Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That

from the nothing-to-hide,-or-too-stupid-to-computer? dept

There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.

The researchers from the Carnegie Mellon University CyLab who carried out this work tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

Even though a participant's machine would give them a pop-up warning when they started the download to tell them that this application wanted higher-level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.

With more than 1,700 downloads, the application was run about 960 times, meaning that just over half of participants fell for the ruse. Alarm bells should have rung, but they were apparently not heeded.

The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than that it would pay them for their processing power, but they didn't seem to mind.

The ethics of this research are certainly potentially dubious. Individuals were lured into downloading this application for a seemingly good cause and we know nothing of their financial circumstances. It's a scenario that many of us can recognise in one way or another, though. We may not get a financial reward for downloading applications, but how often do we click away warnings so we can get an app that offers us some other incentive, such as access to free music or movies?

Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.

It is an old adage, but it is still very important to remember – if it looks too good to be true, it probably is. Do not install any application without checking if the source is reputable. Free is often good, but free on the internet comes with many risks. This is particularly true for sites offering access to illegal movies or adult content.

Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.

Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?

This all may seem tedious, but it pays to be cautious. Recent incidents have taught us that there are plenty of people out there who will take advantage of anyone who hasn't protected themselves properly. Whether this research shows that we just can't be bothered to read the pop-up warnings our computers send us when we click and install or whether it shows that we are even more willing to compromise our security in the name of a quick buck, it should make us think twice about how blindly we click. Just as any character in literary history will tell you, selling your soul rarely turns out to be a good deal.

The Conversation

Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organization that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.

Filed Under: malware, money, users


Reader Comments

  • Violynne, 26 Jun 2014 @ 4:32am

    But what if that malware is Windows 8.1?

    *chuckles

  • Rabbit80, 26 Jun 2014 @ 4:50am

    Can I still participate? I have a spare VM just waiting to make me money!

    • Rikuo, 26 Jun 2014 @ 5:39am

      Re:

      Precisely that. In fact, I would have dug out an old physical machine I don't give a crap about and let the code run on that (but only after verifying that the people would actually pay). There's nothing in this article that specifies that I have to run it on my high end gaming rig. I would have configured my router to only let a minimal level of traffic from the computer reach the open internet, so as to protect against the possibility of the machine being used for a DDOS.

      • Anonymous Coward, 26 Jun 2014 @ 9:26am

        Re: Re:

        That, along with the fact that I can spin up a ridiculous number of VMs running linux and Wine means I could be making as much as a couple of dollars per day.

      • Rob, 26 Jun 2014 @ 4:41pm

        Re: Re:

        Wow, all that for .01/hour, at least when the check arrives you can put it towards your electric bill.

    • R.H., 27 Jun 2014 @ 10:09am

      Re:

      I came into the comments section to say this. I have three old systems here with no personal information on them (two don't even have OS'es installed right now) and I'd gladly join in this 'study'. Hell, I may even fire up the VM that I use to test shady executables and run it on my main machine.

      • John Fenderson, 27 Jun 2014 @ 10:34am

        Re: Re:

        " I may even fire up the VM that I use to test shady executables and run it on my main machine."

        Be careful about doing this: there exists malware that can break out of the VM and infect the actual machine.

  • BeanDad, 26 Jun 2014 @ 6:36am

    Many have done that for much less.

    See Seti@home

  • mcinsand, 26 Jun 2014 @ 6:37am

    now this is what I call a biased study!

    Semiserious here, in that the people that conducted the study not only had their thumb on the scales, but the rest of their fingers, their fists, and their donkeys.

    You can't get a meaningful read on a group's willingness to undermine their own security when the group chosen has clearly demonstrated a lack of interest or intelligence with respect to security. Pick another operating system... **ANY** operating system besides Windows... and then rerun the study get some meaningful data.

    • Rich Kulawiec, 26 Jun 2014 @ 7:12am

      Re: now this is what I call a biased study!

      We could (and have) (and probably will) debate the merits of this study in an academic sense. And that's fine.

      But as a real-world case study, it's spot-on, because it squarely targets point #5 here:

      The Six Dumbest Ideas in Computer Security

      By the way, Ranum's editorial/essay/rant is the most brilliant thing I've ever read on the subject of security, and I've read a lot over a very long time. An extremely good algorithm for site security is:

      1. Read that essay.
      2. Figure out which of these dumb ideas you're doing.
      3. Try to correct them.
      4. Return to step 1.

      • Anonymous Coward, 26 Jun 2014 @ 11:51pm

        Re: Re: now this is what I call a biased study!

        Six damn good points in that essay. Although I would hope in the nine years since it was written, mjr has learned

        The Two Dumbest Ideas in Tech Writing:

        1. Half-hearted attempts at humor are sufficient to disguise an underlying tone of sneering condescension.

        2. Nobody has ever ignored a good idea just because of an inelegant presentation.

    • PaulT, 26 Jun 2014 @ 7:39am

      Re: now this is what I call a biased study!

      "Pick another operating system... **ANY** operating system besides Windows... and then rerun the study get some meaningful data."

      So, your definition of a meaningful study into the security habits of general public is to pick an operating system not used by a majority of the general public? Then, you'd base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security? Think about that, and how much bias there would be there!

      There's a number of flaws I can spot here, ranging from the venue chosen to the fact that it did not completely account for the use of UAC and some other factors that came immediately to mind. But, the OS chosen isn't really a problem, given the type of user it was meant to study.

      • Chronno S. Trigger, 26 Jun 2014 @ 8:39am

        Re: Re: now this is what I call a biased study!

        "Then, you'd base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security?"

        Judging from my experience with the "average" Linux user, the results would be about the same. I know far too many people who use Linux that are far less secure than they realize. They think they're L33T, but they're not.

        This is not to slam Linux or its higher end users, but just like any operating system, it's only as secure as its end user. Windows in the right hands can be far more secure than Linux in the wrong hands.

        • Anonymous Coward, 26 Jun 2014 @ 9:22am

          Re: Re: Re: now this is what I call a biased study!

          ^ This. A million times this.

          I'm in the IT field and I can confirm with 99% certainty that the biggest security threat is the end user.

          • Michael, 26 Jun 2014 @ 9:58am

            Re: Re: Re: Re: now this is what I call a biased study!

            Actually, it is 72% end user, 21% the NSA, and 11% bad statistics.

        • PaulT, 27 Jun 2014 @ 2:16am

          Re: Re: Re: now this is what I call a biased study!

          Oh sure, if you don't know what you're really doing, you're not secure, whichever OS you choose. This is true no matter the OS. It's also true that newer versions of Windows are much more secure out of the box than they used to be, but the user's actions really determine its status.

          But, chances are that a person who really hasn't got a clue will be using Windows. The old saying that a little knowledge is more dangerous than no knowledge holds true, but the truly clueless still gravitate toward Microsoft in my experience.

  • Anonymous Coward, 26 Jun 2014 @ 6:45am

    Implicit trust

    they were told that it was for an academic study

    People will trust a school asking people to be part of paid research. They would trust the school to be running a computational study and wouldn't consider it to be a psychology experiment.

    Try the experiment again, but instead advertise on classifieds (ie craigslist) and make no reference to academia. It still pays better than bitcoins on an old rig, so you might get some takers but I'd bet it'd be much less than 20% of the page views.

    • Michael, 26 Jun 2014 @ 10:01am

      Re: Implicit trust

      People will trust a school asking people to be part of paid research

      Good tip - for all of you running phishing operations, make sure to refer to yourselves as "school researchers" rather than "wealth re-locators" or "shady companies".

    • Jens, 26 Jun 2014 @ 10:05am

      Re: Implicit trust

      +999
      this...

      I think the experiment was doomed the moment the user had their trust biased with "academic" association, however from the original paper:


      In September of 2010, we created a Mechanical Turk task offering workers the
      opportunity to “get paid to do nothing.” Only after accepting our task did participants
      see a detailed description: they would be participating in a research study on the “CMU
      Distributed Computing Project,” a fictitious project that we created. As part of this, we
      instructed participants to download a program and run it for an hour (Figure 1). We did
      not say what the application did. After an hour elapsed, the program displayed a code,
      which participants could submit to Mechanical Turk in order to claim their payment.

      Because this study involved human subjects, we required Institutional Review Board
      (IRB) approval. We could have received a waiver of consent so that we would not be required
      to inform participants that they were participating in a research study. However,
      we were curious if—due to the pervasiveness of research tasks on Mechanical Turk—
      telling participants that this was indeed a research task would be an effective recruitment
      strategy. Thus, all participants were required to click through a consent form. Beyond
      the consent form, there was no evidence that they were participating in a research study;
      all data collection and downloads came from a third-party privately-registered domain,
      and the task was posted from a personal Mechanical Turk account not linked to an institutional
      address. No mention of the “CMU Distributed Computing Project” appeared
      on any CMU websites. Thus, it was completely possible that an adversary had posted
      a task to trick users into downloading malware under the guise of participating in a research
      study, using a generic consent form and fictitious project names in furtherance
      of the ruse.

  • PaulT, 26 Jun 2014 @ 6:46am

    "Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware."

    If they didn't know this already, they *really* haven't been paying attention.

    • Michael, 26 Jun 2014 @ 10:02am

      Re:

      Crooks don't know that they shouldn't leave their Facebook account logged in when they leave the scene of a burglary.

  • Anonymous Coward, 26 Jun 2014 @ 6:46am

    Trust

    Most people trust their fellow humans. Malware peddlers exploit that.

    • Anonymous Coward, 26 Jun 2014 @ 6:58am

      Re: Trust

      ha ha ha... most people do NOT trust their fellow humans. Proven the world and history over, most people just cannot be trusted. Do you trust Bush? How about Obama?

      You Trust your Bank right? How about your Doctor? How much would you trust them if they had no legal reason to protect your private info?

      Yea, think about it some... we develop relationships as a mechanism to encourage trust to WORK out, not because we actually trust. And that same mechanism of relationship is used to punish those betraying that trust!

  • Anonymous Coward, 26 Jun 2014 @ 6:51am

    You forgot a few questions. Is my anti-malware/anti-virus white-listing state-sponsored malware? Has my download from an otherwise trusted source been altered on the fly by a man-in-the-middle attack?

  • Anonymous Coward, 26 Jun 2014 @ 6:53am

    $87.60 per year

    does not seem worth it...

    How about AT LEAST $1 per hour and we can discuss.

    • Call me Al, 26 Jun 2014 @ 8:32am

      Re: $87.60 per year

      Chances are my electricity bill would be higher than that if my computer was running 24/7.

      • Chronno S. Trigger, 26 Jun 2014 @ 8:46am

        Re: Re: $87.60 per year

        Your electric bill would be over $720 a month? I run a higher end PC as a file server, it never shuts down. My electric bill never got over $120 a month.

        A dollar an hour to rent my processor power? I'd be tempted to take it. I've got enough horse power, I can run another VMWare slice in NAT with a nice firewall. Eh, who am I kidding, I'd take it.

        • Michael, 26 Jun 2014 @ 10:06am

          Re: Re: Re: $87.60 per year

          I'm pretty sure he was joking and also probably referring to the $87.60 per year.

          $1 per hour is something I would take. I have plenty of capacity to run more VM's on my network, so my setup cost would be zero. Frankly, if I could find someone that would give me $1 per hour and not notice that I was running a couple dozen, I could retire.

  • Gracey, 26 Jun 2014 @ 7:08am

    [And when participants were offered $1 per hour, that figure rose to 43%.]

    Nope, not even for $1 an hour.

    Maybe, (just maybe) if they offered more like $10/hr, I'd set up my old desktop with nothing but the OS on it and set it up there, making sure my other computers blocked all access to that one.

    Cause, well ... why not? Nothing on the computer but a bare OS and no personal information. Hook up my old wired router to our old (still active internet service) and let them have their fun while I pocket a little free change.

    But not for any amount of money would I install something like that on any current system I'm using.

  • Anonymous Coward, 26 Jun 2014 @ 7:27am

    Far too stupid to computer. They can have access to a VM for 1¢ an hour.

  • Michael, 26 Jun 2014 @ 7:40am

    I would add my 2 cents to this discussion, but they still have not sent me my check.

  • Anonymous Coward, 26 Jun 2014 @ 8:00am

    and this, my friend, is why America has stupid and/or corrupt politicians. Because we have stupid voters.

  • Rekrul, 26 Jun 2014 @ 8:10am

    So did they actually pay the people who ran the program?

    • Michael, 26 Jun 2014 @ 8:26am

      Re:

      After they sucked all of the money out of the bank accounts of the participants, they had plenty to send out checks.

  • jo, 26 Jun 2014 @ 8:51am

    Yes. I received an email from my local Post Office telling me they had a package for me but it was too big to deliver to my PO Box. The email had a Please print this label and bring it with you. Oh sure. One I know how the locals work and 2 Norton didn't like it at all.

  • Anonymous Coward, 26 Jun 2014 @ 9:06am

    Time and again, over and over, it has been proven it is the end user that is the weak link. Poor password security, poor password selection, poor judgement on what to click or not click; nothing in this study really goes to show this is where the main core problem is.

    It really doesn't matter what OS you run. Fanboi or not of whatever your choice OS is, there is malware out there for you. Some time ago, there was an article on a malware that would serve your version compatible with your OS and would distinguish which you had before downloading it to you. Apple has gone over the 10% usage boundary making it a target for malware, Linux is right behind it.

    As many have made mention of, this is a poorly thought out study. It assumes that running something for a student to assist them in school should be a flag. I wonder if they have thought this through to the next logical step where once burned, no one will be willing to help scholastically. They've set it up to damage that trust that many have. It's akin to the infringement people that are constantly shooting themselves in their own foot.

    • John Fenderson, 26 Jun 2014 @ 9:26am

      Re:

      "it is the end user that is the weak link."

      A million times this. The main purpose of most consumer antimalware software is really to protect the computer from the user making stupid decisions. Unfortunately, it's impossible to completely protect a computer against stupidity.

      I know a lot of computer professionals who have never run antimalware software on their machines, but have never had any sort of intrusion. They do this through rigorous safe computing practices.

      • Rich Kulawiec, 26 Jun 2014 @ 10:17am

        Re: Re:

        And that is why I advise everyone who runs a computing operation to start with the presumption that their users are lazy, careless, ignorant, hasty, gullible, naive, sporadically insane and sometimes outright hostile...and defend accordingly.

        Almost nobody takes that advice.

        The consequences of that unfortunate decision are predictable and plentiful.

    • Michael, 26 Jun 2014 @ 10:13am

      Re:

      once burned, no one will be willing to help scholastically

      First, you assume dumb people learn from their mistakes. Second, you assume that we will somehow eventually run out of dumb people.

      22% of people fell for this at 1 cent per hour. Multiply the population of the world - or even the US by 22% and you have a rather large sucker pool to hit up.

  • Anonymous Coward, 26 Jun 2014 @ 1:46pm

    While I don't necessarily disagree with the general conclusions of the study (people are naive about the software they install), the methodology is iffy at best. For one thing, Mechanical Turk is a terrible place to find a research study sample. And, like many other commenters have pointed out, there's no way the researchers could know that their "subjects" were running the software on their own computers, instead of a VM, internet cafe, etc.

  • Anonymous Coward, 26 Jun 2014 @ 3:31pm

    You forgot the most important advice. Switch to GNU/Linux!

    "In fact, Dye told WSJ that he estimates traditional antivirus detects a mere 45 percent of all attacks."

    http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html

  • KoD, 27 Jun 2014 @ 6:23am

    So all I need to safely make an extra $1/hr is a VM?
