Tuesday, November 15, 2016

Cybersecurity under the Trump Administration

A journalist asked me about cybersecurity under the Trump administration, whether anything will change. Here are my thoughts. Note that this is just my opinion and does not represent my employers or any of my funders.


I don't expect much to change. President Obama already made cybersecurity one of his top 10 priorities, and as a result, a lot of the heavy lifting has already started.

However, there are still some opportunities for the next administration. For example:
  • A lot more research funds for longer-term thinking and solutions to big problems. Security today is dominated by the latest data breach, and there isn't enough funding for problems 5-10 years down the road, in particular Internet of Things.
  • Another area that needs longer-term thinking and solutions is foreign countries interfering with elections. It's unclear how much happened this year, but it's only going to get worse. There are a lot of concerns that foreign countries are using our very own social media to foment uncertainty and unrest.
  • More funds for education. Right now, only about half of developers have degrees in computer science. But even then, only 3 of the top 50 CS programs require students to take any computer security courses. Furthermore, security goes beyond computer science. We could expand cybersecurity to students in psychology (e.g. social engineering), visual design (e.g. warnings), and so on. There's also just educating the public at large.
  • Expand security to also encompass privacy. There are many emerging technologies that have tremendous potential to benefit society, such as big data, autonomous vehicles, Internet of Things, and so on. However, these technologies will only be adopted if people feel like they understand what personal data these systems are using, and if they feel that they are in control of these systems.
On a side note, this doesn't deal with cybersecurity as it is conceived of today, but it's a different form of technology and national security. Basically, a lot of jobs are being automated out of existence. For example, once Uber, Google, Tesla, or Ford create a reliable and commercially viable autonomous vehicle, there are tens of thousands of jobs that will never come back. And it's not just the drivers of taxis or eighteen-wheelers, but also people who run the motels, gas stations, and diners that formed part of the support ecosystem for drivers. And no politicians are discussing any real solutions to this problem today.

Some Tips on Protecting Yourself from Ransomware

I've been asked by more and more journalists to offer some insights into various aspects of cybersecurity. I figured that since I'm already writing these up, I might as well share them with the public. This one is on ransomware.


Ransomware is a kind of malware that holds your data hostage. The malware scrambles your data and makes it so that you can't access it, unless you pay a ransom, typically in Bitcoin.

It's not really clear if you can recover your data or not. Some people have been able to by paying the ransom, while others have not.

Instead, the best thing you can do is to prevent being infected in the first place. Here are some tips for protecting yourself:

  • Don't install any software you weren't expecting to install. A lot of malware and ransomware are designed to trick you into installing them. They might pretend to be anti-virus, or say that you need to update your browser. Don't do it!
  • Be especially careful of email attachments. A lot of malware and ransomware are spread through email. A lot of these will be caught by spam filters, but check the file extension of attachments before downloading and opening them. Avoid anything with .exe or .com.
  • Back up your data regularly. Keep your most important files on a separate backup hard drive, or even on cloud services.

Wednesday, October 05, 2016

Android Smartphone Settings for Privacy

I was just asked to write up some tips for managing privacy on smartphones. I figured this would be generally useful to share with folks on the Internet.

1. Many Android phones track a person's location history. You can check if Google has your location history by logging into your Google account and going to:

If you want to turn this feature off, on your smartphone, go to:
  Google Settings (app) -> Location -> Location History

Or go to:
  Settings -> Location -> Google Location History


2. You can also choose to opt out of personalized ads. Android phones can share an advertising ID with sites, and this ID can be used to build up a profile of interests. These advertising IDs are just like web browser cookies.

If you want to turn this feature off, go to:
  Google Settings (app) -> Ads

Or go to:
  Settings -> Accounts -> Google -> Personal Info & Privacy

You can also use this screen to generate a new advertising ID if you wish.


3. You should add a screen lock to your phone, just in case you lose your phone or if it's stolen. You can find the right settings if you go to:
  Settings -> Security


4. You should also turn on remote location and remote lock and erase, in case you lose your phone. To do this, go to:
  Google Settings (app) -> Security

You'll see that there are some other useful features here for protecting your phone.


5. You can also see basic personal information Google has about you, and do some basic privacy settings here:
  Google Settings (app) -> Personal info & privacy


6. Lastly, you can go to http://myaccount.google.com to manage settings that are connected with your Google account (rather than just your smartphone). In particular, try out the Privacy Checkup.

Thursday, July 28, 2016

Toward a Safe and Secure Internet of Things

I wrote up a white paper about the cybersecurity issues that we will face as the Internet of Things becomes more common. I discuss issues like physical security, scale, lack of experience by manufacturers, and lack of tools and best practices.

One idea I also advance is this pyramid of IoT Devices. At the top tier we will all have a few devices that have a lot of computational horsepower, such as laptops, smartphones, and glasses. In the middle tier we will have dozens of devices that have moderate computational capabilities, but also only require a little bit of our attention. These include TVs, refrigerators, and smart toys. At the bottom tier are hundreds of cheap devices or ones that we are barely aware of. These include RFIDs, smart toilets, digital picture frames, electronic locks, smart meters, cheap environmental sensors, and more.

The bottom two tiers are the ones we need to worry about the most. The top tier already has major tech manufacturers worrying about the cybersecurity issues, but the other two often do not. Plus, devices in the bottom two tiers can't run standard endpoint security, will likely have battery constraints, poor networking, and minimal CPU processing.

Wednesday, July 13, 2016

Chase Fraud Alert from SMS 28107

I got a fraud alert on my phone this morning from SMS short code 28107. Is this legitimate? The short story, from what I can tell, is yes.

The alert I got was:
FREE MSG: Chase Fraud-Did you use card ending xxxx for $xx.xx at INGLES MARKETS on 07/13? If YES reply 1, NO reply 2
Alerts like this are also a pretty common kind of scam. Attackers send out lots of these kinds of SMS and email messages and try to get you to "verify" your account, essentially tricking you into sharing sensitive information.

If you ever get one of these kinds of alerts, you should try to verify it independently. So I logged into my credit card account and saw that there were several purchases that morning. Looking up the name of the store, it appears to be a chain of grocery stores in North Carolina. OK, so definitely fraud.

So I responded with a "1" to the SMS message, and it said that Chase would call when a specialist is available, or call the number on the card.

There's a minor risk here with the first option, which is that getting a phone call from an unknown number doesn't mean that it's legitimate. In computer security, this is the mutual authentication problem, which is that while your credit card company can verify if it's you or not, you don't have any easy ways of verifying if it really is your credit card company calling you.

The safe thing to do here is the second option, which is to call the phone number on the back of the credit card.

Now, as someone who does research in cybersecurity, I'll note that even all of this is not guaranteed. It's possible that a hacker could have intercepted my web browser request to Chase's web site, known the last 4 digits of my credit card, known my mobile phone number for SMS (SMS can be spoofed), and intercepted Chase's 1-800 number, but the odds of all of these happening together are pretty low. Plus, if a hacker were skilled enough to do all of the above, they would chase after bigger fish than me.

So a new credit card is on the way, and the damage is limited, both for me and for Chase. I should also say good on Chase for having an excellent fraud detection department too. This is actually the first time Chase has warned me about possible fraud on my credit card, despite all of my travels around the world, and they got it right.

Wednesday, March 16, 2016

Should companies be allowed to "hack back" against thieves?

Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people's computers and servers, so odds are high that a company would simply be attacking an innocent party.

Furthermore, if a company does take down an attacking server, they might take down many other innocent third-party web sites and services, which would make the company potentially liable for damages.

Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can't. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment.

Lastly, in the unlikely case that a company could pinpoint who the attackers are and guarantee a precise counterattack, it is worth pointing out that some cyber thieves are state sponsored. As such, hacking back could spark an unwanted international incident.

A better alternative is to consider softer countermeasures that can slow down thieves and help law enforcement. For example, some banks feed fake data into phishing web sites, to make it easier to trace criminal activities. Many companies also run honeypots, which are servers that, when hacked, contain fake content and a great deal of monitoring software. This kind of approach makes it easier to identify attackers and their strategies, and potentially deter thieves as well.

My Article in Slate on Human Weaknesses in Cybersecurity

I published an article on Slate about human aspects of cybersecurity.
A great deal of metadata and surrounding context can still be inferred from unclassified emails. These inferences might include the social connections between people, the names of projects a person is working on, how emails are formatted, and what jargon a person uses. On the surface, this kind of information might seem innocuous. However, in the hands of a skilled and patient adversary, this information can be used to exploit human weaknesses in cybersecurity.

Sunday, November 29, 2015

World Economic Forum IdeasLab talk on Smartphones and Healthcare

Here is a YouTube video of my talk at the World Economic Forum on Smartphones, Personal Data, and Healthcare.

Article in Quartz Magazine about Usability and Cybersecurity

I recently wrote up an article on Quartz looking at why public officials are using personal email accounts for business, looking at it from a usability and security perspective.
Why are so many politicians turning to personal email in the first place?

This trend may justifiably raise concerns about transparency and legality. But why are so many politicians turning to personal email in the first place? It could be that usability issues are driving our public officials and their subordinates to use personal accounts.

Friday, July 31, 2015

Conflict Management and Negotiation

One thing we do in our Master's of Human-Computer Interaction program is to have our students participate in workshops about conflict management. Conflict is inevitable, but how you deal with it is not.

This year, we also sent our students some web resources about negotiation strategies. These are, for the most part, very positive ways of looking at negotiation, rather than making it something purely adversarial.

Thursday, July 02, 2015

Computer Science, Internet of Things, Privacy, and Advice for Students

I wrote up an article for my old high school's alumni magazine, about my work and advice for the students. Here's the article below.


In the near future, our smart homes, smart cars, and smartphones will essentially know everything about us. In many ways, this will be a good thing, as these devices can help us in terms of healthcare, sustainability, safety, and more. At the same time, these same systems pose many new kinds of privacy challenges. What kind of data is being sensed and collected? How is it used? How can we help people feel like they are in control? How can we create a connected world that we would all want to live in?

After graduating from SCGSSM in 1993, I majored in both computer science and mathematics at Georgia Tech, and then got my PhD at University of California at Berkeley. Since 2004, I’ve been a professor at Carnegie Mellon University, one of the top schools in the world in computer science. It’s a very fun place, with brilliant people looking at how to push the boundaries of what is possible with computing.

Computer science is a bit unusual when compared to natural sciences. In fields like astronomy or biochemistry, there are hard limits dictated by atomic structures or fundamental forces like gravity. In contrast, much of computer science is bounded by perceptual and cognitive psychology. We only need 24-bit color because that’s all the human eye can see. A lot of programming languages are structured to mitigate the limited working memory of our brains. Computer science is also bounded by our imaginations. Things like wearable computers, self-driving cars, and sensor networks only came out because someone dreamt new ways of using computers.

My specific subfield of computer science is known as human-computer interaction (HCI). HCI looks at people and computers together, drawing on ideas from traditional computer science, psychology, and design. The most immediate aspect of HCI is the user interfaces we use. Everyone has experienced some really terrible interfaces and can appreciate the need for good design. But HCI also looks at really big questions too. For example, how can we build intelligent tutoring systems that can adapt to individual students? How can we design robots that people can understand and feel safe around? How can we design better interfaces to help those with physical disabilities?

My particular area of research looks at emerging smart systems, sometimes called Internet of Things, sometimes Ubiquitous Computing. These kinds of sensor-based systems will let us understand human behavior at a fidelity and scale that previously was not possible, but we can only succeed if we can legitimately address people’s privacy concerns.

My current work focuses on privacy and smartphones. Smartphone apps can collect a great deal of sensitive information about people, including location, contact lists, and microphone data. How can we easily understand what these apps are doing? To address this problem, my team developed new ways to analyze and summarize the behaviors of apps, based on the notion of expectations. For example, most people don’t expect a Blackjack game to use location data, but some surprisingly do. In contrast, everybody already knows Google Maps uses location data. Using this approach, we have graded the privacy of a million apps, which you can see at PrivacyGrade.org. We’ve gotten press coverage from CNN, New York Times, Forbes, BBC, as well as interest from the FTC, California Department of Justice, Google, and Consumer Reports.

Now, while this article was supposed to be about STEM (Science, Technology, Engineering, Mathematics), I’d like to close by reflecting on non-STEM lessons I’ve learned along the way, which I hope can help current students and younger alums. First, raw intellect only gets you so far. Even hard work isn’t enough. While these are pre-requisites for success, you’ll also need ambition, imagination, and some luck. I lucked out in getting admitted to Berkeley for my PhD, and was suddenly surrounded by people who were the best in the world at what they did. It only dawned on me then that I might be able to do the same.

Second, don’t underestimate the social dimension of success. My two years at SCGSSM were harder than my first two years at Georgia Tech, and it only struck me years later why. At SCGSSM, there were so many smart and hard-working people that it forced me to up my game. At Georgia Tech, it wasn’t until my junior year that I found a similar group of people.

Third, it’s not about what you yourself can do, but what you can get a group of people to do. Most big things that are worth doing can’t be done by individuals. So if you want to succeed, you really need to understand how to motivate people, how to work in a team, how to manage conflict, and how to mentor people and help them grow.

Last, there’s a big world stage out there, and it’s waiting for brilliant young people to get up there. The problems we as humanity are facing today are bigger and harder than any we’ve ever faced, and we need all the help we can get. And besides, it will be fun as we help invent the future. 

Monday, March 02, 2015

Visualizations of Phishing Emails

I've been collecting all phishing emails that have come into my inbox since 2010. I thought it would be fun to create some simple visualizations, to look for interesting patterns.

Below is a wordle of 95 different Nigerian email scams. These are the scams where the sender of the email has a business proposition for you, with millions of dollars in a bank or secret fund, and they need your help getting it out. You can see several prominent words, like bank, money, contact, and fund. You can also see that these scammers are quite polite, with please being a common word too.

Surprisingly, I only got 16 reply-to phishing emails. These are the ones where the scammer asks you to fill out your account information in the email, like your account name and password. Nothing too surprising here.  

The largest set was 160 general phishing attacks, ones where the scammer tries to trick you into clicking a link or opening an attachment. You can see that these scammers are quite polite, with please being pretty prominent. Like the reply-to phishing attacks above, you can see that an email that mentions your account or wants you to click on a link is a good signal that it may be a phishing attack.  

Below is a wordle that combines all of the above emails, if you want to share with others or print out.

I also created a word tree visualization using the service on Jason Davies' site. You can see the interactive version of all of the phishing emails here. You can see the most common opening for these phishing emails, and again, scammers are quite polite.

Saturday, February 21, 2015

Notes on Running the Mobisys 2015 Program Committee

Marco Gruteser and I recently finished co-chairing the Mobisys 2015 technical program committee. Some of the TPC members said that it was the best run, least stressful program committee that they had been on, and were amazed that we were able to discuss over 60 papers.

I thought it would be good to share what tools and processes we used to keep things running smoothly, to help other program committees.
  • We allocated NNN minutes of discussion per paper (this will vary depending on PC size and #papers to discuss). Basically, take the total amount of time and divide by #papers to discuss, subtracting 1-2 minutes per paper as slack time.
  • We used the iPad app Lightning Talk to keep track of time (thanks to Jenna Date for pointing me to this app)
  • On the projector, we displayed what paper we were discussing and who the conflicts were. This helped speed up conflicts getting out of the room. Here is a shortened version of the slides. (Thanks to Morley Mao and Landon Cox for this idea)
  • Conveniently, if you print these slides 6 to a page, they are roughly post-it size. We taped each slide to a post-it, making it easier to see what the decisions were for each paper. See the picture below to see how we used these post-its (note that we blurred out information about most papers in the picture). We had 4 categories: Accept, Weak Accept, Maybe Accept, and Reject. 
  • We started the TPC by discussing the strongest papers and then the weakest papers, to help the PC with calibration of the other papers.
  • We assigned a discussion lead for each paper, typically the most positive reviewer. Each lead was asked to start with 2min summary, and then we moved on to discussion from the other reviewers.
  • We asked committee members to be decisive about making decisions within the NNN minute period. Earlier, several days before the meeting, we also asked TPC members to discuss online papers for which there was not a clear consensus. This approach helped with faster decision making. 
  • If a paper was a clear accept or reject after a few minutes, we cut off discussion to keep moving forward. This let us have more time for more papers that needed more discussion time.

Saturday, November 29, 2014

PrivacyGrade is out

PrivacyGrade.org is our web site that presents our privacy analysis of a million Android smartphone apps. It's a deeper and broader analysis of apps beyond the previous blog posts on this site.

Friday, November 30, 2012

Analysis of Most Unexpected Permissions for Android Apps

Our team has been analyzing Android apps for unusual behaviors, using crowdsourcing techniques to find differences between what people expect an app to do and what an app does in reality.

Here are the top 10 most unexpected permissions, based on our crowdsourcing approach to analyze the behavior of Android apps. Each circle represents the level of surprise people had for each permission (N=20). For example, a vast majority of people (95%) were surprised that Brightest Flashlight used location data, but no one (0%) was surprised that Google Maps did so. Here, we can use level of surprise as one form of privacy. If people aren't surprised, then from our perspective it's less of a privacy issue, since people have some level of informed consent. On the other hand, if lots of people are surprised, then we have a potential privacy issue at hand.


Here is the top 10 list in text form, with links to more analysis where available.

  1. Brightest Flashlight
  2. Toss It
  3. Angry Birds
  4. Talking Tom Free
  5. Backgrounds HD Wallpapers
  6. Dictionary.com
  7. Mouse Trap
  8. Horoscope
  9. Shazam
  10. Pandora

Note that some of these uses, while rated unusual, were actually perceived as legitimate once it was explained how the data was used. For example, the Dictionary.com app uses location for finding words that others near you are searching for, rather than for ads or other purposes. In our work, we also found that people were generally ok with this usage once it was made clear to them.

In the short-term, the main thrust of our research is to help people understand these kinds of unusual behaviors of apps, as well as increase transparency. It's worth pointing out too that a lot of this information seems to be used for advertising rather than malicious purposes (though it obviously depends on your definition of malicious). In the long-term, we need better policies and best practices around this kind of data collection, as well as better ways of helping developers create sustainable business models that also respect privacy. 

Note that this list is based on the top 100 most popular Android apps around December 2011, so some things may have changed since then.


Below is an analysis of the Top 10 Most Downloaded Android apps, showing the level of surprises. For example, for Angry Birds, we found that 80% of people (N=20) were surprised that it used location at all, whereas for Google Maps, 0% of people were surprised.

Here is the same list in text format, with links to more analysis for apps that we have probed in more depth.
  1. Facebook
  2. Google Maps
  3. Angry Birds
  4. Pandora
  5. KakaoTalk Messenger
  6. Bubble Blast
  7. Paradise Island
  8. Handcent SMS
  9. Adobe Flash Player
  10. Tap Fish
You can also read more about our research here (PDF). This work was done by Jialiu Lin, Shah Amini, myself (Jason Hong), and Norman Sadeh. This work is also funded in part by the National Science Foundation, Google, and the Army Research Office.
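As an added example (not the study's own code or PrivacyGrade's), here is the expectation-based surprise measure described in this post, run over constructed survey responses: the fraction of N=20 respondents surprised by each (app, permission) pair, a ranking of the most unexpected uses, and the before/after comparison for a use that is accepted once its purpose is explained. The response lists are constructed to echo the percentages quoted above; the Dictionary.com follow-up rows and the 50% threshold are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# One respondent's answer to "Were you surprised that <app> uses <permission>?"
# Keys are (app, permission); values are per-respondent booleans (True = surprised).
# N=20 per pair, matching the sample size reported in the post. These lists are
# CONSTRUCTED to reproduce the quoted figures (95% Brightest Flashlight,
# 80% Angry Birds, 0% Google Maps); the Dictionary.com rows are made up.
Key = Tuple[str, str]
SURVEY: Dict[Key, List[bool]] = {
    ("Brightest Flashlight", "LOCATION"): [True] * 19 + [False],
    ("Brightest Flashlight", "DEVICE_ID"): [True] * 19 + [False],
    ("Angry Birds", "LOCATION"): [True] * 16 + [False] * 4,
    ("Google Maps", "LOCATION"): [False] * 20,
    ("Dictionary.com", "LOCATION"): [True] * 14 + [False] * 6,
}

# The same question asked again after the purpose ("words others near you are
# searching for") was explained. Constructed sample data.
AFTER_EXPLANATION: Dict[Key, List[bool]] = {
    ("Dictionary.com", "LOCATION"): [True] * 3 + [False] * 17,
}


def surprise_rate(responses: List[bool]) -> float:
    """Fraction of respondents who were surprised. An empty sample is an error
    rather than 0%, so an unasked permission never reads as 'nobody minded'."""
    if not responses:
        raise ValueError("no responses: cannot estimate surprise")
    return sum(1 for r in responses if r) / len(responses)


def rank_unexpected(survey: Dict[Key, List[bool]]) -> List[Tuple[str, str, float]]:
    """Rank (app, permission) pairs from most to least surprising.
    Ties are broken alphabetically so the ordering is deterministic."""
    rows = [(app, perm, surprise_rate(resp)) for (app, perm), resp in survey.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def flag_privacy_issues(survey: Dict[Key, List[bool]], threshold: float = 0.5) -> List[Key]:
    """Pairs at or above the threshold. The post's reading: low surprise suggests
    some informed consent, high surprise a potential privacy issue.
    The 0.5 cut-off is an assumption, not a value from the study."""
    return [(app, perm) for app, perm, rate in rank_unexpected(survey) if rate >= threshold]


def explanation_effect(before: Dict[Key, List[bool]],
                       after: Dict[Key, List[bool]]) -> Dict[Key, Tuple[float, float]]:
    """For each pair re-surveyed after its data use was explained, return
    (surprise before, surprise after). A large drop means the use was seen as
    legitimate once understood, as the post reports for Dictionary.com."""
    return {key: (surprise_rate(before[key]), surprise_rate(after[key]))
            for key in after if key in before}


if __name__ == "__main__":
    for app, perm, rate in rank_unexpected(SURVEY):
        print(f"{rate:5.0%}  {app:<22} {perm}")
    print("flagged:", flag_privacy_issues(SURVEY))
    print("after explanation:", explanation_effect(SURVEY, AFTER_EXPLANATION))
```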

Analysis of Brightest Flashlight Free for Android

GoldenShores Technologies, LLC
Category: Tools
Price: Free
Brightest Flashlight Free - Turns on all available lights.
Brightest Flashlight App – Free of Charge
* Turns on all available lights on the device
* Camera Flash LED at Maximum
* Screen at Bright Maximum
* Keyboard Backlight at Maximum
* Soft Keys Backlight at Maximum

Used by
Device ID
Mobile ad optimization and tracking
Targeted mobile advertising
Mobile ads, analytics, ad exchange
Mobile ad network aggregator
App analytics
Targeted mobile advertising
Mobile ads, analytics, ad exchange
Other 3rd-party libraries app uses
Mobile ad network

Privacy Analysis

· 95% of people were surprised Brightest Flashlight Free uses your unique Device ID
· 95% of people were surprised Brightest Flashlight Free uses your location

Analysis of Horoscope for Android

Category: Lifestyle
Price: Free
Check your complete horoscopes for today, tomorrow and much more!
Horoscope: The official Horoscope from horoscope.fr now available on your Android phone! 100% FREE, 100% PRO!

Used by
Device ID
Used for indexing users


App analytics
Other 3rd-party libraries app uses

Privacy Analysis

· 80% of people were surprised Horoscope uses your unique Device ID
· 80% of people were surprised Horoscope uses your location

Analysis of Shazam for Android

Shazam Entertainment Limited
Category: Music & Audio
Price: Free
Hear a song you don't know? Shazam identifies it instantly. Free and Unlimited.
Faster tagging. Now discover, explore and share more music, TV shows and brands you love in as little as one second.

Used by
Device ID
Used for indexing users

Mobile ad optimization
Mobile ads and campaigns
Owner of app, for tagging songs
Other 3rd-party libraries app uses

Privacy Analysis

· 60% of people were surprised Shazam uses your unique Device ID
· 80% of people were surprised Shazam uses your location

Analysis of Talking Tom Free for Android

Outfit 7
Category: Entertainment
Price: Free
Tom is your pet cat, that responds to your touch and repeats everything you say.
★★★ A Cat That Talks? ★★★
Talking Tom repeats everything you say with a funny voice. You can pet him, poke him, you can even grab his tail.

Used by
Device ID
Used for indexing users

Other 3rd-party libraries app uses

Analysis of Backgrounds HD Wallpaper for Android

Stylem Media
Category: Entertainment
Price: Free
Backgrounds - more than 10,000 Wallpapers, Add your own Photo and customize!
10,000 awesome unique designs.
New Backgrounds added daily.

Used by
Used internally for assigning contact photos

Device ID
Used for indexing users

Other 3rd-party libraries app uses

Privacy Analysis

· 60% of people were surprised Backgrounds HD Wallpapers uses your unique Device ID
· 90% of people were surprised Backgrounds HD Wallpapers uses your contact list