[LINK] Study shows pop-up warnings are ineffective

Stilgherrian stil at stilgherrian.com
Wed Oct 1 09:03:02 EST 2008


On 01/10/2008, at 12:37 AM, Malcolm Miles wrote:
> If they are running as a default Vista user, then the game doesn't
> even start. When they run the malware installer, the user will get a
> UAC dialog, prompting them for an adminstrative userid and password.
> As a default user, they don't have those credentials so the malware
> installer won't run. In a corporate locked-down environment you can
> configure Vista so that default users don't see a UAC prompt and any
> installs will fail.

I'v installed Vista Ultimate with default settings. The computer owner  
doesn't need to do anything when a UAC appears except click on "OK".  
No password required. I contend, as I did the other day, that the  
majority of users will be baffled by the request and will  
automatically click on "OK" so they can proceed with their life... and  
that was the point of the article cited which started this whole thread.

Talking about "a corporate locked-down environment" is all well and  
good, but the median business in Australia is a sole trader working  
from home, possible with a part-time bookkeeper. They're unlikely to  
have ANY IT support, let alone a securely configured environment. Most  
"experts" have experience in larger organisations, and perhaps should  
spend a few days in a shoe shop or a 2-man carpentry business to see  
how computers get used in those more typical environments.

This isn't about Vista, or Windows even. It's about IT systems being  
designed as if the user is an IT professional. By and large, they're  
not.

Someone said that people shouldn't be using computers in the workplace  
without appropriate training. "Should" is always such a tricky word:  
it's about what someone reckons someone else should be doing, and in  
this case ignores the actual reality "out there".

All the "security features" (if security can ever be provide by  
"features") are useless if people don't know what they mean. Saying  
they should use a different OS or be trained or whatever is a lovely  
dream, but the reality is that businesses are operating NOW using  
these (to us) terrible, risky practices and they don't even KNOW that  
what they're doing is risky, let alone what to do about it.

So, what are we going to do that will ACTUALLY fix it and which can  
ACTUALLY be achieved in a small business environment? Apart from  
whingeing, of course. ;) (Not directed at you, Malcolm, just free- 
associating off your comment about UAC.)

Stil


-- 
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
Twitter: stilgherrian
Skype: stilgherrian
ABN 25 231 641 421



More information about the Link mailing list