Computer Human Interaction: Mobility, Privacy, and Security, for Cylab Partners Meeting Sep2011
This talk was for the Cylab partners meeting in 2011. I gave an overview of research my colleagues and I are doing in streamlining authentication as well as understanding human behavior at large scales.

Published in: Technology
  • Images are from Paul Adam’s talk
  • Transcript

    • 1. Computer Human Interaction: Mobility, Privacy, and Security. Jason Hong, jasonh@cs.cmu.edu. ©2009 Carnegie Mellon University
    • 2. Two Major Research Thrusts
      – Streamlining Authentication: how to simplify and strengthen authentication using sensor data?
      – Understanding Human Behavior at Large Scales: what can we infer about people and places based on lots of sensor data?
    • 3. Too many passwords!!!
    • 4. Problems with Passwords
      – People forget passwords
      – Susceptible to social engineering
      – People re-use passwords
      – Passwords tend to be weak in practice
    • 5. WebTicket
      – Cheap printable tokens for a reliable way to log in
      – Browser plug-in for creating new accounts; strong passwords are assigned
      – Print out ticket: the ticket is encrypted to work only with specific computer(s); the QR code holds URL, user name, password
    • 6. Logging In with WebTicket
    • 7. WebTicket
      – Design: very cheap (paper + printer + webcam); compatible with existing systems; easy to deploy; easy to teach: treat it like a house key
      – Weaknesses: not meant for commonly used passwords; tickets can get damaged or lost; need to store main encryption key; scale (about 15 accounts on average)
    • 8. WebTicket User Study
      – Three studies, 59 people total. Study 1: lab study; Study 2: lab study (phishing too); Study 3: field trial
      – Experiment: two conditions, password and WebTicket; create a few new accounts; log in to a few sites; come back a week later, log in again
    • 9. WebTicket Study Results
      – 1/4 of people using passwords could not log in again a week later (didn’t restrict what passwords people used)
      – Login time for WebTicket slower at first, faster a week later
      – WebTicket perceived as easier and faster
      – Simulated phishing attack: all in the password condition fell for it; 30% of people using WebTicket did (though data still encrypted)
    • 10. Ongoing and Future Work
      – Mobile phone version to scale up: a strong password manager; can’t fall for phish either
    • 11. Ongoing Work
      – Can encode 3k of data with QR codes. Ex. “Login only if in Cylab office or home”; Ex. “Login only if between 5-8pm”; Ex. “Login only if parents at home”; Ex. “Notify parents when you login”; Ex. include face biometric data
    • 12. Casual Authentication
      – Use commodity sensors + behavioral models for cheap, passive, multi-factor authentication
      – Modulate level of authentication needed: in likely situations, make logins fast; in unlikely situations, make it reliable
    • 13. Example Scenarios
      – Scenario 1, mobile device: if likelihood of being in the office is high, make login fast; if in Brazil, make login reliable. Factors: location, IP address, WiFi MAC, Bluetooth devices nearby, tilt
      – Scenario 2, home: wake up in the morning, go to the computer. Factors: weight sensor in chair, height sensor via Kinect, mobile devices nearby. Use face recognition to log in (fast)
    • 14. Casual Authentication
      – Location as a passive factor: (a) diary study with 20 people, (b) location traces of 30 people. (a) Where people log in (Hayashi and Hong, CHI 2011); (b) where people spend time (Amini et al, Mobisys 2011)
    • 15. Characterizing Places
      – Location entropy: concept taken from ecology; number of unique people seen in a place; approximates public vs private
      – Locaccino data: 489 participants, 2.8m location sightings
    • 16.
    • 17. Using Location Data
      – Characterizing individuals: personal frequency; personal mobility pattern
      – Characterizing places: entropy (number of unique people); churn (same people or different); transience (amount of time spent); burst (regularity of people seen)
      – Building models of people and places
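Slides 15 and 17 describe the place metrics computed over the Locaccino sightings (entropy, churn). The following Python is an added example, not code from the deck or the Locaccino project: it computes Shannon entropy of sightings over users alongside the unique-people count the slide mentions, plus a day-to-day churn rate, over a constructed set of sightings. The 1.5-bit threshold separating "public" from "private" places is an assumption.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed sample sightings (user, place, day); not real Locaccino data.
SIGHTINGS = [
    ("alice", "home_a", 1), ("alice", "home_a", 2), ("alice", "home_a", 3),
    ("alice", "cafe", 1), ("bob", "cafe", 1), ("carol", "cafe", 2),
    ("dave", "cafe", 2), ("erin", "cafe", 3), ("bob", "cafe", 3),
    ("bob", "office", 1), ("carol", "office", 1), ("bob", "office", 2),
    ("carol", "office", 2), ("bob", "office", 3), ("carol", "office", 3),
]

def location_entropy(user_days):
    """Shannon entropy (bits) of how a place's sightings are spread over users.
    One regular visitor gives 0; n visitors seen equally often gives log2(n)."""
    counts = Counter(user for user, _ in user_days)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())

def churn(user_days):
    """Mean fraction of each day's visitors not seen the day before (0 = same people, 1 = all new)."""
    per_day = defaultdict(set)
    for user, day in user_days:
        per_day[day].add(user)
    days = sorted(per_day)
    if len(days) < 2:
        return 0.0
    rates = [len(per_day[cur] - per_day[prev]) / len(per_day[cur])
             for prev, cur in zip(days, days[1:])]
    return sum(rates) / len(rates)

def characterize(sightings, public_threshold_bits=1.5):
    """Profile each place; the entropy threshold for 'public' is an assumed value."""
    by_place = defaultdict(list)
    for user, place, day in sightings:
        by_place[place].append((user, day))
    profile = {}
    for place, user_days in by_place.items():
        h = location_entropy(user_days)
        profile[place] = {
            "entropy": round(h, 3),
            "unique_people": len({u for u, _ in user_days}),
            "churn": round(churn(user_days), 3),
            "kind": "public" if h >= public_threshold_bits else "private",
        }
    return profile

if __name__ == "__main__":
    for place, stats in characterize(SIGHTINGS).items():
        print(place, stats)
```

Note that the office, with only two people seen equally often, scores 1 bit of entropy and zero churn, whereas the cafe scores higher on both even though some visitors return.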
    • 18. Ongoing Work
      – Evaluating passive factors
      – Developing threat models: how well the person knows you; how skilled a hacker they are
      – Developing prototypes: mobile case; work/home
      – Evaluating security and usability: ease of use, time to log in; false accept rates, expert analysis
    • 19. Understanding Human Behavior at Very Large Scales
      – Capabilities of today’s mobile devices: location, sound, proximity, motion; call logs, SMS logs, pictures
      – We can now analyze real-world social networks and human behaviors at unprecedented fidelity and scale
    • 20. Insert graph here; describe entropy
    • 21. Entropy Related to Location Privacy
    • 22. Results of Location Analysis
      – Entropy related to location privacy: fewer concerns in “public” places (Toch et al, Ubicomp 2010)
      – Can predict Facebook friendships based on co-location patterns: not just frequency, but also where; 92% accuracy (Cranshaw et al, Ubicomp 2010)
      – Can predict number of friends based on mobility patterns: go out often and to high-entropy places
    • 23. Augmented Social Graph
    • 24. Augmented Social Graph
    • 25. Augmented Social Graph
      – Online social network information + smartphone communication: infer tie strength, roles, groups
    • 26. Potential Scenarios
      – Secure invitations: who is this person friending me? How do my friends know her?
      – Communication triage
      – Configuration of privacy policies: tie strength strongly correlated with what personal info people are willing to share (Wiese et al, Ubicomp 2011); communication and co-location can be used to predict tie strength
      – Depression / Leadership
    • 27. Summary
      – WebTicket: printable tokens to log in
      – Casual authentication: use sensor data and models to characterize people and places; modulate level of authentication based on situation
      – Understanding behavior at large scales: opportunity to instrument the world; augmented social graph