Basically, Ars Technica is a techie website, so Non computer-literate = idiot.
On the other hand, based on my experiences doing desktop support, the problem isn’t that the users don’t recognize a genuine Windows dialog box, it’s more that they don’t bother to read what’s on the the dialog boxes and just panic and click OK when they see one to make it go away…
It’s been a while since I’ve messed with dialog boxes in javascript or whatever Windows’ script is (wscript?), but I don’t think you have the same level of control over them that you do from compiling native apps. This page was focusing on pop-ups and dialog boxes from within the browser.
Exactly. Users logging onto computers where I work are supposed always to authenticate to the server. But there is a checkbox to login workstation only that we use for troubleshooting when there are problems. Some users always use that because it gets them logged in faster without having the computer check for updates what whatnot from the network.
I put together a small script that detects if they’ve done this and pops up a dialog that tells them to contact the help desk if they’re having trouble and not to log in workstation only. Then when they click okay it logs them back off.
Just after I installed it on a workstation I watched a user log in three times with the workstation only option. Click OK, and go through it all again. I pointed out to her what it was saying before she did it a fourth time.
Napier - I agree with what I think you are saying - if the authors of the study considered the “correct” response to force-quit the application, then they were expecting too much computer literacy from an average user - how many people will know the subtleties between closing a window or terminating the application from the right-click action on the taskbar? From reading the ars technica article, I still don’t know what they think the correct response to such a dialog box would be.
Yes, but the semi-legitimate software is not going to show a dialog box with the text specified in the OP: “The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.”
That is very true, I have seen users do that myself. But the test as described in the OP does not demonstrate this. If I saw a dialog box as described in the OP, even if I read it carefully, I would still think that the proper response is to click OK. A good test would be one where clicking OK is obviously wrong. Like the example I had in my OP:
Can you give a technical example of how something like this is supposed to work? If you can modify a pop-up into a trap, trying to trick the user to press an OK button so that you can then do nefarious action X, what is to prevent you from doing nefarious action X without showing the pop-up in the first place?
Often times though, the pop up box is the equivelent of “You are going to accept candy from a stranger…OK” and no other option.
Yes, but I didn’t eloquent the “returning control to program”. I got a lot of those dialog boxes, especially in pop up form before I installed AdBlock. I always just right clicked on the taskbar to close, because even clicking the “X” on the window would be identical to clicking “Okay”. You can tell because the little hand (or whatever your interface uses to let you know it’s a clickable link) doesn’t change back to an arrow when you move it off the button.
Can somebody fight my ignorance on how malware can be installed without authorization by the user to run the .exe file? Doesn’t Windows let you know and ask for authorization before it executes anything you haven’t already installed (or is that what the ‘trick’ is)?
Which is why the dialog box should be closed with the other methods suggested, instead of by haphazardly clicking the button.
I know that, but some people don’t. Actually, I think the point I was trying to make was somewhat in reference to someone else mentioning something about people not reading the dialogs. I was pointing out that sometimes (even if you do read the dialog) you don’t have any choice other then OK (I’m talking about legit windows dialogs).
Those people are idiots.
But, on a serious note, if we replaced the term idiot with “not computer/Windows savy”, it’s an accurate statement, and what a less abrasive title of the article would be.
I don’t think so. I have done a limited amount of Windows programming, but closing an app like that still returns control to the app, just as will clicking the X box, or File|Exit, system menu Close, or ALT-F4. A “polite” application is supposed to then do whatever cleanup it needs to do to shut down in an orderly fashion and then close. A malware application can do whatever it wants.
If you have Quicken you can see for yourself that exiting the program in any of these ways will still result in a prompt to ask if you want to back up your files.
The only way to close an application without giving it a chance to do anything is to go to Task Manager, Processes, and end the process. That blows it out of the water with no mercy.
I went back and read this article, which was a summary of study to be published in its full form somewhere else.
I agree with those who say that if a web site or software can generate a fake dialog box, it can pretty much do whatever it wants without waiting for you to push an OK button. Really excellent malware can do whatever it wants without you ever finding out, much less asking your permission.
All the fake dialog boxes I have ever seen are just an advertising ploy to try to get you to click to a web site. Now, if they can generate a fake dialog box as a pop-up, they can just generate the destination web site as a pop-up. But getting you to read a sentence in a dialog box saying your computer is vulnerable to viruses is going to get your attention a little better than just another web site for a virus package.
I’m not computer savy enough to know exactly what a malicious webpage can or can’t do, but I’ve seen lots of fake messages designed to simulate a Windows dialog pop up on my browser.
I haven’t clicked on them, so I don’t know what they really do, or why they wait for your click to do them, but I do know one thing for sure–no one ever designed a deliberately deceptive pop-up out of altruism. They’re trying to trick me into something, and I’d rather not be tricked.
Most of them are pretty obvious about what they do - you can tell from the status bar. They’re either ads that direct you to a webpage I’m not interested in (probably one that will try to get me to voluntarily download malware) or they are themselves permissions to download malware. (Usually some kind of spyware, not a virus.)
I don’t know why they trick me into clicking a box instead of just doing what they want to do. Maybe they get paid for each click on athe ad. Maybe they do it because a victim is less likely to run a malware cleaner on their system if something downloads in response a button they clicked than otherwise. Maybe they only want to victimize people they see as deserving. (Haven’t you read about Anonymous?) I don’t really care. I think anyone who clicks OK on an obviously fake and deceptive message, whether it comes through e-mail, a pop-up, or a regular website, IS an idiot. Even if it’s no worse than clicking a banner ad, it’s still incredibly stupid.
OK, Cooking is correct, a quick test of Quicken shows it queries you before quitting, even if you do so by right clicking Close on it in the Task Bar. At this point I’d tentatively stipulate that Task Manager is the only method of closing an application without giving it the chance to do something first. Truly, though, I bet there’s an exception to that too. I can imagine some little process someplace that keeps testing whether some app is still running and when first it appears not to be, whammo, etc etc. I am not sure there is ANY foolproof method for closing a program without its permission.
In practice, I don’t know how to use Windows without also having programs start up and interfere with my work. I know damn well that I never gave my permission for them, no matter what anybody says about the secret meanings and obligations associated with the various OK buttons it looked necessary to click over the years.
Question 1: What is the “right” way to get rid of an unwanted dialog box?
Question 2: How close to your answer to #1 does somebody’s typical reaction to an unwanted dialog have to be, so as not to be an idiot user?
Sure. Your browser has experienced an error and must terminate. Click here to close your browser. I have no power to direct your browser to Rick Astley videos, but I can nonetheless cause you to view one if you believe my misleading message and click that link.
Same thing applies to these fake dialog boxes. The point is not that some malicious application is opening a pop-up box – as many have pointed out, if badapp.exe is already running, it can do pretty much whatever it wants. The point is that someone has hijacked another application, such as a browser, and is seeking to leverage the limited capabilities that they have by tricking you into taking an affirmative action (clicking) to achieve whatever nefarious end they desire.
Another example, in e-mail this time: Dude, you’ve just got to see this photo of Britney! It’s the hotzors: [attachment badapp.jpg.exe].
You mean that I can have code on a HTML page that will display a dialog box trying to get me to go to a hyperlink, but I couldnt have code on the same HTML page that would just instruct my browser to go to that URL? That doesn’t sound right to me.
After reading what CookingWithGas said, the only way to not return control to the application (in the Windows OS) is to kill it in Task Manager. Is that the method you use?
I see also that CookingWithGas and Alan Smithee both suggest that there might be reasons to pop up a dialog box inviting you to take an action rather than just perform the action - to get the attention of the user, to allay their suspicions, or what not. I can see that.
I’ll return to the example in the OP. If, when running an application (including a web browser), a dialog box is displayed saying “The instruction at '0x77f41d24 referenced memory at ‘0x595c2a4c.’ The memory could not be ‘read.’ Click OK to terminate program.”, I am thinking that most people besides Windows developers (and maybe evne them) would click OK. (Perhaps this should be an IMHO question.) And I don’t think that this shows a negligent lack of knowledge of how to use a computer.
It’s somewhat hard to tell, as the article only gives one example of the fake popups, and I can’t find any primary source for the research. At best, therefore, this is shoddy science reporting, since the reader has absolutely no way of verifying any of the information.
I’d say that the example I linked to would absolutely not prove stupidity for an average user to click on it - you’d need to be relatively familiar with the real Windows dialog in question in order to notice the clues that it’s not real. I’d have spotted it for sure, but I’d bloody well hope so, because I teach computing for a living and spend more time looking at the Windows GUI than is strictly healthy. From the descriptions in the article, it sounds like two of the three fakes were pretty subtle, and roughly half the users clicked on each. They then describe a third fake:
If lots of people clicked on this, then yes, I’d say that was mildly stupid. Tellingly, however, the article makes no mention of how many users clicked on this one; they just leave it hanging with the implication that the users treated it the same as the other two. Which again is shoddy practice; they’ve selectively quoted the results to make maximum impact.
So no, I’d say that with the information presented, you absolutely can’t say that “users are idiots.” It may or may not demonstrate something about the efficacy of dialog boxes as a mode of getting valid user consent. We can’t tell, because the article is too wrapped up in mocking people (as you correctly surmised).
This is exactly what I hate about popular science reporting. It’s riddled with absolute shod like this. This is not to say the study in question is rubbish - it appears to have been selectively presented and over-interpreted. But this is entirely standard, and goes largely unquestioned.
I found the news release from the university where the study was made, no link to the actual study though.
Regarding the question of how to close them - I think (although again I can’t be sure because of the crappy attribution) that the point of the fakes was specifically to emulate web pop-ups, which present themselves in Internet Explorer windows, and need to induce the user to click on content within them in order to reach an unwanted site, or initiate the installation of some malware. So clicking the X will get rid of them just fine - they don’t have full control of the window.
Indeed as pointed out above, if the popups were custom software with full access to all window click events, there’d no longer be any reason for them to seek user input, since they’d be running with full user (and thus probably administrator) privileges anyway. The whole point of fake dialog boxes like these is to try and trick the user into escalating the privileges of a bit of software, e.g. getting them to install something off the web. Once it’s running on your machine, all bets are off.
Assuming the popups are trying to install something, presumably if you click “OK” then you’ll still get a (genuine) dialog asking if it’s okay to run/install said executable, but then apparently 25% of the students said they clicked OK on all pop-ups. Now that I would call silly - if you get a Windows dialog saying “do you want to run this piece of software” when you’re not trying to run software, and still click OK, that’s pretty dumb. But then they didn’t study that, so we’ve got no way of knowing what the subjects would have done.
If someone is already viewing your whole page, you can certainly redirect them elsewhere. You might not have full control of the page that spawns the popup, though. Maybe you’re using some exploit to get your pop-up on to an innocent third party site, and by so doing are trying to trick users to your site/install your software/whatever. For example, MySpace got hit by a vulnerability a while back whereby someone managed to inject javascript onto a whole bunch of user pages. This then tried to install an executable file on the machine of anyone viewing that page. Just because a pop-up appears on a legitimate site doesn’t necessarily mean it’s legit, too.
(I stretch the definition of “legitimate” for MySpace. :))
