Archive for July, 2007

SOUPS 2007 Closing Remarks

Friday, July 20th, 2007

Alas, here marks the close of SOUPS 2007.  I hope you enjoyed all the posts.  Let’s keep the discussion going!
Don’t forget to add your paper to the HCISEC Bibliography, and to join the HCISEC Yahoo! group if you’re not already a member.
See y’all at SOUPS 2008.

The One Laptop Per Child Security Model

Friday, July 20th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf
It is simply the case that there is a huge number of children in the world with little to no access to a quality education system.  There are people working on building schools and creating infrastructure, but that is no reason not to try and get laptops out there now.  The OLPC laptop is incredibly [...]

Facemail: Showing Faces of Recipients to Prevent Misdirected Email

Friday, July 20th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p122_lieberman.pdf
This study explored user errors related to e-mail, specifically focusing on “Reply All” or unexpected “Reply To” headers sending responses back to the list.  The consequences are usually just embarrassing, but can be serious.  The researchers suggest that even if digitally signed and sealed email becomes widely used, people will still make these errors.  The [...]

An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure

Friday, July 20th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p112_conti.pdf
Data gathering and retention is becoming an ever greater part of using the Internet.  Users can choose not to be users, or they can choose to give away their data.  Google was used as an example of such a data gatherer, though it was also mentioned that Google has announced that it will only retain [...]

Design for Democracy: Ballot + Election Design

Friday, July 20th, 2007

Marcia Lausen, http://www.designfordemocracy.org/
Marcia began the talk with a review of the infamous Florida ballot that plagued the US 2000 presidential elections.  She then moved on to demonstrate an almost unbelievably worse ballot from a judicial circuit election in Chicago, which she offered to redesign.  The redesigned ballot was inarguably clearer and easier to understand, raising [...]

SOUPS 2007 Discussion Sessions

Friday, July 20th, 2007

http://cups.cs.cmu.edu/soups/2007/program.html#discuss

Have notes from your discussion session that you’d like to share w/ those that attended one of the other ones?  Post them here!
UW2SP: Usable Web 2.0 Security & Privacy
Moderator: Larry Koved (IBM T.J. Watson Research Center)
The goal of this discussion session is to establish new collaborations in topics related to usable security for Web 2.0 [...]

Improving Security Decisions with Polymorphic and Audited Dialogs

Friday, July 20th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p76_brustoloni.pdf
Users not only ignore dialogs, but will lie to them if doing so is necessary to achieve the desired behavior.  This research employs polymorphic dialogs that change each time to keep the user from learning/giving automatic answers.  Polymorphic dialogs deliberately vary the dialog such that the consequence of automatic answers becomes unpredictable and thus requires [...]

Multi-factor Authentication for Online Banking: Security or Snake Oil?

Thursday, July 19th, 2007

Introduction
Steven Myers
Historically, most online banking was done with a password (single-factor authentication), with the password communicated over an SSL/TLS-secured channel.  Unfortunately, this system is vulnerable to phishing.  The FDIC and FFIEC required that all banks have “enhanced” login by the end of 2006.  Most banks took this to mean two-factor authentication.
SSL is simply not understood by users, [...]

Lessons Learned From the Deployment of a Smartphone-Based Access-Control System

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p64_bauer.pdf
Grey is a smartphone-based discretionary access-control system developed at CMU which allows for various forms of physical and digital access.  The user can select the resource for which to present authorization from the cell phone screen, and the cell phone transmits a credential to the reader guarding the resource.  If the user does not directly [...]

Measuring Privacy Loss and the Impact of Privacy Protection in Web Browsing

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p52_krishnamurthy.pdf
Diffusion of private information to third-party sites is a growing issue.  Such diffusion occurs without the direct knowledge of users (it is done by the browser).  Third-party sites gain knowledge about users (e.g. IP addresses, cookies), and that knowledge allows a user’s accesses to first-party sites to be aggregated and correlated.  The primary goal of this work is to examine techniques [...]

Usability of Anonymous Web Browsing: An Examination of Tor Interfaces and Deployability

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p41_clark.pdf
This paper compares four deployment methods of Tor for Firefox.  There are numerous identifiers used while surfing the web, including those that are self-volunteered (pseudonyms, e-mail addresses, etc.), server-assigned identifiers, and protocol-based ones (i.e. the IP address).  Tor itself actually only addresses the IP address.  Tor is often combined with Vidalia, Privoxy, Torbutton, and/or FoxyProxy.
In most [...]

Tracking Website Data-Collection and Privacy Practices with the iWatch Web Crawler

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p29_jensen.pdf
iWatch is a web crawler which builds a central database of global online data practices.  It starts with a seed list of the top 50 websites as reported by Comscore Media Metrix and indexes privacy-related practices including cookies, web bugs, P3P, etc., while post-processing indexes data by domain and by country, cross-references lists of privacy seals, fetches [...]