all posts
February 15, 2021
If Johnny can't patch, maybe he shouldn't use C/C++
August 11, 2020
How Emacs beat vi in the Editor Wars
January 17, 2019
Using an unsafe language is a design flaw
June 11, 2017
Legacy C/C++ code is a nuclear waste nightmare that will make you WannaCry
May 18, 2017
Incentives in security
May 2, 2017
Everyday security horrors
April 8, 2017
Deconstructing Xen snark
February 28, 2017
Internet advertising is a company town
January 22, 2017
C and C++ are dead like COBOL in 2017
January 19, 2017
Cross-site tracking hurts publishers
January 16, 2017
The case for the smart refrigerator
January 15, 2017
IoT is not dumb
December 14, 2016
Weak sauce from NIST
December 13, 2016
The case for the connected lightbulb
July 20, 2016
Once more unto the breach: C/C++ must die
May 29, 2016
Coding standards won't make C/C++ memory safe
May 23, 2016
C is bad and you should feel bad if you don't say it is bad
May 19, 2016
On teaching C
May 17, 2016
An infosec mystery
May 16, 2016
Pwnage Zero
May 2, 2016
Security must respect human nature
April 28, 2016
Pwn2Own says C/C++ causes root
April 27, 2016
A public health campaign to stop C/C++
April 24, 2016
What we've got here is a failure to communicate
April 22, 2016
Unfrozen Cyclone
April 3, 2016
Attack is on defense
March 24, 2016
Man, I fold
February 1, 2016
Awk, Unix, and functional programming
November 13, 2015
We can replace C/C++
October 15, 2015
Math is better than data
October 10, 2015
C doesn't cause buffer overflows, programmers cause buffer overflows
October 4, 2015
Constructing a narrative against the use of C
September 8, 2015
The C/C++ performance myth
August 27, 2015
Flash is dying from C/C++
August 18, 2015
Safe by default
August 15, 2015
Unsafe behind the firewall
August 14, 2015
Unsafe at any speed
August 14, 2015
An unsafe legacy
August 14, 2015
Why safe languages are the best way to achieve memory safety
August 12, 2015
The terrible beauty of C
August 9, 2015
Project Zero is not good enough
July 27, 2015
Let's sunset C/C++
July 21, 2015
Thoughts on Flash security
June 30, 2015
Credit and progress in computer security
April 20, 2015
Cereal entrepreneurs
April 14, 2015
Closed access publishing causes Ebola
March 30, 2015
Gender diversity in tech: fake it till you make it
March 20, 2015
CEOs are highly paid because they are monopolists, not unicorns
February 28, 2015
Regulatory bufferbloat
February 21, 2015
You can't eliminate trust in computer security
November 10, 2014
Ethics of Bitcoin and Tor security research
November 2, 2014
Internet voting in New Jersey
October 26, 2014
Innovation roundup
October 26, 2014
Golang bindings for LLVM
October 16, 2014
What Wall Street does right
September 25, 2014
Parsing bug of the week
September 16, 2014
The Victim of a Thousand Revisions
September 5, 2014
The iCloud password problem
August 30, 2014
Parsing as an interface to LLVM
August 22, 2014
Thoughts on monkey selfies
August 4, 2014
Deanonymizing users
August 3, 2014
There is no standard of ethics in computer security research
June 5, 2014
The gender gap starts at Princeton admissions
June 2, 2014
Finally: pattern matching
May 30, 2014
Sexism at Princeton
May 23, 2014
Fix the stupid: email edition
April 29, 2014
Do not DOI: Searchable hashes instead
April 20, 2014
Heartbleed roundup
April 17, 2014
What not to do about Heartbleed
March 11, 2014
Bitcoin interoperability
March 7, 2014
Cute title: Actual title
February 28, 2014
On transaction malleability
February 27, 2014
Publish before peer review
January 19, 2014
Remote work is a moon shot
December 13, 2013
Only browser makers can stop spies from piggybacking on commercial Web tracking
December 12, 2013
Journalism strikes back
December 9, 2013
Security research is attack biased
November 21, 2013
How to not store your users' passwords
November 19, 2013
Lessons of the Adobe password breach
November 14, 2013
Science, policy, and economics
November 5, 2013
Parsing bug of the week
November 2, 2013
Probabilistic zombies
November 1, 2013
Newsweek wins the dumbest Snowden story contest
October 10, 2013
Minimalism in security
October 4, 2013
GitHub as a business model for open-access publishing
October 4, 2013
Adobe shows why we need SRP
October 1, 2013
Web identity
September 27, 2013
Remix culture in programming languages
September 6, 2013
Being Snowden
September 6, 2013
Who's watching?
September 2, 2013
Schmidt's Paradox
August 19, 2013
Identity, not privacy
August 16, 2013
Anti-intellectualism in New Jersey
August 15, 2013
Where is the golden age of academic research?
July 25, 2013
Sentenced to 25 years
July 25, 2013
How to fix tech hiring
July 24, 2013
Recovering from academia
July 19, 2013
Remote pair programming in Emacs
May 27, 2013
John Reynolds and the invention of pattern matching
May 12, 2013
Et tu, Bloomberg?
April 26, 2013
WebRTC and the death of SMS
April 24, 2013
Classic blunders of video conferencing software
April 11, 2013
Apple can't do cloud because the cloud is Linux
April 10, 2013
Emacs koan
April 9, 2013
The streak continues
March 24, 2013
Debug SSL connections with a shim
March 14, 2013
Parsing bug of the week
February 28, 2013
Convert untrusted PDFs to trusted PDFs
February 28, 2013
Parsing bug of the week
February 18, 2013
Parsing bug of the week
February 5, 2013
Parsing bugs of the week
January 31, 2013
C and C++ are not context free
January 18, 2013
The four horsemen of open source
January 16, 2013
What happened to Java security?
January 13, 2013
What security researchers should take from the example of Aaron Swartz
December 23, 2012
Security experts are the preppers of cyberspace
December 20, 2012
"There's no math band-aid that will cure these boo-boos"
December 12, 2012
Parsing and syncing
November 16, 2012
How to prove that a programming language is context free
November 6, 2012
Into the tar pit you Go
November 6, 2012
How to judge a voting system
November 5, 2012
Vote by email in New Jersey
October 29, 2012
A specification for Markdown
October 19, 2012
Is Java context free?
October 10, 2012
Haskell is not context free
October 10, 2012
Python is not context free
October 7, 2012
If you think parsing is a solved problem, you've solved the wrong problem
October 5, 2012
Dynamic languages
September 27, 2012
Tar-pit thinking
September 17, 2012
The IE zero-day is a parsing bug
September 16, 2012
The monadic morass
August 25, 2012
Libraries and open access
August 21, 2012
scmin
August 11, 2012
The Ivy ceiling in chart form
August 9, 2012
Parsing is the weakest link
July 31, 2012
If you don't use semicolons, you're dead to me
June 21, 2012
The vulnerabilities market
June 13, 2012
Xen and the art of privilege maintenance
May 29, 2012
The Ivy ceiling
May 29, 2012
The pace of innovation is 30-plus years
May 25, 2012
Postel's Law and security, again
May 12, 2012
Open access should not mean sole access
April 24, 2012
Good news, Harvard is broke
April 23, 2012
The curious incident of the semicolon at the newline
March 24, 2012
A grammar for HTML5
March 22, 2012
Postel's Law and network security
March 18, 2012
Archival journals require open access
March 12, 2012
Paper harms scholarship
February 29, 2012
Hashing FTW
February 29, 2012
Reflow for PDF
February 24, 2012
Local man thinks trust is not transitive
February 24, 2012
Read DJB if you are researching DNS
February 15, 2012
Apple hardware
January 26, 2012
Abstain from TeX
January 5, 2012
Lisp and C
December 15, 2011
Postel's Law is not for you
January 10, 2011
Save the floppy disk icon