Wednesday, 24 September 2008

Pop-ups held in contempt

To click or not to click? That is a question internet users have to ask themselves frequently. When a pop-up message appears on the screen it's often hard to know whether to click OK, Cancel or the 'X' button at the top-right of the window. The pop-up could be a genuine system message, a firewall alert or a fake prompt designed to install malware on the computer. But unless you're thoroughly clued-up, you probably won't notice the difference.

When faced with a pop-up message it can be hard to choose the right answer, but it seems that normal users (who aren't obsessed with internet security) don't really see this choice as something worth serious consideration. They will just click whatever button makes the pop-up go away. This contempt for pop-up messages makes the life of online criminals easier. It should also cause concern for anti-virus companies that rely on customers making the right choices when faced with pop-up alerts generated by their products.

Over the last few months I've been heavily involved in testing anti-malware software. This process has included joining AMTSO (Anti-Malware Testing Standards Organisation), developing dynamic and realistic anti-virus tests, as well as discussing how normal people respond when faced with a pop-up window.

Lots of anti-virus programs display messages at the moment when the system is exposed to a threat. Some of these pop-ups provide information only, and disappear of their own accord. Others require the user to decide what the product does next.

When this happens, a product that gives its user a hint (such as making a particular choice the default, usually by highlighting the appropriate button) is taking some of the responsibility for protecting the system while handing some back to the user. A product that provides no hint is essentially passing the buck completely.

If you pick the wrong option, and an infection takes hold, it's all your fault. You chose your computer's destiny, now live with it. You can't blame the anti-virus software. Or can you?

Security products should not hand responsibility for detecting malicious files or system behaviour to users, unless they explicitly ask for it. Anti-virus and firewall programs often display obscure messages that are rarely helpful for normal people whose interest in heuristics or network ports is limited. And if the report on Ars Technica is accurate, responses to these messages will be random at best.

Maybe, as the report claims, "most users are idiots", but many of them are also paying customers who have entrusted the safety of their home computers to internet security software. They might treat pop-ups with contempt, but that does not mean they should themselves be held in contempt by the experts.

Let's have an end to pop-up messages that ask if a threat should be deleted or ignored. Let's stop assuming that a human can be a more effective virus-detector than a specialist computer program. And let's pass responsibility for handling virus detection back to those who know and care more about internet security than the majority of those on the internet.