This brings us to the close of SOUPS 2009.
It’s sad. I know. But never fear! SOUPS 2010 beacons!
So, here’s hoping I’ll see all you usable security folks at Microsoft’s campus in Seattle around this time next year!
Moderator: Luke Kowalski, Corporate UI Architect, Oracle
Stuart Schechter, Microsoft Research
David Recordon, Open Platforms Tech Lead, SixApart
David Sward, Director of User Centered Design, Symantec
Nancy Frishberg, User Experience Strategist and BayChi chair
Rashmi Sinha, CEO, SlideShare
The opening premise is that Open Source is a neutral factor on usability of security software.
One of the first myths of open source [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a15-smetters.pdf
Diana Smetters and Nathan Good
Access control is a specification of policy indicating who can do what to whom. Access control is hard to use. People often get around it by granting overly permissive capabilities. Looking at Windows XP, there are over a dozen of checkboxes that can be flipped for each file! However, people like [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a14-kluever.pdf
Kurt Kluever and Richard Zanibbi
CAPTCHA’s are used for a variety of purposes, but most generally to combat spammers. A desirable CAPTCHA should be automatically generated, should not rely on secret databases or algorithms, should be usable, and should be hard to spoof. Most existing CAPTCHAs fail in one or more of these respects, usually usability.
This [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a13-chow.pdf
Richard Chow, Ian Oberst and Jessica Staddon
It is often important to share sensitive documents, but protecting privacy is important. A typical solution is do redact important bits, but often the redacted information can be recovered. Another approach is is to sanitize the data by replacing specific terms with more general terms that hide the underlying [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a12-halprin.pdf
Ran Halprin and Moni Naor
Random number generation is important for many security tasks - especially cryptography. And yet getting good random numbers is notoriously difficult in practice. Sources of randomness traditionally include “secret” data such as MAC addresses; real-time data such as hard-disk access and click timing; physical sources such as lava lamps, cloud [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a11-kainda.pdf
Ronald Kainda, Ivan Flechais and Andrew William Roscoe
Out-of-band device pairing refers to pairing devices using a channel external to the devices themselves, such as through user interactions. Technical security is achieved by using protocols based on formal proofs and are governed by the quality of the secrets involved. However, the security achieved in practice must [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a10-kobsa.pdf
Alfred Kobsa, Rahim Sonawalla, Gene Tsudik, Ersin Uzun and Yang Wang
Secure device pairing refers to the pairing two or more devices in a manner that can be trusted such that the users pair the devices they believe they are pairing without allowing a malicious third-party to join in the process. Generally this has to be [...]
Discussion session lead by Simson Garfinkel. Free form discussion follows.
(there were other sessions, but as I only attended this one, this is the only one I got to blog)
Simson wants to talk about system constraints rather than usability constraints. In practice, focusing on one at the detriment of the other simply creates an insecurity at [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a9-schechter.pdf
Stuart Schechter and Robert Reeder
What to do when the user forget their password? A common method is to provide security questions. Unfortunately, an initial analysis of the most commonly used security questions found that none were all that great, suffering from either poor memorability or poor security. What about e-mail based recovery? This doesn’t work [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a8-just.pdf
Mike Just and David Aspinall
Challenge questions often serve as part of a password recover mechanism, though are sometimes included along with conventional authentication. For a long time there was little research in this area, but some studies have emerged recently, generally concluding that challenge questions are neither very usable nor secure.
This study sought to [...]
http://cups.cs.cmu.edu/soups/2009/proceedings/a7-deluca.pdf
Alexander De Luca, Martin Denzel and Heinrich Hussmann
Many password entry systems suffer from weakness against attacks where the attacker can view either the keyboard or screen. The proposal is to use eye movements for password entry, building off the findings of EyePassword, Eye Gestures, and PassShapes. The researchers implemented EyePassShapes, in which the user traces [...]