SOUPS 2008: Best Paper Award

July 24, 2008 by Richard Conlan

The second day of SOUPS 2008 opened with the award for Best Paper.

This year’s best paper was selected to be Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification by Philip Inglesant, M. Angela Sasse, David Chadwick, and Lei Lei Shi.

SOUPS 2008 Poster Session

July 23, 2008 by Richard Conlan

The SOUPS 2008 Poster Session took place today from 4:00 - 6:00pm, featuring sixteen new posters and showcasing twelve posters previously shown at other conferences.  Each SOUPS poster is accompanied by at least a 2-page abstract, with some linking to full papers.

SOUPS Poster Abstracts

I was able to photograph many of the posters at high enough resolution that they can be easily read by zooming in a bit.  Unfortunately, not every photo was sharp enough to read so a few posters aren’t included here.

SOUPS Poster Gallery

SOUPS 2008!

July 23, 2008 by Richard Conlan

SOUPS 2008 has begun! 

It kicked off with two parallel workshops:

Workshop on Usable IT Security Management

The Symposium on Accessible Privacy and Security

Pvote: the dissertation

December 22, 2007 by Ping

I have just completed my dissertation, which is available on my website and also in the Berkeley EECS Technical Reports archive.

Here is the abstract:

I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines.  I apply a technique called prerendering to reduce the security-critical, voting-specific software by a factor of 10 to 100 while supporting similar or better usability and accessibility, compared to today’s voting machines.  Smaller and simpler software generally contributes to easier verification and higher confidence.

I demonstrate and validate the prerendering approach by presenting Pvote, a vote-entry program that allows a high degree of freedom in the design of the user interface and supports synchronized audio and video, touchscreen input, and input devices for people with disabilities.  Despite all its capabilities, Pvote is just 460 lines of Python code; thus, it directly addresses the conflict between flexibility and reliability that underlies much of the current controversy over electronic voting.  A security review of Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial code review.  The analysis and design methods I used, including the prerendering technique, are also applicable to other high-assurance software.

Many people contributed to the work.  The more I learned about things that other graduate students have had to deal with, the more I realized how lucky I was to have Dave Wagner and Marti Hearst as advisors — they got back to me quickly, read drafts carefully, and had lots of well-thought-out and constructive comments to offer.  Candy Lopez showed me around the election office in Contra Costa County and patiently explained to me how everything was done in real life.  Noel Runyan and Scott Luebking taught me about accessibility, and I appreciate their advice very much even though the dissertation doesn’t address accessibility as much as it could; the research didn’t include user testing with disabled voters.  Matt Bishop, Ian Goldberg, Yoshi Kohno, Mark Miller, Dan Sandler, and Dan Wallach volunteered a huge amount of time to review my source code.  Joe Hall has been a great help on questions about election law and policy.

California Limits Use of DREs and Adds Security Restrictions on Other Voting Machines

August 4, 2007 by Ping

At midnight, I listened as Debra Bowen announced her official decisions on the use of electronic voting systems for next year’s elections.
I have to say I’m very impressed.  A few highlights:

  • For Diebold and Sequoia, at most one DRE is allowed per polling place, and its results must be audited by 100% manual count.  (Hart DREs and optical scan machines are not subject to this condition.)
  • The ES&S InkaVote Plus is decertified.  It may be recertified conditionally after it is reviewed.

For Diebold, Hart, and Sequoia machines:

  • All software and firmware must be reinstalled on all devices prior to use in the February 5 primary.
  • All tamper-evident seals must be serialized.
  • Members of the public may inspect all external security seals.
  • If a seal is found compromised or a machine must be rebooted to recover from a fatal error, the machine is removed from service and subject to a 100% manual recount.
  • If a machine must be rebooted to recover from a fatal error, the vendor must provide an analysis of the cause of failure.
  • Machine vote tallies must be publicly posted outside every polling place.  A second copy of the tally goes to election HQ.  Every poll worker must sign both copies.
  • No network connections are allowed to any device not directly used and necessary for voting.  No wireless or modem communication by or with any voting equipment is allowed at any time.
  • Vendors must provide a plan to prevent the spread of viruses, at least as effective as the “parallel system” method proposed in the Diebold source code team’s report.  In this method, there are two isolated copies of the election database: a permanent one to prepare the election, and a temporary one just for loading the results, which is then erased after the election.  A separate, isolated computer used for no other purpose is used to erase all storage media after the election.
  • There will be new post-election auditing requirements based on the recommendations of the Post-Election Auditing Standards Working Group.
  • Vendors are now required to provide a full build environment with their source code for escrow.
  • Vendors are responsible for the cost of any upgrade or replacement due to claims of standards-compliance that are found to be false or misleading.

Congratulations, Secretary Bowen!  She must have been under incredible pressure in her position, and what she came up with looks pretty good.

I transcribed the following from Secretary Bowen’s announcement (which was on a noisy conference line):

Let me provide you with a few facts that should put this decision in some perspective.  First, of California’s 58 counties, fewer than half rely solely on direct-recording electronic or DRE machines for elections.  Second, in last November’s election, at least two-thirds of the people who voted in California did so using a paper ballot.  That includes an absentee paper ballot, and voters in that category are rapidly increasing …[?]…  and many use a polling place optical scan.  …[?]…  I certainly don’t want to minimize the impact of this …[?]…  but when you look at how people actually vote in this state, more than two-thirds and probably closer to three-quarters of the 8.9 million people who voted in California last November will not be affected by the DRE …[?]…  that I am …[?]…

Also, Secretary Bowen concluded her announcement by saying:

It is my hope that voting system vendors will, starting tomorrow, begin to evaluate the competitive advantage that could accrue from moving to open source software.

Public Hearing on the Top-to-Bottom Review

August 2, 2007 by Ping

I’m posting audio clips from Monday’s public hearing on California’s Top-to-Bottom Voting Systems Review at http://usablesecurity.com/ttbr/.  So far, the presentation of the accessibility and red team reports and the statements by the vendors (Diebold, Hart, and Sequoia) are posted.

SOUPS 2007 Closing Remarks

July 20, 2007 by Richard Conlan

Alas, here marks the close of SOUPS 2007.  I hope you enjoyed all the posts.  Let’s keep the discussion going!

Don’t forget to add your paper to the HCISEC Bibliography, and to join the HCISEC Yahoo! group if you’re not already a member.

See y’all at SOUPS 2008.

The One Laptop Per Child Security Model

July 20, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf

It is simply the case that a huge number of children in the world have little to no access to a quality education system.  There are people working on building schools and creating infrastructure, but that is no reason not to try to get laptops out there now.  The OLPC laptop is incredibly power efficient and has a pretty decent range of hardware functionality intended for just such a deployment.

Threat model:

  • Software attacks on hardware (such as the hard drive)
  • Attacks on OS integrity
  • User data loss
  • Privacy

These concerns are exacerbated by the fact that the laptops are intended to be open to hacking and exploration.  To protect the system the OLPC project has implemented a security framework named Bitfrost.

Bitfrost design goals

  • Prevent hardware damage
  • Provide software recoverability without lockdown
  • Provide strong, unobtrusive, out-of-the-box security (cannot assume reliable Internet access)

The basic idea behind Bitfrost is to impose container-based virtualization that effectively quarantines the software on the machine so that each app is independent of the others.  The hardware is designed with a hardware latch to protect the BIOS from modification by the OS.  Each container has a token bucket that limits how often it can write to the NAND flash (to combat the fact that flash memory wears out after too many write/erase cycles).  There are hard-wired LEDs for the camera and microphone that authoritatively indicate when each is on or off.  The base OS is never exposed to the user without a special “developer key”; the typical user gets only “copy-on-write” access.  This ensures the child can still customize and experiment with the OS, but can revert to a known good state at any time.
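As an added illustration of the per-container write limiting described above (this is example code, not Bitfrost’s own implementation, and the capacity and refill rate are made-up numbers), here is a token bucket that grants each container its own write budget.  A write spends one token per byte (or per operation, depending on how you cost it); an empty bucket refuses the write, and tokens trickle back at a fixed rate, so a runaway program can burst briefly but cannot keep hammering the flash.  The container names and event trace are constructed for the example.

```python
class TokenBucket:
    """Write budget for one container.

    `capacity` tokens can be spent in a burst; tokens refill at `rate` per second.
    A write that costs more than the tokens available is refused rather than
    queued, which is the simplest policy for protecting wear-limited storage.
    """

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)  # start full so a fresh container may burst
        self.last = None               # timestamp of the last refill

    def _refill(self, now):
        # First call, or clock moved backwards: re-anchor without granting tokens,
        # so a clock rollback cannot be used to mint extra write budget.
        if self.last is None or now < self.last:
            self.last = now
            return
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_consume(self, now, cost=1.0):
        """Return True and spend `cost` tokens if the budget allows, else False."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class FlashWriteLimiter:
    """One independent bucket per container; containers cannot borrow from each other."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}

    def request_write(self, container, now, nbytes=1):
        bucket = self.buckets.setdefault(container, TokenBucket(self.capacity, self.rate))
        return bucket.try_consume(now, cost=nbytes)


def simulate(limiter, events):
    """events: iterable of (timestamp, container, nbytes); returns [(container, allowed), ...]."""
    return [(c, limiter.request_write(c, t, n)) for t, c, n in events]


# Constructed trace: the "journal" container bursts four writes at t=0 against a
# budget of three, then tries three more at t=2 after two tokens have refilled.
CONSTRUCTED_EVENTS = [
    (0.0, "journal", 1), (0.0, "journal", 1), (0.0, "journal", 1), (0.0, "journal", 1),
    (0.0, "camera", 1),
    (2.0, "journal", 1), (2.0, "journal", 1), (2.0, "journal", 1),
]


def demo():
    limiter = FlashWriteLimiter(capacity=3, rate=1.0)
    return simulate(limiter, CONSTRUCTED_EVENTS)


if __name__ == "__main__":
    for container, allowed in demo():
        print(f"{container:8s} {'written' if allowed else 'REFUSED'}")
```

The point the trace makes is that the fourth burst write and the third write after a partial refill are refused while the “camera” container, which has its own bucket, is unaffected by the journal’s misbehaviour.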

Laptops ship from the factory “deactivated” and require an activation key, delivered out of band from the laptops themselves, for initial activation.  This should help ensure that a laptop is not stolen on the way to its destination.  Thereafter the laptop requires daily contact with a “lease” server, or else it locks down until it is reactivated, which should help curtail theft of individual laptops.
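To make the lease mechanism concrete, here is an added example (not Bitfrost’s code; the post does not describe the real lease format or signing scheme) of how a laptop might check a one-day lease at boot.  It assumes an HMAC with a shared secret as a stand-in for the server’s signature so that it runs offline, a made-up serial number, and a persisted “high-water” clock value so that simply winding the system clock back cannot revive an expired lease.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a shared secret stands in for the lease server's signing key so the
# example runs offline; a deployment would verify a public-key signature here.
LEASE_KEY = b"constructed-demo-key"
ONE_DAY = 86400


def issue_lease(serial, issued_at, expires_at, key=LEASE_KEY):
    """Server side: bind a serial number to a validity window and sign it."""
    payload = json.dumps(
        {"serial": serial, "issued_at": issued_at, "expires_at": expires_at},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def check_lease(lease, serial, now, high_water, key=LEASE_KEY):
    """Laptop side: decide 'run' or 'locked'.

    Returns (decision, new_high_water).  `high_water` is the largest time the laptop
    has ever accepted (persisted across boots); any lease it sees is also evidence
    that the clock is at least at its issued_at, so rolling the clock back gains nothing.
    """
    try:
        payload_b64, tag_b64 = lease.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return "locked", high_water                     # malformed lease
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "locked", high_water                     # forged or corrupted lease
    fields = json.loads(payload)
    if fields["serial"] != serial:
        return "locked", high_water                     # lease for a different machine
    effective_now = max(now, high_water, fields["issued_at"])
    if effective_now >= fields["expires_at"]:
        return "locked", effective_now                  # expired: wait for reactivation
    return "run", effective_now


def demo():
    """Constructed scenario: one laptop, one daily lease, several boots."""
    serial = "SHC00000001"  # constructed serial number
    lease = issue_lease(serial, issued_at=1000, expires_at=1000 + ONE_DAY)
    results = {}
    results["fresh"], hw = check_lease(lease, serial, now=1000, high_water=0)
    results["expired"], hw = check_lease(lease, serial, now=1000 + ONE_DAY + 3600, high_water=hw)
    # Attacker winds the clock back to before the lease was issued.
    results["clock_rolled_back"], hw = check_lease(lease, serial, now=500, high_water=hw)
    results["wrong_serial"], _ = check_lease(lease, "SHC00000002", now=1000, high_water=0)
    results["tampered"], _ = check_lease(lease[:-4] + "AAAA", serial, now=1000, high_water=0)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18s} -> {decision}")
```

Only the fresh lease lets the machine run; the expired, rolled-back, wrong-serial and tampered cases all lock it.  The high-water value is what separates this from a naive expiry check: without it, a thief who cannot reach the lease server could keep the laptop alive indefinitely by resetting the clock.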

If you’re interested in seeing the OLPC code: http://dev.laptop.org/

Facemail: Showing Faces of Recipients to Prevent Misdirected Email

July 20, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p122_lieberman.pdf

This study explored user errors related to e-mail, specifically focusing on “Reply All” or unexpected “Reply To” headers sending responses back to the list.  The consequences are usually just embarrassing, but can be serious.  The researchers suggest that even if digitally signed and sealed email becomes widely used, people will still make these errors.  The proposed solution is to display an image of each intended recipient rather than just recipient e-mail addresses.

The study used an extension of Gmail that displays the corresponding recipient photo as an e-mail address is entered.  When the system doesn’t yet have a cached image it searches Google Images, Facebook, etc., to find an image for the address.  The interface makes a very apparent difference between clicking “Reply” and clicking “Reply All”.  The interface was designed to be obvious at a glance, automatic, and scalable.  Facemail is implemented as a Firefox extension, and was used in a “glanceability” study with 84 subjects asked to answer who an e-mail was going to and how many people it was going to after seeing a flash of the mail composition window.  At 1 second Facemail did about as well as normal e-mail address displays, but as the exposure time was shortened the benefit of Facemail became increasingly apparent.

Some risks of this technology are that it may make spoofed addresses more credible, makes message recipients more visible to shoulder-surfing, and may make it harder to lurk on mailing lists.  Some common errors that Facemail does not address are the dangers of public archiving of e-mail, getting the recipient right but sending too much information, and information disclosure outside of e-mail.

An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure

July 20, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p112_conti.pdf

Data gathering and retention is becoming an ever greater part of using the Internet.  Users can choose not to be users, or they can choose to give away their data.  Google was used as an example of such a data gatherer, though it was also mentioned that Google has announced that it will only retain personally identifiable information for 18 months, but many sites have yet to make such assurances.

Goals of research

  • Amount of search activity as well as search engine used
  • Perceptions of privacy
  • Choices made in privacy vs. functionality

Here are some interesting findings from the paper, but the paper has much more detail:

The study involved 352 non-engineering undergraduate students answering a web-based 4-point Likert survey with 25 randomly ordered questions about web usage, search engine privacy, trust of online companies, data retention, and anonymity.  The study found that 92.44% of the students use Google as their primary search engine.  Asked why they chose the search engine they did, only 34% selected 3 or 4 for “It came with my computer”, 89% selected 3 or 4 for “I feel it provides the best search”, and 96% selected 3 or 4 because they felt it was the easiest to use.  Interestingly, only 32% said they chose it because of other products offered by the company.  70.69% indicated they were comfortable with the privacy they have using their preferred search engine.

95% of respondents indicated they had used a search engine to search for their own name at least once, with 82% indicating they had used a search engine to look up contact info for friends and/or colleagues.  There was an even split between the users that would choose perfect search vs. perfect privacy.  The vast majority of results across companies fell between limited trust and reasonable trust.

The study then examined user perception of data retention.  The vast majority of respondents indicated that they understand that data retention is occurring frequently to always, with 38% believing it would be stored for months and 45% believing it would be stored for years or decades.  Interestingly, for the group questions 91% of respondents indicated they hadn’t heard about the August 2006 AOL data disclosure.  Only 22% of users indicated that they believed their search engine usage is anonymous, with 85% saying they don’t know any way to go about doing an anonymous search.

Design for Democracy: Ballot + Election Design

July 20, 2007 by Richard Conlan

Marcia Lausen, http://www.designfordemocracy.org/

Marcia began the talk with a review of the infamous Florida ballot that plagued the US 2000 presidential elections.  She then moved on to demonstrate an almost unbelievably worse ballot from a judicial circuit election in Chicago, which she offered to redesign.  The redesigned ballot was inarguably clearer and easier to understand, raising the question of why interface designers are not more commonly involved in ballot layout.

Information Design :: Legibility vs. Creativity

  1. Mixed-case lettering is more readable than ALL CAPS
  2. Centered type is not the user’s friend
  3. Understand the election hierarchy
  4. Minimize variance in size, type, width, etc., unless strictly necessary to improve understanding
  5. Black type on white is the most legible

The researchers then worked on applying lessons learned to other types of ballots, but ballots are really the tip of the iceberg.  The design principles above were then usefully extended to redesigning voting instructions and manuals for training pollworkers.  Efforts were then expanded to include class participation in design and evaluation of election related envelopes, forms, and other documentation related to the voting experience.  Marcia and her students also got involved in the design of filing cabinets, pollworker trays, and other non-documentation paraphernalia.

Recent efforts have focused on spreading the word about design advancements, encouraging election officials to take interest and get involved, and getting out the vote to normally disenfranchised voters.

SOUPS 2007 Discussion Sessions

July 20, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/program.html#discuss

Have notes from your discussion session that you’d like to share with those that attended one of the other ones?  Post them here!

UW2SP: Usable Web 2.0 Security & Privacy
Moderator: Larry Koved (IBM T.J.  Watson Research Center)

The goal of this discussion session is to establish new collaborations in topics related to usable security for Web 2.0 security and privacy.

Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?
Moderators: Mary Ellen Zurko (IBM) and Maritza Johnson (Columbia University)

This discussion session will consider the relationship between standards and standardization, and usable security and privacy, including where we are today, and where the usable security and privacy community would like to see that relationship go in the future.

One Laptop Per Child Security
Moderator: Ivan Krstic

A paper on Bitfrost, the One Laptop per Child security architecture, is being presented later at SOUPS.  Usability was a crucial concern in the system’s design, and we believe Bitfrost will resist many security problems seen with today’s computers.  In this discussion session, however, we wish to focus on problems that Bitfrost doesn’t solve.  This includes both problems whose solutions were too hard to design or implement and problems that simply don’t have clear solutions, ranging anywhere from child-friendly authentication schemes to comprehensive browser security.