Dancing pigs

In computer security, "dancing pigs" is a term, and the name of a problem, describing computer users' attitudes towards security: given a warning from security software that an amusing graphic is potentially dangerous, users will pick the graphic anyway. [1] In other words, users choose the features they want without weighing the security consequences. The term is used mainly by technology professionals and appears in IT articles.

Origins

The term originates from a remark made by Edward Felten, an associate professor at Princeton University:

Given a choice between dancing pigs and security, users will pick dancing pigs every time. [2]

Bruce Schneier states:

The user's going to pick dancing pigs over security every time. [3]

Bruce Schneier expands on this remark as follows:

If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet—he's going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children," he'll click OK without even reading it. Thirty seconds later he won't even remember that the warning screen even existed. [4]

The Mozilla Security Reviewers' Guide states:

Many of our potential users are inexperienced computer users, who do not understand the risks involved in using interactive Web content. This means we must rely on the user's judgement as little as possible. [5]

A widely publicized 2009 paper [6] directly addresses the dancing pigs quotation and argues that users' behavior is plausibly rational:

While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. [7]

Experimental support

One study of phishing found that people really do prefer dancing animals to security. The study showed participants a number of phishing sites, including one that copied the Bank of the West home page: [8]

For many participants the "cute" design, the level of detail and the fact that the site does not ask for a great deal of information were the most convincing factors. Two participants mentioned the animated bear video that appears on the page (e.g., "because that would take a lot of effort to copy"). Participants in general found this animation appealing and many reloaded the page just to see the animation again.

Schneier believes the dancing pigs problem will keep leading to crime, which he sees as a key threat. He said: "The tactics might change ... as security measures make some tactics harder and others easier, but the underlying issue is constant." Ignoring computer security exposes users to many kinds of damage and can result in significant losses. [9]


References

  1. Mooney, Greg. "Dancing Pigs and Other Dangers: 3 Popular Email Cons". DMSi. Archived from the original on 2020-07-21. Retrieved 2020-07-21.
  2. Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-471-31952-X), Chapter one, Part seven
  3. Mills, Elinor (October 23, 2009). "Q&A: Schneier warns of marketers and dancing pigs". CNET. Retrieved 12 February 2013.
  4. Bruce Schneier: Secrets and Lies (John Wiley & Sons, 2000; ISBN 0-471-45380-3), p. 262
  5. "Mozilla Security Review and Best Practices Guide". Mozilla Foundation. 17 May 2002. Retrieved 2 February 2015.
  6. Pothier, Mark (11 April 2010). "Please Do Not Change Your Password". The Boston Globe. Retrieved 2 February 2015.
  7. Cormac Herley (2009). So Long and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users (PDF). New Security Paradigms Workshop. Archived from the original (PDF) on 2016-03-28.
  8. Rachna Dhamija, J. D. Tygar and Marti Hearst. "Why Phishing Works" (PDF). Archived from the original (PDF) on 2008-03-06. Retrieved 2011-05-25.
  9. Mills, Elinor (October 23, 2009). "Q&A: Schneier warns of marketers and dancing pigs". CNET. Retrieved 12 February 2013. The tactics might change--phishing, pharming, key logging, social engineering, password guessing, whatever--as security measures make some tactics harder and others easier, but the underlying issue is constant