Presentations and Speaking Engagements
I used to give presentations fairly regularly as part of my academic work, and didn't bother to list them since it's assumed that most academics do the same. However, since I also speak on other topics to communities where frequent presentations are not the norm, I thought this page might be helpful for those curious about my speaking experience, venues and topics.
Slides of my talks are not always linked here, either due to the work in question not being public or due to it being so old that I figured it would be of limited interest. If you are interested in seeing a particular slide deck that is not linked here, please contact me by email to terri(at)toybox(dot)ca or terrioda(at)gmail and I may be able to find it.
- "Keynote: Is Open Source Software Really More Secure?" Pycon Pune, February 2017. [Video]
Abstract: Open source proponents often list security as one of many reasons that users should want to use open source software, but is it really true? This talk explores why the question "Is open source software really more secure?" is hard to answer, what it means to be secure, how our metrics could be harming our actual security, what good security looks like at a community level, and how we can help make things better.
Notes: The video has no sound at the beginning; the link above starts it at 1:50, when the talk begins.
- Advanced Secure Code Development, two-day internal course, March 28-29, 2017. (Internal course, materials not available to general public.)
Notes: This is a course developed by others on secure coding, mostly focusing on issues in C/C++. This iteration was the final step of my "training" and was a very small and friendly class. I expect to be teaching the course quarterly when there is sufficient demand.
- "Choosing More Secure Open Source Packages: Lessons from the Whitelist" Brown Bag, March 21, 2017. (Reprise of SWPC 2016 talk for internal open source audience.)
- "Choosing More Secure Open Source Packages: Lessons from the Whitelist" Software Professionals Conference (SWPC), October 19, 2016. (Internal company conference, slides and video not available to general public.)
Notes: This talk used examples from many open source projects to help software professionals gain an understanding of how to differentiate sketchy, unmaintained or dangerous open source projects from well-maintained and reasonably secure projects.
- "Taking no for an answer" Open Source Bridge, June 22, 2016. [full proposal] [slides]
Abstract: Open source (like many fields) rewards people who are confident and even a bit pushy. So we give talks encouraging folk to get over imposter syndrome, lean in, say yes to more things. But self-improvement shouldn't focus only on our most vulnerable members; it should also reach our most powerful. So let's talk not about saying yes, but about hearing no. Learning to take no for an answer can transform efforts such as security, diversity and mentoring where we have few experts or volunteers and great need. Let's talk about accepting "defeat" with grace, and how to take "no" for an answer while still moving forwards.
- "Sparkle Security" Open Source Bridge, June 21, 2016. [full proposal] [slides]
Abstract: "Agent Sparkle, you have been recruited as a security expert to use your skills to protect the kingdom of Project Rainbow. You might not feel qualified yet, but Project Rainbow has great faith in your ability to learn." Web security is perhaps one of the most fun types of computer security to master: exploits can be constructed quickly and without many tools. But sadly, while there are many tutorials, they simply don't have enough rainbows and sparkles, and the practice exploits tend to focus on the basics without flourishes. Project Sparkle is a set of "training missions" designed to make learning web security more kid-friendly, but we think the audience of Open Source Bridge will also enjoy exploiting the web to add more rainbows and sparkles!
- "Securing Open Source Software" Panel discussion with Valerie Fenwick, Leigh Honeywell and Terri Oda. Moderator, Sarah Beck. Grace Hopper Celebration of Women in Computing, October 2015
Abstract: Heartbleed, FREAK, POODLE - you've heard about them: vulnerabilities in critical parts of the internet's infrastructure. If you work in Security, IT, or development, these names and cheesy logos have given you nightmares. The tech world depends on FOSS (Free and Open Source Software), and it needs to be secure. Learn about how individuals and corporations can work to ensure FOSS is safe and improves over time. Our panelists discuss their efforts and how you can help.
- "Bringing Security to Your Open Source Project" Open Source Bridge, June 25, 2015. [full proposal] [slides] [video]
Abstract: With high profile breaches in open source projects, the issue of security has become one of great import to many people. But many projects, especially smaller ones, are intimidated by the idea of a security audit. This talk will discuss ways for smaller projects to experiment, learn, and even have fun improving their security. No PhDs in security required!
Notes: The slides for this were designed to stand somewhat on their own, but the slide deck does include notes on what I intended to say to flesh out the information on the slides. The presentation video is also available from the conference.
- "Internet of Things Militia: Paramilitary Training for your IoT devices" Open Source Bridge, June 25, 2015. [full proposal] [slides] [video]
Abstract: Security folk generally talk about how the Internet of Things is bad for security, and indeed it is true that infrequently updated devices given access to a "trusted" home network can potentially result in problems. But what about the other side? Can you train your internet light bulbs as guard dogs? Can you send your internet fridge to search and destroy invaders and that dude whose wifi signal interferes with yours? Can your thermostat help you figure out whether a network access is legitimate or not? The internet of things brings new sensors and connected devices that could co-operate in new and interesting ways, some of which may be very different from the manufacturer's initial intent.
Notes: This was intended to be a light, somewhat irreverent talk about IoT. The meta-goal was to get people to think about interoperability and IoT in different ways, but mostly it was meant to be fun. The slides are very image-heavy and not intended to stand on their own without a presenter. Rough notes are included in the slide set to give you some idea of what verbal presentation went with them. The presentation video is also available from the conference.
- "Skynet is Open Source: How automated software repair can use mutations to fix your bugs and possibly destroy mankind" Open Source Technology Summit, April 2015. (Invite-only conference, slides and video not publicly available at this time.)
Notes: This was a presentation to explain genprog and my postdoctoral research at UNM to an audience of colleagues who would be unlikely to encounter such work in the course of their usual jobs. It covered many key ideas from the artificial life based automated system repair program, discussion of the issues and challenges of that space, as well as thoughts on open source, academia and industry. Slides may be available at a later date if I seek approval from my manager.
- "When Many Eyes Fail You: Tales from Security Standards and Open Source" Open Source Bridge, June 24, 2014. [full proposal]
Abstract: It's often said that "given many eyes, all bugs are shallow" and open source proponents love to list this as a reason that open source is more secure than its closed-source relatives. While that makes a nice sound bite, the reality of security with many eyeballs doesn't fit so nicely into a tweet. This talk will explore some of the things that surprised me in going from academic security research to industry security research in open source and open standards.
- Crosswalk on Tizen update, Tizen Security F2F, Vannes, France, September 2014.
- Crosswalk security, Tizen Security F2F, Warsaw, Poland, July 2014.
- "Web Security and Automated Software Hardening" Job talk at industry research group, April 2013.
- "First Experiences in Open Source Software: How to get involved" Panel Discussion, Grace Hopper Celebration 2012.
- Router bugs, Upcoming research presentation for DARPA site visit, February 2012.
- "Security Attacks, Countermeasures and Protecting Yourself Online!" Grace Hopper Celebration 2011.
- "Open Source Needs You: Find Your Community and Change the World." Panel discussion, Grace Hopper Celebration, November 2011.
- "Simple security policy for the web." PhD Thesis Defense, Carleton University, October 2011.
- "Web Security for the Masses." Job talk, University of New Mexico, May 2011.
Abstract: If web security were a siege, the attackers would be winning through attrition: it is relatively easy to compromise a site, but it takes significant resources for a defender to ensure that it is even moderately secure. There is a need for security policy languages to improve control over the behaviour of web pages, but security policy can be overwhelming and confusing to web designers who may have backgrounds in art, not security. As such, I have developed Security Style Sheets, a language rooted in existing web standards and visual design that allows designers to mitigate common attacks such as cross-site scripting without requiring extensive page rewrites. This alleviates some of the barriers to better web security, but the language could be even more powerful combined with adaptive techniques for inferring policy, giving web users the ability to browse more safely even when an expert is not available.
Notes: As is apparently typical for a job talk, this also included more information about me, my background and previous research.
- "Using Facebook for Evil (and other bad things that happen online)." CU-WISE Celebration of Women in Computing, Carleton University, Ottawa, ON, April 6, 2011
Notes: A general-level talk intended for the public as well as students and staff.
Abstract: People like to share. Photos, links, stories, feelings, or even what you had for dinner might end up online... it all seems harmless, but is it really? Learn here about some of the crafty things a mean person might do using your information, and how you can try to avoid getting burned.
- "Enhancing Web Page Security with Security Style Sheets" Research Day, Carleton University, March 25, 2011
Brief talk description (25-40 words): The web is dangerously insecure, but solutions are often so prohibitively time consuming that they are not implemented. Security Style Sheets, a policy language based in existing web standards, unites disparate techniques to make security mitigation more straightforward for busy developers.
Talk abstract (150-200 words): Although the web security community now has a variety of techniques that could help web developers to defend against common attacks such as cross-site scripting and cross-site request forgery, this work is not in a form suitable for general use. What is needed is a web standard that unites these techniques using syntax and semantics that are easy for web developers to learn and straightforward for browser makers to implement. Here we propose such a standard, Security Style Sheets, a browser-enforced policy language modelled on Cascading Style Sheets. Security Style Sheets provides an extensible policy framework that allows for policy to be separated from content and to be specified at both coarse and fine levels of granularity. In this paper we present the syntax and semantics of Security Style Sheets, explain its relationship with past web security proposals and CSS, and give examples of how it could be used to protect mainstream websites such as Facebook. Also in the model of CSS and the Acid3 tests, we present a conformance suite for Security Style Sheets.
- "Getting Started in Free and Open Source Software." Grace Hopper Celebration of Women in Computing, Atlanta, GA, September 30, 2010.
Session Description: Are you interested in contributing to a Free or Open Source software project, but you're not sure how to get started? Wondering about some of the social aspects of participating in the community, as well as the technical details? During this panel discussion, key contributors to several Free and Open Source Software projects will discuss tips for successfully engaging with the project of your choice. Panelists will share their own experiences getting started in Free and Open Source development. They will also share best practices with audience members, helping newcomers understand the basics of contributing to Open Source so their initial foray is most effective.
Notes: I was part of a panel discussing this topic as part of the new open source track at Grace Hopper. I also helped out with the Codeathon that followed our session.
- "GNU Mailman 3: Mailing lists of the future." LinuxCon, Boston, MA, August 12, 2010.
Abstract: GNU Mailman forms the backbone of many online communities, including many open source projects. It provides free software for managing electronic mail discussion and e-newsletter lists which are often used to coordinate development, communities and events. Mailman 3, currently in alpha, is an extensive rewrite to use modern architecture, address user issues, and bring new ideas into the way we use mailing lists. Learn about what the upcoming Mailman 3 will offer to end users and communities, and hear a little bit about what is changing under the hood. Audience members can expect to learn about new features and changes in Mailman 3, both for users and for list/community administrators. Only basic understanding of email and mailing lists will be required.
Notes: A talk on the upcoming features of Mailman 3 (in alpha at the time of the talk). As it turned out, my audience was largely composed of system administrators with significant experience using Mailman 2.1 on a large scale.
Notice how this was two days after the HotSec presentation, and in a different city. It was a busy week!
- "Visual Security Policy for the Web." USENIX Hot Topics in Security (HotSec 2010), Washington, DC, August 10, 2010.
Abstract: Many web security vulnerabilities allow parts of a page to interact when they should be isolated. Such vulnerabilities can be mitigated by implementing protection boundaries between web page elements. Several methods exist for creating such boundaries, but existing methods require relatively sophisticated knowledge of web technologies. To make protection mechanisms available to a wider audience, we propose a simple web page security policy language, ViSP, modelled on mechanisms for specifying page layout. Here we characterise ViSP and describe a simple Firefox-based prototype that allows interactive, graphical specification of per-page security policies. We also show how these tools can be used to protect against cross-site scripting (XSS) attacks on common web applications.
- "Visual Security Policy for the Web." CCSL Meeting, August 4, 2010
Notes: Complete trial run for HotSec
- "Web security for regular folk" COMP1001 class, June 7, 2010.
Notes: I was invited to give a general-level talk on web security for an intro-level computer science course. This version of the talk included an intro to web security, a small overview of my research, and tips for staying safe online.
- "No Website Left Behind: Are We Making Web Security Only For the Elite?" Web 2.0 Security and Privacy, Oakland, CA, May 20, 2010.
Abstract: The web is riddled with flaws that make it unsafe. Protection methods exist, but current web security solutions are often designed to be deployed by programmers and security experts. Unfortunately, programmers and web security experts are not always available: many sites are created by graphic designers with more artistic backgrounds, and others involve web applications installed by non-programmers who want a website to fit a targeted need. These non-expert page creators may find web security solutions confusing and difficult to implement because they assume significant technical expertise. While solutions designed for experts are valuable, solutions for non-experts are needed to make the web safer.
- "No Website Left Behind: Are We Making Web Security Only For the Elite?" ABA meeting, May 12, 2010.
Notes: Complete trial run for W2SP
- "No Website Left Behind: Are We Making Web Security Only For the Elite?" ISSNet Annual Workshop, May 27-30, 2010.
Notes: Shortened Sneak Preview of my W2SP talk
- "Visual Security Policies for Web Pages." Thesis proposal defence, April 9, 2010.
Notes: Yes, I passed.
- "Web security for regular folk." Carleton Celebration of Women in Science and Engineering, April 8, 2010.
The web is not a safe place: little flaws found in a large number of web pages can be exploited by attackers to do harm, from installing viruses to stealing passwords to infecting all your friends. There are new attacks showing up all the time. Being safe on Facebook is not limited to "don't share your password," but many people are unaware of the risks. And unfortunately, even the people who make websites may not understand how to make them safe! This talk will describe some of the modern safety concerns on the web, as well as my own research to make the web safer. If part of the problem is that web designers are artists, not security experts, can we make it so that art provides security? How can we make the web safer, but still usable?
Notes: A general-level talk on my web security research.
- "How does biology explain the low numbers of women in computer science? Hint: it doesn't." Carleton Celebration of Women in Science and Engineering, April 8, 2010.
A snarky but mathematically informed look at one of the common myths of ability regarding women in technical fields. Simple, short, back-of-the-napkin style presentation.
This was prepared and put online in November 2009, and parts of it have been used by others, but this was my first live "performance" of the presentation.
- Joint with Gail Carmichael. Interview with CBC Ottawa Morning. Aired April 8, 2010.
- "Visual Web Security Policies." Carleton Computer Security Laboratory, January 28, 2010.
Notes: Precursor to a potential poster.
- "Computer Security." Outreach presentation for careers class at Lisgar Collegiate Institute, December 1, 2009.
- "Using Layout Information to Enhance Security on the Web." Grace Hopper Celebration of Women in Computing, September 30 - October 3, 2009.
- "Attracting women to open source" Birds of a Feather session, Linux Symposium, Montreal, July 13-17, 2009.
In 2006, GNOME put out the call for students to participate in the Google Summer of Code project, where students get paid to work on open source projects. They received 181 applicants -- and not a single one from a woman. Seeking to attract female applicants, they ran a Women's Summer Outreach Programme, and got 100 applicants. There are capable women out there, but how can we attract them to open source projects? Do women need an invitation? What makes an open source project attractive to women? What drives otherwise talented people away from a project? The goal of this BOF is to talk about some of the issues, and brainstorm ways to increase involvement. (And yes, the BOF is open to both women and men.)
- "Mitigating Cross Site Scripting Using Web Page Layout" ISSNet Annual Workshop, June 15 - 18, 2009.
Web security lies primarily in the hands of those who create the pages. Unfortunately many people and organizations who run web sites do not have the time, security knowledge, or motivation to produce secure sites. As a result, users are exposed to insecure pages daily. This talk investigates ways to protect users by leveraging existing information from the page layout to produce good security policy without requiring an expert.
- "Mitigating Cross Site Scripting Using Web Page Layout" MITACS annual conference, June, 2009.
- "Web Security" Private government meeting, February, 2009.
- "SOMA: Mutual Approval for Included Content in Web Pages", Ottawa-Carleton Institute for Computer Science Seminar Series (OCICS), January 9, 2009.
- Joint presentation with Glenn Wurster. "SOMA: Mutual Approval for Included Content in Web Pages" ACM Computer and Communications Security (CCS'08), October 27-31, 2008. Pages 89-98.
- Joint presentation with Glenn Wurster. "SOMA: Mutual Approval for Included Content in Web Pages", Carleton Computer Security Laboratory, October 21, 2009.
Notes: Trial run for CCS presentation
- Joint presentation with Anil Somayaji. "The Ottawa Linux Symposium: Update on the world of Linux." Carleton Computer Security Laboratory, July 29, 2008.
We will present an overview of the Ottawa Linux Symposium: its history, who attends, and what it is about. We'll give some highlights of the symposium, discussing issues such as SELinux, virtualization, and issues with P2P distribution of free software. We'll then discuss security research problems that seem to be relevant to the OLS audience.
Notes: Bringing some highlights of OLS back to our research group.
- "Women in Open Source." Birds of a Feather session, Ottawa Linux Symposium, Ottawa, July 23-26, 2008.
- "SSP, SOMA, and Web Security" Carleton Computer Security Laboratory, July 8, 2008.
Notes: A short presentation to stimulate discussion on the design of SSP (which later became Mozilla's CSP) and how it compared with SOMA.
- "SOMA: Mutual Approval for Included Content In Web Pages" Private industry meeting, June, 2008.
- "Content Provider Conflict on the Modern Web" Symposium on Information Assurance (New York State Cyber Security Conference), Albany, NY, June 4-5, 2008.
- "When Elephants Dance, Mice Must be Careful: Content Provider Conflict on the Modern Web" Carleton Computer Security Laboratory, March 18, 2008.
Notes: Trial run for Albany presentation
- "The Same Origin Mutual Approval Policy" MITACS research group meeting, December 7, 2007.
- "Upsides and downsides of the Tahoma sandboxed browser model" Carleton Computer Security Laboratory, September 27, 2007.
This talk discusses the 2006 paper "A Safety-Oriented Platform for Web Applications" by Cox et al., which proposes a "Browser Operating System" called Tahoma. The idea is to use virtual machine sandboxes to contain separate web applications -- protecting the computer from them, and them from each other. I will be covering some of the interesting ideas in their approach, and I hope to inspire discussion about the parts of this approach that lend themselves to exploitation or confusion on the part of the user.
Notes: This marked some early discussion into related work for SOMA.
- "Sharks in the Sandbox: Security and Privacy on the Modern Web" Private industry meeting, May 7, 2007.
- "Sharks in the Sandbox: Security and Privacy on the Modern Web" Carleton Computer Security Laboratory, April 17, 2007.
Notes: Trial run for the industry presentation
2006 (Highlights)
I was finishing coursework and studying for my comprehensive exams this year. I almost certainly did presentations, but I don't remember the details. Sorry!
- "Immunity from spam: an analysis of an artificial immune system for junk email detection" Artificial Immune Systems: 4th International Conference, ICARIS 2005, Banff, AB, Canada, August 14-17, 2005.
Notes: [Associated Paper]
- "A Spam-Detecting Artificial Immune System." Master's thesis defence, December 2004.
Notes: [Master's Thesis]
- "Developing an Immunity to Spam." Genetic and Evolutionary Computation - GECCO 2003. Genetic and Evolutionary Computation Conference, Chicago, IL, USA, July 12-16, 2003.
Notes: [Associated paper]
- "Revisiting Elitism in Ant Colony Search." Genetic and Evolutionary Computation - GECCO 2003. Genetic and Evolutionary Computation Conference, Chicago, IL, USA, July 12-16, 2003.
Notes: [Associated paper]