Sid Stamm

sid (a) mozilla . com

publications <
invited talks <
projects <

blog <
cv <
pgp key <
Sid's Face
BE7F 075E 7AB5 F95B 59DD
D22D EBFD 40B2 2787 3E2D



compelled certificates [pdfpaper]
"Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper)" In G. Danezis (Ed.) Proceedings of the Fifteenth International Conference on Financial Cryptography and Data Security. February 2011, St. Lucia.
content restrictions [abstract] [pdfpaper] [pdfslides]
"Reining in the Web with Content Security Policy" In proceedings of the 19th International World Wide Web Conference (WWW2010). April 26-30 2010. Raleigh, NC, USA.
mid-stream injection [abstract] [paper]
"Practice and Prevention of Home-Router Mid-Stream Injection Attacks", Steven A. Myers and Sid Stamm. In proceedings of the 2008 APWG eCrime Researcher's Summit. October 15-16, 2008. Atlanta, GA, USA.
immigration control [abstract] [pdfpaper]
"HTTP Fences: Immigration Control for Web Pages", Sid Stamm. Indiana University Computer Science Technical Report TR669. July, 2008.
crimeware book [website]
Contributing author for portions of "Crimeware: Understanding New Attacks and Defenses", Markus Jakobsson (Editor), Zulfikar Ramzan (Editor). Paperback, 608 pages. Addison-Wesley Professional, April 28, 2008. ISBN: 0321501950
"Drive-by Pharming" Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. In Proceedings of Sihan Qing, Hideki Imai, Guilin Wang (Eds.): Information and Communications Security, 9th International Conference, ICICS 2007, Zhengzhou, China, December 12-15, 2007. Lecture Notes in Computer Science 4861 Springer 2008, ISBN 978-3-540-77047-3. Pages 495-506.
sitdrm and tpm [abstract] [paper]
"Implementing Trusted Terminals with a TPM and SITDRM" Sid Stamm, Nicholas Paul Sheppard, Reihaneh Safavi-Naini. In the First International Workshop on Run-Time Enforcement for Mobile and Distributed Systems (REM'07).
unicode spam [abstract] [paper] [slides]
"Fighting Unicode-Obfuscated Spam" Changwei Liu and Sid Stamm. In proceedings of the 2007 APWG eCrime Researcher's Summit.
web camouflage [abstract] [paper]
"Web Camouflage: Protecting Your Clients from Browser Sniffing Attacks," Markus Jakobsson and Sid Stamm. In the IEEE Security & Privacy Magazine. November/December 2007.
"Combatting Click Fraud via Premium Clicks," Ari Juels, Sid Stamm, and Markus Jakobsson. Proceedings of the 16th USENIX Security Symposium, August 6-10 2007.
javascript breaks free [paper] [slides]
"Web 2.0 Security Position Paper: JavaScript Breaks Free!" Markus Jakobsson, Zulfikar Ramzan and Sid Stamm. In the W2SP: Web 2.0 Security Workshop, held in conjunction with the 2007 Symposium on Security and Privacy (Oakland'07). May 24, 2007.
phishing book [website]
Contributing author for portions of "Phishing and Countermeasures : Understanding the Increasing Problem of Electronic Identity Theft", Markus Jakobsson (Editor), Steven Myers (Editor). Hardcover, 739 pages. Wiley, November 2006. ISBN: 978-0-471-78245-2
"Invasive Browser Sniffing and Countermeasures" Markus Jakobsson and Sid Stamm. Proceedings of The 15th annual World Wide Web Conference, (WWW2006).
"Privacy-Preserving Polling using Playing Cards" Sid Stamm and Markus Jakobsson. Cryptology ePrint Archive, Report 2005/444. 2005.
"Privacy on the Internet"Kay Connelly, Katie Moor, Tom Jagatic, Ashraf Khalil, Yong Liu and Sid Stamm. Proceedings of WWW @ 10 Conference (www@10 '04), 2004.
(I led this paper and presented it at the conference on October 1st, 2004. Slides with notes here)
"Java Engagement for Teacher Training: An Experience Report" Raja Sooriamurtthi, Arijit Sengupta, Suzanne Menzel, Katie Moor, Sid Stamm, and Katy Börner. Proceedings of the Frontiers in Education (FIE'04), 2004.
"Mixed Nuts: Atypical Classroom Techniques for Computer Science Courses" Sid Stamm. ACM Crossroads issue 10.4, Summer 2004.
(Originally written for my undergraduate thesis at Rose-Hulman, this paper shows the benefit of using unusual tactics in the classroom when teaching new Computer Science students. Previous version available here (v2) or here (v1).)


Invited Talks

Online Snoops and Thwarting Them with Transparency, Choice and Control. [pdfslides]
Who are the snoops and why are we more paranoid online than offline? This talk discusses some of the reasons online privacy is so pressing and presents my draft framework for building privacy into the web.
9 July 2013 -- Invited talk at PETools 2013, Bloomington, IN
Better control of your data online [pdfslides]
The growth of data sharing on the web is rapid and biased towards making shiny new things. New types of web applications pop up every day, and with fast innovation in data mining and analytics, the smallest bits of information about you can be valuable. While the complexity and robustness of web applications is quickly expanding, peoples ability to control what happens with their information is needs to grow fast enough to match. This talk discusses what Mozilla knows about needs for better privacy and anonymity, and what they're doing about it. There is lots of work to be done, and with a little focus and help we can put people back in control of what is done with their data.
29 July 2011 -- Keynote at 4th Hot Topics in Privacy Enhancing Technologies, Waterloo, Canada
Staying Safe on the Web: Yesterday, Today and Tomorrow [pdfslides]
This talk recounts some stories of security problems in Mozilla's past and examines the current state of security and privacy in Firefox. It also describes the future of the Web browser, covering Mozilla's plans for upcoming releases and examining some questions in Web security and privacy that don't yet have answers.
12 August 2010 -- 19th USENIX Security Symposium, Washington D.C.
Browser (Firefox) Security [pdf slides]
The browser as a protector: securing your private data, web sites, your platform and third party features. This talk discusses what we do in Firefox to help ensure users' security, and some efforts we're making at Mozilla to add to the security and privacy of the web.
22 April 2010 -- Stanford CS241 Guest Lecture.
Phishing and Pharming (and the Future) [abstract] [pdf slides and notes]
The state of the art in Phishing and Pharming (online identity fraud), why current countermeasures fail, the human factor, and the future of phishing and pharming.
21 May 2008 -- AusCERT 2008 Information Security Conference.
16 October 2007 -- CFCA Global Educational Event.
Drive-By Pharming and other WebSec Bummers [abstract] [pdf slides] [movVideo]
Web Application abuses, especially to compromise routers and screw with DNS.
12 July 2007 -- Talk to security group at PARC
28 June 2007 -- Tech Talk at Google, Inc.
Invasive Browser Sniffing and Countermeasures [abstract] [ppt slides] [movVideo]
Discussion of my recent phishing work
30 Aug 2006 -- The Security Seminar in CERIAS at Purdue University.
9 May 2006 -- ISI Seminar at Queensland University of Technology, Australia.
22 Feb 2006 -- Crypt Seminar at University of Wollongong, Australia.
Visualizing Secure Protocols [abstract] [pdf slides]
Private polling using playing cards and other secure protocol visualizations.
April 2005 -- ACM Computer Security/Privacy Lecture Series at University of Minnesota.
What's new in Java 1.5 [pdf slides]
How does Java 1.5 affect APCS?
Fall 2004 -- JETT 04 at Indiana University.
The Fine Art of Rememorable Teaching
How do you keep them interested?
Based on the Mixed Nuts paper.
Fall 2003 -- JETT 03 at Indiana University.


Projects shows how you can sniff URLs out of a client's browsing history. This translating proxy software protects a service provider's clients by making the URLs really hard to guess. For more information, see the paper on invasive sniffing.
Driver's License Numbers [More Info]
It's not hard to calculate driver's license numbers when you know the algorithm. What information can be obtained with your Name, DOB and DL number? Good question.
Browser Recon [More Info] [Go see it!]
Most of the time, we can tell which online bank you use! It's kind of scary, but with a CSS trick, we can record where you've been, and with that guess who you use for online banking. (See this page). Developed with Tom Jagatic and Markus Jakobsson
VSOP (evolving) [Go see it!]
A catalog of strange graffiti and tags in Bloomington's public areas. Uses Google's Maps to display locations in a pictoral tour of some of the town's tags.
Digger Magoo's Fossil Hunt (in production) Award Winning! [More Info]
a fossil "hunt" exhibit that is going to be prototyped and tested at WonderLab in Bloomington, Indiana. Fossil Hunt consists of the FlashFidgets! software and some content produced by Telecom. I am in charge of installing and testing the software platform and hardware for deployment on the museum floor. The exhibit should be ready for initial testing soon.
Awarded "Best Interactive Conversation" in IDEAS 2005
FlashFidgets! v2.0α (still in development) [dmgMac OS X installer (16.3M)] [pdf Manual (646k)]
A Phidgets / Flash 5.0 interface. This plays flash movie files and lets them interact with phidgets. You can get a Plist Editor here. New features in 2.0 include multiple trigger sources and support for digital outputs. (Updated 3/3/2005)
Note: This uses a very rough driver, the one provided by the Phidgets site work much better -- new version should appear some day.


sstamm (at) indiana (dot) edu
  Privacy Policy