Thinking about an "abuser" and not only a "user"

8 Jan 2009 - 10:11am
Ali Naqvi
2008

I am watching a discussion with Dr. Herbert Thompson:
"Dr. Herbert Thompson is an internationally renowned expert in application
security testing, research and training. He was Security Innovation’s
second employee, joining Founder Dr. James Whittaker in 2002. Dr. Thompson
earned his PhD in Applied Mathematics from Florida Institute of Technology
and is co-author or editor of 12 books, including “How to Break Software
Security: Effective Techniques for Security Testing.” Dr. Thompson has
authored more than 50 academic and industrial articles on software
security."

He talks about IT firms forgetting security threats/issues when developing
IT products. We as Interaction Designers also stress the importance of
user interaction but do we include abusers too?

Dr. Thompson talks about an airline incident where he was able to hack
into a system due to boredom. He believes that the developers forgot to
see the "abuser" point of view. Do you think that this only concerns the
engineers and programmers or can Interaction Designers provide useful help
here? (If they ever think about "abusers")

Ali

Comments

8 Jan 2009 - 10:33am
jet
2008

Both of their books are excellent reading. They're short and to the
point, with line staff and QE managers as the target audience, not
security professionals.

ali at amroha.dk wrote:
> I am watching a discussion with Dr. Herbert Thompson:
> "Dr. Herbert Thompson is an internationally renowned expert in application
> security testing, research and training. He was Security Innovation’s
> second employee, joining Founder Dr. James Whittaker in 2002. Dr. Thompson
> earned his PhD in Applied Mathematics from Florida Institute of Technology
> and is co-author or editor of 12 books, including “How to Break Software
> Security: Effective Techniques for Security Testing.” Dr. Thompson has
> authored more than 50 academic and industrial articles on software
> security."
>
> He talks about IT firms forgetting security threats/issues when developing
> IT products. We as Interaction Designers also stress the importance of
> user interaction but do we include abusers too?
>
> Dr. Thompson talks about an airline incident where he was able to hack
> into a system due to boredom. He believes that the developers forgot to
> see the "abuser" point of view. Do you think that this only concerns the
> engineers and programmers or can Interaction Designers provide useful help
> here? (If they ever think about "abusers")
>
> Ali
>
>
> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... discuss at ixda.org
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help
>

--
J. Eric "jet" Townsend, CMU Master of Tangible Interaction Design '09

design: www.allartburns.org; hacking: www.flatline.net; HF: KG6ZVQ
PGP: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

8 Jan 2009 - 3:01pm
Chauncey Wilson
2007

Designers need to consider misuse scenarios in planning. Here is a brief note
that I wrote up about misuse (and related) scenarios for my class on
scenarios:

"While many scenarios focus on actions leading to the successful or
unsuccessful completion of user goals, there are also scenarios that you
might call "misuse scenarios" where you describe ways that your system is
abused or mishandled. Take the case of a postal kiosk in a mall. Scenarios
that could affect the success of your system could include common misuse
scenarios like vandals who pour glue into the payment and postage openings
or well-intentioned customers who put heavy packages (or chubby children) on
the postal scale while rummaging through their purses or wallets for credit
cards to pay for the postage. Misuse scenarios can be developed from field
interviews, technical support databases, and "misuse workshops" where
stakeholders brainstorm the bad things that a user can do to your system.
Related scenario types include "exception scenarios" where there is an
analysis of what could go wrong at various steps in a process and "obstacle
scenarios" that describe things that might hinder progress toward a goal."

There is a book that anyone interested in scenarios should consider by
Alexander (2004). It has some examples of misuse scenarios.

Alexander, I. (2004). Negative scenarios and misuse cases. In I. F.
Alexander, & N. Maiden (Eds.) *Scenarios, stories, use cases through the
systems development life cycle.* New York, NY: Wiley, pp. 119-139.

Chauncey
On Thu, Jan 8, 2009 at 10:11 AM, <ali at amroha.dk> wrote:

> I am watching a discussion with Dr. Herbert Thompson:
> "Dr. Herbert Thompson is an internationally renowned expert in application
> security testing, research and training. He was Security Innovation's
> second employee, joining Founder Dr. James Whittaker in 2002. Dr. Thompson
> earned his PhD in Applied Mathematics from Florida Institute of Technology
> and is co-author or editor of 12 books, including "How to Break Software
> Security: Effective Techniques for Security Testing." Dr. Thompson has
> authored more than 50 academic and industrial articles on software
> security."
>
> He talks about IT firms forgetting security threats/issues when developing
> IT products. We as Interaction Designers also stress the importance of
> user interaction but do we include abusers too?
>
> Dr. Thompson talks about an airline incident where he was able to hack
> into a system due to boredom. He believes that the developers forgot to
> see the "abuser" point of view. Do you think that this only concerns the
> engineers and programmers or can Interaction Designers provide useful help
> here? (If they ever think about "abusers")
>
> Ali
>

8 Jan 2009 - 4:27pm
DrWex
2006

On Thu, Jan 8, 2009 at 3:01 PM, Chauncey Wilson
<chauncey.wilson at gmail.com> wrote:
> Designers need to consider misuse scenarios in planning.

I tend to agree but I think we need to separate two concerns:

One is "how should the system respond to out-of-bounds information".
Putting a heavy child on a postal scale, for example.
Two is "how should the system respond to behavior that may be
malicious." Ripping the scale out of the kiosk, for example.

In considering the design of a whole system both factors should be
considered to some degree but I'm uncomfortable with mixing the two
up.

Best regards,
--Alan

8 Jan 2009 - 4:42pm
Angel Marquez
2008

Would this account for abuse:
http://mypfblog.blogspot.com/2007/05/excess-activity-fee-at-wamu.html

This was about a month ago and the web UI allowed me to deplete my account
of over 75.00 of fees in one sitting with absolutely no destructive
confirmation screen.

The excessive fee was enforced right about when wamu was going under.

8 Jan 2009 - 7:27pm
Chauncey Wilson
2007

Hi Alan,
There is no problem with separating scenarios into those that result from
malicious intent versus actions with no true malicious intent. From the
perspective of the owner though the results could be the same from
intentional or unintentional behaviors. My thought is that we need to
consider a set of scenarios that include:

Normal scenarios
What-if scenarios
Misuse scenarios
Exception scenarios

Chauncey

On Thu, Jan 8, 2009 at 4:27 PM, Alan Wexelblat <awexelblat at gmail.com> wrote:

> On Thu, Jan 8, 2009 at 3:01 PM, Chauncey Wilson
> <chauncey.wilson at gmail.com> wrote:
> > Designers need to consider misuse scenarios in planning.
>
> I tend to agree but I think we need to separate two concerns:
>
> One is "how should the system respond to out-of-bounds information".
> Putting a heavy child on a postal scale, for example.
> Two is "how should the system respond to behavior that may be
> malicious." Ripping the scale out of the kiosk, for example.
>
> In considering the design of a whole system both factors should be
> considered to some degree but I'm uncomfortable with mixing the two
> up.
>
> Best regards,
> --Alan
>

11 Jan 2009 - 5:23am
Adrian Howard
2005

On 8 Jan 2009, at 15:11, ali at amroha.dk wrote:
[snip]
> Dr. Thompson talks about an airline incident where he was able to hack
> into a system due to boredom. He believes that the developers forgot to
> see the "abuser" point of view.

Interestingly I often see the opposite problem. Folk take the abuser
POV too seriously and produce a terrible user experience because of it.

> Do you think that this only concerns the
> engineers and programmers or can Interaction Designers provide useful help
> here? (If they ever think about "abusers")
[snip]

"Yes" I think is the answer :-) The terrible user experiences that you
sometimes encounter when trying to stop abuses are a big sign that more
help is needed. To pick two of my particular hates:
* CAPTCHA images - how many regular users do they stop? I know I've
given up on occasion...
* The terrible user experience in many implementations of OpenAuth/ID
- new technologies that should be helping users

You might be interested in the hcisec list http://groups.yahoo.com/group/hcisec/
where these issues are sometimes discussed.

Cheers,

Adrian

11 Jan 2009 - 7:48pm
DampeS8N
2008

Yes. Security is great, but good interaction is better.

And there is such a thing as self-defeating security, also.

Take AKO's (Army Knowledge Online) password requirements:

2 or more lowercase letters
2 or more uppercase letters
2 or more numbers
2 or more symbols (*&^%$#@!,.;< so on)
And at least 10 characters long.

It changes once every 3 months and stores the last 10 passwords to
prevent you from repeating.

This is annoying, and also pretty much forces the user to write his
password down.

I shake my head every time I see it.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=36963
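Added example (not part of the thread, and not AKO's code): the password rules quoted in the post above, implemented as a checker together with the "last 10 passwords" history rule. The rule set is the post's; the implementation, the PBKDF2 iteration count and the sample passwords are my assumptions. The point it makes concrete is the self-defeating part: a user who bumps a counter each quarter satisfies every rule and never collides with the history, so the policy costs usability without buying much.

```python
"""Added example: AKO-style complexity rules plus a ten-deep password history.
Not code from the original thread; rules quoted from the post, everything
else (hashing scheme, iteration count, sample passwords) is an assumption."""
import hashlib
import hmac
import os
import string
from collections import deque

SYMBOLS = set(string.punctuation)
HISTORY_DEPTH = 10      # the post: "stores the last 10 passwords"
ITERATIONS = 20_000     # kept low so the demo runs quickly; raise in production


def meets_policy(pw: str) -> bool:
    """>= 10 chars, >= 2 lowercase, >= 2 uppercase, >= 2 digits, >= 2 symbols."""
    if len(pw) < 10:
        return False
    counts = {
        "lower": sum(c.islower() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "symbol": sum(c in SYMBOLS for c in pw),
    }
    return all(n >= 2 for n in counts.values())


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as salted PBKDF2 hashes,
    never as plaintext, so the history itself is not a second thing to leak."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)   # (salt, hash), oldest evicted first

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

    def seen(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._hash(pw, s), h) for s, h in self._entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(pw, salt)))


def change_password(history: PasswordHistory, new_pw: str) -> bool:
    """Accept the change only if the rules pass and the password is not one
    of the last HISTORY_DEPTH; on success it joins the history."""
    if not meets_policy(new_pw) or history.seen(new_pw):
        return False
    history.add(new_pw)
    return True


def predictable_rotation(quarters: int) -> list:
    """What users do under this policy: same stem, counter bumped every
    quarter. Returns the acceptance result for each change (constructed data)."""
    history = PasswordHistory()
    return [change_password(history, f"PAssword{i:02d}!!") for i in range(1, quarters + 1)]


if __name__ == "__main__":
    print("policy accepts 'PAssword01!!':", meets_policy("PAssword01!!"))
    print("12 quarters of counter-bumping, all accepted:", all(predictable_rotation(12)))
```

Usage note: the history check is the part people usually get wrong, either by storing old passwords in the clear or by comparing with `==`; here each old password keeps its own salt and the comparison is constant-time. The rotation demo shows the policy's blind spot: "PAssword01!!" through "PAssword12!!" all pass, so a quarterly reset with a ten-deep history enforces nothing a guesser would not try first.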

12 Jan 2009 - 6:10pm
Angel Marquez
2008

What gets me is the system was designed to behave in that manner.
I was unable to open a bank account in Sweden. I was curious how
everything worked over there. The POS in transportation systems were like
American Fisher-Price toys, 3 very distinct big colored buttons.

Thanks for the input.

On Mon, Jan 12, 2009 at 4:58 AM, Jeroen Elstgeest <jeroen.elstgeest at gmail.com> wrote:

> @Angel: what you did wasn't intentional, so good interaction design should
> have 'warned' you in some way. From a Service Design point of view such
> "excessive-usage"-fees should be forbidden :-)
>
> Designing around unintentional misusage isn't the same as fighting
> intentional abuse. The first can be prevented with interaction and
> industrial design. The second is a lot tougher, but Interaction Design could
> help there too, mostly in protecting a potential victim. On banking sites
> (in the Netherlands) you always have to input a random number when you
> want to send a payment. The random number makes it harder to misuse the
> system, how well it works depends on interaction, but unfortunately such
> security systems must be used.
>
>
>
> On Thu, Jan 8, 2009 at 10:42 PM, Angel Marquez <angel.marquez at gmail.com> wrote:
>
>> Would this account for abuse:
>> http://mypfblog.blogspot.com/2007/05/excess-activity-fee-at-wamu.html
>>
>> This was about a month ago and the web UI allowed me to deplete my account
>> of over 75.00 of fees in one sitting with absolutely no destructive
>> confirmation screen.
>>
>> The excessive fee was enforced right about when wamu was going under.
>
>

12 Jan 2009 - 7:58am
Jeroen Elstgeest
2008

@Angel: what you did wasn't intentional, so good interaction design should
have 'warned' you in some way. From a Service Design point of view such
"excessive-usage"-fees should be forbidden :-)

Designing around unintentional misusage isn't the same as fighting
intentional abuse. The first can be prevented with interaction and
industrial design. The second is a lot tougher, but Interaction Design could
help there too, mostly in protecting a potential victim. On banking sites
(in the Netherlands) you always have to input a random number when you
want to send a payment. The random number makes it harder to misuse the
system, how well it works depends on interaction, but unfortunately such
security systems must be used.

On Thu, Jan 8, 2009 at 10:42 PM, Angel Marquez <angel.marquez at gmail.com> wrote:

> Would this account for abuse:
> http://mypfblog.blogspot.com/2007/05/excess-activity-fee-at-wamu.html
>
> This was about a month ago and the web UI allowed me to deplete my account
> of over 75.00 of fees in one sitting with absolutely no destructive
> confirmation screen.
>
> The excessive fee was enforced right about when wamu was going under.
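Added example (not from the thread, and not any bank's code): the per-payment random number Jeroen mentions, worked through as a challenge/response with both the bank side and the user's side. The message layout, the HMAC construction, the 8-digit truncation and the shared device secret are assumptions of this demo. It goes one step beyond the post to show the property that decides how well this "makes it harder to misuse the system": whether the code the user types back is bound to the payment details they saw, or only to the random number.

```python
"""Added example: transaction authorization by challenge/response.
Not code from the thread or from any bank; secret, encoding and code
length are constructed for the demo."""
import hashlib
import hmac
import secrets

# Assumption: the customer's signing device and the bank share a per-customer
# secret (constructed value; a real one is provisioned into the device).
DEVICE_SECRET = b"constructed-per-customer-secret"


def issue_challenge() -> str:
    """Bank side: a fresh 8-digit random number shown on the payment page."""
    return f"{secrets.randbelow(10**8):08d}"


def _to_code(mac: bytes) -> str:
    """Shorten a MAC to 8 decimal digits, something a person can type back."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def challenge_only_response(secret: bytes, challenge: str) -> str:
    """Device signs the random number alone: stops replay, not tampering."""
    return _to_code(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())


def bound_response(secret: bytes, challenge: str, iban: str, amount_cents: int) -> str:
    """Device signs the random number together with the payment details the
    user actually saw, so a code for one payment is useless for any other."""
    msg = f"{challenge}|{iban}|{amount_cents}".encode()
    return _to_code(hmac.new(secret, msg, hashlib.sha256).digest())


class PaymentAuthorizer:
    """Bank side: remembers outstanding challenges, checks the response in
    constant time, and burns the challenge so it cannot be used twice."""

    def __init__(self, secret: bytes, bind_details: bool = True):
        self._secret = secret
        self._bind = bind_details
        self._pending = {}  # challenge -> (iban, amount_cents) as submitted

    def start_payment(self, iban: str, amount_cents: int) -> str:
        challenge = issue_challenge()
        self._pending[challenge] = (iban, amount_cents)
        return challenge

    def confirm(self, challenge: str, response: str) -> bool:
        details = self._pending.pop(challenge, None)  # one-shot: gone after this
        if details is None:
            return False  # never issued, or already used
        if self._bind:
            expected = bound_response(self._secret, challenge, *details)
        else:
            expected = challenge_only_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


LEGIT = ("NL00BANK0123456789", 4_999)    # what the user meant to pay (constructed)
MULE = ("NL99MULE9876543210", 250_000)   # what malware substitutes (constructed)


def run_scenarios(bind_details: bool) -> dict:
    """Honest payment, replay of a used code, and a man-in-the-browser swap of
    beneficiary and amount made after the user computed the code."""
    bank = PaymentAuthorizer(DEVICE_SECRET, bind_details)

    def responder(challenge: str) -> str:
        # The device only ever sees what the user intended (LEGIT).
        if bind_details:
            return bound_response(DEVICE_SECRET, challenge, *LEGIT)
        return challenge_only_response(DEVICE_SECRET, challenge)

    ch = bank.start_payment(*LEGIT)
    code = responder(ch)
    honest = bank.confirm(ch, code)
    replay = bank.confirm(ch, code)

    ch2 = bank.start_payment(*MULE)          # malware altered the submitted form
    tampered = bank.confirm(ch2, responder(ch2))
    return {"honest": honest, "replay": replay, "tampered_accepted": tampered}


if __name__ == "__main__":
    print("details bound to code:    ", run_scenarios(True))
    print("challenge-only code:      ", run_scenarios(False))
```

Usage note: with `bind_details=True` the honest payment goes through, the replay is refused because the challenge was burned, and the swapped beneficiary is refused because the user's device signed the details the user saw. With `bind_details=False` the same swap is accepted: the random number alone defeats replay and nothing else, which is why the interaction matters as much as the crypto here, since the user has to be shown (and to type in) the amount and account they are authorizing.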
