Program

I am (well, was by the time I finished editing this) currently at the Security and Human Behaviour conference at CMU in Pittsburgh. Here are my live notes from the presentations.

Day 1

Deception and Fraud I

Frank Stajano

Pico, a proposal for a password replacement system.

Users hate passwords for perfectly legitimate usability reasons.

They also have significant other vulnerabilities.

A possible 20-year fix to gradually replace passwords, not looking for backwards compatibility.

Get rid of memorized items.

Scalable to thousands of verifiers.

More secure (technically) than passwords.

Shift the something you know to something you have.

A QR code next to the uid/pwd request, read by a camera on the Pico, represents the app’s public key.

Initial visual comms from app to pico, followed by two way radio comms.

Two choices: set up new ID or send existing creds.

What about loss of a Pico? Backup, plus Pico-siblings embedded in earrings, belt, watch, etc. Some or all required nearby for the Pico to operate. Near field comms provides location-based access restrictions. Cloning of own backed-up data possible.

Patents-free, royalty-free, just acknowledge.

Matt Blaze

Matt requested no blogging.

Peter Robinson

The problems of measuring human behaviour. The use of affect (emotions) in user behaviour. Channels for communicating mental state: face, voice, posture, gesture.

Some complex cognitive states require multiple seconds of moving images instead of just a single still photo to recognize.

Acting is hard, but possible – results from a session where a researcher was acting agreement, but demonstrated distraction, interest etc.

Many expressions are cross-cultural, but there is a significant difference between acting and real behaviour.

Voice has many characteristics, and different pair-wise comparisons using multiple factors are necessary to generate analysis.

Now using the Kinect for posture analysis.

Can we detect cognitive overload in drivers, for example? Grand Theft Auto is a much better virtual reality than the commercial ($10k) driving simulators. Emotional engagement by using a nearby toy helicopter rather than a virtual reality is the key to getting good results.

Conditions for experiments on humans require emotional engagement.

Pam Briggs

Authentication, implied mistrust and social embarrassment. Acceptable user authentication (including older people, for example); new methodologies to convey and assess the user experience; the role of trust in mediated communication (and the emotional response to feelings of mistrust).

A standard presentation of the user authentication problem.

Security problem: memory-based systems are vulnerable to shoulder-surfing, and so users are requested to engage in shielding. Social problem: authentication implies mistrust, and that creates social awkwardness. A solution to the shared interface problem is that the interface requires shielding – everyone is subject to being forced to the same actions when authenticating. Pressure grid for multi-touch display uses increase in pressure from two separate axes. Pressure grid was demonstrated to be resistant to shoulder-surfing.

Secure and usable first, then socially acceptable.

Markus Jakobsson

Spoofkiller and Fastwords.

AppSpoofing is phishing via apps. WebSpoofing uses, for example, a graphic showing an apparent URL bar in a mobile web browser. Shift the focus away from preventing the user from being tricked, and onto making the system deny the benefit to the attacker.

Fastwords: PINs are easier, but far less secure. Good passwords are weird. Fastwords use three standard words (order of the words no longer matters). Speed increase is 2-3 times for fastwords.

When fastwords are forgotten one of the words can be provided as a hint. Fastwords have a 67% recall rate after three weeks, including after hinting one word. Strong passwords have 6%.

Questions:

Matt Blaze: The gap between the research community and the people building systems is still too wide: Why Special Agent Johnny Still Can’t Encrypt.


Foundations I

Shari Lawrence Pfleeger

Now at the National Institute for Information Infrastructure Protection (I3P).

What are Foundations: how do we do interdisciplinary security research?

Listen to people within the team, and those who work in the area being studied. Many of our assumptions are incorrect, even when the research subjects are within the same fields. For example, certification: some employers require them, and others will discriminate against them. Throw away our own assumptions and try to document the users’ assumptions as the project proceeds.

A series of studies, not just a single study. Do layering in studies. For example, build on phishing studies and follow up on those who previously got phished and were offered training on avoiding it, to see how well the training worked and how long the effects last.

How to improve organisational security without destroying organisational culture.

CIO of Defence Information Systems Agency mentioned that they have difficulty hiring the best people because they’re unwilling to abide by the no external devices rules.

Terence Taylor

“3.5 Billion years of adaptation in an unpredictable world”. Joint work with Raphael Sagarin. Book: Natural Security (UC Press). Biological systems don’t waste resources trying to predict the future states of complex and unpredictable situations, but instead use adaptability to cope with changes. Learn from success as well as from failures. Extend natural adaptability via symbiosis.

Differences between responding and adapting.

“A modular structure of semi-autonomous parts under weak central control provides the most flexible, adaptable and reliable means of making unpredictable challenges predictable.”

Adaptable organisms reduce uncertainty for themselves, increase it for their adversary. We often try to decrease uncertainty, thereby decreasing it for the enemy.

Michelle Baddeley

Behavioral economics: richer insights into people’s attitudes and reasons for activity and particularly into their mistakes: the role of learning and emotions.

Standard economics: people as the rational actors (unemotional decision makers), maximising utility and profitability.

Alternative economics: the bounded rationality of people, their limited individual adaptability and especially the problem of unquantifiable uncertainty. Heuristics, rules of thumb, gut feelings.

Risk attitudes; time inconsistency; susceptibility to peer pressure; emotions and visceral factors.

Herding and social influence, and the link to evolutionary biology.

Abandon the dichotomy of view between rational/irrational and develop new ideas on the semi-rational being.

Learning theory in economics?

Dylan Evans

Identifying good forecasters. Those who say we cannot predict are often talking about an all-or-nothing, absolutely correct or not, kind of prediction.

40,000 took the general knowledge Risk Intelligence test. Only 200 took the Risk Quotient prediction test.

Risk intelligence is dependent on field: domain-specific.

US weather forecasters are better than UK weather forecasters because they are required to use proper statistics from which detailed feedback can be gained (learned or taught).

Milind Tambe

Game theory for security. Assume the adversary will monitor security processes.

Stackelberg game algorithms.

Real applications at LAX police and air marshal allocations to avoid predictability.

This has not solved all the problems, but it is better than what has gone before.

How to evaluate? In extremely complex real world problems, there are no controlled experiments.

Deception and Fraud II

Eric Johnson

Changing user behaviour. CIOs now seeing user behaviour as a major issue.

Can we really educate users, or is it a pipe dream? Most security education is really boring.

In a spear phishing test 70% of students followed a link, which went to a phishing education site. 5 weeks later a second trial was sent to the same group. Of the 70% originally caught, only 52% followed the second link. Slightly more students approached the help desk the second time around.

Richard Clayton

What matters in URLs. Are criminals efficient in their use of phishing domain names and URLs?

The successful RockPhish group used www.realname.com.account.1234567.kjakjas.info/login.html and variants.

They then used www.kjakass.com/www.barclays.com/login.html

They also used cracked accounts such as www.example.info/~user/www.barclays.com/login.html.

Plus www.barclays.com.verysecure.com/login.html

Some other tricks were defeated by changes to browsers.

Phishers clearly believe that users will hover over the link and see the sub-element and believe it.

Many of the phishing sites are developed using kits and the domain name is part of the kit.

New IM worm spreading at a million per week.

Shortened URLs work far less well: e.g. justinloveis.net works three times as often as shortened URLs.

Most users don’t understand URLs, they just look for the name somewhere in the URL.
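The URL tricks listed above, as an added example (not from Richard Clayton's talk or this post): a small Python checker that works out the registrable domain the browser really connects to and flags a brand name that appears only in the subdomain or the path. The public suffix table and brand list are constructed stand-ins for the Public Suffix List and a real brand list.

```python
"""Heuristics for the phishing URL tricks above (added example, not from
the talk). The suffix table and brand list are constructed stand-ins: a
real checker would use the Public Suffix List and its own brand list."""
from urllib.parse import urlsplit

# Constructed: a handful of public suffixes, longest match wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}

# Constructed: brand names (lower-case, without suffix) to watch for.
BRANDS = {"barclays", "realname"}


def registrable_domain(host: str) -> str:
    """The part of the host the registrant controls, which is what the
    browser actually connects to: 'www.barclays.com.verysecure.com' is
    really 'verysecure.com'."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):  # try 'co.uk' before 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def analyse(url: str) -> dict:
    """Flag a brand name that appears in the subdomain or the path rather
    than in the registrable domain, the position users fail to check."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    owner = reg.split(".")[0]
    findings = []
    for brand in sorted(BRANDS):
        if brand == owner:
            continue  # the brand really owns the domain
        if brand in subdomain:
            findings.append(f"'{brand}' in subdomain; real domain is {reg}")
        if brand in parts.path.lower():
            findings.append(f"'{brand}' in path; real domain is {reg}")
    return {"host": host, "registrable_domain": reg, "findings": findings}


# The four patterns from the talk plus one constructed legitimate control.
SAMPLE_URLS = [
    "www.realname.com.account.1234567.kjakjas.info/login.html",
    "www.kjakass.com/www.barclays.com/login.html",
    "www.example.info/~user/www.barclays.com/login.html",
    "www.barclays.com.verysecure.com/login.html",
    "https://www.barclays.com/login.html",
]


def suspicious(urls=SAMPLE_URLS) -> list:
    """Return only the URLs the heuristic flags, with their findings."""
    return [(u, analyse(u)["findings"]) for u in urls if analyse(u)["findings"]]


if __name__ == "__main__":
    for url, findings in suspicious():
        print(url, "->", findings)
```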

Jean Camp

Privacy, ubicomp and older adults. Old people (over 65s). Much better feedback than for college students. They are privacy unconcerned (in Westin’s sense), but this is odd as they are generally risk averse. UbiComp Home Health Care is being built in with no privacy and this is worrying for ubicomp.

80 users studied in depth to develop a survey of older users.

Least willing to share their data with the vendors of ubicomp products and services, which mis-matches with the industry approach.

Users want technologies with clear intended use, clear data recipients and they prefer peers rather than paid recipients or even other family members.

David Modic

Personality and Internet Scams. Basic principle: falling for an internet scam is a failure of judgement. Are there personality traits common to victims? Other than the Big Five, what about: Self-control? Impulsivity? Are these the same, or different? Little data on victims and personality, more about criminals. In scams, victims are not passive, but active.

Stuart Schechter

The Security Practitioner’s Nuremberg Defence. The bystander effect, diffusion of responsibility, risk homeostasis (precautions against damage lead to riskier behaviour). Defence in depth is bad for developers and users. Wimberly and Liebrock, Using Fingerprint Authentication to Reduce System Security: An Empirical Study. IEEE Symposium on Security and Privacy. Users choose significantly weaker passwords when a fingerprint authentication system is also in effect.

Password strength: “P@ssword” is a “medium strength” password, “P@$$word” is very strong. Only tell people that their password is strong. Give a legitimate reason (e.g. “100 other users are already using this password”).
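An added example, not from Stuart Schechter's talk, showing why such meters mislead: `naive_score` is a constructed character-class meter that, like many deployed ones, rewards every extra symbol and so rates "P@ssword" medium and "P@$$word" very strong, while `informed_score` undoes common leetspeak substitutions and recognises both as "password". The wordlist and substitution table are constructed stand-ins for a breached-password corpus.

```python
"""Two password meters side by side (added example, not from the talk).

The wordlist and leetspeak table below are constructed; a deployed checker
would use a breached-password corpus and a fuller substitution table.
"""
import itertools

# Constructed wordlist of common passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome"}

# Constructed map from leetspeak symbols to the letters they usually stand for.
LEET = {"@": "a", "$": "s", "0": "o", "1": "li", "3": "e", "!": "i", "5": "s"}


def naive_score(pw: str) -> str:
    """Character-class meter: a point for length >= 8, one per class present,
    and one per symbol up to three, so piling on symbols inflates the rating."""
    symbols = [c for c in pw if not c.isalnum()]
    points = (
        (len(pw) >= 8)
        + any(c.isupper() for c in pw)
        + any(c.islower() for c in pw)
        + any(c.isdigit() for c in pw)
        + min(len(symbols), 3)
    )
    if points <= 3:
        return "weak"
    if points == 4:
        return "medium"
    if points == 5:
        return "strong"
    return "very strong"


def deleet_candidates(pw: str):
    """Yield every plain-text reading of pw with leetspeak symbols replaced."""
    options = [LEET.get(c, c) for c in pw.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)


def informed_score(pw: str) -> str:
    """Reject anything whose de-leeted form is a common password; otherwise
    fall back to the character-class meter."""
    if len(pw) > 40:  # bound the candidate expansion (2^k for k two-way symbols)
        return naive_score(pw)
    for candidate in deleet_candidates(pw):
        if candidate in COMMON_WORDS:
            return f"weak (leetspeak of '{candidate}')"
    return naive_score(pw)


def compare(pw: str) -> dict:
    """Both verdicts for one password, handy for a table in a report."""
    return {"password": pw, "naive": naive_score(pw), "informed": informed_score(pw)}


if __name__ == "__main__":
    for pw in ("P@ssword", "P@$$word", "Tr0ub4dor&3"):
        print(compare(pw))
```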

Access control: don’t give false promises that can’t be kept.

Culture, Risk, and Fear

David Livingstone Smith

Dehumanization. First and Second World War dehumanization propaganda presented.

There is virtually no literature on dehumanization.

What is it about the way humans think, that allows us to think about other humans as sub-human and allow us to abuse and destroy them.

Since “the death of God” humanity is the pinnacle of existence and everything else is sub-human.

Natural Kinds are regarded as real divisions in nature “carving nature at its joints” (Plato).

Essentialism: natural kinds are thought to be defined by their essences. Essences are core properties that an item has if and only if it is a member of the corresponding natural kind. Essence is distinct from appearance – appearance is what something seems to be, whereas essence is (part of) the “real” nature.

Dehumanization is a method that imaginatively replaces part of a group of humans’ essence with something else, allowing them to be legitimately defined as sub-human and abused or destroyed.

John Mueller

New book: Terror, Security and Money. Follow-up to Overblown. Estimates $1bn extra direct internal spending in the US post-9/11 on “security”.

DHS does not have sufficient risk analysis except for natural disasters.

Probability neglect (via Cass Sunstein): Preoccupation with the worst case scenarios; adding, rather than multiplying, probabilities; assessing relative, rather than absolute, risk; inflating the importance of terrorist targets; exaggerating terrorist capacities.

Only 31 cases of attempted terrorism in, or travelling to, the US.

Acceptable Risk.

Steven LeBlanc

Studies pretty ancient pottery. Recently studied prehistoric warfare, first in the US SW, then globally. Methods are not the key to defining warfare, outcomes are. There is a great desire in modern life to ignore the atrocities of mass deaths in prehistoric warfare.

There is evidence of an autonomous peaceful society for more than approximately a century: Malthusian effects lead to competition over scarce resources. Population carrying capacity is a key indicator.

Human evolution took place during our forager period past.

Andaman islanders living in groups of 25, organised to get groups together and invade other islands.

Eskimos referred to non-eskimos as “lice”.

These fights are over women or revenge.

There was some significant evolution selection for successful warfare in prehistoric eras.

Cory Doctorow

The security syllogism: something must be done; something has been done; therefore we are safer.

Now to the copyright wars and the externalities of security decisions.

98.5% of the Wikileaks version of the Swedish anti-abuse images list contained no abuse images.

Designing devices to attack users is the current model. We need more crowd-sourcing of tracking down bad faith actors.

Baruch Fishhoff

Social and Behavioral Science Foundations of Intelligence Analysis.

Evaluate everything – we cannot trust our intuitions regarding how well methods perform. Organizations need evaluation, on order to define and reward desired performance. Customers need evaluation, in order to interpret analytical products.

Report in: Intelligence Analysis for Tomorrow.

Two thirds of the current analysts were recruited after 9/11.

Applied basic science and basic applied science.

Day 2

Usability

Cormac Herley

What is the total number of passwords in use now? From a few million in 1990, it is now probably in excess of 12 billion. 4 million new password-protected accounts/day. Facebook has more accounts than the entire Internet in 1995. 40% compound growth rate per year. 10k man years spent typing every week (at an average of 5s/user/day).

Mass deployed systems tend to be optimized – e.g. soda cans.

Repeated meme: we must get rid of passwords (since 1992). Passwords are still pretty much the same as fifteen years ago.

From the National Strategy for Trusted Identities in Cyberspace: Why We Need It:

Passwords are inconvenient and insecure.

There is huge confusion on how we reached this conclusion, and therefore on what a good solution might be.

Any solution that has marginal cost per user (anything at all, rather than a small fixed cost which scales without significant per user change) will kill any system such as Facebook, which grew to almost 1 million users with effectively no funding.

The bait-and-switch of promising increased security without providing good usability is a dead loss.

Angela Sasse

Security Compliance in a High Risk Environment.

Given the difficulty in securing physical environments, when things move to more embedded and ubiquitous systems the security problems will multiply.

If we design security systems for Homer Simpson we won’t design good systems.

Error includes both intentional and unintentional non-compliance, even without intent to cause bad consequences. Unintentional errors have well-defined approaches to avoid them. The bigger problem is intentional non-compliance. Reason’s Swiss Cheese Model.

The final human error in reaching a significant consequence is no more than the paper umbrella added as a final flourish to a cocktail.

Rick Wash

Influencing Folk Models of Security. How do ordinary home users think about securing their computers. Education, even of quite intelligent people, is failing in security. This means the education is poor. Folk models represent what is true, at the expense of what is false, are incomplete and inconsistent, and are the basis of most human reasoning.

Two models of virus folk models:

Viruses as buggy software: same problem as bugs in software but worse. They think that viruses must be downloaded, and therefore if they don’t download anything they’re safe.

Viruses are caused by mischievous teenagers – the skull and crossbones mark. Caught by visiting shady websites or opening shady emails.

Different understanding of viruses leads to different actions such as running A/V software, not opening emails from unknown sources etc.

“Education” is about giving different folk models – but is it necessary to replace the previous model, or give them a second model.

Models are based on narratives. Humans learn from stories.

Even mythological stories, with no basis in fact, can provide useful outcomes in change in actions.

Hotel towel re-use example; message on the leaflet:

Save money: 16% compliance

Save Environment: 31%

Others reuse: 44%

Other people like me (who stayed in this room is the example): 49%

“People like me” is a really powerful concept: stories about people like me are more influential than expert advice. People know the advice from experts but ignore it (cf Angela Sasse’s talk).

Reinforce: stories don’t have to be correct to get the right answer, they just have to lead to better behaviour.

Patients like me website: stories about their own lives. Culturally shared models of how treatment works.

On a very small sample, multiple models might be OK. However, there is the possibility of overload.

Rachel Greenstadt

Adversarial Stylometry. The basic question is “who wrote this document?” Attributing documents to authors by analysing linguistic style features: word order, word choice etc.

Why is this interesting in security? State of the art can lead to 90% accuracy on good data.

Test subjects submit their own previous work (5000 words), plus 500 word “obfuscation attack” plus 500 word imitation attack.

Results from this show that deliberate attempts to obfuscate or imitate can easily defeat stylistic analysis.

How about translating into another language and then back? It depends on the method of translation used – certain forms using the same analysis as the style analysis don’t give good results.

Imitation works reasonably well with a distinctive style like Cormac McCarthy.

A larger set of features gives a reasonably good result in detecting imitation.

Jeff Hancock’s lying indicators show similar results to the imitation, but this requires a comparison between a known original and an imitation attack, because these measures are relative not absolute.

Privacy: people can hide their style, but can’t (easily) commit fraud.

Lorrie Cranor

Facebook Regrets and Password Policies.

2 studies that don’t have anything in common (or do they?)

Things people regret doing on social networks later. But first passwords. Passwords have “passed their sell-by date” – why work on something that’s dead? But they’re not going away any time soon, so we may as well try to make the best of the situation and improve their use.

There is a wide variety of password policies.

Gather data to develop password policies, grounded in empirical data, that will maximize security without driving users crazy.

Various password policies, take a survey, come back in two days and take a further survey.

People use passwords with digits (possibly because they’re used to them being required). Symbols are not heavily used unless forced and even then their benefit is limited because of restricted use.

Basic16 provides better entropy than comprehensive8 and is easier for users.

Now Facebook Regrets:

To develop tools to help people protect their privacy on social networks. What do you nudge people about? 57% of a ~1000 US FB survey said they regret something.

Regret posting PII; sex; relationships; profanity; alcohol and drug use; jokes; lies; information about work or company; friending or unfriending.

Why: being in a bad mood; excited; didn’t think; under the influence; didn’t mean to post it; unintended audience. Thought it was funny. Needed to vent.

Consequences: felt guilt; embarrassed; hurt relationship; offended someone; misunderstood; got into trouble.

Foundations II

Andrew Odlyzko

The Irrational Foundations of the Modern Economy.

Gullibility is essential for our economic progress. Gullibility leads to insecurity.

Beautiful illusions are preferable (and becoming more important) than cold reality.

The development of modern corporations (British context).

Early writers are very prejudiced against corporations (Adam Smith and others). Easy creation of corporations legalized in 1825 (but all shareholders have unlimited liability) and limited liability legalized in mid-1850s.

The railway juggernaut of 1845 (Punch Cartoon).

The early corporation was a fairly good response to the issue of behavioural economics.

The 1840s railway mania was 200 million pounds (the current equivalent of $6 trn).

Result of railway mania: ruin for large classes of investors; slight loss for total investor population; clear economic gain for the nation; big gains for promoters, lawyers, engineers; possible prevention of a revolution in 1848; prevention of huge capital outflows overseas.

Modern corporate capitalism:

Investors get gambling entertainment; promoters who create “beautiful illusions” get much of the modest returns. Irrationality is thus the heart of the modern economy.

Simon Shiu

Security Decisions and Human Behaviour.

Two angles: how should decision makers take human behaviour of others and themselves into account.

Security professionals are one of the key subjects.

Experiments in decision making, Trust Economics, Information Security Lifecycle, Cloud Stewardship Economics.

Information Security Lifecycle is challenged by the move to the cloud. Cloud Stewardship Economics.

Rahul Telang

Why do users not pirate?

Napster started the culture of “everything on the internet is free” and the industries are still struggling to adapt. Why do users pirate:

cheaper (fixed cost of access then free marginal costs);

lack of availability of legal content

Movie display lifecycles have been crunched, to try to avoid unauthorised downloads.

But there are “moral” reasons why people indulge in unauthorised copying.

In 2007, NBC removed all of its content from iTunes on 1st December. Opportunity to compare before and after BitTorrent data on NBC content. Obtained some previous data from iTunes on sales of the content before withdrawal. Graph shows that with some minor variation NBC and non-NBC content is similarly downloaded. Within a week of the withdrawal, there is a significant, easily visible difference in increased demand for NBC content on sharing networks.

In addition, the downloading of the other channels also seems to rise, but not by as much. No apparent increase in DVD sales (but the timing makes this difficult to judge).

Henry Willis

The science of listening: how understanding risk perceptions can lead to better policy.

Perceptions of risk are affected by: what people know about it; where and when the event occurs; how information is presented.

Perceptions affect decisions, which affect response (and, through gaming, the activity of the attacker).

Communicating Risk:

1. Create an expert model (most approaches stop here)

2. Conduct model interviews with intended recipients

3. Conduct structured interviews

4. Draft risk communication

5. Evaluate communication

Managing the various DHS risks requires comparison of different types of risk.

Similar methods used by the EPA, empirically tested and used in the UK, China and US, and recently in the UAE for environmental risks.

Bashar Nuseibeh

In the best families: tracking and relationships.

Security and privacy for mobile tracking information.

There is a significant element of analysis missing in settings such as families where there exist complex dynamics of trust and privacy.

Assumption: close-knit tracking is “safer”; “the tracked” is the vulnerable one; that controls provide privacy benefits.

Studied two extended families for three weeks. Bridging experiments, gradually adding abilities to find the discomfort levels.

Subjects had some conflicted affordances. Being given tasks allowed them to “only follow orders”. Added ability to know when being tracked. This led to some paranoia and possibility of self-censorship. Finally gave people the option of hiding their location. Felt that use of this would indicate guilt.

There was evidence of tension between drives.

Mother felt that she had the right to track her 20+ y.o. son everywhere, and he disliked this but felt that he should not use the privacy settings to avoid upsetting the mother. Even in situations where there was some inconsistency but nothing beyond a mistake, significant discomfort was felt.

Privacy

Adam Joinson

3 things: the intersection of Facebook and parents; crowding and behaviour; responses to over-sharing.

Crowding is not the same as density. SNS and crowding: the disruption of dynamic information sharing boundaries, overlapping social spheres. Unfettered sharing.

The privacy dictionary.

Sensitweet.

Ashkan Soltani

Platforms and privacy. “If you’re not paying for it, you’re the product being sold.”

Andrew A. Adams

Privacy by Default

Privacy by Design; Privacy Engineering; Security Engineering; AGPL v GPL

Most users never change the default settings

most users are unaware that there are settings to change

Academia.edu and Google Search Terms

Facebook (etc.) visibility: platform interests vs user interests;

who is the customer (follow the money)?

The users are revolting (Facebook Beacon, Google Buzz)

Zero-click privacy settings: Privacy by Default

Paul Syverson

Using Trust for anonymity resilience. How can we protect road warriors and their cousins?

Separate identities and routing. You can’t just anonymise yourself – you need a crowd in which to hide.

Tor was quoted by Tunisian activists as a key technology for their communications.

Alessandro Acquisti

Privacy in the age of augmented reality.

Demonstration of sousveillance by face-recognition and identity linking: your face is the link between your online and offline personae.

Re-identification from named systems (e.g. Facebook, LinkedIn) to unnamed sites (e.g. dating sites).

Clearly some links to Brin’s idea of the Transparent Society.

Facebook profiles are becoming effectively unregulated Real IDs.

The biggest future privacy threats may come in the area of augmented reality.

How do we fix the world?

Bruce Schneier

Societal Security. Historically we are pretty good at identifying and protecting the groups from insider attacks (AAA: the whole role of public law). What’s breaking this:

Organisations are larger and more powerful than human actors. More international organisations. Wikileaks is not subject to the traditional constraints on news organisations, and is not motivated by profit. Wikipedia, Tor, FLOSS.

Corporations being more profit-oriented is partly because more things are measurable.

Technology increases leverage: the Andaman islanders were human beings with human-sized weapons, but now we have the possibility of humans with state-sized systems.

Our behavioural calibrations are rooted in physicality, and we apply them to mutable information. We’re used to speaking out of school and regretting it later, but we’re not used to broader access and permanence of record.

100 years ago there were problems with teachers being married, now there are problems with teachers on Facebook.

Cyberwar rhetoric and arms race. Weapons and tactics becoming democratised. Anonymous warning NATO not to mess with it.

Virgil Gligor

Informal punishment for violation of trust has much more of an impact on people’s behaviour than formal punishment: in the Paris commune, there was pickpocketing at the public hanging of people for pickpocketing.

Usable security needs good understanding of users’ mental models.

Many volumes of computer security covering man-in-the-middle attack. What about the content of the sender’s message? Alice’s behaviour becomes interesting, if we don’t already know who Alice is?

Verification denies the need for trust? Can inputs be always verified? No. Even when inputs can be verified, is verification always efficient and practical? No and no. Is it always scalable? No.

If the receiver can’t be isolated, then one must trust the sender, because there is value in the act of trusting the sender.

Virgil’s work is on behavioural trust: focus solely on beliefs and preferences. What are the commonalities between this and e-commerce and network security?

Ross Anderson

Where in the cosmic hierarchy is Amazon (various online services)?

Depersonalization: we get more abuse and fraud online because the victims are not visibly people.

Recent case: student at University of Greenwich defrauded an Oxford professor of £18000 and got 200 hours of community service. The real world version would have been a minimum of three years imprisonment. The US is different.

Simon Baron-Cohen’s book “Zero Degrees of Empathy”. Relevant to online crime as well.

Photo cards on credit cards. Were the effects of photo cards to increase empathy in potential credit card fraudsters ignored?

Can we cut fraud online by re-personalising online payment? How far do we have to go? Is just a photograph enough?

Growing literature on anthropomorphism and robots.

What other kinds of gaming and adversarial behaviour would be amenable?

If we understand personalisation better, the bad guys will also understand it better and we’re into the game theory arena.