Friday, October 16, 2015

GHC15: Friday Afternoon Plenary

Isis Anchalee from One Login was featured in SF Bay Area BART stations as an engineer at One Login. She never thought that allowing her photo to appear in a train station would spark a dialogue on whether or not she was an actual engineer.

She then started the "I Look Like An Engineer" campaign which started many other things like "I look like a Scientist".

One of her co-workers referred to her in the thrid person as the "cute girl that I work with"- when she  brought it up to him that she did not feel respected when he talked about her like that. He said she was oversensitive, it was a complement. Such a great disconnect!

If we don't feel accepted at work, it eats away at our soul.  There's a lot of companies out there that value diversity and will pay you for it. If you're not valued, move on.

It's important to remember that "diversity " doesn't just mean adding women. Its a multifaceted issue. It's complicated, so we need to try different things and share results and help each other improve.

Miral Kotb, Founder of iLuminate.

Miral's talk started with a possibly cool dance display from iLuminate, alas for unknown reason the A/V people turned the volume up the max so much it made it feel like my ears were about to explode, so I could only focus on blocking the sound as much as possible. The house lights had been turned off (and remained off), so it wasn't safe to try to climb over people to leave.

Miral has always loved dancing, ever since she can remember - she was dancing! Her father was also a folk dancer.  She was always curious about math and science, so her parents enrolled her in BASIC programming at the age of 9.

She worked at Bloomberg and she would get frustrated with her male colleagues as they liked to sit around and talk about what they know... she wanted to DO!

But she wanted to get back into dance, but not just dancing... she was also obsessed with this new wireless stuff.  Her dancers are covered with computers - there is a central computer that times things to a millisecond.  They use C, C++, Java, Javascript, Perl, Python.

What we do in software development is ART!  It's not just what you see, it's what you don't see.

And ... another dance. I love dance, but love my ears more :(

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Denice Denton Emerging Leader and A. Richard Newton Educator ABIE

Lydia Tapia of University of New Mexico

Dr. Tapia's team studies motions. Things like swing control of load on an autonomous flight vehicle.
That is - she gets to play with robots!  But, why does she do it? To see her students go on and get funding and have fun careers in robotics.

She lives in New Mexico - a minority majority state where 30% of the children live in poverty. 65% are eligible for Medicaid.  She's working hard to encourage undergraduates to become graduate students.

Dr. Tapia is careful not to single out any of her students in a public way for being a minority - she highlights their accomplishments.

She's discovered that graduate students like to have power and be in control of their own thing - so she trains them as mentors for undergraduates, giving them responsibility.

With her undergraduates, she has to be very clear about expectations, assign a daily mentor and get them working in small teams with measurable small projects.

She's doing research on allergy anti-body binding behaviour. Apparently 1500 people die every year due to an allergic reaction.  (wow!)

Cool pictures of molecules!  Problem was that their models did not match the pictures of real ones.  Looked at just the antibodies and were able to get graphs that matched real life - but needed a computer to be able to sort.  So, bring in undergraduate researcher!

Got great results and gave them to the medical department to help with their research.

She also works with high school researchers.  Side note: did you know you can be allergic to cockroaches?

Not enough? She organized  a workshop!   Additionally, she takes demos to to K-12 schools... well, not middle school. They get bored (or at least pretend to be). Elementary and high school students love them. :-)

She had to put a limit on the demos to  one a month as it was putting  a drain on her research staff.

Doing all this, she has to remember to balance her outreach with making sure she keeps her career on track. If she doesn't get tenure, she can't keep inspiring students to pursue robotics, modeling  and science!

Lecia Barker, of University of Texas at Austin

Presenting on behalf of Joanne McGrath Cohoon, professor, University of Virginia Senior Research Scientist, NCWIT.  Dr. Cohoon is battling cancer and could not be here to accept her award or talk about her work in person.

When Joanne was thinking about dropping out of her PhD program, her parents really inspired and supported her to stay in.  Her husband, Jim, always supported her having a career when wives were expected to stay home and take care of the house.

Many people along the way continued to support her and encourage  her to stay in the PhD program.

In her research, in schools where she found that people deliberately encouraged students to improve gender diversity - it worked!  More women were retained in these areas.

Joanne doesn't target women and girls in her outreach, but more the influencers and those who can make the positive changes.  We need to change the system to sustain the change. This sometimes means changing how we teach.

One teach in one year introduced pair programming and many other gender diversity encouraging programs. Big improvement in his department seen very quickly.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Keynote: Robotics as a Part of Society

Manuela Veloso, Herbert A. Simon University Professor, Computer Science Department, Carnegie Mellon University.

Robots use sensors and reasoning to have autonomy. They use radars, lasers and cameras to see, and wheels to get around.  There are Roombas, but in general robots that get around by themselves are rare.

Robots can learn a map of a building, or calculate it based off a PDF - and uses it's own motion model. Check out Depth-Camera Based Indoor Robot Localization , Joydeep Biswas, PhD 2014 for more details.

Kinect can be used to play games, but can be used by robotics. It can perceive color and distance. We sample the point cloud, compute the normal of three points to define a plane. Do this many time to do the plane filters. Why do we care? Because walls are planar, floors are planar. We got to see a cool video of the robot processing data (from it's perspective).

CoBot Learning Data, Richard Wang, PhD 2016 about how to use a robot to gather accurate data about wifi, temperature, etc from Robot Localization.

As smart as these robots are, they still cnnot really go up stairs, open all doors, etc. Some do not have arms - so they cannot put elevator buttons.   Now they have to ask for help! Symbiotic Autonomy!  They can ask for help from humans, the Internet, or other robots.

CaBot at CMU needs to ask a human to push the elevator call button, tell it when the elevator has arrived and which one it is (and then push the button for it's destination floor).

But, what if nobody helps? CaBot will send email to remote humans - "I have been blocked by an obstacle for more than 3 minutes. Can someone please come to office 7409 on floor GHC7 to rescue me?"

Only happens a few times a year, most people will move out of the way for the robot or help it out.

Human-Centered Planning, Stephanie Rosenthal, PhD 2012 - could human planning be part of the robot's planning? That is, choosing routes with more helpful humans, though not necessarily the shortest  Dr. Veloso no longer gives people directions to her office - she sends CoBot to meet and guide them.

The robot has to look up references to objects it may not have been trained on - like where to find coffee or chocolate, or what a binder is?  Can look up on the internet to calculate the most likely place to find a particular object.  Watched a fun video of the robot seeking coffee to take to the lab, which of course, as it has no arms, required human assistance. It will learn from that information and now in the future it will know where to find coffee.

At CMU, they had 4 robots... but one professor moved to UMass, so now UMass has one CoBot and CMU has 3. :-)

Videos of robot soccer! These robots are not remote controlled, nor playing a programmed game - they are dependent on teamwork to complete the task.

The CoBot robots talk to each other, to help them plan and replan based on closed doors and obstacles. They are sharing information!

Brian Coltin, PhD 2014 did research for multi-robot transportation task planning with transfers.  His research also tracked taxi trips - if taxis were autonomous and could transfer their passengers to one cab at common crossing points so only one taxi went to the airport, lots of time and fuel could be saved.

CMU has another robot, Baxter, who has arms, but cannot move around.  CoBot can move, but has no arms - but does have a basket. So, the two robots can work together :-)

I've already seen robots at work in the Mountain View, CA, El Camino hospital, delivering medications and moving around paperwork, linens and trash. :-)

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

Thursday, October 15, 2015

GHC15: Thursday Plenary

Sheryl Sandberg, COO at Facebook

Nora Denzel, Ericsson board member, Retired SVP, Big Data, Intuit and Vice Chair, Anita Borg Institute for a fireside and Q&A

Sheryl was asked to keynote GHC for years, but refused, as she was not a technical woman. But than she realized her friend Alan Eusted had keynoted... and he wasn't even a woman. So, she was at least a woman. :-)

Since Sheryl last spoke in 2011, but the numbers haven't moved. Sheryl said it's hard to imagine when looking at a room full of 12,000 women, but tree. These jobs are well paid, available all over the world and have flexible work schedules. Let's keep working on this.

With all jobs, we make 77 cents to a man's dollar, but in CS it's 88 cents to a dollar... so, not as bad.  It's improving, but very slow.  Some people call this a myth. 

It's actually 78 cents, and if you equalize for hours worked, it's 81 cents.  And women tend to have to do more work around the home (note: I'm so lucky for that not to be the case in my marriage!).

Even with the most detailed analysis, the best figure you can come up with is women making 91 cents of the dollar of men's earnings.  Not equal.

There's a right way to negotiate and a successful way to negotiate, and she knows we can do it.  Norah asks - how do you do it well?  Sheryl noted that women have a confidence vs likeability problem.  Our brains stereo type to process data quickly - which means we like people that adhere to their stereo types.  All over the world, people believe men should lead and be technical, women should be supportive. When men excel, they are well liked - but if women do... not so much.

Until we get equal parity - you need to make it a communal ask.  Tie your pay to others. I need this because it's fair, I need this because it's for all women.  Find more advice on

Sheryl considers herself a feminist - did a show of hands, only 1/2 the women here think they are feminist. If you survey women in the US and ask them if they are feminists - 35% say they are a feminist. If you add a definition that feminism is about equal pay and equal rights - it goes to over 70!

Understanding issues that women face, they will be successful in their career and their lives.

If you have an equal marriage - you will have a happier marriage, more sex and happier children.  The case for including men is not because it's good for women, because it's good for men.

If your husband does laundry, you'll have a great marriage.  If you want to make your wife happy, don't buy her flowers - do the laundry! FTD would rather the message be: do laundry AND buy flowers.  :-)

Sheryl noted that homosexual couples have more natural equity and find this balance more easily.

Note from Norah: She ran into a man she knew in the park with his kids. She talked to him and asked how he was doing. He noted he was "babysitting" while his wife was at the dentist. It should not be babysitting if they are your own children! But that showed Norah a lot about how this man thought about the work his wife did...don't be that guy.

LeanIn circles are having great success! One recent example of a 5 woman circle all pushed each other to apply for their dream internship, did practice interviews with each other and helped each other. Each one got their top choice jobs!

To fix bias, we need to understand our biases.  This starts at a young age - mother's over estimate their infant son's performance at crawling, and underestimate their daughters.

We don't call little boys bossy, because they are expected to lead. But, we call litle girls bossy.  "That little girl's not bossy, she's got executive leadership skills". Uproarious laughter. Flip the sentence to little boy - no laughs.  She was hitting our own internal biases.

In 2012, when women made up 20% of the senate - the papers called it a "takeover". It's not a takeover, it's a gap!

The mommy penalty is real. Now that you're a mother, we really want you to think about your kids... and if you're thinking about kids, you're not thinking about work. And... if you're working hard, you must not be thinking about your kid, and then you are not nice.

After Sheryl's husband died 6 months ago, one of her friends asked her to write down 3 things she did well she did that day. Some days were harder than others - "made tea", but she's done it. Not things she is grateful for, not things others did - things she did well. She said it has made such a positive impact on her life and helped her in this tragic time and she encourages us to all do it.

As a teen Sheryl was not proud of being smart. In the 9th grade, she went to a math competition and was the only girl. She mentioned it to her teacher, and his reply was 'you're right, girls don't do that" ... and that was her last time going to a math contest. 

Question: Why is it so hard to get into Facebook?  We're a small company - big presence, but only 11,000 employees. They do look at every resume and they do expect everyone to be technical. Sheryl thinks she'd be better at her job if she knew how to code.

This post is by Valerie Fenwick and syndicated from Security, Beer, Theater and Biking!    

GHC15: Defenses Presentations

Unwanted Software: Google's Efforts to Protect Users from Malicious Intent

Elisabeth Morant, Product Manager at Google

Biggest problem they are seeing are ad injections.
They issue 5 M safe browsing warnings a day – do not ignore!!!

Have launched the Chrome Cleanup software .  They’ve halved the hijacked chrome users since launching the tool.

They analyze EVERY binary on the Internet to find unsafe binaries and malware. Misled users to "Chrome Support" and gave you a number to call to "help". Found a nasty executable that took advantage of a bug in the Chrome webstore and persist on user's machines.  They've been able to fix a few bugs - but people are still downloading.  Technical solutions are not enough. Google alone is not enough. They need to collaborate with others in the industry.

(Near) Real Time Attack Monitoring on System Landscapes

Kathrin Nos, Development Architect of SAP SE

Kathrin has a cat (Shroedinger, of course!).  She has an electronic cat flap that leverages the RFID chip embedded in the cat, so other cats cannot come in.  Now, it doesn't stop him from bringing in creatures like mice...

This is like a system landscape. You can put up a firewall, which lets some people in.  People can try to brute force this. You can train your engineers to have good passwords (or check that they are good), but what if they have downloaded malware?

It's not just about money, but the thieves want personal information, blue prints, contracts, etc.

We have to monitor attacks, because even well meaning users can introduce attack vectors.

We're looking for outliers - aberrant behaviour.   This requires statistics - hope you paid attention in college! :-)

Think of it like a metal detector. Define a path of filters and restrict data flow. It will help you to define a pattern - if you see X number of failed login requests from the same source, you might want to lock the account.  Now, that's probably not a low number - people forget their password, network latency issues, etc.  This should also get reset based on time passing between requests.

You can define an additional pattern to detect successful login events.  Here, the threshold is low. One attack is too many!

Hunting APT 28 in Your Fleet with Open Source Tools

Elizabeth Schweinsberg, Google

Elizabeth does incident report work at Google. There are multiple approaches for doing this.  You go on a hunt to find data, triage what is important, and dig in.

SpicyBorscht :-) APt28 aka Fancybear, etc

Some of these exploits are now working together - Sofacy is Coreshell and EvilToss which work with Chopstick.  Look for MD5 hashes of these binaries, registry keys, window event logs, anti-virus logs, browser history.

Google has made their own tools, like Grr. They need software that can run quickly and on large amount of data.

Timesketch uses output from plaso to give you color coded events from each machine as the attack.

They also have a tool that can dig through memory to see where the interesting stuff is happening. Can collect RAM data via GRR. Rekall will do memory forensics. Output is easy to read and share.

Intel® Device Protection Technology with Boot Guard

Shrestha Sinha, Technologist of Intel Corporation

There are so many avenues of attacks. Some are known and controlled, some we're aware of and dealing with - and others... we haven't learned about, yet.  Boot Guard's goal is to prevent these attacks from getting into the server.

Keep malware off, keep data where it belongs, maintain identity consistently and have a way to recover.

Funny analogy about the Leaning Tower of Pisa - we celebrate it because it has a defect - a bad foundation. Would we take our pictures next to a crashed system?

The primary question - is the code that we're running early in boot the right code? Example: Mebromi Attack - it reflashed the bios.  Could bypass secure boot and own the entire platform.  This is where Intel's BootGuard comes into play.  Boot Guard is an important building block in the chain of trust.

Imagine a scenario of an Evil Hotel Maid.  You leave your laptop in your hotel room, and she installs a USB drive and read the keys from the TMP and decrypt your harddrive.  BootGuard protects against that scenario.

Make sure we validate all firmware from first execution. We have extended the root of trust down to the hardware.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Attacks Presentations

Web Security: Thinking Like An Attacker

Sarah Chmielewski, Associate Technical Staff of MIT Lincoln Laboratory

Software development focuses on the end user - performance, functionality and usability.  Lots of attacks happening against web based applications, so we need to stay one step ahead and "think like a hacker" :-)

Injection attacks top the most common attack, along with broken authentication management schemes.

Look at Heartbleed - attacked the transport layer. We've all heard about it, it unfortunately would leak in memory data.  You can play with this yourself - but set up your own server, please don't attack the still vulnerable servers out there :-)  (and also don't expose your server to the Internet... :-)

Think about how you could've discovered this on your own. A traditional attack method are buffer overflows, and there are static analyzers that can catch those.  Heartbleed was a buffer overread, though - no static analysis tools that can find this.

Look at your own code for memory accesses - like memcpy.

Another common attack: Cross-Site Request forgery (XSRF). SXRF exploits the way that a client's browser handles sessions. Check out Google Gruyere - a sandbox to practice with XSRF.  They can do things like withdraw money, delete things, all sorts of "fun" things!  Look for forms that do not have unique token only sent with the form.

 Software developers mostly think of how to build things up - not tear them down. So play around in safe places  with these vulns to expand your way of thinking.  Also check out Damn Vulnerable Web Applications (dfwa) and also check out OWASP.

there are also websites out there with old capture the flag games on them.

Test Driven Security

Rosalie Tolentino, Developer consultant of ThoughtWorks, Inc

You should not trust incoming data. Think about whitelisting, too.

Simple version: if you're creating zip codes in the US - it should not allow alphabetic characters.

A great way to prevent CSRF vulns - do more input validation.

Output encoding mentality - separate user data from execution data. Look out for SQL injection attacks.

Use only the least available privilege. Guests should not be able to see invoices, for example, only approved accountants.

Build these into your code, so they run right away.  This makes developers more aware.

Just because your developers are adding assertions doesn't mean you can get rid of QE, security experts or business ownership of security.  It also requires that you have test driven development knowledge and security awareness in all of your developers.

Ransomware: An Exploration into the Damaging Threats

Marianne Mallen, Antivirus Researcher of Microsoft Corporation.

Ransomware typically wants money before it will unlock your machine, but sometimes they want information.

Screenlocker - MS has worked with the FBI to kill this one off . It works just like you think, it locks your computer screen. It will claim that the Department of Justice will come after you unless you give them money.

Another encrypts your files and holds them encrypted... until you pay.

Browser locker will prevent you from going to other pages, they will claim you have to pay a fine or go to jail.  It's a false claim, though - restarting your browser will take care of it.

Common distribution methods are from attachments in email, or drive-by download by browser exploit kits or software downloaded by other malware.

They will attract you with fake mails from FedEx or other business services - watch out!

Starting in 2010, there started to be exploit kits available for sale. Script kiddies would buy them and exploit many systems. They could make up to $54,000 a day for "unlocking" a user's screen.

Many of these will use a command and control server, which use encrypted communication. These attacks are being done so anonymously now that it is hard to shut them down.

If you get hit with Ransomware - don't hit the panic button, yet.

Be aware - do not just open attachments or click on suspicious links. Hover your mouse over a link to make sure it's going to take you to the place that's displayed in the email.  Keep your anti-virus and patches up to date. Keep backups!

If your browser is locked - restart. Download Windows Defender Offline. Please don't pay the ransom! Reach out to experts for help.

 Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Identity and Privacy Presentations

Identity & Access Management: Who is Touching What?

Laura Chapba, VP of Bank of America

Laura found herself with a 1.8 GPA and realized she should not be in pre-med. Major change to tech! Graduated with a 3.1 after LOTS of hardwork and then started her career.  There are two paths you can choose for a career: deep focus and become a subject matter expert, or have fun exploring many careers and move around a lot - like she did. :-)

Laura is using applying for a credit card to demonstrate Identity and access management.  We're pretty good at the provisioning part - verifying identity to issue the card.  There are more problems with deprovisioning - when are you not longer using this card?  Users are not good at identifying this, but credit card companies now automate this. Haven't used it recently enough? They will automatically close your account and give the credit line to someone else.

Now - authentication and authorization is really hard.

How do you authenticate that the person is allowed to use the card?  You could ask for driver's license (NOTE: Thought this was not allowed by merchant agreement?).  Then verify folks have the credit limit is a little trickier.

Case example: Amy moves to NYC and gets a new app, NYC101, which asks to have access to her Facebook account. She authorizes it, and has fun exploring NYC.  Then the NYC101 database was hacked... then hackers knew her mother's maiden name, birthdate and home town. That's enough to get credit cards in her name!  Now... she's a victim of identity theft. :(

So - be careful about sharing this information online!

Why are they looking for women in this space? Looking for people that want to work together on diverse teams. Need people that are willing to collect all the facts before jumping to conclusions and willing to work with sensitive situations.

Identity Toolkit

Hadas Shahar, Technical Program Manager of Google

Identity is a building block of every website you want to build. Most websites allow you to use an ID and password, or use another system to authenticate - like Facebook, Twitter, and G+. Usually you are given several choices and most of us cannot remember what they used.

The login screen is the first impression people have of your website - and usually the most complicated and confusing.

OpenID is making some progress - but we are not there, yet.

One id: take someone's email address first, THEN determine what they used to set up their account on your site in the past and redirect them to that page.  That is, if you previously signed in with username and password - it will take you there.  likewise, if you used google to authenticate, it takes you there.

But  why do we have to type our email address everytime? The browser now remembers your commonly used email addresses (because who has only one?)

This is also hard from a developer perspective - you have to wok with all of the different APIs/systems.

Google Identity tool kit is hoping to lower the barrier to entry, making it much easier for developers to get this right.

Ethical Market Models in the Personal Data Ecosystem

Kaliya Hamlin of IIW
Kalliya has worked on ta report: Personal Data: The Emergence of a New Asset Class. What type of data are they talking about? Relationship, government record, health, communications, education, context data (where are you , who are you with, what are you doing?)... and identity data.

Currently there are a lot of unethical data practices out there.

Data sources: Public, retail, schools, websites... passed on to data brokers who aggregate data about you and resell it.  Then it comes back and effects your life and you never consented.

The individual should be at the center of their own data lives.

We need a personal cloud (data bank, data store). You should be able to put your geolocation data somewhere and have it be YOUR data under your control.  You could even understand yourself better with this data.

Vendor Relationship Management: Rewiring how we interact with businesses today. what if businesses had to come to us to get our information?

We need persistent data store that we can share with trusted vendors.

"Infomediary Services" - an agent that will go on the web and find deals for you. It's great, if you trust these services with our info, as opposed to the entire market having this information and making actions.  Like right now, you can go searching for mortgages or about a life event, but perhaps change our mind or complete purchase decision - but the offers don't stop. There is no way to signal "I'm done" - and now way to remain private.

There is a long standing business model of data aggregation services - like Nielsen and Arbitron. People trust those aggregate services, because they are not sharing my name. They've aggregated the data. Businesses get information without all of those business knowing who I am and everything about me. They don't need that.

We are making this real with a worldwide consortium: pcc.

There is an Identy Workshop in Mountain View CA October 27-29, 2015 and again in April.

Life of PI - Protecting Your Personally Identifiable Information

Alisha Kloc, Security Engineer of Google

What happens with your personal data? We're in an information age, data is everywhere.

In the past, you only needed to protect your credit cards and passwords.  Now, there's so much more - photos, etc.

How is our data kept private? Well... no industry wide standards for user data privacy. This is getting better in the EU, but not so much in the US.

This should be figured out early in the development lifecycle - during design. And they should be reviewed by privacy experts. Products should only ask for the data required to make them work, and keep that data safe.  At Google, they also have privacy code reviewers, to make sure they are properly integrated with privacy protection tools.

we need to make sure we receive that data securely - encryption, encryption, encryption! you have control over your Google data - control is key! [Note: I did not know this - will have to figure out how to do configure this.]

Data must also be encrypted while stored, with restricted access.

You should be able to access your data freely, but others should not.

Google has tightly restricted access to user's data. All requests are audited and reviewed by a team before the data access is given.

All granted access is audited - they will know everything the Google employee looked and and did anything with.

Google does not give you personal info to third parties, unless you tell them to, you have a domain admin, or they are using a trusted partner to process information or the law requires them.

Data is not deleted right away - as often users accidentally delete things. Data becomes deactivated and after a period of time will really be deleted.

Be smart - is a 10% of discount worth giving away your name, email, zip and phone?

talk about this - advocate for change. Let companies know this is important to you as a users. Choose products and services from places that actively protect data.  If you're a developer, work with others and share ideas and try your best to do this right.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Thursday Keynote

Hadi Partovi, CEO and Cofounder at

Hadi immigrated here after the Islamic Revolution in Iran. He learned to code on a Commodore 64, a gift from his dad.  But now he's looking at kids in high school in the US that do not have access to computers to program.  Computer Science should be taught in high school. Education is starting to increase, after 10 years of decline.

Nine out of ten parents want their children to study CS, but only 1 out 4 schools even teaches CS. They are finding that if girls are not exposed to CS in high school, they won't even consider it as a degree.

It makes no sense these days that schools are not teaching children the basics of how an algorithm works or how the Internet works.

In the last 2 years, they've had 300 organiations join to help solve this problem Over 70 school districts have embraced CS including NYC, LA, Chicago, Miami, Las Vegas, Houston and SF.

85% of the 15,000 newly trained CS teachers are female.

How do you break a stereo type without changing the facts on the ground.  We try to break it down in he classrooms where it's already a 50/50 split - so that they never see it as male or female.

We got to watch a cool video on the Hour of Code - it's fun watching kids get so excited about coding! In the last hour of code, the participants were 48% female.

In that hour, students learn the basics with drag and drop programming and teachers learn that they can teach other subjects by leveraging programming.

Please help! They have over 10,000 teachers looking for help to run their hour of code. Go to for more information.

Susan Wojcicki, CEO of YouTube

Susan was Google's first landlord, and their 16th employee.

There are 10000 Googlers and Youtubers at this event! Wow - 1/12th of the attendees!!!

At 10 years old, Susan's daughter announced that she hated computers. What??!?  Her daughter had been coming around Google since she was a baby!  Why?  They had one computer in their house, and, in her daughter's words, her son had "conquered the computer".  She thought liking computers is lame.  Computers are antisocial and insular.

Susan was visibly upset by this, since she fights so hard to get more women involved in computer science.

Computers are everywhere - IBM's Watson is diagnosing cancer more accurately than oncologists, farmers are using satellite and weather models to plan crops.

Yet, only 26% of technologies are women. It's a pipeline and retention problem.

Female participation of women in CS was higher in the US.  Other sciences are seeing more women. The decline of women in science is specific to CS.

Maria Klawe says about women in tech: 1) they think it's boring 2) they think they wouldn't be any good at it 3) they wouldn't want to be caught dead with the people that think it's cool

Susan checked with her daughter, who agreed with those misconceptions.  What is driving this? how do we fix it?

Computer Science is boring? Obvious that is not true! How would anyone know if they haven't tried it?  It can indeed be boring to *watch* people do computer science, but that's different than doing it.

The perception that women wouldn't be good at it? That makes Susan mad. Of course they would be! Some of the greatest programmers were women!  Most women haven't even tried it, so it becomes easy to internalize these misconceptions.

Susan learned  from her years in tech: Men have no special skills that enable them to run technology companies!

When she goes to computer camps to pick up her kids - she sees the same things she sees in her office. In groups of 7 year olds, there are hardly any girls. If we don't fix this now, it will not get better. We need to make computer science mandatory in school.

School budgets are tight, but it's required to be successful in the future. If we don't make it a priority, we will make gender and ethnic inequality worse and risk our nation's future competitiveness.

We mandate math, biology, chemistry and physics.  Those are great - but we need more.

Other countries already mandate computer science.

And that last misconception - about not wanting to be caught dead with a computer geek?  We need those girls to come to GHC and meet these exciting women technologists.

People love to blame the media on persisting stereo types, but Susan can't just point her finger at "the media" - as she's running a media company!

How can Youtube improve this situation?

We got to see a teaser for a new film called "Code Girl" - neat!

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

Wednesday, October 14, 2015

GHC15: Transforming the Culture of Tech

 Fran Berman notes that this is a really hard thing to do - transform a culture. Things are moving so fast - easy for things like diversity to become sidelined.

Clara Shih, CEO and Founder at Hearsay Social

Attended her first GHC 10 years ago in Chicago, with just 800 attendees and wasn't sure what to do - grad school or business?  She was super inspired. She has since worked at microsoft, written an app that went viral, had a New York Times featured best selling book - then started her own company!

She's learned a lot of lessons in 10 years. She immigrated here as a kindergartener - she could not speak English, so...  she was a really good listener.  This is important to listen to your customers and your direct reports. A 360 review is hard, but so valuable - you must listen to the feedback, though.

It's important to accept yourself as you are - it's okay to be different.  A colleague at MS asked her why she was trying to be one of the guys?  He noted he respected her for her technical prowess and vision. She's felt more accepted by being authentic.

Relationships are so valuable. Mentors, sponsors, friends.  Remember, mentorship is a two way street - it's important to give back. And it's not just women, make and keep relationships.

As an example: at her first tech entrepreneur event, 7 men came up and asked her administrative questions: where is the bathroom? Where do I get water? Where are badges?

Instead of reacting as her 20 something self (crying to her mother), or her 30 something self (tell them to stop being so sexist) - she reacted simply with wonderment: "I'm also looking for the bathroom, I also need water, I also need my badge".

Later that day, during introductions, when those men all realized their mistake and that she had raised as much money as they had for her start up - they were embarrasssed. They came to her and apologized and they ended up building lasting relationships. They are still making it up to her. :-)

She realized she was probably the first woman at this conference. They made an honest mistake. they probably will not again. Because she avoided confrontation, they now have a relationship.

The most important lesson: the future is on us.

Every time we take the time to lift up another woman - we are lifting all of us up.

At Hearsay they mentor non technical women into engineering positions.  If we all could just mentor one woman this year, what sort of impact could we make?

Blake Irving , CEO of GoDaddy

Addressing the big question: what is he doing here after the disaster of the male allies panel last year?  He's here to address our tweets.

Everyone knew that GoDaddy was a terrible company, bashed on their ads.  The sad thing was - those ads brought in a tremendous amount of revenue. That's why they did not stop until he took over.

People assumed that no women worked there - but, not true. Their numbers were about the same as other tech companies.

Before he took the position, he visited headquarters and found it was full of amazing people - not reflecting their corporate culture.  He wants their brand to match the values of their employees and the customers they serve.

There is empirical evidence that tech built by diverse teams is just better - and he likes better!

If you see a problem and do nothing to fix it, then you really didn't think it was a problem in the first place.

This means hiring senior women engineers, putting them on your board.  Empower your staff so they can do what is right and know it will be rewarded.

Inspire and speak out.

It's our job as leaders to shine a light on this industry.  Bad things die in the light.

Then he showed us the improvements in recruitment and retention they have made since last year, since they began publishing numbers.

Then ... he showed us how women's salaries stacked up against men's! First I've seen!

Overall, at GoDaddy, women make .75% more than men... except in management roles, women make nearly 4% less. They are finding that the women they are hiring are inheriting low salaries from their previous company (NOTE: I've heard you should never say what your current salary is while job hunting for this reason).

They also saw that the percentage of women in engineering roles diminishes as the role becomes more senior.  They are looking into why this is.

No advice this year for women in tech - but he does have advice for tech CEOs. Shine a light on your issues, publish your data, and fix the issues.

Megan Smith, United States Chief Technical Officer

As tech evangelists, we need to go where we are underrepresented.

Since she last visited us - she has dug up Grace Hopper's archive and found lots of neat stuff, including Admiral Hopper's original nanosecond.

The CTO Office has to work on things like patent reform, encryption regulations, and "innovation nation".

Tech jobs pay 50% more than average jobs in US - so we want to get more people into them.

Kathy Pham, US Digital Services - is now working for the US Gov to help veterans. Doing things like working on their digital record systems. VAs treat 8 million veterans.  Use open health care software! And giving back!

Mina Hsiang - democratizing healthcare digitally. 16 million people now have access to healthcare since ACA went into effect. 70% of the people say they could use more information - let's get it to them!
The ACA is helping people, like Diane, who had to drop out of school even though she had a 4.0, because she could not afford college and health care.

Next speaker: how can we make applying for immigration less painful? Right now process is almost entirely paper - visas, bringing loved ones from other countries, marriages, etc.  Have to radically rethink and redesign. The online forms that exist online were impossible to understand and navigate. She has been working on simplifying it  Found a form on the train from someone trying to work out how to bring their family here - so many forms listed, and large costs - and obvious concerns about meeting the poverty income.

Sarah Allen - Open Data by the People for the People. Never thought she'd join the government - she thought that's where bad ideas went to die. :-)

They have built a college score card - includes an API, so others can use the data, too. it's based on how successful your degree with make you - it's the surest way to enter the middle class.

Cori Zarek - Open Gov for and with the People. She wants a transparent and open government. Transparency and  collaboration are critical. Check out Her office additionally created an analytics site so they can see what sites are getting used.

Join them at

Meg Smith needs more smart people - so consider doing a "tour" in a tech job for the government.

then ... a panel of all of the above speakers!

Meg: we need to move diversity up in importance!  Meetings for "important things get on the calendar - other things do not.

Blake: it has to come from leadership, but they need to be held accountable.  Hold your leaders accountable!

Fran: How do you keep diversity on the agenda?  What if you're not at the top?

Clara: The "runi rule" - must consider a diverse candidate for every position. When she was looking for CFO, she wanted to see two diverse candidates for each white male. It's work at first, but as many of your employees come from referrals, this will impact change.

Blake: We've been observing teams. Watching words - seeing how words turn into action. Need to give rewards and recognition for positive changes. You can bias simply by lack of thought. It's important to listen to people who have more experience than you.

Meg: we need to learn how to mitigate the bias.Talking to NIST: could there be standards about bias? This is holding us back in the US.

Fran: Culture change is sometimes perception or the environment we operate in. Looking at social media, it can be so toxic for women sometimes.

Meg: Referenced a book - "the Internet is not a thing, it's us." How did the web get weaponized?  talking about campus sexual assault - this is not just digital, it's physical. The web is often a reflector. We need to raise consciousness and develop empathy.

Clara: bullying online is getting out of control. It's a digital manifestation of an analog problem. we need to teach our kids why they should not do it. If it does happen to them, teach them how they should respond. They should not suffer alone.

Blake: I've seen the effect has on both of my sons. they both left Facebook.. but then came back. They didn't like how they were being treated, but missed the good things.  We need to have an empathetic view. To the attacker - it seems anonymous. The the victim, it's just as real as if it was happening in person.

Fran: how do we change the culture of our organizations and the culture of our society?

Meg: You're doing it here! Focusing now on history. Think about a family picture - if you had missed that event, you won't be in the picture. Everyone knows you had a conflict now... but what about future generations? You'll disappear from history.

Technical women - their history is missing. When they make movies about Apple, the women are left out. there's a classic photo of the Apple Pyramid - 7 men, 4 women - but the women are almost always left out of the movies.

"Women have always been annual par of the past. We just haven't been a part of history." - Gloria Steinem

"Declaration of Sentiments" - signed July 1848 at Seneca Falls. this is an important document about equal rights. We know it existed because Frederick Douglas brought a copy to the US where it was signed.  But the original is missing... help Meg #FindTheSentiments

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Cloud Security Presentations

Security in Cloud Based Integration Solutions

Sindhu Gangadharan, Vice President, SAP

How do you secure your data in the cloud?

Secure information, secure interaction and secure identity. How are control and access mechanisms used to protect these systems.

Also look at their physical security. There are world class data centers around the globe. Cloud integration service providers operate from a specific country – do their laws and contracts line up with your business needs?

Your idea of privacy may also vary from your service provider.

Make sure each customer gets their own tenant assigned. Message processing runtimes of different customers are located o different virtual machines, and have your own database schema.  How is data between tenants secured? Is it enforced?

Data at rest should be encrypted. Digital signatures should be deployed.  They should have some sort of tamper evident architectures, with well defined recovery plans.

There needs to be secure interaction. That means authentication and access control, encryption of data in transit, security key management and storage. Remote access should be secured with VPN, most likely using IPsec.  Don’t forget audit logging!

Journey to the Cloud

Katherine Krieger, Analyst, External Cloud Access Platform of Goldman Sachs

Why use the public cloud?

No need to buy expensive hardware, particularly for short term needs. You can deploy faster. You are also outsourcing risk management and flexibility.

Of course, though, you have to now worry about someone from the public cloud becoming an insider threat.  You need to cover legal and regulatory risk.

To cover all bases for all projects, Goldman Sachs has found themselves using several public cloud providers.

In the process of moving to the cloud, found they had to make modifications to their internal applications.  This was frustrated by the fact that there are little to no standardization of public cloud providers. Keep in mind, when we're talking about financial services, speed and performance and working every time is critical.

GS requires encryption for data at rest and data in motion, and also want to be in control of all of their keys.

GS had to ensure there were low latency guarantees and buy HSMs so they could keep all of their keys, and the cloud provider would not have any access to it.

They have a continuous validation environment - something like a security monkey architecture. watchers, changes, instance validation and checking for anomalies.

Cloud Security from the Inside

Brian Chess, Senior Vice President of Infrastructure and Security of NetSuite, Inc.

How exactly did Brian Chess end up at this cloud provider? He was originally involved in integrated circuit design, but was more interested in software. He liked the rigorous quality process that hardware was using, but discovered software people didn't care. So - he started Fortify :-)

Then he found that the top reason people were not moving to the cloud was concern over security - so, he moved into the cloud!

Again, keep in mind that the cloud provider's priority are no the same as yours.

Security is really hard to measure. The difference between a secure system and a very insecure system can be whisker thin. This is a really hard problem. So much of this is about trust.

The largest risk here, like the financial industry, is from bad insiders. Insider problems.

Like banks, public cloud will need regulation - but we'll always have to worry about the insider threat.

An Overview of DDOS Impact on Cloud Performance

Yasmine Kandissounon, Software Security Engineer of Rackspace

We all have to worry about distributed denial of service attacks - they are on the rise, and new types of targets are being attacked.34% more attacks in the first half of 2015 vs 2014, and the average attack size is increasing as well!

The bad guys want to make the systems crash, plane and simple.  In the past, the attacker would use just one system to attack your system.  But, they got smarter.  They are taking control of systems and turning them into zombies, then they use these as botnets to do the attack. This increases their chances of doing the attack and  makes it harder to track the real bad guy.

But why? Often, politics.  For example, people were mad about a new law in Canada, so an attack was launched against them.

There are a few types of attacks. Protocol abuse, like ping-of-death, teardrop, smurf.  There are flooding attacks, where they overwhelm the system.  Application layer attacks - like encryption/decryption attacks, Http requests, DB queries. Finally, amplification attacks.

Now... bring in he cloud. Even with multi-tenant systems, if the cloud provider is attacked - all people using that service are impacted.

Protect yourself with
  • Hardening: updates, patches, firewalls and access control lists and intrusion prevention systems.
  • Packet filtering: deep packet inspection, blackholing and clean pipes
  • Traffic routing: CDN (Content Delivery Network)
 Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!