Comments on: Challenges: Simon Says http://usablesecurity.com/?p=45 Every system has a user. Mon, 06 Sep 2010 09:20:03 +0000 http://wordpress.org/?v=abc By: Ping http://usablesecurity.com/?p=45#comment-175 Ping Tue, 09 Aug 2005 03:14:40 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-175 <blockquote>Once you can define it you can code it and build it into the system that the wrong ones aren’t allowed to work at all.</blockquote> Right. If it's possible to detect a situation that is definitely an attack, then the software can simply prohibit it. The trickier problems have to do with things like SSL, where encryption is safer but (as you pointed out) it's not currently practical to expect every website to use encryption. <blockquote>And petnames, while a good idea, still need to rely on some form of central, unique identifier (like DNS) which can be attacked.</blockquote> No, they don't. Petnames are labels for unforgeable keys. No central coordination is necessary to use petnames.

Once you can define it you can code it and build it into the system that the wrong ones aren’t allowed to work at all.

Right. If it’s possible to detect a situation that is definitely an attack, then the software can simply prohibit it. The trickier problems have to do with things like SSL, where encryption is safer but (as you pointed out) it’s not currently practical to expect every website to use encryption.

And petnames, while a good idea, still need to rely on some form of central, unique identifier (like DNS) which can be attacked.

No, they don’t. Petnames are labels for unforgeable keys. No central coordination is necessary to use petnames.

]]> By: Stu http://usablesecurity.com/?p=45#comment-162 Stu Fri, 29 Jul 2005 00:21:19 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-162 Its a nice idea, but is missing one clear consequence - the only way possible to make encryption/authenication the norm is to make it easy to get. If its easy to get then the bad guys can easily get it and there is no difference noticable to the average user. Cost is far less of an issue for sellers than ease of use, and for customers cost isn't an issue at all so all they see is how easy/hard it is to use and make a decision based on that. What about all the random webpages about someones pet cat or last holiday photos - are you expecting these to be encrypted and authenticated too??? These make up far more of the www than corporate sites. "A better strategy might be to always show some type of indicator and have it look obviously right when things are right and obviously wrong when things are wrong." I'd suggest that being able to define what is "obviously wrong" and what is "obviously right" (with nothing missed out in the middle) is far more important than how you display it to the user. Once you can define it you can code it and build it into the system that the wrong ones aren't allowed to work at all. And petnames, while a good idea, still need to rely on some form of central, unique identifier (like DNS) which can be attacked. Its a nice idea, but is missing one clear consequence - the only way possible to make encryption/authenication the norm is to make it easy to get. If its easy to get then the bad guys can easily get it and there is no difference noticable to the average user. Cost is far less of an issue for sellers than ease of use, and for customers cost isn’t an issue at all so all they see is how easy/hard it is to use and make a decision based on that.
What about all the random webpages about someones pet cat or last holiday photos - are you expecting these to be encrypted and authenticated too??? These make up far more of the www than corporate sites.

“A better strategy might be to always show some type of indicator and have it look obviously right when things are right and obviously wrong when things are wrong.” I’d suggest that being able to define what is “obviously wrong” and what is “obviously right” (with nothing missed out in the middle) is far more important than how you display it to the user. Once you can define it you can code it and build it into the system that the wrong ones aren’t allowed to work at all.

And petnames, while a good idea, still need to rely on some form of central, unique identifier (like DNS) which can be attacked.

]]> By: Ryan http://usablesecurity.com/?p=45#comment-157 Ryan Sun, 24 Jul 2005 22:57:22 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-157 I think the real issue is that people rely on the DNS for solving the identity problem. Petnames, directories (I think Cameron's work is probably relevant here) and the ultimate elimination of the DNS will solve this problem. Once we have a petname-only world, we have a solution that satisfies your criteria of showing some type of indicator that is obviously right or wrong. Of course that depends on one's definition of right and wrong. I'm assuming that a Petname is about as right as you can get, and the absence of a petname is about as wrong as you can get (at least, for humans). In terms of your own work, it comes down to the principle of least surprise: "is the site I'm looking at the one *I* *named* in that label?" Petnames all but guarantee this to be case. DNS cannot, but people assume it can, and are frequently surprised when DNS does not meet expectations. I think the real issue is that people rely on the DNS for solving the identity problem. Petnames, directories (I think Cameron’s work is probably relevant here) and the ultimate elimination of the DNS will solve this problem.

Once we have a petname-only world, we have a solution that satisfies your criteria of showing some type of indicator that is obviously right or wrong. Of course that depends on one’s definition of right and wrong. I’m assuming that a Petname is about as right as you can get, and the absence of a petname is about as wrong as you can get (at least, for humans).

In terms of your own work, it comes down to the principle of least surprise: “is the site I’m looking at the one *I* *named* in that label?” Petnames all but guarantee this to be case. DNS cannot, but people assume it can, and are frequently surprised when DNS does not meet expectations.

]]> By: Ping http://usablesecurity.com/?p=45#comment-152 Ping Sun, 24 Jul 2005 05:07:38 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-152 It can, but i claim it's a terrible way to convey information to humans. It can, but i claim it’s a terrible way to convey information to humans.

]]> By: coderman http://usablesecurity.com/?p=45#comment-151 coderman Sun, 24 Jul 2005 02:39:26 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-151 <i>Is a Simon Says problem solved simply by inverting the sense of the indicator? Sometimes, but it might not be that easy. For example, if browsers showed a lack-of-encryption indicator instead of an encryption-present indicator, that would probably be an improvement. But since (at least for now), most web sessions are not encrypted, the lack-of-encryption indicator would be on most of the time.</i> the only robust solution is to make encryption and authentication the norm as you suggest; any deviation from that would be considered an exceptional and rare event. this is Hard (tm) - changing long familiar user behavior. the processing cost of encryption is now close to negligable: VIA's C5P core can process 1,832,151,000 bytes of AES ECB / sec (half that for CBC) for instance. [this is also less susceptible to side channel attacks like cache timing and power usage] the expensive and most vulnerable step in the process will be key distribution for trusted parties - i'm not sure how identity management would be implemented for a process and large and varied as software development and distribution. microsoft released something interesting recently: <a href="http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.html" rel="nofollow">www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.html</a> "The Laws of Identity" the inclusion of "Directed Identity" is interesting and probably relevant. Is a Simon Says problem solved simply by inverting the sense of the indicator? Sometimes, but it might not be that easy. For example, if browsers showed a lack-of-encryption indicator instead of an encryption-present indicator, that would probably be an improvement. But since (at least for now), most web sessions are not encrypted, the lack-of-encryption indicator would be on most of the time.

the only robust solution is to make encryption and authentication the norm as you suggest; any deviation from that would be considered an exceptional and rare event. this is Hard ™ - changing long familiar user behavior.

the processing cost of encryption is now close to negligable: VIA’s C5P core can process 1,832,151,000 bytes of AES ECB / sec (half that for CBC) for instance. [this is also less susceptible to side channel attacks like cache timing and power usage]

the expensive and most vulnerable step in the process will be key distribution for trusted parties - i’m not sure how identity management would be implemented for a process and large and varied as software development and distribution.

microsoft released something interesting recently:
http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.html
“The Laws of Identity”

the inclusion of “Directed Identity” is interesting and probably relevant.

]]> By: SOAPbox http://usablesecurity.com/?p=45#comment-150 SOAPbox Sun, 24 Jul 2005 01:03:11 +0000 http://usablesecurity.com/2005/07/16/simon-says/#comment-150 <strong>Nothing Causes Action</strong> Gregory Bateson pointed out long ago that Nothing can be a cause. So the non-arrival of a message may convey significant information. (As Bateson puts it, it is "a difference that makes a difference".) Nothing Causes Action

Gregory Bateson pointed out long ago that Nothing can be a cause. So the non-arrival of a message may convey significant information. (As Bateson puts it, it is “a difference that makes a difference”.)

]]>