[analogika]

Originally Posted by - - e r i k - -

Yes, that is bloody fantastic - if you are logged in as a normal user.

However, when I am logged in as an admin user, shouldn't the computer automatically assume that the admin in front of the computer knows what he's doing?

No.

Because the default user created after initial set-up is an admin user. This is done - now get this - in order to inconvenience less experienced users as little as possible.

[OreoCookie]

Well, this reminds me of a discussion I often used to have with my sister: `It's my computer, so how come you don't give me admin privileges?' - `What do you need them for?' - `It's my computer, so I should be able to do whatever I want!'

Now my brother has to deal with her

[Millennium]

Originally Posted by - - e r i k - -

Yes, that is bloody fantastic - if you are logged in as a normal user.

However, when I am logged in as an admin user, shouldn't the computer automatically assume that the admin in front of the computer knows what he's doing?

One, this would go pretty drastically against several important underlying principles of the Mac itself. Even when there was no concept of authentication in older Macs, there was always a concept of making sure that this was what the user wanted, not simply "automatically assuming that they knew what they were doing." Shall we get rid of this concept, too?

Two, the computer still has absolutely no way of being sure that the person who logged in several hours ago is still the one at the computer. This is the point of authentication: to make sure that this is still the proper person. This is the kind of thing that cannot simply be assumed.
[quote]An admin does have the right to install systemwide applications, to download whatever he wants and run whatever he wants. I proposed the fact that the admin permissions in these cases could not require an admin password for as long as that admin is using the computer (if it's idle for say more than a minute, the next operation would require a password).

Sudo even works like this, you don't have to type in the frickin' root password every time you need to do operations the next five minutes after the first operation.

This is only because of the way Apple has configured it, and it is not a good thing.

Sudo assumes that once you have typed in the first password you know what you are doing without nagging you again for a while.

sudo doesn't assume that you know what you're doing; it assumes that you are still the one issuing commands. As others have noted in this thread, some vulnerabilities have been found which go directly back to this problem, and one of the fixes they suggest is removing the timer. This is also why sudo is not not included standard on many Unix distributions, and why it usually doesn't include the timer even when it is included.

As it stands now, there's not much difference between a normal user and an admin. The computer does not trust you to make your own decisions, and it often leads to an alienation between computer and user.

The computer trusts the user just fine. What it doesn't trust is "that guy at the keyboard", because it cannot assume that person's identity. The entire point of authentication is to make sure it knows who that person is; once it knows this, it then proceeds to trust that person.

This is part of the problem; you do not understand the purpose of passwords. There is a very real difference between authentication and authorization. You assume that passwords are used for authorization; in fact, they are not. That is what permissions are for. Passwords are used for authentication, and nothing more. Once you understand this, everything makes sense.

Case in point: Users who don't dare to run software update because it requires them to type in their passwords.

That is their problem, not Apple's. They, too, need to be taught what exactly it means to type in a password.

I am just asking this simple question: Why as an admin shouldn't the computer trust that what I am doing is the right thing (while I am using the computer after I log in)?

The computer does trust you. But it trusts you, and nobody else. That is why it needs to make sure that you are the one issuing these commands.

Or, to put it another way, the computer trusts you, but should it trust everybody? That is what it means to remove authentication; it means that anybody can issue commands and have them accepted. Surely you don't think this is a good idea, do you?

[asdasd]

"We have an answer in the way Mail auto-saves a new message as a draft. After a given time the unfinished messaged is stored. Mail will quit without needing a save dialog, without asking for a password. When you re-open Mail your message is right there ready to continue.
"

Gavin,

I agreed with that idea in my post. It would just take time to implement the automatic logout in the other session, but Apple have API there for that - ans I suspect the main reason for automatic Logout in 10.4 is to solve this issues.

[- - e r i k - -]

Originally Posted by Millennium

Or, to put it another way, the computer trusts you, but should it trust everybody? That is what it means to remove authentication; it means that anybody can issue commands and have them accepted. Surely you don't think this is a good idea, do you?

I have never once argued for the removal of authentication. I think you are mistaking me for mAxximo here. I did however argue for a user-set convenience versus security slider, where even the lowest security level is much higher than any other desktop OS. It's just the god damn nagging and constantly telling the computer that "yes I AM sure I want to do this" again and again that just leads to the dulling of real human's security sensitivity.

[Millennium]

Originally Posted by - - e r i k - -

I have never once argued for the removal of authentication. I think you are mistaking me for mAxximo here.[/b]

By making it an option, you are asking for its removal, because that is how it will be used. Optional security is worse than none at all. It's the entire reason Windows is so insecure; it's actually got a very good model built-in, but because it's all optional nobody uses it. It doesn't help that much of it is off by default, but even what's on by default gets turned off by most users. The same would happen for OSX if you had your way, and the results would mirror what has happened on Windows.

I did however argue for a user-set convenience versus security slider, where even the lowest security level is much higher than any other desktop OS.

You don't get it: we're already at the bare minimum. To remove anything at this point puts us at Windows-level security. This is what real security means, and yes, it's annoying sometimes, but if you don't want your machine being broken into or used as a zombie then this is what you have to do. It's like putting your name on papers for school.

It's just the god damn nagging and constantly telling the computer that "yes I AM sure I want to do this" again and again that just leads to the dulling of real human's security sensitivity.

You still don't get it. You're not telling the computer "yes, I AM sure I want to do this" with authentication. You're telling it "Yes, I'm here, and this request comes from me." It's a different question.

Maybe something could be said for incorporating the authentication dialog into the "Are you sure..." message, so that one dialog could ask both questions at once. This does not, however, remove the need for authentication; it just takes one mouseclick out of the process. The wording for such a dialog is likely to get pretty sketchy also; I'm not sure of a good way to make it clear exactly what's going on.

Now, if you really want to make things less "intrusive", the real answer is to come up with a less "intrusive" method of authentication. For example, several IBM computers -particularly its recent laptops- come with a small fingerprint scanner which can be used in place of passwords. Instead of typing in your password, you just put your finger on the scanner for a second, and away you go. Authentication is preserved, but you don't have to think as much. Of course, to do this you need a scanner, you're completely hosed if the scanner fails, and what happens if you've cut your finger and you have a bandage on it?

OK, so maybe that doesn't work. Let's try something a bit less exotic: USB tokens. These devices have a small amount of storage (not unlike a thumb drive) which contains data for a username and a digital certificate. When a machine needs to authenticate, it looks at for the token and the signature on it, and if they match then you're good to go. No muss, no fuss, and there doesn't have to be any UI or interaction for it at all unless authentication fails. mAxximo would love it. Of course, what happens if you lose the key? Even worse, what happens if the key is stolen? This is a poor solution for laptops, because any thief is likely to pick up both the computer and the key at the same time. These same issues apply to smart cards and similar devices.

Other ideas? Authentication is not going away, and it is a Good Thing that it's not going away, so let's do something constructive by finding better authentication methods. However, I think you'll find that good methods don't just drop out of the sky; they're surprisingly difficult to come up with. This is a problem that humans have been trying to wrestle with for thousands of years, long before computers were ever created. Passwords are not perfect, but the idea behind it -"tell me something that only you and I would know"- is one of the best yet devised.

[lookmark]

Originally Posted by - - e r i k - -

It's just the god damn nagging and constantly telling the computer that "yes I AM sure I want to do this" again and again that just leads to the dulling of real human's security sensitivity.

This is a really good point, w/r/t the effects these dialogs have on users. Ironically, the more "Are you sure?" dialogs a user sees, the less attention he or she will pay to them.

If they're necessary for better security, so be it.... but I wouldn't make the mistake of thinking that the current UI is an ideal solution. It's worst failing, I think, is that doesn't much help to either (a) shield users from making decisions they don't always understand and (b) educate them. If the user says, "yes, yes, allright, I'm here" too often -- w/o knowing when to say "no" -- the difference between asking and not asking grows somewhat thin.

Supposedly, Microsoft is completely revamping their security for Longhorn, and it'll be interesting to see what innovations they come up with. Yes, I know, I just used "Microsoft", "security", and "innovation" in the same sentence. (I have sinned!) But if it's one thing history has taught us, it's that MS only gets creative when it feels its dominance is genuinely threatened. Or maybe the petri dish will outwit them. We'll see.

[mAxximo]

Originally Posted by - - e r i k - -

I have never once argued for the removal of authentication. I think you are mistaking me for mAxximo here.

No, I've never said that.

[mAxximo]

Originally Posted by Millennium

Passwords are not perfect, but the idea behind it -"tell me something that only you and I would know"- is one of the best yet devised.

Passwords are OK for the time being. The problem is how bad implemented they are in OS X. Ask me for a password at login, that's fine. But after that let me set my own preferences for FUS, Shutdown, App installing, moving stuff to the Trash and the rest of the things I don't feel like asking permission to unix. Let ME set the level of security I'm confortable with, screw mothership's control.

[OreoCookie]

Originally Posted by mAxximo

Passwords are OK for the time being. The problem is how bad implemented they are in OS X. Ask me for a password at login, that's fine. But after that let me set my own preferences for FUS, Shutdown, App installing, moving stuff to the Trash and the rest of the things I don't feel like asking permission to unix. Let ME set the level of security I'm confortable with, screw mothership's control.

You are asked for a password every time something could go wrong:

FUS: it's like logging in and out. If you have several users for one reason or another, you should understand why you do have several users.

Shutdown: you are only asked for a password if another user is still logged in. Again, this is a useful feature, because it prevents you from killing someone else's work.

Non-critical preferences (like Desktop & Screensaver or Dock don't require you to enter a password. When a System Pref affects all users, it will ask.

[jon l. dawson]

I'd only like to add that it isn't necessarily about who's at the computer, what about a backdoor, what about vnc that has been hacked, then someone could be controlling your admin desktop from remote. Better to have password protection as a last measure of security if that ever happens.

[Millennium]

Originally Posted by mAxximo

Passwords are OK for the time being. The problem is how bad implemented they are in OS X. Ask me for a password at login, that's fine. But after that let me set my own preferences for FUS, Shutdown, App installing, moving stuff to the Trash and the rest of the things I don't feel like asking permission to unix. Let ME set the level of security I'm confortable with, screw mothership's control.

You don't get it. These are the points where authentication is most needed. You are not qualified to set the level of security of your own machine, precisely because you do not understand this fact.

And what is this "mothership's control"? The one in control of your machine is you. All the machine is asking to do is verify that you are, in fact, the one who wants to perform these actions. The computer isn't trying to determine whether you are allowed to do these things. It already knows that, because you've already configured it that way (you did this when you made an Admin user). What it's trying to determine is who's at the keyboard. What, pray tell, is the matter with this?

[Millennium]

Originally Posted by jon l. dawson

I'd only like to add that it isn't necessarily about who's at the computer, what about a backdoor, what about vnc that has been hacked, then someone could be controlling your admin desktop from remote. Better to have password protection as a last measure of security if that ever happens.

That's true, it's not just about who is at the computer. I'm using it as a real-world example, but also as a metaphor. mAxximo does not appear to get the metaphor part of things -not surprising, as he has yet to conceive of a 'user' as anything but a the machine's owner, sitting at a keyboard- but as an example it still holds true.

[jon l. dawson]

I can't believe this discussion is still going on. On a multiuser system, like OS X, having this type of security not only makes sense but it's necessary for the integrity of the system. I'm happy that it asks me for a password if there is another user logged in, sometimes I forget, it serves as a reminder, I can ask my girlfriend then "Hey, can I log you out, do you have anything you need to save?" If not, it's really trivial to just type my password in and be done with it. Of course, I like many others don't bother to shut down very often, and my system's performance does not degrade over days or even weeks that I keep it running for. I have it go to sleep after a few hours of inactivity, and the Mini barely uses much power to begin with.

It's just weird to see someone attacking a security policy that I'm grateful to have. It's a relief to have a desktop OS that is actually secure. You'll notice that newer Linux desktops have adopted this way of verifying administrator privileges before issuing a command that would affect other users. It's good to have that. I really dont see why you'd want to turn it off.

[mAxximo]

Originally Posted by Millennium

mAxximo does not appear to get the metaphor part of things -not surprising, as he has yet to conceive of a 'user' as anything but a the machine's owner, sitting at a keyboard- but as an example it still holds true.

You don't appear to get that I understand every bit of it, the problem is I think it sucks to be stuck with a security scheme conceived by computer geeks with a totally different purpose than personal computers in mind at a time when usability, convenience and user-friendliness weren't even on the map.
Security is great, the unix idea of it it's not.

[jon l. dawson]

Originally Posted by mAxximo

Security is great, the unix idea of it it's not.

You haven't offered a better solution. Removing the security is not my idea of more "user-friendly" security, because uh, then it ceases to exist.

[OreoCookie]

Originally Posted by mAxximo

You don't appear to get that I understand every bit of it, the problem is I think it sucks to be stuck with a security scheme conceived by computer geeks with a totally different purpose than personal computers in mind at a time when usability, convenience and user-friendliness weren't even on the map.
Security is great, the unix idea of it it's not.

Again, it's not unix, it's the basic idea of the Mac.

Create a bogus document in a random Mac app. Try to close the document without saving -- what button is preselected? Yes, it's the `safe' choice. Look at older versions of MacOS: it's the same.

It's not a computer scheme used by geeks, on the contrary. Things that are potentially dangerous are made more difficult, yes. But the other way around wouldn't make it easier for `average users', the way you propose things should be makes it easier for professionals and geeks.

If you want things to be `easier' look at the windows side. That's why even `secured' systems are hacked.

[Millennium]

Originally Posted by mAxximo

You don't appear to get that I understand every bit of it...

You consistently mistake authentication for authorization. This, in and of itself, unequivocally indicates a lack of understanding of the two most basic concepts in security. Without an underatanding of these two concepts, it is safe to assume that you understand nothing at all.

...the problem is I think it sucks to be stuck with a security scheme conceived by computer geeks with a totally different purpose than personal computers in mind at a time when usability, convenience and user-friendliness weren't even on the map.

The most important aspect of any feature is that it does what it's supposed to do. Usability, convenience, and user-friendliness are important concerns, but they are secondary concerns. Yes, even on the Mac.

Your insistence on "non-intrusive security", whereby you wish to be able to remove authentication from critical points, is unworkable. It is not secure, and it cannot be secure, because it leaves gaping holes. This is what you don't understand: what OSX has is the absolute minimum necessary for any semblance of security already. There is no gray area in between; we are at the bottom of the barrel, and the only way to get any lower is to get out of it, which nobody wants. Until you understand this, you are not qualified to complain.

What needs to be done is to retain the basic minimum concepts necessary for security, and this includes some form of authentication -not necessarily passwords, but some means of proving the identity of the person issuing the command- at every single sensitive action. It would seem logical that the way to make things "less intrusive" is to create "less intrusive" forms of authentication. I have mentioned two such forms above, including one which worked completely automatically with no need for a UI at all; from the user's perspective it would be as though it weren't even happenning, which should be enough to quell even your whining. However, I also pointed out flaws in each of these methods. This is not to say that passwords are perfect, but for general use they are better than the alternatives.

Can you think of a better method of authentication? Since you say you don't know much in this area -a claim that I wouldn't dream of disputing- then let's take it out of the context of computing, and break it down into terms that anyone can understand.

The hero of our story is a woman named Alice. Alice has a friend named Bob. One day, someone walks up to her and claims to be Bob. How can Alice know that this person really is Bob?

This question may sound absurdly simple, but bear with me and give me some answers. Don't hold any answers back; even something as simple as "just looking at him" could be considered a valid way of recognizing somebody. The thing is, this concept of "recognizing somebody" is a form of authentication. In looking at the way people recognize each other, we find ways that computers could recognize people. Surely this is how non-geeks would design this sort of thing?

As a concept, authentication is as ancient as sentience itself. The newborn puppy which recognizes its mother by smell is performing authentication just as surely as the guard who runs the President's ID card through reader.When you understand this, I think you will begin to understand security better.

Security is great, the unix idea of it it's not.

You have yet to show me anything better, or even point me in the general direction of anything better. Do keep in mind that your "usable security" has to be at least as effective as "unusable security" for it to even be worth the slightest consideration.

[leperkuhn]

Millennium, just give up. He's not going to understand any of it, because he's not reading what's written. These threads are getting really old.. there are over 300 posts here and so much of it is maxximo complaining because the computer has scaled beyond what he is used to.

What you really want is the computer to know that it's always you, and not to be bothered. Until the computer can verify that without the use of a password, you are going to be prompted for one. Maybe when you jack in, like the matrix, we can abandon passwords. till then.. it's really not a big deal, unless you install a few dozen programs every single day.

[rmongold]

I've read through the majority of this thread, and I'm not frankly sure what it is that some of these people are doing that requires so much authentication... The majority of the tasks I perform on my Mac, it just does without any pause. The only times I get prompted is when I'm installing some items (and really, only the ones with installers as the drag and drop installations don't ask me - unless the disc image in which they're packaged does). So, unless I spent a *huge* amount of time performing installations, where do the numbers come from?

As for the prompt for all logged-in user's passwords on shutdown, it's a necessary thing. That said, I do like the idea of being able to bypass it via some sort of "Saved State" feature whereby everything that any other user was doing is preserved and re-launched at the next startup (if the person who logs into the machine at the next startup is not the person who shut it down, the computer could load that user's saved state first with any other user states being loaded in the background so as not to negatively impact performance on the front-most user's applications). Once all that's done, you'd still need passwords to switch from user to user, so you're not compromising the security of the machine, you're just marrying the security with the convenience of not having to have all logged-in user's around to provide passwords when the computer needs to be restarted/shutdown.

[rmongold]

Originally Posted by leperkuhn

it's really not a big deal, unless you install a few dozen programs every single day.

Exactly what I was thinking.

[mAxximo]

Originally Posted by Millennium

You consistently mistake authentication for authorization. This, in and of itself, unequivocally indicates a lack of understanding of the two most basic concepts in security.

Stop being such a nerd and try to understand the basic concepts of what I'm trying to say.

Usability, convenience, and user-friendliness are important concerns, but they are secondary concerns. Yes, even on the Mac.

This, in and of itself, unequivocally indicates a lack of understanding of what it is a Mac.

[Chuckit]

Folks, please do not respond to whatever it is Max just said. He's obviously not interested in what you have to say. I've got him blocked, and you'd really be doing yourselves a favor by doing the same. I'm getting sick of flame wars.

[Don Pickett]

Originally Posted by mAxximo

Stop being such a nerd and try to understand the basic concepts of what I'm trying to say.

He understands them. It is you who do not understand the argument at hand. Your use of personal attacks pretty much underscores this.

This, in and of itself, unequivocally indicates a lack of understanding of what it is a Mac.

Please provide a source which back this up. Otherwise, it's just your opinion.

[Millennium]

Originally Posted by mAxximo

Stop being such a nerd and try to understand the basic concepts of what I'm trying to say.

Stop pretending to understand physics when you can't even tell me what matter is.

This, in and of itself, unequivocally indicates a lack of understanding of what it is a Mac.

Even on a Mac, ease of use was always secondary to making sure it worked (not necessarily that it worked well, but that it worked). The easiest computer in the world is worthless if it doesn't work.

Ease of use was always the top concern after this, but even on the Mac, people understood that a word processor had to be able to work with text, or it wasn't worth anything. Similarly, a security system has to be able to keep your system safe, or it's worthless. Everything they did was towards taking a word processor and making it as easy to use as possible, while still doing what needed done.

Security is like that. If it's not secure, then it doesn't matter how easy-to-use it is: it's worthless.

[mAxximo]

Originally Posted by Don Pickett

Your use of personal attacks pretty much underscores this.

I haven't seen you this worried when the centre of the attacks was me. Why would that be?

[OreoCookie]

Guys, I think we've seen the best of this discussion. I'm closing this thread for good. Enjoy your Friday. Have a beer, relax, and chill out.