Three Recent papers:

• "Why do Nigerian Scammers say they are from Nigeria?" 
• "Is Everything We Know About Password Stealing Wrong?"
•  "Sex, Lies and Cyber-crime Surveys"

Publications:

Users, Security Advice and Avoiding Harm:

• S Egelman, D Molnar, N Christin, A Acquisti, C Herley, S. Krishnamurthi, "Please Continue to Hold: An empirical study on user tolerance of security delays," WEIS 2010

• C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," NSPW 2009, Oxford

Passwords:

• S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" Proc. CHI 2013
• J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes", IEEE Symp. Security & Privacy 2012.
• C. Herley and P.C. van Oorschot, "A Research Agenda Acknowledging the Persistence of Passwords," IEEE Security and Privacy magazine, Jan. 2012.
• S. Schechter, C. Herley and M. Mitzenmacher, "Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks," Proc. HotSEC 2010
• D. Florencio and C. Herley, "Where Do Security Policies Come From?", SOUPS 2010 [Best paper award at  SOUPS]
• C. Herley, P.C. van Oorschot and A.S. Patrick, "Passwords: If We're So Smart Why Are We Still Using Them?" Financial Crypto 2009
• D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.
• D. Florencio, C. Herley and B. Coskun,“Do Strong Web Passwords Accomplish Anything?," Usenix HotSEC '07, Boston.

Economics of Cybercrime: 

• C. Herley, "Security, Cyber-crime and Scale"
• C. Herley, "Small World: Collisions among attackers in a finite population"
• C. Herley, "When does Targeting Make Sense for an Attacker?" IEEE Security & Privacy magazine, March 2013.
• C. Herley,  "Why do Nigerian Scammers say they are from Nigeria?", Proc. WEIS 2012
• D. Florencio and C. Herley, "Is Everything We Know About Password Stealing Wrong?" IEEE Security and Privacy magazine, Dec 2012.
• D. Florencio and C. Herley, "Where Do All the Attacks Go?" WEIS 2011
• D. Florencio and C. Herley, "Sex, Lies and Cyber-crime Surveys," [slides] WEIS 2011
• D. Florencio and C. Herley, Phishing and Money Mules, Proc WIFS, 2010
• C. Herley, "The Plight of the Targeted Attacker in a World of Scale," WEIS 2010

• C. Herley and D. Florencio, "Economics and the Underground Economy," Black Hat 2009

• C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
• C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA

Safety and Security:

• G. Wang, J. Stokes, C. Herley and D. Felstead, "Detecting Landing Pages in Malware Distribution Networks: A Comparisoon of Rule and Cklassifier-based Methods," IEEE DSN 2013
• Z. Mao, D. Florencio and C. Herley, "Painless Migration to Two-factor Authentication," Proc. WIFS 2011.
• D. Florencio and C. Herley, “One-time Password Access to Any Server Without Changing the Server," ISC 2008, Taipei
• B. Coskun and C. Herley, "Can Something-You-Know be Saved?" ISC 2008, Taipei
• C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
• D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime '07 Pittsburgh.
• D. Florencio and C. Herley,“KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.
• D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver.
• C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06 [poster] [Note: please don't rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
• D. Florencio and C. Herley,“Analysis and Improvement of Anti-Phishing Schemes,” Proc SEC 2006.
• D. Florencio and C. Herley,“Stopping a Phishing Attack, Even when the Victims Ignore Warnings,” MSR-TR-2005-142.

P2P and Networking:

• Z. Mao and C. Herley, "A Robust Link-Translating Proxy Mirroring the Whole Web", Proc. ACM SAC 2010
• A. Bharambe, C. Herley and V. Padmanabhan,“Analyzing and Improving a BitTorrent Network's Performance Mechanisms,” Proc. InfoComm 2006. [Download the simulator]
• A. Bharambe, C. Herley and V. Padmanabhan, “Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster].

Multimedia:

• C. Herley, “ARGOS: Automatically extracting Repeating Objects from multimedia Streams”, IEEE Trans, Multimedia, Feb. 2006.
• R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005.
• C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
• C. Herley,”Why Watermarking is Nonsense”, Signal Processing Magazine, Sept. 2002.

Image Processing:

• C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005.
• C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004.
• C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,” Proc. ICIP 2004.
• C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal.
• C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR.
• C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
• C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001.
• C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,” Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000

Press Coverage and Other Stuff 

• Why do Nigerian Scammers Say They are from Nigeria: The Economist, Slate, Bloomberg TV, Wall St Journal, Forbes, NPR [On The Media], The Telegraph, Computerworld Australia,  and Slashdot.
• Some reactions to an NY Times Oped I wrote: theAtlantic, Ars Technica, slashdot, Infoworld, threatpost, P=NP Blog
• Everything we Know about Password-stealing is Wrong: threatpost, theregister, slashdot, Freakonomics blog
• Video of me giving the keynote at WOOT 2012
• Persistence of Passwords: Wired, theRegister, slashdot, Network World, Wall St Journal
• A profile of me done by MSR.
• Why isn't Everyone hacked every day?  TechRepublic
• Cyber-crime surveys: ProPublica, The Economist, theRegister, slashdot, BBC, RiskyBiz, Schneier, threatpost, Technology Review, Sydney Morning Herald, CSO, TheAge, StraightStatistics
• Where Do Security Policies Come From? NY Times, slashdot, theAtlantic, Schneier.
• Password Popularity: Technology Review, slashdot, techrepublic
• Economics of targeted attacks: threatpost
• Interview with Erik Meijer on MSDN Channel 9.
• Users and Security Advice: NPR, Boston Globe, CBS News, slashdot, slashdot [again], darkreading, techrepublic, internet evolution, SC magazine,  NewSchoolScurity, SecurityNow!
• Interview with Dennis Fisher on threatpost.
• Video of me speaking at CMU
• Underground Economy and IRC channels: DarkReading, ZDnet
• Economics of Phishing: slashdot, theRegister, ZDnet, NY Times
• Password strength: Newsweek, slashdot, techrepublic, Technology Review, Infoworld
• Keylogging advice: Digg coverage, Washington Post 
• Large scale password study:Folha, Infoworld 
• US Treasury Secretary Paul O’Neill pretty happy with my work on anti-counterfeiting. 

People worth following:

• NewSchoolSecurity: provocative thinking from some of the smartest people in the field

Favorite things to do around Seattle:

• Fringe theater: Theater Schmeater, Balagan, 14/48 (the white-knuckle ride of Seattle theater)
• Some pix of the Pacific Northwest: