StarDestroyer.Net BBS

Mike, in properties you can untick the protected box to prevent UAC popup on trusted applications. It's not clear and I found it by accident, but it prevents annoyance when Vista decides a certain file is dangerous and it isn't.

I know there are ways to do all of these things. But the whole point of Windows is ease of use. An experienced user should not have to find things by accident, or after perusing manuals, or after going on Internet webboards to ask other people.

Certainly, but you don't have to LIVE with it. Managing the obtuse interface is a better idea than deactivating UAC entirely, but the UI is terrible, as we've been discussing. I can't even work out what the logic behind what is 'protected' or not is; I can get two versions of the same file, signed by the same organisation, and one is 'potentially dangerous' and the other isn't.

It feels to me like the security features in Windows Vista were slapped on haphazardly, as a bolt-on "feature" rather than a security-minded review of the operating system from the ground up.

This is definately the feel you get from the UAC popups, since they're incredibly slow and clunky to appear (it actually changes my video mode for some reason). As Durandal says this is probably a result of by-committee design, whereby 'iconic Windows interface' couldn't be changed by they wanted to shoehorn in essential security stuff.

Metaphorically, it's almost exactly like building a chicken-wire fence around a factory and putting a mentally retarded minimum-wage security guard in a checkpoint booth at the front.

The reason why UAC is so incredibly slow to popup is the fact that it actually appears in a separate desktop session. This is to prevent shatter attacks (malware programmatically clicking the allow button for you). And they didn't optimize the session switching, largely because the only two cases where this occurs are: fast user switching and UAC prompts.

Beowulf wrote:The reason why UAC is so incredibly slow to popup is the fact that it actually appears in a separate desktop session. This is to prevent shatter attacks (malware programmatically clicking the allow button for you). And they didn't optimize the session switching, largely because the only two cases where this occurs are: fast user switching and UAC prompts.

Ah, that's why it seemed to me that it was reinitialising the display. It makes sense to do it this way, but the lack of optimisation certainly makes it look unpolished.

The speed is hardly the only reason why it feels like a clumsy bolt-on solution to security.

In fairness to the Microsoft folks, they're treading a damnably thin line between arbitrary backwards compatibility and an OS that is not conceptually old enough to buy booze. I very much doubt a sensible *nix-y security model could be adopted without completely throwing everything out the window the way Apple did.

I'm sure we've all got experience with horrific in-house applications that were probably designed to run on Win3.1. Microsoft feels beholden to such corporate users, and of course for good reason. Even a functionally-identical WinVista hasn't been adopted en masse by corporate users, not the way previous versions were. Imagine how bad the situation would be if Vista didn't run old crap either. They'd need to build a new base from the ground up, basically, and while I think Microsoft has a lot of competent folks on board, they'd never hit 90% adoption if they were starting over.

They're stuck between a rock and a hard place and I don't envy them.

Darth Wong wrote:It feels to me like the security features in Windows Vista were slapped on haphazardly, as a bolt-on "feature" rather than a security-minded review of the operating system from the ground up.

They did some good things in terms of security. They disabled non-essential services by default, sandboxed the ever-living shit out of Internet Explorer and embraced the principle of "least required privilege". So there was an architecture revamp of Windows' security model.

What they didn't do was make these same sandboxing features available to developers -- nor did they sandbox any other applications or system daemons that I could see. They also clearly didn't think about the UI implications of UAC. If you're going to make a system noticeably more intrusive in the name of security and then give users the option to turn that behavior off ... you've just defeated yourself. Users will just turn off your security features and not benefit from them.

But beyond that, Windows' poor security track record is 75% Microsoft's fault and 25% its developers' fault. Take the folks who wrote iReboot, for example. The authors of thought that, by factoring their application into two parts (a privileged back-end and an unprivileged front-end), they had defeated UAC's protections. They made a big stink about it, coming out and calling UAC worthless because of their supposed ingenuity.

They were summarily humiliated when people who knew what they were talking about explained to them that privilege separation is a design pattern that has been around on Unix and Unix-like operating systems for about 30 years. And it doesn't count as defeating authorization prompts, because it requires admin privileges to get the privileged part of the system installed in the first place. Microsoft's own documentation details this design pattern.

So Microsoft has an even larger problem. Their own developers don't read their documentation and have no instinct for security. They've been so used to having a free-for-all for a decade that they'll need to be dragged kicking and screaming into the Brave New World. And that will just take a lot of time and effort. And given Microsoft's propensity for never breaking backwards compatibility, ever, it'll take lots of iterations.

Actually, the same sandboxing feature that IE uses can be used with any other program. http://msdn.microsoft.com/en-us/library/bb625960.aspx

Well, Vista finally took a shit and died. It started blue-screen crashing every time I went into the Control Panel, so the computer became totally unusable. I nuked it and reinstalled the OS from the CD.

Now some of the previous problems are gone (I haven't had a BSOD yet, and Firefox doesn't give me an error when I close it). However, a new problem has appeared: it copies files from network drives at about 30 kB/sec, which is utterly ridiculous; it should be copying them at 10 MB/sec or more.

Looking around the Internet, I can see that lots of people experience really slow copying from network drives, and Microsoft hasn't really done jack shit about it. There are fixes that work for some people but not others, but this is yet another example of something that worked fine on XP, and which they horribly fucked up in Vista in their idiotic drive to add more feature bloat.

Is it updated to SP1? SP1 fixed the vast majority of network copying issues.

I updated to SP1, and the problem persists. I also tried turning off the firewall, and that didn't help either. I tried turning off remote differential compression and auto-tuning as well. No dice. Switching the NIC from half to full duplex and back again didn't do anything either.

Fucking Vista. What a piece of shit. It's actually twenty times faster to download a file off the Internet than to copy that same file from a local network drive. And even if you look around various Internet sites talking about the problem, it's clear that there's no definitive solution. Some solutions work for some people, but not everyone.

I guess this is yet another delightful "enhancement" since XP.

What's hosting the network drive you're attempting to copy from? Is it running Windows or Linux? (Maybe Vista breaks compatibility with Samba shares...?)

Durandal wrote:What they didn't do was make these same sandboxing features available to developers -- nor did they sandbox any other applications or system daemons that I could see.

The sandboxing features are avaliable to to developers, it is just most developers never actually look at the existing security APIs which only required a little extending to work with the sandboxing type code.

Are you using the CD that came with the computer? If so i seriously recommend downloading or otherwise getting a clean OEM Vista image and installing that using your OEM key (if it's not on a sticker there are various methods of extracting it from the registry) and downloading the drivers separately cause those bullshit images are always trouble.

Quick question, is Microsoft due to launch their new OS sometime in 2009? I want to know as whether I should get Vista or wait for the next Win OS?

Check your network care properties for anything called "interrupt moderation" and either disable or pad the value with 3-4 zeros.

My desktop's motherboard network card has by default interrupt moderation enabled and throttles to 10000 interruptes per second by default. This capped gigabit at 30mb/s on Windows XP. The problem got worse on Vista because the OS does interupt moderation in addition (was getting 5-10 mb/s). To change how vista does network throttling, there is a article on how todo that linky. After doing this, I went from ~5-10mb/s from my fileserver to desktop to almost 90-100mb/s when reading into memory.

Also try disabling on-access virus scanners. Things like Nvidia's network access manager is also a steaming pile of crud.

Your issue is likely several compounded things, so don't expect a single fix to work completely.

Enigma wrote:Quick question, is Microsoft due to launch their new OS sometime in 2009? I want to know as whether I should get Vista or wait for the next Win OS?

Windows 7 should be out of beta in late 2009 or early 2010 with consumer avaliable versions out mid-late 2010.

Darth Wong wrote:I updated to SP1, and the problem persists. I also tried turning off the firewall, and that didn't help either. I tried turning off remote differential compression and auto-tuning as well. No dice. Switching the NIC from half to full duplex and back again didn't do anything either.

Fucking Vista. What a piece of shit. It's actually twenty times faster to download a file off the Internet than to copy that same file from a local network drive. And even if you look around various Internet sites talking about the problem, it's clear that there's no definitive solution. Some solutions work for some people, but not everyone.

I guess this is yet another delightful "enhancement" since XP.

Well, switching the NIC off of AUTO probably does nothing to help (should be set on auto unless there's a known incompatibility). Samba on Linux actually has a known bug with regard to compatibility with SMB v2 (which shipped with Vista). If you have a Linux network drive, that could cause a problem.

Wow. That interrupt moderation crap really sucks shit. Just on impulse I decided to check that on my XP Pro machine and turned it off on the network card and now pages that used to take 15-20 seconds to load are getting loaded in 2. What a piece of shit.