Security-Centered Design

Chris Shiflett, shiflett.org, @shiflett

Tuesday, February 21, 12

Uploaded by chris-shiflett, posted on 01-Nov-2014. Category: Technology.

DESCRIPTION

Security is more than filtering input and escaping output (FIEO), and it’s more than cross-site scripting (XSS) and cross-site request forgeries (CSRF). Security isn’t even always black and white. In order to create a more secure user experience, we need to understand how people think. Perception is as important as reality, and meeting user expectations is a fundamental of good security. In this multifarious talk, I’ll introduce some of what I have learned about cognitive psychology, exploring topics such as change blindness and ambient signifiers, and I’ll show some real-world examples that demonstrate the profound impact human behavior can have on security.

TRANSCRIPT

Page 1: Security-Centered Design

SECURITY-CENTERED DESIGN

Chris Shiflett

shiflett.org, @shiflett

Page 2: Security-Centered Design

Page 3: Security-Centered Design

STOP

Page 4: Security-Centered Design

STOP

Collaborate & Listen

Page 5: Security-Centered Design

Page 6: Security-Centered Design

Who am I? Web craftsman from Brooklyn, NY, working on Mapalong and Brooklyn Beta from Studiomates.

Page 7: Security-Centered Design

TALK OUTLINE

Psychology Fun – Ambient Signifiers, Change Blindness

Authentication & Phishing – Password Anti-Pattern, OAuth, Facebook Connect

Examples – SmugMug Privacy, Facebook Worm, Twitter Don’t Click

Page 8: Security-Centered Design

AMBIENT SIGNIFIERS

Page 9: Security-Centered Design

Tokyo Subway

Page 10: Security-Centered Design

Tokyo Subway

Page 11: Security-Centered Design

Ambient Umbrella

Page 12: Security-Centered Design

Ambient SSL

Page 13: Security-Centered Design

Login Seals

Page 14: Security-Centered Design

CHANGE BLINDNESS

Page 15: Security-Centered Design

Page 16: Security-Centered Design

STOP

Page 17: Security-Centered Design

STOP

Hammertime

Page 18: Security-Centered Design

Page 19: Security-Centered Design

Page 20: Security-Centered Design

Page 21: Security-Centered Design

Page 22: Security-Centered Design

Page 23: Security-Centered Design

DERREN BROWN

Page 24: Security-Centered Design

PASSWORD ANTI-PATTERN

Page 25: Security-Centered Design

Page 26: Security-Centered Design

Page 27: Security-Centered Design

OAUTH

http://shiflett.org/blog/2010/sep/twitter-oauth

Page 28: Security-Centered Design

Page 29: Security-Centered Design

FACEBOOK CONNECT

Page 30: Security-Centered Design

Page 31: Security-Centered Design

Page 32: Security-Centered Design

Page 33: Security-Centered Design

THE WEB IS NOT OBVIOUS

Page 34: Security-Centered Design

Page 35: Security-Centered Design

OPENID – http://openid.net/

OAUTH – http://oauth.net/

OPENID & OAUTH HYBRID – http://j.mp/openidoauth

SHARED RESPONSIBILITY – http://simonwillison.net/2009/Jul/16/responsibility/

Page 36: Security-Centered Design

SMUGMUG PRIVACY

Page 37: Security-Centered Design

Page 38: Security-Centered Design

Pave the cow paths. Accommodate users’ expectations and tendencies; don’t try to modify them.

Page 39: Security-Centered Design

Page 40: Security-Centered Design

Be Humble

Page 41: Security-Centered Design

FACEBOOK WORM

Page 42: Security-Centered Design

Page 43: Security-Centered Design

Page 44: Security-Centered Design

TWITTER DON’T CLICK

Page 45: Security-Centered Design

Page 46: Security-Centered Design

Page 47: Security-Centered Design

Page 48: Security-Centered Design

Page 49: Security-Centered Design

RELATED POSTS

Security and User Experience – http://shiflett.org/blog/2008/jan/security-and-user-experience

Ambient Signifiers – http://shiflett.org/blog/2007/feb/ambient-signifiers

Facebook Worm – http://shiflett.org/blog/2008/nov/facebook-worm

Twitter Don’t Click Exploit – http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit

Page 50: Security-Centered Design

PHOTOS

Tree – http://flickr.com/photos/stuckincustoms/529110230

Cow path – http://flickr.com/photos/suda/672714986

My backyard – http://flickr.com/photos/shiflett/3261447115

Page 51: Security-Centered Design

Page 52: Security-Centered Design

FEEDBACK?

Follow me on Twitter – @shiflett

Comment on my blog – shiflett.org

Email me – [email protected]