# Monday, January 15, 2007

So, Windows Vista is all set for launch to consumers at the end of January. A lot of sources around the net has been saying Vista adoption rate is going to be slow primarily because of poor driver and program support. To me the biggest hurdle for a user to have to come to grips with is LUA (Least User Access).

In a nut shell LUA basically means that the user is operating at lower than administrator privelleges, and should a program try to do something it shouldn't be doing a dialog box like this pops up.

This is so the user knows that the program is attempting to do something which is considered dangerous and the user needs to allow it to continue.

Such a concept is not new in the Linux and Mac OSX, and it's what users keep saying keeps the system safe and so forth. this is a great concept and really keeps the systems safe from any malicious code from activating. Unfortunately when this concept comes to Windows Vista it'll be hampered by 2 factors.

#1 Users aren't familiar with this concept, what would the typical mother do when she see's a box that says "The program needs you permission to continue"? Probably one of 2 things, just click yes and get on with it. Or give you a call.

#2 A typical windows apps developer would probably have violated a whole bunch of security rules in their code. I too am guilty of violating them but I guess none of us were really expecting something like this to happen. So... what kind of bad things are we doing in our code that'd cause the security box to pop up?

- Writing into the programs install folder : Typically program is installed into the Program Files, and it's considered bad practice if you try to write into the folder because if the user doesn't have administrative prvilleges it'll fail. Any sort of user related files should be placed in their My Documents folder.

- Writing values into HKEY_LOCAL_MACHINE : Microsoft's advice is that unless you have something that should be applied to all users on the machine you shouldn't write to this part of the registry, unfortunately a lot of developers feel that their app is of course.. of the upmost importance! A proper app writes all their settings under HKEY_CURRENT_USER.

- Attempts to modify data all over the hard disk : Programs typically just tend to write data whereever they feel like it, say your root drive, your windows system folder, etc. etc. you get the idea. This is of course just very very bad practice, if the program needs a temporaty working file or path, it should just request a access to the system allocatted temporary folder.

So with all the problems? why did MS decide to implement LUA in the first place? Windows was always a more user friendly system in terms of system configuration and support. why put in something so inconvinient to users?

Because it's a necessary evil, I remember reading from OldNewThing about how when Windows was first created the only real external threats of virus attacks and such were only from illegally copied disks, and files from BBSes which not many people were connected too.

Nowadays, there's such a large number of vectors for attacks, a large number of computers are connected to the internet, many of which might not have any sort of firewall protection systems. Email has become the preferred choice of social engineering attacks and is constantly scamming people into doing bad things on their PCs.

It's always said that with higher level of security you loose factor of simplicity and convinience like what I mentioned with the Citibank posts. But going ahead into the future I guess it's a necessary evil, let's see how well people will accept the change.

Note that you can Post As GUEST as well.
blog comments powered by Disqus