This is a collection of PDF, Postscript, and other formats of a selected few of my publications - they're not in any order. For a more complete list, please get a copy of my resume (in MSWord format).
Open mail relays have long been vilified as one of the key vectors for spam, and today - thanks to education and the blocking efforts of open relay databases (ORDBs) - relatively few open relays remain to serve spammers. Yet a critical and widespread vulnerability remains in an as-yet unaddressed arena: web-based email forms. This paper describes the effects of a distributed proxy attack on a vulnerable email form, and proposes easy-to-implement solutions to an endemic problem. Based on forensic evidence, we observed a well-designed and intelligently implemented spam network, consisting of a large number of compromised intermediaries that receive instructions from an effectively untraceable source, and which attack vulnerable CGI forms. We also observe that although the problem can be easily mitigated, it will only get worse before it gets better: the vast majority of freely available email scripts suffer from the same vulnerability; the load on most proxies is relatively low and hard to detect; and many sites exploited by the compromised proxy machines may never notice that they have been attacked.
Copyright 2006 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.
It is no secret that we are at the dawn of the digital age - our parents (and for some of us, even our grandparents) have computers, digital cameras, MP3 players, etc. We each have more computing power in our cell phones than the mainframes of 35 years ago, and everywhere we find data acquisition and tracking systems.
Privacy has never before been more zealously guarded nor more freely abandoned, and with the proliferation of digital data collection and dissemination have come new worries.
What is being recorded, why, and by whom? With literally billions of computers around us, how can we keep our data (and ourselves) safe? How can we prevent misappropriation or misuse of information about ourselves? How can we ever expunge flawed records, urban legends, or embarrassing facts? We have become the elephant who never forgets, but what are we remembering?
This talk will take a look at what our world is becoming, and perhaps suggest what we can do to make it a little less imperfect.
Copyright 2006 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.
Flying Linux: We all know that "Linux is better than Windows". Few intelligent people would board a fly-by-wire airplane which was controlled by Microsoft Windows. So how about Linux? When your life is at stake, your attitudes change considerably. Better than Windows, yes - but better enough? This talk will look at what it takes to make software truly mission critical and man-rated. We'll go back to the earliest fly-by-wire systems - Mercury, Gemini, and Apollo - and look at such diverse (but critical!) issues as compartmentalization, trojans and terrorism, auditing and accountability, bugs and boundary conditions, distributed authoring, and revision control. At the end of this talk, what you thought might be an easy answer will be seen to be not so easy :-)
Copyright 2004 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.
This is my original paper on password security, which surveys nearly 15,000 accounts and reports on crackable and non-crackable passwords. The numbers are a bit dated (since then I have raised my cracking ability to better than 42%), but the warnings and fundamental findings are quite sound. In both Postscript and troff source form.
When you read this, remember this research was done in 1989. It took about 3 CPU-years on Sparc-1 and Sparc-2 computers. Today, programs like l0phtcrack on Windoze and Alec Muffett's Crack on Unix/Linux can accomplish the same results in a couple of months on a 1 GHz Pentium-class computer, and a 32-way Sparc can do the same thing in a few days.
Copyright 1990 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.
A paper written jointly by myself and Matt Bishop, which appears in "Computers and Security", and which discusses a proactive tool for password checking called "passwd+". In both Postscript and troff source form.
Copyright 1992, Matt Bishop and Daniel V. Klein.
A paper describing a collection of attacks used by surfers and web sites against other web sites, as well as attacks by web sites against surfers. For many attacks, defenses are also proposed (with examples). Available in Postscript form (Microsoft Word available upon special request).
Copyright 1999 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution. This paper was presented at the 1st USENIX Workshop on Detection Symposium and Network Monitoring in April 1999. Readers are encouraged to visit http://www.usenix.org/events/detection99/ and attend future USENIX workshops.
The adult industry is by far the biggest consumer of net bandwidth. It is arguably also the largest cash source for content providers. Without getting into the politics or "political correctness" of the industry as a whole, this talk will examine the many facets of this much maligned (and hugely subscribed) dark side of the web. And politics aside, there are many valuable lessons to be learned that apply to more "legitimate" web sites. We will examine what it means to be in a service industry (attitude, customer satisfaction, customer turnover, etc.), advertising (unlike other media, the web provides immediate and direct feedback on the efficacy of an ad), site scaling and bandwidth, monitoring, load sharing, load shedding, and load stealing. We'll look at issues of security, payment methods, billing, theft, and risk. We'll also see how data mining can be a boon (when you're the one with the pick-axe) and a bane (when you're being mined or otherwise hoisted on a petard), as well as issues of copyright protection and abrogation. Issues of spamming, being spammed, and even being targeted for an FBI sting operation will also be raised. And of course, the issues of site automation, what kind of people run adult sites, and "just how much money can you make doing this, anyway" will be explored.
While the entire adult industry is controversial at best, I believe that you will find the talk itself amusing, insightful, and thought provoking. And you will almost certainly walk away with information that can be applied to any web site, be it on the good side or the dark side of the force. This talk is gender neutral, and is rated PG-13. And yes, my Mother knows what I do for a living.
While the talk is far more interesting than the slides, many people have asked for copies of the slides, so here they are.
Copyright 1998, 2000, and 2002 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.
Commerce has been around for at least 5,000 years, and e-commerce has arguably existed for nearly 150 years. Amazingly, the evolution of e-commerce has closely paralleled the evolution of "real" commerce. But it's in Internet time: 5,000 years of mistakes, failures, and successes in commerce have been repeated in less than 1% of the time. This talk will look at that parallel evolution, with numerous amusing examples. Then we'll see how people actually make money on the Net. We'll wind up with some speculations on the future (you should bring your own grains of salt).
While the talk is far more interesting than the slides, many people have asked for copies of the slides, so here they are.
Copyright 2000 and 2002 by Daniel V. Klein, unlimited rights of distribution are hereby granted, provided the paper is distributed in its entirety, with full author attribution.