Showing posts with the label usable privacy and security

Cybersecurity under the Trump Administration

A journalist asked me about cybersecurity under the Trump administration, whether anything will change. Here are my thoughts. Note that this is just my opinion and does not represent my employers or any of my funders.

--------------

I don't expect much to change. President Obama already made cybersecurity one of his top 10 priorities, and as a result, a lot of the heavy lifting has already started. However, there are still some opportunities for the next administration. For example:

- A lot more research funds for longer-term thinking and solutions to big problems. Security today is dominated by the latest data breach, and there isn't enough funding for problems 5-10 years down the road, in particular Internet of Things.

- Another area that needs longer-term thinking and solutions is foreign countries interfering with elections. It's unclear how much happened this year, but it's only going to get worse. There are a lot of concerns that foreign countries are

Some Tips on Protecting Yourself from Ransomware

I've been asked by more and more journalists to offer some insights into various aspects of cybersecurity. I figured that since I'm already writing these up, I might as well share them with the public. This one is on ransomware.

------------------

Ransomware is a kind of malware that holds your data hostage. The malware scrambles your data and makes it so that you can't access it, unless you pay a ransom, typically in Bitcoin. It's not really clear if you can recover your data or not. Some people have been able to by paying the ransom, while others have not. Instead, the best thing you can do is to prevent being infected in the first place. Here are some tips for protecting yourself:

- Don't install any software you weren't expecting to install. A lot of malware and ransomware are designed to trick you into installing them. They might pretend to be anti-virus, or say that you need to update your browser. Don't do it! Be especially careful of email

Android Smartphone Settings for Privacy

I was just asked to write up some tips for managing privacy on smartphones. I figured this would be generally useful to share with folks on the Internet.

1. Many Android phones track a person's location history. You can check if Google has your location history by logging into your Google account and going to:

    https://www.google.com/maps/timeline

If you want to turn this feature off, on your smartphone, go to:

    Google Settings (app) -> Location -> Location History

Or go to:

    Settings -> Location -> Google Location History

-----------------

2. You can also choose to opt out of personalized ads. Android phones can share an advertising ID with sites, and this ID can be used to build up a profile of interests. These advertising IDs are just like web browser cookies. If you want to turn this feature off, go to:

    Google Settings (app) -> Ads

Or go to:

    Settings -> Accounts -> Google -> Personal Info & Privacy

You can also use this

Password Policies are Getting Out of Control

I posted a new article on Communications of the ACM's web site about the increasing ridiculousness of stricter password policies.

Peter Gutmann on Computer Security Mentality

Well-known security researcher Peter Gutmann has a draft of his book on Engineering Security available on his web page. He has a lot of good commentary about challenges that the security community is facing. So far, my favorite passage challenges the common mentality that security has to be 100% or it's just not worth having.

Engineering an effective security solution in the presence of security geeks is an extremely difficult problem... Consider as an example of this a world where no-one ever locks their front door when they leave the house, and someone suggests that fitting locks and actually using them might help in dealing with the spate of burglaries that have occurred recently. This would be totally unworkable. If you lost your key you’d be unable to get into your own house. Conversely, anyone who found it or stole it could now get in. For a house with multiple occupants you’d need to get a new key cut for everyone in the house, including any temporary guests who were st

Our Facebook Security Quiz

Wombat Security Technologies has created a quiz on Facebook to test your knowledge of computer security. See if you can get the Golden Wombat!

Locaccino blog entry at MIT Tech Review

One of the writers at MIT Tech Review has blogged about our work on Locaccino.

"Locaccino Shows How Facebook Places Should Work"
http://www.technologyreview.com/blog/mimssbits/25832/

Forbes on Disclosed to Death

Forbes Magazine has a nice article arguing that more disclosure isn't necessarily better, pointing out the complexity, the difficulty in making choices, and the legalese. My favorite passage:

One study found that despite the [Miranda] warning the overwhelming majority of suspects (78% to 96%) waive their rights ... "Next to the warning label on cigarette packs, Miranda is the most widely ignored piece of official advice in our society."

Four papers accepted to Ubicomp 2010

Our group had a good year for Ubicomp with four papers accepted, all on various aspects of privacy, location, and social networking.

- Jialiu Lin, Guang Xiang, Jason Hong, Norman Sadeh. Modeling People’s Place Naming Preferences in Location Sharing. This paper looks at how people name places when sharing with others.

- Eran Toch et al. Empirical Models of Privacy in Location Sharing. This paper examines what location information people share with others, using models of how public a place is, and how mobile that individual is.

- Karen Tang, Jialiu Lin, Jason Hong, Norman Sadeh. Rethinking Location Sharing: Exploring the Implications of Social-Driven vs. Purpose-Driven Location Sharing. Here, we examine the difference between two different kinds of location sharing. One is purpose-driven ("where are you now?"), the other is social-driven ("hey, I'm in Paris now").

- Justin Cranshaw, Eran Toch, Jason Hong, Niki Kittur, Norman Sadeh. Bridging the Gap Between Physical Locat

Why Do Organizations Purchase Security Software?

After presenting at the ISSA CISO forum, I got into this really interesting discussion as to why corporations purchase security software. Given that I've been struggling to understand why technologies are and aren't adopted (especially those from the CHI community), I was naturally intrigued. The manager of Schlumberger's enterprise services security listed three reasons:

- There was a recent security incident
- There is a new regulation or policy in place
- The organization failed an audit recently

I'd add a fourth one, which is that everyone else is doing it. These days, people purchase firewalls, spam filters, and anti-virus software almost as a matter of course.

Interesting Facebook Authentication

I just logged into Facebook while in Brazil, and was presented with an interesting challenge-response. Apparently, FB is doing some kind of profiling as to where you login (or alternatively, where lots of fake logins are happening). After answering a captcha, I was presented with a series of photos from my friends list, and had to answer multiple choice questions, getting at least 4/7 correct. I thought this was a compelling idea. The photos would be relatively hard for attackers to find, and not too hard for the owner to identify (unless you're one of those people that friend everyone they meet).

Recent Facebook Glitch Reveals Private Info

NYTimes reports on a rather nasty Facebook glitch that reveals personal info:

On Wednesday, users discovered a glitch that gave them access to supposedly private information in the accounts of their Facebook friends, like chat conversations.

I wonder what kinds of processes and procedures Facebook will put into place to prevent these kinds of things from happening in the future. Facebook is already facing a lot of heat from consumer groups regarding privacy. The worst case scenario for them is to have legislation passed dictating what they can and cannot do. Not knowing anything about their system architecture and procedures, I'd suggest adding a significant number of regression tests for privacy, checking hundreds of scenarios to make sure that information that isn't supposed to be disclosed won't be disclosed.

People don't want backup...

A few weeks ago, Mark Bregman, Executive Vice President and CTO of Symantec, came by Cylab and gave a talk on Symantec's approach to customer-centric innovation. He made a nice distinction between invention (which we researchers are very good at) and innovation (getting products out into the marketplace that people really want). He also made a statement that really resonated with me. After studying how people use backup systems, Symantec took a step back and thought more about what people really needed (and not what they said they wanted). It turns out it wasn't really backup that they needed, it was reliability, and backup was just one way of offering that. I like this high-tech variant of "People don't want to buy a quarter-inch drill. They want a quarter-inch hole!". I'll find some ways to incorporate this idea more into my classes.

Dressing up as a Phish

Sasha Romanosky points me to a story about a security analyst dressing up as a phish to educate students. This reminds me of that time Randy Pausch dressed up as some character from Alice in Wonderland and gave away Alice CDs. I have to admit, this is definitely going to be memorable for the students.

Tech-Security Official at U. of Virginia Wears Fish Costume to Raise Awareness of 'Phishing'

When Karen McDowell dressed up in a purple fish costume and walked around the University of Virginia’s campus last month, she got plenty of attention for her cause, even though she had to explain the meaning of her outfit. Ms. McDowell is a security analyst for the university, and her goal was to raise awareness about e-mail phishing schemes, in which con artists send e-mail messages hoping to lure people into giving out their passwords or other personal information.

When Phishing Education Goes Bad

A sad, funny, and frustrating story about phishing education. Don't know if this is true or not, but I can see it happening.

http://thedailywtf.com/Articles/Go-Phish.aspx

Auburn University's CIO sends out a warning to students, faculty, and staff about phishing, and includes an example of phishing in his email. A few days later, he sends out another email, excerpt below:

"In my previous alert, I included the text of a phishing email as an example. Some students misunderstood that I was asking for user name and password, and replied with that information. Please be aware that you shouldn’t provide this information to anyone."

A New Baby Naming Service

Here's a new baby naming service that we could all use. Given your last name, what kinds of first names should you avoid so that your child won't be on the TSA no-fly list?

http://www.nytimes.com/2008/09/30/business/30road.html

“The woman at the ticket counter demanded, ‘Who is John Anderson?’” Ms. Anderson recalled. She pointed at the baby stroller and said, “He’s right here.” The suspect, then 2 years old, blinked his big blue eyes and happily gummed his pacifier. “That baby’s on the no-fly watch list,” the agent said.

It Would Take a Week to Read All Your Privacy Policies

Washington Post on some work being done at CMU

------

Lost in the Fine Print: It Would Take a Week to Read All Your Privacy Policies

It would take the average American about 42 hours -- an entire work week -- to read the online privacy policies for the Web sites they encounter each year, according to new research being presented this weekend.

Facebook Phishing

Some colleagues and I talked about this potential threat a few months ago, and it looks like it's finally starting to happen.

http://www.wired.com/politics/security/news/2008/01/facebook_phish

Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link.

But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords. Soon after, the hackers post messages containing the same URL on the public "walls" of the users' friends. The technique is a powerful phishing scam, because the link seems to be coming from a trusted friend.

...

Hackers can use the compromised profiles to host Trojan horses

New IE8 Features for Anti-Phishing

Internet Explorer 8, the next version of Internet Explorer, will have new features to protect people from phishing attacks. Some of these features were developed by CMU's very own Serge Egelman. Nice work Serge! Some highlights include:

- Better warning messages (based on our past work on warnings in web browsers [PDF])
- Better heuristics for detecting scams (I'd be interested in learning more about how these work)
- Anti-malware support

World of Warcraft introducing 2-Factor Authentication

I didn't expect to have two posts in a row about World of Warcraft, but I found this one too interesting to resist. It looks like Blizzard will be making physical tokens available for customers to purchase, to increase the security of their accounts. Apparently, there have been many hacked accounts, leading to the loss of (virtual) gold and items. This was a venue for phishing and malware that I didn't see coming, but it makes sense once you see how the value chain eventually ends up as cash.

http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true