Slashdot Mirror


Britney is #1 Virus Celebrity

No France writes "The two ways for an email virus to spread are to use an exploit, or entice the user to click the link/executable. Of course the latter is the easiest, and is the most effective when used in conjunction with a celebrity's name. Despite the recent Jackson suicide emails, Britney Spears is the one to recently edge out Bill Gates as the top virus celebrity. The top 10 (in descending order): Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson."

12 of 275 comments

  1. sad by calvincopter · · Score: 2, Insightful

    I don't understand how anyone can get e-mail viruses easily. I never get any e-mail viruses, but when I do, it's either too obvious and I delete them. How do you guys get e-mail viruses then?

    1. Re:sad by daikokatana · · Score: 2, Insightful
      Easy. Because people out there actually *want* to be fooled.

      I bet you 100$ that I can go out on a sunny day, offer people a deal where they have to pay for air (or something similar), and they fork over the dough after a while of creative talking.

      As long as people think that there must be at least a few mails that deliver what they promise, they'll keep on clickin'.

      --
      http://jcsnippets.atspace.com/ - a collection of Java & C# snippets
    2. Re:sad by RCanine · · Score: 2, Insightful

      You've obviously not worked with non-computer-types before. I use the word computer-types because computer-savvy does not accurately describe the phenomenon, an individual who:

      • may be (but often is not) very good with computers
      • may (but often does not) use a computer every day
      • may (but often does not) invest a lot of money into their own personal computer.

      Yet

      • Does not read warning dialogues, merely clicks "Ok" through each
      • Cannot use or locate preferences, configuration or options
      • Forgets about the second mouse button
      • Refuses to learn anything other than the click-this-to-do-that
      • Expects it to work, all of the time, no matter what
      • Likes fun things like Bonzi buddies and weatherBugs
      • Will not remember a new task that has more than 3 steps until they have done it four or five times with instruction.

      These sort of people are the majority of computer users, and they operate on the Anton (not Pavel) Chekov theory of computer use: if there is a file attachment over the mantel in act one, it must be opened by act three.

      These people are the reason why I only recommend Macs--because their system offers a lot more built-in protection between the keyboard and chair, and their software is (for the most part) easy enough to teach gradually and without a jarring, frustrating or confusing experience.

  2. More intelligent software or users? by Crimson Dragon · · Score: 3, Insightful

    These kinds of stories, while making the majority among us cringe at the stupidity of the user that falls for this, underlies an important point.

    THIS IS WHAT YOUR IT DEPARTMENT HAS TO DEAL WITH!

    Millions of man hours and hundreds of millions of dollars go down the tubes to user ignorance. As these costs spiral, the IT sector diminishes. At some point, we will have to stop the patchwork of protecting the users from themselves and engage in the proactive education from these people so they don't hurt themselves and cost their companies, ISPs, and our economy in lost man hours and dollars. How to do this merits exploration, as for every new procedure we establish to protect the user, the user seems to find a way to break it somehow.

    --
    The Crimson Dragon
    1. Re:More intelligent software or users? by jalefkowit · · Score: 5, Insightful
      These kinds of stories, while making the majority among us cringe at the stupidity of the user that falls for this, underlies an important point.

      THIS IS WHAT YOUR IT DEPARTMENT HAS TO DEAL WITH!

      ... at some point, we will have to stop the patchwork of protecting the users from themselves and engage in the proactive education from these people so they don't hurt themselves and cost their companies, ISPs, and our economy in lost man hours and dollars.

      You're talking about educating human nature out of people. Good luck with that.

      The lesson of stories like this one is not that we need to somehow engineer smarter users -- it's that modern information systems are not designed around users to begin with. They're designed around lists of features and ship-by dates.

      A system should behave in a way that one would expect it to. Certain operations -- deleting things, say -- are obviously risky, and I've never met any user who didn't get that. But who would expect opening an e-mail to be a risky proposition? The fact that it undeniably is (in some environments) doesn't mean that people are stupid for not knowing which e-mails to leave closed, it means that e-mail is broken for many millions of users. The fact that e-mail as a medium can be exploited like that is a weakness of the medium, not the user.

      You can lament human nature all you want, but it is what it is. A well-designed system should be able to deal with that. Having to train users to do alien things should be taken as a sign that your system may not be so well-designed, not as a sign that we need to get cracking on Human Being 2.0.

    2. Re:More intelligent software or users? by jalefkowit · · Score: 4, Insightful

      Good points... a few thoughts:

      Antivirus software, malware removers, spam-reducing solutions.... these are not designed around users?

      Nope. No, they're not. They're palliatives to problems that we have inflicted upon users, not systems designed with users in mind. How many users understand what "malware" is -- even those that run Spybot? Is a malware remover something that a user would choose to run, if they weren't forced to by imminent threat from exploitation of broken systems by malicious parties?

      (None of which is to belittle the heroic work that people have done on products like Spybot to help patch these holes. It's hugely important. But can we depend forever on heroes?)

      A person who has any idea that a computer is a general purpose machine... Why should anyone be surprised when it does something new or malicious?

      See, this is the problem. The average user does not see their computer as a general purpose Turing device -- they see it through the prism of whatever application they happen to be using at that moment. If they're reading e-mail, the computer is an e-mail terminal. If they're browsing the Web, it's a Web terminal. If they're in Word, it's a word processor.

      You and I know that the computer is a general purpose machine, infinitely reprogrammable, but the average person does not think that way. They approach the computer through a series of metaphors ("desktop", "mail", "pages"), and the vast majority expect it to follow those metaphors as closely as possible. When it doesn't -- when the abstractions start leaking -- it creates opportunities for malicious parties to exploit the user's resulting confusion.

      Which is exactly what has happened with e-mail -- in certain cases it can behave in a very un-mail-like way. This behavior is being exploited to confuse users into doing the wrong thing. You can try to educate people into not doing the wrong thing, but as long as the underlying metaphor is "mail" it will be very hard to make significant progress.

      Why must the responsibility be placed solely on the software developer... ruling out one possible angle that you can't disprove and blaming a group of people who, by and large, strive to produce workable solutions is an insult to the good work many among us have done.

      Don't look at it as placing blame (my apologies, I didn't mean to come across as blaming you for the problem) -- look at it as opportunity. Apple's recent success in taming UNIX, and Firefox's success in taming Mozilla, should be a lesson to developers everywhere that you can really make it big by reducing complexity, locking down unnecessary options, and streamlining the user experience.

    3. Re:More intelligent software or users? by arkhan_jg · · Score: 2, Insightful

      Which is exactly what has happened with e-mail -- in certain cases it can behave in a very un-mail-like way. This behavior is being exploited to confuse users into doing the wrong thing. You can try to educate people into not doing the wrong thing, but as long as the underlying metaphor is "mail" it will be very hard to make significant progress.

      Actually, I'd argue that email works in a very mail-like way, even when it's being used against the recipient.

      Say someone sends you a letter. You open it, read the pretty coloured card inside, and toss it in the bin. Thing is, you are now infected (through your skin and breathing ultra fine dust) with the infectious agent that was impregnated on the card. You now spread that virus to your family and friends by close contact (spreading on a lan).

      Possible, but not likely, right?

      Now imagine where 10%-20% of your letters are like this, and 60% more of them are the worst kind of fraudulent advertising and hardcore porn adverts. (numbers pulled from my server logs)
      Imagine that people can send you these virus infected letters anonymously, with virtually no chance of them being caught, and even if they are, there's virtually no laws against what they're doing. Oh, and make it so sending all this crap to you is free for the sender, and is paid for by the recipient.

      Think our human friendly postal mail system would survive like that? Or would it start to collapse from fear of hidden viruses, and dead postmen from carrying the huge sacks of junkmail to each door every day.

      In the end of the day, it's not the over-trusting user, it's not the post system that allows anonymity, it's not the lack of enforceable laws from the government, it's not the low cost of sending that causes the problems - it's all of them combined.

      Altering the user metaphor for the way they interact with their computers won't make the problem go away; we need a multipronged approach, and user education to not do bloody stupid things is part of that.

      To draw a metaphor; sharp knives are dangerous objects. If an adult stabbed themselves in the eye with one, because someone left a post-it note on it telling them to do so, could we legitimately blame the user for being a bloody idiot? (well, as well as the post-it note leaver).

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  3. Biggest, most effective spam celebrity of them all by ScentCone · · Score: 4, Insightful

    Is, of course, ourselves. My experience with phishing and other social-hacks-by-email suggests that the ones that seem to really trip people up are the ones that recipients think are about themselves. I have seen the enemy and he is us.

    --
    Don't disappoint your bird dog. Go to the range.
  4. Re:Virus Drills by Linker3000 · · Score: 2, Insightful

    Pretty soon they won't check their email at all and the organisation grinds to a halt!

    --
    AT&ROFLMAO
  5. No Surprise Here by rudy_wayne · · Score: 2, Insightful

    "entice the user to click the link/executable. Of course the latter is the easiest, and is the most effective when used in conjunction with a celebrity's name. "

    Proving once again that the number one security problem is not Windows, or flaws in Windows -- it is user stupidity.

  6. Creative, but wrong. by RealProgrammer · · Score: 2, Insightful

    I applaud your creativity, but that's bad training.

    • Some users may never see the virus-laden email, since the junk email controls you have implemented (haven't you?) will catch your message.
    • Users will bypass it. Word will quickly spread about the test, probably by an email "hoax warning" from that tech wannabe in the office. Users will have a heightened resistance to your mail, or on the other extreme may open it since they know it's from you.
    • It sets up the IT department as the villain, perpetuating the "us vs. them" mentality.
    • It doesn't give the users enough A:B comparisons between good attachments and bad ones.

    Generally speaking, positive reinforcement (reward for good behavior) works better than punishment for bad behavior. Punishing bad behavior may get results, but it also reduces overall performance for both the individual and the group, by engendering fear of failure.

    Negative reinforcement (rewarding good behavior by removing punishment) can work well in the right circumstances. The punishment should have been already earned and deserved, and both the good and bad behavior should be related somehow to the punishment.

    Users are demanding the ability to use their email as a file copying and storage mechanism. We as sysadmins can point out that we have a much more efficient means of doing that - this file server over here - but they don't seem to like that. You can lead a horse to water but you can't make him think.

    If you really want to do some training:

    1. Make a fake virus that when run gives the user immediate feedback, lying to them that it's doing damage.
    2. Make another attachment that just says "bad choice, I could have been a virus".
    3. Make other messages that are harmless text or pdf attachments.
    4. Set up a formal testing session in which the users are given a bunch of regular spam, good mail, and a mix of your attachments. Tell them not to open bad attachments but to try to open the good ones.
    5. After the formal training session, do a real world test in which they are rewarded for the good attachments they open. This time for the bad choices, only include the "I could have been a virus" ones.

    Done in a spirit of cooperation, rather than confrontation, you should see an immediate sharp reduction in the number of viruses that people open.

    --
    sigs, as if you care.
  7. Re:Lemme Guess by Golias · · Score: 2, Insightful

    The limit of two terms for a US President goes all the way back to George Washington. A lot of our founding ideas were a reaction to what we perceived as the fundamental unfairness of the monarchy, so we took steps to rigidly limit the power of our executive. An 8-year maximum term was one of those steps.

    FDR broke it by serving part of a third term before his death, and there were a lot of people who wanted to get a third term out of Reagan... but traditionally, it's not an option.

    Even if we've got a "really great president" (which seems increasingly unlikely these days, given the candidates put up by both major parties over the last 20 years), it's two terms and out, and, generally speaking, we like it that way.

    --

    Information wants to be anthropomorphized.