Cybersecurity Brainstorming: Difference between revisions
No edit summary |
Rnagarajan (talk | contribs) |
||
Line 21: | Line 21: | ||
*using recaptcha or pictures (esp game), etc as dual key for all passwords | *using recaptcha or pictures (esp game), etc as dual key for all passwords | ||
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords | *perhaps regulation requiring financial institutions to only accept strong or dual-key passwords | ||
NYT article on bad password security: http://www.nytimes.com/2010/01/21/technology/21password.html?hp | |||
==Mesh Network Vaccination== | ==Mesh Network Vaccination== |
Revision as of 03:31, 21 January 2010
This page reflects the brainstorming and discussion of the cybersecurity group in Jonathan Zittrain's Cyberlaw: Difficult Problems Class.
For the Mozilla-icon-privacy project see: Terms of Service Brainstorming.
Problems to Tackle
Misaligned incentives have prevented industry, users, and government from solving many of the problems of cybersecurity. We're proposing three projects that will allow (power) users to increase the security of their data, as well as improve security for other people, and maybe even for the network as a whole. We may also be interested in working on the Mozilla Privacy issue.
"Safeword"
- All functionality should be inserted into the browser to appear as part of the various websites.
(1) Shows security level of user-selected password as it's typed in (for registration) (2) If user chooses weak password, auto-fill will be turned off. User must manually type in all weak passwords
- Safeword will look for keystrokes and won't send the password to the website if it doesn't sense the appropriate keystrokes
(3) Refuse password if it's been used before (for a major/important/security-sensitive site)
- for security reasons, Safeword would only save the first 4 characters of each password (not the whole thing)
(4) Periodically prompt user to change password
- this would be a suggestion, not a requirement and users could set how often it should prompt
Other Ideas:
- encrypted password storage within browser
- using recaptcha or pictures (esp game), etc as dual key for all passwords
- perhaps regulation requiring financial institutions to only accept strong or dual-key passwords
NYT article on bad password security: http://www.nytimes.com/2010/01/21/technology/21password.html?hp
Mesh Network Vaccination
Firefox plug-in used by the 5% of power users that can help patch the problems created by the larger base of security-ignorant or security-apathetic users. I made the analogy to tower defense at some point.
For your edification, see Tower Defense. Mfeld 05:18, 13 January 2010 (UTC)
Stop Badware
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently. We also propose this is included in search engines. While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.
Distress Password
Have 2 passwords --
- (1) secure password -- shows all emails, all data
- (2) distress password -- shows limited data (like limited profile), only showing safe data
Password Picture
Have a dual key mode of authentication for various web services: one would be the typical password, and the second would be a series of pictures. For example, when creating an account on a website for the first time, you would choose a password and choose keywords for pictures, like "animal" or "tree". Logging in would require you to enter a password as well as, from a series of pictures, choose your 1, 2, or 3 pictures that show your keyword. This would prevent robots from being able to try and guess your password, and would also prevent keystroke detectors from being fully functional.
Presentational ideas
- "This is your internet, this is your internet on botnet"
- Ham Sandwich metaphor acted out in reality
- Voiceover puppets a la JZ's video explanation of Herdict
- PSA Announcement featuring Internationally Recognized Magician Michael Feldman
- Lessig-style keynote presentation (as part)
Spot 1: Ham Sandwich (Live).
Magic Michael is happily doing a magic trick. Suddenly, he makes a ham sandwich appear out of nowhere. He asks an audience member, "And now, who would like to eat this ham sandwich?" People in the audience (kids?) react angrily. One says, "But, where did that ham sandwich come from?"
CUT TO Magic Michael, now sitting on a stool, talking to the camera: Everyone knows not to eat a mysterious ham sandwich that I make appear out of nowhere. But why do some people install software when they don't know where it came from? Hi, I'm internationally-recognized magician Michael Feldman, and I'm here to remind you how important it is to keep your computer safe. When in doubt about whether or not you should download and install a piece of software, just follow the ham sandwich rule; if it came from a stranger and you're not sure when or where it was made, don't install it - or eat it!
(looks great -- I just want some more magic puns, like "if it were a rabbit sandwich, maybe that's ok" or "installing random programs isn't magic. it's stupid.")
End with "The More You Know" music and logo? (like at the end of this stupid clip: http://www.youtube.com/watch?v=3eazYHO3Hsg&feature=related).
Spot 2: Magic Michael is seated, looking directly at the camera. "Hi, i'm internationally-recognized (and renowned) magician Michael Feldman. I can make many things disappear (hand gesture, and poorly patched together video making something disappear). But there's one thing that even I can't make disappear: the cybersecurity problem. (Michael attempts to make something symbolizing cybersecurity disappears, but fails). Remember, kids, installing random programs isn't magic. It's stupid."