Some relatively recent publications for which I am at least
partially to blame.
Trust: Online Privacy and Security
Developing Trust is my book on how to build systems
that don't come back and bite us. In the book, I argue that
privacy-aware systems are necessary for good security, that
today's methods of "addressing" privacy are doomed to failure,
and that we can build systems worthy of trust, if we have the
courage to do so. Available in late November 2001 from Apress
in the US and from Springer-Verlag internationally.
- Getting to Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web
Coremetrics has implemented a system that will allow web site
operators to determine how people are using their site without
having to perform their own data collection and analysis.
This is implemented in a peculiar way; it's a combination of
browsers to copy personal information out of forms and report
the information back to Coremetrics for collection and
analysis. This raises many privacy concerns and even
Coremetrics doesn't seem to understand the terrible potential
of this system in a failure mode.
- DoubleClick Opt Out Protocol Failure == Opt In
DoubleClick, in its infinite wisdom, implemented the HTTP
protocol (RFC 2616) incorrectly. Specifically, it does not
treat HTTP headers case insensitively. This causes opt-out
cookies to fail sometimes, thus making it possible to report
falsely that a user who tried to opt-out of the system did
so. It is also possible for someone who has opted out of the
system at one time to be opted back into it, completely
without his knowledge.
- Opting In, By Accident
Discovery and investigation of a problem in Netscape's
Communicator version 4 that makes it possible for
people who have opted out of banner advertising networks'
tracking activity to be opted back in silently.
- Shibboleth: Private Mailing List Manager
To appear in the Proceedings of the 9th USENIX Security
- Preserving Integrity
May 2000 issue of
- On Guard: Protecting your site against attack
April 2000 issue of
- Radio appearance on
with no name.
It aired live on Wednesday, December 15,
1999. When asked for my "Y2K prediction", I said that we'll
see mostly localized problems, caused by things like some
drunk slamming his car into a utility pole just after
midnight and interrupting electricity. On the morning of
January 1, 2000, I heard on the radio that some fool slammed
his car into a utility pole just after midnight and knocked
out electricity for about 3,000 people in the Columbus suburb
of Hilliard. Ha!
- Creating an
Environment for Reusable Software Research: A Case Study in
This is archived as an OSU-CIS technical report
(OSU-CISRC-8/99-TR21); I'm poking around for a place to
- Electronic Snake Oil
Published in the April 1999 issue of the
(An adaptation of the "Snake Oil FAQ" cited below.)
- ``What's Related?'' Everything
But Your Privacy. An examination of the ``smart
browsing'' feature in Netscape's Communicator 4.06.
- Firewalls FAQ, maintained with
Marcus J. Ranum.
Published as an official USENET FAQ. This is the first place
to go when you need answers to your questions about
firewalls. Lots of good introductory information, some
sage advice, and examples of how to implement various schemes
to protect yourself.
- ``A Brute Force Search of DES Keyspace''
Published in a special supplimentary (May 1998) issue of the
for the 1998 USENIX Security Symposium.
versions are also available.
- IBM's Daily Grounds. I was
interviewed for a small piece called `A View From the Trenches' in March 1998. It's about Java, what's cool about it, what isn't so cool about it, and what's happening with it.
- Unix Unleashed, Internet Edition.
Available at about every bookstore on the planet. I wrote
pieces that made it into an introduction to CGI programming,
as well as the chapter on writing CGI programs in the Perl
programming language. I have some
- Write Once Run Anywhere: Why It Matters
An essay I wrote in October 1997 about the importance of
platform-independent software, to information system managers,
end users, and, of course, developers. Available
locally, as well as from
Java Home Page.
- PreText Magazine, November 1997 issue.
This isn't a publication, per se, but more of an
``appearance.'' I took part in a forum discussing privacy
and security issues.
- Snake Oil Warning Signs:
Encryption Software to Avoid, also available in
hard. But it's a useful tool for everyone. So, how do you
determine whether the crypto product that you're thinking
about buying is any good, without being a cryptographer
yourself? The "Snake Oil FAQ" was written to help folks
understand the most basic principles of cryptography, as well
as highlight some of the most common traits of bogus crypto
- The CPA's Guide to Information Security
Published by Kent Information
Services. I authored a
chapter on network
provided material for and did a technical review of a chapter
- Lots of stuff living in usenet archives.
Also be sure to look here,
You can probably find me elsewhere, too.
I didn't do it!
Here are some references to selected publications I didn't write,
but that mention me or my work. Some of our projects have gotten
such wide publicity that we can't possibly list all of the
articles, so we'll just include a sampling.
- ``Toysrus.com drops tracking service amid pressure'', c|net August 14, 2000.
This is a great article. Therein, Coremetrics CEO Brett Hurt
says, "Technically we could combine the data, but legally we
don't have the right to do that." What a great confirmation
of what we've said all along. We're worried about what
can be done. To paraphrase a catchphrase that went
around on cypherpunks some time back, we prefer good
technology to good intentions.
- The N.E.W. Show: "The New Economy Watch", CNNfn, August 8, 2000.
I gave an on-air interview about privacy problems with the
Coremetrics data collection system specifically and web
privacy in general.
- ``Toys `R' Us Suit Reveals Pitfalls of Privacy Policies'',
Investor's Business Daily. August 7, 2000.
Surprise of all surprises, Toys `R' Us managed to get itself
deployed a technology that did something else. (It's a really
good article, too.)
- ``More Web Site User Data Gathering Revealed'', Slashdot. August 3, 2000.
- E-tailers' data-gathering questioned, The Columbus Dispatch August 2, 2000
A local paper ran a localized version of the AP story that
reported our findings on the Coremetrics system.
Report Criticizes 'Infomediaries'. TheStandard.com.
August 2, 2000.
- Sharing of personal data by Web sites sparks new privacy controversy, Computerworld August 1, 2000
Computerworld's coverage of the story about
Coremetrics, Toys `R' Us, and friends.
- Online Shopping: Privacy Hazard?, CBS News (D. Ian Hopper, AP), August 1, 2000.
The AP article was the first to cover our report on the
Coremetrics privacy problems.
- ``Group calls privacy protection measures ineffective'', c|net May 18, 2000
This story reports on two privacy advisories we released,
demonstrating how opt-out systems fail.
- ``Super Programmers'', Computerworld. November 24, 1997.
There is a two-paragraph blurb about me in there.
- PC Computing Japan. August 1997 issue, p.212. I'd
tell you what the name of the article was, but I can't read
Japanese. (Maybe if I could read Japanese, I'd claim that
they're not talking about me! :-) Seriously, this is an
article about DESCHALL.
- ``Financial code cracked''. CNNfn. June 19, 1997.
CNNfn's coverage of DESCHALL, the morning after we won the
- ``Scientist questions standard for encryption technology''.
Business First. May 23, 1997, p.10.
A ``Tech Watch'' column for a central-Ohio business
publication headlined with a note about DESCHALL about three
weeks before we found the key.
- ``Eavesdroppers can crack digital cellphone codes''.
Business First. May 23, 1997, p.25.
Some folks in the cellular phone industry have been claiming
that digital cell-phones are secure against eavesdroppers.
I'm quoted in this article arguing that this is not the case,
and that even phones that do offer encryption typically don't
offer anything even moderately difficult to break.
the soap box |
C Matthew Curtin
Last modified: Tue Oct 16 15:58:34 EDT 2001