 Cool. So, hi. Welcome. I'm David Wehriter. This is the talk that I'm doing. It's called Alice and Bob or Sightless Confused, just to kind of go up with the kind of biography, like, who is this? So, I'm Digital Security Fellow of Freedom Press Foundation. I also organize scripted parties in New York City and Phoenix. A lot of the kind of experiences that I've had with, like, user frustrations and things come from, like, kind of the front lines of, like, showing people how to, quote, unquote, use Signal, use Tor. And then before that, I come from kind of a weird mix of a developer and design background and working in an AI lab that did mostly data visualization for really complicated things. There's my Twitter. It's mostly just me yelling at the f-train nonstop. And then this is actually SQL. So, this is a talk, like, the continuation of a talk that I did in 2015. So, let's talk about that. So, 25, 24 months ago, actually 24 months ago, I did a talk on kind of usability privacy and just, like, these are the issues that people ran into at crypto parties and here's some suggestions on, like, what to do based on things like human interface guidelines, which are kind of the rules that different platforms have for, like, making things feel more like the platform that they were designed for among other kind of design concepts. So, these, I'm just gonna, like, recap kind of, like, the very, like, the very kind of cliff notes just of what that talk was about. The new Mac interface guidelines that are online leave out all the UX fundamentals. So, they'll just be, like, you know, put an arrow here instead of a hamburger menu or whatever. But if you find this, like, really old 1983 copy of the Mac interface guidelines, it goes through kind of the baseline fundamentals of user experience, which apply to, like, everything. This is kind of at the forefront of, like, people doing things with, like, graphical user interfaces before, of course, it was a command line at the beginning. And this is, like, kind of the way to, like, deal with user interfaces that are based inside screens. And so, just kind of the recap of what that basically talks about if you don't want to spend, like, $4 at a used bookstore on it. So, there's these concepts that we think about in UX, modelessness. So, the idea of, like, having to depend on human memory to remember what state you can do certain things in versus others, this is a lot of, like, a lot of Emacs people are, like, this is why you don't like them, because you have to remember what state you're in, whether you're in write or whether you're, like, in a command entry mode. And the problem that is kind of specific to a lot of cryptography software is usually kind of, like, bolted on top of some other insecure protocol. This is especially the case of, like, PGP, for example, where it's, like, people generally, not generally, but, like, some people use it for email. So, in this case, email is just not designed to be, by modern standards, a secure protocol. And you have to remember to, like, do things in a certain way to have it be in it and encrypted. But there's, like, an unsecure mode and a secure mode that gets, like, mentally modeled on top of that. And having to remember that is a problem. Perceive stability. So, this is, like, the idea of the UI kind of reflecting what's actually going on behind the scenes. Mostly, a lot of the points that it was making in 1993 were mostly about, like, making sure that if something is working really well behind the background that the front end reflects that, so that people don't automatically assume that, like, you know, oh no, there's an error. That, because in, especially in, like, security software, a lot of users' assumption won't be, like, you know, computers are garbage, code is garbage, nobody did tests on it, but mostly, oh no, something went wrong, I must have been hacked. So, you really don't want to, like, cause anxiety, you don't want to freak users out. Another book that I recommend actually kind of speaking on anxiety and design is called, oh yeah, sorry. Another book that is not mentioned, aside, thank you, from, aside from the fact that, aside from the original Mac Hig, is also, I think, a list apart, publishes something called the Designing for Motion, which is another good book, which is really good, how are they recommended. Mostly talks about web design, but kind of applies to a lot of other applications as well. So, we have user testing, and that is basically exactly what it sounds like. In this case, like, what you make will make sense to you, because you built it, if you're a developer, for example, but you want to put it in front of people that are not like you, in a sense, to, like, see how they use it, to see whether the same assumptions that you have about how this works are the same assumptions that they have. And that is why user testing is super important. This is actually pretty well established, as far as, like, the methodologies for this. Katie and Smith did a talk, I think, two hopes ago about user testing that I recommend checking out. Metaphors, it's also just, like, as far as, like, describing what a thing does, like, having a analog kind of equivalent of that to compare it to is a good way for people to understand what it is. So, you know, you have, like, your notepad, for example, this is like you write down notes in, or text, or whatever. And that is a common, like, thing that gets used a lot. And I'm just going to move this mic around. So, there's user testing, metaphors. The problem is that, like, in cryptography, like, public key for cryptography is weird, and it's hard to describe. And, you know, back in the day, we had keys and crypto keys, and a public key is like cryptography key, but it really works more like a lock with private key as a key. So, it's one of those things where we have to think about, like, metaphors that make sense to really describe the function of what different things within a system do. And then there's Key Lesson from 2015. So, this is also from my own talk of just, like, things that were not covered in 1993, but, like, the idea of undoing, for example, we usually want to have, like, in software development a way to do that really easily. But in cryptography, like, as far as, like, privacy has some technology goes, like, for example, if you're in the old version in Elm Below, if you start typing a message, you go and encrypt it. But too late, it's already saved this draft in your Google draft. So, it's one of those things that, like, it's harder to pull off in more of a challenge, more of a design challenge than it would be in other apps. There's also the idea of just, like, you have too many tools and too many things and moving parts that a user has to manually deal with. So, in, like, crypto parties, for example, you will have to go through, like, oh, well, if you want to, like, say you want to do the standard kind of cross-platform setup of Thunderbird and Nygmel, GPG tools, or GPG for win. Like, you're installing three different things, you're doing, you're downloading three different things, you're doing checksums on three different things, looking for checksums, researching how you actually use checksums, because literally no place that offers a download for these things actually mentions how to use them. And then going from there as far as, like, making sure that everything is installed correctly and knowing what order to install things in. There's also just kind of a, there's probably a better name for this, like, more experienced designers have. Those are the idea of false hope, or it's like, I'm going to do a thing, I'm going to do a thing, oh, by the way, I can't do a thing. Like, at the very last step of this long process that I've just gone through, it realized that this is actually impossible. This is a problem with, like, the UBQ support and, like, the GP, for example, where, like, the way it reads the card, like, if you start typing a track... Okay, cool. I am going to have it right in front of my face. Does that work for everybody? It's noticeably better, I can tell. Thank you. Cool. And honestly, like, up until this point, this was basically my talk from 2015, so you didn't miss out on anything new yet. All right, so, uh, yeah, let users know. So GPT tools is kind of a choice for this. There's, like, a specific thing where, like, I'll start writing a thing, a Thunderbird, but then I plug in my UBQ, and then it's like, oh, I don't recognize it. You haven't entered your pen, but it is imprompt for it because it only looks for that at the point before the mel client is opened when the, like, GPT daemon in the background runs it. And, like, it's like, oh, okay, here it is. So you literally have to, like, put your laptop to sleep, and then in Mac OS X, it'll basically re-kick in the GPT background process and be like, okay, now you can prompt, get prompted for your key. Uh, so that's what the, like, the concept for false hope. And the other thing is also just, like, the internet is for, like, garbage documentation. So, like, even if you, like, describe everything absolutely perfectly to your users or your audience or whoever it be, somebody on the internet will explain it really poorly, confuse them, and cause more of a problem. So you have to anticipate, like, what other people are using to describe things in order to explain why they're, they're either wrong or why that might be confusing to explain it that way. Alright, so we kind of, in 2015, talked about a few different examples, uh, privacy enhancing technology and, like, some of the problems and then kind of some of the progress, some of them they had. So we're going to talk a little bit about that. Uh, we're, we're not going to talk about Pigeon, though. It's Pigeon's a little busy surfing right now. And, uh, there hasn't been one progress on that front, neither has there really been on Thunderbirds, it's still kind of EOL and they're not doing anything but bug fixes at this point. Uh, so we'll just, like, skip right over those. So going back into what I mentioned about modality of, like, thinking about, like, an insecure versus a secure mode and what that means, uh, I kind of cited Chrome as a good example of this, where it was like, well, here's incognito, here's, like, within this window, within this frame, which is, like, differentiated from the way the other, like, insecure modes work. This is the way, like, it gives you just, like, the briefest amount of information, but it's not in your way, so you're not, like, clicking the X buttons or OK buttons, so, like, make something stop. It's there if you need it and then it's not in the way if you don't. Uh, different browsers, like, they've improved, they, like, made it even more obvious that, like, this is different than the other windows, uh, which is cool. And it's, like, one of those things where I think the Chrome team's been doing a lot of user testing around that, to see, like, how people make avoid mistakes of, like, accidentally, um, doing embarrassing searches on their non-secure incognito modes. Uh, other browsers, of course, have this, um, the, there's a bit of a problem, though, that was kind of discovered recently due to user testing, uh, which was unsc, basically discovered from this from a DuckDuckGo study, is that a lot of people don't actually know what private mode does. So, like, people can tell when they're in private mode or not, but as far as, like, the mental models people have, the assumptions that people make around these things, they're not super well described, although, you know, there is a blurb of text explaining what it is, but it turns out, like, paragraphs of texts that are kind of in the background maybe aren't necessarily the best way to warn people about stuff or, like, really explain easily and quickly concepts like that. Uh, but they're working on it, and I think this is actually, like, this seems like the tiniest, most insignificant change, um, but just looking at what it does, like, say, like, yes and no, as far as, like, does this protect from my ISP? Does it protect from, like, other people using my computer? Like, kind of having a more, like, threat model in media, like, real world application of just not being, like, talking about cookies specifically, but just, like, you know, your little brother can see what you're looking for or, like, uh, your government can see what you're looking for, etc. I think this could be applied in a few other places, um, and I would love to see that kind of proliferate in more places where you have, kind of, an insecure and a differentiation between insecure and secure mode. Cool. So, last time we were here, this is, so this is signal, this is literally copying and paste screenshot from 2015. Uh, there was this idea that I had of just, like, well, this is kind of, just kind of where things got thrown into as far as the settings page goes. And, like, we're all guilty of this as developers. It's just, like, well, we gotta have some stuff. It's, like, I don't know, just throw them in the settings page, whatever, like, leave it alone. Uh, it's improved instead actually a lot. So, the issue with this, for example, two things. One, I hate the word fingerprint because any time I've talked to people that are just new at computers, they immediately think of a fingerprint reader which are actually fairly common in a lot of laptops and smartphones now. And they think it's related to that because they share the same namespace, um, in memory and context. And it also doesn't say what to do with it. This is a problem that I have with, with the way people offer checksums. It's like, there's no instructions on what to do with this, like, weird number that you're seeing. Uh, and that was the kind of case of what it was back then. Uh, the protocols changed so actually the way people would even compare fingerprints is different. Uh, the screen security, there's no explanation what it is. So that was kind of the main issue back then. Now, you have exactly what kind of Apple recommends for, like, explaining things in general. So you have, like, a short thing. It's like, this is when you're switching apps and that's the official name of what it's called in other Apple apps. So they're, you know what app switcher means. Is kind of there, there's, um, other explanations for new features that didn't quite exist back then. Uh, you also have block functionality which is really important. I think unfortunately there's a lot of focus that we tend to have in information security on, like, the most, you know, making sure that we do things on the crypto side and on the math side really well but maybe not thinking about a lot of the other attack vectors or, like, issues of what attack means. In this case, like, what if it actually means that, like, your creepy x will not subs into you, like, you know, uh, creepy texts, for example. So this kind of takes care of that. It took a while for that to roll out. Apparently there's been some iOS issues that have made that a little bit harder than it sounds but, um, but this is one of those things that I think you really want to have implemented as far as, and this is why people do user testing because this is a concern that gets brought up in addition to, like, I really don't want to share my phone number. Like, it's another thing but, like, that's kind of baked into the way this works. So that's, there's no changing that unfortunately. Um, kind of similar thing. So this is, like, kind of what you do with fingerprints now where it has an entire kind of screen that's dedicated to, like, a process of what you do. So, like, here it shows you the state of where it is, which before you had to remember, you had to, like, you had to, like, basically throw this into human memory to be, did I already verify this person, did I not? In the early days the signal there weren't that many users so it wasn't really seen as a problem, probably. But as we have more and more people on signal, that's, like, more spaces in your, like, meaty, like neural network to, like, save, um, basically to say, like, I already verified person. I didn't verify this person. Did I verify this person? Maybe I did before I got my new phone. So there's only things that have to be thought about, uh, modes as far as, like, you know, now you can do this one feature and this is what that screen is for. Uh, and it also says why. So it kind of gives you an idea of what that is. Uh, it has a few different options so you have the easy option but you can actually see the full fingerprint by yourself so you can have some other means outside of the way it was designed for to compare by other out-of-band verification processes. Uh, and there's a learn more thing, which I'm really a fan of. So people that want to learn more can learn more. Uh, outside of that though, there's been some new issues. Uh, we have, um, kind of going back to the assumptions people make of, like, how things work. Uh, does anybody remember path for, like, kind of the weird, like, people threw a shit ton of money at it? They were like, it's the next Facebook. Uh, basically the idea behind that was there was a big controversy about it essentially, like, uploading all your contacts and then, like, keeping them on their servers. So when people hear about, you know, something on their side is able to see that in friends with somebody on their side, the mental model people have and assume is that, like, stuff is on the server because that's the way it works for their email, that's the way it works for social media, that's the way it works for, like, a lot of other things. And they're not going to necessarily understand, like, well, we did a hash on a thing and then we did another thing and that's how the server doesn't know what's going on. Uh, and this is hard to explain because it's a very, you know, there's a lot of unique security processes. But I think having, so this is Threema, they kind of do that as far as, like, explanations go of, like, what's going on, this is why we can see who else is on Threema while still, like, not giving away or keeping your, like, phone number or contact or email address or whatever identifier they use. Uh, and you get to the screen via, uh, this is like an ID, via these, like, little more information icons, which are pretty common in a lot of mobile labs, so, uh, it's, I'm a fan of them. Uh, because some people, like, for them it might not matter very much, but for anybody that really wants to know what's going on behind the scenes, I think they should. Uh, and this is, like, an easy way to present that without having, you know, throwing the same thing at absolutely everybody. It's a good way to distinguish that. Uh, cool. Uh, last time we also kind of covered Perio. It's changed pretty radically since then. Uh, the problems with it last time were that it felt a lot like email because of that people had certain assumptions on, like, being able to send a message to a contact without adding them first. Whereas now, it, because the design is so essential, it's basically like Slack or like any other like 800 chat apps that are out there now. Um, people assume that you have to be added to a rumor, that you have to add people so that like, mental model that people have about the way it works kind of is more in line with what people are already used to. Uh, which is great. Uh, oh, something really great about this. The other thing that I mentioned last time is, like, Perio would be one of those things where, like, it's, it would be tricky to use your tests for because of the fact that you're dealing with the enforcement of a really long pass raise that's dedicated normally to human memory. And when user testing is done, normally, these are like really short sessions. But in this case, like, if you want to test, like, the strength of forcing somebody to use the long pass and whether they will actually remember it, that has to be done a little bit differently where you have to, like, test over time over a series of weeks, over a series of months to make sure that they still can. Um, in personal experience at CryptoParty is that digital security trainings, like, people did forget these a lot because it is a long list of weird words. Uh, and there was a pin that people could use to log in so they would never have to remember it, but then if they changed computers or did something else and they would, like, oh, no, I have to remember my long pass raise again. And they don't. It's a con misconception that, like, if you use words, they'll be memorable. That's not always the case. So what they did was they actually, like, kind of saw the same behaviors in their own user testing eventually. And they created a new word list. So rather than using kind of the common word lists that are out there for different languages, the way they created a word list that was actually memorable was they would look at, like, the way more people have, like, written language thrown at them. So going into the fact that, like, a lot of humanity is in, like, super into, uh, reading or at least, like, hardcore, like, heavy book reading, like, what is, what do a lot of people watch is movies. So what if we just took the subtitles for movies and created word lists out of that for each language? So it's basically what they did. So we end up with, like, very common words that people recognize and know, uh, and, you know, maybe has less, you know, there's a bigger set of words so it's, like, fewer amount of combinations. But even doing things like requiring an extra word of more common words can help mitigate that. So there's, like, kind of weird different ways of approaching things, uh, that has an effect on stuff. So, uh, the other thing, uh, that is something to test about that is a little bit different than other testing situations is testing for worst case scenarios. So in this case, have any, are any of you from the Northeast Corridor, the, like, Excella part of the country, like Boston, New York, Washington? Okay, you know my feels then. Uh, have any of you use the, like, garbage Amtrak Wi-Fi? Okay, yeah, okay, yes, somebody, somebody will get this. The, uh, so Amtrak, uh, you know, it's, it's what we used to get around the East Coast, but there's free Wi-Fi. It's, uh, it's very slow and intermittent and it drops a lot. So there's a lot, there's a very, like, kind of situation that I think, and this is a known issue where you'll see people tweeting about it constantly. It's like, what is the Amtrak Wi-Fi suck? Uh, and you have to, like, keep that in mind when you're testing things that depend on the internet, for example, or even, uh, whether, certain aspects of a network or block, like, tour. Uh, so this is only to share. This is an older version, um, and this is, uh, an example, real world, from the real world, of, like, me sharing something with somebody on a broadband internet connection somewhere else in the world. Uh, but I'm running as a server, so I'm running this, like, you know, desktop app and when I first did this, like, the Wi-Fi was fine, the internet was fine, it was, like, paying things, I had an IP address, it was all good. But then, of course, the Wi-Fi dropped halfway between, like, Maryland and Delaware, and it doesn't reflect that. It basically just has the same, like, green, like, everything's fine, it's working. Um, and of course, it's not, and so there's this, like, back and forth outside of that band of, like, what's going on, there's a lot of confusion, and that's the kind of thing you want to avoid. Um, some apps do this better than others, some will have, like, an offline messaging thing that would be like, you seem to be offline, so there's, like, a process behind the scenes that will just check to see whether it can connect to the internet, usually by pinging whatever API server it's connecting to behind the scenes. In this case, there's no API server, but there's, like, other things that you can check to see, like, do I have internet? Uh, the other thing in this case, which is unique Tony and Sharers, like, do I have Tor, because there's some networks that block Tor, and being able to know that the reason why this doesn't work is because Tor is blocked is something that you want to let users know, so they're not guessing. Um, so, that's something to keep in mind. Different ways do this, like this as well. Uh, but yeah, this is what kind of the other side looks like, and then this is what life on the, on the northeast regional is like. And, uh, yeah, oh, that's the image I was trying to share. This is very important. I was very sad I wasn't able to share this, but there are a lot of improvements being done, so just, like, as I'm critiquing these things, like, know behind the scenes that they all are improving, basically. Uh, this is the kind of design issue on that, uh, which brings me to another point of, um, how I've been able to kind of approach design issues with different projects. A lot of commercial projects will have kind of a full set of, well, not a lot, some will have a full set of teams made up of like a product designer, uh, you know, a product manager, a QA team, uh, other folks, a security person, like, with a lot of this stuff, it's kind of open source software, it's very scrappy, it starts off with a really small team and, you know, they're not hiring anybody, so, there's no dedicated designers so like, how do people get better at these things? Um, and some people have, like, strive to just, like, make design of focus of theirs, uh, and I'm gonna talk about one example of that. So in this case, uh, Tails, which is the, uh, incognito live, like that live Linux system that has tour baked into it, it's something that we worked on a workshop on, uh, workshop on every new press foundation last year, uh, with a bunch of folks that were not from the tech world of the law, they, AstroNoise at the Whitney Museum. So, basically, there were, there were a few issues that we ran into, um, I wrote them down and I, basically just submitted it up to a bug tracker as if it were like, you know, a software bug, a code bug, basically. Uh, there's some things that are, that are kind of, would work, that are kind of important things to think about when developing other software, so, when you're creating documentation, you don't necessarily see right away that it's, um, not inside the window or of the window or necessarily see that like, oh, the window dressing on this screenshot is different than the one on my desktop. These things are not always caught right away, so we did something where like, we noticed that in the instructions to use a live USB writer for windows, for example, people were like clicking on the webpage screenshot of what it was because it was the exact kind of size dimensions of what the actual thing would be. So don't do that, basically make it smaller. That was an easy fix. Um, naming things counts because people have different meanings for different words, so every Linux distribution has kind of a default mode that fell safe mode. Uh, so for all of us coming from the Linux world, which you saw my Linux desktop, it made sense to me, everybody else did not know what exactly that meant, so, people saw this because of they were using as a means of like safety as far as privacy and what they associated with that, they assumed that that was a default mode, that there was an insecure mode, like there was in PGP with like, unencryp that email unencrypted email and they had to like, go down one level to fail safe to get into like the secure or torrified mode. So that's something that we changed by easily by renaming it. So, uh, so if you boot tells now, you just see the regular default mode and then you see a troubleshooting mode so they know the reason why they would ever want to choose that option and like what action there is to do there. So it's very explicit and we deliberate on like what language to use based on what Microsoft and Apple were using for meaning the same things. Uh, because we really want to like use language that is familiar in different situations in different contexts. So like people use troubleshoot to talk about other tech troubleshooting problems. So that's basically what we ended up laying on that. The other thing too is just like making the documentation on available offline. So back in this was early 2016, um, there's a link to how documentation which is what you go to if you want to like learn how something works. But what if the reason you're going to the documentation is because you're having trouble connecting to the internet. If your docs are online, you're not going to be able to read them. So in this case, you're booting a live system. So why not just have them offline and have them live in there? So that's what they did and that works so people are able to like read up on what to do if they can't connect to the internet. What could be the problems? Maybe their Wi-Fi chip isn't working but it's that way they can actually read the docs to see what the problem is. Um, some things can't be fixed. So this is some Apple bullshit where if you have a live Linux USB drive, it'll just show up as Windows because it just assumes that operating systems are just like there's macOS 10 and I guess Windows and that's it. So that's something that we can't fix a confusion for unfortunately, at least for Mac users. And so with Intel's you have the option of creating a persistent storage like basically just like a looks partition. This is one of those things where like people don't necessarily know that they would have to reboot to be able to like start saving things there and have them stay and then persist there. So just like having a note of that within the like you know the wizard that they set up for creating a persistent volume is helpful but I think it should go a little bit further. I think it actually should just have like a immediate button to just reboot right away because that should be the next action so they don't commit that to human memory and depend on human memory to remember that they haven't rebooted yet to do that. Just to make it that much easier. So this is a new thing. Like I just not really a lot of people that I know that report design bugs. There's not a lot of designers in open source in general which is a problem and I think that's more of a a kind of difference in like the kind of experiences that people have as design and what they associate with free or volunteer work versus what we do as developers when we like work on open source where like if we're working on open source it's kind of just community and we're just working on a project together or as design like the neural network of a designer and developer will be like basically trained on different datasets where you have like experiences of like voluntarily working with other people and then the designer kind of dataset where it's like oh remember when you did that work for free it's because that asshole like ripped you off and like no lawyer will let you take him to small small claims court because it was like too small to be to be worth their time. So people have different expectations on what that means so it's one of those things that like yeah be great if more designers were like just start working on stuff on open source but for now this is kind of the closest way of like ask designers to participate because it's worked out for me pretty well as far as with tails with signal with period it's just basically just adding something that are above tracker and being like this is the current behavior this is the what we want the behavior to be these are some design suggestions this is the reference to like what I'm like backing up this assumption with based on the human interface guidelines of the operating systems that you're targeting here's some screenshots and here's the user stories of people that were confused by it. And there's also the consideration of just like who's actually going to do that. Certain systems for doing that are easier than others for example for doing that on onion for onion share for example that's a github ticket that's super easy to use. Other platforms like the Torre project have their own specific bug tracker and they have you know you of course want to search to see whether this has already been discussed so you're not just like reopen making a duplicate issue and if you have an archive of like you know bugs and bug reports and discussions that adds up over time that's really hard to like really grab especially if like the search functionality of the back bug tracker that you're using is a little bit more of a challenge or time consuming to use. So the bug tracker is something that is also factors into a particular kind of user experience that has to be taken in mind as well. Cool. So yeah and that's it's Queen's Comfort. It's if you're ever in New York for hope or whatever like take the set take the take the end train to Astoria it's like if you'd like grease and butter and waffles this is this is like heaven slash Valhalla love of that it's pretty great. Cool. So that's the kind of a quick wrap up talk I wanted to like create as much time as I could for Q&A. And you know any questions you'd have as far as what people see as far as like using all these tools that we use or any ideas you have on like what makes sense for different projects that you're working on. You have my ear on any design advice. So yeah go set up microphones in the center presumably turned on so cool.