Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware? 340
First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"
Fake one yourself. (Score:5, Insightful)
Log into AOL's SMTP server with telnet and make an email that looks like it's coming from your uncle. Show him how easy it is to fake, and that the "to" field is actually incredibly untrustworthy.
Re:Fake one yourself. (Score:5, Insightful)
Re:Uhm... No, it's just spam. (Score:2, Insightful)
Re:Did the message spoof your email address (Score:5, Insightful)
I consider myself pretty savvy, but I've been fooled a couple times by "fake" emails harvesting login credentials when I was tired and not thinking.
Both times I realized within minutes that I'd been had and went and changed the passwords immediately, but it's really easy to be fooled if you aren't paying attention.
If he asks and doesn't take your advice (Score:5, Insightful)
A person can ask for advice. They can act on it as they see fit. If your adult uncle ignores your advice, you are off the hook. Maybe you know what's best for him, but if he's asked you and doesn't believe you, there's nothing you can do. I know you wish you could help, but you can't. We sell computers to people who aren't IT admins with the implication that they don't need to be one in order to operate them. Sadly this isn't true, but it's beyond your duties as a nephew to try to disabuse him of this notion.
This answer is probably less than satisfactory, but the world is an imperfect place and our ability to change that is very limited.
Perhaps other Slashdotters have some Jedi mind tricks for you to try, but I'm not optimistic, based on personal experience.
"From" is like the upper left of an envelope. (Score:5, Insightful)
Tell him that the "from" that shows up in emails is like the upper left corner of an envelope.
I could write a letter, address it, and in the upper left corner write
And you could mail the letter. And the letter might even be delivered. But that doesn't mean that the President really sent that letter. It just means that whoever sent it claimed to be someone else when they were sending it.
Keep it simple. (Score:5, Insightful)
You don't have to explain the technical details of exactly how it is forged, what headers are, how SMTP works, how malware mines personal data, or any of that. If he cared about the technical details, he'd read up on them, and then he wouldn't need you.
Keep it simple: "email is very easy to forge."
You're done. (Score:4, Insightful)
You are done.
It is not just non-tech savvy people that have this problem. My brother is, or so I thought, knowledgeable in the area of malware. One day I get a spam message sent from him, actually from his previous email address. I recognized that the message was also sent to quite a few people in his address book. After receiving a few more, I did a reply all to one of the messages, copied to his current email address and included a message that I hope you are not doing any banking or on-line shopping with that computer. His response was to send out a message to his entire address book asking people to set up their spam filters to ignore any messages from his old address.
I tried, I'm done.
The good news is that I now know of some juicy stocks that are going to really run up in price and three or four places where I can order some V1agra. Also, I was able to do all of my holiday shopping an a really great Russian sex toy shop. They even gift wrap! Everyone is going to be so surprised this year!
Again, you are done, move on.
Forget it (Score:4, Insightful)
You can tell a kid a hundred times that the stove is hot, he won't believe you until he burned his hand.
Tell him, if he chooses to ignore you, don't press on. You offered help, he declined, everything's fine. Sorry, but if ignorant people choose to reject the information they get from people who know more than them about the matter, you have to let the kid burn his hand.
Re:Uhm... No, it's just spam. (Score:5, Insightful)
When the from and to names are people who genuinely know each other, it generally means that one or the other of them's address book has been stolen. Less frequenty, it may mean that a third party (that they both know) had their address book stolen. Subby doesn't think his address book has been stolen, so that leaves the relative as the most likely victim.
Who we think the most likely victim is maybe be another story, but his logic seems fairly sound to me, if we accept the initial assumptions...
Advice (Score:5, Insightful)
I think the first thing to tell your uncle is that he should get his tech advice from a more tech savvy relative who doesn't automatically assume that a forged email is done by hacking someone's account.
Re:Nothing (Score:5, Insightful)
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?
Not anymore. Remember that story posted not so long ago?
http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/ [thenextweb.com]
Apple is on that list twice (QuickTime and iTunes). Adobe is there a lot. No Microsoft products.
Feel free to bring the conspiracy/fraudulent research theories but really it's time people move on with old stuff.
Re:Tagged as funny, but makes a point. (Score:5, Insightful)
This was my first thought.
Specifically, harvested from a third party who has both the poster and his uncle's email address.
In other words, the poster, veganboyjosh, should be looking into his other relatives. His aunt, his nan & pop, his mum & dad, etc. First to see if they are receiving spam from each others' addresses, and to try to narrow down who has been compromised. Start with the oldest relative and work your way down.
It's a psych problem actually... (Score:5, Insightful)
It has nothing to do with being tech savvy, smart, or old. This is the sort of news that people do NOT like hearing. You tell them their computer is infected and they get defensive because they don't want to hear they did something wrong. Even though we know it's very easy to get infected if you aren't paying attention and there are a lot of traps out there to get you, but most people do not know that.
And when you tell someone something they don't want to hear, what do they usually do? Yes, lash out at you in anger. Not unlike what the article person did, tried to turn it around and blame their friend.
Back in the early 90's, there was this local person that I did a bit a computer business with, so we knew each other decently. This one time I got a disk from him, and it was infected with the Stoned virus https://en.wikipedia.org/wiki/Stoned_(computer_virus) [wikipedia.org]. Well, it took me a bit to figure out what was going on, and that i infected a few other of my boot disks in the process (it was my first virus, how we never forget out first!). When i figured it all out and told him that I got a virus from him, he wigged out and swore that he never gave me a virus and blah blah blah. I was just warning him so he could check his disks, i wasn't blaming him for anything, yet his first reaction is to deny it happened.
You find this happens for most everything when there is a chance someone did something wrong.
Your Uncle Could Be Correct (Score:5, Insightful)
Your logic seems a bit off here.
The usual scenario for hacked account spamming is as follows: Spammer takes control of account (either via phishing, malware, or more rarely social engineering) then sends spam message out to everyone on the account's contact list. It's a great way to spam since a) the people you are sending to are usually real people and b) they will be more likely to click through since the message is coming from someone they know.
What I have not seen before is a spammer gaining control an account, getting its contact list, then sending a *single* message to that very same account from someone on that contact list. What could possibly be the point when you can do the usual trick above? Spam is a numbers game for the most part, and what you're proposing has happened seems to be one of the worst possible ways to reach as many people as possible.
I'm not saying you're wrong, but just that it doesn't quite add up.
Re:Nothing (Score:5, Insightful)
Even when you explain it to them, most of them are too dumb to understand it.
If you are a programmer, you are part of the problem. The user isn't dumb, s/he just has better things to do than become a Software Engineer just to use what has become an everyday appliance. The problem here is bad design, period. Accept that and maybe we can move on.
Uncle is *not* "far from tech savvy" (Score:2, Insightful)
"I got an instant message from an uncle the other day, asking me what was in the link I sent him."
So he knew not to click the link, even though it was apparently from you. Uncle: 1
"I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box."
Massive assumption with no basis in fact. Nephew: -1
"This was confirmed when he told me the address the link had come from."
Confirmation bias. Nephew: -1
"When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.'"
A fair response. Uncle: 1
"I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not."
If someone calls him on the phone and pretends to be you, that doesn't mean his phone has been "hacked". Nephew: -1
"This uncle is far from tech savvy."
So far we have Uncle: 2 Nephew: -3
"He's in his 60s, and uses Facebook several times a week."
That means he can't be tech savvy? Ageism: Nephew -1. Able to use Facebook: Uncle 1
"He knows I'm online much more and kind of know my way around."
Apparently not, though.
"After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him"
He didn't click the link.
"How do I explain this to him, and what else should I feel responsible for telling him?"
Call him, tell him he's doing fine and he's more tech savvy than his Nephew.
Re:AOLOL (Score:4, Insightful)
Re:Did the message spoof your email address (Score:3, Insightful)
It's very hard to get fooled if you always think by default "it's a fake" and only revise that opinion after having convinced yourself that the mail is legit. Then the worst thing you might do when tired is to not react on a legitimate mail.
Re:Nothing (Score:5, Insightful)
None of the ten in your list are holes in operating systems; Oracle features prominently. The question is, how many trojans and viruses are there in the wild for the various OSes?
I'll believe MS is concerned with user security when they stop hiding extensions and stop mixing data and code.
Needlessly complex tools (Score:4, Insightful)
People like you are the real problem.
You mean people who recognize that others have better things to do than waste their time learning a needlessly complex device? People like you are the reason Apple and Google are worth billions and you aren't because they understand design and you pretty clearly do not.
Computers are working tools, and manipulating a tool is something that must be learned.
So we should make tools intentionally difficult to use? I should have to learn a programming language to adjust the temperature on my thermostat? If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. That is 100% the fault of the designer. While there is a learning curve to everything, it is a question of degrees. A tool that is unnecessarily hard to learn just because the designer could not be bothered to make it simpler is a bad tool. (and the designer of that tool is bad at design) Just because you can figure it out with sufficient effort doesn't mean it is a useful application of time and effort to do so.
Many people seem to be strongly opposed to trying to understand how a computer works to use it, but sorry, that's just the way things work.
So you know everything about how how an airplane works? You know enough to do all your own home repairs, no matter how complex? You know everything about engine repair and never need a mechanic? Of course you don't. Computers are tools and you can get useful work out of a tool without knowing all the details about how it works. In fact it would be a HUGE waste of money, brains and time for you to try to learn all of that.
People not trained in the use of machine tools are not allowed to use them, it should arguably be the same thing for computers.
I run a manufacturing company that uses machine tools. Very few of our employees know how to use even most of the features of them and yet they are able to do their jobs and do them well. They are trained on the bits that apply to their job and we try to keep those as simple as possible. They don't care about all the arcane details of the tools and they don't need to. If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. Computers are no exception.
Re:Nothing (Score:5, Insightful)
People don't usually care what "application" a window belongs to; the fact that you care on the Mac is a holdover from the Mac's single tasking heritage (where the entire menu bar paradigm originated). What people do care about is that the menu entry they select operates on the document they are working on, and people get confused about that relationship on the Mac.
SSH isn't a good option because OSX command line administration is extremely obscure. iChat is mac specific.That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.
I went down that road; bought a Mac for my parents and a MacBook and desktop for myself. It was a lot of work. In the end, the small benefits of OS X over Windows just didn't justify the big expense and work. A couple of machine generations later, my parents are on Linux, I'm back on Windows and Linux, and we're all a lot happier.