Wednesday, April 19, 2006
Vista, Vista, Vista :-(
Paul Thurrott loves Microsoft. He runs the truly awesome SuperSite for Windows, which I read from time to time.
Today, I came across his review of the latest test builds of Windows Vista. Paul is clued, and if he's biased in any way, it'd be towards Microsoft. When Paul says great things about Microsoft products (including Vista), his reviews get floated around by Microsoft executives themselves.
So, it was a bummer to read his thoughts on the latest test builds of Vista.
What really piqued my interest was the section on User Account Protection. This morning, I echoed the same sentiments to my officemate, rather loudly, in fact loudly enough to catch the attention of a friend who was walking down the hall nearby. I would repeat my exact words here, but would rather not be quoted out of context as "even Microsoft employees think UAP's a <expletive> <expletive> <expletive>".
I don't want to be a "no bird", but I do want to be self-critical. Before Clippy shipped, how many Microsoft employees stood up and said "HEY! THIS IS GOING TO ANNOY USERS! THIS IS A REALLY REALLY BAD IMPLEMENTATION!"?
So don't get me wrong. I totally buy into the vision of UAP. But the execution in the latest builds is totally jank. Clicking on Windows Update disables the entire Windows UI and brings up a popup asking if Windows Update can run. Deleting a shortcut off the desktop does the same thing. How long will it be before users just turn the feature off like Clippy, or they just always click "Yes" like in IE? And what happens in corporate environments where IT departments force this feature on users? Users become less productive, more agitated, and Microsoft-averse.
In an attempt to be constructive, I'd first concede that there's no silver bullet solution here yielding both security and usability. But in this case, I think the balance is tilted so far on the security side that Windows becomes unusable to the extent that users will disable the security feature altogether, and then where does that leave us? So my suggestion would be to ease up a bit. If a user explicitly takes action (e.g., drags a shortcut into the recycling bin), suppress the confirmation dialog (and don't make it so modal!). If I do a similar action twice in a row within a short time period, don't prompt me each time. Don't prompt me for common operations performed by signed software that ships with Windows (e.g., Windows Firewall).
IDEA: Do a study on some average users living with Vista (we have these users and studies set up already). Gather data on when they click Allow/Deny. Put some harmless malware-simulation software on their systems that finds creative ways to perform operations (e.g., after a user clicks something that performs a file op, the malware performs a "bad" op of its own, etc.). See if the users click Allow for their own operations, and Deny for the malware operations.
(I'd also like to see their stress levels monitored, and a measure of their focus on a task they're trying to perform when these dialogs repeatedly pop up, but that is neither here nor there.)
Anyway, there's lots of room for improvement here. I hope it happens before Vista ships. I expect Microsoft customers to LOVE Vista as much as Apple customers LOVE OS X. If not, then we failed.
As with every other success and failure... time will tell.