Creating Better Malware Warnings Through Psychology
msm1267 writes "Generic malware warnings that alert computer users to potential trouble are largely ineffective and often ignored. Researchers at Cambridge University, however, have proposed a change to the status quo, believing instead that warnings should be re-architected to include concrete, specific warnings that are not technical and rely less on fear than current alerts."
The fake warnings that get people to click on them will just copy the wording and format of the new warnings and use those to entice people to "click here to avert catastrophe".
You mean like when Microsoft Windows tells me that a zip file has "unspecified problems on the current page" or whatever it is?
Because the ones I see now are pretty meaningless and come down to something bad can happen, click Yes to say it's your fault if it does.
Oh, and browsers shouldn't be able to put up dialog boxes which look like native ones -- that would prevent some of the malware from getting onto people's machines in the first place.
Lost at C:>. Found at C.
If you click this link you will literally want to kill yourself like that time you thought you'd pulled your underwear all the way down but instead re-enacted the slicing frame scene from Cube but with poop
If you click this link you will be tricked into being tricked into giving Russians money to make a non-existent problem not go away, like that time you bought a can opener because you chipped a tooth opening a beer bottle and then never used it
If you click this link you will experience the mental equivalent of three elephant births through a human sized vagina worth of pain over the course of a week and a half
I once went to a natural history museum with out-of-date dinosaur exhibits. They put up a sign saying something like, "Note: This exhibit no longer reflects current paleontological understanding."
Why should anyone be running an operating system that is vulnerable to malware?
This is just based on my experience, but it seems like users are very quick to develop habits based on repetition. UAC is a good example, in that it doesn't take more than a few days to get used to clicking OK on the box that pops up when the screen fades out a little. Changing what the message says won't change that behavior.
"concrete, specific warnings" and "not technical"
"I'm so moist I'm sticking to the leather." -Kermit the Frog on The Late Late Show
So why are we giving malware programmers suggestions?
The only malware alerts I get are from web sites popping up an advert claiming "my mac is running slow" and offering me a download: malware. ...
Ofc. I ignore those warnings
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Like, say, banning for life websites serving up crapware... in the case of malware ads, banning the ad sites, and submitting the site info automatically to Spamhaus and the like. There are so many "oh, gee, we blocked content from Internet Explorer" boxes every day that it's meaningless. The content is NOT from IE, it's from slopbucket.adserver.ru or wherever.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I'm not usually one to take exception to published research, but I am skeptical of this. The real problem here is that most people view computers as little black boxes that use a lot of elves and magic to keep them working. Malware, viruses, whatever, are as understandable to most people as ergot was to the Puritans in Salem, 1692. Substituting one sort of warning for another is not going to make a significant difference "in the wild," because people's frame of reference doesn't put them in the right mindset to understand what is going on. I've had extended periods of time where my hardware didn't have anti-virus installed and I never had a problem with malware. On the other hand, I have relatives who all run anti-virus and it's a slow but steady trickle of people needing me to remove stuff from their machines. The real solution, if it's even possible, is to educate users enough on their systems to where they at least have a semi-informed idea of what is going on with their hardware, and can make smart decisions on their use from that solid starting point.
Generic malware that mimic alerts to fool computer users to click to download an exploit might be largely ineffective and often ignored. Researchers, however, have proposed a change to the status quo, believing instead that malware should be re-architected to include the same concrete, specific warnings that will be used in the future to maintain the status quo.
The more things change, the more they remain the same...
The big, scary alerts are already driven by psychologists, only they work in the marketing department; the only department that matters in anti-virus companies any more.
I think the only effective preventative measures are the automated ones. Unfortunately, so many of these work relatively poorly, blocking intended software updates or changes. Ultimately though, I think improvement of the automatic process blockers/killers is the best place to put effort -- not redesigning warning dialogs for people to click through or "approve/deny".
Most users, in my experience, don't even know what's safe to approve or deny when they're prompted. With so much software doing automatic updates, they're used to things wanting to install even if they haven't intentionally installed or changed ANY of the software they use in years. So malware prompting to install, to them, is likely just "another one of those darn Adobe or Microsoft or Java apps" doing its thing. So they'll approve it when asked.
Sure, but most people don't work for McAfee or F-Secure. I totally understand why they need to run malware-support OSes. You can't really work in the AV business without seeing things through the eyes of virus users, understanding why they choose the malware that they do, and knowing what makes a person decide to give high (or at least user-level) privileges to hostile software.
But most people never really have reason to be virus users, even in their jobs. Not only do I never really need to run malware, but nobody in my company is required to install malware either. Not desk people, not production, not sales -- nobody ever needs to run phishing forms, spambots, or anything else like that which needs a Microsoft Windows runtime to be available. And if someone ever really did want to get phished, the developers all have VMs that we'd be happy to help walk someone through.
You should totally click on this link. Your mom thought it was cool.
systemd is Roko's Basilisk.
Amazing how nobody writing widely-used software thought of this before. It's apparent immediately to me, like when I'm trying to decide which updates to install in Windows, or which services running in the background are not needed on this particular machine and let's turn them off.
Just try and read the given explanations and divine some meaning from them. None of what they say is relevant or useful or meaningful to the professional, never mind the layman.
This is one reason why I ran from Windows years ago, then ran away from Linux, to try a Real Unix (all three of the FOSS BSDs back then, so not in trademark, but certainly in lineage) instead. Apart from more mature code, the documentation is actually readable and mostly correct too.
Also: Stop saying "the user". You're not talking to some vague somebody nobody really cares about. You are talking to *me*, so act like it.
Who is this *me*? Depending on just what you're writing, a fellow developer, or an overworked sysadmin or troubleshooter trying to fix up your mess, or a user you have to explain just what you're on about. But I am a person, and you, dear warning writer, may as well be concrete about that.
And why limit yourself to warnings? Learn to write, and write some readable documentation. Maybe some enterprising soul might deign to read it, too. I know I do, all the time.
So what this research really shows is a large amount of failing to think of computer-using people as people capable of following any kind of instructions. This has long been deliberate, as part of the marketing shtick ("intuitive! no training needed!") but the long-term result is masses of people, including supposedly "digital natives", that cannot fix their own computer.
And now we see we can't even fault them, because we've given them no incentive and every disincentive to heed any advice, especially any warning, at all. Cry wolf, etc.
The problem is that we shouldn't need the warnings at all.
Say your kid finds a web site that offers an awesome free game, and so he downloads it. Why shouldn't your computer be able to run that game (or virus) in such a way that it isn't able to take over your entire computer? The idea that programs should be able to do anything on a computer that the user running them is authorized to do is completely outdated.
When users want to access arbitrary files and make massive changes to their filesystem, they use a file browser provided by the OS, or a zip/unzip utility provided by the OS, and so in both cases there's no concern about the security of these applications. Every other program anyone uses only needs to access files specifically selected by the user, and so all that is needed is an API call to the effect of "open_whatever_file_the_user_selects()" which prompts the OS to display a file open dialogue to select which files the program should have access to and return the file handles to the program. The only other need for filesystem access I can think of is software which needs to cache data, but that doesn't require filesystem-wide access either. All it requires is that the OS give it a folder specific to that application where it can store whatever data it wants inside that folder, but not outside it.
The present state of things where programs can do anything the user is allowed to do was created before anyone thought of viruses and so it's completely outdated. Why we haven't improved upon that situation, I have no idea. It seems easy enough to do, but instead we're fucking around with the wording of our "your stupid OS will let this program do anything to your computer that you're allowed to do, which could be disastrous if the program is evil, so do you want to twiddle your thumbs today or do you dare to attempt to use your computer?" dialogue boxes. People choose to run software because the reason they own a computer is that they want to run software. It's no surprise at all that they learn to ignore their OS's warnings about how incompetent it is because if they heeded the warnings they'd never get anything done.
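The two mechanisms the comment above proposes, a handle-returning file chooser and a per-application data folder, sketched as an added Python example (not from the original post or any real OS). `AppSandbox`, `open_whatever_file_the_user_selects` and the temporary directory layout in `demo()` are constructed for illustration; the sandbox also handles the two obvious escape attempts, a `..` path and a symlink planted inside the app folder.

```python
import os
import tempfile
from pathlib import Path

class AppSandbox:
    """Per-application data folder: the app may read and write anything inside it,
    but every path is resolved first and anything landing outside ('..' or a
    symlink planted in the folder) is refused."""

    def __init__(self, root):
        self.root = Path(root).resolve()
        self.root.mkdir(parents=True, exist_ok=True)

    def open(self, relpath, mode="r"):
        target = (self.root / relpath).resolve()  # follows symlinks, collapses '..'
        if target != self.root and self.root not in target.parents:
            raise PermissionError(f"{relpath!r} escapes the app folder")
        if "w" in mode or "a" in mode:
            target.parent.mkdir(parents=True, exist_ok=True)
        return open(target, mode)

def open_whatever_file_the_user_selects(user_choice):
    """Stand-in for the OS file dialogue: the program names no path, it only gets
    a handle to the one file the user picked (user_choice simulates the click)."""
    return open(user_choice, "rb")

def read_or_refused(sandbox, relpath):
    try:
        with sandbox.open(relpath) as f:
            return f.read()
    except PermissionError:
        return "REFUSED"

def demo():
    """Constructed layout: a private document and a photo outside the app folder;
    the app caches inside its folder, then tries two ways of reaching outside."""
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("private document")
    (base / "photo.bin").write_bytes(b"\x89PNG sample")  # constructed sample file
    sandbox = AppSandbox(base / "app-data")
    with sandbox.open("cache/state.txt", "w") as f:
        f.write("cached")
    os.symlink(base / "secret.txt", sandbox.root / "link.txt")  # symlink escape attempt
    with open_whatever_file_the_user_selects(base / "photo.bin") as handle:
        chosen = handle.read()
    return {"cache": read_or_refused(sandbox, "cache/state.txt"),
            "dotdot": read_or_refused(sandbox, "../secret.txt"),
            "symlink": read_or_refused(sandbox, "link.txt"),
            "chosen": chosen}
```

The app code never touches `secret.txt` through any route, yet it still gets the photo the user actually chose, which is the whole point of the design.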
EZ-Warning.exe has encountered a problem and needs to
close. We are sorry for the inconvenience.
If you weren't in the middle of something, this wouldn't have made you
angry about our buggy code.
Please yell at Microsoft and IT about this problem they can't fix.
We have created an error report that won't matter if you send to us. PRISM will treat
this report as key information on how to better exploit and profile you.
To see what data the NSA deems innocuous, click here.
No, over there on the buttons not these words, you idiot.
[ Gibberish ] [ Send proof of rage ] [ Fuck it ]