

The Perils of FUI: Fake User Interface - bdfh42
http://www.codinghorror.com/blog/archives/001164.html

======
captain-m
It always makes me smile when I get one of these on my Arch box. Especially
when it claims to have found a critical virus in C:\Program Files\\....

------
swombat
Well, how about not allowing browser windows to maximise and minimise
themselves in such a way?

------
wmf
BTW, I think this is called the trusted path problem.

------
trezor
I know I'm probably preaching to the choir, but I think the main problem with
spyware, malware and viruses today is that it is treated mainly as a
technological problem, not a social one.

People are simply not capable or willing to get knowledgeable enough about
computers to know what is normal computer-behaviour, and hence are unable to
detect when things out of the ordinary happens. Like the Fake UIs in the
article.

The result is people always pressing "Yes", "Ok" and similar when confronted
with a choice. _This_ is the problem. No technological means can stop an
attack based on this vector: people willingly opening up their machine.

Selling people anti-spyware and AV-software and telling them that it will keep
them safe is fraud at best.

~~~
stcredzero
Agreed. Any security based on users being knowledgeable about something is
doomed to fail. There are those who comment on this site that insist that SSL
certs are fine as they are, but that's really wishful thinking. It's just not
realistic to expect that all users, or even all programmers, understand the
semantics of a man in the middle attack. (There have been lots of posters here
who wish that self-signed certs would just go through without any user
notification!)

But I disagree in one sense: "No technological means can stop an attack based
on this vector: people willingly opening up their machine" in an absolute
sense is true. But greatly increased compartmentalization can greatly curtail
the damage. Right now, opening up your machine instantly gives the attacker
the keys to everything. If systems used something like capabilities, then it
would be more like. "Okay, first it asked to install software. Now it's asking
for more disk access. Now it wants my contact information...maybe something is
up here?"

Perhaps malware can be reduced to the level of SPAM today -- something that's
only still a real problem to the most clueless and gullible fraction of the
populace.

------
pavelludiq
I learned by myself to ignore those when i was 14. I didn't have any scanners
or anti-virus software installed, so it was easy to figure out that these were
fake. Jeff Atwood is probably smart enough to realize that by choosing to use
windows, he is dooming himself to the death by a thousand pop-ups.

~~~
nuclear_eclipse
I think you give Jeff Atwood too much credit...

