Archive for July, 2008

SOUPS 2009?

Friday, July 25th, 2008

This brings us to the close of SOUPS 2008.  Hope y’all learned something interesting.
SOUPS 2009 will be held from July 15-17, 2009 in Mountain View, CA.

Analyzing Websites for User-Visible Security Design Flaws

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
Media buzz about this paper:
* Information Week: Most Bank Sites Are Insecure
* Slashdot: Most Bank Websites Are Insecure
* Network World: Bank Web sites full of security holes, University of Michigan survey finds
* Ars.Technica: Study: websites of financial institutions insecure [...]

The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p107Werlinger.pdf
This paper sought to examine, as its title suggests, whether IDSs help or hinder incident detection and response.  It was motivated by a discussion group at CHI 2007.
Current IDSs still need human intervention to account for false positives and make use of the results.  The study included 34 interviews with those related to security and [...]

A User Study of Off-the-Record Messaging

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p95Stedman.pdf
Instant messaging has become a common form of communication on the Internet, but most of the available services are not secure.  There are available solutions, such as SecureIM, Pidgin-Encryption, and SILC, but they all have shortcomings compared to OTR (Off-The-Record).
The goal of OTR is to make conversations online as private and secure as face-to-face conversations.  [...]

SOUPS Discussion Forums: Balancing Security, Usability, and Cost

Friday, July 25th, 2008

Notes:
In the design of the web whenever there was a trade-off between usability and security, usability always won.  Worse, those raising the usability issues were often not usability experts, they were just using it as a wedge to get what they wanted.
Usable security should be considered as part of Total Cost of Ownership.  In a [...]

SOUPS Discussion Forums

Friday, July 25th, 2008

SOUPS included four parallel track discussion forums:
http://cups.cs.cmu.edu/soups/2008/program.html#discuss
Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy
Moderator: Eric Offenberg, IBM
Discussion topics will include:
* Understanding how safeguarding customer data protects a company’s bottom line
* Assessing the impact of PCI requirements on retailers, merchants, banks, and other affected corporations.
[...]

Evaluating the Usability of Usage Controls in Electronic Collaboration

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p85Brustoloni.pdf
Electronic collaboration can greatly increase productivity, but there is a risk of liability for information misuse.  The current best practices are to use NDAs, but this can be cumbersome and many potential collaborations just never happen.
The researchers propose that Usage Controls (i.e.  Digital Rights Management) may make collaboration easier and more productive and may even [...]

Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p77Inglesant.pdf
SOUPS 2008 Best Paper Award
In this paper the researchers explored how to make it possible for non-security specialists to express access control rules in formal policy terms.  This is especially important because people often know what rules they want, but do not know how to express them.
Access control is the ability to permit or [...]

Evaluating Assistance of Natural Language Policy Authoring

Friday, July 25th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p65Vaniea.pdf
Websites tend to have an external privacy policy and the internal implementation of that policy.
The researchers have continued their long-running work on SPARCLE, a tool to help author and create policies that are both human- and machine-readable.  This talk is a review and expansion of the features of the Author Policy interface.
The framework allows [...]

Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?

Thursday, July 24th, 2008

Panel Moderator: Mary Ellen Zurko, IBM
Panelists:
* Stuart Schechter, Microsoft
* Phil Hallam-Baker, Verisign
* Jon Callas, PGP
* Tyler Close, HP
The panel started by pointing to Usability Evaluation Considered Harmful, which claims:
- a combination of methods triangulates and enriches discussion of a [...]

Universal Device Pairing using an Auxiliary Device

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p56Saxena.pdf
This research explored how to bootstrap a secure communication channel between two wireless devices when they have no prior association and no trusted third party.  Examples are pairing a WLAN laptop to an access point, or a Bluetooth cellphone and headset.
The proposal is to use an Out-Of-Band channel between the devices created with human perceptible [...]
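As an added illustration of the problem this paper addresses (this is not the authors' protocol and not code from the page, and the page does not describe which human-perceptible medium the auxiliary device uses): a short-authenticated-string (SAS) pairing sketch. Two devices run an unauthenticated Diffie-Hellman exchange over the untrusted wireless link, each derives a short string from the values it sent and received, and the out-of-band channel is modelled as the user (or an auxiliary device that reads both displays) comparing the two strings. Assumptions: a toy DH group (p = 2^255 - 19, generator 2, not a vetted group), a 6-digit SAS, and the message flow and names (Device, run_pairing, mitm_relay) are this example's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, an ASSUMPTION for this demo only: p = 2^255 - 19 with
# generator 2 is not a vetted DH group; a real pairing protocol would use an RFC 3526
# MODP group or an elliptic curve.
P = 2**255 - 19
G = 2
SAS_DIGITS = 6  # length of the short authenticated string the user compares


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (the prefix keeps parts from running together)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")


class Device:
    """One endpoint: an ephemeral DH key pair plus a fresh nonce for this pairing attempt."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)

    def commitment(self) -> bytes:
        # Committing to (pub, nonce) before the peer reveals its values is what stops an
        # attacker from choosing values that make both displayed strings agree.
        return h(i2b(self.pub), self.nonce)

    def shared_key(self, peer_pub: int) -> bytes:
        return h(i2b(pow(peer_pub, self.priv, P)))


def derive_sas(pub_a: int, nonce_a: bytes, pub_b: int, nonce_b: bytes) -> str:
    """Short authenticated string: what each device shows on its display."""
    digest = h(i2b(pub_a), nonce_a, i2b(pub_b), nonce_b)
    return str(int.from_bytes(digest[:8], "big") % 10**SAS_DIGITS).zfill(SAS_DIGITS)


def run_pairing(a: Device, b: Device, relay=None) -> dict:
    """Three in-band messages over the untrusted wireless link, then the OOB comparison.

    relay(step, msg) models the wireless channel; an attacker-controlled relay may
    rewrite any message. Returns each side's view so the OOB check can be evaluated.
    """
    relay = relay or (lambda step, msg: msg)
    # 1. A -> B: commitment to A's public key and nonce.
    commit_seen_by_b = relay(1, a.commitment())
    # 2. B -> A: B's public key and nonce in the clear.
    pub_b_seen_by_a, nonce_b_seen_by_a = relay(2, (b.pub, b.nonce))
    # 3. A -> B: A opens the commitment; B aborts if the opening does not match.
    pub_a_seen_by_b, nonce_a_seen_by_b = relay(3, (a.pub, a.nonce))
    if h(i2b(pub_a_seen_by_b), nonce_a_seen_by_b) != commit_seen_by_b:
        return {"accepted": False, "oob_match": False, "keys_match": False}
    # Each device derives its SAS from its OWN values and what it RECEIVED.
    sas_a = derive_sas(a.pub, a.nonce, pub_b_seen_by_a, nonce_b_seen_by_a)
    sas_b = derive_sas(pub_a_seen_by_b, nonce_a_seen_by_b, b.pub, b.nonce)
    # OOB step: the human (or an auxiliary device reading both displays) compares the
    # two strings over a channel the in-band attacker cannot touch.
    key_a = a.shared_key(pub_b_seen_by_a)
    key_b = b.shared_key(pub_a_seen_by_b)
    return {"accepted": True, "sas_a": sas_a, "sas_b": sas_b,
            "oob_match": sas_a == sas_b, "keys_match": key_a == key_b}


def mitm_relay(mallory: Device):
    """Active attacker who runs the protocol with each side using her own key pair."""
    def relay(step, msg):
        if step == 1:
            # Mallory must commit to her own values before she sees anything from B.
            return mallory.commitment()
        # Steps 2 and 3: substitute her key and nonce in both directions.
        return (mallory.pub, mallory.nonce)
    return relay


if __name__ == "__main__":
    honest = run_pairing(Device("A"), Device("B"))
    print("honest:", honest["sas_a"], honest["sas_b"], "keys match:", honest["keys_match"])
    attacked = run_pairing(Device("A"), Device("B"), relay=mitm_relay(Device("Mallory")))
    print("MITM:  ", attacked["sas_a"], attacked["sas_b"], "keys match:", attacked["keys_match"])
```

In the honest run both displays show the same string and both sides hold the same key; under the man-in-the-middle relay the keys differ and the two strings disagree with probability about 1 - 10^-6, so a user who actually compares them rejects the pairing. The commitment in message 1 matters: without it, Mallory would see both honest devices' values before choosing her own and could search on the order of 10^SAS_DIGITS candidate keys for one whose string matches the other side's display.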

Use Your Illusion: Secure Authentication Usable Anywhere

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p35Hayashi.pdf
This research proposes a graphical login system in which the images presented at login time are highly distorted versions of the images chosen at password creation time.  The user should be able to recognize the distorted version of the picture they originally chose.  That said, there is a trade-off in that as distortion increases the [...]