Thinking Different II
You probably know the current situation in one way or another:
You see the computer of a friend (or just someone you know) that is not up to date (usually so out of date that you can tell just by looking at the interface), and when you give them a “tip” to update their Windows XP, they answer, “I saw the new interface in Windows XP SP2, and I didn’t like it one bit”.
Let’s keep this example on Windows for now, because it’s what the majority of users run these days.
Then when you attempt to say something like “but Microsoft fixed a lot of security vulnerabilities”, you either get a response such as “nothing will happen to me” or you lose the conversation, and that’s what I’m going to talk about in this blog entry.
I do not like the idea that an OS is bound to its GUI, because the vendor teaches common users that the GUI is the only thing that is really important. That’s true, by the way, for many other OSes and not just for Microsoft (Mac anyone? Maybe you still use BeOS, OS/2 or even KDE/Gnome based Linux?).
The reason for that is simple. In WYSIWYG environments, you do not really know what you are getting… well, you never do know what you get, but in a GUI, people expect GUI updates. They do not accept that there can be other types of fixes, and they do not understand the importance of these updates.
The scariest part here is that most of them do not think that they will be vulnerable, although they do keep an antivirus (usually not 100% up to date) and they understand that there is spyware someplace that can hurt them, among other issues. But still, “If I cannot see what was changed, why should I update?” is the more naive response, or “but nothing will happen to me, I’m behind firewall/antivirus/router/Other”.
In order to convince these people, I think that we should use exploits that present the user with a GUI notification that they are vulnerable, like an “xmessage” with current user privileges (or using xhost to gain the option of running under X) on X-based OSes, or just a popup dialog that cannot be closed, or that will appear at “random”.
Or just crashing programs and leaving a message in a text file on the desktop saying “upgrade me” or something similar.
Regardless of April Fools’ Day, when it might be funny to see users suffer, they will also see that they are vulnerable, and be motivated to find a way to fix this problem.
Now all we should do is convince vendors to add this type of feature, instead of black hats breaking into users’ computers and doing whatever they want.