strawberryJAMM's Security and User Experience WebLog

{pssst. I'm over here!}

2009-09-20T07:36:00Z

Just started a brand new professional blog! Check it out:

sJd UxD - http://sjd-uxd.blogspot.com/2009/09/hello-and-welcome.html

Long time gone and not coming back

2007-09-07T19:54:00Z

It's been a long time since I posted here, and that's because I left Microsoft back in November of 2005. As I was no longer working in Windows Security I no longer had anything to say on this subject and I didn't feel like this was the right place for me to continue posting about User Experience.

I haven't restarted a "professional" blog at this point in time, but I have maintained a personal blog at Live Spaces where I might start posting User Experience related topics again - I've been working in the Online Casino Game industry since March 2007, which has a very different set of user experience challenges from Security (although there is, as you might expect, a certain amount of overlap). If you see this, and liked what I have had to say in the past, feel free to check it out.

Signing Off,
Jenni

Customer Feedback Wicki for Windows Security Access Control

2005-09-10T06:45:00Z

Hi folks.

My current possition at Microsoft is as a Program Manager (PM) on the Security User Experience team in the Windows Security Access Control (WSAC) group. I'm just posting this to mention a new set of Wiki pages at Channel9 that have been put in place. WSAC is looking for customer feedback on the features in our areas of responsiblity, especially as implemented in Windows Vista and (eventually) Windows Server codenamed Longhorn.

The home page of the set is at the following URL: http://channel9.msdn.com/wiki/default.aspx/Channel9.WinSecurityAccessControlFeedback

WSAC's areas of responsibility are as follows:

Auditing, Authentication, Authorization - AAA
- Audit
- Audit Collection Services - ACS
- Code Integrity
- Process Isolation
- Secure Input
- Software Restriction Policy
- Windows Security Protocols
- User Account Protection - UAP (a.k.a. Least-privileged User Account - LUA; or Non-Admin)
- XrML Technologies
Credential Management - CredMan
- Electronic ID
- Public Key Infrastructure - PKI
Cryptography - Crypto
- Cryptography
- Cryptographic Services
Information Protection Platform - IPP
- Encrypting File System - EFS
- Rights Management Services - RMS
Security User Experience - SecUX
- Accessibility
- Interaction Design
- Interface Design
- Usability
- User Assistance/Help

So, if you have something to share about any of these features, especially if it's in relation to Beta1 of Windows Vista, please visit the URL above and leave us your comments. We can't wait to hear what you have to say, so do it today!

Fear and Loathing in Las Seguridades (Security)

2005-07-14T02:12:00Z

Fear. Anger. Distrust.

These will motiviate users to change their behaviour when it comes to securing their computers

At least that's the way Frank Hayes sees it in his article "Fear, Anger, Distrust".

Hayes discusses two surveys that came out last week: The Pew Internet & American Life Project on spyware and related problems, and a Ponemon Institute survey (reported on by Computerworld.com columnist Larry Ponemon) of 400 people who had had personal data leaked to the world. While neither one of these surveys intended to be about what makes users change what they do, Hayes' gives us the numbers to show us how fear, anger and distrusted had changed the behaviour of the study's participants.

Unfortunately, Hayes gently reminds us, relying on these particular motivators to change users' habits isn't the best idea:

<quote>

So users will change -- if they get afraid, angry or distrustful. That might be useful in getting them to stop doing risky, insecure things. But only if you make sure they're not afraid, angry or distrustful in your direction.

So threatening them with punishment for breaking security rules won't work. Neither will trying to force them to obey or lying to them. No wonder IT's standard techniques for getting users to behave always fail. They're exactly the wrong approach.

</quote>

This, of course, begs the question: "What is exactly the right approach?" That's a tough one and even Hayes avoids answering it. He does, however, offer a few additional insights "beyond fear, anger and distrust" gleaned from these two studies and then wraps up with the following:

<quote>

[N]ow that you know the strongest motivators of change for users, you want their fear, anger and distrust aimed squarely at security threats -- where they belong.

</quote>

Read the article for the full meal deal.

______________________________

So, just to be a bit silly, here's a "recipe" for the "right approach":

Start with what users like and toss in what users do
Pour in what users expect and what users need.
Mix well and sit in front of a usability study
Skim off any fear, anger and distrust
Bake iteratively over a release cycle and serve to millions.

;-)

Any thoughts on "the right approach"? Please leave a comment!

______________________________

PS: For the curious, "Las Seguridades" = "The Securities". ;-)

Usable Security - a new Usability and Security blog

2005-07-13T23:08:00Z

Well, I'm a bit late to the party but that doesn't mean I can't still welcome Ping and his Usable Security blog to the intersection of User Experience Ave. and Security St. ;-)

It's nice to see someone else blogging in this area. I look forward to reading through (and commenting on!)the posts and comments made about Usable Security since the first post on March 12, 2005.

Back in the Blogosphere

2005-07-13T22:06:00Z

To anyone who follows my blog, my apologies for the three month-ish absence. Real life reared it's ugly head and various circumstances of health, happiness and quality of life collided, thereby requiring that I take a short leave of absence from work. During this time, I felt that it was also wise to keep all things work related at arms length, and so I allowed this blog to languish.

And now I'm back, and raring to go. Expect me to start posting again very soon. :-)

--Jenni (aka strawberryJAMM)

mmmmmmmmmm..... This is not a Test. The World Is Flat. I Repeat, This is not a Test.... mmmmmmmmmm.....

2005-04-09T18:48:00Z

Someone on a mailing list I'm on passed along the URL to the article "It's a Flat World, After All," by Thomas L. Friedman, author of "The World Is Flat: A Brief History of the Twenty-First Century," from which the article is adapted (and which is now on my list of "books to read").

Friedman has quite a lot of interesting things to say in his seven web pages about the current status of the globalization process that started when Columbus safely returned home (thereby proving the world was round). ;This event kicked off an era where countries were globalizing for resources and imperial conquest, followed by the industrial revolution starting an era where companies were globalizing for markets and labor, and lead inexorably to the information era, where technology has "leveled the field" enabling individuals and small groups to globalize.

Around about the third page of the article, Friedman poses the question "How did the world get flattened, and how did it happen so fast?" He follows that up with a list of 10 events and forces, that all occurred or came together during the 1990’s, converging right around 2000. The first three world flatteners "created the new platform for collaboration":

Nov 9, 1989 – The Berlin Wall Comes Down (and Microsoft Windows 3.0 goes up)
Aug 9, 1995 – Netscape Goes Public (bringing the internet and the dot-com boom with it)
Workflow Revolution – Application to Application infrastructure (Enables outsourcing Y2K bug fixes to Indian engineers)

The next six world flatteners were the new ways in which individuals and companies could collaborate on work and share knowledge using the platform the first three created:

Outsourcing – work could be digitized, disaggregated and shifted to any place in the world where it could be done better and cheaper
Off-shoring – send the whole factory from Canton, Ohio, to Canton, China
Open-sourcing – whole new operating systems are written by engineers collaborating online and working for no pay.
Insourcing – let a company like UPS come inside my company and take over my logistics operations
Supply-chaining – create a global supply chain so efficient that when an item is sold in Arkansas, another is immediately made in China. (This is Wal-Mart’s specialty)
Informing – allow anyone to collaborate with, and mine, unlimited data all by themselves (This is Google, Yahoo and MSN Search)

The tenth and final world flattener, he called "The Steroids":

Wireless and Voice over Internet Protocol (VoIP) – the other collaboration methods areturbocharged: you can now do any one of them, from anywhere, with any device

Friedman follows up his discussion of these ten "World Flatteners" with the following quote:

<quote>

The world got flat when all 10 of these flatteners converged around the year 2000. This created a global, Web-enabled playing field that allows for multiple forms of collaboration on research and work in real time, without regard to geography, distance or, in the near future, even language. ''It is the creation of this platform, with these unique attributes, that is the truly important sustainable breakthrough that made what you call the flattening of the world possible,'' said Craig Mundie, the chief technical officer of Microsoft.

</quote>

As if the leveling of the playing field was not enough on its own, Friedman points out another convergence that occurred at roughly the same time: The three billion new players who walked, and often ran, from the sidelines and straight into the game. That is, all the people of China, India, Russia, Eastern Europe, Latin America and Central Asia who were suddenly no longer restricted from joining the free market after their economies and political systems opened up during the course of the 1990's.

>Friedman does go on to note that not everyone has access to this platform yet, but more people have access to it in more places on more days than ever before, and it the numbers are only increasing across the board with time. What I found particularly interesting was his and others thoughts that the so-called "IT Revolution" of the past 20 years was nothing more than the warm-up act – the first steps that forged, sharpened and distributed all the tools the world needed to collaborate and connect. The main act is only just beginning as we move on into the era where technology REALLY transforms every aspect of business, government, society and life.

Another quote that caught my attention:

<quote>

When the world is flat, you can innovate without having to emigrate. This is going to get interesting. We are about to see creative destruction on steroids.

</quote>

This got me thinking about how this trend is already changing immigration patterns into countries like the USA and Canada. There are tough requirements in these countries around who they will allow a company to bring in to work – ostensibly to protect their own citizens from the risk of loosing job opportunities to someone from another country. But, what happens when the companies really do not need to bring the people in to the country to get the work done? When the better educated, gung-ho people are not here but there? The jobs will be lost just the same – in fact, even more so. There are, of course, rules and regulations regarding what kind of offshore holdings a company can legally have, or how much offsite consulting they can legally utilize, but I wonder if, in the long run, this kind of locked down policing of global employment will do more harm than good?

You can already see this happening with help lines – you are more likely to get someone with a "friendly Indian lilt" answering your request for help, especially outside of North American working hours (8am EST to 6pm PST), than someone living closer to home, when you call a 24/7 help line. Even at Microsoft, we have staff working our internal corporate technical help desk lines in India in addition to staff in Denver, Colorado and some city in California. Truthfully, it does makes sense – over there, they are just waking up while, over here, it’s after dinner and we’re just trying to download our email or copy a document off of the corporate network Why hire people to work a "graveyard shift" when there are humans who can do the work as a "morning shift"?

Another quote, this one from Rajesh Rao, a young Indian Entrepreneur that Friedman spoke with, digs into the issue much more deeply:

There is no time to rest. That is gone. There are dozens of people who are doing the same thing you are doing, and they are trying to do it better. It is like water in a tray: you shake it, and it will find the path of least resistance. That is what is going to happen to so many jobs – they will go to that corner of the world where there is the least resistance and the most opportunity.

...

[Americans and Western Europeans would] be better off thinking about how you can raise your bar and raise yourselves into doing something better. Americans have consistently led in innovation over the last century. Americans whining -- we have never seen that before.

As Friedman says, "This is Not a Test" – it is time for the United States (and its cadres) to wake up and take a good long look at the other kids on the playground and in the classrooms. It will not be long before just getting by, by doing what has always been done and always worked, will not even get a "Satisfactory" grade from the World-at-Large.

We need to get going immediately. It takes 15 years to train a good engineer, because, ladies and gentlemen, this really is rocket science. So parents, throw away the Game Boy, turn off the television and get your kids to work. There is no sugar-coating this: in a flat world, every individual is going to have to run a little faster if he or she wants to advance his or her standard of living. When I was growing up, my parents used to say to me, "Tom, finish your dinner -- people in China are starving." But after sailing to the edges of the flat world for a year, I am now telling my own daughters, "Girls, finish your homework -- people in China and India are starving for your jobs."

I don’t know about you, but I’m already sitting on the edge of my seat, popcorn and a Coca-Cola in hand. The previews have ended, the digital sound check is just fading away, and the movie studio logo is rolling. In the next 10 to 20 years, there is going to be a spectacular, mind-blowing show unfolding around us. I sure wouldn’t miss this for anything in the world. Besides, I have a vested interest – I am expecting to write a line or two of the screenplay after all. ;-D

--
Jenni A. M. Merrifield =:= strawberryJAMM

LUA in the News

2005-04-07T21:57:00Z

There's an article at infoworld talking about LUA in Longhorn - check it out: http://www.infoworld.com/article/05/04/06/HNfewerpermissions_1.html

strawberryJAMM moves to Blogs @ TechNet

2005-03-29T03:00:00Z

blogs.TechNet.com has officially gone live and "strawberryJAMM's Security and User Experience WebLog" has moved off blogs.MSDN.com...(read more)

Adobe Photoshop CS activation doesn't play well with LUA

2005-03-09T21:12:00Z

The activation process in Adobe Photoshop CS doesn't work for LUA users because of the technique that was implemented to validate activation every time the program is launched. There are workarounds, but none are particularly ideal....(read more)

Internet Explorer 7

2005-02-16T03:56:00Z

Today, in his keynote for the 2005 RSA conference, Bill Gates announced, among other things, that Microsoft would be releasing a new version of Internet Explorer for the XP SP2 platform. Internet Explorer 7 (IE7) is expected to continue with advancements already in Windows XP SP2 by adding additional security to the platform while still maintaining its current levels of extensibility and compatibility. Betas are expected to be sometime this summer.

Here are a few related links:

This is a Good Thing^(TM), and I think Dean, from the IE Team, puts it best in his "IE Blog" post about the IE7 announcement:

[The IE Team is] committing to deliver a new version of Internet Explorer for Windows XP customers. Betas of IE7 will be available this summer. This new release will build on the work we did in Windows XP SP2 and (among other things) go further to defend users from phishing as well as deceptive or malicious software.

Why? Because we listened to customers, analysts, and business partners. We heard a clear message: “Yes, XP SP2 makes the situation better. We want more, sooner. We want security on top of the compatibility and extensibility IE gives us, and we want it on XP. Microsoft, show us your commitment.”

I think of today’s announcement as a clear statement back to our customers: “Hey, Microsoft heard you. We’re committing.”

The only thing that I'd still like to know myself is whether IE7 will bring with it improved support for open standards such as CSS, XHTML, PNG, SVG, MathML, &c in addition to improved security. And it looks like I'm not the only one either, based on a quick scan of the first ten or fifteen comments to Dean's post. I think I'll have to skim through them (there are 354 as of 4:47pm PST) to see if Dean or anyone else on the IE team has responded to the queries from my "creative" kith and kin.

More Tips and Tricks for the LUA User

2005-02-15T05:19:00Z

Aaron Margosis has just posted four more columns with LUA Tips and Tricks on his "Non-Admin Blog":

Check 'em out. :-)

Geo-Blog - Where Blogs Meet Maps and Location

2005-02-08T03:20:00Z

At BlogMap you can geo-code your blog by entering a primary city, zip/postal code, country and your blog feed URL. Then you can link to your own BlogMap or display it as an inline image (you should be able to see a blog map for this blog just to the right of this paragraph) using a fairly simple URL!

Very cool, if you ask me. :-)

[edit: link correction, plus added break to clear past right float image]

A New Wiki for the LUA / Non-Admin community

2005-02-04T20:59:00Z

Well, isn't this nice. The "least-privileged user" concept with Windows is slowly picking up speed and getting ready to take off - come check out the new Non-Admin Wiki that was just launched by Jonathan Hardwick.

(Wiki's are great - now those of us who champion the principle of Least-Privlege on Windows can get our collective wisdom into one place and give others a place to find out what to do and how to become a true "LUA Believer". Soon everyone will be doing it - so why not jump in now so you can claim to be one of the first, the proud, the NON-ADMINS!)

[edit: added a link to Jonathan's Blog]

--
Jenni A. M. Merrifield == strawberryJAMM

Now playing: "New Trees at Knockaun" by "Triona Ní Dhomhnaill" in Windows Media Player 10.

Least-Privileged Users, Add/Remove Programs and System Management Server

2005-01-26T01:58:00Z

I just found out something very interesting related to Least-Privileged User Accounts and software installations that are pushed out to enterprise employees using Systems Management Server (SMS), where they show up in the "Add New Programs" view of the Add/Remove Programs (ARP) control panel applet. It turns out that, for any installation published in this manner, the installing user doesn't have to be an Admin to successfully install the application. Anything that appears in this list will successfully install even if the installing user is running as LUA!

Personally, I couldn't believe this was true when I first heard it, so I had to immediately open ARP while running as LUA, click on "Add New Programs" and look for something that Microsoft's IT Group pushed out that I didn't already have installed ("WinZip 7.0" in my case). Lo' and behold, the installation worked without a hitch!

What an improvement to the user experience - previously, I've used MakeMeAdmin and then launched ARP from the cmd window (type "appwiz.cpl" and hit enter). This opened ARP with an ADMIN token under my credentials, thereby allowing me to see the published applications (launching it using runas /u:localadmin didn't work because the localadmin doesn't have rights to see what is published on the MSFT corpnet!). But now -- now I can install the applications without being an admin, so I can just open ARP, select "Add New Applications" and voilà!

Apparently the argument for this behaviour is that since everything published using SMS has been explicitly approved for use in the company by the enterprise' IT department, LUA users should be allowed to install them. That makes sense and, besides, anything that improves the LUA experience is fine by me. ;-)

Edit:

A colleague on an internal discussion list for Non-Admins, has brought to my attention that there is more than one way to populate the Add/Remove Programs interface, and not all of them support elevated privilege installs. However what I say above is still correct in that anything published through SMS does support them.