Shostack + Friends Blog Archive


Blaming the Victim, Yet Again

malware dialog box

John Timmer of Ars Technica [link no longer works] writes about how we ignore dialog boxes in “Fake popup study sadly confirms most users are idiots.”

The article reports that researchers in the Psychology Department at North Carolina State University created a number of fake dialog boxes that carried varying sorts of visual clues that they were sham rather than real dialogs. One of the fake dialogs is here:

The conclusion of many people is summed up in the title of the Ars Technica article: people are idiots.

My opinion is that this is blaming the victim. Users are presented with such a variety of elements that it’s hard to know what’s real and what’s not. Worse, there are so many worthless dialogs that pop up during normal operation that we’re all trained to play whack-a-mole with them.

I confess to being as bad as anyone. My company has SSL set up to the mail server, but it’s a locally-generated certificate. So every time I fire up the mail client, there’s a breathless dialog telling me that the certificate isn’t a real certificate. Do you know what this has taught me? To be able to whack the okay button before the dialog finishes painting.

The idiots are the developers who give people worthless dialog boxes, who make it next to impossible to import in local certificates, who train people to just make the damned dialog go away.

Computing isn’t safe primarily because the software expects the user to be a continuously alert expert. If the users are idiots, it is only because they stand for this.
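What the post asks for in the mail-client case is a client that trusts the locally generated certificate once and then stays quiet unless it changes, the way OpenSSH treats host keys. The following is an added example of that trust-on-first-use check; it is not code from the blog or from any mail client, and the certificate bytes it feeds in are constructed stand-ins for real DER (the `peer_cert_der` helper shows where real bytes would come from):

```python
"""Trust-on-first-use certificate pinning instead of a per-launch dialog.

Added illustration, not the blog's or any mail client's code. The sample
certificates below are constructed byte strings, not real DER encodings.
"""
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(store: dict, host: str, cert_der: bytes) -> str:
    """Classify a presented certificate against the pin store.

    'new'      first contact: pin it (the one place a user decision belongs)
    'ok'       same certificate as last time: no dialog at all
    'mismatch' certificate changed: the only case worth interrupting for;
               the store is deliberately NOT updated here
    """
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "ok" if pinned == fp else "mismatch"


def repin(store: dict, host: str, cert_der: bytes) -> None:
    """Replace a pin only after an explicit, out-of-band decision."""
    store[host] = fingerprint(cert_der)


def peer_cert_der(host: str, port: int = 993) -> bytes:
    """Fetch the server's leaf certificate bytes (network access needed).
    Verification is disabled here only so that a self-signed certificate
    can be read; check_pin() is what decides whether to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample "certificates": the mail server's cert, then a rotated one.
MAIL_CERT_V1 = b"CONSTRUCTED-DER mail.example.test serial=1"
MAIL_CERT_V2 = b"CONSTRUCTED-DER mail.example.test serial=2"


def demo() -> list:
    """Three launches of the mail client against the same host."""
    store = {}
    return [check_pin(store, "mail.example.test", cert)
            for cert in (MAIL_CERT_V1, MAIL_CERT_V1, MAIL_CERT_V2)]


if __name__ == "__main__":
    print(demo())
```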

10 comments on "Blaming the Victim, Yet Again"

  • Tamzen says:

    What really really gets my goat are the boxes where you get no choice, don’t want to click the answer and CAN’T CLOSE the window. Arrrrgggghhh. A special hell awaits for ones that can’t even be moved or can’t lose focus. Death to all programmers who do that!

  • Unsigned certs can be trusted about as much as signed certs if you are relatively assured the private key is safe. Add the public key to your trusted certificates. If the cert changes you’ll get prompted again at least. This is the same reasoning Firefox 3 is using when asking for exceptions to self-signed https, OpenSSH has been doing it forever, and so on.
    The study confirms that trust, and therefore deception, are still perfectly healthy. Any technical control over those two can only be patchwork at best.

  • This has been one of my pet peeves for quite a while. Modal dialog boxes that don’t give enough information for a non-technical (and sometimes even a very technical) user to make a rational decision.
    So we pick OK or cancel, randomly, and hope nothing bad happens.

  • Simson says:

    Don’t you think that people just clicked on the “dumb” boxes to see what would happen?

  • Neil Gooding says:

    My problem with popup windows is a little different. I feel that the space bar shouldn’t be a special shortcut key to pressing the currently activated button.
    Simply typing a sentence (spaces between the words) into one application (a word processor) is enough to agree to a few messages that have popped up from another, without them even having had a chance to draw themselves. I find this a problem when an app takes a long time to load; I tend to switch to another app and continue working, only to find the app I launched, but don’t want right now, has popped up messages, or itself in its entirety has come to the fore to accept the keystrokes I thought were going into the word processor (which is of course another problem too).

  • Mordaxus says:

    re Simson:
    I think this is something we need to see the full report for. Based on what Ars Technica said, I would believe it, yes. I might think I was expected to explore, from the context of being in a psych experiment. This is also something we need to know whether the experimenters compensated for.

  • ToddH says:

    I agree that you can’t blame the users. It’s up to software designers to make products easier to use rather than falling back on a dialog. We are effectively training users to click through dialogs because they get presented with so many.
    Chris blogged on a related topic @

  • T.Lee says:

    I laughed til I cried when I read this. I deal with SAV and malware at my 20,000 person company, and I’ve been getting a lot of alerts lately that indicate we have a higher than usual level of junk getting in. So your dialog box was a perfect example of what I think about my coworkers lately. Thank you.

  • David Brodbeck says:

    Part of the problem, of course, is that users see such a variety in dialog boxes. There isn’t really a clear set of things we can tell people to look for that will tell them, “yes, this is a legitimate dialog.” And of course as soon as someone created a set of guidelines like that, malware would imitate them, and we’d be back at square one.

  • David Molnar says:

    Remind me to show you the text of the “invite user” dialogue box from the HappyFunSlanderBot facebook app sometime. (I wrote it for a reading group discussion, not intended for use as a “real” facebook application.)

Comments are closed.