I work on Chrome's security team, working to make the web safe for everyone, not just the experts.
Reach out to me at web@bogus DOTjoedeblasio.com.
My interests are widespread across security and privacy, but I'm particularly interested in the WebPKI and practical security and privacy improvements. My graduate work focused on security/privacy measurement with a special focus on fraud and abuse.
I was ably advised by Alex Snoeren, and wouldn't have made it without the advice and support of Geoff Voelker and Stefan Savage. I was a proud member of the Center for Evidence-based Security Research (CESR).
My PhD and MS are from UC San Diego. My BSc. is from the wonderful Harvey Mudd College.
While phishing detection, risk analysis, and two-factor authentication help stem large-scale hijackings, targeted attacks remain a potent threat not fully addressed by current account protections. "Hack for hire" services make targeted attacks against anyone available for a few hundred dollars. Posing as buyers, we hired several of these services to attack synthetic (though realistic) identities we controlled. We categorize their methods and the state of the market in general.
Though users increasingly rely on commercial VPN services to preserve online privacy, circumvent censorship, and access geo-filtered content, they lack a strong method for evaluating the privacy and security claims made by VPN providers. We designed an active measurement system to test many of security and privacy properties, analyzed 62 commercial providers and find deceptive practices in at least 10\% of the providers studied.
* Co-authors Khan and DeBlasio contributed equally to the work.
Tripwire is a method for detecting website compromises as an unprivileged third-party using externally-visible side effects. Our proof-of-concept implementation exposed previously-unknown compromises impacting more than 100 million users.
This work explored search advertiser fraud on Microsoft's Bing search engine, characterizing the scale of fraud, the targeting and bidding behavior of fraudsters, and how those fraudsters impact legitimate advertisers in the ecosystem.
I co-designed and taught CSE 80, covering essential Linux/UNIX command line skills for all computer scientists and software engineers. The course is highly interactive, taking place entirely at a traditional Bash command prompt.
You know what else is cool? Chez Bob is cool.