Would You Compromise Your Computer For One Cent An Hour? New Study Says Many Are Happy To Do Exactly That

from the nothing-to-hide,-or-too-stupid-to-computer? dept

There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.

The researchers from the Carnegie Mellon University CyLab who carried out this work tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

Even though a participant's machine would give them a pop-up warning when they started the download, telling them that this application wanted higher-level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.

With more than 1,700 downloads, the application was run about 960 times, meaning that just over half of participants fell for the ruse. Alarm bells should have rung, but they were apparently not heeded.

The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than that it would pay them for their processing power, but they didn't seem to mind.

The ethics of this research are certainly potentially dubious. Individuals were lured into downloading this application for a seemingly good cause and we know nothing of their financial circumstances. It's a scenario that many of us can recognise in one way or another, though. We may not get a financial reward for downloading applications, but how often do we click away warnings so we can get an app that offers us some other incentive, such as access to free music or movies?

Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.

It is an old adage, but it is still very important to remember – if it looks too good to be true, it probably is. Do not install any application without checking if the source is reputable. Free is often good, but free on the internet comes with many risks. This is particularly true for sites offering access to illegal movies or adult content.

Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.

Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?

This all may seem tedious, but it pays to be cautious. Recent incidents have taught us that there are plenty of people out there who will take advantage of anyone who hasn't protected themselves properly. Whether this research shows that we just can't be bothered to read the pop-up warnings our computers send us when we click and install or whether it shows that we are even more willing to compromise our security in the name of a quick buck, it should make us think twice about how blindly we click. Just as any character in literary history will tell you, selling your soul rarely turns out to be a good deal.


Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organization that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


Reader Comments

  1.  
    Violynne (profile), Jun 26th, 2014 @ 4:32am

    But what if that malware is Windows 8.1?

    *chuckles

     

  2.
    Rabbit80 (profile), Jun 26th, 2014 @ 4:50am

    Can I still participate? I have a spare VM just waiting to make me money!

     

  3.
    Rikuo (profile), Jun 26th, 2014 @ 5:39am

    Re:

    Precisely that. In fact, I would have dug out an old physical machine I don't give a crap about and let the code run on that (but only after verifying that the people would actually pay). There's nothing in this article that specifies that I have to run it on my high end gaming rig. I would have configured my router to only let a minimal level of traffic from the computer reach the open internet, so as to protect against the possibility of the machine being used for a DDOS.

     

  4.
    BeanDad, Jun 26th, 2014 @ 6:36am

    Many have done that for much less.

    See Seti@home

     

  5.
    mcinsand, Jun 26th, 2014 @ 6:37am

    now this is what I call a biased study!

    Semiserious here, in that the people that conducted the study not only had their thumb on the scales, but the rest of their fingers, their fists, and their donkeys.

    You can't get a meaningful read on a group's willingness to undermine their own security when the group chosen has clearly demonstrated a lack of interest or intelligence with respect to security. Pick another operating system... **ANY** operating system besides Windows... and then rerun the study get some meaningful data.

     

  6.
    Anonymous Coward, Jun 26th, 2014 @ 6:45am

    Implicit trust

    they were told that it was for an academic study

    People will trust a school asking people to be part of paid research. They would trust the school to be running a computational study and wouldn't consider it to be a psychology experiment.

    Try the experiment again, but instead advertise on classifieds (ie craigslist) and make no reference to academia. It still pays better than bitcoins on an old rig, so you might get some takers but I'd bet it'd be much less than 20% of the page views.

     

  7.
    PaulT (profile), Jun 26th, 2014 @ 6:46am

    "Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware."

    If they didn't know this already, they *really* haven't been paying attention.

     

  8.
    Anonymous Coward, Jun 26th, 2014 @ 6:46am

    Trust

    Most people trust their fellow humans. Malware peddlers exploit that.

     

  9.
    Anonymous Coward, Jun 26th, 2014 @ 6:51am

    You forgot a few questions. Is my anti-malware/anti-virus white-listing state-sponsored malware? Has my download from an otherwise trusted source been altered on the fly by a man-in-the-middle attack?

     

  10.
    Anonymous Coward, Jun 26th, 2014 @ 6:53am

    $87.60 per year

    does not seem worth it...

    How about AT LEAST $1 per hour and we can discuss.

     

  11.
    Anonymous Coward, Jun 26th, 2014 @ 6:58am

    Re: Trust

    ha ha ha... most people do NOT trust their fellow humans. Proven the world and history over, most people just cannot be trusted. Do you trust Bush? How about Obama?

    You Trust your Bank right? How about your Doctor? How much would you trust them if they had no legal reason to protect your private info?

    Yea, think about it some... we develop relationships as a mechanism to encourage trust to WORK out, not because we actually trust. And that same mechanism of relationship is used to punish those betraying that trust!

     

  12.
    Gracey (profile), Jun 26th, 2014 @ 7:08am

    [And when participants were offered $1 per hour, that figure rose to 43%.]

    Nope, not even for $1 an hour.

    Maybe, (just maybe) if they offered more like $10/hr, I'd set up my old desktop with nothing but the OS on it and set it up there, making sure my other computers blocked all access to that one.

    Cause, well ... why not? Nothing on the computer but a bare OS and no personal information. Hook up my old wired router to our old (still active internet service) and let them have their fun while I pocket a little free change.

    But not for any amount of money would I install something like that on any current system I'm using.

     

  13.
    Rich Kulawiec, Jun 26th, 2014 @ 7:12am

    Re: now this is what I call a biased study!

    We could (and have) (and probably will) debate the merits of this study in an academic sense. And that's fine.

    But as a real-world case study, it's spot-on, because it squarely targets point #5 here:

    The Six Dumbest Ideas in Computer Security

    By the way, Ranum's editorial/essay/rant is the most brilliant thing I've ever read on the subject of security, and I've read a lot over a very long time. An extremely good algorithm for site security is:

    1. Read that essay.
    2. Figure out which of these dumb ideas you're doing.
    3. Try to correct them.
    4. Return to step 1.

     

  14.
    Anonymous Coward, Jun 26th, 2014 @ 7:27am

    Far too stupid to computer. They can have access to a VM for 1¢ an hour.

     

  15.
    Anonymous Coward, Jun 26th, 2014 @ 7:32am

    Re:

    Windows 8.1 isn't malware. It's too dumb for that.

     

  16.
    PaulT (profile), Jun 26th, 2014 @ 7:39am

    Re: now this is what I call a biased study!

    "Pick another operating system... **ANY** operating system besides Windows... and then rerun the study get some meaningful data."

    So, your definition of a meaningful study into the security habits of general public is to pick an operating system not used by a majority of the general public? Then, you'd base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security? Think about that, and how much bias there would be there!

    There's a number of flaws I can spot here, ranging from the venue chosen to the fact that it did not completely account for the use of UAC and some other factors that came immediately to mind. But, the OS chosen isn't really a problem, given the type of user it was meant to study.

     

  17.
    Michael, Jun 26th, 2014 @ 7:40am

    I would add my 2 cents to this discussion, but they still have not sent me my check.

     

  18.
    Anonymous Coward, Jun 26th, 2014 @ 8:00am

    and this, my friend, is why America has stupid and/or corrupt politicians. Because we have stupid voters.

     

  19.
    Rekrul, Jun 26th, 2014 @ 8:10am

    So did they actually pay the people who ran the program?

     

  20.
    Michael, Jun 26th, 2014 @ 8:26am

    Re:

    After they sucked all of the money out of the bank accounts of the participants, they had plenty to send out checks.

     

  21.
    Call me Al, Jun 26th, 2014 @ 8:32am

    Re: $87.60 per year

    Chances are my electricity bill would be higher than that if my computer was running 24/7.

     

  22.
    Chronno S. Trigger (profile), Jun 26th, 2014 @ 8:39am

    Re: Re: now this is what I call a biased study!

    "Then, you'd base your results on the actions of those people who self-selected those OSes due to their higher knowledge and concern about security?"

    Judging from my experience with the "average" Linux user, the results would be about the same. I know far too many people who use Linux that are far less secure than they realize. They think they're L33T, but they're not.

    This is not to slam Linux or its higher end users, but just like any operating system, it's only as secure as its end user. Windows in the right hands can be far more secure than Linux in the wrong hands.

     

  23.
    Chronno S. Trigger (profile), Jun 26th, 2014 @ 8:46am

    Re: Re: $87.60 per year

    Your electric bill would be over $720 a month? I run a higher end PC as a file server, it never shuts down. My electric bill never got over $120 a month.

    A dollar an hour to rent my processor power? I'd be tempted to take it. I've got enough horse power, I can run another VMWare slice in NAT with a nice firewall. Eh, who am I kidding, I'd take it.

     

  24.
    jo (profile), Jun 26th, 2014 @ 8:51am

    Yes. I received an email from my local Post Office telling they had a package for me but it was too big to deliver to my PO Box. The email had a Please print this label and bring it with you. Oh sure. One I know how the locals work and 2 Norton didn't like it at all.

     

  25.
    Anonymous Coward, Jun 26th, 2014 @ 9:06am

    Time and again, over and over, it has been proven it is the end user that is the weak link. Poor password security, poor password selection, poor judgement on what to click or not click; nothing in this study really goes to show this is where the main core problem is.

    It really doesn't matter what OS you run. Fanboi or not of whatever your choice OS is, there is malware out there for you. Some time ago, there was an article on a malware that would serve your version compatible with your OS and would distinguish which you had before downloading it to you. Apple has gone over the 10% usage boundary making it a target for malware, Linux is right behind it.

    As many have made mention of, this is a poorly thought out study. It assumes that running something for a student to assist them in school should be a flag. I wonder if they have thought this through to the next logical step where once burned, no one will be willing to help scholastically. They've set it up to damage that trust that many have. It's akin to the infringement people that are constantly shooting themselves in their own foot.

     

  26.
    Anonymous Coward, Jun 26th, 2014 @ 9:22am

    Re: Re: Re: now this is what I call a biased study!

    ^ This. A million times this.

    I'm in the IT field and I can confirm with 99% certainty that the biggest security threat is the end user.

     

  27.
    John Fenderson (profile), Jun 26th, 2014 @ 9:26am

    Re:

    "it is the end user that is the weak link."

    A million times this. The main purpose of most consumer antimalware software is really to protect the computer from the user making stupid decisions. Unfortunately, it's impossible to completely protect a computer against stupidity.

    I know a lot of computer professionals who have never run antimalware software on their machines, but have never had any sort of intrusion. They do this through rigorous safe computing practices.

     

  28.
    Anonymous Coward, Jun 26th, 2014 @ 9:26am

    Re: Re:

    That, along with the fact that I can spin up a ridiculous number of VMs running linux and Wine means I could be making as much as a couple of dollars per day.

     

  29.
    Michael, Jun 26th, 2014 @ 9:58am

    Re: Re: Re: Re: now this is what I call a biased study!

    Actually, it is 72% end user, 21% the NSA, and 11% bad statistics.

     

  30.
    Michael, Jun 26th, 2014 @ 10:01am

    Re: Implicit trust

    People will trust a school asking people to be part of paid research

    Good tip - for all of you running phishing operations, make sure to refer to yourselves as "school researchers" rather than "wealth re-locators" or "shady companies".

     

  31.
    Michael, Jun 26th, 2014 @ 10:02am

    Re:

    Crooks don't know that they shouldn't leave their Facebook account logged in when they leave the scene of a burglary.

     

  32.
    Jens, Jun 26th, 2014 @ 10:05am

    Re: Implicit trust

    +999
    this...

    I think the experiment was doomed the moment the user had their trust biased with "academic" association, however from the original paper:


    In September of 2010, we created a Mechanical Turk task offering workers the
    opportunity to “get paid to do nothing.” Only after accepting our task did participants
    see a detailed description: they would be participating in a research study on the “CMU
    Distributed Computing Project,” a fictitious project that we created. As part of this, we
    instructed participants to download a program and run it for an hour (Figure 1). We did
    not say what the application did. After an hour elapsed, the program displayed a code,
    which participants could submit to Mechanical Turk in order to claim their payment.

    Because this study involved human subjects, we required Institutional Review Board
    (IRB) approval. We could have received a waiver of consent so that we would not be required
    to inform participants that they were participating in a research study. However,
    we were curious if—due to the pervasiveness of research tasks on Mechanical Turk—
    telling participants that this was indeed a research task would be an effective recruitment
    strategy. Thus, all participants were required to click through a consent form. Beyond
    the consent form, there was no evidence that they were participating in a research study;
    all data collection and downloads came from a third-party privately-registered domain,
    and the task was posted from a personal Mechanical Turk account not linked to an institutional
    address. No mention of the “CMU Distributed Computing Project” appeared
    on any CMU websites. Thus, it was completely possible that an adversary had posted
    a task to trick users into downloading malware under the guise of participating in a research
    study, using a generic consent form and fictitious project names in furtherance
    of the ruse.

     

  33.
    Michael, Jun 26th, 2014 @ 10:06am

    Re: Re: Re: $87.60 per year

    I'm pretty sure he was joking and also probably referring to the $87.60 per year.

    $1 per hour is something I would take. I have plenty of capacity to run more VM's on my network, so my setup cost would be zero. Frankly, if I could find someone that would give me $1 per hour and not notice that I was running a couple dozen, I could retire.

     

  34.
    Michael, Jun 26th, 2014 @ 10:13am

    Re:

    once burned, no one will be willing to help scholastically

    First, you assume dumb people learn from their mistakes. Second, you assume that we will somehow eventually run out of dumb people.

    22% of people fell for this at 1 cent per hour. Multiply the population of the world - or even the US by 22% and you have a rather large sucker pool to hit up.

     

  35.
    Rich Kulawiec, Jun 26th, 2014 @ 10:17am

    Re: Re:

    And that is why I advise everyone who runs a computing operation to start with the presumption that their users are lazy, careless, ignorant, hasty, gullible, naive, sporadically insane and sometimes outright hostile...and defend accordingly.

    Almost nobody takes that advice.

    The consequences of that unfortunate decision are predictable and plentiful.

     

  36.
    Mason Wheeler (profile), Jun 26th, 2014 @ 10:24am

    Re:

    Windows 8.1 doesn't pay you to run it.

     

  37.
    Anonymous Coward, Jun 26th, 2014 @ 1:46pm

    While I don't necessarily disagree with the general conclusions of the study (people are naive about the software they install), the methodology is iffy at best. For one thing, Mechanical Turk is a terrible place to find a research study sample. And, like many other commenters have pointed out, there's no way the researchers could know that their "subjects" were running the software on their own computers, instead of a VM, internet cafe, etc.

     

  38.
    Anonymous Coward, Jun 26th, 2014 @ 3:31pm

    You forgot the most important advice. Switch to GNU/Linux!

    "In fact, Dye told WSJ that he estimates traditional antivirus detects a mere 45 percent of all attacks."

    http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html

     

  39.
    Rob (profile), Jun 26th, 2014 @ 4:41pm

    Re: Re:

    Wow, all that for .01/hour, at least when the check arrives you can put it towards your electric bill.

     

  40.
    Anonymous Coward, Jun 26th, 2014 @ 11:51pm

    Re: Re: now this is what I call a biased study!

    Six damn good points in that essay. Although I would hope in the nine years since it was written, mjr has learned

    The Two Dumbest Ideas in Tech Writing:

    1. Half-hearted attempts at humor are sufficient to disguise an underlying tone of sneering condescension.

    2. Nobody has ever ignored a good idea just because of an inelegant presentation.

     

  41.
    PaulT (profile), Jun 27th, 2014 @ 2:16am

    Re: Re: Re: now this is what I call a biased study!

    Oh sure, if you don't know what you're really doing, you're not secure, whichever OS you choose. This is true no matter the OS. It's also true that newer versions of Windows are much more secure out of the box than they used to be, but the user's actions really determine its status.

    But, chances are that a person who really hasn't got a clue will be using Windows. The old saying that a little knowledge is more dangerous than no knowledge holds true, but the truly clueless still gravitate toward Microsoft in my experience.

     

  42.
    KoD (profile), Jun 27th, 2014 @ 6:23am

    So all I need to safely make an extra $1/hr is a VM?

     

  43.
    R.H. (profile), Jun 27th, 2014 @ 10:09am

    Re:

    I came into the comments section to say this. I have three old systems here with no personal information on them (two don't even have OS'es installed right now) and I'd gladly join in this 'study'. Hell, I may even fire up the VM that I use to test shady executables and run it on my main machine.

     

  44.
    John Fenderson (profile), Jun 27th, 2014 @ 10:34am

    Re: Re:

    " I may even fire up the VM that I use to test shady executables and run it on my main machine."

    Be careful about doing this: there exists malware that can break out of the VM and infect the actual machine.

     
