Re: Security warnings and obedience to authority

2005-08-11 Thread Fabrizio Marana
Duane [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Nelson B wrote:

Two buttons:  rip me off, protect me from the rip off
 
  would undoubtedly change user responses.

 I doubt it, their ISP/tech support etc would tell them to ignore it as
 an over reaction... Rather than trying to explain the finer details of
 what exactly is occurring, this isn't a black and white situation and
 that's why it's failing to cope with it.

That is exactly why I wanted to use multiple sensor input: visual AND
auditive.
Simple buttons don't work, nor do % as it requires users to think and most
people just don't think. Period.

Fabrizio


___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security


Re: Security warnings and obedience to authority

2005-08-11 Thread Ka-Ping Yee
On Thu, 11 Aug 2005, Fabrizio Marana wrote:
 Duane [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Nelson B wrote:
 
 Two buttons:  rip me off, protect me from the rip off
  
   would undoubtedly change user responses.
 
  I doubt it, their ISP/tech support etc would tell them to ignore it as
  an over reaction... Rather than trying to explain the finer details of
  what exactly is occurring, this isn't a black and white situation and
  that's why it's failing to cope with it.
 
 That is exactly why I wanted to use multiple sensor input: visual AND
 auditive.  Simple buttons don't work, nor do % as it requires users
 to think and most people just don't think. Period.

But the issue is never that simple.  If the software knows with 100%
certainty that the user is going to a ripoff site, it could just
prevent the navigation.  The only reason the software has to ask is
that it doesn't know for sure.


-- ?!ng


Re: Security warnings and obedience to authority

2005-07-29 Thread Nelson B
Fabrizio Marana wrote:
 As Ping points out in his blog, there are two steps in a typical phishing
 attack: first the email message, then the website.  So when the end-user
 clicks on the link to the website, (s)he has already accepted an authority
 twice.  Unfortunately for us, the authority of the phisher...

I have found that many end users misinterpret the purpose of the dialogs
that ask them whether to continue or stop.  They completely fail to
understand that the message is:

   We're giving you a chance to protect yourself from a potential bad guy

and instead interpret the message as

   If you want to continue to do the thing you wanted to do, you must
   jump through this hoop by pressing continue now.

IOW, they totally fail to comprehend WHY this hoop exists.  They have
no perception that they are being protected from potential evil by this.

I found that users think that the browser is asking them to do something,
and they obediently do what it asks.  It says press continue and so
they do.

This is not just a browser problem.  There are firewall products that
attempt to stop previously unknown and unapproved programs from accessing
the internet.  They pop-up dialogs for such programs, asking the user
whether to allow the program to proceed or not.  Many users always
approve everything, out of a sense of obedience.  The master (computer)
holds up the hoop and says jump boy, and they jump.

I think this is a UI problem.  Perhaps if the buttons were labelled
   Take me to the bad guy anyway
   protect me from this bad guy
they'd get it.

 People being people and all end-users being dumb ;) we now have a steep
 mountain to climb to win back the user's trust.

Win back?  I don't think we've lost any trust.

 The KISS solution (Keep It Simply Stupid) to getting this message across in
 the GUI is:
 
 1/ Use a funky background and font colour: GMail uses a white font on a red
 background.
 
 2/ Use sound: An authoritative voice telling the end-user SECURITY WARNING!
 You are being ripped off!
 
 3/ Use animation: An animated GIF of a wallet being drained of money.
 
 4/ All of the above

  Two buttons:  rip me off, protect me from the rip off

would undoubtedly change user responses.

-- 
Nelson B


Re: Security warnings and obedience to authority

2005-07-29 Thread Duane
Nelson B wrote:

   Two buttons:  rip me off, protect me from the rip off
 
 would undoubtedly change user responses.

I doubt it, their ISP/tech support etc would tell them to ignore it as
an over reaction... Rather than trying to explain the finer details of
what exactly is occurring, this isn't a black and white situation and
that's why it's failing to cope with it.

When does black and white security ever work in situations where end
users don't understand the context?

What's needed is something like spamassassin, which ranks sites based on
a set of criteria and then tells the user this site is 5% likely to be
bad, or 95% likely to be bad... etc etc etc...

Not all popups mean bad things and by labelling it as such you simply
end up back to square one when users need to go to sites that aren't bad...

-- 

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

In the long run the pessimist may be proved right,
but the optimist has a better time on the trip.
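As an added illustration (not code from this thread or from any Mozilla project) of the two ideas above, Duane's SpamAssassin-style scoring that reports a percentage rather than a yes/no, and Ka-Ping's later point that a verdict the software is certain of should simply be enforced while only the uncertain middle warrants asking the user, here is a small scorer with a three-way policy. The rules, their weights, the two thresholds and the sample URLs are all constructed for the demonstration; a real product would tune the weights against measured data.

```python
# Added example, not code from the mailing-list thread: a SpamAssassin-style
# site scorer in the spirit of Duane's suggestion, feeding the three-way
# policy Ka-Ping describes (certain -> block, uncertain -> ask, else allow).
# Rules, weights, thresholds and sample URLs are all constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    weight: float                       # how much this signal adds to the score
    fires: Callable[[str, str], bool]   # (hostname, url) -> True if suspicious


def _ip_literal(host: str, _url: str) -> bool:
    """Hostname is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _userinfo_in_url(_host: str, url: str) -> bool:
    """URL carries a user@ authority part, which can disguise the real host."""
    return urlsplit(url).username is not None


def _punycode_label(host: str, _url: str) -> bool:
    """Some label is IDNA-encoded; worth a second look, not proof of abuse."""
    return any(label.startswith("xn--") for label in host.split("."))


def _deep_subdomains(host: str, _url: str) -> bool:
    """Five or more labels; legitimate, but common in lookalike hostnames."""
    return host.count(".") >= 4


def _plain_http_login(_host: str, url: str) -> bool:
    """A login-looking path served without TLS."""
    parts = urlsplit(url)
    return parts.scheme == "http" and "login" in parts.path.lower()


RULES: List[Rule] = [  # constructed weights; a real system would tune them
    Rule("ip_literal_host", 0.45, _ip_literal),
    Rule("userinfo_in_url", 0.50, _userinfo_in_url),
    Rule("punycode_label", 0.30, _punycode_label),
    Rule("deep_subdomains", 0.25, _deep_subdomains),
    Rule("plain_http_login", 0.35, _plain_http_login),
]

BLOCK_AT = 0.90   # "knows for sure": refuse the navigation, no dialog at all
WARN_AT = 0.30    # uncertain: ask the user, and show them the percentage


def score_url(url: str) -> Tuple[float, List[str]]:
    """Return (risk score capped to [0, 1], names of the rules that fired)."""
    host = (urlsplit(url).hostname or "").lower()
    fired = [r.name for r in RULES if r.fires(host, url)]
    total = sum(r.weight for r in RULES if r.name in fired)
    return min(total, 1.0), fired


def decide(url: str) -> Tuple[str, int, List[str]]:
    """Map the score to one of three actions: block, warn, or allow."""
    score, fired = score_url(url)
    pct = round(score * 100)
    if score >= BLOCK_AT:
        return "block", pct, fired
    if score >= WARN_AT:
        return "warn", pct, fired
    return "allow", pct, fired


if __name__ == "__main__":
    # Constructed sample URLs (RFC 2606 / RFC 5737 reserved names and addresses).
    for sample in (
        "https://www.example.com/account",
        "http://www.example.com/login",
        "https://xn--bnk-xyz.secure.login.example.co.uk/",
        "http://bank.example@192.0.2.10/login",
    ):
        action, pct, fired = decide(sample)
        print(f"{action:5}  {pct:3d}% likely bad  {sample}  {fired}")
```

The point of the three tiers is the one Duane and Ka-Ping are circling: only the `warn` band ever produces a dialog, and that dialog can carry the number instead of a bare Continue button, while the `block` band never asks the user to overrule a verdict the software is already sure of.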


Re: Security warnings and obedience to authority

2005-07-26 Thread Ka-Ping Yee
Frank Hecker:
 I thought this was an interesting blog post, with obvious implications
 for the issue of warning dialogs in Firefox, Thunderbird, etc.

 http://usablesecurity.com/2005/07/19/obedience-to-authority/

Florian Weimer wrote:
 all-too-common security warnings are not effective at all because
 users tend to increase their productivity by blindly clicking away

Lev Walkin wrote:
 Instead of the simple Yes/No warning dialogs, an application could
 display something like:

   In order to proceed with a potentially unsafe choice,
   please enter the following random dictionary word
   into an input area below:

   CONTEMPLATE

   +-+
   |_|
   +-+

It could, but i suspect that such a measure would quickly become
reviled.  Getting into an arms race against one's own users just
looks like an unpleasant road to go down.

Making the awareness part of the main task is likely to be more
successful.  Admittedly it is a very tricky design challenge to
find clever ways to do that, but it will probably work better than
adding irrelevant chores for users to do.


-- ?!ng


Re: Security warnings and obedience to authority

2005-07-26 Thread Fabrizio Marana
As Ping points out in his blog, there are two steps in a typical phishing
attack: first the email message, then the website.  So when the end-user
clicks on the link to the website, (s)he has already accepted an authority
twice.  Unfortunately for us, the authority of the phisher...
People being people and all end-users being dumb ;) we now have a steep
mountain to climb to win back the user's trust.
Milgram not only raised the issue that Ping is describing here, but also
points us to a solution as he found out that when the immediacy of the
victim was increased, compliance decreased.  Therefore we are only faced
with establishing a higher authority to the end-user than the one of the
phisher in a way that can't be imitated.
The KISS solution (Keep It Simply Stupid) to getting this message across in
the GUI is:

1/ Use a funky background and font colour: GMail uses a white font on a red
background.

2/ Use sound: An authoritative voice telling the end-user SECURITY WARNING!
You are being ripped off!

3/ Use animation: An animated GIF of a wallet being drained of money.

4/ All of the above

:)

Fabrizio
Florian Weimer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 * Frank Hecker:

  I thought this was an interesting blog post, with obvious implications
  for the issue of warning dialogs in Firefox, Thunderbird, etc.
 
  http://usablesecurity.com/2005/07/19/obedience-to-authority/

 This is certainly a problem.  The more significant issue (and I
 believe it's been raised multiple times on this list) is that
 all-too-common security warnings are not effective at all because
 users tend to increase their productivity by blindly clicking away
 warnings.

 Even Emacs' yes-or-no-p quickly becomes equivalent to y-or-n-p, at
 least in my experience.




Re: Security warnings and obedience to authority

2005-07-23 Thread Florian Weimer
* Frank Hecker:

 I thought this was an interesting blog post, with obvious implications 
 for the issue of warning dialogs in Firefox, Thunderbird, etc.

 http://usablesecurity.com/2005/07/19/obedience-to-authority/

This is certainly a problem.  The more significant issue (and I
believe it's been raised multiple times on this list) is that
all-too-common security warnings are not effective at all because
users tend to increase their productivity by blindly clicking away
warnings.

Even Emacs' yes-or-no-p quickly becomes equivalent to y-or-n-p, at
least in my experience.