[cap-talk] Bellovin on Vista's UAC
Toby Murray
toby.murray at comlab.ox.ac.uk
Sun Jul 15 11:42:56 EDT 2007
For anyone interested in tracking the spread of capability-based
security memes, you might be interested in Steve Bellovin's recent blog
post on the mess that is Vista's UAC:
http://www.cs.columbia.edu/~smb/blog//2007-07/2007-07-13.html
He identifies the major problem with (what Ka-Ping Yee calls)
admonition-based security that is UAC. He finishes with the following,
disheartening remark:
> Mind you, I'm not blaming Microsoft. While some of the security
> usability woes of Vista are undoubtedly due to the need for backwards
> compatibility with their older, horribly insecure operating systems,
> others — like this example — are inherent in the problem. The real
> question is what to do. As I've often remarked, if we knew the answer
> it wouldn't be research.
It's a shame that the "combine designation with permission" meme hasn't
spread further yet.
I don't expect he's got the time to read it, but I did send him an email
in response to this post (since I couldn't see anywhere to post blog
comments) pointing him to Ping's "Aligning Security and Usability" paper
that beautifully describes "what to do" to begin solving this problem.
Fortunately, Vista has shown many in the mainstream security community
that there are great limitations to the admonition-based approach. Now
we appear to need a mainstream example of how to do it the right way.
Perhaps BitFrost will do...
Cheers
Toby