Chameleon and Kazaa
Jason I. Hong
January 31, 2006
Usable Privacy and Security

Chameleon Overview
• Motivation
  – Minimize damage done by malware (viruses, worms)
• Insights
  – Access control useful but too hard for typical user
  – Leverage physical metaphor in home (plumber vs accountant)
• Key Ideas
  – Compartmentalize things into a few basic roles
    • Coarse-grained access control
  – Provide a user interface that makes it easy to understand and work with these roles

Stepping Back, Bigger Picture
• Kind of paper:
  – Design proposal introducing new user interface metaphor
  – Several user evaluations of design
• Usable Privacy and Security themes:
  – Make it invisible
  – Make it understandable (better metaphors, visibility)
  – Train the users

Stepping Back, Bigger Picture
• Embodies good usability practices
  – Lo-fi paper prototypes
  – Iterative design (paper, VBasic, interactive version)
  – User studies throughout

[Screenshot slides: Example from iteration 1; Example from iteration 2; Lo-Fi Prototype; Interactive Prototype (Comm. apps., Internet app., Testing app.)]

Roles, A Short Digression
• Role-based access control (RBAC)
  – http://csrc.nist.gov/rbac
  – Roles are created for various job functions in an org
  – Users assigned roles based on their responsibilities
  – Users can be easily reassigned from one role to another
  – Roles can be granted new permissions (or revoked)
• Example roles:
  – Specific tasks: physician, doctor
  – Authority: project manager
  – Specific duties: duty physician, shift manager

Standard Roles in Chameleon
• Five standard roles
  – Vault - Most sensitive data
  – Communications - Email, IM, Web
  – Default - No network restrictions
  – Testing - Untrusted, no net
  – System - Operating system

Standard Set of Roles
• Mixed metaphors, not quite everyday roles:
  – Vault – a device for physically safeguarding important stuff
  – Communications – a collection of unrelated apps for communicating with people
  – Testing – ???
Standard Set of Roles
• Explaining to people what role they are in
  – Window borders subtle and easy to miss
  – Desktop combines multiple roles simultaneously
  – Very hard, could be Achilles’ heel

More Thoughts on Chameleon
• Assumption
  – Malware will happen, minimize the damage
• Secrets and Lies, Bruce Schneier
  – prevention - facilities and systems to prevent people getting in and taking information
  – detection - to find out if anybody has gotten in, and compromised important information or processes
  – reaction - to allow the "bad guys" to be identified and their activity stopped

Questions about Prevention
• What do you do if a role is compromised?
• How does a person know what role an app or file should be installed into?
• Make sense to group “Communications” together?
  – IM, Web browsing, Email
  – Conjecture: People consider endpoint rather than mechanism used
  – Ex. John vs phone or email

More Thoughts on Chameleon
• Testing role
  – Personally, I’d really like this
  – Combine with a virtual machine
  – Temporarily and safely install new app and see what it’s like
  – Have virtual machine tell you if it has spyware or not
  – However, rather than a role, maybe a different metaphor

Even More Thoughts
• Basic ideas quite good:
  – Compartmentalization
  – Different levels of trust
• But some concerns:
  – Too sophisticated for average home PC users?
    • Unclear about who the participants were
  – Too easy to work around the system?
  – Unclear how well Chameleon works
    • p350, People didn’t notice trickery

Some Open Questions
• Is the desktop the right place to do this?
  – People do risky actions in web browsers, email, etc
  – A compromised web browser can be quite dangerous too
• Will changing roles become tedious?
  – User studies described initial reactions
  – Easy to overlook things, requires eternal vigilance?
  – Different roles are also different modes
    • Very easy to make errors
    • Solution 1: Pseudo-modes
    • Solution 2: Modeless (how?)
Some More Open Questions
• Is Chameleon’s basic metaphor right?
  – Mixes application-based metaphor with file-based metaphor with physical-based metaphor (home)
• Alternatives:
  – Multiple desktops?
  – Multiple file systems?

Some More Open Questions
• Good insight: re-thinking application development
  – Operating system - traditional security, but no context
  – Application - security can be part of workflow, but duplicated work, inconsistency
  – Toolkit - provide lots of reusable components, but unclear on useful abstractions
• Idea of a toolkit for building secure apps is a great idea, difficulty is in execution
  – Would it contain new UI widgets?
  – Security primitives?
  – Toolkits tend to be reductionist, but usable privacy and security seems to be holistic

Kazaa File Sharing Study
• Motivation
  – Lots of people use P2P file sharing, but how usable are they?
• Insights
  – Seems like lots of people sharing files accidentally
• What they did
  – Cognitive walkthrough predicting usability problems
  – User study demonstrating usability problems
  – Proposed new design guidelines for P2P systems

Stepping Back, Bigger Picture
• Kind of paper:
  – User evaluations of existing application
  – Generalization of results
  – Paper is all evaluation, so needs more evaluation than Chameleon (which is design, implementation, plus eval)
• Usable Privacy and Security themes:
  – Make it invisible
  – Make it understandable (better metaphors, visibility)
  – Train the users

Kazaa File Sharing Study
• Good and Krekelberg, CHI 2003
• Given arbitrary setup of Kazaa, could people understand what files were downloadable by others?
• Found lots of people sharing inbox.dbx
• Found that some people were downloading a fake inbox.dbx file

Kazaa Cognitive Walkthrough
• Cognitive Walkthrough
  – Simple usability technique, put yourself in shoes of users and try to use the interface from their perspective
• Problem #1: Multiple names for similar things
  – My Shared Folder - a folder + all shared files
  – My Media - all shared files by media type
  – My Kazaa - all shared files by media type
  – Folder for downloaded files - root folder of all shared files

Kazaa Cognitive Walkthrough
• Problem 2: Downloaded files are also shared files
• Problem 3: Kazaa recursively shares folders

Kazaa Cognitive Walkthrough
• Problem 4: Can select a folder, but what files are inside?
  – Error-prone approach. Also risk with recursive folders.

Kazaa Cognitive Walkthrough
• Note: Gives one-time warning if you select an entire hard drive

Kazaa Cognitive Walkthrough
• Problem 5: Inconsistent views
  – Two UIs for doing similar tasks, but show different information about state of system

Kazaa File Sharing Study
• 12 users, 10 had used file sharing before
• Figure out what files are being shared by Kazaa
  – Download files set to C:\
    • (i.e. all files on hard drive C:)
• Results
  – 5 people thought it was “My Shared Folder”
    • which one UI did suggest
  – 2 people used Find Files to find all shared files
    • This UI had no files checked, thus no files shared?
  – 2 people used help, said “My Shared Folder”
  – 1 person couldn’t figure it out at all
  – Only 2 people got it right

Usability Guidelines for P2P
• P2P file sharing is safe and usable if users:
  – Are aware of what files are being offered to others
  – Can determine how to share and stop sharing
  – Do not make dangerous errors leading to unintentional sharing of files
  – Are comfortable with what is being shared and confident the system is working correctly
• Design suggestions:
  – Only allow sharing of multimedia files (…effective?)
  – Better feedforward
  – Allow exceptions to recursively shared folders

Are people still accidentally sharing files?
• A rough & ready experiment by your friendly instructor
  – eMule (open source)
  – Combines eDonkey and Kad file sharing networks
  – Different from FastTrack (Kazaa file sharing)
• eMule stats
  – Downloaded by over 85 million people
  – 5.3 mil people / 633 mil files on eDonkey
  – 1.7 mil people / 300 mil files on Kad

Putting Them Together
• Lessons from Chameleon + Kazaa
  – Examples of how to run user studies
    • Not the most rigorous studies, but good enough to demonstrate main point
  – Examples of mental models
    • Design Model, User Model, System Image

Putting Them Together
• Difficulty of building a good UI for privacy and security
  – What are better design methods?
  – What are better tools?
  – What would have helped Chameleon and Kazaa?
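The cognitive-walkthrough problems (download folder is shared, folders are shared recursively, selecting a folder hides what is inside it) and the guidelines' three design suggestions are easy to state but easier to see in a model. The Python below is an added example written for these notes; it is not Kazaa's code and not from Good and Krekelberg. It models the share semantics as a set computation over a constructed file tree: the default install, the study's setup with the download folder set to C:\, and the same setup with an exception folder and media-only sharing applied. The file paths, the "sensitive" extension list, and the simplified inbox.dbx location are all constructed sample data, and `feedforward()` is a hypothetical helper standing in for what a confirmation dialog would show before a share takes effect.

```python
"""Model of Kazaa-style shared-folder semantics (constructed example, not Kazaa code).

Captures the cognitive-walkthrough findings: the download folder is itself
shared (Problem 2), sharing a folder shares all subfolders (Problem 3), and
picking a folder says nothing about which files sit inside it (Problem 4).
The keyword arguments of shared_files() model the paper's design suggestions.
"""
from pathlib import PureWindowsPath

MEDIA_EXTENSIONS = {".mp3", ".avi", ".mpg", ".jpg", ".wav"}
# File types a feedforward dialog should call out before sharing (constructed list).
SENSITIVE_EXTENSIONS = {".dbx", ".pst", ".xls", ".doc"}

# Constructed sample of one user's disk; forward slashes are accepted by
# PureWindowsPath. The inbox.dbx location is a simplified stand-in, not the
# real Outlook Express store path.
HOME = "C:/Documents and Settings/alice"
SAMPLE_FILES = [
    "C:/My Shared Folder/song.mp3",
    "C:/My Shared Folder/clip.avi",
    HOME + "/Local Settings/Application Data/Identities/Outlook Express/inbox.dbx",
    HOME + "/My Documents/taxes2005.xls",
    HOME + "/My Documents/photos/beach.jpg",
    "C:/WINDOWS/system32/ntoskrnl.exe",
]


def _under(path, folder, recursive):
    """True if `path` lives in `folder` (any depth if recursive, else directly)."""
    return folder in path.parents if recursive else path.parent == folder


def shared_files(files, shared_folders, download_folder, *, recursive=True,
                 exceptions=(), media_only=False):
    """Return the set of files (posix-style strings) other peers can fetch."""
    # Problem 2: the download folder is always one of the shared folders.
    folders = [PureWindowsPath(f) for f in (*shared_folders, download_folder)]
    excluded = [PureWindowsPath(e) for e in exceptions]
    exposed = set()
    for raw in files:
        path = PureWindowsPath(raw)
        # Problem 3: recursive=True shares every subfolder of a shared folder.
        if not any(_under(path, f, recursive) for f in folders):
            continue
        # Design suggestion: carve exceptions out of a recursively shared folder.
        if any(_under(path, e, True) for e in excluded):
            continue
        # Design suggestion: only multimedia files may be shared.
        if media_only and path.suffix.lower() not in MEDIA_EXTENSIONS:
            continue
        exposed.add(path.as_posix())
    return exposed


def feedforward(exposed):
    """What a confirmation dialog should say *before* the share takes effect."""
    def suffix(p):
        return PureWindowsPath(p).suffix.lower()
    return {
        "total": len(exposed),
        "non_media": sum(1 for p in exposed if suffix(p) not in MEDIA_EXTENSIONS),
        "sensitive": sorted(p for p in exposed if suffix(p) in SENSITIVE_EXTENSIONS),
    }


def scenario_default():
    """Default install: download folder is My Shared Folder, nothing else shared."""
    return shared_files(SAMPLE_FILES, ["C:/My Shared Folder"], "C:/My Shared Folder")


def scenario_root_download():
    """The study's setup: download folder set to C:\\, so the whole drive is shared."""
    return shared_files(SAMPLE_FILES, ["C:/My Shared Folder"], "C:/")


def scenario_with_guidelines():
    """Same setup with an exception folder and media-only sharing applied."""
    return shared_files(SAMPLE_FILES, ["C:/My Shared Folder"], "C:/",
                        exceptions=[HOME + "/Local Settings"], media_only=True)


if __name__ == "__main__":
    for name, fn in [("default", scenario_default),
                     ("download folder = C:\\", scenario_root_download),
                     ("C:\\ with guidelines", scenario_with_guidelines)]:
        exposed = fn()
        print(f"{name}: {len(exposed)} file(s) shared")
        for p in sorted(exposed):
            print("   ", p)
        print("    feedforward:", feedforward(exposed))
```

Running it shows the three states side by side: the default shares only the two media files; pointing the download folder at C:\ shares all six, including inbox.dbx and the spreadsheet, which is exactly what a feedforward summary would have flagged before the click; and applying the two suggested mitigations removes the mailbox and the spreadsheet but still shares the photo under My Documents, which is the "effective?" question on the guidelines slide.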