The "U" in SOUPS
I'm attending the Symposium on Usable Privacy and Security (SOUPS) this week. In its second year, the ACM conference strives to understand the known weakest link in security: the human. The focus this year is phishing and passwords. Humans are particularly susceptible to URL typos (a la Bankofthevvest.com), homograph attacks (substituting a Unicode character that looks like an "a" into paypal.com, which takes you to a different domain) and picture-in-picture attacks, because we've become accustomed to trusting cues within the browser. And it's unreasonable to expect people to remember random mixed-case alphanumeric passwords that change regularly and are different for all of their accounts. Our brains just don't work that way. Some highlights from the conference:

Skinny-dipping on the Internet: A Windows machine connected to the Internet without anti-virus software will be infected in 11 minutes. Anti-virus software takes 14 minutes to install. (Oh, and that's the fastest software. McAfee 2006 takes 136 minutes and 8 reboot cycles.)
Lorrie Cranor, the conference organizer, received an email from the Nigerian government with registrations for three Nigerian attendees. The email included a request for travel visas, a typical request for conferences with international attendees. The credit cards went through. Lorrie showed the email on the overhead and asked whether we thought it was a scam. She thought so, but her staff didn't. Eventually they found out the cards were stolen. Lorrie suggested that the Nigerian government probably wouldn't use three exclamation points in the subject line.
Passpet: A password helper app that doesn't suck. Ka-Ping Yee and Kragen Sitaker developed a Firefox extension that generates secure passwords. It shows up as an animal icon unique to you (e.g. goldfish, frog) and stores your own labels ("petnames") for each website you trust (e.g. Citibank.com is "my bank"). Because each user has a different animal, attackers can't chrome-spoof a Passpet (like they can a standard password entry dialog box). Passpet derives a site's password by running a double hash over your secret and the site's label. Passpet remembers these passwords for each website for you, and all you need is a single secret (like "wonderland is fun") that you tell to Passpet before using it. When you click the Passpet on a known (labeled) site, it enters your username and password for you. You can't enter a password on a spoofed site because it isn't labeled: Passpet will refuse. Encrypted versions of your site labels are stored on a server of your choice so you can access your Passpet from any computer.
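To make the Passpet idea concrete, here is an added illustration of petname-keyed password derivation. It is not Passpet's own code: the two-step hash construction (PBKDF2 stretching followed by an HMAC keyed on the label), the fixed salt, the petname table and the password alphabet are all assumptions of this example.

```python
# Petname-keyed password derivation, modeled on the Passpet description
# above.  Added illustration, not Passpet's own code: the hash
# construction, the salt, the label table and the alphabet are assumptions.
import hashlib
import hmac
import string
from typing import Optional

# Constructed petname table: origin -> the user's own label for that site.
# Only labeled origins are trusted; any other origin is refused.
PETNAMES = {
    "https://www.citibank.com": "my bank",
    "https://www.paypal.com": "paypal",
}

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
PASSWORD_LEN = 16
STRETCH_ROUNDS = 100_000                           # assumed PBKDF2 cost


def stretch_secret(master_secret: str, salt: bytes) -> bytes:
    """First hash: deliberately slow, so an attacker who captures one site
    password cannot cheaply guess the master secret behind it."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                               salt, STRETCH_ROUNDS)


def derive_password(master_secret: str, label: str,
                    salt: bytes = b"passpet-example-salt") -> str:
    """Second hash: bind the stretched secret to the site label, then map
    the digest onto printable characters.  Same secret + same label gives
    the same password on any computer; a different label gives an
    unrelated one, so one leaked site password reveals nothing about the rest."""
    key = stretch_secret(master_secret, salt)
    digest = hmac.new(key, label.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LEN):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def credential_for(origin: str, master_secret: str) -> Optional[str]:
    """Fill-in decision: derive a password only for an origin the user has
    labeled.  A lookalike or typo domain has no label, so it gets nothing,
    which is what keeps the password away from a spoofed site."""
    label = PETNAMES.get(origin)
    if label is None:
        return None
    return derive_password(master_secret, label)


if __name__ == "__main__":
    secret = "wonderland is fun"
    print("bank: ", credential_for("https://www.citibank.com", secret))
    # Cyrillic 'i' (U+0456) in place of Latin 'i': unlabeled, so refused.
    print("spoof:", credential_for("https://www.c\u0456tibank.com", secret))
```

The refusal is the security-relevant part: the decision is keyed on the user's own label, not on anything the attacker controls in the page.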
Gender differences in password management: Shirley Gaw presented a qualitative study of undergrads' perceptions about password management. They believe that hackers, competitors, and friends are the people most motivated and able to break into their accounts. Friends. She didn't focus on gender, but did mention that two female participants feared that their ex-boyfriends would compromise their accounts. Do guys worry about their girlfriends hacking their accounts? Perhaps they should listen to Barcelona's shell account song.
Cracking mnemonic phrase-based passwords: Lots of organizations encourage employees to generate passwords by using the first letter from a memorable phrase. But these phrase-based passwords are as easy—perhaps even easier—to crack because people pick publicly available phrases. In the study, 53% of the participants chose googleable phrases like:
- "I wish I were an Oscar Mayer wiener"
- "My name is Inigo Montoya. You killed my father. Prepare to die."
- Kelly Clarkson lyrics
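Here is an added example of the attack the study implies: build a dictionary of first-letter passwords from phrases anyone can google and run it against password hashes. The phrase list, the substitution rules and the target hashes are constructed for illustration and are not the study's data.

```python
# Mnemonic-phrase dictionary attack of the kind the study above describes:
# take phrases anyone can google, apply the first-letter habits people use,
# and test the results against password hashes.  Added example; the phrase
# list, substitution rules and target hashes are constructed, not the
# study's data.
import hashlib
import re

# Constructed corpus of "googleable" phrases: jingles, movie quotes, lyrics.
PHRASES = [
    "I wish I were an Oscar Mayer wiener",
    "My name is Inigo Montoya. You killed my father. Prepare to die.",
    "Since you been gone",
    "To be or not to be that is the question",
]

# Common sound-alike substitutions people apply to short words.
SOUND_ALIKE = {"to": "2", "too": "2", "for": "4", "you": "u", "are": "r", "and": "&"}

TOKEN = re.compile(r"[A-Za-z0-9']+|[.!?,]")


def mnemonic_variants(phrase):
    """The first-letter passwords a user is likely to build from one phrase:
    plain initials, initials with the phrase's punctuation kept, and
    initials with sound-alike substitutions, each in the usual casings."""
    tokens = TOKEN.findall(phrase)
    words = [t for t in tokens if t[0].isalnum()]
    shapes = [
        [w[0] for w in words],                                  # plain initials
        [t[0] if t[0].isalnum() else t for t in tokens],         # keep punctuation
        [SOUND_ALIKE.get(w.lower(), w[0]) for w in words],      # sound-alikes
    ]
    variants = set()
    for shape in shapes:
        s = "".join(shape)
        variants.update({s, s.lower(), s.upper(), s[:1].upper() + s[1:].lower()})
    return variants


def build_dictionary(phrases):
    return {v for p in phrases for v in mnemonic_variants(p)}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, phrases):
    """Return {hash: password} for every target hit by the mnemonic dictionary."""
    found = {}
    for candidate in build_dictionary(phrases):
        h = sha256_hex(candidate)
        if h in target_hashes:
            found[h] = candidate
    return found


# Constructed targets: three mnemonics of the phrases above, plus one
# password with no phrase behind it that the dictionary should not recover.
TARGETS = {sha256_hex(p) for p in ["IwIwaOMw", "MniIM.Ykmf.Ptd.", "2bon2btitq", "q7Rv#pLw"]}

if __name__ == "__main__":
    hits = crack(TARGETS, PHRASES)
    print(f"dictionary size {len(build_dictionary(PHRASES))}, "
          f"recovered {len(hits)} of {len(TARGETS)}")
    for h, pw in hits.items():
        print(h[:12], "->", pw)
```

Unsalted SHA-256 stands in for whatever the real system hashes with; a slow password hash raises the cost per guess but does not change the outcome, because the dictionary is only a few dozen entries per phrase.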
Unicode attacks: There are 2.6 billion possible spellings of "citibank" using Unicode characters that look exactly like the Latin ones. Nifty IRI-based phishing chart at the City University of Hong Kong.
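An added example of checking a hostname for this kind of lookalike, not from the page or the Hong Kong chart: it reads the Unicode script of each letter, shows the punycode form the resolver actually sees, folds known confusables back onto Latin to compare against an allow-list, and counts how many visually identical spellings a small confusables table already yields. CONFUSABLES and TRUSTED are hand-picked assumptions; a full confusables table is what produces counts in the billions.

```python
# Lookalike-domain check for the homograph problem described above.  Added
# example; CONFUSABLES is a small hand-picked subset of lookalike pairs and
# TRUSTED is a constructed allow-list.
import unicodedata

# Non-Latin letters that render like a Latin letter (assumed subset).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u03bf": "o",  # Greek small omicron
}

TRUSTED = {"citibank.com", "paypal.com"}


def scripts_in(label: str) -> set:
    """Unicode scripts used by a label, read off the character names
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def to_ascii(hostname: str) -> str:
    """What the resolver actually sees: the IDNA (punycode) form."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname: str) -> str:
    """Fold each known confusable onto the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def analyze(hostname: str, trusted=TRUSTED) -> dict:
    """Flag a label that mixes scripts, and a name whose folded form is a
    trusted name while the name itself is not."""
    host = hostname.lower()
    skel = skeleton(host)
    return {
        "ascii": to_ascii(host),
        "mixed_script": any(len(scripts_in(lbl)) > 1 for lbl in host.split(".")),
        "lookalike_of": skel if (skel != host and skel in trusted) else None,
    }


def lookalike_count(name: str) -> int:
    """Number of visually identical spellings of `name` using CONFUSABLES:
    each letter either stays Latin or is swapped for one of its lookalikes."""
    per_letter = {}
    for _lookalike, latin in CONFUSABLES.items():
        per_letter[latin] = per_letter.get(latin, 0) + 1
    total = 1
    for ch in name:
        total *= 1 + per_letter.get(ch, 0)
    return total


if __name__ == "__main__":
    for host in ["citibank.com", "c\u0456t\u0456bank.com", "p\u0430ypal.com"]:
        print(host, analyze(host))
    print("citibank lookalikes with this table:", lookalike_count("citibank"))
```

Browsers that show the punycode form for mixed-script labels are applying the same first check; the skeleton comparison is what catches a name that is entirely one non-Latin script and therefore not "mixed" at all.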
Customized spamming and phishing: Data mining is getting so good (think gmail ads) that soon spam and phishing will be customized to an individual level, but still generated automatically. So signature-based spam/phishing detection will be ineffective.
Smiling baby: As an aside, Lorrie has the most well behaved and adorable baby in the world. She attended the entire conference from Lorrie's lap. She was awake about as much as the adult participants.
Julie Downs: "To escape a bear, you don't have to run faster than the bear, just faster than the other people." Phishers just have to be smarter than the stupidest internet users.
Rob Franco (of Microsoft, when his IE demo didn't work): "Every Microsoft demo begins with an excuse."
Naive computer user: "I have Norton Antibiotics running on my computer."
A more thorough summary of the conference is on Ping's Usable Security blog.
Comments
This was the most informative blog post I've read in a while! Thanks for keeping me up to speed, I feel like I practically attended the conference now :)
I especially enjoy articles about areas I'm fringe-interested in, but not very expert in yet. So you can hear about clever things other people do and be truly amazed...
I'm still mystified by the idea that even if I were to choose a password like "oiwiwaomw" or "subgicbftft" someone would think to try it. Am I missing something?
I'm with Kevin on the fringe-interest-not-yet-expert thing.
-- Margaret
Margaret: Password crackers aren't really "thinking"--they're just running brute force attacks automatically, trying out words from dictionaries, or trying sequences of random letters.
So it's good these aren't dictionary words. But they're still not really all that random. First of all, they're all lowercase. So you've cut the search time in half (more, really, but let's just say half).
And these letters are all in easy-to-type locations on the keyboard. Lots of people do this; it's annoying to reach for numbers, the plus sign, hold down shift, etc. So, any brute force attack that just tried out letters would try the easy letters first, too.
You guys should both check out Ping's blog. It's full of stuff like this.
Ditto Kevin - I would have probably failed all the tests on the CNET article.
Great job pulling together info I was only peripherally aware of.
Back to my little black book full of individual gobbledygook. Oops! That was my favorite password - please don't use it!
Like a box full of caffeinated puppies
Went to the Book 'Em benefit last night at the Mr. Roboto Project in Wilkinsburg. Book 'Em sends books to prisoners, and four alt punk bands performed for the cause. A bit of scene-setting is necessary:

The heat: It was sixth-circle-of-hell hot in the tiny room, sweltering with the bodies of a hundred hipsters. Everyone fled from the sweaty womb between bands to the refreshing Pittsburgh July chill.
T-shirts: Every t-shirt was chosen with care. From the military block print of the word "Cursive" to the sleeveless Chinese take-out restaurant in Portland to the record labels to the gambling rehab clinic.
The bands: By far the best was Endless Mike and the Beagle Club, a seven-person unit, three of whom seemed to be devoted solely to playing various percussive toys and falling down a lot. Infectious, shouty pop that's impossible to resist a la The Long Winters, or maybe The Polyphonic Spree sans choir robes. The band members are smiley and exuberant, and the songwriting was surprisingly high quality and coordinated. Somewhat less interesting were the headliners, This Bike is a Pipe Bomb, (a fan of whom had an unfortunate incident with security at an Ohio University), with pretty incoherent punk rock. The bass player had broken her hand, so she substituted the obvious replacement for her bass: the glockenspiel.
BTW, Book 'Em needs dictionaries and help with shipping costs.
Abdul Hakeem Walk
Tomorrow I'm going to go on this walk to raise $12,000 for Abdul Hakeem and his family. They lost their home in Fallujah two years ago to a mortar bomb and my friend Maria is leading a walk with No More Victims to help the family rebuild their home and pay for medical expenses.Two ways to help:
- Sponsor me. I'm collecting donations through PayPal until Wednesday morning (July 12).
- Come on the walk. It's Sunday from 1:00-4:00 and starts at The Islamic Center, 4100 Bigelow Blvd., Oakland.
Barmy
Review of Among the Thugs over in Reading.

Group wedgies
Egads, I just celebrated the birthday of Baby America in a deathmatch of Trivial Pursuit, girls against boys. Both teams earned all but one wedgie (as Amy insisted they're called), and in a delirious fit in the fourth hour of the game (fueled by sumptuous potluck fare and sangria), we decided on a sudden death round: whichever team answered the most questions on a single card would win. We did have the luxury of the 2006 edition, so the pop culture and geography questions were actually attainable.

Overall, the cognitive and social psychology processes were fascinating: watching same-sex groups make decisions in the presence of the opposite sex. The guys were more likely to offer wild answers individually and then stick to their choices in the face of team dissent, while the women were more likely to offer ideas tentatively or acquiesce to one teammate's strong hunch. Although both teams had their confident and hedgy moments. But we won 5 to 4, in the end. Good ol' Gorbachev and Heceta Head Lighthouse.
On a tangential foodie note, I learned that my bricolage quinoa fruit salad was delightful. Cinnamon and tarragon worked well with the olive oil and oj vinaigrette.
Comments
...and the winner of the best blog entry title goes to [drumroll here]...Moira. Brilliant and hilarious title.
I totally suck at that game...it's like I think I'm a pretty smart guy, but then I play that game and I'm brought back to reality.
I suppose I should play it more often.