This older El Reg article about Windows Vista security nails something I’ve noticed a few times before and is definitely a problem which doesn’t have a quick and easy solution.
Asking a user to confirm a potentially risky operation is useless, because in most cases the user doesn’t have a bloody clue what the message is talking about anyway.
I’ve noticed this with ZoneAlarm for instance. I use it, and I think it’s great. Whenever some application is trying to access the internet, I have to confirm if it’s allowed to do so or not.
Cool as hell, and there’s no way that Media Player is going to be accessing the net when it doesn’t have to. It’s probably just checking for updates, but I don’t want it anyway.
The problem is I pretty much know what process name links to what piece of software, so I know what to trust and what not. I know that dllhost.exe is something that Windows uses internally, and after yet another Windows secuity fix there’s a chance ZoneAlarm sees it has been changed and asks to reconfirm if the process is allowed to access the internet.
I know this, and click “Yes” . But the unsavvy user might click “No” as the listed executables name doesn’t ring a bell whatsoever.
And then they suddenly can’t surf the net anymore, and have to call tech support… or me, in case I know them.
They will learn from this experience however, clever as they are, and the next time they get one of those nasty techy questions they don’t really understand, they will just click “Yes“. It might be a trojan this time, but at least everything will keep working that way won’t it? Which is exactly what they want.
So ZoneAlarm becomes completely useless in the hands of a noob, and the same is bound to happen witht he Vista security warnings. People will simly click the “OK” button anyway if they get a popup asking them if they want to run a potentially dangerous command. That last sentence alone is enough to make a simply user trip, so what’s the point? They will click ok because they will soon learn that sometimes things don’t work when you click “Cancel“.
In the end there’s always tech support, or me, when things go badly wrong…