Windows 7 security not worse than Vista

Screenshot of the current release of the KDE Unix desktop
Screenshot of Windows 7. Hehe, wait a minute…

Don't read too much into the heading for this post and assume that the Mac and FreeBSD guy all of a sudden thinks Windows Vista is peachy. I'm not defending the security record of Windows, I'm arguing against the assertion that fewer UAC dialog boxes will result in less security. I feel as though I'm beating a dead horse with this issue, but it keeps coming up.

Ina Fried over on CNET News.com has written an article titled "Windows 7 less annoying, but also less secure?" where she reports that Windows 7 will be displaying fewer of those irritating UAC warning dialog boxes whenever a user tries to do something:

Microsoft’s efforts to make Windows 7 less annoying than Vista may also be making it less secure than its predecessor.

With Windows Vista, the operating system popped up a warning any time a major change was being made to the system, whether by the OS or by a third-party application. With Windows 7, users can choose how often to be notified, with the current default set to notify only when a third-party application is making a change.

The assertion here is that UAC security dialog boxes somehow make computers more secure, and that the removal of some situations where these messages would appear therefore makes Windows 7 less secure.

The [primary] problem with this line of reasoning is that UAC security dialog boxes don't improve security to start with. All they do is train users to click the Allow button as a reflex. On Mac OS X and free software desktops such as the ones on GNU/Linux or FreeBSD, an attempt to make a destructive or hardware-based change will, most of the time, bring up a dialog box prompting the user for their password, or for the root user's password. This seems to be a far more sensible way to go.

To quote a post I wrote back in May 2007 when I was rebutting another CNET article that claimed the Mac versus PC advertisement for Vista was inaccurate:

Irritating pop-up messages that appear so often that people just get used to hitting "Allow" without reading what they say are no argument for security. The advertisement in question is not saying that Windows computers are too secure; the advertisement is saying that because Windows computers have so many security problems, Microsoft had to take drastic action. The result was a poorly implemented warning system that did everything to irritate end users and nothing to improve security.

Reducing the number of situations where these messages would appear in Windows 7 won't reduce security. Microsoft has made a lot of really bad moves with regard to the security of their products, but reducing the verbosity of this flawed system isn't one of them. I'm not Bill Kurtis.