The following is a preliminary program, subject to change.
Buses will depart at 5:15 pm for our dinner cruise, which leaves
from the Kirkland City Dock at 6 pm. Tickets
(included in registration) are required for the cruise. The cruise
will return to the dock by 9 pm and buses will return to
the conference hotel and the Microsoft Commons. We will be cruising
the waterways of Lake Washington and Lake Union. Guests will enjoy
the beautiful scenery, views of Mt. Rainier, the University of
Washington Husky Stadium, and homes of Seattle's rich and
famous. You will also see the historic houseboat community including
the "Sleepless in Seattle" houseboat, and the view of downtown Seattle.
The SOUPS ice cream social will be held at Microsoft Research
(building 99). From 3:30 to 4:45 pm, laboratory tours will leave every 15
minutes from the building 99 atrium. Each tour will last about 15 minutes.
The Microsoft laboratory tour will be conducted by Stuart Schechter and Jess Holbrook. Stuart is a Researcher at MSR and SOUPS program co-chair. Jess is a UX Research Lead on the Windows team who serves on the Trust User eXperience (TUX) advisory board. We will tour a laboratory in building 99, the heart of Microsoft Research Redmond. Topics to be discussed will include:
Adam Shostack, Microsoft - Engineers are People Too
In "Engineers Are People, Too" Adam Shostack will address an often
invisible link in the chain between research on usable security and
privacy and delivering that usability: the engineer. All too often,
engineers are assumed to have infinite time and skills for usability
testing and iteration: time to read papers, adapt research
ideas to the specifics of their product, and still ship cool new
features. This talk will bring together lessons from enabling
Microsoft's thousands of engineers to threat model effectively,
share some new approaches to engineering security usability, and
propose new directions for research.
Adam Shostack is a program manager in Microsoft's Trustworthy
Computing Initiative, where he's focused on security and usability.
He's a veteran of several successful startups, a co-founder of the CVE
(Common Vulnerabilities and Exposures) project, and co-author of the
acclaimed The New School of Information Security.
New Research Tools: Crowdsourcing and Cloud Computing
Researchers can now "outsource" work or service infrastructure to
Internet-based services, such as Amazon Mechanical Turk, Amazon EC2,
or CrowdFlower. What benefits can these services offer to
researchers? When are these services appropriate or inappropriate?
This panel will discuss best practices for deriving useful results
from these services. It will also debate the implications of
allowing research data, particularly human subjects' data, to reside
in the cloud.
Sharon Chiarella
Vice President, Amazon Mechanical Turk
Sharon Chiarella joined Amazon in December 2007 as Vice President of
Amazon Mechanical Turk, an online marketplace for outsourcing work.
Sharon has over 20 years of experience developing and managing
innovative high-technology products and businesses with over 15 years
focused on Internet technologies and connected devices. Prior to
joining Amazon, Sharon was Vice President of Product Management and
Business Development at Presto Services, a Kleiner Perkins funded
startup. Sharon has held leadership positions at Yahoo!, Microsoft
and Kodak. She developed the business plan, prototypes and early
partnerships for Yahoo!’s connected device business; ran Microsoft's
WebTV and MSN dial-up businesses; led Product Management for
Microsoft's first DVR product (UltimateTV) and created the business
plan, developed and launched Kodak's online photo business. Sharon
earned her bachelor's degree in computer science from Manhattan
College and her MBA from Harvard Business School.
Founder and CEO of CrowdFlower
Founded in 2007, CrowdFlower provides Labor-on-Demand to help
companies outsource high-volume, repetitive tasks to a
massively-distributed global workforce. Before founding CrowdFlower,
Lukas was a senior scientist and manager within the Ranking and
Management Team at Powerset, Inc., acquired by Microsoft in 2008. He
led the Search Relevance Team for Yahoo! Japan after graduating from
Stanford University with a B.S. in Mathematics and an M.S. in Computer
Science. Recently, Lukas won the Netexplorateur Award for GiveWork - a
collaboration with Samasource that brings digital work to refugees
worldwide. Lukas is also an expert level Go player.
Dave Dittrich
Senior Security Engineer and Researcher, University of Washington
Dave Dittrich is a security researcher at the Applied Physics
Laboratory at the University of Washington. Dave has a long history of
dealing with computer intrusions and security operations and has
expertise in computer forensics, botnets and the
ethical/legal/technical issues associated with responding to computer
attacks. Dave also sits on the UW's Institutional Review Board
Committee K (combined behavioral and biomedical research) and has
written several documents that deal with ethics in computer security
research. (See http://staff.washington.edu/dittrich/)
Lee Tien
Senior Staff Attorney, Electronic Frontier Foundation
Lee Tien is a senior staff attorney with the Electronic Frontier
Foundation specializing in free speech, privacy and security issues.
As part of his practice, he represents security researchers and works
on legal/ethical policy relating to cybersecurity research.
Patrick Gage Kelley
Ph.D. Student, Carnegie Mellon University
Patrick Kelley is a Computation, Organizations and Society Ph.D. student in the CyLab Usable Privacy and Security (CUPS) Lab at Carnegie Mellon University. His work centers around designing interfaces to help users control and understand privacy policies and settings. His research towards "Designing a Privacy Label" has been selected as one of the top three pieces in the ACM Grand Finals for 2010.
Privacy, Security, and Public Policy
Discussion leader: Janice Tsai, California Council on Science and Technology, CA Senate
The last year has been a time of significant focus on privacy. Congress has held several hearings regarding online privacy, and the FTC has become involved in issues related to online privacy, behavioral advertising, and privacy and security in cloud computing. How effective has this attention been? What kinds of issues are being discussed, and which issues are actually being acted upon? This breakout session will discuss privacy and security as public policy issues, and how and what should be passed into law.
IRB and HCI-Sec Research
Discussion leader: Simson Garfinkel, Naval Postgraduate School
Increasingly, security researchers at universities in the US and abroad are focusing on the importance of the user, and usability research, especially field research, invariably requires the involvement of human beings. In the US such research is governed by the Common Rule (45 CFR 46) and enforced by Institutional Review Boards. (Outside the US, research is typically governed by Ethics Boards that serve much the same function.)
For example, a significant amount of important research in computer science is performed using electronic mail archives as a data source. Many researchers have traditionally used email messages that they have personally received from friends and correspondents as the basis of their work. A significant number of publications are based on personally received messages. It is relatively rare for computer scientists and linguists to receive IRB approval for the use of such archives. Is such approval required?
The Common Rule does not apply to data sets that are anonymous. But what about data sets that can be re-identified? Are embedded names in email headers and/or bodies considered sufficient for identifying research subjects? That is, does an email message that contains a name fail to meet the requirement of 45 CFR 46.101(b)(4) of being "recorded in such a manner that subjects cannot be identified, directly or through identifiers linked to the subject"? Is English text authored by the research subject considered an identifier that can be linked to the subject? There has been considerable work in the past 20 years on using authorship patterns such as word choice and grammar to determine the identity of an author.
This breakout session will discuss the difficulty of applying the current IRB regulations to computer security research and possible ways of approaching these issues. Particular attention will be paid to email archives, network packet captures, and the re-identification of apparently anonymous data sets.
Usable Security and Privacy for Mobile Devices
Discussion leader: Marc Langheinrich, Universita della Svizzera italiana (USI)
Integrating Usable Security and Privacy into Security Education
Discussion leader: Heather Lipford, UNC Charlotte
The importance of usability in security and privacy has been gaining acceptance in the security research community, but what about security educators? A number of faculty in our community have offered usable security and privacy courses at various universities. Yet these courses are still rare. So what should the "average" security professional know about usable security? There are countless educational programs in security offered at universities and in industry training. How should usable security lessons and principles be integrated into those programs? How can we as a community impact general security and privacy education? In this discussion session we will focus on these issues, and discuss our experiences and ideas on usable security education and training.
Health Security and Privacy
Discussion leader: Tadayoshi Kohno, University of Washington
Healthcare is going digital. An increasing amount of health information is being gathered, stored, and shared digitally. There are a variety of institutions advocating the wide-scale deployment of electronic health records. Google and Microsoft and others have introduced online personal health systems for individuals to manage their own information. Advanced medical devices will be gathering health information in the home and hospital. These devices will also be affecting patients' physiology. All of these systems have important security, privacy, and safety implications, and need useful and usable mechanisms and solutions. In this breakout session we will focus on the usable security and privacy issues in health care technologies. What are the current and future usability challenges and research questions for the variety of health systems that are being developed?
SOUPS 2010 is sponsored by Carnegie Mellon CyLab and Microsoft.