GHC12: Phd Forum 2 - Security

Enhancing security and privacy in online social networks
Sonia Jahid


Social networks have traditionally had some strange ways of dealing with security and privacy, and bring new challenges. How do we handle it if you leave a comment on a private photo and that later becomes public? Right now many networks would make the comment public, but does that make sense?

Sonia Jahid notes that one of the oddities of the social network is that traditionally we don't go through a 3rd party to talk to our friends, and some of the challenges towards a private and secure social network stem from that change. She proposes looking at a more decentralized model, but this forces us to make new decisions and answer new questions. For example, where is data going to be stored? (will I keep it myself? what if I'm offline?) What does access control mean for social networks? How do those models change if the network is decentralized? How can one efficiently provide something like a news feed for a distributed network?

I think one of the key insights of this talk is that while these questions may not seem that urgent for a facebook status update (what if you don't care about those?), many of these questions come up in other applications. For example, medical record sharing can be likened to a social network, where patients, doctors, hospitals, specialists, etc. all want to share some data while keeping other data private. And bringing the problem into the healthcare space brings other challenges: what if we need a "in case of emergency break glass" policy where if the patient is hospitalized while traveling, her medical data can still be accessed by the hospital that admits her. What if the patient wishes to see an audit listing everyone who has accessed her data? (How can we make that possible while keeping that information private from other folk?)

There's clearly some really interesting problems in this space!

Securing Online Reputation Systems
Yuhong Liu



Trust exists between people who know each other, but what if we want to trust people we may not know? This is the goal of reputation systems, but these ratings can be easily manipulated. Yuhong Liu points out a movie rating that was exceptionally high while the movie was during its promotional period, but fell rapidly once it had been out a while. Her research includes detecting such ratings manipulation.

For a single attacker, common strategies include increasing the cost of obtaining single userids, investigating statistically aberrant ratings, or giving users trust values, but all of these can be worked around, so Yuhong Liu's research includes a defense where she builds a statistical model based on the idea that items have intrinsic quality which is unlikely to change rapidly. She found that colluding users often share statistical patterns, making it possible to detect them.

One of the interesting things about this talk was a question from the audience about the complexity of this model: Because the first pass of the model uses a threshold to determine areas of interest in the ratings, we can avoid doing larger checks constantly and can focus only on regions of interest, making this much more feasible as far as run time goes. Handy!

On Detecting Deception
Sadia Afroz



Deception: adversarial behaviour that disrupts regular behaviour of a system

Sadia Afroz's work involves detecting deception three areas:
1. in writing where an author pretends to be another author.
2. websites pretending to be other webites (phishing)
3. blog comments (are the legit or are they spam?)

All of these are interesting cases, but I was most fascinated by the fact that her algorithm was fairly good at detecting short-term detection (e.g. a single article aping someone else's style) but had more difficulty detecting long-term deception like in the case of Amina/Thomas MacMaster. (This might be interesting to badgerbag?) Are long-term personas actually a different type of "deception" ?

---

All in all, lots of food for thought in this session. I've also uploaded my raw notes to the GHC12 wiki in case anyone wants a bit more detail than in this blog post.

Note: If you're one of the speakers and feel I accidentally mis-represented your talk or want me to remove a photo of you for any reason, please contact me at terri(a)zone12.com and I'd be happy to get things fixed for you!

How To Market Yourself With A Strong Technical Resume (Advice from the GHC12 career track)

This may have been the most directly practical of the sessions I attended! My raw notes are on the GHC12 wiki (and they're quite interesting, including a lot of questions from the audience) but here's some take home messages:

When job hunting, make sure to excel at the following:

(The speaker joked about this as "win all steps, all the time")

1. Resume and web presence

If you don't have an online presence, you can get passed over. Nowadays, this includes LinkedIn, and the speaker (as a LinkedIn employee) told us that filling in more information is generally better, and that your LinkedIn profile can be used to supplement a shorter resume with greater detail if you so desire.

2. Meeting the recruiter

A recruiter is interested in your passions, your fit with the company and company culture, so articulate your interests and show your personality!


3. Phone screen.

Be prepared and do research on the company. The worst thing is to be unprepared, so make sure you learn about the company and have questions ready. Show your passion during the interview, and let the interviewer push you in the right direction -- if you're not a great fit for one position, they might know of others. And make sure, even if you're not sure if you want the job that you treat it seriously: it's good practice and you don't know if you might want to apply for another position in the organization.

4. Onsite interviews.

For tech interviews, you need to be comfortable writing on a whiteboard, so practice doing it, and practice articulating your ideas as you write. This is the way to show your interviewer how you think!



When writing a Technical resume, make sure to excel at the following:
1. Fundamentals.

Make sure you've proofread and had others proofread for spelling and other mistakes, and make sure the formatting is organized and consistent.

2. What did you contribute or learn

Women especially want to focus on the team effort, but companies want to know about you, so focus on what you did to affect the outcome of a project. Make sure to differentiate yourself: don't just list skills, talk about how you applied them.

3. What value was added in the end result?

Think about the bigger picture and talk about how your work impacted the project, your company, the world. If you can, quantify what you did whether that's percent speed up, dollars saved, or increased value of the project.

4. Differentiate yourself, authentically

Highlight ways you stand out, especially as a leader. Did you take on additional responsibilities? Negotiate between two groups? Do exceptional community service? You shouldn't over-embellish, but make sure you demonstrate what makes you awesome and unique.

5. Does your resume convey your personal brand?

One way to check this is to have someone read it and ask them to summarize you in two sentences or 5 keywords. If what they say doesn't match up with what you'd hoped to convey, maybe you're sending the wrong message and need to revisit.


There were a lot of really interesting questions at the end of this session, and if you're interested my raw notes are on the GHC12 wiki, including all those questions.

Note: If you're one of the speakers and feel I accidentally mis-represented your talk or want me to remove a photo of you for any reason, please contact me at terri(a)zone12.com and I'd be happy to get things fixed for you!