June 04, 2005

What I learned from the IU Phishing experiment

Recently I have been involved in an interesting ethical debate with myself. Here's the background. Two Indiana University (IU) School of Informatics (SoI) Bloomington grad students proposed a phishing study as part of their course work in an SoI class. In essence, the study gathered the names and email contact information for pairs of friends from publicly accessible sites (think friend-of-a-friend (FOAF) sites). The researchers then sent an email to person B spoofing person A's email address. The email asked the recipient to visit a specific site, which required them to enter their username and password. No names were retained and no passwords were collected; the only data collected were counts ("x people were successfully phished"). The research took place over a one-week period, and at the end of the week both the spoofed email addresses and the phished addresses received notification of what had been going on. Then the proverbial doggy-do hit the fan.

I don't have space here to go into all of the arguments why some people thought this research was "unethical." If you want the complete debate, hit the search engines with the terms "phishing" and "Indiana." I will note that several of the pages that turn up on the first page of results are IU University Information Technology Services (UITS) pages that predate this issue and are aimed at preventing successful phishing attacks.

I want to stress that the students involved did apply for, and were granted, Human Subjects approval. That part is massively important and I think underlines that the research is not inherently unethical, though I learned some serious lessons from it. If I were designing a similar study at this point I would do the following:

I think that one of the main things I learned from this study and the fallout after it was completed is that no matter how hard everyone involved tries when considering human subject protections in designing useful research, we all make mistakes. This research was not the mistake; this research is important. However, all of us missed some potential issues that caused excessive concern among some of the participants.

Here is a sampling of the available press on the experiment:

- From the Indiana Daily Student (IDS), Students go 'phishing' for user info: Research technique used to show ease of login, user name theft.

- Also from the IDS, 'Phishing' experiment attracts national debate about ethics of study

For Information Technology watchers around the country, the reaction of IU students to the misleading nature of the study has been a mix of disappointment and sympathy.

Director of IU's Center for Applied Cyber-Security Research Fred Cate said he hopes students can look past the deception.

"I can completely understand why people would be upset about this," Cate said. "When I first heard about this I was like, you've got to be kidding ... but you can't do this type of research and tell people in advance."

Cate, who is also a professor of law, said phishing is the biggest and fastest-growing fraud in the United States and affects those who use the Internet the most, like students on highly wired campuses.

"It seems like (the study is) addressing a real problem," he said.

So it seems. Studies estimate that the normal success rate of identity theft using commercial addresses, such as the auction Web site, eBay, is around 3 percent. But Filippo Menczer, one of the professors who advised Jagatic and Johnson's study, said preliminary results of the IU test show 70 percent of students clicked on the link provided in an e-mail sent by their acquaintances.

It was the Human Subjects Committee's hope that students will learn from being duped by familiar e-mail addresses that convinced it to approve the study earlier this semester.

Professor of Psychology and Chair of the Human Subjects Committee Peter Finn said there were four criteria the committee considered before approving it: whether the risk to subjects of being spoof-attacked was greater than it would be on a day-to-day basis; whether the element of surprise was needed to obtain accurate results; how the lack of prior consent would affect subjects; and lastly, whether subjects would be properly debriefed after being attacked.

"We anticipated that some people may be upset, but there's an awful lot of learning that will go on for everybody," Finn said.

- This link is to the researchers' blog, which was used to gather comments and questions related to the research: Phishing Attacks Using Social Networks

- "Phishing" E-mail Attacks Could Soon Get a Lot Nastier. This article, dated Oct 18, 2004, discusses an SoI professor's concerns about the growth of phishing attacks.

Phishing messages that appear to be sent by such trusted companies as eBay, Citibank and others are currently duping 3 percent of the people who receive them, according to a recent survey by Gartner Inc. Aware of the threat, members of Congress are currently debating passage of the Internet Spyware Prevention Act, which would provide the Justice Department with $10 million to apprehend phishers and other online scam artists.

Jakobsson said preliminary data suggest that savvier, "context-aware" phishing attacks could have success rates as high as 50 percent.

Context-aware attacks, as Jakobsson envisions them, would take advantage of users' unique circumstances or personal relationships.

- And finally, here is the link to the Slashdot story, with some interesting, though often illogical, comments. Check out Phishing for Credit.

I have been a SpoofStick user for some time now. SpoofStick decodes website URLs so that the actual domain of the site you have reached is plainly visible. So if you thought you were on PayPal, responding to an email request for information, with SpoofStick you can see that the real site URL bears no resemblance to PayPal. I'm probably not very likely to get sucked in by phishing emails, though everyone screws up; rather, I use this tool to verify sites when I am clicking through from websites and blog posts. I really recommend the product.
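The check a SpoofStick-style tool makes, as an added example that is not SpoofStick's own code and not part of the original post: given the URL in the address bar, it parses out the host the browser actually connects to and flags the classic decoys, namely a brand name placed in the user-info part before an "@", in a left-hand subdomain label, or in the path, while the registrable domain is something else entirely. The sample URLs and the short brand list are constructed for illustration, and the "last two labels" rule for the registrable domain is an assumed simplification (no public-suffix list), so co.uk-style suffixes are not handled.

```javascript
// Added example: what a SpoofStick-style check does with the URL in the
// address bar. Not SpoofStick's code; the brand list and sample URLs below
// are constructed for illustration.

// Assumption: a short list of brands commonly impersonated in phishing mail.
const KNOWN_BRANDS = ["paypal.com", "ebay.com", "citibank.com"];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns the host the browser really connects to, the registrable domain
// (simplified: last two labels; no public-suffix list), and a list of
// warnings describing decoy tricks found in the URL.
function actualHost(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  const host = u.hostname.toLowerCase();
  const warnings = [];

  // Trick 1: "http://www.paypal.com@evil.example/" -- everything before the
  // '@' is userinfo, not the host, but the address bar shows the whole string.
  if (u.username || u.password) {
    warnings.push(`userinfo "${u.username}" precedes the real host`);
  }

  // Trick 2: a raw IP address hosting a "bank" login page.
  const isIp = IPV4.test(host) || host.startsWith("[");
  if (isIp) warnings.push("host is a raw IP address");

  const registrable = isIp ? host : host.split(".").slice(-2).join(".");

  // Trick 3: the brand name appears in a left-hand subdomain label
  // ("www.paypal.com.secure-login.example"), in the userinfo, or in the path,
  // while the domain actually registered belongs to someone else.
  const decoyText = (u.username + u.pathname + u.search).toLowerCase();
  for (const brand of KNOWN_BRANDS) {
    if (registrable === brand) continue; // genuinely on the brand's domain
    const bare = brand.split(".")[0];
    if (host.includes(bare) || decoyText.includes(bare)) {
      warnings.push(`mentions ${bare} but the registrable domain is ${registrable}`);
    }
  }
  return { ok: true, host, registrable, warnings };
}

// Constructed sample URLs: one legitimate, three decoys.
const SAMPLES = [
  "https://www.paypal.com/cgi-bin/webscr",
  "http://www.paypal.com@evil.example/cgi-bin/webscr",
  "http://www.paypal.com.secure-login.example/login",
  "http://192.168.1.5/paypal/login",
];

// The toolbar line a user would see: the registrable domain, then any warnings.
for (const s of SAMPLES) {
  const r = actualHost(s);
  console.log(`${s}\n  You're on: ${r.registrable}` +
    (r.warnings.length ? `\n  ! ${r.warnings.join("\n  ! ")}` : ""));
}
```

The point of displaying the registrable domain rather than the full URL is that every decoy above leaves the full string looking like PayPal while the last two labels of the real host do not; only the first sample comes back with no warnings.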

Posted by prolurkr at June 4, 2005 11:17 AM
