

It was shown on the Microsoft Bob sign-in page that anyone can change any user's password (then optionally enter their account), add, remove, and "reinstate" user accounts -- before even signing in to Microsoft Bob. That is frightening enough.
But now, take a look at even more potential havoc that can be wreaked once a person has signed in to Microsoft Bob....
Bob's "Security"
Unlike Windows 95 and Windows NT, whose security can be set up so users can have separate desktop setups that can't be accessed by other user accounts, the "rooms" in Microsoft Bob's "home" are shared by default, meaning any user can enter any room. That sharing allows all the users to add, modify, or delete program items and/or room "decorations" -- or even delete the room itself (except for the Public Family Room)! If a user makes changes to a room, those changes are seen by all other users. One person could set up the room one way, then another could log in and change it. The first user would return to find the room altered to the second user's arrangement. There are no controls in place to stop any user from altering a shared room -- except making the shared room password protected or private to one user. Then, of course, the room is no longer shared.

Microsoft Bob was designed to let you make copies of rooms for private or shared use. Bob's utopian concept is that you are supposed to be a "good" user and only make private or password protected copies of rooms for your personal use, which you can modify to your liking, and leave the shared rooms alone for all to use -- unfettered and unaltered. That's all nice and well, but what kind of a world do we really live in?

Microsoft Bob also allows the default shared rooms, except for the "Public Family Room," to be made private as well -- by anyone and with no restrictions -- meaning none of the other users can access a room unless the user who made it private changes it back to a shared room. Those same shared rooms can also be password protected to allow access only to those with the password. But worse still, those rooms can be deleted as well.

Even more serious, Microsoft Bob's security is "first come, first serve." In other words, a user could log in to Bob for the first time and "steal" one or all of the default shared rooms, except the Public Family Room. Subsequent users would have no access to those rooms. Or, the first user could log in and password protect one or all of the rooms, again, except the Public Family Room, and force all the other users to enter a password to access those rooms. Consequently, a second user could use a password to enter a room, then change the password to have control of the room for themselves -- locking out the original user who password protected it. A third user could gain access to the new password and delete the room so the second user couldn't have it.

And what is perhaps the greatest lapse in Microsoft Bob's security is that anyone can log in as Guest and lock out all the other users from one or all available shared rooms, except the Public Family Room, by making them private or password protecting them. Worse yet, anyone can log in as Guest and delete those shared rooms -- no login user account required.

While nobody can lock out the Public Family Room, every user has the ability to make changes to the contents in it. One user can move a chair. A second user can move it back to its original position. A third user can delete the chair and replace it with a different chair. The first user can delete the different chair and put the original back. A fourth user can delete all the program items in the room. A fifth user can add ten different programs outside of Microsoft Bob. The second user can reset the room to its default state. And on and on it goes....

The "chaos" even two users can create in Microsoft Bob is frightening enough, but what is amazing is that Microsoft Bob makes no provision for an "administrator" account to manage, override, or prevent users from doing the very things it is trying to prevent by having security in the first place. Microsoft Bob plainly states in the graphic above, "Note: If a room isn't listed, someone has deleted it from the home or excluded you by making it private." There is no security administration at all in Microsoft Bob. Two users could make using Microsoft Bob a sheer nightmare. Can you imagine ten or more users in the same "home"? If you cannot have control over user security in a system, what is the point of having user accounts? Do you feel "secure" with Bob?
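
The room rules described above, modelled as an added example (this is not Microsoft Bob code and not part of the original article). `bob_policy` encodes the behaviour the article reports, `hardened_policy` is an assumed owner-or-administrator check for comparison, and the user names, room names, passwords and the `OWNERS` table are constructed.

```python
from dataclasses import dataclass

PUBLIC = "Public Family Room"
LOCKING = {"make_private", "set_password", "delete"}
OWNERS = {"Ann's Study": "Ann"}  # assumed: a private copy records who made it

@dataclass
class Room:
    name: str
    owner: str = ""        # consulted only by the hardened policy
    private_to: str = ""   # "" means shared
    password: str = ""     # "" means no password
    deleted: bool = False

def can_enter(room, user, pw=""):
    open_to_all = not room.private_to and room.password in ("", pw)
    return not room.deleted and (room.private_to == user or open_to_all)

def bob_policy(room, user, action, pw=""):
    # As the article describes it: no owner, no administrator, Guest included.
    return not (room.name == PUBLIC and action in LOCKING) and can_enter(room, user, pw)

def hardened_policy(room, user, action, pw="", admins=("admin",)):
    # Assumed fix: locking or deleting needs the room's owner or an administrator.
    if action not in LOCKING:
        return can_enter(room, user, pw)
    return room.name != PUBLIC and not room.deleted and (user in admins or room.owner == user)

def replay(policy, steps):  # steps: (user, room, action, known_pw, new_pw)
    rooms, log = {}, []
    for user, name, action, pw, new_pw in steps:
        room = rooms.setdefault(name, Room(name, owner=OWNERS.get(name, "")))
        allowed = policy(room, user, action, pw)
        log.append(allowed)
        if allowed and action == "make_private":
            room.private_to = user
        elif allowed and action == "set_password":
            room.password = new_pw
        elif allowed and action == "delete":
            room.deleted = True
    return log

STEPS = [  # constructed sequence following the article; user and room names are made up
    ("Guest", "Study", "make_private", "", ""),
    ("Ann", "Study", "enter", "", ""),
    ("Ann", "Ann's Study", "set_password", "", "a1"),
    ("Ben", "Ann's Study", "set_password", "a1", "b2"),
    ("Ann", "Ann's Study", "enter", "a1", ""),
    ("Cat", "Ann's Study", "delete", "b2", ""),
    ("Guest", PUBLIC, "delete", "", "")]
```

`replay(bob_policy, STEPS)` and `replay(hardened_policy, STEPS)` return one allow/deny flag per step, so the two lists can be compared side by side to see which steps an ownership check would have stopped.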