Date | Topics | Assignment (to be done before coming to class)
Monday, January 11 |
01. Course overview and introductions (Lujo and Nicolas) [SLIDES]
|
No readings for this class.
|
Wednesday, January 13 |
02. Introduction to security; usable encryption (Lujo)
[SLIDES]
|
Optional reading:
- Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, and Uwe Sander. Helping Johnny 2.0 to Encrypt His Facebook Conversations. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
- [HCI] Shirley Gaw, Edward W. Felten, and Patricia Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06)
- Sumeet Gujrati and Eugene Y. Vasserman. The usability of Truecrypt, or how I learned to stop whining and fix an interface. In Proceedings of the third ACM Conference on Data and Application Security and Privacy, 2013. (CODASPY '13)
- [HCI] Scott Ruoti, Nathan Kim, Ben Burgon, Timothy van der Horst, Kent Seamons. Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
- [Security] Mark D. Ryan. Enhanced certificate transparency and end-to-end encrypted mail. In Proceedings of the 21st Annual Network & Distributed System Security Symposium, 2014. (NDSS '14)
|
Monday, January 18 |
No class due to Martin Luther King, Jr. Day
|
No readings for this class.
|
Wednesday, January 20 |
03. Reasoning about the human in the loop (Nicolas)
[SLIDES | Privacy Illustrated]
|
Optional reading:
- Anne Adams and Martina Angela Sasse. Users Are Not The Enemy. In Communications of the ACM, Volume 42, Issue 12, pp. 40-46, December 1999.
- L. Jean Camp. Reconceptualizing the Role of Security User. In Daedalus, Volume 140, Number 4, pp. 93-107, Fall 2011.
- W. Keith Edwards, Erika Shehan Poole, and Jennifer Stoll. Security Automation Considered Harmful? In Proceedings of the 2007 New Security Paradigms Workshop, 2007. (NSPW '07)
- Steven Furnell. Making security usable: Are things improving? In Computers & Security, Volume 26, Issue 6, pg. 434-443, September 2007.
- M.E. Kabay. Using Social Psychology to Implement Security Policies. In Computer Security Handbook, 4th edition, 2002.
- Butler Lampson. Usable Security: How to Get It. In Communications of the ACM, Volume 52, Issue 11, pp. 25-27, November 2009.
|
Monday, January 25 |
04. Introduction to privacy; the difficulty of measuring privacy (Nicolas)
[SLIDES]
Homework 1 due
|
Optional reading:
- Alex Braunstein, Laura Granka, and Jessica Staddon. Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
- Lorrie Faith Cranor, Adam L. Durity, Abigail Marsh, and Blase Ur. Parents' and Teens' Perspectives on Privacy In a Technology-Filled World. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
- Alexei Czeskis, Ivayla Dermendjieva, Hussein Yapit, Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno. Parenting from the Pocket: Value Tensions and Technical Directions for Secure and Private Parent-Teen Mobile Safety. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
- Giovanni Iachello and Jason Hong. End-User Privacy in Human-Computer Interaction. In Foundations and Trends in HCI, Volume 1, Number 1, pp. 1-137, 2007.
- Scott Lederer, Jason I. Hong, Anind K. Dey, James A. Landay. Personal Privacy through Understanding and Action: Five Pitfalls for Designers. Carnegie Mellon University Technical Report. Human-Computer Interaction Institute. Paper 78. 2004.
|
Wednesday, January 27 |
05. Introduction to experimental design: overview of methods, ethics/deception, and ecological validity (Nicolas)
[SLIDES]
|
Optional reading:
|
Monday, February 1 |
06. Introduction to crowdsourced studies (Nicolas)
[SLIDES]
Homework 2 due
Discuss course projects in class
|
- [Required for 9-unit and 12-unit students] Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
- [Required for 9-unit and 12-unit students] Manya Sleeper, Justin Cranshaw, Patrick Gage Kelley, Blase Ur, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. "I read my Twitter the next morning and was astonished": A Conversational Perspective on Twitter Regrets. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
- [Required only for 12-unit students] Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. Privacy Attitudes of Mechanical Turk Workers and the U.S. Public. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
Optional reading:
- Michael Buhrmester, Tracy Kwang, and Samuel D. Gosling. Amazon's Mechanical Turk: A New Source of Inexpensive, Yet High-Quality, Data? In Perspectives on Psychological Science, Volume 6, Number 1, pp. 3-5, 2011.
- Panagiotis G. Ipeirotis. Demographics of Mechanical Turk. New York University Technical Report, 2010.
- Panagiotis G. Ipeirotis, Foster Provost, and Jing Wang. Quality Management on Amazon Mechanical Turk. In Proceedings of the ACM SIGKDD Workshop on Human Computation, 2010. (HCOMP '10)
- Patrick Gage Kelley. Conducting usable privacy and security studies with Amazon's Mechanical Turk. In Proceedings of the Usable Security Experiment Reports Workshop, 2010. (USER '10)
- Aniket Kittur, Ed H. Chi, and Bongwon Suh. Crowdsourcing User Studies With Mechanical Turk. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08)
|
Wednesday, February 3 |
07. Qualitative studies: surveys, interviews, focus groups, and diary studies (Guest lecture by Manya Sleeper)
[SLIDES]
|
Optional reading:
|
Monday, February 8 |
08. Usable privacy and security in the home; analyzing qualitative data (Guest lecture by Blase Ur)
[SLIDES]
|
Optional reading:
- [HCI] A.J. Brush, Jaeyeon Jung, Ratul Mahajan, and Frank Martinez. Digital Neighborhood Watch: Investigating the Sharing of Camera Data Amongst Neighbors. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
- Eun Kyoung Choe, Sunny Consolvo, Jaeyeon Jung, Beverly Harrison, Julie Kientz, and Shwetak Patel. Investigating Receptiveness to Sensing and Inference in the Home Using Sensor Proxies. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing, 2012. (UbiComp '12)
- [Security] Tamara Denning, Tadayoshi Kohno, and Henry M. Levy. Computer Security in the Modern Home. In Communications of the ACM, Volume 56, Issue 1, pp. 94-103, January 2013.
- Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker. Challenges in Access Right Assignment for Secure Home Networks. In Proceedings of the 5th USENIX Workshop on Hot Topics in Security. (HotSec '10)
- Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10)
- Stuart Schechter. The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button! In Proceedings of the Workshop on Home Usable Privacy and Security, 2013. (HUPS '13)
|
Wednesday, February 10 |
09. Practicalities of research: IRBs and teamwork (Abby) [SLIDES]
Homework 3 due
Project preference forms also due
|
No readings for this class.
|
Monday, February 15 |
10. Quantitative data collection; field studies; hypothesis testing; simulating attack scenarios (Lujo)
[SLIDES]
Homework 4 due
Project teams assigned (no written assignment)
|
Optional reading:
- Lazar et al. Research Methods in Human-Computer Interaction. Chapter 12: Automated Data Collection Methods
- Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13)
- Alexander De Luca, Marc Langheinrich, and Heinrich Hussmann. Towards Understanding ATM Security - A Field Study of Real World ATM Use. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
- Dinei Florêncio and Cormac Herley. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th international conference on World Wide Web, 2007. (WWW '07)
- Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A Field Trial of Privacy Nudges for Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
|
Wednesday, February 17 |
11. Security warnings (Lujo)
[SLIDES]
Project proposal due
|
Optional reading:
- Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri. Bridging the gap in computer security warnings: A mental model approach. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 18-26, March 2011.
- Cristian Bravo-Lillo, Lorrie Faith Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
- Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Operating system framed in case of mistaken identity. In Proceedings of the 2012 ACM SIGSAC conference on Computer & Communications Security, 2012. (CCS '12)
- [HCI] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08)
- David Modic and Ross J. Anderson. Reading this May Harm Your Computer: The Psychology of Malware Warnings. Available online on SSRN, 2014.
- [HCI] Na Wang, Jens Grossklags, and Heng Xu. An Online Experiment of Privacy Authorization Dialogues for Social Applications. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
|
Monday, February 22 |
12. Analyzing quantitative data with statistics (Nicolas)
[SLIDES]
Homework 5 due
|
Optional reading:
|
Wednesday, February 24 |
13. Text passwords; graphical passwords (Nicolas)
[SLIDES]
|
- [Required for 9-unit and 12-unit students] Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
Optional reading:
- Robert Biddle, Sonia Chiasson, and P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. In ACM Computing Surveys, Volume 44, Issue 4, August 2012.
- [Security] Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12)
- Joseph Bonneau and Stuart Schechter. Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
- Sonia Chiasson, Alain Forget, Elizabeth Stobert, P.C. van Oorschot, and Robert Biddle. Multiple password interference in text and click-based graphical passwords. In Proceedings of the 2009 ACM SIGSAC conference on Computer & Communications Security, 2009. (CCS '09)
- [Security] Darren Davis, Fabian Monrose, and Michael K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
- Eiji Hayashi, Jason Hong, and Nicolas Christin. Security through a different kind of obscurity: Evaluating Distortion in Graphical Authentication Schemes. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
- [Security] Ari Juels and Ronald L. Rivest. Honeywords: Making Password-Cracking Detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
- Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
- [HCI] Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
- Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, and Paul C. van Oorschot. Tapas: Design, Implementation, and Usability Evaluation of a Password Manager. In Proceedings of the 28th Annual Computer Security Applications Conference, 2012. (ACSAC '12)
- [HCI] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber. Exploring the Design Space of Graphical Passwords on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
- [Security] David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. Password Managers: Attacks and Defenses. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
- [HCI] Elizabeth Stobert and Robert Biddle. The Password Life Cycle: User Behaviour in Managing Passwords. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
- Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
- Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)
|
Monday, February 29 |
14. Authentication in practice: challenge questions, two-factor auth, and biometrics (Lujo)
[SLIDES]
Homework 6 due
IRB applications must be submitted to the IRB no later than this date
|
Optional reading:
- Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15)
- [Application] Eric Grosse and Mayank Upadhyay. Authentication at Scale. In IEEE Security & Privacy magazine, Volume 11, Issue 1, pp. 15-22, January-February 2013.
- Eiji Hayashi, Sauvik Das, Shahriyar Amini, Jason Hong, Ian Oakley. CASA: Context-Aware Scalable Authentication. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
- Anil K. Jain, Arun Ross, and Salil Prabhakar. An introduction to biometric recognition. In IEEE Transactions on Circuits and Systems for Video Technology, Volume 14, Issue 1, pp. 4-20, 2004.
- [HCI] Mike Just and David Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09)
- Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and M. Angela Sasse. "They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15)
- [Security] Tey Chee Meng, Payas Gupta, and Debin Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13)
- Saurabh Panjwani and Edward Cutrell. Usably Secure, Low-Cost Authentication for Mobile Banking. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
- Robert W. Reeder and Stuart Schechter. When the Password Doesn't Work: Secondary Authentication for Websites. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 43-49, March 2011.
- Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's not what you know, but who you know: A social approach to last-resort authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2009. (CHI '09)
|
Wednesday, March 2 |
15. In-class midterm exam 1
|
No readings for this class.
|
Monday, March 7 |
No class due to spring break
|
No readings for this class.
|
Wednesday, March 9 |
No class due to spring break
|
No readings for this class.
|
Monday, March 14 |
16. SSL, PKIs, and secure communication (Nicolas)
[SLIDES]
|
Optional reading:
- Devdatta Akhawe, Bernhard Amann, Matthias Vallentin, and Robin Sommer. Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web. In Proceedings of the 22nd international conference on World Wide Web, 2013. (WWW '13)
- [Economics] Hadi Asghari, Michel J.G. van Eeten, Axel M. Arnbak, and Nico A.N.M. van Eijk. Security Economics in the HTTPS Value Chain. In Workshop on the Economics of Information Security, 2013. (WEIS '13).
- [Security] Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13)
- [Security] Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. The Matter of Heartbleed. In Proceedings of the 14th ACM Internet Measurement Conference, 2014. (IMC '14)
- Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. Rethinking SSL Development in an Appified World. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
- Simson L. Garfinkel and Robert C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05). Also go through the Johnny 2 Construction Kit for Testing Email Security from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection.
- Michael Kranch and Joseph Bonneau. Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning. In Proceedings of The 2015 Network and Distributed System Security Symposium, 2015. (NDSS '15)
- Christopher Soghoian and Sid Stamm. Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. In Proceedings of the 15th international conference on Financial Cryptography and Data Security, 2011. (FC '11)
- [HCI] Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov. On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
- Pawel Szalachowski, Stephanos Matsumoto, and Adrian Perrig. PoliCert: Secure and Flexible TLS Certificate Management. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
|
Wednesday, March 16 |
17. Usability of privacy policies and the dimensions of privacy notice (Lujo)
[SLIDES]
|
Optional reading:
- [HCI] Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor. Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories. Carnegie Mellon University Technical Report CMU-CyLab-13-011, 2013.
- Travis D. Breaux and Florian Schaub. Scaling Requirements Extraction to the Crowd: Experiments with Privacy Policies. In 22nd IEEE International Requirements Engineering Conference, 2014. (RE '14)
- Lorrie Faith Cranor, Praveen Guduru, and Manjula Arjula. User interfaces for privacy agents. In ACM Transactions on Computer-Human Interaction (TOCHI), Volume 13, Issue 2, pp. 135-178, June 2006.
- Pedro G. Leon, Justin Cranshaw, Lorrie Faith Cranor, Jim Graves, Manoj Hastak, Blase Ur, and Guzi Xu. What Do Online Behavioral Advertising Disclosures Communicate to Users? In Proceedings of the 11th annual ACM Workshop on Privacy in the Electronic Society, 2012. (WPES '12)
- [HCI] Aleecia McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. A Comparative Study of Online Privacy Policies and Formats. In Proceedings of the 9th International Symposium on Privacy Enhancing Technologies, 2009. (PETS '09)
- Joel R. Reidenberg, Travis D. Breaux, Lorrie Faith Cranor, Brian French, Amanda Grannis, James T. Graves, Fei Liu, Aleecia M. McDonald, Thomas B. Norton, Rohan Ramanath, N. Cameron Russell, Norman Sadeh, Florian Schaub. Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding. In Berkeley Technology Law Journal, vol. 30, 2015 (forthcoming).
|
Monday, March 21 |
18. Progress report presentations
Project progress report due
|
|
Wednesday, March 23 |
19. Designing a usable, short-form privacy notice (Blase Ur)
[SLIDES]
Homework 7 due
|
|
Monday, March 28 |
20. Privacy and security for mobile and ubicomp devices (Lujo)
[SLIDES]
|
- [Required for 9-unit and 12-unit students] Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
- [Required for 9-unit and 12-unit students] Jason Hong. Considering privacy issues in the context of Google Glass. In Communications of the ACM, Volume 56, Issue 11, pp. 10-11, November 2013.
Optional reading:
- [HCI] Rebecca Balebako, Jaeyeon Jung, Wei Lu, Lorrie Cranor, and Carolyn Nguyen. "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
- Serge Egelman, Sakshi Jain, Rebecca S. Portnoff, Kerwell Liao, Sunny Consolvo, and David Wagner. Are You Ready to Lock? Understanding User Motivations for Smartphone Locking Behaviors. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
- [HCI] Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
- [Security] Benjamin Livshits and Jaeyeon Jung. Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13)
- [Security] Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, and Angelos D. Keromytis. Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
- [Security] Shashi Shekhar, Michael Dietz, and Dan S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)
|
Wednesday, March 30 |
21. Making privacy and anonymity tools usable (Nicolas)
[SLIDES]
Homework 8 due
|
Optional reading:
- [Security] Simurgh Aryan, Homa Aryan, and J. Alex Halderman. Internet Censorship in Iran: A First Look. In Proceedings of the 3rd USENIX Workshop on Free and Open Communications on the Internet, 2013. (FOCI '13)
- [Security] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
- [Security] Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
- [Security] Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. A Critical Evaluation of Website Fingerprinting Attacks. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
- [Security] Prateek Mittal, Matthew Wright, and Nikita Borisov. Pisces: Anonymous Communication Using Social Networks. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13)
- [Security] Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. Effective Attacks and Provable Defenses for Website Fingerprinting. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
- [Security] Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman. Telex: Anticensorship in the Network Infrastructure. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11)
|
Monday, April 4 |
22. Designing privacy tools for web browsing (Nicolas)
[SLIDES]
|
Optional reading:
- [Security] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
- Gaurav Aggarwal, Elie Bursztein, Collin Jackson, and Dan Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium, 2010. (USENIX '10)
- Rachna Dhamija and J.D. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05)
- Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking: Policy and Technology. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13)
- Franziska Roesner, Christopher Rovillos, Tadayoshi Kohno, and David Wetherall. ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets. In USENIX ;login: magazine, Volume 37, Number 4, August 2012.
- Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
|
Wednesday, April 6 |
23. Social networks and privacy (Guest lecture by Manya Sleeper)
[SLIDES]
Homework 9 due
|
- [Required for 9-unit and 12-unit students] Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and Privacy: It's Complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
Optional reading:
- Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur. The Post Anachronism: The Temporal Dimension of Facebook Privacy. In Proceedings of the 12th annual ACM Workshop on Privacy in the Electronic Society, 2013. (WPES '13)
- Michael S. Bernstein, Eytan Bakshy, Moira Burke, and Brian Karrer. Quantifying the Invisible Audience in Social Networks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
- Sanjay Kairam, Michael J. Brzozowski, David Huffaker, and Ed H. Chi. Talking in Circles: Selective Sharing in Google+. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12)
- Huina Mao, Xin Shuai, and Apu Kapadia. Loose Tweets: An Analysis of Privacy Leaks on Twitter. In Proceedings of the 10th annual ACM Workshop on Privacy in the Electronic Society, 2011. (WPES '11)
- Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
- Fred Stutzman, Ralph Gross, and Alessandro Acquisti. Silent Listeners: The Evolution of Privacy and Disclosure on Facebook. In Journal of Privacy and Confidentiality, Volume 4, Number 2, pp. 7-41, 2012.
- Yang Wang, Saranga Komanduri, Pedro Giovanni Leon, Gregory Norcie, Alessandro Acquisti, and Lorrie Faith Cranor. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
- Jason Watson, Andrew Besmer, Heather Richter Lipford. +Your Circles: Sharing Behavior on Google+. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
|
Monday, April 11 |
24. User education/training; anti-phishing (Lujo)
[SLIDES]
|
- [Required for 9-unit and 12-unit students] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06)
Optional reading:
- Alessandro Acquisti and Jens Grossklags. Privacy and rationality in individual decision making. In IEEE Security and Privacy magazine, Volume 3, Issue 1, pp. 26-33, January 2005.
- Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
- Serge Egelman, David Molnar, Nicolas Christin, Alessandro Acquisti, Cormac Herley, and Shriram Krishnamurthi. Please Continue to Hold: An empirical study on user tolerance of security delays. In Workshop on the Economics of Information Security, 2010. (WEIS '10).
- Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
- Cormac Herley. Why do Nigerian Scammers say they are from Nigeria? In Workshop on the Economics of Information Security, 2012. (WEIS '12).
- Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teaching Johnny Not to Fall for Phish. In ACM Transactions on Internet Technology (TOIT), Volume 10, Issue 2, May 2010.
- Fanny Lalonde Lévesque, Jude Nsiempba, José M. Fernandez, Sonia Chiasson, Anil Somayaji. A Clinical Study of Risk Factors Related to Malware Infections. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
- Sören Preibusch, Kat Krol, and Alastair R. Beresford. The Privacy Economics of Voluntary Over-disclosure in Web Forms. In Workshop on the Economics of Information Security, 2012. (WEIS '12).
|
Wednesday, April 13 |
25. Behavioral Economics; Prospect Theory (Nicolas)
[SLIDES]
|
Optional reading:
|
Monday, April 18 |
26. In-class midterm exam 2
|
No readings for this class.
|
Wednesday, April 20 |
27. Access control and policy configuration (Lujo)
[SLIDES]
Homework 10 due
|
Optional reading:
- Serge Egelman, Andrew Oates, and Shriram Krishnamurthi. Oops, I Did It Again: Mitigating Repeated Access Control Errors on Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
- Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov. To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
- Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12)
- Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
- [Security] Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and Crispin Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12)
- Diana Smetters and Nathan Good. How Users Use Access Control. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09)
- Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, 2012. (LASER '12)
|
Monday, April 25 |
28. Mental models and folk models of security; non-US perspectives in research; the usability of software updates (Nicolas)
[SLIDES]
|
Optional reading:
|
Wednesday, April 27 |
29. Usable privacy and security in safety-critical devices (Lujo)
[SLIDES]
|
Optional reading:
- [Security] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11)
- [Security] Shane S. Clark, Benjamin Ransford, and Kevin Fu. Potentia est Scientia: Security and Privacy Implications of Energy-Proportional Computing. In Proceedings of the 7th USENIX conference on Hot Topics in Security, 2012. (HotSec '12)
- [Security] Tamara Denning, Kevin Fu, and Tadayoshi Kohno. Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. In Proceedings of the 3rd USENIX conference on Hot Topics in Security, 2008. (HotSec '08)
- Kevin Fu and James Blum. Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software. In Communications of the ACM, Volume 56, Issue 10, pp. 21-23, October 2013.
- [Economics] Martin S. Gaynor, Muhammad Zia Hydari, and Rahul Telang. Is Patient Data Better Protected in Competitive Healthcare Markets? In Workshop on the Economics of Information Security, 2012. (WEIS '12).
- [Security] Masoud Rostami, Ari Juels, and Farinaz Koushanfar. Heart-to-Heart (H2H): Authentication for Implanted Medical Devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
|
May 6, 2016 (Final exam period) |
FINAL PROJECT PRESENTATIONS in Baker Hall A53, at 8:30am
Your final papers are also due at the beginning of this timeslot, to be emailed to both professors and the TA.
|