Slashdot Mirror
People Ignore Software Security Warnings Up To 90% of the Time, Says Study (phys.org)
An anonymous reader quotes a report from Phys.Org: A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. For example, 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code. For example, Jenkins, Vance and BYU colleagues Bonnie Anderson and Brock Kirwan found that people pay the most attention to security messages when they pop up in lower dual task times such as: after watching a video, waiting for a page to load, or after interacting with a website. For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself. The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.
I get various security errors/warnings occasionally. Usually they are informing me that security that I did not care about is not present. For example, a warning about a self signed cert on a website that I wouldn't mind using over plain text: that still more secure than plain old http, so I click off the warning. If it is a site that I normally trust and give personal information to (like log in), I don't mind using it when the security is broken, but I won't hand over private data. Continuing despite a warning is not necessarily ignoring it.
The "Check Engine Light" of the computer world.
There are just way too many of them and they are simply too hard for a normal user to evaluate whether the risk is truly severe or just another attempt of somebody to fleece them.
Health care example:
Monitor shows the patient is in asystole. On assessment the patient is alert, talking, and in no apparent distress. Diagnosis is it is the equipment, not the patient, who disturbed the night's routine. Outcome? You lecture the patient for exceeding the devices operating parameters and tell him/her to quit moving and perspiring so that the monitoring devices may correctly interpret typical human norms.
Time is what keeps everything from happening all at once.
Maybe they are already used to scam security pop ups on their computers, so only respond to ones when something isn't playing in their browser.
And that has nothing to do with an inability to multitask, but rather
is safer computing.
They will happily install anything you throw at it.
"Is Chrome crashing, showing unusual startup pages, toolbars, or unexpected ads you can't get rid of, or otherwise changing your browsing experience? You may be able to fix the problem by running the Chrome Cleanup Tool."
Maybe you guys should focus on why Chrome is so easy to anally rape in the first place.
In my experience, 90% of security warnings are rubbish. For example, I recall when UAC came to Windows Vista. I don't ever recall clicking deny/cancel/no (or whatever it was) with the possible exception of a situation like "oops, I meant to click the executable right next to that one."
Same deal with Java applets. My bank uses a Java applet for depositing checks. I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).
Of course, there are lots of software packages with instructions like "Step 1: Disable your antivirus." or, worse, "Step 1: If you get any security warning dialogs just click to accept them."
In fact, I've never encountered a single person who can actually point to an occasion where a security dialog alerted them to a real threat that was then neutralized. Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is. We've been conditioned to treat all these warnings as noise. Incidentally, people ignore speed limit signs at least 90% of the time for exactly the same reason: we've been taught that they're meaningless.
Running wrong OS, get a security warning. Running on the wrong hardware, get a security warning. It's no wonder most users see security warnings as overblown BS.
Time is what keeps everything from happening all at once.
Slashdot at FBI couldn't resist a Google Chrome story.
People that use Linux and BSD do read the warnings, they are just in normal English unlike spyware corporations.
Google, Microsoft, Facebook, Markmonitor, Cloudflare, Twitter, others
You have your documents up, half written, spread sheets with data you need for on-call, a long running backup in a window you forgot to run in Screen or tmux, and any other number of things that mean you can't reboot right now. Especially if it's going to be a reboot that says "don't turn off your computer, we're messing with shit for 30 minutes." We have boss' breathing down our necks for productivity, there's no time to reboot and wait.
Besides, it might make me lose my place when browsing imgur. Fuck that! :)
This sig intentionally left blank.
People ignore all sorts of warnings. It's how we do. There are still people smoking when every single pack of cigarettes they buy has a big sign that says, "These motherfuckers will kill you dead, dummy, and in a really horrible way". What was the last time anyone "closed cover before striking"? A Texas man sees a sign that says, "No Swimming - Alligators." He immediately says, "Man, fuck that alligator", jumps in the water and is instantly eaten by an alligator.
http://www.unilad.co.uk/video/...
Chinese-made fireworks have a big-ass label (in English) that says, "Set on ground, light fuse and GET AWAY". Did that stop this guy from putting one in his pants and then blowing himself up? No sir, it did not. Because for human beings, warnings are really just dares.
https://youtu.be/8Yagjf5B2tw
You are welcome on my lawn.
Warnings. Its a gimmick in social engineering, really. If we ignore our own security ever, then we can't blame the software for selling us short. It's more of a marketing gimmick and liability issue for the software vendors. They can't possibly save us from ourselves. They can manage to let us fool ourselves if that's our preferred frame of mind. Honestly, we always knew we are not in control, but like a fatal car crash, we just figured it only happened to somebody else. Welcome to denial, its all the rave - everybody is doing it.
We all have a little Hillary in us ;-)
Table-ized A.I.
Speed limits are typically set to 85th percentile after measuring actual traffic with those rubber hoses stretched across the roadway (1 hose = measures flow; 2 hoses = measures both flow and speed).
Result: except in some very rare cases, only 15% actually ignore the speed limits. (Hint: If 90% ignored the speed limit during the monitoring period, then the speed limit would raise to the new 85th percentile, instead of remaining at the 10th percentile.)
This program has successfully erased your bootable hard drive. Erase another?
[ OK ]
Why do I have to click 'OK' to every disastrous pop-up warning on my screen?
It's NOT OK!
I'm not allowed to click GODDAMMIT or WTF, I have to click OK or forever look at the stupid dialog box. This box appears only at times of greatest inconvenience and always cheerfully asks for an 'OK'. I'm not usually feeling cheerful after these fatal crashes and I'm reluctant to say OK. Whoever designed the OK dialog for unpleasant events should die a thousand horrible deaths at the hands of a crazed Slobbovian machinist, pig farmer and torturing apprentice.
...omphaloskepsis often...
I use Sandboxie a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.
Since then I've found moving to virtual machines with snapshots has been an easier and safer way for testing unknown software.
*Time vs time. Everything is backed up and best practices are always followed. But it's always a question of how much time is available to recover.
Browsing the net, endless meaningless things pop up with absolutely no relevance to the user. We get really good at clicking unwanted junk off the screen. Result, what's the first instinct? Lunge to get rid of that distraction. No matter how locked down one's browser is, some message frequently interferes, and we become very well trained to set the distraction aside. Every once in a long while, the distraction has value. Or, had, before I killed it and then wondered if maybe I was a bit hasty.
Don't step on the baby.
And even worse the cretins at Microsoft took out the functionality from Windows 7 and above that allowed you to stop popups staling focus.
Every single week at work I end up clicking an unknown button on a prompt because I'll be in the middle of typing something and a dialogue will pop up, steal focus, and whatever keystrokes I'm doing at the time ends up clicking a button on a prompt I don't even get a chance to read as by the time I notice it's stolen focus I've already typed ahead causing me to inadvertently send keystrokes to the prompt.
This regularly causes me to lose work as the prompts will cause my machine to reboot right in the middle of doing something important etc. etc.
Under XP you could make a registry change which would totally block focus being stolen by anything. Under Windows 7 and above they deliberately took out this functionality.
I would *very* much like to meet the arsesholes at Microsoft who removed this feature and shake them warmly by the throat. After which I would put on my size 12 hobnail boots and kick their fucking heads right off their bodies..
They're total cretins.
The slightly less than average user can't (easily) tell the difference between a valid security message and a browser popup claiming that something dire will happen unless they click on this message and run this program, so they ignore them all.
Just last night I had to tell my mother that the browser complaining about being out of date and to upgrade was probably valid.
Also in the same call, had to try and reassure her that smart meters weren't going to burst into flame and/or make her sick with the power of wireless electromagnetic radiation. ...and she still decided not to get one because of all the random people on the internet claiming they were evil. "But this guy is a M.D. from England! He's got to know all about it right?"
Here they only lower the speed limit, but they rarely enforce it so people drive as they see fit.
The few that follows the speed limit causes some "interesting" driving.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
This means all we need to do is to give the user 10 warnings and statistically they'll pay attention.
Take your "browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is". That feels pretty true to you, right? Except, if the browser doesn't trust the certificate issuer the connection isn't "secure" in any meaningful way.
Imagine if your local bank has a great new scheme they'll keep your valuables 100% secure. They have a steel bank vault, with armed guards and you can keep your stuff in it entirely free of charge. Brilliant right? And it's also really convenient, you can just drop by any time, drop stuff off or pick it up. So can anybody else. Wait a minute though, how "secure" is this facility? Well it's 100% secure. Except, it ignores who owns the stuff. If you drop off a gold bar, and then somebody else walks in and takes it, eh, no problem, we've securely held on to the gold bar until someone collected it. Oh! Is that not what you wanted? But you were so sure you only cared about keeping things "secure" and not making them "secure" against anything.
Without verifying the other party's identity a "secure" connection is worthless because you have no idea who you're "securely" communicating with, and so absolutely anybody can intercept or alter everything and you're none the wiser.
Speed limits are typically set to 85th percentile after measuring actual traffic
Translation: In the event of a severe budget crunch, the local PD figures they can pull over up to 15% of all the cars using the main highway through town if they divert manpower from all non-traffic divisions.
This is all the developers' fault. They are so fucking lazy that they think throwing up a dialog is a solution to the problem. After all, if the user clicks on it, they assented, right?
Microsoft is by far the worst offender, but they are not alone. And this abdication of responsibility by programmers has trained the users to just blindly click away warnings. And they are right: 99% of the time they are bullshit, a symptom of a problem the developers should have fixed.
"I know I will be modded down for this": where's the option '-1, Asking for it'?
I use Sandboxie a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.
Easy solution: Set windows to run everything as administrator. Then the incorrect menu item will not appear.
"People Ignore Software Security Warnings Up To 90% of the Time*"
- *Study has a 10% margin for error...
(I'm joking but.. you know).
Even worse, one of the more common warnings (the untrusted SSL certificate/issuer) has confused people even more into thinking that "red address bar means not secure and green lock means secure", when in fact your browser's trust of the certificate's issuer has exactly zero impact on how secure the connection is.
So umm... how else would one... you know....um...ah... be able to tell how secure the connection actually is? Are they supposed to guess? Check to see if the evil bit is set? What do you recommend?
I've lost count of the number of times something popped up while I'm typing, just as I'm about to press the Enter or ESC keys, leaving me wondering what I just broke or signed up to.
In Windows 10, non-critical messages are signaled in the status bar. A flashing icon could be less destructive than an easily-dismissed dialog.
Garry Knight
What was the security warning about? And what was required of me?
To me this is kind of the important part in combination with this: "when security messages interrupted a task". As I have learned from my parents, you don't go haphazardly interrupting people with some kind of nonsense. If you do, you can expect to be ignored or be told off. If a security warning is about to inform me that a scheduled scan will start in an hour, or a patch will be downloaded. I'll ignore it. It doesn't require my attention at this time and I was busy with something. It interrupted me with nonsense so it's annoying me and I clicked it away. Another point of contention is if the message requires me to do something like restarting the system. If I'm in the process of doing something that needs up time (be it from watching a video, to copying files), I will complete that task first. Task prioritization is key here and interrupting me is again, annoying. Even if it does want me to do something.
So yeah, I get where these figures come from. Not at all astounding to me.
Here, speed limits are set absurdly low so as to create probable cause for the police to pull anyone over at any time. 25mph on my road, and its the middle of nowhere. The middle of town where the school is, is 30mph.
People seem to do what they think will benefit them. Speed limits are very much like pop up warnings, people ignore them when they feel justified to do so. We have become a society where people make up their own minds and decide for themselves. As one once said, "A little knowledge is dangerous". It's always that argument that it will never happen to me. I can disregard the warnings because I can handle it.
The 85% of cars would be driving faster, but since you can't literally drive through the car in front of you, you can only go as fast as the car in front of you.
The only way to correctly figure the 85th percentile would be to only measure car's speed that had no car around being impeded by another car. Counting two cars at the same mph (as the rubber counter does) is bad data as clearly the person following behind would be driving faster as they caught up to the person.
Completely off-topic, but shockingly insightful.
227-3517
You get a Potato and YOU get a potato and YOU GET A POTATO!!!
UAC was actually designed to be bad. Microsoft wanted to change developer's behaviour, stop them making every app install a background task that starts at boot, dumping files all over the place and generally behaving badly. But at the same time they didn't want to break backwards compatibility, so UAC was invented.
UAC annoys the user. Developers try to avoid creating UAC prompts that annoy their customers. By the time Windows 7 rolls around, most apps are better behaved. Unfortunately, people are also de-sensitized to UAC warnings.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I'm a civil engineer and I call bullshit. That's how engineering studies recommend speed limits that are then completely ignored by government officials who insist on keeping a stupidly low speed limit "for the children" and for revenue generation.
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
Notice the world hasn't ended despite people ignoring security warnings. They were unnecessary. People tend to ignore spam.
That's a somewhat funny saying over here. It means "it's fscked up, but I don't care because {it works / it's not my fault / I need it now / it can't be improved / it's temporary / etc.).
Such messages come and go and we sometimes don't even understand the problem. And the minute someone starts explaining it, that's when we use a golden opportunity to review a mental list of things to buy later at the supermarket. There's also the inevitable comment on how "that guy comes again with his paranoia, like the world is after him."
It doesn't help that "professional" coders pay zero attention to security -- if they hinder their productivity because of those issues, well, they won't be employed enough to do the next version... if you create a culture of "that OS is sh*tty anyway", it's not easy to convince users to keep a safety attitude. Try to promote safe driving while making sure cars are sold without effective safety equipment.
Are just as annoying when programming as when browsing.
"you MUST UPDATE" usually leads to "download and install this update".
If I am programming on a browser web interface, it has been known to interfere with what I am working on.
If I am in an IDE, it usually tells me to restart. F-IT!
If the update is important, maybe I'll interfere with what I am doing.
Why, oh why, didn't Windows and Linux put in as part of the os a little section that keeps track of other software update notifications, like
in the control panel somewhere, so they can be handled at a convenient time?
Note: near-daily notifications to upgrade to AVG pro, update adobe, upgrade adobe, buy the pro version of some software... drive me nuts.
nagging, that's what it is, just like a shriveled-up fishwife.
reminds me of an original star trek episode with the guy Harvey Mudd....
Ignoring messages (read: popups) "when going to close a web page"? Of course I'm going to ignore those--I don't think I've ever seen a legitimate security warning when I was trying to close a page, but I have seen a lot of sleazy attempts to prevent me from leaving someone's web site. What action is it that I'm performing by closing the web page that I might be making a mistake with? What alternative path is being suggested to me there, just leave the page up forever?
In the other direction, paying attention to warnings "after interacting with a web site" makes sense--if the site is lying to me about its identity or doing sleazy things with javascript, telling me about that lets me know that I should probably trust it less and at least think twice about providing sensitive information to it or downloading executables from it.
I agree, if we were to avoid everything with a security warning, we might just aswell throw out this internet because it can't be used without warnings...which is probably the goal , to obscure information from the global population for the sole purpose of people in power wanting to keep their easy power.
This has nothing to do with "dual task interference", it comes from "I just want the damned thing to work".
So my browser tells me something-something-Flash-something, do I really want to watch that YouTube video? That question has only one possible answer: "Kittens". No one, ever, not even the most paranoid of security researchers, has ever intentionally said "no, never mind, I don't really need to see kittens, thanks for the warning, Firefox!".
The real problem here (if any) comes from too damned much crying wolf. People ignore warnings because we see dozens of them every day, and 99.9% of them mean absolutely nothing (and the remaining 0.01% just mean that if the NSA has already infiltrated your ISP, they can use what you want to do to maybe get a bit more access to your home PC).
Even antivirus software has this problem - Yes, I know that netcat can be a "hacking" tool; it's also really fucking useful.
If you want to know who you are communicating with, you better be using DANE, and not accept any of the default certificates in any of the browsers that have still not revoked the certificates of the CA that recently admitted to giving a CA-certificate to a company that makes MITM boxes.
These days, self signed is more trustworthy than a certificate signed by a CA.
A web of trust.
Do I trust the Chinese certificate authority? No. So, if my browser trust that CA (like Firefox, Chrome and IE does), by definition, I do not trust the browser and the certificates it trusts.
PGP got it right, the whole certificate authority system is broken by design.
By "rolls around" you mean "gets forcefully updated to Windows 10", right? When Windows 7 came out, the first thing a gamer did was to disable UAC.
In fact, you are wrong about the backwards compatibility thing. UAC is not something the OS does when you do something that needs admin permissions, it's something that the developers need to call before doing any such thing. E.g. RDPCLIP (part of Microsoft Remote Desktop) does not know about UAC, so it fails silently when copying to a protected directory. Instead you need to copy to a non-protected directory, then use explorer to move the files to the protected directory.
Sure two tasks at once is more difficult, but a task is just a sequence of events. Interleave two different sequences and you have a new, single sequence - one task. Of course, that would mean people would actually have to care in the first place.
How many /. readers ignored this topic because the headline contains the words "Security Warning"?
Another completely obvious fact which somehow industry has overlooked.
How would this be?
Well, let's see: each person's career depends on making his boss feel good and not rocking the boat. So the programmer does what he is told, chuckling about how stupid it is every day. His boss does what the committee says is right, shrugging off his frustration. The committee does whatever it can achieve agreement on among its members, while being "safe" because committees are ruled by fear. Its members are doing what they think the CEO wants, and he does what he thinks the shareholder wants, which generally means whatever is easy and inoffensive.
In this way, we all play "follow the leader" and end up approving stupid ideas because each person is afraid to push back against accepted "knowledge."
Enjoy your dysfunctional GUIs, badly-conceived products, stupid movie sequels and other committee output.
Alternative Right.
TFA has results for when it's the best time to throw up a security alert - but these times can also be used by advertisers to display ads
Because logically it also means at little as 0%. It means fuck all. Let's stop encouraging advertisers to talk this shit. ;) Sex Panther is the one exception.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Unfortunately the alternative for most people would be "not getting any work done" until you are either able to successfully research the particular security message in depth and make an informed decision, or hire and expert to look at it. Obviously neither of these is a realistic alternative. People have to get work done.
In 2016 it's essentially impossible to 'secure' a computer anyway, even if it's not connected to the Internet and never was in the first place. Malware, spyware, trojans, rootkits, virii, zero-day exploits are everywhere, including methods of electromagnetically or even accoustically observing a computer in operation from a distance and determining what's being done on it -- and of course if you connect to the Internet, having every single packet sniffed, sifted, and sorted to produce a personal profile of the user, for marketing and government spying purposes. The only 'computer' that's even relatively safe would be one that is completely and totally read-only, retaining nothing but what's in the ROMs when you shut it off. The 'Age of Information' has been twisted and subverted into a dystopian 'Age of Surveillance and Spying' that only seems to really benefit nosy governments, greedy marketers, and criminal organizations.
Go outside. Leave your phone and other so-called 'Internet of Things' gadgets at home. Get some exercise. Stay away from places with cameras and other surveillance. Talk to real, living people instead of using so-called 'social media'. Buy a real paper book, not e-books. Go home at night and actually sleep, instead of staying up to all hours watching TV or staring at a computer screen.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
This wouldn't have anything to do with the lawyer fecal matter scattered all over every product in our society, would it? When the entire world is covered in warnings because society is so litigious that we have to try and idiot proof everything (WARNING: Plastic bag is not intended for consumption! Do not place plastic bag over your head!), do you really expect a normal person to pay attention?
Did you even think before you posted? Your suggestion only makes sense if you imagine a one-lane road that's filled to capacity.
Most roads have at least 2 lanes in each direction, and rush hour does not occur 24/7.
Those little tubes measure traffic 24/7 for a week, and the people who analyze the data aren't morons.
My municipality only seems to have tubes long enough to span one lane. I suppose it's a budget cutting measure, but I've only ever seen them do the traffic speed/volume checks where the roads only have one lane in each direction. Could also be that the areas with more than one lane (each dir) have speed limits too high for the tubes to stay put (55-65mph).
For example, I recall when UAC came to Windows Vista.
The UAC prompt isn't a warning in the typical sense. It is a request for elevated privileges. The system must receive a response to determine whether or not the process is granted those privileges. The warning text is supposed to discourage users, but the prompt is necessary because the process will not be granted those privileges in the absence of user consent.
I get a warning from the browser every single time, despite selecting the "always trust applets from this publisher" (or something like that option).
Agree here. Either the browser is stupid, or the publisher is stupidly using different certificates every time.
Of course, there are lots of software packages with instructions like
They are working around false positives. Antivirus vendors are pretty much the undisputed kings of crying wolf.
In fact, I've never encountered a single person who can actually point to an occasion where a security dialog alerted them to a real threat that was then neutralized.
The malware developers generally try to avoid generating unexpected warnings, so I wouldn't be surprised if most alerts are merely noise.
I've personally declined to log into my banks' web sites when they had SSL certificate issues, but I don't know if it was caused by configuration issues on their end or a MITM. I didn't exposed my credentials, so I never bothered to follow up.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
When Windows 7 came out, the first thing a gamer did was to disable UAC.
Maybe the dim-witted ones.
Most games trigger UAC because they want to write to the Program Files directory, either to change their config files or to store saves. Installing them to any other directory avoids this problem.
Some really legacy games require admin rights because they make system calls that are privileged, write to the HKLM registry hive (instead of the user hive), or write to the Windows directory. Very very few fall into this category, and they can be tweaked by configuring them to always run with those privileges. There is an option in the Windows UI to do that.
In any case, disabling UAC is basically never necessary to get games working if you understand how it works.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
For instance, I freeze certain apps on my phone and unfreeze them only when I want to use them (games, etc) because updates cause the Wool and Placation Affect (call it WPA if you want):
Wool = pulling the wool over consumers' eyes with the new "SECURITY ALERT OMG OMG" version update that suddenly may 1) not have a security issue and adds other "features" like ads, lockouts of old free features, new pay-teaser features, etc, or 2) has a real security issue but bundles 1)'s items in.
Placation = Tries to add a piece of something into the software to make the consumer feel better about now having to pay for a feature, being bombarded with more ads, etc.
Then there's the Google Update Effect (GUE) - Put out updates, but don't say a damn thing. Following Microsoft's behavior, disgustingly. Update to the "Google" App (and all of the others under Google, actually) say "Bug fixes and performance improvements", or BFPI. There is absolutely no list of what those bug fixes or performance enhancements were. Actually, all of Google's apps do the same thing sans "Maps", which usually has some new feature they can make some money off of while costing the consumer nothing but "WOW, I wanna do that!" Disclaimer: yesterday's Google App update says "We're excited to introduce the 2016 Doodle Fruit Games! For a limited time only, play free games in the Google app. Just tap the homepage Doodle to play. Ready, set, fruit!....", and then mentions getting the latest on the olympic games, blah blah. It's the first time I've seen that app say anything other than BFPI.
Microsoft, as mentioned above, bundles crap into their "security updates" that the user can very strongly not want or actually refuse to accept, IF THEY KNEW ABOUT IT. MS doesn't mention that part, just the "Hey, security!! Install now, Slow McSlowerton!"
It's a bit deeper than "timing", "interference", and other assumed things mentioned in the article. Yes, there are intelligent people that actually analyze what they're getting themselves into and don't just click "GO! AWESOME, I WANT IT!" willy-nilly.
P.S. There is a game - Words With Friends on 'droid and the web. It's a Scrabble knock-off. It updates its program features and interface behavior in the background, live, while playing the game. It releases actual release-class updates to be installed when they want to bundle ads in to work around ad-blocking components or circumvent user findings to work around their crap.
Seems to me all these are all "computer security has expired! click here to update [and pay money]."
However, multiple warnings lead to "alarm fatigue" i.e. part of a situation that caused a B1 in flight test to crash. Lots of warning lights for low/moderate stuff, crew acknowledge the alarms and proceed on. Then comes CG warning but they didn't pay much attention to it, until the aircraft tilts and stalls. from http://www.nasa.gov/connect/eb...
mfwright@batnet.com
Certificate warnings are the worst IMO. You have to click Additional Information in order to get even the most basic information about the warning, which is stupid right from the start.
Who Obtained the Cert? Often, the name isn't spelled the way, or formatted the way, we are used to dealing with companies in.
What Does a Cert Class Really Mean? Certs aren't all created equal, but the user has to click 6 things to even find that out?
Who Issued the Cert? There's no quick, reliable way for an ordinary user to know that The Kingdom Of Severus Snape isn't a reliable cert authority.
Do I Care That the Cert Expired? Expired certs are the #1 certificate problem, by far. Most of the time it's due to an admin somewhere losing track of this. I've literally seen site certs that expired several years back and were routinely used by clicking through the warning. With no ill effects except that you are training the users to not care about cert errors.
TLS certificate not trusted.
Most the time this is IMPORTANT.
But too often, it just tells me "somebody did not setup the right CA certificates for you".
And try to root your nexus phone. On every boot you get a "This device is inscure, read more at goo.gl/blablub" warning, because i have an unlocked bootloader.
Fuck you, i choose to have one. Please notice me, when something actually replaced something without my command.