Britney is #1 Virus Celebrity

No France writes "The two ways for an email virus to spread is to use an exploit, or entice the user to click the link/executable. Of course the latter is the easiest, and is the most effective when used in conjunction with a celebrity's name. Despite the recent Jackson suicide emails, Britney Spears is the one to recently edge out Bill Gates as the top virus celebrity. The top 10 (in descending order): Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson."

More intelligent software or users?

[Crimson+Dragon]

These kinds of stories, while making the majority among us cringe at the stupidity of the user that falls for this, underlies an important point.

THIS IS WHAT YOUR IT DEPARTMENT HAS TO DEAL WITH!

Millions of man hours and hundreds of millions of dollars go down the tubes to user ignorance. As these costs spiral, the IT sector diminishes. At some point, we will have to stop the patchwork of protecting the users from themselves and engage in the proactive education from these people so they don't hurt themselves and cost their companies, ISPs, and our economy in lost man hours and dollars. How to do this merits exploration, as for every new procedure we establish to protect the user, the user seems to find a way to break it somehow.

Re:More intelligent software or users?

[jalefkowit]

These kinds of stories, while making the majority among us cringe at the stupidity of the user that falls for this, underlies an important point.

THIS IS WHAT YOUR IT DEPARTMENT HAS TO DEAL WITH!

... at some point, we will have to stop the patchwork of protecting the users from themselves and engage in the proactive education from these people so they don't hurt themselves and cost their companies, ISPs, and our economy in lost man hours and dollars.

You're talking about educating human nature out of people. Good luck with that.

The lesson of stories like this one are not that we need to somehow engineer smarter users -- it's that modern information systems are not designed around users to begin with. They're designed around lists of features and ship-by dates.

A system should behave in a way that one would expect it to. Certain operations -- deleting things, say -- are obviously risky, and I've never met any user who didn't get that. But who would expect opening an e-mail to be a risky proposition? The fact that it undeniably is (in some environments) doesn't mean that people are stupid for not knowing which e-mails to leave closed, it means that e-mail is broken for many millions of users. The fact that e-mail as a medium can be exploited like that is a weakness of the medium, not the user.

You can lament human nature all you want, but it is what it is. A well-designed system should be able to deal with that. Having to train users to do alien things should be taken as a sign that your system may not be so well-designed, not as a sign that we need to get cracking on Human Being 2.0.

Re:More intelligent software or users?

[jalefkowit]

Good points... a few thoughts:

Antivirus software, malware removers, spam-reducing solutions.... these are not designed around users?

Nope. No, they're not. They're palliatives to problems that we have inflicted upon users, not systems designed with users in mind. How many users understand what "malware" is -- even those that run Spybot? Is a malware remover something that a user would choose to run, if they weren't forced to by imminent threat from exploitation of broken systems by malicious parties?

(None of which is to belittle the heroic work that people have done on products like Spybot to help patch these holes. It's hugely important. But can we depend forever on heroes?)

A person who has any idea that a computer is a general purpose machine... Why should anyone be surprised when it does something new or malicious?

See, this is the problem. The average user does not see their computer as a general purpose Turing device -- they see it through the prism of whatever application they happen to be using at that moment. If they're reading e-mail, the computer is an e-mail terminal. If they're browsing the Web, it's a Web terminal. If they're in Word, it's a word processor.

You and I know that the computer is a general purpose machine, infinitely reprogrammable, but the average person does not think that way. They approach the computer through a series of metaphors ("desktop", "mail", "pages"), and the vast majority expect it to follow those metaphors as closely as possible. When it doesn't -- when the abstractions start leaking -- it creates opportunites for malicious parties to exploit the user's resulting confusion.

Which is exactly what has happened with e-mail -- in certain cases it can behave in a very un-mail-like way. This behavior is being exploited to confuse users into doing the wrong thing. You can try to educate people into not doing the wrong thing, but as long as the underlying metaphor is "mail" it will be very hard to make significant progress.

Why must the responsibility be placed solely on the software developer... ruling out one possible angle that you can't disprove and blaming a group of people who, by and large, strive to produce workable solutions is an insult to the good work many among us have done.

Don't look at it as placing blame (my apologies, I didn't mean to come across as blaming you for the problem) -- look at it as opportunity. Apple's recent success in taming UNIX, and Firefox's success in taming Mozilla, should be a lesson to developers everywhere that you can really make it big by reducing complexity, locking down unnecessary options, and streamlining the user experience.

Biggest, most effective spam celebrity of them all

[ScentCone]

Is, of course, ourselves. My experience with phishing and other social-hacks-by-email suggest that the ones that seem to really trip people up are the ones that recipients think are about themselves. I have seen the enemy and he is us.