SRI International Computer Science Laboratory

Unless you came through the main Web site, you might want to click on one of the photos noted below, for an informal pool picture (which is already on the main site), taken by my wife, Elizabeth S. Neumann, or the more formal official SRI photo. For professional photos, please contact Jim Sugar, 1-415-388-3344, fax 415-388-3345, 45 Midway Ave., Mill Valley, CA 94941, a former National Geographic photographer and all-around good guy.

CLICK HERE for an informal picture

CLICK HERE for a more formal picture

Senior Principal Scientist
Computer Science Laboratory
333 Ravenswood Ave EL-243
Menlo Park California 94025-3493, USA
Tel: 650/859-2375
(if you don't like voicemail, press "0" to speak with a real human being.)

Click here for a short bio. More detailed bio information is available on request.

This Web page can also be reached from the primary CSL Web site by clicking on "CSL Staff" and then "Neumann". (It differs from the default CSL page.) The following sections are included here, and can be moused directly if you do not want to read linearly.

  • Academic and R&D Background
  • Research Interests at SRI
  • RISKS, Inside Risks, Illustrative Risks
  • Computer-Related Risks, The Book
  • Computer-Related Elections
  • PFIR: People For Internet Responsibility
  • URIICA: Union for Representative International Internet Cooperation and Analysis
  • Advisory Activities
  • Honors and Awards
  • Mentors
  • Mentoring
  • Music
  • Statistical Metalinguistics and Zipf/Pareto/Mandelbrot
  • Some Quasi-Literary Pursuits
  • Other Odds and Ends
  • End (finally?)

    Academic and R&D Background

    I have been a member of the SRI International Computer Science Laboratory since September 1971. I spent eight years at Harvard (1950-58, with my A.B. in Math in 1954, S.M. in Applied Math in 1955, and PhD in 1961 after returning from my two-year Fulbright in Germany (1958-60), where I also received the German Dr rerum naturarum in 1960).

    The work for my two doctoral theses (Tony Oettinger was my Harvard advisor, and Alwin Walther my Darmstadt advisor) and various subsequent papers involved variable-length Huffman-like codes and later was extended to Huffman-style information-lossless sequential coding schemes with surprisingly strong self-resynchronization properties despite arbitrary fault modes and denial-of-service attacks, even in the presence of very low or minimum redundancy as in Huffman codes. These schemes provided the possibility of highly survivable communication systems in the presence of arbitrary temporary interference. Earlier, my undergraduate thesis in mathematics (1954) involved identifying five nomographic classes of motions based on elliptic integrals, establishing canonical transformations for each of those classes, and generating tables for them (using the Harvard Mark IV).

    I had two reverse sabbaticals as Visiting Mackay Lecturer, during the spring quarter of 1964 at Stanford University in Electrical Engineering, and the academic year 1970-71 at U.C. Berkeley (teaching courses in hardware, operating systems, and coding theory, and co-leading two seminar courses). I also taught a course on survivable systems and networks at the University of Maryland in the fall of 1999, half in person, half by video teleconference; the course notes are indicated below.

    My first computer job was in the summer of 1953, as a programmer on the IBM Card-Programmed Calculator, for the U.S. Naval Ordnance Lab in White Oak MD, a punched-card machine with four registers and ZERO memory. (The cards provided auxiliary memory!) Among other things, I wrote a nifty recursive complex matrix-inversion routine. The three-address instruction interpretation was done in the plugboard, which represented an early assembler! My boss was Cal Elgot, who later became director of the IBM mathematics group at IBM in its very early days at the Lamb Estate, before the research effort moved to the Watson Lab in Yorktown Heights, NY.

    I had ten exciting years in the Computer Science Lab at Bell Labs in Murray Hill, New Jersey (1960-70) -- including extensive involvement in Multics from 1965 to 1969. Beginning in 1965, Bob Daley (then at Project MAC at MIT) and I did the Multics file system design, which included directory hierarchies, access-control lists (ACLs), dynamic linking of symbolic names to cacheable descriptor-based addresses, and dynamically paged segments within a novel hardware-supported virtual memory concept. (It is nice to find dynamic linking again being ``rediscovered'' in Webware! Multics also had multiprogramming, multiprocessing, multiple protection domains, and other forms of multiplexing.) I had a minor role in the Multics input-output design, heavily influenced by Ken Thompson, Joe Ossanna, and Stan Dunten, with symbolic stream names (which Ken later transmogrified into Unix pipes) and device-independent I/O. After Vic Vyssotsky moved over to Whippany, I found myself the Bell Labs member of the Multics Triumvirate, coordinating with Fernando Corbató (Corby) at MIT and Charlie Clingen at Honeywell, and flying to MIT for a meeting almost every other week. There was some really beautiful innovation in Multics, and many wonderful people. For those of you who are young folks with little idea of Multics' contributions to computer history, check out Tom Van Vleck's Multicians website, which (as of 22 May 2015) listed 2003 names of people who were associated with Multics! Particularly notable among those not already mentioned here is Jerry Saltzer, although many others were important contributors as well.

    Click here for a few selected bibliographic references and other items. A list of CSL-related .bib entries is available at the bottom of the official CSL Web site page for me.

    Research Interests at SRI

    My main research interests continue to involve security, crypto applications, overall system survivability, reliability, fault tolerance, safety, software-engineering methodology, systems in the large, applications of formal methods, and risk avoidance. (I am apparently an Eclectical Engineer, a Zennish ZScientist, and a Peregrine Philosopher. A profile on me in the February 1999 issue of ICSA's Information Security magazine in pdf and in PostScript depicts me as a ``designated holist''.) A short article on Holistic Systems summarizes the challenges of developing trustworthy systems holistically, with possible lessons from energy, health care, and agriculture. (This appeared in the ACM SIGSOFT Software Engineering Notes, 31, 6, November 2006, pages 4--5.)

    Trustworthiness: Security

    SRI's Computer Science Lab and the University of Cambridge have been working since October 2010 on a project for the DARPA CRASH program (Clean-slate design of Resilient, Adaptive, Survivable Hosts). Our project is officially named CTSRD (CRASH-worthy Trustworthy Systems R&D).

    We have three recent papers that capture the current state of our work. With the most recent listed first, they describe the total-system architecture, the programming-language implications of the system, and the hardware instruction-set architecture.

    IEEE SSP 2015 Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, IEEE Symposium on Security and Privacy, San Jose, CA, May 18-20, 2015.

    ASPLOS 2015 David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann, and Michael Roe, Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine, 20th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2015, Istanbul, Turkey, 14--18 March 2015.

    ISCA 2014 U.S. URL and ISCA 2014 UK URL. Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 14--16, 2014. This paper received an "honorable mention" in the Guest Editor piece for the Micro Top Picks edition.

    The earliest paper resulting from this project, Peter G. Neumann and Robert N. M. Watson, Capabilities Revisited: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems, was presented at the Fourth Layered Assurance Workshop (in association with ACSAC 2010) in Austin, Texas, 6-7 December 2010. A 2012 paper reflected subsequent progress on the development of the hardware architecture, CHERI: A Research Platform Deconflating Hardware Virtualization and Protection for the RESoLVE workshop associated with ASPLOS in London, March 2012. A rather comprehensive poster for the September 2014 DARPA CRASH PI meeting for our CTSRD project is available online, along with the most recent slides for that meeting. Further papers are in the works and will be added here. See also the project website at the University of Cambridge.

    An article by Nicole Perlroth, "Reinventing the Internet to Make it Safer", in The New York Times on 3 December 2014 considers the DARPA clean-slate CRASH program; it is also on The Times' blog. (The article refers to CTSRD pronounced as "Custard" -- where referring to "the CHERI hardware-software system" might have been more to the point -- see my note below.) See also her companion article, "The Hacked vs. the Hackers: Game On", also on The Times' blog.

    Note: The CTSRD acronym is alternatively pronounced "Custard" primarily in the UK, where it was once accompanied by custard tarts for the weekly conference calls, or "CatSword" (thanks to Jon Anderson) elsewhere, especially as a logo in our slides -- where it is represented by a heraldic shield of a lion with a sword. It was originally conceived rather weakly as "CutSurd" (i.e., get rid of the irrational and absurd security problems), although that is no longer in use.

    The comparable poster and slides for our companion joint SRI-Cambridge project (MRC)-squared for DARPA's Mission-oriented Resilient Clouds (MRC) program are for the project website at the University of Cambridge.

    I delivered the 2013 Elliott Organick Memorial Lectures at the University of Utah in March 2013. Slides -- A Personal History of Layered Trustworthiness -- are online for some of the material presented (in addition to slides from the above-noted PI meetings). A profile of me written by John Markoff was included in The New York Times Science Tuesday section on 30 October 2012, and is online, along with a short video clip. John also did an audio interview, but that is probably buried somewhere in the archives of The Times.

    Note: John's article attributes to me the naming of Ken Thompson and Dennis Ritchie's system as `Unics' -- as a pun, an emasculated successor of Multics -- perhaps based on a sentence in Peter Salus's 1994 book, A Quarter Century of UNIX. On the other hand, Brian Kernighan recalls that he had suggested the name Unics. However, when the switch from Unics to Unix took place remained unclear to Peter Salus in 1994, and remained so to both Brian Kernighan and Doug McIlroy when I asked them in 2012. My guess is that some AT&T lawyers eventually decided that the punned name (Unics) did not reflect well on the corporate image, and insisted that it be changed to Unix. But that's only a guess. It came a pun a midnight clear, as I started writing this paragraph around 5am on 3 Jan 2012.

    Incidentally, my recollection of the first two days of what ultimately became Unics and then Unix was this: After Bell Labs bailed on Multics in 1969, Ken Thompson acquired a PDP7 that Max Mathews was no longer using. Ken came in one day for lunch having worked much of the previous night to create a roughly thousand-line one-user operating system kernel. I suggested that Ken might want to use some of the concepts we developed in Multics to extend his kernel into a multi-user system. The next morning Ken came in with another thousand lines, and had indeed done so. The rest is history. Ken has always been amazingly productive.

    A subsequent profile written by Bruce Newman, which appeared in the San Jose Mercury News on 12 Mar 2013, is titled Peter G. Neumann: Top cop on the hair-raising cybersecurity beat. A 45-minute segment from the Minnesota Public Radio Daily Circuit on 27 Dec 2012, in discussion with Matt Honan (EFF) and me, considers the subject of the limitations of passwords and computer security, and is online (click on `LISTEN').

    My coauthors Matt Bishop, Sean Peisert, Marv Schaefer, and I wrote a paper, Reflections on the 30th Anniversary of the IEEE Symposium on Security and Privacy, for the May 2010 proceedings of the 31st annual meeting. We regret inadvertently omitting recognition of Sushil Jajodia for the most accepted papers (in Section VII), and Gerry Popek [d] (in Section IX). The paper is of course subject to IEEE copyright, but you have my permission to use it for educational and noncommercial purposes. (The ``[d]'' designation here indicates that an individual is no longer alive -- although I have probably missed a few tagged.)

    I gave a keynote talk, Identity and Trust in Context, for IDtrust 2009 at NIST on 15 April 2009. The slides are online at the conference website and on my website. This talk included discussion of the importance of holistic system considerations rather than trying to deal with identity and authorization in isolation, with applications to health care, and summarized the work of Brent Waters (Attribute-Based Encryption), Carl Gunter (Attribute-Based Messaging), and Chris Peikert (Lattice-Based Cryptography).

    In the early 2000s, DARPA funded thirteen projects under its Composable High-Assurance Trustworthy Systems (CHATS) program, created by Douglas Maughan. I led one of those projects (CHATS project website), in the SRI Computer Science Laboratory. The emphasis in the CHATS program was on composable trustworthy open-source operating systems. The final report, Principled Assuredly Trustworthy Composable Architectures, was completed on 28 December 2004, and is available in three forms: html, pdf, and ps. An earlier paper summarizing the project as of early 2003 appeared in the DISCEX03 proceedings: Achieving Principled Assuredly Trustworthy Composable Systems and Networks.

    Incidentally, a significant effort is underway in Peter Denning's Great Principles project, which considers the importance of principles more broadly --- as common elements across system designs. I believe PJD is still in the process of writing a book on that effort.

    The Provably Secure Operating System (PSOS) project began in 1973 and continued until 1983. The 1980 PSOS final report (noted in my partial reference list) has been scanned in and is online in PostScript form (over 300 pages). The report includes the system architecture and many of the basic hardware and operating system layers, plus some illustrative applications (all formally specified in the SPECIAL language of HDM, the Hierarchical Development Methodology). The Feiertag/Neumann paper summarizing the architecture as of 1979 is available in a retyped, more or less correct, hand-edited pdf form. A 2003 paper, PSOS Revisited by me and Rich Feiertag, was presented at ACSAC 2003 in Las Vegas in December 2003, as part of the Classic Papers track (which was initiated at ACSAC 2002 for the Karger-Schell paper on the Multics multilevel secure evaluation). Please read it if you are interested in capability architectures. The PSOS project continued from 1980 to 1983, supporting the Goguen-Meseguer papers and the Extended HDM effort that led to SRI's PVS system.

    A 1996 report, Architectures and Formal Representations for Secure Systems, considers what formal methods can do for system security, and vice versa. It is available in PostScript form, and contains various references to earlier work, e.g., to our 1970s work on the formally specified capability-based object-oriented hierarchically-layered Provably Secure Operating System (PSOS), and the role of system structure and abstraction -- which has been a long-standing interest. A 1992 paper by Norm Proctor and me, Architectural Implications of Covert Channels from the 1992 Computer Security Conference, is available in html form. That paper develops the concept of multilevel-secure systems in which there are no end-user multilevel-secure workstations, and consequently no user-oriented covert channels. This paper is really a paper on how to build multilevel-secure systems and networks out of non-MLS end-user components and a few high-assurance trustworthy servers. It further pursues an approach begun by Rushby and Randell in their 1983 paper. The concept is also applicable to architectures of (single-level) networked systems in which trustworthiness is localized in certain critical servers. The Oracle thin-client network computer is ideally suited to such an architecture.

    An extensive collection of information on our current efforts (EMERALD) and past work (IDES, NIDES) on analyzing systems and networks for the purposes of anomaly and misuse detection is available on our Website, thanks to the efforts of my colleague Phil Porras. EMERALD significantly extends our earlier work, addressing not just host systems but also networks, servers, and hierarchically layered analysis. A 1997 paper is available in html form for browsing or in PostScript form for ftp-ing. A 1999 paper on Experience with EMERALD, jointly authored with Phil Porras, is available in PostScript and in html for the USENIX Workshop on Intrusion Detection and Network Management, 11-12 April 1999. (It won the best-paper award for the workshop!)

    I helped organize a workshop on preventing, detecting, and responding to insider misuse, held in Santa Monica in August 1999. The final report and the slide materials for long and short briefings are available on our Web site. My position paper for that workshop is also available online. A second workshop was held in Honolulu in July 2000.

    I have updated and extended the 1999 paper in a new position paper that I prepared for the Dagstuhl Workshop on Insider Threats, 20-25 July 2008: Combatting Insider Misuse, with Relevance to Integrity and Accountability in Elections and Other Applications. Although I was unable to attend, Matt Bishop most graciously presented it for me. Matt's slides are online.

    The Dagstuhl Workshop article has been extended and is included in a book: P.G. Neumann, Combatting Insider Threats, chapter 2, in Insider Threats in Cybersecurity -- and Beyond, C.W. Probst, J. Hunker, D. Gollman, and Matt Bishop, (editors), Springer Verlag, 2010. [Incidentally, see my screed on Combatting `Combating', below.]

    Just for kicks, let me mention my 1969 paper, The Role of Motherhood in the Pop Art of System Programming, from the 2nd Symposium on Operating Systems Principles, which has now been put on the Web courtesy of Olin Sibert and posted on Tom Van Vleck's Multicians website.

    Trustworthiness: Survivable Systems and Networks

    My final report for the Army Research Lab, Practical Architectures for Survivable Systems and Networks, 30 June 2000, is available for browsing in html, and for printing in PostScript, and in pdf. From the abstract: This report summarizes the analysis of information system survivability. It considers how survivability relates to other requirements such as security, reliability, and performance. It considers a hierarchical layering of requirements, as well as interdependencies among those requirements. It identifies inadequacies in existing commercial systems and the absence of components that hinder the attainment of survivability. It recommends specific architectural structures and other approaches that can help overcome those inadequacies, including research and development directions for the future. It also stresses the importance of system operations, education, and awareness as part of a balanced approach toward attaining survivability.

    I taught a course ENPM 808s as an Adjunct Professor at the University of Maryland in the Fall of 1999 on material related to the Army Research Lab survivability study: All of my UMd lecture materials (except for my RISKS book) are online as source-available open-course documents. (It is wonderful to see MIT's announcement of its OpenCourseWare in April 2001. That is a marvelous development.) My final set of Maryland lecture notes is also available in a 6-up PostScript form, that is, six slides to a printed page. Please let me know if you find the course materials interesting and/or useful. Similar courses were also taught at the University of Pennsylvania by Tony Barnes (I gave one of Tony's lectures), and at the University of Tennessee by Doug Birdwell and Dave Icove -- Electrical & Computer Engineering 599 -- using some of my lectures and lecture materials, and some of their own. Georgia Tech (Blaine Burnham) gave such a course in Winter 2000, and the Naval Postgraduate School (Cynthia Irvine) was contemplating such a course in the spring of 2000, according to an earlier discussion with Cynthia. Other universities have also expressed interest in piggybacking on the course materials.

    Robust Open-Box Software

    The CHATS effort was strongly motivated by an interest in demonstrating the viability of making open-source software more secure and robust. See the CHATS program information noted above.

    My two-page position paper for a panel on open-box software (e.g., open-source and free software, where you can actually get inside the box and change something, as opposed to black-box software where you cannot even see inside the box) at the IEEE Symposium on Security and Privacy at Oakland CA, May 2000, is titled ``Robust Nonproprietary Software'' and is clickable (subject to IEEE copyright) in PostScript and pdf form.

    A set of 28 slides for my keynote talk on the same general subject, titled ``The Potentials of Open-Box Source Code in Developing Robust Systems'', for an April 2000 NATO conference on The Ruthless Pursuit of COTS, is also available, in a variety of forms:
    PostScript, 1 per page, 4 per page, 6 per page,
    and pdf, 1 per page, 4 per page, 6 per page.
    (I also handed out to the NATO audience a preprint of the IEEE-copyrighted position paper noted above: PostScript and pdf form.)

    A 2001 set of slides on the pros and cons of open-box software, from a talk on 27 February 2001 is available in PostScript and pdf formats.

    Open-box software is not a panacea -- it does not solve all the problems. It still requires all of the discipline in development and operation that we would like to see in proprietary closed-box software. But it has enormous potential, and needs to be pursued as a serious contender.

    If you have an active interest in the development of robust nonproprietary open-box software, please contact me by e-mail about participating actively in a small newsgroup dedicated specifically to the challenges of robustifying open-box software.

    Spam and E-Mail Risks

    My keynote talk might be of interest: ``CEAS and DESIST?'' for the Second Conference on E-mail and Spam, 21-22 July 2005, at Stanford:
    ``This talk will take a far-reaching big-picture view of some fundamental problems that must be confronted in the future, spanning issues such as security, reliability, survivability, safety, critical infrastructure protection, homeland security, national security, long-term research, sound science, free and open source software, and the development of predictably trustworthy systems and networks that can avoid past and foreseeable risks. Clearly, E-mail And Spam (CEAS!) are just one piece of the overall puzzle. In this context, the last part of the whimsical talk title (DESIST!) might be considered as a polymorphic backronym: Don't Encourage Simplistically Inadequate Software Techniques, or perhaps Dependably Engineered Secure Information System Technology. In any event, some radical changes are necessary and [were] considered.''


    RISKS, Inside Risks, Illustrative Risks

    More or less as a sideline, I moderate the ACM Risks Forum newsgroup, known as comp.risks in the USENET community, under the sponsorship of the ACM Committee on Computers and Public Policy (CCPP), which I have chaired since 1985. (The current issue is accessible online, and the last item of each regular issue contains further info about the newsgroup.) For a subscription, send e-mail to the automated list server with a single line of text, ``subscribe'' -- or if you wish to subscribe at an address other than your From: address, include that address after ``subscribe''. (The latter alternative will bounce to me for personal attention, so please don't try the old spoof of subscribing folks such as the White House or Newt Gingrich, which happened some years ago.) The archives of back issues (beginning with volume 1 number 1 on 1 Aug 1985) are available online, or courtesy of Lindsay Marshall at Newcastle. (I am very grateful to Lindsay, who provides a RISKS redistribution service for the UK and a lovely complete archival search and retrieval system.)

    The ever-growing document, Illustrative Risks to the Public in the Use of Computer Systems and Related Technology, summarizes as one-liners many of the most interesting cases over the past decades. Unfortunately, in recent years I have not been able to keep it up-to-date (except for some of the election integrity issues and the Inside Risks summary). It is available for browsing. The same content is also available in printer-friendly formats in pdf form and PostScript.

    In 2006, I was once again asked to do a Classic Paper for ACSAC, this time revisiting the RISKS experience. The paper Risks of Untrustworthiness and the slides for the talk are online.

    Various folks have taught courses related to the RISKS material -- for example, Jerry Saltzer and others at MIT, Roy Maxion at CMU -- and Rebecca Mercuri when she was at Bryn Mawr.

    In a related effort that is supported in part by the ACM Committee on Computers and Public Policy, Lauren Weinstein moderates the Privacy Forum Digest and Network Neutrality Squad. He is providing a superb service for those of you who are deeply concerned about privacy issues. You may subscribe or request information; check out the Privacy Forum and Network Neutrality Squad.

    I am a regular contributor to the ACM SIGSOFT Software Engineering Notes (which I founded in 1976; I was Editor for its first 18 years before turning it over to Will Tracz, who has now persisted for an even longer editorship!). Will has put most of the content of all the back issues online. Selected edited excerpts from RISKS continue to appear in each regular issue of ACM Software Engineering Notes.

    For 18 years beginning in 1980, I was a Contributing Editor to the Communications of the ACM (CACM). I either wrote or shepherded a column under the Inside Risks rubric. From July 1990 until June 2008, this was a monthly column that appeared inside the back cover of CACM. After 216 consecutive one-page monthly appearances, longer articles are now scheduled to appear three times a year. Most columns (except for some of the earliest ones) are accessible online; reuse for commercial purposes is subject to CACM and author copyright policy.

    I am very grateful to the members of the ACM CCPP, who have kept me and RISKS-related efforts on the straight and narrow over the past many years. CCPP includes Steve Bellovin, Peter Denning, Virgil Gligor, Nancy Leveson, Dave Parnas, Jerry Saltzer, Lauren Weinstein, and most recently, Kevin Fu. (Jim Horning [d, 18 Jan 2013] was one of my original members -- see the lead item in RISKS-27.14. Sy Goodman, Rob Kling [d], and Barbara Simons were earlier long-time members.) They have all contributed nobly -- among other things, in guiding the authors of the monthly Inside Risks columns and acting as a review board when sensitive issues come up regarding RISKS submissions, and in some cases writing columns themselves.

    One of the thornier issues relating to the lack of good software-engineering practice, particularly in the development of systems with critical requirements, is that of whether certification of programmers would help. A panel statement I wrote for the 2000 IEEE International Conference on Requirements Engineering is accessible in PostScript and pdf forms. I have deep concerns relating to certification and licensing. You should not read that position statement as an endorsement, but rather as a skeptical set of concerns. My keynote address slides are also available, PostScript.

    Computer-Related Risks, The Book

    My RISKS book is still very timely: Computer-Related Risks, Addison-Wesley/ACM Press, ISBN 0-201-55805-X, 1995, 384pp., paperback, transcended its fifth printing, and is now printed on demand. Further info on the book is available online. Click here for an errata list for the first three printings. Some events that have occurred since the book was published are also available, along with some further references. It is quite remarkable that almost everything in the book is still true and still relevant today; in many cases, the situation is even worse -- because many of the same problems still continue to recur, and because the Internet has exploded the opportunities for miscreants to include attacks on each of us from potentially every system in the world. More recent material is summarized in the Illustrative Risks document, the Risks Forum, and ongoing issues of Software Engineering Notes.

    The book has also been translated into Japanese and published by Addison-Wesley in 2000. ISBN 4-89471-141-9.

    Computer-Related Elections

    ``It's not who votes that counts, it's who counts the votes.'' (attributed to Joseph Stalin)

    ``Not everything that can be counted counts, and not everything that counts can be counted.'' (attributed to Albert Einstein; thanks to Will Tracz for sending me this delightful quote, serendipitously relevant to problems with elections!)

    Dan Thomsen, Jeremy Epstein, and I were guest editors of the special issue, Lost Treasures, IEEE Security and Privacy (Building Dependability, Reliability, and Trust), November-December 2012, pp. 17--50, and authors of its introduction (pp. 17--19), which also includes a one-page sidebar I wrote, titled Lost Lessons: Election Systems, on page 18.

    I was SRI's PI for the NSF ACCURATE effort: A Center for Correct, Usable, Reliable, Auditable and Transparent Elections, NSF Grant number 0524111. ACCURATE was initially led by Avi Rubin at Johns Hopkins, and then by Dan Wallach at Rice. Other PIs are Mike Byrne at Rice, David Dill and Dan Boneh at Stanford, Dave Wagner at U.C. Berkeley, Doug Jones at the University of Iowa, and more recently Jeremy Epstein and Natarajan Shankar at SRI. See the ACCURATE website. That grant has now ended, although the work will never be complete!

    My position paper for the CSTB workshop on Voter Registration Databases, December 29-30 2007, is online.

    As noted above, the Illustrative Risks section on problems in past elections (click on Election Problems) is particularly timely in light of the aftermath of the November 2000 Presidential election (fuzzy math? fuzzy aftermath?). I brought the section up to date on 17 Dec 2013 with respect to items in RISKS. The legend for the descriptors is at the beginning of the file.

    Various columns relating to the use of computers in the voting process are included in the Inside Risks series in the Communications of the ACM:
    U.S. Election After-Math, Peter G. Neumann, February 2009
    Risks of E-Voting, Matt Bishop and David Wagner, November 2007
    COTS and Other Electronic Voting Backdoors, Rebecca T. Mercuri, Vincent J. Lipsio, and Beth Feehan, November 2006
    Evaluation of Voting Systems, Poorvi L. Vora, Benjamin Adida, Ren Bucholz, David Chaum, David L. Dill, David Jefferson, Douglas W. Jones, William Lattin, Aviel D. Rubin, Michael I. Shamos, and Moti Yung, November 2005
    Security by Insecurity, Rebecca Mercuri and PGN, November 2003
    Florida 2002: Sluggish Systems, Vanishing Votes, Rebecca Mercuri, November 2002
    Uncommon Criteria, Rebecca Mercuri, January 2002
    Vote Early, Vote Often, Rebecca Mercuri, November 2000
    Corrupted Polling, Rebecca Mercuri, Nov 1993
    Voting-Machine Risks, Rebecca Mercuri, Nov 1992
    Risks in Computerized Elections, PGN, Nov 1990
    and are particularly timely in light of the aftermath of the November 2000 Presidential election (fuzzy math? fuzzy aftermath?) and various 2002 and 2004 problems.

    In addition, a paper I wrote in 1993, Security Criteria for Electronic Voting, is also available. This paper was adapted for inclusion in Computer-Related Risks. Evidently, I have been a psephologist as well as a psephotechnologist -- for well over two decades. (Thanks to Doug Jones for pointing this out!)

    A National Public Radio piece (just under 7 minutes) by Dan Charles featuring Rebecca Mercuri and me ran on 10 February 2003, and is available as audio from the NPR archives. An old LinkTV program excerpt (courtesy of Lauren Weinstein's editing) on voting is available online as an mp4 file. It is somewhat dated and chatty, but still generally relevant. (Many things don't seem to change!)

    Ronnie Dugger's November 1988 article in The New Yorker is on my Web site. His long article in The Nation (August 16/23 2004) is also online (unfortunately, requiring nine downloads).

    For the convenience of folks trying to uncover some of the earlier history prior to the year 2000 election problems, I have also placed some of the material on electronic voting in Computer-Related Risks, although that material is under Addison-Wesley copyright.

    Finally, if this topic is of serious interest to you, check out Rebecca Mercuri's doctoral thesis on the subject. This is a remarkable thesis, and should be considered seriously by everyone involved in developing, evaluating, or using voting systems in future elections.

    Furthermore, check out David Dill's Web site, which has become a very valuable contribution to the cause of election integrity. Read his petition, and join hundreds of computer scientists and many other people as well in signing it. He has also summarized the proceedings currently ongoing in Santa Clara County, where he and I and (remotely) Rebecca Mercuri were involved in trying to get the county to include a voter-verified paper audit trail as a part of their efforts to rush into all-electronic voting machines. The county has been partially responsive, and has contracted for an upgrade path to that end. Subsequently, then California Secretary of State Shelley has mandated a VVPAT for all-electronic voting machines by 2006. Much more has happened since then, as evidenced by the current California Secretary of State Debra Bowen's Top-To-Bottom Review in 2007.

    Also of topical interest are the first two items in Risks Forum issue vol 21 no 13, and also an article in the San Francisco Chronicle by Henry Norr on 4 December 2000, on the risks of touch-screen balloting (in PostScript form). Remarking on our efforts in February 2003 to get Santa Clara County to use voter-verified hardcopy ballot images in their ongoing procurement of touch-screen systems (for example, see David Dill's Web site noted above), Henry Norr wrote a highly supportive article in the San Francisco Chronicle on 3 March 2003. I greatly admire Henry's willingness to publicly change his mind when he discovered his earlier views were short-sighted -- as he has done in these two articles.

    My position statement for a hearing of the California Assembly Committee on Elections, Reapportionment and Constitutional Amendments on 17 Jan 2001 (pdf and PostScript) gives a one-page summary on the integrity of the election process plus two one-page items (the Inside Risks piece from January 2001 with Rebecca Mercuri, and an article in RISKS-21.14 by PGN, Rebecca Mercuri, and Lauren Weinstein). A statement for a subsequent hearing for the same committee on 15 Jun 2004 is also available in pdf form. Testimony for the California Senate Elections Committee on 8 Feb 2006 is also available in pdf form, on The Relative Merits of Openness in Voting Systems, written for Debra Bowen when she was in the California Senate.

    A remarkably forthright detailed analysis of the lack of trustworthiness and usability of voting machines used in California in 2007 was conducted over the summer of 2007 under the auspices of California Secretary of State Debra Bowen, in the Top-To-Bottom Review. That effort seems to have inspired several subsequent analyses, all of which have greatly increased the general awareness of the breadth and depth of problems with electronic voting systems.

    PFIR: People For Internet Responsibility

    Lauren Weinstein (Privacy Forum) and I have created an entity called People For Internet Responsibility (PFIR). Check it out. There are some important position statements on Internet voting, Internet governance, Internet hoaxes and misinformation, Government interception of Internet traffic, hacking, spam, censorship, and other topics. PFIR seeks to create an iterative process by which progress can be made. A conference took place at the end of July 2004, Preventing the Internet Meltdown. PFIR provides FactSquad, which is aimed at debunking much of the misleading information that floats around the Internet. Also, see Fact Squad Radio, one- to three-minute audio features on critical topics. It also sponsors the Network Neutrality Squad.

    URIICA: Union for Representative International Internet Cooperation and Analysis

    For the sake of Internet users everywhere, Lauren Weinstein, Dave Farber, and I created a would-be organization called URIICA: Union for Representative International Internet Cooperation and Analysis. URIICA's intent was explicitly not to try to control the future of the Internet, but rather to provide an open forum through which a truly international representative basis can be sought that is not captive to commercial and other special interests. We recognize the complexity of any such efforts, and are in no way attempting to imply that we have all the answers. However, we are convinced that such an approach is essential, pulling together the strengths of existing Internet-related groups and creating new ones as needed. On the other hand, URIICA is not currently active. It has been more or less supplanted by Lauren Weinstein's Network Neutrality Squad.

    Advisory Activities

    I was part of the National Research Council's crypto study group, whose report is a 700-page tome, Cryptography's Role In Securing the Information Society (a.k.a. the CRISIS report), available from the National Academy Press. The executive summary is available online. I am also a coauthor of the earlier 1995-96 ACM crypto study report -- indeed the only one who was on both.

    I am one of the 11 authors of the June 1997 report (along with Hal Abelson, Ross Anderson, Steve Bellovin, Matt Blaze, Whit Diffie, John Gilmore, Ron Rivest, Jeff Schiller, and Bruce Schneier), The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption. This report was reissued in June 1998, with a new preface that notes that little has improved in the intervening year. The report is available for web browsing, and from CDT. It is also available for direct ftp-ing from Matt Blaze in PostScript or ASCII.

    My July 1997 written testimony on that report for the Senate Judiciary Committee, originally scheduled for a crypto key-recovery hearing for 25 June 1997, was delivered on 9 July 1997. It is available online: Security Risks in Key Recovery. As a follow-up to that hearing, Senator Hatch asked each panelist to respond to specific questions from Senators Thurmond, Grassley, Leahy, and Feinstein. My responses to those questions are also available online. The proceedings of the entire set of hearings are available as Security in Cyberspace, S. Hrg. 104-701, 1996, pp. 350-363. ISBN 0-16-053913-7, 1996.

    Incidentally, I note that the surveillance issue is perennially before us, for example, with respect to the Internet rather than telephony. The FBI's Carnivore monitoring system has been subjected to a review, and the draft IITRI Carnivore report is online on the DoJ site. At the request of the Department of Justice, I participated in a review of the IITRI report, with Matt Blaze, Steve Bellovin, Dave Farber, and Eugene Spafford. Our Carnivore review comments as submitted to DoJ are available here in html form. (As a result of widespread criticism relating to the choice of its seemingly predatory name, Carnivore has been renamed DCS1000, the Digital Collection System.)

    A more recent article on risks of surveillance was written by Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, PGN, and Jennifer Rexford, Risking Communications Security: Potential Hazards of the ``Protect America Act'', IEEE Security and Privacy, 6, 1, January-February 2008, pp. 18--27.

    In 2015, we reconstituted the 1997 group and added a few more people. The resulting report, released in July 2015, is
    Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Peter G. Neumann, Susan Landau, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, Daniel J. Weitzner. The report is online as a pdf. It was discussed on 6 July 2015 in The New York Times blog and in the 7 July 2015 print edition article (front page, above the fold), both by Nicole Perlroth. The report was noted by several speakers during a hearing of the Senate Judiciary Committee on 8 July. Subsequently, an op-ed piece appeared on 28 Jul 2015 in The Washington Post by three leading former government executives, Mike McConnell, Michael Chertoff and William Lynn: Why the fear over ubiquitous data encryption is overblown. That article constructively supports and amplifies the arguments in our report.

    My 25 June 1996 written testimony for the Senate Permanent Subcommittee on Investigations of the Senate Governmental Affairs Committee is online: Security Risks in the Computer-Communication Infrastructure. The written testimony is included in Security in Cyberspace, Hearings, S. Hrg. 104-701, ISBN 0-16-053913-7, 1996, pp. 350-363; my oral testimony is transcribed on pages 106-111 of that volume.

    My May 1998 follow-up written testimony for the Senate Permanent Subcommittee on Investigations of the Senate Governmental Affairs Committee is online: Computer-Related Infrastructure Risks for Federal Agencies.

    My 6 November 1997 written testimony for a hearing of the U.S. House Science Committee Subcommittee on Technology is also online: Computer-Related Risks and the National Infrastructures. (My responses to subsequent questions appear in the proceedings of the hearing, ISBN 0-16-056151-5.) On 15 April 1999, I again testified for the House Science Committee Subcommittee on Technology, this time for a hearing on the Melissa Microsoft Outlook Word Macro propagating e-mail Trojan horse/virus; I did a differential analysis on my November 1997 testimony, and argued that Melissa is merely the tip of a very large iceberg. On 10 May 2000, I was asked to testify for the same House committee on the ILOVEYOU Microsoft Outlook propagating e-mail Trojan horse/virus, Risks in Our Information Infrastructures: The Tip of a Titanic Iceberg Is Still All That Is Visible. A further testimony for the House Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, August 2001, provides another update, Information Security Is Not Improving, Relative to the Risks. Relative to other events, computer-communication security appears to have regressed steadily in recent years, rather than progressed.

    In December 2000, I participated in a panel on emerging technology issues as part of a program that the Harvard JFK School of Government puts on every two years for newly elected members of Congress. See my handout page.

    I was invited to speak at the 1997 Gore Commission Conference on Aviation Safety and Security. My position paper, Computer Security in Aviation: Vulnerabilities, Threats, and Risks, is browsable. Of particular relevance on that topic are some of the Department of Transportation reports by Alex Blumenstiel that are cited in my paper, and a long series of GAO reports (click on airport security and on terrorism), all of which seem to have been almost completely ignored. [Written in 1997, this paper considers many topics that today seem less far out.]

    Written testimony for the House Ways and Means Subcommittee on the Social Security Administration hearing on 6 May 1997 is available here; there was no oral testimony on my part, although Marc Rotenberg and Keith Rhodes were there and alluded to my written testimony. A slightly extended subsequent version of that statement was presented as part of a Social Security Administration panel in San Jose CA on 28 May 1997. The SSA announced on 4 Sep 1997 that they would reinstate the PEBES database, but with considerably increased attention to security issues. I am pleased that their revised plans go a long way toward what is recommended in my position statement.

    On 7 Jun 2007, I testified once again for a hearing of the House Ways and Means Subcommittee on the Social Security Administration on the Employment Eligibility Verification System (EEVS). My written testimony on behalf of USACM is available in pdf form. The entire hearing was webcast, and I was followed by Marc Rotenberg whose testimony is also of interest. (The testimony is also available on the USACM website, along with subsequent testimony for USACM on protecting the privacy of social security numbers, by Annie Anton.)

    I served on the IRS Commissioner's Advisory Group for 2.5 years ending in June 1996, primarily as an advocate for privacy and personal rights, and prevention of internal misuse, but also as a critic of the Tax Systems Modernization effort -- now scuttled to the tune of something like $4 billion. One of my first recommendations involved asking the IRS to remove Social Security Numbers from appearing visibly on the mailing labels. Perhaps I had an impact, although it is obviously hard to tell. (``Well, it works; there are no elephants.'') [Added note: I don't really think I had any effect, but when Peter Z. Ingerman saw my Web page, he noted that in 1994 he had filed a class-action lawsuit to that effect including every taxpayer -- although he could not afford to appeal to the Supremes when it was thrown out. Perhaps PZI's suit actually had an effect!] With Senators Glenn and Pryor, I then wound up on an IRS training tape on privacy risks, noting that privacy is something most people don't even realize they had until after they have lost it. Incidentally, I notice that insider misuse of IRS databases and SSNs is once again a hot topic.

    I have been a member of the U.S. Government Accountability Office Executive Council on Information Management and Technology since November 1997. (The GAO -- prior to July 2004 known as the General Accounting Office -- is the investigative arm of the U.S. Congress, and the nation's auditor.) Our meetings in the previous century were heavily concerned with the Y2K problem and the U.S. Government's initially slow reaction to it. We had briefings from President Clinton's Y2K czar John Koskinen, and from Senator Bennett and Congressman Stephen Horn (check out the Website for the Committee on Government Reform, Subcommittee on Government Management, Information, and Technology). More recently the GAO EXIMT has also been concerned with the software development situation, computer security more generally, and of course critical-infrastructure protection.

    I am a member of the advisory committee for the California Office of Privacy Protection.

    From April 2001 through June 2003, I was a member of the National Science Foundation Computer Information Science and Engineering Advisory Committee (NSF CISE AC, if you like acronyms). Research is absolutely fundamental to the future, and I was particularly concerned with issues relating to computer systems and networks, security, reliability, good software engineering, formal methods, and education, among other topics.

    I am on the Advisory Board and now a member of the Board of Directors of the Electronic Privacy Information Center (EPIC) -- run by Marc Rotenberg. EPIC is playing an extraordinary role in trying to defend our computer-related privacy.

    I am nominally still on technical advisory boards of several companies, although these boards seem to be inactive at present: Cryptography Research Inc. (Paul Kocher) and Cigital (formerly Reliable Software Technologies, Gary McGraw).

    Honors and Awards

    I am a Fellow of the AAAS, ACM, and IEEE, and recipient of the ACM Outstanding Contribution Award in 1992, the Electronic Frontier Foundation Pioneer Award in 1996, and the ACM SIGSOFT Outstanding Contribution Award in 1997. (I was an ACM National Lecturer for 16 months during 1969 and 1970.) I am greatly honored by being the 1997 recipient of the Norbert Wiener Award for excellence in promoting socially responsible use of computing technology, which I received on 4 Oct 1997 at the annual conference of Computer Professionals for Social Responsibility (CPSR) -- of which I was a member from the beginning. Notes from my Wiener-Winner acceptance speech are online, and include some truly prescient quotes from Wiener. I received the National Computer System Security Award (sponsored by NIST and NSA) in 2002, and the ACM SIGSAC Outstanding Contributions Award in 2005. At the ACM Awards Banquet in June 2013, I received the Computing Research Association Distinguished Service Award. I became an SRI Fellow in 2000. On 29 October 2001, I became an Honorary CISSP (Certified Information Systems Security Professional), awarded by the International Information Systems Security Certification Consortium -- (ISC)^2.

    I was delighted to be included in the Inaugural Induction into the National Cyber Security Hall of Fame on 17 Oct 2012, along with Len Adleman, Dorothy Denning, Whit Diffie, Marty Hellman, Carl Landwehr, Lynn McNulty, Ralph Merkle, Ron Rivest, Adi Shamir, and Roger Schell. General Keith Alexander was the evening keynote speaker, and is in the middle of the group photo of those who were able to be honored in person.


    Mentors

    One of the most important aspects of my life has been the influence of a sequence of inspirational mentors, at different times and in different ways. Each of them took a deep personal interest in me. I would like to honor a few of them in return, in chronological order of their appearance.

    My parents, J.B. Neumann [d] and Elsa Schmid Neumann [d], each of whom had an extraordinary influence in my life, and who constantly encouraged me in my pursuits of my varied interests. My father was a noted person in the art world from 1906 to 1961, and my mother was an artist and mosaicist from the 1920s until her death in 1970. (Biographical information on them is available on request.) I learned many wonderful things from my sons John [d] and Chris [d], and from my daughter Helen Krutina Neumann --- from whom I am still learning. In her forties, Hellie went back to school at the Pacific College of Oriental Medicine in San Diego, and is now applying her knowledge and experience in the Vineyard Complementary Medicine clinic in West Tisbury, Massachusetts.

    Malcolm Holmes [d, 1953], head of the New England Conservatory, conductor of Harvard-Radcliffe Orchestra (for 26 years), the New England Conservatory orchestra, and the Harvard Band (1942 and 1946-1952), superb violinist, and erstwhile fine athlete. Through the last four of my five summers (1947-1950) at Greenwood Music Camp near Tanglewood in the Berkshires (see below) and at the beginning of my freshman year at college, Mal was a true inspiration to me. As an avid reader of The New York Times since 1940, I was happy that he would share his copy of the paper with me after lunch each day at Greenwood (even if it came a day late by mail) and discuss many issues (musical and otherwise) while he was whittling batons. His presence was an unforgettable experience for me. His early death was a great loss to thousands of people whom he had similarly inspired.

    Marsden V. Dillenbeck (30 Jul 1908 -- [d] Jan 1990), my very literate high-school senior-year English teacher, who inspired my interest in language and languages. See my Epic Annotated Limerick homage to him, also noted below. At my 50th high-school reunion in October 2000, it was clear that he had had a huge impact on other classmates as well, as his memory was often invoked.

    Roger Nash Baldwin [1894-1981], humanist, founder of the American Civil Liberties Union in 1919. Over much of my life, until he died at the age of 97, we did many things together, discussions on all sorts of topics, four-hand piano, nature-walking, blueberry pancakes, canoeing on a beautiful New Year's Day on the Ramapo River in New Jersey, and many summers together on Martha's Vineyard. He was interested in everything and everyone, and had extraordinary life values.

    Albert Einstein [d, 18 April 1955] who made a wonderful cameo appearance in my life on the morning of 8 November 1952. I had the enormous privilege of a more than two-hour visit with him, with a discussion that ranged over complexity and apparent simplicity in mathematics, science, and -- at great length -- music (among many other topics). In this context, I became presumably just one of the many people who heard him say, ``Everything should be made as simple as possible but no simpler.'' (I recall seeing a simpler version of that quote when I was in High School, in the Readers' Digest, without reference, perhaps omitting the word ``made'', although that makes less sense.) That entire conversation made a huge impact on my subsequent approach to computer systems (and my life, and as noted below in some musical compositions). It undoubtedly inspired a life-long fascination with hierarchical and other forms of abstraction -- which recurs in much of my writings and system designs (e.g., Multics, PSOS, SeaView, and the CHATS report on composable systems) and complexity in computer systems. Einstein was someone I felt I knew before I met him because of looking at my mother's remarkable 1944 mosaic portrait of him in our home during my teenage years. In 1998 I donated the portrait to Boston University, where a U.S. manifestation of the Einstein Papers Project was centered. Elsa Schmid, Mosaic portrait of Albert Einstein is now in the reference reading room in the main library at B.U. Here is my translation from the original German of the main text of Einstein's letter to my mother (known professionally as Elsa Schmid, and long ago Elsa Schmid-Krutina) after he saw her mosaic. His letter (dated 19 February 1945) gives some idea of the power of the portrait and why it had such a strong impact on me personally:

    ``The viewing of your mosaic portrait has been an artistic experience for me that I shall never forget. I am happy that through my very existence I have been the inspiration for the origin of such a work. In this portrait is perfectly expressed exactly that which is so completely missing in modern man -- inwardness and contemplation, detachment from the here and now. It is a riddle to me how it is possible to achieve such a delicate and strong expression with this inflexible material.'' (signed A. Einstein)

    It was Einstein's step-daughter Margot who initiated the connection for the Einstein mosaic by asking my mother to teach her the techniques underlying mosaics. In response to a letter my mother wrote to Margot after Einstein's death, Margot wrote a wonderful letter:

    ``You know how much I love your work! But the portrait of my father is one of the finest things you have done. It expresses his whole spirit -- you are the only one -- I would say -- who presented the real Einstein who was so humble in his heart, so kind and child-like and wise altogether. In your work I find all these qualities. The mosaic expresses the simplicity and purity he had -- and one sees so rarely in the work of our time. Looking at it makes me feel happy and sad at the same time -- because he is no more -- but in your work he lives again and will live forever. This I want you to know. Margot''

    [Incidentally, there are two more wonderful large mosaic portraits also done by my mother in the mid-1940s -- of Abraham Lincoln, based on two original Matthew Brady daguerreotypes lent to her from the Frederick Hill Meserve collection. The Elsa Schmid, full-face mosaic portrait of Abraham Lincoln has found a permanent home in the Boston University Library, along with her Einstein portrait and the newly acquired Matthew Brady collection of daguerreotypes of Lincoln. The profile portrait has been donated to the University of Illinois at Springfield, which has a curriculum that includes various tributes to Lincoln. A few of her other mosaic portraits are in museum collections: Martin D'Arcy in the Museum of Modern Art in NY, John Dewey in the Newark Museum, and Dikran Kelekian in the Walters Art Museum in Baltimore.]

    Philippe LeCorbeiller [d], Professor at Harvard for many years, and my informal undergraduate thesis advisor in 1954 (motions depending on elliptic integrals). He was a wonderfully caring human being. (Joe Walsh in the Math Dept was my formal advisor.)

    Tony Oettinger, Harvard Professor, and my PhD advisor, still somewhat involved long after his delightful 70th birthday party in March 1999 (noted below). Tony and I have always had many similar interests. I was a guinea pig in 1953 for his doctoral thesis on translation of Russian into English.

    Alwin Walther [d] (6 May 1898 -- 4 January 1967), Technische Hochschule Darmstadt Professor and department director for many years. His enthusiasm and encouragement during my wonderful two-year Fulbright stint led me to teach a course, write a second doctoral thesis, play in the student orchestra, represent him on committees, and travel around Europe. Many thanks to Prof. Dr.-Ing. Winfried Goerke (Karlsruhe) for sending me the 100th birthday commemorative publication, Alwin Walther: Pionier des Wissenschaftlichen Rechnens, Kolloquium zum 100. Geburtstag, volume 75 of the Technical University Darmstadt Schriftenreihe Wissenschaft und Technik, ISBN-3-88607-120-0.

    David Huffman [d, 9 Aug 1925 -- 7 Oct 1999], Professor at MIT and Santa Cruz, who invited me to visit Stanford for the spring quarter of 1964 while he himself was visiting at Stanford for the year -- and also an ongoing consultant in what is now the Computer Science Lab at SRI. His interest in my 1964 paper on self-synchronizing information-lossless sequential machines (itself inspired by his 1959 paper) began a long friendship. The diversity of his work is remarkable, from Huffman codes and asynchronous sequential machines to his little-known paper on graphical representations of error-correcting codes. His later work on zero-curvature surfaces is extraordinary, and where it led him is even more remarkable -- some of the most beautiful artistic creations I have ever seen, while at the same time based on his mathematical theory of continuous deformations without tearing or cutting: truly amazing. See David A. Huffman, Curvatures and Creases: A Primer on Paper, IEEE Transactions on Computers C-25, 10, pp. 1010-1019, October 1975. (A hint of the variety of some of the astounding and artistically beautiful ``foldings'' he achieved can be found online. A photographic record of these works is being planned in his memory. See also an article in The New York Times by Margaret Wertheim, ``Cones, Curves, Shells, Towers: He Made Paper Jump to Life,'' June 22, 2004, National Edition, page D2, with a correction on June 25, 2004, page A2. See also a more recent Web item, Curved Crease Origami, from The Institute for Figuring.) All in all, Dave had an incredible ability to provide elegant solutions to complex problems, and often with visual simplicity -- as in his delightful representation of the seven-bit Hamming code: Draw a three-circle Venn diagram; label as 1, 2, and 4 the regions that are included in only one circle; label each other region as the appropriate sum of 1, 2, and/or 4 depending on which circles the region encompasses; the center is thus 7. Regions 3, 5, 6, 7 represent the four information digits; regions 1, 2, 4 represent the even-parity-check digits; the three circles represent the parity checksums. Voila! The Hamming code. For any single-bit error, it is immediately obvious which bit it must have been from the three parity checks. Now you can explain a complex mechanism very simply through a picture! Dave's death on 7 October 1999 was a great loss to me and many others.
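
    The Venn-diagram construction just described, written out as an added Python example (it is not code from this page or from Huffman). The constant and function names are chosen for the illustration; the circles are identified by the labels 1, 2, and 4 of their only-one-circle regions.

```python
# Added illustration of the Venn-diagram view of the seven-bit Hamming code.
# All names here are chosen for this example.

CIRCLES = (1, 2, 4)            # each circle, named by its "only this circle" region
REGIONS = tuple(range(1, 8))   # region label = sum of the circles that contain it
DATA_REGIONS = (3, 5, 6, 7)    # regions inside two or three circles: information digits
PARITY_REGIONS = (1, 2, 4)     # regions inside exactly one circle: parity-check digits


def in_circle(region, circle):
    """A region lies in a circle when the circle's label is part of its sum."""
    return bool(region & circle)


def encode(data_bits):
    """Place four information bits in regions 3, 5, 6, 7 and fill regions
    1, 2, 4 so that every circle holds an even number of ones."""
    if len(data_bits) != 4 or any(b not in (0, 1) for b in data_bits):
        raise ValueError("expected exactly four bits, each 0 or 1")
    word = dict.fromkeys(REGIONS, 0)
    word.update(zip(DATA_REGIONS, data_bits))
    for circle in CIRCLES:
        # The parity region labelled `circle` is the one lying only in that circle.
        word[circle] = sum(word[r] for r in DATA_REGIONS if in_circle(r, circle)) % 2
    return word


def failed_circles(word):
    """Return the circles whose four regions contain an odd number of ones."""
    return [c for c in CIRCLES
            if sum(word[r] for r in REGIONS if in_circle(r, c)) % 2]


def correct(word):
    """Flip the one region that lies in exactly the failing circles.
    Returns (corrected word, region flipped), with 0 meaning no check failed."""
    bad_region = sum(failed_circles(word))
    fixed = dict(word)
    if bad_region:
        fixed[bad_region] ^= 1
    return fixed, bad_region


def decode(word):
    """Correct at most one flipped bit and read back the information digits."""
    fixed, bad_region = correct(word)
    return [fixed[r] for r in DATA_REGIONS], bad_region


def flip(word, *regions):
    """Return a copy of the word with the given regions inverted (channel errors)."""
    damaged = dict(word)
    for r in regions:
        damaged[r] ^= 1
    return damaged


if __name__ == "__main__":
    sent = encode([1, 0, 1, 1])            # constructed sample input
    received = flip(sent, 6)               # single-bit error in region 6
    print("failing circles:", failed_circles(received))   # circles 2 and 4
    print("decoded:", decode(received))
    # Two errors still fail some check, but the failing circles then point at a
    # third region, so the "correction" silently produces wrong data.
    print("two errors:", decode(flip(sent, 3, 5)))
```

    The picture guarantees correction of one flipped bit only; with two flipped bits the failing circles single out an innocent region, as the last line of the example shows.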

    Fernando Corbató, Professor at MIT (now emeritus), father of time-sharing, and leader of the development of both CTSS and Multics. Corby was the best man at my wedding in 1997. He has been a wonderful colleague and friend since 1965, and is still very much involved with computer technology. His wife Emily is a fine concert pianist, photographess, and wit. I delight in visiting with them both.

    E.L. (Ted) Glaser, 7 Oct 1929--5 Dec 1990 [d], was a man of many careers, whom I knew best during the Multics days. He taught me many things -- including how to communicate effectively adapting to the needs of the listener, but also to appreciate the critical need for basic principles in any development effort. (He and I coauthored the first declaration of Multics principles!) Despite his blindness, he had the most extraordinary vision and insights. He had an uncanny practical sense and wisdom. He had the ability to hear and understand multiple conversations simultaneously, to listen to speech at many times its normal speed, and to correlate information across multiple disciplines. He was superb at spotting security flaws long before anyone else. I particularly remember one day in May 1965 when we were working out the early Multics design in a room with three walls of blackboards. Late in the afternoon when we had moved to the end of the third blackboard, someone had made a particular suggestion. Ted pointed to an item that was still on the blackboard from the early morning (most everything else around it having been erased and overwritten several times), and noted that this suggestion contradicted what we had agreed on earlier. Not just a great memory, but an amazing perception of how things appeared to the sighted. He was also a marvelous organist, and had a delightful sense of humor. For example, a modular system is ``one that falls apart easily.'' Multiprogramming is like ``trying to keep 10 balls in the air at the same time, and discovering that two of them are yours.''

    Herbert Blomstedt, conductor of the San Francisco Symphony for ten years, mid-1980s to mid-1990s (and Conductor Laureate since 1995). I audited his conducting course at Loma Linda University in the summer of 1985, and attend as many of his SFS rehearsals as I can manage (although in his emeritus role, he now usually visits San Francisco for only two weeks each year). He inspired a rebirth of my musical existence in 1984 that is still ongoing. He is an extraordinarily wise person, and has thought deeply about many musical issues. Conversations with him are truly enlightening.

    Martin and Emily Lee, dedicated Tai Chi teachers in Palo Alto, themselves mentored by Kuo Lien-Ying and Yu Pen-Shi. See their book, Ride the Tiger to the Mountain, Addison-Wesley, ISBN 0-201-18077-4. Martin is also a SLAC physicist. The teaching of Martin and Emily has contributed a wonderful inner peace and balance to my life.

    There are many others as well, including (among many others) good friends and colleagues Edsger Dijkstra (11 May 1930--6 August 2002 [d]), Dave Parnas, Nancy Leveson, Marc Rotenberg, Bob Morris (college classmate and Bell Labs) [d. 26 Jun 2011] and Whit Diffie. Mae Churchill [d, 10 February 1996, at 84] (creator of Election Watch, in the early 1980s if not sooner) convinced me long ago to become more involved in the never-ending battle for integrity in elections, and particularly those that are computerized. I had a wonderful long visit with her in Los Angeles in December 1988. Mae was an enormous inspiration to me, Rebecca Mercuri, and other early advocates for election integrity. What a blessing to have such wonderful influences.

    At Harvard, I just missed getting Tom Lehrer for Math 1 in 1950 (which might have changed my entire life?). But I did have a wonderful bunch of professors in the 1950s, including Edward Purcell (a Nobelist in physics), Leonard Nash (who did marvelous explosions in chemistry class), Hartley Rogers (in a scintillating probability course), Fred Mosteller (a statistical wizard, later famous for his classes on public television), a General Education class English lecturer named Martin Swerdlow (he was categorized as an Academic Roué in the Crimson Confidential's annual faculty evaluations; he espoused what Marsden Dillenbeck had instilled in me -- the love of writing), John Finley, Thornton Wilder, Ernest Hooton (with raunchy anthropology-related jokes), Willard Van Orman Quine [d] (mathematical logic titan, who died at 92 on Christmas Day 2000; he considered state lotteries as ``a public subsidy of intelligence'' on the grounds that ``it yields public income that is calculated to lighten the tax burden of us prudent abstainers at the expense of the benighted masses of wishful thinkers.''), Howard Aiken [d], Ken Iverson, Bob Minnick [d] -- among others. They all provided lots of inspiration, as did some of my graduate-school colleagues -- Bob Ashenhurst [d, 27 October 2009], Albert Hopkins, Fred Brooks, Peter Calingaert, Robin Esch, Rick Gould [d, June 1958], Marty Cohn, Jim Lincoln, Ramon Alonso, and Willard (Bill) Eastman, to name just a few.

    Incidentally, in a typically imaginative effort, Bob Ashenhurst played a marvelous trick on my then office-mate Rick Gould. What was perhaps the gnarliest convoluted page in Rick's 1957 Harvard PhD thesis had to do with properties of two-terminal graphs representing bridge-network relay switching function implementations where current could go in either direction through the bridge elements (as distinct from the one-way direction in a relay tree). Bob rewrote one page in the thesis to refer to two-terrible giraffes and subgiraffes (with other creative msipelingz as well) and placed it in the copy that went to Aiken. Having been tipped off by Bob, Aiken (who was well-known for his irascibility) charged in and demanded that Rick explain the meaning of this outrage, pointing to the altered page. [Tragically, Rick died in an ice-climbing accident, falling into a crevasse on Dent Blanc in the spring of 1958 together with another climber.]

    Reflecting on the deaths of my sons John and Chris, I am deeply moved by an excerpt from a letter that Ambassador Joseph Kennedy wrote in 1958 to a close friend whose son had died:
    ``When one of your loved ones goes out of your life, you think of what he might have done for a few more years, and you wonder what you are going to do with the rest of yours. Then one day, because there is a world to be lived in, you find yourself a part of it, trying to accomplish something -- something he did not have time to do. And, perhaps, that is the reason for it all. I hope so.''


    Considering how important all of the above people (and others) are and were to me, I hope I can return something by mentoring others. Long ago in the 1960s, I was on PhD committees for Jeff Ullman at Princeton, and in 1969 for Jim Gray [d, 28 Jan 2007] at the University of California at Berkeley -- whose wonderful and extraordinary presence is now sorely missed. [See John Markoff's NYTimes blog item on 31 May 2008.] More recent PhDs are
    * Drew Dean, 1999, at Princeton, with an elegant thesis on modeling Java-like environments (Formal Aspects of Mobile Code Security).
    * Lenny Foner, 1999, at MIT (with a nifty thesis, A Distributed, Privacy-Protected Matchmaking System, on his Yenta system for discerning group relationships, while at the same time respecting security and privacy).
    * Chenxi Wang, 2001, at the University of Virginia, a fascinating thesis on creative obfuscation to hinder reverse engineering (A Security Architecture for Survivable Systems).
    * Rebecca Mercuri, 2001, University of Pennsylvania, a really important thesis on the integrity and lack of integrity in the electronic voting-system process (Electronic Vote Tabulation Checks and Balances).
    * Michael LeMay, 2009, University of Illinois, Urbana-Champaign (Compact Integrity-Aware Architectures).


    Music is a fundamental part of my life. I play a variety of instruments (bassoon, French horn, trombone, piano, etc.), in the Institooters (the SRI alumni 1940s-style swing band), the Foothill Wind Symphony, the Peninsula Symphonic Band, and summertimes in the Los Altos Olde Towne Band. My wonderful wife Liz (née Susan Dal Juvet) plays tuba in all of those groups. We have also played in the Peninsula Pops Orchestra, and for a few years played traditional Dixieland in the Pastoria Avenue Jazz Band. With Liz on tuba, I played baritone horn in the 1998 Tuba Christmas (with 216 tuba-family instruments) and Eb tuba in the 1999, 2000, and 2002 Tuba Christmas spectacle (with great acoustics in the three-level Eastridge Mall in San Jose). Since the summer of 2000, Liz and I have played in the Vineyard Haven town band (and once as ringers with the Boston University Alumni Concert Band). Our brass ensemble -- the Shasta Brass Quintet -- (trumpets Dan Swinehart and Ted Tilton, trombone Cliff Smith, French horn Peter, and tubist Liz -- ``Du bist die Tubiste!'') has been playing together regularly for our own enjoyment, although we have now had a bunch of public appearances. The StePeLi Trio (for Steve, Peter, and Liz, with my SRI colleague Steve Dawson, an excellent clarinetist with whom I also occasionally play four-hand piano) meets as often as schedules permit; we've been working on Mozart, Beethoven, and Brahms piano trios (!), among other works. We get together now and then with Rob and Nan Shostak for various quartets, and played the Schubert Trout Quintet when Frieder von Henke was in town. I played bassoon in Stanford Savoyards Gilbert and Sullivan performances of The Grand Duke in 2007, Gondoliers, and The Yeomen of the Guard in April 2008 and 2015.
I play self-duos on two recorders at once, occasionally hum and whistle some two-part harmony at the same time (a master at self-duos is Andy Stein, long-time music man and violinist for Garrison Keillor's The Prairie Home Companion; however, unlike Ron Graham and various other MIT/BellLabs folks, I never learned how to juggle while riding a unicycle), sing, and dabble at conducting and composing. For four years, I accompanied a young violinist neighbor in violin sonatas throughout her high-school years -- until she went off to college. I still have on the back burner a collection of about 50 small compositions that I have written (mostly for piano, and some with voice or other instruments as well), intended to be relatively easy to play because of their use of concepts of software engineering, abstraction, structure, symmetries, and iterative learning strategies. (They were actually inspired by the Einstein quote above.) These simple pieces are intended to almost play themselves! Perhaps I'll eventually put a few of them online. (Several of you have inquired about when I might do that. Too many distractions, although I do write a new piece now and then.) And perhaps you'll hear more here about the Shasta Brass Quintet, which performs occasionally for friendly occasions.

    Long ago, my musical endeavors were many and varied. As an undergraduate, I did Gilbert and Sullivan operettas. I prepared the chorus and sang the Sergeant of Police in summer 1951 performances of Pirates of Penzance in Old Greenwich, Connecticut, which the late Barry Morley directed and sang. I sang Mount Ararat with Allan David Miller and Barry as the other two lords in Winthrop House's Iolanthe in 1953, and conducted performances of Pirates a few weeks later in a production directed by Barry. I was also in the chorus of The Mikado in Winthrop House performances in 1952, with Barry and Al in leads. I sang in the Harvard Glee Club throughout my college years (including many symphony concerts with the Boston Symphony under Charles Munch, the then-definitive recording of Berlioz Damnation of Faust, and a performance of Stravinsky's Oedipus Rex under William Steinberg and the Buffalo Philharmonic), and in my freshman year played in the orchestra (including an LP record of Shostakovich's 5th). My theatrical debut (apart from playing Peter Pan in the 3rd grade) was as a policeman in a very dumb musical skit Sally Rand (a then-well-known ecdysiast and fan dancer) had written for our 1950-51 freshman year class Smoker (which also featured Tom Lehrer). It was basically puerile, but segued into Sally pulling a 7-page political manuscript out of her bodice and greatly disappointing the audience by reading it verbatim -- resulting in pennies, pencils, and other loose objects being tossed in her direction. (This was the early years of Senator Joseph McCarthy's activities.) With ambitions as a nonprofessional musician, I spent the summer of 1954 working at Tanglewood, as Assistant Registrar of the Berkshire Music Center, hobnobbing with students, composers, and symphony players, and attending almost every concert. In graduate school, there was more:
    (1) Joint work in 1954-55 with Fred Brooks, Bill Wright, and Albert Hopkins for Tony Oettinger's seminars on computational linguistics, in which Al and I used Fred and Bill's Markov analysis of 37 common-meter hymn tunes on the Harvard Mark IV to generate over 600 "new" hymn tunes based on Markov chain lengths from 0 to 7 eighth notes, all of which were statistically consistent with the sample space. The 0-order tunes sounded completely random, while the 7th-order tunes were more or less indistinguishable from the chosen 37 hymns -- but all recognizably different. (See the first item in my abridged reference list.) At a subsequent event to celebrate the unveiling of Harvard's Univac I, probably around 1956, Harvard's Official Poet David McCord wrote the following common-meter hymn-tune verse (giving credit to Univac, even though the computing had been done on the Harvard Mark IV) -- I just stumbled onto a copy in my archives, in 2011:
    O God, Our help in ages past,
    Thy help we now eschew.
    Hymn tunes on Univac at last,
    Dear God, for Thee, for You.
    We turn them out almighty fast,
    Ten books to every pew.
    (2) Bob Ashenhurst, Albert Hopkins, and I used to sing Gilbert and Sullivan trios in the basement of the old Computation Lab (subsequently renamed the Aiken Lab, and now torn down and replaced with a new building).
    (3) In February 1956, I sang the part of the Man in the Moon in what I believe to be the world's first science-fiction opera, Joel Mandelbaum's The Man in the Man-Made Moon, in which the Man in the Moon becomes quite jealous of the Man in the Man-Made Moon and threatens celestial war, whereupon the Scientist who created the Man in the Man-Made Moon performs an operation whereby the Man-Made Man in the Man-Made Moon is transformed into the Man-Made Maid in the Man-Made Moon, leading to a Happy Ending. It is a wonderful opera. (In case you had not guessed, it was written post-Christine Jorgensen, but pre-Sputnik -- and, for that matter, before mooning became popular.) I managed to contact Joel for the first time in 45 years, and he sent me an audio tape! What a delight! And after 49 years, Joel informed me of the first full performance since 1956, on 15 April 2015 at Queens College. The subject matter still seems timely today!
    (4) I did and still do Tom Lehrer interpretations, e.g., once in a while at USENIX Security conferences. I still revel in the Tom Lehrer title for which he never wrote the song -- because it would have been an anticlimax: ``If I had it to do all over again, I'd do it all over you.'' And then there was the Boston subway song, to the tune of Mother, on the stations at the time (Harvard, Central, Kendall, Charles, Park, Washington). (I presume it is copyrighted, so I don't want to put it on the Net. It begins, to the tune of Mother, ``H is for my Alma Mater, Hahvahd,'' and ends with the aggregate pronunciation, HCKC PW.) He must have observed this nicely pronounceable string while riding the Boston MTA in his graduate-school days.

    (5) I had a ten-year stint on the Board of Greenwood Music Camp in Cummington, Massachusetts (1992-2001), where I was a camper from 1946 to 1950, and regularly attend an annual reunion each June. I am now back on the board, as of June 2014. The camp still thrives as a superb summer experience for youngsters; a new performance structure was completed in the summer of 2000.
    (6) In March 1999 I was in Cambridge to help Tony Oettinger celebrate his 70th birthday; Bob Ashenhurst wrote an adaptation of the Gilbert and Sullivan ``I am so proud'' from the Mikado [see item (2) above], which came out as ``He is so wise'', sung by Bob, Jim Adams, and myself. (As noted above, Tony was my PhD thesis advisor "many years ago" -- which happens to be the lead line of another G&S song.)

    Both of Liz's sons are also enjoying their own music. Her younger son, New York City bassist Tim Luntzel, in 2006 released a wonderful CD with his group, Brooklyn Boogaloo Blowout: Who Burnt The Bacon? The CD is ``outrageous good'' (as Tim might say). As a bonus for us, Liz plays tuba on two cuts (including Rumpty Dumpty Part 2), and I'm doing some very-low-bass backup vocals for Norah Jones (Day and Night) and Richard Julian (Calypso Boogaloo) -- including some resonant low-A notes (below the bottom bassoon note). Tim has now put his recordings online, for playing and downloading. See also a review of Who Burnt the Bacon by John Book. A recent (2011) CD by Tim's Brooklyn Boogaloo Blowout group is also online for download. Tim has also played with Jesse Harris, Jim Campilongo, Jenny Scheinman, Leah Siegel, Rosanne Cash, and others, and had a tour with Bright Eyes. See his bio page. Liz's older son Mark Luntzel plays guitar in his spare time, when he is not working in his day job as a computer wizard.

    Statistical Metalinguistics and Zipf/Pareto/Mandelbrot

    I frequently see cryptic references to the magic of Zipf or Pareto or Mandelbrot, with reference to linguistic and other structures, and sometimes in the context of 80-20 rules relating to almost anything. (See Note.)

    There is no surprise at all in the Zipf/Pareto/Mandelbrot theories once you understand that each formula can be derived mathematically. In 1959, my old Russo-Belgian friend Vitold Belevitch [2 Mar 1921--26 Dec 1999] (see On the Statistical Laws of Linguistic Distribution, Ann. Soc. Sci. Bruxelles 73, III, 1959, 310-326) considered a wide class of more or less well-behaved statistical distributions (normal or whatever), and performed a functional rearrangement that represents the frequency as a function of rank-ordered decreasing frequency, and then did a Taylor expansion of the resulting formula. Belevitch's lovely result is that "Zipf's Law" follows directly as the first-order truncation of the Taylor series. Furthermore, "Mandelbrot's Law" (which seems even more curious and mysterious to most people) follows immediately as the second-order truncation. ("Pareto's Law" lies in between Zipf and Mandelbrot, with different slope of the 45-degree curve.) There is nothing magical or mystical about it! And yet very few people know of his wonderful paper, and tend to overendow the amazingness of one of the various "Laws", oblivious to this remarkably simple result. Click here for a copy of this wonderful paper. (I referred long ago to Belevitch's article in a paper based on my PhD work, Efficient Error-Limiting Variable-Length Codes, I.R.E. [precursor to the IEEE] Transactions on Information Theory IT-8, July 1962, 292-304.) I am grateful to Pierre-Jacques Courtois, who has written a superb biographical piece on Vitold, and reminded me that my earlier memory of the paper had been misrepresenting Vitold's work -- which did not explicitly mention Pareto. I was also delighted in a more recent discussion with Jean-Jacques Quisquater to discover that JJ was long ago a colleague of Vitold.

    Jim Horning [d] once asked me about a possible connection with the 80-20 rule. My response was this:

    See my thesis work and subsequent papers on rapidly self-resynchronizing variable-length Huffman-like codes for large alphabets, which demonstrate a wide range of departures from the so-called 80-20 rule. Two examples illustrate this:

    * In 36,299 occurrences of English words (Miller et al.), the most frequent 18% of the words account for over 80% of the word occurrences. That's close to the so-called 80-20 rule.

    * In over 11 million occurrences of German words (Kaeding -- fascinating book, incidentally), the most frequent .6% of the words account for over 75% of the word occurrences, which is in some sense roughly 20 times more skewed than the so-called 80-20 rule. Perhaps the wider skewing is due to the fact that conjugated forms and declined forms (such as the most frequent der, die, das, etc.) are counted as different words, which linguistically of course, they are.

    Both of these language statistical studies closely follow Zipf-Mandelbrot all the way down to the tails. But the parameters are slightly different. Thus, the supposed 80-20 split does not in any way follow directly from Z-M. It could be 80-20, or 99-1, or worse!
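
The dependence of the split on the parameters can be checked numerically. The following is an added example, not part of the original page: it assumes the usual Zipf-Mandelbrot form, frequency of the rank-r word proportional to 1/(r+b)^a, and its vocabulary size and (a, b) values are constructed for illustration, not fitted to the Miller or Kaeding counts.

```python
"""Head/tail splits under a Zipf-Mandelbrot rank-frequency law.

Assumption (not from the page): the frequency of the rank-r word is
proportional to 1 / (r + b) ** a.  The vocabulary size and the (a, b)
pairs below are constructed values, chosen only to show how far the
"80-20" split moves when the parameters change.
"""
from itertools import accumulate


def zm_weights(n_types, a, b=0.0):
    """Unnormalised Zipf-Mandelbrot frequencies for ranks 1..n_types."""
    if n_types < 1 or a <= 0 or b <= -1:
        raise ValueError("need n_types >= 1, a > 0 and b > -1")
    return [1.0 / (r + b) ** a for r in range(1, n_types + 1)]


def head_share(weights, top_fraction):
    """Share of all occurrences covered by the most frequent
    `top_fraction` of the word types (weights are rank-ordered)."""
    k = max(1, round(top_fraction * len(weights)))
    return sum(weights[:k]) / sum(weights)


def types_needed(weights, coverage):
    """Smallest fraction of word types, taken most frequent first,
    whose occurrences reach `coverage` of the total."""
    total = sum(weights)
    for k, running in enumerate(accumulate(weights), start=1):
        if running >= coverage * total:
            return k / len(weights)
    return 1.0


def split_table(n_types=10_000,
                params=((0.7, 0.0), (1.0, 0.0), (1.0, 2.7), (1.5, 0.0))):
    """For each (a, b): share held by the top 20% of types, and the
    fraction of types needed to reach 80% of occurrences."""
    rows = []
    for a, b in params:
        w = zm_weights(n_types, a, b)
        rows.append((a, b, head_share(w, 0.20), types_needed(w, 0.80)))
    return rows


if __name__ == "__main__":
    print("   a     b   top 20% of types hold   types needed for 80%")
    for a, b, share, need in split_table():
        print(f"{a:4.1f}  {b:4.1f}   {share:20.1%}   {need:20.2%}")
```

Every row follows the same law exactly, yet the top 20% of types hold anywhere from roughly 60% to over 99% of the occurrences, depending only on a and b.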

    [NOTE: The so-called 80-20 rule is discussed in Linked, Albert-László Barabási (Plume, 2003), which Paul Concus once shared with me. (The book subtitle is ``How Everything Is Connected to Everything Else and What It Means for Business, Science, and Everyday Life'' -- which is very relevant.) Linked has a few errors that strike home: (1) p.147 mentions Paul Baran at the 1967 symposium in Gatlinburg, Texas. It was indeed 1967, the first ACM Symposium on Operating Systems Principles, in Gatlinburg, Tennessee. (ALB must have been thinking of the Texas Steak House in Gatlinburg, Tennessee.) (2) p.149: ``e-mail was born when an adventurous hacker, Rag Tomlinson ...'' Well, e-mail was born on CTSS at MIT by Tom Van Vleck and Noel Morris [d] in the mid-1960s, possibly somewhat contemporaneous with a similar effort at Dartmouth. ARPANET e-mail was around close to the beginning of the ARPANET in 1969. (3) p.151 cites the first Internet (NO, ARPANET) node at UCLA, and the first e-mail having been sent from UCLA to Stanford. NO NO NO. It was UCLA to SRI. The first two sites on the ARPANET were UCLA and Stanford Research Institute (now SRI International), in 1969. But Linked is an excellent read despite slips such as these.]

    With respect to everything being linked, one of my favorite quotes is from Bob Morris (then chief scientist of the National Computer Security Center): ``To a first approximation, every computer in the world is connected with every other computer.'' (19 September 1988, in a briefing from Bob, K Speierman -- then Chief Scientist of the NSA -- me, and Don Good, for the National Research Council Computer Science and Technology Board in Washington DC) (This was of course about 6 weeks before the Internet Worm!)

    Some Quasi-Literary Pursuits

    Peter Neumann's Multiply-Mixed Metaphor Mania

    * Pandora's cat is out of the barn, and the genie won't go back in the closet. [This polymorphic statement can be variously applied to cryptography, export controls, viruses, spam, terrorism, outsourcing, and many other issues.]

    * It's like shooting a straw herring in midstream. [Straw men have a difficult time catching red herrings!] An alternative version that I have used is ``It's like flogging a straw herring in the foot.''

    * In an article by John Schwartz in The New York Times, 30 Mar 2001, on Internet technologies in business, reflecting on the acceleration being a double-edged sword, I was quoted as saying, ``Many of the swords have more than two edges -- sort of a Swiss Army Knife with the blades in upside down, so that you keep cutting yourself on some of the implements whenever you try to take one out.'' Tad Simmons of *Presentations* (June 2001) cited this, and added ``Without saying a single word directly about the economy, Neumann was able to convey the idea that business propositions in the Internet age are complex, multi-faceted, and often painful.'' [Seems appropriate for the U.S. and world economies as well, a truly multidimensional situation.]

    * Giving the camel an inch leads to a foot over the dam. [The camel's nose under the tent and a foot in the door together cause water on the knee over the dam. Don't burn your britches over spilled camel's milk. Sorry. This is still a work in progress.]

    * In September 2004, I happened to stumble onto this one from Molly Ivins for the first time, even though it is an oldie (1991): ``Legislators do not merely mix metaphors: they are the Waring blenders of metaphors, the Cuisinarts of the field. By the time you let the head of the camel into the tent, opening a loophole big enough to drive a truck through, you may have thrown the baby out with the bathwater by putting a Band-Aid on an open wound, and then you have to turn over the first rock in order to find a sacred cow.'' Molly Ivins, *The New York Times Magazine* (quoted in *Molly Ivins Can't Say That, Can She?*, Vintage Books, 1991). Her presence is sorely missed.

    * In December 2008, Steven J. Greenwald contributed this item to the cause, from Futurama, by the idiot character, Captain Zapp Brannigan: ``If we hit that bull's eye, the rest of the dominoes will fall like a house of cards. Checkmate.''

    * In any case, I've bitten the bull by the hornist, or tried to take the bullet by the hornets.

    Annoying Words and Expressions, especially `Best Practices'

    Timothy Egan, in The New York Times Sunday Review section on 29 Dec 2013, wrote an op-ed piece entitled Words for the Dumpster, citing his list of ``the most annoying, overused and abused words of the year.'' He managed to use each one of those words in his penultimate paragraph: ``I'm as guilty as anyone in letting these banish-worthy words get into print. This column is both artisan and gluten-free, an extension of my brand in a 24/7 environment full of world-class competitors. Whatever. At the end of the day, I'll try to use best practices and resolve to do better.'' Although the best may be the enemy of the good (Voltaire), I've long noted that the good that results is often nowhere near enough. (Recently, see my CACM Inside Risks columns from October 2012 and February 2013.) The poster child for that problem may be what are commonly called best practices, which are usually not best, and certainly even good. Some of the worst examples arise in connection with the so-called best practices for security.

    An Epic Annotated Limerick

    In 1973 I wrote an Epic Annotated Limerick in honor of my literary mentor, Marsden V. Dillenbeck (noted above). It was later extended in 1978. His passing was one that left me de-ment(or)ed. WARNING: This should probably be read only by folks who enjoy crypto-pseudoliterary puns (some multilingual), alliteration, poetic meters, cryptic puzzles, and other linguistic weirdnesses.

    Speaking of puns, one of my favorite situational puns is attributable to Rishiyur S. Nikhil in RISKS-20.01, in response to a comment I made in RISKS-19.97:
    I had written ``Combine digital photography with the see-through infrared camera technology described in RISKS-19.93 and we get undie-lewded truth?''
    To this, Nikhil replied ``Beware of geeks baring gifs.''

    Metrics, Schmetrics!

    The current mad craze for good metrics
    Is somewhat like judging cute pet tricks.
    For software with purity
    And cybersecurity,
    We're doggedly seeking a quick fix.

    (Note: Trustworthiness is inherently multidimensional. Trying to find single-valued metrics is itself risky. PGN, 20 May 2010)

    My Favorite Meta-Limerick

    In the fall of 1950, scrawled on the walls of what was then Claverly Hall at Harvard was the following limerick:

    There once was a man overweaning
    Who expounded the meaning of meaning.
    In the limelight he basked
    'Til at last he was asked
    The meaning of meaning of meaning.

    (I never metalimerick I did not enjoy.)

    A Large-System Glossary for EWD

    For Edsger Dijkstra's 60th birthday in 1990, I wrote a chapter called "Beauty and the Beast of Software Complexity -- Elegance versus Elephants", which appeared in Beauty is Our Business, A Birthday Salute to Edsger W. Dijkstra, edited by W.H.J. Feijen, A.J.M. van Gasteren, D. Gries, J. Misra, Springer-Verlag, 1990. My appendix to the chapter included this bit of doggerel:

    * Elephantine equations: Large-system requirements for which there may be a multiplicity of integral solutions.

    * Pachydermatitis: A breakdown in the outermost layer of a very large system (e.g., manifesting itself as a flaky user interface). (Ichthyosis scales up inefficiently.)

    * Behemotherhood. In very large systems, motherhood that has a high likelihood of running amok.

    * Hippodromederriere. An awkward race down the back stretch to write the last half-million lines of code before the system self-destructs in an evolutionary backwater.

    Writing Style and Grammar

    * Hyphen-related ambiguity: You might be interested in a few items I wrote for a would-be book on English language usage. One section, referred to as the Hyphen(h)ater's Handbook, appeared in RISKS, vol 17, issue 95, discussing the deeper implications of ``email'' versus ``e-mail'' and related ambiguities.

    Whit Diffie once sent me an item on Facebook `Like' scams, having read it as Facebook-like scams (not to be confused with Facebook Likes Scams or even Facebook Likes Cams). I responded by noticing the difference between `Diffie-Hellman like crypto' and `Diffie-Hellman-like crypto'.

    * The misplaced `only': Another section of that would-be treatise, Only His Only Grammarian Can Only Say Only What Only He Only Means, discusses the risks of the misplaced ``only'' --- in particular, the ambiguity that can result.

    * The missing `than': A more recent addition discusses the ambiguities that arise from Incomplete Comparisons: The Missing ``than'' in ``more than''.

    * Ambiguities in `less': An addition discusses the ambiguities that arise from some uses of `less'.

    * Commas, Apostrophes, and More: In Lynne Truss's book ``Eats, Shoots & Leaves'' (which, without the comma, is what a Panda does), the author notes the wonderful ambiguity between ``Those old things over there are my husbands'.'' and ``Those old things over there are my husbands.'' to illustrate the importance of apostrophes -- which are so frequently misused (e.g., its vs it's). The book's subtitle is The Zero Tolerance Approach to Punctuation, and should be of interest to anyone who has read thus far through my Web site. Gotham Books, April 2004. Now I guess I don't need to write the rest of the book of which the Hyphen(-H)aters Handbook was somewhat facetiously conceived to be a part!

    Another addition, from the Oxford University Press, Edpress News:
    It's is not, it isn't ain't, and it's it's, not its, if you mean it is. If you don't, it's its. Then too, it's hers. It isn't her's. It isn't our's either. It's ours, and likewise yours and theirs.

    * Acronyms: Although we introduced ACLs in Multics in 1965 (as noted above), I would now like to introduce something we might call Role-Name Groups (RNGs), so that we can compare ACLs and RNGs! [The previous sentence is actually a test to see whether, in reading, you pronounce acronyms (a) as if they are words (ackle), or (b) sequences of letters (R-N-G), or (c) expansions based on what is referred to by each letter. I know people who fairly consistently go one way or the other. In the case of my example, ACLs and RNGs are of course intended to be treated ~GNU's Not Unix).

    Other onomatopoeic or self-referential backronyms, in addition to ACCURATE:
    * SPAWN: Salmon Protection and Waterways Network

    Some Absurdities

    Combatting ``Combating''

    I've been struggling with people who insist on spelling ``combatting'' as ``combating''. Since COMBATING seems to have replaced COMBATTING in our absurdly inconsistent American English language, I am horrified that we might now have to live with COTTON BATING and BASEBALL BATING AVERAGES. I await with BATED but not BATING breath for this idiocy to someday get reversed. It is utterly absurd. Indeed, I am shocked and horrified that the spelling correctors are not becoming spell correctors for those of you who are in a total spell as a result. And I am not baiting you if you too have succumbed to this utter stupidity. I'm just biting my tongue, and BIDING my time, betting that soon BETTING will become BETING, BITTER will become BITER, and BIDDING will become BIDING. BETTER BETTER NOT BE BECOME BETER.

    * Msipelingz and speling simplifications. But what about `spell checkers'? They certainly would have been relevant in the pre-computer days of the Salem Witchcraft trials.

    * Cut 'em Off at The Cyber Pass: `Cyber' is popular these days, but its misusage seems to proliferate.
    Cyber is not a verb: you cannot cyber something.
    Cyber is not a noun: you cannot buy me a cyber.
    Cyber is disparaged as an adjective: you are not a cyber person and a computer is not a cyber computer.
    So, this leaves us with a logical conclusion: Cyber is a combining form: as in Cybernetics (Norbert Wiener) and cybersecurity. But it is grossly overused and abused, especially by the buzzword-dependent folks who tend to oversimplify everything by referring to a popular buzzword or buzzphrase, as in referring to `cloud computing' as the salvation of everyone's computer problems.
    Note that `Web' (short for the World Wide Web) and `web' are somewhat different: `web' is a noun (not an adjective), and `Web' is a proper noun. However, I seem to prefer `website' to `Web site'.

    * Quotes and Periods: I have had many battles with old-think editors who insist on putting terminating punctuation (e.g., periods) inside of quotes even when those periods are not part of the quoted text or literal string. Consider the editor's forced use of `string.' at the end of a sentence, when the period is not part of the string but coerced because it is the end of a sentence. This is just plain silly. Opposing that, consider a quoted phrase `` `string.'. '', when the literal string (`string.' in single quotes) actually includes the period and appears at the end of a sentence, requiring another period. That seems perfectly reasonable (albeit unusual). It is refreshing that some new-school editorializers allow a quoted string not to include the `period'. My rule is fairly simple: never put a period inside the quotes unless that period is part of what ``you are quoting''. This makes perfect sense logically. One way around this is to use italics instead of single quotes around strings, and reserve double quotes to quote things that are actually quotes!

    * Apostrophe mistakes: The most common apostrophic misuse seems to arise in the popular confusion between it's and its. It's easy to know its proper use if you think about a little grammar -- the difference between a contraction (ambiguously, for either it is or it has) and a possessive (its x-ness is precisely the x-ness of it, where x-ness is, for example, some sort of attribute), respectively.

    The possessive apostrophe-s following a word that ends in s is a little trickier. Proper names generally get an extra s, because the final s in the name is not a plural being apostrophesized, as in ``Parnas's''. But no extra s is generally needed when a nonProper word is already plural, as in ``The dogs' blankets are wet.''

    An article by Sarah Lyall in The New York Times (16 June 2001) noted John Richards (a retired newspaper copy editor and reporter living in Boston, England), who has founded the Apostrophe Protection Society. Richards -- pictured in front of ``Sweeney Todd, the Modern Mans Barber Shop'' -- is vigorously trying to protect against misuse of the Queen's English such as todays menue's and Nigels special pudding's.

    Geoff Kuenning noted this one from the Oxford University Press, Edpress News: ``It's is not, it isn't ain't, and it's it's, not its, if you mean it is. If you don't, it's its. Then too, it's hers. It isn't her's. It isn't our's either. It's ours, and likewise yours and theirs.''

    * Old-style grammatical rules don't rule anymore: It may have begun with California English, such as ``Her and me are going.'' Objectively unsubjective? Or subjectively unobjective! And now we have things like ``My bad.'' Well, if any noun can be verbed, then perhaps any adjective can be nouned, and so on -- with a tendency toward totally interchangeable parts of speech. Is this also happening in much more strongly typed languages such as German and Russian? It is certainly somewhat more difficult. Furthermore, ending sentences with prepositions is usually avoidable (note Winston Churchill's observing that is something up with which he would not put), but how about the `modern' trend toward prepositions without the rest of the phrase -- as in ``come with!''


    * ``Nuclear'': Could there be possible ideological or other noticeable cultural differences between people who pronounce the word ``nuclear'' correctly, and those who pronounce it as ``nuke-yu-ler''? This question needs some further psychosocial exploration, because I know some seemingly thoughtful and open-minded people who consistently pronounce the word incorrectly (perhaps because their colleagues do?), but also many folks with seriously closed minds who are incapable of realizing that they are wrong. Or are they? (Some dictionary publishers seem to think that this mispronunciation is acceptable -- or perhaps was at least in the first eight years of the previous decade!)

    * ``Neumann'': After many questions regarding the pronunciation of my name, and many mispronunciations, I thought it might be appropriate to dust off an old piece of doggerel written on 22 November 1976, in response to a query:

    On Peter Noimann

    While hoi polloi enjoy the ``new'',
    The cognoscenti are the few
    Who use the ``noi'' that he as boy
    Had always managed to employ,
    And which he somehow still does use.
    While that it's ``noi'' may come as news,
    The use of ``new'' never annoys --
    Although it sometimes sounds as noise.

    On 23 September 1992, I ran into an SRI mail-delivery person, whom I had not seen in many years. This was the exchange:

    ``Mr. Newmann, I'm presumin'?''


    ``No. Mr. Noymann, 'cuz it's Joyman.''

    (Well, Germanic, but actually Dad was born in 1887 in the Austro-Hungarian Empire.)

    By the way, there are quite a few other Peter Neumanns. I met Peter M. Neumann (group theorist at Queens College at Oxford) at the Brooklyn Polytechnic Symposium on Automata in 1962. Peter J. Neumann is a professor at Tufts (he is director of the University School of Medicine Institute for Clinical Research and Health Policy Studies, and also associated with Harvard). There is also a Peter R. Neumann at Kings College London, Director of the International Centre for the Study of Radicalisation and Political Violence in the Department of War Studies. Browsing `Peter Neumann' gets you a bunch of others as well. So if you are looking for me, the middle initial G seems to be more or less unique.

    * Other poetry: A few pieces of poetry are published in various places, including some in my Harvard class reunion books. One of my favorites is a work of abstract poetry that I did long ago with my poet friend Emmett Williams, an homage to Guillaume Apollinaire on the 50th anniversary of his untimely death. It was exhibited as a huge banner at the Institute of Contemporary Arts in London in 1968 spelling out his name. It appears on pages 348-359 of Emmett's book, Selected Shorter Poems, 1950-1970, Edition Hansjörg Mayer, Stuttgart, 1974, and published in the U.S. by New Directions Publishing Corporation. The work is a graphical representation of Apollinaire's utterance of hopes for the future: ``O mouths, mankind is in search of a new form of speech, with which no grammarians of any language will be able to talk. We want new sounds.'' These words are embedded into a diamond shape out of which the large-font letters of his name are formed. Reading across within the large letters gives all sorts of `new sounds' ... such as `neundsnearch' (with neunds from new sounds and earch from search) among the interwoven diamond shapes.

    Other Odds and Ends

    One of the sports rarities of my life occurred during one of the Sunday summer softball games that the Chilmark Massachusetts community has engaged in for something approaching 100 years, and in which I have played whenever possible since the early 1950s. On this occasion, I was playing third base and Spike Lee was playing first. Runners were on second and third with no outs. A ball was hit to me sharply down the third-base line, starting out foul but bouncing fair. I checked the runner at third, and threw the batter out at first. Spike noticed that the runner at second had run down to third base, and so he ran directly to third. In the blink of an eye, Spike tagged the original runner at third as he broke for home, and then the other runner who had panicked and started back to second. This was a most unusual Triple Play, 5-3-3-3!

    Incidentally, one of the legends of the Chilmark game going back to the 1950s is the long-time spectacularly steady third baseman Jerry Kohlberg, best known in that context as The Man in the Red Hat. He was widely known elsewhere as Jerome Kohlberg, a founder of Kohlberg Kravis Roberts in 1976. Jerry played in the triple-play game noted above, although he was at second base. (After years as a fixture at third, he migrated to shortstop and then second base as his arm strength -- but not his accuracy -- waned.) I was absolutely delighted at the news in November 2010 that Jerry and his wife bought the Vineyard Gazette (reported in its Volume 165 Number 30), becoming only the fourth family to own the newspaper founded in 1846. The Kohlbergs follow the Restons, who acquired it in 1975. I'm sad to note here that Jerry died on 30 July 2015. There is a beautifully written obit on the front page of the Vineyard Gazette of 7 August 2015 written by Julia Wells, a testament to his being a remarkably human person who always cared about doing the right thing -- despite his earlier days at Bear Stearns and then founding KKR. Julia notes that he was horrified by what was happening to Wall Street during his time off -- his long-time sense of fairness having been superseded by a world of hostile takeovers. Jerry will be very sorely missed by those of us who played in the Chilmark softball games for so many years -- and of course by many others.

    Many years before that, I was playing right field, with a runner on second. The second-baseman lost a popup in the sun and it bounced directly off his head to me on the fly. The runner on second had taken off, so I was able to double him off at second, and had both putouts in a rather unusual if not historically unique 4-9-9 double play. He was still playing second base in a game in 2014 -- and he remembered the play. Very few people seem to remember the freak triple play, especially now that Jerry is gone.

    I recently stumbled onto a somewhat discolored copy of Herb Caen's column in the San Francisco Chronicle from Feb 4 1976, which included the following squib that I would like to record for posterity before I toss it: "Down at Stanford Research Institute yesterday morning, computer programmer Peter Neumann was thinking about having breakfast, glanced out the window toward the cafeteria, saw two trucks parked in front of it -- Menlo Park Garbage, Dean's Animal Feeds -- and changed his mind." I really miss Herb's trenchant humor. (One of my favorites was Herb's puzzlement when he saw a license plate "ICECAR", until he realized that it represented "Datsunicecar". In 2008, Don Hudson read that item on my website, and reported that he had seen a license plate in Vancouver BC "NFUGUE"; it was (of course) a Honda Prelude, evidently honoring J.S. Bach. And then there is my musical doormat, ``Bach Later; Offenbach Sooner''.)


    If you read all the way through this to get here (rather than merely clicking on the last menu item), you have my greatest appreciation! Best wishes and cheers! PGN