[liberationtech] Socio-technical security, amazing post doc and researcher opportunity at Data and Society

Yosem Companys ycompanys at gmail.com
Tue Nov 12 16:44:35 CET 2019


From: biella <biella at riseup.net>
To: <hackademia at lists.riseup.net>

Here's the full call:
https://datasociety.net/blog/2019/10/03/researcher-postdoctoral-scholar-socio-technical-security/

About the Socio-Technical Security Project
Social media, search engines, mobile phones, and other internet-based
services have reconfigured how people access information and communicate
with others around the globe. These technologies have also introduced new
social and cultural vulnerabilities, and modulated old ones. Conspiracy
theories and misinformation quickly proliferate across networks. Trust in
institutions, experts, and information intermediaries is declining for a
variety of reasons. And adversaries with economic, political, and
ideological incentives are helping manufacture ignorance.

The field of computer security matured under similar conditions, as
computers were first exposed to networking environments–drastically
increasing their attack surface. As computer hackers set out to demonstrate
this new insecurity, in both friendly and malicious ways, a complex field
of security research consisting of formal and informal researchers, public
and private institutions, contentious norms and standards, and a range of
market dynamics emerged to grapple with the new threats. Focusing primarily
on how attackers exploit technical vulnerabilities to gain or deny access
to systems, the bulk of this work continues to emphasize technical
controls. Nevertheless, a growing class of manipulators now use systems as
they are technically designed to function–even if they use them counter to
the spirit their designers intended or imagined could be possible; they
exploit features, rather than bugs, in pursuit of social and cultural
outcomes that often contravene the policies of platforms, frustrate the
efforts of moderation teams, and threaten the healthy functioning of
communities.

This initiative puts the socio-technical–the interplay between social and
technical systems–at the center of analysis, recognizing that the
information and communication landscape involves complex interactions
between social norms and technical systems. As such, the vulnerabilities in
the socio-technical system are rarely embodied simply in the technology or
society alone; there are both structural and cultural vulnerabilities that
need to be understood and “patched,” so to speak. The work that we do in
this initiative focuses primarily on addressing these vulnerabilities.

Examples of current work include:
- Data Voids – Search engines are especially vulnerable to manipulation
when there is limited data available for a particular search. Our work here
seeks to better understand these data voids, how they are exploited, and
how they can be patched.
- History of Security Research – Examining technical systems to identify
vulnerabilities was once the act of “hackers” who were often seen as
adversarial even when they were probing systems to help strengthen them.
Today, security research, penetration testing, and white hat hacking are
seen as legitimate and desired activities–economically incentivized in bug
bounty programs and lucrative jobs. This project explores what technical
and social changes made this possible.
- Bug Bounty Labor – This project seeks to understand who participates in
bug bounty programs and why. The goal is to understand bug bounty work and
how these programs could provide models for efforts to produce more secure
socio-technical systems.
- Socio-technical Threat Modeling – In this work, we’re looking to help
stakeholders who are trying to secure socio-technical systems (i.e.,
communities) model the technical, communications, and data pollution
threats in order to more effectively respond to emergent threats in
real-time.
- Refractive Attacks – In order to manipulate Google, it’s often easier for
an attacker to focus on Twitter, reddit, or Wikipedia. By understanding API
and other information dependencies, we can see how vulnerabilities often
occur in the interstices between technical systems.
- Dodging/Testing Guardrails – Major technology companies have built
numerous guardrails to identify when media manipulators are trying to
exploit their systems, but some adversaries learn where these guardrails
exist and exploit them. This is best seen through the lens of content
moderation, where our team has examined different efforts to test and dodge
restrictions.