
Long time gone and not coming back

It's been a long time since I posted here, and that's because I left Microsoft back in November of 2005. As I was no longer working in Windows Security I no longer had anything to say on this subject and I didn't feel like this was the right place for me to continue posting about User Experience.

I haven't restarted a "professional" blog at this point in time, but I have maintained a personal blog at Live Spaces where I might start posting User Experience related topics again - I've been working in the Online Casino Game industry since March 2007, which has a very different set of user experience challenges from Security (although there is, as you might expect, a certain amount of overlap).  If you see this, and liked what I have had to say in the past, feel free to check it out.

Signing Off,
Jenni

 

Posted by strawberryJAMM | 0 Comments

Customer Feedback Wicki for Windows Security Access Control

Hi folks.

My current position at Microsoft is as a Program Manager (PM) on the Security User Experience team in the Windows Security Access Control (WSAC) group.  I'm just posting this to mention a new set of Wiki pages at Channel9 that have been put in place.  WSAC is looking for customer feedback on the features in our areas of responsibility, especially as implemented in Windows Vista and (eventually) Windows Server codenamed Longhorn.

The home page of the set is at the following URL:  http://channel9.msdn.com/wiki/default.aspx/Channel9.WinSecurityAccessControlFeedback

WSAC's areas of responsibility are as follows:

  • Auditing, Authentication, Authorization - AAA
    • Audit
    • Audit Collection Services - ACS
    • Code Integrity
    • Process Isolation
    • Secure Input
    • Software Restriction Policy
    • Windows Security Protocols
    • User Account Protection - UAP (a.k.a. Least-privileged User Account - LUA; or Non-Admin)
    • XrML Technologies
  • Credential Management - CredMan
    • Electronic ID
    • Public Key Infrastructure - PKI
  • Cryptography - Crypto
    • Cryptography
    • Cryptographic Services
  • Information Protection Platform - IPP
    • Encrypting File System - EFS
    • Rights Management Services - RMS
  • Security User Experience - SecUX
    • Accessibility
    • Interaction Design
    • Interface Design
    • Usability
    • User Assistance/Help

So, if you have something to share about any of these features, especially if it's in relation to Beta1 of Windows Vista, please visit the URL above and leave us your comments.  We can't wait to hear what you have to say, so do it today!

Posted by strawberryJAMM | 0 Comments

Fear and Loathing in Las Seguridades (Security)

  Fear.  Anger.  Distrust.

  These will motivate users to change their behaviour when it comes to securing their computers.

  At least that's the way Frank Hayes sees it in his article "Fear, Anger, Distrust".

  Hayes discusses two surveys that came out last week: The Pew Internet & American Life Project on spyware and related problems, and a Ponemon Institute survey (reported on by Computerworld.com columnist Larry Ponemon) of 400 people who had had personal data leaked to the world.  While neither survey was intended to be about what makes users change what they do, Hayes gives us the numbers to show how fear, anger and distrust changed the behaviour of the studies' participants.

  Unfortunately, Hayes gently reminds us, relying on these particular motivators to change users' habits isn't the best idea:

<quote>

So users will change -- if they get afraid, angry or distrustful. That might be useful in getting them to stop doing risky, insecure things. But only if you make sure they're not afraid, angry or distrustful in your direction.

So threatening them with punishment for breaking security rules won't work. Neither will trying to force them to obey or lying to them. No wonder IT's standard techniques for getting users to behave always fail. They're exactly the wrong approach.

</quote>

  This, of course, begs the question:  "What is exactly the right approach?"  That's a tough one and even Hayes avoids answering it.  He does, however, offer a few additional insights "beyond fear, anger and distrust" gleaned from these two studies and then wraps up with the following:

<quote>

[N]ow that you know the strongest motivators of change for users, you want their fear, anger and distrust aimed squarely at security threats -- where they belong.

</quote>

  Read the article for the full meal deal.

______________________________

  So, just to be a bit silly, here's a "recipe" for the "right approach":

  • Start with what users like and toss in what users do
  • Pour in what users expect and what users need.
  • Mix well and sit in front of a usability study
  • Skim off any fear, anger and distrust
  • Bake iteratively over a release cycle and serve to millions.

;-)

  Any thoughts on "the right approach"?  Please leave a comment!

______________________________

PS: For the curious, "Las Seguridades" = "The Securities". ;-)

Posted by strawberryJAMM | 1 Comments

Usable Security - a new Usability and Security blog

Well, I'm a bit late to the party but that doesn't mean I can't still welcome Ping and his Usable Security blog to the intersection of User Experience Ave. and Security St. ;-)

It's nice to see someone else blogging in this area.  I look forward to reading through (and commenting on!) the posts and comments made about Usable Security since the first post on March 12, 2005.

Posted by strawberryJAMM | 1 Comments

Back in the Blogosphere

  To anyone who follows my blog, my apologies for the three month-ish absence.  Real life reared its ugly head and various circumstances of health, happiness and quality of life collided, thereby requiring that I take a short leave of absence from work.  During this time, I felt that it was also wise to keep all things work related at arm's length, and so I allowed this blog to languish.

  And now I'm back, and raring to go.  Expect me to start posting again very soon. :-)

--Jenni (aka strawberryJAMM)

Posted by strawberryJAMM | 0 Comments

mmmmmmmmmm..... This is not a Test. The World Is Flat. I Repeat, This is not a Test.... mmmmmmmmmm.....

Someone on a mailing list I'm on passed along the URL to the article "It's a Flat World, After All," by Thomas L. Friedman, author of "The World Is Flat: A Brief History of the Twenty-First Century," from which the article is adapted (and which is now on my list of "books to read").

Friedman has quite a lot of interesting things to say in his seven web pages about the current status of the globalization process that started when Columbus safely returned home (thereby proving the world was round). This event kicked off an era where countries were globalizing for resources and imperial conquest, followed by the industrial revolution starting an era where companies were globalizing for markets and labor, and led inexorably to the information era, where technology has "leveled the field" enabling individuals and small groups to globalize.

  Around about the third page of the article, Friedman poses the question "How did the world get flattened, and how did it happen so fast?" He follows that up with a list of 10 events and forces, that all occurred or came together during the 1990’s, converging right around 2000.  The first three world flatteners "created the new platform for collaboration":

  • Nov 9, 1989 – The Berlin Wall Comes Down (and Microsoft Windows 3.0 goes up)
  • Aug 9, 1995 – Netscape Goes Public (bringing the internet and the dot-com boom with it)
  • Workflow Revolution – Application to Application infrastructure (Enables outsourcing Y2K bug fixes to Indian engineers)

The next six world flatteners were the new ways in which individuals and companies could collaborate on work and share knowledge using the platform the first three created:

  • Outsourcing – work could be digitized, disaggregated and shifted to any place in the world where it could be done better and cheaper
  • Off-shoring – send the whole factory from Canton, Ohio, to Canton, China
  • Open-sourcing – whole new operating systems are written by engineers collaborating online and working for no pay.
  • Insourcing – let a company like UPS come inside my company and take over my logistics operations
  • Supply-chaining – create a global supply chain so efficient that when an item is sold in Arkansas, another is immediately made in China. (This is Wal-Mart’s specialty)
  • Informing – allow anyone to collaborate with, and mine, unlimited data all by themselves (This is Google, Yahoo and MSN Search)

  The tenth and final world flattener, he called "The Steroids":

  • Wireless and Voice over Internet Protocol (VoIP) – the other collaboration methods are turbocharged: you can now do any one of them, from anywhere, with any device

  Friedman follows up his discussion of these ten "World Flatteners" with the following quote:

<quote>

The world got flat when all 10 of these flatteners converged around the year 2000. This created a global, Web-enabled playing field that allows for multiple forms of collaboration on research and work in real time, without regard to geography, distance or, in the near future, even language. ''It is the creation of this platform, with these unique attributes, that is the truly important sustainable breakthrough that made what you call the flattening of the world possible,'' said Craig Mundie, the chief technical officer of Microsoft.

</quote>

  As if the leveling of the playing field was not enough on its own, Friedman points out another convergence that occurred at roughly the same time: The three billion new players who walked, and often ran, from the sidelines and straight into the game.  That is, all the people of China, India, Russia, Eastern Europe, Latin America and Central Asia who were suddenly no longer restricted from joining the free market after their economies and political systems opened up during the course of the 1990's.

  Friedman does go on to note that not everyone has access to this platform yet, but more people have access to it in more places on more days than ever before, and the numbers are only increasing across the board with time.  What I found particularly interesting was his and others' thoughts that the so-called "IT Revolution" of the past 20 years was nothing more than the warm-up act – the first steps that forged, sharpened and distributed all the tools the world needed to collaborate and connect.  The main act is only just beginning as we move on into the era where technology REALLY transforms every aspect of business, government, society and life.

  Another quote that caught my attention:

<quote>

When the world is flat, you can innovate without having to emigrate. This is going to get interesting. We are about to see creative destruction on steroids.

</quote>

This got me thinking about how this trend is already changing immigration patterns into countries like the USA and Canada.  There are tough requirements in these countries around who they will allow a company to bring in to work – ostensibly to protect their own citizens from the risk of losing job opportunities to someone from another country. But, what happens when the companies really do not need to bring the people in to the country to get the work done? When the better educated, gung-ho people are not here but there? The jobs will be lost just the same – in fact, even more so. There are, of course, rules and regulations regarding what kind of offshore holdings a company can legally have, or how much offsite consulting they can legally utilize, but I wonder if, in the long run, this kind of locked down policing of global employment will do more harm than good?

  You can already see this happening with help lines – you are more likely to get someone with a "friendly Indian lilt" answering your request for help, especially outside of North American working hours (8am EST to 6pm PST), than someone living closer to home, when you call a 24/7 help line. Even at Microsoft, we have staff working our internal corporate technical help desk lines in India in addition to staff in Denver, Colorado and some city in California. Truthfully, it does make sense – over there, they are just waking up while, over here, it's after dinner and we're just trying to download our email or copy a document off of the corporate network. Why hire people to work a "graveyard shift" when there are humans who can do the work as a "morning shift"?

Another quote, this one from Rajesh Rao, a young Indian Entrepreneur that Friedman spoke with, digs into the issue much more deeply:

<quote>

There is no time to rest. That is gone. There are dozens of people who are doing the same thing you are doing, and they are trying to do it better. It is like water in a tray: you shake it, and it will find the path of least resistance. That is what is going to happen to so many jobs – they will go to that corner of the world where there is the least resistance and the most opportunity.

...

[Americans and Western Europeans would] be better off thinking about how you can raise your bar and raise yourselves into doing something better. Americans have consistently led in innovation over the last century. Americans whining -- we have never seen that before.

</quote>

As Friedman says, "This is Not a Test" – it is time for the United States (and its cadres) to wake up and take a good long look at the other kids on the playground and in the classrooms. It will not be long before just getting by, by doing what has always been done and always worked, will not even get a "Satisfactory" grade from the World-at-Large.

<quote>

We need to get going immediately. It takes 15 years to train a good engineer, because, ladies and gentlemen, this really is rocket science. So parents, throw away the Game Boy, turn off the television and get your kids to work. There is no sugar-coating this: in a flat world, every individual is going to have to run a little faster if he or she wants to advance his or her standard of living. When I was growing up, my parents used to say to me, "Tom, finish your dinner -- people in China are starving." But after sailing to the edges of the flat world for a year, I am now telling my own daughters, "Girls, finish your homework -- people in China and India are starving for your jobs."

</quote>

  I don’t know about you, but I’m already sitting on the edge of my seat, popcorn and a Coca-Cola in hand.  The previews have ended, the digital sound check is just fading away, and the movie studio logo is rolling. In the next 10 to 20 years, there is going to be a spectacular, mind-blowing show unfolding around us. I sure wouldn’t miss this for anything in the world. Besides, I have a vested interest – I am expecting to write a line or two of the screenplay after all. ;-D

--
Jenni A. M. Merrifield =:= strawberryJAMM

Posted by strawberryJAMM | 0 Comments

LUA in the News

There's an article at infoworld talking about LUA in Longhorn - check it out: http://www.infoworld.com/article/05/04/06/HNfewerpermissions_1.html
Posted by strawberryJAMM | 0 Comments

strawberryJAMM moves to Blogs @ TechNet

So, the proverbial cat is out of the bag - Microsoft has opened up blogs.technet.com, giving Microsoftie bloggers with more of an IT Pro focus than a Developer focus a place to call their own.  Since I tend towards the former more than the latter, my blog is now over on TechNet, effective immediately.

Although redirects will be left in place so that old  links and RSS feeds will continue to work, if you want to update the ol' favourites and page links all you should need to do is replace the "msdn" in the server name with "technet".  The same should be true for RSS feeds, plus there's an ATOM feed available now too.  In any case, here are all the relevant URLs:

Jenni

Adobe Photoshop CS activation doesn't play well with LUA

Arrggggg!!! The longer I run as LUA, the more and more I feel the pain.  I'm so glad we're working to improve this situation in Longhorn.

Last weekend I upgraded from Adobe Photoshop 6 to Photoshop CS.  With Photoshop CS you are now required to "activate" the product within 30 days.  Since this was a new, legitimate version of the software, purchased for work use, I decided to go through the activation process during the installation process (which was, of course, run under MakeMeAdmin).

Then I tried to launch my newly installed Photoshop CS ("Woohoo!  Play time!") only to receive the following error message:

Title: Program Activation
Message: Current user account does not have the privileges to perform product activation. Run this application from a user account with administrative privileges or contact your system administrator.

[underline added for emphasis]

Clicking "OK", of course, closed the error message and closed Photoshop CS.

Just in case I mis-remembered saying "yes" to activation during installation, I tried running Photoshop CS again under MakeMeAdmin: The program launches with no problems, doesn't ask me to activate and the "Help>Activate..." menu item is disabled.  OK, great - the application is definitely activated now.  I close the application and try again as LUA - the same error appears.  ("Grrrrrr...")  I decide to be sure I've covered all my bases and try running under the local admin account (program runs, no activation request, disabled activation menu item) then go back to LUA again (same error again).

In what I actually expect to end up as a wild goose chase, I hit the new MSN search engine with the terms "Photoshop CS" activation windows, and, variously, non-admin, lua, problem, error, and troubleshoot.  This eventually leads me to a KB article at Adobe's support site titled Troubleshoot Activation Errors (Photoshop CS on Windows).  Although it is focused more on problems arising when/if Photoshop CS demands a re-activation, it actually contained one useful tidbit of information, located under the "Advanced Troubleshooting" section (the only other item in "Advanced Troubleshooting" is "Reformat your drive and install only windows and Photoshop CS..." =-O)

5. Set the Adobe LM Service to start automatically.

1. Log in to the computer as administrator.

2. Choose Start > Settings > Control Panel.

3. Double-click Administrative Tools and then double-click Services.

4. Right-click Adobe LM Service and choose Properties.

5. Choose Automatic from the Startup Type pop-up menu.

6. Restart the computer and then start Photoshop to try to activate it again.

"Hm," I think to myself, "I bet the application is trying to start and stop this service every time it launches.  If I set the service to automatic, as suggested, then it will start on its own and the activation check should go through under LUA."  So I tried it and ... Hallelujah, it worked!  Hooray!  A workaround!!

There is, of course, one downside -- the service is now always on in the background, completely unnecessarily, using 1,684K of my computer's memory.  This is a fairly small price to pay, I suppose, but it still irks me.  One other way to resolve the issue and get around this downside is to leave the service set to Manual, then, before launching Photoshop CS, use RunAs to launch the services management tool under a local administrator account and start the service.  Then, once Photoshop CS is up and running, stop the service and close the services management tool. This removes the ~1.5M drag on memory, but requires me to remember to do an additional four steps when I need to open the application -- open services management as Admin, start service, {open Photoshop}, stop service, close services management.  This actually annoys me more than the memory drag irks me, so I left the service on Automatic.  (It should actually be possible to write a script that would automate the process, I'll have to give that some further thought...)
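The automation mused about above, as an added example that is not part of the original post or of Adobe's KB article: a cmd batch script that starts the Adobe LM Service under a local administrator account via RunAs, launches Photoshop CS as the ordinary (LUA) user, and stops the service again when Photoshop exits, so the service is resident only while the application is open rather than all the time. The administrator account name (localadmin), the Photoshop install path and the polling loop are assumptions; the service name is the one the KB article names.

```batch
@echo off
rem Added example, not from the original post. Starts the Adobe LM Service
rem with an admin token (RunAs), runs Photoshop CS as the current LUA user,
rem and stops the service once Photoshop exits.
rem Assumptions (not stated in the post): the local admin account is named
rem "localadmin" and Photoshop CS is installed in the default path below.
setlocal

set ADMIN_USER=localadmin
set SERVICE_NAME=Adobe LM Service
set PHOTOSHOP_EXE=C:\Program Files\Adobe\Photoshop CS\Photoshop.exe

rem 1. Start the service under the admin account. RunAs prompts for the
rem    password on the console; everything else in this script runs as LUA.
runas /user:%ADMIN_USER% "sc start \"%SERVICE_NAME%\""
if errorlevel 1 (
    echo Could not start "%SERVICE_NAME%" as %ADMIN_USER%.
    exit /b 1
)

rem 2. "sc start" returns as soon as the start request is accepted, so poll
rem    "sc query" (which a LUA user may run) until the service is RUNNING.
set /a TRIES=0
:waitloop
sc query "%SERVICE_NAME%" | find "RUNNING" >nul
if not errorlevel 1 goto launch
set /a TRIES+=1
if %TRIES% GEQ 30 (
    echo "%SERVICE_NAME%" did not reach the RUNNING state.
    exit /b 1
)
ping -n 2 127.0.0.1 >nul
goto waitloop

:launch
rem 3. Launch Photoshop as the ordinary user and wait for it to exit.
start "" /wait "%PHOTOSHOP_EXE%"

rem 4. Stop the service so it is not left using memory in the background.
runas /user:%ADMIN_USER% "sc stop \"%SERVICE_NAME%\""
endlocal
```

Run it from a cmd window under the LUA account; RunAs asks for the admin password twice, once to start the service and once to stop it. The `ping -n 2 127.0.0.1` line is the usual batch-file way of pausing for about a second between polls.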

In the end, I'm flabbergasted that this issue exists in the first place.  Why on earth should anyone have to run a Graphics Application as an Administrator just so it can confirm that an activation process has already been completed?  Obviously Adobe set the service to manual so that it would only run when required but this has brought us to this completely ridiculous situation.  There are other ways to confirm a successful activation process that don't need a {beep}-ing SERVICE!  And while I know software piracy is a big problem in the industry that hurts the bottom line of software companies around the world, for heaven's sake even Windows is happy enough once activation has been completed.

Longhorn is coming folks, and that will increase the amount of LUA users out there.  If you're a company that develops software for average users, make sure your developers and testers are familiar with techniques for developing and testing under LUA, and make them use them.

Jenni

ASIDE: Since upgrading Photoshop also upgrades ImageReady, a companion web-graphics oriented application, and I also upgraded from Illustrator 10 to Illustrator CS, I immediately also checked out both of those applications under LUA.  To my utter amazement, they both run just fine -- neither appears to require a similar activation process.
=JAMM

Posted by strawberryJAMM | 4 Comments

Internet Explorer 7

Today, in his keynote for the 2005 RSA conference, Bill Gates announced, among other things, that Microsoft would be releasing a new version of Internet Explorer for the XP SP2 platform.  Internet Explorer 7 (IE7) is expected to continue with advancements already in Windows XP SP2 by adding additional security to the platform while still maintaining its current levels of extensibility and compatibility.  Betas are expected to be sometime this summer.

Here are a few related links:

This is a Good Thing(TM), and I think Dean, from the IE Team, puts it best in his "IE Blog" post about the IE7 announcement:

[The IE Team is] committing to deliver a new version of Internet Explorer for Windows XP customers. Betas of IE7 will be available this summer. This new release will build on the work we did in Windows XP SP2 and (among other things) go further to defend users from phishing as well as deceptive or malicious software.

Why? Because we listened to customers, analysts, and business partners. We heard a clear message: “Yes, XP SP2 makes the situation better. We want more, sooner. We want security on top of the compatibility and extensibility IE gives us, and we want it on XP. Microsoft, show us your commitment.”

I think of today’s announcement as a clear statement back to our customers: “Hey, Microsoft heard you. We’re committing.”

The only thing that I'd still like to know myself is whether IE7 will bring with it improved support for open standards such as CSS, XHTML, PNG, SVG, MathML, &c in addition to improved security.  And it looks like I'm not the only one either, based on a quick scan of the first ten or fifteen comments to Dean's post.  I think I'll have to skim through them (there are 354 as of 4:47pm PST) to see if Dean or anyone else on the IE team has responded to the queries from my "creative" kith and kin.

Posted by strawberryJAMM | 9 Comments

Geo-Blog - Where Blogs Meet Maps and Location

my blogmap

At BlogMap you can geo-code your blog by entering a primary city, zip/postal code, country and your blog feed URL.  Then you can link to your own BlogMap or display it as an inline image (you should be able to see a blog map for this blog just to the right of this paragraph) using a fairly simple URL!

Very cool, if you ask me. :-)

[edit: link correction, plus added break to clear past right float image]

Posted by strawberryJAMM | 1 Comments

A New Wiki for the LUA / Non-Admin community

Well, isn't this nice.  The "least-privileged user" concept with Windows is slowly picking up speed and getting ready to take off - come check out the new Non-Admin Wiki that was just launched by Jonathan Hardwick.

(Wikis are great - now those of us who champion the principle of Least-Privilege on Windows can get our collective wisdom into one place and give others a place to find out what to do and how to become a true "LUA Believer".  Soon everyone will be doing it - so why not jump in now so you can claim to be one of the first, the proud, the NON-ADMINS!)

[edit: added a link to Jonathan's Blog]

--
Jenni A. M. Merrifield == strawberryJAMM


Now playing: "New Trees at Knockaun" by "Triona Ní Dhomhnaill" in Windows Media Player 10.

Posted by strawberryJAMM | 1 Comments

Least-Privileged Users, Add/Remove Programs and System Management Server

  I just found out something very interesting related to Least-Privileged User Accounts and software installations that are pushed out to enterprise employees using Systems Management Server (SMS), where they show up in the "Add New Programs" view of the Add/Remove Programs (ARP) control panel applet.  It turns out that, for any installation published in this manner, the installing user doesn't have to be an Admin to successfully install the application.  Anything that appears in this list will successfully install even if the installing user is running as LUA!
 
  Personally, I couldn't believe this was true when I first heard it, so I had to immediately open ARP while running as LUA, click on "Add New Programs" and look for something that Microsoft's IT Group pushed out that I didn't already have installed ("WinZip 7.0" in my case).  Lo' and behold, the installation worked without a hitch!
 
  What an improvement to the user experience - previously, I've used MakeMeAdmin and then launched ARP from the cmd window (type "appwiz.cpl" and hit enter).  This opened ARP with an ADMIN token under my credentials, thereby allowing me to see the published applications (launching it using runas /u:localadmin didn't work because the localadmin doesn't have rights to see what is published on the MSFT corpnet!).  But now -- now I can install the applications without being an admin, so I can just open ARP, select "Add New Applications" and voilà! 
 
  Apparently the argument for this behaviour is that since everything published using SMS has been explicitly approved for use in the company by the enterprise's IT department, LUA users should be allowed to install them.  That makes sense and, besides, anything that improves the LUA experience is fine by me. ;-)
 
Edit:
 
A colleague on an internal discussion list for Non-Admins has brought to my attention that there is more than one way to populate the Add/Remove Programs interface, and not all of them support elevated privilege installs.  However, what I say above is still correct in that anything published through SMS does support them.
Posted by strawberryJAMM | (Comments Off)

"Using a Least-Privileged User Account" OR "Woohoo, I've been published on microsoft.com!"

  Well, not to toot my own horn too loudly, but I've had my first external facing document, Using a Least-Privileged User Account (LUA), published on TechNet as part of the monthly Microsoft Security Newsletter for January 2005.  This newsletter is considered the authoritative information source for understanding the Microsoft security strategy and priorities and is written for IT professionals, developers, and business managers.

  The article is fairly brief and just quickly touches on a few of the key issues around the principle of "least-privilege".  Anyone who has been a victim of viruses, worms, and other malicious software (malware) should appreciate this principle - after all, if all processes ran with the smallest set of privileges needed to perform the user's tasks, it would be more difficult for malicious and annoying software to infect a machine and propagate to other machines.  Unfortunately, successfully taking advantage of this principle as a method of defence against external attacks by setting up LUA accounts for daily use is not at all straightforward so my article discusses some of these pitfalls and then points readers to some very useful resource sites to help with this process.

  Please take a moment to read my article and, if you do, consider leaving a comment or sending email to our feedback alias (lua-qa@microsoft.com) with your thoughts about the article or around the principle of "least-privilege" in general.

Posted by strawberryJAMM | 2 Comments