Some relatively recent publications for which I am at least partially to blame.

• Developing Trust: Online Privacy and Security
  Developing Trust is my book on how to build systems that don't come back and bite us. In the book, I argue that privacy-aware systems are necessary for good security, that today's methods of "addressing" privacy are doomed to failure, and that we can build systems worthy of trust, if we have the courage to do so. Available in late November 2001 from Apress in the US and from Springer-Verlag internationally.
• Getting to Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web
  Coremetrics has implemented a system that will allow web site operators to determine how people are using their site without having to perform their own data collection and analysis. This is implemented in a peculiar way; it's a combination of cookies, web bugs, and JavaScript that causes the users' web browsers to copy personal information out of forms and report the information back to Coremetrics for collection and analysis. This raises many privacy concerns and even Coremetrics doesn't seem to understand the terrible potential of this system in a failure mode.
• DoubleClick Opt Out Protocol Failure == Opt In
  DoubleClick, in its infinite wisdom, implemented the HTTP protocol (RFC 2616) incorrectly. Specifically, it does not treat HTTP headers case insensitively. This causes opt-out cookies to fail sometimes, thus making it possible to report falsely that a user who tried to opt-out of the system did so. It is also possible for someone who has opted out of the system at one time to be opted back into it, completely without his knowledge.
• Opting In, By Accident
  Discovery and investigation of a problem in Netscape's Communicator version 4 that makes it possible for people who have opted out of banner advertising networks' tracking activity to be opted back in silently.
• Shibboleth: Private Mailing List Manager
  To appear in the Proceedings of the 9th USENIX Security Symposium.
• Preserving Integrity
  May 2000 issue of WebTechniques magazine.
• On Guard: Protecting your site against attack
  April 2000 issue of WebTechniques magazine.
• Radio appearance on Sterling's show with no name.
  It aired live on Wednesday, December 15, 1999. When asked for my "Y2K prediction", I said that we'll see mostly localized problems, caused by things like some drunk slamming his car into a utility pole just after midnight and interrupting electricity. On the morning of January 1, 2000, I heard on the radio that some fool slammed his car into a utility pole just after midnight and knocked out electricity for about 3,000 people in the Columbus suburb of Hilliard. Ha!
• Creating an Environment for Reusable Software Research: A Case Study in Reusability
  This is archived as an OSU-CIS technical report (OSU-CISRC-8/99-TR21); I'm poking around for a place to publish it.
• Electronic Snake Oil
  Published in the April 1999 issue of the USENIX Association's ;login:. (An adaptation of the "Snake Oil FAQ" cited below.)
• ``What's Related?'' Everything But Your Privacy. An examination of the ``smart browsing'' feature in Netscape's Communicator 4.06.
• Firewalls FAQ, maintained with Marcus J. Ranum. Published as an official USENET FAQ. This is the first place to go when you need answers to your questions about firewalls. Lots of good introductory information, some sage advice, and examples of how to implement various schemes to protect yourself.
• ``A Brute Force Search of DES Keyspace''
  Published in a special supplimentary (May 1998) issue of the USENIX Association's ;login:, for the 1998 USENIX Security Symposium. PostScript and PDF versions are also available.
• IBM's Daily Grounds. I was interviewed for a small piece called `A View From the Trenches' in March 1998. It's about Java, what's cool about it, what isn't so cool about it, and what's happening with it.
• Unix Unleashed, Internet Edition.
  Available at about every bookstore on the planet. I wrote pieces that made it into an introduction to CGI programming, as well as the chapter on writing CGI programs in the Perl programming language. I have some errata online.
• Write Once Run Anywhere: Why It Matters
  An essay I wrote in October 1997 about the importance of platform-independent software, to information system managers, end users, and, of course, developers. Available locally, as well as from Sun's Java Home Page.
• PreText Magazine, November 1997 issue.
  This isn't a publication, per se, but more of an ``appearance.'' I took part in a forum discussing privacy and security issues.
• Snake Oil Warning Signs: Encryption Software to Avoid, also available in PostScript and PDF.
  Cryptography is hard. But it's a useful tool for everyone. So, how do you determine whether the crypto product that you're thinking about buying is any good, without being a cryptographer yourself? The "Snake Oil FAQ" was written to help folks understand the most basic principles of cryptography, as well as highlight some of the most common traits of bogus crypto products.
• The CPA's Guide to Information Security
  Published by Kent Information Services. I authored a chapter on network security, and provided material for and did a technical review of a chapter on cryptography.
• Lots of stuff living in usenet archives. Also be sure to look here, here, here, and here. You can probably find me elsewhere, too.

I didn't do it!

• ``Toysrus.com drops tracking service amid pressure'', c|net August 14, 2000.
  This is a great article. Therein, Coremetrics CEO Brett Hurt says, "Technically we could combine the data, but legally we don't have the right to do that." What a great confirmation of what we've said all along. We're worried about what can be done. To paraphrase a catchphrase that went around on cypherpunks some time back, we prefer good technology to good intentions.
• The N.E.W. Show: "The New Economy Watch", CNNfn, August 8, 2000.
  I gave an on-air interview about privacy problems with the Coremetrics data collection system specifically and web privacy in general.
• ``Toys `R' Us Suit Reveals Pitfalls of Privacy Policies'', Investor's Business Daily. August 7, 2000.
  Surprise of all surprises, Toys `R' Us managed to get itself sued by having a privacy policy that said one thing and then deployed a technology that did something else. (It's a really good article, too.)
• ``More Web Site User Data Gathering Revealed'', Slashdot. August 3, 2000.
• E-tailers' data-gathering questioned, The Columbus Dispatch August 2, 2000
  A local paper ran a localized version of the AP story that reported our findings on the Coremetrics system.
• Privacy Report Criticizes 'Infomediaries'. TheStandard.com. August 2, 2000.
• Sharing of personal data by Web sites sparks new privacy controversy, Computerworld August 1, 2000
  Computerworld's coverage of the story about Coremetrics, Toys `R' Us, and friends.
• Online Shopping: Privacy Hazard?, CBS News (D. Ian Hopper, AP), August 1, 2000.
  The AP article was the first to cover our report on the Coremetrics privacy problems.
• ``Group calls privacy protection measures ineffective'', c|net May 18, 2000
  This story reports on two privacy advisories we released, demonstrating how opt-out systems fail.
• ``Super Programmers'', Computerworld. November 24, 1997.
  There is a two-paragraph blurb about me in there.
• PC Computing Japan. August 1997 issue, p.212. I'd tell you what the name of the article was, but I can't read Japanese. (Maybe if I could read Japanese, I'd claim that they're not talking about me! :-) Seriously, this is an article about DESCHALL.
• ``Financial code cracked''. CNNfn. June 19, 1997.
  CNNfn's coverage of DESCHALL, the morning after we won the contest.
• ``Scientist questions standard for encryption technology''. Business First. May 23, 1997, p.10.
  A ``Tech Watch'' column for a central-Ohio business publication headlined with a note about DESCHALL about three weeks before we found the key.
• ``Eavesdroppers can crack digital cellphone codes''. Business First. May 23, 1997, p.25.
  Some folks in the cellular phone industry have been claiming that digital cell-phones are secure against eavesdroppers. I'm quoted in this article arguing that this is not the case, and that even phones that do offer encryption typically don't offer anything even moderately difficult to break.