Race conditions in security dialogs
I discovered arbitrary code execution holes in Firefox, Internet Explorer, and Opera that involve human reaction time. One version of the attack works like this:
The page contains a captcha displaying the word "only" and asks you to type the word to verify that you are a human. As soon as you type 'n', the site attempts to install software, resulting in a security dialog. When you type 'y' at the end of the word, you trigger the 'Yes' button in the dialog. I made a demo of this attack for Firefox and Mozilla.
Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.
These types of attack work on any security dialog that can be triggered by untrusted content. The attack is most useful in a dialog where one of the buttons means "Yes, let this untrusted content run arbitrary code". Firefox has such a dialog in the form of the extension installation (XPI) dialog. Similarly, Internet Explorer has the ActiveX installation dialog and Opera has an "Open" button for downloaded executables. Programs other than browsers might also be vulnerable.
Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.
Some users have been intentionally lowering the delay to 0 seconds, which frustrates me. These users think the delay was added merely to force everyone to read the dialog. It surprises me that these users were not able to figure out the security hole given the fix. Ironically, advanced users are the most susceptible to these attacks, because they type and double-click faster than they react to unexpected stimuli.
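The following is an added example, not Firefox's code and not part of the original post: a small model of the delayed "Yes"/"Install" button that replays an input timeline and shows why a 3-second delay drops the stray keystroke while a delay of 0 lets it through. The class and function names are hypothetical and the timings are constructed.

```javascript
// Model of a security dialog whose accept button stays disabled for a
// fixed delay after the dialog appears. Names here are hypothetical.
class SecurityDialogGuard {
  constructor(delayMs = 3000) {
    this.delayMs = delayMs;
    this.shownAt = null; // null while no dialog is on screen
  }

  // Call when the dialog becomes visible; this starts the delay.
  show(now) {
    this.shownAt = now;
  }

  // True only once the dialog has been visible for the full delay.
  acceptEnabled(now) {
    return this.shownAt !== null && now - this.shownAt >= this.delayMs;
  }

  // Every click or key press aimed at the accept button goes through here.
  // Input that arrives too early is dropped and the dialog stays open.
  tryAccept(now) {
    if (!this.acceptEnabled(now)) return false;
    this.shownAt = null; // a real accept closes the dialog
    return true;
  }
}

// Replays a timeline of input events against a guard and returns the
// timestamps (ms) at which the install was actually confirmed.
function replay(events, delayMs) {
  const guard = new SecurityDialogGuard(delayMs);
  const accepted = [];
  for (const ev of events) {
    if (ev.hitsAccept && guard.tryAccept(ev.t)) accepted.push(ev.t);
    if (ev.opensDialog && guard.shownAt === null) guard.show(ev.t);
  }
  return accepted;
}

// Constructed timeline for typing "only": the dialog opens on 'n', and
// 'y' is the key that would activate the accept button.
const typingOnly = [
  { t: 0, key: "o" },
  { t: 140, key: "n", opensDialog: true },
  { t: 280, key: "l" },
  { t: 420, key: "y", hitsAccept: true }, // reflexive keystroke
  { t: 3600, key: "y", hitsAccept: true }, // later, deliberate confirmation
];
```

With `replay(typingOnly, 3000)` only the deliberate confirmation at 3600 ms is honoured; with `replay(typingOnly, 0)` the reflexive keystroke at 420 ms confirms the install.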
It might be possible to lower the delay to less than three seconds, making it less annoying, without jeopardizing security. Designing experiments to determine the minimum "safe" delay would be tricky. You would want to do everything an attacker could do to increase participants' reaction time: give them a complicated task, make new rectangles appear every second to make the dialog less unexpected, etc.
It might make sense to make the dialog appear only after the user clicks a statusbar indicator that means "This web site wants to install software". This would get rid of the problem of choosing a delay, and it wouldn't require users who want to install extensions to wait.
Illusory contour in an advertisement
The woman in this clever clothing advertisement is as convincing as the white triangle in the Kanizsa Triangle illusion.
Color-constancy illusion
Michelle, Lauren, and I stumbled on a strong illusion last night. It's similar to the checkerboard illusion but involves color rather than just shades of gray.
The "blue" tiles on top of the left cube and the "yellow" tiles on top of the right cube are actually the same shade of gray.
Articles that talk about this illusion: American Scientist: Why We See What We Do and Discover Magazine: Sensory Reflexes. (The authors of the American Scientist article wrote a book with the same name.)
Berkeley's dilemma (as described by the American Scientist article) reminds me of Quine's Gavagai problem in the acquisition of language. Berkeley's dilemma is that retinal images are inherently ambiguous -- for example, there's no difference in the retinal image created by a large object at medium distance and a small object at a large distance. In the Gavagai problem, an island native points to a rabbit and says "gavagai". Do you interpret "gavagai" as "rabbit", "there goes a rabbit", "white", "animal", "hopping", "it's a nice day", "cute", "lunch", or something else?
Both Berkeley's dilemma and the Gavagai problem are problems of infinite ambiguity. Humans have clever heuristics for dealing with both problems. Examples include color constancy and overestimation of acute angles in visual perception, and the whole-object, taxonomic, and mutual-exclusivity assumptions children use to interpret new nouns.
Synesthesia
My friend Michelle sees English letters and some Chinese characters as having colors. She doesn't like sites about letter-color synesthesia because they always get the colors of the letters wrong.
Illusions
MIT Perceptual Science Group: lightness; interaction between motion and form
Akiyoshi Kitaoka: static images that appear to move
Perception experiment videos
The Visual Cognition Lab at the University of Illinois has some cool videos.
In one set of videos, "Real-world person-change events", an experimenter asks a subject for directions. Two people carrying a door come between the experimenter and the subject. While the door is between them, the experimenter switches with one of the door-carriers. Subjects noticed the person change between 35% and ~100% of the time, depending on whether the experimenter was part of the same social group as the subject.
The "Gradual changes to scenes" videos are fun. Over a period of about 10 seconds, part of an image changes. Unfortunately, video compression artifacts make it easy to see the change if you focus on the correct portion of the image. I wrote Gradual image change in JavaScript with the intent of submitting it to the lab. The JavaScript works by superimposing two images and varying the transparency of the top image in increments of 1%. It works well in IE 6.0, but it's about three times too slow in Mozilla Firebird on my 1.6 GHz computer.