It’s the Anthropology, Stupid! Ross Anderson and Frank Stajano.

It’s the Anthropology, Stupid!

Ross Anderson and Frank Stajano

The Virtual Nirvana

• Imagine in 2025 –

– Virtualised app and storage servers

– Virtual clients in your laptop (or VR headset)

– Bob.work, Bob.play, Bob.bank, Bob.gov…

– Could be quite complex: Bob.work on laptop talks to several clients, each with several service providers

• How will it all hang together?

What goes wrong

• To a first approximation all attacks are by insiders

• To a first approximation they all start as errors

• Military mechanisms (e.g. MLS) can stop well-trained people from entering High data into Low by accident

• But commercial systems are error-prone!

• Are there other ways of reducing the error rate?

• It’s largely about context and cues after all…

A modest proposal

• Protocols often fail because the authentication is one-way instead of two-way (or just the wrong way)

• So: it’s not enough for the laptop to just display “you are now talking to AlicesPC.work”

• It needs something more…

A modest proposal (2)

• The laptop needs to know whether it’s talking to

– Alice.work

– Alice.play

– Alice.bank

– Alice.gov

– …

• Not which VM in the cloud – but which VM in the user’s brain!

To Whom am I Speaking?

• If attackers are insiders, we need to know which insider

• For example, people in an unemotional state consistently underestimate their likely reactions when aroused – the “hot-cold empathy gap”

• We all have strategies to cope with this but …

• Joe and Sören – Facebook users more open to scams because of noisy distracting environment with continuous partial arousal

• So what if Alice.play talks to machine.bank?!?

Meatspace solutions

• Nonverbal channels we use for empathic synchronisation

• Expression, gesture, tone of voice

• Much older than speech

• Interactive too!

• Human cultures overlay them with ritual, manners, jargons, chants, dress codes …

Meatspace solutions (2)

Reclaiming the Interaction

• Matt Blaze: real-world protocols (such as ordering wine)

• Carl Ellison: human–computer interactions as ceremonies

• Ross: “I am buying 2000 BT shares from you at 131p”

• Frank Stajano: what hat are you wearing? This would work best if you actually wear it!

Hat-based Access Control

Keeping the Channel Open

• There will be a temptation to just do it all in software – an icon on the screen

• Our point is that we want to keep the behavioural channel open

• E.g. you might wear your access badge

• Maybe better: an active audio feedback channel

• Not system engineering: applied psychology and anthropology!

Orienting the User

• It’s not just knowing the user’s mood (as with Peter’s systems for recognising emotions)

• It’s about putting her in the right mood – and ensuring she doesn’t get out of it without the machine noticing

• Like singing the national anthem, or reciting a prayer, a critical authentication should not just require solemnity but induce it

• The password she enters everywhere won’t do

Conclusions

• Engineers see security as authentication protocols

• But often they’re part in the brain, part in software

• Mutual authentication means more than just usability testing – surely we need interaction too

• Is it feasible to automate an emotional interaction?

• How do systems get embedded in culture?

• How do we rediscover ritual – or at least give people the tools to invent it?

• How else can we replace the vanishing context?