Usability and Web 2.0

Nad did a brilliant guest lecture for our undergraduate HCI class at Lancaster on Monday. His slides and blog about the lecture are at Virtual Chaos. He touched on issues of democracy vs. authority of information, dynamic content vs. accessibility and, of course, the increasing privacy issues on social networking sites. He also had awesome slides using loads of Flickr photos under Creative Commons … community content in action, not just words! He also touched, of course, on Web 3.0 and the future convergence between emergent community phenomena and structured Semantic Web technologies.

fading news – disks astray and children named

This is now old news (it takes me a long time to get to the blog!), but anyone in the UK will know the story of the missing child benefit disks: 25 million records containing parents’ and children’s names, addresses, dates of birth, bank account and national insurance details … an identity fraudster’s gold mine. This has caused worry for millions of parents and embarrassment for Alistair Darling in Parliament. The BBC has a timeline of the events and Computer Weekly has a (very) slightly more techie-focused account.

Anyway, a week ago last Thursday (22nd Nov) I did a short radio interview on Radio Cumbria, which forced me to consider the issue in a little more detail. I think they expected more of a security angle, but obviously this is very much a human story also.

Despite the gravity of the event I was shocked but not surprised. In the end, if you put people in a severely time-pressured, cost-controlled context, mistakes will inevitably happen.

So what went wrong? …


after the ball is over …

Last week’s HCI2007 conference and the Physicality workshop are now all finished (except sorting out the final finances for HCI … but I’ll forget that for now!)

Being part of the organisation of things, you always see so many things that do not go as planned (or go outright wrong), but to the delegates it all seems a well-oiled machine. In this as in many other domains, the mark of a robust system is not whether or not it fails, but how it copes with failure. This is the heart of my principles for appropriate intelligence when designing ‘intelligent’ user interfaces, and also of ‘fail fast programming’1 when designing and debugging critical computer systems.

Great to see so many old friends … and meet new people … and afterwards to be able to show Nad2 the glories of the Lake District.

[photos: Windermere; Lake District mountains; the Lake District in winter]

  1. I must make web pages for this some day … but see debugging notes I did for a software engineering course a few years ago[back]
  2. see his blog on arriving at the conference and his Flickr photos of the Lake District[back]

Practicing security

Last week I was stuck for a night in Frankfurt due to the high winds. Soon after I settled into the 17th floor of the Holiday Inn, gusts screaming round the building, I got a call on my mobile. I thought it would be my taxi driver confirming the time for the re-booked flight the next day, but instead there was an unfamiliar voice:

“This is HM Revenue and Customs, we have a message for you, but first can we confirm your name and address”

Actually, linking a name and address to a phone number is not that secret, but still I asked:

“How do I know you are who you say you are?”

“If you prefer you can ring back on …. it is to your advantage”

I checked that it would be OK to ring the next day on my return and rang off … I didn’t say (life is too short) that being given a number to ring back does not increase my confidence unless I can verify that number independently.

In fact the next day I checked on the HMR&C site and the number was their helpline. However, this call had many hallmarks of a fraudulent call: how could I, or a less technically aware citizen, know this was a genuine call? In this case the information requested was relatively innocuous (but of course the script could easily continue, “and date of birth … bank details …”) and the phone number given was an 0845 number, which costs the person ringing back money … either genuine or high-value fraud. Of course, if I were fraudulently ringing up people pretending to be HMR&C, at any sign of trouble giving the genuine helpline number would be just what I would do to allay suspicion!

It is not just HMRC that makes calls like this; banks and credit card companies are forever ringing up and asking you to confirm your identity … and that usually does include giving some form of security code. But they have rung you, so they have more confidence in who you are than you have in them, yet they never offer any means of confirming their own identity.

Email too: I have received various mails from banks which look very like phishing emails. In one case I received an email where the domain of the sender was different from the domain of the reply address and different again from the domain of the URL link. It goes without saying that none of these was the bank’s standard domain. In this case the only reason I knew it was not phishing was that it offered information and did not request anything sensitive.
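The three-way domain mismatch described above is exactly the kind of thing a mail filter can check mechanically. The following is an added example, not code from the original post: a small Python script that parses a constructed message, reduces the From address, the Reply-To address and every link in the body to their registrable domains, and reports every disagreement between them and between each of them and the domain the customer has been told to expect. The bank name, the addresses and the expected domain are all hypothetical, and the public-suffix handling is a deliberate simplification (a few two-part suffixes such as co.uk) rather than the full public suffix list.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real bank email). It has the shape described
# in the post: From, Reply-To and link domains all differ, and none of them is
# the bank's well-known domain.
SAMPLE_MESSAGE = b"""From: Customer Services <alerts@examplebank-mail.net>
Reply-To: Customer Services <noreply@examplebank-messages.com>
To: customer@example.org
Subject: Important information about your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please read the latest information at
<a href="https://secure.examplebank-online.co.uk/info">our site</a>.</p>
</body></html>
"""

# Hypothetical: the domain the customer has been told to expect from the bank.
EXPECTED_DOMAIN = "examplebank.com"

# Simplified public-suffix handling: enough for "co.uk"-style suffixes,
# not a substitute for the real public suffix list.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host):
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def header_domain(msg, header):
    """Registrable domain of the address in a header, or None if absent/malformed."""
    value = msg.get(header)
    if value is None:
        return None
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return registrable_domain(addr.rsplit("@", 1)[1])


def link_domains(msg):
    """Sorted registrable domains of every http(s) href in the message body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in re.findall(r'href=["\']([^"\']+)', text, flags=re.IGNORECASE):
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(registrable_domain(parsed.hostname))
    return sorted(hosts)


def analyse(raw, expected_domain):
    """Return the extracted domains plus a list of human-readable findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {
        "from": header_domain(msg, "From"),
        "reply_to": header_domain(msg, "Reply-To"),
        "links": link_domains(msg),
        "findings": [],
    }
    # Internal consistency: does the mail even agree with itself?
    if result["reply_to"] is not None and result["reply_to"] != result["from"]:
        result["findings"].append("Reply-To domain differs from From domain")
    for d in result["links"]:
        if d != result["from"]:
            result["findings"].append(f"link domain {d} differs from From domain")
    # External consistency: does anything match the domain the customer expects?
    seen = {result["from"], result["reply_to"], *result["links"]} - {None}
    for d in sorted(seen - {expected_domain}):
        result["findings"].append(f"{d} is not the expected domain {expected_domain}")
    return result


if __name__ == "__main__":
    for line in analyse(SAMPLE_MESSAGE, EXPECTED_DOMAIN)["findings"]:
        print("WARNING:", line)
```

Run against the constructed message it produces five warnings; a message whose From, Reply-To and links all sit under the expected domain produces none. The point is not that a mismatch proves fraud (the post's own example was genuine) but that a genuine mail which trips every one of these checks is indistinguishable, by this test, from a phishing mail, which is exactly the author's complaint.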

By sending emails and making phone calls that are virtually indistinguishable from fraudulent ones, the banks (and even HMR&C) are training us to be victims of fraud.

Literally we are encouraged to practice being insecure.