LB
Publications
- Can unicorns help users compare crypto key fingerprints?
- Designing Password Policies for Strength and Usability
- Better passwords through science (and neural networks)
- Design and evaluation of a data-driven password meter
- Some recipes can do more than spoil your appetite: Analyzing the security and privacy risks of IFTTT recipes
- Let's go in for a closer look: Observing passwords in their natural habitat
- Riding out DOMsday: Toward detecting and preventing DOM cross-site scripting
- Diversify to survive: Making passwords stronger with adaptive policies
- Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition
- (Do not) Track me sometimes: Users' contextual preferences for web tracking
- Do Users' Perceptions of Password Security Match Reality?
- Sharing personal content online: exploring channel choice and multi-channel behaviors
- Usability and Security of Text Passwords on Mobile Devices
- Self-driving cars and data collection: Privacy perceptions of networked autonomous vehicles
- How risky are real users' IFTTT applets?
- Cybersecurity and privacy
- Privacy expectations and preferences in an IoT world
- “I added '!' at the end to make it secure”: Observing password creation in the lab
- Timing-sensitive noninterference through composition
- Password creation in the presence of blacklists
- Towards privacy-aware smart buildings: Capturing, communicating, and enforcing privacy policies and preferences
- Why people (don't) use password managers effectively
- Fast, lean, and accurate: Modeling password guessability using neural networks
- "adulthood is trying each of the same six passwords that you use for everything": The Scarcity and Ambiguity of Security Advice on Social Media
- Detecting iPhone Security Compromise in Simulated Stalking Scenarios: Strategies and Obstacles
- (How) Do people change their passwords after a breach?
- “It's not actually that horrible”
- The Influence of Friends and Experts on Privacy Decision Making in IoT Scenarios
- Comparing Hypothetical and Realistic Privacy Valuations
- A Field Study of Computer-Security Perceptions Using Anti-Virus Customer-Support Chats
- A General Framework for Adversarial Examples with Objectives
- User behaviors and attitudes under password expiration policies
- On the Suitability of Lp-Norms for Creating and Preventing Adversarial Examples
- $n$-ML: Mitigating Adversarial Examples via Ensembles of Topologically Manipulated Classifiers
- What breach? Measuring online awareness of security incidents by studying real-world browsing behavior
- What Makes People Install a COVID-19 Contact-Tracing App? Understanding the Influence of App Design and Individual Difference on Contact-Tracing App Adoption Intention
- Optimization-Guided Binary Diversification to Mislead Neural Networks for Malware Detection
- Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements
- “Did you know this camera tracks your mood?”: Understanding Privacy Expectations and Preferences in the Age of Video Analytics
- Metering graphical data leakage with Snowman
- “I would have to evaluate their objections”: Privacy tensions between smart home device owners and incidental users
- OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile Browsers
- What makes people install a COVID-19 contact-tracing app? Understanding the influence of app design and individual difference on contact-tracing app adoption intention
- Malware Makeover: Breaking ML-based Static Analysis by Modifying Executable Bytes
- Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning
- Investigating Advertisers' Domain-changing Behaviors and Their Impacts on Ad-blocker Filter Lists
- Prevalence of Third-Party Tracking on Abortion Clinic Web Pages
- Perspectives from a Comprehensive Evaluation of Reconstruction-based Anomaly Detection in Industrial Control Systems
- A comparison of users' perceptions of and willingness to use Google, Facebook, and Google+ single-sign-on functionality
- Real life challenges in access-control management
- Detecting and resolving policy misconfigurations in access-control systems
- What you want is not what you get: Predicting sharing policies for text-based content on Facebook
- Analyzing the dangers posed by Chrome extensions
- Measuring password guessability for an entire university
- What matters to users? Factors that affect users' willingness to share information with online advertisers
- Expandable grids for visualizing and authoring computer security policies
- A user study of policy creation in a flexible access-control system
- Of passwords and people: measuring the effect of password-composition policies
- Efficient proving for practical distributed access-control systems
- Exploring reactive access control
- Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms
- Modeling and enhancing Android's permission system
- Tag, you can see it! Using tags for access control in photo sharing
- Run-time enforcement of information-flow properties on Android
- Run-time enforcement of nonsafety policies
- Constraining credential usage in logic-based access control
- Enforcing more with less: Formalizing target-aware run-time monitors
- Composing expressive runtime security policies
- The post anachronism: the temporal dimension of Facebook privacy
- Probabilistic cost enforcement of security policies
- Correct horse battery staple: Exploring the usability of system-assigned passphrases
- Discovering access-control misconfigurations: New approaches and evaluation methodologies
- More than skin deep: measuring effects of the underlying model on access-control system usability
- Out of sight, out of mind: Effects of displaying access-control information near the item it controls
- Studying access-control usability in the lab: lessons learned from four studies
- Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement
- xDomain: Cross-border proofs of access
- Encountering stronger password requirements: user attitudes and behaviors
- Introducing reputation systems to the economics of outsourcing computations to rational workers
- Probabilistic Cost Enforcement of Security Policies
- "I added '!' at the end to make it secure": Observing password creation in the lab
- Measuring Real-World Accuracies and Biases in Modeling Password Guessability
- Run-time monitoring and formal analysis of information flows in Chromium
- A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior
- Studying the effectiveness of security images in Internet banking
- Android taint flow analysis for app sets
- Can long passwords be secure and usable?
- Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
- Consumable credentials in logic-based access-control systems
- Don’t Bump, Shake on It: The Exploitation of a Popular Accelerometer-Based Smart Phone Exchange and Its Secure Replacement
- Challenges in Access Right Assignment for Secure Home Networks
- How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
- Access control for home data sharing: Attitudes, needs and practices
- Toward strong, usable access control for shared distributed data
- Edit automata: Enforcement mechanisms for run-time security policies
- Distributed proving in access-control systems
- Lessons learned from the deployment of a smartphone-based access-control system
- More enforceable security policies
- A linear logic of authorization and knowledge
- Composing security policies with Polymer
- Enforcing non-safety security policies with program monitors
- Mechanisms for secure modular programming in Java
- Device-enabled authorization in the Grey system
- Types and effects for non-interfering program monitors
- A general and flexible access-control system for the Web
- Access control for the Web via proof-carrying authorization
- Adversarial Training for Raw-Binary Malware Classifiers
- Towards Usable Security Analysis Tools for Trigger-Action Programming
- Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals
- Deceiving ML-Based Friend-or-Foe Identification for Executables
- RS-Del: Edit Distance Robustness Certificates for Sequence Classifiers via Randomized Deletion
- Group-based Robustness: A General Framework for Customized Robustness in the Real World
- Interdisciplinary Approaches to Cybervulnerability Impact Assessment for Energy Critical Infrastructure
- On the Suitability of $L_p$-norms for Creating and Preventing Adversarial Examples
- The Impact of Exposed Passwords on Honeyword Efficacy
- Constrained Gradient Descent: A Powerful and Principled Evasion Attack Against Neural Networks
- Introducing Reputation Systems to the Economics of Outsourcing Computations to Rational Workers
- "Adulthood is trying each of the same six passwords that you use for everything": The Scarcity and Ambiguity of Security Advice on Social Media