<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/abc" -->
<rss version="0.92">
<channel>
	<title>Usable Security</title>
	<link>http://usablesecurity.com</link>
	<description>Every system has a user.</description>
	<lastBuildDate>Mon, 28 Jul 2008 12:40:30 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>SOUPS 2009?</title>
		<description>This brings us to the close of SOUPS 2008. Hope y'all learned something interesting.

SOUPS 2009 will be held from July 15-17, 2009 in Mountain View, CA. </description>
		<link>http://usablesecurity.com/2008/07/25/soups-2009/</link>
			</item>
	<item>
		<title>Analyzing Websites for User-Visible Security Design Flaws</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

Media buzz about this paper:
    * Information Week: Most Bank Sites Are Insecure
    * Slashdot: Most Bank Websites Are Insecure
    * Network World: Bank Web sites full of security holes, University of Michigan survey finds
    * Ars.Technica: Study: ...</description>
		<link>http://usablesecurity.com/2008/07/25/analyzing-websites-for-user-visible-security-design-flaws/</link>
			</item>
	<item>
		<title>The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p107Werlinger.pdf

This paper sought to examine, as its title suggests, whether IDSs help or hinder incident detection and response. It was motivated by a discussion group at CHI 2007.

Current IDSs still need human intervention to account for false positives and make use of the results. The study included 34 interviews with ...</description>
		<link>http://usablesecurity.com/2008/07/25/the-challenges-of-using-an-intrusion-detection-system-is-it-worth-the-effort/</link>
			</item>
	<item>
		<title>A User Study of Off-the-Record Messaging</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p95Stedman.pdf

Instant messaging has become a common form of communication on the Internet, but most of the available services are not secure. Other solutions exist, such as SecureIM, Pidgin-Encryption, and SILC, but they all have shortcomings compared to OTR (Off-The-Record).

The goal of OTR is to make conversations online as private ...</description>
		<link>http://usablesecurity.com/2008/07/25/a-user-study-of-off-the-record-messaging/</link>
			</item>
	<item>
		<title>SOUPS Discussion Forums: Balancing Security, Usability, and Cost</title>
		<description>Notes:

In the design of the web whenever there was a trade-off between usability and security, usability always won. Worse, those raising the usability issues were often not usability experts, they were just using it as a wedge to get what they wanted.

Usable security should be considered as part of Total ...</description>
		<link>http://usablesecurity.com/2008/07/25/soups-discussion-forums-balancing-security-usability-and-cost/</link>
			</item>
	<item>
		<title>SOUPS Discussion Forums</title>
		<description>SOUPS included four parallel track discussion forums: 
http://cups.cs.cmu.edu/soups/2008/program.html#discuss

Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy
Moderator: Eric Offenberg, IBM

Discussion topics will include:

    * Understanding how safeguarding customer data protects a company's bottom line
    * Assessing the impact of PCI requirements on retailers, merchants, ...</description>
		<link>http://usablesecurity.com/2008/07/25/soups-discussion-forums/</link>
			</item>
	<item>
		<title>Evaluating the Usability of Usage Controls in Electronic Collaboration</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p85Brustoloni.pdf

Electronic collaboration can greatly increase productivity, but there is a risk of liability for information misuse. The current best practice is to use NDAs, but this can be cumbersome, and many potential collaborations simply never happen.

The researchers propose that Usage Controls (i.e. Digital Rights Management) may make collaboration easier and ...</description>
		<link>http://usablesecurity.com/2008/07/25/evaluating-the-usability-of-usage-controls-in-electronic-collaboration/</link>
			</item>
	<item>
		<title>Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p77Inglesant.pdf

SOUPS 2008 Best Paper Award

In this paper the researchers explored how to enable non-security specialists to express access control rules in formal policy terms. This is especially important because people often know what rules they want but don't know how to express them.

Access control is ...</description>
		<link>http://usablesecurity.com/2008/07/25/expressions-of-expertness-the-virtuous-circle-of-natural-language-for-access-control-policy-specification/</link>
			</item>
	<item>
		<title>Evaluating Assistance of Natural Language Policy Authoring</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p65Vaniea.pdf

Websites tend to have an external privacy policy and the internal implementation of that policy.

The researchers have continued their long-running work on SPARCLE, a tool to help author and create policies that are both human- and machine-readable. This talk is a review and expansion of the features of the ...</description>
		<link>http://usablesecurity.com/2008/07/25/evaluating-assistance-of-natural-language-policy-authoring/</link>
			</item>
	<item>
		<title>Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?</title>
		<description>Panel Moderator: Mary Ellen Zurko, IBM

Panelists:

    * Stuart Schechter, Microsoft
    * Phil Hallam-Baker, Verisign
    * Jon Callas, PGP
    * Tyler Close, HP

The panel started by pointing to Usability Evaluation Considered Harmful, which claims:

- a combination of methods triangulates ...</description>
		<link>http://usablesecurity.com/2008/07/24/testing-for-usable-security-what-relationship-if-any-does-it-have-to-product-design/</link>
			</item>
	<item>
		<title>Universal Device Pairing using an Auxiliary Device</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p56Saxena.pdf

This research explored how to bootstrap a secure communication channel between two wireless devices when they have no prior association and no trusted third party. Examples are pairing a WLAN laptop to an access point, or a Bluetooth cellphone and headset.

The proposal is to use an Out-Of-Band channel between the ...</description>
		<link>http://usablesecurity.com/2008/07/24/universal-device-pairing-using-an-auxiliary-device/</link>
			</item>
	<item>
		<title>Use Your Illusion: Secure Authentication Usable Anywhere</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p35Hayashi.pdf

This research proposes a graphical login system in which the images presented at login time are highly distorted versions of the images chosen at password creation time. The user should be able to recognize the distorted version of the picture they originally chose. That said, there is a trade-off in ...</description>
		<link>http://usablesecurity.com/2008/07/24/use-your-illusion-secure-authentication-usable-anywhere/</link>
			</item>
	<item>
		<title>Usability of CAPTCHAs Or &#8220;usability issues in CAPTCHA design&#8221;</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p44Yan.pdf

CAPTCHAs were originally invented at CMU. The goal of a CAPTCHA is to allow humans through but block automated scripts. They are now widely deployed as a method of preventing spam.

Text-based schemes typically require the user to complete a text-recognition task. Some sites offer a sound-based scheme, typically for ...</description>
		<link>http://usablesecurity.com/2008/07/24/usability-of-captchas-or-usability-issues-in-captcha-design/</link>
			</item>
	<item>
		<title>Securing Passfaces for Description</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p24Dunphy.pdf

Passfaces is a commercial graphical password system where the password is a sequence of face images. This leverages the fact that humans are typically rather good at facial recognition. Another supposed motivation of Passfaces is that it is hard to write down your password to share, but is it? Often ...</description>
		<link>http://usablesecurity.com/2008/07/24/securing-passfaces-for-description/</link>
			</item>
	<item>
		<title>Personal Knowledge Questions for Fallback Authentication</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf

Security questions aren't always bad...though they often are. But, the bad news is, they are getting worse. A secret security question asks for a secret fact. A personal security question asks about something meaningful to the user, but that they are willing to share. Unfortunately, if users are willing to ...</description>
		<link>http://usablesecurity.com/2008/07/24/personal-knowledge-questions-for-fallback-authentication/</link>
			</item>
	<item>
		<title>Improving Text Passwords Through Persuasion</title>
		<description>http://cups.cs.cmu.edu/soups/2008/proceedings/p1Forget.pdf

The research explored a novel password selection strategy in which subjects would enter a password and have random characters shuffled in to add security to the password. The researchers explored different methods of selecting and placing the characters.

The goal is not only to help users choose better passwords, but also ...</description>
		<link>http://usablesecurity.com/2008/07/24/improving-text-passwords-through-persuasion/</link>
			</item>
	<item>
		<title>SOUPS 2008: Best Paper Award</title>
		<description>The second day of SOUPS 2008 opened with the award for Best Paper.

This year's best paper was selected to be Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification by Philip Inglesant, M. Angela Sasse, David Chadwick, and Lei Lei Shi. </description>
		<link>http://usablesecurity.com/2008/07/24/soups-2008-best-paper-award/</link>
			</item>
	<item>
		<title>SOUPS 2008 Poster Session</title>
		<description>The SOUPS 2008 Poster Session took place today from 4:00 - 6:00pm, featuring sixteen new posters and showcasing twelve poster previously shown at other conferences. Each SOUPS poster is accompanied by at least a 2-page abstract, with some linking to full papers.

SOUPS Poster Abstracts

I was able to photograph many of ...</description>
		<link>http://usablesecurity.com/2008/07/23/soups-2008-poster-session/</link>
			</item>
	<item>
		<title>SOUPS 2008!</title>
		<description>SOUPS 2008 has begun! 

It kicked off with two parallel workshops:

Workshop on Usable IT Security Management

The Symposium on Accessible Privacy and Security </description>
		<link>http://usablesecurity.com/2008/07/23/soups-2008-2/</link>
			</item>
	<item>
		<title>Pvote: the dissertation</title>
		<description>I have just completed my dissertation, which is available on my website and also in the Berkeley EECS Technical Reports archive.

Here is the abstract: I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software ...</description>
		<link>http://usablesecurity.com/2007/12/22/pvote-the-dissertation/</link>
			</item>
</channel>
</rss>
