CFP v3 (un)usability opinion

[Guest]

[VitRom]

Well, after two days of gaming with v3 I have some words to say.
Xcuse me if it's already said in other topics but I don't wanna read all 40+ topiclist pages.

0. Common feelings.

Making products for housewifes ain't good way in security area. It's some low level of complexity here and falling below it makes more problems than that complexity by self.
Unfortunately seems like COMODO in they tries to make things "very easy" goes too far and got absolutely different result.

How said somebody of IT-Gurus (unexact quote): "make a system that can b used even by fool and only fool will use it".

1. HIPS rules too hard to understand (to read).

Here is no way to see that some additional data filled into app rules except stupid way to open "App Rules" than "Access Rights" and then clicks on every "Modify..." button and than on every of two tabs. What's more - in a case of "mass" exploring app rules - after closing "Modify" dialog last clicked button doesn't marked (even by std dotted "focus" frame) and user can't see which button was clicked last and which details should b opened next.

IMHO it isn't too hard to mark settings that contains additional details. For example by bolding that silly "Modify..." text. Or by changing it to "Edit" or "Set" followed with something simple text symbols like "...[o] [o]" / "...[+] [o]" / "...[+] [-]". Sure that hidden sacral meaning of that symbols understable even for interface designers. Again it isn't too hard to marks an app rules in a main list ("computer sec. policy") according to presence of such settings. And again it can b done by simple "+" after app name.

2. The "skins" too slow in some cases.

And when protection set to manual confirmation sometimes CFP makes two jobs - grabs and stacksrequests from program that waits for user decision and draws thiese cool coloured, flawored and smelled bells and wristles like three-four-five-etc-state checkboxes and buttons. This noticeable especially with some programs that uses on-screen effects like transparent windows and popups or even when opened a SysInternals ProcessExplorer (that hooks screen too). And this looks, ughm.. strange and makes feelings of too expensive program (i mean CFP) - for example checkbox "remember" are clicked already but a text drawn "skinned" while check sign still not coloured but plain old black, and wents greenish after some delay only. Pls note that my PC are fast enough for many everyday programs.

3. Configuration editors doesn't shows real configuration.

When a config editor window opened they shows just "snapshot" at a time of opening. And if CFP pops up some request and user confirms it and sets up "remember" flag than config edit window doesn't reflect changes. Moreover when a config editor closed with saving (via "Apply") so just that displayed config are writen back and result of user answer onto popup are lost.

4. Config saved too lazzy and some changes losts on reboot.

I was tired when three or four times after every reboots I've seen goddamned popus abt connections with addresses or ports that was already added as groups. And only when I've looks into "my net groups" I've seen that may groupnames are reverted back to std. And of cause all rules that refers to "LAN" group goes invalid because here is no such group but std "Local Area..." are here.

Looks stupid by I've got my custom netgroup names only after editing them then shutting down firewall than starting it again.

5. FW and HIPS rules (and politics) doesn't related no way

For example, it's impossible to create rule like "Advanced file manager" that allows direct disk access but denies any network.

=================================================================
2b continued. May b.

[VitRom]

OK, show does go on.

6. "Direct disk acces"

Well, I've reivewed my config and disabled "direct disk acces" for explorer.exe. Nothing strange, isn't it? Unfortunately, I've seen that COMODO devels assumes under this words something different from me.

After a few minutes I was shocked with a bunch (4000+) of "suspicious attempts" on a Summary screen. WTF?
OK, I'll dispose a secret: log says that "explorer.exe tries direct disk acces to..." Any versions? Ansver quickly! Well, U are wrong! To "\Device\LanmanRedirector"! I'm on LAN and of course my explorer looks for some net-resources, it's normal. But name this "DIRECT disk access"...

Up to now I've understand under "direct disk access" a something like really direct sector reading/writing and/or ATAPI commands (WinHex, a lot of tools for surface testing or SMART check) but it seems that I was wrong...

[Kyle]

Hello VitRom, Welcome to the forums.

Thank you for your opinion, I'm sure that someone from comodo will listen to you

The Comodo team in the near future are going to work on making CPF as user friendly as possible without sacrificing security.



Can you please tell us What mode you are running Fire Wall and Defense+ in?

[Kyle]

You might like to read this;

Thank you for your feedback. much appreciated..

we are working on making CFP a mass market product!

Our strategy to first make sure we build a product that protects people by building one of the most secure apps around and then start making it user friendly without sacrificing its security.

You will see gradual improvements in the coming months. Please keep the suggestions coming.

thanks
melih

Quote can be found here: http://forums.comodo.com/feedbackcommentsannouncementsnews/suggestions_for_cpf-t26598.0.html;msg193739#msg193739

[VitRom]

as user friendly as possible

it's exactly that thing that makes me nervous
Again it's a brilliant phrase (referred sometimes as "Show's Principle", and exists in an any "Murphy's laws" collection) - "Build a system that even a fool can use and only a fool will want to use it"

It isn't my first girl HIPS and firewall so of course I'm in Safe mode and moreover set "allert freq" to "high" - to produce a big number of detailed rules and then analyze it and manually convert into less detailed port-host-etc-groups-based.

[Whoop-dee-doo]

Making a program user friendly and intuitive does not mean that effectiveness and configurability are compomised.

"Build a system that even a fool can use and only a fool will want to use it"

If we followed this logic, no one would have bothered to develop windows and similar user freindly operating systems. In fact, no one would have developed user friendly systems such as iphone, ipod, Tom-tom, etc.

A good program should increase the knowledge and proficiency of novice user through a clear and intuitive interface (how many computer naive people learned how to use computers when windows came out? It was a simple interface that allowed more people to become proficient with computers!). Making a product easier to use does not reduce the program to a "fool's" level, but rather it elevates the novice user to a more proficient level.

[frogger]

I'm enjoying the learning curve myself i would not want it any other whey after all if it was so easy to use there would be no point to it. one has to learn and experiment to figure things out just my 2 cent here.

[VitRom]

Well, another one unexpected "test".

7. Yesterday I was set an option "block all reqs when closed", set HIPS to "paranoid" then exited from GUI and went of to my clients. All desktop progs still running. After some time on client PC I was need to check something at CFP PC. I've connects via RDP over 128k ADSL and starts to do something. And at sometime I've got a bunch of "a some.dll isn't win32 image" etc. Well, this dll is a simple hooker that's part of some ui improvement app.

OK, it's simple quiestion and all that I need is only launch CFP gui and set another policy or unset "block when closed", isn't it? Well, I do it and... GUI window opens and... And over entire half-hour RDP session I can't see a Def+ button drawed properly and can't click on it. At the same time a 5-6 other progs been worked absolutely fine (except I've been forced move them into corners, away from CFP gui occuped area)!

BTW after killing a problem app (and stopping an events flow) switching from one gui area to another was slow too - up to 4-5 secs for full redraw. At the same time... (c abowe).

====================================================================
Whoop-dee-doo, regardless U want a "classic"-style HIPS (CFP is one of them) CAN NOT BE maked simple enough without making some security holes. It's by definition of that style.

I've seen only one simple enough and secure (in minds at least) simultaneously product - GeSWall. It's MAC-based. Unfortunately it doesn't secure in real life - for example it can be killed by taskman 8-(  If someone (I mean COMODO. Hey, devels!) brings together a CFP low-level integration and stability and a GeSWall point of view onto protected objects classification and roules structure this can b a brilliant product. Ouh, dreams...

PS. BTW to b closely to PC world complexity Ur analogy must looks like "a GRID from iphones, a GRID from ipods, etc."

[Whoop-dee-doo]

Okay folks...I cannot believe what I am reading.  So, are you saying that a you cannot make a robust security program intuitive to use? That is total non-sense. This is the "you can't do that" mentality that everyone applied to Michael Phelps before he proved them wrong. Programs like Turbo-tax and Quicken have made filling out your tax return more simple! If you can make taxes simple, you  can certainly make a firewall and HIPS simple. Robustness of the defense does not have to be compromised for ease of use.

Also, it seems like some are saying "let's keep it complicated so the less sophisticated won't use it?" A program can certainly be made configurable so more advanced users can have exquisite control over things, but a less advanced user can have certain things automated.

 Sounds like to some of you want CFP to be a complicated Rube Goldberg contraption!.

I am sure Comodo is filled with talented "can do" people who can accomplish what you guys think is impossible:
Strong defense, but more intuitive interface.

[Melih]

I think we have to look towards new innovations to create security and usability!

As I always said, we concentrated in security first! our next stage is usability. We have lots of innovation that we will be bringing into CFP/CIS that will give the security without comprimise! Only Nothing is impossible!

Melih

[weaker]

I want to say that I strongly disagree with the OP. I think that an easy and clear UI is absolutely paramount in order to not pi** everyone off.
It is hard to make such a complex software easy enough for being useable by "housewives" but this has to be the aim: Security for everyone. And there is still lots of room for improvement in the UI part alone.

[VitRom]

Whoop-dee-doo and All, let me explain:
a "classic style" HIPS it's:
1) a list of apps,
2) a list of permissions,
3) a list of protected areas and
4) a relational web betwen them.
It can't b simplified not because "menthality" but because "a nature of things". Sorry, but it's reality where we lives.

All U can do to "simlify" (in quotes) that -- is to group some "list items" together and make user to make decision not about every relation item but a group of relations instead. It's just one more level of abstraction. But when U abstract something U drop out some details, isn't it? And all this dropped details fails into categ. "potential hole" (two words in a one term, read them together). Will this "potentials" b promoted into "real" -- it's other talk, but they are exists anyway.

A good sample of abowe it's CFP "Alert Freq" It's only groups many possible decisions into one. Yes it's simplifies a decision making but for a price of creating potential holes. If U didn't agreed then reread the previous paragraph again.

For example when U r in a default "allert freq" mode and runs some... well, "the some" that needs a bit of network and U plans use this "some" again - U allows it activity, "remembers" it and... Welcome, BackOrifice and Co - I have a bunch of allowed ports and addresses!..

A way to really simplify CFP config is
1) a nested roules hierarchy
Here under "rule" i mean a set of "elementhary rules" created according to real world activity templates (mix together udp/tcp/icmp and different addresses regardless "simplification" level)
2) a turns from total control of a system to something like MAC-based
And allows almost any prog almost everything (of course while still watching for it ) until they really tries to do something wrong

Melih, it's good that Mods reads this -- I hope they can give something to devels. Pls note that all my opinions abowe are based on a many competetive products from DefenceWall and Symantec to Kerio and ProSecurity (and many other). And all the best things in that set (regardelss users group they are aimed to) are never mix flies and beefs and focuses entirely on that aimed in general regardless what it is -- a simplest isolation (DW) or totally detailed contorl of everything (PS).

PS. Currently CFP tries to sit on two chairs simultaneously. May b it's better to create two completely different UI modes (housewife-mode and geek-mode ) and devel them independedly?

[3xist]

A Classical HIPS can be developed in about 2 weeks by an above-average developer. New Innovations end of this year and next year are going to be introduced to really improve the usability off CFP 3! (Less quite, etc without reducing security). Sandboxing looks interesting too (Due out after CIS is launched).

Josh

[VitRom]

A Classical HIPS can be developed in about 2 weeks by an above-average developer.

Sure
...And according to "90/90" rule from Murphy's Laws the next 18 weeks (at least) shall b spent by a team of nine high-average devels onto hardening this product and protecting it from a misc tricks used by malware ("unhooking" for example)

Well, still watching and waiting for "Innovations end of next year"

[Kyle]

Sure
...And according to "90/90" rule from Murphy's Laws the next 18 weeks (at least) shall b spent by a team of nine high-average devels onto hardening this product and protecting it from a misc tricks used by malware ("unhooking" for example)

Well, still watching and waiting for "Innovations end of next year"

Melih has his priority's
1, Security
2, User Friendly

I don't think this really needs to be discussed anymore.

[Tags:]