Do I feel lucky markets in everything?

Here is a new paper by Christin, Egelman, Vidas, and Grossklags, entitled “It’s All About the Benjamins”:

We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice—not to run untrusted executables—if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

The article is here (pdf); for the pointer I thank Bruce Schneier.

Comments

Funny, I almost decided not to install an ad-blocker to reduce space requirements for Zotero project management on Firefox, until I noticed that the origin of the file was mozilla.org. Maybe I'm naive and have too much confidence in open source, but I trust open source more than closed source. At least there's a half a chance to find the bugs before they find us.

Trusting it because it comes from "mozilla.org" is the same as trusting it because it comes from "microsoft.org".

Application security people are really busy, and there's no reason to think they are reviewing everything mozilla does for free. To be fair, mozilla pays out up to $3000 for reporting a remotely exploitable bug to them; but that's only a few days consulting fees. Pinkie Pie is good, but expensive.

Of course the point of malware is to cause more inconvenience than the user expects. "Why is my computer so slow" (it's a zombie used by gangsters to crack passwords). "Why do I have these mysterious payments from my bank account" (malware stole your login details).

In many times and places you could have done a study that concluded
"We conclude that citizens are generally unopposed to drinking water containing faeces of unknown provenance, so long as their incentives exceed their inconvenience."

It's 'Schneier'.

https://www.schneier.com/blog/archives/2014/06/paying_people_t.html

I prefer "shneer"

"untrusted executables" is, in itself, a strange phrase.

I'm not sure we have any good way to decide if & how to trust an executable.

If it's signed by a trusted certificate.

Ha ha, good one!

I'm no expert in these things but I presume there is a possibility that the "user" was a machine remotely controlled by a hacker.

How does this differ from the well-known effect of paying a prostitute more money not to wear a condom? (Not that I would know about such things I hasten to add, just that a lot of economists seem to do research in this area)

Isn't this both obvious and trivial?

The fact that people will run dangerous software for money is not particularly interesting. However, the fact that they will do so for $1 or less is.

page 10 of the paper:

" ....40% of the respondents came from India...."

Yeah, that makes it a bit less interesting.

Good point, but the number of people in India makes this absolute statistic of 40% less impressive.

Clone a VM to run something for 1USD? Naaa....

Page 6 of the paper: Virtual Machine Detection.

Essentially, no go.

"Clone a VM to run something for 1USD? Naaa…."

Clone? Of course not. However, take a Snapshot, run the executable, then roll back to the Snapshot, maybe.

That in my book is a variant of cloning. Especially if you are on a COW filesystem...

I would read the money as evidence that the sponsor has good faith. Who would pay a dollar each to target random computers?

This is a good point.

It is an excellent point, unless the expected value of the hack exceeds a dollar.

Let's remember that the experiment is contrived. To the benign researchers, it was worth a buck from a research grant.

Malicious hackers would likely not get a dollar of benefit, but it is not inconceivable that they could, especially if the code spreads.

Another example of Rational ≠ Smart.
