CMU’s big showing at RSA 2020

“The Human Element” was the theme of this year’s RSA Conference in San Francisco, which featured CyLab Director Lorrie Cranor talking about usable security research as a warm-up act for magician duo Penn & Teller. Three other CyLab faculty and staff members from across the university spoke about topics ranging from trustworthy artificial intelligence to risk management. Three Information Networking Institute (INI) students attended as RSA Conference Security Scholars.

During the final session of the conference, Cranor joined the conference’s program committee chair Hugh Thompson to talk about her research group’s work on passwords, their development of a privacy and security “nutrition labels” for devices, and general concerns people should have about smart devices.

“People don’t understand what they should be worried about when it comes to something like a smart toothbrush,” Cranor said. “They collect data about your brushing habits and your gum health, and they can actually wire it to your dental insurance company, which sounds kind of scary to me.”

Cranor’s talk, which mostly focused on trust and how humans can be deceived, aptly served as a warm-up act for magician duo Penn & Teller, who wowed the audience with a password magic trick following Cranor’s talk. While creating an “unbreakable” password on stage, Penn Jillette remarked that he had learned from Cranor’s talk that passwords are stronger when the digits are in the middle.

CyLab’s David Brumley, a professor in the department of Electrical and Computer Engineering, was a finalist in RSA’s Innovation Sandbox competition, which consisted of a competitive field of 9 other security startups. According to RSA, the top 10 finalists each year since the competition began in 2005 have collectively seen 48 acquisitions and raised over $5 billion in investments to-date.

Wearing his other professional hat – as CEO of his startup, ForAllSecure – Brumley explained his company’s vision for creating a system that can autonomously scan software for security vulnerabilities.

“Even the best white hat hackers can only look at a few apps at a time,” Brumley explained during his pitch to judges. “We believe everyone should be able to check their software.”

Hasan Yasar, technical director of the Software Solutions Division at CMU’s Software Engineering Institute, gave a talk alongside Altaz Valani, Security Compass’ research director. They discussed the implementation of an automated, continuous risk pipeline that demonstrates how cyber-resiliency and compliance risk can be traced in businesses. 

Carol Smith, senior research scientist in SEI, gave a workshop on artificial intelligence and how developers can make it more trustworthy. Smith argued, in her opening remarks, that AI shows much promise in helping augment humans’ intelligence, but people need to be careful.

“Regardless of how much intelligence we feel these systems have, they really aren’t that intelligent at all,” Smith said during her talk. “We have to do the work to make sure they are just augmenting our intelligence and not causing us any harm.”