Fake popup study sadly confirms most users are idiots
By John Timmer | Published: September 23, 2008 - 05:15AM CT
Going to a webpage, you are presented with dialog boxes emulating Windows dialog boxes. The dialog boxes say
“The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.”
There are 4 different dialog boxes, all with the same text, but some look more real (look more like a standard Windows dialog box), some look more fake.
The results:
“Of the 42 students, 26 clicked the OK button for the “real” dialog. But 25 clicked the same button for two of the fakes, and 23 hit OK on the third (the one with the status bar showing). Only nine of them closed the window—two fewer than had closed the real dialog. In all cases, a few of the users simply minimized the window or dragged it out of the way, presumably leaving the machine’s next user at risk.”
My question is: if an application has the capability of displaying this fake dialog box on my screen, how much more dangerous is it to click OK than any other course of action? It’s not like a malware program would treat the fact that I closed the window instead of clicking OK any differently. And anyway, the dialog box only had one button! What would a “smart” user do? Immediately unplug the computer?
A better test would have been a realistic dialog box saying something like
“The publisher could not be verified. Are you sure you want to run this software?” Run / Cancel
Then someone clicking “Run” without thinking would be an idiot.
Okay can authorize the .exe file to run. If you close the window (preferably by Alt-F4 or right clicking on the tab on the task bar), it doesn’t authorize the .exe file to run. Note that hitting Cancel can be the same as hitting Okay, as the buttons can be made to do whatever the app likes, hence why closing is the best option.
But if my application is capable of displaying a dialog box with whatever text it wants, then why even bother displaying a dialog box in the first place? Do whatever you want to do without the dialog box. Or change the dialog box to say “Process Completed - Click [OK] to continue.”
But if somebody doesn’t know this, why does clicking OK make them an idiot? You have to do something, after all. I’m afraid this “not familiar with the detailed ins and outs of Windows = idiot” equation annoys me.
Right. There are plenty of people who use computers but have never once used a Windows computer. There are people who use computers but have never once used a GUI, and not just blind people with screenreaders. Frankly, this aspect of Windows (making ‘OK’ and ‘Cancel’ the only buttons on dialog windows regardless of context) has always been horribly misdesigned precisely because it’s so confusing.
Would you accept stranger from a candy? Why would you authorize a program to run if you didn’t know what it was.
A lot of time these fake dialog boxes are just .JPGs, especially if they’re within a browser. Another type is a popup box from a browser. Simply clicking “Okay” on these is just not good computing practices. I probably would use the term, “not computer* savy”, instead of idiot, but it’s still not smart, regardless.
The dialog box saying “The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.” came from program malware.exe. If program malware.exe is a nefarious program, then why would it even popup a fake dialog box with that text in the first place? Why not just go ahead and do whatever it is that malware.exe wants to do?
The dialog box saying “The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.” came from Windows, because the operating system realized that program malware.exe tried to do something “bad”. But if the dialog box is from the OS, then I should trust that clicking OK will terminate the program.
The dialog box saying “The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.” was displayed by my browser firefox.exe (or ie.exe or opera.exe or chrome.exe or safari.exe) because the code on the webpage told it to display that message. Is this any different thatn situation 1)?
3 a) IF the code on the webpage told the browser to display that message, then couldn’t the code on the webpage do whatever it wants?
or
3 b) If the code on the webpage can tell my browser firefox.exe (or ie.exe or opera.exe or chrome.exe or safari.exe) to display any random message, then it does not matter what the dialog box says - any time I see a dialog box in my browser, I need to force quit the application because clicking on any button is stupid.
If 3 b) is the correct answer, then yes, I’m a stupid computer user because I would click OK on the dialog box in the study. I do not force quit my browser every time I see a dialog box.
In any other situation (1, 2 or 3a), it seems to me that it is acceptable to assume that the dialog box is correct, because a malicious program would not bother displaying a message giving you the opportunity to terminate it in the first place.
By the way, my question is not “are computer users, in general, idiots” or “are people, in general, idiots” - I think we all know the answer to that question. What I am wondering is if the test as described in the OP shows that computer users are idiots. I don’t understand how the actions of the people in the test showed idiocy.
There’s at least a dozen different buttons that can be displayed in a Windows dialogue box—OK and Cancel are only two. If the buttons do not match the context that the dialogue appears in, then it’s the fault of the application writer, not Windows.
I’m also having trouble working out exactly what the study implies. If a piece of malware displays the box, then it’s easy for the malware author to capture the Windows event WM_CLOSE (or whatever it is), and do whatever he wants on it firing, the same as if the user had pressed OK. It’s not as if pressing Alt+F4 means anything, when you have access to the whole Windows message pump, as far as I know.
Besides Arnold’s good points, consider also that these people presumably were not using their own computers. If I’m using a strange computer and weird popups appear, I would assume the computer has a virus or something, but I wouldn’t worry about it because it’s not my computer.
The only thing this study shows is that our desktop environments are very insecure (not placing blame, just making a statement of fact) and therefore people must be trained to avoid situations like the ones presented.
Calling users “idiots” when they have less knowledge than those of us that work in the industry shows a lack of insight by the author of the article.
I think it shows them to be conditioned to be apathetic to windows errors, but not idiots. They were just hitting whatever they could to get them out of the way. I don’t see any reason for malware to have a dialog box like that either, so I don’t see the harm. Now, if they had one that said “Trojan.exe is attempting to access passwords.dat* file. Do you wish to allow this? Y/N?” they might be onto something.
*made up file as I am not familiar with windows’ sensitive files
I think that Santo Rugger is the first one here to “get it”, namely that there are several ways to close an application, and (correct me if I’m not getting it, Santo) many of them still hand control to the application, including clicking on any Windows form inside the window, or clicking on the “close button” (the “X” at the right of the title bar); whereas, right clicking on an app’s representation on the task bar and selecting “close” does not return any control to the app. Is that right?
OK, I have done enough programming for Windows in the last year, some of it in Microsoft Visual Studio, to be well ahead of the pack of Windows users, ahead of the dividing line between idiot and not. I’m worrying about the dividing line for Windows programmers, true, but I couldn’t possibly be an idiot user. But it was only two weeks ago that I worked out how to intercept the user interface event generated by a mouse down on the close button with a filter, to do something other than just close. And I actually didn’t know and am still not sure that the other methods you mention actually kill apps without returning control to them. I SURE don’t know which Windows versions behaved which ways on each of these methods.
The OP seems destined to raise this question: which specific details of Windows, or in this case closing errant apps without returning control to them in the process, should programmers be able to count on “non-idiot” users integrating into their work habits? If we want to vote, I say Windows was supposed to attract the sort of users who would say “what does “returning control” mean”, i.e. Windows is designed for people who would not even be able to answer the test question incorrectly, let alone correctly.
But the whole discussion begs a further question: we all recognized the dialog boxes, which only occur when Windows completely screws up. In fact we were comfortable thinking about judging the rendering accuracy of the dialog box. They are pretty damn common, aren’t they? So, who’s the idiot now???
There’s plenty of nastyware that does just that and they don’t even usually bother with dialog boxes at all. But lots of stuff is out there that’s “semi-legitimate.” Typically bundled with freeware, these kinds of programs install any of several kinds of spyware that can report your browsing habits and other information back to a data harvester. They aren’t breaking any laws because you gave them permission to install the software when you clicked OK.