Our Chief Security Advisor often writes what's on his mind and sends it to us internally at Microsoft or includes it on the security newsletter.

How many times have you struggled when presented with perfectly proper pop-ups asking you if you want to allow something to happen on your computer?  User Access Control (UAC) was of course meant to give computer users the opportunity . . . or, more importantly, the right to determine whether a critical activity such as downloading a software program could happen.  Before UAC the computer user faced the daunting challenge of automatic downloads without any user intervention, and the possibility of a crashed program or computer.   Of course it would be best if the user had absolute control . . .he said after reading so many complaints from “computer rights” people who wanted to know how many “1s” and “0s” were being fed into their computer.

So . . . there you have it.  Now tell me again why you aren’t happy?

Most of us just ‘want the computer to work’, and we want it to intuitively know what we want.  That’s reasonable enough, isn’t it?  Do computer users really want to have to decide whether the Active X script is needed?  Or do we want someone to decide for us . . .  Do you ask - “What is Active X” and if my computer needs it to download what I want, then why are you asking me?”  Of course, the technical folks in the crowd guffaw at such seeming ignorance.  But the vast masses of computer users frankly just don’t know whether they should “Allow” something, or if it really is ok to “Agree” when asked in order to complete a download of a desired software program, or application.  We just want it to work and to work properly, and most importantly, we want to trust Microsoft or any software, hardware, or process provider - that’s why we trade with one business over another, isn’t it?

Trust is earned over a long period.  But it only takes a few seconds to destroy it.  I was asked a few days ago why it is that before certain Microsoft websites are loaded the user receives a notification that the registration or certification is not valid, and the user must decide whether to allow it to load.   Hey, if I get a notification about a Microsoft site, the very company that I trust, am I to now mistrust Microsoft, or mistrust the whole warning system altogether?  But let’s think about this for a moment.  A quick analogy is in order.  I drive a 1999 Mercedes.  It drives and rides like a dream.  Yet it has one very irritating fault - the tail light fixtures are constantly overheating causing the bulbs to burn out and a nagging dash light “you have a faulty light” to come on.  It bugs me to no end (not to mention the cost of having it replaced), and at first I wondered if Mercedes can’t get a stinking tail light problem right, what about the rest of the car?  Yet, I wouldn’t think of getting rid of the car - it’s a mechanical marval.  And, the Merc repair people tell me that this fault has been taken care of in newer versions.  So I drive on.

Is this any different than the pop up telling us that a particular Microsoft site is not certified or registered properly.  I don’t think so.  A minor irritation?  Sure.  But such matters are soon fixed and we carry on because we know the trust we have placed in Microsoft to help make a more secure computing experience has been earned over a long period.  The odd irritant is just that.  But just as when that oil light glows on the dashboard and you know instinctively to check the oil, the same goes for when deciding to Allow, or Agree, or say Yes.  You’ve got to do a bit of checking because as when your oil light came on it’s up to you to decide if it’s safe to proceed. 

But there’s the rub.   Many people do not instinctively know what to do when they are asked to Allow, to say Yes, or to Agree.  Not because they don’t want to know, they simply have not had sufficient experience to know.  The computer and the Internet are fantastic tools.  But safe computing does not mean it’s always someone else’s responsibility.  Each of us is responsible for what we allow to take place on our computer.  The days of not taking responsibility are gone.  The computer is your car, you’ll have the odd irritation, but overall you can trust Microsoft to continue to make sure your computing experience is safe and secure - but when you are asked whether to Agree, to say Yes, or Allow, it will take a bit of work on your part to know for certain what to do until you are acting decisively, instinctively.

Learn more about safe computing.  Click on www.GetSafeOnline.org or www.Microsoft.com/Protect

If you have concerns, or comments, please send me an email at EdGibson@Microsoft.com .  I would love to hear from you.

Edward P Gibson
Chief Security Advisor
Microsoft Ltd