There are many examples where users are now being inundated with pop-up messages asking them to respond to things they don't know about or don't understand, and it leads to weaker security overall.
Context and knowledge is everything. With it, the strangest things can make sense; without it, the strangest things sound, well, strange. For instance, I like to keep track of some of the conversations my wife Denise and I have, as many of them are positively surreal. Recently I stumbled across this fragment, written in March 2003.
Scott: Why are there so many pickles in the kitchen sink?
Denise: Because I was cleaning out the bathroom!
At the time, this probably made complete sense, but looking back now, from almost three years, I have no idea at all why scrubbing toilets and tubs necessitates loading the kitchen sink up with pickles. Or rather, I have some ideas, but I just don't want to go there.
It's not only domestic situations worthy of Christoper Durang that stress the importance of context and knowledge, but also language itself. Robert Lane Greene published an excellent piece in Slate titled "I'm Trying To Learn Arabic: Why's it taking so long?" that contained a description that made me understand just why Arabic would be very, very hard to learn.
"Arabic is a VSO language, which means the verb usually comes before the subject and object. It has a dual number, so nouns and verbs must be learned in singular, dual, and plural. A present-tense verb has 13 forms. There are three noun cases and two genders. Some European languages have just as many forms to keep track of, but in Arabic the idiosyncrasies can be mind-boggling. When Karam explains that numbers are marked for gender - but most numbers take the opposite gender from the word they are modifying - we students stare at each other in slack-jawed solidarity. When we learn that adjectives modifying nonhuman plurals always have a feminine singular form - meaning that 'the cars are new' comes out as 'the cars, she are new' - I can hear heads banging on the desks around me."
When I read that, I thought "Arabic? That's Greek to me!" (actually, that sounds more like something Denise would say), but then I realized that most of the people I run into every day would find the kinds of discussions we have on SecurityFocus - about computers, technology, and security - pretty much as incomprehensible as the dialog between Denise and I, or what Arabic is to Robert Lane Greene. Even the simple stuff - like don't click on attachments, or don't accept strange ActiveX controls, or update your anti-virus software - comes across like adjectives modifying nonhuman plurals using the feminine singular form: guaranteed to induce a "Huh?" or a glassy-eyed stare more than understanding.
Software and hardware makers have tried to compensate for this lack of knowledge and context in users in a variety of ways, and there's still a healthy debate to be had about the best way to work with Joe Average User. On one extreme, it can be argued that software and hardware should just do stuff without the user's involvement at all, because the system should know best. Virus scanning just happens in the background, and if a virus is found, it's taken care of. Why bother the user? Just do what needs to be done without informing Aunt Alice what happened, since she won't understand it anyway, and everyone's happy.
On the other extreme, you have those that believe that the user should be in charge at all times, and that it's the user's responsibility to learn how to use his or her own damn computer. The user should know how to set up her firewall, should make her own decision about what to do if a virus is found, and should be able to find out and remove any unnecessary programs that are loading on system startup.
Both of those extremes are pretty unrealistic, and it seems that most of the three major operating systems in use today - Windows, Mac OS, and Linux - come down somewhere in the middle. Oh, sure, different items in each OS will lean a bit closer towards one extreme than the other, but overall they take a middle path: notify the user as to what's going on most of the time, and let him make a choice, but phrase things in a simplified manner so even those without strong technical knowledge can participate in the decision-making process.
But that way too leads to problems, the kind of problem discovered by Professor of Psychology Robert Provine. Provine studies laughter, and determined that when people hear the sound of laughter, they laugh too. However, this reaction doesn't last forever. The more they heard, the less likely they were to laugh in return, and after the tenth clip of laughter, many were grimacing.
Now, think about how most operating systems deal currently with notifying the user. Windows Defender (the new name for the anti-spyware software Microsoft bought) leaves a window open after it finishes running. The Windows Firewall pops up a notice from the System Tray every time new software is installed that wants to open when you boot Windows, or whenever a new program tries to accept connections from outside your machine. Virtually every firewall product for Windows does the same thing. If Auto Update is set in Windows, a user may notice a little popup appear - again near the System Tray - informing him that new downloads have been installed on his computer. In fact, that little popup makes its first appearance right after a user boots her new Windows XP machine for the first time, when she's asked if she wants to create a Passport account.
The worst offender when it comes to creating a flurry of popup warnings, though, is undoubtedly Internet Explorer. Enter your password on a site? IE offers to remember it for you, with a popup. Hit a site whose certificate isn't up to date? IE warns you, with a popup. Go from an HTTP site to an HTTPS one? IE warns you, with a popup. Leave that HTTPS site for an HTTP one instead? IE warns you, with a popup. Popups everywhere!
Yes, I know that you could change your settings to disable most of these warnings. But will Joe Average User do that? Of course not. And I know that you can check boxes on those popups informing IE that you don't wish to be informed all the time. But you know what? I've taught classes in computer labs for years, and I'll walk around and gape in astonishment as I see my students press OK on those boxes - over and over and over and over again - and never once check the box that would banish those popups forever. They simply don't read the warning text; instead, they click on the OK button as fast as possible to close the box, ignoring the fact that the box may open back up in just a minute or two again.
IE's not the only browser that displays popups to the user. Firefox does this as well, but (unsurprisingly) it's a lot smarter about it. IE's default is to show the warning every single time, unless the user explicity tells it not to; Firefox shows the user the warning the first time, but the checkbox is to turn on the constant warnings, the exact opposite of IE's, which is to turn off the warnings. Since users don't read the box anyway, they press OK, and they never see another warning about entering HTTPS sites again.
The question comes down to, "What is the best way to inform your users without overwhelming them?" If you overwhelm them, they stop paying attention, and that doesn't help anyone. Constant popups of windows, warnings, and widgets don't help the user at all, and may in fact make them far more vulnerable. In fact, at one school I know, the Technology Coordinator's advice to his teachers was "If you see a box popup on your computer, just press OK." I'm sure that will definitely reduce the number of times he gets asked about popups, at least until a computer - or his network - gets engulfed in an virus infestation. Or worse.
Debian, the venerable Linux distro, has an interesting answer to this problem, at least when it comes to installing software. When a Debian user installs a new package, a program named "debconf" steps in to help configure the software by asking questions ... sometimes a lot of complicated, pretty technical questions. But debconf is also configurable so that users with different knowledge and skill levels get asked different questions. The debconf program desribes those four levels as follows:
• 'critical' only prompts you if the system might break. Pick it if you are a newbie, or in a hurry.
• 'high' is for rather important questions
• 'medium' is for normal questions
• 'low' is for control freaks who want to see everything
It's possible for users to change which level they want, but most Debian-based distros come pre-configured out of the box with a particular level already chosen. K/Ubuntu, for instance, is set to "critical", so that users hardly ever get asked difficult questions that many couldn't answer anyway. The beauty, however, is that the system adjusts itself based on the needs of users. Are you a newbie? Then "critical" is right for you. Control freak? Go with "low." Busy, but still want to know what's going on with your box? Try "high." And so on.
So why don't we see more of this? Why doesn't Windows work this way? Or Mac OS X? Or even more aspects of Linux? When a user first logs in, why isn't she asked to assess her skill level so that the system can respond accordingly? If Debian - traditionally thought of as one of the more hard-core Linux distros, although user-friendly versions like K/Ubuntu are changing that perception - can do it, why can't Microsoft? Or Apple? Or Red Hat? Or GNOME or KDE?
When most users are constantly faced with an overwhelming series of popups, notifications, and warnings, they stop paying attention. They have to. It's just too much information for them, and too often it's so incomprehensible that it might as well be written in Arabic. Better to try and target warnings and messages to a user's needs, so that when one appears, it will be taken seriously by a user and correctly acted upon. To me, that makes a lot more sense.
And now, if you'll excuse me, I'm off to clean pickles out of my kitchen sink. Don't ask ... you wouldn't understand.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
Copyright © 2005, SecurityFocus
This article was originally published at SecurityFocus.