Slashdot Mirror


Research Project Pays People To Download, Run Executables

msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

11 of 76 comments

  1. I'll upgrade my flash player by jolyonr · · Score: 2

    for $5!

    --
    Please read my Canon EOS tech blog at http://www.everyothershot.com
  2. Re:Did they say HOW to run it? by fuzzyfuzzyfungus · · Score: 5, Interesting

    "Because the Red Pill VM-detection routine [28] only works reliably on single-CPU computers, we also collected information on the number of CPUs. Using Red Pill, we detected the presence of a VM on a single participant’s machine. Examining each participants’ process lists, we were able to confirm that this participant was running VMware. Additionally, we detected VMware Tools running on an additional fifteen machines (sixteen in total), and Parallels Tools running on a single machine. Thus, we can confirm that at least seventeen participants (1.8% of 965) took the precaution of using a VM to execute our code. Eleven of these participants were in the $1.00 condition, five were in the $0.50 condition, and one was in the $0.01 condition. The information we collected on participants’ motherboards was not useful in determining VM usage."

    Apparently you weren't the only one who thought so; but the numbers were small. 16 VMware VMs, 1 Parallels (which, since the study required Windows to participate, may have been a security measure or may have been a Mac user willing to hose his 'everything I need Windows for' machine...)

    No word, obviously, on anybody who is a bit more subtle about their VM usage; but I'd be shocked if that number is high.

  3. Re:Business plan by Anonymous Coward · · Score: 3, Insightful

    1. Set up VM
    2. Download all the crap they ask me to
    3. Profit

    Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

    They usually do it for free.

  4. All About the Georges by FranklinWebber · · Score: 2, Informative

    > 'a paper called: "It's All About The Benjamins: An empirical study...'

    > 'cash the researchers offered, capping out at $1, ...'

    Because they never offered more than one "George", their paper's title is clearly overstated.

  5. Duh by rabtech · · Score: 4, Insightful

    People were happy to install ActiveX controls to "Punch the Monkey" in 1998. Nothing has changed since then.

    It's also why the Android security model is a complete joke and always has been.

    Any security model that requires users to make perfect security decisions is an automatic failure because there is no "undo", so one mistake after 10 years of perfect vigilance owns your entire machine.

    --
    Natural != (nontoxic || beneficial)
  6. Biased sample by penguinoid · · Score: 2

    This was done via the Mechanical Turk, so it's already filtered for people willing to do computery things for money. It would be a different story if this was a random website with the author anonymous.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Biased sample by rogoshen1 · · Score: 2

      I think you're missing the point.. it's not about the payout, or the self-selected sample.

      The takeaway should be that people will be less than cautious when it comes to getting some perceived benefit. That psychology is universal, the only variable being what is sufficient motivation. (free pr0n, free movies/tv shows/music etc, or in this case poor Indians and $1.)

  7. Re:Hmmm by petes_PoV · · Score: 2

    But the demographics of the downloaders varied with the amount offered. So, at the lowest level there were very few westerners who took the bait. As the reward increased, the proportion grew. If you were planning to use a similar process to grab some confidential or profitable data off the participant's machine, you should take into account the likelihood of poor vs. rich participants' computers having anything you would be looking for.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  8. Re:Did they say HOW to run it? by John+Bokma · · Score: 2

    And you would all do that for just a buck?

  9. Re:It's a world-wide study. Not an american one. by unrtst · · Score: 2

    So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

    From TFS, "While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1."

    So, for $0.01, fewer than 50% of respondents (let's just guess around 45%... I'm not going to bother reading the article, but if it was only 10%, then they wouldn't have said "fewer than half").
    And for $0.50, 58%.
    And for $1, 64%.

    Generally, getting lots of people infected is not an attempt to get EVERYONE infected, and at $1 it was only 68% anyway... so just spend your money more wisely and only offer $0.01, but hit a MUCH larger audience. The math of it:

    Spend $10.
    Offering $1 = 10 offers = 6.4 people
    Offering $0.01 = 1000 offers = 450 people

    Sorry, but let's just put aside the purchasing power stuff for a minute, since $0.01 isn't going to buy much anywhere (even if it does buy a little more in third world countries).

  10. Re:Did they say HOW to run it? by FatdogHaiku · · Score: 2
    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office