Dr. Gillian "Gus" Andrews
Dr. Gillian "Gus" Andrews is not the titular honeypot. The honeypot is her email account. Gus's background spans hacking, education, and software usability. Her latest project, Keep Calm and Log On, is a handbook to help everyday people survive the digital revolution without getting trampled, and is available from MIT Press. Over the past five years, Gus has worked to improve everyday users' understanding of digital security through her work at the Open Internet Tools Project, Simply Secure, and ThoughtWorks. She has served as a user experience specialist at ThoughtWorks and at Linden Lab (home of Second Life). Her work on open-source encryption tools has informed policy at the Electronic Frontier Foundation and the U.S. State Department. She is the creator of The Media Show, a YouTube series aimed at teaching digital and media literacy skills using snarky puppets. As a former panelist on the hacker radio show Off The Hook and organizer for the Hackers On Planet Earth conference, she has been engaged with digital rights and privacy issues for close to two decades.
Anatomy of an Accidental Honeypot
Gus owns a couple of Gmail accounts with very generic, common user names. Unfortunately, this means she has ringside seats to some of the worst privacy and security mistakes on the web, as everyone with these names (and everyone they know) sends email to these accounts, thinking the mail will go to the right recipients. It's a common story by now, one that others have written about, but it's an under-recognized human factors problem in security. One of her accounts is a veritable nuclear waste dump of social security numbers, licenses, and bank account information that should never have been sent there.
In this talk, Gus will give an overview of what kinds of documents show up in this account, and who is sending them. In talking to some of the people who have sent these misguided emails, she has learned about the specific kinds of bad habits and mistakes that lead people to send email to this account - in some cases thinking it is their own - and she will share those, along with comparisons to the Internet mistakes she saw in her dissertation research. Gus will discuss the structural problems with email that plague us this way. She will talk about the potential ramifications of accounts like this for phishing schemes and social engineering pretexting, risks that other security researchers have also cited. Gus will describe the successful and unsuccessful interventions she has attempted in order to get people to stop sending email to these accounts, and the weird, serendipitous stories that have come about as she's talked to them (including getting written up in a North Carolina newspaper story about a dying woman she never met).
In the comments period, she will seek input from attendees facing this same problem, and will workshop other potential ways to solve it.