Xavier de Carné de Carnavalet

My research interests span across network security and privacy, web security, Internet measurement, passwords and authentication, software and firmware security, and applications of machine learning to security.

Mailing address:
PQ806, Mong Man Wai building, The Hong Kong Polytechnic University
11 Yuk Choi Rd, Hung Hom, Kowloon, Hong Kong

📧 ORCID DBLP profile @xavier2dc

> Looking for highly motivated PhD/MPhil students, Research Assistants with a B.Sc. or Master's, in the areas of Network/Web Security and Privacy, Passwords and Authentication, Internet Measurement, and Firmware Security. Please contact me if you are interested.

About me

My most popular work includes a comparison of TrueCrypt's sources against the official binaries, my evaluation of popular password strength meters, and my study of how badly antivirus and parental control applications break TLS connections to filter content.

Please check my tutorial on how to correctly parse my name to make my day brighter, thanks!

Interviews / videos

• X EXPLAINED: How to create a strong password. Small video tutorial made for Concordia University. January 24, 2019.
• Is your 'strong' password all that strong? CTV News Montreal live interview on March 26, 2015 by Caroline Van Vlaardingen (cache video)

Publications

• Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carné de Carnavalet and M. Mannan. arXiv:1905.05224 (May 13, 2019). preprint
• Relayed on The Register, Le Figaro [fr] press
• Large-Scale Empirical Study of Important Features Indicative of Discovered Vulnerabilities to Assess Application Security. (Pre-print version: Feb. 4, 2019, © IEEE). M. Zhang, X. de Carné de Carnavalet, L. Wang, A. Ragab. IEEE Transactions on Information Forensics and Security (TIFS), 14(9): 2315-2330 (September 2019). journal
• Root Agency dummy root certificate trusted by Net Nanny and Untangle NG Firewall (Nov. 28, 2018). project
• Bulletproof TLS Newsletter #48
• Face recognition using multi-class Logical Analysis of Data. A. Ragab, X. de Carné de Carnavalet, S. Yacout, M-S. Ouali. Pattern Recognition and Image Analysis volume 27, no. 2 (2017), pages 276-288. journal
• Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'16), San Diego, CA, USA, 2016. conference
• A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM). X. de Carné de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015). journal
  • Relayed on Concordia News, Slashdot, Readwrite, CTV News press
• Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carné de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), New Orleans, LA, USA, 2014. conference
  • Tech report (Dec. 10, 2014) tech report
  • How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries (Oct. 2013) preprint
    • Full-disclosure
    • Relayed on Slashdot, Reddit, Korben [fr], ThreatPost, heise Security [de], The Register press
• From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'14), San Diego, CA, USA, 2014. conference
  • Extended version (Dec. 26, 2013) tech report
  • Project page with resources from this project (data + source code) project
  • M.A.Sc. thesis: A Large-scale Evaluation of High-impact Password Strength Meters (Apr. 7, 2014) thesis
• Windows 7/8 admin account installation password stored in the clear in LSA Secrets (July 11, 2013). tech report
  • Bugtraq