Entries tagged with academia

Entry tags:

You can leave academia, but you can't get the academic spam out of your inbox

When I used to do research on spam, I wound up spending a lot of time listening to people's little pet theories. One that came up plenty was "oh, I just never post my email address on the internet" which is fine enough as a strategy depending on what you do, but is rather infeasible for academics who want to publish, as custom says we've got to put our email addresses on the paper. This leads to a lot of really awesome contacts with other researchers around the world, but sometimes it leads to stuff like the email I got today:

Dear Terri,

As stated by the Carleton University's electronic repository, you authored the work entitled "Simple Security Policy for the Web" in the framework of your postgraduate degree.

We are currently planning publications in this subject field, and we would be glad to know whether you would be interested in publishing the above mentioned work with us.

LAP LAMBERT Academic Publishing is a member of an international publishing group, which has almost 10 years of experience in the publication of high-quality research works from well-known institutions across the globe.

Besides producing printed scientific books, we also market them actively through more than 80,000 booksellers.

Kindly confirm your interest in receiving more detailed information in this respect.

I am looking forward to hearing from you.

Best regards,
Sarah Lynch
Acquisition Editor

LAP LAMBERT Academic Publishing is a trademark of OmniScriptum
GmbH & Co. KG

Heinrich-Böcking-Str. 6-8, 66121, Saarbrücken, Germany
s.lynch(at)lap-publishing.com / www. lap-publishing .com

Handelsregister Amtsgericht Saarbrücken HRA 10356
Identification Number (Verkehrsnummer): 13955
Partner with unlimited liability: VDM Management GmbH
Handelsregister Amtsgericht Saarbrücken HRB 18918
Managing director: Thorsten Ohm (CEO)

Well, I guess it's better than the many mispelled emails I get offering to let me buy a degree (I am *so* not the target audience for that, thanks), and at least it's not incredibly crappy conference spam. In fact, I'd never heard of this before, so I did a bit of searching.

Let's just post a few of the summaries from that search:

From wikipedia:

The Australian Higher Education Research Data Collection (HERDC) explicitly excludes the books by VDM Verlag and Lambert Academic Publishing from ...

From the well-titled Lambert Academic Publishing (or How Not to Publish Your Thesis):

Lambert Academic Publishing (LAP) is an imprint of Verlag Dr Muller (VDM), a publisher infamous for selling cobbled-together "books" made ...

And most amusingly, the reason I've included the phrase "academic spam" in the title:

I was contacted today by a representative of Lambert Academic Publishing requesting that I change the title of my blog post "Academic Spam", ...

So yeah, no. My thesis is already published, thanks, and Simple Security Policy for the Web is freely available on the web for probably obvious reasons. I never did convert the darned thing to html, though, which is mildly unfortunate in context!

Entry tags:

academia,
papers

Academic Notes: Superoptimizer -- A Look at the Smallest Program

Ages ago, I thought it would be a brilliant idea to write up stuff on the papers I read, much like I do book reviews, but then I promptly... didn't do it. But it's a new year with new papers, and here's the first for this year's seminar.

Photo: small toad by Scott* (Because tiny toads are adorable and compiler papers notes don't lend themselves to obvious illustration)

Superoptimizer -- A Look at the Smallest Program
Henry Massalin
1987

This is a neat little paper about optimizing assembly code. They took a program and then had the computer try to generate the smallest possible functionally equivalent version. The paper is super short and readable and filled with lots of very clever adding of registers and stuff to avoid program jumps and comparisons. They could get it to optimize only fairly small programs (12 lines of assembly), but it still seemed like a lot of these would be useful compiler optimizations and they're probably in use now.

Anyhow, it's three pages of explanation + two pages of cool examples they found, so if you're looking for a fun little bit of computing to read about to fill out some mind-expanding new year's resolution, this is an easy place to start.

Some questions we had in seminar that I don't know the answers to:

- What was the impact of this paper on modern compilers?
- Do we do any of this while compiling, or make use of the things they found in a preset kind of way?
- Has anyone tried to do this using modern computers / other assembly instruction sets?
- It seemed like there was a lot of adding... would it be possible to make reduced assembly instruction sets on the assumption that they will never be programmed by humans and thus can be super-optimal?

Entry tags:

academia,
work

On what I do

You may have seen this article on Peter G. Neumann: Killing the Computer to Save It. It was making the rounds a few weeks ago. (Note that you can read NYT articles without logging in if you turn on temporary cookies and then click the link.)

In case you were curious or maybe thought some of that sounded familiar, that is indeed the same DARPA grant that drew me to the US for this postdoc. I'm on CRASH or "Clean-Slate Design of Resilient Adaptive Secure Hosts." The article has a short mention of the stuff we're doing:

Clean Slate is financing research to explore how to design computer systems that are less vulnerable to computer intruders and recover more readily once security is breached.

Dr. Shrobe argues that because the industry is now in a fundamental transition from desktop to mobile systems, it is a good time to completely rethink computing. But among the biggest challenges is the monoculture of the computer “ecosystem” of desktop, servers and networks, he said.

“Nature abhors monocultures, and that’s exactly what we have in the computer world today,” said Dr. Shrobe. “Eighty percent are running the same operating system.”

Lessons From Biology

To combat uniformity in software, designers are now pursuing a variety of approaches that make computer system resources moving targets. Already some computer operating systems scramble internal addresses much the way a magician might perform the trick of hiding a pea in a shell. The Clean Slate project is taking that idea further, essentially creating software that constantly shape-shifts to elude would-be attackers.

That the Internet enables almost any computer in the world to connect directly to any other makes it possible for an attacker who identifies a single vulnerability to almost instantly compromise a vast number of systems.

But borrowing from another science, Dr. Neumann notes that biological systems have multiple immune systems — not only are there initial barriers, but a second system consisting of sentinels like T cells has the ability to detect and eliminate intruders and then remember them to provide protection in the future.

In contrast, today’s computer and network systems were largely designed with security as an afterthought, if at all.

That barely touches on all the cool stuff we're doing, since the article isn't exactly about our work at UNM & UVA, but it was pretty neat to see it in the news.

Entry tags:

More on Philosophy of Teaching

So, it turns out that not only do I dislike half the samples I can find online of good philosophy of teaching statements, I also hate everything I write on that front. But the deadline is today and my references have already sent in their letters, so I think I've just got to suck it up and submit what I have.

I am, however, pleased with the ideas in this paragraph on failure:

But perhaps the biggest lesson was about failure: Many students seemed to believe that any failure was a sign of fundamental, unfixable inadequacy, and this was especially toxic to the women and other minority students who were more likely to feel like imposters. But many self-taught programmers learn through experimentation and repeated failure, so we encouraged students to do this in tutorials and even celebrated ridiculous bugs together by encouraging the students to share them and help each other debug. The students who had difficulties at the beginning could see other students failing and then succeeding, and the change in their confidence levels was noticeable, as was the resulting change in what they attempted and what they achieved.

That's a little piece of what made teaching tutorials such a different experience from lecturing, and something I really loved watching happen every year.

Entry tags:

academia

Rating my scientific impact

A while ago, I saw a mention in a UNM newsletter about Google Scholar profiles and decided to give it a try. Like many people in my field, I already keep a list of publications on my website, but this had graphs! Citation counts! I wasn't too sure about this whole social-media-for-researchers aspects, but I like graphs.

I had totally forgotten about it 'till a few days ago when I got a reminder email, and upon looking at my profile I was pleased to see that my very first paper now has 60 citations. Sixty!

For context, the average citation rate in computer science was 3.75 from the period 2000-2010 (Source: Times Higher Education), and even the average citation rate for science in general was 10.81. So 60 seems awesome, even if average may be a weird number for something that I know is a power law distribution. Still, go me! I've got a few above-average papers, mostly the spam work (I was the first to apply artificial immunology to the spam problem, so subsequent people working in that space generally cite me) but I notice that SOMA's almost made it up to 30 citations, and that's the first of my papers in the web space.

It's still a pretty modest accomplishment in the grand scheme of things. Check out Paul's list or Steph's list if you want to feel small, but those are both totally amazing, exceptional people who run whole labs. For my weight class as a newly minted PhD, I'm happy enough, but I need to do more...

So now to take that pride and turn it into a totally awesome, citation-worthy paper summing up my remaining thesis work!

Entry tags:

The job hunt: What do I want to do next?

People have started to ask me what my plans are after I finish this postdoc, or rather the frequency with with I get asked has reached an arbitrary threshold, so I guess it's time to write about it. The short answer is that I'm not planning to start my job hunt 'till October at the earliest, but here's some more detailed information about my plans in case you, like many others, are curious:

1. I'm currently expecting to be at UNM 'till around Nov 2013, which would be the originally expected 2 years. The date's a bit flexible: the grant I'm on goes a little past that I think, and I can leave earlier if I have another offer that needs to start right away.

2. I'm focused on getting some publications out before I start the job hunt at all. I'm hoping to have results from the router work as early as next week, and I've got a plan for publishing my remaining thesis work, so at minimum I want papers for both of those to be out for review before I start looking.

3. My job hunting mode will probably kick off around the time of the Grace Hopper Celebration in October. That's not the greatest timing, but it's a good enjoy goal date for the papers to be out and the job fair and related resources available at GHC12 is an excellent opportunity that I don't want to miss. I'm happy to consider things that come up before then, but October/November is when I'll polish up my resume and start being active in my search.

4. I'd like to go back to Canada, but I do have a US visiting scholar visa that can be extended and transferred to another qualifying job. (It can be used for up to a total of 5 years, of which 2 are going to be used here at UNM.) There's some fascinating legalese around my current visa that makes Canada the easiest choice for my next job, but I'm not adverse to other countries.

5. I'm not committed to either academia or industry at this point, and I wasn't planning to make a more concrete decision on that 'till I have actual offers. You can expect me to be looking at a combination of academia and industry labs. I have one lab already on my shortlist after the last round of interviews. I turned down their offer of an on-site interview because I had decided on UNM, but if they're still taking on new hires when I'm done here I'd like to continue the process with them.

So I'm not looking yet, but do feel free to pass job leads my way if something comes up that you think would be up my alley.

Speaking of jobs... I *do* have a couple of friends looking for jobs more urgently than I am: One is a very talented programmer who's currently located in Halifax but willing to relocate, and one is an efficient mostly-windows systems administrator who's looking for a job in the Ottawa area. They're both around intermediate level, but given the job market they're willing to work more junior positions if that's what it takes. I'm happy to pass leads along or obtain their latest resumes if I can help make a connection!

Entry tags:

"[Being different] over a whole lifetime, adds up to an enormous amount of needless trouble."

I'm re-reading Richard Hamming's talk on You and Your Research because I felt like I needed the kick in the pants to do great work this month after some very busy months of doing necessary but not necessarily great things.

In this reading, I was struck by this anecdote:

John Tukey almost always dressed very casually. He would go into an important office and it would take a long time before the other fellow realized that this is a first-class man and he had better listen. For a long time John has had to overcome this kind of hostility. It's wasted effort! I didn't say you should conform; I said ``The appearance of conforming gets you a long way.'' If you chose to assert your ego in any number of ways, ``I am going to do it my way,'' you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble.

On a surface level, I've long believed this is true. I've been long primed in the art of social hacking, first by my father and more recently as a security researcher/hacker. Anyone can watch the subtle variations on how I dress on teaching days or days when I'm going to the bank and you'll note that I pay attention to fitting in to the environment and manipulating the way in which I'm perceived. But as a child of the Internet, more or less, my experimentation hasn't limited to physical presentation. Especially as a teenager, I spent a lot of time grossly mis-representing my age and gender as well and watching how that changed my interactions with folk.

But what gets me this time is the end of that quote: "[If you don't appear to conform,] you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble." Sometimes it's important to change the system, but sometimes you just want to get stuff done.

I can dress the part, but I don't generally change my gender presentation in real life. Is my female-ness adding up to an enormous amount of needless trouble over my lifetime given that I work in a field where that's going to make me non-conforming? I suspect it is, although I'm fortunate enough that my gender presentation is often canceled out by my racial makeup (Asian girls are totally good at math, don'tcha know?) so I can console myself by saying maybe it's not as enormous as it might have been. But not every person who doesn't fit the norm for their field has that consolation prize. Are we all paying the price of being different?

It's easy to get a little saddened by this. All that time explaining that no, I really am a techie, has added up to a lot of time I'm not having amazing conversations and doing great work. But before you get too saddened about how your hard-to-hide features like race/age/gender are affecting your ability to Do Great Things, you should stop and listen to Duy Loan Le's excellent 2010 Grace Hopper Celebration Keynote. In it, she talks about what she does to fit in to environments where she felt that letting go of her ego made it possible for her to get more good work done. I think it's really worth a listen, especially if fitting in isn't just a choice of what suit to wear for you.

Entry tags:

academia,
papers

Academic notes: "Detecting malware domains at the upper DNS hierarchy"

This is the first in my series of short notes on the academic papers I'm reading. This is a paper we read for seminar last week, and I chose to review it here not only because the results are interesting but also because it's a highly readable paper in case any of you get curious and want to read along with me.

Detecting malware domains at the upper DNS hierarchy
Antonakakis, M. et al, 2011

This paper is all about detection of malware using DNS. It turns out that while "normal" domains are accessed by machines that have patterns of geographical and network locations, malware domains are accessed by a bunch of zombie machines that could pop up anywhere on any network so the dns requests are a lot more random. So if you look at DNS, you can figure out what domains are being used by malware, and you can do it on the fly as domains change without needing a manually created blacklist.

It's a pretty neat trick. Malware authors could potentially get around it by adding in more clever requests -- doing something more like facebook or google which route you to "close" servers to provide good quality of service -- but until they do, this could be a handy supplement to existing malware detection. Reminds me a lot of greylisting that way.


@INPROCEEDINGS{antonakakis2011dnsmalware,
  author = {Antonakakis, M. and Perdisci, R. and Lee, W. and Vasiloglou II, N. and Dagon, D.},
  title = {Detecting malware domains at the upper DNS hierarchy},
  booktitle = {Proc. of the 20th USENIX Security Symposium, USENIX Security},
  year = {2011},
  volume = {11},
  pages = {27--27}
}

Entry tags:

academia,
papers

Paper reviews

One of the big problems of academia is that though we produce some amazing things, they're often not available, accessible, or even noticeable for the general public. That is, articles may cost money to read (unless you have access to academic journal subscriptions), interesting results get buried in dense scientific language, and often few people are talking about the results outside of academia (or sometimes even inside academia).

Last year, I committed myself to writing more book reviews to share what I read with others, and it occurs to me that this year, maybe I should make more of an effort to do the same with the scientific papers I read as well. The usual caveats apply: I've got my own set of biases in research just like I have taste in books, and it's entirely possible that I'll interpret results in ways other than they were intended.

This is something I did occasionally with my web security blog (and hoped to do more), but I'm currently reading papers about complex adaptive systems, biology, security, and more. So for now, these public paper reviews are going here right alongside my book reviews, and they'll be drawn not only from my own research interests but from the overlapping ones of my colleagues. I have a lead on a paper about railway design using slime molds, for example. You've been warned!

Entry tags:

On the subject of IPv6, security, committees, and carefully crafted understatement

One of the things I occasionally talk about at work is that my experience in the standards process completely destroyed any illusions I had about standards being made for the good of all[1]. Which is why this quote about the process of deciding on IPv6 amuses me so:

"However, many people felt that this would have been an admission that something in the OSI world was actually done right, a statement considered Politically Incorrect in Internet circles."

- Andrew S. Tanenbaum regarding the IPv6 development process in Computer Networks (4th ed.)

And since I imagine few of you follow my long-quiet web security blog (I didn't really feel like writing more on web security while doing my thesis or shortly thereafter), here's another quote that amused me from the same book:

... "some modicum of security was required to prevent fun-loving students from spoofing routers by sending them false routing information."

- Andrew S. Tanenbaum regarding OSPF in Computer Networks (4th ed.)

In case you're wondering what's up, I'm reading this textbook to brush up on my basic routing terminology with the plan to do some crazy things with routers in the future. It's quite useful for this purpose, but I keep getting distracted by how awesome Tanenbaum's writing is; you can see from his humour and deeper insights why his texts are considered standards in the field of computer science. I think the last time I was this struck by a textbook author was while reading Viega's Building Secure Software.

This sort of carefully crafted understatement is a huge contrast to the other book I'm reading currently, The 4-hour Workweek, which I'll probably review in a later post if I don't give up in disgust. (It's full of useful ideas, but the writing style is driving me nuts.)

[1] Standards are made for the goals of the companies involved in the committee. Sometimes those happen to be good for all, sometimes not, and the political games that happen were very surprising to me as a young idealist.

Entry tags:

Ants & the academic dream

When I was an undergraduate, I found that university really wasn't living up to my expectations of stimulating, interesting people and ideas.

But today, I was totally living the academic dream.

We had a visit from a leading expert on ant behaviour. This wasn't about computer ant algorithms; she studies real live ants. We started off the day with her talk on the Turtle Ants she's been studying in Mexico, a talk filled with pictures of ants and paths and grad students on ladders pointing at the trees. A talk filled with speculation about behaviour and patterns and analogies to search in computer networks and bifurcation of biological trees. Over the course of the day, the group talked ants, bees, simulations on the computer and using robots, immunology, flu and t-cells in the lung, patterns and theories. It was the kind of conjunction of ideas from multiple disciplines where things were just clicking and questions and potential experiments started getting debated.

Biochemistry from my scientist parents, ecology and field work from Macoun Club, immunology from the above plus my own master's research, algorithms from math and CS... I was pretty proud of myself for knowing the jargon pretty much across the board and being able to keep up. I love that I'm with a group where seemingly disjoint backgrounds are consistently recognized as a huge advantage, and my own particular background fits right in.

I learned a bunch about ants and flu today. My notebook is filled with doodles of ants and cells doing stuff. Apparently turtle ants, since they have paths in the trees, sometimes get the paths broken when the wind blows, and the ants just back up and wait for the wind to blow the branches back so they can keep going. I learned that swine flu's replication rates in cells are a hundred times higher than avian flu (and ~20 times more than regular flu) but avian flu does other things to suppress immune response. I learned some about how T-cells get into the lungs and find infection despite the fact that they don't seem to move fast enough to explain how well we handle infection. And I got to watch people putting ideas together in ways that might result in using experiments in ants to try to explain things that would be much harder to test in the lungs, and so many ideas that probably just couldn't happen anywhere else.

So if you've been wondering why the heck I moved here despite the many downsides about the US/desert/altitude/regional poverty/city, etc.... this is why: Cutting edge research at the conjunction of biology, computing, and maybe a few fields besides. Even if I decide to do something else once my contract is played out, this has already been amazingly worthwhile, and with my own project starting to take shape, I'm pretty sure it's just going to get better!

Entry tags:

Recent writings: privacy, young scientists, academia

Some fun recent stuff:

A WebInsecurity post on a Christmas-related privacy policy
A quick post about a girl who discovered a supernova (she's the youngest ever!)
A longer piece about a class of 8 year olds who got their scientific bee study published

And then some more sad stuff in the form of a round-up of the links I've seen lately about women leaving academia. Poignant for me given that I've got a contract that'll take me away from academia... although I'm actually leaving mostly for the "work that has impact" reason and not so much for the others.

And then one thing that I didn't write (but I wish I had):

Let's say that fighting sexism is like a chorus of people singing a continuous tone. If enough people sing, the tone will be continuous even though each of the singers will be stopping singing to take a breath every now and then. The way to change things is for more people to sing rather than for the same small group of people to try to sing louder and never breathe.

Isn't that just the way of it? Thanks Mary for sharing that one.

Entry tags:

Too asian?

A few weeks ago, Macleans (a popular Canadian weekly news magazine known for, among other things, its yearly university rankings) published an article claiming that top universities in Canada had become "too asian" and as a result other (white) students were feeling intimidated to apply. It's a pretty typical case of "meritocracy is great up until the white majority folk start losing out, in which case it's time for crying and wringing of hands!" QQ.

I only heard about it because I happened across an asian blog... and I don't normally read those, being not particularly strongly identified as asian. But I think it's worth sharing some quotes so you can get up to speed on this dubious piece of journalism and stereotypes:

Although university administrators here are loath to discuss the issue, students talk about it all the time. "Too Asian" is not about racism, say students like Alexandra: many white students simply believe that competing with Asians - both Asian Canadians and international students - requires a sacrifice of time and freedom they're not willing to make. They complain that they can't compete for spots in the best schools and can't party as much as they'd like (too bad for them, most will say). Asian kids, meanwhile, say they are resented for taking the spots of white kids. "At graduation a Canadian - i.e. 'white' - mother told me that I'm the reason her son didn't get a space in university and that all the immigrants in the country are taking up university spots," says Frankie Mao, a 22-year-old arts student at the University of British Columbia. "I knew it was wrong, being generalized in this category," says Mao, "but f–k, I worked hard for it."

You can see the original article and some commentary here.

( Quotes, commentary, responses, and what it means to be asian )And finally, the succinct response I liked best:

Too competitive? Psshh. You need to put down that Jager shot, pick up a book, and suck it up.

Entry tags:

academia,
gsoc

It's not thirteen weeks, it's three

Greg Wilson has this excellent post on Three Rules for Supervising Student Programming Projects. Anyone who ever works with students should probably read this, but I'm particularly enamoured of Rule #1, which puts something we've all known into a nicely concrete form:

Rule 1: It’s Not Thirteen Weeks, It’s Three

This was the hardest one for me to learn, and it’s almost always the hardest to get across to both students and their clients. University terms may be thirteen weeks long, but students are usually juggling five courses, and many have part-time jobs as well. That means they can only put eight hours a week into their project without sacrificing grades somewhere else. If you figure a full-time work week is 35 hours, that means students actually spend 8×13/35 = a bit less than three weeks working for you.

You can read the rest here.

Entry tags:

Visual Security Policy... or what Megashark and infographics have to do with web security

I've posted the web version of the presentation I gave at HotSec. I find it amusing, and so did my audience. Here's some sample slides to give you the, ahem, picture. This should be a 3x4 grid if you see it on my blog directly, but who knows what it'll look syndicated?

83% of web sites have had a serious vulnerability

64% of all sites have a security flaw right now

There are no restrictions within a web page

Separation between components can mitigate attacks

But not many web developers use encapsulation

Infographics make complex data easier to understand using visuals

Equations allow more detailed analysis... if you understand them.

The people who make web pages... are also the people who make infographics

The whole presentation I gave at HotSec is here.

Entry tags:

academia,
webkit

Coming to an understanding with WebKit

So, WebKit and I seem to have come to a temporary understanding. I will use xcode to edit things and take advantage of nice features like being able to right click and go to the definition of the property I'm inspecting. And then I will compile things using the build-webkit script and debug using debug-webkit (which is really just gdb). It's just not worth tracking down all the generated things that aren't quite being generated correctly when I use xcode right now.

This is not exactly ideal, but it'll do. I used to do a lot of debugging with gdb on the command line, so I'm perfectly capable, just pretty rusty.

On the bright side, I added some minor code and successfully stepped through it with the debugger, so things should be moving forwards again. And, bonus, I chatted with my supervisor and he had perfectly clever suggestions of other useful things I should be doing in parallel while my compiles are happening. (Changing a header results in a fairly lengthy recompile in webkit, so I've been trying to decide how to split my work day into two parallel tracks, and divide my attention accordingly.)

My other possible parallel project for this week may turn out to be rewrites on a paper. I'm supposed to find out today if it was accepted. I'm not sure how I feel about it -- I definitely want the paper to be accepted, but I've taken the work in a different direction since I wrote it, and I've got a weird time conflict that may see me giving two presentations in three days, in different cities, on entirely unrelated topics to very different audiences. So it makes my life a bit more weird if it gets accepted. It could be fun, though!

Entry tags:

Fatally flawed

I was browsing around, and found this article where someone is asking the author if she'll be putting her thesis online. She replied that she'd be using the ideas and reworking them to make them easier to read. "The writing style is pretty academic and not terribly accessible, which is a big criticism I make of feminist scholarship."

And here I had to laugh. Because you know one of the comments I got in my proposal defence? I got told that my thesis proposal was too much like a novel and basically too readable for a scholarly endeavour.

If you ever wondered why academics are so boring, now you know. ;)