
SoylentNews is people

posted by martyb on Saturday November 22 2014, @11:15AM
from the Danger!-Will-Robinson!-Danger! dept.

Vance and BYU colleagues Bonnie Anderson and Brock Kirwan carried out the experiment to better understand how people deal with online security risks, such as malware. They found that people say they care about keeping their computers secure, but behave otherwise—in this case, they plowed through malware warnings.

“We see these messages so much that we stop thinking about them,” Vance said. “In a sense, we don’t even see them anymore, and so we often ignore them and proceed anyway.”

  • (Score: 2, Insightful) by zugedneb on Saturday November 22 2014, @11:36AM

    by zugedneb (4556) on Saturday November 22 2014, @11:36AM (#118742)

    “We see these messages so much that we stop thinking about them,” Vance said. “In a sense, we don’t even see them anymore, and so we often ignore them and proceed anyway.”

    Actually, no... The problem is that the computer and its flaws make absolutely no sense, to anyone...
    I have given support to people around me for some time... Most of the problems with the computer were not a consequence of the direct action of any of the users... If they did not ask for something, it should not happen - yontoo, ask toolbar, driver problems and so forth...

    People think of objects (the computer) as an actual physical object obeying basic action-reaction laws, where it is easy to see who/what stands for the actions, what the target of action is, and what just tags along...
    The computer however is no such object. It is more a linguistic object condensed into matter :D - every action (string of instructions) has side effects beyond the cognitive horizon (cool phrase) of both the user and the programmer...

    --
    old saying: "a troll is a window into the soul of humanity" + also: https://en.wikipedia.org/wiki/Operation_Ajax
    • (Score: 3, Interesting) by ticho on Saturday November 22 2014, @12:02PM

      by ticho (89) on Saturday November 22 2014, @12:02PM (#118745) Homepage Journal

      So, what seems to be a more correct solution - dumbing down the messages, or making users educated?

      • (Score: 3, Insightful) by zugedneb on Saturday November 22 2014, @12:12PM

        by zugedneb (4556) on Saturday November 22 2014, @12:12PM (#118746)

        1. context - authority
        - every warning must be within some comprehensible context, given by an authority in that context...
        example: if Joe wants to buy something on the net, the authority there would be VISA, because he will use his visa...
        Joe, in his infinite dumbness, might even think that for an internet store to use VISA, they must be registered and acknowledged by VISA... Well, what does he know, hehehe?

        2. the actual warning must make SENSE
        let me illustrate with an example: Medusa
        two guys go into some ancient ruin, where one knows about Medusa, but the other not...
        suddenly there is the sound of silent movement behind them, and the conversation goes like this:
        -Dude, don't turn back...
        -Wut?
        -what the fuck you ever do, just don't turn around...
        -fuck is your problem?
        -I fucking warned you, don't the fuck turn around...
        -Fuck you mother fucker, I turn where the fuck I want to, if I want to turn around I fucking do s... (turns to stone)
        -wow man, I did warn him

        No matter how much you educate, if things don't make sense, then they don't make sense...
        btw, you can not educate, only make more paranoid...

        --
        old saying: "a troll is a window into the soul of humanity" + also: https://en.wikipedia.org/wiki/Operation_Ajax
        • (Score: 2, Funny) by drgibbon on Saturday November 22 2014, @12:33PM

          by drgibbon (74) on Saturday November 22 2014, @12:33PM (#118748) Journal

          Example lacks fuck.

          --
          Certified Soylent Fresh!
          • (Score: 2) by maxwell demon on Saturday November 22 2014, @12:56PM

            by maxwell demon (1608) on Saturday November 22 2014, @12:56PM (#118752) Journal

            ITYM: Fucking example fuckingly lacks fucking fuck.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 1) by dlb on Saturday November 22 2014, @05:17PM

              by dlb (4790) on Saturday November 22 2014, @05:17PM (#118821)
              Yes, it hadn't even begun to access the full potential of The F Word [youtube.com].
              • (Score: 1) by zugedneb on Saturday November 22 2014, @07:27PM

                by zugedneb (4556) on Saturday November 22 2014, @07:27PM (#118879)

                hmm, it was thought as hillbilly comedy...
                in all serious military and sci-fi films, when something is really important, the f word shows up...

                it fits a lot for this case:
                -wow omfg this site is extra extra dangerous
                -wow omfg you have to run this program, your computer is infected
                -and so forth...

                point is, no matter the emphasis, if the problem makes no sense, the warning makes no sense

                --
                old saying: "a troll is a window into the soul of humanity" + also: https://en.wikipedia.org/wiki/Operation_Ajax
                • (Score: 1) by dlb on Saturday November 22 2014, @08:29PM

                  by dlb (4790) on Saturday November 22 2014, @08:29PM (#118897)

                  hmm, it was thought as hillbilly comedy...

                  Your post was humorous. And I thought maxwell demon's post added to the humor, hence my posting the link to the most versatile word in the English Language.

      • (Score: 3, Insightful) by bzipitidoo on Saturday November 22 2014, @01:44PM

        by bzipitidoo (4388) on Saturday November 22 2014, @01:44PM (#118761) Journal

        Dumbing down the messages will not work. The messages themselves can't be trusted. Often, some scary message is itself a lie that tries to push and trick the user into creating the very security breach the message purportedly warns against. "Dear Yahoo mail user, we have detected unusual activity on your email account. You should change your password immediately. Go _here_ to change your password." It's urgent, they say, because your email account will be deleted within 24 hours if you do nothing. Spam filters routinely allow those messages, despite the relative obviousness of the fakery.

        Worse in many ways are the legitimate security messages. I shake my head whenever I see a genuine email with a security warning and a convenient link to the actual website. Browsers do a poor job. Use https to visit a site with an expired certificate, and Firefox gives this dire warning and asks the user to jump through a bunch of hoops to connect. Where that is really annoying is when you're on an old PC that thinks it's Jan 1, 1980 or 1990 or some date more than 10 years ago because its CMOS battery died, and the browser believes that and gives the same dire warnings, this time because the cert is not valid until some date in the future. Go to the http port instead, and you avoid the whole mess.

        If anything, the messages should be smarter. A false positive because the security software wasn't programmed to handle a relatively common contingency, like the PC clock having a wrong and very old date, is the last thing you want to bug users about. False positives over simple problems like that deserve to be ignored. Nanny messages are also bad, frequently dumb and insulting at the same time. I was once blocked from visiting the libpng website. Why? Because in addition to genuine security threats, the nanny software was also programmed to block porn, and PNG might be used for porn. Microsoft is also hugely guilty of conflating real security problems with bull. Windows Genuine Advantage and Trusted Computing are cases in point. You got to love it when they try to claim that allowing you to do things that might look like piracy, like running a copy of Windows that appears to be unvalidated whether or not it actually is, is somehow a threat to your security.

        • (Score: 2) by frojack on Saturday November 22 2014, @06:25PM

          by frojack (1554) on Saturday November 22 2014, @06:25PM (#118850) Journal

          Warning about self signed certificates is another pet peeve of mine. Google Chrome won't let you go to a web site with a self signed cert. Firefox will with a warning.

          But Google itself uses a self signed certificate!

          --
          No, you are mistaken. I've always had this sig.
    • (Score: 2) by GungnirSniper on Saturday November 22 2014, @04:38PM

      by GungnirSniper (1671) on Saturday November 22 2014, @04:38PM (#118802) Journal

      Most of the problems with the computer were not a consequence of the direct action of any of the users... If they did not ask for something, it should not happen - yontoo, ask toolbar, driver problems and so forth...

      If the users leave the defaults checked to install bundled software, can we say they didn't ask for those things?

      Users will click through anything to get a program installed, and "free" software often takes advantage of this to add additional programs to generate revenue. Often these bundled programs install toolbars and change the homepage of the browsers. IE used to prompt to confirm the change, but it doesn't seem to be consistent.

      Adobe Flash defaults to bundling McAfee Security Scan Plus. [adobe.com]
      Oracle Java defaults to bundling the Ask Toolbar and changes the user's homepage. [java.com]

      Another big offender for getting users' eyes to glaze over are the big AV makers. By constantly reminding users "Hey, look at us, we caught a cookie! Renew now!" users become accustomed to seeing negligible warnings. Yet these same AV makers refused to block or even prompt on browser changers. Since these adware companies are legal, and doing anything to protect against their installation methods could cause a lawsuit, the big vendors don't take action. This is why Malwarebytes is so popular.

      Nor should Windows get a free pass on its lack of proper install/uninstall methods. If we remove something, say like the Ask Toolbar, Windows should change back any settings in the browsers the installation made in the first place. Even AVG requires a special utility to uninstall its own toolbar. [avg.com] That's pathetic, and they require JS to show their website.

      It may also be a good idea for Windows to have an update repository that includes things like Flash and Java. Requiring each application to have its own update mechanism and boot-time update check is something that should have gone away a decade ago. It is inexcusable from a system administration standpoint.

  • (Score: 4, Insightful) by q.kontinuum on Saturday November 22 2014, @12:29PM

    by q.kontinuum (532) on Saturday November 22 2014, @12:29PM (#118747) Journal

    I ignore these warnings because I assume they won't affect a Fedora installation (which might be wrong due to Java support or malware actually targeted at Linux, but unlikely due to the small market share).

    Others might rely on some security software too much. Or they still think Malware always asks for permission to install. Or they are hormone-controlled [==insane] at that particular moment due to the nature of the page content...

    --
    Registered IRC nick on chat.soylentnews.org: qkontinuum
  • (Score: 1) by Rosco P. Coltrane on Saturday November 22 2014, @12:52PM

    by Rosco P. Coltrane (4757) on Saturday November 22 2014, @12:52PM (#118750)

    It's the edge effects of applying patches. For instance, I can't count the number of times I've applied security-related patches from Microsoft, only to discover they break this-or-that OS functionality, or one of my drivers has stopped working correctly, or Microsoft has decided to disable a feature without asking anybody anything, etc...

    Microsoft has broken more stuff on my computer than any malware ever did. As a result, I don't patch Windows anymore. I rely on a lightweight antivirus, security addons in Firefox and good habits when browsing the web.

    • (Score: 1) by RedGreen on Saturday November 22 2014, @03:41PM

      by RedGreen (888) on Saturday November 22 2014, @03:41PM (#118781)

      Yes too bad windows is such a pain gave up on it a decade and a half ago. Now with my OS X or Linux machines update comes along I clone the OS to spare partition boot into that apply update run it for few days to check for problems if none clone it back to the main partition and carry on. I do believe there are similar tools now for windows you should give them a try.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 1) by dlb on Saturday November 22 2014, @04:08PM

        by dlb (4790) on Saturday November 22 2014, @04:08PM (#118792)

        Now with my OS X or Linux machines update comes along I clone the OS to spare partition

        That sounds like a lot of work. My Macs update maybe once or twice a month, and time machine does a nice job keeping a running backup anyway, but my Linux Mint sends updates daily. Sometimes two or three times a day. Like most people, my computers are tools I use to do work. If the upkeep of the tool gets in the way of doing the job at hand, then it's human nature to skimp on that upkeep.

        • (Score: 2) by HiThere on Saturday November 22 2014, @10:56PM

          by HiThere (866) Subscriber Badge on Saturday November 22 2014, @10:56PM (#118947) Journal

          The interesting thing here is that before I switched to Linux I was a happy Mac user. Then a security upgrade came along that included an EULA ... which I read. Essentially what it said was that if I installed the security upgrade I gave Apple ownership of everything in the computer. (It would have been a shared ownership, but still.....) The next day I was using Linux for everything that touched the net, and the upgrade was refused. I've still got that Mac, but it's been unplugged for over 5 years now. Still, there are some proprietary packages that are still holding my data hostage, so I can't just ditch it. Contemplating this, I've not only been reluctant to fork over any more money for proprietary hardware, but even for proprietary software that runs on Linux.

          OTOH, there are a couple of packages that I would still be buying if they ran on Linux. Deneba Canvas (a graphics program), Finale (a music score editing program), and probably WordPerfect...though that would depend on just how well they implemented things. The original Linux version was not great. (The Canvas Linux program, however, was good enough that I'd have Red Hat installed if necessary to use it...but they only released a beta, and that for only a week or so. So system upgrades have made it unusable. (With these packages you *can* export usable files, though often only print images. You just need to think about it while you're doing the work, as they don't have standard file formats.)

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2) by Justin Case on Saturday November 22 2014, @12:58PM

    by Justin Case (4239) on Saturday November 22 2014, @12:58PM (#118753) Journal

    We needed a study? Anyone who has done deskside support already knows this. People do not see those warnings that pop up. Stop them one second after they clicked through it and they will swear it was never there.

    People have been trained by thousands of experiences with their "desktop" to play whack-a-mole with dialog pop-ups.

    User: I want to get to goal A.

    Computer: Sorry but I refuse to do anything until you acknowledge this warning.

    User: You're in my way. How do I make you go away?

    And this in turn is because certain vendor$ and developer$ wanted to do bad things with their software.

    Vendor: Look, ooh shiny, buy!

    Security researcher: But that's dangerous.

    Vendor: Look, ooh shiny, buy!

    Security researcher: Watch as I blow up your house.

    Vendor: Oh dear! Well we can't remove this well established "feature" now so we'll punt responsibility to the user.

    User: ????? Click!

    • (Score: 4, Interesting) by maxwell demon on Saturday November 22 2014, @01:10PM

      by maxwell demon (1608) on Saturday November 22 2014, @01:10PM (#118756) Journal

      This has nothing to do with GUIs. This would happen exactly the same with security questions on the terminal ("Are you sure (Y/N)?") Indeed, it did happen with security questions on the terminal (e.g. Computer: Formatting C: will destroy all the data on it. Really continue? User: Yes — a second later: Wait ... C:? I wanted to format the floppy in A:! Damn ...).

      There's however one advantage for terminal questions: There's a good chance that they are still on the screen when things start going wrong, so at least retroactively you can see what you did wrong.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 4, Interesting) by Justin Case on Saturday November 22 2014, @01:32PM

        by Justin Case (4239) on Saturday November 22 2014, @01:32PM (#118758) Journal

        > they are still on the screen when things start going wrong, so at least retroactively you can see what you did wrong.

        Yes that's what I said/meant to say. The pop-up disappears and a second later the user actually believes it was never there. You can't teach them what went wrong because their internal experience does not match what you are saying.

  • (Score: 1) by cellocgw on Saturday November 22 2014, @03:45PM

    by cellocgw (4190) on Saturday November 22 2014, @03:45PM (#118783)

    This was made pretty darn clear the moment the various geniuses at Redmond and at 1 Infinity Way started putting those "are you sure" and "enter password" popup windows. Nobody likes them and nobody cares.

    --
    Physicist, cellist, former OTTer (1190) resume: https://app.box.com/witthoftresume
  • (Score: 1) by dlb on Saturday November 22 2014, @04:19PM

    by dlb (4790) on Saturday November 22 2014, @04:19PM (#118797)
    What I don't like are those update popups from Adobe on Windows. How do I know it's from Adobe? I don't. Why can't Windows do like Apple and bundle all updates through one mechanism/store/site/whatever? (But then again, that opens up a whole 'nother debate.)
    • (Score: 2) by frojack on Saturday November 22 2014, @08:42PM

      by frojack (1554) on Saturday November 22 2014, @08:42PM (#118901) Journal

      There are a lot of updates that come via windows update that originated from some other company, often intel.

      But I can't see why Microsoft would want to take responsibility for approving Adobe updates since Adobe code is so atrocious.
      That's just asking for trouble, guilt by association. He who touches it last acquires all blame.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 1) by Gravis on Sunday November 23 2014, @04:51AM

      by Gravis (4596) on Sunday November 23 2014, @04:51AM (#119038)

      Why can't Windows do like Apple and bundle all updates through one mechanism/store/site/whatever?

      the idea of a centralized repository seems to finally be getting a chance in windows 10. *sigh* microsoft is always playing catch-up to linux software.