A number of publications are available for your viewing
pleasure, grouped by subject.
cryptography and security
- Anatomy of Online Fraud: How
Thieves Targeted eBay Users But Got Stopped
- eBay users in the United States were targeted in a scheme to
collect their eBay login credentials and credit card numbers.
A similar scheme went around twice later in the week. This
paper analyzes the scheme against eBay users.
- Spector Pro Review and Commentary
- Spectorsoft's spyware package for Windows is briefly
reviewed and discussed.
- Comments on Guidelines on Securing
Public Web Servers
- NIST released a draft of its Guidelines on Securing
Public Web Servers for public comment on February 28,
2002. Here is our response.
- PCFriendly Enables DVD Backchannels
- PCFriendly, a DVD content enhancement product, contains a
backchannel that allows users to be watched unwittingly. The
product has since been replaced by newer software, now known
as the InterActual Player, but PCFriendly's failures are well
- Bank One Online Puts Customer Account Information at Risk.
- The design and implementation of Bank One's online banking
system suffers from several flaws that work together to put
customers' credit and debit card numbers at risk of exposure.
- A Failure To Communicate:
When a Privacy Seal Doesn't Help.
policy don't agree, you still have a problem. That's what
TRUSTe is all about: helping people identify sites with
privacy policies that reflect reality. Too bad TRUSTe's
own policy didn't tell you about who was tracking users of its
- Getting To Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web.
- How outsourcing web log processing can turn into a rather
serious privacy problem, particularly then such outsourcing is
being done in ways that are clearly contradictory to stated
- DoubleClick Opt Out Protocol
Failure == Opt In
- A failure to conform to the HTTP protocol specification
results in a failure of DoubleClick's opt out mechanism. That
is, if you opt out, it's possible that you'll be opted back in
behind your back.
- Opting In, By Accident
- An apparent oversight in Netscape's handling of its cookies
database makes it possible for people who opt out of banner
advertising networks' tracking mechanisms to be opted back
into the system without their knowledge.
- Why Anti-Virus Software Cannot Stop
the Spread of Email Worms
- Malware like ILOVEYOU, Melissa, Happy99, and the like are
just getting started. All of the anti-virus software and
firewalls in the world won't stop it. But there is something
- Shibboleth: Private Mailing List
- This is a paper that describes a system that makes it
possible to manage a mailing list that is closed to the
outside world, one that resists attempts of outsiders to
infiltrate the lists, one that can detect attempts to
impersonate insiders, and one that supports cryptographic
- What's Related? Everything but your
- This is a report of our findings from examining the "smart
browsing" feature of Netscape's Communicator 4.06.
There are very serious privacy implications here that should
not be ignored. After being
made aware of these problems, Netscape has pointed a finger
back at us instead of fixing the problem.
(Updated March 26, 1999.)
- Introduction to Network Security
- This is a reproduction of a chapter from CPA's Guide to
Information Security. A gentle introduction to network
security for security-conscious end-users and information
- SKIPJACK and KEA Algorithm
- (Also available in LaTeX
source and as an archive
with all the sources needed to typeset the document yourself.)
As of version 1.7, I believe the document is error-free,
particularly in the equations and figures. I'm less confident
about the test vectors. Please report any errors you find. Note
that this is partially derived from
- Firewalls FAQ
- Answers to frequently asked questions about internet
- National Security
Action Memorandum 160
- Evidence that NSA was the first to discover public-key
cryptography, a decade before Whit Diffie and Martin Hellman
did in 1976. This is a sanitized copy of NSAM 160, titled
"Permissive Links for Nuclear Weapons in NATO".
- A Brute Force Search of DES Keyspace
- Appeared in the May 1998 special issue of the USENIX
This is a decent technical overview of the DESCHALL project, including what we did, and
its significance. Also available in
PostScript and PDF.
- Snake Oil Warning Signs: Encryption Software to Avoid
- Commonly known as the ``Snake Oil FAQ,'' this Usenet FAQ
helps non-cryptographers identify weak cryptography products
by exposing some of the common practices of the purveyors of
bogus cryptography. Also includes a very brief introduction
to cryptography basics.
- What DESCHALL Means
- A brief discussion of what the first brute-force crack of a
56-bit key means to everyone, even (perhaps especially to)
those who don't directly use computers.
internet and systems
- Analysis of Compact Disc Digital Rights Management
- We studied dozens of compact discs and the copy protection
schemes put on them. Some subtle but significant changes have
taken place in CDs over the past few years and are well worth
the attention of anyone who cares about who controls their
- Pelendur: Steward of the Sysadmin
- A system for automated multidomain user account management.
(Huh?) This thing basically takes care of user accounts for
you, based on the status of users and the projects and groups
to which they belong, in a central database. It takes care of
user accounts on Unix, NT, and Sybase, completely without
- Address Munging Considered Harmful
- Thinking about posting to Usenet with an address like
tells you why you should not.
- Creating an Environment
for Reusable Software Research: A Case Study in Reusability
- We apply the principles of a software reusability research
project to a real-world project: a development environment for
students and researchers and reap a large reward.
- ``Write Once Run Anywhere'': Why It Matters
- An essay on the importance and feasibility of having
software that runs completely unmodified on any type of computer.
- Smalltalk FAQ
- Another Usenet FAQ, one that was converted from nasty
unreadable ASCII to LaTeX, which produces nice HTML, and
- Unix User Hierarchy
- This one goes back a bit. Takes a snapshot across the
population of Unix users, and categorizes them by their
mastery of the system. A real hoot. And no, the last item
does not refer to the chairman of Microsoft.
- Hierarchy of
- Pretty much the same thing as the above, except instead of
taking a snapshot of Unix users, it takes a snapshot of TeX
C Matthew Curtin
Last modified: Mon Dec 12 10:42:49 EST 2005