Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That
from the nothing-to-hide,-or-too-stupid-to-computer? dept
There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.
The researchers from the Carnegie Mellon University CyLab who carried out this work tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.
Even though a participant's machine would give them a pop-up warning when they started the download, telling them that this application wanted higher-level access to essential security services, 22% of them went ahead and downloaded it. And when participants were offered $1 per hour, that figure rose to 43%.
With more than 1,700 downloads, the application was run about 960 times, meaning that just over half of participants fell for the ruse. Alarm bells should have rung, but they were apparently not heeded.
The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than that it would pay them for their processing power, but they didn't seem to mind.
The ethics of this research are certainly potentially dubious. Individuals were lured into downloading this application for a seemingly good cause and we know nothing of their financial circumstances. It's a scenario that many of us can recognise in one way or another, though. We may not get a financial reward for downloading applications, but how often do we click away warnings so we can get an app that offers us some other incentive, such as access to free music or movies?
Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.
It is an old adage, but it is still very important to remember – if it looks too good to be true, it probably is. Do not install any application without checking if the source is reputable. Free is often good, but free on the internet comes with many risks. This is particularly true for sites offering access to illegal movies or adult content.
Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.
Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?
This all may seem tedious, but it pays to be cautious. Recent incidents have taught us that there are plenty of people out there who will take advantage of anyone who hasn't protected themselves properly. Whether this research shows that we just can't be bothered to read the pop up warnings our computers send us when we click and install or whether it shows that we are even more willing to compromise our security in the name of a quick buck, it should make us think twice about how blindly we click. Just as any character in literary history will tell you, selling your soul rarely turns out to be a good deal.
Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organization that would benefit from this article, and has no relevant affiliations.
This article was originally published on The Conversation. Read the original article.
Reader Comments
*chuckles
[ link to this | view in chronology ]
Re: Re:
Be careful about doing this: there exists malware that can break out of the VM and infect the actual machine.
[ link to this | view in chronology ]
Many have done that for much less.
[ link to this | view in chronology ]
now this is what I call a biased study!
You can't get a meaningful read on a group's willingness to undermine their own security when the group chosen has clearly demonstrated a lack of interest or intelligence with respect to security. Pick another operating system... **ANY** operating system besides Windows... and then rerun the study to get some meaningful data.
[ link to this | view in chronology ]
Re: now this is what I call a biased study!
But as a real-world case study, it's spot-on, because it squarely targets point #5 here:
The Six Dumbest Ideas in Computer Security
By the way, Ranum's editorial/essay/rant is the most brilliant thing I've ever read on the subject of security, and I've read a lot over a very long time. An extremely good algorithm for site security is:
1. Read that essay.
2. Figure out which of these dumb ideas you're doing.
3. Try to correct them.
4. Return to step 1.
[ link to this | view in chronology ]
Re: Re: now this is what I call a biased study!
The Two Dumbest Ideas in Tech Writing:
1. Half-hearted attempts at humor are sufficient to disguise an underlying tone of sneering condescension.
2. Nobody has ever ignored a good idea just because of an inelegant presentation.
[ link to this | view in chronology ]
Re: now this is what I call a biased study!
So, your definition of a meaningful study into the security habits of the general public is to pick an operating system not used by a majority of the general public? Then, you'd base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security? Think about that, and how much bias there would be there!
There's a number of flaws I can spot here, ranging from the venue chosen to the fact that it did not completely account for the use of UAC and some other factors that came immediately to mind. But, the OS chosen isn't really a problem, given the type of user it was meant to study.
[ link to this | view in chronology ]
Re: Re: now this is what I call a biased study!
Judging from my experience with the "average" Linux user, the results would be about the same. I know far too many people who use Linux that are far less secure than they realize. They think they're L33T, but they're not.
This is not to slam Linux or its higher end users, but just like any operating system, it's only as secure as its end user. Windows in the right hands can be far more secure than Linux in the wrong hands.
[ link to this | view in chronology ]
Re: Re: Re: now this is what I call a biased study!
I'm in the IT field and I can confirm with 99% certainty that the biggest security threat is the end user.
[ link to this | view in chronology ]
Re: Re: Re: now this is what I call a biased study!
But, chances are that a person who really hasn't got a clue will be using Windows. The old saying that a little knowledge is more dangerous than no knowledge holds true, but the truly clueless still gravitate toward Microsoft in my experience.
[ link to this | view in chronology ]
Implicit trust
People will trust a school asking people to be part of paid research. They would trust the school to be running a computational study and wouldn't consider it to be a psychology experiment.
Try the experiment again, but instead advertise on classifieds (i.e. craigslist) and make no reference to academia. It still pays better than bitcoins on an old rig, so you might get some takers but I'd bet it'd be much less than 20% of the page views.
[ link to this | view in chronology ]
Re: Implicit trust
Good tip - for all of you running phishing operations, make sure to refer to yourselves as "school researchers" rather than "wealth re-locators" or "shady companies".
[ link to this | view in chronology ]
Re: Implicit trust
this...
I think the experiment was doomed the moment the user had their trust biased with "academic" association, however from the original paper:
[ link to this | view in chronology ]
If they didn't know this already, they *really* haven't been paying attention.
[ link to this | view in chronology ]
Re: Trust
You Trust your Bank right? How about your Doctor? How much would you trust them if they had no legal reason to protect your private info?
Yea, think about it some... we develop relationships as a mechanism to encourage trust to WORK out, not because we actually trust. And that same mechanism of relationship is used to punish those betraying that trust!
[ link to this | view in chronology ]
$87.60 per year
How about AT LEAST $1 per hour and we can discuss.
[ link to this | view in chronology ]
Re: Re: $87.60 per year
A dollar an hour to rent my processor power? I'd be tempted to take it. I've got enough horse power, I can run another VMWare slice in NAT with a nice firewall. Eh, who am I kidding, I'd take it.
[ link to this | view in chronology ]
Re: Re: Re: $87.60 per year
$1 per hour is something I would take. I have plenty of capacity to run more VM's on my network, so my setup cost would be zero. Frankly, if I could find someone that would give me $1 per hour and not notice that I was running a couple dozen, I could retire.
[ link to this | view in chronology ]
Nope, not even for $1 an hour.
Maybe, (just maybe) if they offered more like $10/hr, I'd set up my old desktop with nothing but the OS on it and set it up there, making sure my other computers blocked all access to that one.
Cause, well ... why not? Nothing on the computer but a bare OS and no personal information. Hook up my old wired router to our old (still active internet service) and let them have their fun while I pocket a little free change.
But not for any amount of money would I install something like that on any current system I'm using.
[ link to this | view in chronology ]
It really doesn't matter what OS you run. Fanboi or not of whatever your choice OS is, there is malware out there for you. Some time ago, there was an article on a malware that would serve your version compatible with your OS and would distinguish which you had before downloading it to you. Apple has gone over the 10% usage boundary making it a target for malware, Linux is right behind it.
As many have made mention of, this is a poorly thought out study. It assumes that running something for a student to assist them in school should be a flag. I wonder if they have thought this through to the next logical step where once burned, no one will be willing to help scholastically. They've set it up to damage that trust that many have. It's akin to the infringement people that are constantly shooting themselves in their own foot.
[ link to this | view in chronology ]
Re:
A million times this. The main purpose of most consumer antimalware software is really to protect the computer from the user making stupid decisions. Unfortunately, it's impossible to completely protect a computer against stupidity.
I know a lot of computer professionals who have never run antimalware software on their machines, but have never had any sort of intrusion. They do this through rigorous safe computing practices.
[ link to this | view in chronology ]
Re: Re:
Almost nobody takes that advice.
The consequences of that unfortunate decision are predictable and plentiful.
[ link to this | view in chronology ]
Re:
First, you assume dumb people learn from their mistakes. Second, you assume that we will somehow eventually run out of dumb people.
22% of people fell for this at 1 cent per hour. Multiply the population of the world - or even the US by 22% and you have a rather large sucker pool to hit up.
[ link to this | view in chronology ]
"In fact, Dye told WSJ that he estimates traditional antivirus detects a mere 45 percent of all attacks."
http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
[ link to this | view in chronology ]