Why Microsoft will fail

Poor Microsoft. The phrase "caught between a rock and a hard place" tells exactly where they are right now. The "rock" here is that Microsoft desperately needs to fix the horrible security they are famous for and the "hard place" is that their user base doesn't want them to do that.

Oh, of course the Microsoft users want to be secure. They are sick to death of worrying about viruses and zero day attacks. They are sick of virus software bogging down their work. Users WANT security. They just don't want to have to do any work.

Microsoft went a long way toward fixing security with Vista. They added User Access Controls (UAC) that pestered users with "Do you want to allow this action?" type prompts. Users hate them and no wonder: most of the time we have no idea WHY we are being asked such questions or what the effect might be if we answer yes or no.

The complaints about this feature were legion. Everybody hated them. Even people who should know better want them gone: ItWire, writing about how Windows 7 may well be a do or die effort, begs

please no more endless UAC dialogue boxes

Microsoft, ever anxious to satisfy its customers, decided that users should have control of this feature. After all, if you are always going to just hold the door open and invite any program that asks to do as it pleases, why bother to ask? So Windows 7 includes user settings to eliminate those silly questions. Do I want stuff to just install? Why, yes, thanks. Ask me no questions and I won't have to admit my woeful ignorance.

But - oops! - apparently someone has found a way to change those setting without your knowledge: Code aims to bypass UAC security in Windows 7 says that two kids came up with a way to do that. That's not too surprising by itself, but Microsoft's reaction is. They say that's OK: (from Microsoft Denies Windows 7 UAC Vulnerability)

"However, Microsoft is standing by the change to UAC's default setting, saying it was the result of "a great deal of usability feedback on UAC prompting behavior," and that the feature cannot be exploited unless there is already malicious code running on the machine and "something else has already been breached.""

Well, yeah, and we all know THAT will never happen.