I agree with most of your debunking, but I think you (and many of the readers 
of this list) have been doing high-level security work for long enough to not really 
remember what it is like for the average computer user (if you ever were at 
that level).

I have four people that I think of when I think of the "average" user (my wife 
doesn't count, she's lived with me for 11 years and has picked up enough to 
permanently disqualify her from being an average user):

1) My dad. Mostly uses the computer for email, writing, and playing games. Does 
some basic office apps at work.
2) My mom. Uses the computer on a daily basis in a healthcare setting, which 
means specialized apps.
3) My sister. Basic home user, some active levels of online chatting and 
forums, as well as web-based recreation.
4) A user I supported in a previous job. She didn't hate computers, but they 
were just tools she used to accomplish her real work. She didn't own one at 
home and felt no need to. Was perfectly competent within her accustomed apps, 
but needed serious handholding to do anything new.

All four of these users are good candidates for the click-through scenario. 
It's taken years to train my family to *pick up the phone and call me* if they 
see something they don't understand. My parents are not dumb people (neither is 
my sister). However, they don't have the frame of reference to understand the 
implications of the various dialog boxes. They know that the system is trying 
to warn them about *something*, but they're not sure how serious it is or what 
the correct course of action is. After they've seen a given warning a few 
times, they're good to go, until it's a new application -- and then my phone 
starts ringing again until they get familiar with it.

I remember a couple Christmases back when I visited and sat down to clean out 
their computers and get them up on decent anti-malware protection. My mom sat 
down with me to watch. As I worked my way through the various tasks, she'd ask 
me why I'd answered a given dialog one way for one task and a different way for 
another. I realized that without the basis of my years of experience to draw 
on, giving her clear and concise answers to her questions -- enough for her to 
be able to understand the principles behind my choices -- was pretty difficult. 
The principles are easy; the application of those principles can require 
experience that the average user just doesn't have. Not because they're stupid, 
but just because they don't have the broad POV to know why X is the right 
choice in this situation.

This, incidentally, is why I pushed my family to use the Windows Defender beta. 
As malware protection, it wasn't the best on the market -- but having the 
community feedback integrated in the warning dialogs sure made it easier for my 
non-geek family to get that sense of expertise on-tap.

--
Devin L. Ganger, Exchange MVP      Email: [EMAIL PROTECTED]
3Sharp LLC                         Phone: 425.882.1032 x1011
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, February 27, 2007 6:49 AM
To: Murda Mcloud; Focus-MS
Subject: Re: Vista "complaints"

My thoughts?  Well, I'll tell you ;)

Complete and utter FUD.  Plain and simple.  And while I hate to say it,
reading stuff like that makes me wonder if Whitehouse has any more grasp on
reality than the man inhabiting our own Whitehouse today.

Let's note this passage about what would have to happen *first*:

"The most likely scenario is that a user gets compromised by malicious code,
from a Trojan [horse] or a vulnerability in a third-party application like
Office or a browser."

Oh, the awe a magician can inspire after "The Magic Rooting" takes place.
The UAC would, of course, prevent this from happening in the first place.  I
also doubt the "magic assumptions" of "most users would just click through
without a second thought."  No, users would have to enter the admin username
and password to install the malicious code to begin with. If they are
running as admin, then they would have the opportunity of looking at what
they were running, as well as the standard "This is from an unknown
publisher" dialog even after "just clicking continue."  But you wouldn't be
running as administrator, now would you?  No, you wouldn't.  There are other
technical inaccuracies, but I won't bother going into them because what
comes after "if I can get this installed on the box" simply doesn't matter.

In general, I find ramblings about what diabolical exploits can be crafted
*after* you get whatever code you need installed on the box to be comical.
But when they come from someone who should absolutely know (far) better, it
is simply unprofessional, and comes off like the proverbial "grasping at
straws" for attention. I believe it was Will Rogers who said "People who pay
for things rarely complain.  It's the people you give things to that you
can't please" or something along those lines.  Read: People will always find
something to complain about, and will often go way out of their way to find
justification for it.

Status: Debunked. ;)

And that is the skinny on that.

t
On 2/26/07 8:58 PM, "Murda Mcloud" <[EMAIL PROTECTED]> spoketh to all:

> What are your thoughts on this Thor?
> http://www.pcworld.com/article/id,129268/article.html
>
> (Surprise surprise ./ are loving this)
>
