Discussion session lead by Simson Garfinkel. Free form discussion follows.
(there were other sessions, but as I only attended this one, this is the only one I got to blog)
Simson wants to talk about system constraints rather than usability constraints. In practice, focusing on one at the detriment of the other simply creates an insecurity at [...]
OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website. Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it. [...]
Ron Rivest suggests a paper-based voting system called ThreeBallot, which is unusual in that it lets voters verify the integrity of the election from end to end, but doesn’t require computers to do fancy cryptographic operations. Designers of voting schemes have long desired to enable each voter to ascertain with confidence that their ballot [...]
I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords. Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method. And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]
I have an idea about how to solve the phishing problem. Although proposals to solve phishing are not yet as common as proposals to solve spam, there certainly have been quite a few of them, so you would be right to wonder what makes this proposal any different or any more likely to work.
So, [...]
This paper proposes a scheme called Dynamic Security Skins to combat phishing.
Rachna calls phishing the “ultimate SOUPS problem” because phishers and security designers battle in the user interface, because attacks are rapidly evolving, and because it’s a real-world problem. Phishers rapidly iterate on HCI designs, exactly as we are taught to do in HCI, [...]
During the talk on PassPoints, it occurred to me that it might be interesting to combine some of those ideas with user-selected images (inspired by the work on Dynamic Security Skins).
One concern that was mentioned about PassPoints was that the images may guide people to commonly choose the same points, leading to guessable passwords. [...]
This year I attended South by Southwest for the first time and enjoyed meeting lots of interesting folks. During a session about decentralized social networks, the panelists mentioned the problem that bloggers (especially beginning bloggers) sometimes post personal information about themselves in public without realizing the risks. Often they may be unaware of [...]