Archive for the year 2007
I am giving a presentation later today on “protecting privacy by spying on users.” Here is the talk abstract and the slides I will be using. I am also providing a link to a paper that will be presented at a social network analysis conference in January.
Corporations are facing increasing demands to monitor their compliance with policies and regulations. Using the Enron email corpus as an example of corporate communications, the research explored methods to identify instances of password sharing, a practice that should be a security concern to any organization. Social network analysis was able to identify key creators and sharers of passwords, and an analysis of the passwords themselves showed that quality was clearly a problem. The network analysis was also able to reveal interesting communication patterns, such as sharing passwords with external accounts owned by the same person, which might have been useful as indicators of a problem in corporate systems or practices. The research also uncovered cases of possible policy violations, such as the sharing of internal and external accounts.
Here is a great article that analyzes a rather ridiculous attempt at providing two-factor authentication during online banking. Recent regulations in the US require institutions to do something beyond a simple username and password, but this implementation is laughable.
I guess you’re just out of luck if you grew up on 9th, love pie, and just can’t get enough CSI (or, god forbid, ER). Your money will be so secure that you won’t even be able to figure out what answers you need to type in to access it. Sadly, Synergy One is one of many that subscribed to this preposterous online banking system. Several others have been suckered into Cavion® and its related products. And it just keeps spreading.
Here is an interesting article on experimental bias during parapsychology research. The suggestion is that subtle remarks and prompts made by the experimenters could have influenced the responses made by the subjects while they tried to “receive” psychic information.
An analysis of conversations that took place during ganzfeld parapsychology experiments has revealed researchers may have exerted an influence on their participants.
Ganzfeld experiments involve a ‘sender’ trying to project images from a video clip to a ‘receiver’ who is incubated, blindfolded, in a sound-proof room. The ‘receiver’ reports the images they believe they are receiving to a researcher who notes them down. Crucially, the next stage involves the researcher reviewing these images with the ‘receiver’, before the ‘receiver’ attempts to identify the video clip seen by the ‘sender’ from among three decoys.
It was a study that had to be done, even though the results are kind of predictable. Some people remark, when asked to use biometric devices such as fingerprint scanners, that they are unsanitary and a health risk. The obvious question is “Are they more unsanitary than other things we touch every day, such as doorknobs?” This study tells us that the answer is “No”.
If the fingerprint-smudged glass plates on biometric devices skeeve you out, Purdue University researchers have some good news for you: The devices aren’t any germier than typical doorknobs. Christine Blomeke, a researcher and doctoral student in Purdue’s Biometric Standards, Performance and Assurance Laboratory, says the lab performed a study on this issue in light of concerns by those involved in fingerprint and hand-geometry studies at the lab. The study involved testing for two kinds of bacteria, staphylococcus aureus and E.coli.
It is time to starting thinking about the Symposium On Usable Privacy and Security (SOUPS).
This is a great conference at the intersection between human factors and security/privacy systems. The Call for Papers is now out, and I am assisting by arranging the in-depth sessions and keynote speakers. Papers are due Feb 29, and posters are due May 28. We also want to hear about your ideas for tutorials, workshops, panels, and keynote speakers.
Here are a collection of announcements concerning Canada’s plan for new legislation on identity theft. The legislation is important because it attempts to address not only the actual acts of fraudulent use of identities, but also the collection and trafficking of the information. The reaction of the Privacy Commissioner on further steps that are needed is also notable. This will be interesting legislation to watch.
Here is an interesting article by Spaf (Prof. Eugene Spafford) on the state of security research and development today. The argument is that we are spending too much time of building fixes, without addressing the root problems. In this case, the root problems include development techniques and languages, and inadequate operating systems. The analogy to sacred cows is interesting.
We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it. Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.
While raising three teenagers, I have been impressed by their interactions with peers when it comes to friendships and emotional support. The number of spontaneous hugs is a wonderful thing to see, and something that was very uncommon when I was a male teen in the 70s.
Well, it seems that schools don’t agree, and many of them are banning hugs between children, or other forms of physical interaction. Apparently, our local primary school where my kids went has now jumped on this bandwagon. Not only are we raising our children to be overly fearful and unadventurous, we are also teaching them that healthy hugs are not appropriate.
I have been doing some reading today on Functional Near-Infrared Spectroscopy (fNIRS). This is a technique for measuring brain activity that involves shining near-infrared light into the head (usually at the forehead) and measuring the light that emerges. The light paths are affected by the amount of blood flow in the brain, so fNIRS can be used to measure blood flow, and hence, brain activity (since flow patterns are related to activity). Traditionally, this has been during using Function Magnetic Resonance Imaging (fMRI), but fNIRS is cheaper and portable.
I have long been interested in virtual presence, which is the illusion of presence created by artificial devices such as immersive displays. One of the long-standing issues in this area is how you measure this illusion, and the most common methods have used unreliable self-reports. I wonder if fMRI would be useful for measuring the illusion of presence in virtual environments?
New evaluation techniques that monitor user experiences while working with computers are increasingly necessary,” said Robert Jacob, computer science professor and researcher. “One moment a user may be bored, and the next moment, the same user may be overwhelmed. Measuring mental workload, frustration and distraction is typically limited to qualitatively observing computer users or to administering surveys after completion of a task, potentially missing valuable insight into the users’ changing experiences.” Sergio Fantini, biomedical engineering professor, in conjunction with Jacob’s human-computer interaction (HCI) group, is studying functional near-infrared spectroscopy (fNIRS) technology that uses light to monitor brain blood flow as a proxy for workload stress a user may experience when performing an increasingly difficult task.
Here is an interesting article from The Economist on the growing use of surveillance and data tracking, and the blind acceptance by citizens in most countries. I like the analogy myth of the “boiled frog” attributed to Ross Anderson at the end of the article — if the water is heated gradually enough, the frog fails to notice the difference until it is too late.
Across the rich and not-so-rich world, electronic devices are already being used to keep tabs on ordinary citizens as never before. Closed-circuit television cameras (CCTV) with infra-red night vision peer down at citizens from street corners, and in banks, airports and shopping malls. Every time someone clicks on a web page, makes a phone call, uses a credit card, or checks in with a microchipped pass at work, that person leaves a data trail that can later be tracked. Every day, billions of bits of such personal data are stored, sifted, analysed, cross-referenced with other information and, in many cases, used to build up profiles to predict possible future behaviour. Sometimes this information is collected by governments; mostly it is gathered by companies, though in many cases they are obliged to make it available to law-enforcement agencies and other state bodies when asked.