Chameleon and Kazaa
Jason I. Hong
January 31, 2006
Usable Privacy and Security
Chameleon Overview
• Motivation
– Minimize damage done by malware (viruses, worms)
• Insights
– Access control useful but too hard for typical user
– Leverage physical metaphor in home (plumber vs accountant)
• Key Ideas
– Compartmentalize things into a few basic roles
• Coarse-grained access control
– Provide a user interface that makes it easy to understand and work with these roles
Stepping Back, Bigger Picture
• Kind of paper:
– Design proposal introducing new user interface metaphor
– Several user evaluations of design
• Usable Privacy and Security themes:
– Make it invisible
– Make it understandable (better metaphors, visibility)
– Train the users
Stepping Back, Bigger Picture
• Embodies good usability practices
– Lo-fi paper prototypes
– Iterative design (paper, VBasic, interactive version)
– User studies throughout
Example from iteration 1 (figure: Lo-Fi Prototype)
Example from iteration 2 (figure: Interactive Prototype, showing Comm. apps, Internet app., Testing app.)
Roles, A Short Digression
• Role-based access control (RBAC)
– Roles are created for various job functions in an org
– Users assigned roles based on their responsibilities
– Users can be easily reassigned from one role to another
– Roles can be granted new permissions (or revoked)
– http://csrc.nist.gov/rbac
• Example roles:
– Specific tasks: physician, doctor
– Authority: project manager
– Specific duties: duty physician, shift manager
Standard Roles in Chameleon
• Five standard roles
– Vault - Most sensitive data
– Communications - Email, IM, Web
– Default - No network restrictions
– Testing - Untrusted, no net
– System - Operating system
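The RBAC digression and the five Chameleon roles describe the same mechanism at two levels: roles are created, subjects are assigned and reassigned, permissions are granted and revoked per role, and a compromised program can only reach what its role allows. The following Python is an added illustration written for these notes, not the Chameleon authors' code or NIST's reference model. The role names and one-line descriptions come from the slides; the permission strings, which roles get network access (Vault and Testing are modelled without it), and the app names are assumptions made for the demo.

```python
"""Coarse-grained roles in the spirit of the RBAC properties and the five
Chameleon roles on the slides.  Added illustration, not the Chameleon authors'
code or the NIST model: role names come from the slides, the permission
strings and which roles get network access are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    description: str
    permissions: set = field(default_factory=set)


class RolePolicy:
    """Roles, subject-to-role assignments, and the access check that uses them."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # subject (app or user) -> role name

    def create_role(self, name, description, permissions=()):
        # "Roles are created for various job functions"
        self.roles[name] = Role(name, description, set(permissions))

    def assign(self, subject, role_name):
        # "Users assigned roles"; calling it again is the reassignment case
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        self.assignments[subject] = role_name

    def grant(self, role_name, permission):
        # "Roles can be granted new permissions": every subject in the role gets it
        self.roles[role_name].permissions.add(permission)

    def revoke(self, role_name, permission):
        self.roles[role_name].permissions.discard(permission)

    def allowed(self, subject, permission):
        role = self.assignments.get(subject)
        if role is None:
            return False  # unassigned subjects get nothing: fail closed
        return permission in self.roles[role].permissions


def blast_radius(policy, subject):
    """What malware running as `subject` could reach: its own role's permissions
    and nothing from the other compartments.  This is the 'minimize the damage'
    property the slides attribute to compartmentalization."""
    role = policy.assignments.get(subject)
    return set() if role is None else set(policy.roles[role].permissions)


def chameleon_policy():
    """The five standard roles from the slides.  Assumption: 'net' means the
    role may use the network; Vault and Testing are modelled without it."""
    p = RolePolicy()
    p.create_role("Vault", "Most sensitive data", {"read:vault", "write:vault"})
    p.create_role("Communications", "Email, IM, Web", {"net", "read:comm", "write:comm"})
    p.create_role("Default", "No network restrictions", {"net", "read:default", "write:default"})
    p.create_role("Testing", "Untrusted, no net", {"read:testing", "write:testing"})
    p.create_role("System", "Operating system", {"net", "admin"})
    return p


if __name__ == "__main__":
    p = chameleon_policy()
    p.assign("mail-client", "Communications")
    p.assign("just-downloaded.exe", "Testing")   # new, untrusted app starts in Testing
    print("testing app can reach:", blast_radius(p, "just-downloaded.exe"))
    p.assign("just-downloaded.exe", "Default")   # reassigned once the user trusts it
    print("default app can use net:", p.allowed("just-downloaded.exe", "net"))
```

The point of `blast_radius` is the one the "Questions about Prevention" slide raises: if the Testing compartment is compromised, the answer to "what can the attacker reach?" is exactly that role's permission set, and moving the app to another role (or revoking a permission on the role) changes that answer for every subject in the role at once.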
Standard Set of Roles
• Mixed metaphors, not quite everyday roles:
– Vault – a device for physically safeguarding important stuff
– Communications – a collection of unrelated apps for communicating with people
– Testing – ???
Standard Set of Roles
• Explaining to people what role they are in
– Window borders subtle and easy to miss
– Desktop combines multiple roles simultaneously
– Very hard, could be Achilles’ heel
More Thoughts on Chameleon
• Assumption
– Malware will happen, minimize the damage
• Secrets and Lies, Bruce Schneier
– prevention - facilities and systems to prevent people getting in and taking information
– detection - to find out if anybody has gotten in, and compromised important information or processes
– reaction - to allow the "bad guys" to be identified and their activity stopped
Questions about Prevention
• What do you do if a role is compromised?
• How does a person know what role an app or file should be installed into?
• Make sense to group “Communications” together?
– IM, Web browsing, Email
– Conjecture: People consider endpoint rather than mechanism used
– Ex. John vs phone or email
More Thoughts on Chameleon
• Testing role
– Personally, I’d really like this
– Combine with a virtual machine
– Temporarily and safely install new app and see what it’s like
– Have virtual machine tell you if it has spyware or not
– However, rather than a role, maybe a different metaphor
Even More Thoughts
• Basic ideas quite good:
– Compartmentalization
– Different levels of trust
• But some concerns:
– Too sophisticated for average home PC users?
• Unclear about who the participants were
– Too easy to work around the system?
– Unclear how well Chameleon works
• p350, People didn’t notice trickery
Some Open Questions
• Is the desktop the right place to do this?
– People do risky actions in web browsers, email, etc
– A compromised web browser can be quite dangerous too
• Will changing roles become tedious?
– User studies described initial reactions
– Easy to overlook things, requires eternal vigilance?
– Different roles are also different modes
• Very easy to make errors
• Solution 1: Pseudo-modes
• Solution 2: Modeless (how?)
Some More Open Questions
• Is Chameleon’s basic metaphor right?
– Mixes application-based metaphor with file-based metaphor with physical-based metaphor (home)
• Alternatives:
– Multiple desktops?
– Multiple file systems?
Some More Open Questions
• Good insight: re-thinking application development
– Operating system - traditional security, but no context
– Application - security can be part of workflow, but duplicated work, inconsistency
– Toolkit - provide lots of reusable components, but unclear on useful abstractions
• Idea of a toolkit for building secure apps is a great idea, difficulty is in execution
– Would it contain new UI widgets?
– Security primitives?
– Toolkits tend to be reductionist, but usable privacy and security seems to be holistic
Kazaa File Sharing Study
• Motivation
– Lots of people use P2P file sharing, but how usable are they?
• Insights
– Seems like lots of people sharing files accidentally
• What they did
– Cognitive walkthrough predicting usability problems
– User study demonstrating usability problems
– Proposed new design guidelines for P2P systems
Stepping Back, Bigger Picture
• Kind of paper:
– User evaluations of existing application
– Generalization of results
– Paper is all evaluation, so needs more evaluation than Chameleon (which is design, implementation, plus eval)
• Usable Privacy and Security themes:
– Make it invisible
– Make it understandable (better metaphors, visibility)
– Train the users
Kazaa File Sharing Study
• Good and Krekelberg, CHI 2003
• Given arbitrary setup of Kazaa, could people understand what files were downloadable by others?
• Found lots of people sharing inbox.dbx
• Found that some people were downloading a fake inbox.dbx file
Kazaa Cognitive Walkthrough
• Cognitive Walkthrough
– Simple usability technique, put yourself in shoes of users and try to use the interface from their perspective
• Problem #1: Multiple names for similar things
– My Shared Folder - a folder + all shared files
– My Media - all shared files by media type
– My Kazaa - all shared files by media type
– Folder for downloaded files - root folder of all shared files
Kazaa Cognitive Walkthrough
Problem 2: Downloaded files are also shared files
Problem 3: Kazaa recursively shares folders
Kazaa Cognitive Walkthrough
Problem 4: Can select a folder, but what files are inside?
Error-prone approach. Also risk with recursive folders.
Kazaa Cognitive Walkthrough
Note: Gives one-time warning if you select an entire hard drive
Kazaa Cognitive Walkthrough
• Problem 5: Inconsistent views
– Two UIs for doing similar tasks, but show different information about state of system
Kazaa File Sharing Study
• 12 users, 10 had used file sharing before
• Figure out what files are being shared by Kazaa
– Download files set to C:\ (ie all files on hard drive C:)
• Results
– 5 people thought it was “My Shared Folder”
• which one UI did suggest
– 2 people used Find Files to find all shared files
• This UI had no files checked, thus no files shared?
– 2 people used help, said “My Shared Folder”
– 1 person couldn’t figure it out at all
– Only 2 people got it right
Usability Guidelines for P2P
• P2P file sharing is safe and usable if users:
– Are aware of what files are being offered to others
– Can determine how to share and stop sharing
– Do not make dangerous errors leading to unintentional sharing of files
– Are comfortable with what is being shared and confident the system is working correctly
• Design suggestions:
– Only allow sharing of multimedia files (…effective?)
– Better feedforward
– Allow exceptions to recursively shared folders
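Problems 2 through 4 of the cognitive walkthrough (downloads are shared, sharing is recursive, selecting a folder hides what is inside it) and the three design suggestions above describe one missing feature: a preview of exactly what a share setting would expose before it takes effect. The Python below is an added example written for these notes, not Kazaa's software or the study's code. It implements that feedforward over a folder tree, supports the "exceptions to recursively shared folders" suggestion via `exclude`, the "only allow multimedia" suggestion via `media_only`, and turns Kazaa's one-time whole-drive warning into a check that runs every time. The sensitive-name patterns, the media allowlist and the sample folder tree are constructed for the demo.

```python
"""Feedforward for a P2P share configuration: before any folder is shared,
list exactly which files would be exposed, honour exclusions for subfolders
and flag risky cases.  Added illustration, not Kazaa's software or the study's
own code; the sensitive-name patterns, the media allowlist and the sample
folder tree are all constructed for this demo."""
import os
import tempfile
from pathlib import Path

# Assumed: names and suffixes that should never appear in a share (inbox.dbx
# is the mailbox file the study found people sharing).
SENSITIVE_PATTERNS = ("inbox.dbx", ".pst", ".key", ".pem")
# Assumed allowlist for the "only allow sharing of multimedia files" suggestion.
MEDIA_SUFFIXES = (".mp3", ".avi", ".jpg")


def is_whole_drive(path):
    """True for a filesystem or drive root such as C:\\ or /, the case where the
    study's users had their download folder set and everything became shared."""
    p = Path(path)
    return p.parent == p


def preview_share(root, recursive=True, exclude=(), media_only=False):
    """Return (files that would be shared, warnings) without sharing anything.

    `exclude` lists subfolder names (relative to root) that stay private even
    though the parent is shared recursively."""
    root = Path(root)
    excluded = {root / e for e in exclude}
    shared, warnings = [], []
    if is_whole_drive(root):
        warnings.append(f"{root} is an entire drive; everything on it would be shared")
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Prune excluded subfolders so they are neither listed nor descended into;
        # a non-recursive share descends nowhere.
        dirnames[:] = [] if not recursive else [n for n in dirnames if here / n not in excluded]
        for name in filenames:
            f = here / name
            if media_only and f.suffix.lower() not in MEDIA_SUFFIXES:
                continue
            rel = f.relative_to(root).as_posix()
            if any(name.lower().endswith(pat) for pat in SENSITIVE_PATTERNS):
                warnings.append(f"sensitive file would be shared: {rel}")
            shared.append(rel)
    return sorted(shared), warnings


def build_sample_tree():
    """Constructed download folder mimicking the study's situation: media files
    next to a mailbox and a mail archive, in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="kazaa-demo-"))
    (base / "music").mkdir()
    (base / "music" / "song.mp3").write_text("x")
    (base / "Documents" / "mail").mkdir(parents=True)
    (base / "Documents" / "taxes.pst").write_text("x")
    (base / "Documents" / "mail" / "inbox.dbx").write_text("x")
    (base / "photo.jpg").write_text("x")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for label, kwargs in [("recursive share", {}),
                          ("with Documents excluded", {"exclude": ["Documents"]}),
                          ("media only", {"media_only": True})]:
        files, warns = preview_share(base, **kwargs)
        print(f"{label}: {files}")
        for w in warns:
            print("  WARNING", w)
```

Run as a script it prints three previews of the same folder: the plain recursive share exposes `inbox.dbx` and the `.pst` archive and raises a warning for each, excluding `Documents` removes both, and the media-only allowlist removes them without needing an exclusion at all, which is one way to judge the "…effective?" question on the slide.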
Are people still accidentally sharing files?
• A rough & ready experiment by your friendly instructor
– eMule (open source)
– Combines eDonkey and Kad file sharing networks
– Different from FastTrack (Kazaa file sharing)
• eMule stats
– Downloaded by over 85 million people
– 5.3 mil people / 633 mil files on eDonkey
– 1.7 mil people / 300 mil files on Kad
Putting Them Together
• Lessons from Chameleon + Kazaa
– Examples of how to run user studies
• Not the most rigorous studies, but good enough to demonstrate main point
– Examples of mental models (figure: Design Model, User Model, System Image)
Putting Them Together
• Difficulty of building a good UI for privacy and security
– What are better design methods?
– What are better tools?
– What would have helped Chameleon and Kazaa?