Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> The software install is to unlock optional features on the device, and that can be done after the user has authenticated to the host and gone through a security elevation prompt.

That's not true. It may help you to watch the video.

The user was authenticated as a regular logged-in user. It was the driver installation that had elevated rights as SYSTEM, and there was no security elevation prompt.



Yeah, that's my point. There should be no automatic rights elevation. Adding a driver should require a prompt, period.

I assume the mouse driver only bypasses it because it wants to have the driver installed before the user has logged in.


I'm reading the "can" here as normative, i.e. because the optional stuff CAN be done after auth, it SHOULD be restricted to being done only after auth.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: