Reading List
Disclaimers:
- This list should be used only for choosing a paper to present (or a course project). We are not going to read and discuss all listed papers in class.
- You can download the local copies only from a UW host. You can also download a file with all the papers.
- The listed dates are tentative. They might have to be adjusted depending on people's interests or paper choices.
- There likely will be no lecture on March 10 and 12.
- Project presentations will be on March 31 and April 2.
 
Location Privacy (Jan 20 and 22)
- Anonysense: Privacy-Aware People-Centric Sensing. Cornelius, Kapadia, Kotz, Peebles, Shin, and Triandopoulos. MobiSys 2008. [local]
- Chattering Laptops. Aura, Lindqvist, Roe, and Mohammed. PETS 2008. [local]
- Improving Wireless Privacy with an Identifier-Free Link Layer Protocol. Greenstein, McCoy, Pang, Kohno, Seshan, and Wetherall. MobiSys 2008. [local]
- Privacy-Preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs. Ristenpart, Maganis, Krishnamurthy, and Kohno. USENIX Security 2008. [local]
- Privacy: Theory meets Practice on the Map. Machanavajjhala, Kifer, Abowd, Gehrke, and Vilhuber. ICDE 2008. [local]
- Private Queries in Location Based Services: Anonymizers are not Necessary. Ghinita, Kalnis, Khoshgozaran, Shahabi, and Tan. SIGMOD 2008. [local]
- Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring. Hoh, Gruteser, Herring, Ban, Work, Herrera, Bayen, Annavaram, and Jacobson. MobiSys 2008. [local]
 
Privacy (Jan 27 and 29)
Internet Security, Web 2.0, Cloud Computing (Feb 3 and 5)
- Detecting In-Flight Page Changes with Web Tripwires. Reis, Gribble, Kohno, and Weaver. NSDI 2008. [local]
- HAIL: A High-Availability and Integrity Layer for Cloud Storage. Bowers, Juels, and Oprea. Tech Report. [local]
- iTrustPage: A User-Assisted Anti-Phishing Tool. Ronda, Saroiu, and Wolman. EuroSys 2008. [local]
- Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. Wendlandt, Andersen, and Perrig. USENIX 2008. [local]
- Protection and Communication Abstractions for Web Browsers in MashupOS. Wang, Fan, Howell, and Jackson. SOSP 2007. [local]
 
Voting (Feb 10 and 12)
- Civitas: Toward a Secure Voting System. Clarkson, Chong, and Myers. Oakland 2008. [local]
- Helios: Web-based Open-Audit Voting. Ben Adida. USENIX Security 2008. [local]
- Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes. Chaum, Carback, Clark, Essex, Popoveniuc, Rivest, Ryan, Shen, and Sherman. EVT 2008. [local]
- Security Evaluation of ES&S Voting Machines and Election Management System. Aviv, Cerny, Clark, Cronin, Shah, Sherr, and Blaze. EVT 2008. [local]
- Split-Ballot Voting: Everlasting Privacy with Distributed Trust. Moran and Naor. CCS 2007. [local]
- VoteBox: a tamper-evident, verifiable electronic voting system. Sandler, Derr, and Wallach. USENIX Security 2008. [local]
 
RFID (Feb 24 and 26)
- Dismantling MIFARE Classic. Garcia, de Koning Gans, Muijrers, van Rossum, Verdult, Wichers Schreur, and Jacobs. ESORICS 2008. [local]
- EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond. Koscher, Juels, Kohno, and Brajkovic. Tech Report. [local]
- Reverse-Engineering a Cryptographic RFID Tag. Nohl, Evans, Starbug, and Plotz. USENIX Security 2008. [local]
- RFIDs and Secret Handshakes: Defending Against Ghost-and-Leech Attacks and Unauthorized Reads with Context-Aware Communications. Czeskis, Koscher, Smith, and Kohno. CCS 2008. [local]
- Unidirectional Key Distribution Across Time and Space with Applications to RFID Security. Juels, Pappu, and Parno. USENIX Security 2008. [local]
 
Attacks (Mar 3 and 5)
- BootJacker: Compromising Computers using Forced Restarts. Chan, Carlyle, David, Farivar, and Campbell. CCS 2008. [local]
- Cloaker: Hardware Supported Rootkit Concealment. David, Chan, Carlyle, and Campbell. Oakland 2008. [local]
- Lest We Remember: Cold Boot Attacks on Encryption Keys. Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. USENIX Security 2008. [local]
- Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. Halperin, Heydt-Benjamin, Ransford, Clark, Defend, Morgan, Fu, Kohno, and Maisel. Oakland 2008. [local]
- Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations. Wright, Ballard, Coull, Monrose, and Masson. Oakland 2008. [local]
- Thinking Inside the Box: System-Level Failures of Tamper Proofing. Drimer, Murdoch, and Anderson. Oakland 2008. [local]
 
Usability (Mar 17 and 19)
- Analyzing Websites for User-Visible Security Design Flaws. Falk, Prakash, and Borders. SOUPS 2008. [local]
- A User Study of Policy Creation in a Flexible Access-Control System. Bauer, Cranor, Reeder, Reiter, and Vaniea. CHI 2008. [local]
- Exploring User Reactions to New Browser Cues for Extended Validation Certificates. Sobey, Biddle, van Oorschot, and Patrick. ESORICS 2008. [local]
- Personal knowledge questions for fallback authentication: Security questions in the era of Facebook. Rabkin. SOUPS 2008. [local]
- Use Your Illusion: Secure Authentication Usable Anywhere. Hayashi, Dhamija, Christin, and Perrig. SOUPS 2008. [local]
- You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Egelman, Cranor, and Hong. CHI 2008. [local]
 
Trusted Computing (Mar 24)
- Flicker: An Execution Infrastructure for TCB Minimization. McCune, Parno, Perrig, Reiter, and Isozaki. EuroSys 2008. [local]
- Measuring Integrity on Mobile Phone Systems. Muthukumaran, Sawani, Schiffman, Jung, and Jaeger. SACMAT 2008. [local]
- Trustworthy and Personalized Computing on Public Kiosks. Garriss, Caceres, Berger, Sailer, van Doorn, and Zhang. MobiSys 2008. [local]
 
Economics, Incentives (Mar 26)
- An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Franklin, Paxson, Perrig, and Savage. CCS 2007. [local]
- Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Holz, Engelberth, and Freiling. Tech Report. [local]
- Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Grossklags, Christin, and Chuang. WWW 2008. [local]
- Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Kanich, Kreibich, Levchenko, Enright, Voelker, Paxson, and Savage. CCS 2008. [local]
- The Impact of Incentives on Notice and Take-down. Moore and Clayton. WEIS 2008. [local]