[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Feb 10 08:37:48 EST 2017


James A. Donald <jamesd at echeque.com> writes:

>How would you run a real world user study?

Uhhh... is this a trick question?  Look at any HCI security paper for examples
on how this is done.

>The problem with today's users is that they are trained to be phished,
>because they are trained to enter their passwords into a wide variety of UIs.

Right, that's the real world that your system has to be able to handle.

>To give this a fair test requires an ecosystem of software and services that
>uses the system, and some substantial compulsion and coercion to exclude
>anything outside that ecosystem.

No, it just requires something that's appropriate for evaluating whatever it
is you're testing.  Again, read any HCI paper for examples on how people have
evaluated security mechanisms without having to build a parallel universe to
test them in.

Of course you can, if you want, create a complete "ecosystem of software and
services" etc. to test with, a.k.a. throw it over the wall in the real world.
That's how a lot of security mechanisms are evaluated: companies spend
millions of dollars and years of effort deploying something which is then
discovered not to work once it's put in the field.  This is why you want to
perform the evaluation before you invest all that effort.

(For "security", substitute medicines, automobiles, aircraft, consumer
electronics, whatever you want, it's the same there).

Peter.
