how Microsoft has nearly obliterated the OpenGL standard for 3D graphics. As someone who closely follows gaming, I’ve always appreciated the virtues of Microsoft’s DirectX in that area. It’s a great system for realtime graphics, something that OpenGL doesn’t really tackle. But I always took Microsoft at its word, that OpenGL would continue to be available in parallel, for those applications in which it excels. Not so, according to the Dirty Tricks page — and Vista is apparently the last nail in the coffin, since the entire UI is now based on DirectX, making it tougher than ever to squeeze in an OpenGL engine.

The site makes no secret of its bias, so by all means take its pronouncements with a grain of salt. But also take a moment or two to follow some of the many links, and see what the fuss is about. Whether you side with Microsoft or agin’ ’em, you’ll come away with a deeper appreciation for the whole standardization process.


Net Neutrality petition for Canada

April 2, 2008

Someone has set up a Canadian petition for Net Neutrality. If you live in Canada, it’s important to sign up and be counted. You can find a red button at the right of this page… and lots more info on the Neutrality.ca site.

With the Canadian Internet landscape dominated by just two main service providers, neutrality has always been particularly precarious. Recently, these ISPs have been making various moves that undermine the notion of neutrality and potentially presage far more drastic moves should consumers accept the status quo with their usual passivity.

If you live in Canada, and value your ability to surf where you want, when you want, at the speed you want — all at a fair market price — it’s time to get involved.