Xavier de Carné de Carnavalet

About me

My most popular work includes a comparison of TrueCrypt's sources against the official binaries, my evaluation of popular password strength meters, and my study of how badly antivirus and parental control applications break TLS connections to filter content.

Please check my tutorial on how to correctly quote my name to avoid butchering it, thanks.

Interviews / videos

X EXPLAINED: How to create a strong password. Small video tutorial made for Concordia University. January 24, 2019.
Is your 'strong' password all that strong? CTV News Montreal live interview on March 26, 2015 by Caroline Van Vlaardingen (cache video)

Publications

Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carné de Carnavalet and M. Mannan. arXiv:1905.05224 (May 13, 2019). preprint

Relayed on The Register, Le Figaro [fr] press

Large-Scale Empirical Study of Important Features Indicative of Discovered Vulnerabilities to Assess Application Security. (Pre-print version: Feb. 4, 2019, © IEEE). M. Zhang, X. de Carné de Carnavalet, L. Wang, A. Ragab. IEEE Transactions on Information Forensics and Security (TIFS), 14(9): 2315-2330 (September 2019). journal
Root Agency dummy root certificate trusted by Net Nanny and Untangle NG Firewall (Nov. 28, 2018). project

Bulletproof TLS Newsletter #48

Face recognition using multi-class Logical Analysis of Data. A. Ragab, X. de Carné de Carnavalet, S. Yacout, M-S. Ouali. Pattern Recognition and Image Analysis volume 27, no. 2 (2017), pages 276-288. journal
Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'16), San Diego, CA, USA, 2016. conference
A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM). X. de Carné de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015). journal
- Relayed on Concordia News, Slashdot, Readwrite, CTV News press
Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carné de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), New Orleans, LA, USA, 2014. conference
- Tech report (Dec. 10, 2014) tech report
- How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries (Oct. 2013) preprint
  - Full-disclosure
  - Relayed on Slashdot, Reddit, Korben [fr], ThreatPost, heise Security [de], The Register press
From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'14), San Diego, CA, USA, 2014. conference
- Extended version (Dec. 26, 2013) tech report
- Project page with resources from this project (data + source code) project
- M.A.Sc. thesis: A Large-scale Evaluation of High-impact Password Strength Meters (Apr. 7, 2014) thesis
Windows 7/8 admin account installation password stored in the clear in LSA Secrets (July 11, 2013). tech report
- Bugtraq

Resources

For those searching for an updated LaTeX thesis template within Concordia's Gina Cody School of Engineering and Computer Science, check out my GitHub repo