New IE8 Features for Anti-Phishing

The next version of Internet Explorer 8 will have new features to protect people from phishing attacks. Some of these features were developed by CMU's very own Serge Egelman. Nice work Serge!

Some highlights include:

• Better warning messages (based on our past work on warnings in web browsers [PDF])
  
• Better heuristics for detecting scams (I'd be interested in learning more about how these work)
  
• Anti-malware support
  

Really interesting article in the NYTimes about the Eye-Fi card, which also geotags your photos for you using Skyhook.

Also, see below about interesting news about the location capabilities of the next iPhone.

NYTimes

[The Eye-Fi Share card] is a 2-gigabyte memory card ($100), compatible with most digital cameras, with a twist: it has Wi-Fi networking built in. Each time you bring your camera home to your wireless network, it transmits your photos back to the
computer, automatically and wirelessly. It can also upload them to Flickr, Picasa or another online photo-gallery site, automatically and wirelessly.

You know how your digital camera gives every photo an invisible time and date stamp? Well, the Eye-Fi Explore ($130) card invisibly stamps every photo with where you took it.

...

(Indeed, the new iPhone, coming July 11, incorporates both G.P.S. and Skyhook. It even has a third location system, developed by Google, that pinpoints your location by studying your proximity to cellphone towers. That iPhone will really know where you are.)

World of Warcraft introducing 2-Factor Authentication

I didn't expect to have two posts in a row about World of Warcraft, but I found this one too interesting to resist. It looks like Blizzard will be making physical tokens available for customers to purchase, to increase the security of their accounts. Apparently, there have been many hacked accounts, leading to the loss of (virtual) gold and items. This was a venue for phishing and malware that I didn't see coming, but it makes sense once you see how the value chain eventually ends up as cash.

http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true

A fun read about a scientific conference held in World of Warcraft about World of Warcraft.

Thus began the first scientific conference held in Azeroth, the online universe inhabited by millions of people playing World of Warcraft. Anyone who has been part of a conference's organizing committee knows that some glitches and mishaps are just unavoidable. And as usual, the problems that actually did occur were unforeseen. It was a success nonetheless. By the end of the third day, a real scientific exchange took place, I married one of the conference participants, and within an hour of the wedding, we were all dead.

...

With fireworks bursting and confetti still drifting all around the dancing mob of wedding guests, Catullus announced the final event: a massive attack on Sentinel Hill, an Alliance stronghold. As we surged over the hills around the unsuspecting fort, everyone yelled, "For Science!" Bainbridge had enlisted the help of Alea Iacta Est, the largest guild in Azeroth. At first it seemed we were unbeatable. The 70th-level characters among us cut down the Sentinel Hill guards where they stood. We boiled up the spiral staircase to the platform atop the tower. It was so crowded that I could hardly see the parapets. Several people tumbled off during our celebratory dance.

But it wasn't long before Alliance players learned about the Science guild raid on Sentinel Hill. Word spread that "the scientists are running amok!"

http://www.sciencemag.org/cgi/content/full/320/5883/1592c

Microsoft Hires CastleCops founder

Microsoft has hired Paul Laudanski, the man behind the anti-phishing Castlecops.com website, to help with the software company's phishing and spam investigations.

Laudanski, a former volunteer firefighter, announced the move on Castlecops.com last week, saying that he's looking to find someone else to run the site that he founded in 2002.

http://www.techworld.com/security/news/index.cfm?newsID=101724&pagtype=samechan

Walt Mossberg on Protecting Yourself from Identity Theft

You know phishing has become a mainstream problem when Walt Mossberg writes about it.

When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software...These types of attacks are called "social engineering," and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off.

Innovation

John Seely Brown presents a nice framework for thinking about innovation:

• Incremental innovation, that is "cheaper, thinner, faster and, of course, more features."
  
• Architectural innovations, which involve "a restructuring of the very building blocks of a product family, industry, or infrastructure." Think Skype or Cloud Computing, which offers a new way of doing something we're already doing.
  
• Disruptive innovations, which are innovations that "cause us to see and interact with the world differently." Examples include Memex, automobiles, and Sketchpad.
  

Attorney General Mukasey Outlines Criminal Threats to Infrastructure

Article in CNN describes Mukasey's description of the problems. Most relevant for our work in computer science:

The use of cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures and the security and solvency of financial investment markets.

Business Week on E-Spionage

Business Week has a really interesting article on the growing threat of e-spionage.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk.

...

On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm?ch

Utility of Multicore Chips?

I have to admit that I'm a skeptic of multicore chips. Even though they're part of many CPUs shipping today, it's just not clear to me what problem they solve. We've already had marginal returns on CPU performance, in terms of human productivity. The bottleneck just isn't the microprocessor anymore.

Don Knuth also sees some challenges for multicore:

Let me put it this way: During the past 50 years, I’ve written well over a thousand programs, many of which have substantial size. I can’t think of even five of those programs that would have been enhanced noticeably by parallelism or multithreading. Surely, for example, multiple processors are no help to TeX.

On the other hand, multicore might represent an opportunity. One of the trends in research this past decade has been novel ways of "wasting" CPU to enable other desirable properties, such as security and usability. All we need now is a clearer path for making this happen.

Google Lookup Feature

This is a really neat feature in Google Spreadsheets:

• To insert the number of Internet users in Paraguay:
  =GoogleLookup("Paraguay"; "internet users")
  
• To insert the Earned Run Average of Roger Clemens:
  =GoogleLookup("Roger Clemens"; "earned run average")
  

http://documents.google.com/support/spreadsheets/bin/answer.py?answer=54199

NYTimes: It Takes a Cyber Village to Catch an Auto Thief

I like this idea of "open-source crime solving", as it reminds me a lot of PhishTank and CastleCops. It is, however, an idea that is fraught with issues of trust, reliability, and vigilantism.

Online auto forums have helped unravel crimes before. Two years ago, a detective in Los Angeles used the forum on FreshAlloy.com, a Nissan enthusiast site, to track down victims of an elaborate fraud scheme. (That case, too, involved Nissan Skylines.)

The Beyond.ca site had also played a role in earlier cases of what might be called open-source crime solving. A year ago one of its members saw a hit-and-run accident a block in front of him, said Shelton Kwan, who co-founded the site with his cousin Ken Chan in 2002. “He took pictures. And the guy who got hit was another member of ours.”

NYTimes Link

Free Public Wifi!

Finally, an explanation for why I keep seeing "Free Public Wifi" in more and more places.

...Windows XP and friends are designed to pretend to be certain kinds of WiFi networks that you might have connected to in the past (a so-called AdHoc or peer-to-peer WiFi network). AdHoc networks aren't that common, but the point is that if you ever tried to connect to one with your WinXP laptop, later on it will broadcast to the world that it is that network.

Then other laptops will see that network, and some will try to connect, and they are then "infected" with this broadcasting "virus." It's not a traditional computer virus of course, just a set of behaviors that spread virally. The most widely spread early names will continue to spread even more because of the nature of this system. Ever see a network called "Free Public WiFi" but when you connect, it didn't work? Congratulations, you are now part of the problem....

http://www.kpao.org/2008/03/stunningly-dumb-windows-design.html

CMU HCII's Johnny Lee featured in Business Week Interview

Apparently, an interview with Business Week reveals that CMU's very own Johnny Lee is now the leader of a cult! :)

Congratulations Johnny!

Over the past 12 months, a series of quirky but compelling videos uploaded to Google's (GOOG) YouTube have been delighting hackers, designers, and tech tinkerers worldwide. The videos, which feature modifications of Nintendo's (NTDOY) popular Wii
console to create everything from mind-boggling 3D images to interactive whiteboards, have earned their creator a cultlike following and inspired countless other experiments.

Article

Twenty Years of Four HCI Conferences

This is an interesting article showing various visualizations of four different HCI conferences: CHI, UIST, InfoViz, and AVI. There is certainly an element of belly gazing going on here, but I also think it's interesting what kinds of conclusions can be drawn from the different visualizations.

http://www.informaworld.com/smpp/content~content=a789632485~db=all~order=page

The authors also present some strategies for producing key publications:

• Have the right idea at the right time
  
• Collaborate with other senior researchers
  
• Supervise a good number of (good) students
  
• Publish in the right conferences
  
• 
  

HCII candidates for YouTube Awards

"The Human-Computer Interaction Institute is well represented among the nominees for the second annual YouTube Awards. http://www.youtube.com/ytawards07 .

The video of Prof. Randy Pausch’s Sept. 18 lecture, “Really Achieving Your Childhood Dreams,” has been nominated for Most Inspirational. PhD student Johnny Chung Lee and his “Head Tracking for Desktop VR” video are nominated in the Instructional Video category.

Winners will be chosen based on popular voting. Individuals can vote once a day in each of the 12 YouTube categories through March 19. "

Phishing Attack against CMU

Well, this was bound to happen sooner or later, but there was a recent phishing attack targeting members of the CMU community. And, no, this wasn't an experiment from our research team.

SCS Computing Facilities has received the following announcement from campus
Computing Services.

*** To verify the authenticity of this message, see Security News &
Events at ***

WHO: Everyone
WHAT: Phishing Emails Sent to Carnegie Mellon Accounts
WHEN: Feb 21, 2008

HOW: Fraudulent emails have recently been sent to Carnegie Mellon
email accounts claiming to be from the "CMU SUPPORT TEAM
" asking people to reply with their "CMU Webmail
account" passwords.

...

Gorgeous Virtual Book

This is a digital online book that demonstrates a variety of user interactions. It's really beautiful and well done.

http://www.rubenswieringa.com/code/as3/flex/Book/

Why Programming Languages need More HCI

I just posted a comment to Lambda the Ultimate trying to clarify some misunderstandings about user testing and HCI. Here is the original comment, and my reply is below.

I just created an account to reply to the above post. Just for background purposes, I teach human-computer interaction at Carnegie Mellon University, and am part of the School for Computer Science.

I believe the above poster is making a similar argument that Doug Engelbart made a long time back about the difference between tricycles and bicycles. More specifically, if ease of use was all that mattered, then we would all be riding tricycles.

However, I believe that the above post shows a common misunderstanding of the nature of user tests, and human-computer interaction more broadly. Specifically, HCI is not just about ease of use for "walk up and use" interfaces. We advocate that designers should understand the context of use, set appropriate goals, and measure that we are achieving those goals. Like security or performance, it is holistic and something that has to be intentionally designed in from the beginning, rather than slapped on at the end.

There have also been several studies looking at expert performance of user interfaces, spanning several weeks or months, to measure such things as learnability and overall performance. I believe these kinds of studies could address many of the concerns the above post makes.

Human-computer interaction can also provide new insights for programming languages. To give a concrete example, I will refer readers to the Natural Programming project at CMU, which is looking at how programmers (and non-programmers) already work and developing better tools to streamline those existing practices.

This project has led to better debugging tools (supporting "why" and "why not" questions, which turned out to be how every programmer studied phrased their debugging questions), a better understanding of what kinds of APIs are easier to use (it turns out, quite surprisingly, that objects with lots of constructors don't fare as well as those with simple ones), and better ways of validating that data is correct. Companion projects at other universities have also examined, for example, the role of gender and programming (finding that men tend to tinker a lot more when programming and debugging, which may suggest better ways of teaching computer science).

So, in a narrow sense, I would agree that user testing for ease of use is not enough, but I would also argue that human-computer interaction has *a lot* more to offer programming languages than may appear on first glance.

Resolved: Should Squirrels be Considered the Superior Species on Earth?

After watching this video of squirrels running thru obstacle courses, I'm not so sure we humans should be so proud of our achievemenets:

http://www.maniacworld.com/squirrel-obstacle-course.html

When Toolkits Go Bad

As someone who has been involved in the development of some user interface toolkits, I have to admit I'm simultaneously amused and really annoyed at this latest development, namely phishing toolkits that lower the barriers to entry for criminals.

http://news.netcraft.com/archives/2008/01/22/mrbrain_stealing_phish_from_fraudsters.html

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

This one toolkit, however, is somewhat humorous in that it tries to scam the scammers.

Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by the kit – every fraudster who uses these kits will unwittingly send a copy of each victim's details back to the Mr-Brain group.

No honor among thieves, apparently.

San Juan Airport Wifi

While on a layover in the San Juan airport in Puerto Rico, I was checking if there were any WiFi access points around, and see this humorously named hotspot.

The Higest Rated Youtube Video of all time is...

by the HCII's very own Johnny Lee, on using Nintendo Wiimotes for head-mounted virtual reality. 1.7 million views since it was posted 2 weeks ago. Way to go Johnny!

http://www.youtube.com/watch?v=Jd3-eiid-Uw

This Blog is Rated: College Undergrad

Get a Cash Advance

Anti-Phishing Phil on CMU's main home page

http://www.cmu.edu/homepage/collaboration/2007/fall/to-spot-a-scam.shtml

Carnegie Mellon University computer scientists have developed an interactive, online game featuring a little fish named Phil who teaches players cybersecurity tips. "Anti-Phishing Phil" helps users to better recognize and avoid email "phishing" and other Internet scams.

Crayon Physics Game

This is a really cute game that has a nice, sketchy aesthetic.

Google's OpenSocial Platform

Many of you have probably heard about this new OpenSocial platform that Google has released, which is basically an open form of FaceBook that various other social network platforms (like Orkut, Ning, LinkedIn, Hi5, Friendster, Salesforce.com, Oracle, iLike, Flixster, RockYou, and Slide) will conform to.

What's interesting here is that we actually covered this topic in our Social Web course (with some help from Information Rules), discussing why leaders tend to opt for closed platforms (primarily because they can force a lock-in and ensure customers) while a common strategy for those not in the lead to band together under an open platform to try and beat the leader. History may not repeat itself, but it does have themes.

Some of the questions in class included what Google's strategy would be (keep in mind that this was before the OpenSocial announcement), whether it would fit into their long-term goals ("take over the world", as one student said), and whether they could get others to play ball (the answer apparently being "yes"). Another point of discussion was what kind of apps could be built on top if there were a unified "friend" network.

The real surprise, however, is that MySpace is also joining this OpenSocial platform. This suggests to me that MySpace thinks it is far, far behind the apps curve, and is hoping for a small slice of a larger pie. I find this quite surprising, given MySpace's large user base, definitely something I wouldn't have predicted.

See here for more details:
http://www.news.com/8301-13577_3-9809413-36.html

Why Should Any Smart Object Be Stealable?

I've been wondering for a while that, given the cost of "smart" objects, why don't more of them don't have anti-theft mechanisms built in? It seems that there are two basic approaches here: make the stolen object useless, or make it (or the thief) really easy to find.

An example of making the smart object useless comes from a post by Ed Felten talking about how DRM can be used for good, to help prevent your stuff from being stolen.

http://www.freedom-to-tinker.com/?p=1180

How might this work? One possibility is that when the device [iPod] is plugged in to a charger it hasn’t seen before, it makes a noise and prompts the user to enter a password on the iPod’s screen. If the correct password is entered, the device will allow itself to be recharged by that charger in the future. The device will become associated with a group of chargers over time.

There are obvious holes with this approach, most notably stealing the charger, but it seems to me a generally good idea.

An example of making it easier to find the thief is FlickrBooth, which uploads pictures taken from a Mac's iSight camera to Flickr. There's already been one well-publicized example of successfully catching a thief.

A variant I'd like to see: something that can fingerprint the output media of cameras, so if anyone uploads a picture from that camera, you can find it. For example, Flickr already posts a lot of metadata about the camera that took the picture. So somehow record your camera's metadata in a "safe" place, and then use that to search for it if it ever gets stolen. Another possibility: I'm sure some cameras also have unique characteristics. The one I had that was stolen had a subtle scratch mark on all photos. It would be nice to be able to scan lots of images and find if anyone is publishing photos with it.

Anti-Phishing Phil used in High School Class

Just heard about this, our game Anti-Phishing Phil is being used in a high school class, where the topic is "things that can get you in trouble online".

I like this excerpt from the teacher:

I’m doing a unit right on about plagiarism, scams, spam, phishing, urban legends, and all sorts of other things that can get you in trouble online. Students are fascinated by anything that’s illegal, so it’s actually going pretty well.

...

Even with a minimal game structure, students focus on the play and don’t seem to notice that they are being taught a whole set of skills and knowledge. But when it’s over, they can answer my questions. Great stuff.

Wanted: A PowerPoint Shrinker

I've noticed that you can often substantially reduce the size of PowerPoint files simply by saving the same file to a new filename. I just did this for a lecture on social networking theory, and it went from 7 megs to 3.5 megs.

I'm trying to guess why PowerPoint does this, and not coming up with any good ideas. It can't be for undo, since PowerPoint eliminates your undo queue whenever you normally save. It might be for faster saves, though I never notice any difference between saving normally and saving to a new file.

At any rate, one thing that would be really nice would be something that did this automatically before emailing it out or posting it on your web site, just imagine the savings!

Clever "Wheel of Lunch" Mashup

Finally, a technologically sound answer to the eternal question "where should we go for lunch?". Take Yahoo Local, mix with Wheel of Fortune, and you have Wheel of Lunch.

http://www.coverpop.com/wheeloflunch/

Buy that song now, through your iPhone

This is a brilliant idea and a really compelling use of ubicomp technologies.

http://www.nytimes.com/2007/10/01/technology/01impulse.html

Like that song you hear playing at Starbucks, but just cannot wait until you get to a computer to download the song?

Starting tomorrow at certain Starbucks stores, a person with an iPhone or iTunes software loaded onto a laptop can download the songs they hear over the speakers directly onto those devices. The price will be 99 cents a song, a small price, Starbucks says, to satisfy an immediate urge.

Anti-Phishing Phil in the News

Anti-Phishing Phil is in the news (1) (2) (3) (4) (5) (6) (7).

Anti-Phishing Phil is a game we've created to teach people not to fall for phishing attacks (ie those fake "please update your account" emails that lead to identity theft).

Try out the game here!

You can also read our research paper here (PDF).

Web Component Architectures

After seeing Fernanda Viegas and Martin Wattenberg's excellent talk about Many Eyes, a web site for social visualizations, it dawned on me that the web is starting to move towards a component architecture based on Application Service Providers.

To wit, if you want a video on your blog, you turn to YouTube, which makes it easy to embed one into your blog page. If you want a map, you turn to Google Maps. And now with Many Eyes, if you want an interactive visualization, you turn to them.

It's pretty clear Google has already caught on to this idea a while back, given their recent efforts in making it easier to embed Google Maps into web pages and their recent announcement about embedding embedding Google books as well.

One of my colleagues, Brad Myers, commented that there may be interesting analogies with ActiveX components. There used to be a somewhat active market for Visual Basic components about a decade ago (no idea how it's faring now). These components made it much easier to build an application, providing things like calculators, timers, clocks, graphs, and so on, rather than having to roll your own.

If this notion of web components is a viable one, it will be very interesting to see how things play out, in terms of what the market would be, viable business models (can there be any small players here?), programming these components, frameworks so that they can interact and play well with each other, distributing the content, and so on. Very interesting indeed.

Programmer Archaeologists

In his book A Deepness in the Sky, sci-fi author Vernor Vinge describes the profession of Programmer Archaeologists. The basic idea was that in the far future, pretty much every piece of software you could imagine has already been created. So, rather than creating new software, the job of the Programmer Archaeologist would be to search for software close to what you wanted, and then adapt that software for your particular needs.

There is a forthcoming paper at UIST2007 (User Interface Software and Technology)that takes us a step closer to this world. Entitled Assieme: Finding and Leveraging Implicit References in a Web Search Interface for Programmers (PDF), it describes a search engine that provides not only documentation of APIs, but also finds snippets of examples. A nice idea, and well-executed.

Google docs has an alpha feature?

This is new: companies used to release products and label them as alpha or beta. Then, web sites rolled out the perpetual beta. Now, Google Docs has a search and replace feature that is labeled alpha. I hope this is something that will not catch on, but as Software-as-a-Service becomes more pervasive, I'm afraid it will.





(FYI this screenshot also shows a working version of the syllabus for The Social Web course that I will be co-teaching this fall)

How much is a review on Slashdot worth?

Our book, The Design of Sites, was recently reviewed on Slashdot. I actually disagree with the reviewer on several points, in particular that patterns need to be "an elusive insight or 'trick of the trade'", but the main point I want to write about today is how much a review is worth.

About once a day, I check how our book is doing on Amazon.com. Ever since our second edition came out in December 2006, it's been hovering around 2500-4000 in terms of overall sales rank. Checking this morning, our book is at #388. Assuming that Amazon's sales follow a Zipf curve (or is it power law or Pareto? I can never remember), this means a heavy increase in sales.

The problem, though, is that Amazon doesn't reveal what their rankings actually mean, and I only see how many books we sell in 6-month periods, so it's hard to say more with any precision.

TRANSCOM, General Norty Schwartz, and the Future of Carbon

A few weeks ago, as part of the Computer Science Study Panel, I had the opportunity to meet General Norty Schwartz, a four-star general that is currently the head of TRANSCOM. TRANSCOM is a unified command charged with all of the transportation issues in the military. As you might imagine, it is a pivotal but underappreciated part of the military.

Talking with General Schwartz was a really fun and insightful experience. He struck me as someone who is slow and steady, rock-solid reliable, the kind of person you would want managing your transportation needs.

However, the thing that pleasantly surprised me was General Schwartz' interests in carbon. Right now, among all of the cabinet departments, the Dept of Defense is the largest consumer of carbon-based fuels, and within the DoD, TRANSCOM is the largest consumer. He mentioned how this wasn't sustainable, and that they were looking into long-term solutions to this problem.

While I realize that his statement wasn't for reasons of being green, it's good to know that this issue is on the radar screen. I also hope it will translate into a shift in how transportation is handled in the DoD for the better.

Anti-Phishing Phil in Portuguese

Wow, this is really cool! Portugal Telecom has taken our Anti-phishing Phil game, but has replaced our fish with a frog. It's like I'm reliving my Frogger days!

http://seguranca.sapo.pt/phishingze/

Jim Morris' Notes on Venture Capitalists

My department's former dean has a blog entry about a panel of venture capitalists, hosted by Berkeley and CMU West. My favorite point:

Avoid Web 2.0 companies based upon AAA - Ajax, Adsense, and Arrogance

This makes me wonder what the carrying capacity of Adsense is. How many companies / blogs out there can Adsense fully support?