Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That
from the nothing-to-hide,-or-too-stupid-to-computer? dept
There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.
The researchers from the Carnegie Mellon University CyLab who carried out this work tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.
Even though a participant’s machine would give them a pop-up warning when they started the download to tell them that this application wanted higher-level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.
With more than 1,700 downloads, the application was run about 960 times, meaning that just over half of participants fell for the ruse. Alarm bells should have rung, but they were apparently not heeded.
The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than that it would pay them for their processing power, but they didn’t seem to mind.
The ethics of this research are certainly potentially dubious. Individuals were lured into downloading this application for a seemingly good cause and we know nothing of their financial circumstances. It’s a scenario that many of us can recognise in one way or another, though. We may not get a financial reward for downloading applications, but how often do we click away warnings so we can get an app that offers us some other incentive, such as access to free music or movies?
Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.
It is an old adage, but it is still very important to remember – if it looks too good to be true, it probably is. Do not install any application without checking if the source is reputable. Free is often good, but free on the internet comes with many risks. This is particularly true for sites offering access to illegal movies or adult content.
Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.
Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?
This all may seem tedious, but it pays to be cautious. Recent incidents have taught us that there are plenty of people out there who will take advantage of anyone who hasn’t protected themselves properly. Whether this research shows that we just can’t be bothered to read the pop-up warnings our computers send us when we click and install or whether it shows that we are even more willing to compromise our security in the name of a quick buck, it should make us think twice about how blindly we click. Just as any character in literary history will tell you, selling your soul rarely turns out to be a good deal.
Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organization that would benefit from this article, and has no relevant affiliations.
This article was originally published on The Conversation. Read the original article.
Comments on “Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That”
But what if that malware is Windows 8.1?
*chuckles
Re: Re:
Windows 8.1 isn’t malware. It’s too dumb for that.
Re: Re:
Windows 8.1 doesn’t pay you to run it.
Can I still participate? I have a spare VM just waiting to make me money!
Re: Re:
Precisely that. In fact, I would have dug out an old physical machine I don’t give a crap about and let the code run on that (but only after verifying that the people would actually pay). There’s nothing in this article that specifies that I have to run it on my high end gaming rig. I would have configured my router to only let a minimal level of traffic from the computer reach the open internet, so as to protect against the possibility of the machine being used for a DDOS.
Re: Re: Re:
That, along with the fact that I can spin up a ridiculous number of VMs running linux and Wine means I could be making as much as a couple of dollars per day.
Re: Re: Re:
Wow, all that for .01/hour, at least when the check arrives you can put it towards your electric bill.
Re: Re:
I came into the comments section to say this. I have three old systems here with no personal information on them (two don’t even have OS’es installed right now) and I’d gladly join in this ‘study’. Hell, I may even fire up the VM that I use to test shady executables and run it on my main machine.
Re: Re: Re:
“I may even fire up the VM that I use to test shady executables and run it on my main machine.”
Be careful about doing this: there exists malware that can break out of the VM and infect the actual machine.
Many have done that for much less.
See Seti@home
now this is what I call a biased study!
Semiserious here, in that the people that conducted the study not only had their thumb on the scales, but the rest of their fingers, their fists, and their donkeys.
You can’t get a meaningful read on a group’s willingness to undermine their own security when the group chosen has clearly demonstrated a lack of interest or intelligence with respect to security. Pick another operating system… **ANY** operating system besides Windows… and then rerun the study to get some meaningful data.
Re: now this is what I call a biased study!
We could (and have) (and probably will) debate the merits of this study in an academic sense. And that’s fine.
But as a real-world case study, it’s spot-on, because it squarely targets point #5 here:
The Six Dumbest Ideas in Computer Security
By the way, Ranum’s editorial/essay/rant is the most brilliant thing I’ve ever read on the subject of security, and I’ve read a lot over a very long time. An extremely good algorithm for site security is:
1. Read that essay.
2. Figure out which of these dumb ideas you’re doing.
3. Try to correct them.
4. Return to step 1.
Re: Re: now this is what I call a biased study!
Six damn good points in that essay. Although I would hope in the nine years since it was written, mjr has learned
The Two Dumbest Ideas in Tech Writing:
1. Half-hearted attempts at humor are sufficient to disguise an underlying tone of sneering condescension.
2. Nobody has ever ignored a good idea just because of an inelegant presentation.
Re: now this is what I call a biased study!
“Pick another operating system… ANY operating system besides Windows… and then rerun the study to get some meaningful data.”
So, your definition of a meaningful study into the security habits of general public is to pick an operating system not used by a majority of the general public? Then, you’d base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security? Think about that, and how much bias there would be there!
There’s a number of flaws I can spot here, ranging from the venue chosen to the fact that it did not completely account for the use of UAC and some other factors that came immediately to mind. But, the OS chosen isn’t really a problem, given the type of user it was meant to study.
Re: Re: now this is what I call a biased study!
“Then, you’d base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security?”
Judging from my experience with the “average” Linux user, the results would be about the same. I know far too many people who use Linux that are far less secure than they realize. They think they’re L33T, but they’re not.
This is not to slam Linux or its higher end users, but just like any operating system, it’s only as secure as its end user. Windows in the right hands can be far more secure than Linux in the wrong hands.
Re: Re: Re: now this is what I call a biased study!
^ This. A million times this.
I’m in the IT field and I can confirm with 99% certainty that the biggest security threat is the end user.
Re: Re: Re:2 now this is what I call a biased study!
Actually, it is 72% end user, 21% the NSA, and 11% bad statistics.
Re: Re: Re: now this is what I call a biased study!
Oh sure, if you don’t know what you’re really doing, you’re not secure, whichever OS you choose. This is true no matter the OS. It’s also true that newer versions of Windows are much more secure out of the box than they used to be, but the user’s actions really determine its status.
But, chances are that a person who really hasn’t got a clue will be using Windows. The old saying that a little knowledge is more dangerous than no knowledge holds true, but the truly clueless still gravitate toward Microsoft in my experience.
Implicit trust
they were told that it was for an academic study
People will trust a school asking people to be part of paid research. They would trust the school to be running a computational study and wouldn’t consider it to be a psychology experiment.
Try the experiment again, but instead advertise on classifieds (ie craigslist) and make no reference to academia. It still pays better than bitcoins on an old rig, so you might get some takers but I’d bet it’d be much less than 20% of the page views.
Re: Implicit trust
People will trust a school asking people to be part of paid research
Good tip – for all of you running phishing operations, make sure to refer to yourselves as “school researchers” rather than “wealth re-locators” or “shady companies”.
Re: Implicit trust
+999
this…
I think the experiment was doomed the moment the user had their trust biased with “academic” association, however from the original paper:
“Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.”
If they didn’t know this already, they *really* haven’t been paying attention.
Re: Re:
Crooks don’t know that they shouldn’t leave their Facebook account logged in when they leave the scene of a burglary.
Trust
Most people trust their fellow humans. Malware peddlers exploit that.
Re: Trust
ha ha ha… most people do NOT trust their fellow humans. Proven the world and history over, most people just cannot be trusted. Do you trust Bush? How about Obama?
You Trust your Bank right? How about your Doctor? How much would you trust them if they had no legal reason to protect your private info?
Yea, think about it some… we develop relationships as a mechanism to encourage trust to WORK out, not because we actually trust. And that same mechanism of relationship is used to punish those betraying that trust!
You forgot a few questions. Is my anti-malware/anti-virus white-listing state-sponsored malware? Has my download from an otherwise trusted source been altered on the fly by a man-in-the-middle attack?
$87.60 per year
does not seem worth it…
How about AT LEAST $1 per hour and we can discuss.
Re: $87.60 per year
Chances are my electricity bill would be higher than that if my computer was running 24/7.
Re: Re: $87.60 per year
Your electric bill would be over $720 a month? I run a higher end PC as a file server, it never shuts down. My electric bill never got over $120 a month.
A dollar an hour to rent my processor power? I’d be tempted to take it. I’ve got enough horse power, I can run another VMWare slice in NAT with a nice firewall. Eh, who am I kidding, I’d take it.
Re: Re: Re: $87.60 per year
I’m pretty sure he was joking and also probably referring to the $87.60 per year.
$1 per hour is something I would take. I have plenty of capacity to run more VM’s on my network, so my setup cost would be zero. Frankly, if I could find someone that would give me $1 per hour and not notice that I was running a couple dozen, I could retire.
[And when participants were offered $1 per hour, that figure rose to 43%.]
Nope, not even for $1 an hour.
Maybe, (just maybe) if they offered more like $10/hr, I’d set up my old desktop with nothing but the OS on it and set it up there, making sure my other computers blocked all access to that one.
Cause, well … why not? Nothing on the computer but a bare OS and no personal information. Hook up my old wired router to our old (still active internet service) and let them have their fun while I pocket a little free change.
But not for any amount of money would I install something like that on any current system I’m using.
Far too stupid to computer. They can have access to a VM for 1¢ an hour.
I would add my 2 cents to this discussion, but they still have not sent me my check.
and this, my friend, is why America has stupid and/or corrupt politicians. Because we have stupid voters.
So did they actually pay the people who ran the program?
Re: Re:
After they sucked all of the money out of the bank accounts of the participants, they had plenty to send out checks.
Yes. I received an email from my local Post Office telling me they had a package for me but it was too big to deliver to my PO Box. The email had a “Please print this label and bring it with you.” Oh sure. One I know how the locals work and 2 Norton didn’t like it at all.
Time and again, over and over, it has been proven it is the end user that is the weak link. Poor password security, poor password selection, poor judgement on what to click or not click; nothing in this study really goes to show this is where the main core problem is.
It really doesn’t matter what OS you run. Fanboi or not of whatever your choice OS is, there is malware out there for you. Some time ago, there was an article on a malware that would serve your version compatible with your OS and would distinguish which you had before downloading it to you. Apple has gone over the 10% usage boundary making it a target for malware, Linux is right behind it.
As many have made mention of, this is a poorly thought out study. It assumes that running something for a student to assist them in school should be a flag. I wonder if they have thought this through to the next logical step where once burned, no one will be willing to help scholastically. They’ve set it up to damage that trust that many have. It’s akin to the infringement people that are constantly shooting themselves in their own foot.
Re: Re:
“it is the end user that is the weak link.”
A million times this. The main purpose of most consumer antimalware software is really to protect the computer from the user making stupid decisions. Unfortunately, it’s impossible to completely protect a computer against stupidity.
I know a lot of computer professionals who have never run antimalware software on their machines, but have never had any sort of intrusion. They do this through rigorous safe computing practices.
Re: Re: Re:
And that is why I advise everyone who runs a computing operation to start with the presumption that their users are lazy, careless, ignorant, hasty, gullible, naive, sporadically insane and sometimes outright hostile…and defend accordingly.
Almost nobody takes that advice.
The consequences of that unfortunate decision are predictable and plentiful.
Re: Re:
once burned, no one will be willing to help scholastically
First, you assume dumb people learn from their mistakes. Second, you assume that we will somehow eventually run out of dumb people.
22% of people fell for this at 1 cent per hour. Multiply the population of the world – or even the US by 22% and you have a rather large sucker pool to hit up.
While I don’t necessarily disagree with the general conclusions of the study (people are naive about the software they install), the methodology is iffy at best. For one thing, Mechanical Turk is a terrible place to find a research study sample. And, like many other commenters have pointed out, there’s no way the researchers could know that their “subjects” were running the software on their own computers, instead of a VM, internet cafe, etc.
You forgot the most important advice. Switch to GNU/Linux!
“In fact, Dye told WSJ that he estimates traditional antivirus detects a mere 45 percent of all attacks.”
http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
So all I need to safely make an extra $1/hr is a VM?