Exploring User Perceptions of Discrimination in Online Targeted Advertising | Plane, Redmiles, Mazurek

Angelisa C. Plane, Elissa M. Redmiles, Michelle L. Mazurek, University of Maryland; Michael Carl Tschantz, International Computer Science Institute; Exploring User Perceptions of Discrimination in Online Targeted Advertising; In Proceedings of the USENIX Security Symposium; 2017-08-16; some pages; landing.

tl;dr → Consumers hate targeted advertising in concept and in practice. N-2086.

Did someone not know this?  … conclude that this is but awareness raising.

A Privacy Analysis of Cross-device Tracking | Zimmeck, Li, Kim, Bellovin, Jebara

Sebastian Zimmeck, Carnegie Mellon University; Jie S. Li and Hyungtae Kim, unaffiliated; Steven M. Bellovin, Tony Jebara, Columbia University; A Privacy Analysis of Cross-device Tracking; In Proceedings of the USENIX Security Symposium; 2017-08-16; some pages; landing.


Online tracking is evolving from browser- and device-tracking to people-tracking. As users are increasingly accessing the Internet from multiple devices this new paradigm of tracking—in most cases for purposes of advertising—is aimed at crossing the boundary between a user’s individual devices and browsers. It establishes a person-centric view of a user across devices and seeks to combine the input from various data sources into an individual and comprehensive user profile. By its very nature such cross-device tracking can principally reveal a complete picture of a person and, thus, become more privacy-invasive than the siloed tracking via HTTP cookies or other traditional and more limited tracking mechanisms. In this study we are exploring cross-device tracking techniques as well as their privacy implications.

Particularly, we demonstrate a method to detect the occurrence of cross-device tracking, and, based on a cross-device tracking dataset that we collected from 126 Internet users, we explore the prevalence of cross-device trackers on mobile and desktop devices. We show that the similarity of IP addresses and Internet history for a user’s devices gives rise to a matching rate of F-1 = 0.91 for connecting a mobile to a desktop device in our dataset. This finding is especially noteworthy in light of the increase in learning power that cross-device companies may achieve by leveraging user data from more than one device. Given these privacy implications of cross-device tracking we also examine compliance with applicable self-regulation for 40 cross-device companies and find that some are not transparent about their practices.


University of Washington DNA Sequencing Security Study | University of Washington

Frequently-Asked Questions (FAQ)
Computer Security and Privacy in DNA Sequencing
Paul G. Allen School of Computer Science & Engineering, University of Washington

tl;dr → it’s a bug report on fqzcomp, fzcomp-4.6, wrapped in some lab work, wrapped in scare piece wrapped in an academic paper. It mentions DNA, people are made of DNA, YOU are made of DNA.

  • In the future, everyone will be famous for fifteen minutes.
    • They did it for the lulz, and the whuffie.
    • They did it for the FUD.
  • They are frontrunning the presntation of the paper at the conference site in Vancouver, CA
  • But there is nothing to worry about.
    • Really.
    • No, Really.
    • And they’ve already contacted the project sponsors with their work product.

Today’s theoretical demonstrations are tomorrow’s practice.

Original Sources

Ney, Koscher, Organick, Creze, Kohno; Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More; In  Proceedings of the USENIX Security Symposium; 2017-08-16; 15 pages.


  • They created DNA with particular patterns.
  • They used buffer overflows in C & C++ programs.
  • FASTQ, a data format.
  • /dev/tcp accessed via bash


  • <quote>Although used broadly by biology researchers, many of these programs are written by small research groups and thus have likely not been subjected to serious adversarial pressure. </quote>
  • <quote><snip/> copied fqzcomp from SourceForge and inserted a vulnerability into version 4.6 of its source code; a function that processes and compresses DNA reads individually, using a fixed-size buffer to store the compressed data.<quote>
  • <quote>Our second exploit attempt uses an obscure feature of bash, which exposes virtual /dev/tcp devices that create TCP/IP connections. We use this feature to redirect stdin and stdout of /bin/sh to a TCP/IP socket, which connects back to our server.<quote>


The “research” coders do not validate their inputs; they use whatever computer tools are handy for their purpose. Their purpose is to publish papers in their field of study. Their code works just well enough; it is MVP for an MPU. Those “researchers” who do validate their inputs, who do test their code, who do read CVE notices, who do remediate latent vulnerabilities aren’t researchers at all. They are drone coders in an on-time-under-budget, time & materials IT shop. “We” need such people and such skill is a valued trade craft by which to make an honorable living.  But such activity is Not New. It is not The Research.

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS | Vanhoef, Piessens

Mathy Vanhoef, Frank Piessens; All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS; In Proceedings of the 24th USENIX Security Symposium; 2015-08-12; 16 pages; landing.


We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood.

To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9*227 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin’s ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.


Archaeological order…

XRay is Exposing What Exactly You Wrote That Made Gmail Show You Those Ridiculous Ads | Co.Exist

Exposing What Exactly You Wrote That Made Gmail Show You Those Ridiculous Ads; Sydney; In Fast Co.Exist; 2014-08.

tl;dr => a QA system for email targeting (on Gmail)

Original Sources