
Welcome to crypto.com, Matt Blaze's cryptography resource

New (January, 2007 and later):

I've finally joined the late 20th century and installed a blog, "Matt Blaze's Exhaustive Search" [http://www.crypto.com/blog]. Most of what I write and do from now on will be announced on the blog, so check there to see what's new.

Older stuff:

August 6, 2006: Our USENIX Security paper on "Keyboards and Covert Channels" (for which Gaurav Shah and Andres Molina won Best Student Paper) is now available in the papers directory (PDF format). The paper introduces "JitterBugs", a new class of hardware keyboard sniffer that does not require subsequent access or any changes to the host software. JitterBugs demonstrate that "supply chain attacks" can be a practical and powerful threat.
Fall, 2006: I'm teaching the undergraduate Operating Systems course (CSE-380) at Penn in the Fall 2006 semester.
November 29, 2005: For information about our paper on vulnerabilities in law enforcement wiretapping systems, including audio examples, click here.
August 16, 2005: Help save the reconstructed Colossus, arguably the world's first electronic computer, built in secrecy at Bletchley Park in England during WWII to break enciphered German messages. Read the story (and donate generously) at http://www.bletchleyparkheritage.org.uk/.
June 27, 2005: I'm giving this month's Penn Science Cafe talk Monday evening (near the Penn campus).
May, 2005: I'm finally getting around to updating the photos page, but it's slow going.
December 17, 2004: There's a lot that information security can learn from physical security. See my new draft survey of safecracking and computer science in the papers directory. (Warning - this is a heavily illustrated -- and hence big -- .pdf file)
April 6, 2004: I'm chairing USENIX Security '04, to be held August 9-13, 2004 in San Diego, CA. The program will be available soon at http://www.usenix.org. Until then, the list of accepted papers can be found here (ASCII text). Although the submission deadline is now long past, the official Call for Papers is here; a plain ASCII version is here.
Spring, 2004: I taught a graduate seminar (CIS-700/03) on security vulnerabilities at Penn. Check out the course web page, here.
October 13, 2003: Nothing to do with security, but I recently did some performance measurements of NiMH battery chargers, which you can find here.
January 22, 2003: For information about my paper on the vulnerability of master keyed mechanical lock systems, click here.
October 23, 2002: Some new papers can be found in the research papers section, including some new material on the relationship between cryptology and mechanical locks.
December 26, 2001: The list of accepted papers for FC'02 can be found here. For information about the conference, click here.
September 12, 2001: My thoughts on yesterday's tragic events can be found here.
August 21, 2001: The Call for Papers for Financial Cryptography '02 is available here.
August 16, 2001: My declaration in Felten et al vs. RIAA et al can be found here (ASCII text).
December 4, 2000: In October, I was part of a group of five security researchers invited by the Justice Department to identify technical issues with the Carnivore system that should be addressed by an outside review. We have just released our analysis of IITRI's draft report on Carnivore; our comments can be found here.
November 21, 2000: The US Department of Justice has released a sanitized version of the IITRI Report on Carnivore. I've mirrored the PDF file here.
September 1, 2000: Steve Bellovin and I wrote a short guest column for Peter Neumann's Inside Risks page in the October 2000 CACM, reprinted here.
July 24, 2000: The House Judiciary Committee's Subcommittee on the Constitution held hearings on "Fourth Amendment Issues Raised by the FBI's 'Carnivore' Program." There were witnesses from the FBI and Department of Justice as well as technical people, civil liberties advocates, and representatives from ISPs. I was invited to testify as an expert on the risks of Internet wiretapping generally and on the issues that would be raised by making the Carnivore software open-source in particular. You can read my written testimony here.

If you're trying to find information about "Crypto.Com, Inc.," click here.

In real life: On January 1st, 2004, I joined the faculty at the Computer and Information Sciences Department at the University of Pennsylvania, where I study and teach security and cryptology. I also serve there as acting director of the Distributed Systems Laboratory, which is an academic and research resource for the study of networking and security. I spent the dozen years before I joined Penn as a research scientist at AT&T Labs - Research / AT&T Bell Labs, in various parts of New Jersey. My research focuses on trust management, smart cards, cryptographic and security protocols, large-scale systems, physical security, and cryptography policy. The best way to reach me is by email, either to my U. Penn or crypto.com address. Before you ask: I do not endorse or link to security products or services, and I probably won't help you with your cryptography homework.

A summary of my research and basic biographical information can be found here.

Should we discuss security vulnerabilities in the open literature? It's an age-old question; click here for one perspective.

Many of my research papers can be found here. Slides from talks I've given can sometimes be found here.

If you're developing distributed applications that have security policies or credentials, check out the new KeyNote Trust Management System page, a free toolkit for specifying and checking for compliance with security policies. The KeyNote language is described in RFC-2704.

There's some ciphertext here. Part of the crypto engine that created it can be found here.

The report on the Risks of Key Recovery, Key Escrow and Trusted Third Party Encryption is here.

U.S. cryptography export rules were relaxed in January 2000, especially for freely-available software source code. Check out the CDT, EFF or EPIC sites for details, but basically you can now make open-source cryptography source code available on the web, provided that you send email to the Commerce Department export people telling them the URL. I maintain a publicly-archived alias for this purpose; if you send your notice to exports@crypto.com, it will be automatically forwarded to the government (at crypt@bxa.doc.gov) but will also be archived at http://www.crypto.com/exports/mail.txt for all to see. Using the exports@crypto.com alias will help others find your software. NOTE: This service has been temporarily discontinued. Please send export notices directly to the BXA.

Here are some random photographs that have nothing to do with cryptography. And what on earth does this sign mean? Or for that matter, this one? And who's responsible for this?

For the historically minded, my 1992 dissertation, which anticipated what we now call "peer-to-peer file distribution" by at least five years, can be found here, in PostScript format. Of course, you can still only get it via a centralized server...

I'll put up links to other sites that I find useful soon. Until then, here are some of my favorites: The Halfbakery is a fun communal database of ideas and inventions. Ron Rivest's web page has an excellent collection of cryptography and cryptology research links. Bruce Schneier's Counterpane Internet Security maintains a very useful index of cryptography papers available online, with extensive links.

It's possible that you've come here expecting to find the Encryption Privacy and Security Resource Page, which we've moved to another site, hosted by the Center for Democracy and Technology. If you're a webmaster hosting the My Lock, My Key icon, you can save your readers trouble by changing the link for the icon to point directly to "http://www.cdt.org/crypto/".

All of the old crypto policy resources are now located at CDT: voting records on Members of Congress, "Adopt Your Legislator" and other activist resources, as well as tons of headlines, analyses, reports and links. If that's what you were looking for, just click here.

Other good cryptography policy resources that deserve your attention and support include the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC).