
Computer Human Interaction: Mobility, Privacy, and Security, for Cylab Partners Meeting Sep2011


This talk was for the Cylab partners meeting in 2011. I gave an overview of research my colleagues and I are doing in streamlining authentication as well as understanding human behavior at large scales.


  1. Computer Human Interaction: Mobility, Privacy, and Security. Jason Hong, jasonh@cs.cmu.edu (©2009 Carnegie Mellon University)
  2. Two Major Research Thrusts
     • Streamlining Authentication
       – How to simplify and strengthen authentication using sensor data?
     • Understanding Human Behavior at Large Scales
       – What can we infer about people and places based on lots of sensor data?
  3. Too many passwords!!!
  4. Problems with Passwords
     • People forget passwords
     • Susceptible to social engineering
     • People re-use passwords
     • Passwords tend to be weak in practice
  5. WebTicket
     • Cheap printable tokens for a reliable way to log in
     • Browser plug-in for creating new accounts
       – Strong passwords are assigned
     • Print out ticket
       – Ticket is encrypted to work only with specific computer(s)
       – QR code: URL, user name, password
  6. Logging In with WebTicket
  7. WebTicket
     • Design:
       – Very cheap (paper + printer + webcam)
       – Compatible with existing systems
       – Easy to deploy
       – Easy to teach: treat it like a house key
     • Weaknesses:
       – Not meant for commonly used passwords
       – Tickets can get damaged or lost
       – Need to store main encryption key
       – Scale (about 15 accounts on average)
  8. WebTicket User Study
     • Three studies, 59 people total
       – Study 1: Lab study
       – Study 2: Lab study (phishing too)
       – Study 3: Field trial
     • Experiment
       – Two conditions: password and WebTicket
       – Create a few new accounts
       – Log in to a few sites
       – Come back a week later, log in again
  9. WebTicket Study Results
     • 1/4 of people using passwords could not log in again a week later
       – Didn’t restrict what passwords people used
     • Login time for WebTicket slower at first, faster a week later
     • WebTicket perceived as easier and faster
     • Simulated phishing attack
       – All in password condition fell for it
       – 30% of people using WebTicket did (though data still encrypted)
  10. Ongoing and Future Work
     • Mobile phone version to scale up
       – A strong password manager
       – Can’t fall for phish either
  11. Ongoing Work
     • Can encode 3k of data with QR codes
       – Ex. “Login only if in Cylab office or home”
       – Ex. “Login only if between 5-8pm”
       – Ex. “Login only if parents at home”
       – Ex. “Notify parents when you login”
       – Ex. Include face biometric data
  12. Casual Authentication
     • Use commodity sensors + behavioral models for cheap, passive, multi-factor authentication
     • Modulate level of authentication needed
       – In likely situations, make logins fast
       – In unlikely situations, make it reliable
  13. Example Scenarios
     • Scenario 1 – Mobile device
       – If likelihood of being in the office is high, make login fast
       – If in Brazil, make login reliable
       – Location, IP address, WiFi MAC, Bluetooth devices nearby, tilt
     • Scenario 2 – Home
       – Wake up in morning, go to computer
       – Weight sensor in chair, height sensor via Kinect, mobile devices nearby
       – Use face recognition to log in (fast)
  14. Casual Authentication
     • Location as a passive factor
       – (a) Diary study with 20 people
       – (b) Location traces of 30 people
     (a) Where people log in (Hayashi and Hong, CHI 2011); (b) Where people spend time (Amini et al, Mobisys 2011)
  15. Characterizing Places
     • Location entropy
       – Concept taken from ecology
       – Number of unique people seen in a place
       – Approximates public vs private
     • Locaccino data
       – 489 participants
       – 2.8m location sightings
  16. [slide has no text]
  17. Using Location Data
     • Characterizing individuals
       – Personal frequency
       – Personal mobility pattern
     • Characterizing places
       – Entropy – number of unique people
       – Churn – same people or different
       – Transience – amount of time spent
       – Burst – regularity of people seen
     • Building models of people and places
  18. Ongoing Work
     • Evaluating passive factors
     • Developing threat models
       – How well the person knows you
       – How skilled a hacker they are
     • Developing prototypes
       – Mobile case
       – Work/Home
     • Evaluating security and usability
       – Ease of use, time to log in
       – False accept rates, expert analysis
  19. Understanding Human Behavior at Very Large Scales
     • Capabilities of today’s mobile devices
       – Location, sound, proximity, motion
       – Call logs, SMS logs, pictures
     • We can now analyze real-world social networks and human behaviors at unprecedented fidelity and scale
  20. [speaker placeholder slide]
     • Insert graph here
     • Describe entropy
  21. Entropy Related to Location Privacy
  22. Results of Location Analysis
     • Entropy related to location privacy
       – Fewer concerns in “public” places (Toch et al, Ubicomp 2010)
     • Can predict Facebook friendships based on co-location patterns
       – Not just frequency, but also where
       – 92% accuracy (Cranshaw et al, Ubicomp 2010)
     • Can predict number of friends based on mobility patterns
       – Go out often and to high-entropy places
  23. Augmented Social Graph
  24. Augmented Social Graph
  25. Augmented Social Graph
     • Online social network information + smartphone communication
       – Infer tie strength, roles, groups
  26. Potential Scenarios
     • Secure invitations
       – Who is this person friending me?
       – How do my friends know her?
     • Communication triage
     • Configuration of privacy policies
       – Tie strength strongly correlated with what personal info people are willing to share (Wiese et al, Ubicomp 2011)
       – Communication and co-location can be used to predict tie strength
     • Depression / Leadership
  27. Summary
     • WebTicket
       – Printable tokens to log in
     • Casual authentication
       – Use sensor data and models to characterize people and places
       – Modulate level of authentication based on situation
     • Understanding behavior at large scales
       – Opportunity to instrument the world
       – Augmented social graph
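To make the place metrics of slides 15 and 17 and the "modulate the level of authentication" idea of slide 12 concrete, here is an added Python example; it is not code from the talk or from Locaccino. It computes, over a few constructed sightings, the unique-people count the slides call entropy together with the Shannon entropy of who is seen at each place (my formulation, an assumption), plus a user's personal frequency, and then maps a login attempt to a fast, standard or reliable authentication level (the thresholds and the policy are assumptions).

```python
import math
from collections import Counter, defaultdict

# Constructed sightings of (user, place); not real Locaccino data.
SIGHTINGS = [
    ("alice", "home_A"), ("alice", "home_A"), ("alice", "home_A"), ("alice", "home_A"),
    ("alice", "cylab"), ("alice", "cylab"), ("bob", "cylab"), ("carol", "cylab"),
    ("dave", "cafe"), ("erin", "cafe"), ("frank", "cafe"), ("grace", "cafe"),
    ("alice", "cafe"), ("bob", "home_B"), ("bob", "home_B"),
]


def place_entropy(sightings):
    """Characterize each place: how many distinct people were seen there, and
    the Shannon entropy (bits) of who is seen there. 0 bits means one person
    only (private); log2(n) bits means n people seen equally often (public)."""
    per_place = defaultdict(Counter)
    for user, place in sightings:
        per_place[place][user] += 1
    stats = {}
    for place, counts in per_place.items():
        total = sum(counts.values())
        h = -sum((c / total) * math.log2(c / total) for c in counts.values())
        stats[place] = {"unique_people": len(counts), "entropy_bits": round(h, 3)}
    return stats


def personal_frequency(sightings, user):
    """Personal frequency: the fraction of this user's sightings at each place."""
    counts = Counter(place for u, place in sightings if u == user)
    total = sum(counts.values())
    return {place: c / total for place, c in counts.items()}


def required_auth_level(sightings, user, place, min_freq=0.25, max_entropy=1.0):
    """Modulate authentication strength from the passive location factor.
    A place the user frequents that is also private (low entropy) is a likely
    situation -> 'fast' (e.g. face recognition only). A place never seen for
    this user is an unlikely situation -> 'reliable' (full multi-factor login).
    Anything in between -> 'standard'. Thresholds are illustrative assumptions."""
    ent = place_entropy(sightings).get(place, {"entropy_bits": math.inf})["entropy_bits"]
    freq = personal_frequency(sightings, user).get(place, 0.0)
    if freq >= min_freq and ent <= max_entropy:
        return "fast"
    if freq == 0.0:
        return "reliable"
    return "standard"
```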
