User Access Control security flaw in Windows 7 beta

Sacrificing security for usability: UAC security flaw in Windows 7 beta:

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

Whoops. This one is a bit of a showstopper. I’m very happy with the re-imagined User Access Control in Windows 7 (I believe it’s pretty much what it should have been in Vista) but this definitely needs fixed. I agree completely with Long Zheng’s proposed solution:

Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click “yes”) but a simple one.

(Via I Started Something.)
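
An added example (not from the original post or from Long Zheng's article): a PowerShell check that reads the standard UAC policy values from the registry and reports which level a machine is at, so that a silent change of the kind described above shows up in an audit. The level names it prints are labels chosen for this example.

```powershell
# Added example: report the local UAC level from the standard policy values.
# Level names ('AlwaysNotify', 'Default', ...) are labels chosen for this example.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value means the state cannot be classified; do not guess.
    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin -or
        $null -eq $PromptOnSecureDesktop) { return 'Unknown' }

    if ($EnableLUA -eq 0) { return 'Disabled' }    # UAC switched off entirely

    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'NeverNotify' }                 # elevate without prompting
        2 {                                        # consent prompt for every elevation
            if ($PromptOnSecureDesktop -eq 1) { return 'AlwaysNotify' }
            return 'AlwaysNotify-NoSecureDesktop'
        }
        5 {                                        # consent prompt for non-Windows binaries only
            if ($PromptOnSecureDesktop -eq 1) { return 'Default' }
            return 'Default-NoSecureDesktop'
        }
        default { return "Other($ConsentPromptBehaviorAdmin)" }
    }
}

# Reading this key does not require elevation.
$p = Get-ItemProperty -Path $UacKey
$level = Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop

# Emit the raw values alongside the label so the result can be logged or compared.
[pscustomobject]@{
    Computer                   = $env:COMPUTERNAME
    UacLevel                   = $level
    EnableLUA                  = $p.EnableLUA
    ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
}

# Flag anything other than the highest level for review.
if ($level -ne 'AlwaysNotify') {
    Write-Warning "UAC level is '$level', not 'AlwaysNotify'; confirm this was set deliberately."
}
```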

When Spellcheckers go bad

Skinflints error prompts apology:

First Bus has apologised to residents of a Falkirk village after wrongly labelling it Skinflints on timetables.
The error was made for buses travelling to Skinflats, near Grangemouth, which has a population of about 350.

I was brought up about three miles from there. OK, it’s a depressing place — flat as a pancake on a river estuary, housing stock pretty much all from the 1930s. But the people are fine!

(Via BBC News.)

Windows 7 can be added to domains offline!

I have been waiting for this to happen for twelve years, ever since my first multiple-thousand-seat Windows desktop rollout — Windows 7 (and Windows Server 2008 R2) can be added to domains without physically being connected to that domain over a network.

This is done with a new command — djoin.exe — added into these products. It’s used (on an existing machine in the domain) to generate a block of information in a file, that can be used on another machine to automatically join the domain without being connected at that time.

This is fantastically useful for anyone performing big corporate rollouts – where it’s not always possible to build the machines in situ. Any consultancy working on a build-and-customise desktop project for a client is going to absolutely love this.

Found on

Flower: Zen Gaming

Here’s a bit of Wednesday beauty for you:

Custom trailer for the game put together by a YouTube user set to “Gold in the Air of Summer” by Kings of Convenience

Flower is the sort of game that appeals to me. It’s beautiful. It’s simple. And it’s the antithesis of adrenaline-pumping must-fight must-win games —

Joystiq writes: “The premise is simple. You are a gust of wind inside a flower’s dream and you must carry petals to other flowers in order to progress to the end of the level. There’s no time limit, no hazards, no points system and, really, no way to fail.”

Flower is set for release in early February.

(Via towleroad.)

Cameron promises to publish all UFO files

Cameron promises to publish all UFO files:

Tory leader David Cameron has vowed to publish any secret files that may exist on UFOs if he becomes prime minister.

Of course, when he doesn’t (because there are none) or if there are redactions (for obvious reasons) or even if they say that there are no sightings that don’t have at least a plausible scientific explanation, he’ll be accused of a cover-up.

Is there nothing this man won’t promise in order to get elected?

(Via The Glasgow Herald.)

Department of Judge not, lest ye be Judged

Creationists Tell Sir David Attenborough To Burn In Hell:

Telling the magazine [the Radio Times] that he was also asked why he did not give “credit” to the Lord, Sir David continued: “They always mean beautiful things like hummingbirds.

I always reply by saying that I think of a little child in East Africa with a worm burrowing through his eyeball.

The worm cannot live in any other way, except by burrowing through eyeballs.

I find that hard to reconcile with the notion of a divine and benevolent creator.”

I do, too.

(Via The Glasgow Herald.)