Friday, July 17, 2009

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." -- Albert Einstein

-- Richard Power

The success of the fifth annual Symposium on Usable Privacy and Security (SOUPS) -- more papers submitted than ever before, more papers accepted than ever before, more attendees registered than ever before -- is an affirmation of the usability concept and its vital role in the development of security and privacy strategies.

On the third and final day of SOUPS 2009, Lorrie Cranor, the driving force behind both SOUPS and the CUPS lab from which it poured, was unable to attend the morning session; she was across town, keynoting on "Teaching Johnny Not to Fall for Phish" at the Sixth Conference on Email and Anti-Spam.

The research of Cranor and her CUPS colleagues demonstrates that user education can indeed play a critical role in the fight against phishing and related attacks, IF the tools utilized are engaging, enlightening and designed to exploit the "teachable moment." That research has also led to the formation of Wombat Security Technologies.

In the technical paper session on Passwords and Authentication, Alexander De Luca of the Media Informatics Group at the University of Munich presented Look into my Eyes! Can you guess my Password?, co-authored with his University of Munich colleagues Martin Denzel and Heinrich Hussmann.

In the same session, Stuart Schechter of Microsoft presented 1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication, co-authored with his Microsoft colleague, Robert Reeder.

The work of De Luca, Denzel and Hussmann explored the potential of having users authenticate themselves, particularly at terminals in public places, by drawing shapes with their eyes rather than typing a password that a bystander could observe.

The work of Schechter and Reeder explored the issues involved in user-chosen challenge questions (e.g., the kind you answer when you have lost your password or user ID for Hotmail or Gmail), and showed that somewhat better results were achieved if the user had to take an exam and get a passing grade.

These and other presentations I attended were fascinating.

Our problem is, however, that the challenge in cyber security and privacy is not one of cleverness, but one of consciousness.

We are still between worlds, really.

The Information Age that Alvin Toffler heralded as the "Third Wave" has already broken over our heads; it has already swept us away. But, in many ways, our minds are still on the shore, or reaching back toward the shore, wanting somehow, impossibly, to take it with us.

In the 1990s, the news was that the perimeter between the internal network and the Internet no longer existed. Here and now, at the end of the first decade of the 21st Century, the news is that the perimeter between the mind and the World Wide Web is gone.

The implications are profound.

Some months ago, at dinner with a colleague involved in the US intelligence community's own attempt to comprehend this Brave New World, we discussed these issues at great depth, and both came to the same conclusion: most of the human race will not recognize the world in which they live and work even as soon as ten years from now.

Most of what we are trying to accomplish in cyber security and privacy is based on a paradigm that has been eclipsed; no, not an IT-related paradigm, but an old paradigm of the human psyche and its relationships to both the natural world and the digital world, and the interpenetration of all three.

There is something profoundly new coming in the realm of cyber security and privacy.

You and I will recognize it when we see it, because not only will we not have seen it before, but it will change the way we perceive problems and approach solutions.

It may well come from such academic research. That is why participating in conferences such as SOUPS is of great importance.

But it will not reflect superior cleverness, it will signal a shift in consciousness.

Of course, meanwhile, we must rely on superior cleverness, and that too is a reason to participate in SOUPS and conferences like it.

For more commentary on SOUPS 2009, go to the CUPS Blog.

Speaking of which, I will be blogging from Black Hat later this month and from the USENIX Security Symposium in August. Stay tuned.

Summary of SOUPS 2009 Posts:

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

SOUPS 2009 Mental Models Session: Study Demonstrates that Pursuit of Seamless Security can Lead to New Dangers, Particularly for Mobile Users

SOUPS 2009 Best Paper Award Goes to "Ubiquitous Systems and the Family: Thoughts about the Networked Home"

SOUPS 2009 Tutorial Explores Challenges of Evaluating Usable Security and Privacy Technology

CUPS Related Posts:

CyLab Seminar Series Notes: User-Controllable Security and Privacy -- Norman Sadeh asks, "Are Expectations Realistic?"

CyLab Research Update: Locaccino Enables the Watched to Watch the Watchers

CyLab Chronicles: Wombat, the Latest CyLab Success Story

CyLab Chronicles: Q&A w/ Norman Sadeh

CyLab Chronicles: Q&A w/ Lorrie Cranor

Culture of Security: CUPS Research Takes on Both Widespread Attack Method & Dangerous Meme (Available to CyLab Partners Only)