Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Best Practices for Usable Security in Desktop Software Simson L. Garfinkel DIMACS Workshop on Usable Privacy and Security Software Rutgers University.

Published byMarilynn Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Best Practices for Usable Security in Desktop Software Simson L. Garfinkel DIMACS Workshop on Usable Privacy and Security Software Rutgers University."— Presentation transcript:

1 1 Best Practices for Usable Security in Desktop Software Simson L. Garfinkel DIMACS Workshop on Usable Privacy and Security Software Rutgers University July 9, 2004,

2 2 Hypothesis C, C++ Failure to check args, etc… Common Programming Errors Buffer overflows, SQL injection, etc… Common Security Errors ?? Common Errors in UI and interaction design Privacy compromises, lost data, misconfigurations … Common Security Errors If Then…

3 3 Goals: 1.Identify common errors in UI design that create security and privacy failings. 2.Make it seem easy. “Most really breakthrough conceptual advances are opaque in foresight and transparent in hindsight.” ---Alan Cooper

4 4 Don’t lie to the user… (Aligning Interface, Information and Action) ROADMAP: 1.Sanitizing disks and files 2.Sanitizing browser history 3.Spyware

5 5 Deletion and Sanitization Why study deletion? –Affects everybody: we all have private or security-critical information that needs to be deleted. –Lots of lore, not a lot of good academic research.

6 6 Today’s desktop systems do a nice job on “delete”… 1. Start with an icon you want to delete 3. Trash icon changes 4. Right-click for empty 6. File is gone 5. Confirm empty 2. Drag it to the trash

7 7 Double-click on “Recycle Bin” for more info… Just like PGP 5.0: Good by conventional standards, but does not encourage secure computing practices… Good feedback Good help

8 8 Recovery after confirmation… Can you get back a file after you empty the trash? Sure!

9 9 The Paradox of “Delete” Delete File can be recovered with “undelete” or forensic efforts. Tossed files randomly get shred Backups provide protection. Intentionally overwritten file cannot be recovered from disk. Special utilities overwrite slack space. Backups don’t get shred. Unlinks file from directory. Put blocks on free list. Allow space to reused. Overwrites file blocks. “Shred” “Toss” Thanks to Clay Bennett at Christian Science Monitor

10 10 Sanitization is a big problem “Remembrance” study: –200 hard drives purchased –more than 1/3 had data that been deleted but could be recovered! Hypothesis: data was there because of usability failures…

11 11 Drives in storage 200 drives >80GB images (small drives)

12 12 DOS FORMAT misrepresents its functionality A:\>format c: WARNING, ALL DATA ON NON-REMOVABLE DISK DRIVE C: WILL BE LOST! proceed with Format (Y/N)?y Formatting 1,007.96M 100 percent completed. Writing out file allocation table Complete. “Data Passed” is a Usability Problem!

13 13 Approach #1: Distinguish “Toss” from “Shred” Following publication of “Remembrance,” Apple added “Secure Empty Trash” to MacOS 10.3. “Secure Empty” takes much longer than regular empty. ≈5 min instead of 5 sec

14 14 But separating is not enough… Is this “toss” or “shred?” (“Empty Trash” or “Secure Empty Trash”) Toss! This is “Shred”

15 15 Other Problems with Separation Apple’s approach was a “pasted on fix.” Not consistently applied throughout user interface. Doesn’t apply to other applications, unlink() Users may not know what “Secure Empty Trash” means…

16 16 The dirty life of a disk block… Free block pool Allocated blocks unlink() Trash Can directory “Empty Trash” “Secure Empty Trash” scrubber Notice: Once a disk block is “emptied,” you can’t go back and “securely” empty it!

17 17 Alternative: Redesign the interaction Removed files go onto “old file” list. Kernel grabs free blocks first, then blocks from “old files.” Make “shred” an explicit operation at the interface. –(extend to backup with individual encryption keys for each file) ( simulation )

18 18 “Clean object reuse…” Free pool of clean blocks Allocated blocks unlink() Trash Can directory block allocation Scheduled shredding -or- “Shred now” Blocks awaiting shredder… “Move trash to shredder…” (simulation)

19 19 What about “whoops?” “Darn! I didn’t mean to hit shred.” Don’t use a “swat box”: (“this action cannot be undone…”) Instead: (simulation)

20 20 Best Practices Distinguish “toss” from “shred.” Don’t use a “swat box” to confirm an action that can’t be undone! –It’s easier to beg for forgiveness than ask for permission –Let people change their minds. –“Polite Software Is Self-Confident” (Cooper, p. 167) ≠

21 21 What else do you clear? “Files” can be tossed or shredded… Clear History “Erase my tracks.” “History” is cleared…

22 22 IE: Clearing History 1. Select “Internet Options” 2. Select “Clear History” 3. Confirm (no “undo”)

23 23 Clearing History Safari makes it easier. Give the ability to remove personal information where it is displayed… It’s obvious because you see it!

24 24 Interaction puns One action means two things… Clear History Clear Cache Clear Cookies “Erase my tracks.” Many actions for one thing…

25 25 Cache and Cookies are not obvious… What’s a Cache? Where’s the cache?... We’ve had a huge public education campaign to teach people about the “cache…”

26 26 Cache and Cookies are not obvious… What’s a Cache?

27 27 Each History item points to its entry in the “cache”… … …disk blocks… Clearing the history could automatically clear the cache.

28 28 But what about “Secure Empty Trash?” “Clear History,” “Clear Cache” and “Reset Browser” don’t sanitize! The privacy protecting features give a false sense of security.  Libraries  Kiosks  Shared Machines

29 29 Best Practices Allow personal information to be corrected or deleted where it is shown. If you “toss” potentially sensitive information, shred the bytes! –Especially if you are tossing for privacy.

30 30 Spyware, Adware, and Informed Consent What if the software tries to hide it’s activities?

31 31 Example 2: Gator and GAIN GATOR eWallet? “The Gator eWallet is provided free by GAIN Publishing. “The Gator eWallet is part of the GAIN Network. “This software also occasionally displays pop up ads on your computer screen based on your online behavior.”

32 32 Gator’s Disclosure on download page

33 33 Gator… Comes with Gator eWallet, Precision Time, Date Manager, OfferCompanion, Weatherscope, and SearchScout Toolbar

34 34 Gator License Agreement… Words: 6,645 Key Provisions: –Displays pop-up advertisements. –Determines your interests by monitoring your web surfing behavior, including the URLs you type. –Software updates itself –Any use of a “packet sniffer” is “strictly prohibited” PLEASE READ THE GAIN PUBLISHING PRIVACY STATEMENT AND END USER LICENSE AGREEMENT (COLLECTIVELY "Terms and Conditions") CAREFULLY AND MAKE SURE YOU UNDERSTAND THEM. THEY CONTAIN IMPORTANT INFORMATION THAT YOU SHOULD KNOW BEFORE ACCEPTING ANY GAIN-Supported Software (DEFINED BELOW). The GAIN Publishing Terms and Conditions describe the operation of the GAIN-Supported Software you are about to download and the terms and conditions that govern your use of this software. GAIN Publishing ("GP") provides you the opportunity to download a software product you desire at no charge or a reduced charge in return for your agreement to also download GP's software product which will periodically … buried

35 35 “Here’s what we do know… - Some of the Web pages viewed - The amount of time spent at some Web sites - Some click history, including responses to some online ads - Standard web log information and system settings (except that IP addresses are not stored) - What software is on the personal computer (but no information from those programs) -First name, country, city, and five digit ZIP -Non-personally identifiable information on Web pages and forms - Software usage characteristics and preferences - For Gator(r) eWallet users, your master password, if you choose to create one

36 36 People are bad at reading legal documents Not a new problem! Solution: - Standardized Labels of product actions. - Logos of special significance

37 37 1906 Pure Food and Drug Act Required disclosure of narcotics and other substances. “Warning --- May be Habit Forming” (got the cocaine out of coca-cola) http://www.cfsan.fda.gov/~lrd/history1.html

38 38 The Pure Software Act of 2006 Hook: Starts Automatically Dial: Places a Call Modify: Alters OS Monitors you when not active program Displays Pop-Ups Remote Control Self-Updates Stuck: Cannot be Uninstalled S. Garfinkel, “The Pure Software Act of 2006” TechnologyReview.com, April 7, 2004 http://www.technologyreview.com /articles/wo_garfinkel040704.a sp (simulated icons)

39 39 Gator with Icons hook monitors Pop- ups Self- updates (simulation)

40 40 Icons force disclosure of things that the lawyers might have forgotten. (e.g. ) Having an icon isn’t good or bad. (e.g. ) Notes on the icons…

41 41 Summary Don’t lie to the user. Rethink functionality beneath the interface. Mandate disclosure of hidden functionality Acknowledgements: Matthew Bouchard (icon design) Alma Whitten (mentioned warning labels in “Why Johnny…”) Rob Miller, David Clark, Min Wu, Steven Bauer (MIT) Jonathan Zittrain (Harvard Law)

Download ppt "1 Best Practices for Usable Security in Desktop Software Simson L. Garfinkel DIMACS Workshop on Usable Privacy and Security Software Rutgers University."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Accessing and Using the e-Book Collection from EBSCOhost ® When an arrow appears, click to proceed to the next slide at your own pace. To go back, click.

Accessing and Using the e-Book Collection from EBSCOhost ® When an arrow appears, click to proceed to the next slide at your own pace. To go back, click.
1 of 2 By observing the guidelines below and performing regular maintenance on your computer, you can help keep your computer safe and maintain optimum.

1 of 2 By observing the guidelines below and performing regular maintenance on your computer, you can help keep your computer safe and maintain optimum.
Computing Fundamentals Module Lesson 5 — File Management with Windows Explorer Computer Literacy BASICS.

Computing Fundamentals Module Lesson 5 — File Management with Windows Explorer Computer Literacy BASICS.
1 Secure Interaction Design Kami Vaniea. 2 Overview Designing secure interfaces  Design principles Firefox extensions  Cookies  Phishing  Tracking.

1 Secure Interaction Design Kami Vaniea. 2 Overview Designing secure interfaces  Design principles Firefox extensions  Cookies  Phishing  Tracking.
1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.

1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.
People and Security. Contents People and security – what is the problem? Why usable security is important Introduction to usability principles Best Practices.

People and Security. Contents People and security – what is the problem? Why usable security is important Introduction to usability principles Best Practices.
Operating System Customization

Operating System Customization
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Usable Security: Part 2 Dr. Kasia Muldner.

Usable Security: Part 2 Dr. Kasia Muldner.
Meeting your new mac. Topics  Why mac?  Desktop  Web browsing  Mac mail  Burning CDs  Getting help.

Meeting your new mac. Topics  Why mac?  Desktop  Web browsing  Mac mail  Burning CDs  Getting help.
Spyware! THE BAD, THE WORSE, AND THE Ugly … ARE ALL INDICATIONS THAT SPYWARE MAY BE TAKING OVER YOUR COMPUTER!

Spyware! THE BAD, THE WORSE, AND THE Ugly … ARE ALL INDICATIONS THAT SPYWARE MAY BE TAKING OVER YOUR COMPUTER!
CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.

What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
How to Protect Your PC Grayware Adware, Malware, Spyware.

How to Protect Your PC Grayware Adware, Malware, Spyware.
Format Scandisk Defragmentation Antivirus Compression Software

Format Scandisk Defragmentation Antivirus Compression Software
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
KEEP YOUR COMPUTE SAFE AND HOW TO FIX IT 1. OBJECTIVE Keep your computer safe. -Not about spam, phishing or browser hijacks Designed for the non-geek.

KEEP YOUR COMPUTE SAFE AND HOW TO FIX IT 1. OBJECTIVE Keep your computer safe. -Not about spam, phishing or browser hijacks Designed for the non-geek.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.

Similar presentations

Ads by Google