
Jason I. Hong

Human Computer Interaction, Security, and Privacy

Everyday Security Problems

Everyday Security is Important

• People increasingly asked to make trust decisions
– Open this email attachment?
– Install and run this software?
– Enter username and password?

• Consequence of a wrong trust decision can be dramatic
– Spyware
– Malware (viruses, worms)
– Identity theft

• But these trust decisions are only part of the bigger picture of usable privacy and security…

Costs of Unusable Security & Privacy High

• Still lots of unpatched Windows machines
• Phishing web sites increasing by 28% each month
• Lots of PCs infected with spyware (avg. = 25)
• Users have more passwords than they can remember, and practice poor password security
• Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

Grand Challenge

“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”

- Computing Research Association 2003

Good Usability is Key

• Take the unpatched machines: a design / implementation failure, but…
– Not man-in-the-middle
– Not an encryption failure
– A lot of people don’t realize you have to keep the system up to date

Good Usability is Key (cont.)

• Take phishing: SSL, email headers, certificates, URLs are pretty much all in place
• A lot of people still fall for simple attacks, just straight email
– Don’t realize mail is spoofable
– Can’t differentiate fake sites from real web sites

Main Points of Today’s Talk

• People are a critical and often overlooked aspect of the systems we design

• We need to design systems that mesh well with people’s existing knowledge and abilities

• Otherwise, your security mechanisms will be:
– Overlooked (leading people to do “the wrong thing”), or
– Subverted (so people can get their work done)

Outline

• Whirlwind Overview of HCI-Security
– Passwords
– File permissions
– Web

• Design Guidelines


Passwords: Typical Advice

• Pick a hard to guess password
• Don’t use it anywhere else
• Change it often
• Don’t write it down

• Implications?

Many Homes and Offices

Bank = b3aYZ
Amazon = aa66x!
Phonebill = p$2$ta1
Work = xyzzy123

Solutions?

• Password Keeper Software
– Run on PC, in web browser, or handheld
– Only remember one password

• Single sign-on
– Login once to get access to all your passwords

• PwdHash Web Browser plug-in (Stanford)
– User only needs to remember one password
– Automatically hashed per web site, so each site gets a different password and a password phished on one site does not work on another
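As an added illustration of the PwdHash idea (this is not the Stanford plug-in’s code): the master password keys an HMAC over the host name of the site being visited, so the same master yields a stable password per site and a different one on a look-alike phishing host. HMAC-SHA256 and the simple host-name canonicalisation are assumptions here; the real PwdHash used HMAC-MD5 and did more careful domain normalisation.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Printable output alphabet; most sites accept letters and digits.
ALPHABET = string.ascii_letters + string.digits


def site_key(url: str) -> str:
    """Reduce a URL to the host the browser is actually talking to.

    Assumption: the full host name is the key. PwdHash proper strips
    prefixes such as "www.", which this illustration does not, so
    "www.bank.example" and "bank.example" derive different passwords here.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def site_password(master: str, url: str, length: int = 12) -> str:
    """Derive a per-site password from a single master password.

    The master password is the HMAC key and the site host is the message:
    a password captured on bank-example.net is useless at bank.example and
    reveals nothing about the master password.  HMAC-SHA256 is an
    assumption (the original PwdHash used HMAC-MD5).
    """
    digest = hmac.new(master.encode("utf-8"),
                      site_key(url).encode("utf-8"),
                      hashlib.sha256).digest()
    # Map digest bytes onto the alphabet.  The modulo introduces a slight
    # bias, acceptable for an illustration but not for production use.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


if __name__ == "__main__":
    master = "correct horse battery"          # the one password the user remembers
    for url in ("https://www.bank.example/login",
                "https://www.bank.example/account",
                "https://www.bank-example.net/login"):   # look-alike phishing host
        print(f"{url:45} -> {site_password(master, url)}")
```

The first two URLs print the same password because they share a host; the look-alike host prints a different one, which is the whole point of keying on the domain rather than on anything the page itself controls.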

Biometrics

Graphical Passwords

“Forgotten Password” Mechanism

• Email password or magic URL to address on file
• Challenge questions

For all practical purposes, this is the standard way to access infrequently used sites, so it is an authentication path in its own right: emailing the password itself means the site stores it in recoverable form, and a magic URL is only as strong as the unguessability and lifetime of its token.
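An added example (not from the talk) of what a magic-URL reset needs to get right once you accept that it is a login path: a random token, only its hash kept server-side, single use, and a short lifetime. The 15-minute window, the in-memory store and the `/reset` endpoint name are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a 15-minute window


class ResetLinks:
    """Issue and redeem 'magic URL' tokens for a forgotten-password flow.

    Points the slide leaves implicit:
      * the token is random (secrets), not derived from user name or time;
      * only a hash of the token is stored, so a leaked table cannot be
        turned into working links;
      * a token is single use and expires.
    The dict stands in for a database table (assumption).
    """

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # token hash -> (user, expiry)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a token for `user`; the raw token goes only into the e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        self._pending[self._fingerprint(token)] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user, or None if the token is unknown, already
        used, or expired.  The entry is removed on the first attempt either
        way, so a token can never be replayed."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if now > expires_at:
            return None
        return user


def reset_url(base: str, token: str) -> str:
    """Build the link to e-mail.  The /reset path is a hypothetical endpoint."""
    return f"{base}/reset?token={token}"


if __name__ == "__main__":
    links = ResetLinks()
    t = links.issue("alice")
    print("mail this:", reset_url("https://site.example", t))
    print("first use :", links.redeem(t))     # alice
    print("second use:", links.redeem(t))     # None
```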

Summary: Solving the password proliferation problem

• Existing solutions (password keepers and fingerprint readers) let users cope, but still have problems

• Graphical passwords look promising, but more research needed

• Need to think about solutions that eliminate passwords altogether

File Permissions

• Rob Reeder and Roy Maxion (here at CMU)

• Old MS Windows file sharing UI

• Let’s say you wanted to make sure user Alice couldn’t see your files
– (or, say, keep unscrupulous Republican aides from seeing your files)

Steps to Check Permissions

Salmon User Interface

• Add users you are interested in seeing or modifying permissions for
• Expand file permissions
– (Turns out that in user studies, some people didn’t realize Change Permissions and Take Ownership also had to be changed: a user who keeps either one can simply grant Read back to themselves)
– Still a lot of permissions, perhaps collapse into the most important
• Preview effects of permissions before making changes
• Shows effective permissions after merging all user and group permissions
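Added example (not Salmon’s code) of the “effective permissions” computation the interface shows, plus the check the user studies showed people needed: merging user and group entries, then asking whether a Read denial is undone by a leftover Change Permissions or Take Ownership right. The ACL model is a simplification in which any deny beats any allow regardless of order; real NTFS DACLs are order-sensitive and treat inherited entries separately (assumption).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence

RIGHTS = frozenset({"Read", "Write", "Delete", "ChangePermissions", "TakeOwnership"})
# Either of these lets a user rewrite the ACL (directly, or by becoming owner
# first), so they silently undo any Read denial.
ESCALATION_RIGHTS = frozenset({"ChangePermissions", "TakeOwnership"})


@dataclass(frozen=True)
class Ace:
    """One access-control entry: allow or deny a set of rights to a user or group."""
    principal: str
    allow: bool
    rights: FrozenSet[str]


def effective_rights(user: str, groups: Dict[str, Sequence[str]],
                     acl: Iterable[Ace]) -> FrozenSet[str]:
    """Merge every ACE that applies to the user directly or via group membership.

    Assumption: simplified NTFS-style semantics, any deny beats any allow
    whatever the ACE order.  The merge, not the ordering rules, is the point.
    """
    principals = {user, *groups.get(user, ())}
    allowed: set = set()
    denied: set = set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def can_regain_access(user: str, groups: Dict[str, Sequence[str]],
                      acl: Iterable[Ace]) -> bool:
    """The user-study finding as a check: a Read denial is hollow while the
    user still holds ChangePermissions or TakeOwnership."""
    return bool(effective_rights(user, groups, acl) & ESCALATION_RIGHTS)


def lock_out(user: str, acl: Sequence[Ace]) -> List[Ace]:
    """Return a new ACL that really keeps `user` out: deny every right, not just Read."""
    return [*acl, Ace(user, False, RIGHTS)]


# Constructed sample: a file everyone may use, and an attempt to keep Alice out
# that only touches Read (what most study participants did).
GROUPS = {"alice": ["Everyone", "Staff"], "bob": ["Everyone"]}
ACL = [
    Ace("Everyone", True, RIGHTS),
    Ace("alice", False, frozenset({"Read"})),
]

if __name__ == "__main__":
    print("alice effective:", sorted(effective_rights("alice", GROUPS, ACL)))
    print("alice can regain access:", can_regain_access("alice", GROUPS, ACL))
    fixed = lock_out("alice", ACL)
    print("after lock_out:", sorted(effective_rights("alice", GROUPS, fixed)),
          "regain:", can_regain_access("alice", GROUPS, fixed))
```

Run as-is, the first line shows Alice without Read but still holding ChangePermissions and TakeOwnership, which is exactly the state that looked “done” to participants in the old Windows dialog; a preview like Salmon’s would surface the second line before the change is committed.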

Kazaa File Sharing Study

• Good and Krekelberg, CHI 2003
• Given an arbitrary setup of Kazaa, would people be able to understand what files could in theory be downloaded by others?


Kazaa File Sharing Study

• Three main problems with the Kazaa UI
– Downloaded files folder is also the shared folder
• Users have to realize this, or very bad things happen
– Kazaa recursively shares folders
• Again, users have to know this beforehand
– Inconsistent views
• Two UIs for doing similar tasks, but they show different information about the state of the system

Kazaa File Sharing Study

• 12 users, 10 had used file sharing before
• Task: figure out what files are being shared by Kazaa
– Download folder set to C:\ (i.e., every file on hard drive C: is shared)

• Results
– 5 people thought it was “My Shared Folder”
• which is what one UI did suggest
– 2 people used Find Files to find all shared files
• This UI had no files checked, so they concluded nothing was shared
– 2 people used help, said “My Shared Folder”
– 1 person couldn’t figure it out at all
– Only 2 people got it right
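Added example, not Kazaa’s code: a model of the two sharing rules the study found users did not know about (the download folder is always shared, and sharing is recursive), next to the “naive view” most participants held. The difference between the two sets is the invisible state a UI would have to show. The sample disk contents are constructed.

```python
from pathlib import PureWindowsPath
from typing import Iterable, Set


def shared_files(files: Iterable[str], shared_folders: Iterable[str],
                 download_folder: str, recursive: bool = True) -> Set[str]:
    """Return every file the client would offer to other peers.

    Models the two rules from the study:
      * the download folder is always shared, whether or not it is listed;
      * sharing is recursive, so everything beneath a shared folder is shared.
    """
    roots = [PureWindowsPath(f) for f in shared_folders]
    roots.append(PureWindowsPath(download_folder))
    shared: Set[str] = set()
    for name in files:
        path = PureWindowsPath(name)
        if any(path.parent == r or (recursive and r in path.parents) for r in roots):
            shared.add(name)
    return shared


def naive_view(files: Iterable[str], shared_folders: Iterable[str]) -> Set[str]:
    """What most participants assumed: only files sitting directly in the
    folders they explicitly listed."""
    roots = {PureWindowsPath(f) for f in shared_folders}
    return {n for n in files if PureWindowsPath(n).parent in roots}


def unexpectedly_shared(files: Iterable[str], shared_folders: Iterable[str],
                        download_folder: str) -> Set[str]:
    """The gap between reality and the naive view: what a UI must make visible."""
    files = list(files)
    return (shared_files(files, shared_folders, download_folder)
            - naive_view(files, shared_folders))


# Constructed sample disk (paths are illustrative).
DISK = [
    r"C:\Program Files\Kazaa\My Shared Folder\song.mp3",
    r"C:\Program Files\Kazaa\My Shared Folder\videos\clip.avi",
    r"C:\Documents and Settings\alice\My Documents\taxes-2002.xls",
    r"C:\Documents and Settings\alice\Inbox.pst",
]
SHARED = [r"C:\Program Files\Kazaa\My Shared Folder"]

if __name__ == "__main__":
    print("default setup, hidden extras:", unexpectedly_shared(DISK, SHARED, SHARED[0]))
    # The study's setup: download folder pointed at the root of the drive.
    print("download folder = C:\\ shares:", sorted(shared_files(DISK, SHARED, "C:\\")))
```

With the download folder set to `C:\`, as in the study, every file on the drive comes back shared, including the mailbox and the spreadsheet, while the naive view still reports only the one file in “My Shared Folder”.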

Summary: File Sharing

• Understanding what is and isn’t being shared is difficult
– But can lead to bad situations
– Need to make an “invisible” aspect of the system “visible”

• Need to make controls simple
• Need to provide useful feedback

• More on this in the Design part of talk…


User Conceptions of Web Security

• Friedman et al., CHI 2003
• What do people think the lock icon in browsers means?

• Survey of 72 people
– 24 rural Maine
– 24 suburban NJ
– 24 high-tech CA

User Conceptions of Web Security

• Recognize a secure connection vs. non-secure
– About half could (https, lock icon)

• Participants asked to draw a secure connection
– ~40% got a “right” answer
– 14% thought of it as a secure place rather than secure in transit
• Ex. data safe on the server and protected by a firewall

• High-tech people not always accurate

Web Cookies

• Cookies are small pieces of data a web site stores in the browser and gets back on later requests
– Session state, personalization, tracking, etc.

• Can also be a privacy risk
– DoubleClick, web bugs (tiny tracking images)

• Public understanding of cookies and their implications slowly growing

Providing Better Awareness

Acumen Collaborative Filtering

Summary: Web

• Users’ conceptions of security don’t always match system designers’

• Current browser cookie interfaces still don’t make sense to users

• New approaches should be explored and tested
– Make cookies more visible
– Use community recommendations to manage cookies


Design Guidelines

• Whole courses you can take

• Two parts today:
– General human-computer interaction (most)
– Specific to HCI-security (unfortunately short)

HCI Approach to UI Design

[Diagram: Design at the center, surrounded by Technology, Humans, Tasks, and Organizational & Social Issues]

• Other considerations we won’t look at
– Business models, level of fun

Myths about Good Design

• Myth 1: Good design is just common sense
– why are there so many bad web sites? hard to use apps?

• Myth 2: Only experts create good designs
– experts are faster, but this material is about simple and effective techniques anyone can apply

• Myth 3: We can fix the user interface at the end
– good design is more than just the user interface
– having the right features, building those features right

• Myth 4: Good design takes too long / costs too much
– simple and effective techniques can reduce total development time & cost (finds problems early on)

Myths about Good Design (cont.)

• Myth 5: Good design is just cool graphics
– graphics are part of a bigger picture of what to communicate & how

• Myth 6: Customers can rely on documentation & help
– help is the last resort of a frustrated customer

• Myth 7: Marketing takes care of understanding customer needs
– does not help you understand behavior
– what people say vs. what they do and what they actually need

• Myth 8: Quality Assurance ensures our product works
– QA makes sure the product meets specification, not what happens w/ real customers on real problems

Who Builds User Interfaces?

• A team of specialists (ideally)
– graphic designers
– interaction / interface designers
– information architects
– technical writers
– marketers
– test engineers
– usability engineers
– software engineers
– users

How to Design and Build UIs

• User interface design process
• Usability goals
• User-centered design
• Task analysis & contextual inquiry
• Rapid prototyping
• Evaluation
• Programming

[Diagram: design process, based on a slide by Sara Redpath, IBM & Thyra Trauch, Tivoli]

Inputs (Customers, Products, Business, Marketing):
– Customers: roles (who), tasks (what), context (stories)
– Marketing: business priorities, messages
– Technology: products, architecture
– Design: leading / competing technologies

• Design Discovery → Design Definition: design problem statement, targeted user roles (who), targeted user tasks (what), design direction statements
• Design Exploration → Proposal: demos / lo-fi prototypes (how), storyboard
• Evaluate → Evaluate with customers
• Execute → Specification: hi-fidelity, refined design, based on customer feedback, with a foundation in product reality, and a refined design description; work together to realize the design in detail

Review & iterate.

User Interface Development Process

[Diagram: Design → Prototype → Evaluate, with iteration at every stage!]

Design

• Design is driven by requirements
– what the artifact is for
– not how it is to be implemented
– e.g., PDA not as important as “mobile” app.

• A design represents the artifact
– for UIs these representations include (?)
• screen sketches or storyboards
• flow diagrams / outline showing task structure
• executable prototypes
– representations simplify

Example task outline:
Write essay
    start word processor
        find word processor icon
        double click on icon
    write outline
        write down high-level ideas
    fill out outline
    ...

Web Design Representations

• Site Maps
• Storyboards
• Schematics
• Mock-ups

Usability Goals?

According to the ISO (ISO 9241-11): the effectiveness, efficiency, and satisfaction with which specified users achieve specified goals in particular environments

• This does not mean you have to create a “dry” design or something that is only good for novices – it all depends on your goals

Usability Goals

• Learnable
– faster the 2nd time & so on
• Memorable
– from session to session
• Flexible
– multiple ways to accomplish tasks
• Efficient
– perform tasks quickly
• Robust
– minimal error rates
– good feedback so the user can recover
• Pleasing
– high user satisfaction
• Fun

• Set goals early & later use them to measure progress
• Goals often have tradeoffs, so prioritize
• Example goals

User-centered Design

• Cognitive abilities
– perception
– physical manipulation
– memory
• Organizational / job abilities

• Keep users involved throughout
– developers working with target users
– think of the world in users’ terms
– understanding the work process
– not technology-centered / feature driven

• Observe existing work practices
• Create examples and scenarios of actual use
• “Try out” new ideas before building software


Task Analysis & Contextual Inquiry

Rapid Prototyping

Fantasy Basketball

• Build a mock-up of the design so you can quickly test

• Low fidelity techniques
– paper sketches
– cut, copy, paste

• Interactive prototyping tools
– HTML, Visual Basic, HyperCard, Director, Flash, DENIM, etc.

• UI builders
– Visual Studio .NET, JBuilder…

Low-fi Sketches & Storyboards

ESP

Evaluation

• Test with real users (participants)
– w/ interactive prototype
– low-fi with paper “computer”

• Build models
– GOMS

• Low-cost techniques
– expert evaluation
– walkthroughs
– online testing

Conducting a Test

Conceptual Models

• Mental representation of how an object works & how interface controls affect it

• People may have preconceived models that are hard to change
– (4 + 5) vs. (4 5 +): infix vs. RPN calculators
– dragging to trash?
• deletes a file but ejects a disk

• Interface must communicate the model
– visually
– online help and documentation can help, but shouldn’t be necessary

Refrigerator

Problem: freezer too cold, but fresh food just right

Refrigerator Controls

What is your conceptual model?

Normal settings: C and 5
Colder fresh food: C and 6-7
Coldest fresh food: B and 8-9
Colder freezer: D and 7-8
Warmer fresh food: C and 4-1
OFF (both): 0

[Two dials: A B C D E, and 7 6 5 4 3]

A Common Conceptual Model

[Diagram: independent controls, one dial per cooling unit, one cooling unit per compartment]

• Now can you fix the problem?
• Possible solutions
– make controls map to the user’s model
– make controls map to the actual system

Actual Conceptual Model

[Diagram: a single cooling unit shared by both compartments, so the two dials are not independent]

• Users get their model from experience & usage
– through the system image

• What if the two models don’t match?

[Diagram: Design Model → System Image → User Model]

Conceptual Model Mismatch

• Mismatch between designer’s & user’s conceptual model leads to…
– Slow performance
– Errors
• And inability to recover
– Frustration
– ...

HCI-Security

• Make it “just work”
– Invisible security
– Ex. SSL, HTTPS

• Train the user
– Ex. Corporate training, military
– Unlikely for consumers, however

• Make security and privacy understandable
– Make it visible
– Make it intuitive
– Use metaphors that users can relate to

HCI-Security

• Developers should not expect users to make decisions they themselves can’t make

1. Get the defaults right

2. “Present choices, not dilemmas”
– Chris Nodder (in charge of user experience for XP SP2)

Firefox security assumptions

1. Users want to believe that their products are keeping them secure.

2. Users do not want to be responsible for, nor concern themselves with, their own security.

3. We know more about security than our users do.

- Blake Ross

Optimistic vs Pessimistic Security

• Pessimistic Security tries to prevent problems
– Ex. Access control lists
– Basically anything that needs lots of configuration up front

• Optimistic Security tries to detect problems and fix them afterwards
– Ex. Emergency rooms
– Ex. Some help desks
– Ex. AT&T Friend Finder

• Which to use depends on your goals, needs, and risks

Main Points of Today’s Talk

• People are a critical and often overlooked aspect of the systems we design

• We need to design systems that mesh well with people’s existing knowledge and abilities

• Otherwise, your security mechanisms will be:
– Overlooked (leading people to do “the wrong thing”), or
– Subverted (so people can get their work done)

Further Reading

http://cups.cs.cmu.edu/soups/

General HCI: Empathy

• Let’s say you’re an engineer
• Developed a great VCR
– Uber-remote control
– High fidelity
– The whole works!

• However, complaints start coming in…
– Can’t figure out how to record something
– Can’t figure out how to view TV channels when the VCR is on
– Can’t figure out how to change the clock time

• Natural engineer reaction?

They must be stupid!

General HCI: Empathy (cont.)

• Suppress this, and see things from their point of view
• Slashdot, help desk jokes, etc.
– Naïve users
– Naïve brain surgeon?

• We are designing systems for people
• We want to see our systems succeed
• Can be a painful process, but empathy and respect for users are necessary to good design