On Windows Vista: Security that requires end user attention is not security

There have been a lot of blog posts lately (like this post on Steve Lamb's blog or this one on SilverStr's blog, for example) about Windows Vista's User Account Protection and how Vista deals with security in general. In particular, people are complaining about all the popups that Vista puts up when a potentially harmful change to the system is requested.

I'm of the opinion that any security scheme that requires the end user to read and participate is inherently insecure. As we've seen with phishing attacks and other social engineering efforts, most of us, geeks included, are very fallible.

Most people just want to get on with the task at hand and will tend to click whatever button they think will allow them to get back to work fastest. Joel Spolsky and others have talked again and again about how any UI that requires someone to read something in order to make a decision is a poor UI. Why? Because we tend not to read things that are uninteresting to us, and for the most part verbose statements about security or instructions on what not to enter into a UI box are very uninteresting to people when they are focused on a seemingly unrelated task.

And with the number of PCs out in the wild these days, any security effort that is doomed to even as much as a 1% failure rate is an abysmal failure, as this will lead to tens, if not hundreds, of thousands of zombied PCs... in fact it already has.

But Vista was supposed to fix much of this, and while I think that some of the other initiatives put in place with Vista will make things better, the features that require user intervention to work, by design, won't work, as most of us just want to get on with what we are doing.

Instead of asking the user to figure out if something is OK, the operating system itself needs to figure it out in the vast majority of situations. Yes, this is a steep climb to make, but I feel that if Windows is able to keep the user queries to the bare minimum, then when they do pop up users will get that it's important and hopefully be mindful of their input.

The more Windows pops up queries for the user, the less effective such a system will be.

Perhaps a better method would be, in most instances, to just inform the user that a change has been made: pop up a bubble in the lower right-hand side of the desktop telling them that such and such was done, and that if they didn't mean for this to be done they can click in the bubble to reverse the change. Only in the case of high-risk activities should the system ask the user if they are sure they want to continue, and make them enter their password if they click Yes, regardless of whether or not they are logged in as an admin.

What do you think?

What People Are Saying

My experience with Vista

My experience with Vista actually helped me decide to finally switch to Linux.....what a breath of fresh air....

As for Vista, it isn't much more secure than Microsoft's previous products. Maybe the RTM version will be an improvement, but RC1 was nothing more than an XP makeover that seemed the product of a team that at some point actually gave up on a lot of what they were trying to accomplish. This will be the first Microsoft OS I stay away from and possibly the biggest dud since Windows ME.

"People just need to stop

"People just need to stop using admin accounts for every day tasks" isn't really helpful when you run up against applications you are required to run as part of your job, which will only run correctly as admin. (Sometimes you just can't choose your operating environment)

The more Windows pops up

The more Windows pops up queries for the user the less effective such a system will be.

How true this is. I have had to reinstall too many systems where the IT department insisted on "security programs" being loaded onto personal machines that would access the university via the Internet. The user would guess the answer to the questions and eventually get to the point that the "protection" programs would fail, because they were only allowed to do part of the job and to complete the function had been disallowed by the user. Ever see a virus program tell you it found a virus and is repairing it, then fail due to access not allowed? To then cycle back to the virus found message and continue this loop until the machine was wiped clean and the OS reinstalled, losing data in the process.

Replaced with proper automatic checking, and required regular system scans. People could use their computer.

From what I have read Vista is going in the wrong direction.

If you install said

If you install said anti-virus under an admin account, most *GOOD* antivirus software will install as a service, which will have admin privileges, so it will not go into an infinite loop.

User Account Control only pops up when the average end user is doing something they should not be (like messing around in Control Panel). If the system is set up correctly the end user should never see it at all. If you are doing administration, log into the admin account and it won't ask you for the password all the time.

UAC works very much like the Linux account system, people just need to stop using admin accounts for every day tasks.

i dont know how many times

I don't know how many times people have asked me to get rid of WeatherBug or something 'cause they clicked yes to it when they were installing AIM or GameSpy or any other free program. The average computer user isn't gonna look at what they're clicking yes to, in turn screwing up their computer the same as before, except now they can only blame themselves.