Sauvik Das

ACCessory: password inference using accelerometers on smartphones

We show that accelerometer readings are a powerful side channel that can be used to extract entire sequences of entered text on a smart-phone touchscreen keyboard. This possibility is a concern for two main reasons. First, unauthorized access to ones keystrokes is a serious invasion of privacy as consumers increasingly use smartphones for sensitive transactions. Second, unlike many other sensors found on smartphones, the accelerometer does not require special privileges to access on current smartphone OSes. We show that accelerometer measurements can be used to extract 6-character passwords in as few as 4.5 trials (median).

The post that wasn't: exploring self-censorship on facebook

Social networking site users must decide what content to share and with whom. Many social networks, including Facebook, provide tools that allow users to selectively share content or block people from viewing content. However, sometimes instead of targeting a particular audience, users will self-censor, or choose not to share. We report the results from an 18-participant user study designed to explore self-censorship behavior as well as the subset of unshared content participants would have potentially shared if they could have specifically targeted desired audiences. We asked participants to report all content they thought about sharing but decided not to share on Facebook and interviewed participants about why they made sharing decisions and with whom they would have liked to have shared or not shared. Participants reported that they would have shared approximately half the unshared content if they had been able to exactly target their desired audiences.

Toward supporting stories with procedurally generated game worlds

Computer role playing games engage players through interleaved story and open-ended game play. We present an approach to procedurally generating, rendering, and making playable novel games based on a priori unknown story structures. These stories may be authored by humans or by computational story generation systems. Our approach couples player, designer, and algorithm to generate a novel game using preferences for game play style, general design aesthetics, and a novel story structure. Our approach is implemented in Game Forge, a system that uses search-based optimization to find and render a novel game world configuration that supports a sequence of plot points plus play style preferences. Additionally, Game Forge supports execution of the game through reactive control of game world logic and non-player character behavior.

Exploring capturable everyday memory for autobiographical authentication

We explore how well the intersection between our own everyday memories and those captured by our smartphones can be used for what we call autobiographical authentication-a challenge-response authentication system that queries users about day-to-day experiences. Through three studies-two on MTurk and one field study-we found that users are good, but make systematic errors at answering autobiographical questions. Using Bayesian modeling to account for these systematic response errors, we derived a formula for computing a confidence rating that the attempting authenticator is the user from a sequence of question-answer responses. We tested our formula against five simulated adversaries based on plausible real-life counterparts. Our simulations indicate that our model of autobiographical authentication generally performs well in assigning high confidence estimates to the user and low confidence estimates to impersonating adversaries.

Thumprint: Socially-Inclusive Local Group Authentication Through Shared Secret Knocks

Small, local groups who share protected resources (e.g., families, work teams, student organizations) have unmet authentication needs. For these groups, existing authentication strategies either create unnecessary social divisions (e.g., biometrics), do not identify individuals (e.g., shared passwords), do not equitably distribute security responsibility (e.g., individual passwords), or make it difficult to share or revoke access (e.g., physical keys). To explore an alternative, we designed Thumprint: inclusive group authentication with a shared secret knock. All group members share one secret knock, but individual expressions of the secret are discernible. We evaluated the usability and security of our concept through two user studies with 30 participants. Our results suggest that (1) individuals who enter the same shared thumprint are distinguishable from one another, (2) that people can enter thumprints consistently over time, and (3) that thumprints are resilient to casual adversaries.

Evolving the Ecosystem of Personal Behavioral Data

Everyday, people generate lots of personal data. Driven by the increasing use of online services and widespread adoption of smartphones (owned by 68% of U.S. residents; Anderson, 2015), personal data take many forms, including communications (e.g., e-mail, SMS, Facebook), plans and coordination (e.g., calendars, TripIt, to-do lists), entertainment consumption (e.g., YouTube, Spotify, Netflix), finances (e.g., banking, Amazon, eBay), activities (e.g., steps, runs, check-ins), and even health care (e.g., doctor visits, medications, heart rate). Collectively, these data provide a highly detailed description of an individual. Personal data afford the opportunity for many new kinds of applications that might improve people’s lives through deep personalization, tools to manage personal well-being, and services that support identity construction. However, developers currently encounter challenges working with personal data due to its fragmentation across services. This article evaluates the landscape of personal data, including the systemic forces that created current fragmented collections of data and the process required for integrating data from across services into an application. It details challenges the fragmented ecosystem imposes. Finally, it contributes Phenom, an experimental system that addresses these challenges, making it easier to develop applications that access personal data and providing users with greater control over how their data are used.

Epistenet: facilitating programmatic access & processing of semantically related mobile personal data

Effective use of personal data is a core utility of modern smartphones. On Android, several challenges make developing compelling personal data applications difficult. First, personal data is stored in isolated silos. Thus, relationships between data from different providers are missing, data must be queried by source of origin rather than meaning and the persistence of different types of data differ greatly. Second, interfaces to these data are inconsistent and complex. In turn, developers are forced to interleave SQL with Java boilerplate, resulting in error-prone code that does not generalize. Our solution is Epistenet: a toolkit that (1) unifies the storage and treatment of mobile personal data; (2) preserves relationships between disparate data; (3) allows for expressive queries based on the meaning of data rather than its source of origin (e.g., one can query for all communications with John while at the park); and, (4) provides a simple, native query interface to facilitate development.

Examining Game World Topology Personalization

We present an exploratory analysis of the effects of game world topologies on self-reported player experience in Computer Role Playing Games (CRPGs). We find that (a) players are more engaged in game worlds that better match their self-reported preferences; and (b) player preferences for game topology can be predicted based on their in-game behavior. We further describe how in-game behavioral features that correlate to preferences can be used to control procedural content generation algorithms.