Last year, Adam Stubblefield was driving home from his summer internship at Microsoft Research in Redmond, Wash., thinking of how to find alternative password mechanisms, when it hit him. "I realized that the shape of clouds reminded me of objects in the real world," he said.
He had read that people presented with the same inkblot over a number of months said that it reminded them of the same set of words. The same technique, Stubblefield reasoned, could be used to help people remember forgotten passwords. So the college student spent the rest of his summer proving his theory, and Microsoft filed a patent. The method, it seems, has a better than 95% success rate, and the software giant is planning to include it in future products.
Stubblefield, now a second year doctoral student at Johns Hopkins University, is one of the rising stars in the world of computer security research. At 23, he was the youngest speaker at the IEEE Symposium on Security and Privacy in Oakland, Calif., last week, where he presented a paper on electronic voting technology.
Computer security has always been his calling. Even as a math undergraduate at Rice University, Stubblefield interned at Wang, Xerox's PARC and AT&T. He reverse engineered MP3.com's Beamit, a digital rights management software program, as a freshman. He was part of the team that cracked SDMI digital watermarking technology and co-authored a number of academic papers on topics from Web security to IP traceback. As a senior he also took an academic paper on a theoretical hole in the cipher RC4, used for encrypting WiFi (using WEP), and created an attack. His paper has given rise to use of new ciphers such as WPA as well as WiFi hacking tools like AirSnort.
Last summer, it was Stubblefield and UC San Diego's Yosh Kohno working with and under the guidance of professors Avi Rubin of Johns Hopkins University and Dan Wallach of Rice University who produced a report detailing the security problems with Diebold's electronic voting system, which created a great deal of controversy.
"What we found was that all the voting machines used the same secret encryption key code, that the code had never been changed and that all of the developers had access to it," he said. Other problems with the technology have led states to reconsider e-voting in the upcoming presidential election.
Stubblefield dismisses conspiracy theories that surround Diebold. "In some ways it's far worse than that, they just did not know what they were doing," he said. For example, they were able to analyze the Diebold voting machine source code because the company had accidentally left it on an open FTP server.
He is uninterested in the political activism that has emerged as a result of the report. "I do not have a political point of view that I am trying to prove. I am just interested in what I can contribute from a technical point of view," he said. "What I am surprised about, though, is that unlike previous discoveries such as SDMI or WEP, where the companies changed what they were doing because of the papers published, Diebold has done little to fix these problems."
As an undergraduate, Stubblefield was one of the eight researchers that cracked SDMI technology. The researchers had taken part in the SDMI public challenge in 2001, which offered $10,000 to anybody who could crack one of four digital watermarking technologies. The team cracked them all but rather than take the money, they attempted to publish the report. The music industry sued the group, led by Princeton professor Edward Felten, which eventually was able to publish its findings.
Now Stubblefield is working on his doctorate by developing new systems for implementing security technologies. For example, he's trying to create basic building blocks so that security programmers can more easily build in features, such as encryption and authentication, into products. It's sort of an algorithmic equivalent to object-oriented programming in that it could mean programmers won't have to build these features from scratch each time they build a new application.
"As an academic, all I want to do is to make technical discoveries and publish papers," said Stubblefield. "However, these days often the first call we have to make is to university lawyers."