Usable Privacy and Security and Mobile Social Services Jason Hong
My Two Areas of Interest Usable Privacy and Security –“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - CRA –Anti-phishing Mobile Social Computing –Using sensing, wireless networking, and mobile devices to facilitate awareness, communication, and coordination –Mobile phones
Everyday Privacy and Security Problem
This entire process known as phishing
Phishing is a Plague on the Internet Estimated 3.5 million people have fallen for phishing Estimated $350m-$2b direct losses a year 9255 unique phishing sites reported in June 2006 Easier (and safer) to phish than rob a bank
Project: Supporting Trust Decisions Goal: help people make better online trust decisions –Currently focusing on anti-phishing Large multi-disciplinary team project at CMU –Six faculty, five PhD students, undergrads, staff –Computer science, human-computer interaction, public policy, social and decision sciences, CERT
Our Multi-Pronged Approach Human side –Interviews to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm
Usable Privacy and Security Supporting Trust Decisions
Results of Evaluation Have to fall for phishing to be effective? How well do people retain knowledge after a week? Correctness
Results of Evaluation Have to fall for phishing to be effective? How well do people retain knowledge after a week? Correctness
Anti-Phishing Phil
PILFER Anti-Phishing Filter Example heuristics combined in SVM –IP addresses in link ( –Age of linked-to domains (younger domains likely phishing) –Number of domain names in links –Number of dots in URLs –SpamAssassin rating
Robust Hyperlinks Developed by Phelps and Wilensky to solve “404 not found” problem Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed –Ex. How to generate signature? –Found that TF-IDF was fairly effective Informal evaluation found five words was sufficient for most web pages
Adapting TF-IDF for Anti-Phishing Can same basic approach be used for anti-phishing? –Scammers often directly copy web pages –With Google search engine, fake should have low page rank FakeReal
Evaluating CANTINA
My Two Areas of Interest Usable Privacy and Security –“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - CRA –Anti-phishing Mobile Social Computing –Using sensing, wireless networking, and mobile devices to facilitate awareness, communication, and coordination –Mobile phones
Mobile Social Computing New ways for people to organize and coordinate with one another –Smart Mobs –Gawker Stalker
Mobile Social Computing New ways for people to organize and coordinate with one another –Smart Mobs –Gawker Stalker –MySpace Mobile
Mobile Social Computing IMBuddy Facilitate coordination and communication by letting people request contextual information via IM –Interruptibility (via SUBTLE toolkit) –Location (via Place Lab WiFi positioning) –Active window Balance privacy with utility Few privacy concerns –Safe defaults –Often wanted to share more Currently developing Facebook widget
Mobile Social Computing inTouch System to facilitate awareness and communication for small groups –Dual-career families Real-time info about people Faster messaging using contextual information –Location, calendar, traffic, etc
Mobile Social Computing Whisper Social Event Service Help people with events when mobile –Find nearby social events –Notify friends of social events –Organize friends to go to events
Research Style Observe & understand how people actually use tech Design and implement systems Evaluate systems with users Iterate
Jason Hong Newell Simon Hall 2504D