
Events and Seminars

All seminars start at noon ET and are held in the CIC building in Pittsburgh, PA. Seminars are open to faculty, students, staff and the general public. Webinars are provided for CyLab partners only, accessible live in the Partners Portal, and afterward via the Seminar Archive.
Research talks are informal sessions held for faculty and students. These talks are neither webcast nor recorded, due to their informal nature and topic relevance.
CERT and SEI Training schedules, as well as other related events, can also be found on this list.


April 27:  Seminar
Speaker: Limin Jia
April 20:  Seminar
Speaker: Michael Farb
April 13:  Seminar
Speaker: Nicolas Christin
April 6:  Seminar
Speaker: Ken Mai
March 30:  Seminar
Speaker: Bruno Sinopoli
March 23:  Seminar
Speaker: Alessandro Acquisti
Abstract forthcoming.
March 16:  Seminar
Speaker: Matthew Smith, Professor, Rheinische Friedrich-Wilhelms-Universität Bonn, Germany
March 2:  Seminar
What is a Cookie Worth?
Speaker: Rahul Telang

Recent technological advances have enabled detailed tracking of an individual user’s online browsing and transaction behavior through the use of digital cookies. Marketers now routinely use this information to deliver customized online advertisements to internet users based on their recent browsing history. Advertisers argue that using such information leads to better targeting users with relevant ads at appropriate times resulting in higher sales, making both the consumer and the seller better-off. Privacy advocates, on the other hand, claim that the cost of such privacy intrusion is too high and support strong restriction on such targeting.  

We seek to inform this debate by providing empirical evidence that quantifies the value of different types of information that cookies can track and their impact on advertising effectiveness. 

February 23:  Seminar
The IEEE Cybersecurity Initiative — Accelerating Innovation in Security & Privacy Technologies
Speaker: Greg Shannon, Chief Scientist, CERT Division at CMU Software Engineering Institute
As highlighted at the White House Summit on Cybersecurity and Consumer Protection, cyber security & privacy (S&P) are pervasive and growing concerns that affect individuals, companies, and nations.  Many IEEE members created, sustain, and grow the Internet, and IEEE has a decades-long history of forming and leading technical communities dedicated to engineering a cyberspace that provides security and privacy.  To more directly address these challenges, IEEE has launched a multi-year Cybersecurity Initiative (CybSI); its goal is to accelerate innovative research, development and use of efficient cyber security & privacy technologies that protect commerce, innovation and expression.
February 16:  Seminar
What Are They Doing With Your Data?
Speaker: Augustin Chaintreau, Assistant Professor, Columbia University

Today's Web services‒including Google, Amazon, and Facebook‒leverage user data for personalizing recommendations, targeting advertisements, and adjusting prices. Users currently have little insight, and at best coarse information, to monitor how and for which purposes their data are being used. What if we could tell exactly which item - whether an email you wrote, a search you made, or a webpage you visit - is being used to decide on a targeted ad or a recommended product for you? But how can we track data in an environment we do not control?

In this talk, we argue that without web transparency the exciting world open with your data threatens to become a breeding ground for data misuse, privacy negligence, or even unfair and predatory practices, discriminating the most vulnerable. Furthermore, we prove web transparency may be restored by building XRay, the first fine-grained, robust, and scalable tracking system for personal data on the Web. XRay diagnoses which clue (i.e. emails, viewed products) is being used as trigger to which outputs (i.e. targeted ads, recommended products, or differentiated prices). XRay is service agnostic, easy to instantiate, and leverages a novel and simple mechanism that, surprisingly at first, shows that as data in our web profile expands, the amount of resource required for transparency grows only logarithmically.

(joint work with Mathias Lécuyer, Roxana Geambasu, Riley Spahn, Guillaume Ducoffe, Andrei Papancea, and Theofilos Petsios)

February 9:  Seminar
The Art of Privacy
Speaker: Lorrie Cranor
Privacy is an abstract concept that can be difficult to visualize. However, privacy visualizations can offer interesting insights into how people conceptualize privacy. In this talk I will explore privacy through art. I will begin by showing some examples of privacy-related artwork created by myself and by other artists. Then I will discuss our Privacy Illustrated project, in which we invite everyday people to draw pictures of privacy and what it means to them.
February 2:  Seminar
Dancing with the Adversary: a Tale of Wimps and Giants
Speaker: Virgil Gligor
A system without accurate and complete adversary definition cannot possibly be insecure. Without such definitions, (in)security cannot be measured, risks of use cannot be accurately quantified, and recovery from penetration events cannot have lasting value. Conversely, accurate and complete definitions can help deny the adversary any attack advantage over a system defender and, at least in principle, secure system operation can be achieved.  In this talk, I argue that although the adversary’s attack advantage cannot be eliminated in large commodity software (i.e., for “giants”), it can be rendered ineffective for small software components with rather limited function and high-assurance layered security properties, which are isolated from giants; i.e., for “wimps.” 
January 28:  Celebration
Data Privacy Day 2015

Join us on January 28, 2015 for CMU Privacy Day 2015 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with an exciting schedule of privacy-related events.

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit


December 9 - December 12:  CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.
December 8 - December 12:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 
December 2:  CERT Training
Big Data - Architectures and Technologies
This one-day course is designed for architects and technical stakeholders such as product managers, development managers, and systems engineers involved in the development of big data applications. It focuses on the relationship among application software, data models, and deployment architectures, and how specific technology selection relates to all of these. While we touch briefly on data analytics, the course focuses on the distributed data storage and access infrastructure, and the architecture tradeoffs needed to achieve scalability, consistency, availability, and performance. We illustrate these architecture principles with examples from selected NoSQL product implementations.
December 1:  Seminar
Tree-based Oblivious RAMs and their Applications
Speaker: Elaine Shi, Assistant Professor at the University of Maryland

Oblivious RAM (ORAM), originally proposed by Goldreich and Ostrovsky, is a powerful cryptographic primitive for provably obfuscating a program’s execution behavior. Since the initial proposal of Oblivious RAM, two biggest questions remain: 1) whether ORAM can be made practical; and 2) whether the well-known logarithmic ORAM lower bound is tight.

In this talk, I will describe a new, tree-based paradigm for constructing ORAMs. This tree-based paradigm yields constructions that are conceptually simple, amenable to implementation, and orders of magnitude faster. Tree-based ORAMs have allowed us to prototype the first ORAM-capable secure processor, and have also allowed us to demonstrate that certain stronger interpretations of the ORAM lower bound are indeed tight.

I will further describe programming language techniques for memory-trace oblivious program execution. Finally, I will describe our vision of building a unifying programming framework for modern cryptography.

November 17:  Seminar
Hardware Security
Speaker: Olivier Benoit, Senior Staff Engineer at Qualcomm Inc.

The talk on "Hardware Security" will address vulnerabilities beyond software in embedded systems.

We will first go over general security properties and underlying cryptographic mechanisms. We will then investigate so-called side-channel analysis as well as fault attack threats. We will conclude with the various countermeasures available to mitigate hardware attacks.

November 10:  Viewing
Excerpts from the 11th Annual Partners Conference
Speaker: CyLab
Join us as we present two excerpts from the 11th Annual CyLab Partners Conference. We will watch presentations from Nicolas Christin and Ken Mai.
November 3:  Seminar
Exciting Security Research Opportunity - Next-Generation Internet
Speaker: Adrian Perrig
Given the diverse nature of constituents in today's Internet, another important challenge is how to scale authentication of entities (e.g., AS ownership for routing, name servers for DNS, or domains for TLS) to a global environment. Currently prevalent PKI models (monopoly and oligarchy) do not scale globally because mutually distrusting entities cannot agree on a single trust root, and because everyday users cannot evaluate the trustworthiness of each of the many root CAs in their browsers. To address these issues, we study the design of a next-generation Internet that is secure, available, and offers privacy by design; that provides appropriate incentives for a transition to the new architecture; and that considers economic and policy issues at the design stage. 
October 30:  Seminar
Passwords - A Guide to the Ruins and Lessons for Improvement
Speaker: Cormac Herley, Principal Researcher, Microsoft Research

We review some of our recent work on authentication and search for lessons on why problems here have proved so persistent. First, considering a user who has, not one but dozens of accounts to maintain, we find that the common advice (choose random passwords and one per account) is not merely difficult but impossible in the absence of memory aids. We show that weak passwords and password re-use, far from being shameful manifestations of user failings, are essential tools in allocating effort as portfolio size grows. Second, we examine the gap between the effort needed to withstand online and offline attacks, and find it to be enormous: probable safety occurring when a password resists 10^6 and 10^14 guesses respectively. This implies that many common practices guarantee large-scale waste of user effort. These include exceeding the online while falling short of the offline threshold, and encouraging users to resist offline guessing at sites where passwords are stored plaintext or reversibly encrypted.

Finally, we seek lessons. How do we end up insisting on the necessity of things that prove impossible? Why do we keep getting things wrong? What will it take to move things forward?
October 20:  Seminar
Towards More Secure and Usable Text Passwords
Speaker: Lujo Bauer
Despite numerous shortcomings and attacks, text-based passwords remain the dominant authentication method in computer systems. For several years, we've been studying how to help users create passwords that are hard for attackers to crack, but are still easy to remember and use. We developed a data-collection and analysis methodology that allowed us to study the strength and usability properties of passwords created by over 40,000 online study participants. Using this methodology, we explored the effectiveness of password-composition policies, password-strength meters, and detailed and step-by-step feedback and guidance during the password creation policies. In this talk I'll give a broad overview of our progress, focusing on more recent results.
October 10:  Seminar
Side Channels in Multi-Tenant Environments
Speaker: Mike Reiter, Professor at UNC Chapel Hill and Founding Technical Director of CyLab
With the growth of cloud computing, the security provided by public clouds to their tenants is increasingly being scrutinized, in part because these clouds arrange for mutually distrustful tenants to simultaneously execute tasks on the same hardware.  In this talk we explore a long-suspected but, to date, largely hypothetical attack vector in public clouds, namely "side-channel attacks" in which one tenant might learn sensitive information about another tenant simply by running on the same hardware with it, but without violating the logical access control enforced by the cloud's isolation software (hypervisor or operating system).  Specifically, we demonstrate the practicality of damaging cross-tenant side-channel attacks on modern hypervisors and operating systems, including some that we have demonstrated on commercial public clouds.  We will then describe various approaches we have developed to defend against side-channel attacks in cloud environments, both inexpensive defenses against our specific attacks and more holistic but expensive protections.
October 7 - October 8:  Conference
Carnegie Mellon University CyLab Partners Conference
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects. To learn more about attending the conference or becoming a partner, contact Associate Director of Partnership Development Michael Lisanti at  or 412-268-1870.
September 29:  Seminar
Narrowing the gap between verification and systematic testing
Speaker: Maria Christakis, Doctoral Student at ETH Zurich
The first part of the talk focuses on combining static program checking with systematic testing. We propose a technique for collaborative verification and testing that makes compromises of static checkers explicit such that they can be compensated for by complementary checkers or testing. In the second part of the talk, I will present how to use systematic testing to achieve verification. As a result of this work, we are able to prove, for the first time, that a Windows image parser is memory safe, that is, free of any buffer-overflow security vulnerabilities.
September 22:  Seminar
Simplifying Middlebox Policy Enforcement Using SDN
Speaker: Vyas Sekar

This talk will describe our work on an SDN-based policy enforcement system called SIMPLE for efficient middlebox-specific “traffic steering”. In designing SIMPLE, we take an explicit stance to work within the constraints of legacy middleboxes and existing SDN interfaces. To this end, we address key algorithmic and system design challenges and demonstrate the feasibility of using SDN to simplify middlebox traffic steering. In doing so, we also take a significant step toward addressing industry concerns surrounding the ability of SDN to integrate with existing infrastructure and support L4–L7 capabilities.

September 15:  Seminar
Trends and Concerns in Enterprise Information Security
Speaker: Anish Bhimani, Chief Information Officer, Corporate Technology and Risk at JP Morgan Chase
The landscape of technology in corporate environments is dramatically changing. While new technologies create exciting opportunities for organizations that embrace them, those same organizations are faced with an exponentially growing list of threats, both externally and internally.
September 8:  Seminar
A Primer on Cyber Threat Intelligence
Speaker: Michael Susong, Co-Founder of iSight Partners
Cyber Threat Intelligence:  It’s the latest trend and marketing phrase.  How is it really new or different? How is it distinct from threat feeds?  How does the IT security organization use intelligence to defend and be proactive?  This talk will be an operations level discussion of how an end to end cyber threat intelligence program works.  And how cyber threat intelligence flows across the enterprise.
August 18 - August 22:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 
July 22 - July 24:  CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. 
July 14 - July 18:  CERT Training
Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident handling work. 
July 9 - July 11:  Symposium
Symposium on Usable Privacy and Security (SOUPS) 2014
The tenth Symposium on Usable Privacy and Security (SOUPS) will be held July 9-11, 2014 at Facebook Headquarters in Menlo Park, California. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. Visit the SOUPS 2014 website for details.
June 27:  Workshop
Workshop on the Future of Privacy Notice and Choice

In this workshop we will explore the future of privacy notice and choice, examining the needs of end users, how technology can be used to better meet user needs, and relevant public policy space. The workshop will include invited speakers; panels focussing on users, technology, and public policy; and a research poster session.

June 9:  CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT.
May 19 - May 21:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.
May 12 - May 16:  CERT Training
Applied Cybersecurity, Incident Response and Forensics
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.
May 9:  Alumnus Book Signing
Core Software Security: Security at the Source
Speaker: Anmol Misra

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. Whatever development method is employed, software must be secured at the source.

May 1:  Research Talk
SocioPhone - Mobile interaction sensing system and its applications
Speaker: Youngki Lee, Assistant Professor, Singapore Management University
In this talk, I will first introduce SocioPhone, a mobile system for face-to-face interaction monitoring. Then, I will introduce a novel Sociophone application, TalkBetter, in more detail. TalkBetter is a mobile in-situ intervention service for everyday clinical care for children with language delay, which is firmly grounded on extensive collaboration with speech-language pathologists.
April 28:  Seminar
Converses for Information Theoretic Cryptography
Speaker: Himanshu Tyagi, Postdoctoral Fellow at the Information Theory and Applications Center, UCSD
In this talk, we will review some simple schemes (based on error correcting codes and efficient hashing) for accomplishing the central cryptographic goals of secret key generation and secure computing.
April 21:  Seminar
Measuring and Defending Against Search-Result Poisoning
Speaker: Nicolas Christin
Search-result poisoning, the technique of fraudulently manipulating web search results, has become over the past few years a primary means of advertisement for operators of questionable websites.
April 14:  Seminar
Social Cybersecurity
Speaker: Jason Hong

There has been a tremendous amount of past work demonstrating many powerful and subtle ways of how social factors can influence people's behaviors and inclination to adopt innovations. However, little of this work has been adapted for cybersecurity. In this talk, I will discuss some of our team's work in progress here. 

April 7:  Seminar
SafeSlinger: Easy-to-Use and Secure Public-Key Exchange
Speaker: Michael Farb
SafeSlinger is the result of research into several protocols, designed to subvert the bane of public-key cryptography, the man-in-the-middle attack.  This solution easily bootstraps secure communication in-person with a device most people already own - their phone. SafeSlinger is designed to allow users to securely exchange any data, such as a public key, for later use.
March 31:  Seminar
Analytic Modernization for the National Security Agency and the Intelligence Community
Speaker: Dr. Patrick Dowd, Chief Technical Officer and Chief Architect, NSA/CSS
How can we create an environment that is still operate-able while under attack?  How can we be certain our data is used according to our legal authorities? This talk will outline a shift in our analytic operating model that was motivated by the desire to improve our analytic product and the security of our environment.
March 24:  Seminar
The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value
Speaker: Michelle Dennedy, VP, Chief Privacy Officer, McAfee
This talk will address a cross-functional view on how we got to where we are in the world of taglines like "Big Data", "The Information Age", "Quantified Self" and "IoT".
March 17:  Seminar
Do Search Engines Influence Media Piracy? Evidence from a Randomized Field Study
Speaker: Rahul Telang
The goal of this study is to use a randomized field study to analyze whether search results can influence consumers' choices for piracy versus legal consumption channels.
March 3:  Seminar
Verifying Networking Protocols Using Declarative Networking
Speaker: Limin Jia
In this talk, I will present our work on leveraging NDlog, a declarative networking language, to build a unified framework for implementing, formally verifying, and empirically evaluating network protocols.
February 24:  Seminar
Designing Secure and Reliable Wireless Sensor Networks
Speaker: Osman Yagan
In this talk, we will present our approach that addresses this problem by considering WSNs that employ a randomized key predistribution scheme and deriving conditions to ensure the k-connectivity of the resulting network.
February 17:  Seminar
Privacy through Accountability
Speaker: Anupam Datta
Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled audit and accountability mechanisms with provable properties that seek to encourage policy-compliant behavior by detecting policy violations, assigning blame and punishing violators. 
February 10:  Seminar
Senior Online Safety - An Imperative
Speaker: Christopher Burgess, CEO, Prevendra, Inc.
The imperative comes with a push to make senior online safety a reality, bring long term health care facilities into the fold with defined security awareness program; implementation strategies for senior citizen protected network solutions, solutions with family engagement and moderation.
February 3:  Seminar
Toward Self-Managing, Context-Aware Networked Systems
Speaker: Patrick Tague
In this talk we'll describe how this deeply integrated context-awareness can be applied to robust wireless communication, efficient mobile/cellular networking, privacy-preserving sensing in smart environments, and adversarial settings.
January 20:  Seminar
The Password That Never Was
Speaker: Ari Juels, roving chief scientist specializing in computer security
Honeywords are decoys designed to be indistinguishable from legitimate passwords. When seeded in a password database, honeywords offer protection against an adversary that compromises the database and cracks its hashed passwords. 
January 13:  Seminar
The SAFE Machine: An Architecture for Pervasive Information Flow
Speaker: Benjamin Pierce, Professor, University of Pennsylvania
The CRASH/SAFE project is building a network host that is highly resilient to cyber-attack. At the lowest level, the SAFE hardware offers fine-grained tagging and efficient support for propagating and combining tags on each instruction dispatch.