It’s the Anthropology, Stupid!
Ross Anderson and Frank Stajano
The Virtual Nirvana
• Imagine in 2025
– Virtualised app and storage servers
– Virtual clients in your laptop (or VR headset)
– Bob.work, Bob.play, Bob.bank, Bob.gov…
– Could be quite complex: Bob.work on laptop talks to several clients, each with several service providers
• How will it all hang together?
What goes wrong
• To a first approximation all attacks are by insiders
• To a first approximation they all start as errors
• Military mechanisms (e.g. MLS) can stop well-trained people from entering High data into Low by accident
• But commercial systems are error-prone!
• Are there other ways of reducing the error rate?
• It’s largely about context and cues after all…
A modest proposal
• Protocols often fail because the authentication is one-way instead of two-way (or just the wrong way)
• So: it’s not enough for the laptop to just display “you are now talking to AlicesPC.work”
• It needs something more…
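The protocol-level point on this slide, that with one-way authentication the client is left with nothing to check and simply believes whatever the screen says, shown as an added example (this is not code from the talk or from either author). It assumes a constructed shared HMAC key and made-up machine names; the message labels and the `Endpoint` class are illustrative, not any real protocol:

```python
# Added example, not from the talk: why a one-way challenge-response leaves
# the client trusting an unauthenticated banner, and what the two-way
# version adds. Keys, names and message labels are constructed for this demo.
import hashlib
import hmac
import os


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class Endpoint:
    """A machine that claims a name and holds a key it believes is shared with its peer.
    An impostor claims the genuine name but does not know the genuine key."""

    def __init__(self, name: str, key: bytes):
        self.name = name.encode()
        self.key = key

    def nonce(self) -> bytes:
        return os.urandom(16)


def one_way(client: Endpoint, server: Endpoint) -> dict:
    """Server challenges the client. Only the server gets a verdict; the client
    is shown a banner that nothing has authenticated."""
    n_s = server.nonce()
    proof = tag(client.key, b"client->server", n_s, client.name)
    server_verdict = hmac.compare_digest(
        proof, tag(server.key, b"client->server", n_s, client.name))
    banner = b"you are now talking to " + server.name  # whatever the peer claims
    return {"server_verdict": server_verdict, "client_verdict": None, "banner": banner}


def two_way(client: Endpoint, server: Endpoint) -> tuple:
    """Both sides contribute a nonce and both sides prove knowledge of the key.
    Returns (client_verdict, server_verdict)."""
    n_c = client.nonce()
    n_s = server.nonce()
    # Server answers the client's challenge first, binding both nonces and its claimed name.
    server_proof = tag(server.key, b"server->client", n_c, n_s, server.name)
    client_verdict = hmac.compare_digest(
        server_proof, tag(client.key, b"server->client", n_c, n_s, server.name))
    if not client_verdict:
        return (False, False)  # client aborts; nothing is sent to an unverified peer
    # Only now does the client answer the server's challenge.
    client_proof = tag(client.key, b"client->server", n_s, n_c, client.name)
    server_verdict = hmac.compare_digest(
        client_proof, tag(server.key, b"client->server", n_s, n_c, client.name))
    return (client_verdict, server_verdict)


if __name__ == "__main__":
    shared = b"constructed-shared-key"
    laptop = Endpoint("Alice.laptop", shared)
    genuine = Endpoint("AlicesPC.work", shared)
    impostor = Endpoint("AlicesPC.work", b"wrong-key")  # same claimed name, wrong key
    print(one_way(laptop, genuine)["banner"] == one_way(laptop, impostor)["banner"])  # True
    print(two_way(laptop, genuine), two_way(laptop, impostor))  # (True, True) (False, False)
```

In the one-way run the genuine and impostor sessions produce an identical "you are now talking to AlicesPC.work" banner, because the name is never bound to anything the client can verify; in the two-way run the client's own challenge exposes the impostor before the client has sent its proof. Even so, the two-way version only authenticates machines; the next slides argue that the half of the identity that matters, which Alice (work, play, bank) is at the keyboard, lives in the user's head and needs a different channel.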
A modest proposal (2)
• The laptop needs to know whether it’s talking to
– Alice.work
– Alice.play
– Alice.bank
– Alice.gov
– …
• Not which VM in the cloud – but which VM in the user’s brain!
To Whom am I Speaking?
• If attackers are insiders, we need to know which insider
• For example, people in an unemotional state consistently underestimate their likely reactions when aroused – the “hot-cold empathy gap”
• We all have strategies to cope with this but …
• Joe and Sören – Facebook users more open to scams because of noisy distracting environment with continuous partial arousal
• So what if Alice.play talks to machine.bank?!?
Meatspace solutions
• Nonverbal channels we use for empathic synchronisation
• Expression, gesture, tone of voice
• Much older than speech
• Interactive too!
• Human cultures overlay them with ritual, manners, jargons, chants, dress codes …
Meatspace solutions (2)
Reclaiming the Interaction
• Matt Blaze: real-world protocols (such as ordering wine)
• Carl Ellison: human–computer interactions as ceremonies
• Ross: “I am buying 2000 BT shares from you at 131p”
• Frank Stajano: what hat are you wearing? This would work best if you actually wear it!
Hat-based Access Control
Keeping the Channel Open
• There will be a temptation to just do it all in software – an icon on the screen
• Our point is that we want to keep the behavioural channel open
• E.g. you might wear your access badge
• Maybe better: an active audio feedback channel
• Not system engineering: applied psychology and anthropology!
Orienting the User
• It’s not just knowing the user’s mood (as with Peter’s systems for recognising emotions)
• It’s about putting her in the right mood – and ensuring she doesn’t get out of it without the machine noticing
• Like singing the national anthem, or reciting a prayer, a critical authentication should not just require solemnity but induce it
• The password she enters everywhere won’t do
Conclusions
• Engineers see security as authentication protocols
• But often they’re part in the brain, part in software
• Mutual authentication means more than just usability testing – surely we need interaction too
• Is it feasible to automate an emotional interaction?
• How do systems get embedded in culture?
• How do we rediscover ritual – or at least give people the tools to invent it?
• How else can we replace the vanishing context?