Slashdot Mirror
Creating Better Malware Warnings Through Psychology
msm1267 writes "Generic malware warnings that alert computer users to potential trouble are largely ineffective and often ignored. Researchers at Cambridge University, however, have proposed a change to the status quo, believing instead that warnings should be re-architected to include concrete, specific warnings that are not technical and rely less on fear than current alerts."
The fake warnings that get people to click on them will just copy the wording and format of the new warnings and use those to entice people to "click here to avert catastrophe".
You mean like when Microsoft Windows tells me that a zip file has "unspecified problems on the current page" or whatever it is?
Because the ones I see now are pretty meaningless and come down to something bad can happen, click Yes to say it's your fault if it does.
Oh, and browsers shouldn't be able to put up dialog boxes which look like native ones -- that would prevent some of the malware from getting onto people's machine in the first place.
Lost at C:>. Found at C.
If you click this link you will literally want to kill yourself like that time you thought you'd pulled your underwear all the way down but instead re-enacted the slicing frame scene from Cube but with poop
If you click this link you will be tricked into being tricked into giving Russians money to make a non-existent problem not go away, like that time you bought a can opener because you chipped a tooth opening a beer bottle and then never used it
If you click this link you will experience the mental equivalent of three elephant births through a human sized vagina worth of pain over the course of a week and a half
Why should anyone be running an operating system that is vulnerable to malware?
Because they want to do some work?
No sig today...
This is just based on my experience, but it seems like users are very quick to develop habits based on repetition. UAC is a good example, in that it doesn't take more than a few days to get used to clicking OK on the box that pops up when then screen fades out a little. Changing what the message says won't change that behavior.
"concrete, specific warnings" and "not technical"
"I'm so moist I'm sticking to the leather." -Kermit the Frog on The Late Late Show
So why are we giving malware programmers suggestions?
The only malware alerts I get from web sites popping up an advert claiming "my mac is running slow" offering me to download: malware. ...
Ofc. I ignore those warnings
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Because it's not possible to design a perfect computer system? Not if you want it to be customizable, anyway; you'd have to store it in ROM.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
like, say, banning for life websites serving up crapware... in the case of malware ads, banning the ad sites. and submitting the site info automatically to Spamhaus and the like. there are so many "oh, gee, we blocked content from Internet Explorer" boxes every day that it's meaningless. the content is NOT from IE, it's from slopbucket.adserver.ru or wherever.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I'm not usually one to take exception to published research, but I am skeptical of this. The real problem here is that most people view computers as little black boxes that use a lot of elves and magic to keep them working. Malware, viruses, whatever, are as understandable to most people as ergot was to the Puritans in Salem, 1692. Substituting one sort of warning for another is not going to make a significant difference "in the wild," because people's frame of reference doesn't put them in the right mindset to understand what is going on. I've had extended periods of time where my hardware didn't have anti-virus installed and I never had a problem with malware. On the other hand, I have relatives who all run anti-virus and it's a slow but steady trickle of people needing me to remove stuff from their machines. The real solution, if it's even possible, is to educate users enough on their systems to where they at least have a semi-informed idea of what is going on with their hardware, and can make smart decisions on their use from that solid starting point.
I applaud them for their honesty. They could have skipped any such notice, as is typically done in the commercial world.
Table-ized A.I.
Generic malware that mimic alerts to fool computer users to click to download an exploit might be largely ineffective and often ignored. Researchers, however, have proposed a change to the status quo, believing instead that malware should be re-architected to include the same concrete, specific warnings that will be used in the future to maintain the status quo.
The more things change, the more they remain the same...
Storing it in ROM wouldn't suffice, though it would help a lot. I think your first statement was better: "it's not possible to design a perfect computer system".
I think we've pushed this "anyone can grow up to be president" thing too far.
I think the only effective preventative measures are the automated ones. Unfortunately, so many of these work relatively poorly, blocking intended software updates or changes. Ultimately though, I think improvement of the automatic process blockers/killers is the best place to put effort -- not redesigning warning dialogs for people to click through or "approve/deny".
Most users, in my experience, don't even know what's safe to approve or deny when they're prompted. With so much software doing automatic updates, they're used to things wanting to install even if they haven't intentionally installed or changed ANY of the software they use in years. So malware prompting to install, to them, is likely just "another one of those darn Adobe or Microsoft or Java apps" doing its thing. So they'll approve it when asked.
You should totally click on this link. Your mom thought it was cool.
systemd is Roko's Basilisk.
Almost no malware today has anything to do with the OS. It's possible that the radically-different SE Linux security model would help, but then look who wrote that. No, I don't think the OS is relevant here.
Socialism: a lie told by totalitarians and believed by fools.
Because the alternative is a walled garden, where you can't even write your own program and run it without doing an internship with an established company for the verifiable industry experience, starting your own company, and paying an annual fee to the operating system publisher.
The problem is that we shouldn't need the warnings at all.
Say your kid finds a web site that offers an awesome free game, and so he downloads it. Why shouldn't your computer be able to run that game (or virus) in such a way that it isn't able to take over your entire computer? The idea that programs should be able to do anything on a computer that the user running them is authorized to do is completely outdated.
When users want to access arbitrary files and make massive changes to their filesystem, they use a file browser provided by the OS, or a zip/unzip utility provided by the OS, and so in both cases there's no concern of the security of these applications. Every other program anyone uses only needs to access files specifically selected by the user, and so all that is needed is an API call to the effect of "open_whatever_file_the_user_selects()" which prompts the OS to display a file open dialogue to select which files the program should have access to and return the file handles to the program. The only other need for filesystem access I can think of is software which needs to cache data, but that doesn't require filesystem-wide access either. All it requires is that the OS give it a folder specific to that application where it can store whatever data it wants inside that folder, but not outside it.
The present state of things where programs can do anything the user is allowed to do was created before anyone thought of viruses and so it's completely outdated. Why we haven't improved upon that situation, I have no idea. It seems easy enough to do, but instead we're fucking around with the wording of our "your stupid OS will let this program do anything to your computer that you're allowed to do, which could be disastrous if the program is evil, so do you want to twiddle your thumbs today or do you dare to attempt to use your computer?" dialogue boxes. People choose to run software because the reason they own a computer is that they want to run software. It's no surprise at all that they learn to ignore their OS's warnings about how incompetent it is because if they heeded the warnings they'd never get anything done.
EZ-Warning.exe has encountered a problem and needs to
close. We are sorry for the inconvenience.
If you weren't in the middle of something, this wouldn't have made you
angry about our buggy code.
Please yell at Microsoft and IT about this problem they can't fix.
We have created an error report that won't matter if you send to us. PRISM will treat
this report as key information on how to better exploit and profile you.
To see what data the NSA deems innocuous, click here.
No, over there on the buttons not these words, you idiot.
[ Gibberish ] [ Send proof of rage ] [ Fuck it ]