Slide 1

Slide 1 text

UX DESIGN: PROTECTING TRUST + PRIVACY IN A CONNECTED WORLD
ame elliott // @ameellio // ame@simplysecure.org
FROM BUSINESS TO BUTTONS // 15 MAY 2018

Slide 2

Slide 2 text

DESIGNERS / DEVELOPERS / RESEARCHERS / USERS
Simply Secure is a nonprofit for security, privacy, ethics, people

Slide 3

Slide 3 text

[Diagram: an ASCII PKI trust graph in which a Bridge CA links trust anchors TA W, TA X, TA Y and TA Z to chains of subordinate CAs and end entities (A through T, EE).]
You don’t need to be a cryptographer to work in security

Slide 4

Slide 4 text

NO YES

Slide 5

Slide 5 text

UNDERSTAND RISK TO USERS
PRACTICAL ADVICE
LEAD THROUGH DESIGN

Slide 6

Slide 6 text

Who are you worried about having your data? It depends on your threat model.
COMPANIES / GOVERNMENTS / HACKERS / STALKERS

Slide 7

Slide 7 text

Corporations and governments gather data about us
Image: Kajart Studio’s Tor Browser explanation, http://www.kajart.com/portfolio/tor-project-educational-animation-english/

Slide 8

Slide 8 text

Twitter and US National Security Letters in 2014

Slide 9

Slide 9 text

People expect bike sharing apps to track their location and use the camera

Slide 10

Slide 10 text

Why does a bike sharing app need to read your home settings and shortcuts and transfer that data?

Slide 11

Slide 11 text

iKettle (114 €) hacked to show location on a map
http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/

Slide 12

Slide 12 text

IoT botnets harm society, not only individual consumers

Slide 13

Slide 13 text

UNDERSTAND RISK TO USERS
PRACTICAL ADVICE
LEAD THROUGH DESIGN

Slide 14

Slide 14 text

Content strategy, brand, and tone are opportunities to communicate privacy

Slide 15

Slide 15 text

Slackbot reads all, but doesn’t comment in 1:1 direct messages

Slide 16

Slide 16 text

Graphic by Dan Grover Beyond “usable,” interfaces must be understandable, accountable, trusted

Slide 17

Slide 17 text

Read receipts use a limited visual vocabulary to change behavior

Slide 18

Slide 18 text

LEAD THROUGH DESIGN
PRACTICAL ADVICE
UNDERSTAND RISK TO USERS

Slide 19

Slide 19 text

Phishing is the attempt to obtain sensitive information like
- user names
- passwords
- credit card details
by masquerading as a trustworthy entity in an electronic communication. – Adapted from Wikipedia

Slide 20

Slide 20 text

Defense: Writing style guide for consistent tone builds trust

Slide 21

Slide 21 text

Content strategy and site information architecture prevent phishing with good URLs
Easy to spoof vs. your site, not 3rd party:
- http://berlinstreetwear.com/signup/?id=43289s32
- https://berlinstreetwear.siliconalllee.com
- https://berlinstreetwear.siliconallee.com
- https://berlinstreetwear.com/ezpay
- https://berlinstreetwear.ezpay.com
- https://ezpay.com/berlinstreetwear
- http://acm.us2.list-manage.com/track/clicku=db7c289da&id=e70bf2b789&e
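The point of this slide is that a user can only learn to trust a link if the brand's own registrable domain is the part that controls it. The following is an added example, not code from the talk or from Simply Secure: a small link checker that, given a brand domain (assumed here to be `berlinstreetwear.com`, taken from the slide's sample URLs), reports whether a link is served from the brand's own domain or from a third party that merely contains the brand name in a subdomain or path. The `registrable_domain` helper approximates the registrable domain as the last two DNS labels, which is a simplification; production code should consult the Public Suffix List.

```python
"""Classify links by whether their host is under the brand's own domain.

Added example for the talk's "good URLs prevent phishing" point. Assumes a
brand whose registrable domain is berlinstreetwear.com and approximates the
registrable domain as the last two DNS labels (a simplification; real code
should use the Public Suffix List).
"""
from urllib.parse import urlsplit

# Assumed brand domain, taken from the slide's sample URLs.
BRAND_DOMAIN = "berlinstreetwear.com"


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str, brand_domain: str = BRAND_DOMAIN) -> dict:
    """Return a dict describing whether `url` is on the brand's own site.

    findings lists the reasons a content strategist should reject the URL:
    a host controlled by another registrable domain, the brand name appearing
    only as a subdomain or path of that other domain, or a non-https scheme.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand_name = brand_domain.split(".")[0]
    findings = []

    # Only an exact match or a subdomain of the brand domain is "your site".
    own_site = host == brand_domain or host.endswith("." + brand_domain)
    if not own_site:
        other = registrable_domain(host)
        findings.append(f"host is controlled by {other}, not {brand_domain}")
        if brand_name in host:
            findings.append("brand name appears only as a subdomain of another domain")
        if brand_name in parts.path.lower():
            findings.append("brand name appears only in the path of another domain")
    if parts.scheme != "https":
        findings.append("not served over https")

    return {"url": url, "host": host, "own_site": own_site, "findings": findings}


def own_site_urls(urls, brand_domain: str = BRAND_DOMAIN) -> list:
    """Filter a list of candidate URLs down to those that pass every check."""
    return [u for u in urls if not classify_link(u, brand_domain)["findings"]]


if __name__ == "__main__":
    # The sample URLs shown on the slide.
    SAMPLE_URLS = [
        "http://berlinstreetwear.com/signup/?id=43289s32",
        "https://berlinstreetwear.siliconalllee.com",
        "https://berlinstreetwear.siliconallee.com",
        "https://berlinstreetwear.com/ezpay",
        "https://berlinstreetwear.ezpay.com",
        "https://ezpay.com/berlinstreetwear",
    ]
    for u in SAMPLE_URLS:
        r = classify_link(u)
        verdict = "your site" if r["own_site"] and not r["findings"] else "easy to spoof"
        print(f"{verdict:14} {u}")
        for f in r["findings"]:
            print(f"               - {f}")
```

Of the six sample links only `https://berlinstreetwear.com/ezpay` passes every check: the payment flow lives under a path on the brand's own domain, so the user has one domain to learn. The same logic can be run over outbound e-mail templates before they are sent, which is where tracking redirectors like the `list-manage.com` link on the slide would be caught.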

Slide 22

Slide 22 text

Defense: Style guides codifying visual design build trust

Slide 23

Slide 23 text

LEAD THROUGH DESIGN
PRACTICAL ADVICE
UNDERSTAND RISK TO USERS

Slide 24

Slide 24 text

NO YES

Slide 25

Slide 25 text

https://simplysecure.org/knowledge-base

Slide 26

Slide 26 text

THANK YOU
GET INVOLVED!
slack@simplysecure.org // @simplysecureorg // @ameellio // ame@simplysecure.org