Selected Publications

This is a collection of a selected few of my publications, in PDF, PostScript, and other formats; they are not in any particular order. For a more complete list, please get a copy of my resume (in MS Word format).


Klein, D. V.; "Frank Lloyd Wright was Right!"

Plenary speech at AusCERT 2009, Gold Coast, Australia
Closing plenary at GOVCERT 2009, Rotterdam
Closing plenary at LISA09, Baltimore
Closing plenary at OpenSourceDays 2010, Copenhagen

AusCERT and GOVCERT have been holding conferences for quite a few years, and the CERT/CC was founded over two decades ago. Yet in spite of these prominent centers of excellence, we keep seeing new attacks, new exploits, and new vulnerabilities - in simpler terms, "same stuff, different day". It's not because there are more bad guys out there (although there are), and it's not because the bad guys are smarter (but they are). In my opinion, it is because we are working with tools and systems that are fundamentally flawed. Our house of bricks is built on a sandy foundation, and we find ourselves at a crossroads - the same crossroads that every technology has faced in our history: start over again and do it right from the start, or keep doing it wrong until it all falls over in a heap.

This talk will try to take a lighthearted look at some really bad news. Either we will have to spend a lot of money redeveloping our basic tools, infrastructure, and operating systems properly, or we will have to spend a lot of money patching bugs and regularly recovering from security disasters (and continually be faced with the same basic problems). One way we have a lot of unhappy people now, the other will have a lot of unhappy people later.

In the 1950s, the architect Frank Lloyd Wright was given a tour of Pittsburgh, which ended atop Mt. Washington. He was asked "okay, what should we do?". In his inimitable style, he looked around and said "raze it and start over". Having lived in Pittsburgh for 35 years, I can tell you that he was right.

I've worked with computers for as long as I've been in Pittsburgh. Frank's advice is strangely apropos...

Copyright 2009 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the file is distributed in its entirety, with full author attribution.


Klein, D. V.; "Security As If Your Life Depended On It (because it might!)"

Keynote speech at the 2008 Copenhagen OpenSource Days
Invited talk at AusCERT 2008, Gold Coast, Australia

If my computer crashes, it's not the end of the world - it just seems that way sometimes, when I lose 3+ hours of work. But computers are appearing everywhere - in our phones, cars, airplanes, medical devices and urban infrastructure in more ways than we imagine, and they are networked in more ways than we know.

Our telephone network is becoming more and more IP based. Generators and power systems are on the internet for "maintenance and diagnostic purposes", but they are also the targets of hackers (with catastrophic consequences). The new Boeing 787 will have in-flight internet access at each seat, but the same network will be connected to the avionics. Pacemakers can be hacked wirelessly. Suddenly a computer crash threatens more than 3 hours of work, it threatens my life! And while man-rated systems are rigorously tested for proper functioning, it is much harder to prove the negative that "you can't break in".

This talk will look at some fundamental assumptions about security that cannot be addressed with the "patch it in the next release" mentality - we have to get it right the first time. What I hope to convey is that Security (and paranoia) has to be a lifestyle choice and not just your job. And as security professionals, we need to convince everyone that there are no shortcuts - because the shortest path from 35,000 feet is straight down.

Copyright 2008 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the file is distributed in its entirety, with full author attribution.


Klein, D. V.; "A Forensic Analysis of a Distributed Two-Stage Web-Based Spam Attack"

Best Paper Honorable Mention at the 2006 USENIX LISA Conference, Washington D.C.

Open mail relays have long been vilified as one of the key vectors for spam, and today - thanks to education and the blocking efforts of open relay databases (ORDBs) - relatively few open relays remain to serve spammers. Yet a critical and widespread vulnerability remains in an as-yet unaddressed arena: web-based email forms. This paper describes the effects of a distributed proxy attack on a vulnerable email form, and proposes easy-to-implement solutions to an endemic problem. Based on forensic evidence, we observed a well-designed and intelligently implemented spam network, consisting of a large number of compromised intermediaries that receive instructions from an effectively untraceable source, and which attack vulnerable CGI forms. We also observe that although the problem can be easily mitigated, it will only get worse before it gets better: the vast majority of freely available email scripts all suffer from the same vulnerability; the load on most proxies is relatively low and hard to detect; and many sites exploited by the compromised proxy machines may never notice that they have been attacked.

Copyright 2006 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


Klein, D. V.; "Perfect Data in an Imperfect World";

Keynote speech at the 2006 Copenhagen LinuxForum
Invited talk at the 2006 USENIX LISA Conference, Washington D.C.

It is no secret that we are at the dawn of the digital age - our parents (and for some of us, even our grandparents) have computers, digital cameras, MP3 players, etc. We each have more computing power in our cell phones than the mainframes of 35 years ago, and everywhere we find data acquisition and tracking systems.

Privacy has never before been more zealously guarded nor more freely abandoned, and with the proliferation of digital data collection and dissemination have come new worries.

What is being recorded, why, and by whom? With literally billions of computers around us, how can we keep our data (and ourselves) safe? How can we prevent misappropriation or misuse of information about ourselves? How can we ever expunge flawed records, urban legends, or embarrassing facts? We have become the elephant who never forgets, but what are we remembering?

This talk will take a look at what our world is becoming, and perhaps suggest what we can do to make it a little less imperfect.

Copyright 2006 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


Klein, D. V.; "Flying Linux";

Keynote speech at the 2004 Copenhagen LinuxForum
Invited talk at the 2004 USENIX LISA Conference, Atlanta GA.

Flying Linux: We all know that "Linux is better than Windows". Few intelligent people would board a fly-by-wire airplane which was controlled by Microsoft Windows. So how about Linux? When your life is at stake, your attitudes change considerably. Better than Windows, yes - but better enough? This talk will look at what it takes to make software truly mission critical and man-rated. We'll go back to the earliest fly-by-wire systems - Mercury, Gemini, and Apollo - and look at such diverse (but critical!) issues as compartmentalization, trojans and terrorism, auditing and accountability, bugs and boundary conditions, distributed authoring, and revision control. At the end of this talk, what you thought might be an easy answer will be seen to be not so easy :-)

Copyright 2004 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


Klein, D. V.; "Foiling the Cracker; A Survey of, and Improvements to Unix Password Security"

(original paper) Proceedings of the United Kingdom Unix User's Group, London ENGLAND, July 1990

Klein, D. V.; "Foiling the Cracker; A Survey of, and Improvements to Unix Password Security"

(revised paper) Proceedings of the USENIX Security Workshop, Summer 1990

Klein, D. V.; "Foiling the Cracker; A Survey of, and Improvements to Unix Password Security"

(revised paper with new data) Proceedings of the 14th DoE Computer Security Group, May 1991

This is my original paper on password security, which surveys nearly 15,000 accounts and reports on crackable and non-crackable passwords. The numbers are a bit dated (since then I have raised my cracking ability to better than 42%), but the warnings and fundamental findings are quite sound. In both PostScript and troff source form.

When you read this, remember this research was done in 1989. It took about 3 CPU-years on Sparc-1 and Sparc-2 computers. A few years ago (ca. 2006), programs like l0phtcrack on Windoze and Alec Muffett's Crack on Unix/Linux could accomplish the same results in a couple of months on a 1 GHz Pentium-class computer, and a 32-way Sparc could do the same thing in a few days. Today (2010), computing in the cloud has reduced this to hours (or less, depending on how much computational horsepower you want to pay for).

Copyright 1990 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


Bishop, M., and Klein, D.V.; "Achieving Password Security through Proactive Checking"

Computers and Security 14(3)

A paper written jointly by myself and Matt Bishop, which appears in "Computers and Security", and which discusses a proactive tool for password checking called "passwd+". In both PostScript and troff source form.

Copyright 1992, Matt Bishop and Daniel V. Klein.


Klein, D.V., "Defending against the Wily Surfer - Web-based Attacks and Defenses"

Proceedings of the 1st USENIX Workshop on Detection Symposium and Network Monitoring, Santa Clara CA, April 1999

A paper describing a collection of attacks used by surfers and web sites against other web sites, as well as attacks by web sites against surfers. For many attacks, defenses are also proposed (with examples). Available in PostScript form (Microsoft Word available upon special request).

Copyright 1999 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution. This paper was presented at the 1st USENIX Workshop on Detection Symposium and Network Monitoring in April 1999. Readers are encouraged to visit http://www.usenix.org/events/detection99/ and attend future USENIX workshops.


Klein, D.V., "Succumbing to the Dark Side of the Force - The Internet as Viewed from an Adult Website".

Invited talk at USENIX 1998, LISA 1998, SANS, SAGE-AU, and O'Reilly's Open Source Conference

The adult industry is by far the biggest consumer of net bandwidth. It is arguably also the largest cash source for content providers. Without getting into the politics or "political correctness" of the industry as a whole, this talk will examine the many facets of this much maligned (and hugely subscribed) dark side of the web. And politics aside, there are many valuable lessons to be learned that apply to more "legitimate" web sites.

We will examine what it means to be in a service industry (attitude, customer satisfaction, customer turnover, etc.), advertising (unlike other media, the web provides immediate and direct feedback on the efficacy of an ad), site scaling and bandwidth, monitoring, load sharing, load shedding, and load stealing. We'll look at issues of security, payment methods, billing, theft, and risk. We'll also see how data mining can be a boon (when you're the one with the pick-axe) and a bane (when you're being mined or otherwise hoisted on a petard), as well as issues of copyright protection and abrogation. Issues of spamming, being spammed, and even being targeted for an FBI sting operation will also be raised. And of course, the issues of site automation, what kind of people run adult sites, and "just how much money can you make doing this, anyway" will be explored.

While the entire adult industry is controversial at best, I believe that you will find the talk itself amusing, insightful, and thought provoking. And you will almost certainly walk away with information that can be applied to any web site, be it on the good side or the dark side of the force. This talk is gender neutral, and is rated PG-13. And yes, my Mother knows what I do for a living.

While the talk is far more interesting than the slides, many people have asked for copies of the slides, so here they are.

Copyright 1998, 2000, and 2002 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


Klein, D.V., "150/5,000 Years of (E-)Commerce: History Repeats Itself (Again)"

Invited talk at USENIX, SANS, and the Russian Academy of Science's Conference on Electronic Commerce

Commerce has been around for at least 5,000 years, and e-commerce has arguably existed for nearly 150 years. Amazingly, the evolution of e-commerce has closely paralleled the evolution of "real" commerce. But it's in Internet time: 5,000 years of mistakes, failures, and successes in commerce have been repeated in less than 1% of the time.

This talk will look at that parallel evolution, with numerous amusing examples. Then we'll see how people actually make money on the Net. We'll wind up with some speculations on the future (you should bring your own grains of salt).

While the talk is far more interesting than the slides, many people have asked for copies of the slides, so here they are.

Copyright 2000, and 2002 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.


RMU Tech Now conference Links

These are the web-page links that I referenced at my panel session at Robert Morris University's Tech Now Conference.