Do I feel lucky markets in everything?

Posted June 20, 2014 at 2:06 am in Economics, Law, Uncategorized, Web/Tech

Here is a new paper by Christin, Egelman, Vidas, and Grossklags, entitled “It’s All About the Benjamins”:

We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice—not to run untrusted executables—if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

The article is here (pdf); for the pointer I thank Bruce Schneier.

Nathan W June 20, 2014 at 2:11 am

Funny, I almost decided not to install an ad-blocker to reduce space requirements for Zotero project management on Firefox, until I noticed that the origin of the file was mozilla.org. Maybe I’m naive and have too much confidence in open source, but I trust open source more than closed source. At least there’s a half a chance to find the bugs before they find us.

Dan Weber June 20, 2014 at 9:23 am

Trusting it because it comes from “mozilla.org” is the same as trusting it because it comes from “microsoft.org”.

Application security people are really busy, and there’s no reason to think they are reviewing everything mozilla does for free. To be fair, mozilla pays out up to $3000 for reporting a remotely exploitable bug to them; but that’s only a few days consulting fees. Pinkie Pie is good, but expensive.

Adrian Ratnapala June 20, 2014 at 2:27 am

Of course the point of malware is to cause more inconvenience than the user expects. “Why is my computer so slow” (it’s a zombie used by gangsters to crack passwords). “Why do I have these mysterious payments from my bank account” (malware stole your login details).

In many times and places you could have done a study that concluded: “We conclude that citizens are generally unopposed to drinking water containing faeces of unknown provenance, so long as their incentives exceed their inconvenience.”

carlospln June 20, 2014 at 2:27 am
Dan Weber June 20, 2014 at 9:14 am

I prefer “shneer”

Rahul June 20, 2014 at 2:36 am

“untrusted executables” is, in itself, a strange phrase.

I’m not sure we have any good way to decide if & how to trust an executable.

Alex Godofsky June 20, 2014 at 8:16 am

If it’s signed by a trusted certificate.

Dan Weber June 20, 2014 at 9:14 am

Ha ha, good one!

Chris June 20, 2014 at 2:41 am

I’m no expert in these things but I presume there is a possibility that the “user” was a machine remotely controlled by a hacker.

So Much for Subtlety June 20, 2014 at 3:52 am

How does this differ from the well-known effect of paying a prostitute more money not to wear a condom? (Not that I would know about such things I hasten to add, just that a lot of economists seem to do research in this area)

Isn’t this both obvious and trivial?

dan1111 June 20, 2014 at 4:19 am

The fact that people will run dangerous software for money is not particularly interesting. However, the fact that they will do so for $1 or less is.

Rahul June 20, 2014 at 5:22 am

Page 10 of the paper:

“…40% of the respondents came from India…”

dan1111 June 20, 2014 at 5:55 am

Yeah, that makes it a bit less interesting.

Willitts June 20, 2014 at 11:34 am

Good point, but the number of people in India makes this absolute statistic of 40% less impressive.

Someone from the other side June 20, 2014 at 4:17 am

Clone a VM to run something for 1USD? Naaa….

Rahul June 20, 2014 at 5:18 am

Page 6 of the paper: Virtual Machine Detection.

Essentially, no go.

JWatts June 20, 2014 at 2:11 pm

“Clone a VM to run something for 1USD? Naaa….”

Clone? Of course not. However, take a Snapshot, run the executable, then roll back to the Snapshot, maybe.

Someone from the other side June 21, 2014 at 3:36 am

That in my book is a variant of cloning. Especially if you are on a COW filesystem…

nl7 June 20, 2014 at 8:30 am

I would read the money as evidence that the sponsor has good faith. Who would pay a dollar each to target random computers?

dan1111 June 20, 2014 at 10:24 am

This is a good point.

Willitts June 20, 2014 at 11:32 am

It is an excellent point, unless the expected value of the hack exceeds a dollar.

Let’s remember that the experiment is contrived. To the benign researchers, it was worth a buck from a research grant.

Malicious hackers would likely not get a dollar of benefit, but it is not inconceivable that they could, especially if the code spreads.

Willitts June 20, 2014 at 11:29 am

Another example of Rational ≠ Smart.
