Jeff Atwood of Coding Horror wrote some months back on the fake user interface, and its ability to trick innocent users into running malicious software. It was on my to-do list for a while, but now I noticed a link to another post from three years ago, discussing the “dancing bunnies” problem (aka the “dancing pigs” problem), as formulated by Larry Osterman:
It’s a description of what happens when a user receives an email message that says “click here to see the dancing bunnies”.
The user wants to see the dancing bunnies, so they click there. It doesn’t matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they’re going to see the dancing bunnies. It doesn’t matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they’re going to go and see the dancing bunny.
Dance, Bunny! Dance!
The original discussion back then was as to the need for antivirus. Today we regularly use antivirus, adware removal, spyware detection, anti-phishing, spam filters, firewalls, server-side protection, permission management, homepage kidnapping prevention, internet zones and site certificates, and people still want to see the dancing bunnies! Only problem is, their PCs are so slow due to all the security software that they can’t get it running.
Now, what if we were just walking down the street and someone said “Hey, bud, want to see some dancing bunnies?”
You’d probably run like hell, won’t you? Look INSIDE the box? What are you, crazy or something? Every alarm system in your head will go off if someone just came towards you looking like that. The problem is, we don’t see emails and web pages as shady little guys with gray trench coats and hats going “Hey, bud”. We’re too used to TV and books, and TV and books can’t hurt you, can they?
Whom Can You Trust?
When I access my work mail from the web, I get a security warning about an expired certificate. That’s OK; our IT goes “that’s our warning”. Just confirm it anyway. Internet Explorer warns me every time, while Firefox lets me set a permanent exception, so I’m using Firefox for mail access even though it looks a little strange. My OS warns me about running any file that’s not local, and the first time I run a file I downloaded.
It really does beat the point, does it? On one side, there are all these friendly interfaces and authoritative messages, on the other side, tired warnings and checkboxes that say, “Always allow”. Besides, we really do want to see the dancing bunnies.
I don’t even believe in the “virtual sandbox OS” suggested by Jeff. How about this:
You’d confirm it in a second, because you trust the friendly sites, because you are used to the nice emails from friends sending you dancing bunnies. More dancing bunnies please.
Websites are Strangers in Dark Alleys
Until this realization is hammered deep into the user’s mind, no security can be good enough. We must tap into the same inner protocols that intuitively make us realize danger is about. None of these friendly notifications will do. Here is my suggestion for a warning screen:
The picture will change randomly, of course. If you click on that without considering physical harm, well, bud, you have worse problems than viruses.
Maybe I’m being naïve. What do you think?