Markus Jakobsson
www.linkedin.com/in/markusjakobsson
www.markus-jakobsson.com

1 At a Glance
• Focus. Identification of security problems, trends and solutions along four axes – computational, structural, physical and social; quantitative and qualitative fraud analysis; development of disruptive security technologies.
• Education. PhD (Computer Science/Cryptography, University of California at San Diego, 1997); MSc (Computer Engineering, Lund Institute of Technology, Sweden, 1994).
• Large research labs. San Diego Supercomputer Center (Researcher, 1996-1997); Bell Labs (Member of Technical Staff, 1997-2001); RSA Labs (Principal Research Scientist, 2001-2004); Xerox PARC (Principal Scientist, 2008-2010); PayPal (Principal Scientist of Consumer Security, Director, 2010-2013); Qualcomm (Senior Director, 2013-2015); Agari (Chief Scientist, 2016–current).
• Academia. New York University (Adjunct Associate Professor, 2002-2004); Indiana University (Associate Professor & Associate Director, 2004-2008; Adjunct Associate Professor, 2008-2016).
• Entrepreneurial activity. ZapFraud (Anti-scam technology; CTO and founder, 2012-); RavenWhite Security (Authentication solutions; CTO and founder, 2005-); RightQuestion (Consulting; Founder, 2007-); FatSkunk (Malware detection; CTO and founder, 2009-2013 – FatSkunk was acquired by Qualcomm); LifeLock (Id theft protection; Member of fraud advisory board, 2009-2013); CellFony (Mobile security; Member of technical advisory board, 2009-2013); PopGiro (User Reputation; Member of technical advisory board, 2012-2013); MobiSocial (Social networking, Member of technical advisory board, 2013); Stealth Security (Anti-fraud, Member of technical advisory board, 2013–current).
• Anti-fraud consulting. KommuneData [Danish govt. entity] (1996); J.P. Morgan Chase (2006-2007); PayPal (2007-2011); Boku (2009-2010); Western Union (2009-2010).
USR Exhibit 2002, Page 1
`
`
`
• Intellectual Property, Testifying Expert Witness. Inventor of 100+ patents; expert witness in several patent litigation cases (McDermott, Will & Emery; Bereskin & Parr; WilmerHale; Hunton & Williams; Quinn Emanuel Urquhart & Sullivan; Freed & Weiss; Berry & Domer; Fish & Richardson; DLA Piper; Cipher Law Group; Keker & Van Nest). Details and references upon request.
• Publications. Books: Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (Wiley, 2006); Crimeware: Understanding New Attacks and Defenses (Symantec Press, 2008); The Death of the Internet (Wiley, 2012); Towards Trustworthy Elections: New Directions in Electronic Voting (Springer Verlag, 2010); Understanding Social Engineering (Springer Verlag, 2016); 100+ peer-reviewed publications.

2 Summary
I am one of the more prominent computer scientists studying fraud and fraud prevention. I have performed and published novel research on fraud and authentication since 1993, with a focus on the payments industry since 1995. In 1999, I posited that what later became known as phishing would become a big problem. As a Principal Scientist at RSA Laboratories in 2001, my mandate was to determine the impact of future fraud scenarios on commerce and authentication, and to develop intellectual property to address such problems. In 2004, I built a research group around online fraud and countermeasures, resulting in more than 50 publications and two books (“Phishing and Countermeasures”, Wiley; “Crimeware”, Symantec Press). I co-founded the first company to address consumer security education, and am a pioneer in that area. I also co-founded an RSA Security spinoff (RavenWhite Security), and a company to address mobile malware (FatSkunk), and have overseen their intellectual property creation. FatSkunk was acquired by Qualcomm in 2013. I also founded ZapFraud, a company addressing Business Email Compromise. I am currently the Chief Scientist at Agari, a company addressing email-based fraud.
I have recruited and supervised junior colleagues, developers and PhD/Masters students for fifteen years. I have been in charge of building research groups at Bell Laboratories, RSA Laboratories and Indiana University. I was the most senior security researcher at Indiana University, and was hired to Xerox PARC to provide thought leadership to their security group. My former advisees have prominent roles at RSA Laboratories, Mozilla, Google, and top universities such as MIT and ETH Zurich. I played a prominent role in defining the intellectual property efforts at PayPal/eBay, and contributed significantly to their portfolio. I founded and built FatSkunk, bringing a new security paradigm to the marketplace.
`
3 Recent Focus

My work primarily involves identifying trends in fraud and computing before they affect the market, and developing and testing countermeasures – whether technical, or based on user interaction or education. I am the inventor of more than 100 patents. At PayPal, I developed and tested a technology that allows the automatic creation of PINs from passwords [46], with direct applications to improved mobile security and simplified user experience. I also studied liar buyer fraud [39] and developed improved authentication and fraud detection methods. At FatSkunk, I developed a new Anti-Virus paradigm (see, e.g., [42]); protected the intellectual property; built a team to build the technology; and worked towards commercializing the technology. After the acquisition of FatSkunk, this work was continued at Qualcomm, where I also worked on IoT, wearable authentication methods [41], anti-theft technology and privacy technology aimed at automatically detecting and blocking attempts to track users. My work at ZapFraud focused on understanding and blocking email scams [40], with a focus on business email compromise, and building a foundational patent portfolio. My work at Agari addresses enterprise-facing scams. I study and address trends in online fraud, especially as they relate to email. This includes gaining an understanding of problems such as Business Email Compromise, Ransomware, and other abuse based on social engineering and identity deception.
My PhD is in theoretical computer science, but my later emphasis has been on applied security, including authentication, click-fraud [29], mobile malware detection [42], detection of business email compromise, and the development of metrics to detect new types of fraud.

4 My Beliefs

Security research is commonly carried out from a perspective that is not cross-disciplinary, and which only takes into consideration a portion of the issues affecting the security of the system. This creates results that bring to mind the story of the blind men and the elephant – showing that without a holistic view of a system, it is easy to misunderstand it. Dramatic progress can sometimes only be made by understanding a problem in a holistic manner.
The security of a system can be described along (at least) three dimensions: One dimension of relevance is the typical behavior of the end user. A first example of this is the context of phishing: It is largely meaningless to design phishing countermeasures without first understanding end-user psychology, including how typical users react both to fraud and to potential fraud countermeasures. I studied phishing before it was an academic discipline; built an understanding of how typical users react to common security measures (such as Bank of America’s SiteKey, which provides only negligible security); and I created methods to heuristically measure the success of security solutions that were designed with typical user behavior in mind. A second example of the importance of understanding end-user behavior involves how people create passwords; how traditional password strength meters fail to measure strength in any meaningful manner; and how to design password strength meters that work, informed by an understanding of how people create passwords. These two examples demonstrate how an understanding of end-user behavior can guide protocol design and user interface design (as in the first example) and back-end risk assessments (as in the second example).
A second dimension of relevance in the context of the design of security measures is an understanding of the typical adversary. As a first example, in my research on so-called Nigerian scams, I have studied adversarial behavior, including copycat behavior and adaptive behavior. Based on the insights from this work, I developed novel natural language processing techniques and associated spam filters that exhibit dramatically lower error rates than traditional spam filters. This effort was both guided by current adversarial behavior, and by an understanding of possible adversarial changes and likely reactions to deployed security measures. A second example underlining the importance of understanding adversarial behaviors – including where traditional security measures are likely to drive adversarial behavior – is my work on mobile malware detection.
My work on mobile malware detection also shows the importance of understanding the third dimension: understanding computational limitations and hardware constraints; algorithmic limitations; and deployment constraints. My work in this area shows how being able to understand computational constraints and hardware constraints enables new and dramatically improved security paradigms to be developed. The FatSkunk technology is just one example of this opportunity.
Even security problems that at first sight appear to many to be one dimensional commonly turn out to have two or more dimensions. Mobile security mechanisms, for example, need to recognize the potential impact of the different use of these platforms in comparison with traditional computers. A concrete example of this is the impact of screen size on security via reduced abilities to convey security information: Mobile browsers allow websites to cause the address bar to be scrolled off the screen, which has a direct impact on the ability of users to make security decisions based on inspecting the URL of a visited site. Another concrete example relates to “liar buyer fraud”. Estimated to account for about a third of PayPal’s fraud losses, it is a problem that has defied traditional anti-fraud technologies. Using a simple change in what information is displayed to a user – whether honest or not – offers a promise to dramatically reduce the losses arising from this type of fraud [39].

My research. One can define an adversarial opportunity as the possibility for an adversary to increase his or her yield, where the yield can loosely be defined as the profit at a particular risk and effort. It is possible to estimate adversarial opportunities. Simply speaking, there is a great adversarial opportunity when there exist scams (whether currently used or not) that current security solutions do a poor job addressing, seen in the light of typical user behavior. I identify areas with big adversarial opportunity by building an understanding of systemic weaknesses and psychological vulnerabilities. Here, the establishment of an understanding of the adversarial opportunity depends on an understanding of the three dimensions of the associated problem.
Given an area associated with a great adversarial opportunity, the next step is to find ways to reduce the size of this opportunity, or, stated more simply, to design improved security solutions. This task, just like the task of assessing adversarial opportunity, is informed by an understanding of the three dimensions associated with the problem, seen in the light of each potential individual security measure. Given areas of great adversarial opportunity, I identify security solutions that appear to reduce this opportunity the most. I then construct ways to provide assurance of this reduction – whether experimentally or using analytical or deductive methods.
As soon as I succeed in identifying promising solutions to vexing problems, I address the intellectual property aspect, which is a fourth dimension associated with a problem. This is an area I am passionate about. I am named as inventor on more than seventy issued patents, and at least as many pending. I commonly draft claims, and am always involved in addressing office actions. In addition, I have served as testifying expert witness in an array of patent litigation cases stretching from digital rights management and hardware-based security to mobile security and secure messaging, further feeding my awareness of what makes a patent strong – or not so strong.

Vision of future needs. It is not meaningful to try to defend against a threat that one does not understand. The first step must be to understand and quantify the problem, and to recognize what constrains the possible solutions. This must be done in terms of the computational, structural, physical and social dimensions.
There is a substantial need for work that secures the infrastructure, whether from technical or social threats. This will involve malware detection and recovery; robustness against denial of service and denigration attacks; establishment of identity (whether device or user); maintenance of trust (on both a technical and human level); user communication (including avoidance of social engineering, how to communicate important information to unmotivated users, and how to build security mechanisms that are usable in the face of adversarial campaigns). There is also a need to recover from failures on various levels; and to use anomaly detection for early-warning systems. It is important to understand that user behavior will change dramatically in situations of attack, and this may in itself destabilize systems. To address these issues, a broad understanding of vulnerabilities, technologies, and trends is necessary.

5 Publication List

Books (1-6); book chapters, journals, conference publications and other scientific publications (7-147), issued/published U.S. patents (148-234). For an updated list, and for international patents, please see www.markus-jakobsson.com/publications and appropriate patent search engines.
`
References

[1] M. Jakobsson, Mobile Authentication: Problems and Solutions, ISBN 1461448778, 125 pages, Springer, 2013.

[2] M. Jakobsson, (editor) The Death of the Internet, ASIN B009CN2JVE, 359 pages, IEEE Computer Society Press, 2012.

[3] D. Chaum, M. Jakobsson, R. L. Rivest, P. Y. Ryan, J. Benaloh, and M. Kutylowski, (editors), Towards Trustworthy Elections: New Directions in Electronic Voting, 411 pages, (Vol. 6000), Springer, 2010.

[4] M. Jakobsson and Z. Ramzan (editors), Crimeware: Trends in Attacks and Countermeasures, ISBN 0321501950, Hardcover, 582 pages, Symantec Press / Addison Wesley, 2008.

[5] M. Jakobsson and S. A. Myers (editors), Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, ISBN 0-471-78245-9, Hardcover, 739 pages, Wiley, 2006.

[6] M. Jakobsson, M. Yung, J. Zhou, Applied Cryptography and Network Security: Second International Conference, Yellow Mountain, China, 2004, 511 pages, Lecture Notes in Computer Science (Book 3089), 2004.

[7] N. Sae-Bae, M. Jakobsson, Hand Authentication on Multi-Touch Tablets, HotMobile 2014.

[8] Y. Park, J. Jones, D. McCoy, E. Shi, M. Jakobsson, Scambaiter: Understanding Targeted Nigerian Scams on Craigslist, NDSS 2014.

[9] D. Balfanz, R. Chow, O. Eisen, M. Jakobsson, S. Kirsch, S. Matsumoto, J. Molina, and P. van Oorschot, “The future of authentication,” Security & Privacy, IEEE, 10(1), 22-27, 2012.

[10] M. Jakobsson, and H. Siadati, Improved Visual Preference Authentication: Socio-Technical Aspects in Security and Trust, (STAST), 2012 Workshop on IEEE, 27–34, 2012.

[11] M. Jakobsson, R. I. Chow, and J. Molina, “Authentication-Are We Doing Well Enough? [Guest Editors’ Introduction]” Security & Privacy, IEEE, 10(1), 19-21, 2012.

[12] E. Shi, Y. Niu, M. Jakobsson, and R. Chow, “Implicit authentication through learning user behavior,” Information Security, 99-113, Springer Berlin Heidelberg, 2011.

[13] M. Jakobsson and K. Johansson, “Practical and Secure Software-Based Attestation,” Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec), 1–9, 2011.
`
[14] A. Juels, D. Catalano, and M. Jakobsson, Coercion-resistant electronic elections: Towards Trustworthy Elections, 37–63, Springer Berlin Heidelberg, 2010.

[15] M. Jakobsson and F. Menczer, “Web Forms and Untraceable DDoS Attacks,” in Network Security, Huang, S., MacCallum, D., and Du, D. Z., Eds., 77–95, Springer, 2010.

[16] R. Chow, M. Jakobsson, R. Masuoka, J. Molina, Y. Niu, E. Shi, and Z. Song, “Authentication in the Clouds: A Framework and its Application to Mobile Users,” 2010.

[17] X. Wang, P. Golle, M. Jakobsson, and A. Tsow, “Deterring voluntary trace disclosure in re-encryption mix-networks,” ACM Trans. Inf. Syst. Secur., 13(2), 1-24, 2010.

[18] X. Wang, P. Golle, M. Jakobsson, A. Tsow, “Deterring voluntary trace disclosure in re-encryption mix-networks,” ACM Trans. Inf. Syst. Secur. 13(2): (2010).

[19] M. Jakobsson, and C. Soghoian, “Social Engineering in Phishing,” Information Assurance, Security and Privacy Services, 4, 2009.

[20] M. Jakobsson, C. Soghoian and S. Stamm, “Phishing,” Handbook of Financial Cryptography (CRC press, 2008).

[21] M. Jakobsson and A. Tsow, “Identity Theft,” In John R. Vacca, Editor, “Computer And Information Security Handbook” (Morgan Kaufmann, 2008).

[22] S. Srikwan and M. Jakobsson, “Using Cartoons to Teach Internet Security,” Cryptologia, vol. 32, no. 2, 2008.

[23] M. Jakobsson, N. Johnson and P. Finn, “Why and How to Perform Fraud Experiments,” IEEE Security and Privacy, March/April 2008 (Vol. 6, No. 2) pp. 66-68.

[24] M. Jakobsson and S. Myers, “Delayed Password Disclosure,” International Journal of Applied Cryptography, 2008, pp. 47-59.

[25] M. Jakobsson and S. Stamm, “Web Camouflage: Protecting Your Clients from Browser Sniffing Attacks,” IEEE Security & Privacy Magazine. November/December 2007.

[26] P. Finn and M. Jakobsson, “Designing and Conducting Phishing Experiments,” IEEE Technology and Society Magazine, Special Issue on Usability and Security.

[27] T. Jagatic, N. Johnson, M. Jakobsson and F. Menczer. “Social Phishing,” The Communications of the ACM, October 2007.
`
[28] A. Tsow, M. Jakobsson, L. Yang and S. Wetzel, “Warkitting: the Drive-by Subversion of Wireless Home Routers,” Anti-Phishing and Online Fraud, Part II Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006.

[29] M. Gandhi, M. Jakobsson and J. Ratkiewicz, “Badvertisements: Stealthy Click-Fraud with Unwitting Accessories,” Anti-Phishing and Online Fraud, Part I Journal of Digital Forensic Practice, Volume 1, Special Issue 2, November 2006.

[30] N. Ben Salem, J.-P. Hubaux and M. Jakobsson. “Reputation-based Wi-Fi Deployment,” Mobile Computing and Communications Review, Volume 9, Number 3 (Best papers of WMASH 2004).

[31] N. Ben Salem, J. P. Hubaux, and M. Jakobsson. “Node Cooperation in Hybrid Ad hoc Networks,” IEEE Transactions on Mobile Computing, Vol. 5, No. 4, April 2006.

[32] P. MacKenzie, T. Shrimpton, and M. Jakobsson. “Threshold Password-Authenticated Key Exchange,” Journal of Cryptology, 2005.

[33] A. Juels, M. Jakobsson, E. Shriver, and B. Hillyer. “How To Turn Loaded Dice Into Fair Coins.” IEEE Transactions on Information Theory, vol. 46(3). May 2000. pp. 911–921.

[34] M. Jakobsson, P. MacKenzie, and J.P. Stern. “Secure and Lightweight Advertising on the Web,” Journal of Computer Networks, vol. 31, issue 11–16, Elsevier North-Holland, Inc., 1999. pp. 1101–1109.

[35] M. Jakobsson, “Cryptographic Protocols,” Chapter from The Handbook of Information Security. Hossein Bidgoli, Editor-in-Chief. Copyright John Wiley & Sons, Inc., 2005, Hoboken, N.J.

[36] M. Jakobsson, “Cryptographic Privacy Protection Techniques,” Chapter from The Handbook of Information Security. Hossein Bidgoli, Editor-in-Chief. Copyright John Wiley & Sons, Inc., 2005, Hoboken, N.J.

[37] M. Jakobsson, E. Shi, P. Golle, R. Chow, “Implicit authentication for mobile devices,” 4th USENIX Workshop on Hot Topics in Security (HotSec ’09); 2009 August 11; Montreal, Canada.

[38] R. Chow, P. Golle, M. Jakobsson, E. Shi, J. Staddon, R. Masuoka, J. Molina, “Controlling data in the cloud: outsourcing computation without outsourcing control,” Proceedings of the 2009 ACM Workshop on Cloud Computing Security (CCSW 2009); 2009 November 13; Chicago, IL. NY: ACM; 2009; pp. 85–90.

[39] M. Jakobsson, H. Siadati, M. Dhiman, “Liar Buyer Fraud, and How to Curb It,” NDSS, 2015.
`
[40] M. Jakobsson, T.-F. Yen, “How Vulnerable Are We To Scams?,” BlackHat, 2015.

[41] M. Jakobsson, “How to Wear Your Password,” BlackHat, 2014.

[42] M. Jakobsson and G. Stewart, “Mobile Malware: Why the Traditional AV Paradigm is Doomed, and How to Use Physics to Detect Undesirable Routines,” in BlackHat, 2013.

[43] M. Jakobsson, and H. Siadati, “SpoofKiller: You Can Teach People How to Pay, but Not How to Pay Attention” in Socio-Technical Aspects in Security and Trust (STAST), 2012 Workshop on, 3-10, 2012.

[44] M. Jakobsson, and M. Dhiman, “The benefits of understanding passwords,” in Proceedings of the 7th USENIX conference on Hot Topics in Security, Berkeley, CA, USA, 2012.

[45] M. Jakobsson, and S. Taveau, “The Case for Replacing Passwords with Biometrics,” Mobile Security Technologies, 2012.

[46] M. Jakobsson and D. Liu, “Bootstrapping mobile PINs using passwords,” W2SP, 2011.

[47] M. Jakobsson and R. Akavipat, “Rethinking passwords to adapt to constrained keyboards,” 2011.

[48] Y. Niu, E. Shi, R. Chow, P. Golle, and M. Jakobsson, “One Experience Collecting Sensitive Mobile Data,” In USER Workshop of SOUPS, 2010.

[49] E. Shi, Y. Niu, M. Jakobsson, and R. Chow, “Implicit Authentication through Learning User Behavior,” 2010.

[50] M. Jakobsson and K. Johansson, Assured Detection of Malware With Applications to Mobile Platforms, 2010.

[51] M. Jakobsson and K. Johansson, “Retroactive Detection of Malware With Applications to Mobile Platforms,” in HotSec 2010, Washington, DC, 2010.

[52] M. Jakobsson, A Central Nervous System for Automatically Detecting Malware, 2009.

[53] R. Chow, P. Golle, M. Jakobsson, R. Masuoka, J. Molina, E. Shi, and J. Staddon, “Controlling data in the cloud: outsourcing computation without outsourcing control,” ACM workshop on Cloud computing security (CCSW), 2009.

[54] M. Jakobsson and A. Juels, “Server-Side Detection of Malware Infection,” in New Security Paradigms Workshop (NSPW), Oxford, UK, 2009.

[55] M. Jakobsson, “Captcha-free throttling,” Proceedings of the 2nd ACM workshop on Security and artificial intelligence, 15–22, 2009.
`
[56] M. Jakobsson, E. Shi, P. Golle, and R. Chow, “Implicit authentication for mobile devices,” Proceedings of the 4th USENIX conference on Hot topics in security, 9–9, 2009.

[57] C. Soghoian, O. Friedrichs and M. Jakobsson, “The Threat of Political Phishing,” International Symposium on Human Aspects of Information Security & Assurance (HAISA 2008).

[58] R. Chow, P. Golle, M. Jakobsson, L. Wang and X. Wang, “Making CAPTCHAs Clickable,” In proc. of HotMobile 2008.

[59] M. Jakobsson, A. Juels, and J. Ratkiewicz, “Privacy-Preserving History Mining for Web Browsers,” Web 2.0 Security and Privacy, 2008.

[60] M. Jakobsson, E. Stolterman, S. Wetzel, L. Yang, “Love and Authentication,” (Notes) ACM Computer/Human Interaction Conference (CHI), 2008. Also see www.I-forgot-my-password.com

[61] M. Jakobsson and S. Myers, “Delayed Password Disclosure,” Proceedings of the 2007 ACM workshop on Digital Identity Management.

[62] M. Jakobsson, S. Stamm, Z. Ramzan, “JavaScript Breaks Free,” W2SP ’07.

[63] A. Juels, S. Stamm, M. Jakobsson, “Combatting Click Fraud via Premium Clicks,” USENIX Security 2007.

[64] R. Chow, P. Golle, M. Jakobsson, X. Wang, “Clickable CAPTCHAs,” AdFraud ’07 Workshop; 2007 September 14; Stanford, CA, USA.

[65] S. Stamm, Z. Ramzan, and M. Jakobsson, “Drive-by Pharming,” In Proceedings of Information and Communications Security, 9th International Conference, ICICS 2007.

[66] M. Jakobsson, A. Tsow, A. Shah, E. Blevis, Y.-K. Lim, “What Instills Trust? A Qualitative Study of Phishing,” USEC ’07.

[67] R. Akavipat, V. Anandpara, A. Dingman, C. Liu, D. Liu, K. Pongsanon, H. Roinestad and M. Jakobsson, “Phishing IQ Tests Measure Fear, not Ability,” USEC ’07.

[68] M. Jakobsson, “The Human Factor in Phishing,” American Conference Institute’s Forum on Privacy & Security of Consumer Information, 2007.

[69] S. Srikwan, M. Jakobsson, A. Albrecht and M. Dalkilic, “Trust Establishment in Data Sharing: An Incentive Model for Biodiversity Information Systems,” TrustCol 2006.

[70] J.Y. Choi, P. Golle, M. Jakobsson, “Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware,” DACS ’06.
`
[71] L. Yang, M. Jakobsson, S. Wetzel, “Discount Anonymous On Demand Routing for Mobile Ad hoc Networks,” SECURECOMM ’06.

[72] P. Golle, X. Wang, M. Jakobsson, A. Tsow, “Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks.” IEEE S&P ’06.

[73] M. Jakobsson, A. Juels, T. Jagatic, “Cache Cookies for Browser Authentication (Extended Abstract),” IEEE S&P ’06.

[74] M. Jakobsson and J. Ratkiewicz, “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features.”, WWW ’06.

[75] M. Jakobsson and S. Stamm. “Invasive Browser Sniffing and Countermeasures,” WWW ’06.

[76] J.Y. Choi, P. Golle and M. Jakobsson. “Auditable Privacy: On Tamper-Evident Mix Networks,” Financial Crypto ’06.

[77] A. Juels, D. Catalano and M. Jakobsson. “Coercion-Resistant Electronic Elections,” WPES ’05.

[78] V. Griffith and M. Jakobsson. “Messin’ with Texas, Deriving Mother’s Maiden Names Using Public Records,” ACNS ’05, 2005.

[79] M. Jakobsson and L. Yang. “Quantifying Security in Hybrid Cellular Networks,” ACNS ’05, 2005.

[80] Y.-C. Hu, M. Jakobsson, and A. Perrig. “Efficient Constructions for One-way Hash Chains,” ACNS ’05, 2005.

[81] M. Jakobsson. “Modeling and Preventing Phishing Attacks,” Phishing Panel in Financial Cryptography ’05. 2005, abstract in proceedings.

[82] N. Ben Salem, J.-P. Hubaux, and M. Jakobsson. “Reputation-based Wi-Fi Deployment Protocols and Security Analysis,” In WMASH ’04. ACM Press, 2004. pp. 29–40.

[83] M. Jakobsson and S. Wetzel. “Efficient Attribute Authentication with Applications to Ad Hoc Networks,” In VANET ’04. ACM Press, 2004. pp. 38–46.

[84] M. Jakobsson, X. Wang, and S. Wetzel. “Stealth Attacks in Vehicular Technologies,” Invited paper. In Proceedings of IEEE Vehicular Technology Conference 2004 Fall (VTC-Fall 2004). IEEE, 2004.

[85] A. Ambainis, H. Lipmaa, and M. Jakobsson. “Cryptographic Randomized Response Technique,” In PKC ’04. LNCS 2947. Springer-Verlag, 2004. pp. 425–438.

[86] P. Golle, M. Jakobsson, A. Juels, and P. Syverson. “Universal Re-encryption for Mixnets,” In CT-RSA ’04. LNCS 2964. Springer-Verlag, 2004. pp. 163–178.
`
[87] P. Golle and M. Jakobsson. “Reusable Anonymous Return Channels,” In WPES ’03. ACM Press, 2003. pp. 94–100.

[88] M. Jakobsson, S. Wetzel, B. Yener. “Stealth Attacks on Ad-Hoc Wireless Networks,” In IEEE VTC ’03, 2003.

[89] N. Ben Salem, L. Buttyan, J.-P. Hubaux, and M. Jakobsson. “A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks,” In ACM MobiHoc ’03. ACM Press, 2003. pp. 13–24.

[90] M. Jakobsson, J.-P. Hubaux and L. Buttyan. “A Micro-Payment Scheme Encouraging Collaboration in Multi-Hop Cellular Networks,” In FC ’03. LNCS 2742. Springer-Verlag, 2003. pp. 15–33.

[91] M. Jakobsson, T. Leighton, S. Micali and M. Szydlo. “Fractal Merkle Tree Representation and Traversal,” In RSA-CT ’03 2003.

[92] A. Boldyreva and M. Jakobsson. “Theft protected proprietary certificates,” In DRM ’02. LNCS 2696, 2002. pp. 208–220.

[93] P. Golle, S. Zhong, M. Jakobsson, A. Juels, and D. Boneh. “Optimistic Mixing for Exit-Polls,” In Asiacrypt ’02. LNCS 2501. Springer-Verlag, 2002. pp. 451–465.

[94] P. MacKenzie, T. Shrimpton, and M. Jakobsson. “Threshold Password-Authenticated Key Exchange,” In CRYPTO ’02. LNCS 2442. Springer-Verlag, 2002. pp. 385–400.

[95] M. Jakobsson. “Fractal Hash Sequence Representation and Traversal,” In Proceedings of the 2002 IEEE International Symposium on Information Theory (ISIT ’02). 2002. pp. 437–444.

[96] M. Jakobsson, A. Juels, and R. Rivest. “Making Mix Nets Robust For Electronic Voting By Randomized Partial Checking,” In Proceedings of the 11th USENIX Security Symposium. USENIX Association, 2002. pp. 339–353.

[97] D. Coppersmith and M. Jakobsson. “Almost Optimal Hash Sequence Traversal,” In Financial Crypto ’02. 2002.

[98] M. Jakobsson. “Financial Instruments in Recommendation Mechanisms,” In Financial Crypto ’02. 2002.

[99] J. Garay, and M. Jakobsson. “Timed Release of Standard Digital Signatures,” In Financial Crypto ’02. 2002.

[100] F. Menczer, N. Street, N. Vishwakarma, A. Monge, and M. Jakobsson. “Intellishopper: A Proactive, Personal, Private Shopping Assistant,” In AAMAS ’02. ACM Press, 2002. pp. 1001–1008.
`
[101] M. Jakobsson, A. Juels, and P. Nguyen. “Proprietary Certificates,” In CT-RSA ’02. LNCS 2271. Springer-Verlag, 2002. pp. 164–181.

[102] M. Jakobsson and A. Juels. “An Optimally Robust Hybrid Mix Network,” In PODC ’01. ACM Press. 2001. pp. 284–292.

[103] M. Jakobsson and M. Reiter. “Discouraging Software Piracy Using Software Aging,” In DRM ’01. LNCS 2320. Springer-Verlag, 2002. pp. 1–12.

[104] M. Jakobsson and S. Wetzel. “Security Weaknesses in Bluetooth,” In CT–RSA ’01. LNCS 2020. Springer-Verlag, 2001. pp. 176–191.

[105] M. Jakobsson and D. Pointcheval. “Mutual Authentication for Low-Power Mobile Devices,” In Financial Crypto ’01. LNCS 2339. Springer-Verlag, 2001. pp. 178–195.

[106] M. Jakobsson, D. Pointcheval, and A. Young. “Secure Mobile Gambling,” In CT–RSA ’01. LNCS 2020. Springer-Verlag, 2001. pp. 110–125.

[107] M. Jakobsson and S. Wetzel. “Secure Server-Aided Signature Generation,” In PKC ’01. LNCS 1992. Springer-Verlag, 2001. pp. 383–401.

[108] M. Jakobsson and A. Juels. “Addition of ElGamal Plaintexts,” In T. Okamoto, ed., ASIACRYPT ’00. LNCS 1976. Springer-Verlag, 2000. pp. 346–358.

[109] M. Jakobsson, and A. Juels. “Mix and Match: Secure Function Evaluation via Ciphertexts,” In ASIACRYPT ’00. LNCS 1976. Springer-Verlag, 2000. pp. 162–177.

[110] R. Arlein, B. Jai, M. Jakobsson, F. Monrose, and M. Reiter. “Privacy-Preserving Global Customization,” In ACM E-Commerce ’00. ACM Press, 2000. pp. 176–184.

[111] C.-P. Schnorr and M. Jakobsson. “Security of Signed ElGamal Encryption,” In ASIACRYPT ’00. LNCS 1976. Springer-Verlag, 2000. pp. 73–89.

[112] P. Bohannon, M. Jakobsson, and S. Srikwan. “Cryptographic Approaches to Privacy in Forensic DNA Databases,” In Public Key Cryptography ’00. LNCS 1751. Springer-Verlag, 2000, pp. 373–390.

[113] J. Garay, M. Jakobsson, and P. MacKenzie. “Abuse-free Optimistic Contract Signing,” In CRYPTO ’99. LNCS 1666. Springer-Verlag, 1999. pp. 449–466.

[114] M. Jakobsson. “Flash Mixing,” In PODC ’99. ACM Press, 1999. pp. 83–89.

[115] G. Di Crescenzo, N. Ferguson, R. Impagliazzo, and M. Jakobsson. “How To Forget a Secret,” In STACS ’99. LNCS 1563. Springer-Verlag, 1999. pp. 500–509.
`
`[116] M. Jakobsson, D. M’Raihi, Y. Tsiounis, and M. Yung. “Electronic Pay-
`ments: Where Do We Go from Here?,” In CQRE (Secure) ’99. LNCS 1740.
`Springer-Verlag, 1999. pp. 43–63.
`
`[117] C.P. Schnorr and M. Jakobsson. “Security Of Discrete Log Cryptosystems
`in the Random Oracle + Generic Model,” In Conference on The Mathe-
`matics of Public-Key Cryptography. 1999.
`
`[118] M. Jakobsson and A. Juels “Proofs of Work and Breadpudding Protocols,”
`In CMS ’99. IFIP Conference Proceedings, Vol. 152. Kluwer, B.V., 1999.
`pp. 252 – 272.
`
`[119] M. Jakobsson and C-P Schnorr. “Efficient Oblivious Proofs of Correct Ex-
`ponentiation,” In CMS ’99. IFIP Conference Proceedings, Vol. 152. Kluwer,
`B.V., 1999. pp. 71–86.
`
`[120] M. Jakobsson, P. MacKenzie, and J.P. Stern. “Secure and Lightweight
`Advertising on the Web,” In World Wide Web ’99
`
`[121] M. Jakobsson, J.P. Stern, and M. Yung. “Scramble All, Encrypt Small,”
`In Fast Software Encryption ’99. LNCS 1636. Springer-Verlag, 1999. pp.
`95–111.
`
`[122] M. Jakob