Your hard drive will be deleted in 4m 26s, to stop please call....
November 1, 2017 10:20 PM   Subscribe

A Large-Scale Analysis of Technical Support Scams.

"One of the more creative techniques was the use of verbose command-line utilities as fake virus scanners. "40% of the scammers utilized a command such as "dir /s" which lists files and folders present on a specific path of the filesystem. While the program is producing output, the scammer types or copy-pastes text in the command-line window, that will only appear after the program is done executing. As such, at the end of the program's execution, the user suddenly sees text that claims that a virus has been discovered which he is likely to attribute to the "scanning" program that was just executing. This technique is likely one of the most convincing ones because i) it does not need interpretation (common messages used were "Virus detected" and "System at Risk") and ii) as far as the user is concerned, it is his own operating system that produces this message, rather than a downloaded third-party tool."

"In general, scammers exhibited a kind demeanor. They would patiently guide us through the steps for downloading their remote administration tool, giving us step-by-step instructions for the entire process. They would take no computer knowledge for granted, even to the point of explaining us that the Windows key is the one that “looks like a flag”, between the Ctrl-key and the Alt-key on the bottom left of our keyboard. More than one scammer, after having explained to us that we are infected with malware, would open up Wikipedia pages trying to educate us of the meaning of words, such as, “trojan” and “koobface.”"
posted by storybored (33 comments total) 24 users marked this as a favorite
 
Is this available not as a pdf? Or is this a post about scams with a title warning "your hard drive will be deleted" that then immediately asks you to download some file from the internet?
posted by ActingTheGoat at 10:31 PM on November 1, 2017 [4 favorites]


I suppose you could ask your reference librarian for a hardcopy of Proceedings of the 24th Network and Distributed System Security Symposium (NDSS), 2017.
posted by pwnguin at 10:52 PM on November 1, 2017 [3 favorites]


Every time I see an article about this sort of scam linked somewhere I wonder if that's going to be the article that happens to be an attack vector in and of itself. Paranoia!
posted by limeonaire at 11:04 PM on November 1, 2017 [8 favorites]


If you're interested in this topic, Reply All did a two-part podcast (1, 2) recently that also happens to be one of the best podcasts I've heard this year. A tech-savvy reporter decides to see how the tech support scam plays out, and goes all the way.
posted by Homeboy Trouble at 11:08 PM on November 1, 2017 [11 favorites]


This happened to my mom last year. She called me right in the middle of it when the guy was doing the command line “trick” (I think he used ping instead of dir). “MOM DISCONNECT HIM RIGHT NOW.” She did and thankfully that was the end of it. I’d never heard of the scam at the time. The Reply All episodes Homeboy pointed out are fantastic.
posted by not_the_water at 11:35 PM on November 1, 2017 [2 favorites]


One of the key recommendations that the paper makes is the implementation of browser 'panic buttons' (which would close the current tab without triggering any further events and, presumably, close any chain of tabs that spawned it), which users would be encouraged to press if they felt threatened by a web page. It'd provide value not only in protecting from scams but also from other problematic web pages (such as non-scammy but buggy/crashy pages).

The challenge, as always with security UX in browsers, is in making such a button clear and unambiguous, always available, and not possible to hide at the request of a web page. We already struggle with defining the boundary between the browser chrome and the page content, as we've seen with scam web pages that e.g. set their favicon to be a "padlock" in order to pretend that the connection is over HTTPS, or that create popups without address bars and then render their own fake address bar (containing the URL of a trusted website).

I'm not sure of the answer, but my gut feeling is that we've consistently let web pages go too far in their manipulation of the space "outside" of the scope of the page (i.e. the address bar, the window itself, and so on). It seems to me that if a 'panic button' is to work, we first need to address several more-fundamental browser issues, including:
  • Alert boxes steal focus across the entire browser. If they stole focus only within the current tab (i.e. you could switch tab or close a tab despite an alert box being present), that'd protect the vast majority of people from alert-box-based "page kidnapping". (We could optionally provide a mechanism by which a site could request permission to create modal alert boxes, in the same way as sites request permission to track geolocation or provide desktop notifications, for example.)
  • Windows can go full-screen with no or minimal (or accidental) user interaction. Full-screen pages are problematic because the scammer controls everything the user sees, making it easy to e.g. fake BSODs and other error screens. Full-screening is important for games and video, but again: perhaps this is something where a site must ask for permission to be able to do it 'for itself': the only way a site should be able to be full-screened without permission is by user interaction with the chrome (e.g. selecting "Full screen [F11]" from a menu). I'm aware that a popup/overlay advising that the browser is in fullscreen mode is commonplace, but it clearly isn't working out well.
  • Pop up/under windows don't make their parentage clear. It ought to be immediately apparent from a pop-up window where it spawned from and to which 'parent' it belongs. Browsers have come a long way in blocking pop-ups but while pop-ups have legitimate uses scammers will always find ways to abuse them: or maybe pop-ups as a whole need to be restricted by permission (that sites can request) too. I don't know.
What's clear is that browser manufacturers are, in adding features to the web, failing to protect their users from scammers, and we can do better.
posted by avapoet at 11:57 PM on November 1, 2017 [21 favorites]


I get these calls a lot. I go all slow and doddery on them while searching for "windows XP Chime" on my iPhone. I play that, tell them the computer is starting up - which takes a while - and then pretend to follow their instructions. Sometimes they catch on, sometimes I ask if I can tell them something and then gently explain that it's wrong to cheat people.
posted by Joe in Australia at 3:00 AM on November 2, 2017 [11 favorites]


We identify malvertising as a major culprit for exposing users to technical support scams...
...and every other bloody thing. Said it before and I'll say it again: in 2017, installing a competent ad blocker addon in your web browser removes more threats than installing an antivirus application in your OS. It should be the first thing you add to any new installation. Do it before you even download any other security software.
posted by flabdablet at 3:39 AM on November 2, 2017 [26 favorites]


> This happened to my mom last year. She called me right in the middle of it when the guy was doing the command line “trick” (I think he used ping instead of dir). “MOM DISCONNECT HIM RIGHT NOW.”

This happened to my mom *two weeks ago,* and my dad called for assistance while my mom was still being overwhelmed with the bull. My immediate recommendation was the same; I literally had to get my dad to unplug the network cable because of it, since my mom was convinced by the show. (Keep in mind, she has a long history of clicking on pretty much every email attachment and believing every popup webpage warning of viruses, then yelling at me for what I must have done to her computer -- and the last part continued for several years after I had moved out.)

In our case, it had unfortunately gotten to the stage where they had convinced her to click "ok" on the security prompt to install their "remedy" software, and while the scammer called back half a dozen times to try to continue the scam (my dad kept hanging up on them at that point), the program they had barely managed to get her to install locked out the system when it could no longer phone home for activation (after you pay their fee, which is basically a ransom).

Had I been there, I could have recovered the system, but being on the other side of the continent I was limited in how to help them. We eventually resorted to using Windows 10's built-in Fresh Start reset function, but the computer got stuck in the process and now they simply bought a new machine and are leaving the old one for me to fix next time I visit. At least this time, my dad took the advice of having a separate account for my mom that is *not* an administrator...
posted by mystyk at 3:53 AM on November 2, 2017 [3 favorites]


I got the fake "Windows tech support" calls on the daily for months. Telling them I knew it was a scam did nothing; telling them my computer is a Mac finally got them to stop.
posted by misslucyjane at 4:15 AM on November 2, 2017 [2 favorites]


My mom loves telling the scammers "I'm on a Chromebook, and you're lying" or some variant of same. I've done well helping her.
posted by deezil at 5:16 AM on November 2, 2017 [2 favorites]


Six years ago these arseholes were fun to mess with. Now there are so many of them that they're just really fucking irritating.

Got one a couple months back on a day when I had time to play. Didn't bother with the whole VM thing this time around, just took the rare opportunity to play the black pieces in a game of Help Desk vs Clueless Rube for a change; cost the smarmy bastard on the other end half an hour to get to the part of the script where he actually wants to take charge of my machine, at which point I got sick of the game and launched a bit of a tirade about what he was doing being completely dishonest and a waste of everybody's time and how did he like being scammed back for a change and he should be ashamed of himself.

But although I do count the half hour this prick wasted on me as a net good, in that it's half an hour he'll never get back to scam somebody else in, the joy has really gone out of it. I now know four families personally who have collectively spent around $1000 on this shit.

Why do people buy anything from cold callers ever? I seriously don't get it. Have any of you, or anybody you know, ever got a deal from any cold caller offering anything that you're still happy with a year down the track?
posted by flabdablet at 5:51 AM on November 2, 2017 [7 favorites]


> Have any of you, or anybody you know, ever got a deal from any cold caller offering anything that you're still happy with a year down the track?

And that's a great point. I've had a few good things stem from door-to-door solicitation, as have most people I know (the key is that I was *already in the market* for what was offered, had already looked into my options at least a little, and the timing just helped me make the leap for it -- otherwise the answer is "thanks, but no"), but you're right that I can't imagine anyone I know having come out ahead from a cold *call* in any form.
posted by mystyk at 6:08 AM on November 2, 2017


Many comments here missing the point: these aren't cold calls we're talking about. These aren't the thing where you get a phone call out of the blue telling you that there's a problem on your computer.

What we're talking about here are fake ads on the Web that tell you that you've got a virus and suggest that you call tech support (actually the scammer) for help. Psychologically, this gets through some people's bullshit-filter because it wasn't a cold call: it was the victim calling the tech support number that "their computer" told them to.
posted by avapoet at 6:35 AM on November 2, 2017 [6 favorites]


I think both are valid, or at least the larger element adds context. This story is about the deceptive pop-ups, yes. That's exactly what got my mom a few weeks back. But she's also exactly the kind of person who falls not just for that, but for so many *other* scams. And those scams still happen, every day. Looking at it in that light at least helps keep in mind that while the deceptive virus popups are a newer trend (and one that browser makers should take to heart the need to fight against strongly), it stems from within an old formula of psych manipulations.
posted by mystyk at 6:52 AM on November 2, 2017


I am incredibly cynical when it comes to any networked device, and there are still times when it takes me 2 or 3 rounds of my in-head-alarm-bells going off for me to spot some of these things.

For example, my mum had a message supposedly from whatsapp pop up on her phone telling her that she needed to pay the yearly fee and to click a link and follow the steps. The fact that whatsapp used to charge a nominal fee lulled me into saying "oh yeah, that's probably legit". My brain itched for the next ten minutes until I asked her if I could look at the message and her phone and another 5 minutes until I clocked it for the scam it was.

These scams are predatory, abusive and downright disgusting.
posted by trif at 6:57 AM on November 2, 2017 [4 favorites]


To ensure that our VMs look like realistic user systems, we artificially aged our virtual machine, by installing different applications, downloading images and documents and placing them on the Windows desktop, and browsing many popular video sites, gaming sites, and news sites.

I was impressed by what they got past their IRB, but I'm even more impressed by what they got past their supervisor.
posted by solotoro at 7:01 AM on November 2, 2017 [6 favorites]


Psychologically, this gets through some people's bullshit-filter because it wasn't a cold call: it was the victim calling the tech support number that "their computer" told them to.

One of my customers, who only just caught herself on the point of giving her credit card number to one of these pricks and hung up on them to call me instead, was initially taken in by this kind of thing.

She's clueful enough to have been paying attention to general media reports about ransomware, but she doesn't really get the relationship between windows and applications. The idea that a window belongs to something abstract called a "browser" is kind of foggy for her.

She's also not particularly discerning or cautious about sites offering what ought to be obviously completely illegitimate content.

So having missed an episode of Poldark, and having forgotten how to use the Kodi media player with the ABC iView add-on I installed on her machine to let her stream these things, and having no clue at all what bookmarks are or how to create and use them, she did what she always does when she wants to go to a website: put a word in the Google box, clicked the search icon, and followed the link in the first result.

In the past she's generally lucked her way to iview.abc.net.au by doing this, but this time she got herself to some shonky video download site with a "fuck it, let them all in" policy for vetting its advertisers. Firefox having helpfully disabled the Adblock Plus extension a few update cycles back on the basis that it wasn't signed or some bloody thing, she found herself looking at a scary blinking warning that her computer had been infected with ransomware and all her files had been encrypted, complete with a whooping siren noise, a warning not to switch off the computer, and a number to call.

The idea that she could completely get rid of this simply by closing the browser never even occurred to her. As far as she was concerned her computer was showing her yet another incomprehensible message full of technical gobbledygook, it seemed to be serious, it contained the magic word "ransomware" and there was a siren! and fear just took over for a while. She didn't even turn the bloody sound down - it was still blaring away when I got there.

So fuck the pricks who set up these scams. Fuck them with a red hot cast iron dildo sideways. Fuck them for frightening people and fuck them for stealing, both from those they target and the employees they rip off.
posted by flabdablet at 7:51 AM on November 2, 2017 [12 favorites]


I got a phone call from someone saying they were from Windows tech support and that there was a problem with my computer. I replied with "dude, you're such a scammer it's not even funny" and hung up -- but not before I caught him laughing. What was interesting about it was that the caller id and the caller's accent both said "New York City", which makes me think that this is a profitable enough scam that it doesn't need to be offshored to call center sweatshops any more.

Also, I work at Microsoft which makes these calls both funnier and more painful.
posted by Slothrup at 9:39 AM on November 2, 2017 [3 favorites]


Firefox having helpfully disabled the Adblock Plus extension a few update cycles back on the basis that it wasn't signed or some bloody thing

Might want to switch her to uBlock Origin, Adblock Plus has had some issues.
posted by Chrysostom at 10:44 AM on November 2, 2017 [1 favorite]


uBlock Origin is indeed my current weapon of choice.

Main issue with Adblock Plus, as far as I know, has always been Eyeo GmbH's for-pay whitelist which it's easy enough to turn off (the option is in Filter Preferences, called "Allow some non-intrusive advertising" and it's enabled by default). There's been a completely disproportionate amount of FUD raised about that, mostly traceable back to anti-adblocker marketing shills. I've seen it referred to as a "security hole" in certain quarters, and Eyeo's ethics have been questioned though mostly by people who represent organizations whose own ethics are almost undetectable.

Main reasons I switched to uBlock Origin is because it comes with a decent set of blacklists already switched on, its author's basic posture on online advertising (burn it all down - I never want to see any of it) is perfectly aligned with my own, and it runs faster.

But I can see no real reason to repeal and replace Adblock Plus if it's already been installed and properly configured for some time and the user is already comfortable with its controls.
posted by flabdablet at 11:37 AM on November 2, 2017 [2 favorites]


YouTube has a lot of these. The techniques used would be quite persuasive to many people, I think. The scariest one I have seen is here (sorry for the mobile link).
posted by StephenB at 11:53 AM on November 2, 2017 [2 favorites]


The creative explanations for system messages are pretty impressive, and I can see how they could be pretty convincing to someone already on edge. I've never called a tech support scammer, and have never gotten to that point in the scam with one who called me, so I hadn't seen that stuff before.

A lot of people have some really patronizing attitudes about how people who are fooled by those scams are technically inept, but really, it's not technical skills that keep most people from falling for them. It's usually just knowing that the scams exist.
posted by ernielundquist at 2:18 PM on November 2, 2017 [3 favorites]


it's not technical skills that keep most people from falling for them

That's somewhat true.

I think it's also true that most people not only don't particularly care about what's under the hood of any of their IT devices but have been trained for years to believe that IT is the proper concern of nerds and geeks only, and that they themselves are simply not capable of understanding any of that stuff. It's a kind of mutant internalized patronization, I see it all over the place, and it makes me sad.

I'm sure that specialists in other fields - finance, for example - would observe that the same effect occurs there as well. And I'm equally sure that just as in those other fields, helping people come to grips with the fundamental underlying ideas is a worthwhile use of my time and theirs.

So I've always found it really annoying that entry-level IT courses cover none of them. Every single one I've ever seen starts with How To Launch Word, rapidly moves on to How To Make A Document Look Pretty With Word Art, and then it's just a whole pile of recipes for dealing with common tasks: click this, then click that, then click OK. There is no attempt made to explain what's actually going on inside the machine, and I think this is why the response of so many people when asked "where did you save that document you can't now find?" is not "in my Documents folder" or "I can't remember" but "in Word".

So when I'm at a customer's house, I will try to make up for this. I can't think of a single one of my regulars (who outnumber my oncers by about 20:1) who does not now understand what a file is, what a folder is, that these things exist on some physical storage device somewhere - be that internal to the machine, or sitting in your desk drawer, or off on somebody else's computer somewhere in the world - and that every OS comes with a file browser that lets you manipulate them in a consistent way regardless of what kind of information (picture, music, document, movie) they contain.

This stuff is not at all difficult to teach if you have a small and captive audience. In my experience, the main problem is overcoming the belief that all of it is just IT mumbo jumbo that I could not possibly understand and will therefore actively defend my ignorance of.

In my experience, once somebody is clear on the ideas that information comes in chunks, and that those chunks have names and sizes and physical locations, that using a computer can always be looked at as manipulating these chunks in some fashion, and that if the computer is making it hard for you to understand that this is what's happening then the computer is designed wrong, then a great deal of the feeling of intimidating arcane mystery simply evaporates.

The very first thing I try to get customers to understand is the vital importance of swearing at the device and meaning it when it does something weird and inscrutable. Machines, like dogs, can sense fear and it's important not to show them any. Unlike dogs, they neither value nor deserve affection.

Which has all got a bit rambly and incoherent, but the point is that in my experience having at least this level of knowledge does render people more scam-resistant.

** late breaking news **

Typing this reply was just this minute interrupted by a phone call, and it was "Rose from Telstra" telling me that they were receiving reports that my Internet connection was being infected by overseas hackers who want to put trojans and malware on my computer zomg and that if I did not let her log on to my computer she would have to block my Internet onoz.

I tried to engage her in a friendly discussion about what kind of success rate she was seeing from the Internet blocking threat, which I hadn't heard before and thought was quite ingenious, but she hung up on me :-(
posted by flabdablet at 8:40 PM on November 2, 2017 [6 favorites]


What we're talking about here are fake ads on the Web that tell you that you've got a virus and suggesting that you call tech support (actually the scammer) for help.

More than that. They have, or had, a bunch of sites with names like "quicken.techsupport.com." Google is, or was, too fucking stupid or lazy to recognize what's going on, and serves up such links near the top of a results page for "quicken tech support." Amazingly, the site tells you you need to call tech support and helpfully provides a phone number.

My mother is suspicious enough to be resistant on calls from strangers, but a call she placed herself?

Cost her several hundred dollars. And then she did it again the next tax season. At least this time she hung up before writing any checks. And she was still working at the time! Never underestimate the number of confused old retirees sitting around out there waiting to be eaten by vultures.
posted by praemunire at 9:09 PM on November 2, 2017 [1 favorite]


Which has all got a bit rambly and incoherent, but the point is that in my experience having at least this level of knowledge does render people more scam-resistant.

Oh, it totally does, and the ideal would be that people would actually understand how their computers work at least to some degree. Most software does a pretty good job of obfuscating what's going on under the hood.

My point was that very few people actually do, including those who say smug, patronizing things about scam victims. They usually don't understand how things work either. A lot of people seem to think that knowing how to navigate a user interface makes them technically proficient somehow, but it doesn't, and they don't necessarily understand why the scam claims don't make sense. They usually only recognize the scams because they're aware of them.

And I have this nagging suspicion that those patronizing attitudes play into the phenomenon. If people patronize you and treat you like you're stupid and helpless just because you fell for a (very cleverly designed) scam, you're probably less likely to ask those people for help or advice the next time.
posted by ernielundquist at 7:35 AM on November 3, 2017 [1 favorite]


those who say smug, patronizing things about scam victims

are pretty much the only people on Earth who incontestably deserve to be scammed. Preferably for cripplingly large amounts.
posted by flabdablet at 10:58 AM on November 3, 2017


Typing this reply was just this minute interrupted by a phone call, and it was "Rose from Telstra" telling me that they were receiving reports that my Internet connection was being infected by overseas hackers who want to put trojans and malware on my computer zomg and that if I did not let her log on to my computer she would have to block my Internet onoz.

A while back I had a call out of the blue from "Louis at Telstra", who had a surprisingly thick Indian accent for an Australian, demanding in no uncertain terms that if I didn't hand over my passwords, money, and life on the spot then my internet connection was going to be terminated immediately due to it being traced by the police as a source of malware, or something.

'Louis' hung up pretty quick when he discovered that I am a cynical grouchy middle-aged male, with a deep voice, and no respect, patience, or civility left for scammers, especially when they interrupt my private time at home. But most of all I think it was discovering the fact that my ISP wasn't Telstra that persuaded him I wasn't a profitable mark, and it was time to move on.

Oops.

Forward a few weeks to today, and you won't be surprised to learn that my internet connection is still up and running, and that I have had no more phone calls or emails from anybody at 'Telstra', or warrants served by the police, about that incredibly urgent and serious legal problem of mine.
posted by Pouteria at 2:28 AM on November 4, 2017


My house is insulated against the web-driven variant of these scams, but based on the Reply All podcasts linked above, in future I intend to respond to the cold call version by saying politely that if your boss requires you to tell lies for money then he's probably lying to you as well, and although I'm sure you think you have a real job right now you very likely don't, and if you have not been paid your first wages yet then perhaps you should think about leaving right now and looking for a better employer because businesses in your line of work are well known for scamming their employees as well as their customers.

Will see how much of that I can get out before they hang up on me. Can do no harm, might do some good.
posted by flabdablet at 4:58 AM on November 4, 2017 [3 favorites]


FTA: "While certain problems, e.g., the expiration of an SSL certificate, or the problem of mixed inclusions, are admittedly hard to explain to a non-technical person, we argue that explaining the concept of technical support scams, is an easier endeavor."

Okay, so I'm outing myself as a non-technical person: What is the problem of mixed inclusions?
posted by cynical pinnacle at 1:56 PM on November 4, 2017


Mixed inclusions is web developer jargon to describe a website where the site you actually browse to has a secured (https://...) URL, but some of the resources the site includes (images, scripts and so forth) are pulled in from unsecured (http://...) locations.

Such sites are problematic because they appear to offer much more security than they actually implement. The use of HTTPS means that it's infeasible for e.g. a wifi-sniffing attacker in the same coffee shop as you to read or alter the content of the main site itself, but if some of what the site actually does is controlled by Javascript (which it almost certainly will be, in 2017) and that script code is not embedded in the main site but fetched from another, unsecured source, it's completely feasible to spoof that source and inject attacker-chosen behaviour into your web browser.

More on this from Mozilla.
posted by flabdablet at 10:55 PM on November 4, 2017
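As an added illustration of the mixed-content problem described above (this is example code, not from the thread or the paper), here is a small checker that flags http:// sub-resources in a page served over https, separating script-style "active" inclusions from image-style "passive" ones. The page URL and HTML below are constructed sample input.

```python
"""Mixed-content checker (added illustration, not from the thread or the paper).

Scans an HTML document that is assumed to be served over HTTPS and reports
sub-resources fetched over plain http://, split into "active" content
(scripts, stylesheets, iframes, objects) that can change page behaviour and
"passive" content (images, audio, video) that can only be swapped or observed.
The sample page at the bottom is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// sources let a network attacker run code or restyle the page.
ACTIVE = {
    "script": ("src",),
    "link": ("href",),      # only counted when rel contains "stylesheet"
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Tags whose http:// sources are display-only ("passive" mixed content).
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return   # preload/icon/etc. links are not stylesheet inclusions
            self._check("active", tag, attrs, ACTIVE[tag])
        elif tag in PASSIVE:
            self._check("passive", tag, attrs, PASSIVE[tag])

    def _check(self, severity, tag, attrs, names):
        for name in names:
            raw = attrs.get(name)
            if not raw:
                continue
            # Resolve relative and protocol-relative ("//cdn...") URLs against
            # the page URL, so only a literal http:// origin is reported.
            absolute = urljoin(self.page_url, raw.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []   # a plain-http page cannot have mixed content
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: an https:// site pulling in one insecure script,
# one insecure image, and several resources that are fine.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://cdn.example.net/jquery.js"></script>
  <script src="//cdn.example.net/app.js"></script>
</head><body>
  <img src="http://images.example.net/logo.png">
  <img src="https://images.example.net/hero.png">
  <a href="http://partner.example/">links are navigations, not inclusions</a>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Only the http:// script counts as active mixed content; the protocol-relative app.js resolves to https and the insecure image is reported as passive.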


The server-side view.
posted by flabdablet at 10:57 PM on November 4, 2017


Flabdablet: Thank you for the explanation with links!

I was trying to search for this by using the phrase in the FPP article ("mixed inclusions") and wasn't having much luck. "Mixed content" is giving more search hits. Thank you!
posted by cynical pinnacle at 5:57 AM on November 5, 2017



