[LINK] Study shows pop-up warnings are ineffective

Glen Turner gdt at gdt.id.au
Wed Oct 1 12:22:29 EST 2008


andrew clarke wrote:

> However, my understanding is that modern web browsers largely block
> pop-up ads.  So it's old news, but that's not the end of it.
> 
> Some people unfamiliar to the user interface of their computer
> software (versus the user interface of web sites) only have to see an
> image (or an embedded object, eg. Flash, Java, Silverlight) of a fake
> warning dialog box on a web page and they will click on it,
> practically volunteering themselves as beta testers for malware.  ;-)

Ah, good olde blame the user.

The malware authors go to extremes to avoid popup blocking and to make
their software appear real. Your example of Antivirus Xp 2008 is a fine
example -- it looks real and every user has been "educated" into the
need to run a virus scanner (Windows will even complain if you are not).

I prefer to play blame the designer. Why do web sites need to produce
popup screens? Is that need so important that it is worth the risk of
misleading users?  Why does the popup have the same window decoration
as windows from more trusted sources?

> I have not used Vista but from what I understand its UAC prompts are
> primarily designed to prompt the user for a password in the case where
> a program requires Administrator access to perform a particular
> function.  There should be no way for malware to bypass UAC, but if
> the user is determined to install a program they think is a legitimate
> virus scanner (but is actually malware) then a few pesky UAC prompts
> isn't going to stop them.

It prompts for Proceed/Deny. Malware can avoid UAC, simply by
avoiding UAC-protection operations. Unfortunately, UAC isn't
a security perimeter, so you can still do useful damage without
tripping UAC.

I've used Vista and I can't see UAC as being of much use. Firstly,
it is incredibly chatty. The third-party nature of so much Windows
software distribution means that you're forever allowing programs
to do stuff, especially when the computer is new and so much additional
software needs to be installed to get a useable box. This conditions
users into thinking that clicking Proceed is normal behaviour.

Secondly, it puts people on the spot, and in a poor mind to deny
the request. They're trying to get stuff done and UAC is getting
in the way and hassling them. The user is in a mind to click Proceed.

I much prefer the SELinux approach. Deny the activity and audit it.
Put an alert on the screen saying the activity was denied. Give a
audit review tool which allows denied requests to be authorised in
the future.  This approach moves the consideration of security out
of the heat of the moment.  Also, SELinux is a security perimeter,
which means that when it says "no" the only way of getting to "yes"
is through SELinux. It's not just asking about commonly-used exploit
paths, but policing requests through all paths.

> Many computer users are guilty of not reading every dialog box that
> prompts us to answer a question.

Many operating systems are guilty of bothering the user with questions
the operating system is in a better position to answer than the user is.

-- 
  Glen Turner   <http://www.gdt.id.au/~gdt/>


More information about the Link mailing list