Slashdot Mirror
Popup Study Confirms Most Users Are Idiots
danieltdp writes "Testing students at a University, psychologists made many of them click on a dialog box that in effect said: 'You are about to install some malware. Malware is bad. By clicking yes you are failing the Windows Darwin Test.' Nearly half of them said all they cared about was getting rid of these dialogs."
"You are about to submit a bad summary. The summary is bad. By clicking yes you are failing at Slashdot Darwin Test."
Doh!
For those of you just joining us, the article says nothing of the sort. The article actually says that they created fake "Application Error" dialogs with various numbers of "fake" aspects. e.g. The cursor turning to a hand over the "Ok" button, reverse colored text, browser borders, etc. Basically, stuff that should have made it obvious that these were malware windows. Nearly half of those tested "accepted" the dialogs to get them out of the way. Some of them simply minimized them for later.
The text referred to in the summary is an image created by Ars Technica with the caption, "Even this warning might not have helped".
Javascript + Nintendo DSi = DSiCade
The actual text was "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." You're right, this is not "basically" (or even remotely close to) the text in Ars's little joke screenshot or what was posted in the summary.
The average computer user is the same as average TV user, a.k.a. Joe Sixpack
<sarcasm>
*gasp*
</sarcasm>
We computer professionals stick around other computer professionals - and nonprofessionals around us absorb enough knowledge from us by osmosis. So of course it FEELS like everyone is computer literate -- but they're not. We develop software for the braindead zombies and the braindead zombies use it.
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Summary is under ENTERTAINMENT. Tag says HUMOR. If it had been accurately reporting on the study, it would have been under SCIENCE. Read all the words.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
They didn't care if malware got installed on the researchers computers. Most university owned machines that are publicly accessible (e.g. in the library) get ghosted frequently. It doesn't matter what you do to them - tomorrow they will have a fresh install anyway.
From the article
To quote LongNoi "QZTR was right and won't leave me alone because I called him a moron when I was wrong" FYS
Quit bugging me. Much more work needs to be done to eliminate "Are you sure?" requests. Working undo is always better than asking the user and making him regret the answer seconds later.
Study determines that people ignore dire warnings after experiencing that they're virtually always overstating and end up disregarding them as an annoyance.
Same general psychological area as the boy who cried wolf.
The bottom of the article has the actual conclusion that the article was trying to make:
Follow-up questions revealed that the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs have bred a degree of contempt and that users simply don't care what the boxes say anymore.
The authors suggest that user training might help more people recognize the risks involved with fake popups and the diagnostic signs of genuine Windows dialogs, but the fact that the students didn't appear to spend any more time evaluating the fake dialogs raises questions as to whether education is enough.
"All great wisdom is contained in .signature files"
I'm sorry, but I will not believe this data until Netcraft confirms it.
the people writing the dialog boxes assume clicking no just shuts down the dialog box.
You could easily have events fire on the No as you do on the yes.
It takes a little work, but it is doable.
The Kruger Dunning explains most post on
This was not surprising and I don't place all the blame on the users.
There's a similar situation with semi experienced administrators. They may configure logging and monitoring on a system. Being security paranoid, they set the log level fairly low so they end up getting lots of alerts.
Somewhere along the line, however, the administrator stops paying as much attention. Maybe a CPU alert hits 100% every night. Then one day someone in Finance runs a half-assed join across a gateway and brings down a DB. The admin gets the alert but has gotten so used to them that it was ignored. This is worse than if he'd never gotten the alert at all.
The alerts that OSes put up (Vista, for example) and the host of browser and AV and IDE warnings get useless after a while. The system should do this transparently and not rely on the user to be the MAC layer.
My roommates' daughter, who isn't old enough to read yet, can navigate menus on the Nintendo Wii by using trial and error to determine which button "works" and which button "doesn't work" to get where she wants, then (with repetition) memorizing the position or appearance of the correct button. She has absolutely no idea what any of the text says if it isn't accompanied by pictures, but she only occasionally needs help navigating.
Shouldn't we expect better from adults using a computer?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I don't think this says as much about the users as it does the usability of our computers.
Computers are commodity items now, the days where nerds interested in technical details were the primary demographic are long gone. People just want to do their job and move on with life, they don't care about memory registers or malware they just want to not be interrupted.
It really illustrates how dialog boxes as a warning system are a flawed mechanic, we got this fancy computer with a fancy operating system, why can't it figure out the right thing to do when an application tries to access memory it's not supposed to?
Guess my point is if we put as much effort into error handling and/or malware detection as we do our whiz-bang graphics, it might not even be a problem anymore.
In the users' defense, they are so used to having inexplicable and frequent error dialogs pop up under Windows, that it's not surprising that they ignore the details and just "click through". Windows creates a "little boy who cried 'wolf'" environment.
Proverbs 21:19
And frankly they shouldn't have to be. I have no idea why developers seem to think they should/are. Fail safe and log it so someone who does understand what's happening can make an alternative choice.
Deleted
It isn't just Windows either. Apps in Gnome, KDE and OpenOffice also open up stupid dialogs.
It is unreasonable to consider training users to be driven by popups. What would make more sense is for programmers to design their pop up use better so that it is more meaningful for the user.
Engineering is the art of compromise.
An idiot has lower cognitive and social ability than a moron. I would expect that if the university students are idiots, then most users are just bags of water and foul smelling gasses.
"There can be little doubt that union activities lead to continuous and progressive inflation." F. A. Hayek
"Testing students at a University, psychologists
Like most psychological studies, it takes a small sample of american students and extrapolates the entire world's behaviour from that.
No wonder the "science" is so bad
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I don't really get why clicking OK on something that vaguely looks like a system error is a problem. If it is a script running inside a web browser, the script cannot do anything that it wouldn't be able to do without the script. If it is already a process running inside the OS, it means that you are already in trouble because it could also erase files or install programs without you clicking OK.
It would be more beneficial to malware if they could make a REAL Windows dialog ("Install new software, Allow?") look like a harmless message ("Print job finished."), but that would be pretty tough to do.
Avantslash: low-bandwidth mobile slashdot.
Buy a Mac, so that your stupidity doesn't damage your OS! Apple should start a new advertising campaign with that one.
One thing worth noting is whether the students were using their own computers or computers on loan from the department. It's worth noting because most people care what happens to their own personal systems (because they're the ones who will be stuck fixing them) but care less if a school computer is infected for instance.
I'm not sure if this makes them idiots or just uncaring, either way it could be relevant.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Was the study done on the researcher's computer? One that the subject knows he will never see again?
I would actually have caught it, but I'm by any standards, a technically sophisticated user. But even if I realized the dialog was being "faked" with JS or whatever, I still wouldn't give a crap what happened to the grad student's computer. I'd assume one of two things: If I thought the dialog was real, then my guess would be you have some linkage looking by address into a DLL whose version has changed, or, whoever made your website is either an idiot and/or has some kind of hokey web builder tool like maybe a cracked dreamweaver or something...
Maybe, if I caught on to the game enough to realize the purpose of the experiment was to see if the user caught these error boxes, then *maybe* I'd care. Mostly I'd just laugh. The user who is savvy enough to even care about these error dialogs, probably sees right through them, and the rest, as the study unsurprisingly found, just want them to go away. I'd be thinking "you know, if I had a web based test to administer to the public, I am certain it would be from an unprivileged user account on a linux box" as I clicked whatever image I thought might make the popup go away. I might have even tried to see if I could get firefox to block it :)
-fb Everything not expressly forbidden is now mandatory.
Working in support, I have seen so many times where if an unfamiliar dialog box pops up, people either click on the option they are used to clicking on, or call support without even reading the message on the dialog box. It is like they are unable to physically see the contents of the dialog anymore, it has been beaten out of them. Often all I have to do is make them read me the dialog over the phone, which makes them process the info mentally, and they know which button they need to press then, having actually read and comprehended what was asked.
It is a very interesting problem, I think the solution is to make the buttons themselves say what they do, rather than clicking Ok or Cancel, have the button say "Exit crashed program", or "Install new program" or what have you. Always being OK or Cancel conditions people to just blindly click.
I see a lot of people jumping to conclusions about how this is the fault of programmers for using the dialog box too much, etc, etc, etc. I call BS. If you write software for people who are computer illiterate (which happens a lot in my field. i write software for veterinarians), they'll click on anything and do everything, no matter the consequences. A simple "undo" isn't enough. They need to understand what they just did. If a popup don't pop up and say "you're about to delete something" they won't even know they deleted it until its too late (closing program, etc). You can't keep an infinite list of "undos" either. So, you're left to assume one of two things. 1) The person has read instructions, understands what they're doing, and understands they're responsible for breaking it OR 2) They haven't read any instructions, will click on what they think makes sense and when they break it, they call support, bitch and moan, taking up valuable time. Maybe in a bigger company, thats acceptable, however, *I* do both the programming AND support as we're a company of about 5 people. I can't be dealing with people who are idiots. I challenge anyone to make something thats completely foolproof without popups AND thats still aesthetically pleasing to look at AND easy to use.
Maybe people should just realize they're using delicate instruments and should treat them as such. These aren't toys, but systems that cost hundreds, sometimes thousands of dollars to build. Its not the programmers' fault. Its the user's. If the user refuses to educate himself to not be a fool, there's really no way to try and make something foolproof.
If the tools aren't working well for people then the design of the tool is wrong.
If you build a ATM (cash dispenser) that spits out the money before it returns the card then you'll find that a not insignificant number of people leave the machine without retrieving their card. In their brains the task they are doing (getting money) is complete so they walk away.
Thus cash machines return the card first and then give you your money.
You have to design things to work the way real people work. Calling people idiots is just a cop out.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Well, obviously, after clicking ok on a popup, another popup should open that contains a picture of the previous popup and a message "This is what you just clicked. Are you sure it's not malware?" That should take care of it. If enough of us send suggestions to Microsoft, there may be enough time to get it into Windows 7.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Our geekland propensity for dismissing users as stupid because they can't navigate cryptic interfaces just makes me laugh.
I would be interested to see what would happen in the experiment if users were given an application that used pop-ups to request that users make understandable choices, with understandable consequences.
Shouldn't that be what we are aiming for?
don't mess with those geekgrrls
An excuse to continually ignore usability, something which many in the software industry already do a pretty good job of doing. Maybe 2009 will be the year of the Linux desktop..or maybe not.
Popups should reveal the cryptic stuff only when a debug flag is set, which defaults to off in end-user builds of the software. In all other cases there should be something like "$APPNAME has crashed due to a bug. Please report the contents of $APP_DATADIR/crashlogs/$DATE.txt to us as http://domain/crashes [domain]. [OK]". The user should always know what the thing that just happened means for him, not what exactly happened. If someone really wants to know the details he can take the config file and add a line saying "Errors = verbose" or something like that.
The errors I got did that, when Firefox crashed a popup popped up in OS X telling me Firefox suffered an error and asked if I wanted to report it to Apple and the Firefox developers. It could then send a log of what happened.
Falcon
Should there be a Law?
Microsoft has trained people to click "OK", "Open", "Run", "Install", "Continue", or whatever button (wherever it is) that gets you past the idiot box.
Apple had until recently avoided this mistake. NOT (as some people have said) by making the buttons more meaningful, but by simply NOT trying to use warning dialogs in place of good design.
For example, Mac OS doesn't ask you if you want to move a file to the trash, and it doesn't ask you if you want to empty the trash, because these are common actions, and the dialog box becomes something you reflexively accept.
Recently, as I say, Apple has started to deviate from the path of virtue. I've caught my Mac in bed with promiscuous dialogs on many occasions.
But by comparison with Windows (particularly Vista)... my Mac's still pretty much a dialog virgin. Really.
This is an unmodified screen capture of an actual Windows dialogue box. I have no idea what program triggered it.
http://i246.photobucket.com/albums/gg109/splorpdotorg/whatwouldyoudo.jpg
(I left it onscreen until I rebooted -to be fair, this was Windows 98SE).
Please don't humanize the morons around me. It makes me very uncomfortable.
Don't use dialog boxes to allow or reject a dangerous action.
Dialog boxes only require passive action of clicking somewhere on the screen to dismiss, or pressing a single key; this is not safe.
Reject by default, unless you have proof the user specifically asked it.
Provide the user a subtle prompt. Force the user to take explicit action; a dialog box is only used to confirm a change.
Never use a dialog box to display an error or any non-fatal caution.
If the action is severe enough; make the user type out a few words to confirm it.
> In short, in two or three generations when all the people who don't know basic computer
> security and operation have died, and not being able to spot a phishing scam will be
> looked upon much the same way that being illiterate is now, then the problem will have
> fixed itself.
It would appear that you believe that all of those who "grew up with computers" know basic computer security and operation. This is just as true as it is that all of those who "grew up with books" are able to read and understand James Joyce.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I don't know what the clueless nerd squad did, but very many people pointed out the real problem: the brower's UI equated "encrypted connection" with "authenticated site." The correct behavior is to treat encrypted sites with self-signed certs the same way as unencrypted sites.
Are you adequate?
I grew up surrounded with books and I can't stand James Joyce.
Possibly the same reason why people who grew up with Unix can't stand Windows... :)
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Look at your log file sometime. Full of useless crap that buries the good stuff. You've got 75% of your log full of stupid failed SSH attempts from script kiddies, 10% from "hi, I'm named and my log level is not perfect so I'm going to tell you that somebody looked for pornjunction.com and I couldn't find it". 10% for "errors" in daemons, only they aren't really errors. Then you've got 4% from some fucked up cron job. That leaves like 1% for the truely useful error message that might actually be of value.
My point? Linux, FreeBSD or any other unix OS has just as many inexplicable, frequent error messages, only instead of dialog boxes, they pollute your log files instead.
PS: The event log is no different.
Really? I wouldn't know. I've been drinking.