Educational CyberPlayGround ®

Peter G. Neumann Home Page
SRI International Computer Science Laboratory

Peter G. Neumann Home Page

Position: Principal Scientist
Computer Science Laboratory
333 Ravenswood Ave
Menlo Park California 94025, USA
Tel: 415/859-2375 *
Fax: 415/859-2844 *
(No junk faxes, please; no solicitations.)

[* In August 1997, area code 415 becomes 650 for all of us south of San Francisco.]


I have been in the SRI Computer Science Lab since September 1971. I spent eight years at Harvard (1950-58, with a PhD in 1961). My undergraduate thesis in mathematics (1954) involved identifying five nomographic classes of elliptic functions, establishing canonical transformations, and generating tables for them (using the Harvard Mark IV). My doctoral thesis work and various subsequent papers involved variable-length and information-lossless sequential coding schemes with surprisingly strong self-resynchronization properties despite arbitrary fault modes [and denial-of-service attacks], even in the presence of very low or minimum redundancy as in Huffman codes. (My first computer employment was in the summer of 1953, as a programmer on the IBM ``Card-Programmed Calculator''.) I was in (West) Germany for two years on a Fulbright (1958-60, receiving a German doctorate in 1960). I had ten exciting years in the Computer Science Lab at Bell Labs in Murray Hill, New Jersey (1960-70) -- including extensive involvement in Multics from 1965 to 1969. Beginning in 1965, Bob Daley (then at Project MAC at MIT) and I did the Multics file system design, which included directory hierarchies, access-control lists, dynamic linking of symbolic names to cacheable descriptor-based addresses, and dynamically paged segments. (It is nice to find dynamic linking again being ``rediscovered'' in Webware!) I had a minor role in the Multics input-output design, heavily influenced by Ken Thompson and Joe Ossanna, with symbolic stream names -- which Ken later transformed into Unix pipes -- and device-independent I/O. There was some really beautiful innovation in Multics. For those of you who are young folks with little idea of its ``early'' contributions to history, Joe Bob says check it out at Tom Van Vleck's Multics website at (Multics had multiprogramming, multiprocessing, multiple protection domains, and other forms of multiplexing, but no multiple aardvarking.)

I had two reverse sabbaticals as Visiting Mackay Lecturer, a quarter at Stanford (spring 1964), and a year at U.C. Berkeley (1970-71, teaching courses in hardware, operating systems, and coding theory, and co-leading two seminar courses).

Research Interests

My main research interests continue to involve security, crypto applications, overall system survivability, reliability, fault tolerance, safety, software-engineering methodology, systems in the large, applications of formal methods, and risk avoidance. (I am apparently an Eclectical Engineer, a Zennish ZScientist, and a Peregrine Philosopher.)

A recent report, ``Architectures and Formal Representations for Secure Systems'', considers what formal methods can do for system security, and vice versa. It is available in PostScript form, and contains various references to earlier work, e.g., to our 1970s work on the capability-based object-oriented hierarchically-layered Provably Secure Operating System, and the role of system structure and abstraction -- which has been a long-standing interest.

An extensive collection of information on our current project (EMERALD) and past work (IDES, NIDES) on analyzing systems and networks for the purposes of anomaly and misuse detection is available on our Website at, thanks to the efforts of my colleague Phil Porras. We are significantly extending our earlier work to networks, servers, and hierarchically layered analysis. A recent paper is now available for ftp.

Other Related Activities

I was part of the National Research Council's crypto study group, whose report is a 700-page tome, Cryptography's Role In Securing the Information Society (a.k.a. the CRISIS report), available from the National Academy Press. The executive summary is available on-line at . I am also a coauthor of the earlier 1995-96

ACM crypto study report -- indeed the only one who was on both.

In addition, I am one of the 11 authors of a new report (along with Hal Abelson, Ross Anderson, Steve Bellovin, Matt Blaze, Whit Diffie, John Gilmore, Ron Rivest, Jeff Schiller, and Bruce Schneier), The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption, which is available for web browsing, and for ftp-ing in PostScript or ASCII.

My written testimony on that report for the Senate Judiciary Committee, originally scheduled for a crypto key-recovery hearing for 25 June 1997, and was delivered on 9 July 1997. It is available on-line: Security Risks in Key Recovery.

My earlier written testimony for the Senate Governmental Affairs Committee Permanent Subcommittee on Investigations is also available for browsing: Security Risks in the Computer-Communication Infrastructure. The written testimony is included in Security in Cyberspace, Hearings, S. Hrg. 104-701, ISBN 0-16-053913-7, 1996, pp. 350-363; my oral testimony is transcribed on pages 106-111 of that volume.

I was invited to speak at the Gore Commission Conference on Aviation Safety and Security. My position paper, Computer Security in Aviation: Vulnerabilities, Threats, and Risks, is browsable.

Written testimony for the House Ways and Means subcommittee on the Social Security Administration hearing on 6 May 1997 is also available here ; there was no oral testimony on my part, although Marc Rotenberg and Keith Rhodes were there and alluded to my written testimony. A slightly extended subsequent version of that statement was presented as part of a Social Security Administration panel in San Jose CA on 28 May 1997.

I served on the IRS Commissioner's Advisory Group for 2.5 years ending in June 1996, primarily as an advocate for privacy and personal rights, and prevention of internal misuse, but also as a critic of the Tax Systems Modernization effort -- now scuttled to the tune of something like $4 billion. One of my first recommendations involved asking the IRS to remove Social Security Numbers from appearing visibly on the mailing labels. Perhaps I had an impact, although it is obviously hard to tell. (``Well, it works; there are no elephants.'') [Added note: I don't really think I had any effect, but when Peter Z. Ingerman saw my Web page, he noted that he had filed a class-action lawsuit in 1990 affecting every taxpayer -- although he could not afford to appeal to the Supremes.] With Senators Glenn and Pryor, I then wound up on an IRS training tape on privacy risks, noting that privacy is something most people don't even realize they had until after they have lost it. Incidentally, I notice that insider misuse of IRS databases is once again a hot topic.

More or less as a sideline, I moderate the RISKS Forum newsgroup, known as comp.risks in the USENET community, under the sponsorship of the ACM Committee on Computers and Public Policy (CCPP), which I chair. (The current issue is accessible at, and the last item of each regular issue contains further info about the newsgroup.) For a subscription, send e-mail to the automated list server at with a single line of text, ``subscribe'' -- or if you wish to subscribe at an address other than your From: address, include that address after ``subscribe''. (The latter alternative will bounce to me for personal attention, so please don't try the old spoof of subscribing folks such as the White House or Newt Gingrich.) The archives of back issues (beginning with volume 1 number 1 on 1 Aug 1985) are available at or courtesy of Lindsay Marshall at Newcastle . (I am very grateful to Lindsay, who provides a RISKS redistribution service for the UK and a lovely archival search and retrieval system. I am also indebted to Dennis Rears, who provides a redistribution service for MILNET subscribers at

In a related effort that is supported in part by the ACM Committee on Computers and Public Policy, Lauren Weinstein moderates the Privacy Digest Forum. You may subscribe or request information via .

I am Associate Editor of the ACM SIGSOFT Software Engineering Notes (which I founded in 1976 and was Editor for its first 18 years before turning it over to Will Tracz) and Contributing Editor to the ACM (for the Inside Risks column). Excerpts from RISKS appear in each regular issue of ACM Software Engineering Notes. I contribute to and edit a monthly column in Communications of the ACM, called Inside Risks, the latest column of which is accessible on-line at; reuse for commercial purposes is subject to CACM and author copyright policy.

The ever-growing now-21-page document, Illustrative Risks to the Public in the Use of Computer Systems and Related Technology, summarizes as one-liners most of the interesting cases over the past decades. It can be ftped in PostScript form from or from .

By the way, let me express my thanks to the members of the ACM CCPP, who have kept me on the straight and narrow over the past many years. CCPP includes Peter Denning, Sy Goodman, Jim Horning, Rob Kling, Nancy Leveson, Dave Parnas, Ronni Rosenberg, Jerry Saltzer, Barbara Simons, and Lauren Weinstein. They have contributed nobly -- among other things, in guiding the authors of the monthly Inside Risks columns and acting as a review board when sensitive issues come up regarding RISKS submissions.

I am a Fellow of the AAAS, ACM, and IEEE.

Recent Publication

Computer-Related Risks, Addison-Wesley/ACM Press, ISBN 0-201-55805-X, 1995, 384pp., paperback. Further info on the book is available at A short errata list is also accessible. Some events that have occurred since the book was published is also here, along with some references.

Other Activities

Music is a fundamental part of my life. I play a variety of instruments, play two recorders at once, hum and whistle two-part harmony at the same time (unlike Ron Graham, I never learned how to juggle and ride a unicycle), sing, and dabble at conducting and composing. My next book, in the works, is a collection of something on the order of 50 small compositions that I have written (mostly for piano, and some with voice or other instruments as well), intended to be relatively easy to play because of their use of concepts of software engineering, abstraction, structure, symmetries, and iterative learning strategies. These are intended to be pieces that almost play themselves! Maybe I'll eventually put a few of them on-line, maybe even a piece of the month.

Long ago, in graduate school, my musical endeavors included, among other things, (1) joint work in 1954-55 with Fred Brooks, Bill Wright, and Al Hopkins for Tony Oettinger's seminars on computational linguistics, in which Al and I used Fred and Bill's Markov analysis of common-meter hymn tunes to compose ``new'' music on the Harvard Mark IV (see references, below); (2) Bob Ashenhurst, Al Hopkins and I used to sing Gilbert and Sullivan trios in the basement of the Computation Lab; (3) I sang the part of the Man in the Moon in what I believe to be the world's first science-fiction opera, Joel Mandelbaum's The Man in the Man-Made Moon, in which the Man in the Moon becomes quite jealous of the Man in the Man-Made Moon and threatens celestial war, whereupon the Scientist who created the Man in the Man-Made Moon performs an operation whereby the Man-Made Man in the Man-Made Moon is transformed into the Man-Made Maid in the Man-Made Moon, leading to a Happy Ending. It is a wonderful opera. (In case you had not guessed, it was written post-Christine Jorgenson, but pre-Sputnik -- and, for that matter, before mooning became popular.) (4) I did and still do Tom Lehrer interpretations. How many of you have heard his apparently unpublished and unrecorded wonderfully cynical song about something he observed while riding the Boston MTA in his graduate-school days?

Finally, I might direct you to a few items I wrote for a would-be book on English language usage. One section, referred to as the Hyphen(h)ater's Handbook, appeared in RISKS, vol 17, issue 95, discussing the deeper implications of ``email'' versus ``e-mail''. Another section, Only His Only Grammarian Can Only Say Only What Only He Only Means, discusses the risks of the misplaced ``only''. Just for kicks, I have also resurrected an old annotated limerick written in honor of my high-school English teacher, to be read only by folks who enjoy pseudoliterary puns.