Understanding science: Conference marathon in California

The little sister: SOUPS

It's cold in Platinum Salon number 5, really cold. It's not hard to tell who's already used to American air-conditioning. While some people in T-shirts seem to be unimpressed by the cold, others wrap their arms around themselves, in a futile effort to keep warm. Outside, the California sun is beating down from a cloudless sky on the Anaheim Marriott Hotel, where one of the most important cybersecurity conferences in the world will be held this year: the USENIX Security Symposium. But it's still Monday and USENIX is therefore two days away. Nevertheless, the hallways are already packed with cybersecurity researchers from all over the world. Well, not from the entire world. Attending conferences is still a privilege that not everyone can afford, nor everyone can achieve, CISPA-Faculty Katharina Krombholz tells me. Katharina is largely responsible for the flurry of activity that is already happening today. Together with Rick Wash from Michigan State University, she is the so-called Program Committee Co-Chair of SOUPS and has thus determined which papers will be presented here in the coming days. SOUPS is the universally beloved abbreviation for the Symposium on Usable Privacy and Security - a kind of little sister of USENIX, where everything revolves around so-called Usable Security. This research area is primarily concerned with the question of how security and data protection mechanisms can be designed in a way that they actually work in practice for the user. "SOUPS is totally nice because it's very small. You can talk to lots of people in peace and quiet before the hype of USENIX starts. You should definitely attend," CISPA researcher and PhD student Alexander Ponticello had already advised us when planning our trip.

„SOUPS is totally nice because it’s very small. You can talk to lots of people in peace and quiet before the hype of USENIX starts. You should definitely attend.“

Alexander Ponticello

Understanding conference logic

This is the first time we are attending a conference to document everything on the ground - and to understand what our researchers are actually doing there: Traveling around the world, presenting research papers, networking. In the lobby, we meet what we affectionately call the "usables," a research group at CISPA working on usable security, described earlier. "Mingle, network. I don't want to see you only talking to CISPA people," I hear Katharina say to them. Her appeal to young scientists is not without reason: more than 40 CISPA researchers plus a handful of supporters have come this year. Among them, besides us, the Scientific Talent Acquisition team, which hopes to land new talent for CISPA. A full 30 papers on which CISPA researchers have collaborated will be presented at USENIX. Two more at SOUPS. Quite a lot - as we will also discover in the coming days, trying to cover all the important talks in text and photos. And of course we also want to provide a bit of emotional support for our PhD students, most of whom are attending a conference for the first time themselves.

One of them is Abdullah Al Hamdan. You can see that he is nervous. And that's despite the fact that his talk will only take place in three days. I speak a few words with him, wish him good luck. "Finger's crossed," I say. He smiles. His talk at USENIX will be excellent. Several follow-up questions show that the audience is interested in his research. Abdullah is one of only a few speakers who manage to make eye contact with the audience on a regular basis. I smile at him after the talk, giving two thumbs up. He laughs and hints at a cheer before continuing to answer colleagues' questions.

Excellence and hard work

Back in Platinum Salon 5, however, it's time for the opening of SOUPS. And there is a highlight right at the beginning: It will be announced who will receive a Distinguished Paper Award. This award is intended to highlight the most remarkable of all the top papers presented at this conference. In addition to this coveted award, the IAPP SOUPS Privacy Award and the John Karat Usable Privacy and Security Student Research Award will also be presented. By this time, conference fever has me firmly in its grip. I unconsciously clench my hands into fists all the time - excited to see if one of the PhD students at CISPA will receive an award. Unfortunately, the prizes do not go to us that morning. Among the awards is a paper that examines cybercrime and threats in Pakistan in more detail. The winners and all the others presenting here are all young talents who have put their heart, sweat and tears into writing their research and then subjecting it to the often arduous review process. What is meant by review? If you want to be accepted at one of these so-called top-tier conferences, you submit your paper which is then reviewed by other researchers. This is referred to as "peer review" because the independent reviewers are all colleagues (peers) in the same field. The submitted paper is either accepted directly, which is rare, or rejected first. Some papers are submitted three or four times before they finally make it to one of the important conferences - many times revised and rewritten.

"We have a double-blind process these days. This means that neither the authors know who is reading their work, nor do the reviewers know whose work they are looking at. This anonymity is important to guarantee an unbiased evaluation. In the past, there were only single-blind procedures, which is not good. It's just that, unfortunately, some reviewers also take advantage of that anonymity.“

Sascha Fahl

CISPA-Faculty Sascha Fahl tells me how grueling this process can be: "Unfortunately, the comments from reviewers are sometimes not constructive at all. Sometimes they read something like: 'Boring, I've heard it before,'" he explains to me during a break in one of the afternoons. We spend it in the sun in front of the Marriot hotel. The square in front of the hotel, where there are a few seating areas and a large fountain a little further down the road, is lined with palm trees. From the Hilton Hotel, which is directly opposite, music booms all day long. Big and small hotel guests with Mickey Mouse ears disappear into the lobby of the Marriott. Since I've arrived, it seems to me that California really wants to fulfill every cliché of itself as the "Golden State" with entertainment value. And it does that so thoroughly that it's seriously a feel-good place. But that's just a side note.

Sascha and I blink a bit sleepily into the sun before he explains why the reviews sometimes turn out so messy: We have a double-blind process these days. This means that neither the authors know who is reading their work, nor do the reviewers know whose work they are looking at. This anonymity is important to guarantee an unbiased evaluation. In the past, there were only single-blind procedures, which is not good. It's just that, unfortunately, some reviewers also take advantage of that anonymity." Why, I ask myself first and then out loud. Surely they should know how that feels. "They've probably already forgotten," Sascha says. I figure maybe it's because the review process is so labor-intensive and comes on top of all the many tasks researchers already have. The reward: none. "'Community service,'" Sascha says. "It used to be that people could volunteer for reviewing. Looked good on your resume and kind of paid off that way. In recent years, however, the community has grown so much that researchers are increasingly expected to review papers. Nowadays, there are often so many paper submissions to conferences that even young researchers have to be involved in the review process. This is of course problematic. Many of them have only a rough idea of the topics they are reviewing. That's where we need to do more work on the processes and think about a lot of things for the future." CISPA researcher Ben Stock would certainly agree. However, he does see an advantage in involving junior staff early in the review process and helping them write constructive reviews. "In order for junior staff to learn how to do this appropriately, some conferences, such as Euro S&P, now offer mentoring programs for reviewers," he explains to me later.

What a day!

Sascha's team works out of Hanover, where CISPA has had a strategic research collaboration with Leibniz University since 2021. One of his PhD students, Sabrina Amft, gets to present her paper at SOUPS that morning after the awards are announced and a few other talks have passed. The paper is a study that shows that users of password managers often put convenience before security, and that theoretically well-designed security mechanisms are often undermined in practice by the behavior of users. This is important knowledge for developers of these tools, who will find suggestions on how to deal with this at the end of the paper. Sabrina appears professional during her presentation. She walks onto the stage with the utmost calm. It is at least 15 meters long and covered with black curtains. Once up there, a spotlight is directed so brightly and mercilessly onto the faces of the speakers that they can no longer see who is sitting in front of them. Sabrina speaks into a huge hall, which is rather sparsely occupied. This is not because her presentation is not interesting, but because SOUPS is comparatively small. I estimate that around 250 people have traveled to attend. The room we're sitting in can hold 800 people, I bet.

Whenever we go from the conference rooms to the lobby, there is a buzz from every direction. Everywhere, people are standing together at bar tables discussing possible collaborations after hearing an interesting talk. Others are rushing to the next talk or trying to get a quick coffee before moving on. The day is pretty packed. There are presentations until 4:45 p.m. From 5:30 p.m. to 7 p.m., there's another poster session. Researchers can apply in advance for this as well. On a usually huge poster, DIN A0 size, they summarize their work as clearly as possible. To be honest, this is more or less successful. With a drink in hand, other researchers, but also sponsors or other "VIPs" walk past the posters. If they stop, they get a short talk from the presenters and can ask questions. For young researchers, this is another good opportunity to talk to renowned researchers and perhaps gain an advantage for the next career step. For scientists who are already firmly in the saddle career-wise, such sessions are above all an opportunity to recruit talent. Win Win, in other words.

I can't even begin to cover all the posters on display. I estimate there are at least 40 that were pinned along the walls here on poster stands. I linger longer on some of the titles because I've heard of the theme at CISPA before. I grab one of the appetizers from the buffet and turn to face a friendly-looking researcher from Bonn. She is exhibiting her study on people's opinions of so-called client-side scanning. She's trying to find out if and under what circumstances people would agree to having their smartphone content scanned for law enforcement purposes. Again and again these days, I see her approaching people in the lobby. She wants to get them interested in taking a survey and doing an interview to further her research. She's in the right place for that.

At the poster session, Hanoverians are again strongly represented by CISPA. As many as three posters come from Sascha Fahl's group. Juliane Schmüser, Sabrina Amft and Alexander Krause will be answering questions on various topics in the large room. Juliane presents a study on the question of how high the risk awareness is in industry regarding potential attacks on machine learning systems. Sabrina has dedicated her research to security issues that arise when embedding content such as maps or social media logins on websites. Alexander talks about how developers handle code secrets and how they can accidentally reveal secret information. I also meet Simon Annell from Katharina Krombholz's team, who is standing next to his poster illustrating how healthcare experts share healthcare data with each other and where privacy issues can arise. The work of weeks and months is condensed here into a few minutes of conversation. I have to confess: I don't always follow them right away. But they all tirelessly answer my questions.

After a few more conversations, I feel mentally saturated. I take care of the rest with more appetizers and settle down at one of the few tables in the room, where, after brief eye contact and an inviting smile on my part, a gentleman sits down opposite me. As it turns out, he is an important decision-maker at the National Science Foundation, arguably the largest funding agency in the United States. This year, the government institution is distributing nine billion dollars to researchers in all U.S. states. I ask him how he decides which projects are worthy of funding and which are not, given the many applications that land on his desk. There is a whole catalog of criteria that expert committees use to decide on funding, he explains to me. When I ask him how and whether the success of the projects is evaluated, he thinks for a while. Of course, the researchers have to report on their projects and show what they are doing. But measuring actual success is difficult, he says. "It often takes years for a research project to ultimately turn into a product. Sometimes it doesn't happen at all."

Without the research, there certainly won't be a product, I think to myself. And after the conversation, I'm once again clearer about something that's been on my mind for a long time: research is born out of curiosity. Out of trial and error. Out of failure. Research thinks about the day after tomorrow and thus about the unknown. It is risky. But without it there is no progress. No innovative power. And as if my words had the slightest weight somewhere outside my head, I state perhaps a little too pathetically: We urgently need to preserve it as a valuable and perhaps last asset that is not measured solely by its capital value. With certainly much more profane thoughts, I fall into bed in the evening and have the distinct feeling of having experienced more than just one day at a time.

What on earth is GREPSEC?

The next day is much quieter for us. The nervousness of the beginning has subsided. A kind of daily conference routine develops: talks, breaks with refreshments, eating, occasionally warming up in the sun. In the evening, a special event is scheduled. CISPA-Faculty Cas Cremers draws my attention to it: "I'll be a mentor at the GREPSEC workshop later. Come by and check it out, I'm sure it'll be exciting." GREPSEC is a workshop for doctoral students that focuses on underrepresented populations, including women, non-binary and gender minorities, Blacks, Hispanics, Latinos and Latinas, Native Americans and Indigenous students, and LGBTQ+ students. That much for the theory. Then, when I enter one of the smaller lecture halls in the evening to get a close-up look at GREPSEC, I'm quite blown away by the hustle and bustle. Before the actual workshop, which is only open to registered participants, speed mentoring is on the agenda. All over the room, mentors stand at tables with doctoral students and answer all kinds of questions. Similar to speed dating, the idea is to get in touch with as many different people as possible, which is why every few minutes a woman shouts loudly into the room that it is now time to move on.

"Speed mentoring is a good opportunity to ask very basic questions. For example, you can find out how family-friendly institutions are and ask the mentors how they balance work and family."

Aurora Naska

I don't want to disturb the conversation and sit down in the hallway, hoping to ask Cas a little about the event afterwards. A few minutes later, blissfully smiling, CISPA researcher and PhD student Aurora Naska approaches me. "Are you a mentor too?", I ask, and I should know that she can't be. "No I'm a mentee," she says, adding. "Oh, this is really great. It's a great opportunity." "Opportunity for what?", I inquire, happy to have her sit down with me. So far, I don't really understand what this event is about; after all, doctoral students have already kind of arrived in the science system, especially if they can be present at the conference. Aurora explains to me that the event is very important for making contacts outside of one's own research institution - for the further career path. Always staying in the same place is not welcome in the community. Gaining experience in the world is an important currency. "And speed mentoring is a good opportunity to ask very basic questions. For example, you can find out how family-friendly institutions are and ask the mentors how they balance work and family." - A big issue in science. With many new impressions, I enjoy the Californian sunset that evening, which is truly one of the most beautiful in the world.

USENIX begins

When we enter the foyer on a Wednesday, I am almost left breathless. The number of people present has increased tenfold overnight. About 1800 people are registered for USENIX and I have the feeling that most of them are standing in front of me at this moment and are grabbing something from the Continental Breakfast, which unfortunately only consists of tiny muffins and a few melon bites every day. So now it's really getting serious: USENIX is about to begin. One of the top conferences when it comes to cybersecurity and data protection. It's much harder to spot familiar faces among all these people today. But after sorting myself out, I find them. I join Alexander Ponticello, who, as on the other days, has a kind of guest of honor with him: Dañiel Gerhardt. He is a master's student at Saar University and will soon join CISPA as a PhD student doing research in Katharina Kromholz's group. Together with Alexander, he is invited to present his study on digital certificates here the next day, even before he has de facto made it into the scientific community.

We all rush to the largest of the hotel's meeting rooms to witness the opening. It is also customary at USENIX to first announce the winners of the Distinguished Paper Awards. In keeping with the size of this conference, not one, but 16 awards will be presented. Three of them go to CISPA researchers this morning. Two go to Cas Cremers and his collaborators. His PhD student Alexander Dax is involved in both, Mang Zhao in one of them. Another award goes to Thorsten Holz and his collaborators. This paper also won the Runner Up to the Internet Defense Prize. A good start.

Six tracks, each with five talks in four time slots, is the program offered at USENIX - on three days in a row. The tracks are thematically structured and cover a wide range of research areas: cryptography, machine learning, protocol security, fuzzing (automated debugging in software) - everything a researcher's heart desires. On this day, not only we, but also many CISPA researchers have their hands full. CISPA-Faculty Giancarlo Pellegrino, as Program Vice Co-Chair of USENIX, is partly responsible for the whole affair. His response to the question about whether it's a lot of work is to groan loudly and exclaim, "A lot." How much work something like this actually is, I will find out at the end of my trip. Giancarlo, as well as CISPA-Faculty Lea Schönherr, Nils Ole Tippenhauer, Michael Schwarz, Thorsten Holz, Ben Stock, and Wouter Lueks are locked in as session chairs at USENIX. They moderate the various presentations and speakers within the tracks, ask questions, and help to ensure that everything runs smoothly. We constantly have to change locations because talks are being held somewhere by our researchers. And I have to admit that this is the first time I really understand how big CISPA really is. We are world leaders and not just on a paper or in a ranking. We are everywhere here, actively shaping this conference, the research landscape, and the community.

Aurora is giving her first presentation at such a large conference that day, and a second later that week. "I was still so nervous at the first one, I thought my knees were going to drop. By the second, it was almost business as usual," she reveals to me later that week during an evening at a café in Huntington Beach. We're sitting with PhD student and CISPA researcher Kevin Morio, who also made his debut that week. He, too, was struggling with nervousness. "Then when I stood at the top, all of a sudden it was gone." Aurora tells us she's staying in California full time right after the conference - at least for a few months. She's doing an internship at Amazon Web Services. Work is also a big topic for the doctoral students in a relaxed atmosphere in the evening. They give each other tips, ask each other about research topics. I'm a bit impressed by so much maturity. But hey, of course they can party, too.

On Thursdays, the first presentations by CISPA folks are early in the morning. During lunch break, I see Alexander and Dañiel outside in the sun still tweaking their presentation. "Are you nervous?", I ask Daniel. "A bit," he says. Then he gives me a long look, laughs, and says, "Yeah, a bit much." The two of them joke around about how they're going to let each other do the talking later, but quickly get back into work mode. The talk later is really good. No sign of nervousness. Not for either of them. Nor with Birk Blechschmidt, who is also one of the great exceptions: He is here with an extension of his master's thesis, which he wrote under the supervision of CISPA-Faculty Ben Stock. And the latter seems mighty proud of Birk's accomplishment. After his talk, I want to ask Birk if we can post his photo, but he is engrossed in an animated conversation with an older gentleman. A second one is standing next to him and gives me a kind of off-text what I am about to see: Here is an absolute luminary of web security talking to promising young talent. I later tell Ben about it, who only replies: "Yes, that was Steven Bellovin, but unfortunately I couldn't stay. I would have loved to have been there for that conversation."

Hoarse and tired: the cost of a conference marathon

When I see Ben again the next day, the last day of the conference, he is croaking something to himself. The American air-conditioning and all the talking on the previous days have done him in: "When I moderate the session later, I'll probably have to do it with my sexy voice," he says and laughs hoarsely. Ben is one of the biggest figureheads for CISPA at this and probably many other conferences. I constantly see him somewhere talking to talent and promoting CISPA. I have to admit, on day three of USENIX and day five of conferences overall, I am more than tired and also have trouble tolerating the noise level. The noise level decreases rapidly in the afternoon, because some of the researchers are already leaving that day. For us, there are still a lot of talks scheduled until the evening. Boyang Zhang starts off this morning by giving three presentations over the entire USENIX, because he is standing in for his colleagues Xinlei He and Min Chen, who could not be there. As evening falls, I am looking forward to ending the day on the beach, but I am already a little wistful: What an experience!

Bye Bye, California!

The next day in the Uber to the airport, I once again take the opportunity to grill Cas Cremers. He is Program Commitee Chair at CCS this year, as he was in 2022. The next top conference, which will be in Copenhagen in November. "As Program Committee Chair, you have a lot to do. You oversee the submission and review of all papers and make sure the program is high quality. You set the standards for it, you have to form a program committee, and you have to find people who are really knowledgeable about the different conference topics. There need to be guidelines for reviewing. Thousands of emails come into your inbox and you have to constantly confer with the other chairs. Right now, we meet once a week." In addition, there is the supervision of the doctoral students, which is incredibly important to Cas. There's a real lack of free time. Why would you put yourself through that? "Like everything, it's a kind of trade-off. I feel that as Program Committee Chair you can have impact on improving the scientific process. Besides that, people now know me who didn't know me before because they're not in the same field as I am. I have much more visibility in the community now. That is very important for us researchers. Also to recruit talented young researchers. But I'm also glad when it's over," says Cas, laughing.

People often talk about jobs that are more of a vocation than a profession. That of researcher is one such. That has become even clearer to me after this week. I'll be fighting jet lag at home for the next few days, but as annoying as that is, I'm already looking forward like crazy to my next conference trip in November: Copenhagen, here we come! It will probably be cold there again.

"Like everything, it's a kind of trade-off. I feel that as Program Committee Chair you can have impact on improving the scientific process. Besides that, people now know me who didn't know me before because they're not in the same field as I am. I have much more visibility in the community now. That is very important for us researchers. Also to recruit talented young researchers. But I'm also glad when it's over."

Cas Cremers