Archive for the ‘Security’ category

When Computers Kill: Radiation Overdose

October 22, 2007

I was watching BBC News on EyeTV this morning, and caught the tail end of a horrific story about hundreds of French patients who received crippling, and sometimes fatal, overdoses of radiation.

Earlier this year, a major scandal erupted in France when it was discovered that between 1989 and 2006, two radiotherapy units had accidentally given hundreds of cancer patients too high a dose of radiation. Five patients have since died and many others have been left in crippling pain.

My first thought was how eerily similar this is to Therac-25. But this incident could be worse once all the facts are out. 5 are already dead, and hundreds affected, according to the BBC.

A major investigation is now under way to try to establish how so many mistakes could have been made…. Incredibly, one of the lines of inquiry will be why the instruction booklets that accompanied the equipment were in English when the hospital staff of course were French.

This investigation is very much worth following. A lot can be learned about designing safe and usable systems from this disaster. Cynically, I worry that the massive liability involved will lead to politics and cover ups, instead of through investigation. Be prepared to read between the lines.

… staff then explained to newcomers how to operate the programmes, who later explained to subsequent trainees, and so on. To add to the confusion, the procedures were all in English.

Eventually, an incorrect default setting was made that resulted in a number of patients being given overdoses of between 20% and 40%.

Poor training is an issue, sure. But the real question I have here is, how could the software be designed so that it could possible be rendered lethal by default?

According to the AP “In both the Epinal and Lyon incidents, hospitals blamed the problems on human error.” I agree, but I think the humans at fault were the designers, not the operators. “Human error” is usually a euphemism for “operator error”, or “customer error”, or “blame them”. Disasters are a chain of failures; operators are only one link in that chain. The system as implemented in the hospitals included hardware, software, training, and standard operating procedures. From all accounts, it looks like there were systematic errors, over a period of years — about the strongest indicator you can have that the system was deeply flawed.

What Therac-25 was to engineering, this could be to interaction design. I think there were probably engineering mistakes made, but if the instructions weren’t even in the right language, chances are usability was a bigger factor. Actually, the similarities to Therac-25 still bother me. It’s a bit of history that should not be repeated.

I’ve said it before and I’ll say it again, these incidents are worth following. I just wish more hard facts were public (and in English as well, I can’t read French).


“Disability research leads to shoulder surfing breakthrough”

August 30, 2007


The lens makes things easier to see, but harder to shoulder surf

Research initially aimed at helping partially sighted customers use chip and PIN keypads has led to the creation of a device which can protect customers from “shoulder surfing”.

This is the term used for the practice whereby a “criminally motivated” bystander casually observes the PIN when paying for goods or services or getting money from an ATM.

Neil Radford an Enterprise Fellow at the University of Warwick has worked with colleagues in the University of Warwick’s manufacturing Group to create a special “cradle” for chip & pin keypads, which innovatively incorporates a magnifying lens.

The use of the lens (patent pending) is of significant benefit to visually impaired people, as it enlarges the pin pad display whilst also improving security. The enhanced view, to any user standing directly in front of the key pad, alone is of great benefit by reducing the degree of difficulty and the associated anxiety many face in simply reading the display – from partially sighted people through to the many people who need simply to switch to reading glasses for some tasks – whilst vendors see improved transaction times.

Importantly the device, also provides tremendous additional benefit to customers, vendors and banks in that it has been proven to be a highly effective defence against shoulder surfing, by distorting the view available from any other angle by a casual observer or even CCTV and hidden cameras, thus frustrating shoulder surfers and more sophisticated fraudsters.

Neil Radford has now established a company, Secure Access Solutions Limited, to market the “PED Cradle”.

Boots is piloting 35 cradles in its Cambridge, UK store. Secure Access Solutions is also in discussions with the Royal National Institute of the Blind who are giving their expert assessment. Additional trials will be held with RNIB in July.

Secure Access Solutions has identified how the same issues affect transactions at ATM Cash points and are already well advanced with a range of complementary products for ATM’s, which are scheduled for further trials later this year with a UK Bank.

A lens seems like a good idea, but I hope it does a better job of obscuring the keypad then it appears to from the photograph.

Using Eye-Tracking to Stop Shoulder Surfing

August 30, 2007

An interesting new paper Reducing Shoulder-surfing by Using Gaze-based Password Entry

Shoulder-surfing — using direct observation techniques, such as looking over someone’s shoulder, to get passwords, PINs and other sensitive personal information is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user’s password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional approaches.

Great idea, and could be done today on iMacs and MacBooks, with their built-in cameras.

Unfortunately, the paper falls-short at testing.

To evaluate EyePassword, we conducted user studies with 18 subjects, 9 males and 9 females with an average age of 21…. Twelve subjects reported that they were touch- typists. On average subjects had 12 years of experience using a keyboard and mouse.

We compared the password entry speed and error rates of three approaches: a standard keyboard for entering a password (Keyboard) to provide a baseline, using EyePassword with dwell- based activation (Gaze+Dwell) and using EyePassword with

trigger-based activation (Gaze+Trigger). In addition, we evaluated two different on-screen layouts for the dwell case:
QWERTY layout and alphabetic layout. At the end of the study we asked subjects to fill out a survey to collect data on the user’s subjective opinion of the techniques.

(the passwords used were): computer, security, apple314, sillycat, Garfield, password, $dollar$, GoogleMap, dinnertime, Chinatown.

That’s a very select group, and probably all college students at Stanford too (although the paper does not say one way or the other, which is an experimental failing). Unfortunately, this means the conclusion that “subjects preferred the gaze-based password entry approach over traditional approaches.” must be taken with a big grain of salt. Actually I’d completely disregard it.

The test passwords are not strong enough. With the test-passwords used, the subjects only use the Shift function 6 times, out of 94 characters that are inputted (94 = 84 password characters + 10 “enter” characters to mark the end of the password). The passwords are mostly recognizable words, occasionally with up to 3 extra characters tacked on. Real passwords shouldn’t look like that. This makes me skeptical of the published speeds and error rates, because many passwords need more capital and special characters to be accepted by a system. The paper did not give me an understanding of how the eye-tracking system could be expected to perform with a password as strong as the one I use for this blog.

But most importantly (to me) there was no testing with a randomized keyboard layout. Without a randomized keyboard, a camera only has to record people’s eye-movements to get their password. A randomized keyboard is necessary for strong security. But the paper gives no data on how this would affect usability. Not even a gross rule-of-thumb, or qualitative advice.

Still, eye-tracking is an interesting idea, and it could do a lot to stop “standard” shoulder surfing, even if it is not effective against an attacker with some hardware.

EDITED TO ADD: another benefit of gaze-based PIN entry is that it is more hygienic. You don’t have to touch a keypad that thousands of other people have touched today. (ATMs near bathrooms are always kinda scary). Input for transactions could also handled only via eye-movement tracking. Obviously for transactions lot more feedback could be provided for the user, making it a very pleasant experience.

Ellison’s Law

June 30, 2007

This post has moved to its new home.