Daniele Lain
System Security @ ETH Zurich
$ whoami
I'm at the System Security group at ETH Zurich, where I recently defended my Ph.D. under the supervision of Prof. Srdjan Čapkun.
My current research focuses on the broad area of human-centered security through novel attacks, countermeasures, and large-scale measurements. My interests include designing usable systems, authentication techniques, security awareness and education, user interactions with security-sensitive elements, and how modern hardware and software security shape future system designs.
Besides academic venues, my research appeared in several industry venues and media: our attacks on keyboard sounds were featured in Black Hat USA and covered by Forbes, BBC, and Tom's Hardware, among others. Our findings on phishing awareness training were showcased in podcasts such as Malwarebytes and First Watch, as well as at the Security Awareness Day '23 hosted by the Swiss national CERT.
I play and organize Capture The Flag competitions. I founded No Pwn Intended at the University of Padua, and coordinate the Italian team mhackeroni, with whom I played 6 DEF CON CTF finals and hacked a satellite in orbit. Thus, I greatly enjoy applying teaching-by-doing, at all levels of education. I've designed hands-on courses and labs for bachelor's, master's, and continuing education programs at both the University of Padua and ETH.
Before my doctorate, I earned an M.Sc. (with honors) and a B.Sc. in Computer Science at University of Padua in Italy, where I also spent a year as a research assistant in Prof. Mauro Conti's group.
Publications
See also my Google Scholar profile.
Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training
ACM CCS '24. Distinguished Paper Award [ PDF ]
Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
IEEE S&P '22. [ PDF ]
- Selected media coverage: Malwarebytes, First Watch.
IntegriScreen: Visually Supervising Remote User Interactions on Compromised Clients
arXiv preprint (2020). [ PDF ]
Pilot: Password and pin information leakage from obfuscated typing videos
Journal of Computer Security (2019). [ PDF ]
Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets
- Also presented at Black Hat Asia 2018.
Don't Skype & Type! Acoustic eavesdropping in Voice-over-IP
ACM ASIACCS '17. [ PDF slides ]
- Also presented at Black Hat USA 2017.
- Selected media coverage: Forbes, BBC Click, Tom’s Hardware, Kaspersky Threatpost and its podcast, Dark Reading.
It's always April fools' day!: On the difficulty of social network misinformation classification via propagation features
IEEE WIFS '17. [ PDF ]
Teaching & Supervision
I enjoy teaching and applying the principles of teaching-by-doing to cybersecurity concepts, inspired by the idea that targeted application of concepts greatly complements more conventional forms of teaching. My teaching experience and main contributions besides "ordinary" teaching duties include:
- 19-24: TA and head TA for System Security, M.Sc. level at ETH; creating practical graded assignments on web and software security.
- 20-21: TA for Information Security Lab, M.Sc. level at ETH; design of a hands-on introduction to memory vulnerabilities.
- 19-21: TA for Information Security, B.Sc. level at ETH; design of a CTF laboratory on the concepts of anonymity networks.
- 18-22: TA for Introduction to Information Security, Continuing Education (CAS/DAS) program in Information Security at ETH; design of hands-on laboratories for students from technical and non-technical backgrounds.
- We are investigating how to bring hands-on teaching of basic cybersecurity and awareness concepts to K-12 students, adapting the ideas of practical challenges to a younger crowd: read more here.
- Further TA experiences: SS18: Design of Digital Circuits; AS18: Advanced Machine Learning.
At University of Padua, I organized a set of hands-on courses on practical security topics (covering fundamental Capture The Flag skills, from web exploitation to memory vulnerabilities and cryptanalysis) called playground in 17-18 and 18-19, awarding 2 credits to students.
I was an instructor for the team that won the Italian National Cyberchallenge in 2018.
I also ran CTF laboratories at the System Security Summer School 2019, and as part of the Networks and Security B.Sc. course at University of Padua in 2016-2017.
I had the opportunity to supervise several great students both at ETH and in Padua:
- Master's Thesis: Todor Hristov, Matthieu Ehlers, Franklyn Sciberras, Remo Kellenberger, Dario Napfer, Adalsteinn Jonsson, Sven Grubel, Tarek Jost, Jason Friedman, Stefano Boschetto, Leonardo Nodari, Andrea Biondo, Ali El Wahsh, Swe Geng.
- Master's Semester Project: Leon Windler, Davud Evren, Matthieu Ehlers.
- Bachelor's Thesis: Quirin Bitter, Samuel Huber, Adrian Kress, Lukas Baege, Leonardo Nodari, Nicola De Cao.
- Other internships: Alexander Schlieper, Sarah Muhlemann, Elizaveta Tretiakova.
CTF
I've been passionate about playing CTFs since my first ' OR 1=1; -- . I admire its didactic potential, its great community building aspects and individual and team growth.
I founded and lead No Pwn Intended, the academic team of the University of Padua.
I coordinate mhackeroni, the main Italian CTF team that (among other successes) played 6 DEF CON CTF Finals in Las Vegas and won the first-of-its-kind Hack-A-Sat 4 competition by hacking a satellite in orbit.
With mhackeroni, I organized and ran mhackectf: Enterprise Edition, a large online attack-defense CTF in 2020.
Media & Talks
Some selected presentations and talks:
- Phishing in Organizations: The Science of Phishing Prevention and Education. Swiss Security Awareness Day 2023, Bern.
- mhackeroni's Recipe for Hacking Satellites (and Winning!). No Hat 2023, Bergamo (with Mario Polino).
- On Phishing Exercises and Simulations. Invited talks @ Zuhlke, J.P. Morgan AI Research.
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE S&P '22.
- Adventures in User Authentication: Challenges and Solutions. System Security Summer School 2019, Padua.
- Back To The Epilogue: How to Evade Windows' Control Flow Guard with Less than 16 Bytes. Black Hat Asia 2018 (with Andrea Biondo).
- Skype & Type: Keystroke Leakage over VoIP. Black Hat USA 2017.