Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That

from the nothing-to-hide,-or-too-stupid-to-computer? dept

There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.

The researchers from the Carnegie Mellon University CyLab who carried out this work tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

Even though a participant’s machine would give them a pop-up warning when they started the download, telling them that this application wanted higher-level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.

With more than 1,700 downloads, the application was run about 960 times, meaning that just over half of participants fell for the ruse. Alarm bells should have rung, but they were apparently not heeded.

The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than that it would pay them for their processing power, but they didn’t seem to mind.

The ethics of this research are certainly potentially dubious. Individuals were lured into downloading this application for a seemingly good cause and we know nothing of their financial circumstances. It’s a scenario that many of us can recognise in one way or another, though. We may not get a financial reward for downloading applications, but how often do we click away warnings so we can get an app that offers us some other incentive, such as access to free music or movies?

Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.

It is an old adage, but it is still very important to remember – if it looks too good to be true, it probably is. Do not install any application without checking if the source is reputable. Free is often good, but free on the internet comes with many risks. This is particularly true for sites offering access to illegal movies or adult content.

Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.

Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?

This all may seem tedious, but it pays to be cautious. Recent incidents have taught us that there are plenty of people out there who will take advantage of anyone who hasn’t protected themselves properly. Whether this research shows that we just can’t be bothered to read the pop-up warnings our computers send us when we click and install, or whether it shows that we are even more willing to compromise our security in the name of a quick buck, it should make us think twice about how blindly we click. Just as any character in literary history will tell you, selling your soul rarely turns out to be a good deal.

Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organization that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.

Comments on “Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That”

Rikuo (profile) says:

Re: Re:

Precisely that. In fact, I would have dug out an old physical machine I don’t give a crap about and let the code run on that (but only after verifying that the people would actually pay). There’s nothing in this article that specifies that I have to run it on my high end gaming rig. I would have configured my router to only let a minimal level of traffic from the computer reach the open internet, so as to protect against the possibility of the machine being used for a DDOS.

mcinsand (profile) says:

now this is what I call a biased study!

Semiserious here, in that the people that conducted the study not only had their thumb on the scales, but the rest of their fingers, their fists, and their donkeys.

You can’t get a meaningful read on a group’s willingness to undermine their own security when the group chosen has clearly demonstrated a lack of interest or intelligence with respect to security. Pick another operating system… **ANY** operating system besides Windows… and then rerun the study get some meaningful data.

Rich Kulawiec (profile) says:

Re: now this is what I call a biased study!

We could (and have) (and probably will) debate the merits of this study in an academic sense. And that’s fine.

But as a real-world case study, it’s spot-on, because it squarely targets point #5 here:

The Six Dumbest Ideas in Computer Security

By the way, Ranum’s editorial/essay/rant is the most brilliant thing I’ve ever read on the subject of security, and I’ve read a lot over a very long time. An extremely good algorithm for site security is:

1. Read that essay.
2. Figure out which of these dumb ideas you’re doing.
3. Try to correct them.
4. Return to step 1.

Anonymous Coward says:

Re: Re: now this is what I call a biased study!

Six damn good points in that essay. Although I would hope in the nine years since it was written, mjr has learned

The Two Dumbest Ideas in Tech Writing:

1. Half-hearted attempts at humor are sufficient to disguise an underlying tone of sneering condescension.

2. Nobody has ever ignored a good idea just because of an inelegant presentation.

PaulT (profile) says:

Re: now this is what I call a biased study!

“Pick another operating system… ANY operating system besides Windows… and then rerun the study get some meaningful data.”

So, your definition of a meaningful study into the security habits of general public is to pick an operating system not used by a majority of the general public? Then, you’d base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security? Think about that, and how much bias there would be there!

There’s a number of flaws I can spot here, ranging from the venue chosen to the fact that it did not completely account for the use of UAC and some other factors that came immediately to mind. But, the OS chosen isn’t really a problem, given the type of user it was meant to study.

Chronno S. Trigger (profile) says:

Re: Re: now this is what I call a biased study!

“Then, you’d base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security?”

Judging from my experience with the “average” Linux user, the results would be about the same. I know far too many people who use Linux that are far less secure than they realize. They think they’re L33T, but they’re not.

This is not to slam Linux or its higher end users, but just like any operating system, it’s only as secure as its end user. Windows in the right hands can be far more secure than Linux in the wrong hands.

PaulT (profile) says:

Re: Re: Re: now this is what I call a biased study!

Oh sure, if you don’t know what you’re really doing, you’re not secure, whichever OS you choose. This is true no matter the OS. It’s also true that newer versions of Windows are much more secure out of the box than they used to be, but the user’s actions really determine its status.

But, chances are that a person who really hasn’t got a clue will be using Windows. The old saying that a little knowledge is more dangerous than no knowledge holds true, but the truly clueless still gravitate toward Microsoft in my experience.

Anonymous Coward says:

Implicit trust

they were told that it was for an academic study

People will trust a school asking people to be part of paid research. They would trust the school to be running a computational study and wouldn’t consider it to be a psychology experiment.

Try the experiment again, but instead advertise on classifieds (ie craigslist) and make no reference to academia. It still pays better than bitcoins on an old rig, so you might get some takers but I’d bet it’d be much less than 20% of the page views.

Jens says:

Re: Implicit trust


I think the experiment was doomed the moment the user had their trust biased with “academic” association, however from the original paper:

In September of 2010, we created a Mechanical Turk task offering workers the
opportunity to “get paid to do nothing.” Only after accepting our task did participants
see a detailed description: they would be participating in a research study on the “CMU
Distributed Computing Project,” a fictitious project that we created. As part of this, we
instructed participants to download a program and run it for an hour (Figure 1). We did
not say what the application did. After an hour elapsed, the program displayed a code,
which participants could submit to Mechanical Turk in order to claim their payment.

Because this study involved human subjects, we required Institutional Review Board
(IRB) approval. We could have received a waiver of consent so that we would not be required
to inform participants that they were participating in a research study. However,
we were curious if – due to the pervasiveness of research tasks on Mechanical Turk –
telling participants that this was indeed a research task would be an effective recruitment
strategy. Thus, all participants were required to click through a consent form. Beyond
the consent form, there was no evidence that they were participating in a research study;
all data collection and downloads came from a third-party privately-registered domain,
and the task was posted from a personal Mechanical Turk account not linked to an institutional
address. No mention of the “CMU Distributed Computing Project” appeared
on any CMU websites. Thus, it was completely possible that an adversary had posted
a task to trick users into downloading malware under the guise of participating in a research
study, using a generic consent form and fictitious project names in furtherance
of the ruse.

Anonymous Coward says:

Re: Trust

ha ha ha… most people do NOT trust their fellow humans. Proven the world and history over, most people just cannot be trusted. Do you trust Bush? How about Obama?

You Trust your Bank right? How about your Doctor? How much would you trust them if they had no legal reason to protect your private info?

Yea, think about it some… we develop relationships as a mechanism to encourage trust to WORK out, not because we actually trust. And that same mechanism of relationship is used to punish those betraying that trust!

Chronno S. Trigger (profile) says:

Re: Re: $87.60 per year

Your electric bill would be over $720 a month? I run a higher end PC as a file server, it never shuts down. My electric bill never got over $120 a month.

A dollar an hour to rent my processor power? I’d be tempted to take it. I’ve got enough horse power, I can run another VMWare slice in NAT with a nice firewall. Eh, who am I kidding, I’d take it.

Michael (profile) says:

Re: Re: Re: $87.60 per year

I’m pretty sure he was joking and also probably referring to the $87.60 per year.

$1 per hour is something I would take. I have plenty of capacity to run more VM’s on my network, so my setup cost would be zero. Frankly, if I could find someone that would give me $1 per hour and not notice that I was running a couple dozen, I could retire.

Gracey (profile) says:

[And when participants were offered $1 per hour, that figure rose to 43%.]

Nope, not even for $1 an hour.

Maybe, (just maybe) if they offered more like $10/hr, I’d set up my old desktop with nothing but the OS on it and set it up there, making sure my other computers blocked all access to that one.

Cause, well … why not? Nothing on the computer but a bare OS and no personal information. Hook up my old wired router to our old (still active internet service) and let them have their fun while I pocket a little free change.

But not for any amount of money would I install something like that on any current system I’m using.

Anonymous Coward says:

Time and again, over and over, it has been proven it is the end user that is the weak link. Poor password security, poor password selection, poor judgement on what to click or not click; nothing in this study really goes to show this is where the main core problem is.

It really doesn’t matter what OS you run. Fanboi or not of whatever your choice OS is, there is malware out there for you. Some time ago, there was an article on a malware that would serve your version compatible with your OS and would distinguish which you had before downloading it to you. Apple has gone over the 10% usage boundary making it a target for malware, Linux is right behind it.

As many have made mention of, this is a poorly thought out study. It assumes that running something for a student to assist them in school should be a flag. I wonder if they have thought this through to the next logical step where once burned, no one will be willing to help scholastically. They’ve set it up to damage that trust that many have. It’s akin to the infringement people that are constantly shooting themselves in their own foot.

John Fenderson (profile) says:

Re: Re:

“it is the end user that is the weak link.”

A million times this. The main purpose of most consumer antimalware software is really to protect the computer from the user making stupid decisions. Unfortunately, it’s impossible to completely protect a computer against stupidity.

I know a lot of computer professionals who have never run antimalware software on their machines, but have never had any sort of intrusion. They do this through rigorous safe computing practices.

Rich Kulawiec (profile) says:

Re: Re: Re:

And that is why I advise everyone who runs a computing operation to start with the presumption that their users are lazy, careless, ignorant, hasty, gullible, naive, sporadically insane and sometimes outright hostile…and defend accordingly.

Almost nobody takes that advice.

The consequences of that unfortunate decision are predictable and plentiful.

Michael (profile) says:

Re: Re:

once burned, no one will be willing to help scholastically

First, you assume dumb people learn from their mistakes. Second, you assume that we will somehow eventually run out of dumb people.

22% of people fell for this at 1 cent per hour. Multiply the population of the world – or even the US by 22% and you have a rather large sucker pool to hit up.

Anonymous Coward says:

While I don’t necessarily disagree with the general conclusions of the study (people are naive about the software they install), the methodology is iffy at best. For one thing, Mechanical Turk is a terrible place to find a research study sample. And, like many other commenters have pointed out, there’s no way the researchers could know that their “subjects” were running the software on their own computers, instead of a VM, internet cafe, etc.
