Cormac Herley

• “Researchers Propose New Approach to Address Online Password-Guessing Attacks,” DarkReading (opens in new tab)
• “Pushing on String: when password strength makes no difference” Video of my talk at Passwords15 (opens in new tab)
• Very nice write-up (opens in new tab) of my keynote at UK Research Institute of Science of Cyber Security
• Video of me giving a talk on passwords (opens in new tab) at CMU
• Administrator’s Guide to passwords: Wired (opens in new tab), The Register (opens in new tab), NakedSecurity (opens in new tab), slashdot (opens in new tab)
• Password portfolios: Ars Technica (opens in new tab), slashdot (opens in new tab), The Register, The Guardian (opens in new tab), Independent, Telegraph (opens in new tab)
• Password meters: Ars Technica (opens in new tab), Threatpost (opens in new tab), slashdot (opens in new tab)
• Why do Nigerian Scammers Say They are from Nigeria: The Economist (opens in new tab), Slate, Bloomberg TV, Wall St. Journal (opens in new tab), Forbes, NPR [On The Media], The New Yorker (opens in new tab), The Telegraph (opens in new tab), Computerworld Australia (opens in new tab), NY Times (opens in new tab), BBC (opens in new tab) et slashdot (opens in new tab)
• Some reactions to an NY Times Oped (opens in new tab) I wrote: theAtlantic (opens in new tab), Ars Technica (opens in new tab), slashdot (opens in new tab), Infoworld (opens in new tab),threatpost, P=NP Blog (opens in new tab)
• Everything we Know about Password-stealing is Wrong: threatpost, The Register (opens in new tab), slashdot (opens in new tab), Freakonomics blog (opens in new tab)
• Video of me giving the keynote at WOOT 2012 (opens in new tab)
• Persistence of passwords: Wired (opens in new tab), The Register (opens in new tab), slashdot (opens in new tab), Network World (opens in new tab), Wall St. Journal (opens in new tab)
• Why isn’t Everyone hacked every day? TechRepublic (opens in new tab)
• Cyber-crime surveys: ProPublica (opens in new tab), The Economist (opens in new tab), The Register (opens in new tab), slashdot (opens in new tab), BBC (opens in new tab), RiskyBiz (opens in new tab), Schneier (opens in new tab), threatpost, Technology Review (opens in new tab), Sydney Morning Herald (opens in new tab), CSO (opens in new tab), TheAge (opens in new tab), StraightStatistics (opens in new tab), The Economist (opens in new tab) [again]
• Where Do Security Policies Come From? NY Times (opens in new tab), slashdot (opens in new tab), theAtlantic (opens in new tab), Schneier (opens in new tab)
• Password popularity: Technology Review (opens in new tab), slashdot (opens in new tab), TechRepublic (opens in new tab)
• Economics of targeted attacks: threatpost
• Interview (opens in new tab) with Erik Meijer on MSDN Channel 9
• Users and security advice: NPR (opens in new tab), Boston Globe (opens in new tab), CBS News (opens in new tab), slashdot (opens in new tab), slashdot [again] (opens in new tab), darkreading, techrepublic (opens in new tab), internet evolution (opens in new tab), SC magazine, NewSchoolSecurity (opens in new tab), SecurityNow! (opens in new tab)
• Video of me speaking (opens in new tab) at CMU
• Underground Economy and IRC channels: DarkReading, ZDnet (opens in new tab)
• Economics of Phishing: slashdot (opens in new tab), The Register (opens in new tab), ZDnet (opens in new tab), NY Times
• Password strength: Newsweek (opens in new tab), slashdot (opens in new tab), TechRepublic (opens in new tab), Technology Review (opens in new tab), Infoworld (opens in new tab)
• Keylogging advice: Digg coverage, Washington Post (opens in new tab)
• Large scale password study: Folha (opens in new tab), Infoworld (opens in new tab)
• US Treasury Secretary Paul O’Neill pretty happy with my work on anti-counterfeiting (opens in new tab)

Passwords

• J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “Passwords and the Evolution of Imperfect Authentication”, Commun. ACM, July 2015
• D. Florencio, C. Herley and P.C. van Oorschot, “An Administrator’s Guide to Internet Password Research”, Proc. Usenix LISA, 2014
• D. Florencio, C. Herley and P.C. van Oorschot, “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts”, Proc. Usenix Security, 2014
• S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, “Telepathwords: preventing weak passwords by reading users’ minds”, Proc. Usenix Security 2014
• S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, “Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection” Proc. CHI 2013
• J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes“, IEEE Symp. Security & Privacy 2012
• C. Herley and P.C. van Oorschot, “A Research Agenda Acknowledging the Persistence of Passwords,”IEEE Security and Privacy magazine, Jan. 2012
• S. Schechter, C. Herley and M. Mitzenmacher, “Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks,” Proc. HotSEC 2010
• D. Florencio and C. Herley, “Where Do Security Policies Come From?”, SOUPS 2010 [Best paper award at SOUPS]
• C. Herley, P.C. van Oorschot and A.S. Patrick, “Passwords: If We’re So Smart Why Are We Still Using Them?” Financial Crypto 2009
• D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff
• D. Florencio, C. Herley and B. Coskun,“Do Strong Web Passwords Accomplish Anything?,” Usenix HotSEC ’07, Boston

Economics of cybercrime

• M. Javed, C. Herley, M. Peinado, V. Paxson, Measurement and Analysis of Traffic Exchange Services, Proc. Internet Measurement Conf, 2015
• D. Florencio, C. Herley and A. Shostack, “FUD: a plea for intolerance,” Comm. ACM June 2014
• C. Herley, “Security, Cyber-crime and Scale,” Comm. ACM Sept. 2014
• C. Herley, “Small World: Collisions among attackers in a finite population”, WEIS 2013
• C. Herley, “When does Targeting Make Sense for an Attacker?” IEEE Security & Privacy magazine, March 2013
• C. Herley, “Why do Nigerian Scammers say they are from Nigeria?”, Proc. WEIS 2012
• D. Florencio and C. Herley, “Is Everything We Know About Password Stealing Wrong?” IEEE Security and Privacy magazine, Dec 2012
• D. Florencio and C. Herley, “Where Do All the Attacks Go?” WEIS 2011
• D. Florencio and C. Herley, “Sex, Lies and Cyber-crime Surveys,” WEIS 2011
• D. Florencio and C. Herley, Phishing and Money Mules, Proc WIFS, 2010
• C. Herley, “The Plight of the Targeted Attacker in a World of Scale,” WEIS 2010
• C. Herley and D. Florencio, “Economics and the Underground Economy,” Black Hat 2009
• C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
• C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA

Safety and security

• G. Wang, J. Stokes, C. Herley and D. Felstead, “Detecting Landing Pages in Malware Distribution Networks: A Comparisoon of Rule and Cklassifier-based Methods,” IEEE DSN 2013
• Z. Mao, D. Florencio and C. Herley, “Painless Migration to Two-factor Authentication,” Proc. WIFS 2011
• D. Florencio and C. Herley, “One-time Password Access to Any Server Without Changing the Server,”ISC 2008, Taipei
• B. Coskun and C. Herley, “Can Something-You-Know be Saved?” ISC 2008, Taipei
• C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
• D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime ’07 Pittsburgh
• D. Florencio and C. Herley,“KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006
• D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver
• C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06 [poster] [Note: please don’t rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
• D. Florencio and C. Herley,“Analysis and Improvement of Anti-Phishing Schemes,” Proc SEC 2006
• D. Florencio and C. Herley,“Stopping a Phishing Attack, Even when the Victims Ignore Warnings,”MSR-TR-2005-142

P2P and networking

• Z. Mao and C. Herley, “A Robust Link-Translating Proxy Mirroring the Whole Web”, Proc. ACM SAC 2010
• A. Bharambe, C. Herley and V. Padmanabhan,“ (opens in new tab)Analyzing and Improving a BitTorrent Network’s Performance Mechanisms,” (opens in new tab) Proc. InfoComm 2006 [Download the simulator (opens in new tab)]
• A. Bharambe, C. Herley and V. Padmanabhan, “ (opens in new tab)Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster]

Multimedia

• C. Herley, “ARGOS: Automatically extracting Repeating Objects from multimedia Streams”, IEEE Trans, Multimedia, Feb. 2006
• R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005
• C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
• C. Herley,”Why Watermarking is Nonsense”, Signal Processing Magazine, Sept. 2002

Image processing

• C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005
• C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004
• C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,”Proc. ICIP 2004
• C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal
• C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR
• C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
• C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001
• C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,”Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000