Step 73: Reflect on the Grace Hopper Celebration

It’s been two weeks since GHC, and I want to reflect on the experience a little. I have been to other smaller conferences – namely, the Wonder Women Tech conference/expo in July – and to be honest, that event left a bad taste in my mouth. There were too many “motivational” stories and not enough dissection […]


So You Want to Hack the Planet – Demystifying Careers and Opportunities in Cryptography, Security & Privacy

Speakers:
Eleni Gessiou (Security Engineer, Facebook), Natalie Silvanovich (Security Researcher, Google), Nadia Heninger (Magerman Term Assistant Professor, UPenn), Sandy Clark/Mouse (PhD student/Senior Research Staff, UPenn)
Moderator: Sarah Harvey (Security Software Engineer, Square)

This session was a path-breaker in its own way, because security wasn't a subject that was talked about much at previous Grace Hoppers. Each of the panelists gave a brief introduction, talking about what she does in the security field. Nadia's main area of research is applied crypto, particularly in breaking crypto :-). Most of her work involves network security and sometimes, applied mathematics. She loves the fact that security/crypto span the whole CS stack, giving her the opportunity to work on a broad swath of problems. Eleni, who is a security engineer at Facebook, works on detecting suspicious behavior on FB. Natalie works at Google, on Project Zero, where her main task is to find zero-day attacks. She got into security quite by accident - first through a high-school project and then by applying for a junior hacker position while at university. Sandy Clark (whose hacker handle is Mouse) has had a long-standing interest in ethical hacking and cybersecurity in general. Her interests are wide-ranging, but to sum up, she spends her time figuring out how systems actually work as opposed to how they were designed to work.

Sarah kicked off the discussion by asking the panelists about the social/technical challenges they face in the field of security/privacy. Mouse is concerned about how to measure security - there are no laws to figure out how to use technology in a sufficiently secure way while benefiting individuals. There are a ton of security problems other than just "Is there a bug in my code that someone can exploit?". One of the things that Natalie finds in her day-to-day work is that finding zero-day exploits is incredibly taxing and difficult. On a larger scale, code is error-prone; that's just a fact; but how to make sure that developers avoid making security bugs, and how orgs can teach their developers this, is something that hasn't been fleshed out. In her work at Facebook, Eleni has to deal with people from different backgrounds and cultures, and finds that it becomes difficult to make sure that bugs are effectively communicated. Often, Facebook ends up having to provide tailored solutions for each problem, rather than providing a holistic solution. Nadia's main concern is the field of crypto. For a while, folks were complacent about crypto, believing that we had good algorithms that were hard to break. But the Snowden docs revealed that there's a lot more to the security/crypto field than just that. There has been at least one crypto standard that was revoked in the recent past because of allegations that there were backdoors introduced by the NSA. So now the question is what do we do if those algorithms that we thought were fool-proof actually have backdoors? What do we tell users, and how do we get governments to do the right thing?

Sarah's next question was what the biggest vulnerability in authentication protocols used on the Internet is. Mouse's answer - users. Natalie believes that the biggest problem is when people try to roll their own crypto. Eleni and Nadia both point to phishing and passwords.

The next question was what the central themes in security are in terms of job opportunities. Natalie's answer: product security folks (review people's code, try to secure products), product managers (who work with customers to figure out security requirements), customer response engineers, security development, etc. Eleni added that there are also teams that work on protecting corporate assets vs those who try to protect users. Mouse believes that there are several areas of interest - social engineering, bio-hacking, hardware hacking, malware detection, etc. Sarah added that pen testers also play a big role in securing products.

An audience member asked if there's a way to bridge the gap between security developers and policy makers. Nadia and Mouse find that crypto conferences are usually very effective in doing this, since security researchers, companies and government agents all tend to gather there. Mouse also suggests that anyone who is interested should get in touch with local politicians to become a technical advisor in the field of security.

Another audience question was how to make sure that there's a balance between the amount of data that's given out and keeping that data secure. Nadia believes that crypto's not the answer, but regulation is. Mouse is currently involved in research in this very area, and recently wrote a law review paper on this. She believes that regulation is necessary to bring together the three different stakeholders - individuals who give out the data, companies that collect the data for their business model, and the government.

Some security hygiene principles that the panelists recommend: using strong passwords for every site, disk encryption, using 2-factor authentication, ensuring that communication is encrypted end-to-end, and applying security patches on a regular basis.

Another question was how security can best be incentivized - should products be given security ratings? Nadia answered that at some point, security policy is going to have to become like health policy. This is a long-term problem that only governments can solve - perhaps the FTC can start going after organizations that are notoriously lax in security practices. Natalie agrees, and believes that coming up with security metrics is going to be a difficult and long-drawn-out process.

The panelists were then asked to name what they love, and what they hate most about their jobs. Mouse said that she has had to get used to failing a lot and being frustrated - but all of that is dwarfed by the awesomeness of getting things to work. Natalie loves that she gets to play with lots of cool new technology - but then the stressful part is filing bugs and having to deal with people who are frustrated by those bugs :-). Eleni finds it fulfilling that she gets to use her tech skills to actually do good for other people. Nadia likes being able to break crypto - something that's a total breakaway from her image as a quiet, good kid back in school :-). She finds it especially rewarding that as an academic, she actually gets to talk openly about all the research that she gets to do.

To get into the security field, the panelists recommended taking courses (even online ones), attending hackercons, or participating in bug bounty programs (the best part - you get paid for finding bugs! :-)). One could also start contributing to open-source software, or even just apply for a job in the field.


Wednesday Opening Keynotes – Virginia Rometty

Dr. Sweeney's inspiring talk was followed by the 2016 Technical Leadership ABIE Award presentation - to Dr. Anna Patterson, VP of Engineering, Artificial Intelligence at Google. Dr. Patterson's acceptance speech was full of amusing little anecdotes (for example, how she had to manually toggle bits to debug at her first job, working on planes - debugging and IDEs have come a long way since then!), but perhaps one of the most touching moments was when she paid tribute to her grandmothers and great-grandmother for being women leaders in their own right, showing her great-grandmother's poll tax receipts from voting.

Right after Dr. Patterson's speech was the Top Companies for Women Technologists award presentation. Top Companies is a program started by the Anita Borg Institute; it is the only data-driven benchmark for the technical workforce and shows which companies provide the most women-friendly work environments. This year, 60 companies participated in the program and were divided into one of two categories - change alliance and leadership index companies. The main things that distinguish leadership index companies (i.e., the best places for women to work at) from others are their flex time policies, formal leadership development programs for women, and formal gender diversity training for all employees. Also, this year's findings reveal that women now hold about 21.7% of technical jobs, up 0.9% from 2015. This year's award went to ThoughtWorks.

The keynote ended with a talk by Virginia Rometty, CEO and President of IBM. She started off by talking about what she believes is the biggest natural resource of the present - data. Not only has 90% of all the data out in the world today been created in just the past 2 years, but 80% of it is unstructured. Ms. Rometty believes that over the next 5 years, systems that learn using data are going to be increasingly important in the tech world. Given that, IBM is investing a great deal of its resources in the Watson systems, and has already partnered with healthcare firms like Quest Diagnostics in an effort to find oncology patients the best treatment possible.

Ms. Rometty also shared several anecdotes from her own life that led her to where she is today. She explained that her mother was perhaps the single biggest influence in her life, inspiring by example. Ms. Rometty's mother was a single mother in the 60s, a difficult situation back then, and even went back to school while working on a night job in order to take care of Ms. Rometty and her siblings. She also mentioned that she derived huge support from her husband. Early on in her career, Ms. Rometty was offered a job opportunity that rather overwhelmed her, coming, as it did, "too early". She was inclined to walk away in the belief that she needed more time and experience to gain the necessary skills. It was her husband, however, who pointed out to her that this was something a man would never have felt had the same opportunity been offered him, and urged Ms. Rometty to take the job on. Since then, she has never looked back :-). The biggest take-away from that anecdote is that growth and comfort never co-exist. So even if you are attacked by the "imposter syndrome", which women frequently are, take big challenges on and learn from them. Another life-lesson that she shared was that it is important to work on something that you are passionate about, and that you believe is bigger than yourself.

Ms. Rometty ended the talk by inviting on stage three inspiring women from IBM, who have become leaders in their field and juggle multiple responsibilities. Their advice to women - work on things that excite you, and always appreciate the people around you for everything they do.


Grace Hopper Celebration of Women 2016

Last week I attended the Grace Hopper Celebration of Women in Computing (GHC) where over 15,000 women engineers from all over the world gathered to learn from and network with each other. In case you didn’t know, Admiral Grace Hopper is the woman who invented the first compiler and pioneered the creation of high-level programming […]
