I am the privacy researcher at Brave Software, where I work on new ways to improve privacy and security on the web, and to measure the risk of new threats to Brave browser users.
Research Interests
I research web security and privacy, including browser hardening techniques and measuring how the growth of the Web API has impacted user privacy and security. I use this research to build access control systems for browser functionally and tools for deploying web applications that provide stronger privacy and security guarantees for users.
Publications
- AdGraph: A Machine Learning Approach to Automatic and Effective Adblocking
- Most Websites Don’t Need to Vibrate: A Cost–Benefit Approach to Improving Browser Security CCS 2017
- Fifteen Minutes of Unwanted Fame: Detecting and Characterizing Doxing IMC 2017
- CDF: Predictably Secure Web Documents ConPro 2017
- Browser Feature Usage on the Modern Web IMC 2016
- Characterizing Fraud and Its Ramifications in Affiliate Marketing Networks Journal of Cybersecurity 2016
- The Effect of Repeated Login Prompts on Phishing Susceptibility LASER 2016
- No Please, After You: Detecting Fraud in Affiliate Marketing Networks WEIS 2015
- "I Saw Images I Didn't Even Know I Had": Understanding User Perceptions of Cloud Storage Privacy CHI 2015
- Cloudsweeper and Data-Centric Security ACM SIGCAS Computers and Society 2014
- Cloudsweeper: Enabling Data-Centric Document Management for Secure Cloud Archives CCSW 2013
Other Significant Writing
- Improving Web Privacy And Security with a Cost-Benefit Analysis of the Web API My thesis, presenting a thorough measurement of WebAPI use, and ways those findings can be used to better protect the privacy and security of web users. Written for the completion of my PhD 2018
- Yao's Garbled Circuits: Recent Directions and Implementations Literature review of performance and security developments in using Yao's Protocol for secure function evaluation. Written for my degree's "Written Critique and Presentation" requirement 2014
Teaching
Talks, Posters and Presentations
- Browser Feature Usage on the Modern Web invited talk UIC SIG Security 2017
- Carnival of Privacy and Security Delights conference presentation AoIR 2016
- Doxing and the Dark Web: Detecting, Measuring and Addressing Malicious Information Disclosures Online invited talk Homewood-Flossmoor Science Pub 2016
- No Please, After You: Detecting Fraud in Affiliate Marketing Networks invited talk Department of Information Engineering at the CUHK, hosted by Prof. Zhang Kehuan 張克環教授 2015
- No Please, After You: Detecting Fraud in Affiliate Marketing Networks invited talk DePaul University's Security Daemon's group 2015
- One Thing Leads to Another: Credential Based Privilege Escalation poster CODASPY 2015
- Serving Two Masters: An Empirical Study of Browser API Cooptation Student Knowledge Exchange at Notre Dame 2015
- Cloudsweeper: Enabling Data-Centric Document Management for Secure Cloud Archives poster GCASR 2014
- Surveillance Defense: Small Easy Steps for Security and Privacy invited talk The Media Consortium 2014
Other Positions and Accomplishments
- Our paper on Web API security and privacy was a finalist in the CSAW’17 Applied Research Competition.
- I am a fellow in UIC's Electronic Security and Privacy IGERT.
- I organize a crypto reading group at UIC.
- I placed first as the Symantec Cyber Challenge Competition, held at UIC and hosted by the ESP-GERT program.
- I twice served as the president for the UIC computer science graduate student association.
- I advise TIMBY, a community investigating website and project, on web and application security issues.
Significant Programs and Code
- Fingerprinting Protection Improvements in Brave Browser Improved the technique used to block fingerprinting related Web API methods to reduce the impact on non-fingerprinting related code, and expanded the set of blocked Web API methods to cover five more, previously allowed, methods used for fingerprinting users.
- Web API Manager Browser Extension WebExtension, cross-browser extension that allows users to improve their privacy and security online by controlling what browser functionality web hosts have access to. Web API functionality access controls can be defined in general, or on a per host level, and can allow, for example, only trusted hosts to have access to privacy-risky browser functionality like high resolution timers, WebGL and WebRTC.
- Cloudsweeper Webservice tool to measure and mitigate the frequency of plaintext password sharing in Gmail archives. The public tool allows users to redact or encrypt-in-place found passwords. The site has had over 2,500 users and has secured over 38,000 messages
- CDF: Abstractions for Security Guarantees in Interactive Web Applications Built client and server-side tools for implementing CDF, a document format for building dynamic, interactive web applications that provide increased security and privacy guarantees for users of commodity web browsers.
- Machine Learning for Automatic 8bit Song Generation Library to write original NES chip-style soundtracks using a corpus of 39 classic NES games and machine learning.
- Objective-C Dijkstra implementation Library to perform Dijkstra in Objective-C (for iOS and OSX).
- FormBug A Firefox extension to make dealing and developing form based applications easier. I just maintain it now, but wrote it back when I was doing web development work.
Non-CS Bits
- I am half of the Chicago chiptune band 🍒🍒💣.
- I sing and play guitar in a Chicago power-pop band called The Pleasure Centers.
- I volunteer tutoring Chicago high school students as part of the East Village Youth Program.
- Sometimes I record chiptune music solo.
- A while back I played in a LOST-themed band called Sonic Weapon Fence.
- I'm a member of the Chicago LGBT Running group Front Runners.