top | item 41956186

survivedurcode | 1 year ago

lol UAC is such a lazy shitshow of a security implementation…

A) there is no interception to be had. It’s a fucking “Yes I am Admin” single click a child could do unsupervised.

B) It requires training for the user to know that this is a special UAC mode. That’s high-motivation, high-knowledge user training. Pilots train to recognize unusual signs. Your grandma does not train to recognize what UAC looks like, why it would come up and when. UAC is the biggest cop-out of a security excuse and Windows should be ashamed.

admax88qqq|1 year ago

Sure I guess, I don't know why UAC gets so much hate while sudo gets so much praise.

UAC is strictly better than sudo IMO.

Does UAC solve security for windows? Of course not, but we were comparing against sudo here.

ruthmarx|1 year ago

> lol UAC is such a lazy shitshow of a security implementation…

It's by far the most secure and well thought out implementation of an elevation prompt across all operating systems.

A lot of thought went into designing the Secure Desktop [1] used by UAC, and really Mac and Linux not having something similar is an embarrassment.

[1] https://learn.microsoft.com/en-us/archive/blogs/uac/user-acc...

survivedurcode|1 year ago

I stand corrected, it is not a lazy shitshow.

You’re right, fake sudo prompts are how people get exploited all day long. I’ve witnessed it on macOS.

For UAC, the user still has to learn that the darkening on the screen and the prompt is “serious business.” I think that when a password is present and has been willfully supplied, prompting the user for the password guards against automatic/accidental acceptance (button-only user confirmation prompts). I understand that many users have a joke password that might as well not be something that’s not really any more secure than a click on a button.

I see that Sudo for Windows has been restricted to Desktop only. https://hudsonvalleyhost.com/blog/microsoft-officially-exclu...

From the design article you linked, I know it’s 2006 era:

> You hide the real mouse cursor and show a fake one some number of pixels offset to the real one

I think macOS only in recent years has “Full Desktop Control” as an accessibility-category permission (a confusing category to boot) it enforces on apps to prevent faking the cursor.