Thursday, October 8, 2009

CyLab Technical Director Adrian Perrig Wins Information Security Magazine 2009 "Security 7" Award



"Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error." Michael Mimoso, Editor, Information Security Magazine

Carnegie Mellon CyLab's Adrian Perrig was awarded a Security 7 Award from Information Security magazine for innovative cybersecurity research in academia.

Perrig, Technical Director of Carnegie Mellon CyLab, is also a professor in the departments of Electrical and Computer Engineering and Engineering and Public Policy, and the School of Computer Science. He will be recognized in the magazine's October issue. This is the fifth year of the awards program, which drew more than 150 nominations throughout North America.

"I am deeply honored by this award because it demonstrates the important contributions under way by academic researchers in critical areas of security decision-making and novel technologies designed to protect users from cyber attacks," Perrig said.

Michael S. Mimoso, editor of the Massachusetts-based Information Security magazine, said the awards recognize the achievements of security practitioners and researchers in a variety of industries, including education. "Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error," said Mimoso, a 2007 fellow at Carnegie Mellon's Information Technology Media Fellowship Program supported by the university's College of Engineering.

This year's other recipients include Jerry Freeze, Director of IT Security Engineering for American Electric Power (Utilities), Melissa Hathaway, Former Acting Senior Director for Cyberspace for the National Security Council (Government), Bruce Jones, CISO, Kodak (Manufacturing), Jon Moore, CISO, Humana, Inc. (Healthcare), Bernie Romaniski, IT Security Officer, Regis Corp. (Retail), and Tony Spinelli, CSO, Equifax (Financial Services).

Each recipient of the fifth annual Security 7 Awards was asked "to write a first-person essay on a subject matter they are passionate about."

Here are a few brief excerpts from Perrig's essay, Improve SSL/TLS Security Through Education and Technology, with a link to the full text:

Probably the most fundamental threat to SSL/TLS security is a so-called man-in-the-middle (MitM) attack, where an adversary interposes in a connection between a client and a server to eavesdrop on communication or inject malicious data. Such MitM attacks can be mounted by any entity handling network packets, and are usually mounted in wireless networks in public environments, e.g., in coffee shops, airports, conferences, etc. The SSL/TLS protocol is designed to protect against man-in-the-middle attacks.

Unfortunately, many real-world issues still enable adversaries to mount attacks ...

Over the past seven years, I have been teaching more than 100 students each year about the various issues with SSL/TLS ... In several instances, the lessons learned in class fell on fertile ground: the students immediately assessed the security of their banks' websites and informed their banks to report cases of inadequate security. In numerous instances, the banks listened to the students' feedback and promptly improved security. In some cases, it was as simple as fixing a typo by adding the critical "s" to complete the URL to "https" for the login page. In more difficult cases, students needed to convince the banks' security administrators that Javascript-based encryption loaded from a non-https page can be easily removed by a MitM attacker. In summary, educating a critical mass of students who further disseminate security knowledge can result in real improved security for everyone.

Together with student education, technology that provides the user with additional information for improved security decision making can also enhance security. To improve security for https sites with self-signed certificates, as well as detect numerous attacks on https sites using bogus certificates, Dan Wendlandt, Dave Andersen and I designed and built Perspectives, a Firefox plug-in that connects to notary servers to assist in validating https credentials ...
Improve SSL/TLS Security Through Education and Technology, Information Security Magazine, 10-8-09

Text of press release

Thursday, September 24, 2009

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition



Our Hackjam will consist of 10 challenges which relate to Binary Analysis, Reverse Engineering, Exploitation, Web Security, Forensics, and all the other materials that are required to be a hacker. I can guarantee that these problems are not like other CTFs where they have to solve nonsense puzzles, instead of true hacking. We tried to create challenges that greatly resemble real world scenarios and environments, at the same time, adding fun and educational ingredients to them. Trust me, you won't regret it. Sapheads Hackjam

By Richard Power


Carnegie Mellon University's "Capture The Flag" (CTF) team, a.k.a. "Plaid Parliament Of Pwning", won third place in a recent Sapheads Hackjam competition.

CyLab researcher David Brumley, the team's faculty sponsor, provides some context: "Capture the Flag is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. There were 100 teams from all over the world, so this is quite an accomplishment. They were top in the US, and solved as many problems as the top two winners."

Brumley also cited CyLab's strong contribution to the success of the effort: "JongHyup is a visiting scholar at CyLab. Jiyong, Sang Kil, and Ed are all funded by CyLab, and CyLab provided resources and space for the team. Symantec, one of CyLab's corporate partners, was also a sponsor."

Here's the proud roster of Plaid Parliament Of Pwning:

Joseph Ceirante (MS, INI)
Jonathon Cooke (MS, INI)
Brian Pak (Undergrad, CSD)
Sang Kil Cha (MS, ECE)
Jiyong Jang (PhD, ECE)
JongHyup Lee (Postdoc, ECE)
Ed Schwartz (PhD, ECE)
Andrew Wesie (Undergrad, CSD)

Here is my interview with the team.

CyBlog: Describe the nature of this particular CTF contest. And what level of teamwork was required?

Plaid Parliament Of Pwning: The general format and rules were similar to other CTF contests, where we need to find a key string to proceed to the next stage. However, Sapheads – host of HackJam – claimed that they had differentiated their problem sets from others. Unlike usual CTF contests, they tried to relate problems to real world scenarios.
As problems got harder to solve, teamwork became more critical. The more brains that are coming up with ideas, the more successful you are going to be. It is possible for one person to do the entire competition, but doing it as a team is more effective and faster.

CyBlog: Give us an example or two of the kinds of problems you had to solve.

Plaid Parliament Of Pwning: Most of the problems required a mixture of several categories of techniques. These categories include binary reverse engineering/exploitation, web hacking, and forensics.
First, as an example of binary exploitation, we needed to exploit a binary with stack protection that was running on the target server. Specifically, it was checking the integrity of the stack.
Also, as an example of web hacking, we had to use XSS (Cross Site Scripting) and PHP code injection to access confidential data (in this case, the key phrase).
Third, we also had a forensics problem, where we needed to analyze captured network packets and extract various types of data, such as zip and VoIP, that gave a hint for the password.

CyBlog: What was the most challenging problem you solved successfully and how did you do it?

Plaid Parliament Of Pwning: A problem that was both very interesting and challenging involved reconstructing an OpenSSH private key, which was being used for public key authentication, from the core dump of ssh-agent. This problem was unique because we weren't trying to exploit some bug or reverse a program, since it involved an open source program whose source code was readily available. Instead, it required you to be able to understand the source code quickly, relate it to what was in memory, and extract the information you needed.
Finding the key in memory wasn't too hard. You just needed to follow a couple of pointers and you were at the bytes you needed. What made it difficult was the format the key was in: arrays of integers. How do a couple of arrays of integers represent the components of an encryption key? Thanks to the source code and Wikipedia, it was trivial to see that each array represented one big number. Then, after sifting through the OpenSSL source code, which is quite a mess, one can start to imagine how these integers end up representing some really big numbers. And then it is a simple matter of constructing a private key file, though it was not easy to find documentation for the OpenSSH private keys. Thankfully, after some time, another open source program plus a little luck resulted in a working private key.
Moral of the story, and one that is in the version of OpenSSH I looked at: letting a program that has your private keys core dump is a really bad idea.

CyBlog: What do such contests teach you about the nature of developing attacks and countermeasures?

Plaid Parliament Of Pwning: One of the ways that the problems got harder is that they started to implement some countermeasures against buffer overflow attacks. Obviously these countermeasures weren't perfect, but they definitely made it more challenging. And this is somewhat realistic: anyone with enough time and resources is going to find a way to break your system; the best you can do, for now, is to make it as difficult as you possibly can.

CyBlog: Do you discern any differences in style, skill levels, etc., between hackers from different countries or regions?

Plaid Parliament Of Pwning: What determines the style and skill level between hackers is their past experiences. While the country or region they are from can influence this, it definitely is not a major difference.
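The core-dump lesson from the ssh-agent problem above, as an added example that is not code from the CyBlog post, the team, or OpenSSH: a process that holds key material disables core dumps before touching the secret and wipes the key buffer after use, so a crash leaves nothing on disk for anyone to reconstruct. It assumes a POSIX host (the prctl call is Linux-only); the key bytes are constructed dummies.

```c
/* Added example, not from the CyBlog post or OpenSSH: harden a process
 * that handles key material against leaking that material via core dumps.
 * Assumes a POSIX host; the prctl() step applies on Linux only. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse to write core files for this process (and children it forks).
 * Returns 0 on success, -1 if the kernel rejected either step. */
int harden_against_core_dump(void)
{
    struct rlimit rl = { 0, 0 };            /* soft and hard limit both zero */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Also mark the process non-dumpable, so unprivileged ptrace and
     * /proc/<pid>/mem reads of this process are refused as well. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Report whether the core-file limit is now zero (1 = disabled). */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Zero a secret buffer through a volatile pointer so the compiler cannot
 * drop the stores as "dead" writes to a buffer that is never read again. */
void wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Constructed stand-in for "load key, use it, discard it".
 * Returns 1 if the buffer is all zero after use, 0 otherwise. */
int use_key_then_wipe(void)
{
    unsigned char key[32];
    memset(key, 0x41, sizeof key);          /* constructed dummy key bytes */
    /* ... the key would be used for signing here ... */
    wipe_secret(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    if (harden_against_core_dump() != 0) {
        perror("harden_against_core_dump");
        return 1;
    }
    printf("core dumps disabled: %s\n", core_dumps_disabled() ? "yes" : "no");
    printf("key wiped after use: %s\n", use_key_then_wipe() ? "yes" : "no");
    return 0;
}
```

Lowering the hard RLIMIT_CORE to zero is irreversible for the process, which is the point: a later bug or signal cannot re-enable dumping.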

Thursday, September 17, 2009

Google Acquires ReCaptcha, Spin-Off Based on CyLab Research



"Google is the best fit for reCAPTCHA," von Ahn said. "From the very start,
people often assumed the project was connected to Google, so it only makes
sense that reCAPTCHA Inc. ultimately would find a home within Google."
Reuters, 9-16-09

Once again, the fruits of research from within the creative matrix of Carnegie Mellon University CyLab have grabbed headlines across the mainstream, business and IT media; this time, it's Luis von Ahn and ReCaptcha.

Here are a few excerpts from sample news stories, with links to the full texts:

Acknowledging once again that humans are better than computer algorithms at some tasks, Google said on Wednesday that it had acquired ReCaptcha, a start-up that grew out of a research project at Carnegie Mellon, for an undisclosed amount. New York Times, 9-16-09

"The words in many of the captchas provided by reCaptcha come from scanned archival newspapers and old books," wrote Luis von Ahn, co-founder of reCaptcha, and Will Cathcart, a Google product manager, in a blog post. "Computers find it hard to recognise these words because the ink and paper have degraded over time, but by typing them in as a captcha, crowds teach computers to read the scanned text. In this way, reCaptcha's unique technology improves the process that converts scanned images into plain text, known as Optical Character Recognition (OCR). This technology also powers large scale text scanning projects like Google Books and Google News Archive Search. Telegraph/UK, 9-17-09

Google says reCaptcha's technology can help it with some of its high-profile initiatives, like scanning books and newspapers to create searchable archives. As users type in the words, they help teach computers to read scanned text, improving computer accuracy when converting scanned images into plain text, a process known as optical character recognition.
"Having the text version of documents is important because plain text can be searched, easily rendered on mobile devices and displayed to visually impaired users," Google said in a blog post about the deal.
Wall Street Journal, 9-16-09

Google has no shortage of errors to correct. One of the company's Book Search engineers recently acknowledged that there are millions of errors in the metadata used to describe the books scanned for Google Book Search. No doubt the company's OCR output isn't perfect either.
But such problems look a lot less daunting when one can leverage CAPTCHA input to correct errors.
Information Week, 9-16-09

Tuesday, August 25, 2009

CUPS Director Lorrie Cranor Receives NSF Funding For Interdisciplinary Doctoral Program in Privacy and Security



Patrick Kelly of Tonawanda, N.Y., also said the new program will dovetail nicely with his privacy research. "I'm looking at how to improve the often arcane privacy policies all shoppers experience when surfing the Internet," said Kelly, a Ph.D. student at the Institute for Software Research in the School of Computer Science. "We would ultimately like to create a standard format for privacy rules."



Carnegie Mellon University’s Lorrie Cranor and her colleagues received a five-year, $3 million grant from the National Science Foundation (NSF) to establish a Ph.D. program in usable privacy and security.
“Carnegie Mellon’s CyLab Usable Privacy and Security (CUPS) Doctoral Training Program will offer Ph.D. students a new cross-disciplinary training experience that helps them produce solutions to ongoing tensions between security, privacy and usability,” said Cranor, associate professor in the Institute for Software Research, the Department of Engineering and Public Policy and Carnegie Mellon CyLab — one of the largest university-based cybersecurity education and research centers in the world.
Cranor said the CUPS doctoral training program is designed to give students both classroom learning as well as collaborative research training with teams of mentors from different disciplines, internships and summer seminars …
The new CUPS program funded through the NSF’s Integrative Graduate Education and Research Traineeship program is now available to Ph.D. students across the university, including the programs in Computation, Organizations and Society, Engineering and Public Policy, Human Computer Interaction, Computer Science, Electrical and Computer Engineering, and Public Policy and Management.
Core faculty in the program include Alessandro Acquisti, an assistant professor of information technology and policy in the H. John Heinz III College and CyLab researcher; Lujo Bauer, a research scientist with Carnegie Mellon CyLab and the Electrical and Computer Engineering Department; Nicolas Christin, associate director in the Information Networking Institute and CyLab researcher; Julie Downs, a research scientist in the Social and Decision Sciences Department; Jason Hong, an assistant professor in the Human Computer Interaction Institute; Norman Sadeh, a professor in the Institute for Software Research and CyLab researcher; and Marios Savvides, director of the Carnegie Mellon CyLab Biometrics Center and a research scientist in the Department of Electrical and Computer Engineering.

Full text of the press release

For more information

Some Related Posts

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

CyLab's Cranor Publishes in Scientific American --"How to Foil Phishing Scams"

CyLab Research on the Cost of Reading Privacy Policies Makes Waves

CyLab Chronicles: Q&A with Lorrie Cranor

Sunday, August 16, 2009

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Montreal Harbor, 1889


The city proper covers most of the Island of Montreal at the confluence of the Saint Lawrence and Ottawa Rivers. The port of Montreal lies at one end of the Saint Lawrence Seaway, which is the river gateway that stretches from the Great Lakes into the Atlantic Ocean. Montreal is defined by its location in between the St. Lawrence river on its south, and by the Rivière des Prairies on its north. The city is named after the most prominent geographical feature on the island, a three-head hill called Mount Royal, topped at 232 m above sea level. Wikipedia

By Richard Power


The 18th USENIX Security Symposium was held in Montreal, Quebec (August 10-14, 2009). This conference always provides an excellent opportunity to catch up on the thinking of some impressive minds and delivers the most technical content of all the major security-focused IT conferences.

USENIX distinguishes itself by being a non-profit organization, and acting like one. Seventy-nine students were given stipends to attend this year’s Security Symposium, at a cost of approximately $100,000. This is how USENIX spent the contributions of its sponsors, as well as a significant chunk of its own funds. None of the commercial conferences can lay claim to any such altruism.

I asked legendary ;login: editor Rik Farrow (well, he is the Editor, and has kept up the publication’s high standards for many years, enough to qualify as a legend in this field, and yes, he is my friend) how he would distinguish the USENIX Security Symposium from the other major cyber security conferences.

“USENIX Sec is one of four top tier security research conferences, and certainly my favorite because accepted papers must include an implementation. So this goes well beyond theory.”

Rich Cannings, Android Security Leader at Google, delivered the keynote, “Securing a Mobile Platform from the Ground Up.”

Here are my notes from the talk --

Cannings started off by breaking down the numbers:

-- 6.77 billion human beings on the planet.
-- 1.48 billion Internet-enabled PCs
-- 4.10 billion mobile phones, with a 12-18 month average replacement rate.
-- 1 billion mobile phone purchases per year

“And 13.5% of them are smart phones. This number will soon compare with the number of Internet enabled PCs, and they will become major security targets.”

Next, Cannings gave some background on Android:

Google’s Android is a free, open source mobile platform, intended to “empower both users and developers.”

It has a Linux kernel. It relies upon 90+ open source libraries (e.g., SQLite for structured data storage, OpenSSL, etc.). It supports common codecs for sound, image, etc.

Android is also “designed to protect battery life.”

Developers don’t understand battery life
Users do.

In outlining Google’s security philosophy in regard to Android, Cannings articulated some of the premises with which they approach the issue:

-- Finite time and resources
-- Humans have difficulty understanding risk
-- Safer to assume that most developers do not understand security
-- Most users do not understand security

The cornerstones of the Android security philosophy, as formulated by Cannings, emphasize some basic needs:

-- Need to prevent security breaches from occurring
-- Need to detect them when they occur
-- Need to minimize their impact
-- Need to react swiftly to both vulnerabilities and breaches

Cannings went on to explore each of these elements as they came into play in the development, roll-out and support of Android.

No one with serious experience in cyber security could argue with Cannings’ guiding principle: “Security is an ongoing process, not a checkbox.”

But of course, Android means “five million lines of new code,” utilizing, as I mentioned earlier, on the order of one hundred open source libraries. And since Android is open source, Cannings remarked, it “can’t rely on obscurity.”

There are tremendous challenges ahead.

Farrow elaborates.

“I liked the keynote, as I am very concerned about the security of mobile devices. The obvious trend is for people to use their smart phones as their primary method for interacting with the Internet, and I would love to see the security of phone software fare MUCH better than Windows has in this area. Rich Cannings did a good job of describing the Android security model, but I was left feeling that there are real weaknesses in the Android security model largely because the Android team is being rushed, and layering their security on top of ancient UNIX security features. The notion of relying on users to permit applications based on the number and importance of privileges required is flawed, as most people make poor security decisions (and there is lots of research to back this up).

“Android does present a chance to create a secure environment,” Farrow adds, “but it must also satisfy both developers and users if it is to be successful.”

The program committee received one hundred seventy submissions for this year’s Symposium; only twenty-six papers were accepted.

Martin Vuagnoux and Sylvain Pasini of LASEC/EPFL received an “Outstanding Paper” award for “Compromising Electromagnetic Emanations of Wired and Wireless Keyboards.” These students cobbled together a system capable of converting broad spectrum radio emissions of keyboards into actual keystrokes.

Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy of the University of Washington also received an “Outstanding Paper” award for “Vanish: Increasing Data Privacy with Self-Destructing Data.”

Carnegie Mellon University was represented by Joshua Sunshine, who presented “Crying Wolf: An Empirical Study of SSL Warning Effectiveness,” headline-grabbing research conducted with Serge Egelman, Hazim Almuhimedi, and Neha Atri, under the guidance of Lorrie Cranor, Director of CyLab’s Usability of Privacy and Security Lab.

Of course, CyBlog covered this compelling research, recently, when the story broke. (See CyLab CUPS Researchers Release Study on SSL Warning Effectiveness)

CyLab corporate partners can read my full report on the 2009 USENIX Security Symposium, including my notes on Vern Paxson's “How the Pursuit of Truth Led Me to Selling Viagra” and my interview with Metronics 4.0 chair, Jennifer Bayuk, in the Intelligence Briefing section of the CyLab partners-only portal.

Sunday, August 9, 2009

Report from An Ancient Future: Auspicious Day of Celebration for the 7th Graduating Class of Carnegie Mellon’s Silicon Valley Campus



By Richard Power


For the ancient Greek philosopher Pythagoras, all the numbers were sacred and carried spiritual meaning, but he considered seven the “perfect number,” because it contained both the triangle and the square; and he saw it as the basis for his “Music of the Spheres.” Down through history, from pagan pantheons of pre-Christian Europe to the pages of Genesis, from the fortune-tellers of the Roma to the blues artists of the Mississippi Delta, and from the symbolism of the Masons to the gaming tables from Monaco to Macau, seven has been known as a “lucky number.”

So it is not surprising, and certainly worthy of note that the circumstances surrounding the seventh graduating class of Carnegie Mellon’s Silicon Valley campus strike the careful observer as particularly auspicious.

Consider the perspective of Pradeep Khosla, Dean of the College of Engineering and founder of Carnegie Mellon CyLab, shared with over one hundred Silicon Valley alumni at a gathering on the eve of the graduation ceremony.

“Even though it is just only one building, a very small campus in relation to Pittsburgh, but nonetheless, it is a high-impact campus. The people that come here as students are typically non-traditional students; these are not typically 22-year-old students coming here to get their Master’s, these are people of experience, with a clear zeal for what they do, and a clear goal for what they want to accomplish.

“Over the next twenty, thirty, forty years, when the Carnegie Mellon leadership looks back at this campus, and at 2008 … Sometimes, when you look back at a decision, you say, ‘What was I thinking when I did this?’ But with this decision people are going to look back, and say, ‘Was the person a genius who did this?’ That is the kind of impact this campus is going to create.”

“Over the last year and a half, several changes have happened: there are several new programs on this campus, instead of just being a part-time evening campus, there are full-time programs. Now if you come here during the day you see people running around … there is a new, state-of-the-art distance learning class-room that has been built, and two more are going to be built. These changes are all coupled to our vision of being an international campus … We have several international locations – Portugal, Greece, Japan, Korea, Australia, and right now we are working on a project for Africa, in Rwanda. I look at this campus as one of the transit points, one of the stations that many of our international students will visit during their two years in our international programs. There is no better place than Silicon Valley to show the world what America is all about, what entrepreneurship is all about, what a can-do culture is all about. This campus really epitomizes that.”

Martin Griss, who has taken over as Director of the Silicon Valley Campus, added some granularity to the bold strokes of Dean Khosla’s vision:

“We have started a full-time software engineering program. Tomorrow we will graduate nine students who are part of our full-time program. We will graduate 44 part-time students. The incoming class is really exciting. We will have 21 full-time students, and seventy-one part-time students. We have started a Ph.D. program, which is bi-coastal with ECE – something we have already wanted to have. We will have 8 Ph.D. students by December.”

“What I see as our mission moving forward is to continue strengthening and growing education, it’s doing great but we want to expand it, while building up research even more, we have a good research program, which started in Mobility last year, and we want to do more in that area, and we are particularly excited about growing entrepreneurship outreach, growing the program both inside the campus and connecting more to Silicon Valley.”

In their remarks, both Khosla and Griss honored founder Jim Morris.

Khosla described Morris’ effort as “revolutionary and impactful.”

Griss added, “When Jim started there was nothing here but his vision.”

Underscoring the theme of Carnegie Mellon’s commitment to globalism, Mara Barker, Director for Regional Programs, Alumni Relations, spoke of the Multidimensional Global Perspective:

“We have campuses and programs all over the world, but it is more than that. We have faculty and students from all over the world. And when you mix global campuses, global students, global faculty and global research, you have global impact. That is something quite powerful and wonderful that many universities don’t have.”

The graduation ceremony was held in a large white tent on a grassy field, under yet another azure sky. Over 45 students from 10 countries stepped to the stage to receive their hard-earned diplomas. They were led to the ceremony by a bagpiper in kilt.

The precise historical origin of the bagpipe is as yet undetermined; its image began to appear in the iconography of Europe early in the second millennium, and it is mentioned in the Canterbury Tales, i.e., approximately 1380 (although it is quite possible that it is as ancient as the Pythagorean science of numbers).

However they found their way into this world, whenever they are heard, they have a powerful effect on the listener. The stirring sound of the bagpipe is an integral element of formal occasions within the Carnegie Mellon University tradition, reflecting the influence of Andrew Carnegie’s Scottish roots. (Indeed, Carnegie Mellon is one of the few universities in the U.S. to offer a degree in bagpipes.)

The keynote speaker for the graduation ceremony was Liz King, a Vice-President and General Manager for Hitachi.

“Throughout her career,” Griss said in his introduction, “she has been responsible for building relationships with strategic alliance partners on a global basis, and for leveraging those relationships to drive new growth of both existing and new markets and has successfully assisted companies in world-wide strategies and international business development.”

King shared some insights from her rich experience, exhorting the graduates to cultivate both a strong network of colleagues and a fiercely open mind:

“A deep and active people network will provide you with a dazzling array of opportunities and choices.”

“The best way to cope with this chaotic world is to have an open mind. Conscious or unconscious constraints on how we view ourselves, our employers, our products and our competitors, everything needs to be critically examined on a real-time basis.”

But King also cautioned against trying to be successful running 20th Century strategies in a 21st Century world:

“How do you navigate through this dynamic high-tech world? Years ago, when the world was much more linear, the conventional wisdom was to set specific goals and manage to them. Well, anyone with a pulse-rate over 50 knows today life outcomes are more closely modeled by quadratic equations and pathways that look more like a strand of DNA than a straight line. The modern world is anything but linear, so stay in friendly relationship with that fact. Why don’t you replace the goal orientation with the vector orientation. Go ahead and set your goals, but detach from the outcomes, and focus on the vector, the path … For every one goal you would like to achieve there exist many others of equal or greater value that you can’t even imagine.”

Ray Bareiss, Director of Educational Programs, presented two of the graduating students with awards.

Alok Rishi received the Dean’s Return on Education Award:

“Having worked for Sun Microsystems for 19 years, this year’s recipient of the Return on Education Award joined the Carnegie Mellon Software Management program, seeking to ‘step out of his comfort zone.’ Shortly after enrolling in the program, he was able to gain the skills and confidence to begin thinking and behaving like a leader. His actions were clearly recognized by his global peer group of 1,500 engineers at Sun, who nominated him to be Principal Engineer. But he didn’t stop there … he left Sun after nearly 21 years to start Yunteq, a software company developing key enabling technology for Cloud computing … By continuing to tell his own story of transformation to his peers, he hopes to inspire others to make similar changes in their own professional lives.”


Daniel Maycock received the Outstanding Service Award:

“Dan has been a great ambassador for Carnegie Mellon at Boeing in Washington State and tirelessly worked to help us set up information sessions, promote our programs, and connect with the larger Boeing community ... He serves as an admissions ambassador, speaking with prospective students and answering questions about the Master’s degree program and curriculum …. His enthusiasm for the school and for his program is contagious and generates excitement among his classmates and colleagues, several of whom have applied to the program as a direct result of his outreach.”

Here are some of the many faces of this year’s graduating class, the seventh in the young life of Silicon Valley. Many of you will soon be hearing their names, investing in their ideas, leveraging their work, and vying for their vision, energy and skills.

They are after all the sons and daughters of the seventh year.




Monday, August 3, 2009

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness



"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again." ABC News, 7-30-09



CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Josh Sunshine will be presenting the paper Crying Wolf: An Empirical Study of SSL Warning Effectiveness at the USENIX 2009 Security Symposium.

Co-authored with Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor, Crying Wolf is another compelling example of how Carnegie Mellon University CyLab is helping to both frame the dialogue and deliver the goods on how best to raise awareness and deliver effective user education:

We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL warnings.
We then designed two new warnings using warnings science principles and lessons learned from the survey … Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.
Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Dr. Cranor, Director of the CyLab Center for Usable Privacy and Security (CUPS), was quoted in several news media stories breaking the study’s results.

Here is a sampling with links to the full texts:

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages … "People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again." ABC News, 7-30-09

“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com on Tuesday. “People don't read warnings and don't understand them when they do read them” … In addition, researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. Researchers found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said. SC Magazine, 7-28-09

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was" … They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites. "That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy." Computerworld, 7-24-09
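The two points the study makes above, that a certificate warning is really a statement about whether the name in the certificate matches the site you asked for, and that a client is better off blocking an unsafe connection outright than asking the user to decide, can be shown in code. The example below is an added illustration and is not from the Crying Wolf paper or from any CyLab project. It implements the hostname check a browser performs against a certificate's dNSName entries (constructed sample names under the reserved `.test` domain, not a real certificate), wraps it in a fail-closed decision that never returns a "warn" state, and builds a Python `ssl` client context whose verification failures raise an exception instead of prompting; `SAMPLE_SANS`, `Verdict`, `decide` and `connect_strict` are names chosen for this example.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List

# Constructed sample: dNSName entries such as a server certificate's
# subjectAltName might carry. Made up for this example, not from a real cert.
SAMPLE_SANS = ["www.example.test", "*.shop.example.test"]


def hostname_matches(hostname: str, sans: List[str]) -> bool:
    """True if hostname is covered by one of the certificate's dNSName entries.

    Rules follow the usual browser reading of RFC 6125: comparison is
    case-insensitive, a wildcard may only be the entire leftmost label,
    it matches exactly one label (never across a dot), and a wildcard
    must leave at least two fixed labels to its right ('*.test' is rejected).
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        name = san.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[2:].split(".")
            if len(suffix) < 2 or "" in suffix:
                continue  # too broad or malformed wildcard: never matches
            labels = host.split(".")
            if len(labels) == len(suffix) + 1 and labels[1:] == suffix:
                return True
    return False


@dataclass
class Verdict:
    action: str  # "connect" or "block"; there is deliberately no "warn"
    reason: str


def decide(hostname: str, sans: List[str], chain_trusted: bool,
           within_validity: bool) -> Verdict:
    """Fail-closed policy: every check either passes silently or blocks.

    chain_trusted and within_validity stand in for the chain-building and
    validity-period checks a real verifier performs before the name check.
    """
    if not chain_trusted:
        return Verdict("block", "certificate chain does not lead to a trusted root")
    if not within_validity:
        return Verdict("block", "certificate is expired or not yet valid")
    if not hostname_matches(hostname, sans):
        return Verdict("block", "certificate is not issued for %s" % hostname)
    return Verdict("connect", "certificate binds the server key to the requested name")


def strict_client_context() -> ssl.SSLContext:
    """A client context in which a bad certificate raises rather than prompts."""
    ctx = ssl.create_default_context()  # loads the system trust store
    ctx.check_hostname = True           # name check as in hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain is fatal
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Self-check used to confirm the context cannot fall back to 'ask the user'."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_strict(hostname: str, port: int = 443) -> Verdict:
    """Open a TLS connection and turn verification failure into a block.

    Needs network access; with strict_client_context() there is no code path
    on which the user is asked whether to proceed.
    """
    ctx = strict_client_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return Verdict("connect", "handshake completed with a verified certificate")
    except ssl.SSLCertVerificationError as exc:
        return Verdict("block", "verification failed: %s" % exc.verify_message)


if __name__ == "__main__":
    for host in ["www.example.test", "api.shop.example.test", "shop.example.test"]:
        print(host, decide(host, SAMPLE_SANS, True, True))
```

Note that `decide` mirrors the paper's recommendation rather than current browser behaviour: a name mismatch on a constructed certificate such as `shop.example.test` against `*.shop.example.test` is simply blocked, and the benign case completes with no dialog at all, so the user never learns to click through.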