Slashdot Mirror


Popup Study Confirms Most Users Are Idiots

danieltdp writes "Testing students at a University, psychologists made many of them click on a dialog box that in effect said: 'You are about to install some malware. Malware is bad. By clicking yes you are failing the Windows Darwin Test.' Nearly half of them said all they cared about was getting rid of these dialogs."

19 of 568 comments

  1. Summary is WRONG by AKAImBatman · · Score: 5, Informative

    "You are about to submit a bad summary. The summary is bad. By clicking yes you are failing at Slashdot Darwin Test."

    "Testing students at a University, psychologists made many of them click on a dialog box that in effect said: 'You are about to install some malware. Malware is bad. By clicking yes you are failing the Windows Darwin Test.'"

    Doh!

    For those of you just joining us, the article says nothing of the sort. The article actually says that they created fake "Application Error" dialogs with various numbers of "fake" aspects. e.g. The cursor turning to a hand over the "Ok" button, reverse colored text, browser borders, etc. Basically, stuff that should have made it obvious that these were malware windows. Nearly half of those tested "accepted" the dialogs to get them out of the way. Some of them simply minimized them for later.

    The text referred to in the summary is an image created by Ars Technica with the caption, "Even this warning might not have helped".

  2. The actual text by KingSkippus · · Score: 5, Informative

    The actual text was "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." You're right, this is not "basically" (or even remotely close to) the text in Ars's little joke screenshot or what was posted in the summary.

    1. Re:The actual text by ari_j · · Score: 5, Informative

      The legitimate error messages of that form often do, indeed, surround "read" with quotation marks.

    2. Re:The actual text by Anonymous Coward · · Score: 5, Informative

      That's typical for these error messages in Windows. The error message is legit, this is something that a regular Windows user might see (I don't want to use the word "commonly", but it's relatively common as far as Windows error messages go). From looking at the error message it looks to me like it's a basic Windows error message where the OS fills in the quoted strings (source address, target address, IO operation). All of them are double-quoted. The actual error in Windows would be printed exactly like this:

      The instruction at "0x77f41d24" referenced memory at "0x595c2a4c". The memory could not be "read". Click OK to terminate program.

      Even though I assume that's a template for several error scenarios, I've never seen one during my own usage that didn't specify "read". The actual text is a regular Windows error though, the display of the text was what was supposed to alert users (browser status bar, borders, close/minimize buttons, colors, etc). So it's not the error message that was supposed to be suspicious, just the context that it's shown in.

    3. Re:The actual text by bigstrat2003 · · Score: 2, Informative

      I've never seen one during my own usage that didn't specify "read"

      If you're dealing with faulty memory (the usual reason you'll see those errors come up a lot), you'll also definitely see similar errors about "the memory could not be 'written'." The "read" version is definitely more common, though, for some reason.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard

    4. Re:The actual text by X0563511 · · Score: 2, Informative

      Smitfraud would do something like that. Start popping up errors like that and killing random (other) programs on pressing OK. Then, after a few days, start popping up actual browser popups selling tools to 'fix' windows.

      When the user buys said 'fix,' someone runs off with their account information at worst, at best simply rips them off as they didn't need to 'fix' to begin with.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

    5. Re:The actual text by Mr Z · · Score: 2, Informative

      *points* Hey, it's a BASIC programmer!

      In C that'd be "\"read\"".

  3. Even more importantly... by hellfire · · Score: 5, Informative

    The bottom of the article has the actual conclusion that the article was trying to make:

    Follow-up questions revealed that the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs have bred a degree of contempt and that users simply don't care what the boxes say anymore.

    The authors suggest that user training might help more people recognize the risks involved with fake popups and the diagnostic signs of genuine Windows dialogs, but the fact that the students didn't appear to spend any more time evaluating the fake dialogs raises questions as to whether education is enough.

    --

    "All great wisdom is contained in .signature files"

  4. The funny thing is by geekoid · · Score: 5, Informative

    the people writing the dialog boxes assume clicking no just shuts down the dialog box.
    You could easily have events fire on the No as you do on the yes.
    It takes a little work, but it is doable.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  5. Re:Newsflash! by danbert8 · · Score: 4, Informative

    Incorrect... Diffusion is a flow of material from high concentration to low concentration. Osmosis is the diffusion of water across a membrane.

    --
    Yes it's an anecdote! Were you expecting original research in a Slashdot comment?

  6. Re:Study confirms most popups are idiotic by Blakey Rat · · Score: 2, Informative

    Windows already has most of your suggestions implemented, the problem is that third-party developers generally ignore it.

    There's:
    * The Application Error Reporter tool thing for reporting crashes (without making the user click through to a website, as in your example.)
    * The Error Console, a place for applications to record the technical nitty-gritty of the error without bothering the user with it.
    * Some amount of different "levels" of reporting, for example, the notification tray can be used to report non-fatal errors that nevertheless need reporting.

    There's no real way to make a window type that "only" the OS can use. The malware authors would just open one up, take a screenshot and change the text. If you removed the ability to take screenshots, they'd just start up VNC first and do it.

    Displaying something only the OS should know is an interesting idea... like let the users customize a window border by splattering paint and then it might be blatantly obvious which windows were their personal design, and which were fakes (different splatter pattern and different colors.) Has anybody seen anything like that implemented?

    Of course I'm actually overthinking this; most people would still click malicious popups even if they only remotely looked like real windows at all.

    Yup.

  7. And that is the problem by sillypixie · · Score: 2, Informative

    Our geekland propensity for dismissing users as stupid because they can't navigate cryptic interfaces just makes me laugh.

    I would be interested to see what would happen in the experiment if users were given an application that used pop-ups to request that users make understandable choices, with understandable consequences.

    Shouldn't that be what we are aiming for?

    --
    don't mess with those geekgrrls

  8. er popups by falconwolf · · Score: 2, Informative

    Popups should reveal the cryptic stuff only when a debug flag is set, which defaults to off in end-user builds of the software. In all other cases there should be something like "$APPNAME has crashed due to a bug. Please report the contents of $APP_DATADIR/crashlogs/$DATE.txt to us at http://domain/crashes. [OK]". The user should always know what the thing that just happened means for him, not what exactly happened. If someone really wants to know the details he can take the config file and add a line saying "Errors = verbose" or something like that.

    The errors I got did that: when Firefox crashed, a popup popped up in OS X telling me Firefox suffered an error and asked if I wanted to report it to Apple and the Firefox developers. It could then send a log of what happened.

    Falcon

  9. Response should be obvious by mysidia · · Score: 2, Informative

    Don't use dialog boxes to allow or reject a dangerous action.

    Dialog boxes only require passive action of clicking somewhere on the screen to dismiss, or pressing a single key; this is not safe.

    Reject by default, unless you have proof the user specifically asked it.

    Provide the user a subtle prompt. Force the user to take explicit action; a dialog box is only used to confirm a change.

    Never use a dialog box to display an error or any non-fatal caution.

    If the action is severe enough; make the user type out a few words to confirm it.
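
Added example, not part of the original thread or of any commenter's post: one way to code the confirmation policy listed in comment 9 (reject by default, a dismissed prompt never counts as consent, a severe action requires typing out a few words). The function names, the sample phrase and the sample inputs are assumptions constructed for illustration.

```python
def normalize(text):
    """Collapse whitespace and case so only the words themselves must match."""
    return " ".join(text.split()).casefold()


def authorize(user_initiated, typed, required_phrase):
    """Return True only if a severe action may proceed.

    user_initiated  -- True when the user started the action (menu, command)
    typed           -- text entered at the prompt, or None if it was dismissed
    required_phrase -- the words the user must type out
    """
    if len(required_phrase.split()) < 2:
        # A one-word or one-key confirmation is as passive as clicking OK.
        raise ValueError("confirmation phrase must be a few words")
    if not user_initiated:
        return False  # reject by default: the user never asked for this
    if typed is None:
        return False  # closed, Esc, timeout: dismissal is never consent
    return normalize(typed) == normalize(required_phrase)


# Constructed sample attempts: (user_initiated, typed)
PHRASE = "install unsigned software"  # hypothetical confirmation phrase
SAMPLES = [
    (False, "install unsigned software"),  # prompt raised by a page, not the user
    (True, None),                          # prompt dismissed
    (True, ""),                            # Enter pressed to get rid of it
    (True, "y"),                           # single key
    (True, "ok"),                          # habitual answer
    (True, "  Install   unsigned software "),  # deliberate, typed-out consent
]


def run_samples():
    """Evaluate every constructed attempt against the policy."""
    return [authorize(u, t, PHRASE) for u, t in SAMPLES]


if __name__ == "__main__":
    for (u, t), ok in zip(SAMPLES, run_samples()):
        print(f"user_initiated={u!s:5} typed={t!r:34} -> {'ALLOW' if ok else 'DENY'}")
```
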

  10. Re:The benefit of simulated system errors? by Pork Flavour · · Score: 3, Informative

    It's a lot easier to have a popup browser window which links to a site with arbitrary nasty scripts, than to embed said nasty script on the original site.

  11. Encryption vs. authentication by Estanislao Martínez · · Score: 2, Informative

    And yet the clueless-nerd-squad was up in arms when Firefox made it *really hard* to accidentally hit "OK" and wind up trusting a totally bogus SSL certificate.

    I don't know what the clueless nerd squad did, but very many people pointed out the real problem: the browser's UI equated "encrypted connection" with "authenticated site." The correct behavior is to treat encrypted sites with self-signed certs the same way as unencrypted sites.

  12. Re:People aren't idiots, people are people. by Tawnos · · Score: 2, Informative

    Almost every machine I've ever used gives money followed by cash.

  13. Re:People aren't idiots, people are people. by Tawnos · · Score: 2, Informative

    Er...money followed by *card*.
    Epic fail on my part, please be gentle oh mods of destiny.

  14. Re:People aren't idiots, people are people. by bigstrat2003 · · Score: 2, Informative

    Calling people idiots is just a cop out.

    Not with computers it isn't. I work in end-user support, and, while I see people genuinely confused by shitty software sometimes (it does happen), many, many people who can't use a computer effectively are in that boat because they won't try. They've convinced themselves that the computer is a magic black box, and they can't learn to use it no matter what they do. These people are truly idiots, and it's a waste of time to try to hold their hand. Save your effort for the people who try to work with you.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard