Welcome to 3OHA, a place for random notes, thoughts, and factoids that I want to share or remember
5 December 2023
My 2023 brag document
I used to do work for organizations that conducted annual performance reviews. The importance of these reviews instilled in me the habit of keeping a brag document, mostly because of my inclination to overlook essential details for the process. I have maintained this practice since then, even though I am no longer subject to formal performance reviews.
This post is an excerpt from my 2023 brag document. It highlights the most visible impacts and achievements from this year, focusing largely on media coverage of my research and contributions towards enhancing the security of real-world systems. It is not intended to seek recognition or promotion, for I no longer care much about those aspects. I keep track of these items because it enables me to reflect on themes in my work and distinguish what eventually demonstrates a visible impact from what holds personal significance, including the substantial yet fundamentally invisible work I undertake.
This is the tip of the iceberg for 2023:
- The fake engagement ecosystem.
We conducted a study on fake social media engagement services that was covered by El País, La Vanguardia, ABC, Cybermagazine, SER, Tech Xplore, and Pledge Times. While exploring the ecosystem of fake click resellers, we had the opportunity to closely examine click farms and connect with researchers studying this infrastructure.
- Russia-Ukraine war reviews.
Our study Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls was covered by Fast Company on the occasion of the first anniversary of the Russian invasion of Ukraine.
- Vulnerabilities in the Chromium Debugger API.
Our Euro S&P paper Chrowned by an Extension: Abusing the Chrome DevTools Protocol through the Debugger API identified several vulnerabilities in the Chromium Debugger API and in the granting of capabilities to extensions. We responsibly disclosed our findings to Google, which assigned CVE-2022-2164 to one of the vulnerabilities. Some of the remaining disclosures turned out to be duplicates and others are still in discussion.
- USENIX Security 2023 Research Ethics Committee Chair.
I served as the Chair of the 2023 USENIX Security REC for two reviewing cycles. It was an immense privilege that allowed me to work with an incredibly talented team on numerous challenging issues.
- Leaks of sensitive information in Android logs.
Our USENIX Security 2023 paper Log: It's Big, It's Heavy, It's Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem studied how apps log sensitive information. We responsibly disclosed our findings to Google and engaged with them in conversations about improving the logging framework. In response to our disclosure, Google introduced a new control in Android 13 and above to help users manage access to device logs, with the goal of preventing entities from surreptitiously collecting user logs as a matter of routine. In Spain, El País covered the story (English version here).
- USENIX Security 2023 noteworthy reviewer.
I was named "Noteworthy Reviewer" at the 2023 USENIX Security Symposium.
- MITRE ATT&CK T1653.
I contributed to ATT&CK Technique T1653, which describes the use of power settings for achieving persistence. This technique was introduced in version 14 of the framework released on 31 October 2023.
- Vulnerabilities in IoT local network traffic.
Our IMC 2023 study In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes identified multiple security and privacy issues in home devices. We sent disclosures to 19 IoT vendors and manufacturers, and reported to Google a list of Android mobile apps and SDKs that we discovered collecting sensitive local network information. We received responses from 11 of these parties and are actively collaborating with them to address the identified vulnerabilities. The paper received substantial attention in the media. In Spain, it was covered by El País, ABC, El Correo, COPE, and Onda Cero. My colleague and co-author of the study, Joel Reardon, was interviewed by CBC News Calgary.
- AEI panel on disinformation.
I was invited to participate in a panel on disinformation, fake news and AI organized by the Spanish AEI in the XXIII Madrid Science and Innovation Week.
- Joint statement on the EU's proposed 2023 eIDAS reform.
In November 2023, I helped put together an open statement criticizing some aspects of the eIDAS digital identity reform. The statement was signed by more than 500 scientists from 39 countries and some key Internet organizations. Mozilla set up a website that provides further context about the protest and collects links to press coverage and statements by other organizations and individuals. I acted as contact point for the Spanish press and was interviewed by El Confidencial, Xataka and Newtral. Influenced by the concerns raised in the statement, the trilogue introduced a number of amendments to the final text of the update to the eIDAS regulation. At the time of writing this, the final text of the regulation is not yet known.
© 2023 Juan Tapiador