The Perils of FUI: Fake User Interface

@ Practicality

The problem is not people downloading stuff, but people downloading stuff that crosses the security barrier which the browser sandbox forms. So downloading MP3s is ok, and there is a whole class of applications that are totally ok and harmless - nobody needs real hard drive access for a funny flash game.

I think there was once at a time some Microsoft .NET stuff which was supposed to give such fine-grained access levels to downloaded applications, where apps could request only small permissions. That doesn’t seem to have worked yet, but if the incentive for developers is “users will be bugged by a scary password dialog if they run my app”, that might work.

Java Web Start and I think regular Java apps also once had something like this, where apps running on the client (not applets) could request only some partial rights. But the only distinction was no rights or all rights, which doesn’t really help :(

Jeff,

An important aspect of these attacks is that fooling users generates money through various pay-per-click schemes, worms which deliver the cookie payload (or worse), later used to click the unique click… In other words, fooling users is a serious business which, for some, generates an income far better than the best consulting fees in IT business.

Sad fact is that a black-belt in fooling users pays better than a black-belt in not-fooling users. But that’s a topic unto itself.

Keep in mind that fooling users is not illegal and gets officially classified under Online Marketing.

Wow, lot of comments. Anyway, interesting stuff, and I really like the term FUI.

Wait? I thought JavaScript was the bestest!?!?!

-N

Now if the popup said “Woe betide you if you don’t save this file!”

Listening to some old songs this weekend Jeff? :)

For what it’s worth, my girlfriend has been educated by me about these things, so as soon as that FUI popped up, I heard a plaintive cry from her computer room: “Ryyyyyyyannnnn! I’ve got spyware popups!”

She knew to click the X’s, not the ‘cancel’ buttons, and a thorough scan of her system showed us that while the installer was downloaded, it didn’t execute.

Disaster averted.

Who knew how dangerous gardening could be to your IT health?

If you’ve installed Vista then you have got so desensitized to clicking ‘Yes’ every 5 minutes that this is just going to sail right by. Security requires education about difficult topics and isn’t really going to help since most people just want to watch videos and read email.

That’s quite a clever attack; it even gets around Google’s protection against sites that may harm your computer.

Firefox’s NoScript plugin does an excellent job, disabling JavaScript, Flash, and more by default and using a whitelist approach to turn it back on.

Did you or Ryan inform MRLS of this, Jeff? I tried the link to Ryan’s page, but got a “we’re still building this site” message.

I love your site, but is there any chance you could be a bit more diverse with your examples of useless users? I’m pretty sure this isn’t the first time you’ve used your wife or your mother for this. I’m neither wife, nor mother, nor indeed female, but am beginning to feel offended. For the record, my mother is indeed pretty gormless about such things, but my wife is a smart non-IT-industry user.

Some background:
http://www.tbray.org/ongoing/When/200x/2005/03/20/Women

Perhaps one to post about? In the meantime, keep teching the tech!

As much as I admire distributed phishing blacklist efforts, there’s no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?

I think that is why it is up to the companies developing Anti-virus software to design a way to prevent the bad-guys from being able to spoof them. As a security initiative, Anti-virus software should be developed so that it is easily identified by the person using it (based on What you have, What you know, and/or Who you are). This could be something as simple as a big, bold label that has some kind of unique trait about yourself, always in the same spot. That way, if you don’t see Mike T. in green, bold letters in the upper-right hand part of the window, you know it’s not your software. I know this wouldn’t prevent everyone from clicking the wrong thing, but it might help.

Gary Schubert: go visit a site that starts with ‘g00d-stuff’ and ends with ‘.com’ without NoScript and tell us how the fact that you know what you are doing helps.

If you really know what you are doing you don’t visit sites with g00d-stuff in their names. I don’t have NoScript. I also know what I’m doing, therefore I didn’t go to that site.

Do I win a prize?

I clicked on the direct link, nothing happens, page renders fine…

I clicked on the google search link, click on the first results from google, nothing happens, page renders fine…

I typed in the url my firefox address bar, nothing happens, page renders fine…

Oh… shit, I forgot, I’m using Ubuntu with Firefox 3.

Actually, on Vista, no account is administrator by default, that’s the whole point of UAC.

I know that it’s just going to become another prompt to some people, but if you were on XP as a standard user, you’d get the same prompt, it would just ask for a password too (it’s the same on Vista if you’re not admin btw).

The biggest problem is not that people are uneducated about these things, but that they simply don’t want to know. MS already puts up about 10 warnings saying “this may harm your computer” and “only click continue if you trust this publisher” etc., but people just ignore it because they want their dancing bunnies, or, in this case, free antivirus.

I’ve always thought that JavaScript alerts look far too much like regular system alerts.

I’m not a Mac zealot or anything (far from it), but use OSX. Apple have strict standards as to how applications should look, so a FUI like that would look out of place. On Windows, design decisions are left solely up to the developer (coughItunescough), so it’s far easier to trick users into thinking they are looking at a real application.

@allied: People don’t generally run windows xp as non-administrator, because it’s such a bitch to get anything working then. A lot of the same goes for Windows Vista, unfortunately, because UAC is necessarily a bolt-on, meaning some software publishers still force their customers to run as administrators.

Not that it helps much. The goal of this kind of software is to get itself installed on your system and use your resources, whether to run as part of a botnet or to steal your credentials for whatever. (your bank, myspace, world of warcraft, you name it) The only upside of running as administrator (for the trojan, anyway) is that it makes it a lot easier to install a rootkit and hide its presence from the user. But other than that, execution of the binary in a normal (non-sandboxed) environment is already game over.

Oh and I was also wondering about the perpetual wife/mother examples. How’s your wife with computers Jeff? :)

Sometimes when I’m watching a screencast, and the person scrolls to another piece of code, I find myself clicking on their scrollbars to jump back up and look at something.

I had to fix a friend’s computer a few days ago, which seemed to be infected, as it was showing unwanted ‘beware, virus spotted’ prompts. After a few tries, I discovered the computer was truly infected, but by a virus specially designed for selling antivirus.

He altered the wallpaper to emulate a virus warning and replaced the screensaver with the well-known ‘blue screen’ followed by a fake XP boot. On top of that he was also pretty tough and gave me a hard time evicting him.

A couple of thoughts:

  1. Build a decent OS. Upon reviewing the following items, it’s apparent this is the only solution.

  2. Build browsers that actually sandbox the web. For example, throw ActiveX out the window. It was a really bad idea to begin with. Also, javascript should not take full control of the browser. Every time the browser wants to download something, only allow the user to save the file. Never ask about immediately running a downloaded program.

  3. Fix virus scanners. Between all the crap that McAfee/Norton/etc installs on a machine it’s really hard to tell them apart for adware/malware. As a matter of fact, just build it into the OS. Those guys are ripoff artists anyway. I personally believe opening the windows kernel back up for them was a really bad idea.

  4. Education will never work so get off that horse already. No one has time to read all of the boxes that show up on a daily basis. Which leads to my next item. Hell, I’d actually be surprised if anyone read this far in my post.

  5. Get rid of pop ups completely. They are only used for adware, marketing, and techno speak. Normal people stopped reading them long ago. As a matter of fact they usually just close their eyes and click randomly on the screen until they go away. If you have to pop something up as an alert then the application is already doing the wrong thing. Besides the fact that Apple has proven with Time Machine that Infinite Undo for EVERYTHING is much better.

  6. Simplify application installation / uninstallation. Honest to god why are apps allowed to install anything near the OS? The Registry is a waste of space. I should be able to go to an application directory, push the delete key, and have it GONE. Why do OS’s even allow hidden files (even from itself) to begin with? Stupid.

Everything an application needs to run should be installed in ITS application folder, sharing that crap was a bad idea to begin with.

Maybe if all the browsers supported some type of “Report Spyware” button. So that when someone like Jeff or another techy notices it’s a bad site they report it and the rest of the noob people benefit.