Skip to main content

CyLab Chronicles

A Report from the 8th Annual CyLab Partners Conference

posted by Richard Power

The 8th Annual CyLab Partners Conference was held in September 2011, at the main campus of Carnegie Mellon University in Pittsburgh, PA. It offered attendees a unique opportunity to immerse themselves in a bold, cross-disciplinary program dedicated to deepening and enriching cyber security and privacy in the 21st Century.

Framed around seven main research areas, with seven more cross-cutting research thrusts, the CyLab program is driven by over fifty faculty members and over one hundred graduate students, CyLab students from numerous colleges within Carnegie Mellon University.

Here are brief excerpts from just four of over thirty compelling research reports offered during the body of the Partners Conference.

In the session on Secure Next-Generation Networks, Peter Steenkiste spoke on “The eXpressive Internet Architecture (XIA): An Architecture for a Trustworthy and Evolvable Internet,” a project which involves several CyLab researchers, as well as researchers from University of Wisconsin and Boston University.

Steenkiste provided an overview of XIA.

“The vision we are pursuing with XIA has four elements, the first is that we want an Internet that is trustworthy … Security, broadly defined, is the biggest challenge … the next requirement that we have is we would like an Internet that supports long-term evolution of usage models … today’s Internet is very host-centric, all packets are sent to hosts. If you look back at the original Internet and when it was designed, this should not be a surprise, because all applications, originally, were host-based … However, today’s applications aren’t host-centric at all. It is very rare for a user to care where a computer is or what its address is, what they care about is services and content … The next part of our vision is that we want to support long-term technology evolution. Doesn’t the Internet do that already? Well, kind of. Today’s Internet does a very good job of supporting evolution at the link level, the wires or the lack of wires (in the case of wireless), but the fact of the matter is we have had equally dramatic improvements in storage and computing technology, but it is very difficult to introduce this inside the Internet in a clean fashion … And finally, this is not just a project about technology, it is important that future Internet architecture basically fit into society: ISPs have to be able to support it, they must be able to make money on it, users must trust that Internet, application developers must be able to write applications for it …” 

Adrian Perrig, CyLab Technical Director and CyLab researcher David Andersen spoke on other elements of XIA-related research. Perrig spoke on “Scalability, Control and Isolation On Next-Generation Networks (SCION).” Andersen spoke on “Efficient Data Analysis with a Fast Array of Wimpy Nodes (FAWN)."

“This project, called SCION, provides secure and highly available point to point communication,” Perrig explained. “Essentially, we are trying to do the impossible here. We are trying to replace IP and PGP. Obviously, this is a very challenging issue, especially for deployment as IP is already everywhere. So the question is, why should you actually listen to me? The fact is that we need to know how good the world could get if we could redesign it. Most people have completely given up on trying to re-design IP and PGP, because they simply assume that IP and PGP are there to stay, forever, and we simply don’t have a way to replace them. However, as you are going to see we can really achieve dramatically improved security and availability if we redesign this… Consequently, we anticipate for some specialized networks, you could actually deploy these mechanisms, e.g., for secure communications for smart grid … Hopefully, over time, we could switch over to more secure networks …"

In the session on Privacy and Usability, Lorrie Cranor, Director of CyLab Usable Privacy and Security Lab (CUPS), delivered a presentation entitled, “I Regretted the Minute I Pressed Share, A Study of Facebook Regrets,” which is based on research conducted for CUPS’ privacy nudges project.

“What we wanted to do in this study is understand better what users do on social networks that they regret, what causes them to take these regrettable actions, what the consequences of these regrettable actions are, and whether they are actually changing their behavior or how they are handling these sorts of things going forward. And we wanted to know if what we are seeing in the media is typical of what is going on in Facebook, or are these just outlying cases. We ended up doing a series of studies, and our studies covered regrets both on Facebook and on Twitter. We interviewed or surveyed about fifteen hundred American Facebook users. We asked, ‘Have you ever regretted posting something on Facebook?’ Fifty-seven percent said yes … We found that regrets are not unusual, and that the majority of people surveyed had experienced regrets about something that they posted on Facebook … We found that some of these people do have serious consequences. There is a lot of relationship breakdown and some job loss. But we also found that even when they don’t have that sort of serious, tangible consequence, there are a lot of other consequences that people find very upsetting, and when we asked them to rate the severity of their regret, they rate this very high. So just the feeling of guilt or embarrassment can be very upsetting for people even if there is no tangible consequence.

"We also found that many of the regrets actually occurred within a day, some people regretted it immediately when they posted something, some people it was ten minutes or an hour later, but within a day most people had regretted what they had done. So what is it that people regret? We asked them to describe an incident that they most regretted, and then we asked them to categorize it … Sex and relationships are among the most common regrets people have on Facebook, use of profanity, alcohol, drugs, violence, politics, underage drinking and religion round out our list of top things that people regret … So besides things they post, we also found that people regret some other forms of activities, friending or unfriending people, using certain Facebook applications or tagging people in photos …

"We wanted to know why did people do it. There are lots of different reasons … Probably the most common one we saw both on Facebook and on Twitter is that when people are mad, or in a bad mood, and they want to vent, they are not thinking and they just post things they may regret later, on the other side, if they are excited in a positive way, they may also do things they regret although that doesn’t happen as often … All that some people could say was, ‘I just wasn’t thinking’ … A lot of people were under the influence of drugs or alcohol when they posted. Then there were the people that posted something they didn’t mean to post. Usually because they misunderstood the Facebook mechanism or because they pressed the wrong button. We’ve found about one third of regrets involved unintended audiences; and about seventy percent of that included Facebook ‘friends,’ so either people forgot or didn’t realize who was in their Facebook friend group …"

In the session on Software Security, CyLab researcher Collin Jackson spoke on his team’s work on Web Security.

“While a lot of people think that the problem with web security is that there so many attacks out there, so many bugs, so many holes, I think that the biggest threat to the web right now is that it is falling behind compared to other platforms for software. There are a lot of closed platforms, proprietary platforms, that are doing quite well right now, if you look at the Apple App store or the Android market, even desktop platforms, those platforms are able to move more quickly than the web, because of the fact that features take a very long time to make their way through standards bodies, and a lot of the reason is that it takes a very long time to get the feature right, and you only get one shot at it in the world of web standardization … So our research team at CMU Silicon Valley is looking at the way HTML is evolving and trying to find ways to accelerate the progress of the web by eliminating a lot of the concerns that researchers and vendors have about security and making it easier for them to analyze these features … We have set up this web site called Browserscope.org, you can go there right now and test your browser, and see which features that have been proposed and which have been adopted by your browser … it’s a crowdsourced site, an open source community project with Google. It is very interesting to see which features do extremely well on Browsersope and get adopted in a couple of years, and which features end up languishing and taking ten years or more before any vendor picks it up …

"What I have noticed, in the course of looking at the way in which HTML 5 has evolved, is that there are three criteria necessary for a feature to get broad adoption: it has to be a feature that replaces something that people desperately need, right now people are using flash player to access the web camera even though plug-ins are really designed more for playing movies and media content, so they found this hacky workaround … it is extremely difficult to use, and the API is proprietary … It has to be easy for the browser vendors to implement. If there is a lot of complexity to it, or it is not clear that the feature is secure, the browser vendors will be skittish, and will wait until the feature is easier to implement … And finally you need to make sure these features are low risk, and that they won’t break any existing applications, because then vendors will be afraid to put it in their next version. So we have developed some tools that are designed to help browser vendors evaluate security features and to help good ideas make their way on to the web and into the hands of billions of people …"

Some Related Posts


See all CyLab Chronicles articles