Steven Bellovin, CircleID


Past articles by Steven:

In Memoriam: Frederick P. Brooks, Jr. – a Personal Recollection

Brooks is famous for many things. Many people know him best as the author of The Mythical Man-Month, his musings on software engineering and why it's so very hard. Some of his prescriptions seem quaint today -- no one these days would print out documentation on microfiche every night to distribute to developers -- but his observations about the problems of development remain spot-on. But he did… → Read More

The Importance of Understanding Attacker Target Selection

There's a bit of a debate going on about whether the Kaseya attack exploited a 0-day vulnerability. While that's an interesting question when discussing, say, patch management strategies, I think it's less important to understand attackers' thinking than understand their target selection. In a nutshell, the attackers have outmaneuvered defenders for almost 30 years when it comes to target… → Read More

An Inquiry Into an Organization's Security Priorities

In the wake of recent high-profile security incidents, I started wondering: what, generally speaking, should an organization's security priorities be? That is, given a finite budget - and everyone's budget is finite - what should you do first? More precisely, what security practices or features will give you the most protection per zorkmid? I suggested two of my own, and then asked my… → Read More

Hot Take on the Twitter Hack

If you read this blog, you've probably heard by now about the massive Twitter hack. Briefly, many high-profile accounts were taken over and used to tweet scam requests to send Bitcoins to a particular wallet, with the promise of double your money back. Because some of the parties hit are sophisticated and security-aware, it seems unlikely that the attack was a straightforward one directly on… → Read More

Trusting Zoom?

Since the world went virtual, often by using Zoom, several people have asked me if I use it, and if so, do I use their app or their web interface. If I do use it, isn't this odd, given that I've been doing security and privacy work for more than 30 years, and "everyone" knows that Zoom is a security disaster? To give too short an answer to a very complicated question: I do use it, via both Mac… → Read More

Zoom Cryptography and Authentication Problems

In my last blog post about Zoom, I noted that the company says "that critics have misunderstood how they do encryption." New research from Citizen Lab shows that not only were the critics correct, Zoom's design shows that they're completely ignorant about encryption. When companies roll their own crypto, I expect it to have flaws. I don't expect those flaws to be errors I'd find unacceptable in… → Read More

Zoom Security: The Good, the Bad, and the Business Model

Zoom - one of the hottest companies on the planet right now, as businesses, schools, and individuals switch to various forms of teleconferencing due to the pandemic - has come in for much criticism due to assorted security and privacy flaws. Some of the problems are real but easily fixable, some are due to a mismatch between what Zoom was intended for and how it's being used now - and some are… → Read More

Y2038: It's a Threat

Last month, for the 20th anniversary of Y2K, I was asked about my experiences. (Short answer: there really was a serious potential problem, but disaster was averted by a lot of hard work by a lot of unsung programmers.) I joked that, per this T-shirt I got from a friend, the real problem would be on January 19, 2038, at 03:14:08 GMT. Why might that date be such a problem? On Unix-derived… → Read More

The Early History of Usenet, Part IX: Retrospective Thoughts

Usenet is 40 years old. Did we get it right, way back when? What could/should we have done differently, with the technology of the time and with what we should have known or could feasibly have learned? And what are the lessons for today? A few things were obviously right, even in retrospect. For the expected volume of communications and expected connectivity, a flooding algorithm was the only… → Read More

The Early History of Usenet, Part VII: Usenet Growth and B-News

For quite a while, it looked like my prediction – one to two articles per day – was overly optimistic. By summer, there were only four new sites: Reed College, University of Oklahoma (at least, I think that that's what uucp node uok is), vax135, another Bell Labs machine – and, crucially, U.C. Berkeley, which had a uucp connection to Bell Labs Research and was on the ARPANET. → Read More

The Early History of Usenet, Part VI: The Public Announcement

Our goal was to announce Usenet at the January, 1980 Usenix meeting. In those days, Usenix met at universities; it was a small, comparatively informal organization, and didn't require hotel meeting rooms and the like. (I don't know just when Usenix started being a formal academic-style conference; I do know that it was no later than 1984, since I was on the program committee that year for what… → Read More

The Early History of Usenet, Part V: Authentication and Norms

We knew that Usenet needed some sort of management system, and we knew that that would require some sort of authentication, for users, sites, and perhaps posts. We didn't add any, though -- and why we didn't is an interesting story. The obvious solution was something involving public key cryptography, which we (the original developers of the protocol: Tom Truscott, the late Jim Ellis, and… → Read More

The Early History of Usenet, Part IV: Implementation and User Experience

To understand some of our implementation choices, it's important to remember two things. First, the computers of that era were slow. The Unix machine at UNC's CS department was slower than most timesharing machines even for 1979 – we had a small, slow disk, a slow CPU, and – most critically – not nearly enough RAM. Duke CS had a faster computer – they had an 11/70; we had an 11/45 -- but since I… → Read More

The Early History of Usenet, Part III: File Format

When we set out to design the over-the-wire file format, we were certain of one thing: we wouldn't get it perfectly right. That led to our first decision: the very first character of the transmitted file would be the letter "A" for the version. Why not a number on the first line, including perhaps a decimal point? If we ever considered that, I have no recollection of it. → Read More

The Early History of Usenet, Part II: Hardware and Economics

There was a planning meeting for what became Usenet at Duke CS. We knew three things, and three things only: we wanted something that could be used locally for administrative messages, we wanted a networked system, and we would use uucp for intersite communication. This last decision was more or less by default: there were no other possibilities available to us or to most other sites that ran… → Read More

The Crypto Wars Resume

For decades, the US government has fought against widespread, strong encryption. For about as long, privacy advocates and technologists have fought for widespread, strong encryption, to protect not just privacy but also as a tool to secure our computers and our data. The government has proposed a variety of access mechanisms and mandates to permit them to decrypt (lawfully) obtained content;… → Read More

Facebook, Privacy, and Cryptography

There has long been pressure from governments to provide back doors in encryption systems. Of course, if the endpoints are insecure it doesn't matter much if the transmission is encrypted; indeed, a few years ago, I and some colleagues even suggested lawful hacking as an alternative. Crucially, we said that this should be done by taking advantage of existing security holes rather than be… → Read More

A Dangerous, Norm-Destroying Attack

Kim Zetter has a new story out describing a very serious attack. In fact, the implications are about as bad as possible. The attack has been dubbed ShadowHammer by Kaspersky Lab, which discovered it. Briefly, some crew of attackers -- I suspect an intelligence agency; more on that below -- has managed to abuse ASUS' update channel and private signing key to distribute bogus patches. → Read More

Facebook and Privacy

Mark Zuckerberg shocked a lot of people by promising a new focus on privacy for Facebook. There are many skeptics; Zuckerberg himself noted that the company doesn't "currently have a strong reputation for building privacy protective services." And there are issues that his blog post doesn't address; Zeynep Tufekci discusses many of them. While I share many of her concerns, I think there are some… → Read More

Microsoft is Abandoning SHA-1 Hashes for Updates

Microsoft is shipping a patch to eliminate SHA-1 hashes from its update process. There's nothing wrong with eliminating SHA-1 - but their reasoning may be very interesting. SHA-1 is a "cryptographic hash function". That is, it takes an input file of any size and outputs 20 bytes. An essential property of cryptographic hash functions is that in practice (though obviously not in theory), no two… → Read More