Page 1: Title

Jason I. Hong

January 31, 2006

Usable Privacy and Security

Chameleon and Kazaa

Page 2: Chameleon Overview

• Motivation
– Minimize damage done by malware (viruses, worms)

• Insights
– Access control useful but too hard for typical user
– Leverage physical metaphor in home (plumber vs accountant)

• Key Ideas
– Compartmentalize things into a few basic roles
  • Coarse-grained access control
– Provide a user interface that makes it easy to understand and work with these roles

Page 3: Stepping Back, Bigger Picture

• Kind of paper:
– Design proposal introducing new user interface metaphor
– Several user evaluations of design

• Usable Privacy and Security themes:
– Make it invisible
– Make it understandable (better metaphors, visibility)
– Train the users

Page 4: Stepping Back, Bigger Picture

• Embodies good usability practices
– Lo-fi paper prototypes
– Iterative design (paper, VBasic, interactive version)
– User studies throughout

(Figures: Example from iteration 1; Example from iteration 2)

Page 5: Lo-Fi Prototype

Page 6: Interactive Prototype

(Screenshot labels: Internet app., Testing app., Comm. apps.)

Page 7: Roles, A Short Digression

• Role-based access control (RBAC)
– http://csrc.nist.gov/rbac
– Roles are created for various job functions in an org
– Users assigned roles based on their responsibilities
– Users can be easily reassigned from one role to another
– Roles can be granted new permissions (or revoked)

• Example roles:
– Specific tasks: physician, doctor
– Authority: project manager
– Specific duties: duty physician, shift manager

Page 8: Standard Roles in Chameleon

• Five standard roles
– Vault - Most sensitive data
– Communications - Email, IM, Web
– Default - No network restrictions
– Testing - Untrusted, no net
– System - Operating system

Page 9: Standard Set of Roles

• Mixed metaphors, not quite everyday roles:
– Vault – a device for physically safeguarding important stuff
– Communications – a collection of unrelated apps for communicating with people
– Testing – ???

Page 10: Standard Set of Roles

• Explaining to people what role they are in
– Window borders subtle and easy to miss
– Desktop combines multiple roles simultaneously
– Very hard, could be Achilles’ heel

Page 11: More Thoughts on Chameleon

• Assumption
– Malware will happen, minimize the damage

• Secrets and Lies, Bruce Schneier
– Prevention - facilities and systems to prevent people getting in and taking information
– Detection - to find out if anybody has gotten in, and compromised important information or processes
– Reaction - to allow the "bad guys" to be identified and their activity stopped

Page 12: Questions about Prevention

• What do you do if a role is compromised?

• How does a person know what role an app or file should be installed into?

• Make sense to group “Communications” together?
– IM, Web browsing, Email
– Conjecture: People consider endpoint rather than mechanism used
– Ex. John vs phone or email

Page 13: More Thoughts on Chameleon

• Testing role
– Personally, I’d really like this
– Combine with a virtual machine
– Temporarily and safely install new app and see what it’s like
– Have virtual machine tell you if it has spyware or not
– However, rather than a role, maybe a different metaphor

Page 14: Even More Thoughts

• Basic ideas quite good:
– Compartmentalization
– Different levels of trust

• But some concerns:
– Too sophisticated for average home PC users?
  • Unclear about who the participants were
– Too easy to work around the system?
– Unclear how well Chameleon works
  • p350, People didn’t notice trickery

Page 15: Some Open Questions

• Is the desktop the right place to do this?
– People do risky actions in web browsers, email, etc
– A compromised web browser can be quite dangerous too

• Will changing roles become tedious?
– User studies described initial reactions
– Easy to overlook things, requires eternal vigilance?
– Different roles are also different modes
  • Very easy to make errors
  • Solution 1: Pseudo-modes
  • Solution 2: Modeless (how?)

Page 16: Some More Open Questions

• Is Chameleon’s basic metaphor right?
– Mixes application-based metaphor with file-based metaphor with physical-based metaphor (home)

• Alternatives:
– Multiple desktops?
– Multiple file systems?

Page 17: Some More Open Questions

• Good insight: re-thinking application development
– Operating system - traditional security, but no context
– Application - security can be part of workflow, but duplicated work, inconsistency
– Toolkit - provide lots of reusable components, but unclear on useful abstractions

• Idea of a toolkit for building secure apps is a great idea, difficulty is in execution
– Would it contain new UI widgets?
– Security primitives?
– Toolkits tend to be reductionist, but usable privacy and security seems to be holistic

Page 18: Kazaa File Sharing Study

• Motivation
– Lots of people use P2P file sharing, but how usable are they?

• Insights
– Seems like lots of people are sharing files accidentally

• What they did
– Cognitive walkthrough predicting usability problems
– User study demonstrating usability problems
– Proposed new design guidelines for P2P systems

Page 19: Stepping Back, Bigger Picture

• Kind of paper:
– User evaluations of existing application
– Generalization of results
– Paper is all evaluation, so needs more evaluation than Chameleon (which is design, implementation, plus eval)

• Usable Privacy and Security themes:
– Make it invisible
– Make it understandable (better metaphors, visibility)
– Train the users

Page 20: Kazaa File Sharing Study

• Good and Krekelberg, CHI 2003

• Given arbitrary setup of Kazaa, could people understand what files were downloadable by others?

• Found lots of people sharing inbox.dbx

• Found that some people were downloading a fake inbox.dbx file

Page 21: Kazaa Cognitive Walkthrough

• Cognitive Walkthrough
– Simple usability technique, put yourself in shoes of users and try to use the interface from their perspective

• Problem #1: Multiple names for similar things
– My Shared Folder - a folder + all shared files
– My Media - all shared files by media type
– My Kazaa - all shared files by media type
– Folder for downloaded files - root folder of all shared files

Page 22: Kazaa Cognitive Walkthrough

Problem 2: Downloaded files are also shared files

Problem 3: Kazaa recursively shares folders

Page 23: Kazaa Cognitive Walkthrough

Problem 4: Can select a folder, but what files are inside? Error-prone approach. Also risk with recursive folders.

Page 24: Kazaa Cognitive Walkthrough

Note: Gives one-time warning if you select an entire hard drive

Page 25: Kazaa Cognitive Walkthrough

• Problem 5: Inconsistent views
– Two UIs for doing similar tasks, but show different information about state of system

Pages 26-28: Kazaa File Sharing Study (one list, built up over three slides)

• 12 users, 10 had used file sharing before

• Figure out what files are being shared by Kazaa
– Download files set to C:\ (ie all files on hard drive C:)

• Results
– 5 people thought it was “My Shared Folder”
  • which one UI did suggest
– 2 people used Find Files to find all shared files
  • This UI had no files checked, thus no files shared?
– 2 people used help, said “My Shared Folder”
– 1 person couldn’t figure it out at all
– Only 2 people got it right

Page 29: Usability Guidelines for P2P

• P2P file sharing is safe and usable if users:
– Are aware of what files are being offered to others
– Can determine how to share and stop sharing
– Do not make dangerous errors leading to unintentional sharing of files
– Are comfortable with what is being shared and confident the system is working correctly

• Design suggestions:
– Only allow sharing of multimedia files (…effective?)
– Better feedforward
– Allow exceptions to recursively shared folders
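A share-set audit for the walkthrough problems above (recursive sharing, picking a folder without seeing what is inside) and for the three design suggestions, written as an added Python example rather than anything from the Kazaa paper or these slides: it computes which files a recursive share would actually expose before the user commits to it (feedforward), supports excepting sub-folders, and applies a multimedia-only filter. The demo directory tree, the media extension allow-list and the sensitive-name list are constructed assumptions; only inbox.dbx comes from the study.

```python
import tempfile
from pathlib import Path

# Assumed "multimedia only" allow-list, modelled on the slide's design
# suggestion; the real client's list is not on the page.
MEDIA_EXTENSIONS = {".mp3", ".avi", ".mpg", ".jpg"}
# inbox.dbx is the file the Kazaa study found being shared by accident.
SENSITIVE_NAMES = {"inbox.dbx"}


def effective_share_set(share_roots, exclusions=(), media_only=False):
    """Files a recursive share of share_roots would expose, minus anything
    under an excluded folder ("exceptions to recursively shared folders"),
    optionally restricted to multimedia extensions."""
    excluded = [Path(e).resolve() for e in exclusions]
    shared = set()
    for root in share_roots:
        for path in Path(root).resolve().rglob("*"):
            if not path.is_file():
                continue
            # Drop anything at or below an excluded folder.
            if any(ex == path or ex in path.parents for ex in excluded):
                continue
            if media_only and path.suffix.lower() not in MEDIA_EXTENSIONS:
                continue
            shared.add(path)
    return shared


def sensitive_exposures(shared):
    """Subset of a share set whose file name is on the sensitive list."""
    return sorted(p for p in shared if p.name.lower() in SENSITIVE_NAMES)


def build_demo_tree():
    """Constructed sample tree standing in for the C:\\ drive the study used."""
    base = Path(tempfile.mkdtemp())
    (base / "music").mkdir()
    (base / "music" / "song.mp3").write_text("audio")
    (base / "Documents" / "Outlook").mkdir(parents=True)
    (base / "Documents" / "Outlook" / "inbox.dbx").write_text("mail")
    (base / "Documents" / "taxes.xls").write_text("numbers")
    return base
```

Run against the demo tree, sharing the root recursively exposes the mail store; excepting Documents or switching to media-only removes it.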

Page 30: Are people still accidentally sharing files?

• A rough & ready experiment by your friendly instructor
– eMule (open source)
– Combines eDonkey and Kad file sharing networks
– Different from FastTrack (Kazaa file sharing)

• eMule stats
– Downloaded by over 85 million people
– 5.3 mil people / 633 mil files on eDonkey
– 1.7 mil people / 300 mil files on Kad

Pages 31-41: (slides with no extracted text)
Page 42: Putting Them Together

• Lessons from Chameleon + Kazaa
– Examples of how to run user studies
  • Not the most rigorous studies, but good enough to demonstrate main point
– Examples of mental models

(Figure: Design Model, User Model, System Image)

Page 43: Putting Them Together

• Difficulty of building a good UI for privacy and security
– What are better design methods?
– What are better tools?
– What would have helped Chameleon and Kazaa?
