As a software developer, tell me if you've ever done this:
And let's not forget the common goating technique where you take a screenshot of someone's desktop, make it the desktop background, then proceed to hide every UI element on the screen. The anguished cries as users desperately double-triple-quadruple click on pixels that look exactly like real user interfaces can typically be heard for miles.
I bring this up to generate some sympathy. I get fooled by my own FUI -- Fake User Interface -- at least once a month. If it can happen to us, it can happen to anyone. Which means FUI can be quite dangerous in the wrong hands. Consider Ryan Meray's story:
Okay, so here's an interesting one. My girlfriend is researching stuff on lilies, so she's trying to find the website for the Michigan Regional Lily Society. The website address is http://www.mrls.org/
Feel free and browse there directly, there's nothing wrong with it. But if you don't remember the URL, your first response is to Google it. We google and get this:
http://www.google.com/search?q=Michigan+Regional+Lily+Society
Now, if you're in Firefox, everything is fine. You click that first result, and you get to their website, and you learn about lilies.
However, if you are using IE, be aware, you are about to have a Spyware/Virus alert.
Obviously, the poor Michigan Regional Lily Society has fallen prey to website hackers. (Note that it may have been fixed by the time I'm writing this -- but I duplicated everything I'm about to show you.)
The first clever point is that the website appears fine if you navigate there directly. The malicious JavaScript code inserted into the page checks the referer and does something different if you arrive there via a web search engine. This means the people who own the website, and never arrive there through Google, would be scratching their heads, wondering what all the fuss is about. So the hack survives longer.
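A site owner can triage for the referer check described above with a static scan of the page source. This is an added example, not code from the original post or from the compromised site: it flags inline scripts that both read `document.referrer` and navigate or write content. The sample pages, the `redirect.example.invalid` host and all function names are constructed for illustration.

```javascript
// Added example: static triage of a page's inline scripts for
// referrer-conditional navigation. Heuristic pattern matching only.

// Search-engine names an injected script might test the referrer against.
const SEARCH_ENGINES = ["google", "yahoo", "bing", "msn", "live.com", "ask.com", "aol"];

// Script-driven navigation or content-injection sinks.
const SINKS = [
  { name: "location assignment", re: /\blocation(?:\.href)?\s*=[^=]/ },
  { name: "location.replace/assign", re: /\blocation\.(?:replace|assign)\s*\(/ },
  { name: "window.open", re: /\bwindow\.open\s*\(/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
];

// document.referrer or document["referrer"]
const REFERRER_READ = /\bdocument\s*(?:\.\s*referrer|\[\s*["']referrer["']\s*\])/;

// Return the bodies of inline <script> elements (regex-based, not a full HTML parser).
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script: not inline
    if (body.trim() !== "") scripts.push(body);
  }
  return scripts;
}

// Flag scripts that read the referrer AND contain a navigation/injection sink.
// Reading the referrer alone is common in analytics, so it is not flagged.
function findReferrerGatedRedirects(html) {
  const findings = [];
  extractInlineScripts(html).forEach((body, index) => {
    if (!REFERRER_READ.test(body)) return;
    const sinks = SINKS.filter((s) => s.re.test(body)).map((s) => s.name);
    if (sinks.length === 0) return;
    const lower = body.toLowerCase();
    const engines = SEARCH_ENGINES.filter((e) => lower.includes(e));
    findings.push({
      scriptIndex: index,
      sinks,
      engines,
      // Naming search engines next to a referrer test is the pattern the post describes.
      severity: engines.length > 0 ? "high" : "review",
    });
  });
  return findings;
}

// Constructed sample: a page that only records the referrer.
const CLEAN_PAGE = `<html><head><script src="/js/site.js"></script>
<script>var cameFrom = document.referrer; /* analytics only */</script>
</head><body>Lily show schedule</body></html>`;

// Constructed sample: a page with an injected referrer-gated redirect.
const TAMPERED_PAGE = `<html><body>Lily show schedule
<script>if (/google|yahoo|msn/i.test(document.referrer)) { window.location.href = "http://redirect.example.invalid/"; }</script>
</body></html>`;

console.log(JSON.stringify(findReferrerGatedRedirects(TAMPERED_PAGE), null, 2));
```

External scripts (those with a `src` attribute) are skipped and have to be fetched and scanned separately. Obfuscated code will not match these patterns, so an empty result is not proof of a clean page.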
But if you do arrive at the MRLS site through a search engine, like a huge percentage of the world does, you're redirected to:
http://scanner.antivir64.com/?aff=1050
The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:
I'm intentionally juxtaposing the browser and the dialog here, but the browser is way off in the very lower right corner of the display and that dialog is smack dab in the middle of the screen. It is not at all clear that the dialog originated from that web page. It's a primitive technique, but it is surprisingly effective.
I didn't have the guts to click OK on that dialog; I clicked the close button. The browser then expanded to show this convincing "real time virus scan".
The static screenshot does not do it justice; the scrollbar moves, the list of files fly by as they are "scanned", and the web page rather successfully simulates an ersatz UI somewhere between Windows XP and Windows Vista. Of course, we know this Fake User Interface is completely invalid, because it is running in the browser, not on our PC. You and I may understand that distinction, but what about your parents? Your wife? Your children? Your less technically savvy friends? Will they understand this scary, authentic looking virus warning coming from an "encrypted secure site" is all a lie?
Honestly, whose PC doesn't "run slower than normal"? Maybe I would want to know if my computer is infected with Viruses, Adware or Spyware. It's all part of the culture of fear that security software companies -- and let's be honest, Windows security software companies -- cultivate so they can rake in millions of dollars per year hawking their software. The difference here, of course, is that it's increasingly difficult to tell the good guys from the bad guys. That's the downside of fear as a selling point: it cuts equally well in both directions.
Woe betide the poor user who is convinced through the trickery of FUI to install this "antivirus" software. The page does its darndest to convince you to run its payload executable. Any click on the page, no matter where, is interpreted as a download request.
The page also attempts a drive-by download, though those have been auto-blocked for years now.
It's tempting to put this down as yet another iteration of phishing, the forever hack. To be fair, this is exactly the sort of thing web browser phishing filters were designed to prevent. This site was already in the Firefox 3 phishing filter -- but it was not caught by the Internet Explorer 7 phishing filter, so I reported it.
I am all for phishing filters as another important line of defense, but like all distributed blacklists, they're only so effective.
What I'm more concerned about here is how well the user interface was spoofed. The browser FUI was convincing enough to even make me -- possibly the world's most jaded and cynical Windows user -- do a bit of a double-take. How do you protect naive users from cleverly designed FUI exploits like this one? Can you imagine your mother doing a web search on flowers -- flowers, for God's sake -- clicking on the search results to a totally legitimate website, and correctly navigating the resulting maze of fake UI, spurious javascript alerts, and download dialogs?
I know I can't. As much as I admire distributed phishing blacklist efforts, there's no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?
As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan". Or maybe they just wanted to see the dancing bunnies.
And then, like Ryan, you're likely to end up with the same infected computer, and the same distraught spouse. All this for the love of a few lilies.
Short of user education, which is a neverending, continuous uphill battle -- how would you combat a perfectly spoofed FUI presented to a naive user?
As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a system security scan. Or maybe they just wanted to see the dancing bunnies.
I agree with this 100% but the thing that annoys me is that people complain about this and then they complain about the new security features in Vista and how it nags and prevents anything from happening and then they go and disable the UAC and now they are just as vulnerable as any Windows XP user and then they complain when they visit a site like this and their computer is compromised.
I see much room for improvement versus Linux' security measures but still I believe Windows Vista is the best thing to happen to the Windows lineup since Windows 95.
Sorry, nothing personal against you Jeff but I just have to rant about that every time I hear Windows and Security in the same sentence.
Jimmy on August 18, 2008 11:19 AM
The major problem to me here is the system message box. Why should a website be allowed to create a message box? Anyone who has now used an AJAX based site knows it's possible to display an in-page message box to ask the user questions.
Something that might help is turning these style boxes into modeless boxes that are rendered at the top of the page in a banner-ad-esque style rather than a system style. This also means you could place security warnings more easily next to this box.
Doing this would encourage real website owners to use custom boxes within their pages so they are noticed, regular users meanwhile would be more inclined to ignore these style boxes, thinking it's a banner ad.
Nidonocu on August 18, 2008 11:27 AM
As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a system security scan.
My comment is totally off-topic but whenever I see a note where it states that UNIX might be safer because how the root/admin account is managed and the system parts are secured with it, it makes me want to post a comment like this.
Let's split up the files on a computer in three different categories: 1) the system's file (c:\windows\system, /sbin/, etc etc), 2) application files (c:\program files\, /usr/bin/, etc) and 3) user files (application data, my documents, /home/username).
Which of these does the user of the computer actually care about? Indeed... the user couldn't care less if all the system files were deleted, broken or infected, as long as the user files are OK!
So what if some virus installs from the browser and quite classically deletes all files it has access to... oh, it deleted all the files in /home/username/, but at least /sbin is untouched...! Not pretty.
thomas on August 18, 2008 11:32 AM
These guys are amazingly obnoxious and successful...
http://blog.spinn3r.com/2007/07/post-mortem-of-.html
They've busted a LOT of .edus.... They seem to target them directly as I think they're after pagerank boost and potentially weak security.
A number of top universities have been busted this way.
For example..... here's a short list of .edus we've seen compromised.
(Having a crawler which indexes 50-100M sites means we can compute interesting statistics).
I encourage everyone to DOS the spammers
my own way: ab -n 10000000 -c500 http://scanner.antivir64.com/?aff=1050
At first, I thought this was going to be an article about usability :)
As far as phishing goes, there's no way to differentiate a legitimate UI from a fishy one. All an attacker needs to do is copy the legitimate UI. Even if they could somehow be differentiated, statistically speaking, there will always be a large number of users that will always respond to certain prompts with muscle memory, and there will always be a variety of newly deployed social engineering attacks that don't attempt to spoof any famous vendors in particular.
Profiling is pretty ineffective too: there's no correlation between language proficiency or graphics design skill and the intent to harm for profit. Also, just because you can tell a js popup from a real AV one, doesn't mean everyone else can do it too: keep in mind that Jeff's question pertains to a naive user.
Sandboxing also only does so much. If the user says yes yes yes password yes uac yes I'm the administrator for this computer, so install and run this already, the whole sandbox goes right out of the window. Proclaiming one-sidedly to be the super admin for your aunt's computer seems kinda awkward too imho: it's like gifting her with a kitchen knife set and saying i'll keep the keys to the scabbards, just in case. There was even a case in the news recently where a tech support kid hacked a woman's webcam by abusing that meme of putting trust in the technical expert.
There are way too many attack vectors. If users can't decide on their own when to click on the close button instead of the ok button, no amount of code or UI tweaks ever will.
Leo Horie on August 18, 2008 11:44 AM
I can't stop laughing here... I just spent the weekend reformatting my father in law's laptop this weekend because he clicked on those links.
He's now running FF3 and I made every attempt to hide the IE icon from him.
Karthik Hariharan on August 18, 2008 12:17 PM
Take a gander at this: http://www.webloyalty.com and tell me if everyone involved with the web these days is going to hell. If we had any kind of citizen protection left would any of this crap happen? Note that I said citizen because we should be collectively protecting ourselves but since we are all consumers and no longer citizens the predatory scum of the earth are allowed to feed on us. What the fuck is freecreditreport.com and why has that site not been shut down? Because aside from your open mouth and available bank balance you don't matter to anyone who matters in this world anymore. We are using our own skins for wallpaper and we cannot win.
Terrier on August 18, 2008 12:37 PM
Has anyone considered suing the web site owner (the redirect-host not the infected site) for this deceitful practice? The website claims to have found something that it actually has not and is attempting to sell you a product based on false advertising. That is actionable, is it not?
Here's what I believe, and I think it coincides with your blog:
1 - No matter how many borders or messages you put around a message, people will still be able to make an FUI that will fool quite a few people.
2 - No matter how hard you make it for users to get themselves into trouble (typing a secret password, su, etc) they will jump through all the hoops to see the dancing bunnies.
So if you accept #1 and #2, the only recourses are:
1 - Prosecute the criminals.
This is very hard due to where they are, another country, etc. and whether there are laws even written for this.
2 - Make it easier to see when you are infected and easier to fix.
Windows has too many places hiding what runs when you start up: Start menu, the registry Run setting, services, etc. And then when programs are running, you can't always tell. Unless you're going to go get procmon or something it's very difficult to figure out if a process in task manager is malicious. Assuming it's even showing up in task manager.
@Luke on August: It is virtually impossible to track down the false advertisers. And even if you do, they have hundreds (if not thousands of sites) hosting these bogus ads. Shutting down one site and creating another is not a big deal (obviously).
Marketing practices can be summarized with an old adage there is a sucker born every minute. For every sucker, there are people feeding on suckers and making a bit of money on it. This is the Internet economy everybody is harping about.
If Internet was a serious business, a licence should be required to open a business (even an online business). That would make all fraudsters illegal overnight and their hosting companies directly liable.
But why? Money is good.
BugFree on August 18, 2008 1:01 PM
You know what saves me from FUI all the time? I never use the default theme. Skinning is just one line of defense and it seems flimsy, but it can be incredibly effective.
Vojislav Stojkovic on August 18, 2008 1:18 PM
Sometimes I wonder if there is a market for a managed PC appliance. The problem is that we are expecting ignorant users to manage their own PC - running antivirus, installing programs, that sort of thing. I wonder whether anyone would pay a service a month to get a remotely administered system where someone else automatically deals with your security, updates, etc like at a corporate environment, and all they have to do is use it and put in occasional requests for new user applications/abilities they want to do.
Remove the power and responsibility of that class of user to administer their own computer and they can't break it either. The real problem is that people are so sold on having a powerful system that they don't understand.
Mike on August 18, 2008 1:44 PM
randomize the colorscheme on installation of $OS. So no website can fake with a screenshot. prefix all alert()s with website name in title ...
allo on August 18, 2008 1:49 PM
I'm digging the vista-esque website and then the XP style popup with, Your may have spyware.
On another note. I agree with everyone who's said education is the answer. If we could just educate all the non techno-savvy users to be somewhat techno-savvy I believe that 80 percent of the people who get fooled by this type of site wouldn't anymore.
Inconsistancy on August 18, 2008 1:50 PM
Sandboxing does work: We got this really nice computer, new, fast, perfect. And next to it an old wreck that does all our connections to the vicious outer world. With virus scanner and an image handy. If internet files are worth keeping, they get examined before they are transferred (usb) or back-upped. The tediousness of the process limits downloading too ;)
Nobody can claim he or she will see through any attack. There is good money to be made in this business so FUIs will get better:
they'll start to understand that the details matter,
not a gif but an AJAX app which will use your purple toolbar and your font,
they will make you think that you yourself have surfed to that website ...
For the nonce it does help to be in a statistically uninterestingly small market segment: not using XP/WIN/IE, not speaking one of the major languages.
I'm confounded as to why alert boxes still don't have more flashing lights that yell danger, danger!. Calling alert(Your may have Spyware! Plaese click OK!!) shouldn't yield a message box just saying Your may have Spyware! Plaese click OK!!, it should:
a) Clearly tell you that the following message is from the current website, and
b) the message was not issued by something that in any way can know anything about your computer, and
c) if it claims to have detected some kind of problem with your computer, it is lying, and
d) provide a way to immediately stop all scripts on the current page (like it does in Opera), and finally
e) Your may have Spyware! Plaese click OK!!.
... preferably phrased by a non-developer.
It wouldn't solve all problems (the malwarers would switch to HTML FUIs, I'd reckon).
It'll probably still be kind of This tech is tech from the tech, it cannot tech your tech, and if it says it does it's lying, do you want to stop the tech on this tech?.
But still, it's insane that a web page can allocate a _real_ UI element from the browser without the user being informed of its very unreliable source. IE gives the alert box the title Windows Internet Explorer, while FF uses the title The page at ${url} says: (but honestly, who the crap reads the title bar of a message box? I don't, and I'm paranoid). Only Opera gives any clue that perhaps this message shouldn't always really be trusted, with their stop executing scripts-checkbox.
With the security arms race between the major browsers today, it's bizarre that nothing's been done about this. It's not like it's a big measure to take, or anything.
Or can anyone come up with any compelling reasons why alert boxes shouldn't add their fair share of the culture of fear, too?
gustafc on August 19, 2008 3:01 AM
That's why my wife is forced to do all her web browsing using lynx. Sometimes I let her use Firefox, but always with NoScript thingy doing its job... oh! And she doesn't have sudo privileges. See, that was easy!
ubersoldat on August 19, 2008 3:46 AM
The problem is the need to allow interesting applications to appear in a web browser. This is at odds with actual web browsing.
IT shops want applications in a browser, and they want those applications to appear like and behave like applications everywhere. That means being able to do things like resize windows from script, eliminate chrome, and more.
I don't want web sites I'm browsing to do that, but it's hard to turn that on/off. Maybe we need more zone-specific security settings?
Phred on August 19, 2008 5:00 AM
Microsoft is partly to blame, by numbing us with endless dialog boxes asking us if we're sure. They think it's safer, but it adds to the dialog numbness. Then it says you need some crap to get rid of other crap. who's the boss here??? who pays the damn electric bill, the net bill, who owns the pc?? You do. tell it NO, under no circumstances do you want anything it offers. Not well maybe if it's free and good - nothing. That's how you have to think to survive. Your own attitude and behavior is the only protection.
Frank Rizzo on August 19, 2008 5:38 AM
You combat that very easy: Mark every webpage as a webpage and do it in such a way, that the webpage itself cannot (under no circumstances) remove this mark :-) I'm surprised the browser vendors never came up with that concept.
E.g. draw a border around every webpage and offer no way for JS code to remove this border. Then you only need to educate the user If you see this border around something on the screen, it is a webpage, not an application, don't fall for it claiming otherwise! And being a webpage, it has no access to your local system (files or hardware devices), no matter what it claims.
This way hackers could only fake it the other way round. They could intentionally draw a border around their app window looking alike - but why would they do so? What advantage do they have to pretend they are just a webpage if they are in fact a local app and already have full access to your system? In that case they better present no UI at all, so users never detect that this app is even there and running.
However, no attacking website can remove this border and thus they will always be clearly marked as web content. Or use a semi-transparent icon in the upper right corner. Maybe put a transparent watermark over the page - it's always the same concept.
The real problem though is that all current operating systems are not secure enough. In a perfectly secure operating system, all code needs to be signed (as Apple started in Leopard). You can say that you trust a vendor and thus you trust their signature. If you trusted a signature, the app gets full access as every app gets right now. But if you never trusted a signature or the code is not even signed, the app shouldn't be allowed to access anything. No network, no files, no hardware devices, nothing. Whenever the app tries to do anything, the user is prompted for permission by the system, even if it just wants to read its own config file, doesn't matter. That way the app can't do anything without the users permission and the user will get exactly informed about every action of this app (e.g. which file it tries to read, which Internet server it tries to contact).
In practice most users will download software from vendors they know and make their signature trust and never get bothered again. The OS itself is trusted by default and all default binaries of the OS are signed with a trusted signature. But as soon as you download any application from the Internet (possibly without even knowing that it got downloaded and executed), the app is like in a sandbox and only the user can remove it from there.
Then it's only a question of educating users to not just allow apps they don't know anything about to jump out of the sandbox and to educate them, that rejecting an app request usually has no negative consequences. Very often I see users clicking on Allow because they are afraid, if they don't allow it, they break something and their system cease working. This is ridiculous. If a system stops working just because you once disallow a certain action, the system is a pile of crap and should be replaced by a decent system.
A good example of software that works according to a similar concept (but not for file or device access, only for network access) is LittleSnitch for Mac (one of the little utility apps I have actually bought as all freeware alternatives suck). Thanks to LS no app on my system (not even command line ping) can send any network traffic anywhere without LS popping up and asking me for permission. Then I can choose to allow this access once, till the app terminates or forever (because I trust it). Further if it says Firefox tries to access www.google.com on port 80, I can generalize the request. Instead of just allowing this, I can say Allow all ports on this server (so 443, HTTPS would now work with Google, too) or I can say Allow all servers on this port (so all port 80 requests will work, not just those to Google) or I can say Allow any request, any server, any port to completely remove the protection of the app (again, just for the session or forever). If I made a mistake and allowed an app more than I should have or if I blocked it permanently and now certain features won't work, I can always modify the list of my permanent entries (and those for the current session as well) using a config tool. Further it detects if the hash of the binary changes, as someone could have replaced the app with another app to circumvent LS. Last but not least, LS works on kernel level using a kernel extension. A malicious tool could simply unload this kext (kexts can be unloaded at runtime in MacOS X), however, if it does so, network won't work at all anymore (this is an intentional protection of LS; it modifies the network stack in such a way, that no packets can go anywhere anymore if it's unloaded at runtime).
Mecki on August 19, 2008 5:48 AM
Don't do anything about FUIs.
Each infected computer brings its tech ignorant user one little step closer to a heart attack.
So hackers and FUIs are only a part of God's evolutionary plan to wither away tech ignorance and eventually -- make world a better place.
Tomek on August 19, 2008 6:00 AM
I work at a computer shop, and I can't tell you how many times I have seen similar viruses on customer's computers. From what I can gather, most of them don't even READ dialogs before they click ok. They don't care. They just want to play their free online poker or whatever silly thing they're doing.
I have had several customers who have ACTUALLY BOUGHT vundo/virtumonde variants such as WinAntivirus Pro, XPAntivirus, VistaAntivirus, etc.
These things are fairly nasty and we usually have to scan with several tools before it's all gone.
Matthew Morgan on August 19, 2008 6:11 AM
The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:
Certain irony in this sentence after your previous post extolling the virtues of JavaScript.
Possible solutions are blocklists at either the PC or the router level and the NoScript and plug-in for FF.
CS on August 19, 2008 6:18 AM
Themes, fonts, spelling errors, exclamation marks, textual style - using these to distinguish FUIs is a dead end. The FUIs will just start to emulate the native style more accurately. And pretty much any Windows machine contains applications with such widely varying visual themes anyway that the pick your own theme solution won't be of any use. (I don't remember when I last saw a media player of any kind that looked anything like the rest of the applications).
Remember how some years ago filtering messages with wrong To: field got rid of the vast majority of spam because the spammers didn't bother to forge that? They got smarter and now they put in not only the correct To: field, but often try to also use a plausible From: field too.
TT on August 19, 2008 6:22 AM
NoScript is a very useful extension to Firefox that would prevent this sort of attention diversion and spoofing. It's very easy to train users to temporarily allow a site to use Javascript; most of the time very little is added via scripts anyway.
I say this as a professional web developer who dearly loves Javascript.
I surf with scripting disabled and opt-in as needed. The world needs NoScript. The UI is fairly easy to use; clicking on a disabled section of the page will allow you to enable it. The only thing lacking IMHO is a good tutorial/walkthrough for new users.
Josh Peters on August 19, 2008 6:22 AM
Hmm... This simply could not happen on a real os. Even if the UI was more convincing than these and someone was going to enter their admin password for it, you just can't run code like this without the user knowing. ActiveX == BeyondFail.
dude on August 19, 2008 6:47 AM
I agree with Anti-sexist Pig. The You and I may understand that distinction juxtaposed with Your wife? (and no Your husband?) seems to imply that the we who understand this distinction and are reading this article are by default heterosexual males. I am not. As a female, I find this pattern of your wife/your mother/your grandmother (but not your husband/your father/your grandfather) as examples of noobs annoying.
Werd. I don't think it's an unlikely scenario that there's a number of chicks reading this blog who get a bit irked at the way this is constantly used - certainly we've already found two (plus a sympathetic bloke-with-a-blog) who've commented.
Is it any wonder there's no girls on the internets when standard discourse about teching the tech tech all leans towards the ubiquitous suggestion that women are, like, totally thick and wouldn't know a tech if it teched right up to them and teched them in the face?
bothwell on August 19, 2008 6:58 AM
I don't think anyone has mentioned yet about the ultimate type of sandbox -- a VMWare appliance that (a) is linux based, and (b) starts from a clean image every time. I find it really useful if I'm ever in dancing bunny territory:
http://www.vmware.com/appliances/directory/browserapp.html
For those suggesting that changing the chrome will help: well, yes, it'll help a savvy user _a bit_, but consider the usual smattering of desktop apps and their popup windows that are skinnable, captioned vs captionless, odd-shaped, etc. I have my own choice of background texture, fonts and colours, but many apps have their own 'exciting' UI that takes no account of my preferences.
Yes, it looks like a Windows dialog. Well, it'll be pretty trivial to make it look like a Mac instead if they could be bothered. Your average mac user might bask in the glory of thinking they don't need a virus scanner, but if a message pops up telling them their computer is slowing down or has a virus, then huge amounts of them are going to hit the 'yes' button.
mandrill
the_mandrill on August 19, 2008 6:59 AM
Alt-F4 will save you all.
Andy Wong on August 19, 2008 7:16 AM
Maybe we need two sorts of browsers.
One would be used only for browsing, and would only allow a limited amount of safe scripting. Nothing that could change the browser window, or open pop ups.
The other sort for web apps. This would allow the usual amount of scripting, but would only work with pages that had been specifically marked as an application. It might also require you to register a site before it could be accessed.
Steve Woods on August 19, 2008 7:17 AM
Sandbox those user accounts for your wife, baby.
And Virtualize. I liked your post on that :) And keep your docs on servers so you can access them from anywhere.
Greg on August 19, 2008 7:36 AM
For those who say that MS should build an AntiVirus into Windows, could you imagine the lawsuits this would cause: Microsoft has an AV built into the OS and people aren't installing my program! WAHHH!!!!!
Calvin on August 19, 2008 7:47 AM
Just use SD - Spybot - http://www.safer-networking.org/index2.html
Has an app called TeaTimer which helps to prevent unwanted registry entries.
As a female, I find this pattern of your wife/your mother/your
grandmother (but not your husband/your father/your grandfather)
as examples of noobs annoying.
I agree that he probably should have said spouse, but he never said grandmother. Let's not make the poor guy out to be worse than he was.
As for the mother bit, he *was* talking about doing a web search for flowers (that was the specific site that was hacked). Perhaps your family's different than mine, but I can't imagine my dad ever visiting the Michigan Regional Lily Society website. Mom, on the other hand, I could see.
And while we are on the subject, let's not forget that women can have wives too. :-)
T.E.D. on August 19, 2008 8:03 AM
I suggest a minimum skills test and a licensing program before people are allowed to use a computer.... :)
kyle on August 19, 2008 8:44 AM
Wow. I had Norton doing a search in the background that I'd forgotten about. It popped up as finished about half way through the article and scared the cr*p out of me.
Elk on August 19, 2008 8:53 AM
@kyle: That alone is the best idea ever created.
Calvin on August 19, 2008 9:16 AM
The first thing I do with a new compy for the wife or family is to have her pick a completely nonstandard theme that she likes. That way, FUI sites that model their UI after the generic XP/Vista look, stand out visually. She may not know what the website is trying to get her to do, but she can easily recognize that the OK button looks different than normal, and different == skeptical.
Kelly on August 19, 2008 9:19 AM
Antivirus is a scam. All it ever does is clean up a bunch of cookies. It slows your computer no matter what, unlike the chance of getting a virus which can be quite low if you think before downloading
The way I've got it setup, I boot with only 18 processes. If a virus came along it'd be noticed
Perhaps that's a way of having a startup virus warning system, warn the user if the number of processes opened after x seconds after startup is equal to the number they usually have on startup
If you are afraid of sharks, don't go into the ocean...
What does that have to do with it?
These idiots that write all the attack, phishing, stealing and generally 'just plain wrong' software are the sharks...
And their fins sticking up out of the water are their UIs; so you better get good at spotting them on the approach otherwise you're gonna get bitten...
Jeff, great write up in this post, you would be surprised at how many people, us techies as well, never think about this particular type of attack, bravo!
mac on August 19, 2008 10:20 AM
I love how the text Now performing system components scan is way out of line. IE CSS styling issues, anyone?
Brian Lowry on August 19, 2008 10:52 AM
I think most people here are missing the point, most USERS will be pulled into this scam as it appears at first glance to tell you something is wrong. Any self respecting user will click OK as it seems to be the best bet.
Always tell everybody you meet, never click 'OK' always click 'Cancel' and if in doubt ask...
I tried to click on a bitmapped UI today. :-|
Chris J. Breisch on August 19, 2008 11:43 AM
Always tell everybody you meet, never click 'OK' always click 'Cancel' and if in doubt ask..
Is that a good idea? How do you know what the 'Cancel' button will actually do? I'd tell them to always click the little red cross.
Steve Woods on August 19, 2008 12:15 PM
I got that fake virus scan UI a few months ago, simply by visiting The Drudge Report!!
It was launched by one of the pop up ads. This is apparently a big problem, a game of whack-a-mole for ad servers.
It's extremely worrisome, and I had contacted the site about it.
I was on Firefox on a Mac, so obviously I wasn't fooled.
But imagine.. a site *that* popular, and popular with people not necessarily tech savvy.
How many compromised websites are out there? Industry analysts have quoted something like just one in 30 websites is safe. Read more in the post Is Your Website Safe?
http://www.pcis.com/web/vvblog.nsf/dx/06122008033044PMVVIUEJ.htm
Well, assuming there is no exploit here, the only danger is downloading and running that executable. I've taught my parents well that just like in the real world on the streets of a large city, the web is full of crooks looking to scam you, so be cautious and alert of ANYTHING out of the ordinary. Basically, I've gotten my mom very familiarized with the concept of downloading files from Firefox, and to NOT click 'OK' on a download window that was not requested. In this case that would work, but obviously with major exploits that is not going to work.
Also, I can see how hacked legitimate websites are a really difficult thing to protect against.
On a related note, why in the BLEEP are you using Internet explorer for god sakes?? The first thing I do for novice users is to immediately switch them to firefox for basic security against most drive-by malware installs...
Great post with practical punch.
I'm not sure what the answer is. I'm pretty sure it's not user education -- that would never pass my Mom test (i.e. does it work for Mom). If prevention isn't possible, then I wish alert/recovery was better, but I think that's where backups/antivirus weigh in.
J.D. Meier on August 20, 2008 2:10 AM
Tried to duplicate googling Michigan Regional Lily Society to get to the FUI. Apparently they've fixed it now.
Dave on August 20, 2008 2:37 AM
This reference to the screenshot as desktop background reminded me of thewebsiteisdown.com if you haven't seen it - it's hilarious!
Naoum on August 20, 2008 3:48 AM
Use some obscure operating system that looks completely different, like MacOS. The scammers don't target that OS because there is such a small percentage of people using it compared to Windows.
Vadim on August 20, 2008 5:21 AM
Hi to everyone:
While the Fake User Interface can be a burden for users, it CAN also HELP developers.
For example (a common example), a customer asks a developer for an x-application, but first he wants to see some screens. Of course that's impossible, or requires too much effort and developer time, only to show some fancy screens (and the customer can retract their offer). So what's the solution? To fake an interface: create an interface using Photoshop or any other graphics tool.
I got that fake virus scan UI a few months ago, simply by visiting The Drudge Report!!
There's your problem right there. Seriously. This is a guy who exists to spread lies about the personal lives of people he disagrees with politically. You expect such a person to have moral qualms about taking money from questionable advertisers?
T.E.D. on August 20, 2008 7:38 AM
My webserver was also infected with the same malware; it could be due to some FTP client that I use!
The way they achieve it is by editing the .htaccess files and rewriting the redirect.
Shyam on August 20, 2008 7:41 AM
how would you combat a perfectly spoofed FUI presented to a naive user?
I wouldn't. If it is perfect (and we will see such FUIs), there's nothing you can do.
I would focus on making sure that the user can recover well from the inevitable resulting infection.
tcliu on August 20, 2008 7:55 AM
I can't wait for macs to get enough market share to become a virus target.
brian on August 18, 2008 06:09 PM
Wow - that's almost the kind of low-life misanthropic scumbag sentiment that would qualify you as one of these malware/spoofing goons. Congrats!
Yes, I know that there's an annoying strand of Mac users who bleat on and on about how secure they are in their smug little world (they annoy the hell out of me too), but I wouldn't wish this kind of misery (or the fear-mongering antivirus industry) on anyone - even smug Mac users.
(BTW, I am a Mac user who works with PCs all day long, and is thankful that Macs haven't substantially caught the interest of the scumbags - /yet/).
The whole point of computers is to execute code. I should be able to safely download and run anything on my computer. The fact that you can't shows what a disgrace all operating systems are in.
** And I could care less that *nix not running as root will stop me from trashing the machine completely. If all my files are readable / deletable / corruptible you might as well take down the entire machine. Whee I can still boot, but all my files were scanned for info and uploaded to stealmyidentity.com
It's like going to an arcade where some of the machines will randomly cut your legs off at the knee, and you have no way of knowing in advance, regardless if you inserted your quarter or not.
insertcoin on August 20, 2008 8:25 AM
@Rob Uttley: I agree with you about the Mac sentiment. I too am a (recent) Mac convert at home. But at work it's all PC. I feel that a Mac tends to feel more secure, but it's all in how much security you implement in either system. Yes, a Mac can be a target, even without the market share. Anyone who thinks that just because they haven't seen an attack in a long time doesn't mean it can't happen. I remember a saying from someone that went kinda like: The only secure computer is one that is locked in a box, secured in concrete, and sunk to the bottom of the ocean. Even then, I'm not so sure.
The irony of the beginning of the article is that not even ten minutes prior to reading this, I did that with a legitimate screenshot sent to me by support. I started to laugh when I read that.
But then the thought processes kicked in. It really isn't funny when you surf to what you thought was a safe website and get a message that looks almost exactly like a message from your antivirus software. I use AVG at home and have seen windows that look just like the alert messages from v7. I now use v8 and haven't seen a virus message window yet (fingers crossed). But I think I'd like to find a test file to see what it looks like with their new UI.
I think as a geek, one should know what the various messages look like in the preferred installed security software. This way, you will be more prepared to support your 65 year old mother who rarely does more than play solitaire, read emails, and surfs the latest political news from Michael Savage. Ok, that's my mom, but you get the point. She ISN'T going to know these messages and will call you with questions when she sees it.
And as far as making sure YOUR UI conforms to friendly and user safe ideals does nothing for the unscrupulous as***les out there that have nothing better to do than to push a virus/malware/adware onto unsuspecting, non-geek users just to maybe get a few sales out of their software redistribution site.
I had a friend who did the click and ended up disabling ALL of Norton Internet Security including the antivirus software and installing a freeware antivirus app that did nothing more than throw up ads and log surfing habits. It took me a three day, complete reinstall of Windows to clean that mess up.
John Baughman on August 20, 2008 9:52 AM
Is it any wonder there's no girls on the internets when standard
discourse about teching the tech tech all leans towards the ubiquitous
suggestion that women are, like, totally thick and wouldn't know a
tech if it teched right up to them and teched them in the face?
I thought there were no girls on the internets because whenever one happens to log on (by mistake, of course), the standard discourse from all the teenage[-minded] male techs leans towards hey baby, wanna tech my tech? and show me your tech!
What I don't get is this: why do they 'need' you to click the 'ok' button? What's to say the 'cancel' button isn't also 'rigged' with whatever payload may be on the page?
matt on August 20, 2008 11:13 AM
I got that fake virus scan UI a few months ago, simply by
visiting The Drudge Report!!
There's your problem right there. Seriously. This is a guy who exists
to spread lies about the personal lives of people he disagrees
with politically. You expect such a person to have moral qualms
about taking money from questionable advertisers?
I expected some American to reply something like this. You can't mention anything or anyone related to politics; with you guys, it's always about left vs right, black or white, and kicking anyone else in the face. Drudge is a top tier site, that's all. The ad banners are served by agencies that serve THOUSANDS of web sites.
Google has also been fighting with the same problems of banner
http://www.e-consultancy.com/news-blog/363189/google-ads-used-in-spyware-phishing-scam.html
http://blog.taragana.com/index.php/archive/myspace-banner-ad-spreads-spyware/
Malicious Flash banner ad on USATODAY.com (the virus scan in this post)
http://securitylabs.websense.com/content/Alerts/3061.aspx
etc, etc..
There is a whole story about how these malicious software guys create fake companies to buy some ad space, and then the ads spew the fake virus scan very randomly, so it takes longer to get caught.
It's actually not a virus or a spyware. They sell a software that reports finding viruses, and then reports fixing them, but it actually does nothing. It begins to nag you about fatal machine problems when it's about to expire, to make you buy again an update. They basically sell Placebos Software. What's interesting is that they make enough money to buy ad spaces on large web sites.
I've seen several suggestions to just click the little red X, but might that not also activate code?
Beet on August 20, 2008 12:14 PM
This kind of threat can really harm those that are not familiar with pc. For this reason I strongly suggested to everyone to have an antivirus like AVG. AVG in the 8.0 version has a plugin for IE and firefox that shows you a little icon in the google search page, showing if the link is secure.
But in the end I think that the only solution is to teach users how to protect themselves. But if you begin to teach people: Never install anything you are sure of, never click on a link on a mail...we came to a point where the user fears to click any button on the screen.
alk.
Gian Maria on August 20, 2008 1:30 PM
To all who suggest that the Ok button isn't the only way to do this, you are correct. Clicking ANYWHERE on the window can do it; been there, seen that.
@insertcoin: Ironically, running a virus on your computer is safely done. Just had to put that out there.
As far as the faux desktops, I saw someone set their login wallpaper to their logged in wallpaper and the logged in wallpaper to the login wallpaper. Really confusing to the uninitiated...
John Baughman on August 21, 2008 2:11 AM
What are you guys talking about? Why run noscript and other plugins that cripple the entire browser?
All major browsers are already sandboxed enough so that javascript won't be able to run executable code on your computer.
It won't matter if you click OK on a javascript dialog, nothing will happen. As long as you don't install any activex-crap or download any executables you're fine.
The worst thing that can happen without noscript is an infinite alert()-loop.
Crazy Ivan on August 21, 2008 3:55 AM
Running as non-admin certainly does help, but it only isolates viruses, it does not eliminate them. For example, a virus could still access your address book and files, but not someone else's. Anti-virus software would still be needed to eliminate them.
BTW, I can often tell fake UIs just by the cursor.
A friend of mine has been fooled by a fake UI as well. He got lost installing everything they proposed.
I took a thumbnail sketch and realized the fake because his OS was german and the faked XP security center screen english ;)
but they got him anyway ,(
Chris Richner on August 21, 2008 1:26 PM
Sometimes these things are really needed for some experiment.
Hein Lehmann on August 22, 2008 4:42 AM
He gave everyone the ridiculous notion that anybody can use a computer without education.
No, Steve Jobs is more to blame for this.
I think that someone at Microsoft is having a good laugh at the way that we all fall for FUI...
This last few days, I've been forced to use the Snipping Tool in Vista to create screenshots of some of our apps here. Like you say, having a screenshot of a UI is bad enough in terms of me wanting to click all the buttons etc., but this little utility goes one further:
It doesn't matter where the Snipping Tool window is on the screen, if I am doing a 'Window Snip' of a relatively small window, once I select the window the tool automatically positions itself so that the screenshot is perfectly in line with where the actual real UI was. If I get distracted even the slightest while I'm doing this then I end up with blue dots on the screenshot!!
It's been driving me mad!
C
Carl on August 22, 2008 9:41 AM
I blame Bill Gates. He gave everyone the ridiculous notion that anybody can use a computer without education. :)
David Meyer on August 22, 2008 10:08 AM
There should be pictures of a file KILLING YOUR CAT and BURNING DOWN YOUR HOUSE on warning dialogs...
Kalmi on August 23, 2008 6:47 AM
Well, I think this is a serious problem and it will be hard to solve this properly.
It is a problem, because there is software which just spoiled the standard error channel from the computer to the user - the dialog boxes, as others stated already.
For example, the Do you want to close the application? You got unsaved stuff! does not belong in this standard error channel. The application should just restore the state at exit upon restart and present some reset-button to get the current reseting restart.
However, the result of this dialog-madness is that no one reads all those dialog boxes anymore. Thus, you can pretty much forget to add more content to them - who is going to read all that? A user will prolly think meh, its just more are you sure-yadda-yadda, yes, ok, go away. To be honest, I cannot blame them for that. I curse those XP-popup-bubbles every time I start XP - There are wireless networks! I know, but you have a cable connection, shut up. - There is no firewall activated! There is a firewall, you just don't see it, be quiet... - Look, I found a usb-device! Its a keyboard! yay! ... (but in general, I am too lazy to search for a way to deactivate them, heh).
I guess a mean way would be to remove the possibility to just click on yes, heh. Do you want to execute this untrusted code? - click yes. This software appears malicious. Shall I stop executing it? - click no. The second step would be to remove as much techieness from the dialog boxes as possible. This software comes from a site that was marked as dangerous. If you execute it, it might damage your computer and reduce your pleasure using this computer! Do you really really trust this? (Observant readers will see that I assumed an operating-system-level site/application-flagging, like firefox does already on its browser level and possibly also remembering where software came from).
And by the way - a perfect FUI would fool everyone, because it is perfect. ;)
Bayesian filtering on the source?
Anonymous Coward on August 23, 2008 11:02 AM
I'm dealing with this exact problem right now. A lady brought in a PC for me to fix and it has Windows XP Antivirus 2008 on it. One of those You have 200 spyware/virri on your computer! taskbar pop ups, then you pay them $30, put in a license code and it deactivates their popup. Add/Remove programs says that it's 2.6mb, obviously NOT an antivirus solution.
There's not much that can be done except continuous education on the subject by those who are kept in the loop. I always tell my friends/customers to never, under any circumstances download anything from the internet that says they need a virus scan, free coupons, free car, win an xbox, take a free vacation, free prostitute, etc. (Ok, so the last one was made up, but you get the point) But despite these warnings, there are those that let other people use their computer and they cause the problems. Like this lady I was referring to, it was her son that loaded this fake AV up on her machine and probably fell victim to a snazzy FUI.
Taylor on August 25, 2008 6:27 AM
I got this one yesterday evening - again, first Google hit searching for (IIRC) something about a Mail problem.
Fortunately, it rang all the alarm bells (and I hadn't seen this article yet), although I didn't notice whether the IE7 title bar mentioned '... from Dell' or not.
This evening it'll be new themes, and a training session for the rest of the family.
Then I'll be installing Ubuntu/FF on the other laptop...
DavidR on August 26, 2008 10:18 AM
Personally, I get freaked out when I get automatically transferred to another website. Last time I got transferred, it was like a pop-up that said your computer is not 100% secure. Click here to get it checked or something like that. Obviously, I'm not an idiot so I clicked the little X to get me out, but no matter where I clicked it would transfer me and it would start downloading something...when that happens I shut down my computer straight away to prevent anything bad getting installed. I currently have an out-of-date antivirus, which is completely useless, but whenever I try clicking the renew button it says I can't because the antivirus I have is too old. Also, I can't download anything, which means I can't download a better antivirus...This is really starting to annoy me and I think the best option would be to buy a new laptop/computer even though I really don't want to.
Any opinion/helping facts would be appreciated
Thanks in advance
fred on August 27, 2008 10:52 AM
Has anyone here ever taken a nap after work or school and woken up in a Panic that it is 8am and run to work or school only to find no one is there?
Well, in reality, for me, it was the same day and 8pm not A.M. o clock...
I hope Dave does not delete with comment post, but I'm gonna say that I run a Linux Distro as my Desktop and have not dual booted into my Windows Platform for quite some time now.
All the viruses you describe Linux is immune from and the ones that could get through Firefox under which I am logged into the Linux OS as my username and not as root/administrator. Any virus that happened to get that far couldn't do anything major to the Operating System, although there is the possibility the virus could delete or mangle or whatever files in my /home/user directory, that's about it.
Matt K. on August 31, 2008 6:13 AM
I just came across this Google Chrome thing, and darned if this doesn't look like the savior of the Internet.
http://blogoscoped.com.nyud.net/google-chrome/
Ryan Meray on September 1, 2008 1:06 PM
This bad program! It sou you money profit affiliate program!
Jordani on September 5, 2008 8:57 AM
Whenever things like that happen to me (it's been a long time since last time, some +2 years I think) I always go Ctrl+Shift+Esc to open up the Task Manager and I just kill the entire browser. As suspicious as I am I don't give my 5 cents to any close button the malicious website has produced. But that's just me. :)
ObviouslySuspicious on September 8, 2008 1:52 PM
Jordani! This bad english! You are incomprehensible!
Spimly Spinglefinger on September 16, 2008 2:01 AM
As others said before the problem is that everyone wants to use a computer but no one except IT guys wants to learn and understand what is a computer, how it works, at least at the software level etc.
Some will call me Fascist (Godwin is always near...) But I don't understand why you need a license to drive but not to use a computer.
Cars travels by public routes, Computers too (internet)
Cars can be dangerous to other users, Computers Too (forwarding Viruses, being a Zombie PC, forwarding Spam etc etc.)
so IMHO there should be a Minimum level of knowledge required to be allowed to use a computer connected to the net (idiots can still use a computer but not connect it to the net)
@Mee
By that same regard, let's add in a license for raising children to filter out the bad parents.
HB on September 30, 2008 8:56 AM
As I've tried to explain to my parents and so many others, although the UI is convincing, the dead giveaway is usually in the atrocious spelling and grammar, random capitalization, and excessive use of exclamation marks and the word FREE.
The first paragraph in that dialog is something you'd never see in even an alpha version of a Microsoft product, or any commercial spyware/virus scanner. Then of course there's the message on the scan window below that says Your may have Spyware (my what?). And, like I said, random capitalization and exclamation marks everywhere. Everything up to the lame Protect Now vs. Ignore choice (why would you ever be given these options?), and the whole UI is positively littered with that phrase (Protect Now).
One of the most valuable classes I had in elementary school was a media class where they taught us about the different types of advertising claims and marketing language. Unfortunately, I think that most schools and boards have done away with this. Although people like you or I are able to recognize these spoofs because they make no technical sense, even the most techno-illiterate user would be able to infer from the language itself that they're being sold something.
These phishers can be brilliant hackers and scammers but the one trait they all seem to have in common is god-awful writing skills. Forget about educating users on how the system works - if we can just educate them enough to intrinsically mistrust the words free, download, now, and anything with an exclamation mark or ALL CAPS, I think we could save 9 out of 10 victims.
And I know that's an uphill battle too, and there will always be people who can't even be educated on that either. For those people I recommend shock therapy.
Aaron G on February 6, 2010 10:38 PM
Conspicuously absent from the discussion on how to avoid getting infected by a virus is the best current solution - antivirus software.
The best solution to keep grandma from installing fake antivirus software isn't to try to teach her about browser chrome and the mechanics of malware, it's to get there first and install a trusted antivirus program first.
I know you've dismissed antivirus software as worthless, but that doesn't really make sense in this case. AVG protects against antivir64. Done.
I just clicked through and installed from http://scanner.antivir64.com/?aff=1050. AVG (of course) detected the trojan install, and the AVG UI is well designed so ignoring the threat takes several steps and is not easy to do. Grandma is safe.
I don't run AVG on all my development machines - I'm running Vista as a limited user and that's good enough security on those machines (they don't have an e-mail client, etc.). I do run AVG on my communication computer (outlook, browsers, chat) and it has caught virus install attempts in the past year.
But, I absolutely install AVG on my parents, wife's, and other friends' computers. For precisely the reason you spelled out in your post.
Jon Galloway on February 6, 2010 10:38 PM
Forget about educating users on how the system works - if we can just educate them enough to intrinsically mistrust the words free, download, now, and anything with an exclamation mark or ALL CAPS, I think we could save 9 out of 10 victims.
That doesn't work, as intrinsic distrust of free is the main obstacle for me convincing people to use FOSS.
I agree with Anti-sexist Pig. The You and I may understand that distinction juxtaposed with Your wife? (and no Your husband?) seems to imply that the we who understand this distinction and are reading this article are by default heterosexual males. I am not. As a female, I find this pattern of your wife/your mother/your grandmother (but not your husband/your father/your grandfather) as examples of noobs annoying.
Anon on February 6, 2010 10:38 PM
@AlphaCentauri A somewhat effective AV program is much better than none at all, especially when it comes to uneducated users. AVG scores 90+ percent on zero day threats, climbing to around 98% soon thereafter.
Focusing on the zero-day threat is a strawman argument, like dismissing airbags because they don't protect you from asteroids and zombie attack. A virus takes time to propagate, so the statistics show that you're unlikely to win the un-lottery by being the unlucky one to encounter a virus first.
AVG protects from the virus listed in the blog post.
Installing one of the top AV programs immediately lowers the risk of internet usage from fairly certain to rather unlikely, especially for unsophisticated users (or sophisticated users who get sloppy).
Jon Galloway on February 6, 2010 10:38 PM
That doesn't work, as intrinsic distrust of 'free' is the main obstacle for me convincing people to use FOSS.
No, the intrinsically crappy quality of FOSS is the main obstacle for you convincing people to use FOSS. People don't mistrust free at all, they LOVE free, as long it's also easy (which all those crapware toolbars and screen savers and wallpapers are).
Aaron G on February 6, 2010 10:38 PM
I am rather fond of the Antivir's refund policy:
Refund Policy
If you are assured that quality of services given by us mismatches declared, you can demand return of money not later than 30 days from the date of payment, but thus your card will be blocked for payment of our services in the future.
For this purpose it is necessary for you to send inquiry with the detailed description of a problem on support@antivir64.com
I wonder how much it would cost to hire a translator - it's got to be a profitable scam.
Aaron on February 6, 2010 10:38 PM
I don't know... it might not actually be FUI. It looks real to me and the installer worked. I mean, everything installed without a hitch and I now have antivirus where I didn't before.
I guess thanks would be in order.
Thanks Jeff.
rwheadon on February 6, 2010 10:38 PM
The comments to this entry are closed.
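The post describes a redirect that only fires for visitors arriving from a search engine, and Shyam's comment above says it was done by editing .htaccess files. As an added example (not from the post or any commenter), this Python check lets a site owner scan .htaccess text for rewrite rules that test the referer and redirect to a host that is not their own; the hostnames, the sample rules and the engine list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Substrings treated as "search engine" in a referer pattern
# (an assumed, non-exhaustive list).
ENGINES = ("google", "yahoo", "msn", "live", "bing", "aol", "altavista")

# Directive name plus its first two whitespace-separated arguments.
DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)

# Constructed sample; lilies.example stands in for the site's own host.
SAMPLE = r"""# Constructed sample .htaccess, not taken from any real site
RewriteEngine On
# Hotlink protection: tests the referer but never redirects off-site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?lilies\.example/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,L]
# Canonical host redirect: absolute URL, but our own host and no referer test
RewriteCond %{HTTP_HOST} ^lilies\.example$ [NC]
RewriteRule ^(.*)$ http://www.lilies.example/$1 [R=301,L]
# Injected-style block: only search-engine visitors are sent elsewhere
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
"""


def _is_own(host, own_hosts):
    """True if host is one of the site's hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in own_hosts)


def find_referer_redirects(htaccess_text, own_hosts):
    """Return RewriteRules that depend on the referer and leave the site.

    RewriteCond lines apply only to the next RewriteRule, so conditions are
    collected until a rule is seen and then discarded.
    """
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        kind, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "rewritecond":
            pending.append((first, second))
            continue
        conds, pending = pending, []
        referer_patterns = [
            pat for test, pat in conds
            if "http_referer" in test.lower() or "http:referer" in test.lower()
        ]
        target = second.strip("\"'")
        host = ""
        if re.match(r"https?://", target, re.I):
            host = urlsplit(target).hostname or ""
        if not referer_patterns or not host or _is_own(host, own):
            continue
        # Non-negated patterns naming a search engine are the stronger signal;
        # negated ones ("referer is not us") are typical hotlink protection.
        engines = [
            e for e in ENGINES
            if any(not p.startswith("!") and e in p.lower()
                   for p in referer_patterns)
        ]
        findings.append({
            "line": lineno,
            "target_host": host,
            "referer_patterns": referer_patterns,
            "search_engines": engines,
        })
    return findings


if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE, ["lilies.example"]):
        print(f)
```

Because the owner who browses directly never triggers such a rule, reviewing the file (or diffing it against a known-good copy) is more reliable than visiting the site to see whether it looks fine.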