From Academia to Industry

Posted: October 6th, 2020 | Filed under: industry, personal, privacy, random, research, security

A personal 3 year retrospective

More than three years ago, I left academia and joined adidas Runtastic as an information security engineer. In this blog post, I discuss what made me move to industry and what I have learned so far.

After finishing my master's in Stockholm, I worked in academia for almost 10 years. This blog thus exclusively covered academia and research so far: e.g. my visit to CERN as a summer student. My personal drive for research came from the freedom to work on interesting (socio)technical issues and frequent traveling. These two motivational factors turned into burdens over time: frequent travel with family is a challenge, and then there is the constant pressure to publish or perish. After completing my PhD, I faced yet another challenge: the need to create a constant stream of research funding. In academia, I was used to hopping from grant to grant (and temporary employment contracts) from 2007 onwards.

The search for a stable family-friendly research environment eventually led me to the FH St. Pölten. The downside of being a lecturer was the high amount of teaching and the ongoing shift of teaching towards weekends and evenings (to better cater to working information security students). In addition to teaching, I was happy to work some extra hours on my Usable Privacy Project.

In 2017, I finally decided to leave academia for industry. Even though my blog paints a different story, I spent a considerable amount of time in industry before my time in academia (e.g. at uniforce, RHI Magnesita, unicredit Bank Austria). To this extent, I did not jump entirely into cold water after academia. The remainder of this blog post covers my personal transition from academia back to industry.

First off some misconceptions I observed in my transition phase:

Misconceptions in computer security academia vs. industry

academics: we lack skills (imposter syndrome)

In academia, I personally always had the constant fear that I lack (technical) skills and that somebody will find out soon. In the light of the ivory tower misconception, I thus (wrongly) assumed that I lack privacy and security skills for industry.

academics: it is easy to apply bleeding-edge knowledge in industry

On the other extreme of “the fear of missing skills”, I personally had the misconception that it is easy to apply current privacy & security best-practices in industry (e.g. all API endpoints with TLS 1.3 support, U2F based multi-factor authentication …). It turned out that it is tricky even to enable TLS at some endpoints at all, taking months of alignment meetings.

industry: “academia is super relaxed with little working hours”

When I interviewed for my job at Runtastic, I was told towards the end of the interview: “We just wanted to let you know that we expect some extra hours here at Runtastic; not like at the FH”. Once I asked how much they expected, I was puzzled: “10 hours” – “per week?” – “no 10 hours extra per month”.

I laughed hard about the 10 extra hours per month requirement.

While there might be lecturers and maybe even researchers who work few hours, I experienced the exact opposite. Especially as a postdoc, researchers work like crazy, so 60 hours per week are an absolute minimum. This took me some time (and visits) to realize, but academics work crazy hours. My working hours in my last three years in industry were considerably lower than for any academic on tenure track.

industry: academics live in ivory towers and solve Rubik's cubes

The other misconception from industry, I often witnessed, is the belief that all academics live in ivory towers (looking at you, sensor-net / semantic web bubble). At SBA research, I was lucky to contribute to some high-impact (pop-science) security exploits of real-world services (e.g. Dropbox, Facebook, WhatsApp). So while the ivory tower misconception might be true for some academics, the majority of academic (infosec) research is very much applicable to industry (beware of ‘bleeding edge’ and industry though).

Useful skills from academia for industry

After initial doubts I found the skills I required as a researcher were very helpful for privacy & security engineering in industry …

experience with open source software

Open Source Software thrives in the academic community and a considerable amount of systems in industry now also rely on OSS (Linux, PostgreSQL) instead of commercial vendor software (Windows Server, Oracle).

communication & project management skills

Over time you have to learn how to address your target audience at conference talks and students you teach: what is the background of my audience?, which basic knowledge do they have?, etc.
This skill comes in handy in industry for holding internal trainings (~= teaching) and presentations (~= conference talks).

Personal learning from the past 3 years

PhDs are a great base for industry

Part of the issue I wanted to discuss in this blog post is the potential fear of postdocs to lack skills for industry (cf. imposter syndrome). I therefore hope some of the skills discussed above encourage you to believe in the skills you acquired during a PhD in information security.

Every single time, it is about people not tech

The other big learning I had over the past three years in industry (and this happens every single time): decisions in industry are exclusively based on the people you are working with. I was first surprised that people in industry want to “foster a data-driven decision culture”. In academia you always had to show at least some data to make your case; in industry, decisions are often based solely on intuition or on vendors who lobby for their products.

Finally, there is another interesting perk in industry: you get to solve interesting real world challenges and do not have to solve your own research problems (“Im eigenen Saft schmoren”).

Security Research in 2016: Measurements and Usability

Posted: February 27th, 2017 | Filed under: privacy, research, security

My security research in 2016 focused on two broad categories: measurement-, and usability-studies. In this blog post, I briefly discuss the four most important papers we published in these domains in 2016.

Data-driven security and measurement studies

The Transport Layer Security (TLS) protocol is the building block of secure web communication. A number of important Internet applications rely on the TLS protocol for the protection of exchanged information. One of these important applications is E-Mail, which, despite the growing use of mobile messengers, remains very popular. In a joint project with Wilfried, Aaron, and Martin we analyzed how TLS is used in the global E-Mail ecosystem. Our measurements consist of over 10 billion TLS handshakes against 20 Million global email services. Our findings showed that weak Diffie-Hellman parameters are a serious threat for the security of the current E-Mail systems. We also showed that roughly one third of all analyzed E-Mail services supported the insecure plain-authentication method. Our paper got the award for best paper at ARES 2016. For the details on our research, read the paper and/or download our dataset.

number of email hosts that offer auth plain authentication (2016)

In 2016 we furthermore conducted a study on the effectiveness of state-of-the-art tracker-blocking tools. Online tracking is a widespread practice for web services in order to tailor online advertisement as well as to identify the online behavior of people. Tracker-blocking tools such as Ghostery or AdBlock Plus are currently the only available solution for people to protect against tracking and malicious advertisement, yet little is known about how effective these tools are. We performed the first large-scale measurement study on the effectiveness of tracker-blocking tools on websites as well as mobile apps. The research is part of our PriSAd research project (FH St. Pölten + nimbusec) and joint work with SBA Research (in particular Georg + Damjan), as well as Nick Nikiforakis from Stony Brook University. We will present our findings at the EuroS&P conference in Paris in April 2017. A preprint of our paper is available here.

Usability of Secure Mobile Applications

In addition to measurements on the usage of TLS in E-Mail services, we tackled the correct usage of TLS in mobile applications. Android enables application developers to customize how TLS certificates are verified. By default, Android applications trust valid certificates based on its own CA store. Developers can, however, completely disable certificate validation (which is very bad and renders the security of TLS useless), or in the best case pin certificates. Ultimately, users have to trust application developers to use TLS correctly. We outlined a method to improve the correct usage of TLS in Android applications for end users, despite potential implementation bugs introduced by app developers. The main idea we proposed consists in intercepting calls to the Android TrustManager and pinning TLS certificates on the fly. Damjan presented our method and proof-of-concept implementation at the IFIP Networking conference.
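
The validation choices described above all live in an app's `X509TrustManager`. The following is an added example, not code from the paper or its proof-of-concept: it shows app-side pinning on first use layered on top of the default CA-store check, and does not reproduce the interception of TrustManager calls. The class name, the one-instance-per-host usage and the pin-on-first-contact policy are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class (not from the paper): create one instance per server host.
final class PinOnFirstUseTrustManager implements X509TrustManager {
    private final X509TrustManager platform; // validation against the default CA store
    private byte[] pinnedKeyHash;            // null until the first valid handshake
    PinOnFirstUseTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's own CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager");
        platform = found;
    }
    @Override
    public synchronized void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Disabled validation is this method with an empty body.
        // Always run the normal chain check first; it throws on an untrusted chain.
        platform.checkServerTrusted(chain, authType);
        byte[] seen;
        try { // hash the leaf certificate's SubjectPublicKeyInfo
            seen = MessageDigest.getInstance("SHA-256")
                    .digest(chain[0].getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        if (pinnedKeyHash == null) {
            pinnedKeyHash = seen; // first contact: remember this key
        } else if (!MessageDigest.isEqual(pinnedKeyHash, seen)) {
            throw new CertificateException("server key does not match the pinned key");
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { platform.checkClientTrusted(chain, authType); }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

The pin here lives only in memory; a deployment would persist it and needs a plan for legitimate key rotation, since a renewed server key is rejected exactly like a substituted one.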

Finally, in 2016 we conducted a usability study on the state-of-the-art secure messenger: Signal. The Signal protocol provides both forward as well as future secrecy. Signal also works if message recipients are offline. In 2016 WhatsApp rolled out encrypted communication based on Signal and the cryptographic protocol is now used by more than a billion users worldwide. Signal makes the use of state-of-the-art cryptography easy; the whole protocol is, however, broken if an attacker manages to compromise the key-exchange servers of e.g. Signal or WhatsApp. We studied how users perform at countering targeted attacks with Signal’s fingerprint verification feature. We found that 75% of our study participants failed to correctly verify the identity of other Signal users. Read the paper for further details on our study and our suggested usability improvements for the Signal messenger.

example warning dialog from Signal once identity key changes

What else happened in 2015

Posted: November 25th, 2015 | Filed under: privacy, random, security

Time to post a short update on things that happened since I attended WWW in Florence 2015. In 2015, I devoted the majority of my research time to the development of the Usable Privacy Box (upribox). The upribox is a RaspberryPi-based WiFi router that automatically filters advertisement and optionally routes traffic through the Tor anonymity network. I presented the upribox at the CCC Camp in Berlin and ITSecX 2015.

nysos v3 – home theater PC

Posted: July 5th, 2015 | Filed under: personal, random

In June 2015, I replaced my old home theater PC with new hardware. This is the third time I upgraded my HTPC hardware, thus the name: nysos v3. I am now using an AMD Kabini APU, which resulted in quite some performance improvements for the full-encryption RAID5 storage of my setup. In May, I attended the WWW15 in Florence, and could also see the original painting that inspired my current online handle (dio)nysos.

Caravaggio at Uffizi Florence


Bye Bye Facebook

Posted: December 15th, 2014 | Filed under: personal, privacy

I will close my Facebook account for good on the 31st of December 2014. It is no secret that Facebook is bad for your personal information and ultimately leads to security problems (shameless promo of my own research e.g. 1,2,3). Originally I intended to close my account once I am done with my PhD. One year later it is finally time to say bye bye Facebook.

Some advice on saving your Facebook data before you close your account:

See you guys offline!

*SNOOB might stop working soon, once Facebook rolls out the Graph 2.0 API.