As seen in the Windows 7 blog:
There has been no report of a way for malware to make it onto a PC without consent.Sigh. Great, so your approach is working perfectly. You've gone from a system where malware installs itself while the user is doing things, to one where you bombard the user with generic, indistinguishable, relentless queries as to whether its okay to do the thing they just clicked on, and hidden in that avalanche of requests is one that is actually from a piece of malicious software, which gets approved as a matter of course, but its not Microsoft's fault anymore. Brilliant. But completely shallow, self-serving, missing the point, blame-the-victim mentality at its best (worst?)!
Many, many pundits critizied MS for its onerous UAC when it first came out. As they reasonably should have. And many of them made this exact point: if you bombard the end-user with questions that they don't understand and give equal weight to things that are ordinary with things that might actually be of concern, then they're not going to take you seriously and they're not going to spend time evaluating every single query before answering.
I mean, gosh, how many of you are familiar with "The boy who cried wolf" at Microsoft? Anyone? Anyone?
So here we are, looking towards the next version of UAC, and someone is actually foolish enough to make the exact claim that everyone denounced as stupid and self-serving for Microsoft to do: "Not our fault, you pressed okay."
Any security design that requires constant authorizations for even mundane tasks is going to create the boy-who-cried-wolf problem. Its going to cause users eyes to glass over. Its going to cause knee-jerk acceptance of the "ok" button everytime that interface is presented. IT IS NOT, at its most basic level, A SOLUTION. Its merely a way to push the blame onto the end-user. Its ... a ... marketing ... tool.
And most end-users aren't even stupid enough to confuse the two. Microsoft is only fooling themselves. When Vista's UAC first came out, everyone immediately glomed to the fact that this is not a secure system, or a useful answer or approach or remdy to the underlying first-principles cause of the problem: malicious software getting installed or otherwise allowed access to our computers.
In their defense, I certainly grant that this is a difficult and complex issue. However, I don't actually think its beyond the resources at Microsoft to solve it in a way that is genuinely useful and usable by its customers and business users.
I don't think most of this is that difficult for most users to understand: run programs at only the level of access that they actually need, and no more.
If there were a SIMPLE way to grant some programs more access than the default (which would be set to a low, harmless level), then users could grok this. They could easily distinguish that their anti-virus software needs full access to their machines, but the latest toolbar from Yahoo does not!
But since Microsoft's UAC is too fucking stupid to distinguish between the user clicking on an applet in the control panel, and a bit of software trying to install itself from a web site or removable media, then there is no way that end-users are going to be able to distinguish between when a security authorization is actually meaningful or routine.
Microsoft utterly dropped the ball here. They did nothing to improve the actual situation. All they did was blame the end-user and create a stupid self-justifying system to prove themselves un-culpable.
Its a shitty way to handle this situation, and I for one am neither amused nor tricked into believing their bullshit.
Microsoft's UAC is the biggest "fuck you" to its customers that they've probably ever done. And until they take a deep breath, and admit the truth, there is little chance of actual forward progress or rational conversation on the issue to be had.
Posts
No comments:
Post a Comment