[cap-talk] Windows Vista: security by admonition

David Wagner daw at cs.berkeley.edu
Tue Jun 6 03:58:07 EDT 2006


Micah Brodsky writes:
>The example we've been talking about is an interesting case, though. Rather
>than administering the user's ordinary privileges, UAC is about
>administering extraordinary privileges, those that modify global system
>state. These are privileges beyond the ordinary needs of users, and from
>this perspective, it makes little more sense to grant them unconditionally
>to the user's shell than it does, for example, to grant the user's full
>privileges to a web browser. Instead, by going out of band to a very
>compact, trustworthy broker to request particular privileges in the rare
>cases they are needed, a lot less code needs to keep administrative
>privileges around.

I agree -- up to a point.  However, in some cases one could avoid
bothering the user every time the user performs some extraordinary
operation by associating these extraordinary privileges with the app
at program installation time (and seeking user confirmation then, as
necessary).  This means that the user only has to see the dialog box
once when they install the app, not every time they invoke the app;
and in the case of pre-installed software (e.g., software installed
by Dell), the user wouldn't ever need to perform that approval step.
This doesn't work for all cases, but where it is possible, it seems
likely to reduce the burden on the user.

>For the case of extraordinary permissions, though, I'm not sure that
>admonishment can't also be made usably secure. In many systems, it is
>already common for "dangerous" actions to be accompanied by admonitions. For
>example, most GUI file managers ask you to confirm file deletions, and users
>seem happy with this. I, for one, have accidentally issued delete commands
>on occasion, and the resulting admonishment triggered the appropriate panic
>response, not the "stupid dialog box" reaction! Since many administrative
>actions have a similar "dangerous" nature, the admonishment paradigm may
>well be reasonable if done well.

I suspect there may be a significant difference between an honest
app trying to protect you from unintentional mistakes (human error),
and the OS trying to protect you from a dishonest app.  Admonitions do
seem appropriate for the former, but the situation is less clear-cut for
the latter.  A file manager protecting you from goofs by asking you to
confirm a file deletion is an instance of the former; the OS trying to
protect you from spyware by popping up a dialog box every time the app
opens a network connection is an instance of the latter.
