[YaBa]

He's wrong. We do need an expert mode, at least to remove UAC in a simple way and allow us to mess around at will.

Let's see, UAC is nice for your grandmother who might click on something that it shouldn't, yet, we, advanced users are constantly annoyed by those cof,cof "security" features who get in the way when doing something.

Yet, your grandmother will eventually get ransomware or malware despite the UAC and other features, so, what's the point!??!

At the moment I just remember UAC, but there are plenty of features that we want to turn off with a simple button and we can't, unless we play around with the registry or 3rd party apps.

And this is why power users love Linux, we can do whatever we want, if we break it, it's fine and we can learn with it. At this rate, your computer will no longer be "your" computer, Microsoft will own it and you will like it.

[mschuster91]

> Let's see, UAC is nice for your grandmother who might click on something that it shouldn't, yet, we, advanced users are constantly annoyed by those cof,cof "security" features who get in the way when doing something.

Even for us power users, we might hit some drive-by exploit, a friend might send us something that got wormed or whatever. And now, unless that malware comes with a UAC bypass/privilege escalation exploit which is worth millions of dollars, we get an unexpected UAC prompt and have a chance to stop a minute and actually notice that something is Not Right.

[hun3]

> drive-by exploit

It's worth noting that UAC is not a security boundary[1]. Sure, a safeguard mechanism, but not a security feature against stealth rootkits trying to escalate from non-privileged environment.

[1]: https://security.stackexchange.com/questions/189491/microsof...

[dist-epoch]

Unfortunately as more and more software is installed only for the user (in AppData), the malware can just infect a binary from there (Chrome, Discord, VS Code, ....)

[josephg]

Yeah - I’ve had this rant more times than I can count. Modern PC security is stupid because it protects users from other users (what other users?) but it doesn’t protect users from bad software they run on their own account. When the computer only has 1 user anyway, there isn’t much practical difference between the root user and my user account. But the elephant in the room is software supply chain attacks and malware. The fact any program I run can do anything it wants with all my files is ridiculous and appalling.

Phones get it right. The Facebook app on my phone can’t read Gmail’s data. And Gmail can’t access my photos without permission. On desktop any program can read or write to any of my files. And my files - photos, work, code - matter a lot more to me than anything my OS works hard to protect.

There’s no good technical reason, either. It’s a problem of pure inertia.

[vondur]

Apple kind of does this with the MacOS now. It will continuously ask you for each app to give it permissions to specific folders (downloads, home directory) plus can the app use the camera, the microphone etc.. I feel like most people blindly just tap yes to get it out of the way and use the app they just installed.

[josephg]

Its certainly a start.

People like to hate on the permission dialog boxes on MacOS - but each app only needs to ask you once for permission. I don't think I've seen one of these dialog boxes for months. And they add a remarkably large amount of security to the overall system given how little they inconvenience users in the steady state of system execution.

But they're a very coarse brush. Once an application has permission to access some folder, it can do anything it wants there. And only certain folders and permissions are protected. (I think any app can read / write any data in ~/Library).

I think the desktop security environment would work extremely differently if it were designed today. I'd love to see more people experimenting with ideas.

[malfist]

Another example, for the love of God, let me disable windows defender without jumping through a bunch of hoops or installing another antivirus.

[RunSet]

https://www.sordum.org/9480/defender-control-v2-1/

[dist-epoch]

UAC is the Windows equivalent of sudo.

Do you disable sudo on your Linux box or run everything as root?

[YaBa]

Not really, you use sudo when needed, at your will, not when Linux thinks you need it. I can just setuid some executable, how do you do it with Windows?

[Longhanks]

You can absolutely log in as root and run anything with no questions asked.

Where’s that login for windows for those who want that?

[jkrejcha]

You can login as Administrator if you enable the user account. You can also just turn admin approval mode to "never ask" in the Control Panel.

While you can't login as SYSTEM (since it's not really a user account), you can trivially open a shell under it's account (and you can do everything you need as an administrator anyway, so there's really no point).

[RulerOf]

I used to use a PowerShell snippet for adding SeBackupPrivilege and SeRestorePrivilege to an app or explorer window. That will let you read/write anywhere on disk.