Computer Human Interaction: Mobility, Privacy, and Security, for Cylab Partners Meeting Sep2011
This talk was for the Cylab partners meeting in 2011. I gave an overview of research my colleagues and I are doing in streamlining authentication as well as understanding human behavior at large scales.

  • Images are from Paul Adam’s talk

Presentation Transcript

  • ©2009CarnegieMellonUniversity:1 Computer Human Interaction: Mobility, Privacy, and Security Jason Hong jasonh@cs.cmu.edu
  • ©2011CarnegieMellonUniversity:2 Two Major Research Thrusts • Streamlining Authentication – How to simplify and strengthen authentication using sensor data? • Understanding Human Behavior at Large Scales – What can we infer about people and places based on lots of sensor data?
  • ©2011CarnegieMellonUniversity:3 Too many passwords!!!
  • ©2011CarnegieMellonUniversity:4 Problems with Passwords • People forget passwords • Susceptible to social engineering • People re-use passwords • Passwords tend to be weak in practice
  • ©2011CarnegieMellonUniversity:5 WebTicket • Cheap printable tokens for a reliable way to log in • Browser plug-in for creating new accounts – Strong passwords are assigned • Print out ticket – Ticket is encrypted to work only with specific computer(s) – QRCode: URL, user name, password
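The slide above describes a ticket that carries the URL, user name and an assigned strong password, encrypted so it only works with specific computers. The following added example (not the WebTicket project's own code) shows that flow end to end: a strong password is generated for the user, the login record is wrapped under a per-computer key, and reading the ticket on a computer with a different key fails, which is also why a phished ticket still leaves the data encrypted. The cipher here is an illustration built only from the Python standard library (HMAC-SHA256 keystream, encrypt-then-MAC); the real plug-in's format and algorithm are not on the page, and a deployment would use an AEAD such as AES-GCM from a proper crypto library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the WebTicket format: a per-computer secret
# (device_key) wraps the login record, so the printed QR code is useless on
# a machine that lacks that key. Not the project's actual scheme.

PASSWORD_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@"
)


def assign_strong_password(length: int = 20) -> str:
    """Account-creation step: the plug-in picks the password, the user never memorises it."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _subkeys(device_key: bytes):
    # Separate keys for confidentiality and integrity, derived from the device secret.
    enc = hmac.new(device_key, b"webticket-enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"webticket-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (illustration only).
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def make_ticket(device_key: bytes, url: str, username: str, password: str) -> bytes:
    """Return the bytes that would be rendered into the ticket's QR code."""
    enc_key, mac_key = _subkeys(device_key)
    record = json.dumps({"url": url, "user": username, "pw": password}).encode()
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(record))
    ciphertext = bytes(p ^ k for p, k in zip(record, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def read_ticket(device_key: bytes, ticket: bytes):
    """Webcam step: return the login record, or None if this ticket was not
    issued for this computer (wrong key) or has been tampered with."""
    enc_key, mac_key = _subkeys(device_key)
    if len(ticket) < 16 + 32:
        return None
    nonce, ciphertext, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # verify before decrypting: unknown key or damaged ticket
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


if __name__ == "__main__":
    home_pc = secrets.token_bytes(32)
    other_pc = secrets.token_bytes(32)
    pw = assign_strong_password()
    ticket = make_ticket(home_pc, "https://example.test/login", "alice", pw)
    print("this computer :", read_ticket(home_pc, ticket))
    print("other computer:", read_ticket(other_pc, ticket))
```

The ordering in `read_ticket` matters: the tag is checked before anything is decrypted, so a ticket scanned on the wrong machine, or a scanned image that was altered, yields nothing rather than partially decrypted bytes. The slide's weakness "need to store main encryption key" corresponds to `device_key` here; whoever holds it can read every ticket printed for that computer.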
  • ©2011CarnegieMellonUniversity:6 Logging In with WebTicket
  • ©2011CarnegieMellonUniversity:7 WebTicket • Design: – Very cheap (paper + printer + webcam) – Compatible with existing systems – Easy to deploy – Easy to teach: treat it like a house key • Weaknesses: – Not meant for commonly used passwords – Tickets can get damaged or lost – Need to store main encryption key – Scale (about 15 accounts on average)
  • ©2011CarnegieMellonUniversity:8 WebTicket User Study • Three studies, 59 people total – Study 1: Lab study – Study 2: Lab study (phishing too) – Study 3: Field trial • Experiment – Two conditions: password and WebTicket – Create a few new accounts – Login to a few sites – Come back a week later, login again
  • ©2011CarnegieMellonUniversity:9 WebTicket Study Results • 1/4 of people using passwords could not login again a week later – Didn’t restrict what passwords people used • Login time for WebTicket slower at first, faster a week later • WebTicket perceived as easier and faster • Simulated phishing attack – All in password condition fell for it – 30% of people using WebTicket did (though data still encrypted)
  • ©2011CarnegieMellonUniversity:10 Ongoing and Future Work • Mobile phone version to scale up – A strong password manager – Can’t fall for phish too
  • ©2011CarnegieMellonUniversity:11 Ongoing Work • Can encode 3k of data in QR codes – Ex. “Login only if in Cylab office or home” – Ex. “Login only if between 5-8pm” – Ex. “Login only if parents at home” – Ex. “Notify parents when you login” – Ex. Include face biometric data
  • ©2011CarnegieMellonUniversity:12 Casual Authentication • Use commodity sensors + behavioral models for cheap, passive, multi-factor authentication • Modulate level of authentication needed – In likely situations, make logins fast – In unlikely situations, make it reliable
  • ©2011CarnegieMellonUniversity:13 Example Scenarios • Scenario 1 – Mobile device – If in office is high, make login fast – If in Brazil, make login reliable – Location, IP address, WiFi MAC, Bluetooth devices nearby, tilt • Scenario 2 – Home – Wake up in morning, go to computer – Weight sensor in chair, height sensor via Kinect, mobile devices nearby – Use face recognition to login (fast)
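Slides 12 and 13 describe modulating the level of authentication: fast logins in likely situations, reliable ones in unlikely situations such as a device suddenly appearing in Brazil. The added example below (not the project's prototype) shows one way to turn that idea into a decision. Each passive factor (place, network, time of day) is scored by how often the user's own login history contained the same value, and the least familiar factor decides the required level, so a single anomalous signal escalates even when the others look normal. The history, the factor set, the thresholds and the level names are constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    place: str   # coarse location label derived from GPS / WiFi fingerprint
    wifi: str    # network the device is attached to
    hour: int    # local hour, 0-23


def hour_bucket(hour: int) -> str:
    """Coarse time-of-day factor; exact hours would be too sparse to learn from."""
    return ("night", "morning", "afternoon", "evening")[hour // 6]


# Constructed login history for one user: 40 office logins, 20 from home,
# 4 from a cafe. A real system would build this from the phone's own traces.
HISTORY = (
    [Context("office", "cmu-secure", 10)] * 20
    + [Context("office", "cmu-secure", 14)] * 20
    + [Context("home", "home-ap", 21)] * 20
    + [Context("cafe", "cafe-guest", 14)] * 4
)

# (minimum familiarity of the weakest factor, authentication level); illustrative values.
LEVELS = (
    (0.25, "fast"),       # e.g. face recognition alone
    (0.05, "standard"),   # e.g. password
    (0.0, "reliable"),    # e.g. password plus a second factor
)


def familiarity(history, ctx):
    """Per-factor fraction of past logins that shared this value with ctx."""
    n = len(history)
    counts = {
        "place": Counter(c.place for c in history)[ctx.place],
        "wifi": Counter(c.wifi for c in history)[ctx.wifi],
        "time": Counter(hour_bucket(c.hour) for c in history)[hour_bucket(ctx.hour)],
    }
    return {factor: count / n for factor, count in counts.items()}


def required_authentication(history, ctx):
    """Return (level, weakest_factor, score). The least familiar factor
    decides, so an unknown country, an unknown network, or a 3am login
    each escalate on their own; the weakest factor is reported for logging."""
    scores = familiarity(history, ctx)
    weakest = min(scores, key=scores.get)
    score = scores[weakest]
    for threshold, level in LEVELS:
        if score >= threshold:
            return level, weakest, score
    return "reliable", weakest, score


if __name__ == "__main__":
    for ctx in (
        Context("office", "cmu-secure", 10),   # usual morning at the office
        Context("cafe", "cafe-guest", 14),      # seen before, but rarely
        Context("sao-paulo", "hotel-wifi", 10),  # never seen: slide's "in Brazil" case
        Context("home", "home-ap", 3),           # known place, unusual hour
    ):
        print(ctx, "->", required_authentication(HISTORY, ctx))
```

Taking the minimum rather than an average is a deliberate security choice: averaging would let two familiar factors mask one unfamiliar one. The returned weakest factor is what a defender would log and review, since it explains why a particular login was stepped up.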
  • ©2011CarnegieMellonUniversity:14 Casual Authentication • Location as a passive factor – (a) Diary study with 20 people – (b) Location traces of 30 people (a) Where people login (Hayashi and Hong, CHI 2011) (b) Where people spend time (Amini et al, Mobisys 2011)
  • ©2011CarnegieMellonUniversity:15 Characterizing Places • Location entropy – Concept taken from ecology – Number of unique people seen in a place – Approximates public vs private • Locaccino data – 489 participants – 2.8m location sightings
  • ©2011CarnegieMellonUniversity:16
  • ©2011CarnegieMellonUniversity:17 Using Location Data • Characterizing individuals – Personal frequency – Personal mobility pattern • Characterizing places – Entropy – number of unique people – Churn – same people or different – Transience – amount of time spent – Burst – regularity of people seen • Building models of people and places
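Slides 15 and 17 characterize places by entropy (how many different people are seen there) and churn (whether it is the same people or different ones). The added example below (not the Locaccino analysis code) computes both from a small constructed trace of (user, place, day) sightings: entropy as the Shannon entropy of the distribution of sightings over users, which is low for a private place shared by a few people and high for a public one visited by many, and churn as the fraction of people seen in a later window who were absent from an earlier one. The churn definition and the sample trace are this example's own; the slide gives only the informal description.

```python
import math
from collections import Counter, defaultdict

# Constructed sightings: (user, place, day). Two people share "home" every day;
# "cafe" has one regular plus two fresh visitors each day.
SIGHTINGS = (
    [("alice", "home", d) for d in range(1, 11)]
    + [("bob", "home", d) for d in range(1, 11)]
    + [(u, "cafe", d) for d in range(1, 11) for u in (f"u{d}", f"v{d}", "alice")]
)


def sightings_by_place(sightings):
    """Group (user, day) pairs by place."""
    by_place = defaultdict(list)
    for user, place, day in sightings:
        by_place[place].append((user, day))
    return dict(by_place)


def unique_people(place_sightings) -> int:
    return len({user for user, _ in place_sightings})


def location_entropy(place_sightings) -> float:
    """Shannon entropy (bits) of sightings over users. Two people sharing a
    place equally give 1 bit; many occasional visitors give several bits."""
    counts = Counter(user for user, _ in place_sightings)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def churn(place_sightings, split_day: int) -> float:
    """Fraction of people seen after split_day who were not seen up to it
    (this example's definition). 0.0 means the same people keep coming back."""
    before = {user for user, day in place_sightings if day <= split_day}
    after = {user for user, day in place_sightings if day > split_day}
    if not after:
        return 0.0
    return len(after - before) / len(after)


def characterize(sightings, split_day: int):
    """Per-place summary a model of 'public vs private' could be built on."""
    return {
        place: {
            "unique_people": unique_people(ps),
            "entropy_bits": location_entropy(ps),
            "churn": churn(ps, split_day),
        }
        for place, ps in sightings_by_place(sightings).items()
    }


if __name__ == "__main__":
    for place, stats in characterize(SIGHTINGS, split_day=5).items():
        print(place, stats)
```

Entropy and unique-people count answer different questions: a place with one regular and many one-time visitors has a high unique count but its entropy is pulled down by the regular's share of sightings, which is why the slide pairs entropy with churn and transience rather than relying on a single number.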
  • ©2011CarnegieMellonUniversity:18 Ongoing Work • Evaluating passive factors • Developing threat models – How well person knows you – How skilled a hacker they are • Developing prototypes – Mobile case – Work/Home • Evaluating security and usability – Ease of use, time to login – False accept rates, expert analysis
  • ©2011CarnegieMellonUniversity:19 Understanding Human Behavior at Very Large Scales • Capabilities of today’s mobile devices – Location, sound, proximity, motion – Call logs, SMS logs, pictures • We can now analyze real-world social networks and human behaviors at unprecedented fidelity and scale
  • ©2011CarnegieMellonUniversity:20 • Insert graph here • Describe entropy
  • ©2011CarnegieMellonUniversity:21 Entropy Related to Location Privacy
  • ©2011CarnegieMellonUniversity:22 Results of Location Analysis • Entropy related to location privacy – Fewer concerns in “public” places (Toch et al, Ubicomp 2010) • Can predict Facebook friendships based on co-location patterns – Not just frequency, but also where – 92% accuracy (Cranshaw et al, Ubicomp 2010) • Can predict number of friends based on mobility patterns – Go out often and to high entropy places
  • ©2011CarnegieMellonUniversity:23 Augmented Social Graph
  • ©2011CarnegieMellonUniversity:24 Augmented Social Graph
  • ©2011CarnegieMellonUniversity:25 Augmented Social Graph • Online social network information + smartphone communication – Infer tie strength, roles, groups
  • ©2011CarnegieMellonUniversity:26 Potential Scenarios • Secure invitations – Who is this person friending me? – How do my friends know her? • Communication triage • Configuration of privacy policies – Tie strength strongly correlated with what personal info people willing to share (Wiese et al, Ubicomp 2011) – Communication and co-location can be used to predict tie strength • Depression / Leadership
  • ©2011CarnegieMellonUniversity:27 Summary • WebTicket – Printable tokens to login • Casual authentication – Use sensor data and models to characterize people and places – Modulate level of authentication based on situation • Understanding behavior at large scales – Opportunity to instrument the world – Augmented social graph