interhack publications

A number of publications are available for your viewing pleasure, grouped by subject.

cryptography and security

Anatomy of Online Fraud: How Thieves Targeted eBay Users But Got Stopped Instead
eBay users in the United States were targeted in a scheme to collect their eBay login credentials and credit card numbers. A similar scheme went around twice later in the week. This paper analyzes the scheme against eBay users.
Spector Pro Review and Commentary
Spectorsoft's spyware package for Windows is briefly reviewed and discussed.
Comments on Guidelines on Securing Public Web Servers
NIST released a draft of its Guidelines on Securing Public Web Servers for public comment on February 28, 2002. Here is our response.
PCFriendly Enables DVD Backchannels
PCFriendly, a DVD content enhancement product, contains a backchannel that allows users to be watched unwittingly. The product has since been replaced by newer software, now known as the InterActual Player, but PCFriendly's failures are well worth considering.
Bank One Online Puts Customer Account Information at Risk.
The design and implementation of Bank One's online banking system suffers from several flaws that work together to put customers' credit and debit card numbers at risk of exposure.
A Failure To Communicate: When a Privacy Seal Doesn't Help.
An articulate privacy policy helps, but if reality and the policy don't agree, you still have a problem. That's what TRUSTe is all about: helping people identify sites with privacy policies that reflect reality. Too bad TRUSTe's own policy didn't tell you about who was tracking users of its site. Oops.
Getting To Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web.
How outsourcing web log processing can turn into a rather serious privacy problem, particularly then such outsourcing is being done in ways that are clearly contradictory to stated policy.
DoubleClick Opt Out Protocol Failure == Opt In
A failure to conform to the HTTP protocol specification results in a failure of DoubleClick's opt out mechanism. That is, if you opt out, it's possible that you'll be opted back in behind your back.
Opting In, By Accident
An apparent oversight in Netscape's handling of its cookies database makes it possible for people who opt out of banner advertising networks' tracking mechanisms to be opted back into the system without their knowledge.
Why Anti-Virus Software Cannot Stop the Spread of Email Worms
Malware like ILOVEYOU, Melissa, Happy99, and the like are just getting started. All of the anti-virus software and firewalls in the world won't stop it. But there is something that can.
Shibboleth: Private Mailing List Manager
This is a paper that describes a system that makes it possible to manage a mailing list that is closed to the outside world, one that resists attempts of outsiders to infiltrate the lists, one that can detect attempts to impersonate insiders, and one that supports cryptographic strength authentication.
What's Related? Everything but your privacy.
This is a report of our findings from examining the "smart browsing" feature of Netscape's Communicator 4.06. There are very serious privacy implications here that should not be ignored. After being made aware of these problems, Netscape has pointed a finger back at us instead of fixing the problem. (Updated March 26, 1999.)
Introduction to Network Security
This is a reproduction of a chapter from CPA's Guide to Information Security. A gentle introduction to network security for security-conscious end-users and information systems managers.
SKIPJACK and KEA Algorithm Specifications
(Also available in LaTeX source and as an archive with all the sources needed to typeset the document yourself.) As of version 1.7, I believe the document is error-free, particularly in the equations and figures. I'm less confident about the test vectors. Please report any errors you find. Note that this is partially derived from JYA's HTML version.
Firewalls FAQ
Answers to frequently asked questions about internet firewalls.
National Security Action Memorandum 160
Evidence that NSA was the first to discover public-key cryptography, a decade before Whit Diffie and Martin Hellman did in 1976. This is a sanitized copy of NSAM 160, titled "Permissive Links for Nuclear Weapons in NATO".
A Brute Force Search of DES Keyspace
Appeared in the May 1998 special issue of the USENIX Association's journal ;login:. This is a decent technical overview of the DESCHALL project, including what we did, and its significance. Also available in PostScript and PDF.
Snake Oil Warning Signs: Encryption Software to Avoid
Commonly known as the ``Snake Oil FAQ,'' this Usenet FAQ helps non-cryptographers identify weak cryptography products by exposing some of the common practices of the purveyors of bogus cryptography. Also includes a very brief introduction to cryptography basics.
A brief discussion of what the first brute-force crack of a 56-bit key means to everyone, even (perhaps especially to) those who don't directly use computers.

internet and systems

Analysis of Compact Disc Digital Rights Management
We studied dozens of compact discs and the copy protection schemes put on them. Some subtle but significant changes have taken place in CDs over the past few years and are well worth the attention of anyone who cares about who controls their computers.
Pelendur: Steward of the Sysadmin
A system for automated multidomain user account management. (Huh?) This thing basically takes care of user accounts for you, based on the status of users and the projects and groups to which they belong, in a central database. It takes care of user accounts on Unix, NT, and Sybase, completely without administrator intervention.
Address Munging Considered Harmful
Thinking about posting to Usenet with an address like <>? This tells you why you should not.


Creating an Environment for Reusable Software Research: A Case Study in Reusability
We apply the principles of a software reusability research project to a real-world project: a development environment for students and researchers and reap a large reward.
``Write Once Run Anywhere'': Why It Matters
An essay on the importance and feasibility of having software that runs completely unmodified on any type of computer.
Smalltalk FAQ
Another Usenet FAQ, one that was converted from nasty unreadable ASCII to LaTeX, which produces nice HTML, and PostScript.


Unix User Hierarchy
This one goes back a bit. Takes a snapshot across the population of Unix users, and categorizes them by their mastery of the system. A real hoot. And no, the last item does not refer to the chairman of Microsoft.
Hierarchy of TeXnical Accomplishments
Pretty much the same thing as the above, except instead of taking a snapshot of Unix users, it takes a snapshot of TeX users.

corporate | research | news | people | projects | publications | services | feedback | legal

C Matthew Curtin
Last modified: Mon Dec 12 10:42:49 EST 2005