How an illusion leads to a myth about UAC

From http://www.useit.com/alertbox/dialog-box.html:
"One of the modern GUI’s greatest advances is the user illusion that the mouse pointer is an extension of your hand: you own the pointer, which has a certain physicality to it as you use it to manipulate objects on the screen. Of course, all of this is only an illusion, because the mouse pointer is really under software control. Clicking the physical mouse while the on-screen pointer rests on a picture of something isn’t really the same as clicking an object."

Unfortunately, user illusions like this sometimes lead to the myth that, for example, the OS can tell whether you or an application is trying to do something. This myth came up in debates about Vista’s UAC, like <http://groups.google.com/group/microsoft.public.windows.vista.general/browse_frm/thread/e105d5a3211c108d/d6114f3be741d1e5>.
Jimmy Brush <jb@mvps.org>, in a posting in this thread, explained excellently what is wrong with this myth:
"Now obviously, the OS knows where the user’s mouse is and where they
click on the screen. However, the OS *does not* know what the user
intends to do with that mouse click.

From the perspective of the OS, every application that is running on
the user’s system is a black box. The OS has no idea what that
application is going to do with a mouse or keyboard input;

It doesn’t know if a mouse-click on that application’s window is meant
to format a hard drive or close the application, because the entire
purpose of the application is to translate user input into actions
that are fulfilled by the Operating System, and the OS is not involved
in this process at all.

In fact, "users" never really run applications – an application is
ALWAYS the thing that runs other applications, whether it is explorer
running an application, a utility running a secondary application to
perform some background processing, etc.

The OS has no way to tell whether the user is intending for an
application to run based on where the mouse is, what the user clicked
on, or what buttons they have pressed on the keyboard, because it has
no idea what that application has told the user and whether the
application has made the user aware that their action will result in a
program being run."

Not that your program should not maintain this illusion, of course.
