Usability and Psychology

Usability and Psychology - Drexel CCIgreenie/cs475/CS475-15-02.pdf · program PGP – showed that 90% of users couldn’t get it right give 90 minutes • Private / public, encryption

Privacy and Security Concerns

• Google buzz abusive ex

• Choicepoint mafia data selling

• Yahoo Chinese activist

• Health status insurance and employment discrimination

• Children online

• Browser/pdf/flash/OS vulnerabilities - most systems can be casually compromised

• Strong underground economy in malware/SPAM/DDOS/phishing

• (Nearly?) All Internet systems vulnerable to targeted attack

Web Infections aka Drive-By Downloads

Internet users can be infected simply by viewing a compromised website.

Usability and Psychology

• ‘Why Johnny Can’t Encrypt’ – study of encryption program PGP – showed that 90% of users couldn’t get it right given 90 minutes

• Private / public, encryption / signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever

• Security is hard – unmotivated users, abstract security policies, lack of feedback …

• Much better to have safe defaults (e.g. encrypt and sign everything)

• But economics often push the other way …

Hypotheses

• Data security and privacy are really hard, we are failing despite high investment

• No one cares about security and privacy, so the invisible hand reflects that

• Something is wrong with the market for data privacy and security

Hypotheses

• Data security and privacy are really hard, we are failing despite high investment

– Many things we’re not doing (cryptography, extensive code review, self insurance, etc)

– Software security knowledge is located precisely nowhere a developer spends their time. (1raindrop)

• No one cares about security and privacy, so the invisible hand reflects that

• Something is wrong with the market for data privacy and security

Hypotheses

• Data security and privacy are really hard, we are failing despite high investment

• No one cares about security and privacy, so the invisible hand reflects that

– People say they care

– Argument that “rational actors ought to care”

• Something is wrong with the market for data privacy and security

Hypotheses

• Data security and privacy are really hard, we are failing despite high investment

• No one cares about security and privacy, so the invisible hand reflects that

• Something is wrong with the market for data privacy and security

Market Failures

• Markets work when people have incentives to do the “right” thing

• How can they fail?

– Externalities

– Asymmetric/Imperfect Information

– Bounded rationality

• All present in information security and privacy!

Externalities

• Occur when decisions cause external costs or benefits to stakeholders who did not directly affect the transaction

Externalities in Web Infections

• Web infections typically affect the end users (browsers)

– Often don't know that they are infected

– If they do, they don't know why

• No incentive for sites to do the right thing

– Some evidence to suggest overt security measures actually reduce customer confidence

– Revealing infections can only harm companies' brands and reputations

• Most harm is even further removed

– Attacks carried out / phishing sites hosted / SPAM sent from infected machines

Adverse Selection: Akerlof’s Market for Lemons

• Comes from analysis of Used Car market

• Hidden characteristics: Buyer doesn't know if the car they are buying is good or a 'lemon'

• Seller does have this information

• Given uncertainty – buyer will not pay much

• Result: Adverse Selection, sellers won't sell good cars (can't get a good price) only lemons

• Solution: Reduce customer uncertainty (Independent Inspections, Guarantees, etc)

Asymmetric Information in Web Insecurity

• End user doesn't know if site they visit is safe or attacking them

• Hosting provider doesn't know if webmaster is incompetent or malicious

• Webmasters don't know if hosting provider is secure

Adverse selection: takes resources to be secure, so why bother if no one can notice?

Bounded Rationality

• Market assumes not only perfect information, but also perfect rationality

• Reality - Behavioral distortions

• Humans bad at assessing risk

• Tend to pick the first reasonable sounding option, not weigh all costs

• Coherent arbitrariness

• Hyperbolic discounting

Consumer Webmasters

• Most webmasters are not tech geeks

• Just want things to work

• Use off the shelf software

• Do not believe they are infected

• Do not know how to evaluate security properties of hosting providers (or that they should)

• Can not identify or remove malware

Security Decisions

Choose a password

Allow user bob access?

Make a firewall exception?

Share this piece of personal information?

Trust this site?

Run this script?

Write about my diagnosis on the forum?

Open this email?

Install this software?

Buy from alice?

Plug Carol’s usb key into my laptop?

Drop this packet?

Hard for Machines and Humans

• Context-dependent

• Require specialized knowledge

• Dynamic: sophisticated adversaries and emerging threats

• Complex risk analysis requiring

– Large knowledge base and rationality

Usability and Psychology (2)

• 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter)

• 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down?

• Our 1998 password trial: control group, versus random passwords, versus passphrase

• The compliance problem; and can someone who chooses a bad password harm only himself?

Network Security Attacks

Network attacks are of three types:

• Physical attacks

– target the computers, wires, and electronics

• Syntactic attacks

– target the operating logic of computers and networks, software vulnerabilities

• Semantic attacks

– target humans

Social Engineering

• Social Engineering is the process of exploiting people through social interactions to obtain sensitive information.

• Examples of these attacks:

– Spam/phishing with/without malicious attachment

– Internet Fraud

– Business scheme

Who are vulnerable

• Nigerian scam

• False/fake news

• Fake profiles on social network

Yearly Dollar Loss (in millions) in Internet Fraud

Why social engineering works

• Psychology

• Usability

• Economics of Information Security

Psychology

• Trust in authority

• Scarcity

• Personalization

• Persuasion

• Capture errors

• Social proof

Usability

• Dhamija et al. conduct a usability study to test the hypotheses

– Lack of understanding about Internet

– Visual deception:

  • www.paypal.com@fake.com

– Bounded attention

• 22 participants are shown 20 web sites and asked to distinguish the fraud sites from the real ones

– 7 real, 9 phishing, 3 constructed phishing, 1 forged SSL
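The visual-deception URL on this slide, www.paypal.com@fake.com, works because everything before the `@` is userinfo and the browser connects to fake.com. The check below is an added example, not part of the original slides; it reports the effective host and flags that pattern. The protected-domain list and the brand-in-subdomain check are assumptions that go beyond the slide's single case.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains whose look-alikes we want to catch.
PROTECTED_DOMAINS = ("paypal.com",)


def deception_flags(url):
    """Return (effective_host, flags) for a URL as a browser would resolve it.

    effective_host is where the connection really goes; flags name the
    visual-deception patterns found in the authority part of the URL.
    """
    if "://" not in url:
        url = "http://" + url  # the slide writes the URL without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Everything before the last '@' in the authority is userinfo, not a host.
    userinfo = parts.netloc.rpartition("@")[0].lower()
    flags = []

    if "@" in parts.netloc:
        flags.append("userinfo-present")
        if "." in userinfo:
            flags.append("userinfo-looks-like-host")

    for brand in PROTECTED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            continue  # genuinely on the protected domain
        if brand in userinfo:
            flags.append("brand-in-userinfo:" + brand)
        if brand in host:
            flags.append("brand-in-foreign-host:" + brand)
    return host, flags


# Constructed sample URLs; only the first one appears on the slide.
SAMPLES = [
    "www.paypal.com@fake.com",
    "https://www.paypal.com/signin",
    "http://paypal.com.fake.com/login",
    "http://fake.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, flags = deception_flags(sample)
        verdict = ", ".join(flags) if flags else "no deception pattern"
        print(f"{sample:38} -> host={host:22} {verdict}")
```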

Result Summary

– 90% of people trust sites based on the look.

– 9% (2) of participants checked URLs and also checked the certificate that was presented.

– Two participants in the study said that they would only question a website's legitimacy if more than the username and password was requested.

• Schechter et al. perform a usability study of website authentication measures:

• Will customers of an online bank enter their passwords even if

– their browsers' HTTPS indicators are missing?

– their site-authentication images are missing?

– they are presented with an IE7 warning page?

Results

• All participants entered passwords without https

• 97% entered passwords without site authentication images

• 57% entered passwords in spite of the warning page

Economics of Information Security

• Security investment:

– what is the optimal amount of investment for information security for a given company?

• Security as externality:

• Incentive misalignment

– Anderson and Moore indicate that incentive misalignment significantly undermines information

Countermeasures

• Technical: only for phishing, malware, spam

• Legal

• Education and awareness

Google Safe Browsing API

[Flowchart; box labels as extracted: Extract features from URL; Obtain domain information and crawls the page; Assign the page a score; Blacklist the page; If score > threshold; Collect spam URLs from Gmail; Classifier; Train the classifier]

• Phisher can bypass the system:

– By disguising as a non-phishing page

– By manipulating the training classifier

– By slowing down page fetching

– By hiding the phishing page from Google

Evaluation of tools

• 10 Anti-phishing tools examined are CallingID Toolbar, Cloudmark Anti-Fraud Toolbar, EarthLink Toolbar, eBay Toolbar, Firefox 2/ Google, GeoTrust TrustWatch Toolbar, Microsoft Phishing Filter in Windows Internet Explorer 7, Netcraft Anti-Phishing Toolbar, Netscape Browser 8.1, SpoofGuard.

• Toolbars method:

– Blacklisting

– Check content/URL of the page

– Machine learning

• Evaluation of accuracy:

– 100 phishing sites

– 516 legitimate URLs

• Evaluation of vulnerability:

– Changing the URL

– Increasing the page load time

Phishing detection using URLs from different sources

Results

• Phishing detection depends on the freshness of the URLs

• Most tools detect phishing sites accurately after 12 or 24 hours, but more than 70% of attacks happen within the first 12 hours.

• Anti-phishing tools' detection can easily be circumvented.

Impact of social network

Family

Friends

Colleague

Friends of Friends

We never met

Our whole life is on the internet!

Social Phishing

Jagatic et al. demonstrate the effectiveness of social phishing

Research questions:

1. How much information can you collect?

2. How valuable are they?

Research method:

A total of 1,731 Indiana University students of age 18 to 24 years are selected based on the amount of publicly available information

After harvesting the data, the researchers conduct a phishing attack on two groups of subjects: social network group and control group.

Results

• Effectiveness of Social Phishing: 72%

• Effectiveness of Regular Phishing: 16%

• 15% more effective if the sender is of opposite sex

• Female students are more susceptible to phishing.

• Social phishing lowers people's guard against attacks.

• Students with technology major are less vulnerable than others.

Mule recruitment

• Proportion of spam devoted to recruitment shows that this is a significant bottleneck

• Aegis, Lux Capital, Sydney Car Centre, etc–mixture of real firms and invented ones–some “fast-flux” hosting involved

• Only the vigilantes are taking these down–impersonated are clueless and/or unmotivated

• Long-lived sites usually indexed by Google

Privacy Risks at Social Network

• Thomas et al. explore how much information can be inferred about a user on social network from people in his network.

• A privacy conflict occurs when two users disagree on who can access the content.

• Two scenarios are tested: friendship and wall posts.

• Friendship:

– Alice hides her friendlist

– Bob reveals his friendlist

– If Alice and Bob are friends, it is known from Bob.

• Wall posts:

– Alice's wall is private

– Bob's wall is public

– If Alice posts anything on Bob's wall, everybody can see it.

– Skipping work with @Alice and hitting the bars at 9am.

• Three classifiers are implemented:

– Baseline Classifier:

  • Predict user's attributes based on his own profile

– Friend Classifier:

  • Predict user's attributes based on his friends' profiles

– Wall Classifier:

  • Predict user's attributes based on his wall posts on his friends' profiles

Results

Social Engineering on Social Network

• Grier et al. explored spam and phishing on Twitter

• Twitter features:

– Twitter restricts Tweets to 140 characters

– URLs are posted using URL shortening services

– Mentions: @justinbieber PLEASE FOLLOOWW MEEE!!! <3333

– Retweets: RT @JBieberCrewz: RT this if u <3 justin bieber

– Hashtags: Get free followers #FF #Follow Justin Bieber

• Twitter uses Google's Safebrowsing API to detect spam

• Spam features specific to Twitter:

– Call outs: 3.5-10% of spam

  • Win an iTouch AND a $150 Apple gift card @victim! http://spam.com

– Retweets: 1.8-11.4% are retweets of blacklisted URLs

  • RT @scammer: check out the Ipads there having a giveaway http://spam.com

– Tweet hijacking:

  • 23% of phishing and malware retweets

– Trend setting:

  • Buy more followers! http://spam.com #fwlr

– Trend hijacking:

  • Help donate to #haiti relief: http://spam.com

Results

• 90% of users visit spam sites before they are blacklisted

• 97.7% of URLs receive no clicks, but those that do accumulate over 1.6 million visitors

• The most used Twitter feature is current trends

• Successful spam accounts are compromised accounts and number of followers in that account

Open Problems

• Improve detection and prevention

• Usability and psychology

• Privacy

Prevention and Detection

• Improving detection rate at the early stage of the attack

• No detection method for targeted attack

• No detection method for false information, hoaxes, fake accounts

Usability and Psychology

• Asymmetry in usability

– How to detect hoaxes and false information

• Understand user's mental model

• Study of user's bias

Privacy

• Importance of private information

• How to improve privacy

Questions?
