Cybersecurity Brainstorming: Difference between revisions

From Cyberlaw: Difficult Issues Winter 2010
Jump to navigation Jump to search
m (UTurn to 1267401600)
Tag: Manual revert
 
(6 intermediate revisions by 6 users not shown)
Line 1: Line 1:
This page reflects the brainstorming and discussion of the cybersecurity group in [http://en.wikipedia.org/wiki/Jonathan_Zittrain Jonathan Zittrain]'s Cyberlaw: Difficult Problems Class.
This page reflects the brainstorming and discussion of the cybersecurity group in [http://en.wikipedia.org/wiki/Jonathan_Zittrain Jonathan Zittrain]'s Cyberlaw: Difficult Problems Class.
'''Note: This page was just a scratch-pad for our ideas. Our final project is [[Cybersecurity Project|here]].'''


''For the Mozilla-icon-privacy project see: [[Terms of Service Brainstorming]].''
''For the Mozilla-icon-privacy project see: [[Terms of Service Brainstorming]].''
Line 21: Line 23:
*using recaptcha or pictures (esp game), etc as dual key for all passwords
*using recaptcha or pictures (esp game), etc as dual key for all passwords
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords
NYT article on bad password security: http://www.nytimes.com/2010/01/21/technology/21password.html?hp


==Mesh Network Vaccination==
==Mesh Network Vaccination==
Line 29: Line 33:
==Stop Badware==
==Stop Badware==
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently.  We also propose this is included in search engines.  While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently.  We also propose this is included in search engines.  While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.
StopBadware goes independent: http://news.cnet.com/8301-27080_3-10440210-245.html


==Distress Password==
==Distress Password==
Line 34: Line 40:
:(1) secure password -- shows all emails, all data
:(1) secure password -- shows all emails, all data
:(2) distress password -- shows limited data (like limited profile), only showing safe data
:(2) distress password -- shows limited data (like limited profile), only showing safe data
==Password Picture==
Have a dual key mode of authentication for various web services: one would be the typical password, and the second would be a series of pictures.  For example, when creating an account on a website for the first time, you would choose a password and choose keywords for pictures, like "animal" or "tree".  Logging in would require you to enter a password as well as, from a series of pictures, choose your 1, 2, or 3 pictures that show your keyword.  This would prevent robots from being able to try and guess your password, and would also prevent keystroke detectors from being fully functional.


=Presentational ideas=
=Presentational ideas=

Latest revision as of 14:57, 14 August 2024

This page reflects the brainstorming and discussion of the cybersecurity group in Jonathan Zittrain's Cyberlaw: Difficult Problems Class.

Note: This page was just a scratch-pad for our ideas. Our final project is here.

For the Mozilla-icon-privacy project see: Terms of Service Brainstorming.

Problems to Tackle

Misaligned incentives have prevented industry, users, and government from solving many of the problems of cybersecurity. We're proposing three projects that will allow (power) users to increase the security of their data, as well as improve security for other people, and maybe even for the network as a whole. We may also be interested in working on the Mozilla Privacy issue.

"Safeword"

  • All functionality should be inserted into the browser to appear as part of the various websites.

(1) Shows security level of user-selected password as it's typed in (for registration) (2) If user chooses weak password, auto-fill will be turned off. User must manually type in all weak passwords

Safeword will look for keystrokes and won't send the password to the website if it doesn't sense the appropriate keystrokes

(3) Refuse password if it's been used before (for a major/important/security-sensitive site)

for security reasons, Safeword would only save the first 4 characters of each password (not the whole thing)

(4) Periodically prompt user to change password

this would be a suggestion, not a requirement and users could set how often it should prompt

Other Ideas:

  • encrypted password storage within browser
  • using recaptcha or pictures (esp game), etc as dual key for all passwords
  • perhaps regulation requiring financial institutions to only accept strong or dual-key passwords

NYT article on bad password security: http://www.nytimes.com/2010/01/21/technology/21password.html?hp

Mesh Network Vaccination

Firefox plug-in used by the 5% of power users that can help patch the problems created by the larger base of security-ignorant or security-apathetic users. I made the analogy to tower defense at some point.

For your edification, see Tower Defense. Mfeld 05:18, 13 January 2010 (UTC)

Stop Badware

We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently. We also propose this is included in search engines. While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.

StopBadware goes independent: http://news.cnet.com/8301-27080_3-10440210-245.html

Distress Password

Have 2 passwords --

(1) secure password -- shows all emails, all data
(2) distress password -- shows limited data (like limited profile), only showing safe data

Password Picture

Have a dual key mode of authentication for various web services: one would be the typical password, and the second would be a series of pictures. For example, when creating an account on a website for the first time, you would choose a password and choose keywords for pictures, like "animal" or "tree". Logging in would require you to enter a password as well as, from a series of pictures, choose your 1, 2, or 3 pictures that show your keyword. This would prevent robots from being able to try and guess your password, and would also prevent keystroke detectors from being fully functional.

Presentational ideas

  • "This is your internet, this is your internet on botnet"
  • Ham Sandwich metaphor acted out in reality
  • Voiceover puppets a la JZ's video explanation of Herdict
  • PSA Announcement featuring Internationally Recognized Magician Michael Feldman
  • Lessig-style keynote presentation (as part)

Spot 1: Ham Sandwich (Live).

Magic Michael is happily doing a magic trick. Suddenly, he makes a ham sandwich appear out of nowhere. He asks an audience member, "And now, who would like to eat this ham sandwich?" People in the audience (kids?) react angrily. One says, "But, where did that ham sandwich come from?"

CUT TO Magic Michael, now sitting on a stool, talking to the camera: Everyone knows not to eat a mysterious ham sandwich that I make appear out of nowhere. But why do some people install software when they don't know where it came from? Hi, I'm internationally-recognized magician Michael Feldman, and I'm here to remind you how important it is to keep your computer safe. When in doubt about whether or not you should download and install a piece of software, just follow the ham sandwich rule; if it came from a stranger and you're not sure when or where it was made, don't install it - or eat it!

(looks great -- I just want some more magic puns, like "if it were a rabbit sandwich, maybe that's ok" or "installing random programs isn't magic. it's stupid.")

End with "The More You Know" music and logo? (like at the end of this stupid clip: http://www.youtube.com/watch?v=3eazYHO3Hsg&feature=related).

Spot 2: Magic Michael is seated, looking directly at the camera. "Hi, i'm internationally-recognized (and renowned) magician Michael Feldman. I can make many things disappear (hand gesture, and poorly patched together video making something disappear). But there's one thing that even I can't make disappear: the cybersecurity problem. (Michael attempts to make something symbolizing cybersecurity disappears, but fails). Remember, kids, installing random programs isn't magic. It's stupid."


Whiteboard Notes Part 1
Mesh Network Vaccination / Password Protection Ideas
Whiteboard Notes Part 2
Ideas for Incentivizing
Whiteboard Notes Part 3
Stop Badware Ideas
Whiteboard Notes Part 4
Problems Solved by "Safeword"
Whiteboard Notes Part 4
Functionality for "Safeword"