Welcome to Matt Curtin: The Web Page.

You've reached my virtual presence. If you feel so inclined, let me know what you think. Non-techies might be a little more comfortable reading the corporate tripe about me.


New(ish) Goodies

Brute Force: Cracking the Data Encryption Standard

Finally! The story behind the project that I led with Rocke Verser and Justin Dolske to prove that the U.S. Government standard for data encryption was weak is available in print. Brute Force covers the story behind the scenes, how we overcame technical hurdles, organized a huge social network, and defeated the standard before Congress made it illegal for people to use good cryptography to protect themselves.

Anatomy of Online Fraud

Online fraud is essentially no different from other kinds of fraud. Defenses often include an awareness of the scams that are out there and being careful not to be taken. In this paper, I document and comment on a recent scheme targeting eBay and Best Buy users.

Spector Professional Review and Commentary

If you're using spyware to see what your children or employees are doing, you might well be allowing a vendor to spy on them as well. We performed a quick analysis of Spector Pro for Windows for WBNS-10TV in Columbus, and documented our findings.

PCFriendly Enables DVD Backchannels

If you watch DVDs on your computer, you might be in for more than you realized, thanks to some unsafe default behavior in PCFriendly. More information is available in a press release and the paper.

Developing Trust: Online Privacy and Security

Developing Trust is my book on how to build systems that don't come back and bite us. In the book, I argue that privacy-aware systems are necessary for good security, that today's methods of "addressing" privacy are doomed to failure, and that we can build systems worthy of trust, if we have the courage to do so. Available in late November 2001 from Apress in the US and from Springer-Verlag internationally.

Shibboleth: Private Mailing List Manager

A mailing list manager that differs widely from others like Majordomo and Mailman. For lists whose subscriptions are by invitation only, these are problematic. We introduce more sophisticated subscriber profiles, protection from "outsiders", and eliminate the problem of receiving multiple copies of the same message. More information is available on this project's page.

Current Work and Interests

Programming Stuff

Common Lisp
I teach "Programming in Common Lisp" (CSE 459.31) at The Ohio State University's Department of Computer and Information Science. You should take my class so I can turn your brain inside out. Plus, we use lots of Common Lisp behind the scenes at Interhack.
I used to oversee much of the development of software for internal use and systems operation at OSU's CSE department. Most of this software is written in Perl. We made it a point to write good Perl, with a focus on maintainability and modularity. I'm very proud of what we were able to accomplish while I was there. Some of the systems are now enjoying wider use, others have been documented in formal papers, and some others are still waiting to achieve fame and fortune.
I have a few projects cooking in Java. At present, I'm more interested in the ubiquitous acceptance of the Java Virtual Machine and implementing other languages in Java.
"Open Source"
Not a language, but related closely enough that it's worth mentioning here. I was the original advisor of the Open Source Club at Ohio State.

The Net

IETF Working Groups
I poke my head into various working groups as time allows. I'm currently driving two Internet Drafts, both of which came from work that jwz started in 1998. (Actually, these have gotten bogged down, and the working group we were coordinating it through is years behind schedule. I'm just waiting until we get the main documentation finished before I revive these babies.) One is on identifying messages that have been delivered via both mail and news, and the other is an informational one giving some ideas for good Message-ID generation.

Cryptography, Security, and Privacy

Primary investigator, Interhack Internet Privacy Project
Beginning in 2000, we've turned more attention to the privacy project because of recent increases in the number of privacy-eroding technologies that have been introduced into the Internet, generally without the knowledge of those whose actions are being tracked. Lots of folks are talking about privacy, but there aren't many (comparatively speaking) who are dealing with the technical side of privacy. We're hoping that we can make a difference by helping developers fix problems that are accidental, by making the general public aware of systems that are not, and by building up a library of good technical documentation that describes these problems and how we can learn from these failures.
Primary author and maintainer of the "Snake Oil FAQ"
This is the generally accepted authoritative guide to identifying bogus cryptography, without having to be a cryptographer yourself.
The first crack of a DES-encrypted message took place in June of 1997. I have some pages on the project here, including the mailing list archives. Also, some of us got our pictures taken for an article in PC Computing Japan about DESCHALL. I wrote a book entitled Brute Force about this project.

Running my mouth

I like to talk to people about technology, and help them get a grasp on the sorts of things that are possible now. Something that especially appeals to me is demystifying fairly complex issues and technologies like security, cryptography, scalable architectures, distributed systems, and that sort of thing.

From time to time, I like to give presentations at schools, and try to help get kids more fired up about the sciences. The presentations I've given are usually pretty well-received; computers, cryptography, and the Internet interest kids now, and they're also great for showing how all that math-stuff they gotta learn is useful later in life. Throw me mail if you're a teacher or counselor in the Ohio area, and are interested in having some weird guy talk to students about the utility (and fun!) of science.

You can find my non-work stuff at Ergo Sum.

Contacting me
There are a number of ways to get ahold of me. By far, the best and most effective way is by email.

Should you happen to come across my phone number, don't bother. It's probably got some strange device hooked up to it, anyway. Snail mail? hahahahahahhaa! If you're going to send me something you want me to read via snail mail, you'll likely have a much greater degree of success if you enclose a cool t-shirt with it. I'm partial to shirts with Unixy, math, and crypto related themes. Microsoft shirts are burned, symbolic of the "crash and burn" with which users of Microsoft software are intimately familiar. (Their CDs are used for coasters.)
