Security

Creating Better Malware Warnings Through Psychology

Posted by Unknown Lamer
from the this-web-page-will-eat-your-cat dept.
msm1267 writes "Generic malware warnings that alert computer users to potential trouble are largely ineffective and often ignored. Researchers at Cambridge University, however, have proposed a change to the status quo, believing instead that warnings should be re-architected to include concrete, specific warnings that are not technical and rely less on fear than current alerts."
  • Waste of Time (Score:4, Informative)

    by Anonymous Coward on Tuesday January 07, 2014 @02:27PM (#45889687)

    The fake warnings that get people to click on them will just copy the wording and format of the new warnings and use those to entice people to "click here to avert catastrophe".

    • by Anonymous Coward on Tuesday January 07, 2014 @02:39PM (#45889897)

      I don't know what the article said. I was afraid to download the paper linked because it occurred to me that it might have been one of the very malware warnings they were talking about since they said "Reading this May Harm Your Computer: The Psychology of Malware Warnings".

      Preeety clever guys, but I ain't gonna let y'all pull a fast one on me

      • by Pope (17780) on Tuesday January 07, 2014 @03:22PM (#45890465)

        Maybe you should read about this one weird computer security tip discovered by a mom. Malware writers hate her!

        • by Lazere (2809091)
          That sounds amazing! Where can I read more about this, haphazardly animated ad?
        • by ancientt (569920)
          Mod parent up. I'm submitting to seenonslash.
        • Maybe you should read about this one weird computer security tip discovered by a mom. Malware writers hate her!

          People viewing this warning, also clicked on these:
          Solve the Captcha to Remove Her Towel!
          \V/ Download Now \V/
          Let your PC make US $$$ while you sleep.
          Bitcoin trading is Hard. BTC Millionaire Secrets Revealed
          You're the <% $UCKER %>th Visitor! Claim Your Prize!

    • by Anonymous Coward

      I did not RTFA, but the general practice of scaring the user needs to stop - even from the point of view of the AV vendors. Most AV products show warnings like "Potentially unwanted product" using the exact same design/messaging as they show warnings for actual viruses. Yes, it's a good idea to alert the user. No, it's not a good idea to do so in a way that makes them believe their world is about to end because they might see an ad or something.

      • by Anonymous Coward

        Well, then you're not going to like the article. It says to tell the user "this IS bad and WILL damage your computer" instead of "this may be a potential hazard".

        • Re:Waste of Time (Score:4, Interesting)

          by geminidomino (614729) on Tuesday January 07, 2014 @04:29PM (#45891241) Journal

          Right, but the point of the article is to do so on sites that ARE bad and WILL drive-by software that will try to log your keystrokes, steal your passwords and account numbers, and use your computer to send out spam (concrete threats), and not "this could be something scary and microsoft doesn't approve" because you have a GUI IP scanner installed.

      • I especially like it when AV software flag a keygen for being a keygen. No, not because the keygen also has a trojan or whatever, but that it is a keygen. The explanation usually states "keygens may contain malware" - so, tell me whether it actually contains malware or not - maybe that's why I scanned it with the AV software...

        • by tlhIngan (30335)

          I especially like it when AV software flag a keygen for being a keygen. No, not because the keygen also has a trojan or whatever, but that it is a keygen. The explanation usually states "keygens may contain malware" - so, tell me whether it actually contains malware or not - maybe that's why I scanned it with the AV software...

          The problem is, a lot (if not most) keygens are wrapped in ways that make it impossible to tell. After all, a wrapped keygen is a trojan, and it's so easy to do tons of things that no

          • by Anonymous Coward

            The problem is, a lot (if not most) keygens are wrapped in ways that make it impossible to tell. After all, a wrapped keygen is a trojan, and it's so easy to do tons of things that no anti-malware can detect them at all because it's so easy to do. All the trojan has to do is spawn a downloader process, then launch the real keygen, and you're none the wiser.

            There's nothing any anti-malware can do about it - there's no way to tell if it's a clean keygen or a wrapped one. Heck, many of them are also packed EXEs just like the keygens themselves.

            And yes, trojans are impossible to scan - your malware scanner might detect when the wrapped keygen actually downloads a known piece of malware, but that downloader will quietly run in the background until someone actually analyzes it.

            Sandboxie [sandboxie.com] is your friend. :)
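The post above describes the wrapper behaviour (spawn a downloader, then launch the real program) from the point of view of a file scanner, where the two are indeed hard to tell apart. What a host-based monitor can still see is the process tree. The following is an added example, not code from the thread or from any named product: a small heuristic run over constructed process-creation log lines (the log format, the `net=` flag and all process names are assumptions made up for the example) that flags a parent which spawns a network-active child and a second, non-network child within a few seconds of each other.

```python
"""Process-tree heuristic for the 'spawn a downloader, then launch the real
program' wrapper pattern.  Added example; not code from the original thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation log lines (not from the page): one line per new
# process, with net=1 when that process made an outbound network connection.
SAMPLE_LOG = """\
2014-01-07T14:00:00 pid=900 ppid=1 image=explorer.exe net=0
2014-01-07T14:00:01 pid=1201 ppid=900 image=wrapped_keygen.exe net=0
2014-01-07T14:00:02 pid=1202 ppid=1201 image=dl_helper.exe net=1
2014-01-07T14:00:03 pid=1203 ppid=1201 image=keygen.exe net=0
2014-01-07T14:01:00 pid=1204 ppid=900 image=browser.exe net=1
2014-01-07T14:05:00 pid=1205 ppid=900 image=notepad.exe net=0
"""

# Assumed log shape: "<iso-timestamp> pid=N ppid=N image=NAME net=0|1"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"image=(?P<image>\S+) net=(?P<net>[01])$"
)


def parse_events(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "pid": int(m["pid"]),
            "ppid": int(m["ppid"]),
            "image": m["image"],
            "net": m["net"] == "1",
        })
    return events


def find_wrapper_pattern(events, window_s=10):
    """Return (parent_image, network_child, handoff_child) triples.

    A hit is a parent that spawned one child with network activity and another
    child without it, both within window_s seconds of each other: the shape
    the post describes (downloader first, then the real program).
    """
    image_of = {e["pid"]: e["image"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for ppid, kids in children.items():
        net_kids = [k for k in kids if k["net"]]
        quiet_kids = [k for k in kids if not k["net"]]
        for n in net_kids:
            for q in quiet_kids:
                if abs((q["ts"] - n["ts"]).total_seconds()) <= window_s:
                    hits.append((image_of.get(ppid, f"pid {ppid}"),
                                 n["image"], q["image"]))
    return hits


if __name__ == "__main__":
    for parent, downloader, handoff in find_wrapper_pattern(parse_events(SAMPLE_LOG)):
        print(f"{parent}: spawned {downloader} (network) and {handoff} together")
```

On the constructed sample this reports only `wrapped_keygen.exe`; `explorer.exe` also has a network child (`browser.exe`) but its other children were launched minutes apart, so it stays below the window. The heuristic is deliberately simple: a user who double-clicks two shortcuts in quick succession will trip it, so a real rule would exclude shells and launchers from the parent set and weight the result against where the parent binary came from.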

  • You mean like when Microsoft Windows tells me that a zip file has "unspecified problems on the current page" or whatever it is?

    Because the ones I see now are pretty meaningless and come down to something bad can happen, click Yes to say it's your fault if it does.

    Oh, and browsers shouldn't be able to put up dialog boxes which look like native ones -- that would prevent some of the malware from getting onto people's machine in the first place.

    • by gstoddart (321705)

      My other personal favorite is some of the dumb warnings from IE -- you are about to use the internet, are you sure you really want to do that? followed by when you use the internet, people can see what you do, are you sure?.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Oh, and browsers shouldn't be able to put up dialog boxes which look like native ones

      Pretty hard to prevent when they can display arbitrary images. You'd have to do something they couldn't replicate, like personalizing it per user, or using a reserved part of the screen.

      • by ancientt (569920)
        Oh, I like that. Pick your own warning totem from this list or from this handy Yahoo/Google/AnythingButBing search.
      • Re:Hmmm ... (Score:4, Insightful)

        by lgw (121541) on Tuesday January 07, 2014 @05:07PM (#45891615) Journal

        Pretty hard to prevent when they can display arbitrary images. You'd have to do something they couldn't replicate, like personalizing it per user, or using a reserved part of the screen.

        Trivial: just put a very obvious and different border around any dialog raised by the browser, like thick red and black hashing or something equally unsubtle. It wouldn't solve every problem, but making it really obvious when it's a pop-up would help.

        Or, better, just remove the whole horrible idea of pop-ups from the world of browsers. It solves a problem that no longer exists in tabbed browsing. Restrict web pages from opening anything but a new tab, and nothing of value will be lost.

        • Pretty hard to prevent when they can display arbitrary images. You'd have to do something they couldn't replicate, like personalizing it per user, or using a reserved part of the screen.

          Trivial: just put a very obvious and different border around any dialog raised by the browser, like thick red and black hashing or something equally unsubtle. It wouldn't solve every problem, but making it really obvious when it's a pop-up would help.

          Your "trivial" solution won't help when the pop-up is a floating div on a web page instead of an actual window. You need to decorate the real OS windows in a way that an attacker cannot know ("personalizing it per user", in GP AC's words). This is similar to the "personal security image" used by some banking and credit card sites, where an attacker trying to make a fake login page has no way of knowing what picture is supposed to be next to the password entry box.

      • by satuon (1822492)

        You can't duplicate the cursor behavior, though - if the image is a link, it shows, the cursor turns to a hand.

    • Or like the apoplectic fit browsers go into every time you want to use a self signed cert! Yes, my router/ap/storage appliance is self signed. Shut up already!

      Or the "You didn't check all the boxes in your jar" java warning that pops up every time you open a Trendnet camera, AND CAN NOT BE OVERRIDDEN!

      No wonder people ignore them now.
      • by Anonymous Coward

        my router/ap/storage appliance is signed by the NSA

        FTFY. Or did you memorize the thumbprint of your cert and check it against the thumbprint the "apoplectic" browser alert to make sure you're talking to who you think you're talking to?

        • Re:Hmmm ... (Score:4, Interesting)

          by vux984 (928602) on Tuesday January 07, 2014 @03:09PM (#45890285)

          The NSA would use a major signing authority so as to avoid any warnings. And it would say it was signed by whoever they wanted it to say it was signed by because... NSA.

          You are actually better off using your own PKI all the way up and adding your own root certs etc to your browsers if you are concerned about the NSA.

          This isn't actually bad advice in general.

          • by ancientt (569920)

            How would this work exactly? I'm used to having my browser and OS start with trusted roots, but I can imagine taking them out and replacing them with my own, then having to add in cert by cert, individually and specifically trusting each one. It sounds like a real hassle, but one that would grow easier as time goes on. I use NoScript to do very much the same thing, but it's no defense against MITM. Is there some system where there is a web of trust being built to do the same thing? I would *really* like to

      • by vux984 (928602)

        Or like the apoplectic fit browsers go into every time you want to use a self signed cert! Yes, my router/ap/storage appliance is self signed. Shut up already!

        The browser warning is correct. You don't know the identity of the computer you are connecting to. Only that it was signed at some point, by somebody.

        Verify the cert, then add the signing chain to your browser. The warning goes away and you actually know you are talking to your device.

        • The browser warning is correct. You don't know the identity of the computer you are connecting to. Only that it was signed at some point, by somebody.

          You know something more. It was signed at some point, by somebody who is either you or pretending to be you. Well, not helpful.

        • The browser warning is correct. You don't know the identity of the computer you are connecting to. Only that it was signed at some point, by somebody.

          If I just took the access point out of the box, and I am connecting to it on a local network, I am fairly sure I know EXACTLY the identity of the computer I am connecting to. And as I am in the networking industry, and do this all the time in lots of locations, I see the warning a whole lot.

          • by drinkypoo (153816)

            If I just took the access point out of the box, and I am connecting to it on a local network, I am fairly sure I know EXACTLY the identity of the computer I am connecting to.

            The computer doesn't know you did that, and there's no good way for it to know that which wouldn't involve digital signatures...

            • If I just took the access point out of the box, and I am connecting to it on a local network, I am fairly sure I know EXACTLY the identity of the computer I am connecting to.

              The computer doesn't know you did that, and there's no good way for it to know that which wouldn't involve digital signatures...

              How about "Accept this cert forever, regardless of what IP it is on."
              Or, "Accept self signed certs on local subnets."
              Problem solved in two optional check boxes.

        • by sjames (1099)

          Whereas with an 'official' cert you can rest assured that someone somewhere (possibly using photoshop) convinced one of hundreds of companies you've never heard of to take their money and issue a cert.

      • Browsers only warn you about self-signed certs if you don't install your CA certificate on that browser, which is completely reasonable and they absolutely should be doing that, given you're asking them for a secure connection and they're not getting anything from the server indicating that there's a genuinely secure connection in progress.

      • by jd2112 (1535857)

        Or like the apoplectic fit browsers go into every time you want to use a self signed cert! Yes, my router/ap/storage appliance is self signed. Shut up already!

        Why do browsers show warnings when self-signed certs are encountered?
        A self-signed cert says 'I am yourbank.com because I say I am.'
        A certificate from a CA says 'I am yourbank.com and Verisign can vouch for me.'

        • Or like the apoplectic fit browsers go into every time you want to use a self signed cert! Yes, my router/ap/storage appliance is self signed. Shut up already!

          Why do browsers show warnings when self-signed certs are encountered?

          A self-signed cert says 'I am yourbank.com because I say I am.'

          A certificate from a CA says 'I am yourbank.com and Verisign can vouch for me.'

          Or perhaps 'the Hong Kong Post Office can vouch for me'.

        • A certificate from a CA says 'I am yourbank.com and Verisign can vouch for me.'

          It's more like "I am yourbank.com because I gave Verisign $500, behold my green lock icon!".
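The sub-thread above circles around three concrete checks for a self-signed device certificate: compare its thumbprint against one you recorded yourself, "accept this cert forever, regardless of what IP it is on", and "accept self signed certs on local subnets". The following is an added example, not code from the thread or from any browser: a small trust-on-first-use pin store in Python's standard library that records the SHA-256 fingerprint of a certificate the first time a host is seen and reports a mismatch when the certificate later changes. Hostnames, file paths and the certificate bytes used in the offline demo are constructed for the example; `fetch_peer_cert_der` shows how the DER bytes would be obtained from a live device.

```python
"""Trust-on-first-use (TOFU) pinning for self-signed device certificates.
Added example; not code from the original thread.  Pins are keyed by
hostname, so a device keeps its pin when its IP address changes.
"""
import hashlib
import ipaddress
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Remembers the first certificate seen per host and reports changes."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None  # None keeps pins in memory only
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'pinned' on first sight, 'ok' on a match, 'mismatch' on a change."""
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self.save()
            return "pinned"
        return "ok" if seen == pinned else "mismatch"


def on_local_subnet(ip: str) -> bool:
    """The second checkbox from the thread: is the peer on a private address range?"""
    return ipaddress.ip_address(ip).is_private


def fetch_peer_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    CA validation is switched off on purpose: a self-signed device cert has no
    chain to validate, and PinStore.check() is the check that replaces it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in certificate bytes so the demo runs offline; real DER
# certificates would come from fetch_peer_cert_der().
ROUTER_CERT_V1 = b"constructed-der-bytes-router-cert-1"
ROUTER_CERT_V2 = b"constructed-der-bytes-router-cert-2"


def demo():
    """Three connections to the same device: first sight, unchanged, then changed."""
    store = PinStore()
    return [
        store.check("router.lan", ROUTER_CERT_V1),
        store.check("router.lan", ROUTER_CERT_V1),
        store.check("router.lan", ROUTER_CERT_V2),
    ]


if __name__ == "__main__":
    print(demo())  # first sight is pinned, repeat is ok, new cert is a mismatch
    print(on_local_subnet("192.168.1.1"), on_local_subnet("8.8.8.8"))
```

The first-sight pin is only as good as the first connection, which is exactly the point made earlier in the thread about checking the thumbprint out of band when a device comes out of the box. The subnet checkbox is the weaker of the two, since anyone on the same LAN can present a self-signed certificate, so it suits a lab network better than a coffee-shop one.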

  • by kruach aum (1934852) on Tuesday January 07, 2014 @02:35PM (#45889821)

    If you click this link you will literally want to kill yourself like that time you thought you'd pulled your underwear all the way down but instead re-enacted the slicing frame scene from Cube but with poop

    If you click this link you will be tricked into being tricked into giving Russians money to make a non-existent problem not go away, like that time you bought a can opener because you chipped a tooth opening a beer bottle and then never used it

    If you click this link you will experience the mental equivalent of three elephant births through a human sized vagina worth of pain over the course of a week and a half

    • by gstoddart (321705)

      Of course, the problem with your warnings is they need a warning to precede them.

      Because, well, ick.

      • Warning: I heard you like warnings, so I put a warning on your warning so you can... uh... be warned of the warning.

      • by lgw (121541)

        Warning: reading the following warning will make you feel like that time when you didn't notice in time that something had crawled into your beer can and died.

  • by asmkm22 (1902712) on Tuesday January 07, 2014 @02:46PM (#45889999)

    This is just based on my experience, but it seems like users are very quick to develop habits based on repetition. UAC is a good example, in that it doesn't take more than a few days to get used to clicking OK on the box that pops up when then screen fades out a little. Changing what the message says won't change that behavior.

    • This is just based on my experience, but it seems like users are very quick to develop habits based on repetition. UAC is a good example, in that it doesn't take more than a few days to get used to clicking OK on the box that pops up when then screen fades out a little. Changing what the message says won't change that behavior.

      When the safety feature interrupts you more often than it protects you, it becomes an annoyance, not a safety feature. Like the apoplectic fit browsers go into every time you want to use a self signed cert! Yes, my router/ap/storage appliance is self signed. Or the "You didn't check all the boxes in your jar" java warning that pops up every time you open a Trendnet camera, and can not be permanently OKed.

      • by Anonymous Coward

        Yeah, other fields figured that out decades ago.
        Safe operating procedures and safety features that prevent the operator from doing their job *will* get ignored/removed/disabled.

    • by zakkudo (2638939)

      This is a very Windows-ish problem. I always read dialogs on Linux and Mac OS X. I tried doing that for a while on Windows, and found out that most of them are meaningless, overly vague, or just plain overly intrusive. I found myself ignoring them on Windows like everybody else does.

      Microsoft is the primary perpetrator of this problem. They are the reason that 90% of the casual computer users ignore any and all dialogs. It's aggravating as a web dev and you have to double-think yourself because of MS

      • by asmkm22 (1902712)

        It's not just Windows. I see it on Macs where it prompts the user to enter their credentials again to make sure (they of course blindly enter them without asking why). It's also really common on the web, from SSL warnings to overlay ads to ToS agreements to initial browser settings dialogue. People have been trained to click past whatever pops up.

        • by zakkudo (2638939)

          I haven't been on a mac since 10.4 I think. So, it might have changed. I always at least felt like I knew why the credential dialogs were popping up on a Mac when I was using it.

          In the end, after having not used much MS Windows since around the beginning of the XP era, when I came back, at first I read some of the dialogs, then I realized 90% of them weren't really readable to begin with. And then I realized they hide dirty installs in those dialogs that they trained you to ignore...

          Meh. Anyway, those a

    • I think the only effective preventative measures are the automated ones. Unfortunately, so many of these work relatively poorly, blocking intended software updates or changes. Ultimately though, I think improvement of the automatic process blockers/killers is the best place to put effort -- not redesigning warning dialogs for people to click through or "approve/deny".

      Most users, in my experience, don't even know what's safe to approve or deny when they're prompted. With so much software doing automatic upda

  • by barakn (641218) on Tuesday January 07, 2014 @02:54PM (#45890111)

    "concrete, specific warnings" and "not technical"

    • Re: (Score:3, Funny)

      by Tablizer (95088)

      "concrete, specific warnings" and "not technical"

      "Don't click the purple button shaped like the bow-tie Justin Bieber wore on 'Dancing with Stars' last week".

      See, it can be done.

    • I've gone through pieces of my software and made sure that each error message is clear and understandable, and explains exactly what the user needs to do to fix the problem.

      It's not easy, requires a lot of debugging, and I estimate that it will at least double the time of development of moderately complicated projects (if all you have is a webpage like facebook, you can say, "please reload the page" or "try again in ten minutes" and hopefully that will fix things).

      The time is doubled, and you don't nor
  • So why are we giving malware programmers suggestions?
  • The only malware alerts I get from web sites popping up an advert claiming "my mac is running slow" offering me to download: malware.
    Ofc. I ignore those warnings ...

  • like, say, banning for life websites serving up crapware... in the case of malware ads, banning the ad sites. and submitting the site info automatically to Spamhaus and the like. there are so many "oh, gee, we blocked content from Internet Explorer" boxes every day that it's meaningless. the content is NOT from IE, it's from slopbucket.adserver.ru or wherever.

  • I'm not usually one to take exception to published research, but I am skeptical of this. The real problem here is that most people view computers as little black boxes that use a lot of elves and magic to keep them working. Malware, viruses, whatever, are as understandable to most people as ergot was to the Puritans in Salem, 1692. Substituting one sort of warning for another is not going to make a significant difference "in the wild," because people's frame of reference doesn't put them in the right min
    • by jader3rd (2222716)

      The real problem here is that most people view computers as little black boxes that use a lot of elves and magic to keep them working.

      There's the problem. We need to inform people that computers are little black boxes that use smoke to keep them working. How do I know? Because every time I've seen the smoke escape from the computer, it stopped working.

      • The real problem here is that most people view computers as little black boxes that use a lot of elves and magic to keep them working.

        There's the problem. We need to inform people that computers are little black boxes that use smoke to keep them working. How do I know? Because every time I've seen the smoke escape from the computer, it stopped working.

        The empirical evidence is, indeed, compelling. My results correspond to your own.

  • Generic malware that mimics alerts to fool computer users into clicking to download an exploit might be largely ineffective and often ignored. Researchers, however, have proposed a change to the status quo, believing instead that malware should be re-architected to include the same concrete, specific warnings that will be used in the future to maintain the status quo.

    The more things change, the more they remain the same...

  • You should totally click on this link. Your mom thought it was cool.

  • The problem is that we shouldn't need the warnings at all.

    Say your kid finds a web site that offers an awesome free game, and so he downloads it. Why shouldn't your computer be able to run that game (or virus) in such a way that it isn't able to take over your entire computer? The idea that programs should be able to do anything on a computer that the user running them is authorized to do is completely outdated.

    When users want to access arbitrary files and make massive changes to their filesystem, they us

    • Because it's a lot harder than you think it is.

      Part of what you apparently want is sandboxing, which is a great idea in theory but tends to fail in practice. Java applets are sandboxed, for example, and everybody's telling me not to trust them at all. Turns out it's really hard to make a secure sandbox that allows useful actions. Moreover, there's increased pressure to allow general-purpose applications to run in the browser.

      It really isn't easy to separate actions into "would be approved by the use

  • EZ-Warning.exe has encountered a problem and needs to
    close. We are sorry for the inconvenience.

    If you weren't in the middle of something, this wouldn't have made you
    angry about our buggy code.

    Please yell at Microsoft and IT about this problem they can't fix.

    We have created an error report that won't matter if you send to us. PRISM will treat
    this report as key information on how to better exploit and profile you.

    To see what data the NSA deems innocuous, click here.
    No, over there on the buttons not these wo
