A Microsoft manager has said one of the security features in Vista was deliberately designed to "annoy users" in order to put pressure on third-party software makers to make their applications more secure.
David Cross, a product unit manager at Microsoft, was the group program manager in charge of designing User Account Control (UAC), which, when activated, requires people to run Vista in standard user mode rather than having administrator privileges, and offers a prompt if they try to install a program.
"The reason we put UAC into the [Vista] platform was to annoy users — I'm serious," said Cross, speaking at the RSA Conference in San Francisco on Thursday. "Most users had administrator privileges on previous Windows systems and most applications needed administrator privileges to install or run."
Cross claimed that annoying users had been part of a Microsoft strategy to force independent software vendors (ISVs) to make their code more secure, as insecure code would trigger a prompt, discouraging users from executing the code.
"We needed to change the ecosystem," said Cross. "UAC is changing the ISV ecosystem; applications are getting more secure. This was our target — to change the ecosystem. The fact is that there are fewer applications causing prompts. Eighty percent of the prompts were caused by 10 apps, some from ISVs and some from Microsoft. Sixty-six percent of sessions now have no prompts," said Cross.
Cross claimed it is a myth that users just turn UAC off, saying that Microsoft had collected opt-in information from users which showed that 88 percent were running UAC. Cross said it was also a myth that users blindly accept prompts without reading them.
"It's a myth that users click 'yes', 'yes', 'yes', 'yes'," said Cross. "Seven percent of all prompts are cancelled. Users are not just saying 'yes'."
Security company Kaspersky has in the past severely criticised UAC, claiming in March last year that it would make Vista less secure than XP.
At this year's RSA Conference, however, the security specialist seemed to have changed its tune. Jeff Aliber, Kaspersky's US senior director of product marketing, said: "[With Windows], there is a large attack surface with a number of entry points," said Aliber. "Anyone trying to shrink that attack surface and promote secure apps development has to be a good thing."
Prior to the launch of Vista, Kaspersky issued a report in January 2007 which said UAC would be ineffectual. The company claimed that many applications perform harmless actions that, in a security context, can appear to be malicious. As UAC flashes up a warning every time such an action is performed, Kaspersky said that users would be forced to either blindly ignore the warning and allow the action to be performed or disable the feature to stop themselves going "crazy".
"If the user were to be notified about every one of these actions with a request for confirmation or a request to enter a password, the user will either go crazy or disable the security feature," said Kaspersky.
Talkback
But what about the "feature" that takes it several hours to copy a few megs of videos off a memory stick? Obviously that was designed to annoy the hell out of the user, but to what ends this time?
I also admire the way they designed the software to hog resources and require a ludicrous amount of computing power to perform no better than XP on a system with a fraction of the CPU, RAM and HDD capacities. Obviously a deliberate attempt to get hardware vendors to make better processors and drop prices.
I take my hat off to Microsoft. Even cleverer than I first thought.
(may contain traces of sarcasm)
I love it that the guy's name is "Cross".
The first thing I did was to turn it off. That and other superflous parts of Vista.
Mind you when I try to fix a friends PC and tell him he needs anti virus, etc, he snarls at me 'If Windows was so Fxxxxxxx Good - why do we need all these other security programs?'
Well, Vista annoys me so much, I am going back to XP or Ubuntu.
KJR
I just bought a new laptop, and of course it came with VIRUS, I mean VISTA installed. I put up with it for 2 days, and then formatted the hard drive and installed PCLinuxOS. It now runs faster, uses less memory, is more productive, and I have to enter a password if I want to do something that requires root privilege. VISTA is a UFE. (useless fragment of excrement)
...that part of the cost of the laptop is the Vista install. MS will be able to claim one more sales figure and - as far as the stats go - you're using it.
I like that Dell do supply (a very VERY small number of) machines with XP still on, but I don't like how they charge you extra for them. Likewise, their incredibly limited range of machines featuring Ubuntu isn't as impressive as I'd have hoped - and considering they have a "free" OS on them, they're pretty pricey.
A shame they don't do a "no OS supplied" option at £100 or whatever less, and you can then choose to install whatever you want on there at your own cost.
We can thank Micro$oft for taking customer choice out of computer buying. If I could have bought the pieces I would have built my own, but that isn't an option yet, for laptops. I asked the salesman about a reduction for no OS, and he said they were locked into a deal with M$, so their hands were tied too. Shameful.
Shameful is right. I'm assuming there must be a dealer out there somewhere who'll put together a laptop with no OS. Of course, are the public liable to act with their wallets and go there? Chances are, it would be a small company and therefore have higher prices than, say, Dell. And would anyone pay *more* for less, when they can pay less and just ditch the included OS?