CYBERLAB STUDIES PLETHORA OF ISSUES
TECHNOLOGY, FROM PAGE 1:
vacy and has trained more than 75,000 people.
Biometrics, the science of using hard-to-mask physical attributes — like facial characteristics, fingerprints, retinal scans and DNA — is just one specialty. Cylab is also engaged in broader uses for AI, cryptography, network security and an array of other cybersecurity skills.
One of the first times Savvides and his group used his facial-recognition technology for something besides research was just after the 2015 Boston Marathon bombing. His lab took the blurry, low-resolution, surveillance image of the suspected bomber released by the FBI and, using AI technology, reconstructed the image and sent it to the bureau.
The next morning, the identity of Dzhokhar Tsarnaev, who was convicted of the bombing, was revealed. Savvides does not know whether his reconstruction helped the FBI, but “we were extremely surprised to see the resemblance to Tsarnaev that was constructed from the very low resolution, pixelated face that even our human brain cannot comprehend,” he said.
Savvides was also happy to demonstrate another gee-whiz technology — long-distance iris scanning. Rather than requiring that an eye be placed directly up to a scanner, the device he helped invent looks like a very large camera lens with a smaller one on top and wings of infrared lights on either side. It can identify people by their irises from as far as 40 feet away.
Like fingerprints, each person’s iris is unique; it stays the same as we age, and unlike fingerprints, cannot be scratched or covered up in some way short of removing the eye altogether. And fingerprints cannot be taken from a long distance.
In a video he made, Savvides showed how it would be possible for police officers to identify the driver of a car they’ve pulled over for a violation by capturing a detailed image of the iris as the driver glances into the side mirror and comparing it to their database of irises.
Then police would know whether the person was driving a stolen car, had a criminal record or was on a terrorist list — and might be dangerous — before walking up to the car.
It could also help speed up endless security lines at airports. Instead of a human agent taking a passport or a driver’s license and running it through a security check, the irises of travelers could be quickly scanned.
Of course, the potential for abuse makes some people wary of the technology. An article in The Atlantic magazine on the concept noted that “identification to a degree comparable to fingerprints at a distance is not something our social habits and political institutions are wired for.”
Savvides gets annoyed with such talk.
“We all want better computer and human relations — we’ve craved it for decades,” he said. “But biometrics and facial recognition are stigmatized by Hollywood.” Some of the Cylab work is focused on the threats that most affect people in their daily lives: password security.
Lujo Bauer, director of the university’s Cyber Autonomy Research Center, within Cylab, said his research showed that to avoid being hacked, a computer user’s passwords had not only to be complex, but long.
“A password that’s long and just slightly complex is stronger than a password that’s very complex but short,” said Bauer, an associate professor of computer science and electrical and computer engineering.
Just changing a few words or adding numbers in a password already used does very little to stop hackers, who can easily try thousands of variations of a password in rapid succession, he said. As everyone has been told repeatedly, the worst thing to do is reuse passwords from different accounts. That may be how many people’s accounts have been hacked.
One way to check if your account has been compromised in a data breach is to go to haveibeenpwned.com.
Other research from Cylab has discovered that, contrary to common assumptions, older people are less likely to be a target of phishing than 18- to 25-year-olds, perhaps because younger people are more likely to take risks, said Jason Hong, a professor at Carnegie Mellon’s Human-computer Interaction Institute
Much of cybersecurity is, as Kathleen Carley, a professor at Carnegie Mellon’s School of Computer Science, put it, “employing computer techniques to better understand society and employing our knowledge of society to better understand computer techniques.”
Her work is social cybersecurity — that is figuring out how to make social media “a free and open place without undue influence.” It is a subject that has become a major societal issue with the suspected Russian hacking of the 2016 election in the United States.
Most people, she said, do not realize the impact of bots, which are software applications that run automated tasks over the internet. The role of bots is to convince and direct individuals; it could be for relatively innocuous reasons such as marketing, but increasingly bots are used by organizations or governments to run schemes or sow discord on social media by creating or amplifying an existing conversation, making it more virulent and divisive.
The bots exploit how human brains are wired. People hear something repeated over and over, seemingly from many sources, and it soon seems like the truth.
“They are affecting the country’s values and beliefs,” she said.
One example, which Carley and her team discovered in 2015, was a bot used to persuade Syrians and those in the Syrian diaspora to go to a website to donate to charity for Syrians.
“We believe it was actually a money-laundering site for ISIS,” she said.
In that case, the bots, or botnet, which are bots connected together and controlled as a group, were identified simply through human detection. But AI researchers have now created algorithms to identify bots.
The one Carley and her team created is called bot-hunter.
Perhaps even more insidious are bots that generate and magnify discord on social media, “warping the information environment,” Carley said, and affecting everything from how people vote to what they buy to how they view others in society.
There are relatively few bots compared with real human accounts, but they are so active that their effect is far out of proportion to their size, she said.
One popular example is the big role bots played in the civil unrest in Ukraine in 2013 believed to have been fomented by the Russians, Carley said.
She and others are developing technological fixes, such as using AI to do automatic fact-checking, to identify bots and to identify posts with abusive language. But, she said, “the tools are in their infancy,” and technology alone won’t solve this problem. “Policymakers and the public have to be educated,” she said.
But technology can solve a lot, and that is why graduate students working with Cylab have helped create a digital cybersecurity game for those over 13 years old called picoctf, for Capture the Flag.
In its fourth year, the competition attracted more than 27,000 students from around the world this time, usually working in teams. It is played over two weeks and involves increasingly complex challenges — requiring high-tech solutions — to capture the flag. Only participants in the United States are eligible for the top prize — a visit to Carnegie Mellon and $5,000. But the prestige is high.
And while fun, it is also a way to encourage young people to think about a profession they may never have considered before.
“There’s a dramatic shortage of people in cybersecurity,” said Martin Carlisle, a professor and director of academic affairs at Carnegie Mellon who oversees the contest. “And we know the vast majority of students have picked their major by the time they get to college.”
So targeting middle- and highschool students, he said, is a way to get them excited about a career in cybersecurity before they’re already in college.
This year’s winner? Dos Pueblos High School in Goleta, Calif. It was the only team that solved every challenge, although thousands made significant inroads, Carlisle said.
“This was one of the few competitions I could access as a high school student,” said Carolina Zarate, who entered the contest in Maryland and who is now a graduate student studying information security at Carnegie Mellon.
She helps develop problems for picoctf and is also part of Carnegie Mellon’s competitive hacking team, which has won four of the last six competitions at the Def Con conference, considered to be the Olympics of hacking competitions.
For Zarate, the interest in cybersecurity was always there, but she said she hoped the challenge got more people involved.
“If you think how many new areas technology is touching — what if someone hacked self-driving cars or bitcoins?” she said. “I want my money and life to be safe.”