Praktikum Security, Usability and Society (Master) [WS222512555]

Practical course (P)
WS 22/23



  • Security, Usability and Society

The Praktikum "Security, Usability and Society" covers topics both in usable security and privacy programming and in how to conduct user studies. To reserve a place, please register on the WiWi portal and send an email with your chosen topic, plus a back-up one, to mattia.mossano@kit.edu . Topics are assigned first-come-first-served until all of them are filled. The deadline for the first round is 18.07.2022. Topics in italics have already been assigned.

WiWi portal: https://portal.wiwi.kit.edu/ys/6273

Important dates:

Kick-off: 13.10.2022, 10:00 AM CET in BigBlueButton (link)
Report + code submission: 30.01.2023, 23:59 CET
Presentation deadline: 30.01.2023, 23:59 CET

Presentation day: 01.02.2023


Programming Usable Security Intervention

In this subject, students work on a programming task dealing with usable security interventions, e.g., implementing (part of) a browser extension such as TORPEDO ( https://secuso.aifb.kit.edu/english/TORPEDO.php ) or PassSec+ ( https://secuso.aifb.kit.edu/english/PassSecPlus.php ). As before, students are provided with a list of goals containing both basic features, which are mandatory to pass the course, and more advanced ones that raise the final grade.

Title: Portfolio Graphical Recognition-Based PWDs with Gamepads
Number of students: 2 Bachelor or Master level
Description: Graphical passwords use graphical elements as passwords and are usually easier to remember than textual passwords. Moreover, they can be combined with "portfolio authentication" techniques to make them shoulder-surfing resistant. The goal of this topic is to implement a graphical portfolio authentication scheme for gamepads, based on previous implementations of textual schemes.

Title: Development of a secure web interface with a ticket system for the Hashcat Password Cracker
Number of students: 2 Bachelor or Master level
Description: Hashcat is a console application that cracks passwords using a given wordlist or password pattern (mask). To allow multiple, not necessarily trustworthy, users to submit password-cracking jobs with the specified parameters in parallel, a web platform with a ticket system is to be developed in this lab topic. The frontend and backend should be implemented separately, and a clear description of the interface between them is an essential part of this work. Python with the Flask web framework can be used to implement the backend. Good knowledge of programming, APIs, and web security is required.
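Because the users of such a platform are not necessarily trustworthy, the part of the backend that matters most for security is the one that turns a submitted job into a hashcat command line. The following is an added example (written for this page, not code from the course, SECUSO or the hashcat project) of that step: every field of an untrusted JSON payload is checked against an allowlist, and the command is built as an argv list and run without a shell, so a mask such as `?l?l; rm -rf /` can never become a second command. The hash modes, wordlist paths, limits and regular expressions are hypothetical operator configuration, not hashcat defaults; the Flask route that would call `create_ticket` is left out so the block runs without Flask.

```python
"""Allowlist-based validation of hashcat job tickets (added example).

Assumed: the operator decides which hash modes and wordlists are exposed;
the values below are placeholders, not hashcat defaults.
"""
import re
import subprocess
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED_HASH_MODES = {0: "MD5", 100: "SHA1", 1000: "NTLM", 1800: "sha512crypt"}
ALLOWED_WORDLISTS = {"rockyou": "/srv/wordlists/rockyou.txt"}  # key -> path
# Masks may only use hashcat charset tokens (?l ?u ?d ?h ?H ?s ?a ?b) or alnum literals.
MASK_RE = re.compile(r"^(?:\?[ludhHsab]|[A-Za-z0-9]){1,16}$")
# One hash per entry; bounded length, no whitespace or shell-relevant characters.
HASH_RE = re.compile(r"^[A-Za-z0-9$./:=+-]{8,256}$")
MAX_HASHES = 1000
MAX_RUNTIME_SECONDS = 3600


class InvalidJob(ValueError):
    """Raised when a submitted job does not pass the allowlist checks."""


@dataclass(frozen=True)
class Job:
    hash_mode: int
    hashes: List[str]
    runtime: int
    wordlist: Optional[str] = None   # key into ALLOWED_WORDLISTS (attack mode 0)
    mask: Optional[str] = None       # hashcat mask (attack mode 3)


def validate(payload: Dict) -> Job:
    """Turn an untrusted JSON payload into a Job, rejecting anything unexpected."""
    if not isinstance(payload, dict):
        raise InvalidJob("payload must be an object")
    unknown = set(payload) - {"hash_mode", "hashes", "wordlist", "mask", "runtime"}
    if unknown:
        raise InvalidJob(f"unknown fields: {sorted(unknown)}")
    mode = payload.get("hash_mode")
    if type(mode) is not int or mode not in ALLOWED_HASH_MODES:  # also rejects bool
        raise InvalidJob("hash_mode not allowed")
    hashes = payload.get("hashes")
    if not isinstance(hashes, list) or not 0 < len(hashes) <= MAX_HASHES:
        raise InvalidJob("hashes must be a non-empty list")
    for h in hashes:
        if not isinstance(h, str) or not HASH_RE.fullmatch(h):
            raise InvalidJob("malformed hash")
    runtime = payload.get("runtime", 600)
    if type(runtime) is not int or not 1 <= runtime <= MAX_RUNTIME_SECONDS:
        raise InvalidJob("runtime out of range")
    wordlist, mask = payload.get("wordlist"), payload.get("mask")
    if (wordlist is None) == (mask is None):
        raise InvalidJob("exactly one of wordlist or mask is required")
    if wordlist is not None and wordlist not in ALLOWED_WORDLISTS:
        raise InvalidJob("wordlist not allowed")  # users pick a key, never a path
    if mask is not None and not (isinstance(mask, str) and MASK_RE.fullmatch(mask)):
        raise InvalidJob("mask not allowed")
    return Job(mode, list(hashes), runtime, wordlist, mask)


def build_argv(job: Job, hash_file: str, out_file: str) -> List[str]:
    """Build the hashcat command line as an argv list, never as a shell string."""
    argv = ["hashcat", "--quiet", "--potfile-disable",
            "-m", str(job.hash_mode), "--runtime", str(job.runtime),
            "-o", out_file]
    if job.wordlist is not None:
        argv += ["-a", "0", hash_file, ALLOWED_WORDLISTS[job.wordlist]]
    else:
        argv += ["-a", "3", hash_file, job.mask]
    return argv


def create_ticket(payload: Dict) -> Dict:
    """API side: validate the request and hand out an unguessable ticket id."""
    job = validate(payload)
    return {"ticket": uuid.uuid4().hex, "status": "queued", "job": job}


def run_job(job: Job, workdir: str) -> subprocess.CompletedProcess:
    """Worker side: write the hashes to a file and run hashcat without a shell."""
    hash_file = f"{workdir}/hashes.txt"
    out_file = f"{workdir}/cracked.txt"
    with open(hash_file, "w") as fh:
        fh.write("\n".join(job.hashes) + "\n")
    # shell=False (the default): mask and file names are separate argv entries,
    # so quoting tricks in user input cannot inject further commands.
    return subprocess.run(build_argv(job, hash_file, out_file),
                          timeout=job.runtime + 60, capture_output=True)
```

The ticket id from `uuid4()` is the only handle a user gets to a job; the frontend should still bind tickets to the authenticated user server-side, since an unguessable id is not an authorization check.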

Designing Security User studies

These topics are related to how to set up and conduct user studies of various types. This year, due to the Corona outbreak, we decided to conduct online studies only; otherwise, interviews and in-lab studies would have been possible. At the end of the semester, the students submit a report / paper and give a talk in which they present their results.

Title: Analysing the perceptions of email subject extensions like 'Caution - This e-mail is sent from someone outside the company'
Number of students: 1/2 Bachelor or Master level
Description: Email subject extensions are used in many organisations to reduce the risk of falling victim to a phishing email: why should your boss, for example, send you an external email? It is likely a phish! The idea is to develop the study protocol and to collect first data, which should then be analysed.

Title: User study on detecting attacks on e-mail protection with S/MIME certificates
Number of students: 2 Bachelor or Master level
Description: KIT offers its employees and students the option of securing their e-mail communication with S/MIME certificates. For users, this creates the challenge of checking incoming messages for a valid signature and encryption and of recognising possible attacks. The aim of this work is to design and set up a user study to evaluate training material. The study should cover different usage scenarios for detecting attacks (e.g., via invalid certificates) and the behaviour of users within these scenarios.

Title: Evaluation of the Sudoku Privacy Friendly App usability for users with rheumatoid arthritis (English only)
Number of students: 1 Bachelor or Master level
Description: The Privacy Friendly Apps are a set of applications developed by the SECUSO group that do not contain any advertisement or tracking mechanism, hence preserving the privacy of their users (https://secuso.aifb.kit.edu/english/105.php). One of these apps is "Sudoku", available for Android on both the Google Play Store and F-Droid. Although the app is friendlier to privacy than other alternatives, it requires multiple tactile interactions with the mobile device. This can be an issue for users with reduced hand mobility, such as those suffering from rheumatoid arthritis. To approximate the reduced mobility caused by rheumatoid arthritis in healthy users, it is common to use arthritis simulation gloves (e.g., https://idarinstitute.com/products/arthritis-simulation-gloves). The task of the student is to design a lab study involving arthritis simulation gloves that evaluates the usability of the Sudoku app for users suffering from rheumatoid arthritis.

Title: Password Generator Defaults
Number of students: 2 Bachelor or Master level
Description: Password managers are useful tools that help users employ complex passwords and avoid password reuse. Moreover, they support users with password generator tools that create random passwords of a specific length. However, the default settings might be at odds with the password policies of popular websites, e.g., the generated passwords can contain forbidden characters or be too long/short. Moreover, we need to understand whether password manager users change the default settings to generate passwords, in how many cases, and for what reasons. The students' task is therefore twofold: (1) compare the default settings of several password managers to the password policies of popular websites; (2) design and implement a survey to collect the behaviour of password manager users with regard to the password generator tools.
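Part (1) of the task amounts to comparing two small data structures: a generator's defaults (length and character set) and a site's policy (length bounds, forbidden characters, required character classes). The following is an added example of that comparison plus a policy-conforming generator built on the `secrets` module; it is written for this page and is not code from any password manager or from the course. The defaults and the policy in the block are constructed placeholders, not measurements of any real product or website.

```python
"""Compare password generator defaults with a site's password policy (added example)."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Character classes a policy may require; the keys are used in SitePolicy.
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


@dataclass(frozen=True)
class GeneratorDefaults:
    length: int
    charset: str


@dataclass(frozen=True)
class SitePolicy:
    name: str
    min_length: int
    max_length: int
    forbidden: FrozenSet[str] = frozenset()
    required_classes: FrozenSet[str] = frozenset()


def conflicts(defaults: GeneratorDefaults, policy: SitePolicy) -> List[str]:
    """Return a human-readable list of ways the defaults violate the policy."""
    issues = []
    if defaults.length < policy.min_length:
        issues.append(f"too short: {defaults.length} < {policy.min_length}")
    if defaults.length > policy.max_length:
        issues.append(f"too long: {defaults.length} > {policy.max_length}")
    bad = sorted(set(defaults.charset) & policy.forbidden)
    if bad:
        issues.append("forbidden characters in charset: " + "".join(bad))
    for cls in sorted(policy.required_classes):
        if not set(CLASSES[cls]) & set(defaults.charset):
            issues.append(f"required class missing from charset: {cls}")
    return issues


def generate(defaults: GeneratorDefaults, policy: SitePolicy) -> str:
    """Generate a password from the defaults, adjusted to satisfy the policy.

    Length is clamped into the policy's range, forbidden characters are dropped,
    and rejection sampling ensures every required class appears at least once.
    """
    length = min(max(defaults.length, policy.min_length), policy.max_length)
    alphabet = "".join(c for c in defaults.charset if c not in policy.forbidden)
    for cls in policy.required_classes:
        if not set(CLASSES[cls]) & set(alphabet):
            raise ValueError(f"policy requires class {cls!r} but allows none of its characters")
    while True:  # rejection sampling keeps the draw uniform over valid passwords
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[cls] for ch in pw) for cls in policy.required_classes):
            return pw


# Constructed sample data (not measured from any product or website).
EXAMPLE_DEFAULTS = GeneratorDefaults(length=20, charset=string.ascii_letters + string.digits + string.punctuation)
EXAMPLE_POLICY = SitePolicy(name="example-site", min_length=8, max_length=16,
                            forbidden=frozenset("<>&\"' "),
                            required_classes=frozenset({"upper", "digit"}))
```

Running `conflicts(EXAMPLE_DEFAULTS, EXAMPLE_POLICY)` reports that the 20-character default exceeds the site's maximum and that the default character set includes characters the site forbids; `generate` then yields a 16-character password drawn only from the allowed characters.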

Title: User study evaluating the PassSec+ browser extension using eye tracking
Number of students: 1/2 Bachelor or Master level
Description: PassSec+ is a browser extension for Firefox and Google Chrome developed by SECUSO that helps to better protect passwords, payment data and other sensitive data: before such data is entered, it checks whether secure data entry is guaranteed and, in case of doubt, shows a dialogue that supports the user in the decision. The user study should investigate where the user's focus lies with and without PassSec+ and, in doing so, examine its effectiveness in preventing phishing. The setup and design of the study are already specified. The goal is to conduct the user study with participants and to analyse the data accordingly, e.g., with heat maps.

Title: User study on users' knowledge about brainwave verification
Number of students: 1 Master level
Description: Brainwaves can be used to authenticate users. However, several questions remain unanswered regarding users' stance on this: What is the prior knowledge of users about verification and brainwaves? Are they comfortable wearing a device to record their brainwaves? How do they feel about their brainwave samples being stored? Which kind of information can be extracted from the samples? How secure would such an authentication scheme be? The task of the student is to design, implement and pre-test a user study investigating these questions.

This course counts towards the KASTEL certificate. Further information on how to obtain the certificate can be found on the SECUSO website (https://secuso.aifb.kit.edu/Studium_und_Lehre.php).