I’ve seen a couple of interesting things lately. The first was a post on one of the Mozilla newsgroups explaining how little people are really educated about security in general, and pop-up warnings more specifically, and how it takes a lot of time and effort to get people to actually think before they act when a warning pops up and tries to get some useful feedback.
The story posted to the Mozilla group went along these lines: a user gets a Windows computer infected; a computer-literate friend reformats the computer, installs ZoneAlarm et al., and tells the user to only click OK on warning messages that pop up directly after running a program. The user gets re-infected, and the friend asks, “But didn’t you use ZoneAlarm correctly?”, to which the user replies, “Yes, I clicked OK every time a warning came up”.
The moral of this story is that a little education can go a long way, or alternatively just use a Mac or Linux and problem solved.
Next up, a link just sent to me about an online banking server (within a server farm) in New Zealand that was transmitting an expired certificate for about 11 hours. After trawling through their logs they found that, out of 300 users that potentially received pop-up warnings, only 1 user refused to continue using the website. The bank in the article tried to downplay the incident, saying that most people possibly saw that the warning was for an out-of-date certificate and the users correctly assumed very little was wrong. I think the paper doing the article should have really gone to town berating both the bank for letting this happen and the end users, while correct this time, for simply clicking through a warning. With all the phishing scams, and people being stupid enough to let themselves get ripped off left, right and center, you’d think the rest of society would have gained a clue by now, but that just doesn’t seem like it’s going to happen any time soon with all the manually user-installed viruses doing the rounds.
In reality this is nothing new. After all, the people that get infected time and time again generally don’t care, and this will continue to happen until they’re forced to care, usually when they lose their bank/credit card information to some scammer; then they will be screaming blue murder about how they weren’t protected when in actual fact they’re not proactively doing enough to protect themselves. People proactively protect themselves in their day-to-day lives from mugging (i.e. not walking down a dark alley in the middle of the night); it’s just a pity the analogies don’t quite transfer, though, I guess. Actually the internet equivalent here is having a policeman at the alley saying “I wouldn’t go any further if I were you”, and they keep going anyway.