Day by Day Daily Cartoon by Chris Muir

The Mad Scientist... Mwahahahahahahahaha

Tuesday, January 13, 2009

Windows Vista and Jesus Christ

Hah! Betcha you didn't think I could write something coherent about the two subjects, right? Well, I can and I will. But first, some background.

One of the things that people get seriously flustered (and frustrated) about the Christian view (or doctrine) towards Jesus is our insistence that He is dual-natured; both fully God and fully Man (at the same time, but that goes without saying). Some claim He is merely a man (Muslims, you know), others that He is 'only' God (Arians come to mind). Still others say He's half/half. Hmm. Sorta biracial, you might say. Homo sapiens and Theos omnipoten, so to speak. We'll get back to that.

Moving now to the security models adopted by operating systems (and you may see why these security models are needed and how they came to be). in Unix and Unix-based (POSIX) systems, there are two kinds of users; root (superuser) and user. Remember that Unix came about on mainframes and dumb terminals; the root was the administrator and basically did all the systems work, and the users were the ones who ran programs and did their work on the computer. In Unix, it was an all-or-nothing scenario; either you were an ordinary user, or you were root.

The Microsoft approach in MS-DOS, Windows 3.x, and on through the 9x series to Windows ME was different. Because these operating systems ran on Personal Computers (PCs), the concept of root and user had absolutely no meaning, and no distinction was made. In fact, in MS-DOS, you had absolute freedom to do just about anything and everything you wanted.

Windows NT and its successors (Win2K, WinXP, Vista, Win2k3, etc etc etc) supported a more flexible security model. There are several different kinds of actions supported by every 'thing' (or object), and the combination of whether you were allowed to perform certain specific actions determined your security level. This allowed for a more granular control over which user can do what, although in the home, usually it amounted to the Unix model of having 'root' (called Administrator) and 'user' (called Limited User). In the corporate environment, it is possible to be much more fine-grained.

Now, you can probably tell what the shortcomings of the first two approaches were, and why I prefer the NT security model. Unfortunately, because a large number of people moved to Windows 2000 from Windows 9x, which made no security decisions and pretty much amounted to the 'Administrator' security level, a large number of applications made underlying assumptions that only held true if they maintained themselves at that level. Hence, even in Windows XP, if you switched to being a Limited User, oh so many programs got screwed.

In Windows Vista, Microsoft tried to change the way in which Windows worked, so that it was practical to run as Limited User and programs did not break. A lot of very interesting (and to me at least, clever) tricks were pulled off to make this happen, but I am only interested in one scenario; where you ran as a member of the Administrators group.

Strangely enough, in the usual way of things, you were a Limited User. You were given all the protections (and limitations) of the Limited User group... until you needed to do something only Administrators can do. At this point, Windows sort of stops everything and asks you whether you were sure you wanted to do something Administrator-ish. Once you said yes, Windows went ahead and did it, and then bang! you're went back to being still mostly protected as a Limited User. The difference between this and running explicitly as a Limited User is that as a Limited User, you needed to call upon a member of the Administrator group (or know the password, which is the same thing) - in this case, you're using your own authority. Doing something Administrator-ish is called elevating your rights, and when Windows asked you to confirm it, it was prompting for elevation.

Now how Windows Vista does this is not the issue here (in fact, it created two security tokens, IDs if you like, and if you could get away with using the limited one, that's what it did, otherwise it would prompt for elevation). So you could ask the question, "Am I an Administrator, or a Limited User?" The actual answer is, both. And at the same time. Go ahead and check; if you have Office 2007 installed, try to run Excel twice. You should get two windows of Excel, one with Book1, and the other with Book2. But, if you run Excel once, and then again using Run as administrator, both windows of Excel with report as Book1. That is to say, Excel is running both under you as Administrator, and you as Limited User.

Which goes back to the original issue of Jesus' nature; is He God, Man, both, or half of each? The answer is the same; He is both fully God, and fully Man, and at the same time - just as you are fully Administrator, and fully Limited User, at the same time. Now, no analogy is perfect, and the Trinity as well as the dual-nature of Jesus Christ, are and will likely remain mysteries. However, this one comes pretty close.

Are you fully Administrator (otherwise known as God-mode)? Yes; you can pretty much run everything as Administrator. One of the interesting things is that the Administrator token (or ID) is passed on, so if you initially ran Explorer in Administrator mode, everything is thereafter run using the Administrator token.

Are you fully Limited User? Yes; if you answer every elevation prompt (otherwise known as that pesky thing UAC) negatively, your privileges remain that of a Limited User for everything.

Are you both at the same time? Yes; you can mix and match all you like. As you've seen, you can run any program as Administrator and Limited User at once. In fact, that is how you are recognised by Windows, because of your two security tokens - Windows recognises you as both simultaneously, and will treat you in however you want it to.

Here's one more thing. If you were in the system as a normal Limited User, then if you needed to do something in God-mode, you needed the password of the Administrator. This is because you are actually using the authority of the Administrator to do it. In the scenario I created, you don't have to - because that authority is your own, and in your own right. Hmm, sort of like how Jesus could teach with authority, and the others could not, isn't it?

And that is how the topics of Windows Vista and Jesus Christ can be tied together.

No comments: