Saturday, November 27

Bad Security = Bad UI?

While poking around on the website for CMU's Usable Privacy and Security Laboratory, I came across some interesting papers from July's DIMACS Workshop on Usable Privacy and Security Software. I enjoyed several of the papers, including:

  • Matt Blaze's Toward a Broader View of Security Protocols where he advocates attention towards what he calls "Human Scale Security". His agenda is twofold: 1) apply lessons from folk process design to computer systems, potentially aligning the security intuition of laypeople with future computer security systems; and 2) apply computer security protocol design and analysis to traditional manual processes and so discover flaws in them. A cute analysis of restaurant-to-diner bill presentation protocol is included where he suggests improving the protocol (reducing six round trips to five) by handing the credit card over to the waiter when asking for the bill. This "optimization" ignores the possibility that the diner's choice of payment mechanism may depend on the amount of the bill.
  • Simson Garfinkel's Best Practices for Usable Security In Desktop Software has a nice payoff slide: The Pure Software Act of 2006 which has truth-in-labeling icons for "self-installs", "monitors", "unremovable", and so on.
  • Chris Long's Chameleon: Towards Usable RBAC describes a role-oriented shell, which I think is only a half-measure, but absolutely nails the top-level problem statement: what permissions are reasonable to grant depends on the user's context. Long uses an example I've used myself for ten years — the disk format program, signed by Microsoft or not, is malware if it is sent to you in the guise of a (say) screensaver. I call this "obtaining informed consent" and I think it may be the final security frontier.
  • Angela Sasse's Usable Security: Beyond the Interface piles on the observations until you cry uncle: we know perfectly well people don't do what security people tell them to do. She has a few suggestions on what to do about this.

Workshops like these, emphasizing human factors and economics in security (rather than, say, cryptography) show the field is coming to grips with its manifold failures. Maybe there's hope!


1 comment:

Anonymous said...

Nice collection of articles - Sasser's in particular reminds me of Richard Feynman's observation in 'The Meaning of it All' - "If the professors of English will complain to me that the students who come to the university, after all those years of study, still cannot spell "friend", I say to them that something's the matter with the way you spell friend." The picture of the guy surrounded by hundreds of Post-it notes was priceless!