Will Vista UAC be successful for home users?

The theory behind the Vista security measure called User Account Control (UAC) can’t be faulted. The idea that people should run their computers with as little access as possible to sensitive system functions has long been preached by security experts. But how to implement that idea in practice is a big question. There are already a lot of complaints as noted by Mary Jo Foley, who writes:

It seems like everyone, other than possibly Microsoft’s Vista team itself, seems to believe that the User Account Control (UAC) in Vista already needs an overhaul. The question is, who is going to do it? And what form will it take?

Changing system settings, installing new applications, updating existing applications, and many other routine operations require more privileges than running a word processor or reading a web page, and so they trigger a UAC prompt. Businesses have an IT staff to do administrative tasks and can restrict most users to standard (limited) accounts. The home user, however, is the IT staff and sometimes has to act as an administrator. The practical problem is how to let a PC user safely hold administrative rights at some moments and not at others. With UAC in Vista, Microsoft tries to address this, but I see at least two obstacles to its success.

The first problem with UAC is the one illustrated by the old tale of the boy who cried wolf too often. After enough UAC alerts, users either get irritated and turn the warnings off, or become so inured to them that they ignore them and simply approve whatever action they are being warned about.

The second problem with home PC users is that the PC is just an appliance to most of them and their knowledge of how computers work is very limited. The majority of home PC users are not going to have the technical background to be able to tell when a UAC warning is just one of many routine messages or is actually indicative of something serious. They won’t know how to make a decision when they see a UAC alert.

This latter problem, that many home PC users have no technical background, is bigger than the UAC question. I am not sure that Microsoft and others have yet realized that having millions of untrained home computer users on the Internet presents an entirely different set of security problems from those faced by institutions with technical staff. These people in their homes are the natural prey of the zombie botnets. Somehow the spammers and the phishers and all their ilk have to be attacked more directly. You can put all the security measures you want on home PCs, but if the users don't understand them or find them too inconvenient, the security problem will remain. And it's not just the uninformed PC owner who suffers. We all get the flood of spam and Trojans from the botnets, and we all pay the costs of phishing.
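As an added example (not part of the original post, and not anything Microsoft ships), here is a PowerShell script that audits the UAC policy settings behind the behaviour discussed above: whether UAC is on at all, whether the administrator prompt has been reduced to silent approval (the "cried wolf" outcome in practice), whether the prompt uses the secure desktop, and whether the current process already holds the full administrator token. It also shows the intended way for a home user to act as an administrator for one task only, by elevating a single command rather than the whole session. The registry value names are Microsoft's documented UAC policy values; the function names are mine, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): audit the UAC settings the post
# discusses and show how a standard user requests elevation for one task.
# EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the
# documented UAC policy values; the function names are my own.

function Test-IsElevated {
    # True when the current process runs with the full administrator token,
    # i.e. the user has already answered a UAC prompt (or UAC is off).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Fall back to the Vista defaults when a value has never been written.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 2 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $consentText = switch ($consent) {
        0       { 'elevate silently (no prompt at all)' }
        1       { 'prompt for credentials' }
        2       { 'prompt for consent' }
        default { "value $consent (meaning depends on the Windows version)" }
    }

    [pscustomobject]@{
        UacEnabled             = ($enableLua -eq 1)
        AdminPromptBehavior    = $consentText
        PromptOnSecureDesktop  = ($secure -eq 1)
        CurrentProcessElevated = Test-IsElevated
        # UAC "on" but approving everything silently is no safer than UAC off.
        EffectivelyDisabled    = ($enableLua -ne 1) -or ($consent -eq 0)
    }
}

function Invoke-Elevated {
    # Run one command with administrator rights, triggering a single UAC
    # prompt, instead of logging on as an administrator for the whole session.
    param([Parameter(Mandatory)][string]$Command)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-Command', $Command -Wait
}

Get-UacStatus | Format-List

# Example of the "sometimes an administrator" pattern: only the installer
# runs elevated, the rest of the session stays a standard user.
# Invoke-Elevated -Command 'msiexec /i C:\path\to\installer.msi'
```

Reading the policy key needs no elevation, so the audit can run from a standard account; `Invoke-Elevated` is where the UAC prompt appears. If `EffectivelyDisabled` comes back true, the machine has either turned UAC off outright or set the administrator prompt to silent approval, which is the state the post warns users will drift into.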


Comments


In her on-line column yesterday, Kim Komando states:

“Although User Account Control is a security feature, I don’t consider it terribly important. You can disable it. I have instructions on my site.”

If I read her various comments correctly, Kim Komando is not necessarily recommending that everybody turn off UAC but that she personally finds it irritating and has turned it off. Of course, she is an expert user. In one place (http://www.komando.com/tips/index.aspx?id=2862) she says "It's a good idea. But it does get in the way of knowledgeable users. I've disabled mine." Notice that she says "knowledgeable users." I hope that average users will learn to live with UAC but I have doubts.

Her reaction just illustrates the point in my post that there are real questions about the way that UAC is implemented. I am puzzled that Microsoft didn’t anticipate the practical problems of user reaction. One conspiracy-minded poster somewhere suggested that Microsoft knew that a lot of people would turn UAC off but that all they wanted was to be able to say that they had made Vista very safe and it’s the user’s fault if there are security problems.
