Usability and Psychology (parts 1 and 2), Drexel CS475 lecture slides: ccigreenie/cs475/cs475-13-02.pdf
TRANSCRIPT
Usability and Psychology
Thursday, January 24, 2013
Privacy and Security Concerns
• Google buzz abusive ex
• Choicepoint mafia data selling
• Yahoo Chinese activist
• Health status insurance and employment discrimination
• Children online
• Browser/pdf/flash/OS vulnerabilities - most systems can be casually compromised
• Strong underground economy in malware/SPAM/DDOS/phishing
• (Nearly?) All Internet systems vulnerable to targeted attack
Web Infections aka Drive-By Downloads
Internet users can be infected simply by viewing a compromised website.
Usability and Psychology
• ‘Why Johnny Can’t Encrypt’ – Whitten and Tygar’s study of the encryption program PGP – showed that most users could not get it right given 90 minutes (only a third of the participants managed to sign and encrypt a message correctly)
• Private / public, encryption / signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever
• Security is hard – unmotivated users, abstract security policies, lack of feedback …
• Much better to have safe defaults (e.g. encrypt and sign everything)
• But economics often push the other way …
Hypotheses
• Data security and privacy are really hard; we are failing despite high investment
  • Many things we’re not doing (cryptography, extensive code review, self insurance, etc.)
  • Software security knowledge is located precisely nowhere a developer spends their time. (1raindrop)
• No one cares about security and privacy, so the invisible hand reflects that
  • People say they care
  • Argument that “rational actors ought to care”
• Something is wrong with the market for data privacy and security
Market Failures
• Markets work when people have incentives to do the “right” thing
• How can they fail?
• Externalities
• Asymmetric/Imperfect Information
• Bounded rationality
• All present in information security and privacy!
Externalities
• Occur when decisions impose costs or benefits on stakeholders who were not party to the transaction
Externalities in Web Infections
• Web infections typically affect the end users (browsers)
• Often don't know that they are infected
• If they do, they don't know why
• No incentive for sites to do the right thing
• Some evidence suggests that overt security measures actually reduce customer confidence
• Revealing infections can only harm companies’ brands and reputations
• Most harm is even further removed
• Attacks carried out, phishing sites hosted, and spam sent from infected machines
Adverse Selection: Akerlof’s Market for Lemons
• Comes from analysis of Used Car market
• Hidden characteristics: the buyer doesn't know if the car they are buying is good or a 'lemon'
• The seller does have this information
• Given the uncertainty, the buyer will not pay much
• Result: adverse selection; sellers won't sell good cars (they can't get a good price), only lemons
• Solution: reduce customer uncertainty (independent inspections, guarantees, etc.)
Asymmetric Information in Web Insecurity
• End user doesn't know if site they visit is safe or attacking them
• Hosting provider doesn't know if webmaster is incompetent or malicious
• Webmasters don't know if hosting provider is secure
Adverse selection: it takes resources to be secure, so why bother if no one can notice?
Bounded Rationality
• Market assumes not only perfect information, but also perfect rationality
• Reality - Behavioral distortions
• Humans bad at assessing risk
• Tend to pick the first reasonable sounding option, not weigh all costs
• Coherent arbitrariness
• Hyperbolic discounting
Consumer Webmasters
• Most webmasters are not tech geeks
• Just want things to work
• Use off the shelf software
• Do not believe they are infected
• Do not know how to evaluate security properties of hosting providers (or that they should)
• Cannot identify or remove badware
Security Decisions
Choose a password?
Allow user Bob access?
Make a firewall exception?
Share this piece of personal information?
Trust this site?
Run this script?
Write about my diagnosis on the forum?
Open this email?
Install this software?
Buy from Alice?
Plug Carol’s USB key into my laptop?
Drop this packet?
Hard for Machines and Humans
• Context-dependent
• Require specialized knowledge
• Dynamic : sophisticated adversaries and emerging threats
• Complex risk analysis requiring a large knowledge base and rationality
Usability and Psychology (2)
• 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter)
• 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down?
• Our 1998 password trial: control group, versus random passwords, versus passphrase
• The compliance problem; and can someone who chooses a bad password harm only himself?
Network Security Attacks
• Network attacks are of three types:
• Physical attacks
  – target the computers, wires, and electronics
• Syntactic attacks
  – target the operating logic of computers and networks, software vulnerabilities
• Semantic attacks
  – target humans
Social engineering
• Social engineering is the process of exploiting people through social interactions to obtain sensitive information.
• Examples of these attacks:
  – Spam/phishing with/without malicious attachment
  – Internet fraud
  – Business scheme
Who are vulnerable
• Nigerian scam
• False/fake news
• Fake profiles on social network
Yearly Dollar Loss (in Billions) in Internet Fraud (chart)
Why social engineering works
• Psychology
• Usability
• Economics of Information Security
Psychology
• Trust in authority
• Scarcity
• Personalization
• Persuasion
• Capture errors
• Social proof
Suspicion
• Dhamija et al. conducted a usability study to test the hypotheses
  – Lack of understanding about the Internet
  – Visual deception
    • www.paypal.com@fake.com
  – Bounded attention
• 22 participants are shown 20 web sites and asked to distinguish the fraud sites from the real ones
  – 7 real, 9 phishing, 3 constructed phishing, 1 forged SSL
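As an added example (not from the slides or from Dhamija et al.), the following Python checks the kinds of visual deception listed above: it reports the host a browser would really connect to and flags the userinfo trick, a brand name used as a subdomain or path component of some other domain, and digit-for-letter or vv-for-w look-alike domains. The www.paypal.com@fake.com URL is the slide's; the other sample URLs, the TRUSTED list, and the crude registrable-domain helper are assumptions made for this example.

```python
"""Added example, not part of the lecture: what a browser actually connects to
for URLs designed to look like a trusted site."""
from urllib.parse import urlsplit

# Assumption: the brands we care about, in registrable-domain form.
TRUSTED = ("paypal.com", "bankofthewest.com")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the sample data here; real code
    should consult the Public Suffix List (co.uk and friends break this rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    real_host = (parts.hostname or "").lower()      # userinfo already stripped
    rd = registrable_domain(real_host)
    findings = []
    # 1. Userinfo trick: everything before '@' is credentials, not the host.
    if "@" in parts.netloc:
        findings.append("userinfo-before-@: " + parts.netloc.split("@", 1)[0])
    # 2. Brand name as a label of some other domain, or in the path.
    for brand in TRUSTED:
        name = brand.split(".")[0]
        if rd != brand and (name in real_host or name in parts.path.lower()):
            findings.append("brand-lookalike: " + name)
    # 3. Glyph substitution: paypa1 (digit one), bankofthevvest (vv for w).
    normalized = rd.replace("1", "l").replace("0", "o").replace("vv", "w")
    if rd not in TRUSTED and normalized in TRUSTED:
        findings.append("homoglyph-domain: " + rd)
    return {"real_host": real_host, "registrable": rd, "findings": findings}


if __name__ == "__main__":
    for u in ("http://www.paypal.com@fake.com",
              "http://www.paypa1.com/login",
              "https://paypal.com.secure-login.example.net/",
              "https://www.paypal.com/signin"):
        print(u, "->", analyze(u))
```

The point of the first check is that `urlsplit().hostname` already discards the userinfo part, which is exactly what the browser does and exactly what the user's eye does not; the remaining checks are lexical and will not catch a clean-looking domain, which is why the participants in the study who looked at the address bar still had no fully reliable signal.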
Results Summary
  – 91% of people trusted the sites based on the look.
  – 9% (2) of participants relied on checked URLs and also checked the certificate that was presented.
  – Two participants in the study stated that they would only question a website’s legitimacy if more than the username and password was requested.
• Schechter et al. performed a usability study of website authentication measures.
• Will customers of an online bank enter their passwords even if
  – their browsers’ HTTPS indicators are missing,
  – their site-authentication images are missing,
  – they are presented with an IE7 warning page?
Results
• All participants entered passwords without HTTPS
• Most participants entered passwords without site-authentication images
• About half entered passwords in spite of the warning page
Economics of Information Security
• Security investment:
  – What is the optimal amount of investment for information security for a given company?
• Security as externality:
• Incentive misalignment
  – Anderson and Moore indicate that incentive misalignment significantly undermines information security
Countermeasures
• Technical: only for phishing, malware, spam
• Legal
• Education and awareness
Google Safe Browsing API (pipeline diagram)
Collect spam URLs from Gmail → Extract features from URL → Obtain domain information and crawl the page → Train the classifier → Classifier → Assign the page a score → If score > threshold, blacklist the page
• Phishers can bypass the system:
  – By disguising as a non-phishing page
  – By manipulating the training classifier
  – By slowing down page fetching
  – By hiding the phishing page from Google
Evaluation of Tools
• 10 anti-phishing tools examined are CallingID Toolbar, Cloudmark Anti-Fraud Toolbar, EarthLink Toolbar, eBay Toolbar, Firefox 2, Google, GeoTrust TrustWatch Toolbar, Microsoft Phishing Filter in Windows Internet Explorer 7, Netcraft Anti-Phishing Toolbar, Netscape Browser 8.1, SpoofGuard.
• Toolbars’ methods:
  – Blacklisting
  – Check content/URL of the page
  – Machine learning
• Evaluation of accuracy:
  – 100 phishing sites
  – 516 legitimate URLs
• Evaluation of vulnerability:
  – Changing the URL
  – Increasing the page load time
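The Safe Browsing pipeline, the bypass list, and the toolbar evaluation above can be put together in a small runnable form. The following is an added example, not code from the lecture or from any of the tools named: a lexical URL classifier (logistic regression trained by plain gradient descent, standard library only) next to an exact-match blacklist, trained on a constructed set of twelve URLs. The sample URLs, the feature set, the SUSPICIOUS_TOKENS list and the 0.5 threshold are all assumptions. It shows the "changing the URL" evasion: the blacklist misses a known phishing page as soon as its URL changes, while the feature classifier still scores it.

```python
"""Added example, not from the lecture: blacklist plus URL-feature classifier,
in the style of the pipeline on the slide, trained on constructed sample URLs."""
import math
import re
from urllib.parse import urlsplit

SUSPICIOUS_TOKENS = ("login", "signin", "secure", "update", "verify", "account", "confirm")

# Constructed training set: (url, label) with 1 = phishing, 0 = legitimate.
TRAINING = [
    ("https://www.paypal.com/signin", 0),
    ("https://en.wikipedia.org/wiki/Phishing", 0),
    ("https://github.com/login", 0),
    ("https://www.bankofthewest.com/", 0),
    ("https://mail.google.com/mail/u/0/", 0),
    ("https://news.ycombinator.com/item?id=1", 0),
    ("http://192.168.13.7/paypal/login.php", 1),
    ("http://www.paypal.com@fake.example.net/", 1),
    ("http://secure-login-update.paypa1-verify.com/account/verify.php", 1),
    ("http://paypal.com.signin.account-update.info/login", 1),
    ("http://bank.login-verify-secure.biz/update/index.html", 1),
    ("http://free-iphone-giveaway.example.org/claim/verify-account.php", 1),
]


def extract_features(url):
    """Lexical features only (no crawling); every value is scaled to [0, 1]."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    text = url.lower()
    return [
        1.0,                                                          # bias
        1.0 if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else 0.0,  # raw IP host
        min(host.count("."), 5) / 5.0,                                # many labels
        1.0 if "@" in parts.netloc else 0.0,                          # userinfo trick
        min(host.count("-"), 3) / 3.0,                                # hyphenated host
        min(len(url), 100) / 100.0,                                   # long URL
        min(sum(t in text for t in SUSPICIOUS_TOKENS), 3) / 3.0,      # lure words
    ]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train(samples=TRAINING, epochs=4000, lr=1.0):
    """Batch gradient descent on the logistic loss; returns the weight vector."""
    rows = [(extract_features(u), float(y)) for u, y in samples]
    w = [0.0] * len(rows[0][0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in rows:
            err = _sigmoid(_dot(w, x)) - y
            for i, xi in enumerate(x):
                grad[i] += err * xi
        for i in range(len(w)):
            w[i] -= lr * grad[i] / len(rows)
    return w


def score(w, url):
    """Probability that url is phishing under the trained model."""
    return _sigmoid(_dot(w, extract_features(url)))


class Blacklist:
    """Exact-match URL blacklist, the weakest of the three toolbar methods."""
    def __init__(self):
        self.urls = set()

    def add(self, url):
        self.urls.add(url.lower())

    def blocks(self, url):
        return url.lower() in self.urls


def demo(threshold=0.5):
    w = train()
    bl = Blacklist()
    known = "http://secure-login-update.paypa1-verify.com/account/verify.php"
    bl.add(known)
    # "Changing the URL": same page served from a new path with a query string.
    evaded = "http://secure-login-update.paypa1-verify.com/acct/verify.php?s=7"
    training_ok = all((score(w, u) >= threshold) == bool(y) for u, y in TRAINING)
    return {
        "training_ok": training_ok,
        "blacklist_blocks_known": bl.blocks(known),
        "blacklist_blocks_evaded": bl.blocks(evaded),
        "classifier_flags_evaded": score(w, evaded) >= threshold,
    }


if __name__ == "__main__":
    print(demo())
```

The other two bypasses on the slide work the other way round: slowing page fetching and hiding the page from the crawler defeat content-based features but not these lexical ones, while an attacker who registers a short, clean-looking domain defeats the lexical features, which is why the real pipeline also crawls the page and why evaluation has to be repeated against fresh URLs.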
Phishing detection using URLs from different sources (chart)
Results
• Phishing detection depends on the freshness of the URLs
• Most tools detect phishing sites accurately only hours to days after the attack begins, but a large share of attacks happen within the first hours.
• Anti-phishing tools’ detections can easily be circumvented.
Impact of Social Network (diagram)
• Family
• Friends
• Colleague
• Friends of Friends
• We never met
Our whole life is on the internet.
Social Phishing: Jagatic et al. demonstrate the effectiveness of social phishing
Research questions:
1. How much information can you collect?
2. How valuable is it?
Research method:
A total of 1,731 Indiana University students of age 18 to 24 years were selected based on the amount of publicly available information.
After harvesting the data, the researchers conducted a phishing attack on two groups of subjects: a social network group and a control group.
Results
• Effectiveness of Social Phishing: 72%
• Effectiveness of Regular Phishing: 16%
• More effective if the sender is of the opposite sex
• Female students are more susceptible to phishing.
• Social phishing lowers people’s guard against attacks.
• Students with a technology major are less vulnerable than others.
Mule recruitment
• Proportion of spam devoted to recruitment shows that this is a significant bottleneck
• Aegis, Lux Capital, Sydney Car Centre, etc.
  – mixture of real firms and invented ones
  – some “fast-flux” hosting involved
• Only the vigilantes are taking these down
  – impersonated are clueless and/or unmotivated
• Long-lived sites usually indexed by Google
Privacy Risks at Social Network
• Thomas et al. explore how much information can be inferred about a user on a network from people in his network.
• A privacy conflict occurs when two users disagree on who can access the content.
• Two scenarios are tested (friendship and wall posts).
• Friendship:
  – Alice hides her friend list
  – Bob reveals his friend list
  – If Alice and Bob are friends, it is known from Bob.
• Wall posts:
  – Alice’s wall is private
  – Bob’s wall is public
  – Alice posts anything on Bob’s wall, everybody can see that.
  – “Skipping work with @Alice and hitting the bars at …am.”
• Three classifiers are implemented:
  – Baseline classifier:
    • Predict user’s attributes based on his own profile
  – Friend classifier:
    • Predict user’s attributes based on his friends’ profiles
  – Wall classifier:
    • Predict user’s attributes based on his wall posts on his friends’ profiles
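As an added example, not code from Thomas et al. or from the lecture, the following Python runs the friendship and wall-post scenarios and the three classifiers over a small constructed graph. Alice hides her friend list and keeps her wall private; the profiles, the posts (including a 2am bar post in the spirit of the slide) and the KEYWORDS lists are all constructed assumptions.

```python
"""Added example, not from the paper or the lecture: the friendship and wall-post
scenarios and the three classifiers, run over a constructed social graph."""
import re
from collections import Counter

# Constructed profiles. A hidden attribute is simply absent from 'attrs'.
USERS = {
    "alice": {"friends": {"bob", "carol", "dave"}, "friends_public": False,
              "wall_public": False, "attrs": {}},            # hides everything
    "bob":   {"friends": {"alice", "carol"}, "friends_public": True,
              "wall_public": True, "attrs": {"major": "cs"}},
    "carol": {"friends": {"alice", "bob", "dave"}, "friends_public": True,
              "wall_public": False, "attrs": {"major": "cs"}},
    "dave":  {"friends": {"alice", "carol"}, "friends_public": False,
              "wall_public": True, "attrs": {"major": "biology"}},
}

# Constructed wall posts: (wall owner, author, text).
POSTS = [
    ("bob", "alice", "skipping compiler lab again, hitting the bars at 2am"),
    ("bob", "alice", "anyone got the kernel homework?"),
    ("dave", "alice", "organic chem exam tomorrow, ugh"),
    ("alice", "carol", "happy birthday!"),   # on Alice's private wall: invisible
]

# Constructed keyword lists used by the wall classifier.
KEYWORDS = {"major": {"cs": {"compiler", "kernel", "code", "bug"},
                      "biology": {"chem", "cells", "organism", "genetics"}}}


def public_view():
    """What an outsider sees: only public friend lists and public walls."""
    friend_lists = {u: d["friends"] for u, d in USERS.items() if d["friends_public"]}
    posts = [p for p in POSTS if USERS[p[0]]["wall_public"]]
    return friend_lists, posts


def infer_friends(target):
    """Friendship is symmetric: every public list that names target leaks an
    edge, whatever target's own setting says."""
    friend_lists, _ = public_view()
    return {u for u, fl in friend_lists.items() if target in fl}


def baseline_classifier(target, attr):
    """Own profile only: None when the attribute is hidden."""
    return USERS[target]["attrs"].get(attr)


def friend_classifier(target, attr):
    """Majority vote over the public attribute values of the inferred friends."""
    votes = Counter(USERS[f]["attrs"].get(attr) for f in infer_friends(target))
    votes.pop(None, None)
    return votes.most_common(1)[0][0] if votes else None


def wall_classifier(target, attr):
    """Keyword hits in target's posts on other people's public walls."""
    _, posts = public_view()
    words = set()
    for _owner, author, text in posts:
        if author == target:
            words.update(re.findall(r"[a-z0-9]+", text.lower()))
    hits = {label: len(words & kw) for label, kw in KEYWORDS[attr].items()}
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else None


if __name__ == "__main__":
    print("inferred friends of alice:", sorted(infer_friends("alice")))
    for clf in (baseline_classifier, friend_classifier, wall_classifier):
        print(clf.__name__, "->", clf("alice", "major"))
```

Two things the run makes concrete: Dave's private friend list does protect the Alice–Dave edge, so Alice's privacy depends on the least careful of her friends, and Alice's private wall protects Carol's post on it but nothing Alice wrote on Bob's or Dave's public walls, which is where the wall classifier gets its evidence.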
Results (chart)
Social engineering on Social Network
• Grier et al. explored spam and phishing on Twitter
• Twitter features:
  – Twitter restricts Tweets to 140 characters
  – URLs are posted using URL shortening services
  – Mentions: @JustinBieber PLeASe FOLLOOWW Meee!!! <3333
  – Retweets: RT @…: RT this if u <3 Justin Bieber
  – Hashtags: Get free followers #FF #Follow #Justin #Bieber
• Twitter uses Google’s SafeBrowsing API to detect spam
• Spam features specific to Twitter:
  – Call outs: …% of spam
    • Win an iTouch AND an Apple gift card @victim http://spam.com
  – Retweets: …% are retweets of blacklisted URLs
    • RT @scammer: check out the iPads there having a giveaway http://spam.com
  – Tweet hijacking:
    • …% of phishing and malware retweets
  – Trend setting:
    • Buy more followers http://spam.com #fwlr
  – Trend hijacking:
    • Help donate to #Haiti relief: http://spam.com
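The spam-specific uses of Twitter features listed above can be turned into a rule check. The following Python is an added example, not Twitter's or Grier et al.'s code: it extracts mentions, the retweet prefix, hashtags and URLs from a tweet and scores the spam-specific uses of them. The SHORTENERS set, the LURES phrases, the local BLACKLIST standing in for the Safe Browsing lookup, and the sample tweets (adapted from the slide, with spam.com as a stand-in host) are assumptions; the verdict threshold of two triggered rules is a choice for the example.

```python
"""Added example, not Twitter's or the paper's code: rule checks for the
spam-specific uses of Twitter features listed on the slide."""
import re
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}      # assumption
BLACKLIST = {"spam.com"}     # local stand-in for the Safe Browsing lookup
LURES = ("free followers", "more followers", "giveaway", "gift card",
         "win a ", "win an ")                                  # assumption

URL_RE = re.compile(r"https?://\S+")
MENTION_RE = re.compile(r"@\w+")
HASHTAG_RE = re.compile(r"#\w+")


def analyze_tweet(text, trending=frozenset()):
    """Return the triggered features and a verdict for one tweet. Every rule
    needs a URL to count: spam has to send the victim somewhere."""
    lower = text.lower()
    urls = URL_RE.findall(text)
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    is_retweet = lower.startswith("rt @")
    flags = {
        "callout": bool(MENTION_RE.findall(text)) and not is_retweet,  # @victim
        "retweet": is_retweet,                                         # RT @x:
        "trend_hijack": bool({h.lower() for h in HASHTAG_RE.findall(text)}
                             & {t.lower() for t in trending}),
        "lure": any(l in lower for l in LURES),
        "shortener": bool(hosts & SHORTENERS),
        "blacklisted": bool(hosts & BLACKLIST),
    }
    score = sum(flags.values()) if urls else 0
    return {"urls": urls, "flags": flags, "score": score, "spam": score >= 2}


# Sample tweets adapted from the slide (constructed), with the trending set
# that applied at the time each was posted.
SAMPLES = [
    ("@JustinBieber PLeASe FOLLOOWW Meee!!! <3333", set()),
    ("Win an iTouch AND an Apple gift card @victim http://spam.com", set()),
    ("RT @scammer: check out the iPads there having a giveaway http://spam.com", set()),
    ("Buy more followers http://spam.com #fwlr", set()),
    ("Help donate to #Haiti relief: http://spam.com", {"#haiti"}),
    ("Help donate to #Haiti relief: http://www.redcross.org/", {"#haiti"}),
]


def run_samples():
    """Verdict per sample, in SAMPLES order."""
    return [analyze_tweet(t, trending)["spam"] for t, trending in SAMPLES]


if __name__ == "__main__":
    for (text, trending), verdict in zip(SAMPLES, run_samples()):
        print("SPAM " if verdict else "ok   ", text)
```

The last two samples are the interesting pair: the same trend-hijacking text is spam or a legitimate relief appeal depending only on where the URL goes, so the tweet-level features alone decide nothing and the URL lookup is what the slide says Twitter actually relies on. The fan tweet and a URL-less "free followers" tweet score zero by construction, which is the rule's blind spot.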
Results
• More than 90% of users visit spam sites before they are blacklisted
• The vast majority of URLs receive no clicks, but those that do accumulate over a million visitors
• The most used Twitter feature is current trends
• Successful spam accounts are compromised accounts and the number of followers in that account
Open Problems
• Improve detection and prevention
• Usability and psychology
• Privacy
Prevention and Detection
• Improving detection rate at the early stage of the attack
• No detection method for targeted attack
• No detection method for false information, hoaxes, fake accounts
Usability and Psychology
• Asymmetry in usability
  – How to detect hoaxes and false information
• Understand users’ mental model
• Study of users’ bias
Privacy
• Importance of private information
• How to improve privacy
Questions?
References
• Koobface: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the-real-face-of-koobface-jul2009.pdf
• http://www.social-engineer.org/