Jason I. Hong January 31, 2006 Usable Privacy and Security


Presentation Transcript


  1. Chameleon and Kazaa
     Jason I. Hong, January 31, 2006, Usable Privacy and Security

  2. Chameleon Overview
     • Motivation
       • Minimize damage done by malware (viruses, worms)
     • Insights
       • Access control useful but too hard for typical user
       • Leverage physical metaphor in home (plumber vs accountant)
     • Key Ideas
       • Compartmentalize things into a few basic roles
       • Coarse-grained access control
       • Provide a user interface that makes it easy to understand and work with these roles

  3. Stepping Back, Bigger Picture
     • Kind of paper:
       • Design proposal introducing new user interface metaphor
       • Several user evaluations of design
     • Usable Privacy and Security themes:
       • Make it invisible
       • Make it understandable (better metaphors, visibility)
       • Train the users

  4. Stepping Back, Bigger Picture
     • Embodies good usability practices
       • Lo-fi paper prototypes
       • Iterative design (paper, VBasic, interactive version)
       • User studies throughout
     [Figures: Example from iteration 1; Example from iteration 2]

  5. Lo-Fi Prototype

  6. Interactive Prototype
     [Figure labels: Comm. apps; Testing app; Internet app]

  7. Roles, A Short Digression
     • Role-based access control (RBAC)
       • http://csrc.nist.gov/rbac
       • Roles are created for various job functions in an org
       • Users assigned roles based on their responsibilities
       • Users can be easily reassigned from one role to another
       • Roles can be granted new permissions (or revoked)
     • Example roles:
       • Specific tasks: physician, doctor
       • Authority: project manager
       • Specific duties: duty physician, shift manager

  8. Standard Roles in Chameleon
     • Five standard roles
       • Vault - Most sensitive data
       • Communications - Email, IM, Web
       • Default - No network restrictions
       • Testing - Untrusted, no net
       • System - Operating system

  9. Standard Set of Roles
     • Mixed metaphors, not quite everyday roles:
       • Vault – a device for physically safeguarding important stuff
       • Communications – a collection of unrelated apps for communicating with people
       • Testing – ???

  10. Standard Set of Roles
     • Explaining to people what role they are in
       • Window borders subtle and easy to miss
       • Desktop combines multiple roles simultaneously
     • Very hard, could be Achilles’ heel

  11. More Thoughts on Chameleon
     • Assumption
       • Malware will happen, minimize the damage
     • Secrets and Lies, Bruce Schneier
       • prevention - facilities and systems to prevent people getting in and taking information
       • detection - to find out if anybody has gotten in, and compromised important information or processes
       • reaction - to allow the "bad guys" to be identified and their activity stopped

  12. Questions about Prevention
     • What do you do if a role is compromised?
     • How does a person know what role an app or file should be installed into?
     • Does it make sense to group “Communications” together?
       • IM, Web browsing, Email
       • Conjecture: People consider endpoint rather than mechanism used
         • Ex. John vs phone or email

  13. More Thoughts on Chameleon
     • Testing role
       • Personally, I’d really like this
       • Combine with a virtual machine
         • Temporarily and safely install new app and see what it’s like
         • Have virtual machine tell you if it has spyware or not
       • However, rather than a role, maybe a different metaphor

  14. Even More Thoughts
     • Basic ideas quite good:
       • Compartmentalization
       • Different levels of trust
     • But some concerns:
       • Too sophisticated for average home PC users?
       • Unclear about who the participants were
       • Too easy to work around the system?
       • Unclear how well Chameleon works
         • p350, People didn’t notice trickery

  15. Some Open Questions
     • Is the desktop the right place to do this?
       • People do risky actions in web browsers, email, etc
       • A compromised web browser can be quite dangerous too
     • Will changing roles become tedious?
       • User studies described initial reactions
     • Easy to overlook things, requires eternal vigilance?
       • Different roles are also different modes
       • Very easy to make errors
       • Solution 1: Pseudo-modes
       • Solution 2: Modeless (how?)

  16. Some More Open Questions
     • Is Chameleon’s basic metaphor right?
       • Mixes application-based metaphor with file-based metaphor with physical-based metaphor (home)
     • Alternatives:
       • Multiple desktops?
       • Multiple file systems?

  17. Some More Open Questions
     • Good insight: re-thinking application development
       • Operating system - traditional security, but no context
       • Application - security can be part of workflow, but duplicated work, inconsistency
       • Toolkit - provide lots of reusable components, but unclear on useful abstractions
     • Idea of a toolkit for building secure apps is a great idea, difficulty is in execution
       • Would it contain new UI widgets?
       • Security primitives?
       • Toolkits tend to be reductionist, but usable privacy and security seems to be holistic

  18. Kazaa File Sharing Study
     • Motivation
       • Lots of people use P2P file sharing, but how usable are they?
     • Insights
       • Seems like lots of people are sharing files accidentally
     • What they did
       • Cognitive walkthrough predicting usability problems
       • User study demonstrating usability problems
       • Proposed new design guidelines for P2P systems

  19. Stepping Back, Bigger Picture
     • Kind of paper:
       • User evaluations of existing application
       • Generalization of results
       • Paper is all evaluation, so needs more evaluation than Chameleon (which is design, implementation, plus eval)
     • Usable Privacy and Security themes:
       • Make it invisible
       • Make it understandable (better metaphors, visibility)
       • Train the users

  20. Kazaa File Sharing Study
     • Good and Krekelberg, CHI 2003
     • Given arbitrary setup of Kazaa, could people understand what files were downloadable by others?
     • Found lots of people sharing inbox.dbx
     • Found that some people were downloading a fake inbox.dbx file

  21. Kazaa Cognitive Walkthrough
     • Cognitive Walkthrough
       • Simple usability technique: put yourself in the shoes of users and try to use the interface from their perspective
     • Problem #1: Multiple names for similar things
       • My Shared Folder - a folder + all shared files
       • My Media - all shared files by media type
       • My Kazaa - all shared files by media type
       • Folder for downloaded files - root folder of all shared files

  22. Kazaa Cognitive Walkthrough
     • Problem 2: Downloaded files are also shared files
     • Problem 3: Kazaa recursively shares folders

  23. Kazaa Cognitive Walkthrough
     • Problem 4: Can select a folder, but what files are inside?
       • Error-prone approach. Also risk with recursive folders.

  24. Kazaa Cognitive Walkthrough
     • Note: Gives one-time warning if you select an entire hard drive

  25. Kazaa Cognitive Walkthrough
     • Problem 5: Inconsistent views
       • Two UIs for doing similar tasks, but show different information about state of system

  28. Kazaa File Sharing Study
     • 12 users, 10 had used file sharing before
     • Task: figure out what files are being shared by Kazaa
       • Download folder set to C:\ (i.e. all files on hard drive C:)
     • Results
       • 5 people thought it was “My Shared Folder”
         • which one UI did suggest
       • 2 people used Find Files to find all shared files
         • This UI had no files checked, thus no files shared?
       • 2 people used help, said “My Shared Folder”
       • 1 person couldn’t figure it out at all
       • Only 2 people got it right

  29. Usability Guidelines for P2P
     • P2P file sharing is safe and usable if users:
       • Are aware of what files are being offered to others
       • Can determine how to share and stop sharing
       • Do not make dangerous errors leading to unintentional sharing of files
       • Are comfortable with what is being shared and confident the system is working correctly
     • Design suggestions:
       • Only allow sharing of multimedia files (…effective?)
       • Better feedforward
       • Allow exceptions to recursively shared folders
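
     The walkthrough problems on slides 22 and 23 (downloaded files are shared, folders are shared recursively) and the design suggestions on slide 29 can be checked mechanically. The Python below is an added example, not code from the paper, the lecture or Kazaa: it models a client's share settings and computes which files a given setup would expose to other peers. The file tree, the multimedia suffix set and the exception folder are constructed assumptions; inbox.dbx is the only file name taken from the page.

```python
# Added model of what a P2P client exposes under a given share configuration
# (constructed for this page; not Kazaa's, the paper's or the lecture's code).
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sets: suffixes the guideline filter treats as multimedia, and
# file names the study found shared by accident (inbox.dbx is the one the page names).
MULTIMEDIA = {".mp3", ".avi", ".jpg", ".mpg"}
SENSITIVE_NAMES = {"inbox.dbx"}

@dataclass
class ShareConfig:
    download_folder: str           # Problem 2: downloaded files are also shared
    recursive: bool = True         # Problem 3: folders are shared recursively
    multimedia_only: bool = False  # guideline: only allow sharing of multimedia files
    exceptions: set = field(default_factory=set)  # guideline: exceptions to recursive shares

def is_under(path: PureWindowsPath, folder: str) -> bool:
    """True if folder is an ancestor of path (case-insensitive, like Windows)."""
    return PureWindowsPath(folder) in path.parents

def shared_files(files, cfg: ShareConfig) -> list:
    """Files the client would offer to other peers under this configuration."""
    root = PureWindowsPath(cfg.download_folder)
    exposed = []
    for name in files:
        p = PureWindowsPath(name)
        in_scope = (root in p.parents) if cfg.recursive else (p.parent == root)
        if not in_scope or any(is_under(p, e) for e in cfg.exceptions):
            continue
        if cfg.multimedia_only and p.suffix.lower() not in MULTIMEDIA:
            continue
        exposed.append(name)
    return sorted(exposed)

def sensitive_shares(files, cfg: ShareConfig) -> list:
    """Exposed files whose names the study associated with accidental sharing."""
    return [f for f in shared_files(files, cfg)
            if PureWindowsPath(f).name.lower() in SENSITIVE_NAMES]

# Constructed file tree standing in for a home PC; paths are illustrative only.
SAMPLE_FILES = [
    r"C:\Users\alice\My Shared Folder\song.mp3",
    r"C:\Users\alice\My Shared Folder\clip.avi",
    r"C:\Users\alice\Local Settings\Identities\inbox.dbx",
    r"C:\Users\alice\Documents\taxes.xls",
    r"C:\Windows\system32\notepad.exe",
]
STUDY_CONFIG = ShareConfig(download_folder="C:\\")  # the study's setup: the whole drive
GUIDELINE_CONFIG = ShareConfig("C:\\", multimedia_only=True, exceptions={r"C:\Users\alice\Local Settings"})
```

Comparing `shared_files(SAMPLE_FILES, STUDY_CONFIG)` with the guideline configuration shows the difference between the study's setup (every file on the drive, including inbox.dbx) and the same download folder with the multimedia filter and a recursion exception applied.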

  30. Are people still accidentally sharing files?
     • A rough & ready experiment by your friendly instructor
     • eMule (open source)
       • Combines eDonkey and Kad file sharing networks
       • Different from FastTrack (Kazaa file sharing)
     • eMule stats
       • Downloaded by over 85 million people
       • 5.3 mil people / 633 mil files on eDonkey
       • 1.7 mil people / 300 mil files on Kad

  31. Putting Them Together
     [Figure: Design Model, User Model, System Image]
     • Lessons from Chameleon + Kazaa
       • Examples of how to run user studies
         • Not the most rigorous studies, but good enough to demonstrate main point
       • Examples of mental models

  32. Putting Them Together
     • Difficulty of building a good UI for privacy and security
       • What are better design methods?
       • What are better tools?
       • What would have helped Chameleon and Kazaa?
