I am a Principal Researcher in the Machine Learning Department at Microsoft Research. I am interested in data and signal analysis problems that reduce complexity and remove pain points for users. My current interests include economics, authentication, safety and data-driven security. There are links to some papers and projects below.
Here's a short profile of me done by MSR. Some media coverage of my work: All Things Considered (NPR), the Boston Globe, the NY Times, Wired, theAtlantic, Bloomberg TV, The Economist, the Wall St Journal.
My email is my firstname at microsoft dot com.
- "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts"
- "FUD: a plea for intolerance"
- "More is Not the Answer"
- "Is Everything We Know About Password Stealing Wrong?"
Users, Security Advice and Avoiding Harm:
- C. Herley, "More is Not the Answer", IEEE Security & Privacy magazine, 2014
- S Egelman, D Molnar, N Christin, A Acquisti, C Herley, S. Krishnamurthi, "Please Continue to Hold: An empirical study on user tolerance of security delays," WEIS 2010
C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," NSPW 2009, Oxford
- D. Florencio, C. Herley and P.C. van Oorschot, "An Administrator's Guide to Internet Password Research", Proc. Usenix LISA, 2014
- D. Florencio, C. Herley and P.C. van Oorschot, "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts", Proc. Usenix Security, 2014
S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, "Telepathwords: preventing weak passwords by reading users' minds", Proc. Usenix Security 2014.
- S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" Proc. CHI 2013
- J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes", IEEE Symp. Security & Privacy 2012.
- C. Herley and P.C. van Oorschot, "A Research Agenda Acknowledging the Persistence of Passwords," IEEE Security and Privacy magazine, Jan. 2012.
- S. Schechter, C. Herley and M. Mitzenmacher, "Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks," Proc. HotSEC 2010
- D. Florencio and C. Herley, "Where Do Security Policies Come From?", SOUPS 2010 [Best paper award at SOUPS]
- C. Herley, P.C. van Oorschot and A.S. Patrick, "Passwords: If We're So Smart Why Are We Still Using Them?" Financial Crypto 2009
- D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.
- D. Florencio, C. Herley and B. Coskun,“Do Strong Web Passwords Accomplish Anything?," Usenix HotSEC '07, Boston.
Economics of Cybercrime:
- D. Florencio, C. Herley and A. Shostack, "FUD: a plea for intolerance," Comm. ACM June 2014.
- C. Herley, "Security, Cyber-crime and Scale," Comm. ACM Sept. 2014.
- C. Herley, "Small World: Collisions among attackers in a finite population", WEIS 2013
- C. Herley, "When does Targeting Make Sense for an Attacker?" IEEE Security & Privacy magazine, March 2013.
- C. Herley, "Why do Nigerian Scammers say they are from Nigeria?", Proc. WEIS 2012
- D. Florencio and C. Herley, "Is Everything We Know About Password Stealing Wrong?" IEEE Security and Privacy magazine, Dec 2012.
- D. Florencio and C. Herley, "Where Do All the Attacks Go?" WEIS 2011
- D. Florencio and C. Herley, "Sex, Lies and Cyber-crime Surveys," [slides] WEIS 2011
- D. Florencio and C. Herley, Phishing and Money Mules, Proc WIFS, 2010
- C. Herley, "The Plight of the Targeted Attacker in a World of Scale," WEIS 2010
C. Herley and D. Florencio, "Economics and the Underground Economy," Black Hat 2009
- C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
- C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA
Safety and Security:
- G. Wang, J. Stokes, C. Herley and D. Felstead, "Detecting Landing Pages in Malware Distribution Networks: A Comparisoon of Rule and Cklassifier-based Methods," IEEE DSN 2013
- Z. Mao, D. Florencio and C. Herley, "Painless Migration to Two-factor Authentication," Proc. WIFS 2011.
- D. Florencio and C. Herley, “One-time Password Access to Any Server Without Changing the Server," ISC 2008, Taipei
- B. Coskun and C. Herley, "Can Something-You-Know be Saved?" ISC 2008, Taipei
- C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
- D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime '07 Pittsburgh.
- D. Florencio and C. Herley,“KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.
- D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver.
- C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06 [poster] [Note: please don't rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
- D. Florencio and C. Herley,“Analysis and Improvement of Anti-Phishing Schemes,” Proc SEC 2006.
- D. Florencio and C. Herley,“Stopping a Phishing Attack, Even when the Victims Ignore Warnings,” MSR-TR-2005-142.
P2P and Networking:
- Z. Mao and C. Herley, "A Robust Link-Translating Proxy Mirroring the Whole Web", Proc. ACM SAC 2010
- A. Bharambe, C. Herley and V. Padmanabhan,“Analyzing and Improving a BitTorrent Network's Performance Mechanisms,” Proc. InfoComm 2006. [Download the simulator]
- A. Bharambe, C. Herley and V. Padmanabhan, “Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster].
- C. Herley, “ARGOS: Automatically extracting Repeating Objects from multimedia Streams”, IEEE Trans, Multimedia, Feb. 2006.
- R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005.
- C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
- C. Herley,”Why Watermarking is Nonsense”, Signal Processing Magazine, Sept. 2002.
- C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005.
- C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004.
- C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,” Proc. ICIP 2004.
- C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal.
- C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR.
- C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
- C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001.
- C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,” Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000
Press Coverage and Other Stuff
- Password meters: Ars Technica, Threatpost, slashdot
- Why do Nigerian Scammers Say They are from Nigeria: The Economist, Slate, Bloomberg TV, Wall St Journal, Forbes, NPR [On The Media], The New Yorker, The Telegraph, Computerworld Australia, NY Times, BBC and Slashdot.
- Some reactions to an NY Times Oped I wrote: theAtlantic, Ars Technica, slashdot, Infoworld, threatpost, P=NP Blog
- Everything we Know about Password-stealing is Wrong: threatpost, theregister, slashdot, Freakonomics blog
- Video of me giving the keynote at WOOT 2012
- Persistence of Passwords: Wired, theRegister, slashdot, Network World, Wall St Journal
- A profile of me done by MSR.
- Why isn't Everyone hacked every day? TechRepublic
- Cyber-crime surveys: ProPublica, The Economist, theRegister, slashdot, BBC, RiskyBiz, Schneier, threatpost, Technology Review, Sydney Morning Herald, CSO, TheAge, StraightStatistics
- Where Do Security Policies Come From? NY Times, slashdot, theAtlantic, Schneier.
- Password Popularity: Technology Review, slashdot, techrepublic
- Economics of targeted attacks: threatpost
- Interview with Erik Meijer on MSDN Channel 9.
- Users and Security Advice: NPR, Boston Globe, CBS News, slashdot, slashdot [again], darkreading, techrepublic, internet evolution, SC magazine, NewSchoolScurity, SecurityNow!
- Interview with Dennis Fisher on threatpost.
- Video of me speaking at CMU
- Underground Economy and IRC channels: DarkReading, ZDnet
- Economics of Phishing: slashdot, theRegister, ZDnet, NY Times
- Password strength: Newsweek, slashdot, techrepublic, Technology Review, Infoworld
- Keylogging advice: Digg coverage, Washington Post
- Large scale password study:Folha, Infoworld
- US Treasury Secretary Paul O’Neill pretty happy with my work on anti-counterfeiting.
People worth following:
- NewSchoolSecurity: provocative thinking from some of the smartest people in the field