Today the USENIX folks ran a special workshop on human computer interaction, applied psychology, and computer security called UPSEC. The schedule and presentations can be found on the UPSEC program page.

Many of the presenters came from academia, and from past experience such talks are usually theoretical, so I was very happy to find that some of the talks were applied research.

Here are my notes from the topics that I enjoyed:

  • When Errors Attack!
    • SSL certificate warnings – 68% are invalid, and many users just ignore them.
    • Configuration error pages – why do we still have them?
    • Dialog boxes often look the same – people just hit continue
    • Need to reduce false alarm rate
  • Understanding Privacy Settings in Facebook with an Audience View
    • Audience aka stalker view improves the understanding of privacy settings
    • Lots of privacy settings available, not many on by default
    • As more applications are built on the Facebook API, what other privacy and security concerns will we have?
  • Biometric Daemons: Authentication via Electronic Pets
    • Domestic dog comparison
    • It should know the owner
    • It should growl at people it doesn’t know
    • It should evolve with the owner
  • Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model
    • Bitfrost
    • Activation uses time-limited leases obtained from the home country’s anti-theft and NTP server
    • Possible to deactivate a laptop if flagged stolen, or lease runs out
    • Attractive attack targets
      • Backup server
      • Activation/Lease server
  • iPhish: Phishing Vulnerabilities on Consumer Electronics
    • iPhone/iPod touch
      • No easy way to show full URL
      • URL only displays the first set of characters
        • www.bankofamerica.thisisabadsite.com will display www.bankofamerica…..
      • Browser chrome (the UI around the page) cannot be trusted
      • URL bar is part of content page (easy to spoof)
      • SSL certificates
        • No way to view or examine
        • Can only accept or deny
      • Mail application doesn’t utilize anti-spam or anti-phishing filters

Tomorrow is the LEET workshop, and the presentation lineup looks very good. I will also be covering it, so stay tuned for my notes and impressions. Thanks to USENIX for allowing me to cover the two events.