SOUPS 2008!
Wednesday, July 23rd, 2008
SOUPS 2008 has begun!
It kicked off with two parallel workshops:
Workshop on Usable IT Security Management
The Symposium on Accessible Privacy and Security
I have just completed my dissertation, which is available on my website and also in the Berkeley EECS Technical Reports archive.
Here is the abstract:
I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines. I [...]
At midnight, I listened as Debra Bowen announced her official decisions on the use of electronic voting systems for next year’s elections.
I have to say I’m very impressed. A few highlights:
For Diebold and Sequoia, at most one DRE is allowed per polling place, and its results must be audited by [...]
I’m posting audio clips from Monday’s public hearing on California’s Top-to-Bottom Voting Systems Review at http://usablesecurity.com/ttbr/. So far, the presentation of the accessibility and red team reports and the statements by the vendors (Diebold, Hart, and Sequoia) are posted.
Alas, here marks the close of SOUPS 2007. I hope you enjoyed all the posts. Let’s keep the discussion going!
Don’t forget to add your paper to the HCISEC Bibliography, and to join the HCISEC Yahoo! group if you’re not already a member.
See y’all at SOUPS 2008.
http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf
It is simply the case that there is a huge number of children in the world with little to no access to a quality education system. There are people working on building schools and creating infrastructure, but that is no reason not to try and get laptops out there now. The OLPC laptop is incredibly [...]
http://cups.cs.cmu.edu/soups/2007/proceedings/p122_lieberman.pdf
This study explored user errors related to e-mail, specifically focusing on “Reply All” or unexpected “Reply To” headers sending responses back to the list. The consequences are usually just embarrassing, but can be serious. The researchers suggest that even if digitally signed and sealed email becomes widely used, people will still make these errors. The [...]
http://cups.cs.cmu.edu/soups/2007/proceedings/p112_conti.pdf
Data gathering and retention is becoming an ever greater part of using the Internet. Users can choose not to be users, or they can choose to give away their data. Google was used as an example of such a data gatherer, though it was also mentioned that Google has announced that it will only retain [...]
Marcia Lausen, http://www.designfordemocracy.org/
Marcia began the talk with a review of the infamous Florida ballot that plagued the US 2000 presidential elections. She then moved on to demonstrate an almost unbelievably worse ballot from a judicial circuit election in Chicago, which she offered to redesign. The redesigned ballot was inarguably clearer and easier to understand, raising [...]
http://cups.cs.cmu.edu/soups/2007/program.html#discuss
Have notes from your discussion session that you’d like to share w/ those that attended one of the other ones? Post them here!
UW2SP: Usable Web 2.0 Security & Privacy
Moderator: Larry Koved (IBM T.J. Watson Research Center)
The goal of this discussion session is to establish new collaborations in topics related to usable security for Web 2.0 [...]
http://cups.cs.cmu.edu/soups/2007/proceedings/p76_brustoloni.pdf
Users not only ignore dialogs, but will lie to them if doing so is necessary to achieve the desired behavior. This research employs polymorphic dialogs that change each time to keep the user from learning/giving automatic answers. Polymorphic dialogs deliberately vary the dialog such that the consequence of automatic answers becomes unpredictable and thus requires [...]
Introduction
Steven Myers
Historically, most online banking has been done with a password (single-factor authentication), with the password communicated over an SSL/TLS-secured channel. Unfortunately, this system is vulnerable to phishing. The FDIC and FFIEC required that all banks have “enhanced” login by the end of 2006. Most banks took this to mean two-factor authentication.
SSL is simply not understood by users, [...]