Re: Security and the User experience



"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message news:OV2maQAsGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
My answers are inline with yours...


The problem:

User installs an application that needs to communicate to SQL servers and/or FTP servers and/or web services. Being a good user they have some type of firewall and anti-virus software (most of the time it is preconfigured so the user doesn't even know what they have). The problem, whenever the user installs any applications (or even games) they are either presented with a message saying "block/unblock" message and sometimes even messages suggesting the application could be a virus. So the user doesn't really understand this message at all and could pick either option or just ignore the message entirely (and in many cases with games, the message is hidden behind the full screen DX9 game so the user is completely unaware until after they exit the game wondering why it doesn't work). In some cases the firewall/anti-virus software will not even provide a prompt and just block the application 24/7. As a result the application may not work and/or the user can't play online and you get one very frustrated user (either in a work environment or a home environment). In fact, users get so frustrated that they stop using their PC and move on to other things in life.

Microsoft do seem to be aware of this user experience problem after my initial look at Beta 2 of Vista and how it grays out everything except the program needing communication. Unfortunately, this is still "in the way" for your average user and I don't believe this will help increase the PC base of users. We've been hovering at 1 in 5 people having computers for a long time now so there is obviously a large "market share" to tap into.

I have a possible solution:

Any application that will be released on a public level should register itself with an authority. The OS will then query the authority whenever any application is installed, if the application has been validated by the authority installation, then communications will be permitted for that application. This process could become automated (similar to how SSL certifications are acquired) at trusted companies/sites. What this does is provide user confidence and at the same time insulates them from having to deal with security.

While this is a good idea in theory, the resources that it would require are too great. If 1 in 5 people are using a computer, and they all try the same (or different, for that matter) application at the same time, it would crash the 'authority'. The authority that would hold this information would have to have a backbone to the Internet, and would have to have a lot of servers to handle the load. Before anyone says that Microsoft has that capability, they don't. It would be a little more in-depth than just going to hotmail and getting your e-mail. They would have to set up servers all over the world, and have them all replicate the information at the same time.


I think Microsoft really need to smell the coffee here, because their path of "that's just the way it is" does nothing for anyone involved in the business of PCs and software development. What I'm seeing in Vista is better, but doesn't go far enough to insulate the user from security. In fact, in Microsoft's own book(s) on security, they clearly identify that security should NOT be in the way. I for one would like to see even a modest increase in market share from 1 in 5 people to 2 in 5 people (that's effectively doubling market share) -- this is good for everyone. What Microsoft are failing to do is accept the reality of their situation (you can't tell the user it's their job to ensure they're secure, they will just simply say no it isn't and stop using the PC -- not up for debate period), sure it will require more work, more money, and new "entities" to manage my proposed solution but the long term benefits will easily pay off and since we already have entities that do very similar functionality (Verisign, Networksolutions, etc. etc.).

What do you think?

Rob.

I would tend to agree with you about Microsoft needing to smell the coffee. And to an extent, they are. However, the *nix OSes have basically the same feature (albeit not as intrusive as UAC) called "superuser". Microsoft is just trying to make a variation of that, but it's still too intrusive. I would venture to say though that even the *nix OS distributors and probably even Apple will still say that it's the user's job to make sure their computer is secure.

Before I get flamed for the last sentence, let me clarify it a little. Yes it's the responsibility of Microsoft, the *nix distributors and coders, and Apple to provide us with secure code. But, it's up to the end-user to make sure they get the updates that will make the code (and their computers) secure. It's also up to the end-user to do whatever is necessary to make sure their computer is secure (meaning antivirus, firewall, and antispyware).

You are right though that something has to be done. If it wouldn't be too unmanageable, and if there was a foolproof way to ensure that the system wouldn't be violated, I would completely agree with your concept.




--
Patrick Dickey.

smile... someone out there cares deeply for you.
http://www.microsoft.com/protect
http://update.microsoft.com
http://www.pats-computer-solutions.com
