Balancing Security and Usability

Strange Japanese Television Shows

Office Development, Security, Randomness... — Sun, 21 Mar 2004 03:43:00 GMT

re: Balancing Security and Usability

Stephane Rodriguez — Sun, 21 Mar 2004 07:51:00 GMT

"So anyway, back to where we left off the conversation... if it's hard to install all solutions, then it's equally as hard to install the good ones as it is the bad ones "

Funnily enough, what about the coming Windows Installer 3.0 that will, like older versions, require admin rights and a reboot. How having troubles installing an installer is in any way helping gain back confidence over third party software?
Isn't the awful end user experience related to installing an installer before installing the app adding up to the mess of clicking OK on highly technical prompts without bothering anymore?

re: Balancing Security and Usability

Peter Torr — Sun, 21 Mar 2004 08:50:00 GMT

I don't know much about the Windows Installer, but installing a system file always requires Admin rights (as well it should, just like installing critical updates). You could argue that there needs to be a per-user install of an installer that can only install per-user applications, but most things that need "Installers" these days do so to register machine-wide resources like COM objects or Shell handlers. ClickOnce in Whidbey is trying to address this though and provide per-user, non-impactful installs of managed code solutions.

Silently installing a new system component as a normal user is about the worst possible thing we could do, and my main point was that up-front installation *should* be hard, but that subsequent running of previously-vetted software should be a relatively pain-free experience.

But that's just my opinion; it makes the desktop somewhat more secure, but it also make it unusable for the vast majority of our customers. It's no use having more secure technology if people stick to the older stuff because it's significantly easier to use.

So we will probably continue to prompt users for the forseeable future, because there's nothing better we can do right now.

re: Balancing Security and Usability

Stephane Rodriguez — Sun, 21 Mar 2004 20:16:00 GMT

"ClickOnce in Whidbey is trying to address this though and provide per-user, non-impactful installs of managed code solutions."

If I refer to the PDC talks, ClickOnce is NOT a replacement for MSI. So it's useless for a lot of scenarios and, as implicitely mentioned, only adds dependencies (IIS is required for instance to deploy your vs project, serve the manifest file, ...). I wonder how is this going to help simplify things. ClickOnce is for Longhorn, essentially, since assemblies and run-times have introduced a whole new can of versioning problems.

"but installing a system file always requires Admin rights (as well it should, just like installing critical updates)."

Since pretty much anything significant can be labelled as system objects, and you say this in turn requires elevated privileged, this means it is not possible to install software on Windows without being a local admin, threby reducing the actual freedom of end users. Fine.

"Silently installing a new system component as a normal user is about the worst possible thing we could do"

This is what customers want, unfortunately. Indeed, why should they bother the install pages when all this stuff shows is technical things and an horrible EULA which one has to agree anyway. I mean, there is no sandbox anyway, so why is silent installers so much frightening? Or, does explicitely showing a UI and getting the user to check the EULA box allows the publisher to install and damage the target machine without being liable, as you seem to imply?

"need "Installers" these days do so to register machine-wide resources like COM objects or Shell handlers."

The shame here is how little has Microsoft been able to virtualize the registry, make it local to a single app only, and thus allow COM components, shell handlers and so on to work on restricted spaces. VMWare did it. You are just too lame to acknowledge you are lagging behind your own technology, or in other words that you have no clue of what customers are doing with software outside and what they expect from it. Hint : they want to get their work done, and couldn't care less about all your crappy technicalities.

"But that's just my opinion; it makes the desktop somewhat more secure"

Just in time for a .NET virus to come up and blast the "secure .NET shit" PR Redmond has boasting so much about.

"So we will probably continue to prompt users for the forseeable future, because there's nothing better we can do right now."

And you'll keep getting customers angry at you.

re: Balancing Security and Usability

Peter Torr — Sun, 21 Mar 2004 21:42:00 GMT

Stephane, you have no argument from me that we need to do better. And hopefully things will get better over time. One of the things .NET has been trying to do *is* to move away from the registry and other such things that require "impactful" installs.

Talk to Rob if you want to know more about large scale deployments:

http://weblogs.asp.net/robmen/

A normal user CAN install software on their machine, IF the software is written to support the scenario. There is such a thing as per-user COM registration, but nobody uses it.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/per_user_installations.asp

We'll have to agree to disagree on the "silent install of system components as normal user" point -- if you really want a normal user to be able to replace core OS components without any warnings, we're not talking the same language.

http://blogs.msdn.com/ericlippert/archive/2003/10/18/53241.aspx

re: Balancing Security and Usability

Stephane Rodriguez — Mon, 22 Mar 2004 07:00:00 GMT

"Talk to Rob"

I have read every single posts from him already, and I am not sure what I am supposed to think about an installer plumbing that :
- has several flaws in its design (as the weblog explains)
- requires users to install the installer (and consequently reboot) before installing someone's app. It seems that you guys forget that the setup is the first impressions when installing software, and it'd better be working well.

By the way, have already given feedback to other people about unsupported MSI scenarios, including "runas non-admin profile".

"A normal user CAN install software on their machine, IF the software is written to support the scenario"

Unfortunately, deployment is not a given output from the development tools. Deployment is ad hoc and thus prone to all possible surprises. The irony in this is that it tends to sanctuarize machines with MS-only software installed on them, or in other words the bad reasons inflicted by means of PR (security, bla bla bla) on the fact there is no question that installing/reinstalling IE is good, while installing any alternative browser is bad. This shows the limits of trying to back things, like useability, with technical claims...

re: Balancing Security and Usability

Peter Torr — Mon, 22 Mar 2004 07:10:00 GMT

No argument; we need to do much better here, and better tools for the developer is one way we are moving forward (ClickOnce support in Visual Studio "Whidbey" for instance).

But security and usability are at *polar opposites* here, which is the thing I was trying to get across in this blog.

Can you go into a bit more detail about what your "installing any alternative browser" comment means?

re: Balancing Security and Usability

Peter Torr — Mon, 22 Mar 2004 07:37:00 GMT

I assume (based on some basic Googling) that this is your blog:

http://www.arstdesign.com/BBS/BulletinBoard.php?qs_id=1480

You raise some good points but unfortunately monolithic installs of applications have at least one very big problem:

Assume there is a (security) bug in a shared piece of code, and the bug needs to be fixed.

* If the bug is in a shared DLL, you fix it once.

* If the bug is compiled into every application, each vendor has to fix it individually.

Each approach has its ups and downs, but we've seen with things like SQL Slammer that the second approach just doesn't scale.

I'm sure I've seen other MS bloggers talk about this very problem; it's not an easy one to fix (there is no silver bullet...)

re: Balancing Security and Usability

Mike Dimmick — Mon, 22 Mar 2004 09:27:00 GMT

Actually the latest viruses (can't remember the name, might be one of the Bagle variants) has a password-protected ZIP file attached to the email, with the password in the email's text. So there _is_ a five-step process:

1. Open the attachment

2. Accept the security warning

3. Find the password in the email and copy it

4. Paste it into the appropriate password prompt box

5. Open the EXE inside the attachment

The fact that this is spreading speaks volumes for the general lack of attention of a lot of users.

The trouble is, computer users are like BMW owners (in the UK, at least). The equipment is mostly owned by their employer - so they don't care if anything bad happens to it, or anyone else, because they're not liable.

(Speaking after having a BMW behind me on a motorway at 100mph, honking at me to get out of the way, when overtaking a car transporter that was overtaking a lorry...)

re: Balancing Security and Usability

Peter Torr — Mon, 22 Mar 2004 15:45:00 GMT

You're absolutely right of course. I don't know how successful the latest ones are compared to the earlier ones. It just makes our lives harder...

I don't think people have a lack of attention though. They're just trying to be good citizens and follow orders (most of the e-mails claim to be security patches or fixes from their ISP) and we can't expect users to be reading BugTraq and know what viruses are.

Especially since computers have been romanticised by the popular media as these wonderful benign objects that can do us no harm...

re: XP SP2 RC1

jeffdav's WebLog — Tue, 23 Mar 2004 10:07:00 GMT

re: Balancing Security and Usability

Edd James — Wed, 24 Mar 2004 13:20:00 GMT

But why does outlook, word and (maybe) excel need this ability to run scripts/macros. The majority of users - especially home users - do not require this level of functionality.

Those that do require it - companies/organisations have the resources to instruct their employees and monitor traffic thereby theoretically stopping the problem.

Installing software

Office Development, Security, Randomness... — Tue, 13 Apr 2004 05:22:00 GMT

Installing software

Office Development, Security, Randomness... — Tue, 13 Apr 2004 05:23:00 GMT