Archive for the 'General' Category

Lessons Learned From the Deployment of a Smartphone-Based Access-Control System

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p64_bauer.pdf
Grey is a smartphone-based discretionary access-control system developed at CMU that allows for various forms of physical and digital access. The user selects the resource for which to present authorization from the cell phone screen, and the cell phone transmits a credential to the reader guarding the resource. If the user does not directly [...]

Measuring Privacy Loss and the Impact of Privacy Protection in Web Browsing

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p52_krishnamurthy.pdf
Diffusion of private information to third-party sites is a growing issue. Such diffusion occurs without the users' direct knowledge (it is done by the browser). Third-party sites gain knowledge about users (e.g. IP addresses, cookies), and that knowledge allows user access to first-party sites to be aggregated and correlated. The primary goal of this work is to examine techniques [...]

Usability of Anonymous Web Browsing: An Examination of Tor Interfaces and Deployability

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p41_clark.pdf
This paper compares four deployment methods of Tor for Firefox. There are numerous identifiers used while surfing the web, including those that are self-volunteered (pseudonyms, e-mail addresses, etc.), server-assigned identifiers, and protocol-based ones (i.e. the IP address). Tor itself actually only addresses the IP address. Tor is often combined with Vidalia, Privoxy, Torbutton, and/or FoxyProxy.
In most [...]

Tracking Website Data-Collection and Privacy Practices with the iWatch Web Crawler

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p29_jensen.pdf
iWatch is a web crawler that builds a central database of global online data practices. It starts with a seed list of the top 50 websites as reported by Comscore Media Metrix and indexes privacy-related practices including cookies, web bugs, P3P, etc.; post-processing then indexes the data by domain and by country, cross-references lists of privacy seals, fetches [...]

Modeling User Choice in the PassPoints Graphical Password Scheme

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p20_dirik.pdf
More on PassPoints!
Studies on visual attention and eye movements show that most images contain a few portions that humans typically focus on, so-called image “hotspots”. This study seeks to devise a model that enables the prediction of the entropy in a given image. Such a model would enable the design of automatic “dictionary” attacks [...]

Reducing Shoulder-surfing by Using Gaze-based Password Entry

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p13_kumar.pdf
Passwords are generally entered through a keyboard, mouse, touch screen, or keypad. All of these are subject to shoulder surfing. The paper proposes using a gaze-based entry method rather than actually having to enter the password on a keypad, which avoids both shoulder surfing and possibly keystroke logging.
Most approaches to combat shoulder surfing add noise/ambiguity for [...]

A Second Look at the Usability of Click-Based Graphical Passwords

Thursday, July 19th, 2007

Awarded SOUPS 2007 Best Paper
http://cups.cs.cmu.edu/soups/2007/proceedings/p1_chiasson.pdf
PassPoints is a system where the user clicks five points on an image instead of entering a textual password. The original studies were undertaken by Susan Wiedenbeck et al. They found that entry was slower than text but equally memorable and that the smallest acceptable tolerance [...]

Towards Understanding IT Security Professionals and Their Tools

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p100_botta.pdf

This paper seeks to survey how companies in different sectors actually handle security incidents. Thus far they’ve had trouble getting input from outside of academia. They analyzed their results using grounded theory. Their main finding was that security incidents are seldom handled by a single individual, but rather are typically handled by a [...]

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Thursday, July 19th, 2007

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
Researchers proposed an on-line game intended to teach users about phishing. Users were shown 10 URLs before training and another 10 after, and were trained either using the game or other methods of anti-phishing training. The results suggested that people learned about phishing better through using this game than through traditional phishing training techniques.
The paper [...]

Welcome to SOUPS 2007!

Thursday, July 19th, 2007

Hi! If you’re attending SOUPS, please help us blog the sessions, and use this blog for discussing topics related to the presentations and the conference. You can create an account on this site by following this registration link. Enjoy the conference!

Tutorial questions on Zombie computers

Wednesday, July 18th, 2007

There were some questions this morning about “zombie computers”: computers that are infected such that they can be controlled by someone else.
An introductory article can be found on Wikipedia at http://en.wikipedia.org/wiki/Zombie_computer

Disclosure and Voting System Security

Friday, January 12th, 2007

Ben Adida and I worked together with the Samuelson Law, Technology, and Public Policy Clinic to produce a letter to the Minnesota Secretary of State in response to requests that were denied last year due to fears that they might compromise security. The letter argues for more public disclosure of voting system information and [...]