Paper Response Guidelines
Write a ~400-word critical response to each required paper.
- In the first paragraph:
  - State the problem that the paper tries to solve; and
  - Summarize the main contributions.
- In one or more additional paragraphs:
  - Evaluate the paper's strengths and weaknesses;
  - Discuss something you would have done differently if you had written the paper; and
  - Suggest one or more interesting open problems on related topics.
Your most important task is to demonstrate that you've read the paper and thought carefully about the topic.
Paper responses are due before the start of class via the online submission system. Before you upload your work, the system will ask you to assess earlier responses written by your peers. We'll combine peer feedback and our own evaluation when determining your grade.
This list is subject to change. Updates will be posted by the end of the day on the Friday before each lecture.
Unfortunately, some articles require paid subscriptions to journals and digital libraries. You can access these for free when connecting on campus. For off-campus access, try the U-M VPN or the MLibrary Proxy Server Bookmarklet.
Tuesday, January 3
No Class.
Thursday, January 5
Internet of Things / Cyber-Physical Systems (no bidding; instructors presenting)
Tuesday, January 10 — Attacks
- Security Analysis of Emerging Smart Home Applications. Fernandes, Jung, Prakash. Oakland 2016.
- Ukraine Power Grid Attack.
- Smart meter security: a survey. Anderson and Fuloria. JSAC 2011.
- Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit. Garcia, Brasser, Cintuglu, Sadeghi, Mohammed, and Zonouz. NDSS 2017.
Thursday, January 12 — Defenses
- FlowFence: Practical Data Protection for Emerging IoT Applications. Fernandes, Paupore, Rahmati, Simionato, Conti, and Prakash. USENIX Security 2016.
- Who’s in Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems. Formby, Srinivasan, Leonard, Rogers, and Beyah. NDSS 2016.
- Specification Mining for Intrusion Detection in Networked Control Systems. Caselli, Zambon, Amann, Sommer, and Kargl. USENIX Security 2016.
- HomeOS Project. Microsoft Research.
- Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers. Pernsteiner, Loncaric, Torlak, Tatlock, Wang, Ernst, and Jacky. CAV 2016.
- Robust, low-cost, auditable random number generation for embedded system security. Lampert, Wahby, Leonard, Levis. SenSys 2016.
How Crypto Fails / Real World Crypto
Tuesday, January 17
- MD5 To Be Considered Harmful Someday. Dan Kaminsky. 2004.
- Lessons Learned in Implementing and Deploying Crypto Software. Peter Gutmann. Usenix Security 2002.
- MD5 Considered Harmful Today. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, and Weger. CCC 2008.
- TLS and SSL. D. Koren, et al. Secure Networking Protocols Portal, 2009.
- TLS v1.2. Dierks and Rescorla. RFC 5246, 2008.
- Let's Encrypt. (the CA Alex is building).
- How to Break MD5 and Other Hash Functions. Wang and Yu. Eurocrypt 2005.
- Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. Stevens, Sotirov, Appelbaum, Lenstra, Molnar, Osvik, and Weger. Crypto 2009.
- Chosen-prefix collisions for MD5 and applications. Stevens, Lenstra, and de Weger. Int. J. Applied Cryptography, 2(4), 2012.
- Freestart collisions for SHA-1. October 2015.
- Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH. Bhargavan and Leurent. NDSS 2016.
Thursday, January 19
- The First Few Milliseconds of an HTTPS Connection. Jeff Moser. 2009.
- Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. Heninger, Durumeric, Wustrow, and Halderman. Usenix Security 2012.
- Why Cryptosystems Fail. Ross Anderson. Commun. ACM, 37(11), Nov. 1994.
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thomé, Valenta, VanderSloot, Wustrow, Zanella-Béguelin, and Zimmermann. CCS 2015.
- Why Information Security is Hard: An Economic Perspective. Ross Anderson. ACSAC 2001.
- ZMap: Fast Internet-Wide Scanning and its Security Applications. Durumeric, Wustrow, and Halderman. Usenix Security 2013.
- Censys: A Search Engine Backed by Internet-Wide Scanning. Durumeric, Adrian, Mirian, Bailey, and Halderman. CCS 2015.
- Analysis of the HTTPS Ecosystem. Durumeric, Kasten, Bailey, and Halderman. IMC 2013.
- Cryptanalysis of the Windows Random Number Generator. Dorrendorf, Gutterman, and Pinkas. CCS 2007.
- SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. Clark and van Oorschot. Oakland 2013.
Tuesday, January 24 — Basic Exploitation
- Smashing the Stack for Fun and Profit. Aleph One. Phrack 49(14), Nov. 1996.
- StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Cowan, Pu, Maier, Hinton, Walpole, Bakke, Beattie, Grier, Wagle, and Zhang. Usenix Security 1998.
- Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. Pincus and Baker. IEEE Security and Privacy, July–Aug. 2004.
- On the Effectiveness of ASLR. Shacham, Page, Pfaff, Goh, Modadugu, and Boneh. CCS 2004.
- English Shellcode. Mason, Small, Monrose, and MacManus. CCS 2009.
- AEG: Automatic Exploit Generation. Avgerinos, Cha, Hao, and Brumley. NDSS 2011.
Thursday, January 26 — Modern Attacks
- Eternal War in Memory. Szekeres, Payer, Wei, and Song. Oakland 2013.
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Hovav Shacham. CCS 2007.
- VUPEN Vulnerability Research Blog. (Details of advanced modern exploitation.)
- An Empirical Study of Vulnerability Rewards Programs. Finifter, Akhawe, and Wagner. Usenix Security 2013.
- Nozzle: A Defense Against Heap-spraying Code Injection Attacks. Ratanaworabhan, Livshits, and Zorn. Usenix Security 2009.
Tuesday, January 31 — Malware
- Reflections on Trusting Trust. Ken Thompson. Communications of the ACM, 27(8), Aug. 1984.
- Nazca: Detecting Malware Distribution in Large-Scale Networks. Invernizzi, Miskovic, Torres, Saha, Lee, Mellia, Kruegel, and Vigna. NDSS 2014.
- Towards Automatic Generation of Vulnerability-Based Signatures. Brumley, Newsome, Song, Wang, and Jha. Oakland 2006.
- Control Flow Integrity for COTS Binaries. Zhang and Sekar. Usenix Security 2013.
- Inside the Slammer Worm. Moore, Paxson, Savage, Shannon, Staniford, and Weaver. IEEE Security and Privacy, July/August 2003.
- The Morris Worm: A Fifteen-Year Perspective. Orman. IEEE Security and Privacy, Sept./Oct. 2003.
- Prudent Practices for Designing Malware Experiments: Status Quo and Outlook. Rossow, Dietrich, Grier, Kreibich, Paxson, Pohlmann, Bos, and van Steen. Oakland 2012.
Thursday, February 2 — Isolation
- Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Ristenpart, Tromer, Shacham, and Savage. CCS 2009.
- The Security Architecture of the Chromium Browser. Barth, Jackson, Reis, and The Google Chrome Team. 2008.
- Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar. Oakland 2009.
- Cross-VM Side Channels and Their Use to Extract Private Keys. Zhang, Juels, Reiter, and Ristenpart. CCS 2012.
- Capsicum: Practical Capabilities for UNIX. Watson, Anderson, Laurie, and Kennaway. Usenix Security 2010.
- Leveraging Legacy Code to Deploy Desktop Applications on the Web. Douceur, Elson, Howell, and Lorch. OSDI 2008.
- Safe Kernel Extensions Without Run-Time Checking. Necula and Lee. OSDI 1996.
- The Ten-Page Introduction to Trusted Computing. Martin. 2008.
Tuesday, February 7 — Web Attacks
- Robust Defenses for Cross-Site Request Forgery. Barth, Jackson, and Mitchell. CCS 2008.
- Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Louw and Venkatakrishnan. Oakland 2009.
- Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. Doupe, Cavedon, Kruegel, and Vigna. Usenix Security 2012.
- OWASP Cheat Sheet Series. Open Web Application Security Project.
- Toward Black-Box Detection of Logic Flaws in Web Applications. Pellegrino and Balzarotti. NDSS 2014.
Thursday, February 9 — Web Isolation
- Securing Browser Frame Communication. Barth, Jackson, and Mitchell. Usenix Security 2008.
- Reining in the Web with Content Security Policy. Stamm, Sterne, and Markham. WWW 2010.
- Protection and Communication Abstractions for Web Browsers in MashupOS. Wang, Fan, Howell, and Jackson. SOSP 2007.
- Beware of Finer-Grained Origins. Jackson and Barth. Web 2.0 Security and Privacy 2008.
- Protecting Browsers from DNS Rebinding Attacks. Jackson, Barth, Bortz, Shao, and Boneh. CCS 2007.
- Eradicating DNS Rebinding with the Extended Same-Origin Policy. Johns, Lekies, and Stock. Usenix Security 2013.
- Content Security Policy 1.0. Sterne and Barth. W3C Candidate Recommendation, 2012.
Tuesday, February 14 — Mobile Security
- OAuth Demystified for Mobile Application Developers. Chen, Pei, Chen, Tian, Kotcher, Tague. CCS 2014.
- Securing Embedded User Interfaces: Android and Beyond. Roesner and Kohno. Usenix Security 2013.
- Dissecting Android Malware: Characterization and Evolution. Zhou and Jiang. Oakland 2012.
- Smart-Phone Attacks and Defenses. Guo, Wang, and Zhu. HotNets 2004.
- User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. Roesner, Kohno, Moshchuk, Parno, Wang, and Cowan. Oakland 2012.
- Android Permissions Demystified. Felt, Chin, Hanna, Song, and Wagner. CCS 2011.
- Android Permissions: User Attention, Comprehension, and Behavior. Felt, Ha, Egelman, Haney, Chin, and Wagner. SOUPS 2012.
- You Can Run, but You Can’t Hide: Exposing Network Location for Targeted DoS Attacks in Cellular Networks. Qian, Wang, Xu, Mao, Zhang, and Wang. NDSS 2012.
Thursday, February 16 — Pre-proposal presentations. No written response required for today.
Tuesday, February 21 — Passwords
- Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. Melicher et al. USENIX Security 2016.
- Of Passwords and People: Measuring the Effect of Password-Composition Policies. Komanduri et al. CHI 2011.
- The End is Nigh: Generic Solving of Text-based CAPTCHAs. Bursztein, Aigrain, Moscicki, and Mitchell. WOOT 2014.
- The Tangled Web of Password Reuse. Das, Bonneau, Caesar, Borisov, and Wang. NDSS 2014.
- reCAPTCHA: Human-Based Character Recognition via Web Security Measures. von Ahn, Maurer, McMillen, Abraham, and Blum. Science, September 2008.
- How Good are Humans at Solving CAPTCHAs? Bursztein, Bethard, Fabry, Mitchell, and Jurafsky. Oakland 2010.
- Sketcha: A Captcha Based on Line Drawings of 3D Models. Ross, Halderman, and Finkelstein. WWW 2010.
- The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Joseph Bonneau. Oakland 2012.
- A Usability Study and Critique of Two Password Managers. Chiasson, van Oorschot, and Biddle. Usenix Security 2006.
- Designing Crypto Primitives Secure Against Rubber Hose Attacks. Bojinov, Sanchez, Reber, Boneh, and Lincoln. Usenix Security 2012.
- Honeywords: Making Password-Cracking Detectable. Juels and Rivest. CCS 2013.
Thursday, February 23 — Usable Security
- Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. Whitten and Tygar. Usenix Security 1999.
- Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. Akhawe and Felt. Usenix Security 2013.
- Why (Special Agent) Johnny (Still) Can't Encrypt. Clark, Goodspeed, Metzger, Wasserman, Xu, and Blaze. Usenix Security 2011.
- Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. Gaw, Felten, and Fernandez-Kelly. CHI 2006.
- So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Cormac Herley. NSPW 2009.
- In Search of Usable Security: Five Lessons from the Field. Balfanz, Durfee, Grinter, and Smetters. IEEE Security and Privacy, September/October 2004.
- Folk Models of Home Computer Security. Rick Wash. SOUPS 2010.
- Your Attention Please: Designing Security-Decision UIs. Bravo-Lillo, Cranor, Downs, Komanduri, Reeder, Schechter, and Sleeper. SOUPS 2013.
Tuesday, March 7 — Network Attacks
- The Matter of Heartbleed. Durumeric et al. IMC 2014.
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. Adrian et al. CCS 2015.
- A Look Back at “Security Problems in the TCP/IP Protocol Suite.” Steve Bellovin. ACSAC 2004.
- Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS 2014.
- Exit from Hell? Reducing the Impact of Amplification DDoS Attacks. Kührer, Hupperich, Rossow, and Holz. Usenix Security 2014.
- Blind TCP/IP Hijacking is Still Alive. lkm. Phrack 64, 2007.
- A Survey of BGP Security Issues and Solutions. Butler, Farley, McDaniel, and Rexford. 2008.
- Black Ops 2008: It’s the End of the Cache as We Know It. Dan Kaminsky. Toorcon 2008.
- Increased DNS Forgery Resistance Through 0x20-Bit Encoding. Dagon, Antonakakis, Vixie, Jinmei, and Lee. CCS 2008.
- Bro: A System for Detecting Network Intruders in Real-Time. Vern Paxson. Computer Networks 31(23-24), 1999.
- The Security Flag in the IPv4 Header. Steve Bellovin. RFC 3514.
Thursday, March 9 — Online Crime
- PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs. McCoy et al. USENIX Security 2012.
- Your Botnet is My Botnet: Analysis of a Botnet Takeover. Stone-Gross, Cova, Cavallaro, Gilbert, Szydlowski, Kemmerer, Kruegel, and Vigna. CCS 2009.
- Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Kanich, Kreibich, Levchenko, Enright, Voelker, Paxson, and Savage. CCS 2008.
- Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. Rossow, Andriesse, Werner, Stone-Gross, Plohmann, Dietrich, and Bos. Oakland 2013.
- A Multifaceted Approach to Understanding the Botnet Phenomenon. Rajab, Zarfoss, Monrose, and Terzis. ISC 2006.
- What’s Clicking What? Techniques and Innovations of Today’s Clickbots. Miller, Pearce, Grier, Kreibich, and Paxson. DIMVA 2011.
- Clickjacking: Attacks and Defenses. Huang, Moshchuk, Wang, Schechter, and Jackson. Usenix Security 2012.
- On the Mismanagement and Maliciousness of Networks. Zhang, Durumeric, Bailey, Liu, and Karir. NDSS 2014.
Security and Government Power
Tuesday, March 14 — Post-Snowden Era
- Grizzly Steppe. DHS, US-CERT, 2016.
- How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior. Redmiles et al. CCS, 2016.
- Global Surveillance Disclosures. Wikipedia.
- Decoding the Summer of Snowden. Julian Sanchez. Cato Policy Report, 2013.
- NSA's ANT Division Catalog of Exploits. Published by Der Spiegel, Dec. 2013.
- Liberty and Security in a Changing World. President's review group on intelligence and communications technologies. Dec. 2013.
- NSA Collecting Phone Records of Millions of Verizon Customers Daily. Glenn Greenwald. The Guardian, Jun. 2013.
- NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say. Gellman and Soltani. Washington Post, Oct. 2013.
- NSA Collects Millions of Text Messages Daily in ‘Untargeted’ Global Sweep. James Ball. The Guardian, Jan. 2014.
- Designing and Implementing Malicious Hardware. King, Tucek, Cozzie, Grier, Jiang, and Zhou. LEET 2008.
- Stealthy Dopant-Level Hardware Trojans. Becker, Regazzoni, Paar, and Burleson. CHES 2013.
- On the Practical Exploitability of Dual EC in TLS Implementations. Checkoway, Fredrikson, Niederhagen, Everspaugh, Green, Lange, Ristenpart, Bernstein, Maskiewicz, and Shacham. Usenix Security 2015.
Thursday, March 16 — Cyberwar/Crypto War
- W32.Stuxnet Dossier. Falliere, Murchu, and Chien. Symantec technical report, 2011.
- Keys Under Doormats. Abelson, Anderson, Bellovin, Benaloh, Blaze, Diffie, Gilmore, Green, Landau, Neumann, Rivest, Schiller, Schneier, Specter, and Weitzner. July 2015.
- APT1 Report. Mandiant technical report, 2013.
- Cyberwar and Peace. Thomas Rid. Foreign Affairs, Nov./Dec. 2013.
- To Kill a Centrifuge. Ralph Langner. Nov. 2013.
- Order Compelling Apple, Inc. to Assist Agents in Search. Feb. 2016.
- Apple Inc.'s Motion to Vacate Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to Government's Motion to Compel Assistance. Feb. 2016.
- Statement Before the Senate Select Committee on Intelligence. James Comey. July 2015.
- Going Bright: Wiretapping without Weakening Communications Infrastructure. Bellovin, Blaze, Clark, and Landau. IEEE Security & Privacy 11:1, Jan/Feb 2013.
- The Export of Cryptography in the 20th Century and the 21st. Diffie and Landau. In the Handbook of the History of Information Security, Elsevier, 2005.
- Bernstein v. United States. 1995–2002.
- Lavabit Legal Proceedings. 2013.
Critical Systems / Hardware
Tuesday, March 21 — Automotive Security
- Experimental Security Analysis of a Modern Automobile. Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, and Savage. Oakland 2010.
- Comprehensive Experimental Analyses of Automotive Attack Surfaces. Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, and Kohno. Usenix Security 2011.
- Adventures in Automotive Networks and Control Units. Miller and Valasek. Countermeasure 2013.
- Remote Exploitation of an Unaltered Passenger Vehicle. Miller and Valasek. DEF CON 23, Aug. 2015.
- Security and Privacy for Implantable Medical Devices. Halperin, Heydt-Benjamin, Fu, Kohno, and Maisel. IEEE Pervasive Computing 7(1), 2008.
- Illuminating the Security Issues Surrounding Lights-Out Server Management. Bonkoski, Bielawski, and Halderman. WOOT 2013.
Thursday, March 23 — Hardware Security
- A2: Analog Malicious Hardware. Yang et al. Oakland 2016.
- Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. Halperin, Heydt-Benjamin, Ransford, Clark, Defend, Morgan, Fu, Kohno, and Maisel. Oakland 2008.
- Rowhammer. Google.
- Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. van der Veen et al. CCS 2016.
- Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. Kim et al. ISCA 2014.
Privacy and Confidentiality
Tuesday, March 28 — Deletion and Leakage
- Lest We Remember: Cold Boot Attacks on Encryption Keys. Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. Usenix Security 2008.
- Secure Data Deletion. Reardon, Basin, and Capkun. Oakland 2013.
- History Independence for File Systems. Bajaj and Sion. CCS 2013.
- BootJacker: Compromising Computers Using Forced Restarts. Chan, Carlyle, David, Farivar, and Campbell. CCS 2008.
- Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. Chow, Pfaff, Garfinkel, and Rosenblum. Usenix Security 2005.
- Increasing Data Privacy with Self-Destructing Data. Geambasu, Kohno, Levy, and Levy. Usenix Security 2009.
- Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. Wolchok, Hofmann, Heninger, Felten, Halderman, Rossbach, Waters, and Witchel. NDSS 2010.
- Reconstructing RSA Private Keys from Random Key Bits. Heninger and Shacham. Crypto 2009.
- Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. Zhang and Wang. Usenix Security 2009.
- Electromagnetic Eavesdropping Risks of Flat-Panel Displays. Markus Kuhn. PETS 2004.
Thursday, March 30 — Privacy in the Cloud
- Mylar. Popa et al. NSDI 2014.
- BlindBox: Deep Packet Inspection over Encrypted Traffic. Sherry et al. SIGCOMM 2015.
- “You Might Also Like:” Privacy Risks of Collaborative Filtering. Calandrino, Kilzer, Narayanan, Felten, and Shmatikov. Oakland 2011.
- Selling Off Privacy at Auction. Olejnik, Tran, and Castelluccia. NDSS 2014.
- Third-Party Web Tracking: Policy and Technology. Mayer and Mitchell. Oakland 2012.
- Remote Physical Device Fingerprinting. Kohno, Broido, and Claffy. Oakland 2005.
- Adnostic: Privacy Preserving Targeted Advertising. Toubiana, Narayanan, Boneh, Nissenbaum, and Barocas. NDSS 2010.
- Securing Web Applications by Blindfolding the Server. Popa, Stark, Valdez, Helfer, Zeldovich, Kaashoek, and Balakrishnan. NSDI 2014.
- An Analysis of Private Browsing Modes in Modern Browsers. Aggarwal, Bursztein, Jackson, and Boneh. Usenix Security 2010.
Tuesday, April 4 — Anonymity
- Tor: The Second-Generation Onion Router. Dingledine, Mathewson, and Syverson. Usenix Security 2004.
- SoK: Secure Messaging. Unger, Dechand, Bonneau, Fahl, Perl, Goldberg, and Smith. Oakland 2015.
- Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. Johnson, Wacek, Jansen, Sherr, and Syverson. CCS 2013.
- Off-the-Record Communication, or, Why Not to Use PGP. Borisov, Goldberg, and Brewer. WPES 2004.
- How Secure is TextSecure? Frosch, Mainka, Bader, Bergsma, Schwenk, and Holz. EuroS&P 2016.
- Shining Light in Dark Places: Understanding the Tor Network. McCoy, Bauer, Grunwald, Kohno, and Sicker. PETS 2008.
- Trawling for Tor Hidden Services. Biryukov, Pustogarov, and Weinmann. Oakland 2013.
- Criminal Complaint, U.S. v. Ulbricht. Oct. 2013.
- How the NSA Attacks Tor Users with QUANTUM and FOXACID. Bruce Schneier. Oct. 2013.
- Judge Confirms What Many Suspected: Feds Hired CMU to Break Tor. Cyrus Farivar. Ars Technica, Feb. 2016.
Thursday, April 6 — Censorship Resistance
- Examining How the Great Firewall Discovers Hidden Circumvention Servers. Ensafi, Fifield, Winter, Feamster, Weaver, and Paxson. IMC 2015.
- TapDance: End-to-Middle Anticensorship without Flow Blocking. Wustrow, et al. Usenix Security 2014.
- Telex: Anticensorship in the Network Infrastructure. Wustrow, Wolchok, Goldberg, and Halderman. Usenix Security 2011.
- Blocking-resistant Communication Through Domain Fronting. Fifield, Lan, Hynes, Wegmann, and Paxson. PETS 2015.
- Scramblesuit: A Polymorphic Network Protocol to Circumvent Censorship. Winter, Pulls, and Fuss. WPES 2013.
- Protocol Misidentification Made Easy with Format-Transforming Encryption. Dyer, Coull, Ristenpart, and Shrimpton. CCS 2013.
- Internet Censorship in China: Where Does the Filtering Occur? Xu, Mao, and Halderman. PAM 2011.
- Internet Censorship in Iran: A First Look. Aryan, Aryan, and Halderman. FOCI 2013.
- Analysis of the Green Dam Censorware System. Wolchok, Yao, and Halderman. Tech Report, 2009.
- No Direction Home: The True Cost of Routing Around Decoys. Houmansadr, Wong, and Shmatikov. NDSS 2014.