Coding Horror
programming and human factors
by Jeff Atwood

Aug 17, 2008

The Perils of FUI: Fake User Interface

As a software developer, tell me if you've ever done this:

  1. Taken a screenshot of something on the desktop
  2. Opened it in a graphics program
  3. Gone off to work on something else
  4. Upon returning to your computer, attempted to click on the screenshot as if it was an actual program.

And let's not forget the common goating technique where you take a screenshot of someone's desktop, make it the desktop background, then proceed to hide every UI element on the screen. The anguished cries as users desperately double-triple-quadruple click on pixels that look exactly like real user interfaces can typically be heard for miles.

I bring this up to generate some sympathy. I get fooled by my own FUI -- Fake User Interface -- at least once a month. If it can happen to us, it can happen to anyone. Which means FUI can be quite dangerous in the wrong hands. Consider Ryan Meray's story:

Okay, so here's an interesting one. My girlfriend is researching stuff on lilies, so she's trying to find the website for the Michigan Regional Lily Society.

The website address is http://www.mrls.org/

Feel free to browse there directly, there's nothing wrong with it. But if you don't remember the URL, your first response is to Google it. We google and get this:

http://www.google.com/search?q=Michigan+Regional+Lily+Society

Now, if you're in Firefox, everything is fine. You click that first result, and you get to their website, and you learn about lilies.

However, if you are using IE, be aware, you are about to have a Spyware/Virus alert.

Obviously, the poor Michigan Regional Lily Society has fallen prey to website hackers. (Note that it may have been fixed by the time I'm writing this -- but I duplicated everything I'm about to show you.)

The first clever point is that the website appears fine if you navigate there directly. The malicious JavaScript inserted into the page checks the referrer (document.referrer in page script, which mirrors the HTTP Referer header) and only misbehaves when you arrive via a web search engine. This means the people who own the website, who never arrive there through Google, would be scratching their heads, wondering what all the fuss is about. So the hack survives longer.
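As an added illustration (this is not code from Ryan's writeup or from the compromised site), here is the kind of check a site owner can run to catch referrer-gated behaviour like this: request the same page with no Referer, then with a search-engine Referer, and compare what comes back. Because a gate written in page script leaves the served HTML identical for everyone, the check also flags a page whose script reads document.referrer at all. The fetchPage interface, the two server stand-ins and the scanner.example redirect target are constructed for the example so that it runs offline.

```javascript
// Added example (not from the post or the compromised site): probe a URL for
// referrer-gated behaviour of the kind Ryan found on mrls.org.
//
// fetchPage(url, referer) is an injected transport that must return
// { status, location, body }; constructed stand-ins are provided below so the
// example runs offline. The scanner.example redirect target is made up.

// Hostname test for "did this visitor come from a search engine?". The same
// sort of test, in the attacker's script, decides who gets redirected.
function isSearchEngineReferrer(referrer) {
  if (!referrer) return false;
  let host;
  try {
    host = new URL(referrer).hostname;
  } catch (e) {
    return false; // not a URL at all
  }
  return /(^|\.)(google|yahoo|bing|msn|live|ask|aol)\.[a-z.]+$/i.test(host);
}

// A gate implemented in page script (document.referrer) serves identical HTML
// to every visitor, so a header-only comparison misses it. Flag the page if
// its script even looks at the referrer.
function scriptInspectsReferrer(body) {
  return /document\.referrer|HTTP_REFERER/i.test(body);
}

const PROBE_REFERERS = [
  'http://www.google.com/search?q=Michigan+Regional+Lily+Society',
  'http://search.yahoo.com/search?p=michigan+regional+lily+society',
];

// Fetch the page with no Referer, then with search-engine Referers, and
// report any divergence in status, redirect target or body.
function checkReferrerCloaking(fetchPage, url) {
  const baseline = fetchPage(url, '');
  const findings = [];
  for (const referer of PROBE_REFERERS) {
    const r = fetchPage(url, referer);
    if (r.status !== baseline.status || r.location !== baseline.location) {
      findings.push({ referer, reason: `response differs: ${r.status} -> ${r.location || '(no redirect)'}` });
    } else if (r.body !== baseline.body) {
      findings.push({ referer, reason: 'body differs' });
    }
  }
  if (scriptInspectsReferrer(baseline.body)) {
    findings.push({ referer: null, reason: 'page script reads document.referrer' });
  }
  return { cloaked: findings.length > 0, findings };
}

// Constructed stand-in for a compromised server: search-engine arrivals are
// bounced to the scareware page, everyone else gets the real site.
function constructedServer(url, referer) {
  if (isSearchEngineReferrer(referer)) {
    return { status: 302, location: 'http://scanner.example/?aff=1050', body: '' };
  }
  return { status: 200, location: undefined, body: '<html><body>Michigan Regional Lily Society</body></html>' };
}

// Constructed stand-in for a server whose injected gate runs client-side:
// every visitor gets the same HTML, and the script decides at runtime.
function constructedClientSideGate(url, referer) {
  return {
    status: 200,
    location: undefined,
    body: '<script>if(/google|yahoo/.test(document.referrer)){location.href="http://scanner.example/"}</script>',
  };
}

console.log(checkReferrerCloaking(constructedServer, 'http://www.mrls.org/'));
console.log(checkReferrerCloaking(constructedClientSideGate, 'http://www.mrls.org/'));
```

Against a live site the header half of this is curl -sI -e 'http://www.google.com/search?q=Michigan+Regional+Lily+Society' http://www.mrls.org/ compared with the same command without -e; a redirect or a different content length on the referred request is the tell. For the client-side case curl shows identical bodies, which is exactly why the page script is searched for document.referrer, and a real verdict needs the page loaded in a browser with that Referer set.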

But if you do arrive at the MRLS site through a search engine, like a huge percentage of the world does, you're redirected to:

http://scanner.antivir64.com/?aff=1050

The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:

[Screenshot: mls-hack-1.png]

I'm intentionally juxtaposing the browser and the dialog here, but the browser is way off in the very lower right corner of the display and that dialog is smack dab in the middle of the screen. The alert is a real browser dialog, but with its window shoved into the corner nothing on screen ties it to the page that raised it. It's a primitive technique, but it is surprisingly effective.

I didn't have the guts to click OK on that dialog; I clicked the close button. (It makes no difference: a JavaScript alert has no cancel path, so dismissing it either way just returns control to the page's script.) The browser then expanded to show this convincing "real time virus scan".

[Screenshot: mls-hack-2]

The static screenshot does not do it justice; the scrollbar moves, the list of files flies by as they are "scanned", and the web page rather successfully simulates an ersatz UI somewhere between Windows XP and Windows Vista. Of course, we know this Fake User Interface is completely invalid, because it is a web page rendered inside the browser's content area, not a program running on our PC; it cannot read the files it claims to be scanning. You and I may understand that distinction, but what about your parents? Your wife? Your children? Your less technically savvy friends? Will they understand this scary, authentic looking virus warning coming from an "encrypted secure site" is all a lie?

Honestly, whose PC doesn't "run slower than normal"? Maybe I would want to know if my computer is infected with Viruses, Adware or Spyware. It's all part of the culture of fear that security software companies -- and let's be honest, Windows security software companies -- cultivate so they can rake in millions of dollars per year hawking their software. The difference here, of course, is that it's increasingly difficult to tell the good guys from the bad guys. That's the downside of fear as a selling point: it cuts equally well in both directions.

Woe betide the poor user who is convinced through the trickery of FUI to install this "antivirus" software. The page does its darndest to convince you to run its payload executable. Any click anywhere on the page is interpreted as a download request, so there is no safe place to click.

[Screenshot: mls-hack-3]

The page also attempts a drive-by download (an unsolicited download prompt, not a silent exploit), though browsers have auto-blocked those for years now.

[Screenshot: mls-hack-4]
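A defender's counterpart to the tricks above, added here as an example rather than anything from the post or from the page Ryan hit: a static triage heuristic that scores a page's HTML and script for the combination of behaviours just described (window pushed aside, modal alert, timed "scan" animation, infection claim, any-click download, executable payload, forced download). The two sample pages are constructed for the example; the indicator weights and the verdict thresholds are arbitrary starting points, not a calibrated detector.

```javascript
// Added example: static triage of a fetched page for scareware indicators.
// The indicators mirror the behaviours Jeff describes on the redirect target;
// weights and thresholds are arbitrary starting points, not calibrated values.

const INDICATORS = [
  // Moving, resizing or blurring the window so the alert floats free of it
  { name: 'window manipulation', weight: 2,
    re: /\bwindow\.(blur|moveTo|moveBy|resizeTo|resizeBy)\s*\(/ },
  // A modal alert() is the "spurious javascript alert" in the post
  { name: 'modal alert', weight: 1, re: /\balert\s*\(/ },
  // A timer driving the animated "real time virus scan"
  { name: 'timed animation', weight: 1, re: /\bset(Interval|Timeout)\s*\(/ },
  // The scare copy itself
  { name: 'infection claim', weight: 1,
    re: /\b(your (computer|pc) (is|may be) infected|spyware (detected|found)|run(s|ning)? slower than normal)/i },
  // A document-wide click handler: any click becomes a download request
  { name: 'any-click download', weight: 3,
    re: /document\.(body\.)?onclick\s*=|<body[^>]*\bonclick\s*=/i },
  // An executable is offered at all
  { name: 'executable payload', weight: 2, re: /\.exe\b/i },
  // Navigation to the executable without a click (meta refresh / hidden frame)
  { name: 'forced download', weight: 3,
    re: /<(meta[^>]*http-equiv=["']?refresh|iframe[^>]*src=)[^>]*\.exe/i },
];

// Return the indicators that fire, their summed weight and a coarse verdict.
function scoreScarewarePage(html) {
  const hits = INDICATORS.filter((ind) => ind.re.test(html));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  let verdict = 'clean';
  if (score >= 6) verdict = 'likely scareware';
  else if (score >= 3) verdict = 'suspicious';
  return { score, matched: hits.map((ind) => ind.name), verdict };
}

// Constructed sample modelled on the behaviour described above (not the real page).
const CONSTRUCTED_SCAREWARE = `
<html><body onclick="location.href='SystemScan.exe'">
<script>
  window.blur(); window.moveTo(2000, 2000);
  alert('Your computer may be infected! Spyware detected.');
  var files = ['C:/Windows/system32/kernel32.dll', 'C:/Windows/explorer.exe'];
  var i = 0;
  setInterval(function () { document.getElementById('f').innerHTML = files[i++ % files.length]; }, 50);
</script>
<div id="f"></div>
<iframe src="download.php?f=scanner.exe" width="0" height="0"></iframe>
</body></html>`;

// Constructed benign sample: a timer and a confirm(), nothing else.
const CONSTRUCTED_BENIGN = `
<html><body>
<h1>Michigan Regional Lily Society</h1>
<script>
  setTimeout(function () { document.title = 'Lilies'; }, 1000);
  function leave() { return confirm('Leave this page?'); }
</script>
</body></html>`;

console.log(scoreScarewarePage(CONSTRUCTED_SCAREWARE));
console.log(scoreScarewarePage(CONSTRUCTED_BENIGN));
```

Run over a saved page this gives a score plus the list of what fired, which is what you want when triaging a batch of suspect landing pages: a single indicator (a timer, a .exe link on a download site) is normal, the combination is not. It is a text heuristic, so it sees nothing that is assembled at runtime from obfuscated strings, and the blacklists Jeff mentions still have to catch what it misses.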

It's tempting to put this down as yet another iteration of phishing, the forever hack. To be fair, this is exactly the sort of thing web browser phishing filters were designed to prevent. This site was already in the Firefox 3 phishing filter -- but it was not caught by the Internet Explorer 7 phishing filter, so I reported it.

[Screenshot: mls-hack-5]

I am all for phishing filters as another important line of defense, but like all distributed blacklists, they're only so effective.

What I'm more concerned about here is how well the user interface was spoofed. The browser FUI was convincing enough to even make me -- possibly the world's most jaded and cynical Windows user -- do a bit of a double-take. How do you protect naive users from cleverly designed FUI exploits like this one? Can you imagine your mother doing a web search on flowers -- flowers, for God's sake -- clicking on the search results to a totally legitimate website, and correctly navigating the resulting maze of fake UI, spurious javascript alerts, and download dialogs?

I know I can't. As much as I admire distributed phishing blacklist efforts, there's no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?

As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan". Or maybe they just wanted to see the dancing bunnies.

And then, like Ryan, you're likely to end up with the same infected computer, and the same distraught spouse. All this for the love of a few lilies.

Short of user education, which is a neverending, continuous uphill battle -- how would you combat a perfectly spoofed FUI presented to a naive user?

Posted by Jeff Atwood
Comments

Atwood, of course there is a good solution, but it's not obvious, and from seeing so many misguided suggestions in your comments, it's no wonder that we are where we are.

Ian on August 18, 2008 2:46 AM

Very helpful of you to point out the problem, but what about offering solutions, Ian?

What I ended up doing on my sister's PC was changing all the browser shortcuts so that they would start in limited user mode. Seems to work, but I get the feeling she is just more careful after I whinged the whole time I was making her PC run properly again.

Reader101 on August 18, 2008 3:14 AM

I am going to talk to my local FUI expert. He is working from home and does not seem to mind it.

BugFree on August 18, 2008 3:55 AM

My Wife ran into this exact same scam last week on some other web site. Luckily this was on my Mac Book Pro laptop, so all I had to do was delete 15 or so exe files from the download folder.

Edward J. Stembler on August 18, 2008 4:03 AM

Re: Antivirus programs:
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.VirusYearlyStats

This is a table with the percentage of malware infections detected during the last 12 months by various AV programs on day zero, before anyone had distributed copies of those particular samples. Even the best program missed one malware program in twenty, and some well known and well respected programs did miserably. (I don't know about anyone else, but I've seen a lot more than twenty emails with links to malware in my inbox lately, almost every one of them on an innocent site that has been hacked.) If you check the short term stats elsewhere on the site, you will also see that individual AV programs move up and down the list as variants of malware come out that they are not good at detecting -- no one program is consistently the best.

I regularly download samples of the malware I find through links in spam and submit them to www.virustotal.com, virusscan.jotti.org and until recently, Castlecops.com's Unknown Files forum. The results are quite discouraging. A sample is considered pretty well detected if no more than 50% of programs miss it.

In short, I would never assume a download is safe based solely on a lack of complaint from my fully-updated, high quality AV program. You have to look at the provenance of the download. Before I download something that appears to be legitimate, I want to know who wrote the software, who else recommends it, and whether anyone is posting on forums asking how to remove it. You really can get some very high quality free programs on the internet, so the fact that it is free isn't necessarily a red flag. But people don't know they should research a program before downloading, and they don't know which sites' recommendations are reliable if they do. If you google the name of a scam antispyware program, your top hits will include a lot of scam product review websites recommending it.

Similarly, if I come across a download via suspicious means, I don't need anyone to tell me it's probably malware. For instance, I don't subscribe to CNN updates, so any links in an email that claims to come from CNN are certain to be malware -- if my AV program doesn't think so, I submit the sample to them to add to their definitions.

Of course, with so many otherwise harmless sites being hacked, and now with cache poisoning, even following a bookmark to a site a user knows and trusts is not 100% safe. I use NoScript to block javascript with all but the most trusted sites. Whether I know what I'm doing is beside the point; I don't get to see the source code before the site loads in my browser.

As far as non-administrative accounts for users: It's a great idea. We do it for our employees' computers, since our business requires us to interact with companies that insist we use Internet Explorer. Unfortunately, it also seems to prevent Windows Updates from installing in XP unless an administrator logs into each computer every week (and then sits there during the download while logged in with our own passwords). It may be blocking some AV program updates as well. It's insane.

AlphaCentauri on August 18, 2008 4:23 AM

In Firefox, go to Tools > Options > Content tab, then click Advanced to bring up the advanced JavaScript options configuration menu. Uncheck everything in that dialog; this will disallow scripts from being able to move, resize, raise/lower, etc. existing windows.

In my experience, these features are never worthwhile; more often than not, even when they are used by non-malicious sites, they are an annoyance, and they allow malicious sites to manipulate your browser window and trick you. Note that this does not prevent a site from opening up a new window (when you click on a button, for example) which has a specific size, etc., so it really does not limit web designers' ability to do fancy things with new browser windows; it just makes it so that nobody can surprise you with those features.

Robin Goodfellow on August 18, 2008 4:26 AM

I've noticed banks in particular have tried to jack up the security by having every user pick an image and then forcing every user to confirm that it's the right image when they login. Not quite the same thing as the FUI but the goal here is to add a bit of personalization that cannot be spoofed in an easy way. (I'm sure there are clever ways to get around such a thing, of course.)

If every OS window had some tiny thing in it that made it clear that it was real and the browser was not, or vice versa... anyway, but to dream.

Shmork on August 18, 2008 4:50 AM

I agree with Jon that some AV should be run (I use the free AntiVir and have been very pleased) but Jeff rather scoffs at this idea which I think is like promoting driving without seatbelts (I don't have the links to his posts handy).

The web is dangerous, period. When you connect you are open for attack. Many people should probably not use it because the attacks are so sophisticated.

Like driving, if you surf the web you must accept some risk.

Steve on August 18, 2008 5:43 AM

Oh, I was in no way implying one should not have an AV program! After all, if you trust a website and allow javascript for it, you are vulnerable if it is hacked. In fact, after submitting some of these viruses and seeing my own AV program not performing too well, I abandoned it mid-subscription and bought a different one because I do consider them very important -- I just don't abandon my own better judgment just because I've got a good one.

BTW, here's an analysis of one I got spammed for just now. 8/35 programs were able to detect it (jeez, you'd think anything named ecard.exe would automatically be detected by now ;) )
http://www.virustotal.com/analisis/28b64d84673fb36d4812353e8360a403

It was missed by AntiVir, Avast, AVG, Dr. Web, Kaspersky, McAfee, Microsoft, Norman, TrendMicro, and Webwasher, among others, and two of the ones that did raise alarms only called it suspicious. (Some of the other top programs were not among those tested, so they won't get a copy of the sample to add to their definitions in case they don't detect it on day 0.)

AlphaCentauri on August 18, 2008 5:55 AM

I like the comment above about allowing for customizable sites, but you know, that's really not practical. What is practical, though, is a themed user interface on the OS. During install of the OS (or the first load if it's a store-bought machine), have a few really easy screens with some basic theme choices. Choose your color with no default. Choose your window style with no default. Make the combinations of choices too robust to bother trying to find a common scheme.

Bill on August 18, 2008 6:19 AM

This is exactly like the ATM keypad FUIs.

B on August 18, 2008 6:33 AM

Train people in such a way that they get jaded about these warnings.

Chui on August 18, 2008 6:34 AM

Browsers should not offer you the option to execute downloaded files directly. The user must then separately navigate to the download folder and run the downloaded file.

That should solve 90% of the problem, I reckon.

stephen on August 18, 2008 6:37 AM

I think part of the problem is how browser security has been misrepresented in the past. People worry that websites will put cookies on their computer that will somehow infect their system and that just using a browser somehow opens their computer to all kinds of attacks. What they didn't hear is that browsers and websites don't have access to their entire system unless they allow it. No one tells them that their browser can't know that their system is infected and whatever else, and they should ignore and cancel anything that tells them so. Users should be informed that they shouldn't download anything that they didn't seek out unless they research it first. Basically, if they didn't directly ask for it, they should be very cautious.

FUIs are just going to become more and more sophisticated and will evolve with the look of operating systems and browsers. I think that if we could teach people to avoid things they didn't ask for that we could go a long way towards avoiding the problem.

Brad on August 18, 2008 6:54 AM

For a start: never, ever, ever allow the browser chrome (address bar, nav buttons, status bar, etc.) to be hidden, or allow the browser window itself to be hidden/resized/moved/etc. I know Firefox has settings that allow you to enable or disable these things, and I always disable them. That way you at least get *some* indication that the window you're looking at is a website and not a real application, and it's harder to pull windowing tricks that make you lose track of what just happened.

David on August 18, 2008 6:59 AM

How about some combination of sandboxing and whitelisting by default? There's a very powerful presumption that, ultimately, the user has to have 'control' over what goes on his or her computer-- maybe this presumption needs to be revisited.

MattF on August 18, 2008 6:59 AM

Web Browsers are responsible for a major part in fighting these types of attacks.

Identifying and blocking specific types of scripts can also prevent these attacks rather than trying to block just a single website.

Niyaz PK on August 18, 2008 7:01 AM

It happens every day, and it has happened to me once. You take care a lot of times, but once in a while you do falter (and I am a hyper-techie type of person). And FUIs (good term) do increase the technophobia for elderly people.

Varun Mahajan on August 18, 2008 7:02 AM

Problems like this will persist as long as
1) People insist on using tools that they openly do not understand. Like web browsers.
2) Microsoft continues pitching products to people who use tools that they openly do not understand.
3) Microsoft continues to produce tools that are insecure by design.

Or, to be less verbose

This problem will persist forever.

Matt on August 18, 2008 7:03 AM

The FUI looks convincing but I think the file download dialog should give it away for most people. At least I tell my family and friends to never download and run any files from the web or e-mail like that.

Kalle on August 18, 2008 7:03 AM

Users are getting sophisticated enough, but the attacks are getting more sophisticated. Social engineering attacks like this almost always work, at least on a small subset of users.
When taking the amount of traffic in the internet into account, this small percentage becomes a very scary number.

Niyaz PK on August 18, 2008 7:04 AM

My sister recently came to me with 'Antivirus 200' (or something like that). I immediately knew what happened, but she thought she was doing the right thing.

leppie on August 18, 2008 7:05 AM

The solution seems to be simple - end the monoculture of static themes. If every user had to pick colors and styles for his desktop theme on the first login, with NO DEFAULT VALUES, it would be much harder to successfully spoof a window. Alternatively, it shouldn't be that hard to write a browser plugin that automatically hides images behind a warning if they contain typical Windows elements, just like certain programs detect porn by looking for certain commonalities.

In the end, though, nothing is ever 100% secure, and it doesn't need to be. Viruses aren't actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn't care.

J. Stoever on August 18, 2008 7:06 AM

The FUI looks convincing but I think the file download dialog should give it away for most people.

I don't know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?

http://www.codinghorror.com/blog/archives/000114.html

Dialog boxes usually say "If you want to tech the tech, you need to tech the tech with the teching tech tech. Tech the tech? Yes / No"

Jeff Atwood on August 18, 2008 7:06 AM

This is really difficult. With the graphical expressiveness that people need to build meaningful applications, you'll always be able to fake web applications.

I think it will be pretty hopeless to prevent websites from faking real UIs. The better way to go is making the warnings even bigger when crossing a security line. In this case, you stop visiting a website and start downloading executable code that will be executed outside of the sandbox.

This should give a really huge, really annoying warning. Maybe you should even be required to type your password, or the sentence "I realize this might fry my computer", before being able to execute code from the internet outside of a sandbox. After all, this should be a very uncommon operation, so it's reasonable to bug users about it.

Mac OS X at least displays an additional warning about downloaded code, where it came from and the time when you downloaded before executing the program. But something that requires typing would be a lot better, as people tend to dismiss dialogs without thinking (being trained by gazillions of annoying senseless messages in Windows programs).

Martin Probst on August 18, 2008 7:06 AM

A part of my friend's business is to talk to people through messenger type application, so it got them all, and he has a lot of people he doesn't know about.

So, some weeks ago he got this MSN-type message popup from some random guy with a common name, so he just clicked it. Luckily, he didn't seem to get anything from this click after scanning his computer.

Even if I browse with NoScript, I find it hard to know what's fake or when it comes to download files from Filefront or anything like this. The file could be anything.

Allov on August 18, 2008 7:08 AM

I can't wait for Macs to get enough market share to become a virus target.

brian on August 18, 2008 7:09 AM

Naive users can not be protected until they get sophisticated

Nikos on August 18, 2008 7:12 AM

Being a non-administrator would definitely help, but it doesn't prevent the problem. All it does is limit the scope of the infection. Someone in Vista (or Gnome or KDE or OSX) running Firefox as a limited user can still run systemscan.exe, and that program can still send itself in emails, set up fake webservers (on higher number ports, of course), scan the network, steal passwords, and set itself to start up again when the user logs in.


It would be a bit easier to clean up, I suppose.

Craptaculus on August 18, 2008 7:13 AM

Poor English is also usually a dead give-away.

Your may have Spyware!

Lee on August 18, 2008 7:13 AM

Java applets, when launching new frame windows, had some piece of chrome that was impossible to remove; can't remember if it was the titlebar, or I think it was a status bar kinda thing. And I think for some of the browsers/VMs it was an annoying yellow-background type of style. Not a complete answer, but better than nothing. Setting other limits also probably makes sense, like not allowing absolute screen positioning, so that you can conveniently 'hide' the browser's This is a FUI! chrome off-screen, or with a second FUI window, etc.

Patrick Mueller on August 18, 2008 7:14 AM

I recently saw something very similar, animated to look like the real thing, but it was hilariously obviously faked in the browser - I was running FF2 on PC Linux OS.

Back in Windows, one thing that helps is to change your colour scheme (title bars, fonts) and not use the defaults, these spoofs always use the most popular defaults. So if you've set your system to use purple title bars and the browser spoof comes up in XP blue or silver, it's obvious. (Also comes in handy to tell the source of pop up dialogs when running virtual machines, or VNC etc).

MartinC on August 18, 2008 7:15 AM

The very first thing this page does is minimize the browser (...)

Javascript that resizes the browser should die.

manu on August 18, 2008 7:17 AM

One word: NoScript

Ciaran on August 18, 2008 7:19 AM

Poor English is also a dead give away: 'Your may have Spyware!'

Lee on August 18, 2008 7:19 AM

It's hard for people to understand that browsers can't know their systems are infected if Windows Update can look into their computer and know which updates they need.

AlphaCentauri on August 18, 2008 7:20 AM

Maybe the OS can constantly scan the UI for instances of certain security icons and graphics? But then we would inevitably get into a reverse CAPTCHA problem.

Maybe it should be a hardware solution... Microsoft could bundle a USB light that only they can turn on when using Windows Update, Defender, or other approved programs. Kind of like when browsers change the address bar color when on a secure site. Then you tell grandma to never trust any security warnings unless that light is on.

Daniel Sims on August 18, 2008 7:21 AM

My uncle had something like this come up for him, but at the time he was already infected with something on his machine which was causing these popups to appear. He called me up before clicking on one of the dialogs that came up. The guy is not a dumb guy, but the window that came up looked very convincing, windows logo the whole bit, claiming that he needed to download such and such antivirus to clean his machine off.

I explained that his machine was already infected and that was why he was getting these popups (they would come up whenever he opened the browser).

I had him install and run SuperAntiSpyware and that found a crapload of stuff on his machine. Seemed to fix everything.

I think he recently switched to a Mac.

Harvey on August 18, 2008 7:23 AM

How about having a way to customize your native window headers in a way that the spoofer will have no way to anticipate? Perhaps it's not possible on an OS which by default runs everything as the equivalent of root, but I'm ignoring that pathological case.

I've noticed that on linux, the spoofed dialogs that look like windows dialogs really stand out as being fake. Yahoo mail has this thing where you tell it the location on your local machine of a custom icon file, which it will display. Yahoo-mail spoof sites won't have this info, so won't be able to display the icon. Similarly, the window manager could put some custom image in the window header, or whatever, and spoof windows would lack this feature, making them more obviously fake. Now if the browser allows websites to create native windows, this won't work, of course.

I'm with the first poster though -- why in the hell does the browser permit web pages to minimize it, hide various UI features, prevent clicking on window close buttons, block 'ctrl-W', etc.? What is the point of having these capabilities?

SteveC on August 18, 2008 7:25 AM

I wrote about it 4 months ago: http://cranked.me/2008/04/zomg-viruses.html

Please don't forget comments that look like a part of official messages from your blogging engines, from authentic blogging engine domain, and look like 'Please see 'here''

The solution? Use a safe operating system. Your sister/mom/dad/granny will not be able to break anything if they run under their own account with stripped rights.

Gary Schubert on August 18, 2008 7:25 AM

When I was looking into OpenID I noticed that MyOpenID (https://www.myopenid.com/) has an anti-spoofing feature where you upload a custom image which is displayed on every page once you are logged in. This allows you to (hopefully) spot if the web page isn't from the correct source.

Applied to this problem, by making your UI unique in some way, you should be able to spot when a user interface element is fake.

Mike H on August 18, 2008 7:26 AM

The giveaway of boxes where you have to click OK or Yes is also zero for the vast majority of computer users, educated or not. There are so many boxes to click OK/Yes in your daily routine that people just don't read them.

When the confirmations for "Are you sure you want to close Word" and "Do you want to install this nefarious executable" look identical save for the words, people are going to click OK almost every time.

The reason for this unexpected behavior is that we have learned to decide what we want BEFORE the box pops up. When we click the X, we have already decided that yes, we want Word closed, so we click OK. When we click on the FUI virus scanner, we have already decided that yes, we want to proceed and remove the virus. We aren't going to consider clicking Abort on a box that we expect to lead to the removal of the virus, and because of that we don't read it.

The solution to the problem is, of course, to make the user actively do something that forces him to consciously recognize that he has to make a serious decision. If instead of a Yes/No box there was a text field, where the user had to enter "yes i really want to install this suspicious file", I'd expect the amount of people who still want to see the dancing bunny to go down considerably.

J. Stoever on August 18, 2008 7:28 AM

2 Ciaran: NoScript won't help in case of non-tech-savvy user. They will just use IE because Firefox doesn't show pages correctly.

Gary Schubert on August 18, 2008 7:28 AM

On the resizing and hiding firefox windows:

http://goodblimey.com/archives/2004/06/05/stop-browser-resizing-in-firefox/

jauco on August 18, 2008 7:28 AM

In the end, though, nothing is ever 100% secure, and it doesn't need to be. Viruses aren't actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn't care.

Excuse me ....
Viruses are big business today. Having a virus-infested PC these days means in most cases that you are now part of a botnet, sending spam and contributing to DDoS attacks against whomever the controller wants. In essence, your PC is no longer yours. It won't be long until we see ransoms asked to have your PC functioning again.

Viruses are a very grave threat these days, but not to the infected PC; rather, to everyone else. That is why most viruses are so harmless to the PC they infect. It is beneficial for them that the PC remains functioning and operational.

Boran on August 18, 2008 7:29 AM

I get these on my Mac and giggle at the idea that my Windows directory is infected on it. You'd think they'd do some basic OS filtering...

ceejayoz on August 18, 2008 7:30 AM

Eleven words: NoScript is tedious if you already know what you are doing.

Craptaculus on August 18, 2008 7:31 AM

@Martin Probst,

I think you are correct that this should be an uncommon operation (downloading and executing code from a website). However, the reality (and maybe the problem) is that it is not.

As an admin, I am installing things constantly, but that is not much of a problem. Except the problem is, when I see my not-too-web-savvy friends on the web, they are constantly downloading things (I mean constantly). Even more than I am. Regular users constantly download and execute things—that's why they use the internet. They get music, screensavers, games, videos, demos, and whatever else says download me!

People are generally just clicking on whatever looks like fun, and honestly they might not even really care if it breaks something in the OS. It's not like they have to fix it.

So, I would have to agree, the solution would be to make it so they can't install things if they do not understand the implications—but would they use a computer then?

Why won't it let me do this!?

Practicality on August 18, 2008 7:33 AM

Don't have the windows for programs and documents use the same UI.

sam on August 18, 2008 7:33 AM

2 Craptaculus: go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps.

Gary Schubert on August 18, 2008 7:38 AM

Similarly to what J. Stoever was saying about not using the default GUI, one approach to the problem is to undermine the attacker's ability to spoof the GUI by using a different GUI than the attacker expects. As a Linux user, whenever I see these sorts of things pop up on my desktop, I just slough it off because I know those Windows-style widgets and mock Windows apps don't belong on my XFCE desktop.

It's not enough just to break the homogeneity of the UI though, as the user may still be duped. If you're using an entirely different OS than the attacker expects, then even if you download the payload it isn't going to do the attacker much good.

Xyz on August 18, 2008 7:38 AM

I have to say, I disagree that Microsoft's security model would make any impact on this type of hack.

This FUI is making you think it is one of the good guys and therefore even if by default you weren't in as an Administrator, you would want to be in order to get this virus checker to work, right?

The only way around this problem is to educate all internet users that what they see isn't always real. More importantly, if you have specifically asked for something, don't do it. Any recommendations by any website should be considered completely unreliable.

Obviously this isn't an easy thing to do and as always us techs will continue to get calls from friends and families asking us to unravel the horrendous state their home PCs have gotten into.

One thing I've started doing is installing a virtual temporary PC onto friends' computers. If you want to browse the web, use this. A small lesson to explain everything will be gone as soon as they shut down and they're as safe as houses.

Robin

Robin Day on August 18, 2008 7:39 AM

@ Aaron G: What will you do once your dad comes with an infected machine and tells you that the website didn't contain bad spelling/grammar, random capitalization, exclamation marks and the word 'FREE'?

I bet a bottle of Jack Daniel's that there exists at least one malware site with perfect grammar and no phrases like "Your may have Spyware!"

Gary Schubert on August 18, 2008 7:44 AM

Lynx

DanF on August 18, 2008 7:50 AM

Poor English is also usually a dead give-away.
Your may have Spyware!

I'm not so sure about that. The latest versions of McAfee have some blatant spelling and grammatical errors in the installers of their Dutch software :)

Best regards,

Onno

Onno on August 18, 2008 7:51 AM

The FUI looks convincing but I think the file download dialog should give it away for most people.

I don't know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?

Well I hope most people do. But of course there will always be people who don't know what they are doing. But I'm not sure there is anything that could protect them... ;-)

Kalle on August 18, 2008 7:52 AM

My mother uses FF3 with NoScript ^_^

bothwell on August 18, 2008 7:57 AM

Keep in mind that sometimes the faking of thick clients is intentional and not with bad intentions at all..

More and more web pages try to offer the full package.
Part of the experience is showing a full interface with elements the user already knows from other software.
So any technique that disables/scans for those elements is out of the question.

A great way to block about 80% of the threats is to block all exes. Your average grandma has no need for anything executable on the PC. If she wants something installed for a particular purpose, she'll be on your phone anyway because the step-by-step wizard is too hard.

Also, browse with Opera ;)

Boersnoes on August 18, 2008 7:59 AM

@Lee Many people who don't have English as their first language (or even second language) will not notice mistakes in grammar or spelling. Also, as Jeff already pointed out, many (most?) users don't actually read the contents of the dialogs.

Although some people will always be tricked, I think many problems can be avoided by following two simple rules:

1) Always read the message text.
2) Never agree (i.e. click Yes) to something you don't fully understand.

This will work most of the time, as long as the dialogs themselves haven't been hijacked or faked (i.e. in Jeff's example, both the JavaScript dialog and the download dialog are genuine, so just clicking Cancel and No would prevent infection).

Anders Sandvig on August 18, 2008 8:01 AM

@ Practicality

The problem is not people downloading stuff, but people downloading stuff that crosses the security barrier which the browser sandbox forms. So downloading MP3s is OK, and there is a whole class of applications that are totally OK and harmless - nobody needs real hard drive access for a funny Flash game.

I think there was once at a time some Microsoft .NET stuff which was supposed to give such fine-grained access levels to downloaded applications, where apps could request only small permissions. That doesn't seem to have worked yet, but if the incentive for developers is "users will be bugged by a scary password dialog if they run my app", that might work.

Java Web Start and I think regular Java apps also once had something like this, where apps running on the client (not applets) could request only some partial rights. But the only distinction was no rights or all rights, which doesn't really help :-(

Martin Probst on August 18, 2008 8:04 AM

Jeff,

An important aspect of these attacks is that fooling users generates money through various pay-per-click schemes, worms which deliver the cookie payload (or worse), later used to click the unique click... In other words, fooling users is a serious business which, for some, generates an income far better than the best consulting fees in IT business.

Sad fact is that a black-belt in fooling users pays better than a black-belt in not-fooling users. But that's a topic unto itself.

Keep in mind that fooling users is not illegal and gets officially classified under Online Marketing.

BugFree on August 18, 2008 8:16 AM

Wow, lot of comments. Anyway, interesting stuff, and I really like the term FUI.

Will on August 18, 2008 8:18 AM

Wait? I thought JavaScript was the bestest!?!?!

-N

NRR on August 18, 2008 8:18 AM

Now if the popup said Woe betide you if you don't save this file!

Listening to some old songs this weekend Jeff? :)

Joe on August 18, 2008 8:20 AM

For what it's worth, my girlfriend has been educated by me about these things, so as soon as that FUI popped up, I heard a plaintive cry from her computer room: Ryyyyyyyannnnn! I've got spyware popups!

She knew to click the X's, not the 'cancel' buttons, and a thorough scan of her system showed us that while the installer was downloaded, it didn't execute.

Disaster averted.

Who knew how dangerous gardening could be to your IT health?

Ryan Meray on August 18, 2008 8:21 AM

If you've installed Vista then you have got so desensitized to clicking 'Yes' every 5 minutes that this is just going to sail right by. Security requires education about difficult topics and isn't really going to help since most people just want to watch videos and read email.

Ben on August 18, 2008 8:36 AM

That's quite a clever attack; it even gets around Google's protection against sites that may harm your computer.

Firefox's NoScript plugin does an excellent job, disabling JavaScript, Flash, and more by default and using a whitelist approach to turn it back on.

Did you or Ryan inform MRLS of this, Jeff? I tried the link to Ryan's page, but got a "we're still building this site" message.

Alastair Smith on August 18, 2008 8:37 AM

I love your site, but is there any chance you could be a bit more diverse with your examples of useless users? I'm pretty sure this isn't the first time you've used your wife or your mother for this. I'm neither wife, nor mother, nor indeed female, but am beginning to feel offended. For the record, my mother is indeed pretty gormless about such things, but my wife is a smart non-IT-industry user.

Some background:
http://www.tbray.org/ongoing/When/200x/2005/03/20/Women

Perhaps one to post about? In the meantime, keep teching the tech!

Anti-sexist Pig on August 18, 2008 8:37 AM

As much as I admire distributed phishing blacklist efforts, there's no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?

I think that is why it is up to the companies developing Anti-virus software to design a way to prevent the bad-guys from being able to spoof them. As a security initiative, Anti-virus software should be developed so that it is easily identified by the person using it (based on What you have, What you know, and/or Who you are). This could be something as simple as a big, bold label that has some kind of unique trait about yourself, always in the same spot. That way, if you don't see Mike T. in green, bold letters in the upper-right hand part of the window, you know it's not your software. I know this wouldn't prevent everyone from clicking the wrong thing, but it might help.

Mike on August 18, 2008 8:43 AM

Gary Schubert: go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps.

If you really know what you are doing you don't visit sites with g00d-stuff in their names. I don't have NoScript. I also know what I'm doing, therefore I didn't go to that site.

Do I win a prize?

Bob on August 18, 2008 8:48 AM

I clicked on the direct link, nothing happens, page renders fine.....

I clicked on the google search link, click on the first results from google, nothing happens, page renders fine.....

I typed in the url my firefox address bar, nothing happens, page renders fine....

Oh.. shit, I forgot, I'm using Ubuntu with Firefox 3.

Alfred Toh on August 18, 2008 8:49 AM

Actually, on Vista, no account is administrator by default, that's the whole point of UAC.

I know that it's just going to become another prompt to some people, but if you were on XP as a standard user, you'd get the same prompt, it would just ask for a password too (it's the same on Vista if you're not admin btw).

The biggest problem is not that people are uneducated about these things, but that they simply don't want to know. MS already puts up about 10 warnings saying "this may harm your computer" and "only click continue if you trust this publisher" etc., but people just ignore it because they want their dancing bunnies, or, in this case, free antivirus.

Allied on August 18, 2008 8:52 AM

I've always thought that JavaScript alerts look far too much like regular system alerts.

Mattkins on August 18, 2008 8:53 AM

I'm not a Mac zealot or anything (far from it), but I use OS X. Apple have strict standards as to how applications should look, so a FUI like that would look out of place. On Windows, design decisions are left solely up to the developer (*cough*iTunes*cough*), so it's far easier to trick users into thinking they are looking at a real application.

Matt on August 18, 2008 9:10 AM

@allied: People don't generally run Windows XP as non-administrator, because it's such a bitch to get _anything_ working then. A lot of the same goes for Windows Vista, unfortunately, because UAC is necessarily a bolt-on, meaning some software publishers still force their customers to run as administrators.

Not that it helps much. The goal of this kind of software is to get itself installed on your system and use your resources, whether to run as part of a botnet or to steal your credentials for whatever (your bank, MySpace, World of Warcraft, you name it). The only upside of running as administrator (for the trojan, anyway) is that it makes it a lot easier to install a rootkit and hide its presence from the user. But other than that, execution of the binary in a normal (non-sandboxed) environment is already game over.

Oh and I was also wondering about the perpetual wife/mother examples. How's your wife with computers Jeff? :)

wds on August 18, 2008 9:12 AM

Sometimes when I'm watching a screencast, and the person scrolls to another piece of code, I find myself clicking on their scrollbars to jump back up and look at something.

Darren Kopp on August 18, 2008 9:18 AM

I had to fix a friend's computer a few days ago, which seemed to be infected as it was prompting some unwanted 'beware, virus spotted'. After a few tries, I discovered the computer was truly infected, but by a virus specially designed for selling antivirus.

He altered the wallpaper to emulate a virus warning and replaced the screensaver with the well-known 'blue screen' followed by a fake XP boot. On top of that he was also pretty tough and gave me a hard time to evict him.

Kynes on August 18, 2008 9:24 AM

A couple of thoughts:

0. Build a decent OS. Upon reviewing the following items, it's apparent this is the only solution.

1. Build browsers that actually sandbox the web. For example, throw ActiveX out the window. It was a really bad idea to begin with. Also, javascript should not take full control of the browser. Every time the browser wants to download something, only allow the user to save the file. Never ask about immediately running a downloaded program.

2. Fix virus scanners. Between all the crap that McAfee/Norton/etc installs on a machine it's really hard to tell them apart for adware/malware. As a matter of fact, just build it into the OS. Those guys are ripoff artists anyway. I personally believe opening the windows kernel back up for them was a really bad idea.

3. Education will never work so get off that horse already. No one has time to read all of the boxes that show up on a daily basis. Which leads to my next item. Hell, I'd actually be surprised if anyone read this far in my post.

4. Get rid of pop-ups completely. They are only used for adware, marketing, and techno speak. Normal people stopped reading them long ago. As a matter of fact they usually just close their eyes and click randomly on the screen until they go away. If you have to pop something up as an alert then the application is already doing the wrong thing. Besides the fact that Apple has proven with Time Machine that Infinite Undo for EVERYTHING is much better.

5. Simplify application installation / uninstallation. Honest to god why are apps allowed to install anything near the OS? The Registry is a waste of space. I should be able to go to an application directory, push the delete key, and have it GONE. Why do OSes even allow hidden files (even from itself) to begin with? Stupid.

Everything an application needs to run should be installed in ITS application folder; sharing that crap was a bad idea to begin with.

Chris Lively on August 18, 2008 9:27 AM

Maybe if all the browsers supported some type of "Report Spyware" button. So that when someone like Jeff or another techy notices it's a bad site they report it and the rest of the noob people benefit.

Donny on August 18, 2008 9:45 AM

Gary Schubert: go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps.

Bob: If you really know what you are doing you don't visit sites with g00d-stuff in their names. I don't have NoScript. I also know what I'm doing, therefore I didn't go to that site.
Do I win a prize?

I won't say that it is possible to click on a link in a text message from a trusted friend who is tech-savvy.

I will choose another scenario. A page shows on the first page of search engine results. Your action?

You have two choices (even if the link will look suspicious to you):
1. Pee your pants and don't go there
2. Boldly go there and either find the information you need or laugh at puny attempts of Antivirus XP 64 2008 (c)(R)(tm)(nt) to scan 'C:\Windows\System32' folder on your Linux box.

Gary Schubert on August 18, 2008 9:45 AM

Great timing. I actually went through this very thing with my mother on the phone last week. The key to diagnosing it on the phone was the right-click then "view source". Otherwise it was very hard to distinguish.

Stephane Grenier on August 18, 2008 9:48 AM

My first thought has already been commented above -- the showstopper should be the "do you want to run native code?" dialog. I try to encourage family+friends _never_ to say yes unless they already understand the software they're installing. This goes for Java Web Start, WebEx, etc. etc. -- which could count as malware depending on who you're talking to.

This tends not to work because of the tendency towards instant gratification.

My second thought was, we should start smacking (or smacking harder) the growing population of Ajax developers who are calling for the relaxation of well-placed security mechanisms in the browser. (You know, all those nasty sandbox restrictions are forcing them to write code properly, which takes too long.)

Trav on August 18, 2008 9:48 AM

A family member's computer was infected with antivirusxp2008 just recently. The screenshots above look eerily similar. I was wondering how in the world it got on there. I think you've answered that one for me. The malware/virus itself was about as nasty as they come. Given that there was no real data on the machine, I wiped it clean and reinstalled the OS (it was the fastest solution). When I give them the computer back it will have Norton, Spybot, Defender, and IE's phishing filter installed or enabled, along with a stern warning from me about clicking on dialogs like the ones above.

Scott Marlowe on August 18, 2008 9:54 AM

In addition to the quest for a phishing solution for the flower searching masses, the concept of spear phishing takes this FUI to a new, more personal, level:
http://www.microsoft.com/protect/yourself/phishing/spear.mspx
It seems that you have been practicing spear phishing on yourself...? So maybe the real question is "How can Jeff protect his computer from himself, and still be happy with his quality of life?"

erik9000 on August 18, 2008 9:55 AM

me -- possibly the world's most jaded and cynical Windows user

Ha! A truly cynical user would surf with JavaScript disabled.

Adrian on August 18, 2008 9:55 AM

Gary Schubert: 1. Pee your pants and don't go there
2. Boldly go there and either find the information you need or laugh at puny attempts of Antivirus XP 64 2008 (c)(R)(tm)(nt) to scan 'C:\Windows\System32' folder on your Linux box.

Actually, I go for option 3, which is similar to option 2 but snazzier:

3. Use OSX.

Bob on August 18, 2008 10:01 AM

The heart of the problem isn't the web browser or user awareness, it's the spammers/hackers themselves.

Too often, they face no consequences for their actions. What's to deter them?

We had a website hacked at my old company and a PayPal spoof was put up on our page (the URL of which was then sent to unsuspecting prey).

We sent the FBI our server logs and other information we dug up about what had happened. Do you know what we got back? A confirmation email is about it.

We had the State Police come in to investigate too and they pretty much told us that nothing was going to happen, they get too many of these complaints to handle.

Kris on August 18, 2008 10:13 AM

And because they're out of the country, it's hard to get the jurisdiction to do anything. Too many foreign countries are lax on these sorts of laws... just look at where the hacking is coming from, I'm willing to bet it's mostly outside of the US.

Kris on August 18, 2008 10:14 AM

How to combat spoofing? Easy. Customize the web site per user. Spoofing only works when users have basically the same view of the website (one spoof - many victims). So if, for example, eBay would let you configure a custom background color, you should be able to notice that the page you're viewing is some spoof (that won't know your choice of color). A real solution is a bit more complex (like maybe a secret keyword configured in the browser that only the browser can render within password controls or into the url bar, etc.), but the idea is the same. Customize the UI per user so spoofing (which relies on most users expecting to see basically the same UI) stops working. It can be a browser based solution, or something web sites offer to their users (some already do).

Assaf Lavie on August 18, 2008 10:19 AM
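
The idea Mike raises above (a personal label that only your own software shows) and Assaf's generalisation of it (a UI secret the genuine site can render but a one-size-fits-all spoof cannot) can be sketched as a small server-side component. This is an added example, not code from Coding Horror or from either commenter; the HMAC-based device token, the PersonalizationStore class and the sample users are all assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side secret for the example; a real deployment would load it
# from a key store, never from source.
SERVER_KEY = b"example-server-key-not-for-production"


class PersonalizationStore:
    """Maps an enrolled browser (device token) to the user's chosen UI secret.

    The anti-spoofing property: the genuine site renders the user's phrase only
    when the browser presents a token the server itself issued. A spoof page
    that has to look identical to every victim never sees that phrase.
    Caveat (general fact, not from the comments): this defeats a generic spoof,
    not an active relay that forwards the victim's own token to the real site
    and copies the answer; the browser-held secret Assaf mentions is stronger.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._users: Dict[str, Tuple[str, str]] = {}  # user_id -> (phrase, colour)
        self._nonces: Dict[str, str] = {}  # user_id -> nonce bound to the enrolled browser

    def _mac(self, user_id: str, nonce: str) -> str:
        msg = f"{user_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enroll(self, user_id: str, phrase: str, colour: str) -> str:
        """Record the user's secret and return the device token for this browser.

        Token layout (assumption): user_id:nonce:HMAC(key, user_id:nonce).
        """
        if ":" in user_id:
            raise ValueError("user_id must not contain ':'")
        if not colour.lstrip("#").isalnum():  # keep the style attribute inert
            raise ValueError("colour must be a plain CSS colour name or hex value")
        nonce = secrets.token_hex(8)
        self._users[user_id] = (phrase, colour)
        self._nonces[user_id] = nonce
        return f"{user_id}:{nonce}:{self._mac(user_id, nonce)}"

    def render_banner(self, device_token: Optional[str]) -> str:
        """Return the dialog banner the genuine site would show to this browser."""
        if device_token is not None:
            parts = device_token.split(":")
            if len(parts) == 3:
                user_id, nonce, mac = parts
                if (user_id in self._users
                        and self._nonces.get(user_id) == nonce
                        and hmac.compare_digest(mac, self._mac(user_id, nonce))):
                    phrase, colour = self._users[user_id]
                    # Escape the phrase: the user chose it, so treat it as untrusted HTML.
                    return (f'<div class="banner" style="color:{colour}">'
                            f'{html.escape(phrase)}</div>')
        # Unknown, missing or tampered token: generic banner, no secret leaked.
        return '<div class="banner">Security check</div>'


def spoof_banner() -> str:
    """What a one-spoof-many-victims page can show: it holds no user's secret."""
    return '<div class="banner" style="color:green">Your may have Spyware!</div>'


def user_recognises(banner_html: str, phrase: str) -> bool:
    """The user-side check: does this dialog carry my phrase, rendered verbatim?"""
    return html.escape(phrase) in banner_html


def demo() -> Dict[str, bool]:
    """Genuine site vs. spoof vs. tampered token, for the sample user 'mike'."""
    store = PersonalizationStore(SERVER_KEY)
    token = store.enroll("mike", "Mike T.", "green")
    flipped = "0" if token[-1] != "0" else "1"  # corrupt one MAC digit
    return {
        "genuine_shows_phrase": user_recognises(store.render_banner(token), "Mike T."),
        "spoof_shows_phrase": user_recognises(spoof_banner(), "Mike T."),
        "tampered_shows_phrase": user_recognises(store.render_banner(token[:-1] + flipped), "Mike T."),
        "no_token_shows_phrase": user_recognises(store.render_banner(None), "Mike T."),
    }


if __name__ == "__main__":
    print(demo())
```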

But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a system security scan. Or maybe they just wanted to see the dancing bunnies.

Not any Linux operator worth their salt. Even a mildly savvy junior Linux scout knows which apps ask for the root password; any app which did so unexpectedly would stand out like so: OH_MY_GOODNESS_SYSTEM_ATTACK_IN_PROGRESS.

Ubuntu, unfortunately, is probably making this much more likely than I'd like to think....

Tarkin on August 18, 2008 10:20 AM

I've always thought a new R needs to be added to the education system. Reading, writing and arithmetic are fine till they are all done on computers. At which point you really need to start teaching computer use to everyone. These problems would vanish if you were taught from primary school how computers work. It's hard to find analogues given the scope that computers change how things work to show by example. But it's becoming necessary that everyone be taught to a basic level of computer literacy.

Duggy on August 18, 2008 10:21 AM

The slickest hack I've seen was on one of my sites... someone got in and changed my Google AdSense ads to theirs.

Of course I reported them to Google when I realized it, but who knows if they did anything about it and who knows how much money they raised before they were stopped.

Kris on August 18, 2008 10:21 AM

If you want to prevent the FUIs, you need to make errors significant.

For instance, if every time you started your car your oil light came on, just to remind you to check your oil once in a while, your car would probably be in pretty bad shape after a few missed oil change dates.

At Microsoft I think one of their metrics for measuring success of code is how many error boxes it pops up (higher = better).

Brad on August 18, 2008 10:21 AM

Instead of blaming the stupid users or Microsoft, how about some actual technical suggestions?

For example, if JavaScript dialog boxes looked different, and were visually attached to the browser pane that spawned them (kinda like how some OS X popups are attached to the window frame), then it would be much easier to see that the web page is the one putting up the message. Right now it just says "The page at X says..." which is really easy to miss.

Browsers should, by default, not allow for resizing the browser window, hiding it, or hiding any of the chrome. I know FF has options for this, but those capabilities should never be granted for web pages.

Ben Hollis on August 18, 2008 10:24 AM

Use Lynx ;-)

'Grossman, for example, uses Firefox with the NoScript, Flashblock, SafeHistory, Adblock Plus and CustomizeGoogle add-ons for most of his web surfing, all to improve on the less-than-ideal state of today's web.' http://www.theregister.co.uk/2008/06/23/marginal_browser_security_protections/

I think the search engines and web sites need to be more aggressive and proactive, and held accountable. In one respect, ease of entry is a good thing, but someone or something has to bring the infrastructure or technology to a - whole - new - level.

dj on August 18, 2008 10:30 AM

@Anders: Many people who don't have English as their first language (or even second language) will not notice mistakes in grammar or spelling.

I'm here to tell you that even native English speakers often will not notice mistakes in grammar and spelling, either because their brain auto-corrects or (more often) they routinely make exactly the same mistakes themselves. Most Americans can't write worth a spit.

KJB on August 18, 2008 10:32 AM

Bob: Actually, I go for option 3, which is similar to option 2 but snazzier:
3. Use OSX.

http://www.channelregister.co.uk/2008/03/28/mac_hack/

99 security updates for Safari: http://search.info.apple.com/?q=safari+securitytype=kbdloadsearch=Searchlr=lang_ensearch=Go

I'm sorry to tell you that, Bob, but Apple sucks even more than Microsoft. The only reason Apple customers are safer now is because no one needs them.

Gary Schubert on August 18, 2008 10:32 AM

Windows Vista runs as a non-admin user by default, even when running as Administrator. Had you attempted to run this software, you would have received a UAC prompt if you were running as Admin and a password prompt if you were running as non-Admin.

I agree that this is a problem and it's really, really easy for non-technical users to be fooled. Right now, the best defense against this stuff is education combined with updated software and anti-malware protection.

Carl@Brightrev on August 18, 2008 11:01 AM

I work on Macs most of the time. The argument that Apple advocates standard interfaces, so these spoofs don't look right on a Mac is laughable - almost every Apple Design Award winner uses nonstandard interfaces.

But what IS important is the font used; every screenshot of a Windows (or Windows-esque) dialog looks wrong on a Mac, since the FONTS are just plain wrong. Dead giveaway for me. Not for Mom or Grandma, sure, but it is for me.

Bob G. on August 18, 2008 11:02 AM

How can 3 fellow programmers create a successful business?
-the 1st one writes viruses
-the 2nd one writes anti-virus software
-the 3rd one writes an operating system to reduce the size of the (anti-)virus executables.

Back to FUI issue:

Build a REALLY good anti-virus/spyware scanner into the OS so whenever something gets downloaded from the Internet (Web, FTP, E-Mail, Instant Messaging, P2P, etc.) it gets scanned before it's allowed to run.

To all of you OS X fanboys: what about a site that determines the client's OS and presents you with a different, native FUI?

James on August 18, 2008 11:03 AM

Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.