Fake popup study

Perry E. Metzger perry at piermont.com
Wed Sep 24 17:45:14 EDT 2008


Jim Youll <jim at cr-labs.com> writes:
> I think it's got to be said that it's not apparent that the end-users
> are the /idiots/ who should be called out for "failing" this study.
>
> "We" gave them these interfaces, protocols and technologies that
> allow for things to go so badly wrong. Nothing in the world required
> the technology ecosystem to become what it is, except design
> decisions that were (and are) made well out of the sphere of
> influence of mere "idiot users."
>
> This stuff was designed and shepherded to market by the modern
> captains of industry, by rock star developers and wünderkinden.
>
> When a real engineer builds a bridge that falls down, we blame the
> engineer, not gravity.

419 scams are not caused by bad interfaces or bad engineering.
Phishing is, but clearly not all con games are, and con games are
remarkably profitable.

Although it is true that there are better and worse interfaces, and
that many of the interfaces we use right now are rather on the worse
side, it is apparent that one of the issues we have is the astonishing
depth of human stupidity.

> I'll even argue from the other direction just to make it complete.
> Even if they are all idiots: when a population you serve outnumbers
> you by 1,000 to 1 and keeps blowing itself up when using your stuff,
> it's time to idiot-proof the product.

To quote a common observation: You can't make things perfectly idiot
proof because idiots are too ingenious.

I was having a discussion over lunch about a week ago with a couple of
pretty well known security people (one of them might pipe up on the
list). We were considering what would happen in a particular seemingly
foolproof system with a trusted channel if someone got a message via
an untrusted channel saying...

  "Now, to complete your book purchase, the trusted system is going to
   say "If you press "YES", you're going to send all the money you
   have in the world to a con man in Nigeria" -- this is
   normal. Please press yes when it says that."

...a large fraction of users would just press "YES".

I don't want to claim that there is no place for better human factors
work in security engineering. There clearly is. However, I will
repeat, that is not the only story here, and it is not unreasonable to
note that there are people who are clearly nearly impossible to
protect with almost any level of human factors engineering and
security technology.


Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List