Archive for July, 2005

Challenges: Simon Says

Saturday, July 23rd, 2005

Time for another challenge.  Today, I’d like to describe what I call the “Simon Says” problem.
A Simon Says problem occurs when the safe course of action requires the user to respond to the absence of a stimulus.

Challenges: Obedience to Authority

Tuesday, July 19th, 2005

From time to time, I’ll highlight some of the special challenges faced by designers of usable security.  Let’s start with a fairly obvious problem that’s often exploited in security attacks on people:
The “Obedience to Authority” problem occurs when the safe course of action requires the user to reject or contravene an apparently authoritative command.
“Obedience [...]

We’re Not Alone

Monday, July 18th, 2005

Hurrah!  There is another blog out there on security and usability.  (And by another Canadian, to boot.) Thanks for dropping by; I look forward to reading more and hope we can have some interesting and productive discussions.

When User Studies Attack

Friday, July 8th, 2005

71% of office workers stopped in the London Underground seemed willing to give their password in exchange for a chocolate bar, but we don’t know if those passwords were real.  MailFrontier ran an online phishing IQ test, but it’s not externally valid because the user has the wrong primary task.
Rob Miller highlighted three challenges [...]

Social Navigation

Friday, July 8th, 2005

This talk discussed the effects of social indicators, such as crowds, empty spaces, or traces left behind by the presence of people, on users’ security decisions.  Sometimes people follow the norm they observe, and sometimes they intentionally avoid the popular choice.  Inspired by an earlier study demonstrating that users unintentionally shared sensitive files [...]

Attacking Information Visualization Systems

Friday, July 8th, 2005

This paper talks about ways that data can be engineered to defeat information visualization tools that administrators may be using.  The speaker, Greg Conti, showed us a visualization tool for IP packets called rumint that he’s developing for use at DEFCON.

Dynamic Security Skins

Friday, July 8th, 2005

This paper proposes a scheme called Dynamic Security Skins to combat phishing.
Rachna calls phishing the “ultimate SOUPS problem” because phishers and security designers battle in the user interface, because attacks are rapidly evolving, and because it’s a real-world problem.  Phishers rapidly iterate on HCI designs, exactly as we are taught to do in HCI, [...]

Usability of Security Administration

Friday, July 8th, 2005

This morning’s panel compared the design of usable security for end users and for security administrators.  Kosta Beznosov introduced the panel and raised the question of the boundary between users and administrators: what about systems where users are responsible for some amount of self-administration?  Mary Ellen Zurko extended the comparison to three groups: [...]

The HCISEC mailing list

Thursday, July 7th, 2005

There is a YahooGroups mailing list for people interested in HCI and security issues.
Information can be found at http://groups.yahoo.com/group/hcisec/

Should Grandma be on the Internet?

Thursday, July 7th, 2005

I spent quite a few years building early community access systems and conducting public training sessions about the wonders of the Internet (see the National Capital FreeNet).
With today’s serious problems that we have been discussing, including viruses, spyware, trojans, phishing, browser hijacking, etc., I am left wondering if, at least for the time being, my [...]

User-Selected PassPoints Images

Thursday, July 7th, 2005

During the talk on PassPoints, it occurred to me that it might be interesting to combine some of those ideas with user-selected images (inspired by the work on Dynamic Security Skins).
One concern that was mentioned about PassPoints was that the images may guide people to commonly choose the same points, leading to guessable passwords.  [...]

Privacy Guidelines for Location Disclosure

Thursday, July 7th, 2005

This paper describes a study that tested how and when people chose to reveal their location information using a mobile phone.  From time to time users would receive messages requesting their location and they could choose how and whether to reply.  The phone also offered automatic disclosure functions (to periodically send location information [...]