A Pact with the Devil - Bond and Danezis, June 6th 2006 With thanks to Joshua Corman and David Etue for pointing this paper out to me during discussions at the GOTO London conference. Does that app really need all those permissions? And why can't permissions be finer-grained or temporary? For example - I'm happy … Continue reading A Pact with the Devil

Buffer Overflows: Attacks and Defenses for the Vulnerabilty of the Decade - Cowan et al. 2000 Some of you may recall reading "Smashing the Stack for Fun and Profit" (hard to believe that was published in 1996!), which helped to raise consciousness of buffer overflow attacks. In this paper from 2000 Cowan et al. provide … Continue reading Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade

Lessons Learned in Implementing and Deploying Crypto Software - Gutmann 2002 The author of today's paper, Peter Gutmann, is the developer of CryptLib, which gives him a unique perspective both in the development of crypto, and also in how people use it (from supporting the crypolib user base). The paper was written in 2002, so … Continue reading Lessons Learned in Implementing and Deploying Crypto Software

Mining your Ps and Qs: Detection of Widespread Weak Keys in Network Devices - Heninger et al. 2012 This paper definitely wins the 'best pun in a paper title' prize. P and Q here refer to the factors that are multiplied together when generating your public and private key pairs. As for the mining? It … Continue reading Mining your Ps and Qs: Detection of Widespread Weak Keys in Network Devices

MD5 To Be Considered Harmful Someday - Kaminsky 2004 A few people have asked if I can cover more security topics in The Morning Paper. It's a subject area that always seems a little daunting to me (as in, "a little knowledge is a dangerous thing"), but it's also a subject area that I feel … Continue reading MD5 To Be Considered Harmful Someday