Coding Horror
programming and human factors
by Jeff Atwood

July 22, 2005

The Dancing Bunnies Problem

In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can't be trusted. And then there are all those dancing bunnies to contend with:

What's the dancing bunnies problem?

It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".

The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

Oolong the bunny

There are lots of techniques for mitigating the dancing bunny problem. There's strict privilege separation - users don't have access to any locations that can harm them. You can prevent users from downloading programs. You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies). You can force the user to input a password when they want to access resources. You can block programs at the firewall. You can turn off scripting. You can do lots and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever is necessary to bypass your carefully constructed barriers in order to see the bunny.

Here's hoping Longhorn (aka Windows Vista) is the first Microsoft OS to default users to non-administrator accounts. Because users can't help themselves-- they just have to poke the bunny.

I think the real solution, if there is one, is high-speed virtualization. The user will always play in a sandbox that looks and performs exactly like their current installation, but is in fact a Virtual PC style image. If something bad happens, you just ball it up and throw it away.

Posted by Jeff Atwood

 


 

Comments

Lots of pictures of Oolong the rabbit:

http://www.fsinet.or.jp/~sokaisha/rabbit/rabbit.htm

Sadly, Oolong passed away in Jan 2003; he was 8 years old:

http://sokaisha.hp.infoseek.co.jp/030108/030108.htm

Jeff Atwood on July 25, 2005 04:46 AM

Well, I'm delighted to say that when I went to poke the bunny Mozilla told me I was missing a plugin and _I didn't install the plugin_ just to be able to poke the bunny. Har-har. Nonetheless, a true fact.

mike on July 25, 2005 12:09 PM

Poke the Bunny is pretty good, though. That's all I'm saying.

Jeff Atwood on July 25, 2005 01:05 PM

This is the liberal approach in which the government protects citizens from themselves. How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?

I think sometimes as application designers we take protecting users from themselves too far. Like you point out in the end it can't be done anyway. Far better to design simple clean applications that discourage bunny poking BY ACCIDENT, but if the user decides they want to poke the bunny well so be it.

Ole Eichhorn on July 25, 2005 01:24 PM

> How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?

Well, the problem is that *everyone* gets bitten. Once a machine is hijacked, it becomes a zombie that is under total control of the hacker. It is then used to send out spam, perform distributed denial of service attacks, and other nefarious things.

So it's really about protecting the public good.

The same argument applies to motorcycle helmet laws. If some jackass decides he wants to ride without a helmet, that's fine until he has an accident, becomes severely brain damaged, and racks up a multi-million dollar insurance bill that the rest of us then have to foot through increased healthcare insurance premiums.

> Like you point out in the end it can't be done anyway

I think it can be done if everything is virtualized all the time. The upcoming hardware hooks for faster virtualization (Pacifica, and Vanderpool) make this at least feasible.

Jeff Atwood on July 25, 2005 02:49 PM

Jeff, I have to disagree.

(I disagree about motorcycle helmets, too. If someone wants to kill themselves, they should do it. The problem in that case is the way insurance works, not the way motorcycles work. But I digress.)

Virtualizing hardware isn't going to protect you from dancing bunnies. There will still be a way for people to harm themselves.

(Same point about managed code protecting you from memory leaks. Sure, you don't have to remember to delete objects, but you do have to remember to NULL points, so what's the difference? And it is just as hard to track down a bogus reference count as it is to track down a leaked object. But I digress again.)

I really think education is the best you can do, not some global mechanism of "protecting the public good".

Ole Eichhorn on July 27, 2005 12:56 PM

> problem in that case is the way insurance works, not the way motorcycles work

Actually it's a problem in the way people work, because they optimize for themselves, eg, the Tragedy of the Commons. I don't like insurance either but it is compatible with realistic modes of observed human behavior.

> There will still be a way for people to harm themselves

I disagree. Can you harm yourself in a Virtual PC image? If you get in trouble you just shut it down and undo the last set of changes. Or, instantly spin up a new one from any "restore point" in the last few months or years. Poof. Problem solved. Apps / viruses cannot escape from Virtual PC!

Education is always good of course, but to argue that we can ONLY fix this through education and shouldn't bother with the technical hurdles is a little irresponsible.

Jeff Atwood on July 27, 2005 01:12 PM

Virtualisation brings one BIG problem - if the user indeed does something stupid, you still have to distinguish between what's right and wrong, because all user data, documents are still the product of a program running in the VM, and you can't trash them.

Keff on April 21, 2006 03:39 AM

"Can you harm yourself in a Virtual PC image?" You can - very easily, just see a dancing bunny, create some important content, and then try undoing dancing bunny... See?

Keff on April 21, 2006 03:46 AM

> because all user data, documents
> create some important content

Most users aren't creating any content or documents. And for the few that are, their content/document is often lightweight enough for them to use server-based solutions (eg, Writely, Tadalist, Hotmail, del.icio.us etc).

For the tiny, tiny minority that are creating a lot of heavyweight content using heavy client tools, they need to pull that content through the VM-- maybe in a shared folder.

Jeff Atwood on April 21, 2006 08:56 AM

> want to see dancing bunny
> create important content
> undo dancing bunny

Not a problem, if the dancing bunny wasn't in the same virtual machine as the important content. Of course the problem then is that people aren't going to start up a new virtual machine just to see the dancing bunny (because it's just so much extra hassle when I can just do it right here).

Watson on March 4, 2007 03:00 AM

I tried to see the Dancing Bunny. I even clicked to install the plug-in. But god-damn it, I'm running as a non-Administrator and couldn't do it! Time to runas... Administrator and try again!

Rob on March 28, 2007 10:51 PM

"Of course the problem then is that people aren't going to start up a new virtual machine just to see the dancing bunny"

No problem, just automate: Isolate all external communication (disk drives, e-mails, web pages) into its own "Quarantine" VPC automatically. Only shift Word Documents etc *into* that VPC, never out.

That way, if you click the bunny, you'll only lose important data that's been Quarantined. Every 'x' days, you could move the Quarantined data to a third VPC, so if you bunnied, you could retrieve anything 'x' days old. 'x' is defined by the time it would take for a virus to have been detected elsewhere.

Of course, a user could be persuaded to move all their documents into the Quarantine area, but that's time consuming. And easily overcome by storing a backup copy of the data when you move it into Quarantine.

deworde on November 13, 2007 10:37 AM

You were so right about the dancing bunnies.

http://www.xbox.com/en-US/games/b/boogiebunniesxboxlivearcade/

engtech on April 2, 2008 10:15 PM

The conservative method is to pray to god to smite the virus then tax the operator who downloaded the virus, the operator who attempts to run it, and the owner of the computer for allowing operators to be stupid.

Nothing is foolproof; fools are too ingenious.

Randy on April 7, 2008 10:56 AM

You overestimate the insulating power of the virtual machine. It only insulates if you start up a separate VM for each task. But that keeps apps from being able to benefit from other apps (ever import a spreadsheet into a text document or paste values from a document into an email message?). Part of the value of the OS is that it preserves state and grows with you. Remembering to automatically check all the boxes I want (proper defaults) is called "streamlining" (not "reckless"). People just do not want the burden of running every task in isolation. Hence, the VM is not a practical Silver Bullet for daily use. Effective, yes. But too much for every application.

FetusBear on April 7, 2008 12:37 PM

I think you mean the 'dancing pigs problem'. You're not the first to get it wrong, but dancing pigs was the original name for the problem, not dancing bunnies, not even if dancing bunnies are more successful at propagating. ;)

http://en.wikipedia.org/wiki/Dancing_pigs

kesuki on May 14, 2008 07:19 PM











Content (c) 2008 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.