Re: Fake popup study

2008-09-24 Thread Jim Youll


On Sep 23, 2008, at 6:15 PM, Sandy Harris wrote:

> From Slashdot: Psychologists gave university students phony
> popups with various malware warning signs. Many just clicked.
>
> http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html


I think it's got to be said that it's not apparent that the end-users
are the /idiots/ who should be called out for failing this study.

We gave them these interfaces, protocols and technologies that allow
for things to go so badly wrong. Nothing in the world required the
technology ecosystem to become what it is, except design decisions
that were (and are) made well out of the sphere of influence of mere
idiot users.

This stuff was designed and shepherded to market by the modern
captains of industry, by rock star developers and wünderkinden.

When a real engineer builds a bridge that falls down, we blame the
engineer, not gravity.
Bad people have always existed in the world. When developers pretend
they don't exist and people are then victimized, we're supposed to
continue to accept the bluster about technology rock stars, and
therefore conclude that the customers (who outnumber the developers by
what, 1,000 to 1?) are the idiots?

Let's reconsider that. Seriously, let's shout it down. It's a
ridiculous proposition that's tiring to hear time and again.

I'll even argue from the other direction just to make it complete.
Even if they are all idiots: when a population you serve outnumbers
you by 1,000 to 1 and keeps blowing itself up when using your stuff,
it's time to idiot-proof the product.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Fake popup study

2008-09-24 Thread Perry E. Metzger

Jim Youll [EMAIL PROTECTED] writes:
> I think it's got to be said that it's not apparent that the end-users
> are the /idiots/ who should be called out for failing this study.
>
> We gave them these interfaces, protocols and technologies that
> allow for things to go so badly wrong. Nothing in the world required
> the technology ecosystem to become what it is, except design
> decisions that were (and are) made well out of the sphere of
> influence of mere idiot users.
>
> This stuff was designed and shepherded to market by the modern
> captains of industry, by rock star developers and wünderkinden.
>
> When a real engineer builds a bridge that falls down, we blame the
> engineer, not gravity.

419 scams are not caused by bad interfaces or bad engineering.
Phishing is, but clearly not all con games are, and con games are
remarkably profitable.

Although it is true that there are better and worse interfaces, and
that many of the interfaces we use right now are rather on the worse
side, it is apparent that one of the issues we have is the astonishing
depth of human stupidity.

> I'll even argue from the other direction just to make it complete.
> Even if they are all idiots: when a population you serve outnumbers
> you by 1,000 to 1 and keeps blowing itself up when using your stuff,
> it's time to idiot-proof the product.

To quote a common observation: You can't make things perfectly idiot
proof because idiots are too ingenious.

I was having a discussion over lunch about a week ago with a couple of
pretty well known security people (one of them might pipe up on the
list). We were considering what would happen in a particular seemingly
foolproof system with a trusted channel if someone got a message via
an untrusted channel saying...

  Now, to complete your book purchase, the trusted system is going to
   say If you press YES, you're going to send all the money you
   have in the world to a con man in Nigeria -- this is
   normal. Please press yes when it says that.

...a large fraction of users would just press YES.

I don't want to claim that there is no place for better human factors
work in security engineering. There clearly is. However, I will
repeat, that is not the only story here, and it is not unreasonable to
note that there are people who are clearly nearly impossible to
protect with almost any level of human factors engineering and
security technology.


Perry
-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Fake popup study

2008-09-24 Thread Jim Youll

On Sep 24, 2008, at 5:45 PM, Perry E. Metzger wrote:


> Jim Youll [EMAIL PROTECTED] writes:
>
>> I think it's got to be said that it's not apparent that the end-users
>> are the /idiots/ who should be called out for failing this study.
>>
>> We gave them these interfaces, protocols and technologies that
>> allow for things to go so badly wrong. Nothing in the world required
>> the technology ecosystem to become what it is, except design
>> decisions that were (and are) made well out of the sphere of
>> influence of mere idiot users.
>>
>> This stuff was designed and shepherded to market by the modern
>> captains of industry, by rock star developers and wünderkinden.
>>
>> When a real engineer builds a bridge that falls down, we blame the
>> engineer, not gravity.
>
> 419 scams are not caused by bad interfaces or bad engineering.
> Phishing is, but clearly not all con games are, and con games are
> remarkably profitable.

The article and the study concerned user vulnerabilities compounded
by poor user interfaces and poor underlying architectures. I was
addressing my comments toward the study generally, and to the
inappropriate but common tone of the article, in particular, not to
other out-of-band issues. There are many risks in the world. I see in
that study some confirmation that poor design has made certain of
those risks worse.

> I was having a discussion over lunch about a week ago with a couple of
> pretty well known security people (one of them might pipe up on the
> list). We were considering what would happen in a particular seemingly
> foolproof system with a trusted channel if someone got a message via
> an untrusted channel saying...
>
>  Now, to complete your book purchase, the trusted system is going to
>   say If you press YES, you're going to send all the money you
>   have in the world to a con man in Nigeria -- this is
>   normal. Please press yes when it says that.
>
> ...a large fraction of users would just press YES.

Straw man.

> I don't want to claim that there is no place for better human factors
> work in security engineering. There clearly is. However, I will
> repeat, that is not the only story here, and it is not unreasonable to
> note that there are people who are clearly nearly impossible to
> protect with almost any level of human factors engineering and
> security technology.

Considering the magnitude and frequency of losses that apparently occur
through these technologies, and the fact that the crypto and security
technologies are pretty far evolved and seem to work well if used
well, I would counter that human factors are just about all we should
be worrying about right now, if we hope to ever make online activities
as safe as they should be.



Re: Fake popup study

2008-09-24 Thread Perry E. Metzger

Jim Youll [EMAIL PROTECTED] writes:
>> I was having a discussion over lunch about a week ago with a couple of
>> pretty well known security people (one of them might pipe up on the
>> list). We were considering what would happen in a particular seemingly
>> foolproof system with a trusted channel if someone got a message via
>> an untrusted channel saying...
>>
>>  Now, to complete your book purchase, the trusted system is going to
>>   say If you press YES, you're going to send all the money you
>>   have in the world to a con man in Nigeria -- this is
>>   normal. Please press yes when it says that.
>>
>> ...a large fraction of users would just press YES.
>
> Straw man.

Hardly. In fact, it is a very important thing to bear in mind, as is
the output of that study.

The whole point of the study (which you feel had an inappropriate
tone) and of such gedankenexperiments is to understand the problem
space better.

At one time, we believed that with enough crypto, we would be safe,
but we were disabused of that notion -- crypto is a great tool but not
a panacea. Now the notion seems to be that with enough human factors,
we will be safe. It appears this, too, is not a panacea.

> Considering the magnitude and frequency of losses that apparently
> occur through these technologies, and the fact that the crypto and
> security technologies are pretty far evolved and seem to work well
> if used well, I would counter that human factors are just about all
> we should be worrying about right now, if we hope to ever make
> online activities as safe as they should be.

There are all sorts of things to worry about. Human factors are
clearly an important component, but I think that the study (yes, the
one which you feel had an inappropriate tone) is important -- some
people are too stupid to trust.

Clearly, by eliminating decisions people have to make (such as by
removing non-secure modes of operation), eliminating means by which
people can leak valuable information (such as by eliminating passwords
that they can give to fake customer service representatives and the
like), cleaning up the human factors, etc., we can make things much
better.

However, the lesson of this sort of study is that we may never be able
to fix the problem. You contend the engineers are at fault, but
clearly they are only partially at fault -- there are (as I said) some
people who are too stupid to protect. We probably should not be
surprised by this -- there are clearly people we do not allow to cross
the street on their own (young children, some mentally ill people,
etc), so there is perhaps a class of people who should not be allowed
to do unsupervised banking on the basis that they cannot be trusted to
protect themselves adequately.

Perry
-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Fake popup study

2008-09-24 Thread Bill Frantz
[EMAIL PROTECTED] (Perry E. Metzger) on Wednesday, September 24, 2008 wrote:

> I don't want to claim that there is no place for better human factors
> work in security engineering. There clearly is. However, I will
> repeat, that is not the only story here, and it is not unreasonable to
> note that there are people who are clearly nearly impossible to
> protect with almost any level of human factors engineering and
> security technology.

I would suggest that, in the real world, most of the people that
are nearly impossible to protect, don't have much money. Now real
world scams have been around for quite a while, and we teach about
them in school. However they still work with some people, which is
why those people don't have much money.

Online scams are newer, and many of their victims left school long
before the scams became popular. I expect the online situation will
stabilize in about the same way as the real world one has.

Cheers - Bill

-
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032



Re: Fake popup study

2008-09-24 Thread Jim Youll


On Sep 24, 2008, at 6:39 PM, Perry E. Metzger wrote:


> The whole point of the study (which you feel had an inappropriate
> tone) and of such gedankenexperiments is to understand the problem
> space better.


Clarification: not the study.

I believe the article had an inappropriate tone. Calling victims of
inadequate user interfaces idiots is inappropriate and spits in the
face of the evidence.

It's still a fact that when a majority of a population of operators of
any equipment is experiencing poor outcomes just using it as normal
people do, then there is a screaming need to fix that equipment.

If the blame the idiot thinking were accepted in other domains, we'd
still have factory workers chopping off their limbs on a daily basis
because any non-idiot should be smart enough to step back when the press
is coming down. The simple fact is that normal people make mistakes and
experience momentary slips as part of their ordinary existence.

It's a designer's job to consider the users of an engineered device, to
consider what their /entirely expected/ failings will be, and to work
to prevent them. The current approaches do not work well to prevent
the expected human failures.

Therefore, the current approaches are inadequate.

The study suggests that people should be expected to make errors using
current user interfaces shoved in their faces by the stuff behind the
scenes that never should have been so insecure in the first place.
Why all the shock and outrage then?

Security and OS builders would do well to consider how nuanced certain
other things are, that just work right. As a quick example, I've not
looked at the code but I can definitely tell that a hell of a lot of
scrubbing is done on the trackpad inputs from this laptop, so that
cursor motion is reliable and predictable, despite my imprecise finger
movements. I look forward to seeing such nuance in user safety
someday and will never be satisfied calling the majority of the
population idiots because some human-built device has gotten lots of
them into unexpected trouble.


> At one time, we believed that with enough crypto, we would be safe,
> but we were disabused of that notion -- crypto is a great tool but not
> a panacea. Now the notion seems to be that with enough human factors,
> we will be safe. It appears this, too, is not a panacea.
> protect themselves adequately.



Human factors haven't received nearly enough attention, and as long as
human factors failings are dismissed as the fault of idiot users, they
never will.



Re: Fake popup study

2008-09-24 Thread Bill Frantz
[EMAIL PROTECTED] (Perry E. Metzger) on Wednesday, September 24, 2008 wrote:

> there are clearly people we do not allow to cross
> the street on their own (young children, some mentally ill people,
> etc), so there is perhaps a class of people who should not be allowed
> to do unsupervised banking on the basis that they cannot be trusted to
> protect themselves adequately.

My 96 year old mother does not have a check book or credit cards.
All her bills are paid through her lawyer's office. QED.

Cheers - Bill

---
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032



Re: Fake popup study

2008-09-24 Thread Perry E. Metzger

Jim Youll [EMAIL PROTECTED] writes:
> On Sep 24, 2008, at 6:39 PM, Perry E. Metzger wrote:
>> The whole point of the study (which you feel had an inappropriate
>> tone) and of such gedankenexperiments is to understand the problem
>> space better.
>
> Clarification: not the study.
>
> I believe the article had an inappropriate tone. Calling victims of
> inadequate user interfaces

I don't think all the interfaces in question are inadequate. There are
glaring exceptions, such as the various interfaces in browsers to
determine if an SSL connection is trustworthy. However, not all the
interfaces are inadequate.

> idiots is inappropriate and spits in the face of the evidence.

Does it? Are there really no people to whom one can apply that involved?

I have heard of cases in which, in spite of having been told point
blank by security people not to send any further money to a 419
scammer, people have continued sending it because, after asking the
419 people if they were a scam, were assured by them that they were
legitimate. Indeed, I've heard of worse. Short of a court imposed
conservatorship, how is one to protect someone like that?

It is clear that user interfaces will always need to allow people
to do things like transferring money or installing software, and it is
equally clear that such operations will always have some potential for
danger. Some people will not pay attention to warning signs of danger
in such interfaces regardless of how prominently they are displayed,
and we cannot make such things perfectly safe.

We can fancy up our language if you insist. For example, we can be
more polite (by speaking of users with limited security problem
detection skills and such). However, in the end, not all of these
people are victims of anything other than themselves.

> It's still a fact that when a majority of a population of operators
> of any equipment is experiencing poor outcomes just using it as
> normal people do, then there is a screaming need to fix that
> equipment.

Actually, a majority don't experience trouble. A majority *are*
infected with malware, but not because of any fault of their own --
driveby and other infection systems are just too pervasive, and the
majority use an operating system that is very full of holes.

However, most people seem to recognize 419 scams, phishing email,
etc. The problem is that a substantial minority do not, and a worse
problem is that a fraction of those cannot regardless of how much
user education is applied.

As I noted, we should indeed improve our interfaces, reduce
the number of opportunities such people have for causing themselves
harm (thus the notion of always on security etc.) and take all other
reasonable measures.

However, it is important, as I said, to see the limits. Some people
will always aim the gun at their feet and fire, no matter how many
trigger interlocks we add.

Perry
-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Fake popup study

2008-09-24 Thread Jon Callas

> At one time, we believed that with enough crypto, we would be safe,
> but we were disabused of that notion -- crypto is a great tool but not
> a panacea. Now the notion seems to be that with enough human factors,
> we will be safe. It appears this, too, is not a panacea.


What you mean, We?

I said ages ago that you cannot produce trust with cryptography, no  
matter how much cryptography you use. That's a bow towards Lao Tzu's  
original, you cannot produce kindness with cruelty, no matter how  
much cruelty you use.


To quote Crispin Cowan on phishing, it (and other con jobs) are a  
security failure on the device that sits between the keyboard and  
chair. Until we can issue patches on that device, we're getting  
nowhere. Even after, it's a long road ahead. I think you can prove  
that it's impossible to stop cons.


What we *can* do is lower the number of them. But we're not going to  
get anywhere when we blame the victims. I'm with Jim Youll on this,  
the people who think the users are idiots just don't get it.


Jon




Re: Fake popup study

2008-09-24 Thread Perry E. Metzger

Steven M. Bellovin [EMAIL PROTECTED] writes:
>> Human factors haven't received nearly enough attention, and as long as
>> human factors failings are dismissed as the fault of idiot users,
>> they never will.
>
> Strong agreement.

I don't disagree that much more needs to be done on human factors. I
just don't see it as a panacea. I also think understanding just how
little you can expect from the users, and what the limits are, is
critical.

I have a friend whose mother got conned after a stroke left her
excessively credulous. He arranged for caretakers to read all her
physical and electronic mail before letting her have it. Understanding
the limitations of your user community is important.


Perry



Re: Fake popup study

2008-09-24 Thread Steven M. Bellovin
On Wed, 24 Sep 2008 20:43:53 -0400
Perry E. Metzger [EMAIL PROTECTED] wrote:

 
> Steven M. Bellovin [EMAIL PROTECTED] writes:
>>> Human factors haven't received nearly enough attention, and as
>>> long as human factors failings are dismissed as the fault of
>>> idiot users, they never will.
>>
>> Strong agreement.
>
> I don't disagree that much more needs to be done on human factors. I
> just don't see it as a panacea.

There are no panaceas in this business.  As I told my class yesterday,
if they learn nothing else they should remember that security is a
systems property, and everything interacts.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
