Vista, not improving security?

Longtime reader and correspondent Phil Daley, a developer for a software vendor, dropped me a line saying he's three weeks into a four-week project to evaluate one of his company's products on Windows Vista. The goal is to identify any problems and recommend changes and fixes.

Daley tells me his company has a dozen install issues, but they're somebody else's problem. On the other hand, he has just found one command (out of 140) that crashes in Vista but not in XP.

He isn't surprised. "I don't think you can expect apps written a year ago to support new [operating system] changes," he says.

Daley is being kind. Call me old-fashioned, but surely managing and supporting backward compatibility should be a foundational design issue for the next generation of the dominant PC operating system. No?

What's really interesting is that he notes that with Vista, running as administrator solves a lot of application problems, as does turning off user account control.

He concluded with, "It will be interesting to see what happens. If users get fed up with the new security measures will they just turn them off?"

This implies that users would prefer to get work done rather than wrestle with security systems. Who knew?

Of course Microsoft is overengineering security in Vista. It has been beaten up so badly over the hundreds of security issues in the existing versions of Windows that it had no choice; it had to build Vista like a hardened nuclear bunker with blast-proof doors surrounded by fences with really picky guards checking your credentials.

Microsoft started with "Security, what's that?" when it released MS-DOS, and got around to "Name and password is good enough" in Windows 95. But it wasn't good enough, so in Windows XP security was elevated to "Let's see your clearance and then I'll unlock it."

That has proved to be inadequate as well, so Windows Vista upped the ante to "Repel all borders and batten down the hatches and what do you want you sniveling worm of a user?" That may be going too far if the consequences are so far-reaching that they break applications.

So, what's next? Windows security will get watered down because users don't like it and won't tolerate it, or Microsoft will make it impossible to not use it.

Imagine a Windows Genuine Security scenario: Genuine Windows Security has not been run for 24 hours. Click on "I do not wish to run the Microsoft Genuine Windows Security analyzer and agree that Microsoft is not liable in any way, shape or form for any security-related issues that may arise" or "Run the Microsoft Genuine Windows Security analyzer" to proceed. Thank you. The Microsoft Genuine Windows Security analyzer has determined that the password for your account does not conform to Microsoft Password Construction Standards. Click on "Fix password" to continue or "Do not fix password" to be logged out.

Microsoft is in a unique position. The market forces bearing on it are different from those affecting other vendors. There's more wiggle room down-market in security and vendors take advantage of their relative freedom.

For example, antivirus vendors will not agree on a common naming system for viruses and worms, while the adware/spyware product vendors can't even agree on exactly what they are defending us from.

This lack of cooperation is not surprising, as all these vendors are, not unreasonably, out to make a buck, but the result is confusion.

What's missing in the attempts to make our PCs secure are simplicity of implementation, understandability of purpose, users having a sense of really needing security, and trust in the vendors.

The problem for Microsoft is it's the only company that can drive the security agenda forward, but it looks like Vista may not be the engine to make that happen.

Do you feel secure? Tell or comment on Gibbsblog.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2006 IDG Communications, Inc.