Cranor discusses CyLab and cybersecurity with PBT
Pittsburgh Business Times
In an interview with Pittsburgh Business Times, CyLab Director Lorrie Cranor discussed security and privacy of Internet of Things (IoT) devices. “There is a growing number of IoT devices that are everywhere in the home environment, but also in businesses and in cities,” said Cranor. “The problem is that a lot of them are fairly low cost devices and not enough effort has been put into making sure that they are actually secured.” Aside from IoT devices, CyLab has also been involved in privacy policies, artificial intelligence, and anti-phishing research. Several CyLab outreach projects, including an online program that teaches middle and high school students cybersecurity skills, also encourage people to consider careers in cybersecurity.
Panat, Goyal, and Hong discuss cybersecurity with PBT
Pittsburgh Business Times
CyLab’s Rahul Panat, Vipul Goyal, and Jason Hong were recently quoted by Pittsburgh Business Times about the cybersecurity projects they are working on. Believing that blockchain can help secure the energy grid, Panat and Goyal are planning to create a complete prototype of the eight-node blockchain system. They said that combining high temperature sensor networks with blockchain technology could help the energy grid decentralize, thereby making it harder for criminals to hack machines without being detected. Meanwhile, Hong is designing an IoT Hub prototype, a system that would manage the security of all IoT devices in a home or business. He is also working on strategies people can use to identify the specific locations of smart devices in a room.
Acquisti in WSJ on GDPR
Wall Street Journal
Europe’s new privacy law, the General Data Protection Regulation (GDPR), appears to benefit Google and Facebook for now. These big players have gained more money from advertisers and they can ask for consent directly from a larger pool of individuals. However, CyLab’s Alessandro Acquisti says it is too early to tell whether the GDPR will favor Facebook and Google or weaken their businesses in the end. “We should be extremely cautious about distinguishing between short-term effects and long-term effects,” he says. “Until we see how cases will be litigated and their outcomes, and until we do empirical studies about downstream impacts, there is no way to resolve these opposing claims.”
Many online advertisers believe that ads shown based on users’ browsing activities will yield more profit. However, CyLab’s Alessandro Acquisti and researchers from other institutions have questioned this idea. In their new paper, “Online Tracking and Publishers’ Revenues: An Empirical Analysis,” the researchers have suggested that online publishers only make 4% more revenue from those targeted ads compared to contextual, non-targeted ads.
Cranor expresses concerns about tools that monitor children online
The Wall Street Journal
To keep their children away from trouble online, many parents use monitoring tools such as Bark to track their texts, emails, and social media posts. While Bark claims that it preserves a level of privacy for children, it does ask for the passwords to their social media accounts. Bark argues that the risk of children encountering problematic things online is much higher than the risk of their data being hacked. However, CyLab Director Lorrie Cranor thinks otherwise. “I’m always nervous about any service provider that wants my password. That’s fundamentally insecure,” said Cranor. As a parent of three teenagers, she does not use any monitoring or control tools. “I’m sure they look at things I’d prefer them not to, but my instinct tells me most things aren’t extremely terrible,” she added.
Cranor comments on British spy agency proposal to access encrypted messages
The Washington Post
Along with fellow researchers, human rights groups, and large tech companies, CyLab Director Lorrie Cranor has signed an open letter to Britain’s Government Communications Headquarters (GCHQ) to condemn their proposal that would allow law enforcement to spy on encrypted messages. Government access to encryption has been a controversial topic for years; while law enforcement believes it is a vital tool against criminals, privacy advocates and tech companies argue that it poses threats to cybersecurity and personal privacy. “All the proposals that I’ve seen for how to address this raise a lot of concerns about giving law enforcement too-broad access and opening that backdoor to bad actors and all sorts of other issues,” said Cranor. “It’s a case where it’s hard to have your cake and eat it, too.”
Acquisti explains why people don’t fight for their privacy
The New York Times
Although most people claim to treasure privacy, they continue to expose themselves online without taking any action to protect their information. This paradox may seem bizarre, but CyLab’s Alessandro Acquisti points out that people’s conflicting impulses are actually quite rational. To fully understand our vulnerabilities and protect our privacy, we have to spend lots of time and effort, including changing how we search, purchase, and connect with others. “There’s a sense that the fight to protect your data is unwinnable,” says Acquisti. “You’d have to learn about other tools, it’s costly in time, and it might not even help, because your data is already out there.”
Acquisti quoted on controversial facial recognition technology
The New York Times
Facial recognition has stimulated countless debates over the past two decades due to the privacy concerns it brings and its potential for gender and racial biases. Nevertheless, experts noted that this technology is constantly growing. “There are still technical limitations on it, but the computational power keeps growing, and the databases keep growing, and the algorithms keep improving,” said CyLab’s Alessandro Acquisti in The New York Times.
Acquisti quoted on the value publishers get from behavior advertising
The Wall Street Journal
Behavioral advertising, a technique that collects information about people’s browsing activity typically through cookies, has a dominant position in digital advertising nowadays. Its externalities such as harm to privacy were often justified because of their supposedly huge value to publishers. However, researchers at CMU and other universities suggest publishers only get about 4% more revenue for an ad impression that has a cookie enabled than for one that doesn’t. The online ad ecosystem is complex and opaque, said CyLab’s Alessandro Acquisti. It is “hard to understand how much value each participant in the ecosystem is adding to the process, and whether the fees different intermediaries receive are commensurate to their value added,” he said.
Carley receives honorary doctorate from University of Zurich
Institute for Software Research
CyLab/EPP’s Kathleen Carley has been awarded an honorary doctorate by the University of Zurich, Switzerland. Carley was awarded the honorary degree for “pioneering contributions to our understanding of social systems by means of computational methods. Through the development of new methods to study social networks, she shaped the development of data science and computational social science and provided important stimuli for the study of digital societies.”
CMU aims to develop privacy and security systems for Internet of Things
Pittsburgh Business Times
CyLab has recently announced its funded projects for the Secure and Private Internet of Things (IoT) Initiative. According to CyLab/ECE’s Vyas Sekar, the initiative aims to address security and privacy risks associated with IoT “before it’s too late.” From four sponsors, CyLab will receive more than $3 million for the next three to five years.
Rajkumar comments on Tesla’s future plans
The Associated Press
ECE’s Raj Rajkumar was recently quoted by The Associated Press in an article concerning Elon Musk’s plan to start converting Tesla’s electric cars into self-driving vehicles for 2020. Rajkumar called Musk’s plan a “pipe dream” and said that he is “overpromising, which is typical.” Following his announcement, Musk has also been accused of shirking public safety, and Rajkumar agrees, stating, “People will die.”
Despite having brought down multiple marketplaces for illicit goods and drugs over the past several years, law enforcement officials across the world are still struggling to contain the emergence of new dark-web markets to replace them. “History has taught us that this ecosystem is very, very resilient,” says CyLab’s Nicolas Christin. “It's part of a cycle, and we’re in the chaotic part of the cycle. We’ll have to see how it recovers. But if I were a betting person I would put more money on it recovering than on it dramatically changing.” International law enforcement has made major improvements in coordination and methodology, but according to Christin, their efforts don’t “seem to have dented the ecosystem in a major way.”
ChemE/EPP’s Neil Donahue was among the Carnegie Mellon faculty recently elevated to the rank of University Professor, the highest distinction a faculty member can achieve. Donahue was nominated and recommended by now-fellow University Professors. Donahue said, “This is a huge honor.”
Walmart has expanded its use of CMU startup Bossa Nova’s shelf-stocking robots from 50 to 350 stores nationwide. After purchasing HawXeye, another CMU spinoff developed in CMU’s Biometrics lab, Bossa Nova further improved the product identification of the robots. The upgraded robots are capable of identifying all stock keeping units and any exceptions over a span of two minutes.
Cranor quoted on the future of privacy
CyLab Director Lorrie Cranor was quoted in a recent article discussing the future of privacy, specifically how much access companies can have to personal information and how long they can retain it. Cranor believes that privacy is a combination of technology and policy and that, in the future, “New technology can be used to set and enforce access controls, store data in encrypted form and to de-identify data.”
CyLab Director Lorrie Cranor has been named to the 2019 Class of Andrew Carnegie Fellows by the Carnegie Corporation of New York. As one of 32 distinguished scholars and writers selected, Cranor will have the opportunity to pursue a research sabbatical that will allow her to take her research on security and usability to the next level.
Cranor speaks at WiCyS Conference
CyLab Director Lorrie Cranor was among a collection of prominent names in cybersecurity speaking before over 1,300 attendees at last month’s Women in Cybersecurity (WiCyS) Conference. The conference provided opportunities for networking and encouraged continued growth in the number of women represented in cybersecurity, which has risen from 11% of the workforce five years ago to 20% today.
Brumley on Nielsen’s departure and cybersecurity
The Washington Post
In an article from The Washington Post, cybersecurity experts in government, academia, and the private sector discussed the implications and consequences of Kirstjen Nielsen’s ouster from the Department of Homeland Security. A majority of people believe her departure will hurt the DHS’s security mission due to her experience in cybersecurity and government policy, while others say the mission wasn’t doing well under her leadership. “Nielsen’s departure is another sad indication that the government lacks the will to make real cybersecurity and safety improvements,” said ECE’s David Brumley.
Sarjoun Skaff named one of 10 transforming retail industry
Bossa Nova Robotics co-founder and CTO Sarjoun Skaff was recently named one of Business Insider’s 10 people transforming the retail industry. The startup works with Carnegie Mellon’s biometrics lab to produce machines that work in retail store aisles, taking inventory and noting out-of-stock products. The company is currently working with Walmart to implement the machines in stores. “I admit to being naive when we first started this,” Skaff said. “As we started to build them, we started to realize the scope, the magnitude of the challenge is enormous.”
CyLab/ECE’s Biometrics Center Director Marios Savvides recently commented for a piece on the growing prevalence of AI powered facial recognition software. “We live in a time where AI can surpass the human brain's capability,” he said. Savvides and his group are working to further improve the accuracy of facial recognition software, particularly in cases where the face is partially obstructed.
Walmart has announced the company will add thousands of robots to its workforce, taking lower-level responsibilities such as scrubbing floors, scanning boxes, and checking inventory. As retailers aim to cut costs and increase efficiency, the introduction of robotic workers has been imminent. Forbes featured the move, and explained that according to a study by Carnegie Mellon startup Bossa Nova Robotics, the manufacturer behind the worker robots, 99 percent of the top retailers surveyed reported some kind of inventory problem, while 76 said that using robots in stores would improve employee productivity.
A TechCrunch article interviewed Bossa Nova Robotics CTO and co-founder Sarjoun Skaff about the company’s starring role in Walmart’s new initiative to introduce robots into its workforce. Created in 2005 by Carnegie Mellon Ph.D. students, Bossa Nova develops robots designed to make sense of the “black box” of inventory in the store. While some people fear robots replacing human jobs, Skaff argues that the robots will help their jobs, not take them. “Our robot doesn’t have arms right now, so it’s not replacing the manual labor of restocking a shelf,” he says. “It’s displacing the tedious task of looking for problems, which is really mind-numbing.…As soon as we can tell you where the problems are, you can spend your time fixing them, restocking the shelves and spending more time with shoppers.”
Leaders in cybersecurity gather at CMU for WiCyS Conference
More than 1,200 women, including many College of Engineering faculty and alumnae, gathered from March 28-30 for Carnegie Mellon’s Women in Cybersecurity (WiCyS) Conference. INI Director Dena Haritos Tsamitis, CyLab Director Lorrie Cranor, and ECE’s Giulia Fanti and Limin Jia were all featured as prominent leaders advocating for an expanded workforce through support for women in cybersecurity. A panel discussing how women in tech groups can spark culture shifts in companies included INI alumna Saralee Kunlong, a senior software engineer at Yellow Pages; INI alumna Divya Ashok, senior director of product management at Salesforce; and Era Vuksani, a graduate student studying information security.
Cranor on password security and social network privacy
Random but Memorable
CyLab Director Lorrie Cranor was a special guest on an episode of the podcast “Random but Memorable.” She spoke about her research on the human side of security, privacy, and passwords, and discussed the changes in password standards and management over the last several years, conceding that while there have been changes in standards, there still hasn’t been much change. While password managers and generators are becoming more common, there are still people who resist them. “We hear all sorts of reasons. People who just don’t know about them….there’s a lot of misinformation, there’s a lot of confusion,” Cranor said. She also spoke about informed consent for data privacy in social media companies.
Sekar on automated visitor security systems
ECE/CyLab’s Vyas Sekar was interviewed by NBC News about the safety and privacy of automated visitor security systems, which are replacing receptionists and security guards in businesses, schools, hotels, and hospitals. An IBM X-Force Red study revealed that five different systems are vulnerable in previously unknown places, making not only individuals’ information susceptible, but also company information if connected to a wider network. “An attacker always looks for the weakest link, so if they find one of these systems that collects personal data and is network-connected, it’s like a goldmine for them,” Sekar said. “If these systems are not secured and a company does not have the right security practices in place, then that’s a big security risk.”
Hong discusses spam in Reader’s Digest
Spam emails are an inevitable part of communicating online, and yet many of us are still unsure of exactly how they work against us. As CyLab’s Jason Hong notes in Reader’s Digest, different types of spam emails lead to different user consequences. To combat this, Hong warns us to be wary of emails that have urgent tasks and recommends that we use different passwords for each of our accounts. Spam can be a problem, but knowing what to expect and how to deal with it is half the battle.
CyLab/ECE’s Marios Savvides spoke with CNET in an article about how AI has helped to drastically improve facial recognition. While there are privacy and bias concerns, facial recognition is now being used more widely, at airports, in home security systems, and on cruises, with a 99.7 percent accuracy for the most cutting-edge systems. However, even deep learning neural networks can make mistakes. Savvides, director of the CyLab Biometrics Center, separates some of the data to make things clearer for the neural net. His team can reconstruct faces even in conditions that aren’t optimal. “We live in a time where AI can surpass the human brain’s capability,” he says.
Parno quoted in PopSci on end-to-end encryption
Mark Zuckerberg’s recent announcement regarding end-to-end encryption and the future of Facebook’s messaging services has stirred up quite a bit of chatter within the tech communities. While encryption is essential to privacy, leading experts in the field point out that there are both pros and cons. One proponent of encryption is ECE’s Bryan Parno, who emphasizes that it is essentially impossible to break. “To the best of our knowledge, as cryptographers, the amount of time it would take to decrypt those messages without knowing the key is hideously large,” Parno told Popular Science.
Cranor quoted in NEXTPittsburgh on WiCyS
CyLab Director Lorrie Cranor spoke with NEXTPittsburgh about the 2019 Women in Cybersecurity (WiCyS) conference. From March 28-30, Carnegie Mellon hosted the conference, which aimed to support and connect young women in this critical field that is only 14 percent women in the U.S. (and 11 percent worldwide). “A lot of our important critical systems are not as secure as we would like them to be,” said Cranor, who is one of the keynote speakers of the conference. “If half your population is not considering this as a viable career path, then you’re really cutting into the pool of available workers.”
Acquisti quoted on possible impacts of stricter data privacy rules
The Wall Street Journal
CyLab’s Alessandro Acquisti was quoted in a WSJ article about how big tech companies like Facebook and Google handle customers’ personal information and what stricter privacy rules could do to these companies. Some say that stricter rules will benefit big companies that have more resources at their disposal, but others say that stricter rules will undercut big companies’ advertising and weaken their advantage over smaller companies. Acquisti says, “Both are reasonable claims. But it is far too early to tell which will turn out to be true.”
Cranor elected to CRA board of directors
Computing Research Association
CyLab Director Lorrie Cranor has been elected to the Computing Research Association (CRA) board of directors. Her term will run from July 1, 2019, to June 30, 2022. CRA members elected Cranor in recognition of her many accomplishments, including her work as director of CyLab, Bosch Distinguished Professor, FORE Systems Professor, co-founder of Wombat Security Technologies, and more.
Cranor featured in Post-Gazette
The Pittsburgh Post-Gazette featured Lorrie Cranor’s appointment as the new director of CyLab. Cranor said, “I look forward to supporting CyLab’s ongoing success and bolstering research aimed at making our increasingly digital world safe and trustworthy.”
CyLab’s Virgil Gligor and Maverick Woo received the distinguished paper award at the Network and Distributed Systems Security (NDSS) Symposium in San Diego, California. Their paper, “Establishing Software Root of Trust Unconditionally,” presented a novel test that can be run on any computing device to discover malware with a high degree of confidence. “This is the only solution that exists to any security or cryptography problem that's unconditional,” says Gligor. “This seems important—researchers have sought such solutions for decades.”
Two Engineering faculty members spoke at the RSA Conference in San Francisco earlier this month: CyLab Director Lorrie Cranor and CyLab/ECE’s Lujo Bauer. They were among eight total Carnegie Mellon faculty and staff members who spoke at the conference, which is focused on security and welcomes 40,000 attendees each year. Cranor led an all-day seminar that focused on how and why human behavior makes cybersecurity difficult. Bauer presented at the seminar and was a panelist on the panel “Hacking the Human: Special Edition,” which Cranor moderated.
CyLab’s Alessandro Acquisti spoke with CNET about California Gov. Gavin Newsom’s recent comments saying that companies should be charged a “data dividend.” They would pay a fee to use user information, and some of the benefit would be given back to the users. Legislation is being drafted by Common Sense Media to be submitted soon. Some privacy advocates, however, see a data dividend as an incentive for users to disclose their private information, as opposed to protecting it. Acquisti says these concerns are valid, up to a point. “I do not believe that such a significant change in the policy of consumer data will be implemented by the tech industry, in absence of regulatory intervention,” Acquisti said.
Savvides on the future of airport security
Twin Cities Pioneer Press
CyLab’s Marios Savvides was interviewed by the Twin Cities Pioneer Press about the future of airport security and the role advancing technology will play. Some airlines and airports have begun to test and implement biometric systems that scan travelers’ faces instantly to verify identity. “With a facial-recognition system, there would be no need for a TSA agent to check your ID,” Savvides said. “The system captures an individual’s iris and full face as they walk by.” A future with biometric screening, however, has some people concerned about data security and privacy, while others would simply like more consistent and respectful TSA officers.
Libert discusses AI and digital privacy reform
CyLab’s Tim Libert spoke recently on how AI and data-harvesting have affected personal privacy in the digital landscape. With the successful implementation of Europe’s General Data Protection Regulation (GDPR), Libert says the passage of similar legislation in the U.S. will hinge on the strength of lobbying efforts. “In the long term, I just don’t think it’s a sustainable model,” he says of current data-harvesting practices.
CyLab team studies user behavior to detect malicious websites
In an article for Security Magazine, ECE Ph.D. student Mahmood Sharif spoke about a CyLab research study to predict and detect malicious websites before users are exposed to them. The team analyzed the relationship between user behavior and malicious websites with data covering three months of web traffic from 20,000 users in 2017. They found that 11 percent of users were exposed to malicious
ECE’s Raj Rajkumar was quoted in an article by KQED that discusses why autonomous vehicles have a long way to go before they become mainstream and available across the country. While ample research and development are occurring in Pittsburgh and Silicon Valley for companies like Uber and Google’s Waymo, there are several reasons why the industry needs at least 10 years—probably more—of technological development. One reason is the weather, particularly snow, that is hard to predict and even harder to control. Heavy snow, rain, fog, and other conditions obstruct the view of the cars’ cameras, interfering with object recognition sensors. “It’s like losing part of your vision,” Rajkumar said.
Brumley on offensive cyber operations
The Washington Post
ECE/CyLab’s David Brumley was interviewed by The Washington Post about the Trump administration’s goal of loosening constraints on offensive cyber operations. A majority of security experts agree with the move, which allows the U.S. to challenge international adversaries and reconsider their attacks, but they advise proceeding carefully and caution against giving the military free rein. Brumley believes the move is “common sense” on an operational level. “The military should be able to use their judgment—within the confines of law—to determine where and how to conduct an offensive cyber operation,” he said. “Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”
Congratulations to the winners of the 2018 College of Engineering Staff Recognition Awards! At the 24th annual staff award ceremony winners were announced and length of service awards were distributed. The winners in each category were:
- Continuous Excellence Award: Beth Hockenberry (CEE)
- Innovation Award: Megan Kearns (CyLab)
- Inspirational Leadership Award: Sandra DeVincent Wolf (Dean's Office)
- Spirit Award: Deborah Kuntz (EPP)
- Rookie Award: Mi Kim (MechE)
- Burritt Education Award: Kate Sencindiver (MechE)
CyLab Director Lorrie Cranor recently commented for NBC News on the dramatic increase in the number of personal records stolen by hackers in the past year. Hackers stole almost 447 million personal records in 2018, more than double the 198 million estimated stolen in 2017. “We've always been sloppy when it comes to data security and the hackers are finding creative new ways to exploit that,” says Cranor.
Acquisti comments on Facebook privacy issues
The Economic Times
In 2018, Facebook confronted a series of data privacy crises, disillusioning users and angering privacy advocates. CyLab’s Alessandro Acquisti weighs in on the debate, saying “time and again, Facebook has shown a cavalier attitude towards the handling of users’ data.” He also comments that Facebook fails to clearly tell users the extent of their data collection.
Savvides recognized at Immigrant Entrepreneur Celebration
CyLab/ECE’s Marios Savvides was one of eight people recognized at GlobalPittsburgh’s 3rd Annual Immigrant Entrepreneur Celebration and Award Ceremony. Savvides, who hails from Cyprus, won the Technological Innovation category for his work as the founder and director of the CyLab Biometrics Center.
CyLab/EPP’s Lorrie Cranor recently commented for CNET in the wake of troubling emails that have emerged regarding data privacy practices at Facebook. While public concern has repeatedly been raised after multiple data privacy incidents at the company over the last couple years, the emails appear to cast doubt on Facebook’s claims that it does not sell user data. “This email certainly doesn’t express any value of privacy or protecting users,” says Cranor. “This is expressing that data is a corporate asset, and that we don’t want to give it away.”