The delightful user experience of security

C3 | Tue 22 Jan | 1:30 p.m.–2:20 p.m.


Presented by

  • Casey Schaufler

    Casey Schaufler has been developing operating systems since the 1970's, starting with the first commercial UNIX port to a 32 bit machine. He has worked on device drivers, filesystems, databases, tool chains and debuggers. He started working on system security in the 1980's and was the lead architect and developer for trusted systems at Silicon Graphics. In security he has implemented mandatory access controls, audit systems, access control lists, multi-level window systems and networking. He created a UNIX system with an unprivileged root user. He was heavily involved in the development of rational release process. Casey is the author and maintainer for the Smack Linux security module and is currently working to make security modules fully stackable. He is currently employed in Intel's Open Source Technology center. He lives 30 kilometers south of San Francisco and 100 meters from the Pacific ocean.

Abstract

The delightful user experience of security – We all know that computer security is obtrusive, annoying and expensive. At every layer of software from wifi modem micro-code to web backgammon there are passwords, updates and restrictions that get in the way of doing the simple things we set out to accomplish. If you’re a developer, it’s even worse with CVE tracking, code scanners and named exploits sucking away precious schedule time. But what if it wasn’t that way? What would software be like if someone developed computer security with the explicit goal of creating something people will like? Casey Schaufler knows how dreadful the experience of security can be, having implemented everything from access control lists and release process to the ugliest login screen ever produced. In this talk he steps back from the traditional approach to computer security and investigates it from the viewpoint of providing a delightful user experience. The talk starts off with the basic premises of security and why they ought to make systems more usable, not less. It continues with the importance of creating security models that reflect what people want the software to do, and how to go about doing so. The process of building software to enforce those models and the mechanism for ensuring that both security and user experience are maintained throughout are described. Finally, the problem of keeping the user experience from deteriorating when faced with new and unexpected security challenges is addressed.