The Saucer

The SaucerThe Newsletter of theCyLab Usable Privacy and Security (CUPS) LaboratoryIssue 6, Summer 2015ContentsPrivacy Engineering 1From the Director 2News 3Year in Review 4Recent Publications 6Dissertations & Proposals 7CUPS research sponsorsArmy Research Laboratory(ARL)Data Transparency LabDepartment of HomelandSecurity (DHS)FacebookGoogleMicrosoftNational Institute ofStandards and Technology(NIST)National ScienceFoundation (NSF)National Security Agency(NSA) Science of SecurityLabletPrivacy Engineering Masters Program TrainsStudents for Privacy JobsIn August 2014 we graduated the inaugural class of theworld’s first masters degree program in privacy engineering.Our first graduates have taken jobs at Google, Adobe,Oracle, eBay, and Linked-In.Co-directed by Norman Sadeh and Lorrie Cranor, theMaster of Science in Information Technology—PrivacyEngineering (MSIT-PE) degree is a one-year programdesigned for computer scientists and engineers who wish topursue careers as privacy engineers or technical privacymanagers. See http://privacy.cs.cmu.edu for moreinformation.Over the past several years, both industry and governmentorganizations have created positions for people responsiblefor ensuring that privacy is an integral part of the designprocess. These people have to understand technology andMSIT-PE ’15 student CameronBoozarjomehri asks a questionat CMU Privacy Day in January.be able to integrate perspectives that span product design, software development, cybersecurity, human computer interaction, as well as business and legal considerations.The MSIT-PE program includes two semesters of courses taught by leading academic privacyand security experts. Required semester-long courses include Privacy Policy, Law andTechnology; Information Security and Privacy; Foundations of Privacy; Usable Privacy andSecurity; and Engineering Privacy in Software. Students also participate in a privacy seminarheld throughout the Fall and Spring semester. Guest speakers this year included speakers fromGoogle, Yahoo!, American Express, the Federal Trade Commission, the National SecurityAgency, ICANN, and SpiderOak.The program concludes with a summer-long learning-by-doing capstone project, wherestudents are brought in as privacy consultants to work on client projects. Our first classcompleted capstone projects for Facebook, American Express, and the Future of PrivacyForum. Our second class is working on projects for Lufthansa and SpiderOak.Privacy IllustratedWe asked children and adults to drawpictures of what privacy means tothem. Browse these images on ourwebsite and contribute your own!cups.cs.cmu.edu/privacyillustrated1CMU faculty discuss their privacy research with FTC Commissioner Julie Brill at CMU Privacy Day in January.

The Saucer Summer 2015CyLabUsablePrivacy andSecurityLaboratoryhttp://cups.cs.cmu.eduCarnegie Mellon University5000 Forbes AvenuePittsburgh, PA 15213DirectorLorrie Faith Cranorlorrie@cmu.eduFacultyAlessandro AcquistiYuvraj AgrawalLujo BauerTravis BreauxNicolas ChristinJulie DownsCoty GonzalezJason HongNorman SadehMarios SavvidesFrom the DirectorAt the beginning of July I got an email from one of my firstPhD students, Ponnurangum Kumaraguru (COS PhD 2009),congratulating me on becoming an academic grandmother. PKis an assistant professor at Indraprastha Institute ofInformation Technology (IIIT), Delhi. His first PhD student,Aditi Gupta, defended her thesis on mitigating misinformationspread on Twitter. I love hearing about all the great things ouralumni are doing.I had the opportunity to catch up with several alumni duringmy visit to the Bay Area in June. I had coffee with MSIT-PE2014 alumni Adam Durity and Ziwei Hu at Google inMountain View. Adam also visited CMU last spring and gave aprivacy seminar talk. While in the Bay Area I met up with Aleecia McDonald (EPP PhD2010), but missed Serge Egelman (COS PhD 2009). Instead, I got to see Serge in July whenhe came to our NSA Lablet meeting in Pittsburgh. Serge recently started his own laboratory,the Berkeley Laboratory for Usable and Experimental Security (BLUES). Great name!A few of our PhD alumni are still in the Pittsburgh area. Rebecca Balebako (EPP PhD 2014)works for RAND and often comes to our CUPS seminars. Pedro Leon (EPP PhD 2014) hasspent the past year working for Stanford while located at CMU. Steve Sheng (EPP PhD2009) moved back to Pittsburgh, so I run into him periodically. Last spring he gave a CUPStalk about his work at ICANN. MSIT-PE 2014 alumna, Sakshi Garg, stopped by my officewhen she was on campus to recruit for Adobe at the TOC.And there is more news from our alumni (and current faculty, staff, and students) on thenext page….StudentsHazim Saleh AlmuhimediSekhar BhagvatulaJim GravesHanan HibshiDarya KurilovaShing-hon LauBin LiuAbby MarshBilly MelicherAshwini RaoSean SegretiStephen SienaManya SleeperJosh TanYuan TianBlase UrJason WiesePost-Docs & StaffMatthias BeckerleAlain ForgetPedro LeonAlessandro OltramariSarah PearmanFlorian SchaubJeremy ThomasTiffany M. ToddLeft top: Alumni Rob Reeder and Serge Egelmanavoid landmines at the DMZ. Left bottom: PhilipHuh takes the passwords team to dinner in Seoul.Right: Newly minted PhDs Pedro Leon, Rich Shay,and Rebecca Bakebako model their new lab coats atthe CUPS graduation brunch.2

The Saucer Summer 2015New AdditionsJason Hong’s daughter Zoey wasborn in July 2014.WeddingsMSIT-PE 2014 alum Adam Duritymarried Katherine Harrington in April.Adam is now working at Google inMountain View, CA.Daricia Wilkinson is a senior at theUniversity of the Virgin Islands. She isworking with Abby Marsh on teenprivacy and helping on other projects.Jonathan Bees, who worked onpasswords projects at CUPS lastsummer (and co-authored a SOUPSpaper), graduated from SciTech and isheading to Penn State this fall.Saranga Komanduri’s son Shreyaswas born in March 2015. Saranga isnow an Engineering Technical Lead atCivis Analytics.Michelle Mazurek’s daughterHannah was born in June 2014.Michelle is now an assistant professorat the University of Maryland.Alessandro Oltramari and his wifeLaura adopted Lady, an 8-year-old pitbull, from the Animal Rescue League.CUPS InternsRupal Nahar is a rising sophomore atCMU. She is working with Blase Uron developing data-driven browserprivacy tools.Brett Hubbard is entering 12 th gradeat South Side High School. He isworking with Blase Ur and AbbyMarsh on privacy notices for theinternet of things and teen privacy.Adam Buchinsky is an 11 th gradestudent at the Pittsburgh Science andTechnology Academy (SciTech).Maung Aung finished his bachelor’sdegree at CMU this spring and isworking with Blase Ur on a real-timepassword strength tool.Ashwin Srinvasan is entering 10 thgrade at Pittsburgh Allerdice highschool. He is continuing to develop hisaward-winning tool Privacy Tracker.Jerome Williams and JonathanTran, both rising 12 th graders atSciTech, are working with Blase Ur todevelop improved visualizations forpassword-strength meters.Alexander Butler and BrandonJabout, both 12 th grade students atSciTech, are working with Abby Marshon teen privacy tools.On the MoveRebecca Balebako (EPP PhD 2014)joined the staff at RAND Corporationin January 2015.Rich Shay (COS PhD 2015) is joiningthe staff at Lincoln Labs inMassachusetts in August.Kami Vaniea (CSD PhD 2012) willjoin the faculty of the University ofEdinburgh Scotland in August. Shewill be in the School of Informatics aspart of their growing security group.In Other NewsFlorian Schaub serves as technicalobserver of the Uniform LawCommission’s drafting committee onlimiting the use of social media inemployment and admission decisions.Peter Klemperer (ECE PhD 2014)spent part of last summer volunteeringat Techbridge, a non-profitorganization whose mission involvesproviding young women and girlsaccess to the computer scienceeducation and programming.Alessandro Oltramari and othersstarted the CMU group of Interest onOntology Studies.3

The Saucer Summer 2015Lorrie Cranor speaks at an NSF-sponsored briefingfor congressional staffJason Hong speaks about smartphone privacyissues at a briefing for congressional staff.Florian Schaub presents his research to FTCCommissioner Julie Brill at CMU Privacy Day.The Usable Privacy Policy team in spring 2015.Learn about the project at http://usableprivacy.org.Year in ReviewJuly 2014Alessandro Acquisti delivered a keynote at the 27 th Annual Computer SecurityFoundations Symposium.August 2014Team CMU, composed of members of the CUPS research group on passwords, tookfirst place in the “street” (non-professional) division of the 2014 DEF CON “CrackMe If You Can” password-cracking contest.The first class of the MSIT-Privacy Engineering program graduated.September 2014Blase Ur and mentors Jaeyeon Jung and Stuart Schechter were awarded Best Paper atUbiComp 2014 for “Intruders Versus Intrusiveness: Teens’ and Parents’ Perspectiveson Home-Entryway Surveillance.”October 2014Norman Sadeh and Anupam Datta coordinated CMU’s response to the NITRDRequest for Information on a National Privacy Research Strategy.Lorrie Cranor gave an invited talk at the Grace Hopper Celebration of Women inComputing.Lorrie Cranor and Jason Hong presented their research at Capitol Hill briefings.Jason Hong launched the http://privacygrade.org website that grades smartphoneapps’ privacy practices. The grades are based on research he conducted with NormanSadeh and their students analyzing the privacy of 1 million Android smartphone apps.November 2014Florian Schaub and co-authors received the Best Paper Award at the InternationalConference on Mobile and Ubiquitous Multimedia for the paper “PriPref Broadcaster:Enabling users to Broadcast Privacy Preferences in Their Physical Proximity.”Alessandro Acquisti delivered keynotes at the 77 th Association for Information Scienceand Technology (ASIST) Annual Meeting.Florian Schaub was one of four nominees for the 2014 CAST/GI dissertation awardIT-Security by the Competence Center for Applied Security Technology for hisdoctoral Dissertation “Dynamic Privacy Adaptation in Ubiquitous Computing.”Lorrie Cranor gave the closing keynote at the IAPP Practical Privacy Seriesgovernment event.December 2014Alessandro Acquisti delivered a keynote at the SPION Closing Workshop: “You AreNot Alone.”Lorrie Cranor, Rebecca Balebako, Manya Sleeper, and Darya Kurilova participated inDeep Lab at the CMU STUDIO for Creative Inquiry and developed the PrivacyIllustrated website http://cups.cs.cmu.edu/privacyillustrated/.January 2015The MSIT-Privacy Engineering program hosted CMU Privacy Day with guest speakerJulie Brill, Commissioner of the Federal Trade Commission.Lorrie Cranor was named a 2014 ACM Fellow for her contributions to usable privacyand security research and education.4

The Saucer Summer 2015Florian Schaub spoke on a panel on automated notice processing at theInternational Conference on Computers, Privacy & Data Protection in Brussels.February 2015Lorrie Cranor spoke at the White House Cybersecurity Summit.Ashwin Srinivasan, a 9th-grader at Pittsburgh Allderdice High School, received afirst place award at the Pennsylvania Junior Academy of Science (PJAS)Pittsburgh Regional science fair. At the Pittsburgh Regional Science andEngineering Fair (PRSEF), Ashwin placed third in Computer Science/Math in theSenior Division and won three special awards. He was advised by Blase Ur indeveloping the PrivacyTracker Chrome plugin.March 2015Lorrie Cranor gave a “game changer talk” at the IAPP Global Privacy Summit.Abby Marsh received a Facebook Fellowship to support her research on howparents and their teenaged children make privacy-related decisions about teens’use of the internet and digital technologies.April 2015Alessandro Acquisti was awarded an Andrew Carnegie Fellowship from CarnegieCorporation of New York.CUPS alumni Serge Egelman and Eyal Peer received an Honorable MentionAward for the paper “Scaling the Security Wall: Developing a Security BehaviorIntentions Scale (SeBIS) at CHI 2015.A mobile privacy nudging field study by Hazin Almuhimedi, Florian Schaub,Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Josh Gluck, Lorrie Cranor andYuvraj Agrawal,was featured in several press articles.Lorrie Cranor graduated from the ELATE @ Drexel leadership developmentprogram for senior women faculty in STEM fields.May 2015Norman Sadeh co-chaired the 2015 International Workshop on PrivacyEngineering.Lorrie Cranor helped write the Computing Community Consortium report“Towards a Privacy Research Roadmap for the Computing Community.”Jonathan Bees and Shane Cranor, 12 th -grade and 8 th -grade students at thePittsburgh Science and Technology Academy, received first place awards at boththe regional and state-level competitions of the PJAS science fair. Jonathanworked with Sean Segreti, Blase Ur, and the rest of the passwords research groupin examining users’ perceptions of password security. Shane worked with Blase Urto study listeners’ perceptions of compressed audio.June 2015Lorrie Cranor and Blase Ur received a grant from the Data Transparency Lab(DTL) for their work “Providing Users Data-Driven Privacy Awareness.”Jason Hong was named a 2015 National Cybersecurity Fellow by New America.Alessandro Oltramari received the “Above and Beyond” award for his work withthe Army Research Lab (ARL) Cyber-security CRA program.July 2015Lujo Bauer, Travis Breaux, Lorrie Cranor, Jason Hong, and Norman Sadehbriefed commissioners and staff at the Federal Trade Commission on theirprivacy research. They also presented a briefing to the Future of Privacy Forum.Abby Marsh presented a paper on teen privacy atSOUPS 2014. She won a Facebook Fellowship tocontinue this research.MSIT-PE students Scott Stevenson and Hsin Miao,and undergraduate Nathaniel Fruchter presenttheir class project on “Variations in Tracking inRelation to Geographic Location.” This team, alongwith Rebecca Balebako, presented their paper atthe 2015 IEEE Security and Privacy Workshop onWeb 2.0 for Security and Privacy.Lorrie Cranor was inducted as an ACM Fellow at anawards banquet in June.Norman Sadeh, Lorrie Cranor, Lujo Bauer, TravisBreaux and Jason Hong present a briefing to theFuture of Privacy Forum.5

The Saucer Summer 2015Recent PublicationsMost CUPS publications are available on the CUPS website. Thefollowing are a selection of publications from the past year.Privacy Decision MakingYour Location has been Shared 5,398 Times!: A FieldStudy on Mobile App Privacy NudgingH. Almuhimedi, F. Schaub, I. Adjerid, A. Acquisti, J. Gluck, L. Cranor, Y. AgarwalCHI 2015Smartphone users are often unaware of the data collected byapps running on their devices. We report on a study thatevaluates the benefits of giving users an app permissionmanager and sending them nudges intended to raise theirawareness of the data collected by their apps. Our studyprovides both qualitative and quantitative evidence that theseapproaches are complementary and can each play a significantrole in empowering users to more effectively control theirprivacy. For instance, even after a week with access to thepermission manager, participants benefited from nudgesshowing them how often some of their sensitive data was beingaccessed by apps, with 95% of participants reassessing theirpermissions, and 58% of them further restricting some of theirpermissions. We discuss how participants interacted both withthe permission manager and the privacy nudges, analyze theeffectiveness of both solutions, and derive somerecommendations.A Design Space for Effective Privacy NoticesF. Schaub, R. Balebako, A. Durity, and L. CranorSOUPS 2015Notifying users about a system’s data practices is supposed toenable users to make informed privacy decisions. Yet, currentnotice and choice mechanisms, such as privacy policies, areoften ineffective because they are neither usable nor useful, andare therefore ignored by users. Constrained interfaces onmobile devices, wearables, and smart home devices connectedin an Internet of Things exacerbate the issue. Much researchhas studied usability issues of privacy notices and manyproposals for more usable privacy notices exist. Yet, there islittle guidance for designers and developers on the designaspects that can impact the effectiveness of privacy notices. Inthis paper, we make multiple contributions to remedy this issue.We survey the existing literature on privacy notices and identifychallenges, requirements, and best practices for privacy noticedesign. Further, we map out the design space for privacynotices by identifying relevant dimensions. This provides ataxonomy and consistent terminology of notice approaches tofoster understanding and reasoning about notice optionsavailable in the context of specific systems. Our systemizationof knowledge and the developed design space can helpdesigners, developers, and researchers identify notice andchoice requirements and develop a comprehensive noticeconcept for their system that addresses the needs of differentaudiences and considers the system’s limitations andopportunities for providing notice.What do they know about me? Contents and Concernsof Online Behavioral ProfilesA. Rao, F. Schaub, N. SadehUbiComp 2014Data aggregators collect large amount of information aboutindividual users and create detailed online behavioral profiles ofindividuals. Behavioral profiles benefit users by improvingproducts and services. However, they have also raised concernsregarding user privacy, transparency of collection practices andaccuracy of data in the profiles. To improve transparency, somecompanies are allowing users to access their behavioral profiles.In this work, we investigated behavioral profiles of users byutilizing these access mechanisms. Using in-person interviews(n=8), we analyzed the data shown in the profiles, elicited userconcerns, and estimated accuracy of profiles. We confirmed ourinterview findings via an online survey (n=100). To assess theclaim of improving transparency, we compared data shown inprofiles with the data that companies have about users. Morethan 70% of the participants expressed concerns aboutcollection of sensitive data such as credit and healthinformation, level of detail and how their data may be used. Wefound a large gap between the data shown in profiles and thedata possessed by companies. A large number of profiles wereinaccurate with as much as 80% inaccuracy. We discussimplications for public policy management.PasswordsMeasuring Real-World Accuracies and Biases inModeling Password GuessabilityB. Ur, S. Segreti, L. Bauer, N. Christin, L. Cranor, S. Komanduri, D. Kurilova, M.Mazurek, W. Melicher, R. ShayUSENIX Security 2015 (forthcoming)Parameterized password guessability—how many guesses aparticular cracking algorithm with particular training data wouldtake to guess a password—has become a common metric ofpassword security. Unlike statistical metrics, it aims to modelreal-world attackers and to provide per-password strengthestimates. We investigate how cracking approaches often usedby researchers compare to real-world cracking by professionals,as well as how the choice of approach biases researchconclusions. We find that semi-automated cracking byprofessionals outperforms popular fully automated approaches,but can be approximated by combining multiple suchapproaches. These approaches are only effective, however, withcareful configuration and tuning; in commonly used defaultconfigurations, they underestimate the real-world guessabilityof passwords. We find that analyses of large password sets areoften robust to the algorithm used for guessing as long as it isconfigured effectively. However, cracking algorithms differsystematically in their effectiveness guessing passwords withcertain common features (e.g., character substitutions). Ourresults highlight the danger of relying only on a single crackingalgorithm as a measure of password strength and constitute thefirst scientific evidence that automated guessing can oftenapproximate guessing by professionals.6

The Saucer Summer 2015“I Added ‘!’ at the End to Make It Secure”: ObservingPassword Creation in the LabB. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, L. CranorSOUPS 2015Users often make passwords that are easy for attackers toguess. Prior studies have documented features that lead toeasily guessed passwords, but have not probed why users craftweak passwords. To understand the genesis of commonpassword patterns and uncover average users' misconceptionsabout password strength, we conducted a qualitative interviewstudy. In our lab, 49 participants each created passwords forfictitious banking, email, and news website accounts whilethinking aloud. We then interviewed them about their generalstrategies and inspirations. Most participants had a well-definedprocess for creating passwords. In some cases, participantsconsciously made weak passwords. In other cases, however,weak passwords resulted from misconceptions, such as thebelief that adding “!” to the end of a password instantly makesit secure or that words that are difficult to spell are more securethan easy-to-spell words. Participants commonly anticipatedonly very targeted attacks, believing that using a birthday orname is secure if those data are not on Facebook. In contrast,some participants made secure passwords using unpredictablephrases or non-standard capitalization. We identify aspects ofpassword creation ripe for guidance or automated intervention.A Spoonful of Sugar? The Impact of Guidance andFeedback on Password-Creation BehaviorR. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W.Melicher, and B. UrCHI 2015Users often struggle to create passwords under strictrequirements. To make this process easier, some providerspresent real-time feedback during password creation, indicatingwhich requirements are not yet met. Other providers guideusers through a multi-step password-creation process. Our6,435-participant online study examines how feedback andguidance affect password security and usability. We find thatreal-time password-creation feedback can help users createstrong passwords with fewer errors. We also find that althoughguiding participants through a three-step password-creationprocess can make creation easier, it may result in weakerpasswords. Our results suggest that service providers shouldpresent password requirements with feedback to increaseusability. However, the presentation of feedback and guidancemust be carefully considered, since identical requirements canhave different security and usability effects depending onpresentation.Telepathwords: Preventing Weak Passwords byReading Users’ MindsS. Komanduri, R. Shay, L. Cranor, C. Herley, and S. SchechterUSENIX Security 2014To discourage the creation of predictable passwords, vulnerableto guessing attacks, we present Telepathwords. As a user creates apassword, Telepathwords makes realtime predictions for thenext character that user will type. While the concept is simple,making accurate predictions requires efficient algorithms tomodel users’ behavior and to employ already-typed charactersto predict subsequent ones. We first made the Telepathwordstechnology available to the public in late 2013 and have sinceserved hundreds of thousands of user sessions. We ran ahuman-subjects experiment to compare password policies thatuse Telepathwords to those that rely on composition rules,comparing participants’ passwords using two differentpassword-evaluation algorithms. We found that participantscreate far fewer weak passwords using the Telepathwordsbasedpolicies than policies based only on charactercomposition.Biometric Authentication on iPhone and Android:Usability, Perceptions, and Influences on Adoption.C. Bhagavatula, B. Ur, K. Iacovino, S. Kywe, L. Cranor, M. Savvides.USEC 2015While biometrics have long been promoted as the future ofauthentication, the recent introduction of Android face unlockand iPhone fingerprint unlock are among the first large-scaledeployments of biometrics for consumers. In a 10- participant,within-subjects lab study and a 198-participant online survey,we investigated the usability of these schemes, along with users’experiences, attitudes, and adoption decisions. Participants inour lab study found both face unlock and fingerprint unlockeasy to use in typical scenarios. The notable exception was thatface unlock was completely unusable in a dark room. Mostparticipants preferred fingerprint unlock over face unlock or aPIN. In our survey, most fingerprint unlock users perceived itas more secure and convenient than a PIN. In contrast, faceunlock users had mixed experiences, and many had stoppedusing it. We conclude with design recommendations forbiometric authentication on smartphones.Social NetworksI Would Like To..., I Shouldn't..., I Wish I...: ExploringBehavior-Change Goals for Social Networking SitesM. Sleeper, A. Acquisti, L. Cranor, P. Kelley, S. Munson, N. SadehCSCW 2015Despite the benefits they derive from social networking sites(SNSs), members of those services are not always satisfied withtheir online behaviors. The investigation of desires for behaviorchange in SNSs both provide insight into users’ perceptions ofhow SNSs impact their lives (positively or negatively) and caninform tools for helping users achieve desired behaviorchanges. We use a 604-participant online survey to explore SNSusers’ behavior-change goals for Facebook, Instagram, andTwitter. While some participants want to reduce site use, otherswant to improve their use or increase a range of behaviors.These desired changes differ by SNS, and, for Twitter, byparticipants’ levels of site use. Participants also expect a rangeof benefits from these goals, including more free time, contactwith others, intrinsic benefits, better security/privacy, andimproved self presentation. We provide insights both into howparticipants perceive different SNSs, as well as potential designsfor behavior-change mechanisms to target SNS behaviors.7

The Saucer Summer 2015DissertationsMitigating the Risks of Smartphone Data Sharing:Identifying Opportunities and Evaluating NoticePhD Thesis , Engineering & Public PolicyRebecca Balebako, August 2014Privacy Notice and Choice in PracticePhD Thesis , Engineering & Public PolicyPedro Leon, August 2014Creating Usable Policies for Stronger Passwords withMTurkPhD Thesis , Computation, Organizations & SocietyRich Shay, December 2015Modeling the Adversary to Evaluate Password Strengthwith Limited SamplesPhD Thesis , Computation, Organizations & SocietySaranga Komanduri, May 2015ProposalsSupporting Security and Privacy Decisions with DataPhD Thesis Proposal, Computation, Organizations & SocietyBlase Ur, July 2015CUPS students Saranga Komanduri, Blase Ur, Billy Melicher, Rich Shay, and SeanSegretti enjoying ice cream.Everyday Online SharingPhD Thesis Proposal, Computation, Organizations & SocietyManya Sleeper, July 2015Blase Ur and ManyaSleeper spent a lot oftime at the librarywhile working ontheir thesisproposals.Tiffany Todd breathed a sigh of relief at the end of the SOUPS 2014 reception.Tiffany keeps everything running smoothly at CUPS and SOUPS.Lorrie Cranor’sTEDxCMU talk wasfeaturedin-flightentertainment onDelta this pastwinter.CUPS summer interns Rupal Nahar, Daricia Wilkinson, and Adam Buchinskydiscuss their research.8