Slashdot Mirror
Popup Study Confirms Most Users Are Idiots
danieltdp writes "Testing students at a University, psychologists made many of them click on a dialog box that in effect said: 'You are about to install some malware. Malware is bad. By clicking yes you are failing the Windows Darwin Test.' Nearly half of them said all they cared about was getting rid of these dialogs."
"You are about to submit a bad summary. The summary is bad. By clicking yes you are failing at Slashdot Darwin Test."
Doh!
For those of you just joining us, the article says nothing of the sort. The article actually says that they created fake "Application Error" dialogs with various numbers of "fake" aspects. e.g. The cursor turning to a hand over the "Ok" button, reverse colored text, browser borders, etc. Basically, stuff that should have made it obvious that these were malware windows. Nearly half of those tested "accepted" the dialogs to get them out of the way. Some of them simply minimized them for later.
The text referred to in the summary is an image created by Ars Technica with the caption, "Even this warning might not have helped".
Javascript + Nintendo DSi = DSiCade
I think my Bad Karma would testify to that!
Beer is proof that God loves us and wants us to be happy.
The actual text was "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." You're right, this is not "basically" (or even remotely close to) the text in Ars's little joke screenshot or what was posted in the summary.
The average computer user is the same as average TV user, a.k.a. Joe Sixpack
<sarcasm>
*gasp*
</sarcasm>
We computer professionals stick around other computer professionals - and nonprofessionals around us absorb enough knowledge from us by osmosis. So of course it FEELS like everyone is computer literate -- but they're not. We develop software for the braindead zombies and the braindead zombies use it.
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Summary is under ENTERTAINMENT. Tag says HUMOR. If it had been accurately reporting on the study, it would have been under SCIENCE. Read all the words.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
They didn't care if malware got installed on the researchers computers. Most university owned machines that are publicly accessible (e.g. in the library) get ghosted frequently. It doesn't matter what you do to them - tomorrow they will have a fresh install anyway.
From the article
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
Quit bugging me. Much more work needs to be done to eliminate "Are you sure?" requests. Working undo is always better than asking the user and making him regret the answer seconds later.
Study determines that people ignore dire warnings after experiencing that they're virtually always overstating and end up disregarding them as an annoyance.
Same general psychological area as the boy who cried wolf.
Anyone in IT knows this, with out needing a study to be done. Next time ask the guys who have had more than 3 years experience in any IT related field!
...increasing the number of times the user has to click "OK" doesn't increase security?!? Dang, I thought I was on to something.
Love,
Microsoft Windows UAC Designer
Well? He said it was "wrong", and it is. Calling it entertainment doesn't make it less wrong.
"Read all the words."
I suggest you do the same, specifically, the one spelled "w-r-o-n-g".
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
The bottom of the article has the actual conclusion that the article was trying to make:
Follow-up questions revealed that the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs have bred a degree of contempt and that users simply don't care what the boxes say anymore.
The authors suggest that user training might help more people recognize the risks involved with fake popups and the diagnostic signs of genuine Windows dialogs, but the fact that the students didn't appear to spend any more time evaluating the fake dialogs raises questions as to whether education is enough.
"All great wisdom is contained in .signature files"
I'm sorry, but I will not believe this data until Netcraft confirms it.
Popup study confirms most university students participating in the tests are idiots. Further research needs funding to confirm that most users are morons.
It must have been something you assimilated. . . .
We should celebrate these poor saps, for without them who would pay for the internet?
I, for one, have not seen a pop-up on any machine I am in charge of for about 3 years....
"Be light, stinging, insolent and melancholy"
the people writing the dialog boxes assume clicking no just shuts down the dialog box.
You could easily have events fire on the No as you do on the yes.
It takes a little work, but it is doable.
The Kruger Dunning explains most post on
This was not surprising and I don't place all the blame on the users.
There's a similar situation with semi experienced administrators. They may configure logging and monitoring on a system. Being security paranoid, they set the log level fairly low so they end up getting lots of alerts.
Somewhere along the line, however, the administrator stops paying as much attention. Maybe a CPU alert hits 100% every night. Then one day someone in Finance runs a half-assed join across a gateway and brings down a DB. The admin gets the alert but has gotten so used to them that it was ignored. This is worse than if he'd never gotten the alert at all.
The alerts that OSes put up (Vista, for example) and the host of browser and AV and IDE warnings get useless after a while. The system should do this transparently and not rely on the user to be the MAC layer.
My roommates' daughter, who isn't old enough to read yet, can navigate menus on the Nintendo Wii by using trial and error to determine which button "works" and which button "doesn't work" to get where she wants, then (with repetition) memorizing the position or appearance of the correct button. She has absolutely no idea what any of the text says if it isn't accompanied by pictures, but she only occasionally needs help navigating.
Shouldn't we expect better from adults using a computer?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
And we ask why Vista bothers people with UAC.
I don't think this says as much about the users as it does the usability of our computers.
Computers are commodity items now, the days where nerds interested in technical details were the primary demographic are long gone. People just want to do their job and move on with life, they don't care about memory registers or malware they just want to not be interrupted.
It really illustrates how dialog boxes as a warning system are a flawed mechanic, we got this fancy computer with a fancy operating system, why can't it figure out the right thing to do when an application tries to access memory it's not supposed to?
Guess my point is if we put as much effort into error handling and/or malware detection as we do our whiz-bang graphics, it might not even be a problem anymore.
In the users' defense, they are so used to having inexplicable and frequent error dialogs pop up under Windows, that it's not surprising that they ignore the details and just "click through". Windows creates a "little boy who cried 'wolf'" environment.
Proverbs 21:19
... replace user and try again ....
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
It's nice to see the quality of your commentary has improved to trolling typos, that's certainly better than what you usually have to say.
Way to improve yourself, keep up the work.
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
Oh wait. My bad. This is the article round-about. One day on Digg, another on Slashdot, another on Fark, another on Salon, and....
You know, if we stopped this, the internet would shrink to one-twentieth of its size!
bought a mac.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Braaaaaaaaaaiiiiiiiiiiiiins.
And frankly they shouldn't have to be. I have no idea why developers seem to think they should/are. Fail safe and log it so someone who does understand what's happening can make an alternative choice.
Deleted
That is close to what I was thinking. The main difference is that I don't think it was so much, "I don't care if malware is installed on someone else's machine," as, "I don't care what this dialog says on the crappy computer they gave me to work with."
My first thought upon seeing such a dialog on a machine someone else set up for me to use for a limited, low-importance task would be irritation that they don't properly maintain their systems. If it were my system, I would pay more attention to the dialog, but on someone else's seemingly buggy Windows system, I couldn't give two cents for what the dialogs say -- that's their problem.
On the other hand, if I noticed that the dialogs were suspicious, I would actually try not to install malware on their system -- again, if I even bothered to pay attention. I'm grouchy about other people's (perceived) sloppiness -- not a jerk who'd deliberately screw someone else's machine over out of laziness.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
It isn't just Windows either. Apps in Gnome, KDE and OpenOffice also open up stupid dialogs.
It is unreasonable to consider training users to be driven by popups. What would make more sense is for programmers to design their pop up use better so that it is more meaningful for the user.
Engineering is the art of compromise.
... this popup cmes up:
You're an idiot
[Allow] or [Cancel]
Click 'Cancel'.
Have gnu, will travel.
...how best to install something like this in a login script? I would like it to run through the login process, then at the end, pop up a window such as the one described, and log the results somewhere.
It's (a lack of) conditioning. Users are going about their tasks and some popup dialog appears. They know that in order to get rid of this thing and continue what they were doing before, they click 'okay'. They've seen these sort of dialogs many times before with hopelessly cryptic information, so they don't bother reading. They want the fastest and most effortless way to return to what they were doing before. They also remember that when these dialogs show up and they click 'okay', they go away and the user can get back to whatever they were doing. From their standpoint, clicking 'ok' randomly never gave a bad result (in the short term), so they don't associate it with anything catastrophic.
If clicking 'ok' to any and all dialog boxes meant the machine instantly BSOD'd, or an electric shock or what have you, they'd pay CLOSE attention to what those dialogs said. As it stands now, users have learned that clicking 'ok' lets them get back to work.
"Testing students at a University, psychologists
Like most psychological studies, it takes a small sample of american students and extrapolates the entire world's behaviour from that.
No wonder the "science" is so bad
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Would it be better if the test subjects clicked No? If the popups were malicious then couldn't they label "OK" as "NO" and "Cancel" as "YES"? If your browser is spawning a fake popup, aren't you already screwed anyway? Or if that's not bad itself, would clicking Yes make it any worse?
And frankly they shouldn't have to be. I have no idea why developers seem to think they should/are. Fail safe and log it so someone who does understand what's happening can make an alternative choice.
Queue floods of calls to the helpdesk of "My computer locked up again and told me to call you."
There are ways of fixing the situation of course, but not without having to create a new operating system, and then getting everybody to agree to use it (including have all code not written for said operating system abandoned). In short, in two or three generations when all the people who don't know basic computer security and operation have died, and not being able to spot a phishing scam will be looked upon much the same way that being illiterate is now, then the problem will have fixed itself.
Curiosity was framed, Ignorance killed the cat.
I don't really get why clicking OK on something that vaguely looks like a system error is a problem. If it is a script running inside a web browser, the script cannot do anything that it wouldn't be able to do without the script. If it is already a process running inside the OS, it means that you are already in trouble because it could also erase files or install programs without you clicking OK.
It would be more beneficial to malware if they could make a REAL Windows dialog ("Install new software, Allow?") look like a harmless message ("Print job finished."), but that would be pretty tough to do.
Avantslash: low-bandwidth mobile slashdot.
You're the retard.
It has really paid off. The semi-idiots find the desktop 'easy', and that's what we wanted.
I mean, does anyone bother to read those popup license agreements on Windows anyway?
I sure don't.
It ain't a contract if I didn't sign it.
-- Tigger warning: This post may contain tiggers! --
"It was a legitimate question."
No it wasn't Hatta, you logging-out-to-post-as-AC-because-you-just-made-an-ass-of-yourself-by-trolling-a-typo-piece-of-crap.
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
One thing worth noting is whether the students were using their own computers or computers on loan from the department. It's worth noting because most people care what happens to their own personal systems (because they're the ones who will be stuck fixing them) but care less if a school computer is infected for instance.
I'm not sure if this makes them idiots or just uncaring, either way it could be relevant.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Was the study done on the researcher's computer? One that the subject knows he will never see again?
I would actually have caught it, but I'm by any standards, a technically sophisticated user. But even if I realized the dialog was being "faked" with JS or whatever, I still wouldn't give a crap what happened to the grad student's computer. I'd assume one of two things: If I thought the dialog was real, then my guess would be you have some linkage looking by address into a DLL whose version has changed, or, whoever made your website is either an idiot and/or has some kind of hokey web builder tool like maybe a cracked dreamweaver or something...
Maybe, if I caught on to the game enough to realize the purpose of the experiment was to see if the user caught these error boxes, then *maybe* I'd care. Mostly I'd just laugh. The user who is savvy enough to even care about these error dialogs, probably sees right through them, and the rest, as the study unsurprisingly found, just want them to go away. I'd be thinking "you know, if I had a web based test to administer to the public, I am certain it would be from an unprivileged user account on a linux box" as I clicked whatever image I thought might make the popup go away. I might have even tried to see if I could get firefox to block it :)
-fb Everything not expressly forbidden is now mandatory.
Working in support, I have seen so many times where if an unfamiliar dialog box pops up, people either click on the option they are used to clicking on, or call support without even reading the message on the dialog box. It is like they are unable to physically see the contents of the dialog anymore, it has been beaten out of them. Often all I have to do is make them read me the dialog over the phone, which makes them process the info mentally, and they know which button they need to press then, having actually read and comprehended what was asked.
It is a very interesting problem, I think the solution is to make the buttons themselves say what they do, rather than clicking Ok or Cancel, have the button say "Exit crashed program", or "Install new program" or what have you. Always being OK or Cancel conditions people to just blindly click.
There is plenty to drink about these days...
Been that way for a while, if you ask me
You better watch out, there may be dogs about . .
I see a lot of people jumping to conclusions about how this is the fault of programmers for using the dialog box too much, etc, etc, etc. I call BS. If you write software for people who are computer illiterate (which happens a lot in my field. i write software for veterinarians), they'll click on anything and do everything, no matter the consequences. A simple "undo" isn't enough. They need to understand what they just did. If a popup don't pop up and say "you're about to delete something" they won't even know they deleted it until its too late (closing program, etc). You can't keep an infinite list of "undos" either. So, you're left to assume one of two things. 1) The person has read instructions, understands what they're doing, and understands they're responsible for breaking it OR 2) They haven't read any instructions, will click on what they think makes sense and when they break it, they call support, bitch and moan, taking up valuable time. Maybe in a bigger company, thats acceptable, however, *I* do both the programming AND support as we're a company of about 5 people. I can't be dealing with people who are idiots. I challenge anyone to make something thats completely foolproof without popups AND thats still aesthetically pleasing to look at AND easy to use.
Maybe people should just realize they're using delicate instruments and should treat them as such. These aren't toys, but systems that cost hundreds, sometimes thousands of dollars to build. Its not the programmers' fault. Its the user's. If the user refuses to educate himself to not be a fool, there's really no way to try and make something foolproof.
AKA, "What he said." (Sorry if you're a girl Hank, I'm assuming...)
Some privacy policy Slashdot.
One of my favorite hobbies is loading up Japanese arcade games in MAME and trying to figure out how to play them.
The instructor for my intro to CAD class does his lectures with the projector talking his way through the proceses, anyways, whenever he gets a box that pops up asking for his input, he'll read it out loud, replacing the 'you' with 'I', e.g. "I do not want to see this box again!", but he'll forget to check the box so he'll do the same thing again and teh box will come up again and he'll read it outloud again.
He also refers to selecting things as 'picking' and middle clicking as 'pushing the center button'. It drives me nuts.
If the tools aren't working well for people then the design of the tool is wrong.
If you build a ATM (cash dispenser) that spits out the money before it returns the card then you'll find that a not insignificant number of people leave the machine without retrieving their card. In their brains the task they are doing (getting money) is complete so they walk away.
Thus cash machines return the card first and then give you your money.
You have to design things to work the way real people work. Calling people idiots is just a cop out.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
select count(users) from world where clue > 0
Query results: 0
Well, obviously, after clicking ok on a popup, another popup should open that contains a picture of the previous popup and a message "This is what you just clicked. Are you sure it's not malware?" That should take care of it. If enough of us send suggestions to Microsoft, there may be enough time to get it into Windows 7.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
This reminds me of a gag from Mike Nesmith's Elephant Parts.
"We're not just hoping you're dumb, America... we're banking on it!"
http://www.youtube.com/watch?v=pEPxc3RW4js
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
It proves that popup dialogues are annoying.
It annoys me that, somehow, frequently, if the school is MIT, then Slashdot posts it as
"MIT's Godlike faculty show something about human nature."
but if it's NC State, also a very good school, it gets posted as:
"Some no-name school had a crazy funny study."
Every time I install a piece of "legit" software, I have to click through an agreement claiming that there is no guarantee the code will work or that it won't fry my hard drive or mess up my other software or destroy my life's work or render me sterile or cause a resonance cascade scenario. I think that sort of thing is what most trains less technical users to just "click through" anything. They click through warnings all the time and nothing bad ever happens ... at least until something bad does happen, and even then they might not understand the connection if it doesn't happen immediately.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
It's well known that users don't deal with pop-up dialogs very well, they are an interruption preventing the user from doing what they are trying to do. I notice a lot of users don't even notice them they just keep trying to do what they were trying to do and it takes them a while to realise that a pop-up dialog has stolen focus and is preventing them from doing anything. pop-up dialogs are just a very bad user interface. It's not a problem with the users it's a problem with the developers using them. - Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
Our geekland propensity for dismissing users as stupid because they can't navigate cryptic interfaces just makes me laugh.
I would be interested to see what would happen in the experiment if users were given an application that used pop-ups to request that users make understandable choices, with understandable consequences.
Shouldn't that be what we are aiming for?
don't mess with those geekgrrls
That Microsoft's whole concept of improved security in Vista based on bugging the user every third time he clicks the mouse isn't valid?!
Does this surprise anyone outside of Redmond? I'm being sarcastic, of course. UAC allows Microsoft to blame the user, "After all, you _allowed_ the malware to be installed."
You are in a maze of twisty little passages, all alike.
I don't profess to being a pro at all. I don't work in IT, I know nothing about any sort programming, I can't even do basic HTML without a guide.
But I can still recognise a pop up and know they're irritating.
If each mistake being made is a new one, then progress is being made.
An excuse to continually ignore usability, something which many in the software industry already do a pretty good job of doing. Maybe 2009 will be the year of the Linux desktop..or maybe not.
The article suggests (by referring to the possibility that one user's mishandling of the dialogs, were they real malware, would have led to problems for the next user) that the user of the computer did not own that computer. If I am being tested on someone else's computer I might not care about trying to figure out whether the dialog boxes were real or were malware. I would probably be more focused on the task I was told to complete, and I would probably not feel sorry for the stupid testers who had let their systems get infected or who had directed me to navigate to malicious sites.
about installing malware on some psychologists' computer?
Lax editing confirms most slashdot submitters are idiots.
Popups should reveal the cryptic stuff only when a debug flag is set, which defaults to off in end-user builds of the software. In all other cases there should be something like "$APPNAME has crashed due to a bug. Please report the contents of $APP_DATADIR/crashlogs/$DATE.txt to us as http://domain/crashes [domain]. [OK]". The user should always know what the thing that just happened means for him, not what exactly happened. If someone really wants to know the details he can take the config file and add a line saying "Errors = verbose" or something like that.
The errors I got did that, when Firefox crashed a popup popped up in OS X telling me Firefox suffered an error and asked if I wanted to report it to Apple and the Firefox developers. It could then send a log of what happened.
Falcon
Should there be a Law?
Glad it's humor because any semblance of any reality to a threat analysis and user response is sadly lacking.
The study was for browser-based dialog threats only - RTFA.
In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control....
I find it hard to express without sarcasm that when an app or machine gets buggy, the cursor or pointer may go south, and I think that this is a NOT-TOO-UNCOMMON experience - not in frequency of occurrence, but in the BREADTH of users who have experienced it.
My postulated user thinking: "OK, it went south - it's all gobblety - even the cursor is nuts...."
The "researchers'" postulated user thinking: "Galloop, galloop, galloop - well, gee, Tennessee - lookie me while I ignore gobblety - hurhur, hurhur, I don't even notice the cursormagikit change-a-late'n...."
Yes, in a perfect world, users know everything about their experience and their machine's interface. Welcome to reality. Until that's fixed, blaming users for not recognizing malware vectors is idiotic. Had users been capable of recognizing malware vectors in the first place, malware wouldn't exist.
Sorry if I'm having a bad day on this one. But if there's any merit to my point and add the fact that the sample size is small, then science this ain't. And I'm disgusted that the FA calls users idiots, right from the headline.
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
We are so inundated by damn buttons to click that many of us will click it to get it the hell out of the way -
Have you ever scratched an itch that you weren't supposed to scratch?
I think at some point we are reacting on a guttural level as opposed to a logical level - this leads to observably stupid behavior that is really more emotional response than true stupidity. Annoy me enough and I promise I'll start doing stupid things.
my 2 cents
Microsoft has trained people to click "OK", "Open", "Run", "Install", "Continue", or whatever button (wherever it is) that gets you past the idiot box.
Apple had until recently avoided this mistake. NOT (as some people have said) by making the buttons more meaningful, but by simply NOT trying to use warning dialogs in place of good design.
For example, Mac OS doesn't ask you if you want to move a file to the trash, and it doesn't ask you if you want to empty the trash, because these are common actions, and the dialog box becomes something you reflexively accept.
Recently, as I say, Apple has started to deviate from the path of virtue. I've caught my Mac in bed with promiscuous dialogs on many occasions.
But by comparison with Windows (particularly Vista)... my Mac's still pretty much a dialog virgin. Really.
This is an unmodified screen capture of an actual Windows dialogue box. I have no idea what program triggered it.
http://i246.photobucket.com/albums/gg109/splorpdotorg/whatwouldyoudo.jpg
(I left it onscreen until I rebooted -to be fair, this was Windows 98SE).
Please don't humanize the morons around me. It makes me very uncomfortable.
It seems that people don't care when using a public PC whether they download a U2 torrent or some nasty malware. I have to admit to downloading and storing pron (personal use) from the school library a long time ago. Everything was going fine I almost had my USB drive full of educational material then Norton started whining, long story short I had to spend the next 2 hours removing the nasty malware. I felt guilty. But I did manage to download plenty of material after all...
Not My Computer. That's what I'd imagine is going on in the subjects' heads. Here they are brought in to a professionally made and run computer lab. They are given a task and in the course of completing that task something mildly interfering happens. They dispatch the interference in order to continue with the assigned task and that action had no bad consequences. Seems like a poorly designed study to me.
Notmysig
Don't use dialog boxes to allow or reject a dangerous action.
Dialog boxes only require passive action of clicking somewhere on the screen to dismiss, or pressing a single key; this is not safe.
Reject by default, unless you have proof the user specifically asked it.
Provide the user a subtle prompt. Force the user to take explicit action; a dialog box is only used to confirm a change.
Never use a dialog box to display an error or any non-fatal caution.
If the action is severe enough; make the user type out a few words to confirm it.
> In short, in two or three generations when all the people who don't know basic computer
> security and operation have died, and not being able to spot a phishing scam will be
> looked upon much the same way that being illiterate is now, then the problem will have
> fixed itself.
It would appear that you believe that all of those who "grew up with computers" know basic computer security and operation. This is just as true as it is that all of those who "grew up with books" are able to read and understand James Joyce.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
A dialog in the web browser that contains some gobbledygook is generally either something you can safely dismiss by clicking wherever you like, or you have lost already by the time they show up.
Those dialogs that actually grant something permission to do something unsafe are designed by people who actually worry about bad press for their software (e.g., Java etc.) and try to be clear.
However, more generally, Yes/No dialog boxes should probably just be removed from UI toolkits; they are almost always bad and not needed.
It wasn't their computer! If you give me your computer to do a job for you, I don't care if the bloody thing bursts into flames or if you've sent me to a malware site.
.
Explain to me how changing a cursor to another familiar style of pointer becomes an "obvious" sign of malware.
Your browser is behaving bizarrely. An "application error" dialog pops-up. Now that is a surprise. Tell me why you shouldn't believe it is authentic?
It strikes me that these messages are like fire alarms. Let's face it: when large groups have regular drills the first response on hearing yet another alarm is not "I should probably leave reasonably quickly now" but rather "not another freaking drill/false alarm, I'm busy". They then proceed to wander out aimlessly in dribs and drabs, all assuming that it's nothing more serious than an irritating work interruption or chance to skive off. This is the same thing on a much larger scale: popup dialogs occur with depressing frequency and, not unlike fire alarms, rarely presage anything more serious than some program asking inane questions and/or dying for reasons obscure. So of course people will start to treat them with contempt! Not that this is a good thing, but it is understandable.
I don't know what the clueless nerd squad did, but very many people pointed out the real problem: the brower's UI equated "encrypted connection" with "authenticated site." The correct behavior is to treat encrypted sites with self-signed certs the same way as unencrypted sites.
Are you adequate?
I grew up surrounded with books and I can't stand James Joyce.
Possibly the same reason why people who grew up with Unix can't stand Windows... :)
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Amen to that. Microsoft's three guiding philosophies of "good enough" and "how can we make this the users problem instead of ours" and "holy crap it worked, lets make sure they notice" manifest themselves most frequently in their own pop-up windows, modal or up from the task bar or whatever.
Every time I start my laptop it feels the need to show a bubble telling me the wireless network is connected. What do you want, a cookie?!? You know what? You're supposed to connect don't come bragging to me about it whenever you do.
The same thing happens every time I plug in a USB drive. "You have connected a removable media device. Click to close." Thanks for that, just in case I wasn't aware I plugged in a device. How thoughtful.
Whenever I put in a CD it has to autorun something because the average user has no idea how to get to the CD drive unless it pops up in front of them. Which is nice because I'd hate to be treated like a grownup and have to launch the appropriate application or file myself.
--
You are about to send off an anti-Microsoft tirade
-- Cancel ---- Allow --
You're right. Though I have Leopard I see no reason to install it.
This happens the first time I launch every single application I download or receive as a mail attachment, and as I mentioned, quite a few things that aren't even applications.
I'm glad I didn't install Leopard then. However I may get a new Mac, which Leopard will be installed on, by the end of the year.
Fslcon
Should there be a Law?
Off topic? You decide. I'm the "pc/mac guru" to about a thousand clients and fancy myself as a source of sane, but elite, advice. Anyway, when I first saw the Time Machine preference panel's giant off/on switch I thought, OK, this is the end of user confusion on the subject. Not... Yesterday a client called me, having trouble with his backup. Turns out he saw the darkened, background, non-"switch" representation of the Time Machine panel as the indicator (as opposed to the lighter part, which most people would perceive as the "switch"). Once I threw the switch, "it just worked."
Say hello to my little sig.
User Account Control is a huge failure and this is why. People don't care about what a pop-up says as long as they can get rid of it.
Crash handling should be done as a framework function that can route the app to a debugger, perform a crash report etc.
It should be relatively easy to do some sort of image analysis to see if a browser is displaying something that looks like an OS pop-up and if it is then either mask it or repaint it with a skull and crossbones.
Engineering is the art of compromise.
I am far more cautious with my home computer than with my employer's computer.
At the university I went to, the ghosted the machine the second you logged off. I couldn't imagine it being any other way. How would you even know the machine was owned? Some of the latest malware can dig itself almost as deep into the OS as you can on Linux (it is trivial to bury malware in a linux box as root)
Isn't your normal dialog. Unlike other modal dialog boxes, a UAC is a *sytem wide* model dialog box. You cannot do *shit* until you confirm it. You might snark, but I think UAC dialogs are "scary" and with a minor amount of training, they'll call you when they get one. A normal user, doing normal things should never get a UAC dialog. You should only get one when you are installing a driver, software or you have a program like Digsby or Firefox that auto-updates as part of loading itself (which is retarted, IMHO).
Unix systems blame-shift too. Once you log into root, you can install just as much malware as if you click through a UAC dialog.
What do you want them to do?
Look at your log file sometime. Full of useless crap that buries the good stuff. You've got 75% of your log full of stupid failed SSH attempts from script kiddies, 10% from "hi, I'm named and my log level is not perfect so I'm going to tell you that somebody looked for pornjunction.com and I couldn't find it". 10% for "errors" in daemons, only they aren't really errors. Then you've got 4% from some fucked up cron job. That leaves like 1% for the truely useful error message that might actually be of value.
My point? Linux, FreeBSD or any other unix OS has just as many inexplicable, frequent error messages, only instead of dialog boxes, they pollute your log files instead.
PS: The event log is no different.
I'd say that this has more to do with programming errors and cryptic error messages in those popups than anything else. I mean, how often do we see something in a popup that 1) Average Joe user doesn't have a hope of understanding, or 2) something completely unnecessary.
We, as programmers, should be ashamed for creating a "never cry wolf" scenario that has created this mentality among users. Similarly, for all those "next" button clicks with the nonsense involved. How many of us just click next, eh?
don't repeatedly do stupid things and bitch about it.
Where are the mod points when you really need them?
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
In short, in two or three generations when all the people who don't know basic computer security and operation have died, and not being able to spot a phishing scam will be looked upon much the same way that being illiterate is now, then the problem will have fixed itself.
This is a variation on the old "Education is the solution!" mantra (which actually isn't too far from the conclusion reached in TFA).
There's only one minor problem with this mantra.
It's balls.
Albert Einstein is popularly attributed with saying that "Insanity is doing the same thing over and over again and expecting different results." Well,
we've been trying to educate people to RTFError Message over and over again for years. Why do you think that one day we'll get different results?
Which is okay because a study confirms most users are idiots... So if user shall fail we might as well make the process short... :)
Isn't the reaction of the test subjects likely to have been influenced by the fact they're not using their own PC? They're sat in a lab, with researchers having given them exact instructions of what to do, and they're suddenly confronted with unexpected dialogs. They just want to get rid of them and get on with the task at hand, possibly not taking as much care of the PC as they would their own.
the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs have bred a degree of contempt and that users simply don't care what the boxes say anymore.
No surprise. Most people dealing with security from a HID perspective knew that long before UAC put the final nail in the coffin.
Popup dialogs are dead. Anyone who uses them is an idiot.
Assorted stuff I do sometimes: Lemuria.org
What this tells me: users are sick of their computer interrupting them with "crap data" while they're busy trying to do something else (even if that something else is photoshopping Lindsay Lohan's head onto a poodle).
The modern GUI stopped evolving about 1987 or so. We haven't gotten past the stage where when a new condition is discovered, the system pops up an error window that requires a user to click it before normal operation can resume.
For some things, like a system halt, this is necessary. For most? Unlikely.
Pay attention, Linux GUI-heads... you Windows GUI designers too, if your company allows you.
Anti-Globalism, Traditionalism, and FreeBSD.
s/users/developers/
There, fixed it for you. It hurts, right?
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
All this tells me is that the paradigm is wrong.
Could be a problem with the "Windows" interface.
Could be a problem with the modern GUI interface.
Maybe the PC paradigm itself is wrong.
You can shift the blame and call everyone stupid or you can try to help come up with the newer better paradigm.
No. Maybe replace James Joyce with Dostoyevsky. This is James Joyce:
A random paragraph from Finnegan's Wake via Finnegan's Wiki. Basic computer security and operation is not that complicated. Now I want soup....
Clovis
^ Clovis, look! It's that guy you are!
[Bender is checking his e-mail inside of his head]
Bender: Porn. Porn. Free porn. Get rich watching porn? I find that rather hard to believe. [reading] Scientists at West Johnson Pornoversity need test subjects to rate top quality roborotica. Ooh, top-quality.
[A "Scan for virus?" alert pops up]
Bender: Warning, perform virus scan? I'm waiting for porn over here.
[Bender repeatedly clicks "No"]
Bender: Oh, yeah, come on, baby.
[An obedience virus downloads itself into bender, and he starting babbling nonsense] ...
Nudar: Guess I was wrong. There was a robot stupid enough to download the obedience virus.
"MIT betrayed all of its basic principles."
Doesn't vim have a case-insensitive replace mode? :-P
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
I wrote a proof of concept Mac virus back when Apple first started bragging how Mac was immune to viruses. Guess what, Mac users DEFINATELY ARE NOT.
In my test on both Windows and Mac, I found that on Windows thanks to paranoia, 5 out of 10 times, you could get a user to click ok to installing malware. On Mac, you could gain root access more than 9 out of 10 times simply by presenting what appears to be an installation application and prompting for the administrator password.
What was worse is that I performed some experiments regarding antivirus software. What I found was... Mac antivirus software was excellent about detecting Windows viruses and avoiding sending or receiving them via e-mail, but it was extremely easy to hide viruses from Mac antivirus software. In fact, it was REALLY REALLY easy to make and install OpenFirmware malware that none of the antivirus software even looked for.
Really? I wouldn't know. I've been drinking.
Choosing Windows is already an indicator of lower intelligence. Using Windows OTOH is an unfortunate consequence, for most PC users, of Microsoft's anti-competitive monopoly practices.
"Programming today is a race between
software engineers striving to build bigger
and better idiot-proof programs, and the
Universe trying to produce bigger and better
idiots. So far, the Universe is winning."
- Rich Cook
"Fish" (David B. Trout)
Were the students running this experiment on their own PCs? I'd care more about malware being installed on my own computer than on some computer I'll never use again.
It wasn't mentioned in the article, but I sadly doubt the results would be much different.
Opening a business in alcohol is a sure way to survive the recession/Depression.
Food is also a necessity, so maybe buy-up a few grocery stores.
The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
I have watched with delight as this discourse has unfolded and various advocates have explained how designers, programmers, usability experts, users themselves, manufacturers, educators, and perhaps God should somehow think and work harder to ensure that software users don't make cavalier, disdainful, or uneducated choices that are harmful to themselves. Are you serious?
Before you assassinate me, be aware that I am a retired IT practitioner and executive. I made a career of developing software and managing projects with the goal of at least keeping people from hurting themselves, mainly because my employer and the stockholders' money was on the line.
But on a personal level, the owner of a computer is operating is at his own peril. There are no wrong choices that we have an ethical obligation to protect him from. To the extent that we intervene and insulate him from his mistakes we create the moral hazard of permitting him to err without consequence. This denies him the opportunity to learn and grow to be an intelligent, fully functioning, technologically competent member of the 21st Century. We are enablers of his disease, just as much as we would be for our alcoholic friend that we drive home, put to bed, lie to his wife for, and cover for with his boss.
Stop the hang-wringing. Write the program, pop up the dialog box, give the choice, take the action, and be done. If the user screws up, he can reinstall his stuff or take his box to the repair guy. He'll learn an important lesson. And you can spend your time learning to write programs that don't need so many pop-up dialogs.
The "Mind if I reboot your machine now?" dialog has to be the worst of them. There you are, innocently coding away, and a dialog pops up that will reboot your machine the second you hit "enter" which, it turns out, is a reasonably common key, and which I always seem to be just about to type when Windows decides to drop by for a chat.
It's not the average where half are under and half over, the median is the point where half are over and half under.
If we look at the wikipedia entry for average, we'll see that in addtion to the mean, "There are many other types of averages, such as median (used most often to describe house prices and incomes)." So you can use the word "average" as in the joke and still be correct.
Yes the majority of users are idiots. Why? Because they run Windows and they have been trained to expect Windows to fail frequently. They don't look at the message boxes because they don't care what they say. They're busy. Who has time to waste looking at the same error message you see 3 or 4 times a day, every day.
The problem isn't the users, it's Windows.
Fanatically anti-fanatical
To quote Trekkie Monster from the musical Avenue Q:
In volatile market, only stable investment is porn!
95% of YN dialog boxes HAVE to be clicked YES or else something adverse happens.
They pop, we say yes.
True malware attackes no matter what you say, so why would you believe its warnings?
Where is real peer review in this world? Where is the scientific method?
Try this for a study.
Clicking Yes will make this box go away forever.
Clicking No will earn you $5.
I'll bet most users will still click yes. :-)
How long does your average Joan College pretend to hover within the testgiver's proscenium arch (for what? extra credit? 5$US an hour or per session?) before saying, "Blow this...!" and getting the hell out? As a semi-pro test scorer on big national accounts I'm not allowed to mention by name, I have to say the procrustean mindset roolz when it comes to No Child Left Untested. The bright ones who recognize the boundaries of the game and scribble beyond the borders get docked for being venturesome — not overtly, in most cases, but by failing to fall inside the parameters of the rubric. So this study seems cocked to me.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
I mean, do we really need studies to tell us what is already a given? People, not just users, ARE IDIOTS.. They believe in global warming. They believe in WMD. They believe in letting our government spend OUR MONEY to bail out rich jackass financial CEOs. What else?
the sake of drinking... doesn't that... compound things?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Matters?
SO in respomse to your question of "what does that make you?"
I'll give you this
"When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him."- Jonathan Swift
Stop deluding yourself into thinking that when you find a gaggle of idiots to agreew with you that somehow their agreement means anything about the value of your opinion.
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
Getting a mysterious popup on some random website while you're web surfing is one thing, but these students were specifically asked by researchers to check out these websites.
Why would a student assume that the researcher has pointed them to a harmful website? And because they were told to "watch the sites load," wouldn't at least some of them assume the popups were part of the process? Also, why would a student care if a university computer were infected with malware?
This study doesn't tell me that "most users are idiots." It tells me that most college students follow directions. I think the study would have been better if the users had found these sites without being prompted and if their own computers were at risk.
"This reminds me why I have a -6 modifier on new users."
Why, because you're a pompous dick?
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
I'd be more worried if people clicked through blindly in a study where they simulated browser warning dialogs that indicated that the website was trying to do something possibly malicious (downloading a file, installing software, etc). The worst that those "error messages" could have done would be open some really bad pornsite when you clicked the 'Ok' button.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
If you had read the article and looked at the example image, you would see where the summary got that text from. Don't worry though, there are plenty of tards living kickass lives!
The world you experience is only a close approximation of reality.
"You're funny."
I know.
"But if you really want to believe I've been logging out to troll you AC, go right ahead. That just makes it funnier."
Well, you lying about it makes it "funnier" still.
And what's even "funnier" is that you obsessively denying it.
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
I'm currently doing both design AND programming and I was wondering what people think of dialog boxes used for input. Yea [OK] dialogs are awful, but what other strategies can you use for data? I have a few in mind, but I'm not sure they are as effective.
There was a time, back in 1995 "when dinosaurs ruled the earth", when people paid attention to pop-up dialog boxes. Unfortunately, Windows 95 and subsequent versions of the most used desktop OS in the world made of these widgets "the boy who cried wolf".
Useless pop-up messages such as "Application X has performed an illegal operation.<OK><Cancel>" or "Invalid use of an integer at 2e0fa33 <Debug><Cancel>". People would panic and call tech support; the answer was invariably "don't worry just click <OK> or <Cancel>". AOL added to this mess by bombarding their dial-up users with pop-up ads as they were waiting to go online.
Now, after over a decade of conditioning, we wonder why people have learned to ignore the critters?
People who grew up accustomed to using Macs or Linux pay more attention to dialog boxes because there are less of them. Even I, who use a version of all three OSs, have to fight the urge to dismiss every little nonsensical popup when I am on a Windows machine.
The biggest usability problem is that in the Windows world -- especially if you are using Vista-- you have to read through 12 useless dialog boxes to find one that is actually useful. I bet the results would have been more interesting and useful if the study had included regular Mac, Linux and UNIX/CDE users.
The reason for this is that computers don't work properly, by definition .
Think about it. As soon as a piece of technology attains the degree of perfection that almost anyone can use it, the users stop referring to it as a "computer". Palm Pilots work, so people don't refer to them as computers (even though they are). Ditto smart phones, e-books, Blackberries, linux-based media centres, pocket calculators, cash registers, ATM machines, and so on.
If you got into a business where they have well-set up PC's that actually perform the jobs that their intended to do with a minumum of fuss, you'll tend to find that the users refer to them as "wordprocessors", or "terminals", or "dealing stations" or "workstations", or some other functionally-descriptive word.
If the system then starts acting up (say, network problems), you'll notice that people stop referring to their PCs as "terminals" and start going back to calling them "computers" again. "Computer" is a word that signifies compexity and unreliability.
So, if you work in an IT department, it can be educational to find out what your users call the things sitting on their desks. If they think that they're using "computers", then chances are, you have unhappy customers.
If your company's hardware runs //really// smoothly, people stop referring to the hardware at all, and instead start using more abstract terms to refer to, say, the software package.
So: the ultimate aim of IT departments should be to to try to abolish "computers" from company offices. If you still have "computers" in your company's general offices, then that's a sign of IT failure.
Eric Baird
Because the people we're trying to educate will be dead by then. Those that grow up with this stuff will already know it. It's the difference between trying to pound it into peoples heads, and them picking it up from being submerged in it culturally. Sure there will always be a select few that aren't going to get it, but there's always going to be a few that don't get something in any group. It doesn't matter if you're talking about computers, cars, or how to change a lightbulb.
Curiosity was framed, Ignorance killed the cat.
Classic! :D
Eric Baird
...and if that doesn't immediately close it, ctrl-alt-delete to see what's running, or if I really want to panic, the power plug.
I get the netflux things on cnn all the time.
Tag lost or not installed.
The problem is not that people don't read dialog boxes--it's that they don't read *period*.
People do not read signs.
They don't look at prices, they don't notice instructions, they don't pay attention to warnings.
Eene meene mutte, ...
pin pon frutti
Just play russian roulette, with the comfort of your sofa (of reinstalling in worst case);
if you don't like it you could always put away "the gun" and turn off your pc...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
The test is flawed. The test is supposed to see whether or not students would respond to fake popups in their normal browsing. However, these students were told to sit and watch as pre-determined and supposedly "safe" pages were loaded. There is a difference between getting a popup from a respected medical site, and getting one from a page that has never been visited.