Charles said:
jon_potter said:
*snip*

Actually, I think your metaphor is not entirely correct in this context. This entire argument is centered around the fact, and it is a fact regardless of vector, that code gets on your machine and it executes without you knowing (memory attack on some trusted program's memory management code from a remote source or the screensaver you thought was a screensaver is not a screensaver, but you downloaded and executed it anyway, ignoring, say, IE's warning that doing so may be a bad idea. But this isn't the issue here. We assume something is executing on your machine. That's the implicit fact here. Let's move on.).

Your metaphor is more precisely stated like this, in my opinion:

It's like saying that my front door is a security feature when the robber is already in my living room (or basement or garage or kitchen).

UAC is the doorbell or the knock. You can choose to open or not, but what happens when you are unable to see or even guess who or what is at the door? Do you open the door under these circumstances? UAC tells you nothing that enables you to reason about what opening the door will manifest itself as when it walks in. So, either grandma walks in with a cake and some whiskey or a melancholy character with a keen desire to slice you into pieces enters. Does your front door protect you from harm if you open it when the doorbell rings? Does your front door provide you with useful and accurate information about the person or thing standing on the other side of it, his or her intention once the door opens, that you can use to rationalize your action of either opening or not opening the door?

The notion that UAC will protect you from harm is not one that anybody is preaching. Not really. Right? Its stated goal is that of pushing developers to write code that runs in standard user mode which will then encourage users to create desktop sessions under a Standard User account (and in this scenario, this problem of silent elevation due to default prompt state is no longer a scenario to worry about).

Also, in keeping with the door analogy (which I like, by the way, so thank you for using it), if you ask the person knocking on your door "who's there?" and they do not answer, what do you do? If you ask "what do you want? why are you here?" and they don't answer, what do you do? How do you reason about what to do if you have no idea about intent?

Here's what everybody does know: UAC will not ship with an Always Notify prompt level in Windows 7. In fact, this is the crux of the problem here as far as I can tell. What UAC actually does and why, what problems UAC is designed to solve and why, these are problems that the Always Notify prompt setting does not solve.

A rainy Sunday. Somewhere in the Bronx. Early afternoon. A tea kettle whistles in the background. A young man is typing at his computer. A UAC Prompt happens. UAC engages the user in some rather shallow discourse:


UAC: "Warning. Application X needs your permission to run"

User: "Well, what is Application X trying to do?"

UAC: "Warning. Application X needs your permission to run"

User: "OK. What is Application X? I don't recognize it."

UAC: "Warning. Application X needs your permission to run"

User: "Fine. I have better things to do than play this game. Oh crap. The tea... Allow."

C

Let me rephrase the analogy then. Calling UAC a security feature is like saying the lock on my door is a security feature when there's a key to the lock hanging next to it on a piece of string.