CyLab mentioned in the media


Tsamitis quoted on cybersecurity education

PRISM quoted INI Director Dena Haritos Tsamitis in an article on the importance of educating students about cyber security. Since an estimated 3.5 million positions in cyber security will remain unfilled globally by 2021, educators are structuring curricula and educational practices in response. Tsamitis commented on the Information Networking Institute’s superb students and flexible M.S. degrees. “The program teaches principles of building secure systems and incorporates both offensive and defensive security,” Tsamitis said.

Cranor quoted on simple privacy policies
The Washington Post

Cylab/EPP’s Lorrie Cranor was quoted in The Washington Post in an article on the privacy breach in Facebook users’ data by Cambridge Analytica. For privacy policies, their simplicity affects whether social media users understand terms of service. Cranor and her fellow researchers found that participants in a study “comprehend[ed] simpler privacy policies better than long, complicated ones,” and that the participants expressed less frustration with simpler policies. Facebook has responded to recent privacy concerns by condensing their privacy settings onto a single page. Cranor was also quoted in CNET on the Facebook hearings.

Christin quoted in Wired on Monero

ECE/CyLab’s Nicholas Christin was quoted in Wired on privacy flaws in he and collaborators discovered with Monero, a virtual currency. “People took the privacy guarantees of the currency at face value,” said Christin. “All indications show people were really using this for applications where they needed privacy. And those transactions were very, very vulnerable.”


Newt Gingrich amazed by CMU’s technological advances
Fox News

Recently, former Speaker of the House Newt Gingrich visited Carnegie Mellon and remarked on the university’s technological leaps in artificial intelligent systems. Gingrich was amazed by voice analysis used for medical diagnostics and robotic assistance in heart surgery.

Tsamitis appears on WQED’s “iQ: smartparent”

INI/CyLab’s Dena Haritos Tsamitis appeared on a recent live webcast of the WQED program “iQ: smartparent.” The episode focused on cyber-safety privacy and protections, as well as the latest cyber-safety laws affecting kids and families. Tsamitis discussed topics like safeguarding personally identifiable information, managing your online presence, and the importance of open communication between parents and their kids.

Pasareanu to receive ISSTA Retrospective Impact Paper Award

CMU-SV and CyLab’s Corina Pasareanu has been selected to receive the International Symposium on Software Testing and Analysis (ISSTA) 2018 Retrospective Impact Paper Award. Pasareanu co-authored a paper published in ISSTA 2004 Proceedings that showed how to perform efficient test input generation for code-manipulating complex data. At ISSTA 2018, Pasareanu and her co-authors, Sarfraz Khurshid from the University of Texas at Austin and Willem Visser from Stellenbosch University, will deliver a keynote address to discuss research that’s happened since 2004 on the symbolic execution component of the Java PathFinder tool discussed in their original paper. ISSTA 2018 will be held July 16-18 in Amsterdam.  

Cranor receives 2018 SIGCHI Social Impact Award

EPP/CyLab’s Lorrie Cranor has been awarded this year’s Social Impact Award by the Association for Computing Machinery’s Special Interest Group on Computer Human Interaction (SIGCHI). The award is given annually to a mid or senior-level individual who promotes applying human-computer interaction research to pressing social needs. Cranor has focused her research on user-centered approaches to security and privacy, helping non-technical users protect themselves.

CMU spinoff Wombat acquired for $225 million

EPP/CyLab’s Lorrie Cranor and CyLab’s Norman Sadeh and Jason Hong founded Wombat Security Technologies a decade ago to leverage research on cyberattack prevention. Since then, the company has grown into a leader in cybersecurity awareness training. So much so that Proofpoint Inc. recently completed its acquisition of Wombat for $225 million. “You always have high expectations when you start a company, but there’s nothing more rewarding than to see results of your research having an impact on this scale,” said Sadeh. “Our research at CMU has effectively created an entirely new segment in the cybersecurity industry, one that focuses on the human element.”


Datta stresses internal processes of AI
The Economist

ECE/CyLab’s Anupam Datta was featured in a story in The Economist discussing the push to understand why artificial intelligence (AI) agents make the decisions they do. Once deep learning neural networks are trained, it’s difficult to understand exactly how they do what they do. The fear, the article states, isn’t that AI won’t do what it’s told, but that it will do it in a way that’s incomprehensible. While a number of researchers are attempting to crack the “black box” of internal AI processes, Datta is focusing on stress-testing the outputs of trained AI systems. He feeds the systems input data and then examines output data for undesirable outcomes. According to the article, Datta’s approach “lets those who make and operate AI ensure they are basing decisions on the right inputs, and not harmful spurious correlations.”  

Sekar quoted on Pyeongchang cyberattack
SC Magazine

There were concerns about potential cyberattacks leading up to the 2018 Winter Olympics in Pyeongchang, South Korea. Those concerns were validated during the opening ceremonies when hackers hit Pyeongchang’s computer system with a destroyer malware attack. SC Magazine shares that forensic work has shown the intent of the attack was to disable the networks functionality and not steal data. While investigators know the ‘what,’ they’ve yet to discover the ‘who.’ “It's pretty easy for attackers to hide their origins or use VPNs etc., so the IOC is probably doing the right thing of not blaming until they are sure,” ECE/CyLab's Vyas Sekar told SC Magazine. “Forensics/attribution is really hard work especially given sophisticated attackers.”

Rowe heads research on future of edge computing

ECE/CyLab associate professor Anthony Rowe is leading CONIX, a research project aimed at increasing the capabilities of future computing networks. The project will work to develop a programming language that places increased processing power at different points on a network removed from a central server. In a GeekWire article, Rowe compared the work CONIX will do to the central nervous system. The brain is responsible for most of our actions, but the spine plays a huge part in quick, real-time action that would be delayed if handled by the brain. It’s this real-time action that CONIX will work to improve. The creation of a language for edge computing necessitates the development of underlying infrastructures as well. “We’ll be steering more toward the really forward-looking architecture that are higher risk for companies to research on their own,” Rowe told GeekWire.   

CyLab study cited by BuzzFeed

Research completed by CyLab’s Richard Power in 2011 was used in a BuzzFeed article titled This Kid Became a Debtor Before He Could Count. Powers research helped to determine the percentage of children who were in debt before turning 18, bringing to light how many children are subject to premature debt due to identity theft.

Christin quoted in New York Times about Bitcoin
New York Times

The price of Bitcoin recently dropped, but students and businesspeople alike are still showing great interest in the virtual currency. In fact, due to high demand, many colleges and universities around the country, including Carnegie Mellon, have added courses about Bitcoin and the blockchain to their curriculum. Developments in the field are happening so quickly that, even if the price of Bitcoin dropped to $2, EPP/CyLab’s Nicolas Christin says that he “[would] still think it’s very cool from a technical standpoint.” Christin is currently teaching a course at Carnegie Mellon called “Cryptocurrencies, Blockchains, and Applications.”

Rowe quoted on CMU students' contribution to IoT field
Education Dive

Since billions of smart devices are already connected to the Internet of Things (IoT), many colleges and universities, like Carnegie Mellon, have been training the next generation of leaders in the IoT world. According to ECE/CyLab’s Anthony Rowe, students at Carnegie Mellon are developing solutions for real-world IoT applications. “Students think of wild ideas,” says Rowe. “They are so comfortable with the internet and social media. They have always had a cell phone in their hands. So while the older generation might think, ‘What problems need to be solved?’ These students are thinking, ‘What can we use technology for to make our lives better?’”

Datta's study cited in New York Times book review
New York Times

A study conducted by ECE’s Anupam Datta and his colleagues was recently cited in a New York Times book review for Joanne Lipman’s book, titled That’s What She Said: What Men Need to Know (and Women Need to Tell Them) About Working Together. In his study, Datta found that, when an equal number of men and women visited 100 recruitment sites, men were shown ads for the highest-paying jobs six times more often than women.


Parno quoted on Chronicle, Alphabet's newest cybersecurity company
Popular Science

Recently, Alphabet, Google’s parent company, developed a new cybersecurity platform called Chronicle that companies can use to help comprehend their own security data. Few details have been shared publicly, but this platform will most likely use machine learning to comb through data from a company’s security products and ultimately detect abnormal traffic on their network. Although machine learning is a powerful tool, ECE/CyLab’s Bryan Parno says in an article for Popular Science that, historically, its been challenging to use for security problems. The  Achilles Heel of anomaly detection has always been that attackers just say, 'Well, I’m just going to very carefully craft my attack so it looks like normal activity,’” he says. 

New research center CONIX featured in TribLIVE

ECE/CyLab’s Anthony Rowe will head the Computing on Network Infrastructure for Pervasive Perception, Cognition, and Action Research Center—CONIX—to work toward improving Internet of Things (IoT) networks. The new center, housed on Carnegie Mellon’s campus, received $27.5 million in funding from Semiconductor Research Corp. and the Defense Advanced Research Project Agency (DARPA). CONIX brings together researchers from six U.S. universities who will seek to develop faster, more secure, more robust networks for connecting smart devices to the cloud.

Brumley featured on SciTech Now
SciTech Now

Recently, CyLab/ECE's David Brumley was featured on an episode of SciTech Now, where he talked about the importance of understanding basic cybersecurity concepts. In our daily lives, one of our biggest problems is that most people have no idea how cybersecurity works, said Brumley. At Carnegie Mellon, one of the things that we have a big initiative on is a cyber aware generation. We think understanding basic cybersecurity is something everyone should know.

Bauer's research on facial recognition technology cited in Digital Trends
Digital Trends

ECE/CyLab’s Lujo Bauer and his research team recently developed eyeglasses that are capable of fooling facial recognition algorithms. In his recent study, Bauer and his team explain how they developed five pairs of glasses that 90% of the population could successfully wear to bypass surveillance systems. After concluding their study, Bauer and his team notified the Transportation Security Administration (TSA)—an organization that already uses facial recognition technology—of their findings, and recommended that they require subjects to remove things like hats and glasses before conducting facial recognition scans.

Cranor interviewed on tech support scams

EPP/CyLab’s Lorrie Cranor spoke with 90.5 WESA about the danger of tech support messages claiming to be from prominent companies. “Companies like Microsoft are not actually going to call you to tell you about problems with your computer. If somebody calls you to tell you they’re from Microsoft, don’t believe them,” Cranor said. Bad actors use this tactic as a way to access victims’ computers, which they then infect with spyware or ransomware. With the number of IoT (Internet of Things) devices on the rise, it’s even more important to keep devices updated and secure and to be wary of scammers.

Cranor lends expertise to creation of secure online passwords
NBC News

EPP/CyLab’s Lorrie Cranor offers her insight in an NBC News story examining how most Americans’ passwords are weak and easily hackable. With cybercrime on the rise, it’s more important than ever for passwords to be robust. As director of the CyLab Usable Privacy and Security Laboratory (CUPS), Cranor helped develop a set of guidelines to assist in creating strong passwords. From character length to the avoidance of patterns, few people realize what it takes to thwart a hacker. “What people don't realize is that the attackers don’t just sit down at a computer and make a few guesses. They use computer programs that can actually make millions or billions of guesses in minutes,” said Cranor.


Sicker quoted on realities of net neutrality repeal
BBC News

EPP Department Head and CyLab Interim Director Doug Sicker was quoted in a recent BBC News article that explored both the cases for and against net neutrality rules. Supporters of the rules say they keep internet service providers (ISPs) from unilaterally impacting things like service speed and accessibility. Detractors say the rules prohibit ISPs from investing, innovating, and competing. Sicker isn’t so sure. “The marketplace isn’t sufficiently combative to make those kinds of arguments,” he said.

Sicker comments on bipartisanship in net neutrality protections
Morning Consult

“This is such a pendulum swing in the other direction from the 2015 order that I think it’s very unsettling for everybody, because nobody knows what this new model is going to look like after you’ve gotten rid of these protections, which were pretty acceptable to everybody,” EPP Department Head and CyLab Interim Director Doug Sicker told Morning Consult. Prior to the Republican-controlled Federal Communications Commission’s repeal of net neutrality rules, it was discovered that support for the regulations had crossed party lines, receiving majority support from tea party and conservative backers. Sicker said he believes there is widespread support for “codifying no blocking, no throttling, and no censorship.”

Acquisti comments on consumer data collection
CBS News

Why do our smartphones show ads for things we searched for three days ago on our laptops? Simple: data collection. Sure, data makes the modern economy run, but a recent CBS News story reported that it has a negative side too. “Much of the internet [economy] is a black box where we don't know what is happening. We know that value is being generated, but we don't know how it's happening,” said CyLab’s Alessandro Acquisti. This lack of transparency has led the Federal Trade Commission (FTC) to start examining “informational injury”—harm caused by the use of consumer data.

CyLab study mentioned as facial detection finds its challengers

Last year, ECE/CyLab’s Lujo Bauer, Sruti Bhagavatula, and Mahmood Sharif were part of a research study that developed facial-recognition-fooling eyeglasses. The glasses’ frames confuse facial detection software, rendering it ineffective. Governments are starting to utilize facial detection software for surveillance purposes, which has generated an uptick in research aimed at fooling these systems. references the CyLab team’s work as it describes one such study from the University of Illinois.

Datta’s 2015 algorithm bias study referenced by HuffPost UK
Huffington Post UK

Embrace an android. That’s the rallying cry of the UK’s deputy Labour leader, Tom Watson. His party’s Future of Work Commission recently released a study finding, in part, that the “increasing use of hi-tech machines could create as many jobs as it destroys,” but only if the government invests in training low-skilled workers to fill those jobs. With the rise of automation in the workplace, the Commission also recommended the establishment of ethics and algorithm training to prohibit discrimination by algorithm. Used as a reference was a 2015 study co-authored by ECE/CyLab’s Anupam Datta. Datta’s study revealed that Google ads—which are generated by algorithm—for high-paying executive positions were shown to substantially more men than women.

Cranor accepts FORE Systems Professorship

EPP/CyLab’s Lorrie Cranor recently accepted a FORE Systems Professorship. Cranor, who is a leading researcher in online privacy and usable privacy and security, was named FORE Systems Professor of Computer Science and of Engineering and Public Policy at a December 5 ceremony held in Gates and Hillman Centers.    

Christin recalls bitcoin’s beginnings as its price soars
The Washington Post

Bitcoin has come a long way since its start in 2009. In a recent Washington Post article, EPP/CyLab’s Nicolas Christin shared that, when it was introduced, bitcoin was used by those avoiding traditional currency. “The people who started to use bitcoin years ago were those that couldn’t use anything else,” he said, because what they were buying was often illegal. Nearly nine years later, bitcoin’s price surpassed $17,000, up from $1,000 at the start of 2017. This astronomical increase has prompted a buying frenzy and sparked the first trade of a bitcoin product on the US financial market at the beginning of December. Despite its popularity, financial institutions remain wary of the cryptocurrency’s legitimacy as a tradable commodity.    

Datta’s research referenced in story addressing AI liability

In 2015, CyLab’s Anupam Datta co-authored a study that revealed digital ads for high-paying jobs were shown to significantly more men than women. The question became whether programmers were to blame or if fault rested with machine learning algorithms. The weight of this question has only increased, as discussed in a recent article in ANZ’s bluenotes. Who’s to blame when autonomous, self-learning systems make a wrong, or “bad,” decision, the AI-systems or the engineers who “taught” them?

CyLab’s Hong quoted on robotic workforce
The Denver Post

CyLab's Jason Hong was quoted in an article addressing the impacts of continued workforce automation. “Artificial intelligence is now taking over even white-collar jobs, but those that require lots of human touch and communication won’t be easily automated,” he told the Denver Post. The Post article cites research conducted by McKinsey Global Institute, which finds that 70 million workers in the United States—and 375 worldwide—would lose their jobs to automation by 2030. The jobs most susceptible to automation involve predictive and repetitive tasks, like equipment installation, food preparation, and clerical work, the Post article said. According to Hong, anyone whose work relies on empathy and creativity can feel a bit more comfortable as automation begins to spread.

CyLab’s Goyal comments on cryptocurrency’s challenge to Bitcoin

In less than a year, Bitcoin saw its price balloon from $1,000 to more than $10,000. The top cryptocurrency, Bitcoin has also made a hot commodity out of “altcoins” (Bitcoin alternatives). All cryptocurrencies run on blockchain technology—a shared digital ledger that records financial transactions on an encrypted peer-to-peer network—and it seems that one in particular is set to challenge Bitcoin for supremacy: Ethereum. Ethereum is more than just a cryptocurrency; it’s a platform for building applications that run on blockchain, allowing for more secure transactions, which has many enthusiasts paying close attention. "My personal prediction is that Ethereum will end up becoming the biggest cryptocurrency," says CyLab's Vipul Goyal.


Lorrie Cranor stresses importance of 2-factor authentication

As both a security researcher and a victim of poor security practices, EPP/CyLab's Lorrie Cranor was once victim to a mobile phone hijacking plot against her family—one she's confident could have been prevented with 2-factor authentication. "In that scenario, the carrier should have texted the phone, and it would have solved the problem," Cranor says. "The thief didn't have the old phone. It was in my hand."

Franchetti quoted on AI chip startups
Technology Review

Recently, a growing belief has emerged among some investors that AI could be a unique opportunity to create significant new semiconductor companies. As companies continue to invest heavily in hardware to run deep-learning systems, the limitations of existing chips, such as Nvidia’s graphic chips, are being exposed. Despite having been tweaked to adapt, they soak up a lot of energy when working in parallel. CMU has had to ask its researchers to throttle back their chip use due to the strain they placed on the university’s power system. ECE/CyLab’s Franz Franchetti says that CMU is looking for an alternative power source; companies like Graphcore, Mythic, Wave Computing, intend to answer precisely to that need, developing newer chips tailored for AI applications.

Zarate writes on the importance of hacking
eSchool News

Fourth-year undergrad Carolina Zarate recently wrote an article commenting on the recent Equifax security breach, presenting the incident as proof that elementary and secondary educational systems should implement computer science programs to teach kids how to hack at an earlier age. “To prevent attacks from happening,” Zarate writes, “one makes take the role of an attacker to understand what the offensive attack would look like and how it would work.”

Acquisti quoted on facial recognition software
The Week

Though facial recognition is on the rise, the technology is far from perfect, susceptible to innovative hacks from researchers everywhere. At CMU CyLab, researchers created oversize colored glasses that not only masked the wearer's identity but also made the software think the person was a celebrity. While the technology still isn't as good as it is in the movies, with computers instantaneously identifying every individual in a huge crowd, it's not that far off. "From a technological perspective, the ability to successfully conduct mass-scale facial recognition in the wild seems inevitable," says CyLab’s Alejandro Acquisti. “Whether we as a society will accept that technology, however, is another story.”

CyLab study sourced on facial recognition article
The Register

Facial recognition software is pushing towards a high-security threshold, where the false acceptance rate (FAR) must be 1:1,000,000. With every advancement, however, researchers find counter-hacks to thwart the system. Researchers at CyLab successfully triggered false acceptance and rejection on state-of-the-art facial recognition systems by printing out eyeglasses with different visual characteristics.

Datta study cited in article about fairness in AI

Recent advancements in artificial intelligence have revealed the presence of bias within the learning processes of neural networks. ECE's Anupam Datta conducted a study in 2015 that offers proof: in certain settings, Google ads that promised help for applicants in getting jobs with salaries greater than $200,000 were shown to significantly fewer women than men. A vital concern, then, is developing a system that can adjust neural networks to provide fairness in an unfair world.

Cranor comments on recent phone scam
CBS Local

EPP & Cylab’s Lorrie Cranor was the unfortunate victim of a phone hijacking. Using a fake ID in her name, the thief purchased two new iPhones on her account in a store in Ohio. “I was on the phone, and suddenly my phone cut out,” said Cranor. Based on her past research on passwords and security, Cranor recommends setting up an extra PIN or password to avoid situations like these.

Zhang receives Test of Time Award 2017

ECE/INI associate research professor Pei Zhang recently received the ACM SenSys Test of Time Award (ToTA) 2017 for his 2004 research paper, “Hardware design experiences in ZebraNet.” The paper, which Zhang co-authored, examines techniques for supplying power to wireless sensor networks as well as methods for managing both energy consumption and peripheral devices in those networks. Zhang was honored at the 15th Association for Computing Machinery (ACM) Conference on Embedded Networked Sensor Systems (SenSys 2017), held November 5-8 in Delft, The Netherlands. The ToTA is awarded to research papers that are at least a decade old and have had lasting academic, industrial, and/or societal impacts on networked embedded sensing science and engineering.


Neural network developed by CyLab researchers mentioned
Science Magazine

A neural network developed by CyLab researchers Lorrie Cranor, Lujo Bauer, and Nicolas Christin was mentioned in Science Magazine in relation to new GAN technology that guesses users’ passwords in an effort to beat cybercriminals at their own game. The neural network uses simple machine learning techniques to crack passwords, and may be more efficient than the GAN technology. 

Article on facial recognition technology references study by Acquisti

A 2011 study by CyLab’s Alessandro Acquisti was referenced in an article on on Apple’s new phone that unlocks using facial recognition. The new technology in use by the new phone raised various concerns about privacy and security. Showing what facial recognition technology can do, Acquisti’s study “showed that face recognition could be combined with social networking data to identify people walking around in public and provide instant information about their interests based on their social media data.”


Savvides quoted on Apple’s facial recognition technology

Recently, Apple released its newest device, the iPhone X, with a price tag of nearly $1,000. The new iPhone uses facial recognition technology instead of fingerprint detection to help customers secure their data. But is there something even more reliable we could be using? According to ECE’s Marios Savvides in an article for Mic, an iris would be the best and strongest password because it’s incredibly precise and more private, which means that it’s nearly impossible to reproduce. “Your face is out there [online], but your iris is not,” says Savvides. To break into your phone, “[hackers] would have to actively try to capture your iris or find an extremely high-resolution picture of your face.” Although iris-scanning seems like the best way to secure data, the technology is currently too big and expensive to use for small devices.

Datta quoted on machine bias
Science News

CyLab/ECE’s Anupam Datta was quoted in Science News on machine bias. With increased dependence on machine-learning, algorithms also pick up biases along the way. But is it possible to get a completely unbiased algorithm? “We have to think about forms of unfairness that we may want to eliminate, rather than hoping for a system that is absolutely fair in every possible dimension,” says Datta.

Bauer, Sharif, and Bhagavatula’s facial-recognition fooling glasses mentioned
Quartz, MSN, New Scientist, Motherboard

ECE/CyLab’s Lujo Bauer, Mahmood Sharif, and Sruit Bhagavatula created glasses with a pattern custom-built to fool facial-recognition algorithms. The glasses were mentioned in Quartz, MSN, New Scientist, and Motherboard articles. AI’s capabilities now allow facial recognition technology to identify people who have concealed their identities by wearing hats, sunglasses, or scarves. But the researchers’ glasses were able to confuse facial recognition algorithms into misidentifying the wearer as someone else.

CyLab faculty write article about password security
The Conversation

“As researchers into password security, we’ve known for years that most password advice was not actually based on scientific knowledge,” says CyLab’s Lorrie Cranor, Lujo Bauer, and Nicholas Christin in an article for The Conversation. “To address this, we have been conducting experiments about the effects of password requirements on security and usability.” Cranor, Bauer, Christin, and their colleagues from the University of Maryland and the University of Chicago say that users need to go beyond creating passwords that are merely hard to guess. To defend themselves against hackers, they must now create passwords that are difficult for computers to figure out.

Cranor, Christin, Bauer, and former students publish article on passwords research
The Washington Post

CyLab’s Lorrie Cranor, Nicolas Christin, Lujo Bauer, and their former students Blase Ur and Michelle Mazurek had an article on their password research published in The Washington Post. In the article, the authors share ways that users can create stronger passwords, based on their research findings. Their recommendations include making your passwords at least 12 characters long and avoiding names of people, pets, places you've lived, and common words or phrases. 

Cranor presents at Black Hat USA 2017

At the end of July, CyLab/EPP’s Lorrie Faith Cranor presented at Black Hat USA 2017, the world’s largest information security event. During her presentation, Cranor talked about security usability testing and the empirical data her team at CyLab collected on the usability of common controls such as complex password policies and multi-factor authentication requirements.


Acquisti quoted on facial recognition technology

Over the years, computers have gotten better at recognizing faces because of more advanced 3-D technologies, which offer higher resolution data. As facial technology grows more sophisticated, some people worry that their sense of security and privacy will be compromised. Other people, however, are embracing the technology, saying that it could potentially be used to help find lost pets, identify criminals, and increase students' attentiveness. Despite the concerns about this technology, CyLabs Alessandro Acquisti says that it will continue to advance and eventually overcome the challenges standing in its way. From a technological perspective, the ability to successfully conduct mass-scale facial recognition in the wild seems inevitable, he says in an article for Whether as a society we will accept that technology, however, is a different story.

Fischhoff co-chairs cybersecurity research committee

EPPs Baruch Fischhoff recently co-chaired the Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity, a committee formed by the National Academies of Sciences, Engineering, and Medicine. The committee, made up of 14 experts from industry and academia, compiled a report that identified key research opportunities in the cybersecurity field. In the report, the committee members ultimately state that computer scientists need to collaborate more closely with their counterparts in the natural and social sciences to solve cybersecurity challenges. According to the committee, a more interdisciplinary approach would help advance cybersecurity research. "The strategies and procedures to secure cyber technologies would be improved through a better understanding of the social, behavioral, and decision sciences because people are an integral component—in designing technologies, operating them, allocating security resources—and in attacking them," said Fischhoff.

Acquisti quoted about microchip implantation
The New York Times and NPR

On August 1, more than 50 out of 80 employees at a technology company in Wisconsin volunteered to have a microchip implanted between their thumb and forefinger. Now, they can do things like enter buildings and pay for food with a wave of their hand. Although some people are excited by this emergence of new technology, other people are concerned about their privacy. “Companies often claim that these chips are secure and encrypted,” says CyLab’s Alessandro Acquisti. “But ‘encrypted’ could include anything from a truly secure product to something that is easily hackable,” he says in an article for The New York Times and NPR.  Acquisti says that another potential problem with this advancement is that technology designed for one purpose can be used for something different in the future. Today, the microchips are used to grant access to buildings, but tomorrow, they could be used to track an employee’s movements without their knowledge. “Once [the microchips] are implanted, it’s very hard to predict or stop a future widening of their usage,” says Acquisti.


Tague comments on the benefits of BitClave in MediaPost

Recently, a team at BitClave built a decentralized search advertising platform that eliminates the need for intermediaries like Google, Facebook, and Amazon. Instead of paying middlemen to promote their advertisements online, businesses can now make offers directly to consumers who have chosen to participate in the program. In this system, consumers have more control over the information they share with advertisers. They also have the opportunity to earn money for viewing ads online. ECE’s Patrick Tague (BitClave CTO) explains in MediaPost that the technology powering the platform focuses on the idea of consumer control, privacy, and protection.  

Tsamitis quoted in Pittsburgh Business Times and Fast Company

INI Director Dena Haritos Tsamitis was recently quoted in two major publications: Pittsburgh Business Times and Fast Company. In the Pittsburgh Business Times article, titled "Filling the gap: Cybersecurity worker shortage means there's 'six jobs to everyone person applying,'" Tsamitis comments on the shortage of employees working in the cybersecurity field. “Although demand has grown significantly in the market in both private and public spacesgovernment has a great demand, industry has a great demandthere is a severe shortage of talent,” she says. In the article for Fast Company, titled "How to Steal A Phone Number (And Everything Linked To It)," Tsamitis details her experience as a victim of fraud and cellphone hacking.

Christin comments on size of AlphaBay in New York Times
The New York Times

AlphaBay, the largest online black market for drugs, was recently shut down by law enforcement officials, causing buyers and sellers to reallocate their business on the dark net. Researchers say that AlphaBay had grown into the world’s largest black market by far. According to unpublished statistics from EPP’s Nicolas Christin, the site was bringing in $600,000 to $800,000 in transactions daily earlier this year.


CyLab research cited in New York Times article about dark web
New York Times

As law enforcement officials continue fighting the opioid crisis in the US, they must learn how to conquer the uncontrollable and often untraceable nature of the dark web. Since 2013, numerous online anonymous marketplaces have cropped up, making drugs like fentanyl readily available to thousands of people. Although federal agencies haven’t released any data that reveals the amount of drugs ordered online, a research paper written by CyLab’s Kyle Soska and Nicolas Christin indicates that today’s sites are doing much more business than Silk Road, the first successful online anonymous marketplace. An article in The New York Times cites their paper, which presents a long-term measurement analysis of a portion of the online anonymous marketplace ecosystem over more than a two-year timespan.

INI Students place third in MITRE Embedded Capture the Flag

A team of Information Networking Institute (INI) students placed third overall in the semester-long MITRE Embedded Capture the Flag (CTF) held January 18 - April 14. The semester-long competition required each team to assume the role of defender and attacker on a self-driving car. For 14 weeks, the team’s design successfully withstood attacks and did not lose a single flag to adversaries who had physical access to the team’s provisioned chip and the full source code, earning them the Iron Flag Award.

Bauer comments on facial recognition technology and its ability to recognize human emotions

Recently, companies have been claiming that their facial recognition technology can not only identify people, but also recognize their emotional state, age, gender, and criminal tendencies. In an article for Vocativ, ECE’s Lujo Bauer indicates that these capabilities have been available for a while now, including in the systems he created with his colleagues at Carnegie Mellon.


Bauer quoted in Vocativ on anti-facial recognition devices

Due to the rise of social media, technological devices and facial recognition databases, more than half of the U.S. adult population can be identified in public spaces by simply showing their face. To combat this encroachment on public anonymity, and to thwart facial recognition databases, engineers have been creating technology of their own. But according to ECE’s Lujo Bauer in Vocativ, “There’s no approach that ‘just works,’ or anything close to it.” For individuals to remain anonymous, anti-facial recognition devices must be able to avoid detection from all possible camera angles and distances.


Savvides quoted on the benefits of iris scanners
Vocative and The Week

In an article published by Vocativ and The Week, ECE/CyLab’s Marios Savvides explained how iris scanners can help make smart phones more secure. “It’s harder to spoof irises than it is to spoof fingerprints, and they’re thought to be stable over a person’s lifetime,” said Savvides. “In that sense, I think iris scanning will help remove some of that hackability.” However, even though iris prints will provide an extra layer of security, experts still advise people to use more than one authentication method on their devices because “nothing is fool-proof.”

picoCTF featured on WESA

CMU’s picoCTF, a computer security game targeted at middle and high school students, was recently featured on 90.5 WESA. The two-week contest features a series of challenges, which participants must solve either by decryption, breaking, reverse engineering, or hacking—whatever it takes. One goal of the contest is to tackle the common misconception that hacking is a bad thing; in reality, people skilled in hacking are highly sought out by companies looking to strengthen their cybersecurity. What we're trying to do is educate and bring up a culture of people who are experts at computer security who can make those systems more safe, says David Brumley, director of CyLab.


Ad settings study featured in The Atlantic
The Atlantic

A 2015 study by ECE Ph.D. student Amit Datta and ECE Associate Professor Anupam Datta, titled Automated Experiments on Ad Privacy Settings, was featured in The Atlantic. The study was cited in an article that explored the problem of discriminatory online advertising. The study found instances of discrimination, opacity, and choice in targeted Google ads; for example, the researchers found that men were much more frequently targeted for ads offering high-paying jobs than women were.

Christin named CSIS 2017 Cyber Fellow

EPP/CyLab’s Nicolas Christin has been named a Center for Strategic and International Studies (CSIS) 2017 Cyber Fellow in Advanced Cyber Studies. As one of approximately 20 fellows, Christin will participate in the 12-month fellowship program that begins in March with a kickoff conference in Washington D.C. The fellowship gives future leaders in government, industry, and academia the chance to engage in interdisciplinary programs that sharpen analytical capabilities and deepen technical and policy skills for cyber issues. In addition to completing a term-long research project, Christin will attend at least four two-day conferences in Washington D.C., Silicon Valley, and New York City.

Datta publishes article on automated decision-making tasks
The Conversation

ECE’s Anupam Datta recently published an article in The Conversation on automated decision-making tasks. Specifically, Datta explored the issue of using machine learning algorithms for credit decisions. Under federal law, people who apply for a loan from a bank or credit card company, and are turned down, are owed an explanation of why that happened. Getting an answer wasn't much of a problem in years past, when humans made those decisions. But today, as artificial intelligence systems increasingly assist or replace people making credit decisions, getting those explanations has become much more difficult, writes Datta. He explains how his research group developed a method to better understand how these algorithms make complex decisions.

Tsamitis speaks at conference on diversity in cybersecurity
International Consortium of Minority Cybersecurity Professionals

INI Director Dena Haritos Tsamitis will serve on a panel at the International Consortium of Minority Cybersecurity Professionals (ICMCP) Second Annual National Conference on March 15 - 16. Her session, Women to Women - Diversity Obstacles Impacting Advancement, will address innovative strategies to tackling cybersecuritys diversity challenges.

Tsamitis speaks at first China-US Cybersecurity Technology Forum

INI Director Dena Haritos Tsamitis presented at the first China-US Cybersecurity Technology Forum co-sponsored by Tsinghua University and Microsoft on February 15, 2017. Her talk focused on securing diversity in cybersecurity during a session about the challenges and opportunities of developing cyber talent.

Cranor talks password security with CBS Sunday Morning
CBS News

EPP/CyLab’s Lorrie Cranor was interviewed by CBS Sunday Morning regarding her research on usable privacy and security. Commenting on the increasing unreliability of password-based security, Cranor, alongside other experts from the University of Toronto, discussed possible replacements for passwords, such as fingerprints or heart rhythms. “We have so many rules about how [passwords] have to be complicated, and hard to guess,” Cranor said. “And then we’re supposed to have a different one for every account we have, and we’re not supposed to write them down. And that’s just really difficult for people to deal with.”


Cranor elected to CHI Academy

EPP/CyLab’s Lorrie Cranor was elected to the CHI Academy, an honorary group of individuals who have made substantial contributions to the field of human-computer interaction. Individuals are elected to the CHI Academy based on the following criteria: cumulative contributions to the field, impact on the field through development of new research directions and/or innovations, influence on the work of others, and active participation in the ACM SIGCHI community. Cranor, along with the other SIGCHI award recipients, will be honored at CHI 2017 in Denver, Colorado.

Researchers prove how difficult it is to spot phishing scams

Recently, scammers targeted Netflix customers, sending them fake email notifications that prompted them to update their membership by reentering their personal information. People might think they can detect a phishing scam when they see one, but CMU researchers proved just how complicated these scams can be. During an experiment, researchers taught people how to spot scams and then presented them with a pile of both fake and genuine emails. Even with their newly acquired knowledge, people still struggled to identify the scams. According to researcher Casey Canfield, “the only way to stay safe is to be a bit paranoid.”

CyberScoop celebrates Brumley for teaching NSA’s best hackers

ECE’s David Brumley was featured in CyberScoop because of his knack for teaching students how to hack into technological devices, ultimately transforming them into top-notch employees for tech companies like Microsoft, Google, Facebook, and the National Security Agency (NSA). Brumley’s unique academic program produces experienced graduates that are “coveted by the federal and private sectors alike. Competition to secure their services is fierce.”

Cranor, Bauer quoted in Consumer Reports on password managers
Consumer Reports

EPP/CyLab’s Lorrie Cranor and ECE/CyLab’s Lujo Bauer were quoted in a Consumer Reports article on password managers. Cranor and Bauer recommend that everyone should use a password manager service that generates, retrieves, and protects all your passwords in one secure, convenient place.

Tsamitis quoted in Safertech

INI Director Dena Haritos Tsamitis was quoted in an article on about privacy issues and Google Vault. “In the past decade, rapid advances in workplace technology have often come at the expense of privacy and security. On one hand, we have enterprise-level software and applications like Google Vault offering incredible opportunities for collaboration and communication. On the other, we have the threat of compromising the privacy of employees. The balance lies in an organization’s commitment to understand how these tools work and educate its employees on safe and secure practices,” said Tsamitis.

Cranor quoted in IBT on password security
International Business Times

CyLab/EPP’s Lorrie Cranor was quoted in International Business Times on password security. Cranor suggests that one way to improve your password is to put digits, symbols, and capital letters in the middle of your password, not at the beginning or end.

Savvides gives talk at IDGA conference

ECE/CyLab’s Marios Savvides was invited to give a talk at the Institute for Defense and Government Advancement (IDGA) Biometrics in Government and Law Enforcement conference in Washington, DC from January 23-25. Savvides joined an impressive lineup of speakers that included many government directors and program managers.


Datta quoted on lack of diversity in AI industry
Digital Trends

ECE’s Amit Datta was quoted in Digital Trends about the lack of diversity in the artificial intelligence industry. Last year, Datta and other researchers found that women were shown far fewer Google ads for high paying jobs than men. Researchers believe that this data reveals the gender biases entrenched within artificial intelligence systems. According to Kate Crawford, a researcher at Microsoft, “artificial intelligence will reflect the values of its creators. So inclusivity matters… Otherwise, we risk constructing machine intelligence that mirrors a narrow and privileged vision of society, with its old, familiar biases and stereotypes.”

Tsamitis joins Executive Women’s Forum

INI Director Dena Haritos Tsamitis has been appointed to the advisory board of the Executive Women’s Forum (EWF) on Information Security, Risk Management, and Privacy. In 2007, Tsamitis established a partnership between the EWF and INI to offer a full scholarship to an incoming INI student. The partnership has been renewed after 10 years and will continue to offer invaluable networking and mentorship opportunities to develop women leaders in information security and privacy.