So, about a week ago, I used Vista for the first time (in case you haven’t heard, Vista is this new thing they have out now that’s supposed to be all that and a bag of chips when it comes to security.)
Oh wait, maybe I should start earlier than that. So, a few months ago, while fast-forwarding the TiVo, Diana and I came across the Apple “I’m a Mac” ad where there’s the “Vista dude” (my short-lived hero) who kept asking the PC “cancel or allow” for everything that he did. And, while I thought the commercial was humorous, I put the underlying message in the same place where I put Apple’s “no malware for Mac” message; namely in that part of my brain reserved for obviously-biased marketing spin (I think this one fell somewhere in between the Oracle “Unbreakable” campaign and Richard Nixon’s “I am not a crook” speech.) In other words, I disregarded it.
Fast forward to using Vista again. So, I’m clicking around and doing stuff, installing software, changing settings, and so on. And boy-howdy if Apple wasn’t right on the money. Install software – “cancel or allow,” apply patches – “cancel or allow,” change the theme – “cancel or allow,” delete a shortcut from the start menu – “cancel or allow.” Man, what a pain in the neck! Needless to say, I did what any sane security professional would do – disabled UAC. Because it was killing me… Next on the agenda was the box that kept asking me (I’m paraphrasing now) “
Now, you might say that disabling these features is a step in the wrong direction… after all, shouldn’t we be pushing forward into the great new frontier of the OS asking me permission before the CPU executes an instruction? No. Well, at least I don’t think so. Look, asking the user is the wrong approach in a security context; it hasn’t worked with browsers and it won’t work here. Don’t believe me? To illustrate that it is true, I need cite only the highly-scientific “Simon Says” series of experiments. OK, so I’m being snarky. But isn’t it really the same thing? “Simon Says”… “Duck-Duck-Goose”… “Mother May I”… All of these are games founded on the principle of habituation – namely, that people who are asked to perform the same activity over and over again start to perform it without awareness of the differences between events. Look, I guarantee you that if you show me the same dialog box 100,000 times, I’ll stop reading it and just click “yes.” I’ve actually gotten pretty good at still ignoring the dialog when the buttons are reversed (viz. WinZip’s shareware “register WinZip” dialog.)
So, here’s my question. What exactly are we trying to prevent? Can’t we have it where the unusual behavior prompts the dialog box rather than the things we do all the time? Like maybe if deleting the shortcut from the desktop didn’t give me the “cancel or allow” box but sending my banking password to a site in Lithuania did (no offense to Lithuanians… just grabbed a far-off sounding place from the top of my head.)
Anyway, now back to your regularly-scheduled rant-free day.
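As an added illustration of the question above (example code written for this page, not from the original post and not how UAC actually works): a toy prompt policy that only asks while an action is still unfamiliar for this user, and always asks for background-originated or high-risk actions, so the prompt can’t be habituated away by routine clicks. The action names, the routine_after threshold and the sample session are all constructed assumptions.

```python
"""Added example: a baseline-driven consent prompt versus a prompt-on-everything one.

Not UAC's real logic; action names and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical action classes that should prompt no matter how often they are seen.
HIGH_RISK = frozenset({"send_credentials_offhost", "disable_security_control"})


@dataclass
class Event:
    action: str
    user_initiated: bool  # True when a foreground user gesture caused the action


@dataclass
class BaselinePolicy:
    """Prompt until the user has approved an action routine_after times, then
    treat it as routine; background-originated and high-risk actions always prompt."""

    routine_after: int = 3
    approved: Counter = field(default_factory=Counter)

    def should_prompt(self, ev: Event) -> bool:
        if ev.action in HIGH_RISK:
            return True
        if not ev.user_initiated:
            # Something the user did not visibly start: never silently allowed.
            return True
        return self.approved[ev.action] < self.routine_after

    def record_approval(self, ev: Event) -> None:
        # Only genuine foreground approvals train the baseline; background
        # activity must not be able to make itself "routine".
        if ev.user_initiated and ev.action not in HIGH_RISK:
            self.approved[ev.action] += 1


def naive_prompt_count(events) -> int:
    """Prompt-on-everything model: every privileged action asks the user."""
    return len(events)


def run_baseline(events, policy=None) -> list:
    """Return the actions that the baseline policy would actually prompt for."""
    if policy is None:
        policy = BaselinePolicy()
    prompted = []
    for ev in events:
        if policy.should_prompt(ev):
            prompted.append(ev.action)
        # Model the habituated user who approves whatever is asked.
        policy.record_approval(ev)
    return prompted


def sample_session() -> list:
    """Constructed session: twenty routine shortcut deletions plus two rare events."""
    events = [Event("delete_start_menu_shortcut", True) for _ in range(20)]
    events.insert(10, Event("write_startup_folder", False))   # a background process
    events.append(Event("send_credentials_offhost", True))    # the banking-password case
    return events


if __name__ == "__main__":
    session = sample_session()
    print("prompt-on-everything:", naive_prompt_count(session), "prompts")
    print("baseline policy:", run_baseline(session))
```

Over the same session the prompt-on-everything model raises twenty-two identical dialogs, while the baseline policy raises five: the first three shortcut deletions, the background write, and the credential send. The two that matter are no longer buried in a wall of “cancel or allow.” The design point is in record_approval: only foreground approvals count toward the baseline, so repeated background activity can’t train itself into the routine set.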
4 Responses to “You are disabling UAC. Cancel or Allow?”
actually, i think asking in general is the right thing to do but you have to be careful not to ask too often… the problem with windows is that too many behaviours have significant enough security implications to warrant the prompt…
the reason these sorts of prompts exist is because applications don’t come pre-loaded with a fingerprint or baseline of what normal behaviour is, much less what YOUR normal behaviour is (the general your, not you specifically) and some designers have had the presence of mind to use those prompts as a means to develop that fingerprint over time… UAC (from what i gather, i avoid vista on philosophical grounds) apparently doesn’t do that and that probably is a failure in the design of UAC…
Speaking for me, it gets a lot better once you get through the setup process. I have UAC on, and see a prompt a week or so.
Adam
If the users are being prompted for trying to do the things they are conscious of doing (e.g. deleting a shortcut, changing theme, opening the management application, etc.), then that just accelerates the process of users ignoring the dialog boxes.
It’d be more appropriate if these dialog boxes are generated not by user initiated events, but rather by (untrusted) background processes – you know, like a sane virus scanner or firewall. Don’t know what MS is thinking…