Skip to main content

Making Headlines


iPhone X's facial recognition is cool, but it's not the future of technology - September 29, 2017
Making facial recognition technology mainstream has been a long time coming. And while Apple’s new iPhone X is a positive move towards getting people acquainted with the technology, widespread adoption of the technology itself will require an AI approach that’s more in line with existing cameras and systems.

Is universal end-to-end encrypted email possible (or even desirable)? - September 29, 2017
"People have been talking about getting encryption into email for decades now, and it still hasn't taken off because of the compatibility issue," says Jason Hong, associate professor in the human computer interaction institute at Carnegie Mellon University. Plus, you've got the current installed base working against you. "With email, you have to convince lots of people to upgrade simultaneously," he says. "When email was invented in the 70s, a lot of the encryption techniques weren't known and the CPU powers weren't that great," he says.

Google, Facebook in Senate Hearings A Historic Benchmark - September 28, 2017

In a report on “Who Benefits From Targeted Advertising,” researchers Veronica Marotta of Heinz College and Kaifu Zhang and Alessandro Acquisti from Carnegie Mellon provide the answer that likely doesn’t come as a surprise. It is the intermediary – Google, Facebook and Twitter – that benefit most.

The biggest problems with putting microchips in employees - July 27, 2017
But as Carnegie Mellon’s associate head of engineering and public policy, Lorrie Faith Cranor, explains, other companies may initially say they don’t plan on collecting chip data, but change that policy down the road. “What am I going to do? Go have it removed from me if I don’t like it?” she asked rhetorically. “It is also the sort of thing that has that kind of ick factor,” Cranor said. “I don’t know if I want to implant this, and I don’t know if I want my boss to have that ability to track me.”

Wisconsin Company Offers To Implant Chips In Its Employees - July 25, 2017
32M said that the data on the chip is "encrypted." However, Alessandro Acquisti, a professor of information technology and public policy at Carnegie Mellon University, told that Times that encrypted is "a pretty vague term ... which could include anything from a truly secure product to something that is easily hackable."

CMU hacking team wants to make four in a row at competition - July 24, 2017
"More now than ever, the skills used in this competition are becoming more relevant because cybersecurity is impacting all of our lives," says Tim Becker, a team captain, in a statement provided by CMU. "It's important that people have a place like this to hone their skills. The more we practice, the better prepared we'll be in the real world in dealing with actual cyberattacks."

Facial Recognition Cameras Are Now Watching Your Emotions - May 30, 2017
“Flagging people on a watchlist is a straightforward feature. There already exist surveillance cams (or software that accompanies them) that automatically identify the people who appear on camera,” Carnegie Mellon CyLab researcher Lujo Bauer told Vocativ. “Of course, this requires each person to be recognized to first be enrolled by showing the system a bunch of images of that person.”

Security flaw found in solid-state drive design - May 23, 2017
However, researchers at Carnegie Mellon University have discovered a flaw in SSD design that makes them vulnerable to a particular type of attack that can cause premature failure and data corruption.

How to create stronger passwords by using data-driven feedback - May 18, 2017
"Instead of having a meter say, 'Your password is bad,' we thought it would be useful for the meter to say, 'Here's why it's bad and here's how you could do better,'" says Nicolas Christin, a professor in Carnegie Mellon University's Engineering and Public Policy department in this press release by Daniel Tkacik.

Personal AI Privacy Watchdog Could Help You Regain Control of Your Data - May 11, 2017
Privacy Assistant, a creation of researchers at Carnegie Mellon University, uses machine learning to give users more control over the information that the apps on their Android phones collect. It combines a user’s answers to several questions (for example, “In general, do you feel comfortable with finance apps accessing your location?”) with information it gleans from analyzing the apps on the user’s phone to make specific recommendations about how that person should manage permissions.

You really should know what the Andrew File System is - May 10, 2017
Mahadev "Satya" Satyanarayanan, a Carnegie Mellon University Computer Science professor who was part of the AFS team, answered a handful of my questions via email about the origins of this scalable and secure distributed file system, the significance of it, and where it stands today. Satyanarayanan was recognized by ACM along with John Howard, Michael Leon Kazar, Robert Nasmyth Sidebotham, David Nichols, Sherri Nichols, Alfred Spector and Michael West, who worked as a team via the Information Technology Center partnership between Carnegie Mellon and IBM (the latter of which incidentally funded this ACM prize).

Learn how to set stronger passwords with this new tool - May 8, 2017
Researchers from Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory and the University of Chicago have developed a new password meter that educates people on how they can make their password stronger. The project is open sourceand can be added on to existing services.

Fake football website reveals what makes us become nasty trolls - May 8, 2017
“I find it fascinating,” says Alessandro Acquisti at Carnegie Mellon University in Pittsburgh, Pennsylvania. “To me, this research confirms that there is no single one-size-fits-all relationship between anonymity and human behaviour.”

Data is giving rise to a new economy - May 6, 2017
By now consumers and online giants are locked in an awkward embrace. People do not know how much their data are worth, nor do they really want to deal with the hassle of managing them, says Alessandro Acquisti of Carnegie Mellon University. But they are also showing symptoms of what is called “learned helplessness”: terms and conditions for services are often impenetrable and users have no choice than to accept them (smartphone apps quit immediately if one does not tap on “I agree”).

CMU Researchers Roll Out Machine Learning App to Manage App Privacy Settings - May 5, 2017
CMU’s Personalized Privacy Assistant Project designed Privacy Assistant, which utilizes machine learning to take control of the information that apps on Android devices routinely collect. It works by asking users a few simple questions about their privacy preferences and then recommends specific permissions settings to best meet those needs. 

When Online Pirates Win, Creators And Consumers Lose - May 5, 2017
Indeed, Carnegie Mellon University researchers concluded that “on average, pre-release piracy causes a 19.1% decrease in revenue compared to piracy that occurs post- release.” While Netflix’s business model is different than that of other networks—they debut their shows online all at once as opposed to weekly episodes on cable or broadcast networks—it’s plausible to conclude many consumers who would have subscribed to Netflix may now choose to forego that subscription.

Creating Secure Passwords - May 4, 2017

You’ve probably heard that secure passwords require long strings of random letters and symbols that are nearly impossible to remember. However a study by Carnegie Melon University has shown that unique passphrases with a personal meaning can be just as effective.

Facial Recognition Is Everywhere — But So Are Tools To Defeat It - May 3, 2017
“There’s no approach that ‘just works,’ or anything close to it,” Lujo Bauer, a researcher at Carnegie Mellon University who recently co-authored a paper detailing new methods of defeating facial recognition, told Vocativ.

Updated: 3 things to do now to check up on your data privacy settings - April 26, 2017
There’s an internet adage: “If you’re not paying for the product, then the product is you.” And that applies to Unroll.Me. “You weren’t paying for it directly, but they were figuring out how to monetize your data in some way,” says Jason Hong, an associate professor of computer science at Carnegie Mellon University.

AI-powered cybersecurity bot from Pittsburgh firm lands at Smithsonian - April 20, 2017
Business at ForAllSecure has picked up since the team won the Cyber Grand Challenge. ForAllSecure was founded in 2012 as a Carnegie Mellon University spinoff company. To, of ForAllSecure, said the company has attracted interest from agencies in the federal government, banks and financial institutions and companies that make connected devices to bolster their cybersecurity. 

Brain Hacking May Mitigate Computer Users’ Risky Behavior - April 19, 2017

“There isn’t an easy answer,” Lorrie Cranor, a Carnegie Mellon University professor of computer science, and engineering and public policy, told Bloomberg BNA. One improvement would be making security software “as automatic as possible, so you don’t have to do anything to be protected,” said Cranor, the director of the school’s CyLab Usable Privacy and Security Laboratory. “To the extent that this just works, everybody wins.”

Smart cities can be vulnerable: That Dallas emergency siren hack is a warning of things to come - April 14, 2017
Researchers routinely find vulnerabilities in municipal hardware and software, including with traffic lights and smart parking meters. But some of the biggest concerns lie with what’s referred to as the kinetic hacking of municipal water, power and sewage systems, said Vyas Sekar, a faculty member at CyLab, Carnegie Mellon’s Security and Privacy Institute.

BankThink Race should have no place in fintech lending decisions - April 13, 2017
We have already seen studies from researchers at Harvard and Carnegie Mellon about discriminatory outcomes and search results that algorithms can produce, and it is critical we understand why these outcomes happen and develop effective solutions.

The psychology of privacy in the era of the Internet of Things - March 22, 2017
At the same time, Lorrie Cranor, a professor of computer science and engineering and public policy at Carnegie Mellon University, questions "how voluntary our choices to use Internet-connected computers and mobile phones are in today's society." Applying for most jobs and keeping many jobs -- those that require the use of a company phone and computer -- require online participation, she noted. Even schools increasingly require students to remain connected.

In Cyber, Who Do We Trust to Protect the Business? - March 16, 2017
The NACD Cyber-Risk Oversight Program was launched in concert with Ridge Global —led by former Governor Tom Ridge, first US Secretary of Homeland Security — and the CERT Division of the SEI, a federally-funded research and development center sponsored by the Department of Defense, based at Carnegie Mellon University. The program is a first-of-its-kind online course that goes in-depth on issues such as cybersecurity leadership, effective security structure, and the role of the board. Leaders who complete the course and pass the exam earn the CERT Certificate in Cybersecurity Oversight, issued by Carnegie Mellon.

Passwords suck, but lip-reading computers won't save us - March 15, 2017
Marios Savvides, who directs the CyLab Biometrics Center at Carnegie Mellon University, studies face and iris recognition; he says that at his lab, they can capture information about a person’s iris from nearly 40 feet away. He thinks that one good solution to computer login woes would be to use a strong authentication—using a metric like a fingerprint or iris scan—followed by softer monitoring by, for example, your webcam.

This creepy Facebook stalking app was a hoax—but it should still scare the hell out of you - March 15, 2017

Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University, has published extensively on the use and abuse facial recognition systems—and he says something like Facezam is all too plausible. "While Facezam is a hoax, developing similar tools is, in principle, already possible (we demonstrated the feasibility of mass scale face recognition via social media photos in our 2011 experiment)," he said in an email.  

Did artificial intelligence deny you credit? - March 13, 2017
One way to describe why an automated decision came out the way it did is to identify the factors that were most influential in the decision. How much of a credit denial decision was because the applicant didn’t make enough money, or because he had failed to repay loans in the past? My research group at Carnegie Mellon University, including PhD student Shayak Sen and then-postdoc Yair Zick created a way to measure the relative influence of each factor. We call it the Quantitative Input Influence.

Cyberattack still not fixed - March 7, 2017

That is a real concern, said Rotem Guttman, a cybersecurity researcher at the CERT division of Carnegie Mellon University's Software Engineering Institute. While companies often feel confident that backups will protect their information, he said, "less than 50 percent of companies who have been attacked said they could recover all of that data."

Hackers Lock Pennsylvania Dems Out of Their Email, But They Refuse to Pay Ransom - March 7, 2017
That's a real concern, said Rotem Guttman, a cybersecurity researcher at the CERT division of Carnegie Mellon University's Software Engineering Institute. While companies often feel confident that backups will protect their information, he said, "less than 50 percent of companies who have been attacked said they could recover all of that data."

CMU Team Tries To Fight Cyber Threats From The Inside Out - March 7, 2017
Every few years, the Computer Emergency Response Team, or CERT, at CMU updates its report titled “The Common Sense Guide to Mitigating Insider Threats.” Technical director of the Insider Threat Center at CERT, Randy Trzeciak, said the team has recorded 1,300 incidents.  

Iris Scanners Are Coming To Phones, But Are They Safe? - March 3, 2017
Iris scanners could help make a phone more secure and convenient, but they come with downsides.  “It’s harder to spoof irises than it is to spoof fingerprints, and they’re thought to be stable over a person’s lifetime,” said Marios Savvides, head of the CyLab Biometrics Center at Carnegie Mellon University, which researches issues of cybersecurity. “In that sense, I think iris scanning will help remove some of that hackability.”

Is Bitcoin Safe? Experts Pick Sides - February 25, 2017
None of the cryptographic primitives behind Bitcoin have, to this day, shown major weaknesses. The system as a whole has shown tremendous resiliency for the past eight years it has been in existence, and works well. Contrary to what a lot of people think, Bitcoin is not anonymous, but pseudonymous. All transactions are publicly available and traceable. So, if one can associate a given Bitcoin address to Alice's identity (e.g., by obtaining the information from an online exchange where Alice bought her Bitcoin), all of her purchases are traceable. 

How to protect your children from identity theft - February 21, 2017
Protecting your child's credit from the minute they are born: It's not something new parents are thinking about, but a Carnegie-Mellon Cylab study found, nationally, kids are 50 times more likely to have their identities stolen than their parents.

A world beyond passwords - February 19, 2017
A former chief technology officer at the Federal Trade Commission, Lorrie Cranor has written more than 15 scientific papers on passwords. She said dealing with passwords is frequently a frustrating experience. “We have so many rules about how they have to be complicated, and hard to guess,” Cranor said. “And then we’re supposed to have a different one for every account we have, and we’re not supposed to write them down. And that’s just really difficult for people to deal with.”

Hitting the revolutionary road - February 19, 2017
Cars and computers have been bonding for a while. Their liaison will soon end up in a fusion that will enable vehicles to drive themselves. Already shaken by the public anger over losing jobs to trade and offshoring, the U.S. is bracing for another major disruption — autonomous vehicles. In the driver’s seat of this revolution around the corner is Raj Rajkumar, who heads the Connected and Autonomous Driving Collaborative Research Lab at Carnegie Mellon University (CMU) in Pittsburgh, Pennsylvania.

How to keep data leaks from getting out of hand - February 16, 2017
Norman Sadeh and his team at Pittsburgh’s Carnegie Mellon University are trying to thread that needle, by building artificial intelligence into a new app, called Privacy Assistant. The program asks users a few simple questions to gauge their privacy concerns: do you want banking apps to know your location? Based on your answers, Privacy Assistant analyzes every app, and suggests what information they should and should not get. If the user agrees, Privacy Assistant instantly applies the tighter privacy settings to every app on the phone.

Indian Americans Named Fellows of National Academy of Inventors - February 14, 2017
Additional Fellows named include Lakshmi S. Nair of the University of Connecticut, Shrikanth S. Narayanan of the University of Southern California, Paras N. Prasad of the University at Buffalo-SUNY, Ragunathan Rajkumar of Carnegie Mellon University, Sudeep Sarkar of the University of South Florida, Mrityunjay Singh of the Ohio Aerospace Institute, Kamalesh K. Sirkar of the New Jersey Institute of Technology, Ponisseril Somasundaran of Columbia University, Sidlgata V. Sreenivasan of the University of Texas at Austin, Madhukar L. Thakur of Thomas Jefferson University and Anil V. Virkar of the University of Utah.

Snapchat’s IPO May Be a Huge Vote for Privacy - February 13, 2017
A study co-authored by Carnegie Mellon computer science professor Norman Sadeh found that mobile apps such as Groupon and Weather Channel logged a user’s location every three minutes. Photo app Meitu was found to track a user’s location, calls made, Wi-Fi connected to. “We’ve seen massive amounts of tracking,” Sadeh says.

Carnegie Mellon researchers want to fix app permissions once and for all - February 10, 2017
A group of researchers at Carnegie Mellon University say they’ve come up with a solution for app permissions, after spending the past few years researching mobile apps and consumer privacy preferences. The group, led by Professor Norman Sadeh, also the director of CMU’s Mobile Commerce Laboratory, just released an app in the Google Play Store called, simply, Privacy Assistant. The app only runs on rooted (jailbroken) Android phones, since it requires system privileges in order to work properly, but Sadeh says this is just a start in the group’s larger goals around privacy protections.

Researchers Release An App To Help With App Permissions - February 10, 2017
Several researchers from Carnegie Mellon University have now created an Android application that helps users to understand and manage the permissions of other Android applications. Privacy Assistant – as the app has been named – will not be available to everybody, since it does require root-level system permissions to function. It also currently requires a specific version of Android, further narrowing the breadth of possible users. Privacy Assistant is the brainchild of Carnegie Mellon University researchers Jason Hong and Norman Sadeh and is part of a more broad study into app permissions which is being conducted by the university.

Leave Spicer alone! (Or, why DNS registration is horrible) - February 8, 2017
Previously, another ICANN working group had looked at ways protect registrant data. A 2013 study by Carnegie Mellon University commissioned by ICANN found substantial misuse of WHOIS data for both unsolicited calls and e-mails and targeting phishing and malware attacks. ICANN subsequently proposed eliminating public access to data through the WHOIS service. But that ran into resistance as well, particularly from organizations that use WHOIS data for tracking threats from malicious sources (including DomainTools and LegitScript).

Everything You Need to Know About Password Managers - February 7, 2017
“Password managers are not a magic pill,” Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University, says, “but for most users they'll offer a much better combination of security and convenience than they have without them. Everyone should be using one.”

Post-Manning: Malicious Insider Defenses Evolve - February 6, 2017
"Back then, it was a trust model that relied upon a security clearance process that did proper vetting of employees," Randy Trzeciak of Carnegie Mellon's CERT insider threat program says in an interview with Information Security Media Group (click on player beneath image to listen). "But where the organizations back then tended to be a bit limited is in the 'trust but verify' [monitoring] of the activities that were happening on networking systems."

DARPA prize-winning bot Mayhem deploys to seek flaws, shut out botnets - February 3, 2017
Mayhem’s job will be to find and patch immediately. “Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks — or never — until a patch is put out,” Brumley said. “Imagine a world where the first-time a hacker exploits a vulnerability he can only exploit one machine and then it’s patched.”

Can the Internet of Things make your office more secure? - February 2, 2017
Meanwhile, the forces for good in the digital world are working on ways to beat the IoT hackers of tomorrow. The USA’s Defence Advanced Research Projects Agency (DARPA) recently awarded $2m to a Carnegie Mellon University team to develop automated digital security service, Mayhem.

Privacy Paradox: What You Can Do About Your Data Right Now - January 30, 2017
But reading the privacy policy of every website you visit would take you about 25 days a year, according to Carnegie Mellon researchers. No wonder we don't bother. And yet, in a Pew Research poll, almost three-quarters of Americans said the right to control who can access what information about them is "very important."

Carnegie Mellon privacy clinic aims to help protect you from hackers - January 26, 2017
"It is difficult to do anything or go anywhere without having your personal information collected, both online and in the physical world," said Lorrie Cranor, co-director of CMU's Privacy Engineering Master's Program, a faculty member at CyLab, a cyber security research and education institute at the university, and a professor in the departments of Engineering and Public Policy and the Institute for Software Research. "Most of us really want to have some privacy, and it's really important to be educated about who is collecting our data and what we can do to protect our privacy."

How Safe Is Your Internet Data? Americans Don’t Trust Social Media, Federal Government To Protect Personal Information - January 26, 2017
“Put your digits, symbols, and capital letters spread throughout the middle of your password, not at the beginning or end,” FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Faith Cranor told Wired last year. “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.”

Personal Privacy Assistant Uses AI To Learn Users' App Preferences - January 25, 2017
“The number of settings that we have to control has truly become overwhelming and unrealistic,” Norman Sadeh, a professor at Carnegie Mellon’s School of Computer Science, told Digital Trends. “If you have to decide which of these permissions you’re willing to grant, that means that the average user has to configure 150 different permissions. Very, very few people are willing to do that.”

Data Visualization Tools Can Help Stop Cyber Attacks - January 24, 2017
“It’s very hard for analysts to look at 80 columns of a spreadsheet,” says Yang Cai, the director of the CyLab’s Visual Intelligence Studio. “Visualization makes it very easy to see the patterns.”

Keep your texts private in Trump's America (and everywhere else, too) - January 23, 2017

Jason Hong, a privacy and security expert who teaches at Carnegie Mellon University, suggests you look to the pros when choosing your apps. "The strongest signal is just look at, what do all of the cybersecurity experts use? What are they recommending?" said Hong.

7 really cool network and IT research projects - January 17, 2017
As many as 4 in 10 apps with policies could be collecting location information and nearly 1 in 5 could be sharing that data without getting your permission to do so.  “Overall, each app appears to exhibit a mean of 1.83 possible inconsistencies and that’s a huge number,” said Norman Sadeh, professor of computer science in CMU’s Institute for Software Research.

Is Your Smartphone Listening to Your Conversations? - January 15, 2017
"There are two possible explanations,” Professor Jason Hong of the School of Computer Science at Carnegie Mellon University explained to Digital Trends. “It’s either coincidence, or they were browsing on a website and happened to see that topic and then talked about it with friends later on. Facebook is actually linked into lots of websites and news sites around the world, so they do collect data about what content you’re looking at and then base ads off of that.

Meet the man responsible for teaching some of the NSA’s best young hackers - January 11, 2017
“The program he’s running at CMU is producing experienced graduates that typically would not have this kind of technical mastery without several years on the job,” said former NSA technical director Bryan Smith. “Brumley has broken down the art of memory corruption and exploit writing into a reproducible science.”

Understanding The Internet Of Things - January 3, 2017
Carnegie Mellon’s Jason Hong gave the matter context when he explained that IoT “represents the third wave of computing. The first wave focused on computation — making the basics of computing work. The second wave centered on networking — connecting all of these computers together in a global network. The third wave, of which we are in the early stages, aims to make computers part of the physical world in which we live. Computation, communication and sensation are being woven into everyday objects, all of which contain, and indeed are, computers.”


Cyber issues are global issues - November 30, 2016
"Oftentimes, technology is created without any input from policymakers. Policies are then enacted after the fact. On cyber issues, we need to be building policy into the technology, getting in on the ground floor instead of trying to retrofit. We need to be entangling policy and technology from the start."

What happens when parents steal their children's identities? - November 29, 2016
The data collected by CyLab suggests that there are three main perpetrators: Organized criminals, illegal immigrants, and family/friends. And while the former two pose very real threats, it's the latter group — family and friends — who experts believe to be the most dangerous. If a stranger steals a child's identity, the responsibility of dealing with it falls on the parents. If a family member steals a child's identity, who is there to help the victim?

CMU prof lands spot on Trump transition team for National Security Council - November 23, 2016
Kyron Skinner, a Carnegie Mellon University associate professor and expert in international relations, U.S. foreign policy and political strategy has been named to President-elect Donald J. Trump’s transition team for the National Security Council.

Biometrics Could Make Passwords Obsolete - November 16, 2016

Choosing which biometric factors to use is still a matter for debate. Mario Savvides, director of the Carnegie Mellon’s CyLab Biometrics Center, isn’t optimistic. “Fingerprints are being widely used, but they have a negative stigma,” Savvides said. “Every time people use a fingerprint sensor they feel like they’ve done a crime.” Smudges and scrapes can also easily invalidate a fingerprint. “I lean toward iris scans,” Savvides said. “It is more secure, in the sense that you are less likely to do anything that might change your iris.”

Carnegie Mellon University Wins National Cyber Analyst Challenge - November 11, 2016
A team from Carnegie Mellon University was awarded $25,000 as the winner of the second National Cyber Analyst Challenge (NCAC), a cyber competition powered by Leidos and administered by Temple University's Institute for Business and Information Technology (IBIT) to fill the ever-growing need for cyber analysts.

Carnegie Mellon researchers visualize way to fend off DDoS attacks - November 8, 2016
Senior Systems Scientist Yang Cai of CyLab's Visual Intelligence Studio says the key is providing visualization of the reams of network traffic data (i.e., IP addresses and time stamps) that IT and security analysts typically examine. This makes it easier to spot patterns, they say.

Want to beat facial recognition? Get some funky tortoiseshell glasses - November 4, 2016
The end result is impressive. The glasses were able to fool both commercial facial recognition software Face++, as well as a more specific model trained exclusively on five researchers and five celebrities. With just the pair of glasses on their faces, the researchers were able to successfully prevent the software from recognising their faces at all, as well as impersonate each other and celebrities including Milla Jovovich and Carson Daly.

These glasses trick facial recognition software into thinking you're someone else - November 3, 2016
The glasses work because they exploit the way machines understand faces. Facial recognition software is often powered by deep learning; systems that crunch through large amounts of data to sift out recurring patterns. In terms of recognizing faces, this could mean measuring the distance between an individual’s pupils, for example, or looking at the slant of their eyebrows or nostrils.

These Glasses Fool Facial Recognition Into Thinking You’re Someone Else - November 2, 2016
The glasses were developed to mislead facial recognition programs that use neural networks (a form of advanced machine learning that mimics the human brain), said researcher and co-creator Mahmood Sharif. The specs had a 90 percent success rate in fooling the facial recognition software Face++, which is used for detection, tracking, and analysis, such as noting a person's age, gender, or identity.

All it takes to steal your face is a special pair of glasses - November 1, 2016

But new research from Carnegie Mellon University shows that facial recognition software is far from secure. In a paper (pdf) presented at a security conference on Oct. 28, researchers showed they could trick AI facial recognition systems into misidentifying faces—making someone caught on camera appear to be someone else, or even unrecognizable as human.

Hackers' entry point traced back to cameras - October 24, 2016
The motive behind a cyber attack that crippled major social media, entertainment and news websites last week remains unclear, but a Chinese surveillance camera maker acknowledged Monday that hackers hijacked its technology to launch the attack. “The short answer is we can only speculate about the intent,” said Vyas Sekar, a faculty member at Carnegie Mellon University's CyLab Security and Privacy Institute. “In the past, we have seen everything from nation states acting to disrupt other people to script kiddies having fun to actual attacks for vengeance or ransom.”

QUIZ: Can You Tell Legitimate Emails from Phishing Scams? - October 6, 2016
"When making decisions about phishing emails, people were more cautious when they were unconfident and perceived very negative consequences of opening a phishing email," CyLab researcher Casey Canfield noted. "Unfortunately, they were often overconfident so they would still fall for phishing attacks."

Phishing still fools people, but at least more are cautious - October 5, 2016
If at this point you are shaking your head at those silly fools who would fall for phishing messages, try CyLab's phishing detection quiz and see if you're still feeling so smug afterwards. "Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems," says Casey Canfield, a CyLab researcher from Carnegie Mellon's Department of Engineering and Public Policy, in a statement.

Deep Learning: Achilles Heel in Robo-Car Tests - October 3, 2016

Philip Koopman, professor of Carnegie Mellon Univ., believes the biggest hole in a Federal Automated Policy published late Sept. is in the regulators’ failure to tangle head-on with fundamental difficulties in testing Machine Learning — a problem already known to the scientific/engineering community. “Mapping Machine Learning‐based systems to traditional safety standards is challenging,” Koopman said, “because the training data set does not conform to traditional expectations of software requirements and design.”

How an Old Hacking Law Hampers the Fight Against Online Discrimination - October 1, 2016
Although no one has ever been prosecuted for online-discrimination testing, Anupam Datta, a researcher at Carnegie Mellon CyLab and the co-author of a 2015 paper finding that women were less likely than men to be shown Google ads for high-paying jobs, told me that “companies’ explicit constraints in terms of use give me pause.” Datta’s colleagues Alessandro Acquisti and Christina Fong, who also study Web-enabled bias, agreed. “The C.F.A.A. is so vague that anyone doing empirical Internet research may find himself or herself at risk,” they wrote in an e-mail.

How Artificial Intelligence Can Stop Sex Trafficking - September 21, 2016

At Carnegie Mellon University’s CyLab Biometrics Center, director Marios Savvides is focused on victim identification, a problem that’s particularly tough when victims are young. “If a baby is abducted, for example at the age of two or three, at the age of five or six, even their parents won’t be able to identify them facially,” Savvides says. “How do you identify those victims?”

Top Colleges For Cybersecurity - September 19, 2016
Known worldwide for its close working relationship with the CERT Coordination Center, Carnegie Mellon's CyLab is a huge draw for graduate students interested in a range of cybersecurity specializations. This cross-disciplinary institute facilitates research and industry participation from more than six departments and schools at the university and reflects the depth and breadth of CMU's cybersecurity opportunities. It has also been designated a National Center of Academic Excellence (CAE) in Information Assurance/Cyber Defense Education (CAE-IA/CD), Information Assurance/Cyber Defense Research (CAE-R) and Cyber Operations (CAE-Cyber Ops). 

Covering webcam 'doesn't hurt,' not a replacement for good computer security, experts say - September 17, 2016

David Brumley, also director of Carnegie Mellon University's CyLab Security and Policy Institute, said he doesn't typically agree with the FBI's approach to cybersecurity but does agree with the director on the tape issue. “I would say that's a pretty reasonable thing to do,” said Brumley, who admitted he doesn't tape his webcam. “It doesn't hurt, but by the time they're able to look at your webcam, they're able to capture all our keystrokes anyway.

Children are ideal targets for identity thieves - September 16, 2016
Identity theft victims don’t necessarily have to be adults. According to a study by Carnegie Mellon University’s CyLab, children are 51 times more likely to be a victim of identity theft than adults. Children and teenagers generally lack financial experience. This likely means they have clean credit, basically a blank slate, which makes them ideal targets for identity thieves. Furthermore, since they typically do not start applying for credit until at least early adulthood, a theft is more likely to go undetected for many years, which could create serious consequences.

Review: ‘Streaming, Sharing, Stealing’, by Michael D. Smith and Rahul Telang - September 11, 2016
Streaming, Sharing, Stealing charts the history of film, TV and music industries, going back a century to show how developments in technology and changing consumer habits have created a period of unprecedented change for them. The book, by two professors at Carnegie Mellon University, offers many lessons for executives in the creative industries, as well as serving as a case study of the challenges faced by any industry grappling with disruptive forces.

Sharing, securing data an ongoing project at Census Bureau - September 9, 2016
Tim Ruland, chief information technology security officer at the Census Bureau, said the agency recently completed two phishing exercises — one for employees who work in buildings across the country, while the other was for field representatives — and is also working with Carnegie Mellon University to improve its insider threat network.

Cyber War - August 29, 2016
CyLab director David Brumley: "Right now a lot of the computer security mechanisms we have are really about a person on a keyboard, and that's just too slow. So they put out a Grand Challenge - can we have a fully automated attack and defence system? And that's what this week is about. That's what this challenge is about, can we build fully automatic robot computers that can hack and defend against being hacked?"

The game has changed: 13 security startups to follow on Twitter - August 26, 2016
ForAllSecure, a startup with ties to Carnegie Mellon University, has created a system it calls Mayhem that can scan code for security holes and plug them without any human intervention. Mayhem recently won the $2 million first prize in the Cyber Grand Challenge sponsored by the US Defense Advanced Research Agency at DEF CON 2016 in Las Vegas.

35 Innovators Under 35: Visionaries - August 25, 2016
When programmers create a feature for an app or a website, even something as simple as a calendar, they should code in protections so the personal information that the feature needs to access—such as your location—doesn’t slip out onto the Internet. Needless to say, they sometimes fail, leaving our data to be exploited by hackers. “Just like there are many ways to sink a boat,” says Jean Yang, “there are many ways to leak information.”

Pittsburgh Earning Reputation As Cyber Security Hub - August 16, 2016
“We have the most startups that are literally winning the field against larger companies and really paving the way,” Carnegie Mellon CyLab director David Brumley said. “So, Pittsburgh really is poised to become the center for cyber security.”

Uber’s First Self-Driving Fleet Arrives in Pittsburgh This Month - August 16, 2016
The city is home to Carnegie Mellon University’s robotics department, which has produced many of the biggest names in the newly hot field. Sebastian Thrun, the creator of Google’s self-driving car project, spent seven years researching autonomous robots at CMU, and the project’s former director, Chris Urmson, was a CMU grad student.

There’s a new way to make strong passwords, and it’s way easier - August 11, 2016

CyLab Researcher Lorrie Cranor said NIST’s draft rules send a signal to agencies and companies that the revamped password guidelines have the blessing of the federal government. “One of the things we’ve seen when we talk to companies is they say, ‘Well, this is all good,’ but I can’t change things until I have something I can point to,” Cranor said. Now, they can point to NIST special publication 800-63, which still needs final approval.

Our Fingerprints Are Portals Into Our Digital Lives — But the Laws Haven't Caught Up - August 10, 2016
"Law enforcement often has legitimate reasons for needing this kind of data, but the scale and fidelity of this kind of data goes well beyond anything else we've ever had," Jason Hong, associate professor of computer science and CyLab at Carnegie Mellon University said in an email. 

Why Is This College Hacking Team So Freaking Good? - August 9, 2016
“We’re pretty proud,” CyLab director David Brumley says. “Every year it’s more competitive, it was really tough this year. You have people on other teams who [when they’re not competing] are making hundreds of thousands of dollars finding bugs. We’re also excited because automation is a new thing now, you’re starting to see some teams operate like Cyborgs. It’s going to be exciting to see what the future looks like.”

This System Won a DARPA Contest by Hacking Its Rivals - August 5, 2016
Carnegie Mellon CyLab director David Brumley, a co-founder of Mayhem’s team ForAllSecure, is a passionate advocate for the CGC. In a blog post ahead of the final, he explained that the competition gives researchers a chance to compare, contrast, and work out the best ways systems could automatically fix themselves. “Think about it: if we could develop computers that could automatically find vulnerabilities, then the good guys could fix them first,” Brumley said.

Seven automated hacking systems will compete for a $2 million prize on Thursday - August 2, 2016
"A vulnerability isn’t like a pothole that you have to recognize in an image," says Carnegie Mellon CyLab director David Brumley. "It’s a really subtle problem."

Security Bots Will Battle in Vegas for Darpa’s Hacking Crown - July 28, 2016
The promise is there, with many online operations,including Google, already exploring automated security. Darpa’s contest will only accelerate this movement, says David Brumley, the director of Carnegie Mellon’s security and privacy institute, who’s leading another team in the competition. And that couldn’t come at a better time, he says, as more and more online devices—the so-called Internet of Things—move into daily life.

Carnegie Mellon professor gets $1.1M to secure appliances - July 27, 2016
Hackers will have many more gateways into personal data, business accounts or public infrastructure as more and more toasters, refrigerators, light switches, garage doors, outlets, thermostats, cars and other items are connected to the Internet. “There's a saying in network security that your network is only as secure as your weakest link, and these could become the weakest link,” Sekar, a faculty member in CMU's CyLab Security and Privacy Institute, said.

Shedding light on the dark web - July 16, 2016
Other developments are making the job of law-enforcement harder. Tails, an operating system popular among dark-web fans, blocks almost all non-anonymous communication to or from a computer. Nicolas Christin and Kyle Soska, another CyLab cyber-security expert, found that the share of vendors using PGP encryption jumped from about 25% in July 2013 to over 90% in January 2015. “Bitcoin-tumblers” make the digital currency harder to trace

While you track Pokémon, Pokémon Go tracks you - July 11, 2016
CyLab's Jason Hong talks about privacy implications in the new PokemonGo app with USA Today. “That’s the challenge with this data,” Hong says. “It can potentially be used for good and bad as well."

Now the 100 individual privacy settings you need to set on your phone can be done in a single app - July 10, 2016
The result is not more privacy. It’s confusion. “Most people although they care about privacy won’t spend huge amounts of time playing with those settings,” said computer science and CyLab researcher Norman Sadeh at Carnegie Mellon University in an interview. “Doing the right thing in this space means, in principle, giving more control to users but it becomes unmanageable and underused. We’ve developed technology to assist users with these settings”

Researchers build a smart privacy app to keep you safe - July 6, 2016
“It’s clear that people just can’t cope with the complexities of privacy settings associated with the apps they have on their smartphones,” said Norman Sadeh, professor of computer science and CyLab researcher at Carnegie Mellon. “And it’s not just smartphone apps. The growing number of sensors and other smart devices that make up the so-called internet of things will impact privacy and make it even more challenging for users to retain control over their data and how it is being used.”

Driverless Cars Will Face Moral Dilemmas - June 23, 2016
“This question of ethics has become a popular topic with people who don’t work on the technology,” says Ragunathan “Raj” Rajkumar, a professor of electrical and computer engineering in Carnegie Mellon University’s CyLab and veteran of the university’s efforts to develop autonomous vehicles, including the Boss SUV that won the DARPA 2007 Urban Challenge. “AI does not have the same cognitive capabilities that we as humans have,” he adds. 

Self-driving car changes ‘driver’ to ‘instructor’ - June 1, 2016

Think of it as driver education with the car as the student and you as the instructor. That’s what it’s like in the latest version of Carnegie Mellon University’s self-driving car, a 2011 Cadillac SRX on display Wednesday in Schenley Park. CMU professor and CyLab researcher Raj Rajkumar gave demonstration rides to officials and the media after a news conference to announce legislation and a task force to oversee safe development of self-driving cars.

When Computers Stand in the Schoolhouse Door - May 16, 2016
Anupam Datta, a professor of computer science and researcher at Carnegie Mellon CyLab in Pittsburgh, PA, created AdFisher, a program that simulates browsing behavior and collects information about the ads returned after Google searches. The tool discovered more ads related to higher-paying jobs were served to men than were presented to women.

People Understand How to Make Good Passwords, But Still Don't - May 13, 2016
"They understand that this password is stronger than that password, as a rule, but they don’t know how strong is strong enough,” Lujo Bauer, a researcher at Carnegie Mellon CyLab, and one of the authors of the study, told Motherboard. “Right now we’re giving users bad instructions about how to create passwords, we’re giving them poor feedback about whether their password is good, and then we’re surprised when they create poor passwords,” Bauer said.

7 Password Experts on How to Lock Down Your Online Security - May 5, 2016
“Put your digits, symbols, and capital letters spread throughout the middle of your password, not at the beginning or end,” says Lorrie Faith Cranor, FTC Chief Technologist and Carnegie Mellon CyLab researcher. “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.”

Will artificial intelligence revolutionize cybersecurity? - May 4, 2016

Indeed, the amount of data that cybersecurity professionals and researchers contend with can be overwhelming, and the amount of information on cyberattacks and malware is growing expeditiously every day.  "As a rule of thumb, AI benefits tremendously the more data that you have," said David Brumley, director of Carnegie Mellon CyLab and the cofounder of the cybersecurity startup ForAllSecure.

How to Safeguard Your Children’s Credit - May 3, 2016
In their 2010 report, the Federal Trade Commission reported that 8 percent of total complaints received involved someone 19-years-old and under. In a recent 2011 Carnegie Mellon CyLab Report, children were reported to be 51 times more likely to become victims of identity than adults.

Updated: Cybersecurity being overlooked by American universities: Report - April 7, 2016

"Carnegie Mellon University is proud to offer 50+ courses in cybersecurity and privacy. And that's not counting security concepts taught in modules in courses such as computer systems, networking, compilers, imperative programming, and others. CMU believes security is fundamental, and has created an entire University-level institute called CyLab to bring together end-to-end expertise to help solve todays security and privacy challenges," CyLab director David Brumley said in an email to

Hackers Can Be Our Cybersecurity Allies - March 27, 2016
Carnegie Mellon CyLab director David Brumley explains, "The problem is lack of talent. A recent report by the University of Massachusetts Boston found that 60% of colleges don’t even offer courses in network or information security. To keep up with our competitors, America needs to cultivate the next generation of cybersecurity personnel in colleges and high schools across the country."

Protect Yourself Online By Protecting Your Passwords - March 22, 2016

“Using different passwords on different accounts is important,” said Lujo Bauer, a computer security expert as Carnegie Mellon University’s Cylab. He says creating strong passwords is vital because hackers have software that use billions of password combinations to break into an account.

Driverless Cars Must Have Steering Wheels, Brake Pedals, Feds Say - March 16, 2016
Efforts to shut out human drivers notwithstanding, stepwise automation of various features offers a more realistic short-term view of how the shift to driverless cars will play out, according to Ragunathan “Raj” Rajkumar, a professor of electrical and computer engineering in Carnegie Mellon University’s CyLab and veteran of the university’s efforts to develop autonomous vehicles, including the Boss SUV that won the DARPA 2007 Urban Challenge. “The transition to roadways filled with driverless drones will be gradual,” he says. “People will buy cars with more and more autonomous features in the coming years until, sometime in the 2020s, the majority of vehicles on the road will for the most part be fully autonomous.”

Views on Hackers and the Need to Rethink Cybersecurity From David Brumley, Director of CyLab, Carnegie Mellon University - March 7, 2016
"We need to see, as a national priority, cybersecurity put at the same level as STEM (Science, Technology, Engineering and Mathematics), at the same level as learning math or arithmetic." says Carnegie Mellon CyLab director David Brumley.

Forcing People to Change Their Passwords Isn’t Just Annoying. It’s Counterproductive. - March 3, 2016
But Lorrie Cranor, who studies security usability at Carnegie Mellon CyLab in addition to her role at the FTC, wrote on Wednesday that requiring frequent password changes can degrade users' password quality. People end up reusing passwords on a loop or making tiny changes to a base password. "I have heard from many users that they include the month (and sometimes year) of the password change in their passwords as an easy way to remember frequently changed passwords," Cranor writes.

Why changing your password regularly may do more harm than good - March 2, 2016

But according to the Federal Trade Commission's chief technologist and Carnegie Mellon CyLab researcher, Lorrie Cranor, the strategy has some major holes. "Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," Cranor wrote Wednesday in a blog post entitled "Time to rethink mandatory password changes."

Apple Encryption Battle Points Out Lack of Unified Cybersecurity Ethics Code - February 29, 2016
David Brumley, director of CyLab, Carnegie Mellon University’s security and privacy institute, agrees that the lack of ethical standards makes the situation difficult to judge. “I don’t think there’s an industry-wide definition,” he said. “There’s a lot of discussion of ethics, but that really hasn’t involved modern computer security and privacy experts.”

CMU Research Makes Password Data More Secure - February 29, 2016

Anupam Datta, an associate professor of computer science and CyLab researcher at CMU, said in the right hands, that information helps organizations determine how strict to make their password standards. “If there aren’t like, these very large numbers of users who are picking one particularly common password like ‘123456’ then, perhaps, the number of attempts that can be given to users can be made higher,” Datta said. 

Researchers devise method to share password data safely - February 28, 2016
“This is the first time a major company has released frequency information on user passwords,” said Anupam Datta, associate professor of computer science and electrical and computer engineering at CMU. “It’s the kind of information that legitimate researchers can use to assess the impact of a security breach and to make informed decisions about password defenses. This is extremely valuable, so we hope other organizations will follow Yahoo’s lead.”

In FBI versus Apple, government strengthened tech’s hand on privacy - February 25, 2016
The ongoing fight between Apple and the FBI over breaking into the iPhone maker’s encryption system to access a person’s data is becoming an increasingly challenging legal issue.

Service Academy CyberStakes Proves Worth as Learning Tool - February 16, 2016
“In CyberStakes we make computer security a practiced skill,” Carnegie Mellon CyLab director David Brumley explained. “We encapsulate the essence of concepts like finding vulnerabilities, exploitation and defenses into hands-on exercises in a game environment. By playing the game, students solve problems, get better and can deliberately practice skills.”

Easily Concealable Devices Remotely Steal Data From Older Credit Cards - February 16, 2016
“You can imagine someone stealing your identity, running up debt, buying things they shouldn’t be able to, accessing other information about you,” said Carnegie Mellon CyLab Prof. and Researcher Anthony Rowe.

Cyber research leads to STIDS 'best paper' - February 12, 2016

Network defense collaborations between university and Army researchers have led to a best paper award at a recent technology security conference. A team comprised of members from the U.S. Army Research Laboratory and Carnegie Mellon CyLab are pursuing a novel way to use technology that eases the detection burden on analysists that monitor networks around the clock.

Self-Driving Cars in 10 Years? How $4B Could Make it a Reality - January 28, 2016

When DARPA held its third race in 2007, six cars crossed the finish line — including one from the winner, a team from Carnegie Mellon University led by CyLab researcher Raj Rajkumar, who remains a professor of electrical and computer engineering at the school. "I really like the size of the investment," Rajkumar told NBC News. "I think it's good for the technology and for society at large."

The firms who will beat Google to get us into self-driving cars - January 11, 2016

Raj Rajkumar of Carnegie Mellon CyLab in Pittsburgh, Pennsylvania, identifies multiple ways in which companies can build maps for their robot cars. The first is Google’s “do everything” approach: the company controls its entire driverless car operations, gathering the map data itself and processing it for the intelligent software that drives its cars. “Crowdsourcing is the traditional car companies’ very, very big advantage,” says Rajkumar. “There’s an interesting competition ahead.”

Do People Really Buy Guns On The Dark Web? - January 7, 2016
CyLab Researcher Nicolas Christin says, "Weapons represent a very small portion of the overall trade on anonymous marketplaces. There is some trade, but it is pretty much negligible." Drugs are far more common. Specifically, MDMA and marijuana each account for about 25% of sales on the dark web, according to Christin's research.