
Jeremy Epstein - The Scope of Cybersecurity: A View Forward

BSides Orlando · 57:14 · 170 views · Published 2015-11
About this talk
http://bsidesorlando.org/2015/jeremy-epstein-scope-cybersecurity-view-forward

Day 2 Opening Keynote

Abstract

Thirty years ago the field of computer security was largely limited to operating systems security and network security, with cryptography a closely related topic but not integral to the field. Now it is far broader, covering not only technical topics but also a broad range of related areas, including many social science areas and usable security. In this talk, I'll give some examples of how social science affects the technical aspects of cybersecurity research, and how the two aspects need to work together going forward. I'll also describe how NSF funding is helping to move these fields together.

Bio

Jeremy Epstein is lead program officer for the National Science Foundation's Secure and Trustworthy Cyberspace (SaTC) program, NSF's flagship program for cybersecurity research. The SaTC program is the largest unclassified cybersecurity research program in the world, with over $75 million in annual funding and over 650 active research awards, covering the full scope of cybersecurity including social sciences, cryptography, software security, usable security, network security, cyber physical systems security, formal methods, and much more. Jeremy is on loan to NSF from SRI International, where his research areas include voting system security and software assurance. He is associate editor in chief of IEEE Security & Privacy magazine, and founder of the ACSA Scholarships for Women Studying Information Security (SWSIS) program. Jeremy has an MS from Purdue University in Computer Sciences, and is ABD from George Mason University in Information Technology.

Transcript [en]

...that NSA and NSF are two very different things. We're both in the government, two of the three letters are the same, very different animals. I commented to my wife that when I was a student I was very nervous when I had to get up in front of people and talk, and it's something that eventually does go away. It was driven home to me a couple of months ago: I was invited to give an hour-long talk at the National Academy of Sciences, which, if you're not familiar with it, is one of the prestige places where the Nobel Prize winners come around, and I was busy that week, and so I started working on my slides at 8:00 the night before. This is when I realized, I guess I'm not nervous getting up in front of people anymore.

So what I'm going to talk to you a little bit about today is a view of cyber security going forward. What you're learning about at this event today is a lot of what's going on today, and I'm trying to take you a little bit further into the future. William Gibson said the future has arrived, it's just not evenly distributed yet. If you're not familiar with William Gibson, it's worth taking a look at some of his books. The signs of the future are starting to emerge out of our research laboratories, our universities, places like here at the University of Central Florida, and I'm going to talk about some of the areas that I see, and that we at NSF see, things going forward. Gibson coined the term cyberspace. When I started working in the cyber security field 30 years ago, or almost 30 years ago, we just called it computer security or information security; we didn't have this cyberspace term. But that's the buzzword of the day, so we'll use that one.

So when I started my career I worked for this little organization called Bell Labs. How many of you have heard of Bell Labs? Okay. Bell Labs at the time was the premier place to work, and I graduated from a school nobody had ever heard of. In fact, I'll bet that none of you in this room has ever heard of where I did my undergraduate work: New Mexico Institute of Mining and Technology. Any of you heard of it? You have? What's wrong with you? I've never figured out how I got a job there; I didn't have the prestige, but I got the job. And in those days at Bell Labs people were talking about what they called convergence, and what they meant by convergence in 1980, '81, '82 was: we're going to get telephones and data to be the same thing. And it was like, huh, what are you talking about? It didn't make any sense, it was really far-fetched. And so maybe some of the ideas I'm going to talk about here today, maybe they're not that far-fetched. But when we talk about convergence today, some of these things we can do already and some of them are coming. So environmental sensing: we can have sensors for all sorts of things that are all connected to our computing networks. We know this is true. We have emergency response. I heard that someone was talking about quadcopters being demoed here today; I hope there's an FAA license for doing this. Tell me no... yeah. It's all coming together, which is really good. Smart devices, health devices. How many of you wear Fitbits or similar things? Not very many; I'm kind of surprised. I wear one; it motivates me to actually walk more instead of taking the elevators. People who have insulin pumps: I was at a meeting a couple of days ago in Berkeley with a gentleman who mentioned that he is a type 1 diabetic and he used to have an insulin pump, but then he looked at the security ramifications and stopped using an insulin pump and now manually injects himself with insulin because he's just scared of someone hacking his

insulin pump. And this is a guy who actually understands; he's not just paranoid. I say "just paranoid" because I think he is paranoid, I don't think anyone really is out to get him, but it's not an unreasonable question. How many of you heard about Vice President Dick Cheney and his implanted defibrillator? It was a defibrillator, not a pacemaker, I think it was. Anyway, you may have heard that his is not the standard off-the-shelf model. They turned off the remote programming capability because he had seen some research that one of our researchers, a guy named Kevin Fu, who at the time was at the University of Massachusetts Amherst and is now at the University of Michigan, had done showing that someone could remotely reprogram your defibrillator and cause you to accidentally have a heart attack. Now some people might argue that in the case of Vice President Dick Cheney that might not have necessarily been a bad thing, but we're not going to say that.

So our TVs, our thermostats. How many of you heard about the Samsung TV case recently? So someone tell me just real quick. Well, this is Sunday morning, everyone's tired, everyone would rather be in bed. What was the essence of the Samsung TV problem? It listens to you. It listens to you, so when you turn on the TV, you may have it on in the background, it's listening to you and it's uploading everything you say into a cloud system somewhere to interpret it, where you say "turn on CNN" or turn on whatever, Nickelodeon or whatever, or turn the volume up or down. But it's also capturing whatever random stuff is going on in the room. That freaked a lot of people out. But what if your light bulb is listening to you? Is that ridiculous? No. Are light bulbs smart? Yes. Yeah, there was a case a few months ago where someone figured out how to break into home networks via light bulbs. Huh. It turns out there's enough in some of the smart LED-based light bulbs, there's enough encryption technology that they communicate; the light bulbs talk to each other to say "I'm burning out" or whatever they say, I don't know what they say. And there was a weakness in there that you could jump through the light bulb, metaphorically speaking, and get onto a home network. So all of these things are coming together, and the threats are coming together too, and as the threats come together it's harder to escape them unless you do as a colleague of mine did and you live in a tent in the middle of Missouri. He still... I'm sorry, Missoura, excuse me, I apologize for my pronunciation. He does go into town and get on Facebook, though, which I haven't quite figured out: if he really wants to be that much off the grid that he lives in a tent in the middle of Missouri, why does he go into town? And he's not doing it because of money, he's doing it because he really wants to be off the grid. I don't quite get it. All of these things are coming together. How many of you use Facebook or similar? Oh come on, don't lie, everyone. There's a lot more that's coming together that Facebook can figure out by integrating your data with the data from all these other sources. And so as we put all these technologies together, we have to think about how do we prevent misuse, how do we democratize and scale. What happens in repressive countries? Have things like Facebook been used for good in repressive countries? Sure, the Arab Spring was hugely impacted and enabled by Facebook. But have they also been used to repress people? Absolutely. Repressive governments are monitoring social media and using them against people, and as we integrate all these technologies together the opportunities for both good and evil expand. We're going to build workforce capacity through these technologies, we're going to enable fairness and opportunity. So let me give you an example of that. So there's a

really good study that we funded out of my program at NSF by Alessandro Acquisti at Carnegie Mellon University. And what they did is they made up some fake identities; this is a technique that's well understood in social science circles. They made up fake identities on a couple of social network sites, one that's more typically social networking and one that's more professional social networking. You can sort of figure out what they are, but he never said; but you can figure it out. And what he did is he created two résumés on the professional one that differed only in a couple of factors, and then they would submit matching social networking pages that matched the two. And they used names that were unmistakable, that there were no other names. So it wasn't John Smith or Mary Smith; it was names that only one person in the entire world, if you Googled them, only one person had them. And he still won't tell me what they are, because he doesn't want me to accidentally use them and that would break their system. And so then they would do variations, and on one of the social network pages it would show a person holding a bottle of beer, and on the other one it would show them holding a can of soda with their friends. And on one of them it would show them hugging a person of the opposite gender, and on the other page hugging someone of the same gender. On one the person would be white, on the other would be African-American. On one it would be someone expressing their interest in going to a Christian church, and on the other would be expressing their interest in going to a mosque. And then they submitted these same résumés to real job openings and they measured what the results were: who got called, who of these fake people got called for interviews. It was really kind of interesting. They even got the registrar's office to agree to have fake transcripts, so that if anyone called up to check references, to check "is this really a student there and what's their transcript," they had the same fake transcripts, which is pretty amazing that they got that. And then they measured what happened, and the good news was it wasn't as bad as you thought; the bad news was, depending on where in the country the jobs were, there was still real discrimination. And again, the more we integrate all these technologies together, the more there's the opportunity to just discriminate among people. We have to change, we have to adjust our societal expectations and cultural norms.

So let me go into... well, I mean, the protocol stack clearly extends into social space, and we have to think about how do we prevent relying entirely on patching, because we can't patch some of these problems; we're going to have to re-engineer, redesign things. So let me mention Alan Kay, who is one of the pioneers in the computer science field, who said the best way to predict the future is to invent it. He was, or is, I can't remember if he's still alive, a fellow of the American Academy of Arts and Sciences, National Academy of Engineering, Royal Society of Arts, etc., etc., and he's played a key role at NSF in providing our oversight for many years. So our goal at NSF is to try to invent the future, and you say, what does a government agency have to do with inventing the future? So one of the projects that NSF funded, and I didn't have anything to do with this: the final report. The people who get NSF money have to submit annual reports and final reports, and the story, and it's probably apocryphal, is that the final report said "we started a company, it's doing pretty well." Well, the company is called Google. Did you just drop your phone? I did? Okay, okay. A lot of the inventions we take for granted are in fact things that grew out of NSF; not all of them do quite as well

as Google, but a lot of them do, and that's our goal, is to invent the future. So our goal is to invest in science. This is the 1946 act, I should remember the year, 1946 I think it was, that founded NSF and established the mission: to promote the progress of science, to advance the national health, prosperity and welfare, and to secure the national defense. So this is what, when we look at research proposals, this is our goal: to help America and the world over the long term. We're not trying to build products, we're trying to do research that's going to enable products; to transform the frontiers of science and engineering, stimulate innovation, address societal needs through research and education, and excel as a federal science agency.

So how does this translate into the real world? So how many of you are computer science majors or faculty or things like that? Most. What other majors are there in here? Computer engineering, I'm sorry, computer engineering, okay. What else? Digital forensics. Digital forensics, is that a separate department here? Yes. Computer science, engineering, okay. What else, anything outside computer science and engineering? Civil engineering. Civil engineering, that's still an engineer, okay, that's still part. So within mathematics and computer science NSF funds 76% of the basic research in the United States. That's a pretty huge percentage. The program that I lead, I don't have the percentage, but it's the single biggest computer security research program in the world. We have 670 active research grants, we have over a thousand faculty members and over 2,000 graduate students doing computer security research. That's a lot of research going on.

So, oops, so how do we do it? And I'm just going to talk for a little bit about how NSF makes decisions, because it's always black magic to people who have never been on the inside. So we put out these things we call solicitations. Solicitations is a nice way of saying "here's a broad topic we're interested in," in the case of my program, cyber security. We don't say "I want you to build me a widget that does this"; it's not like what you might have heard of as RFPs, requests for proposals. We give a broad topic and we say we're interested in stuff in this area, and you submit proposals, and they're not going to be comparable one to another, because you have an idea and someone else has an idea that's completely different; you're not trying to solve exactly... NSF gets over 50,000 proposals annually; of those, about 900 come into my program, about cyber security. We go through an open, transparent review process. What this means is we bring in peer reviewers, people like you, those of you who are faculty members, people who are like you're going to be for those of you who are students now. Not all from academia; people from industry as well. We bring those people in and we ask their opinions, and they give us their opinions, and we have review criteria: both the scientific merit and the impact on society, which we call broader impact. We get 40,000 reviewers a year, of which, I should know the number, about 500 or 600 of them are in my program alone. We have review panels where they discuss things, and everything goes to a program officer, someone like myself, who listens to what they have to say and decides, did the panel make the right recommendation? And then we usually do what the panel says, but not always; we say, well, the panel didn't know about this or the other, and then we make decisions. And we award about 10,000 awards per year; about 200 of those come out of my program, about 75 to 80 million a year out of my program, about 8 billion dollars out of NSF every year that goes into new research.

So let me tell you just a little bit about NSF and cyber security. We've been doing cyber security research, or we've been funding cyber security research, at NSF since about the year 2000. When I got into cyber security in 1988 my mother asked me whether there

was a future in the field. Wasn't clear; a little clearer now. In the late 1990s, Y2K. Any of you remember Y2K? A lot of you younger folks don't remember it. The concern was that when the clock struck January 1st, 2000, every computer in the world was going to stop, our electricity was going to go out, the airplanes were going to stop, etc. And basically the reality is that nothing happened; everything was okay, pretty much. There were a few minor cases. Why did nothing go wrong? Because the government and private industry embarked on a crash program to solve, to fix, all the problems before they occurred. We haven't done that with cyber security; we've been fighting all sorts of rear guard actions. And there's actually something going on right now in the news, if you read: there's a big debate between should encryption be regulated to allow law enforcement to catch bad guys, or should it be open to allow companies and individuals to protect their information. There's not a right and a wrong; it's weighing things.

So over the past 15 years we've had these various components: we started to secure our systems, we address policy issues, usability, workforce, etc. How many of you, incidentally, is UCF a Scholarship for Service program? Do you have one here? No, you don't, okay. So one of the things that those of you who go on to graduate school somewhere else might consider is, there's a Scholarship for Service, which is sort of like ROTC for the military. Scholarship for Service, the idea is the government pays your tuition and pays you money to live on, and in return you promise that when you graduate you will spend the same amount of time working, at least that amount of time, working for the government as a paid employee in a cyber security job. And then after you've met your minimum you can either stay or leave. And so that's sort of related to this, is helping to educate the workforce.

So as we've moved along in time we've got more and more interdisciplinary, and we've gotten more and more involved in things like Internet of Things and cyber physical systems, and more interested in trying to provide mechanisms to transition the technology into practice. So the biggest changes over the past few years have been to integrate the social sciences. And nobody mentioned that they were social scientists, psychologists, an economist, anyone like that in the room? Anthropologists, archaeologists? No, okay. It's an increasingly important topic, and I'm going to give you a couple of examples of that over the next few slides, because we have to consider all these different factors; it's not just technical. We have to redefine what it means to be secure. So the scope of the SaTC program, Secure and Trustworthy Cyberspace: anyone know what else SaTC stands for besides Secure and Trustworthy Cyberspace? Any TV fans out there? Sex and the City. Sex and the City, exactly. If you get bored with cyber security, it's Sex and the City, which is more exciting; it's more likely to get you a job, that's for sure. No, you don't want to finish that thought, okay. So here's the topics that we funded out of my program in 2014. This gives you a scope of what we see, the range of cyber security. It's not just technical stuff. Yeah, there's access control and applied cryptography, but there's anti-censorship: how do we detect what the Chinese are doing? And you heard about the Great Cannon? This was in the... yeah, the Great Cannon. Well, the Great Firewall has been around for a long time; the Great Cannon is new. There was a great article in the New York Times the other day; Citizen Lab put out a great report about how it works. The Chinese are deliberately injecting traffic into web browsing sessions to cause your devices to misbehave, to block things, etc., to launch... anyway. So there's all these different areas: psychology,

that's an important part of our program. Competitions: I know some of you participate in the ICPC, the International Collegiate Programming Competition, which is a general programming competition. There's also cyber security competitions; I don't know if you have any of those here at UCF. You do, CCDC. CCDC, right, okay. So we don't fund CCDC, which gets funded out of the Department of Homeland Security Science and Technology; we fund other competitions. So anyway, there's a bunch of those. We fund something called Build It, Break It, Fix It out at the University of Maryland, which is a really cool competition, and there's a healthcare one that I can't think of. Anyway, all sorts of hardware security, software, all sorts of things.

So let me talk about a few things where some of these topics are coming together: in cyber physical systems, social, behavioral and economic, etc. I'm going to skip that. Okay. So I was at a workshop at Berkeley Thursday and Friday; we were talking about, among other things, ethical hacking, and what hacking means. Hacking means changing things, learning about things, and so a lot of hacking is about just understanding, and the term originated at MIT back in the 70s, maybe even the 60s. So we have to hack things in order to learn about how they work. So I'm going to talk about a few of the projects that we fund at NSF in some of these areas. Obviously with 670 research projects I can't talk about all of them, but let me talk about a few transportation-related projects. So how do computers fit into transportation? Well, there's another term for a modern car; any of you heard it? A car is a networked computer that happens to have wheels and an engine. There are various ways to phrase it, but think about it. How many computers do you think there are in a modern car? And I'm not talking about a real low-end car, but sort of a mid-range to up-range car. Any of you, any ideas? Yeah, three? I'm sorry, how many? 635? I haven't heard a number that high, but I believe you. Do you, I mean, is there data, you have some examples of that? Okay, I'm certainly not going to disagree with you. It is certainly in the hundreds; what the exact number is is going to depend on the specific car. Even your remote control door entry is at least one computer, and there's many, many, many computers, and they're all networked together. Increasingly we're talking about smart roads. I live in the Washington, DC area; we have legendary traffic. People are proud of how bad our traffic is. You show up late to a meeting, you don't have to explain it, you just say "traffic" and everybody understands. You don't have to say "oh, there was an accident here," just say "traffic." If cars can communicate with each other, then we could keep all the cars moving faster, because they wouldn't keep hitting the brakes and accelerating; we could keep a steady flow and we can get a lot more cars through. Sounds great. What is the bad guy going to do when they have that? Cause cars to crash into each other, maybe. What I want to do, I don't want to cause cars to crash into each other; that slows everything down. What I want to do is, if I have two highways running parallel to each other, I want to tell all the cars, I'll call them Highway A and Highway B, I want to tell all the other cars "Highway A is a mess this morning, go get on Highway B," and then I'll take Highway A because there's no one there. That's a lot more fun than crashing cars into each other. Well, maybe, maybe not. Can I do the same, can I have impact on other forms of transportation, trains, planes? Certainly there are bad things that you can make happen, but there may be... detour your competitors, sure: make them think that there's bad weather that would cause them to

route planes the long way, burn more fuel, and cause them to be late, which causes passengers not to like that airline anymore. Sure, we can come up with a lot of scenarios, so there's certainly plenty of opportunities. So let's just talk about a few examples. So this is a project Yoshi Kohno of the University of Washington and Stefan Savage from the University of California San Diego and some of their students worked on, where they took apart a car, and you can Google this and there are some cool videos. This is about 5 years old; this actually was on 60 Minutes recently, this work. And it's kind of hard to see down here, but it says the speed is 140 miles an hour and it's in park. Is a car going 140 miles an hour? No, it's propped up on jacks, but they just modified the software; clearly they can change the controls. Another project, and this one I don't have any cool results on yet, but this one just started last year, by Ryan Gerdes at, excuse me, Utah State University, on how you get cars that are platooning, which is driving all together at the same speed to get maximum traffic, how you can prevent bad guys from breaking in and adjusting the speeds or causing bad things to happen. There was this workshop last year where a whole bunch of people got together from... we're in Washington, we have acronyms; that's one of the things that gets... we don't have a lot of manufacturing, but we manufacture acronyms. So this is National Science Foundation, Department of Homeland Security, Department of Transportation, the National Highway Transportation Safety Administration, and a few others. It gets scary: when you spend enough time in Washington you can give sentences consisting of nothing but acronyms, and I've done that, and it's scary. So we got together, actually I wasn't at this one, one of my colleagues went to this one, and talked about what are all the threats and issues going forward on transportation as everything gets computerized.

Let's see. Oh, this was the DARPA... how many of you have heard of DARPA? Most of you. Those of you who haven't, it's the Defense Advanced Research Projects Agency. Have any of you heard of this thing called the internet? Okay. The internet started out, I'm sorry, yeah, it's a bunch of pipes, I mean a bunch of tubes, a bunch of tubes. That was what, no, it wasn't Al Gore who said that, it was Ted Stevens, Senator Ted Stevens from Alaska; he called it a bunch of tubes. So before it was the internet, that was a bunch of tubes, it was the DARPANET or the ARPANET. So the Department of Defense funded the original technology, and DARPA still exists; their offices are two blocks from ours at NSF. We talk to them, I have a lot of friends who work there, and one of the programs they ran was this thing called HACMS, High-Assurance Cyber Military Systems. Kathy Fisher ran this, and what their goal was: you could identify any vehicle, where a vehicle could be a drone, it could be a car, it could be whatever, and how do you build one of these vehicles so the computing components can't be hacked? I'm not sure if I have a video. I do have a video here. If you haven't watched it... incidentally, the Google self-driving cars, some of it grew out of the DARPA Grand Challenge on self-driving cars, some of it came out of HACMS. So all this stuff is connected together. And so they were building cars that couldn't be hacked, and you saw the little video of the Cadillac; I'm sorry I don't have the sound on for that. Let's see, okay. This came out just the 9th of February, so about two months ago. Senator Markey, anybody know what state Senator Markey is from? I think New York, but I'm not sure. His staff did the survey; they sent

questionnaires to basically all the car manufacturers around and asked them can I hack your car what do you do to prevent me from hacking your car and one of the things that was kind of interesting is the only company that didn't respond was anybody know is it on here it's anybody know Tesla Tesla is the most computerized car there is they upgrade their by software downloads they fix bugs with software downloads and they were the only company that wouldn't tell Senator markting what they're doing for cyber security that doesn't mean they aren't doing anything it just means they Wen telling and and basically all the car companies have gotten religion in the past few years uh after the video that I showed

you well actually there's a much better video than the one I uh showed you there's one uh with Yoshi Kono and a couple of his students in a car that they they borrowed uh an abandoned Airfield and they reprogram the brakes and so that they can remotely cause the brakes to go on and off um and of course they only do it on a closed course and the the students and faculty members all wear helmets and everything like that just in case something goes wrong but um uh after that video and other things Senator Marky started to study and and there's legislation that I'm sure will be coming out of this to cause car manufacturers to start having to pay

attention uh to security just as software vendors do is there a difference between a car manufacturer and a software vendor no no there really isn't no I car manufacturers increasingly have labs in Silicon Valley because that's where the software industry is do you yeah oh I'm sorry Mar made a couple statements on mic Marky made statements on what I'm sorry mic things a little bit we interesting interesting I hadn't heard about that okay okay so there's a lot of interesting stuff in there um do you know how much your car tracks you more than you like I'm sorry more than you would like I have an example coming up um but we can also use some of

this stuff in positive ways. It's not just privacy-infringing, it's not just for causing your car to crash; we can also use some of these things to investigate the underground economy. How many of you occasionally get spam? Yeah, occasionally. It's gotten a lot better, and I'm going to tell you in a second why it got better a few years ago. Spam is actually an amazingly complex ecosystem, and it all runs in the dark side of cyberspace, and it turns out that spam is an integrated supply chain. Those of you who have been in industry may understand what I mean: when you buy a chair, the chair didn't come all from one place. The plastic came from the plastic factory, the cloth came from a cloth factory, the designers had to design it somewhere, it had to be assembled, it has to be shipped, all these different things, and how all those pieces fit together is a supply chain. In just the same way, spam and malware and things like that have a supply chain. You have somebody who has to distribute the malware, and the malware is going to cause computers to become, excuse me, to become spam generators, and then someone else has to do the criminal advertising, to find out the addresses to send the spam to, to send it to social media. Someone has
to create click fraud in ads and Alver, and people have to steal your identity once they get you to place orders on their fake websites. They have to get that money, they have to process it through a bank; they've got your credit card, they have to do something, they have to support the infrastructure. Do you know that spammers and those sorts of lowlifes have better IT support than almost any software company? They have a real financial incentive to make everyone happy. They are the best people at customer service. And so there's real hard science there, empirical science, studying this sort of stuff, figuring out how the bad guys work and how the money gets processed. And actually, I should address this: since we are the National Science Foundation, we do have to say where's the science, and the science in the case of spam, a lot of it is social sciences, economics and things like that, sociology. So money is the big driver right now. Allowing people to do things on the internet allows scaling up in a way that's never been possible before. If you want to do pickpocketing, pickpocketing is pretty easy, but the chances of being caught are pretty high, and there's only so many pockets you can pick a day. But if you do it online, you can automate the pickpocketing, and that's what's happening. It allows monetization at a scale that's never been possible before. And so what we see is this worldwide mapping: so there are users in the United States, and advertising is going to be, domain registrar in Russia, DNS servers in China, to web servers in Brazil, ads on to affiliate programs in Russia and Ukraine, the merchant banks I think in Malaysia, and so on, all these different countries. And this also makes it a lot harder to prosecute, because it's not just one country where you're going after the bad guys, it's a worldwide thing. So the question is, how
do you break this? And the answer is that you break it, let's see if I can get this to work, you break it by figuring out the weak spot. And I don't think I have the sound on here; I don't know if I can turn it on, this isn't my computer. Well, actually, you know, it's not going to work because I didn't plug the sound card into it. Can you turn it louder? We had bu system, yeah. I don't... sorry, let's not worry about it. If you're interested, you can look up Stefan Savage at UC San Diego, and he does a great talk about how they found the weak point in the spammers' network, which turns out to be how they process credit cards. And there were just a few places, a few banks, that processed almost all of the credit card transactions for all the spammers in the world. And then when the, I can't remember which government agency it was, but one of the government agencies saw the paper, read about it, did some investigations, and I think it was actually Visa, the credit card oversight organization, put pressure on those banks to stop processing spam transactions, and once that happened, then the amount of spam went down. Okay, I'm going to just
skip through these next few. So we're trying to get computer scientists and social scientists to work together, but I want to talk about some of this. This next one is kind of fun. Well, I guess I kind of talked about this part of it, but this one I did not talk about; this is a fun one. How many of you have a little device in your car that tracks how fast you go so you get better insurance rates? Any of you do that? They get advertised on TV. You have one? You think it's a good risk to get better insurance rates? Saves a few bucks, I'm sorry, saves a few bucks. It saves a few bucks, that's for sure, yeah. Anyone else have one?

So what this group at Rutgers University in New Jersey did is they said, let's... what this device does is it captures your speed, and they claim all it does is capture your speed, it doesn't capture where you go. So what's the privacy risk with that? So what they did is they used this technology, or this technique, called elastic pathing. They said, if we know where you started, and we assume you started at home, and the insurance company knows where your home is because that's where they send the bill, and they know how fast you went and when you started and when you stopped and things like that, can they figure out where you went? And it turns out, the short version is yeah, most of the time they can figure out where you went. Now, they don't know when you turned left, when you turned right, they don't have a GPS, they just know how fast you're going, but because of how streets are laid out, and they know where the map is, they can figure out where you went. Is that a privacy risk? Well, maybe not so much if all you're doing is commuting back and forth between home and work, but if you're going from home and then you're going to the bar and then you're going to work, or you're going to home and then to work and then to the bar and then to your girlfriend's house and then to your boyfriend's house and then you're going home, maybe there is a privacy issue. So it's some interesting results. You know, we have to sort of weigh how much of an issue this is, and each one of us is going to make decisions; some people, and in fact most people, will say it's worth it.

How many of you saw the study a few years ago where they were offering candy bars if you gave your password? Most people... Do you like chocolate? I like chocolate. Most people would. Now, one of the hard parts is knowing, did people actually give their real password in exchange for the chocolate bar, or did they say, oh, my password is XY123, just so they could get the chocolate bar, even if that's not the real password? So we don't know that, we don't have ground truth, but a large fraction of people were willing to give their password for a candy bar. Most people will say I'm worried about my privacy, but they will exchange their privacy for a discount at the grocery store, a chocolate bar for a password, or whatever. I'm starting to run out of time, but fortunately... okay, I'm going to skip to reverse engineering censorship. So this is a study that
looked at how the Chinese government does censorship, and what they allow and what they don't, and it turns out it's actually not as black and white as you might think. There's a lot of real intelligence to the censorship. And how many of you think it's only the Chinese who are doing censorship on the internet? Okay, what other countries do censorship? Lever, yeah. Any other countries? Throttling, throttling certainly counts, here in the US. Yeah, any others? Russia, India, Iran. Okay, okay, I want to challenge you: how about a Western country, a democratic Western country? In the back: France. France, United Kingdom, Australia. This is half, and some people would like the US as well. This is actually happening, and we can measure the impacts. Is it the right thing to do or the wrong thing to do? Well, you hear the director of the FBI saying we shouldn't have Tor because Tor is used primarily for child porn. I don't think that's actually true, but it is a form of censorship. Do we want that form of censorship? That's a policy decision we can have; we need to understand the technology that allows it and how people will respond to that technology.

We can observe large-scale internet outages; these happen periodically. And so there's monitors all over the place; this group called CAIDA at the University of California San Diego has sensors all over the place, and they can measure things, and then they can look at things retroactively, and you can see really interesting results. After we find out about attacks, then we can look retroactively and say, huh, if we had only known to look, we could have seen it happening six months earlier. So some of them are obvious: the Libyan outage during the revolution there; there was a Syrian outage recently; but there have been a number of these where a country just sort of drops off the internet suddenly. I want to talk about medical devices. There's not an awful lot of
this so far. I did mention, okay, so I mentioned the thing about Dick Cheney. So the thing about Cheney was kind of interesting, was this was a case of life imitating art imitating science. So it originated with the science: Kevin Fu and his team at the University of Massachusetts Amherst showed you could reprogram a pacemaker. The people on the Homeland TV show picked it up and turned it into a TV element, and then Dick Cheney, or the White House, picked it up, and they thought it was sort of a TV thing. But it actually, it was a TV thing, but it had its origins in science, which is kind of interesting, because TV and reality aren't usually quite so much based on science. So what they had done was they actually looked at a bunch of pacemakers and measured, depending on what your threat was, a person, a software radio, a programmer, what sort of things could you do, by whom. And Kevin Fu was at this meeting I was at earlier this week, and he said he has the largest collection of pacemakers in the world in his lab, and they measure all sorts of stuff. One of the hard things about measuring the security risks of a pacemaker is you have to compare it to how it behaves inside the human body, and they were doing things like they were putting the pacemakers inside a bag of hamburger meat and things like that, to measure the attenuating influences of the human body. And it turns out, when they finally got a chance to talk to people who are doctors and do research in the physical aspects, there's actually a scientific standard for what you use, and it's not hamburger meat.

So some of you, before we started, saw that I had a couple of copies of Control-Alt-Hack here. So this is a card game that was developed by one of our researchers to try to get high school students interested in the security field and understanding
what it means to work in the security field. And I have two copies of the game here, and I will give them to the two people who asked for it first: you get one and you get the other. And if you're really interested, and especially if you're a faculty member, send me an email and I can ship you one. I don't have a lot of them, I don't have hundreds of them, I've given away about a thousand, but I do have a few more. And I encourage you to play these and show them to high school students.

Capture the flag. So let's see, this is actually running, I think, this week, because one of the people who was supposed to be at the meeting I was at at Berkeley wasn't there because he was running this program. So, any of you played, well, who knows what a capture the flag game means in security? Okay, so about half of you. So the idea is there's a computer set up that has some data on it, or a service or whatever, and the idea is to break in and get that data and show that you've gotten it. Some of them, you can attack other people and steal the data back and forth, some of you can attack others, there's all sorts of variations, and I don't remember what the rules are for ISF. They've been running this for about ten years now, and it's a fun thing, it's a training thing. There are some, and you can see the names of some of the teams here; people have a lot of fun with it. I think it's a really good idea. I also have a problem with it: a lot of these sorts of games tend to turn things very macho, and when you turn things really macho, it has a tendency to discourage female participants, and we have a real shortage in this field of female participants. We're losing half of our potential scientists, and so I have a real problem with anything that further reduces that. So I'm really ambivalent about it, but they're a lot of fun for people who like them, and a lot of people learn a lot, but it's something to sort of keep in mind if you're thinking of inventing one: how do you invent something like this that doesn't turn off participants, that doesn't turn into a macho game?

So let me, so I have a few minutes for questions. Let me just mention that NSF is always looking for new ideas, as I said. I do about 200 new awards a year; the vast majority
of them do go to academics, but you don't have to be an academic. If you've got a really good idea and you're coming from a company, from a nonprofit research lab, or even in theory a student all by themselves, you could submit a proposal. I would in general not encourage it, but it's not prohibited. So if you've got the idea, and it's a really killer idea, do think about submitting it. One of the things about NSF funding that's different from, say, venture capital funding is, when it's over, you own it. We don't own it, we don't take an ownership stake like with venture capital money; when it's done, you own it, because our goal is for you to do great things. We are looking for cyber-physical systems research and security research, and most things I've talked about here today fit into one or both of those. And I mentioned earlier the CyberCorps Scholarship for Service program; UCF is not part of that, but when you guys think about going on to grad school, that may be something you want to look into. And I'm going to wrap it up there and take a few questions. We have, it looks like, about five minutes, if there are any questions.
Yes. If you go to the Control-Alt-Hack website you can buy it, you can buy it on Amazon, or you can send me an email, and I do have a few copies. I don't remember how much it costs on Amazon; it's not too expensive. I'm sorry? $34.99. $34.99, wow. Okay, so getting a free copy thrown at you is better, even if I had missed and hit you.

On the intellectual property part: umman tried to R Wild with uman that didn't happen that wasain but like Henry samai do you guys line you support a lot, how do you basically put up the Chinese C I got back, how do you Bic the Chinese between what's really government money and what's really running off that. That's a good question. For those of you who couldn't hear, the question was basically how does NSF deal with intellectual property ownership, and IP, yeah, the other IP. And the answer is that we punt. When we give the money to the recipient, which again is usually a university, they pretty much set the rules on whether the university owns it, whether their faculty own it, who they license it to; we don't really get involved in that. Because it's funded with government money, the government ends up with what's called government purpose rights, which means we can use it ourselves, but that practically doesn't have an impact for research, because the research isn't far enough along. The government doesn't want to buy research, the government wants to buy products, and so it doesn't have any practical impact. So we sort of punt and leave that up to the universities to figure out. We do in some cases have a few strings associated with our research: like, we have a transition to practice option in my program, and if you take money from that, you have to agree to make any software open source. But that's not the case for most awards; that's just for that particular area. So it's a good question, and it's one we largely punt on. Okay, anything else? I know there's another talk coming somewhere else. Thank you very much for your time.
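The route-inference idea from the insurance-dongle part of the talk (a speed-only trace plus a known start point plus a map), worked through as an added example. This is not code from the talk or from the Rutgers "elastic pathing" research; it is a deliberately simplified version of the same inference. Everything in it is constructed for illustration: the toy road map (node names "home", "j1".."j4", "bar", "work" and their segment lengths), the 1 Hz speed-trace generator standing in for what a dongle would upload, and two matching assumptions (the driver comes to a full stop at every intersection, so each stop-to-stop leg is one road segment, and there are no U-turns). The second drive in the usage at the bottom shows the "most of the time" caveat: two segments of equal length leave the same junction, so the trace alone cannot separate them.

```python
"""Simplified route inference from a speed-only trace, in the spirit of the
Rutgers "elastic pathing" result.  Added example: the road graph, the trace
generator and the matching heuristics are all constructed for illustration."""
from itertools import groupby
from typing import Dict, List, Optional

Graph = Dict[str, Dict[str, float]]

# Constructed toy road map: node -> {neighbour: segment length in metres}.
# "home" is the start point the insurer already knows from the billing address.
ROADS: Graph = {
    "home": {"j1": 400.0, "j2": 650.0},
    "j1":   {"home": 400.0, "j3": 300.0, "bar": 520.0},
    "j2":   {"home": 650.0, "j3": 300.0, "work": 800.0},
    "j3":   {"j1": 300.0, "j2": 300.0, "j4": 300.0, "work": 450.0, "bar": 700.0},
    "j4":   {"j3": 300.0},
    "bar":  {"j1": 520.0, "j3": 700.0},
    "work": {"j2": 800.0, "j3": 450.0},
}


def synth_leg(distance_m: float, vmax: float = 10.0) -> List[float]:
    """Constructed 1 Hz speed samples (m/s) for one stop-to-stop leg:
    accelerate at 1 m/s^2 to vmax, cruise, decelerate at 1 m/s^2 to zero."""
    ramp_up = [float(v) for v in range(1, int(vmax) + 1)]
    ramp_down = [float(v) for v in range(int(vmax) - 1, 0, -1)]
    cruise_secs = round((distance_m - sum(ramp_up) - sum(ramp_down)) / vmax)
    return ramp_up + [vmax] * max(cruise_secs, 0) + ramp_down


def synth_trace(leg_distances: List[float], stop_secs: int = 3) -> List[float]:
    """What the dongle would upload: speed only, with a full stop between legs."""
    trace = [0.0] * stop_secs
    for d in leg_distances:
        trace += synth_leg(d) + [0.0] * stop_secs
    return trace


def legs_from_trace(trace: List[float], dt: float = 1.0) -> List[float]:
    """Split the trace on stops and integrate speed over each moving run,
    giving the distance driven between consecutive stops (no GPS needed)."""
    return [sum(run) * dt
            for moving, run in groupby(trace, key=lambda v: v > 0.0) if moving]


def candidate_routes(graph: Graph, start: str, leg_distances: List[float],
                     tol: float = 0.10) -> List[List[str]]:
    """Depth-first match of leg distances against the road map.  Assumptions:
    one segment per stop-to-stop leg, no U-turns, and a +/-tol length
    tolerance because distance integrated from speed is noisy in practice."""
    routes: List[List[str]] = []

    def walk(node: str, prev: Optional[str], i: int, path: List[str]) -> None:
        if i == len(leg_distances):
            routes.append(path)
            return
        want = leg_distances[i]
        for nxt, length in graph[node].items():
            if nxt == prev:  # no immediate U-turn (heuristic assumption)
                continue
            if abs(length - want) <= tol * want:
                walk(nxt, node, i + 1, path + [nxt])

    walk(start, None, 0, [start])
    return routes


def infer_route(graph: Graph, start: str, trace: List[float]) -> List[List[str]]:
    """End to end: speed-only trace + known start point -> candidate routes."""
    return candidate_routes(graph, start, legs_from_trace(trace))


if __name__ == "__main__":
    # Constructed drive home -> j1 -> j3 -> work: uniquely recoverable.
    print(infer_route(ROADS, "home", synth_trace([400.0, 300.0, 450.0])))
    # Constructed drive home -> j2 -> j3 -> (j1 or j4): the last leg is ambiguous
    # because two 300 m segments leave j3 besides the one we arrived on.
    print(infer_route(ROADS, "home", synth_trace([650.0, 300.0, 300.0])))
```

The privacy point is in `candidate_routes`: nothing here uses position, only the distances recovered from the speed samples and the insurer's knowledge of where the trip started. Tightening the map (real junction spacing is far less regular than this toy) shrinks the candidate set further, which is why a trace that "only records speed" still leaks where you went.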