
Displaying 1-39 out of 39 total
The Puzzle of Privacy
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:September 2008
pp. 88
A number of recent news stories have made me wonder more about privacy. It's not just that the threats to privacy are increasing; rather, the problem is that the countervailing forces are becoming very much stronger. Was Scott McNealy right when he told us...
 
A Look Back at
Found in: Computer Security Applications Conference, Annual
By Steven M. Bellovin
Issue Date:December 2004
pp. 229-249
About fifteen years ago, I wrote a paper on security problems in the TCP/IP protocol suite. In particular, I focused on protocol-level issues, rather than implementation flaws. It is instructive to look back at that paper, to see where my focus and my pred...
 
Security as a Systems Property
Found in: IEEE Security and Privacy
By Steven M. Bellovin, Daniel G. Conway
Issue Date:September 2009
pp. 88
How do we protect systems? The answer is straightforward: each component must be evaluated independently and protected as necessary. Beware the easy answers, such as deploying stronger encryption while ignoring vulnerable end points; that's too much like l...
 
Information Assurance Technology Forecast 2008
Found in: IEEE Security and Privacy
By Steven M. Bellovin, Terry V. Benzel, Bob Blakley, Dorothy E. Denning, Whitfield Diffie, Jeremy Epstein, Paulo Verissimo
Issue Date:January 2008
pp. 16-23
A virtual roundtable (featuring panelists Steven Bellovin, Terry Benzel, Bob Blakley, Dorothy Denning, Whitfield Diffie, Jeremy Epstein, and Paulo Verissimo) discussing the next 15 years in computer security.
 
The Major Cyberincident Investigations Board
Found in: IEEE Security & Privacy
By Steven M. Bellovin
Issue Date:November 2012
pp. 96
One reason that airplanes are so safe is that crashes are investigated by government agencies; the results are published, and the lessons from one crash go into future airplane design, pilot training, and technology to prevent another. There's nothing like...
 
Fighting the Last War
Found in: IEEE Security & Privacy
By Steven M. Bellovin
Issue Date:May 2012
pp. 96
It would be nice to get rid of passwords entirely, but that isn't going to happen any time soon. What we need are better ways of entering, storing, and using passwords, ways that respond to today's threats instead of yesterday's. Sticking with checklists b...
 
Clouds from Both Sides
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:May 2011
pp. 88
Cloud computing
 
The Government and Cybersecurity
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:March 2009
pp. 96
We all realize that computer security is a serious problem. But who should solve it? More precisely, who should be responsible for coping with computer insecurity—governments or the private sector? To some extent, the answer depends on how we view the prob...
 
On the Brittleness of Software and the Infeasibility of Security Metrics
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:July 2006
pp. 96
How secure is a computer system? Bridges have a load limit, but it isn't determined (as
 
High Performance Firewalls in MANETs
Found in: Mobile Ad-hoc and Sensor Networks, International Conference on
By Hang Zhao, Steven M. Bellovin
Issue Date:December 2010
pp. 154-160
Doing route selection based in part on source addresses is a form of policy routing, which has started to receive increased amounts of attention. In this paper, we extend our previous work on ROFL (ROuting as the Firewall Layer) to achieve source prefix fi...
 
Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks
Found in: Security and Privacy, IEEE Symposium on
By Steven M. Bellovin, Michael Merritt
Issue Date:May 1992
pp. 72
Classical cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. We introduce a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common pas...
 
Usable, Secure, Private Search
Found in: IEEE Security & Privacy
By Mariana Raykova, Ang Cui, Binh Vo, Bin Liu, Tal Malkin, Steven M. Bellovin, Salvatore J. Stolfo
Issue Date:September 2012
pp. 53-60
Real-world applications commonly require untrusting parties to share sensitive information securely. This article describes a secure anonymous database search (SADS) system that provides exact keyword match capability. Using a new reroutable encryption and...
 
Design and Implementation of Virtual Private Services
Found in: Enabling Technologies, IEEE International Workshops on
By Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, Jonathan M. Smith
Issue Date:June 2003
pp. 269
Large scale distributed applications such as electronic commerce and online marketplaces combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security and privacy issues, w...
 
Measuring Security
Found in: IEEE Security and Privacy
By Sal Stolfo, Steven M. Bellovin, David Evans
Issue Date:May 2011
pp. 60-65
To become a legitimate science, computer security requires metrics. However, metrics are the one thing most lacking in our current understanding of computer security. Computer security metrics can be based on computational complexity or on economic or biol...
 
Perceptions and Reality
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:September 2010
pp. 88, 87
Media outlets have reported that a 2008 jetliner crash in Spain was caused by malware. IEEE Security & Privacy's Steve Bellovin examines the facts to determine the true root cause.
 
Identity and Security
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:March 2010
pp. 88
People often suggest that adding strong identification to the Internet will solve many security problems. Strong, useful identification isn't possible and wouldn't solve the security issue; trying to have it will create privacy problems.
 
Walls and Gates
Found in: IEEE Security & Privacy
By Steven M. Bellovin
Issue Date:November 2013
pp. 88
Complexity should live at a single privilege level, isolated by strong walls and simple gates from other privilege levels. When we don't follow that principle, security failures become more likely.
 
Military cybersomethings
Found in: IEEE Security & Privacy
By Steven M. Bellovin
Issue Date:May 2013
pp. 88
You can hardly read the news without seeing dire warnings of national security problems lurking in our computers. If it isn't some country stealing some other country's commercial secrets—just who's the victim and who's the thief varies ...
 
Going Bright: Wiretapping without Weakening Communications Infrastructure
Found in: IEEE Security & Privacy
By Steven M. Bellovin, Matt Blaze, Sandy Clark, Susan Landau
Issue Date:January 2013
pp. 62-72
Mobile IP-based communications and changes in technologies, including wider use of peer-to-peer communication methods and increased deployment of encryption, have made wiretapping more difficult for law enforcement, which has been seeking to extend wiretap ...
 
A study of privacy settings errors in an online social network
Found in: Pervasive Computing and Communications Workshops, IEEE International Conference on
By Michelle Madejski, Maritza Johnson, Steven M. Bellovin
Issue Date:March 2012
pp. 340-345
Access control policies are notoriously difficult to configure correctly; even people who are professionally trained system administrators experience difficulty with the task. With the increasing popularity of online social networks (OSN) users of all leve...
 
Security Think
Found in: IEEE Security and Privacy
By Steven M. Bellovin
Issue Date:November 2011
pp. 88
The author discusses the problem of how a security specialist should think. In particular, such a person should know how to evaluate complex systems and look for vulnerabilities created by interactions. It's hard to do, and even harder to teach.
 
An Algebra for Integration and Analysis of Ponder2 Policies
Found in: Policies for Distributed Systems and Networks, IEEE International Workshop on
By Hang Zhao, Jorge Lobo, Steven M. Bellovin
Issue Date:June 2008
pp. 74-77
Traditional policies often focus on access control requirements and there have been several proposals to define access control policy algebras to handle their compositions. Recently, obligations are increasingly being expressed as part of security policies....
 
Risking Communications Security: Potential Hazards of the Protect America Act
Found in: IEEE Security and Privacy
By Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, Jennifer Rexford
Issue Date:January 2008
pp. 24-33
A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by trus...
 
Intrusion Tolerant Systems Workshop
Found in: Dependable Systems and Networks, International Conference on
By Carl E. Landwehr, Steven M. Bellovin
Issue Date:June 2002
pp. 785
No summary available.
   
Dr. Strangecode
Found in: IEEE Security & Privacy
By Steven M. Bellovin
Issue Date:May 2014
pp. 88
   
Sub-operating systems: a new approach to application security
Found in: Proceedings of the 10th workshop on ACM SIGOPS European workshop: beyond the PC (EW10)
By Jonathan M. Smith, Sotiris Ioannidis, Steven M. Bellovin
Issue Date:July 2002
pp. 108-115
Users regularly exchange apparently innocuous data files using email and ftp. While the users view these data as passive, there are situations when they are interpreted as code by some system application. In that case the data become "active". Some example...
     
Private search in the real world
Found in: Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC '11)
By Binh Vo, Mariana Raykova, Steven M. Bellovin, Tal Malkin, Vasilis Pappas
Issue Date:December 2011
pp. 83-92
Encrypted search --- performing queries on protected data --- has been explored in the past; however, its inherent inefficiency has raised questions of practicality. Here, we focus on improving the performance and extending its functionality enough to make...
     
Secure anonymous database search
Found in: Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09)
By Binh Vo, Mariana Raykova, Steven M. Bellovin, Tal Malkin
Issue Date:November 2009
pp. 115-126
There exist many large collections of private data that must be protected on behalf of the entities that hold them or the clients they serve. However, there are also often many legitimate reasons for sharing that data in a controlled manner. How can two pa...
     
Laissez-faire file sharing: access control designed for individuals at the endpoints
Found in: Proceedings of the 2009 workshop on New security paradigms workshop (NSPW '09)
By Maritza L. Johnson, Robert W. Reeder, Steven M. Bellovin, Stuart E. Schechter
Issue Date:September 2009
pp. 1-10
When organizations deploy file systems with access control mechanisms that prevent users from reliably sharing files with others, these users will inevitably find alternative means to share. Alas, these alternatives rarely provide the same level of confide...
     
ROFL: routing as the firewall layer
Found in: Proceedings of the 2008 workshop on New security paradigms (NSPW '08)
By Chi-Kin Chau, Hang Zhao, Steven M. Bellovin
Issue Date:September 2008
pp. 85-91
We propose a new firewall architecture that treats port numbers as part of the IP address. Hosts permit connectivity to a service by advertising the IPaddr:port/48 address; they block connectivity by ensuring that there is no route to it. This design, whic...
     
The physical world and the real world
Found in: Communications of the ACM
By Steven M. Bellovin
Issue Date:May 2008
pp. 89-97
How the U.K. is confusing identity fraud with other policy agendas.
     
Virtual machines, virtual security?
Found in: Communications of the ACM
By Steven M. Bellovin
Issue Date:October 2006
pp. 104
Open source has changed the intellectual property landscape of the software industry.
     
Spamming, phishing, authentication, and privacy
Found in: Communications of the ACM
By Steven M. Bellovin
Issue Date:December 2004
pp. 144
Despite the push to adopt Web services as the universal OO architecture, the Web services reliability model ignores many real-world issues routinely encountered by users.
     
A technique for counting natted hosts
Found in: Proceedings of the second ACM SIGCOMM Workshop on Internet measurment workshop (IMW '02)
By Steven M. Bellovin
Issue Date:November 2002
pp. 267-272
There have been many attempts to measure how many hosts are on the Internet. Many of those end-points, however, are NAT boxes (Network Address Translators), and actually represent several different computers. We describe a technique for detecting NATs and ...
     
Efficient, DoS-resistant, secure key exchange for internet protocols
Found in: Proceedings of the 9th ACM conference on Computer and communications security (CCS '02)
By Angelos D. Keromytis, John Ioannidis, Matt Blaze, Omer Reingold, Ran Canetti, Steven M. Bellovin, William Aiello
Issue Date:November 2002
pp. 48-58
We describe JFK, a new key exchange protocol, primarily designed for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a var...
     
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise
Found in: Proceedings of the 1st ACM conference on Computer and communications security (CCS '93)
By Michael Merritt, Steven M. Bellovin
Issue Date:November 1993
pp. 244-250
The encrypted key exchange (EKE) protocol is augmented so that hosts do not store cleartext passwords. Consequently, adversaries who obtain the one-way encrypted password file may (i) successfully mimic (spoof) the host to the user, and (ii) mount dictiona...
     
Computer security---an end state?
Found in: Communications of the ACM
By Steven M. Bellovin
Issue Date:January 1988
pp. 131-132
Case study findings from several corporate environments suggest that successful virtualization does not depend on the degree of technological sophistication. It's how the tools are used that matters.
     
Tapping on my network door
Found in: Communications of the ACM
By Matt Blaze, Steven M. Bellovin
Issue Date:January 1988
pp. 136
The online Risks Forum has long been a hotbed for discussions of the relative merits of openness relating to the dissemination of knowledge about security vulnerabilities. The debate has now been rekindled, and is summarized here.
     
Inside risks: evolving telephone networks
Found in: Communications of the ACM
By Fred B. Schneider, Steven M. Bellovin
Issue Date:January 1988
pp. 160
The online Risks Forum has long been a hotbed for discussions of the relative merits of openness relating to the dissemination of knowledge about security vulnerabilities. The debate has now been rekindled, and is summarized here.
     