- Engima 2017 Notes
- Low cost
- Role based Access Control - AWS IAM
- User defined function that evaluates to false/true
- Rule looks like this:
@rule('invalid_user, ...)
def invalid_user (rec):
return true- More activity in Amygdala related to more distrust.
- Don't make people think of things they don't do in offline situations
- Example: Store credit card at checkout.
- Don't make people think about uncertainity (50/50 risk).
- People hate ambiguity (no/little information about risk and reward) even more than uncertainity.
- Activity in Amygdala doesn't clearly mean that people distrust online activity, but it may be related.
- 100 chips in bag. Red or Blue. No other color.
- If I draw Red, you win!
- But I may not tell you how many Red chips there are.
- Result: Finding out more data makes you more confident. (Makes sense.)
- Don't focus on trust -- focus on uncertainity.
- Favorable and unfavorable information has value for uninformed.
- How people feel is critical in determining how people act.
- If asked to choose between dancing pigs and usable security, users would always choose dancing pigs. That's sad.
- Most people don't notice the "Chrome cleanup tool" message popup.
- We're bad at multi-tasking. Performance on all tasks suffers.
- Security messages are displayed usually as a result of a security event without regard to user's current task. (Cue: Microsoft Update doalog)
- Ran a study
- Have a baseline task.
- Then have a memory task (6 digit number to remember).
- Then added a task to install a Chrome extension that may have dangerous permissions.
- Results:
- High dual task message: Warning disregard: 22.9%
- Showing warning later: Warning disregard: 7.4%
- Low DTI times:
- After video completes.
- Waiting for download to complete (or start?)
- Brain not good at handling interruptions.
- Timing a security messages makes a marked improvement.
- Observed in all animal life. Including human brain.
- Each display of warning, brain pays less and less attention.
- 40 real world wawrnings in FMRI scanner.
- Dramatic drop in activity after second exposure to warning and drop off after successive exposures.
- Also increase in boredom.
- Then added animations to the warnings. Swirl, Jingle, ...
- Notably better results.
- Still led to bordom and ignoring warnings with polymorphic warnings but still higher than static warnings.
- Install 3 apps from a category of apps every day.
- Warning on install.
- If they ignored warning, that was counted as disregard.
- Chose 4 really bad warnings.
- Polymorphic warnings (different warning format over 15 days) had better effect.
- Dismissing one kind of notification (eg system notification on phone) can carry over to rare security events.
- User may already be deeply habituated.
- Design security messages to be visually distinct and/or different mode of dismissal.
Not only think about the bad guys, but also think about the user who needs to respond to the security warnings, etc.
- There's an app for that! To measure and track all your signals and activity.
- Helps people keep track of their life, fun activities, etc.
- Idea: Devices attached with brain. Non-invasive.
- But, wait.. Malware! In the brain!
- Any malicious app that extracts private information about the user.
- Why/how does it work:
- A malicious app could intercept the digitized signal from the sensor to the signal processing app.
- Event Related Potentials (ERPs): Responses associated with specific sensory, cognitive, and motor events.
-
During the game:
- 5 different stimuli for 7 seconds at a time.
- Different logos such as Starbucks, ...
- Measured ERPs
-
Brain signals can then be used to find out:
- Coffee preferences, but also
- Religious preferences,
- Political preferences, etc.
- Privately held thoughts can be captured(?)
...
- Idea: Neural signals should be treated as PII
-
When a journalist is kidnapped, you can help them financially but not erase the horror.
-
When they die, there's absolutely nothing you can do for them.
-
Technical attacks against journalists but not enough security community focus.
-
Motivated state actors have the resources to find vulnerabilities and deploy them as needed.
-
Focus on security requirements for a journalist, and then
-
Adopt those products/ideas to people at large.
-
Being a journalist used to be expensive: Camera, Printing press, reach, ...
-
That's not true anymore.
-
Everyone has a camera now, and a blog, or Medium.
- Everyone should have the ability to be safe about their communications.
- Computers today are garbage. We need better computers.
- How do we distinguish between acts of journalism and acts of alternate reality.
- There are good journalists, there are bad journalists. And then, there are liars.
- What should be focus on?
- Passwords are garbage. Phishing is easy.
- #1 priority is to make authentication work.
- Hardened or proven kernels.
- Why not focus on anonymity?
- Not a lot of people die because of lack of anonymity.
- Plus, there are some good tools already for that.
- Don't just think about Snowden.
- Write your password on a paper and put it in your wallet instead of using passwords.
- To meet him, send SMS on his phone.
- I am going to interview him so this is public information anyway.
- Civilian undercover police officer tries to eavesdrop.
- My phone keeps me safe. Got arrested. Tweeted. Got friends' help.
- Except one thing: I can't really have a girlfriend.
- Family had lost son to political violence earlier.
- He did not want mom to know about the girlfriend.
- Does not hold for whistle blowers. But,
- How can I prove that I took this picture at this place at this time.
- How to fight with fake news and people wrongly calling correct information hoax.
- Anonymity is useful but counter to this problem.
- Reliable delivery of messages is part of security.
- Usable, reliable.
- Allows wide reach.
- Protect privacy and dignity of personal life.
- Documentation: In all languages that it's going to be used.
- Examples:
- For older people.
- Older people will be 20% of population of US by 2030.
- http://www.weteachwelearn.org/2012/12/how-to-influence-people-with-persuasive-triggers/
- Conducted study. Participants did not know about the goal of the study.
- Record all the extensions that they install every time during the 15 day study period.
- Will send them a phishing email.
- Try to understand the susceptibility of older adults to phishing.
- 158 participants. North Central Florida. Male and Female.
- Parking Violation e-mail. Authority Weapon + Legal Case.
- Results
- Legal related emails had much higher phishing success.
- More for older people than younger.
- Recommendations
- Anti-phishing detection
- Anti-phishing training