CyLab Chronicles Archive

CyLab Chronicles is a series of articles that provide insight into the research conducted in CyLab at Carnegie Mellon University. From smartphones to network configuration protocols, face-recognition applications to privacy policy, the details come to light in the Chronicles.


CyLab Leans Forward In Its Tenth Annual Partners Conference
For many of us working in and with CyLab, the 2013 Annual CyLab Partners Conference was a particularly poignant one. It marked the tenth anniversary of this world-class cyber security and privacy research program.

CyLab's Strong Presence Continues at Annual IEEE Symposium on Security and Privacy
The 34th annual IEEE Security and Privacy Symposium was held May 19-22, 2013, in downtown San Francisco. Once again, as in recent years, Carnegie Mellon University CyLab researchers made a significant contribution to both its content and its tone.

CyLab Researchers Featured on CBS Sixty Minutes
After years of NCIS and other popular law enforcement TV dramas, there is an expectation that facial recognition technology could have led to a speedier conclusion to the Boston Marathon bombing suspect manhunt, or perhaps even have prevented the savage attack.

CyLab Seminars Series Offers Vital Perspectives on Critical Issues in Cyber Security and Privacy
On Mondays at noon, during the school year, CyLab presents its Seminar Series. These talks highlight the research of CyLab faculty as well as visiting scholars. In addition, through the CyLab Business Risks Forum, experts in security and privacy from business and government share vital operational perspectives.


A Glimpse Into the 9th Annual CyLab Partners Conference
Annual Partners Conference content is archived on the CyLab Partners Portal (another exclusive benefit of membership), including videos of the research presentations, along with PDFs of the slides for each presentation, as well as the student posters documenting current projects. To entice you to consider taking advantage of the benefits of CyLab partnership, and to contribute to the general dialogue on the vital issues of cyber security and privacy, we have posted a CyLab Partners Conference sampler and some other content to both the CyLab YouTube Channel and the CyLab iTunesU Store.

CyLab's Strong Presence at IEEE Security and Privacy 2012 Packs A Wallop
Seven papers authored or co-authored by CyLab researchers were presented in the course of the three-day program. In addition to the papers presented, CyLab faculty also chaired three sessions. Here is the CyLab 2012 IEEE Security and Privacy roster of papers and presenters, with brief excerpts from each paper ...

Lightning in a Bottle? A Brief Tour of CyLab Online
Indeed, CyLab is an audacious undertaking; and doing justice to such audacity has been quite a challenge. How do you sustain a narrative that is so complex? How do you communicate the prevailing spirit of the overall program, while at the same time documenting the painstaking progress of individual researchers? Since its launch in 2008, CyLab Online has pursued these daunting goals. And as of this writing, we have over two thousand pages of content, stretching across two central hubs, as well as several other outposts throughout the World Wide Web. Let us take you on a brief tour of some of what is available via CyLab Online.

Mike Farb Offers Insights Into SafeSlinger, CyLab's Powerful New Smartphone App
We want to provide secure operations even with careless users and powerful local adversaries who can monitor our messages and potentially alter our messages. We want to be able to detect group members attempting to impersonate other groups members. We want to eliminate the need to count in large groups. We want to enable remote operation, so that we can also do this over the phone. (We can assure each other of our presences, because we can recognize our voices in real time.) We want no information leaked to outsiders, even if the protocol fails.


Anthony Rowe on Wireless Sensor Networks for Building Energy Management
Imagine having sensors all over the environment, telling you where the energy is going and what devices are using it. We can look for anomalies in the system. We can look at patterns over time. And we can see if some particular aspect of a building is misbehaving, or performing abnormally compared to what it would normally do, and that would flag a facilities maintenance person to inspect or replace equipment. Imagine a system where you have control as well, so you have both sensing and control over the infrastructure.

A Report from the 8th Annual CyLab Partners Conference
The 8th Annual CyLab Partners Conference was held in September 2011, at the main campus of Carnegie Mellon University in Pittsburgh, PA. It offered attendees a unique opportunity to immerse themselves in a bold, cross-disciplinary program dedicated to deepening and enriching cyber security and privacy in the 21st Century ... Here are brief excerpts from just four of over thirty compelling research reports offered during the body of the Partners Conference.

Q&A with Nicolas Christin (2011)
Our network analysis indicates there are probably about a dozen groups at most that are or have been involved in these advertising techniques. They fan traffic from several thousand compromised websites to a few hundred pharmacy websites. We're not sure how many actual individuals are behind those pharmacies, but advertisers and pharmacies seem to be two distinct entities; and given that there are not that many large advertisers, it may make sense to try to take them down, and stop the flow of traffic to online pharmacies, rather than going after the pharmacy operators themselves.

Q&A with Lorrie Cranor (2011)
CUPS research continues to play a role in informing the privacy policy debate. The privacy nutrition label approach we developed is mentioned frequently as regulators encourage the adoption of more consumer-friendly privacy notices. Our work on location privacy is also cited frequently on Capitol Hill. Our work on understanding consumer beliefs and attitudes about behavioral advertising is relevant to the do-not-track debate. And we expect our ongoing work evaluating the usability and effectiveness of various behavioral advertising choice mechanisms to shed light on the usefulness of these tools in practice.

Q&A with Adrian Perrig (2011)
With fifty plus faculty researchers, and one hundred plus graduate students, working along seven major research thrusts and seven cross-cutting research thrusts, CyLab's program impacts a broad spectrum of challenges, from securing the smart grid to enhancing personal privacy; but none is more sweeping in its implications and potential consequences than Scalability, Control, and Isolation On Next-Generation Networks (SCION).

Q&A with Michael Farb (2011)
KeySlinger is the result of research at Carnegie Mellon’s CyLab that resolves a specific security problem. The problem: How can we start a trusted relationship between people, on the fly, without people having sophisticated knowledge of security protocols?


Q&A with Norman Sadeh and Jason Hong
The goal of the platform is to make it easier to develop, deploy, and manage a suite of micro-games for cybersecurity awareness. This includes features for motivating employees to train, as well as monitoring its effectiveness and compliance rates within your organization. We are planning on two versions of the platform.

A Report on TIW 2010
"The Trusted Infrastructure Workshop (TIW) is intended as an open collaboration, education and innovation platform to bring together researchers and expert technologists from across industry, academia, and government alike. Research in Trusted Infrastructure is key to addressing today's need for information system security that we can trust in a global connected world." -- Boris Balacheff, HP Labs

Q&A with Bruno Sinopoli (2010)
Cyber-physical systems (CPS) are physical and engineered systems whose operations are monitored, coordinated, controlled and integrated by a computing and communication infrastructure. CPS will transform how humans interact with and control the physical world around us. We will be able not only to customize our infrastructure in real time to fit our needs, but we will be able to make it safer and more reliable.

Q&A with Jason Hong
Today, we have networked desktop computers, mobile phones, game consoles, and DVRs. Tomorrow, it will also include toys, stereos, home media systems, security systems, medical sensors, and more. The challenge here is that these home networks are maintained by home owners who don't necessarily know a great deal about computer security, nor do they want to.

A Report on the CyLab Silicon Valley Briefing
Will we develop the 21st Century cyber security technologies and strategies required to cope with this runaway risk and threat matrix?

Q&A with Lorrie Cranor (2010)
"We created SOUPS, in part, because it was hard to publish usable security papers in traditional venues. The good news is that now we can publish usable security papers in a variety of places."

Q&A with Nicolas Christin (2010)
"More and more attacks are motivated by financial gain, so it makes sense to try to see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime."


Q&A with Collin Jackson
"It turns out that some ad networks will let you run whatever JavaScript or Flash movie you want in the ad, so exposing a victim to an exploit is quite cheap (less than one cent per impression) and it doesn't even matter whether the victim clicks the ad."

Q&A with Patrick Tague
“This cross-layered approach to anti-jamming parallels the recent exposure of highly-efficient jamming strategies using higher layer protocol information to conserve jammer resources.”

Q&A with Jonathan McCune
“Today we cannot say with any degree of certainty that a computer system is secure. In fact, I can say with a very high degree of confidence that there is still another yet-to-be-discovered vulnerability in every software program of significant size.”

Q&A with Dena Haritos Tsamitis
“The challenge for information security education is to have enough qualified, motivated learners sitting at our desks at the beginning of each semester, so we can meet the high demand for our students at graduation.”

Q&A with Anupam Datta
"Another significant challenge with analysis methods for secure systems is scaling these methods to complex, large scale, real systems. We are exploring several approaches to address this problem, in particular, secure composition and security-preserving translations."

Second Age of Carnegie Mellon in Silicon Valley
"Don't get me wrong. Pittsburgh also has a culture of innovation and entrepreneurship, but there is something about this air out here, once you start breathing it you don't want a real job anymore, you want to be an entrepreneur," Khosla remarked wryly.

Q&A with Julia Allen
"Software security is a pay me now, pay me later proposition... You can fix it during code and test or you can incur all of the costs (dollars and productivity losses) associated with releasing a patch into a production system."

Q&A with Pei Zhang
"SensorFly is a controlled-mobile flying sensor network platform. To the best of our knowledge, it is the most lightweight flying sensor platform implemented to date."

Q&A with Lujo Bauer (2009)
"These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users."

Q&A with David Brumley
"I believe software security is much more than arguing about the security of the code compiled. We need to secure the entire life cycle of code, from development, to deployment, to end-user configuration, to eventual retirement. Up till now, most software security research and practice has focused on finding and protecting against vulnerabilities in source code."

CyLab 2009 – Audacious Research in a Troubled Time
"...the future cannot arrive soon enough; and the future, after all, is the business of CyLab. CyLab faculty and graduate students are working on seven research thrusts, and along seven more cross-cutting research thrusts, in an audacious program aimed at harnessing the future to secure the present; and, of course, in the process, they are contributing to renewed prosperity and opportunity through capacity building in the areas of technology, personnel and industry..."

Q&A with Bill Scherlis
"Software assurance is a human judgment about various qualities and characteristics of software. To get to the point where we have enough evidence in hand to make such a judgment with confidence, we need to think clearly about our software and the way we produce it."


Wombat: The Latest CyLab Success Story
"As demand for our solutions continued to increase, we also came to realize that, as a university, we would only be able to go so far in distributing and maintaining our solutions. So the path forward was fairly clear and Wombat was eventually launched earlier this year. As a commercial entity, we have gained further visibility and have daily opportunities to talk to customer organizations and to closely monitor phishing attacks as they continue to evolve."

Q&A with Bruno Sinopoli (2008)
"My goal is to set new standards for the security of critical infrastructures, such as power, gas and water distribution networks, transportation systems and built environments. Among the target applications, I believe that Supervisory Control And Data Acquisition (SCADA) systems are likely to greatly benefit from advances in CPS security."

Q&A with Dawn Cappelli
"The insider threat diagnostic enables organizations to gain a better understanding of actual insider threat activity and an enhanced ability to assess and manage associated risks. It merges technical, organizational, personnel, and business security and process issues into a single, actionable framework."

Q&A with Mahadev Satyanarayanan
"Kimberley is an experimental prototype that we are building to explore the concept of transient customization. Kimberley decomposes customized virtual machine (VM) state into a widely-available ‘base VM’ and a much smaller, possibly proprietary, ‘private VM overlay.’ These two components are delivered to the site being provisioned in very different ways."

Q&A with Nicolas Christin (2008)
"… a lot of economic models tend to assume that people are always perfectly rational in their behaviors, and that they have a lot more information available than they actually do in practice. Using behavioral and psychological analysis allows us to understand the weaknesses of these assumptions, and refine our models to be a better depiction of reality."

CyLab Mobility Research Center: Syncing in Anywhere, Anytime
"We're exploring all of these systems concepts -- infrastructure, devices, user interfaces, data, networking, operating systems, file-systems -- through large-scale pilot and testbed deployments. This is a significantly different approach from building small one-off lab projects."

Q&A with Yang Cai
"Visual Thinking Agents (VTAs) are embeddable software tools for visual intelligence. … We have so much visual information but not enough eyes. Image and video collections grow at a rate that exceeds the capacities of human attention and networks combined."

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS)
"The new view of security that has emerged is that stuff often breaks because the incentives are wrong. The people who guard the systems or who could fix them don’t have the motivation to do so."

Q&A with Norman Sadeh
"Cell phone operators, social networking sites, and Internet portals are all experimenting with new services that involve the sharing of personal information. Our experiments show that giving users adequate controls over their privacy will be an important element in the adoption of these technologies."

Q&A with Lorrie Cranor
"It has become very easy to expose your personal information without even realizing you are doing it. And once that information is exposed, it may be archived, copied, sold, and combined with all sorts of other information."

Q&A with Dena Haritos Tsamitis
"The bottom line is that our students are in high demand. In recent years, our graduating classes have achieved a hundred percent job placement rate at graduation. What sets our students apart is their understanding of the business and policy implications of technology solutions."

Q&A with Tina Wong
"Misconfigurations have serious financial, security and performance implications… Our work aims to help network operators avoid these misconfigurations by simplifying, documenting and verifying router configuration."

Q&A with Alessandro Acquisti
"Even more than technological problems, identity theft and spam are economic problems, in the sense that they originate from misaligned incentives on the side of those who are supposed to or are in the position to protect the system, and from the high profit margins on the side of those who are trying to game the system."

Q&A with Anupam Datta
"A fundamental question in computer security is the following: Does a given protocol or system guarantee certain security properties even in the face of attack? Our work provides a theoretically well-founded approach for answering this question for widely deployed network protocols such as SSL, IEEE 802.11i, Kerberos, and the IPSec standards."

Q&A with Lujo Bauer (2008)
"Through the use of smartphones as a device that can interact with both physical and computer resources, GREY makes it possible to use a single system to control access to both physical and virtual resources."

Q&A with Mario Savvides
"Software security is a pay me now, pay me later proposition. There is ample evidence indicating that it is much more cost effective (by factors of 100:1 or more) to address a security requirements or design flaw (that can propagate forward into code and production) as early in the lifecycle as possible. The same is true for a security defect or coding error. You can fix it during code and test or you can incur all of the costs (dollars and productivity losses) associated with releasing a patch into a production system."

Q&A with Adrian Perrig
"Essentially, SecVisor makes the OS believe that it is in control of memory, even though SecVisor is in full control. SecVisor then uses this control to protect the OS against malicious writes to its code, as well as ensure that only authorized code can execute in the kernel privilege level."