Last week a Microsoft exec revealed that Vista's User Account Control (UAC) scheme was designed from the ground up to keep people safe by constantly annoying them. Microsoft needs to learn that security through annoyance isn't the way to keep users safe --- or to keep them as customers.
David Cross, a Microsoft product unit manager who helped develop UAC, told the RSA 2008 conference in San Francisco last week, "The reason we put UAC into the platform was to annoy users. I'm serious."
How does annoying users with endless prompts make them safer? Cross said that Microsoft hopes that annoying users will force software makers to create safer code. You'll have to bear with me as I explain this, because the thinking is rather convoluted.
Cross claimed that insecure code triggers UAC prompts. Software with too many UAC prompts, he said, would make it less likely that that users would want to run that software. Software makers (ISVs), seeing this, will write more secure code, so that they don't lose customers, he believes.
We needed to change the ecosystem. UAC is changing the ISV ecosystem; applications are getting more secure. This was our target--to change the ecosystem. The fact is that there are fewer applications causing prompts. Eighty percent of the prompts were caused by 10 apps, some from ISVs and some from Microsoft. Sixty-six percent of sessions now have no prompts.
The numbers sound impressive, but they don't actually say much. He notes, for example, that 66% of sessions now have no prompts, but doesn't say what percent of sessions had no prompts when Vista was launched. So we don't know whether the percent is going down, and whether UAC has in fact made applications safer.
Cross also cited figures showing that 88% of users are running UAC. That's not nearly as impressive as it sounds, though. UAC is turned on by default, and it'll take you a bit of digging to find out how to turn it off. Most users won't know that it even can be turned off, much less know how to do it.
I believe that there's a chance that UAC will make people less secure, not more secure. If you run Vista as an administrator, UAC is easier to deal with than if you run it as a normal user. So more people are likely to run it as an administrator, which by its very nature is less secure than running as a normal user.
Even if UAC does make people more secure, though, it's not the real answer to security woes. Microsoft needs to lock down the operating system better, not hope that by annoying users, the company will force software makers to write more secure code. The more it annoys people, the more they'll consider moving to an alternative operating system. At a time when Vista still hasn't gotten widespread acceptance, that's the last thing that Microsoft needs.