July 22, 2005
In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can't be trusted. And then there are all those dancing bunnies to contend with:
What's the dancing bunnies problem?
It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".
The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.
There are lots of techniques for mitigating the dancing bunny problem. There's strict privilege separation - users don't have access to any locations that can harm them. You can prevent users from downloading programs. You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies). You can force the user to input a password when they want to access resources. You can block programs at the firewall. You can turn off scripting. You can do lots and lots of things.
However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever is necessary to bypass your carefully constructed barriers in order to see the bunny.
Here's hoping Longhorn (aka Windows Vista) is the first Microsoft OS to default users to non-administrator accounts. Because users can't help themselves; they just have to poke the bunny.
I think the real solution, if there is one, is high-speed virtualization. The user will always play in a sandbox that looks and performs exactly like their current installation, but is in fact a Virtual PC style image. If something bad happens, you just ball it up and throw it away.
Posted by Jeff Atwood
Poke the Bunny is pretty good, though. That's all I'm saying.
This is the liberal approach in which the government protects citizens from themselves. How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?
I think sometimes as application designers we take protecting users from themselves too far. Like you point out, in the end it can't be done anyway. Far better to design simple clean applications that discourage bunny poking BY ACCIDENT, but if the user decides they want to poke the bunny well so be it.
How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?
Well, the problem is that *everyone* gets bitten. Once a machine is hijacked, it becomes a zombie that is under total control of the hacker. It is then used to send out spam, perform distributed denial of service attacks, and other nefarious things.
So it's really about protecting the public good.
The same argument applies to motorcycle helmet laws. If some jackass decides he wants to ride without a helmet, that's fine until he has an accident, becomes severely brain damaged, and racks up a multi-million dollar insurance bill that the rest of us then have to foot through increased healthcare insurance premiums.
Like you point out in the end it can't be done anyway
I think it can be done if everything is virtualized all the time. The upcoming hardware hooks for faster virtualization (Pacifica, and Vanderpool) make this at least feasible.
Well, I'm delighted to say that when I went to poke the bunny Mozilla told me I was missing a plugin and _I didn't install the plugin_ just to be able to poke the bunny. Har-har. Nonetheless, a true fact.
problem in that case is the way insurance works, not the way motorcycles work
Actually it's a problem in the way people work, because they optimize for themselves, eg, the Tragedy of the Commons. I don't like insurance either but it is compatible with realistic modes of observed human behavior.
There will still be a way for people to harm themselves
I disagree. Can you harm yourself in a Virtual PC image? If you get in trouble you just shut it down and undo the last set of changes. Or, instantly spin up a new one from any "restore point" in the last few months or years. Poof. Problem solved. Apps / viruses cannot escape from Virtual PC!
Education is always good of course, but to argue that we can ONLY fix this through education and shouldn't bother with the technical hurdles is a little irresponsible.
Jeff, I have to disagree.
(I disagree about motorcycle helmets, too. If someone wants to kill themselves, they should do it. The problem in that case is the way insurance works, not the way motorcycles work. But I digress.)
Virtualizing hardware isn't going to protect you from dancing bunnies. There will still be a way for people to harm themselves.
(Same point about managed code protecting you from memory leaks. Sure, you don't have to remember to delete objects, but you do have to remember to NULL pointers, so what's the difference? And it is just as hard to track down a bogus reference count as it is to track down a leaked object. But I digress again.)
I really think education is the best you can do, not some global mechanism of "protecting the public good".
Virtualisation brings one BIG problem - if the user indeed does something stupid, you still have to distinguish between what's right and wrong, because all user data and documents are still the product of a program running in the VM, and you can't trash them.
"Can you harm yourself in a Virtual PC image?" You can - very easily, just see a dancing bunny, create some important content, and then try undoing dancing bunny... See?
because all user data, documents
create some important content
Most users aren't creating any content or documents. And for the few that are, their content/document is often lightweight enough for them to use server-based solutions (eg, Writely, Tadalist, Hotmail, del.icio.us etc).
For the tiny, tiny minority that are creating a lot of heavyweight content using heavy client tools, they need to pull that content through the VM, maybe in a shared folder.
I tried to see the Dancing Bunny. I even clicked to install the plug-in. But god-damn it, I'm running as a non-Administrator and couldn't do it! Time to runas... Administrator and try again!
"Of course the problem then is that people aren't going to start up a new virtual machine just to see the dancing bunny"
No problem, just automate: Isolate all external communication (disk drives, e-mails, web pages) into its own "Quarantine" VPC automatically. Only shift Word Documents etc *into* that VPC, never out.
That way, if you click the bunny, you'll only lose important data that's been Quarantined. Every 'x' days, you could move the Quarantined data to a third VPC, so if you bunnied, you could retrieve anything 'x' days old. 'x' is defined by the time it would take for a virus to have been detected elsewhere.
Of course, a user could be persuaded to move all their documents into the Quarantine area, but that's time consuming. And easily overcome by storing a backup copy of the data when you move it into Quarantine.
The conservative method is to pray to god to smite the virus then tax the operator who downloaded the virus, the operator who attempts to run it, and the owner of the computer for allowing operators to be stupid.
Nothing is foolproof; fools are too ingenious.
You overestimate the insulating power of the virtual machine. It only insulates if you start up a separate VM for each task. But that keeps apps from being able to benefit from other apps (ever import a spreadsheet into a text document or paste values from a document into an email message?). Part of the value of the OS is that it preserves state and grows with you. Remembering to automatically check all the boxes I want (proper defaults) is called "streamlining" (not "reckless"). People just do not want the burden of running every task in isolation. Hence, the VM is not a practical Silver Bullet for daily use. Effective, yes. But too much for every application.
I think you mean the 'dancing pigs problem'. You're not the first to get it wrong, but 'dancing pigs' was the original name for the problem, not dancing bunnies, not even if dancing bunnies are more successful at propagating. ;)
Ah sayed, put the bunny...back...in the box
Cameron Poe (Nicolas Cage) from Con Air
What if the dancing bunnies find out they're in a sandbox and won't play together because of it? In the end viewers will still find out ways of getting them out of the box in order to see them dancing.
There was one, and the concept worked quite well. I have no idea how well it worked in production.
google bought them though, and I don't know what happened to the technology.
Why would you want to restrict users from anything, unless it's yours and you don't want people to see it or something?
Warn them that bunnies are not good for them. If they ignore you, they'll suffer the consequences.
Just don't treat them like children.
want to see dancing bunny
create important content
undo dancing bunny
Not a problem, if the dancing bunny wasn't in the same virtual machine as the important content. Of course the problem then is that people aren't going to start up a new virtual machine just to see the dancing bunny (because it's just so much extra hassle when I can just do it right here).
Dancing pig? Pass.
Dancing bunnies? ....must...click
Maybe we cannot make the Odds zero. But, we can shrink them substantially. On Average, 114 security layers between an honest user and a Dancing Bunny should reduce the odds of success to only 1 person on the entire Internet.
As a simple model let's take the odds that an honest person would commit a trivial, unaccountable crime at about 17% (see Freakonomics for the odds of white-collar honesty with bagels). Take R as .17.
Then, take N as the number of security barriers a user must circumvent in order to get the Dancing Bunny. Now for a tiny bit of the binomial theorem ("with many cheerful facts about the square of the hypotenuse").
1 = 1**N = ((1-R) + R)**N
Let K be the times the user successfully reaches the Dancing Bunny.
Then, the odds of a Dancing Bunny Install, DBI, are as follows.
DBI = N! / (K! * (N-K)!) * (1-R)**(N-K) * R**K
Lets assume that even one download of the Dancing Bunny is toxic. K needs to be zero as a goal.
For K=0; DBI = (1-R)**N
Then, N is the number of security barriers that need to be in place to make the odds of Successfully Downloading the Dancing Bunny less than 1 person on the entire Internet. Assume the Internet has 1.7 Billion users that are all honest but otherwise tempted to download the Dancing Bunny.
1 / 1,700,000,000 = (1 - .17)**N
N is approximately, 114, security measures between the honest but tempted user and that Dancing Bunny Install.
To be honest, that is a lot of security steps. But, I think it illustrates that the Dancing Bunny Install problem is impossible. Or in classic Matrix Lines, “while assiduously avoided, it is not without a measure of control.” – the Architect.
A Slightly more realistic level of Dancing Bunny Security Controls:
The model may be imperfect, but it does illustrate the level of thought that needs to be put into the Security Measures that one does put in place.
Half the companies in the USA have 19 or fewer people in them.
If one Dancing Bunny Install per year is the toxic line of concern, then we need less than 1 in 19 installs of the Dancing Bunny to be successful.
1/19 >= (1-R)**N
N >= 15.8 Security Measures.
In the case of Wrong headed or Even Felony levels of ability and determination to do harm by installing the Dancing Bunny, things get a bit tougher.
Plausible estimate of the Mistake Rates of a Trained Professional, M=0.33%.
Plausible estimate of the Felony Rate per year in the USA, F=0.01%
The good news is that these odds are low enough that we have to take into account the possibility that a Professional Blunder or a Felony just may not take place in any single year.
Odds of No Blunder for a 19 Person team, (1-.0033)**19 = 93.9%
Odds of No Felony for a 19 Person team, (1-.0001)**19 = 99.8%
But, In the case of a Blunder or Felony, the security measures to prevent the Install of the Dancing Bunny need to be rather serious.
1/19 >= (1-.0033)**N, N>=890.8 Security Measures needed to prevent the Dancing Bunny Install.
1/19 >= (1-.0001)**N, N>=29442.9 Security Measures needed to prevent the Dancing Bunny Install.
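The barrier-counting model in the comment above, carried through in code so its numbers can be checked. This is an added example and is not part of the commenter's post or of the original article; it keeps the commenter's symbols (R, N, K, DBI) and inherits the model's assumption that every barrier is an independent Bernoulli trial with the same bypass probability R. Whether (1-R)**N, the chance of resisting at all N barriers, is the right quantity to call the "odds of an install" is the commenter's modelling choice, not something the code settles. The function names and the team-size helper are the example's own.

```python
import math

# Added example: the independent-barrier model from the comment, with its symbols.
#   R = probability an honest-but-tempted user bypasses one barrier
#   N = number of barriers between the user and the Dancing Bunny
#   K = number of barriers bypassed
# Assumption carried over from the model: barriers are independent and identical.


def dbi(n: int, k: int, r: float) -> float:
    """Binomial term N!/(K!(N-K)!) * (1-R)**(N-K) * R**K.

    Probability that exactly k of n independent barriers are bypassed.
    """
    if not 0 <= k <= n:
        raise ValueError("k must lie in [0, n]")
    return math.comb(n, k) * r**k * (1 - r) ** (n - k)


def p_no_install(n: int, r: float) -> float:
    """The K=0 special case used by the comment: (1-R)**N."""
    return dbi(n, 0, r)


def barriers_needed(r: float, target: float) -> float:
    """Real-valued N with (1-r)**N == target, i.e. N = ln(target) / ln(1-r).

    Any N at or above this value drives (1-r)**N below target.
    """
    if not 0 < r < 1 or not 0 < target < 1:
        raise ValueError("r and target must lie in (0, 1)")
    return math.log(target) / math.log(1 - r)


def barriers_needed_int(r: float, target: float) -> int:
    """Smallest whole number of barriers meeting the target."""
    return math.ceil(barriers_needed(r, target))


def p_no_event_in_team(rate: float, team_size: int) -> float:
    """Probability that nobody on a team of team_size has the event in a year,
    assuming each member independently has it with probability `rate`
    (the comment's blunder and felony figures)."""
    if not 0 <= rate <= 1 or team_size < 0:
        raise ValueError("rate must lie in [0, 1] and team_size must be >= 0")
    return (1 - rate) ** team_size


if __name__ == "__main__":
    # Scenarios quoted in the comment, reproduced rather than asserted here.
    internet_users = 1_700_000_000
    print("honest user, < 1 install on the Internet:",
          round(barriers_needed(0.17, 1 / internet_users), 1))
    print("honest user, < 1 install per 19-person company:",
          round(barriers_needed(0.17, 1 / 19), 1))
    print("trained professional blunder rate 0.33%:",
          round(barriers_needed(0.0033, 1 / 19), 1))
    print("felony rate 0.01%:",
          round(barriers_needed(0.0001, 1 / 19), 1))
    print("19-person team, no blunder in a year:",
          round(p_no_event_in_team(0.0033, 19), 3))
    print("19-person team, no felony in a year:",
          round(p_no_event_in_team(0.0001, 19), 3))
```

The binomial terms for a fixed N sum to 1, which is the identity the comment starts from (1 = ((1-R) + R)**N); summing `dbi(n, k, r)` over k is a quick check that the implementation is consistent with it. The real lesson a practitioner should take from the arithmetic is the sensitivity to R: moving the per-barrier bypass rate from 17% down to 0.33% multiplies the barrier count by roughly 56, because ln(1-R) is nearly linear in R for small R.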
I was fascinated by the pseudo-conservative fantasy that every individual should be totally free to do what he or she chooses to as long as the individual is willing to suffer the potential consequences. Today's 'conservatism' is more reasonably termed 'Right Libertarianism' (yes, there are also several flavors of 'Left Libertarianism' as well). The Right Libertarianism takes essentially Ayn Rand's Objectivist view that each individual should be free to strategize her behavior solely to increase her own perceived best interests - which Rand assures us are measured in units with a dollar sign (the only 'value' or morality she advocates). Conservatives ignore (or fail to understand) that, unless you live alone in the deep woods or on an otherwise deserted island, almost everything you do has consequences not only for yourself, but for others, sometimes the entire community or society, as well. You can't pretend that selfish individualism is the only virtue and that a sense of community is a vice.
If I were to assume any of my job applicants thought like Ole Eichhorn and Alice, I would be a bloody fool to hire them in any position where their work computer is linked into the corporate intranet. If I found any of my employees who believed in that philosophy, I'd have to decide either to move them to a job that does not require interconnectivity or I'd have to replace them faster than a ZagNut bar lasts in the hand of a fat boy.
It is extremely rare to find any computer that, if infected with a sufficiently clever virus, won't continue to spread the infection, either by emailing everybody in the personal or corporate address books copies of the dancing bunny email, or simply infecting common servers which would, in turn, pass it along.
Remember that EVERYBODY will encounter a multitude of variations of the dancing bunny link (some fiendishly clever and virtually irresistible) and that even top-tier programmers, let alone the non-technical user community, are going to be snagged at least some of the time.
The object of security and regulations is not to protect an individual from her own stupidity, carelessness, or lack of perfect knowledge and an ability to invariably make perfectly rational decisions (the latter two being a core tenet of Right Libertarianism, unregulated laissez-faire free markets, and Randian Objectivism), but to protect the rest of the community from having to suffer the consequences of harmful individual actions. In other words, I could care less if a mine owner ignores or violates safety regulations as long as the owner is working the mine alone. But, the minute he hires employees and sends them unknowingly into his unsafe mine, it is no longer a question of the individual's right to be free of regulations.
If anybody cares to look up the PCL-R 20-question test to diagnose psychopaths (Professor Robert Hare developed this test and it is the gold standard around the world - and is the test used by everybody from psychiatrists to FBI profilers) and compared it question by question with Ayn Rand's philosophy or the Cato Institute's multitudinous position papers, you would come to the inescapable conclusion that the radical individualism that is currently worshiped by today's conservatives is a social and political system that basically elevates psychopathy as the only value set that is politically and ideologically accepted, and requires that the "ultimate free person" is a psychopath (or at least is willing to emulate psychopaths in his behavior).
As a programmer with 35 years of experience (the last 26 as a consultant to Fortune 50 companies architecting, designing and coding mission critical enterprise applications), I feel that we should be considering any and every way to block the potential harm of dancing bunny attacks and all other current exploits, and intently working on finding newer defenses as the black hats continue to find newer exploits.