John Richard Moser
nigelenki at comcast.net
Sun Aug 21 12:50:34 CDT 2005
Matthew Paul Thomas wrote:
> On 20 Aug, 2005, at 12:55 AM, John Richard Moser wrote:
>>> In a paper (''work in progress'') entitled "Designing a Secure and
>>> Friendly Operating System," I wrote a section about an "assistant" to
>>> help the user with the system, primarily to deliver security concerns
>>> This looks like it'd be simple to implement if I had time. The
>>> question is, would anyone actually care?
> Previous assistance systems seem to have failed for a combination of
> 1. People assume (often correctly) that if the software isn't smart
> enough to be easy to use in the first place, it's not going to be
> smart enough to help them use it either, so they don't invoke the
> assistance function voluntarily. Example: anything in a "Help" menu
> or behind a "Help" button.
> 2. Exacerbated by the previous problem, writing assistive text is
> unrewarding, so it gets done mainly by people motivated by either
> money or the mere satisfaction of authorship. These people, while
> well-meaning, often aim for word count at the direct expense of
> helpfulness. Example: much of the help in Gnome.
> 3. The assistance is too difficult to author. Example: the Apple Guide
> in classic Mac OS -- Apple used it, but very few other vendors did.
I am looking at how to implement the API, trying mainly to squash it
into a few basic but direct, simple functions. At the risk of adding
twice as many functions, I made the 3 configurable settings into 6
functions, rather than leave the duty of setting up the configuration to
the programmer by setting up a structure in some oddly complex way. (of
course the somosis_get_config() function still returns this junk; but breh)
> 4. Useful assistance needs to be written by people who are (a) good at
> writing, (b) good at guessing/measuring the problems people have,
> and (c) knowledgeable enough to give solutions to those problems.
> These people are rare. Example: most Free Software.
Yeah that's the hard part :)
> Your proposed system would solve problem 1, and if the interface design
> encouraged short text, it would solve problem 2 as well. This is a good
> start. Problems 3 and 4 are still open, though.
>>> The basic idea is to give applications an interface to a daemon to
>>> have it supply assistive support to new users; primary function of
>>> course is to deliver security concerns.
> I don't understand the "of course" part. The help system in the Grand
> Theft Auto games is an excellent example of the kind of just-in-time
> help you are talking about, but its prompts aren't "security concerns"
> (at least, not in the sense of computer security).
Ideally your apps are easy to use anyway; the user is still going to
blatantly ignore the "New updates are available" bubble because he
doesn't care, he's still going to ignore the "SUID binaries being
installed" warning in Autopackage (if autopackage ever implements such a
warning), he's still going to rabidly download and install whatever
regardless of the dangers, and thus his system will quickly become a
riddled hell of spyware and viruses.
This 'assistant' idea came out of a paper I'm working on about creating
a secure desktop OS; mainly, exploit squashing is put into place using
kernel and compiler hardening. These things aren't new, they're just
rarely used. A cleaned up ProPolice (terminates program safely on stack
buffer overflow) got an OK to commit on the gcc mailing list. PaX has
been around since 2000 and can stop code injection and ret2libc by
shifting the address space around randomly and making sure no memory is
write/execute. GrSecurity builds around PaX with facilities to prevent
the escape of chroot() jails, named pipe spoofing, /tmp file races, and
I picked apart each of these things, started writing up the theory
behind them, recommending how to improve the implementation, and the
course to take to deploy a desktop OS utilizing them. Along with this,
the 'proper' use of Autopackage (which just happens to supply the
functionality I need) and the package manager together is laid out; as
well as an explanation of separating /home from / (either logically or
physically) for durability if the system itself is damaged and needs to
In the end I recognized that no matter how much PaX or SELinux I throw
at something, until I start getting in the end user's way, he's still
going to be able to break his system by installing viruses and spyware
and other setuid trojan crap without remorse. I realized that a few
simple concepts need to be explained; but "dumping" that on the user
would result in blatant ignorance. To that end, I came up with simply
inlining the information just-in-time to pass the user critical,
The fact that this facility is useful as an "assistant" is just an
afterthought that I was nice enough to include in the theoretical
write-up. . . .
>>> A better assistant would give multiple classes and levels of
>>> information, allowing the user to essentially set the verbosity of the
>>> assistant in a fine-grained manner.
> I disagree. The usual answer to "How much help do you want?" would be
> "How am I supposed to know, I haven't tried doing anything yet".
And the usual answer to "it looks like you're writing a letter, would
you like help?" would be "NO FUCKING GO AWAY." Not always, but often.
>>> The text provided by the assistant should be brief, explaining in most
>>> basic terms the alert being raised. This will ensure that the user
>>> does not have to spend large amounts of time reading any given alert;
>>> a half screen of text will easily signal a user to not bother reading.
> This is good (though belied by your example below).
The example below was 3 times longer before I trimmed it; it took me an
hour to try and cut it down.
>>> The assistant should be capable of producing interesting visual
>>> effects, such as moving to a specific menu or button, highlighting
>>> text and widgets independent of the application,
> This is what the coach marks did in Apple Guide from Mac OS 7.5 to 8.1.
>>> and producing word bubbles.
> It would be great to see sophisticated assistance functions like this
> in Ubuntu, if they avoided the mistakes of the past
>>> As with all alerts, the initial introduction of the assistant should be
>>> brief, but complete. It should explain the function and importance of
>>> the assistant, for example with security alerts. It should also notify
>>> the user of initial inundation so that he will not simply switch it
>>> off after a few minutes. A potential description for a theoretical
>>> assistant called
>>> is shown below. Note the brevity and
>>> the use of
>>> such as identity theft and viruses in the second
>>> Welcome to your new Linux system!
>>> Please read this introduction carefully to prevent identity theft and
>>> viruses and to protect your privacy.
>>> While we have done our best to protect your system from worms and
>>> malicious hackers, we cannot protect the system from the user in
>>> control of it. Therefore, to protect you from identity theft scams
>>> and viruses, we have created SOMOSIS, Simple Online Memoranda
>>> Offloading Secure Information Strategy, to help protect you from
>>> common scams and help you make security-conscious decisions.
>>> SOMOSIS appears when a security concern is first raised. It is
>>> designed to appear less frequently as you use your system by not
>>> displaying the same messages repeatedly; however, the first few
>>> alerts, mainly explaining anti-phishing tools and encrypted e-mail,
>>> may be seen rather quickly. By explaining such tools as they are
>>> first needed, we hope to help you to protect yourself from those
>>> dangers we could not handle automatically.
>>> SOMOSIS may also be configured to act as an assistant and teach you
>>> about the general use of your system and your applications. This
>>> functionality is configurable to a large degree. Would you like to
>>> learn more about the SOMOSIS system?
> Here's an approximation of how this intro would read to a typical human:
> Welcome to your new Linux system!
> Please read this introduction carefully to prevent identity theft and
> xxxxxxx xxx xx protect your privacy.
> While we have xxxx xxx xxxx xx xxxxxxx xxxx xxxxxx xxxx xxxxx xxx
> xxxxxxxxx xxxxxxx, xx xxxxxx xxxxxxx xxx xxxxxx xxxx xxx xxxx xx
> xxxxxxx xx xx. Txxxxxxxx, xx xxxxxxx xxx xxxx xxxxxxxx xxxxx xxxxx
> xxx xxxxxxx, xx xxxx xxxxxxx SOMOSIS, Sxxxxx Oxxxxx Mxxxxxxxx
> Oxxxxxxxxx Sxxxxx Ixxxxxxxxxx Sxxxxxxx, xx xxxx xxxxxxx xxx xxxx
> xxxxxx xxxxx xxx xxxx xxx xxxx xxxxxxxx-xxxxxxxxx xxxxxxxxx.
> SOMOSIS xxxxxxx xxxx x xxxxxxxx xxxxxxx xx xxxxx xxxxxx. Ix xx
> xxxxxxxx xx xxxxxx xxxx xxxxxxxxxx xx xxx xxx xxxx xxxxxx xx xxx
> xxxxxxxxxx xxx xxxx xxxxxxxx xxxxxxxxxx; xxxxxxx, xxx xxxxx xxx
> xxxxxx, xxxxxx xxxxxxxxxx xxxx-xxxxxxxx xxxxx xxx xxxxxxxxx x-xxxx,
> xxx xx xxxx xxxxxx xxxxxxx. Bx xxxxxxxxxx xxxx xxxxx xx xxxx xxx
> xxxxx xxxxxx, xx xxxx xx xxxx xxx xx xxxxxxx xxxxxxxx xxxx xxxxx
> xxxxxxx xx xxxxx xxx xxxxxx xxxxxxxxxxxxx.
> SOMOSIS xxx xxxx xx xxxxxxxxxx xx xxx xx xx xxxxxxxxx xxx xxxxx xxx
> xxxxx xxx xxxxxxx xxx xx xxxx xxxxxx xxx xxxx xxxxxxxxxxxx. Txxx
> xxxxxxxxxxxxx xx xxxxxxxxxxxx xx x xxxxx xxxxxx. Wxxxx xxx xxxx xx
> xxxxx xxxx xxxxx xxx SOMOSIS xxxxxx?
> Saying "Please read this introduction carefully" will not protect you
> from the relentless human intolerance for text that is Getting In Their
> Way. Fortunately, that whole intro is unnecessary.
Fail. Introduction to the assistant is critical; although it could be
shorter, I hope. Luke Swartz' paper, "Why People Hate the Paperclip,"
confirms this assumption.
3.2.3 Mental Model of the Paperclip
Informants were asked a number of questions designed to determine their
mental model of the paperclip; that is, how they think it works. These
questions included, "When has it appeared?", "What do you think triggers
it?", and "What is it supposed to do"?
Again, answers correlated largely with level of computing experience.
Four informants, two beginners and two advanced beginners, seemed
confused about what the Office Assistant does. One advanced-beginner
informant noted that it, "tells me I've done something wrong; It's
supposed to stop you so you don't continue on to make a mistake." The
other confused advanced beginner said, similarly, "It tells me when I
need help." While the proactive feature does indeed try to step in when
the user is attempting to do something that is impossible, this doesn't
seem to characterize the Assistant's intended or actual role. The two
beginner informants were confused as to what the paperclip did. One
noted, "I don't know what the h*** it was for. There's no manual that
tells you what it does. The only thing I'm sure it does is it wiggles
when the computer's working."
The other informants had more accurate mental models of the Office
Assistant. They all spoke about being able to type words or questions
into its search box. Two people noted that it tends to pop up when one
is encountering an unfamiliar feature: "It seems to know when I haven't
done something before." Three informants noted that it offers
assistance in writing letters. Two informants associated the Assistant
with other automatic tools in Microsoft Word, like AutoComplete and
AutoFormat. As one put it, "it puts bullets where it thinks the bullets
Two interesting points present themselves here: First, beginners--the
people who are supposed to be helped the most by the Office
Assistant--are at least somewhat confused about what it is supposed to
do. Especially given that beginners won't naturally turn to the
computer for help (as they seek out people instead, as described in
3.2.2), it may be especially important to introduce such users to what
the Assistant does and how to use it effectively.
Second, that even relatively experienced users attribute a number of
actions (such as automatic formatting) to the Office Assistant suggests
that users are so used to the direct-manipulation application-as-tool
metaphor, that any amount of independent action will be ascribed to the
agent. For these users, the agent has taken on agency for the program
Beginners don't even know what the hell the thing does; and if they see
it and are partially familiar with the Office Assistant, they'll assume
it gives useless information.
Bolding could possibly help with the fact that the thing is too long;
but it needs shortening. Bolding would "effectively shorten" the length
by pulling the user's attention to useful things and letting him ignore
the rest, without just saying "protect your privacy, viruses, security,
anti-identity-theft, click the little bubble, it might show up a lot at
first, it'll go away." It still needs to be cut down.
> Your basic idea is great, but on Ubuntu-specific mailing lists, it
> would probably meet with more success if developed into a working
> Debian package. If you're capable of implementing it yourself, one
> possible approach would be to draft a spec on the Ubuntu wiki
> <https://wiki.ubuntu.com/>, and see if you can get someone to sponsor
> it as a bounty. Let me know off-list if you need help drafting a spec.
I'm a poor college student working 2 jobs and trying to 12-credit each
semester :( Most accurately, I don't have time to code these things; I
have time to tell people what to do and watch them laugh at me though. :P
> -- Matthew Thomas
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond