The following is a preliminary program, subject to change.
Buses will depart at 5:15 pm for our dinner cruise, which leaves
from the Kirkland City Dock at 6 pm. Tickets
(included in registration) are required for the cruise. The cruise
will return to the dock by 9 pm and buses will return to
the conference hotel and the Microsoft Commons. We will be cruising
the waterways of Lake Washington and Lake Union. Guests will enjoy
the beautiful scenery, views of Mt. Rainier, the University of
Washington Husky Stadium, and homes of Seattle's rich and
famous. You will also see the historic houseboat community including
the "Sleepless in Seattle" houseboat, and the view of downtown Seattle.
The SOUPS ice cream social will be held at Microsoft Research
(building 99). From 3:30 to 4:45 laboratory tours will leave every 15
minutes from the building 99 atrium. Tours will last about 15 minutes.
The Microsoft laboratory tour will be conducted by Stuart Schechter and Jess Holbrook. Stuart is a Researcher at MSR and SOUPS program co-chair. Jess is a UX Research Lead on the Windows team who serves on the Trust User eXperience (TUX) advisory board. We will tour a laboratory in building 99, the heart of Microsoft Research Redmond. Topics to be discussed will include:
INVITED TALK
Adam Shostack, Microsoft - Engineers are People Too
[slides]
In "Engineers Are People, Too" Adam Shostack will address an often
invisible link in the chain between research on usable security and
privacy and delivering that usability: the engineer. All too often,
engineers are assumed to have infinite time and skills for usability
testing and iteration. They have time to read papers, adapt research
ideas to the specifics of their product, and still ship cool new
features. This talk will bring together lessons from enabling
Microsoft's thousands of engineers to threat model effectively,
share some new approaches to engineering security usability, and
propose new directions for research.
Adam Shostack is a program manager in Microsoft's Trustworthy
Computing Initiative, where he's focused on security and usability.
He's a veteran of several successful startups, a co-founder of the CVE
(Common Vulnerabilities and Exposures project), and co-author of the
acclaimed New School of Information Security.
PANEL
New Research Tools: Crowdsourcing and Cloud Computing
Researchers can now "outsource" work or service infrastructure to
Internet-based services, such as Amazon Mechanical Turk, Amazon EC2,
or CrowdFlower. What benefits can these services offer to
researchers? When are these services appropriate or inappropriate?
This panel will discuss best practices for deriving useful results
from these services. Also, it will debate the implications of
allowing research data - particularly human subjects' data - to reside
in the cloud.
Panelists
Sharon Chiarella
Vice President, Mechanical Turk
Sharon Chiarella joined Amazon in December 2007 as Vice President of
Amazon Mechanical Turk, an online marketplace for outsourcing work.
Sharon has over 20 years of experience developing and managing
innovative high-technology products and businesses with over 15 years
focused on Internet technologies and connected devices. Prior to
joining Amazon, Sharon was Vice President of Product Management and
Business Development at Presto Services, a Kleiner Perkins funded
startup. Sharon has held leadership positions at Yahoo!, Microsoft
and Kodak. She developed the business plan, prototypes and early
partnerships for Yahoo!’s connected device business; ran Microsoft's
WebTV and MSN dial-up businesses; led Product Management for
Microsoft's first DVR product (UltimateTV) and created the business
plan, developed and launched Kodak's online photo business. Sharon
earned her bachelor's degree in computer science from Manhattan
College and her MBA from Harvard Business School.
Lukas Biewald
Founder and CEO of CrowdFlower
Founded in 2007, CrowdFlower provides Labor-on-Demand to help
companies outsource high-volume, repetitive tasks to a
massively-distributed global workforce. Before founding CrowdFlower,
Lukas was a senior scientist and manager within the Ranking and
Management Team at Powerset, Inc., acquired by Microsoft in 2008. He
led the Search Relevance Team for Yahoo! Japan after graduating from
Stanford University with a B.S. in Mathematics and an M.S. in Computer
Science. Recently, Lukas won the Netexplorateur Award for GiveWork - a
collaboration with Samasource that brings digital work to refugees
worldwide. Lukas is also an expert level Go player.
Dave Dittrich
Senior Security Engineer and Researcher, University of Washington
Dave Dittrich is a security researcher at the Applied Physics
Laboratory at the University of Washington. Dave has a long history of
dealing with computer intrusions and security operations and has
expertise in computer forensics, botnets and the
ethical/legal/technical issues associated with responding to computer
attacks. Dave also sits on the UW's Institutional Review Board
Committee K (combined behavioral and biomedical research) and has
written several documents that deal with ethics in computer security
research. (See http://staff.washington.edu/dittrich/)
Lee Tien
Senior Staff Attorney, Electronic Frontier Foundation
Lee Tien is a senior staff attorney with the Electronic Frontier
Foundation specializing in free speech, privacy and security issues.
As part of his practice, he represents security researchers and works
on legal/ethical policy relating to cybersecurity research.
Patrick Gage Kelley
Ph.D. Student, Carnegie Mellon University
Patrick Kelley is a Computation, Organizations and Society Ph.D. student in the CyLab Usable Privacy and Security (CUPS) Lab at Carnegie Mellon University. His work centers around designing interfaces to help users control and understand privacy policies and settings. His research towards "Designing a Privacy Label" has been selected as one of the top three pieces in the ACM Grand Finals for 2010.
POSTERS
Poster: Assessing the Usability of the new Radio Clip-based Human Interaction Proofs
Jonathan Lazar, Heidi Feng, Olusegun Adelegan, Anna Giller, Andrew Hardsock, Ron Horney, Ryan Jacob, Edward Kosiba, Gergory Martin, Monica Misterka, Ashley O'Connor, Andrew Prack, Roland Roberts, Gabe Piunti and Robert Schober
Poster: Social Sharing of Security Expertise
Puneet Kaur, Olli Immonen, Alexey Kirichenko and Kristiina Karvonen
Poster: OpenID-email Enabled Browser
San-Tsai Sun, Kirstie Hawkey and Konstantin Beznosov
Poster: Expectations, Perceptions, and Misconceptions of Personal Firewalls
Fahimeh Raja, Kirstie Hawkey, Pooya Jaferian, Konstantin Beznosov and Kellogg Booth
Poster: User preferences for biometric authentication methods and graded security on mobile phones
Hanul Sieger, Niklas Kirschnick and Sebastian Moller
Poster: Community-Based Security and Privacy Protection During Web Browsing
Max-Emanuel Maurer
Poster: An Improved Approach to Gesture-Based Authentication for Mobile Devices
Niklas Kirschnick, Sven Kratz and Sebastian Moller
Poster: Privacy Attitudes of Facebook Users
Gregory Norcie
Poster: MVP: A web-based framework for user studies in authentication
Sonia Chiasson, Chris Deschamps, Max Hlywa, Gerry Chan and Robert Biddle
Poster: Online Privacy Perception in Central Asia
Colin Birge, Cynthia Putnam and Beth Kolko
Poster: Trustworthiness and the Perception of Security
Max Shoka, Tim McKay and Valerie M. Sue
Poster: Security Through Entertainment: Using a Memory Game for Secure Device Pairing
Alexander Gallego, Nitesh Saxena and Jonathan Voris
Poster: Validating and Extending a Study on the Effectiveness of SSL Warnings
Andreas Sotirakopoulos, Kirstie Hawkey and Konstantin Beznosov
Poster: What is still wrong with security warnings: a mental models approach
Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs and Saranga Komanduri
Poster: Universally Usable Privacy in Write-In Voting
Shanee Dawkins, Lauren Hamilton, Tony Sullivan and Juan Gilbert
Poster: Exploring Reactive Access Control
Michelle Mazurek, Peter Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer and Lorrie Cranor
Poster: Draw a line on your PDA to authenticate
Xiyang Liu, Zhongjie Ren, Xiuling Chang, Haichang Gao and Uwe Aickelin
Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences
Poster: Access Control for Home Data Sharing: Attitudes, Needs and Practices
Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger and Michael K. Reiter
Poster: Shoulder-Surfing Resistance with Eye-Gaze Entry in Click-Based Graphical Passwords
Alain Forget, Sonia Chiasson and Robert Biddle
Poster: A Practical Attack to De-Anonymize Social Network Users
Gilbert Wondracek, Thorsten Holz, Engin Kirda and Christopher Kruegel
Poster: Visual vs. compact: a comparison of privacy policy interfaces
Heather Lipford, Jason Watson, Michael Whitney, Katherine Froiland and Robert Reeder
Poster: ColorPIN - Securing PIN entry through indirect input
Alexander De Luca, Katja Hertzschuch and Heinrich Hussmann
Poster: The True Cost of Unusable Password Policies: Password Use in the Wild
Philip George Inglesant and Martina Angela Sasse
Poster: Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions
Steve Sheng, Mandy Holbrook, Ponnurangam Kumaraguru, Lorrie Cranor and Julie Downs
Poster: Improving Phishing Countermeasures: An Analysis of Expert Interviews
Steve Sheng, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor and Jason Hong
Poster: Soramame: what you see is what you control access control user interface
Nachi Ueno, Ryota Hashimoto, Michio Shimomura and Kenji Takahashi
Poster: Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach
Patrick Gage Kelley, Lucian Cesca, Joanna Bresee and Lorrie Faith Cranor
Poster: Modeling PLA Variation of Privacy-Enhancing Personalized Systems
Scott Hendrickson, Yang Wang, Andre van der Hoek, Richard Taylor and Alfred Kobsa
DISCUSSION SESSIONS
Privacy, Security, and Public Policy
Discussion leader: Janice Tsai, California Council on Science and Technology, CA Senate
The last year has been a time of significant focus on privacy. Congress has had several hearings regarding online privacy, and the FTC has become involved in issues related to online privacy, behavioral advertising, and privacy and security in cloud computing. How effective has this attention been? What kinds of issues are being discussed and what issues are actually being acted upon? This breakout session will discuss privacy and security as public policy issues and how and what should be passed into law.
IRB and HCI-Sec Research
Discussion leader: Simson Garfinkel, Naval Postgraduate School
Increasingly, security research at universities in the US and abroad is focusing on the importance of the user - and usability research, especially field research, invariably requires the involvement of human beings. In the US such research is governed by the Common Rule (45 CFR 46) and enforced by Institutional Review Boards. (Outside the US, research is typically governed by Ethics Boards that serve much the same function.)
For example, a significant amount of important research in computer science is performed using electronic mail archives as a data source. Many researchers have traditionally used email messages that they have personally received from friends and correspondents as the basis of their work. A significant number of publications are based on personally received messages. It is relatively rare for computer scientists and linguists to receive IRB approval for the use of such archives. Is such approval required?
The Common Rule does not apply to data sets that are anonymous. But what about data sets that can be re-identified? Are names embedded in email headers and/or bodies considered sufficient for identifying research subjects? That is, does an email message that contains a name fail to meet the requirement of 45 CFR 46.101(b)(4) of being "recorded in such a manner that subjects cannot be identified, directly or through identifiers linked to the subject"? Is English text authored by the research subject considered an identifier that can be linked to the subject? There has been considerable work in the past 20 years on using authorship patterns such as word choice and grammar to determine the identity of an author.
This breakout session will discuss the difficulty of applying the current IRB regulations to computer security research and possible ways of approaching these issues. Particular attention will be paid to email archives, network packet captures, and the re-identification of apparently anonymous data sets.
Usable Security and Privacy for Mobile Devices
Discussion leader: Marc Langheinrich, Universita della Svizzera italiana (USI)
Mobile devices in general, and mobile phones in particular, present unique challenges not only in terms of user interface, battery life, and form factor, but also in terms of ensuring their users' privacy and security. Privacy and security are often in conflict with one another and have been the topic of many research projects. In this discussion session, we will discuss open research issues in bringing usable privacy and security to mobile phones. Possible questions include: Can we combine today's popular location sharing applications with effective privacy controls? How can we mitigate the privacy and security risks of losing one's mobile phone? What novel challenges do mobile browsers pose in terms of security controls? And what kinds of approaches are most effective for conveying security advice on mobile devices?
Integrating Usable Security and Privacy into Security Education
Discussion leader: Heather Lipford, UNC Charlotte
The importance of usability in security and privacy has been gaining acceptance in the security research community, but what about security educators? A number of faculty in our community have offered usable security and privacy courses at various universities. Yet these courses are still rare. So what should the “average” security professional know about usable security? There are countless educational programs in security offered at universities and in industry training. How should usable security lessons and principles be integrated into those programs? How can we as a community impact general security and privacy education? In this discussion session we will focus on these issues, and discuss our experiences and ideas on usable security education and training.
Health Security and Privacy
Discussion leader: Tadayoshi Kohno, University of Washington
Healthcare is going digital. An increasing amount of health information is being gathered, stored, and shared digitally. There are a variety of institutions advocating the wide-scale deployment of electronic health records. Google and Microsoft and others have introduced online personal health systems for individuals to manage their own information. Advanced medical devices will be gathering health information in the home and hospital. These devices will also be affecting patients' physiology. All of these systems have important security, privacy, and safety implications, and need useful and usable mechanisms and solutions. In this breakout session we will focus on the usable security and privacy issues in health care technologies. What are the current and future usability challenges and research questions for the variety of health systems that are being developed?
SOUPS 2010 is sponsored by Carnegie Mellon CyLab and Microsoft.