Kevin Schofield's Weblog
Musings on life, kids, work, the Internet, Microsoft, politics, orcas, etc.





  Tuesday, April 25, 2006

I guess we shouldn't be surprised at this point, but Bush just threw another freebie to his buddies in the oil industry. He just temporarily suspended the environmental rules on gasoline production, to try to make it easier to increase production.

Of course, it's not at all clear that the high gas prices actually have anything to do with restrictions on production. In fact, there was a study last week that showed that the profit margins of the major oil companies have shot up. By making it cheaper (and dirtier) to make gasoline, Bush has allowed the retail price of gasoline to drift lower while maintaining the oil companies' outrageous margins.

10:28:27 PM

I'm in the CHI papers session on Security.

The first paper is "Why phishing works."  Interesting point: both security designers and phishers use user interface techniques to accomplish their goals. Three basic categories of reasons why phishing works:

  • lack of knowledge (e.g. about URLs, security indicators)
  • visual deception (e.g. "vv" instead of "w", overlaying windows, embedding a fake address and status bar in the page)
  • bounded attention (i.e. inattention to security indicators)

In their study of whether people can correctly identify real and phishing sites, participant knowledge and use of security indicators was the best indicator of success in correctly identifying the sites. Though in walking through the examples, the reasons why people made mistakes were all over the place.

Interesting suggestion: that product teams "spoof" their own design in the testing of their web sites, to see how easy it is to convincingly phish your site.

Another interesting design point: address bar prints the URL in small type that's hard to read; can you re-size the text to make it bigger and more readable?

Second paper: Secrecy, Flagging and Paranoia: Adoption Criteria in encrypted E-mail. There is an argument that people should encrypt all of their email. Conventional wisdom is that people don't encrypt email because it's too hard. Their user study showed that in fact people often don't encrypt email because there is a social meaning (in fact, a negative stigma) associated with encryption that they don't want to convey. People will use it for financial information, and for protecting secret planning information. But recipients think that if it's encrypted it must be important -- so encrypting all email would send the wrong message (no pun intended). This was a pretty limited study and it's unclear how much it can be generalized, but it's an interesting thought.

Third paper:  Do Security Toolbars Actually Prevent Phishing Attacks? There are many browser toolbars that try to help identify phishing sites. The categories of toolbars:

  • neutral info: domain name, date registered, country registered
  • System-decision: propose whether the site is OK or potentially fraudulent
  • SSL-verification: presents a logo if it's a verified site.

Recurring point: security is almost never the user's primary task and we don't want to make it the primary task, but we do want the user to be motivated and engaged to make good decisions. Their results are that security toolbars are not as effective as one would hope in preventing phishing attacks. The study reinforces the notion that users don't understand or know how to parse URLs. Interestingly, anecdotal comments suggest that false positives in spam filters cause people to expect anti-phishing toolbars to be wrong some percentage of the time. In other words: often the phishing web site looks more credible than the toolbar. Also, since security is a separate, secondary task, people's desire and focus on getting the primary task done overrides the focus on the secondary task. This is a bizarre dilemma: we don't want to make security the primary task, but then users will often override security in favor of the primary task and open themselves up to phishing attacks.
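The "vv" for "w" substitution and the URL-parsing difficulty noted above can be checked mechanically by comparing the host a browser will actually contact against a known-good list. This is an added example, not code from the papers or from the original post; the allow-list, the lookalike table and every URL are constructed assumptions.

```javascript
// Added example: every host and URL below is constructed for illustration.
const TRUSTED_HOSTS = ["www.westbank.example"]; // hypothetical allow-list

// Character sequences that render like another letter in many fonts.
// "vv" -> "w" is the case in the notes above; the rest are assumed additions.
const LOOKALIKES = [[/vv/g, "w"], [/rn/g, "m"], [/0/g, "o"], [/1/g, "l"]];

// Collapse a host name to a "skeleton" so visually similar names compare equal.
function skeleton(host) {
  return LOOKALIKES.reduce((h, [re, ch]) => h.replace(re, ch), host.toLowerCase());
}

// Classify a URL by the host that will actually be contacted,
// not by where a trusted name happens to appear in the string.
function classify(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "unparseable", host: null };
  }
  const host = url.hostname.toLowerCase();
  if (trusted.includes(host)) return { verdict: "trusted", host };

  for (const name of trusted) {
    // Same skeleton but different characters: a visual-deception candidate.
    if (skeleton(host) === skeleton(name)) {
      return { verdict: "lookalike", host, imitates: name };
    }
    // Trusted name present only as decoration: userinfo before "@",
    // leading labels of a longer host, or somewhere in the path.
    const decoy =
      url.username.toLowerCase() === name ||
      host.startsWith(name + ".") ||
      url.pathname.toLowerCase().includes(name);
    if (decoy) return { verdict: "decoy", host, imitates: name };
  }
  return { verdict: "unknown", host };
}

const SAMPLES = [ // constructed test inputs
  "https://www.westbank.example/login",
  "https://www.vvestbank.example/login",
  "http://www.westbank.example@203.0.113.9/login",
  "http://www.westbank.example.secure-login.test/",
];
for (const s of SAMPLES) console.log(classify(s).verdict.padEnd(10), s);
```
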



2:53:57 PM

I'm in the CHI panel session on "Managing Deviant Behavior in Online Communities."

The first panelist, from IBM Research, studies intranet online communities and made the point that managers should just "chill out" about extreme behavior on corporate online presences -- there isn't that much downside, there are social corrective measures, and efforts to prevent the use of these systems within a company would be a far greater negative than trying to manage their use well.

The second speaker is an administrator for Slashdot. His big issues:

  • not all misbehavior is the same
  • not all misbehavior is intentional
  • not all misbehavior is bad/harmful
  • deviance is all relative to your perspective. Deviants sometimes think that their critics are the deviants. And sometimes there are good reasons to be a deviant from a society.

The third speaker argues that managing deviant behavior online and offline are essentially the same.

The fourth speaker works with online games, and deals with issues around cheating in games. One difficulty there is how to keep the game open and emergent, encouraging exploration, without encouraging testing boundaries and exploiting rules.

The discussion is centered around some interesting scenarios. The first was from World of Warcraft, where the member of a guild dies (in real life) and the other members of the guild organize an online memorial service. A rival guild notices the public notice of this, shows up in force and slaughters everyone -- to add insult to injury, they videorecord the entire massacre and post it online to flaunt their actions. What should the WoW people do?

The second one: a large mailing list where one person keeps sending irrelevant posts. Talking to the person only causes very short-term relief. What should one do?

The third one: the recurring troll on an online bulletin board system who explicitly tries to get the community stirred up. Is this any different from the second case above?

The fourth example is more of an explicit (online) discussion of who in a community had the privilege/right to define deviancy.


12:52:31 PM

I'm in the CHI 2006 session on Schools of Information, aka "i-schools." The session chair suggests that i-schools focus on information as the central concept vs. computers or computing.

There's no single model for an i-school; some evolved from computer science, some from library science, some are hybrids of several departments. There are about 20 i-schools in North America. They tend to grow up in places where there isn't already an independent School of Computer Science, at least partially as a way to raise the awareness and importance of subfields (like HCI) that tend to get buried in a department of CS that's buried in an engineering school.

If you imagine a triangular "problem space" with information, people and technology at the points, you've mapped out the area of concern for an i-school.

This "i-school movement" raises lots of hard questions:

  • is HCI more central/relevant to i-schools than to Computer Science?
  • will it make HCI even less central to CS?
  • what publications are important for tenure decisions?
  • is research biased toward studies and away from actually creating intellectual property that could be commercialized?
  • over time, will i-schools "silo" to the detriment of interdisciplinary subfields (like HCI)?
  • what's the difference between a "school of information" and a "school of informatics"?
  • within i-schools, is HCI in danger of becoming too diffuse?
  • will i-schools buck the trend of the overall decline of enrollment in CS programs?

This is a very frustrating session. There's a long list of audience members waiting to comment or ask questions, so I'd never make it to the mike before the session ended, but they're asking all the wrong questions.  They're focused on branding, identity, and how to facilitate interdisciplinary work. The right questions to ask are all more basic:

  • what kind of jobs are you preparing people for? (one of the panelists said that he hoped that their graduates would go to work in other i-schools!)
  • have you actually talked to any employers to see if they value what you're offering?
  • How do you "market" i-schools to the rest of academia and to industry?
  • where do researchers in your field publish? (besides CHI)
  • Is it easier or more difficult to get funding for research when you're in an i-school vs. a CS, engineering or other school?
  • will i-schools create anything that will ever get commercialized? (I realize this is in my list above, in a slightly different form)
  • is this really anything more than an attempt to get HCI and interdisciplinary work more respect within the university?
  • What kind of degrees do people get from an i-school, and do they mean anything to anyone? Is the undergraduate degree BS or BA? (similar question for the master's degree)


9:28:48 AM

The plenary session this morning at CHI is an "expert critique" of the XBox 360. Two of the user experience managers for the XBox team are presenting a photographic history of the design process, followed by a panel of experts giving their critique, followed by opening it up to the audience for comments and critique.

I applaud the XBox team for doing this; it's pretty brave to stand up in front of a highly critical set of experts (and an often MS-unfriendly group to boot) and lay it all out.

The expert critiquers are asking mostly slow-pitch questions, which is a little disappointing. But there was one zinger so far: it took one of the experts 90 minutes to set up a new XBox 360, most of that time taken up with reading the EULA.

6:21:12 AM

© Copyright 2006 Kevin Schofield.
Last update: 5/1/2006; 8:59:58 PM.
