all posts

February 15, 2021
If Johnny can't patch, maybe he shouldn't use C/C++

August 11, 2020
How Emacs beat vi in the Editor Wars

January 17, 2019
Using an unsafe language is a design flaw

June 11, 2017
Legacy C/C++ code is a nuclear waste nightmare that will make you WannaCry

May 18, 2017
Incentives in security

May 2, 2017
Everyday security horrors

April 8, 2017
Deconstructing Xen snark

February 28, 2017
Internet advertising is a company town

January 22, 2017
C and C++ are dead like COBOL in 2017

January 19, 2017
Cross-site tracking hurts publishers

January 16, 2017
The case for the smart refrigerator

January 15, 2017
IoT is not dumb

December 14, 2016
Weak sauce from NIST

December 13, 2016
The case for the connected lightbulb

July 20, 2016
Once more unto the breach: C/C++ must die

May 29, 2016
Coding standards won't make C/C++ memory safe

May 23, 2016
C is bad and you should feel bad if you don't say it is bad

May 19, 2016
On teaching C

May 17, 2016
An infosec mystery

May 16, 2016
Pwnage Zero

May 2, 2016
Security must respect human nature

April 28, 2016
Pwn2Own says C/C++ causes root

April 27, 2016
A public health campaign to stop C/C++

April 24, 2016
What we've got here is a failure to communicate

April 22, 2016
Unfrozen Cyclone

April 3, 2016
Attack is on defense

March 24, 2016
Man, I fold

February 1, 2016
Awk, Unix, and functional programming

November 13, 2015
We can replace C/C++

October 15, 2015
Math is better than data

October 10, 2015
C doesn't cause buffer overflows, programmers cause buffer overflows

October 4, 2015
Constructing a narrative against the use of C

September 8, 2015
The C/C++ performance myth

August 27, 2015
Flash is dying from C/C++

August 18, 2015
Safe by default

August 15, 2015
Unsafe behind the firewall

August 14, 2015
Unsafe at any speed

August 14, 2015
An unsafe legacy

August 14, 2015
Why safe languages are the best way to achieve memory safety

August 12, 2015
The terrible beauty of C

August 9, 2015
Project Zero is not good enough

July 27, 2015
Let's sunset C/C++

July 21, 2015
Thoughts on Flash security

June 30, 2015
Credit and progress in computer security

April 20, 2015
Cereal entrepreneurs

April 14, 2015
Closed access publishing causes Ebola

March 30, 2015
Gender diversity in tech: fake it till you make it

March 20, 2015
CEOs are highly paid because they are monopolists, not unicorns

February 28, 2015
Regulatory bufferbloat

February 21, 2015
You can't eliminate trust in computer security

November 10, 2014
Ethics of Bitcoin and Tor security research

November 2, 2014
Internet voting in New Jersey

October 26, 2014
Innovation roundup

October 26, 2014
Golang bindings for LLVM

October 16, 2014
What Wall Street does right

September 25, 2014
Parsing bug of the week

September 16, 2014
The Victim of a Thousand Revisions

September 5, 2014
The iCloud password problem

August 30, 2014
Parsing as an interface to LLVM

August 22, 2014
Thoughts on monkey selfies

August 4, 2014
Deanonymizing users

August 3, 2014
There is no standard of ethics in computer security research

June 5, 2014
The gender gap starts at Princeton admissions

June 2, 2014
Finally: pattern matching

May 30, 2014
Sexism at Princeton

May 23, 2014
Fix the stupid: email edition

April 29, 2014
Do not DOI: Searchable hashes instead

April 20, 2014
Heartbleed roundup

April 17, 2014
What not to do about Heartbleed

March 11, 2014
Bitcoin interoperability

March 7, 2014
Cute title: Actual title

February 28, 2014
On transaction malleability

February 27, 2014
Publish before peer review

January 19, 2014
Remote work is a moon shot

December 13, 2013
Only browser makers can stop spies from piggybacking on commercial Web tracking

December 12, 2013
Journalism strikes back

December 9, 2013
Security research is attack biased

November 21, 2013
How to not store your users' passwords

November 19, 2013
Lessons of the Adobe password breach

November 14, 2013
Science, policy, and economics

November 5, 2013
Parsing bug of the week

November 2, 2013
Probabilistic zombies

November 1, 2013
Newsweek wins the dumbest Snowden story contest

October 10, 2013
Minimalism in security

October 4, 2013
GitHub as a business model for open-access publishing

October 4, 2013
Adobe shows why we need SRP

October 1, 2013
Web identity

September 27, 2013
Remix culture in programming languages

September 6, 2013
Being Snowden

September 6, 2013
Who's watching?

September 2, 2013
Schmidt's Paradox

August 19, 2013
Identity, not privacy

August 16, 2013
Anti-intellectualism in New Jersey

August 15, 2013
Where is the golden age of academic research?

July 25, 2013
Sentenced to 25 years

July 25, 2013
How to fix tech hiring

July 24, 2013
Recovering from academia

July 19, 2013
Remote pair programming in Emacs

May 27, 2013
John Reynolds and the invention of pattern matching

May 12, 2013
Et tu, Bloomberg?

April 26, 2013
WebRTC and the death of SMS

April 24, 2013
Classic blunders of video conferencing software

April 11, 2013
Apple can't do cloud because the cloud is Linux

April 10, 2013
Emacs koan

April 9, 2013
The streak continues

March 24, 2013
Debug SSL connections with a shim

March 14, 2013
Parsing bug of the week

February 28, 2013
Convert untrusted PDFs to trusted PDFs

February 28, 2013
Parsing bug of the week

February 18, 2013
Parsing bug of the week

February 5, 2013
Parsing bugs of the week

January 31, 2013
C and C++ are not context free

January 18, 2013
The four horsemen of open source

January 16, 2013
What happened to Java security?

January 13, 2013
What security researchers should take from the example of Aaron Swartz

December 23, 2012
Security experts are the preppers of cyberspace

December 20, 2012
"There's no math band-aid that will cure these boo-boos"

December 12, 2012
Parsing and syncing

November 16, 2012
How to prove that a programming language is context free

November 6, 2012
Into the tar pit you Go

November 6, 2012
How to judge a voting system

November 5, 2012
Vote by email in New Jersey

October 29, 2012
A specification for Markdown

October 19, 2012
Is Java context free?

October 10, 2012
Haskell is not context free

October 10, 2012
Python is not context free

October 7, 2012
If you think parsing is a solved problem, you've solved the wrong problem

October 5, 2012
Dynamic languages

September 27, 2012
Tar-pit thinking

September 17, 2012
The IE zero-day is a parsing bug

September 16, 2012
The monadic morass

August 25, 2012
Libraries and open access

August 21, 2012
scmin

August 11, 2012
The Ivy ceiling in chart form

August 9, 2012
Parsing is the weakest link

July 31, 2012
If you don't use semicolons, you're dead to me

June 21, 2012
The vulnerabilities market

June 13, 2012
Xen and the art of privilege maintenance

May 29, 2012
The Ivy ceiling

May 29, 2012
The pace of innovation is 30-plus years

May 25, 2012
Postel's Law and security, again

May 12, 2012
Open access should not mean sole access

April 24, 2012
Good news, Harvard is broke

April 23, 2012
The curious incident of the semicolon at the newline

March 24, 2012
A grammar for HTML5

March 22, 2012
Postel's Law and network security

March 18, 2012
Archival journals require open access

March 12, 2012
Paper harms scholarship

February 29, 2012
Hashing FTW

February 29, 2012
Reflow for PDF

February 24, 2012
Local man thinks trust is not transitive

February 24, 2012
Read DJB if you are researching DNS

February 15, 2012
Apple hardware

January 26, 2012
Abstain from TeX

January 5, 2012
Lisp and C

December 15, 2011
Postel's Law is not for you

January 10, 2011
Save the floppy disk icon