Archive for July, 2006

Avoiding interface lag when using Camtasia

Friday, July 14th, 2006

A couple of people mentioned lag problems in using Camtasia for recording usability test sessions.  The symptom is that the interface-under-test slows down because of the overhead caused by the simultaneous Camtasia recording processes.
One solution that has worked for us is to use VNC (Virtual Network Computing) and Camtasia on two computers.  The subject’s computer [...]

Things to Do in Pittsburgh

Friday, July 14th, 2006

If you’re staying around in Pittsburgh and looking for stuff to do, check out the “Fun Things” link on the right, contributed by Cynthia Kuo.  Have a good time!

An Idea: Upending the Password Strength Problem

Friday, July 14th, 2006

I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords.  Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method.  And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]

Discussion on Pass-Algorithms

Friday, July 14th, 2006

William Cheswick, Lumeta Corporation
Passwords can be sniffed
• One-time passwords defeat this
• Traditionally done with hardware (e.g. securecard keys)
• Works for high-security areas
  o Doesn’t work for banks
• Can we do this without hardware?
  o Human-computed response to challenge
  o It would be nice if Joe Sixpack could do this
  o Don’t allow dictionary attacks
• Even 4-digit PINs
• Text-based challenge-response
  o Obfuscation in challenges
  o User can type in junk – only a portion [...]

Teaching Usable Privacy and Security

Friday, July 14th, 2006

Moderators: Lorrie Cranor and Jason Hong, CMU
Participants of this breakout session (about 20) are mostly teachers and graduate students.  They have either taught or are planning to teach HCI and security courses, and wonder how to combine these two worlds.  The students are interested in learning about such a course.
Jason started the [...]

Jennifer Rode, Carolina Johansson, Paul DiGioia, Roberto Silva Filho, Kari Nies, David Nguyen, Jie Ren, Paul Dourish, and David Redmiles: Seeing Further

Friday, July 14th, 2006

Read the paper here.
The authors describe three design principles: dynamic visualization of system activity, integration of configuration and action, and event-based architectures.
The system they studied is Impromptu, a file-sharing system where users can move coloured dots representing their files on a shared pie-shaped area.  A sector of the pie belongs to each user, and [...]

Julia Gideon, Serge Egelman, Lorrie Faith Cranor, and Alessandro Acquisti: Power Strips, Prophylactics, and Privacy, Oh My!

Friday, July 14th, 2006

Read the paper here.
The authors studied Privacy Finder, a search engine whose result lists are enhanced with privacy information from websites’ P3P policies.  Their study investigated whether this additional privacy information would affect user behaviour.
Participants in the user study were asked to shop online for two products: first, a six-outlet surge protector, and second, [...]

Policy Management discussion session - Summary and transcript

Friday, July 14th, 2006

DISCUSSION SESSION
Policy Management: A Central Theme for Usable Privacy and Security Systems
Moderator: John Karat, IBM T.J.  Watson Research Center
Twenty-five people jammed CIC 2201, a conference room intended for 12, in a session that turned out to be much more popular than anticipated.  It is somewhat surprising that so many SOUPS attendees showed [...]

Richard Newman, Sherman Gavette, Larry Yonge, and Ross Anderson: Protecting Powerline Communications

Friday, July 14th, 2006

Read the paper here.
Since homes have lots of power outlets already installed, a network that could run over the power lines would be very convenient, but needs to be secured — for example, against leaking communication over shared power lines in neighbouring houses or apartments.  So the system needs to support multiple virtual networks, [...]

Paul Karger: Privacy and Security Analysis of the Federal Employee Personal Identification and Verification Program

Friday, July 14th, 2006

Read the paper here.
In August 2004, Homeland Security Presidential Directive 12 (HSPD 12) established a government-wide standard for identifying federal employees and contractors, primarily for access to federal buildings.
NIST developed FIPS 201 in response, defining two types of cards: PIV I (for quick deployment at individual agencies) and PIV II (for inter-agency use).
HSPD 12 had a requirement for [...]

Bill Cheswick: Johnny Can Obfuscate (Discussion)

Friday, July 14th, 2006

Bill suggested that logins could be strengthened against attacking eavesdroppers by using a challenge-response login simple enough to calculate in your head.  Your secret might be an algorithm like “count the number of vowels in the challenge, add the third digit that appears in the challenge, and use the sum modulo 10 as the [...]

Min Wu, Robert C. Miller, and Greg Little: Web Wallet

Friday, July 14th, 2006

Read the paper here.
Phishing is a semantic attack: it exploits the gap between the user’s intentions and the system’s operation (in particular when submitting data).  The key factors are: what is the data, and where will it go?
The Web Wallet is a browser sidebar that users open by pressing a secure attention key (F2).  [...]