Deathlizard's Journal: Computer User Laws (In Soviet Russia, Trojan Exploits YOU!)

There is a set of laws that I like to keep track of for computer support purposes. Here is some of them.

Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't (legally) patch stupid.

Just about every security exploit you've ever seen exploits at least one of these rules. The exception to this is a self propagating worm, such as blaster, since it takes the human element out of the equation.

#1 deals with the populous as a whole. for example, in the US there are roughly 300 million people. that means roughly 3 million computer users know what they are doing. so basically, the population of Iowa has to do tech support for the entire US population. This also applies to smaller populations. such as Businesses, Universities and even developers, although it can vary much wider in smaller populations.

Anyway, considering that rule, you must assume that trying to explain security issues or even computer usage is going to go in one ear and out the other when it comes to most of the populous. This makes it very difficult to stop most of today's malware threats because most virus scanners can't keep up with the sheer number of malicious apps per day. So the best way to handle #1 in the security context is to minimize the infection vector as much as possible and to limit the choices that they can make regarding crucial decisions and make automatic choices when the choice is clear. This is why most AV software today does not include an ignore option and most automatically clean. Which leads me to #2

#2 deals with all users, Even the 1% users. and is caused by habit. People tend to not read anything. You could have a box pop up saying clicking OK in this box will format your hard drives, with an OK or Cancel button, and I would safely bet that you'll be recovering drives for a sizable amount of people.

To handle #2, the best method is to have the user do a captcha of some sort. Many OS'es do this with the administrator password prompt when you try to do an elevated privilage. It's not foolproof but it's better then nothing.

#3 is similar to #2 If presented with a button, a person will click on it. that simple. it doesn't matter what that button does, they will click it. even if they read on the button and it says to format hard drive click here. even if they know that is bad, people will click the button simply because they think the button is lying, that is until their hard drive is gone.

handling #3 can be difficult. like #1, you don't give the user something to click on. you hide or restrict it so that only experienced users that need to use it can. If it's not needed at all, don't even make the button. Although this isn't going to help if the button is designed to be malicious. (Like a malware site) This makes #3 the most exploitable of the rules.

#4 is a new rule added. basically its there for the training crowd that believe that training is all you need to fix the above. That almost never works. people will forget, people will ignore and people will just not care. Handling #4 is to apply yet another rule taught to me by one of my college professors in my user interface design class. the "premise of monkey" rule.

The Premise of Monkey
If you can't train a monkey to use it, you can't train a human to use it.

It basically comes down to simplicity. limit choices to the basic necessity of the programs functionality. The simpler it is, the easier it is to train and the less long term problems you'll have with user error. If you can't fix stupid, make the interface for the stupid to use. I know it's got that idocracy vibe to it, but it works.

Now you're probably wondering how this leads to a system getting infected. For the example, lets say someone gets a pop up that says roughly "0MG! j00 907 7EH V1RuZ!!" Rule #1 applies, so 99% of computer users are going to believe what the popup says when the 1% know it's a malicious site. Rule #2 means they'll not read the message from their real virus scanner saying they're infected because the blinking red "D4n93R!!!" banner and Big Red Pulsating Shield with a Big White X from the malware site is easier to understand than the text message from the virus scanner they've had for the past 5 years. Rule #3 means they'll press the "Cl1Ck h3r3 70 Cl34N. H0n357!" button and then press Run, and then bypass the "This is a malicious File!" Prompt, then Press Allow, and Then Put in their Password, ETC. and Rule #4 means It'll get infected 20 more times after you've formatted the drive 19 times to remove the last 19 rootkits because they keep infecting it the same way over and over and over again.