About

Alec is an independent technologist, writer & security consultant who has worked in cryptography and host & network security for more than 30 years, some 25 of those in industry, holding senior engineering, architecture, and consulting roles at Sun Microsystems, Facebook, and Deliveroo. From 2011 to 2020 he was also a member of the Board of Directors of the Open Rights Group.

He is noted for:

In his spare time, Alec is a media resource & speaker who provides consultancy services to select customers, specialising in helping people better understand end-to-end-secure communication, privacy-enhancing technologies, and civil liberties.

Contact

PGP / GPG Key Fingerprint: 0784 298C 7889 5209 CB44 A9C8 AD48 27CE 4406 5F76

History

Alec graduated with a degree in Astronomy from UCL in 1988. He spent the following three years working at UCW Aberystwyth as a systems programmer, aiding their transition from VMS and Honeywell GCOS-3 to Unix. There he developed the password-cracking suite Crack – and later Cracklib – releasing it to USENET with much notoriety. He also authored and subsequently edited the first USENET Security FAQ.

From that time forwards, please see LinkedIn.

Bibliography

See Medium for more recent essays; these will soon be migrated to this blog.

** denotes peer review process; see also /alecm/presentations/

  • **MPQS with Three Large Primes (ANTS 2002: Sydney) Paul C. Leyland, Arjen K. Lenstra, Bruce Dodson, Alec Muffett, Sam Wagstaff
  • **Factorization of a 512-Bit RSA Modulus (EUROCRYPT 2000) Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter M. Lioen, Peter L. Montgomery, Brian Murphy, Herman te Riele, Karen Aardal, Jeff Gilchrist, Gerard Guillerm, Paul C. Leyland, Joel Marchand, Francois Morain, Alec Muffett, Chris Putnam, Craig Putnam, Paul Zimmermann
  • Bruce: A Java-based Security Auditing Framework (UKUUG 1999) (DOWNLOAD)
  • SENSS Bruce (USENIX “;login:” Magazine 1999) (LINK) (COLLATERAL1) (COLLATERAL2)
  • Programming Holes that will hose your System Security (Cambridge 1997) Public lecture presented at the University of Cambridge. (DOWNLOAD)
  • The BlackNet 384-bit PGP key has been BROKEN (1995) Alec Muffett, Paul Leyland, Arjen Lenstra, Jim Gillogly (LINK)
  • WAN-Hacking with AutoHack (USENIX SECURITY 1995) Alec Muffett First description of a hyper-scalable vulnerability auditing tool, designed to deal with networks of 30,000+ hosts. (PDF) (SLIDES)
  • How To Build Your Own Network Intrusion Kit (AAA 1995) Tongue-in-cheek security presentation to the Access All Areas conference. (DIR)
  • Proper Care and Feeding of Firewalls (JANET 1994) Early paper detailing firewalling concepts, design, and selection. (DOWNLOAD)
  • USENET Security FAQ (1993) Final draft of approximately two years of USENET FAQ postings. Very dated but still useful in parts. (DOWNLOAD)
  • Crack v4.1 – A Sensible Password Checker for Unix (1991) Manual / whitepaper for Crack v4.1, reference only, now superseded. (DOWNLOAD)

Patents

Software

See also: GitHub

  • Crack 5.0a A Password Cracker – if you have a problem with Crack, or any question regarding it whatsoever, please see the (FAQ); also (HUMOUR) (DIR)
  • CrackLib v2.7 Password Checking Library – see the new CrackLib homepage for details and downloads! (LEGACY)
  • SnarfNews v1.4 USENET Transport Toolkit (DIR)
  • ASP v3.5 Scrolling / Animated “.plan compiler” (DIR)
  • MHR v2.2 Shell frontend for MH mailer (DIR)

Quotes

  1. Security Rots Over Time. (SOURCE)
  2. Everybody Deserves Good Security.
  3. There Is No Such Thing As “Security”.
  4. Every Internet Freedom Is Someone Else’s Internet Problem.
  5. If you’re doing something and you don’t have at least two reasons for doing it, you’re probably doing something wrong.
  6. Never ascribe to “algorithms” that which can be adequately explained by “human action”

Headshot

(c) Alec Muffett 2017, licensed under CC-BY-SA (https://creativecommons.org/licenses/by-sa/3.0/)

In The Press

2023

  • https://www.crikey.com.au/2023/06/21/esafety-commissioner-child-sex-abuse-online-privacy/
  • https://www.theverge.com/2023/3/7/23629504/twitter-tor-onion-site-security-certificate-expired

2022

  • https://www.theverge.com/2022/3/8/22967843/twitter-tor-onion-service-version-launch
  • https://www.forbes.com/sites/emmawoollacott/2022/03/09/twitter-improves-access-for-russian-citizens-with-launch-of-tor-browser/
  • https://techcrunch.com/2022/03/09/twitter-tor-bypass-blocks/
  • https://www.ndss-symposium.org/ndss-paper/auto-draft-124/
  • https://www.theguardian.com/uk-news/2022/jul/21/uk-cybersecurity-chiefs-back-plan-to-scan-phones-for-child-abuse-images

2021

  • https://www.bbc.co.uk/news/business-58537599
  • https://www.washingtonpost.com/politics/2021/09/08/technology-202-facebook-latest-attempt-build-crypto-empire-meets-familiar-skepticism-washington/
  • https://www.techdirt.com/articles/20210908/17311947529/damned-if-you-do-damned-if-you-dont-propublicas-bizarre-reporting-whatsapp-abuse-reports.shtml
  • https://www.ft.com/content/14440f81-d405-452f-97e2-a81458f5411f
  • https://www.theguardian.com/politics/2021/jul/11/proof-of-age-verification-online-facial-analysis-data-protection-act
  • https://www.techdirt.com/articles/20210429/23123346705/boris-johnsons-phone-number-leaks-turns-out-he-uses-end-to-end-encryption-while-trying-to-ban-it-everyone-else.shtml

2020

  • this year didn’t really happen

2019

  • https://www.bbc.co.uk/news/technology-50150981
  • https://www.bbc.co.uk/blogs/internet/entries/936e460a-03b3-41db-be96-a6f2f27934e6
  • https://www.npr.org/2019/10/24/773060596/bbc-launches-tor-mirror-site-to-thwart-media-censorship?t=1631609546229

2018

  • https://www.vice.com/en/article/kzke7z/signal-disappearing-messages-are-stored-indefinitely-on-mac-hard-drives
  • https://www.theverge.com/2018/3/29/17178086/facebook-growth-memo-leak-boz-andrew-bosworth
  • https://www.nytimes.com/2018/03/30/technology/facebook-leaked-memo.html

2017

  • https://open.nytimes.com/https-open-nytimes-com-the-new-york-times-as-a-tor-onion-service-e0d0b67b7482
  • https://www.vice.com/en/article/7x4g4b/theres-now-a-dark-web-version-of-wikipedia-tor-alec-muffett
  • https://www.theguardian.com/technology/2017/mar/29/uk-government-encryption-whatsapp-investigatory-powers-act
  • https://qz.com/885212/whatsapp-says-its-security-backdoor-is-what-makes-encryption-easy-to-use/
  • https://www.teenvogue.com/story/how-to-keep-messages-secure
  • https://www.cyberscoop.com/tor-dark-web-andrew-lewman-securedrop/

2016

  • https://boingboing.net/2016/10/18/uk-government-proposes-issuing.html
  • https://www.zdnet.com/article/facebooks-android-app-will-gain-tor-support-this-week/

2015

  • https://www.theverge.com/2015/10/28/9631006/tor-hidden-addresses-recognition
  • https://www.scmagazine.com/feature/-/top-6-influential-security-thinkers

…many years elided…

1996

  • https://alecmuffett.com/article/11135