Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Privacy Security Spam

Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware? 340

Posted by timothy
from the tell-them-you-made-all-of-it dept.
First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware?

Comments Filter:
  • Fake one yourself. (Score:5, Insightful)

    by jx100 (453615) on Saturday December 15, 2012 @10:16PM (#42305235)

    Log into AOL's SMTP server with telnet and make an email that looks like it's coming from your uncle. Show him how easy it is to fake, and that the "to" field is actually incredibly untrustworthy.

  • by Megahard (1053072) on Saturday December 15, 2012 @10:35PM (#42305303)
    Send a fake email from your uncle to your aunt. The more chaos you can cause, the better the lesson will sink in.
  • by Anonymous Coward on Saturday December 15, 2012 @10:36PM (#42305305)
    There's no reason whatever to think the uncle's account was hacked. None. A little knowledge is a dangerous thing.
  • by Ritchie70 (860516) on Saturday December 15, 2012 @10:44PM (#42305355) Journal

    I consider myself pretty savvy, but I've been fooled a couple times by "fake" emails harvesting login credentials when I was tired and not thinking.

    Both times I realized within minutes that I'd been had and went and changed the passwords immediately, but it's really easy to be fooled if you aren't paying attention.

  • by Rob the Bold (788862) on Saturday December 15, 2012 @10:45PM (#42305359)

    A person can ask for advice. They can act on it as they see fit. If your adult uncle ignores your advice, you are off the hook. Maybe you know what's best for him, but if he's asked you and doesn't believe you, there's nothing you can do. I know you wish you could help, but you can't. We sell computers to people who aren't IT admins with the implication that they don't need to be one in order to operate them. Sadly this isn't true, but it's beyond your duties as a nephew to try to disabuse him of this notion.

    This answer is probably less than satisfactory, but the world is an imperfect place and our ability to change that is very limited.

    Perhaps other Slashdotters have some Jedi mind tricks for you to try, but I'm not optimistic, based on personal experience.

  • by theedgeofoblivious (2474916) on Saturday December 15, 2012 @10:46PM (#42305363)

    Tell him that the "from" that shows up in emails is like the upper left corner of an envelope.

    I could write a letter, address it, and in the upper left corner write

    PRESIDENT BARACK HUSSEIN OBAMA
    1600 PENNSYLVANIA AVE. NW
    WASHINGTON, DC 20500-0003

    And you could mail the letter. And the letter might even be delivered. But that doesn't mean that the President really sent that letter. It just means that whoever sent it claimed to be someone else when they were sending it.

  • Keep it simple. (Score:5, Insightful)

    by jonadab (583620) on Saturday December 15, 2012 @10:51PM (#42305391) Homepage Journal
    Just tell him email is very easy to forge. That's it.

    You don't have to explain the technical details of exactly how it is forged, what headers are, how SMTP works, how malware mines personal data, or any of that. If he cared about the technical details, he'd read up on them, and then he wouldn't need you.

    Keep it simple: "email is very easy to forge."
  • You're done. (Score:4, Insightful)

    by Blinkin1200 (917437) on Saturday December 15, 2012 @10:58PM (#42305421)
    You did what you needed to do, you let them know they had a problem.

    You are done.

    It is not just non-tech savvy people that have this problem. My brother is, or so I thought, knowledgeable in the area of malware. One day I get a spam message sent from him, actually from his previous email address. I recognized that the message was also sent to quite a few people in his address book. After receiving a few more, I did a reply all to one of the messages, copied to his current email address and included a message that I hope you are not doing any banking or on-line shopping with that computer. His response was to send out a message to his entire address book asking people to set up their spam filters to ignore any messages from his old address.

    I tried, I'm done.

    The good news is that I now know of some juicy stocks that are going to really run up in price and three or four places where I can order some V1agra. Also, I was able to do all of my holiday shopping an a really great Russian sex toy shop. They even gift wrap! Everyone is going to be so surprised this year!

    Again, you are done, move on.
  • Forget it (Score:4, Insightful)

    by Opportunist (166417) on Saturday December 15, 2012 @11:03PM (#42305433)

    You can tell a kid a hundred times that the stove is hot, he won't believe you until he burned his hand.

    Tell him, if he chooses to ignore you, don't press on. You offered help, he declined, everything's fine. Sorry, but if ignorant people choose to reject the information they get from people who know more than them about the matter, you have to let the kid burn his hand.

  • by hidden (135234) on Saturday December 15, 2012 @11:17PM (#42305491)

    When the from and to names are people who genuinely know each other, it generally means that one or the other of them's address book has been stolen. Less frequenty, it may mean that a third party (that they both know) had their address book stolen. Subby doesn't think his address book has been stolen, so that leaves the relative as the most likely victim.

    Who we think the most likely victim is maybe be another story, but his logic seems fairly sound to me, if we accept the initial assumptions...

  • Advice (Score:5, Insightful)

    by Frankie70 (803801) on Saturday December 15, 2012 @11:45PM (#42305617)

    I think the first thing to tell your uncle is that he should get his tech advice from a more tech savvy relative who doesn't automatically assume that a forged email is done by hacking someone's account.

  • Re:Nothing (Score:5, Insightful)

    by lucm (889690) on Sunday December 16, 2012 @12:08AM (#42305685)

    This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.

    It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?

    Not anymore. Remember that story posted not so long ago?
    http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/ [thenextweb.com]

    Apple is on that list twice (QuickTime and iTunes). Adobe is there a lot. No Microsoft products.

    Feel free to bring the conspiracy/fraudulent research theories but really it's time people move on with old stuff.

  • by FatLittleMonkey (1341387) on Sunday December 16, 2012 @01:07AM (#42305853)

    This was my first thought.

    Specifically, harvested from a third party who has both the poster and his uncle's email address.

    In other words, the poster, veganboyjosh, should be looking into his other relatives. His aunt, his nan & pop, his mum & dad, etc. First to see if they are receiving spam from each others' addresses, and to try to narrow down who has been compromised. Start with the oldest relative and work your way down.

  • by Nyder (754090) on Sunday December 16, 2012 @01:39AM (#42305933) Journal

    It has nothing to do with being tech savvy, smart, or old. This is the sort of news that people do NOT like hearing. You tell them their computer is infected and they get defensive because they don't want to hear they did something wrong. Even though we know it's very easy to get infected if you aren't paying attention and there are a lot of traps out there to get you, but most people do not know that.

    And when you tell someone something they don't want to hear, what do they usually do? Yes, lash out at you in anger. Not unlike what the article person did, tried to turn it around and blame their friend.

    Back in the early 90's, there was this local person that I did a bit a computer business with, so we knew each other decently. This one time I got a disk from him, and it was infected with the Stoned virus https://en.wikipedia.org/wiki/Stoned_(computer_virus) [wikipedia.org]. Well, it took me a bit to figure out what was going on, and that i infected a few other of my boot disks in the process (it was my first virus, how we never forget out first!). When i figured it all out and told him that I got a virus from him, he wigged out and swore that he never gave me a virus and blah blah blah. I was just warning him so he could check his disks, i wasn't blaming him for anything, yet his first reaction is to deny it happened.

    You find this happens for most everything when there is a chance someone did something wrong.

  • by Orphaze (243436) on Sunday December 16, 2012 @01:58AM (#42305975) Homepage

    Your logic seems a bit off here.

    The usual scenario for hacked account spamming is as follows: Spammer takes control of account (either via phishing, malware, or more rarely social engineering) then sends spam message out to everyone on the account's contact list. It's a great way to spam since a) the people you are sending to are usually real people and b) they will be more likely to click through since the message is coming from someone they know.

    What I have not seen before is a spammer gaining control an account, getting its contact list, then sending a *single* message to that very same account from someone on that contact list. What could possibly be the point when you can do the usual trick above? Spam is a numbers game for the most part, and what you're proposing has happened seems to be one of the worst possible ways to reach as many people as possible.

    I'm not saying you're wrong, but just that it doesn't quite add up.

  • Re:Nothing (Score:5, Insightful)

    by disambiguated (1147551) on Sunday December 16, 2012 @03:28AM (#42306117)

    Even when you explain it to them, most of them are too dumb to understand it.

    If you are a programmer, you are part of the problem. The user isn't dumb, s/he just has better things to do than become a Software Engineer just to use what has become an everyday appliance. The problem here is bad design, period. Accept that and maybe we can move on.

  • by Anonymous Coward on Sunday December 16, 2012 @03:45AM (#42306155)

    "I got an instant message from an uncle the other day, asking me what was in the link I sent him."

    So he knew not to click the link, even though it was apparently from you. Uncle: 1

    "I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box."

    Massive assumption with no basis in fact. Nephew: -1

    "This was confirmed when he told me the address the link had come from."

    Confirmation bias. Nephew: -1

    "When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.'"

    A fair response. Uncle: 1

    "I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not."

    If someone calls him on the phone and pretends to be you, that doesn't mean his phone has been "hacked". Nephew: -1

    "This uncle is far from tech savvy."

    So far we have Uncle: 2 Nephew: -3

    "He's in his 60s, and uses Facebook several times a week."

    That means he can't be tech savvy? Ageism: Nephew -1. Able to use Facebook: Uncle 1

    "He knows I'm online much more and kind of know my way around."

    Apparently not, though.

    "After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him"

    He didn't click the link.

    "How do I explain this to him, and what else should I feel responsible for telling him?"

    Call him, tell him he's doing fine and he's more tech savvy than his Nephew.

  • Re:AOLOL (Score:4, Insightful)

    by flyingfsck (986395) on Sunday December 16, 2012 @03:50AM (#42306165)
    You should have use Xubuntu, then she would not have pestered you at all.
  • by maxwell demon (590494) on Sunday December 16, 2012 @05:40AM (#42306357) Journal

    It's very hard to get fooled if you always think by default "it's a fake" and only revise that opinion after having convinced yourself that the mail is legit. Then the worst thing you might do when tired is to not react on a legitimate mail.

  • Re:Nothing (Score:5, Insightful)

    by mcgrew (92797) * on Sunday December 16, 2012 @09:43AM (#42306937) Homepage Journal

    None of the ten in your list are holes in operating systems; Oracle features prominently. The question is, how many trojans and viruses are there in the wild for the various OSes?

    I'll believe MS is concerned with user security when they stop hiding extensions and stop mixing data and code.

  • by sjbe (173966) on Sunday December 16, 2012 @10:42AM (#42307145)

    People like you are the real problem.

    You mean people who recognize that others have better things to do than waste their time learning a needlessly complex device? People like you are the reason Apple and Google are worth billions and you aren't because they understand design and you pretty clearly do not.

    Computers are working tools, and manipulating a tool is something that must be learned.

    So we should make tools intentionally difficult to use? I should have to learn a programming language to adjust the temperature on my thermostat? If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. That is 100% the fault of the designer. While there is a learning curve to everything, it is a question of degrees. A tool that is unnecessarily hard to learn just because the designer could not be bothered to make it simpler is a bad tool. (and the designer of that tool is bad at design) Just because you can figure it out with sufficient effort doesn't mean it is a useful application of time and effort to do so.

    Many people seem to be strongly opposed to trying to understand how a computer works to use it, but sorry, that's just the way things work.

    So you know everything about how how an airplane works? You know enough to do all your own home repairs, no matter how complex? You know everything about engine repair and never need a mechanic? Of course you don't. Computers are tools and you can get useful work out of a tool without knowing all the details about how it works. In fact it would be a HUGE waste of money, brains and time for you to try to learn all of that.

    People not trained in the use of machine tools are not allowed to use them, it should arguably be the same thing for computers.

    I run a manufacturing company that uses machine tools. Very few of our employees know how to use even most of the features of them and yet they are able to do their jobs and do them well. They are trained on the bits that apply to their job and we try to keep those as simple as possible. They don't care about all the arcane details of the tools and they don't need to. If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. Computers are no exception.

  • Re:Nothing (Score:5, Insightful)

    by stenvar (2789879) on Sunday December 16, 2012 @12:15PM (#42307497)

    I would have said the reverse. The menu bar being at the top creates modality that makes it easy to discover which windows belonging to a given application. In the Windows/X11 world, trying to figure out which application a particular window came from can be a usability nightmare

    People don't usually care what "application" a window belongs to; the fact that you care on the Mac is a holdover from the Mac's single tasking heritage (where the entire menu bar paradigm originated). What people do care about is that the menu entry they select operates on the document they are working on, and people get confused about that relationship on the Mac.

    Or SSH or iChat/Messages screen sharing. The latter makes more sense for home use, IMO.

    SSH isn't a good option because OSX command line administration is extremely obscure. iChat is mac specific.That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.

    I went down that road; bought a Mac for my parents and a MacBook and desktop for myself. It was a lot of work. In the end, the small benefits of OS X over Windows just didn't justify the big expense and work. A couple of machine generations later, my parents are on Linux, I'm back on Windows and Linux, and we're all a lot happier.

Every successful person has had failures but repeated failure is no guarantee of eventual success.

Working...