GNU social JP
GNU social JP is a Japanese GNU social server.

Notices by Steve Bellovin (stevebellovin@infosec.exchange)

  1. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 05-May-2026 06:15:12 JST

    Pro tip: be very careful about how you put an Apple Watch charger into a hotel safe. It's magnetic and can stick to mechanisms, jamming the safe so it won't open properly. No need to ask me how I learned this… (Yes, next time I'll disconnect the charger from the rats' nest of stuff I'm shoving into the safe.)

    In conversation about 13 hours ago from infosec.exchange permalink
  2. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 03-May-2026 09:43:59 JST
    in reply to
    • Matt Blaze
    • Xenotar

    @xenotar @mattblaze 17.5 kg isn't lightweight…

    In conversation about 2 days ago from infosec.exchange permalink
  3. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 03-May-2026 09:21:54 JST
    • Matt Blaze

    Hey, @mattblaze, did you see https://mastodon.nz/@joncounts/116507624340205226 ?

    In conversation about 2 days ago from infosec.exchange permalink

    Attachments

    1. Jon Sullivan (@joncounts@mastodon.nz)
      That’s not a telephoto lens. *That’s* a telephoto lens: https://www.jogeier.com/blog/review-nikon-refelx-2000mm-f11/ #photography
  4. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 01-May-2026 11:33:32 JST

    New book, released under a Creative Commons BY-NC-ND license: "Don't Get Hacked! Protecting Yourself at Home": https://www.cs.columbia.edu/~smb/homesec/index.html

    Retoot for reach!

    #cybersecurity #homeCybersecurity #dontGetHacked

    In conversation about 4 days ago from infosec.exchange permalink

  5. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 27-Mar-2026 01:46:36 JST
    in reply to
    • Paul Cantrell

    @inthehands I hate grading and everything that goes with it, e.g., exams. (Aside: in Spring 2020, when we went fully remote under emergency circumstances and all classes were pass/fail, I tried to cancel the final by announcing that at that point, everyone in the class was passing and I was happy to stick with that. A fair number of students insisted on a final exam… I was *extremely* liberal with exemption requests.) And I categorically refused to use any of these remote proctoring solutions, for many different reasons.

    In conversation about a month ago from infosec.exchange permalink
  6. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 27-Mar-2026 01:16:55 JST
    in reply to
    • Paul Cantrell

    @inthehands Reasonable approach! Once I document my script, I'll open-source it and let others add that enhancement…
    As for grade-recording: I first started teaching back when I was a grad student. Very early on, a student complained to me about her grade and showed me that I'd recorded it incorrectly. This horrified me, so I immediately wrote a grade-recording and calculation system (in APL…), and used it to create tear-sheets to hand to each student with their grades, there being no online way to send them in those days.

    In conversation about a month ago from infosec.exchange permalink
  7. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 27-Mar-2026 01:09:59 JST
    in reply to
    • Paul Cantrell

    @inthehands Let me know what your second-best choice is — I need to document my version (see https://www.cs.columbia.edu/~smb/classes/f23/lectures.html for sample output) and post it somewhere, and I haven't even thought about a name. I've always posted my course material online and freely available, which is one reason I don't lock it up inside Canvas, but I despise Canvas about as much as you despise Moodle. (I've used Canvas only for grade recording—I didn't want to deal with the privacy issues of managing students' access to their own grades, plus the integration with the university's final grade system—and for the in-class chat room, since like you I prefer static web sites.)
    Aside: my version started as a simple Python script to generate the list of dates for my lectures in any given semester, and it grew…

    In conversation about a month ago from infosec.exchange permalink

    Attachments

    1. COMS E6184, LAW L7777-001: Anonymity and Privacy
  8. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 24-Mar-2026 23:46:58 JST

    I've been thinking about the FCC's insane new ban on foreign-made routers. Note the end of the BBC story at https://www.bbc.com/news/articles/c74787w149zo:
    "One exception to the general absence of US-made routers is the newer Starlink WiFi router. Starlink is part of Elon Musk's company SpaceX.

    "The company says the Starlink routers are made in Texas."

    And per the FCC's FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-regarding-routers-produced-foreign-countries), even US-written software (or, I assume, open source software like OpenWRT) won't exempt foreign-made routers from the ban.

    In conversation about a month ago from infosec.exchange permalink

    Attachments

    1. US bans new foreign-made consumer internet routers
      There are almost no major brands of internet routers that are manufactured in the US.

  9. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 10-Mar-2026 05:13:03 JST

    Here we go again: the FBI seizes 2020 (and maybe 2024!) voting records from Arizona: https://www.nytimes.com/2026/03/09/nyregion/fbi-subpoena-arizona-maricopa-county-election.html

    In conversation about 2 months ago from infosec.exchange permalink

  10. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 03-Mar-2026 10:40:45 JST

    Not sure who needs to see this, but…

    From the Wikipedia page on the Nuremberg trials: "The International Military Tribunal agreed with the prosecution that aggression was the gravest charge, stating in its judgment that because "war is essentially an evil thing", "to initiate a war of aggression, therefore, is not only an international crime; it is the supreme international crime differing only from other war crimes in that it contains within itself the accumulated evil of the whole".

    From the Wikipedia page on Hideki Tojo: he was "found guilty of, among other actions, waging wars of aggression; war in violation of international law; unprovoked or aggressive war against various nations; and ordering, authorizing, and permitting inhumane treatment of prisoners of war".

    Is this at all relevant today?

    In conversation about 2 months ago from infosec.exchange permalink
  11. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 19-Feb-2026 06:05:48 JST

    I said it during his first term, and I'll repeat it now: what Trump really wants is to be able to prosecute people for lèse-majesté: https://bsky.app/profile/did:plc:fa3rwygrp2ebgwdiq6sjn2te/post/3mf5xgsebzk24

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments

    1. Jennifer Ouellette (@jenlucpiquant.bsky.social)
      Economists contradicted Trump on tariffs. A White House adviser wants them 'disciplined' https://qz.com/ny-fed-trump-advisor-fed-research-discipline
  12. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 13-Feb-2026 23:44:37 JST

    Two stories, side by side, in the NY Times Technology section.

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/063/826/969/852/626/original/4b380f8365beb143.png
  13. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Wednesday, 07-Jan-2026 06:37:31 JST

    RE: https://flipboard.social/@newsguyusa/115850233260885949

    Denmark says that if the US attacks Greenland, it will be the end of NATO. Of course, to Trump, that's a feature. Better yet, to him, his BFF Vladimir would love it.

    In conversation about 4 months ago from infosec.exchange permalink

    Attachments

    1. Steve Herman (@newsguyusa@flipboard.social)
      President Trump is considering using military force to acquire Greenland, White House press secretary Karoline Leavitt tells CNBC. https://www.cnbc.com/2026/01/06/trump-greenland-military-white-house.html
  14. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 04-Jan-2026 04:30:39 JST

    Does Article 5 of the NATO treaty apply to insider attacks? Asking for a territory of Denmark's.

    In conversation about 4 months ago from infosec.exchange permalink
  15. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 29-Dec-2025 06:07:49 JST

    For the record, I hate git.

    In conversation about 4 months ago from infosec.exchange permalink
  16. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 20-Dec-2025 11:18:23 JST
    in reply to
    • Matt Blaze

    @mattblaze And take care of your students, both your advisees and classroom students. I've heard some truly horrific stories to accompany requests for short extensions on something. My response is always the same: take care of yourself, don't worry about the deadline, I'll do everything I can to support you if you have to appeal to the dean's office for an exception, and TAKE CARE OF YOURSELF—that's far more important than an arbitrary academic deadline. On more than one occasion, a student has asked for a one week extension due to a family tragedy that I knew was going to require them to get an Incomplete while they processed what happened and grieved—and I made sure that the dean's office knew how strongly I supported the request. People are important. Family is important. Close friends are important. Academic work? Much less so—and apart from anything else, you can't possibly do good academic work when your head and your heart are elsewhere.
    I can't make their pain go away. I can make sure I don't add to it.

    In conversation about 5 months ago from infosec.exchange permalink
  17. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 11-Dec-2025 01:30:37 JST

    So this is insane even by his Orangeness Administration's standards. DoJ successfully extradited a Belarusian woman to prosecute her for smuggling aviation components into Russia. She's eligible to be released to home detention pending trial—but if she is, DHS wants to deport her for being in the US illegally.
    https://www.washingtonpost.com/dc-md-va/2025/12/10/extradition-deportation-belarus-russia/

    In conversation about 5 months ago from infosec.exchange permalink

  18. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 11:56:24 JST
    in reply to
    • Lauren Weinstein
    • Rich Felker
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @lauren @dalias @huitema @lauerhahn @nikatjef Well, if we don't try we're certainly not going to find an answer. And again, unlike the GOP and Obamacare, I'm not saying "abolish it now while we think of something" (and remember that the part of Obamacare they objected to most, mandatory coverage, was essential to the financials of the scheme, which is why they could never find a replacement).
    There is a problem: checks are expensive, environmentally awful, insecure, and subject to all sorts of crimes. What are we going to do about it? DON'T flash-cut, don't announce a short-term deadline, but let's start seriously thinking about this as a systems problem. (Aside: many years ago, I saw an article, I think in CACM, discussing the costs of EFT versus checks. The problem was that no one knew what it cost banks to handle checks—the accounting systems were not set up to capture that kind of data; they broke down costs differently.)

    In conversation about 5 months ago from infosec.exchange permalink
  19. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 11:04:29 JST
    in reply to
    • Lauren Weinstein
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @huitema @lauerhahn @lauren @nikatjef In the UK, at least, checks are apparently all but extinct—everything seems to be done by EFT (or so I've been told by an American who lived there for about 10 years).

    In conversation about 5 months ago from infosec.exchange permalink
  20. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 10:55:52 JST
    • Lauren Weinstein
    • Rich Felker
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @dalias @lauren @huitema @lauerhahn @nikatjef Precisely. They're the legacy payment system; no one would invent anything like it today, but per the CNN article itself checks go back ~2400 years and in substantially modern form about 500 years.
    Fraud? Theft? Absolutely. True story: my father was a certified public accountant, and several decades ago he tried explaining to one of his clients that no, banks did not routinely verify signatures on checks. They made a bet: the client wrote a check to my father and signed it Mickey Mouse or some such, with the understanding that if my father could cash it the money was his. Guess who won the bet? (I think I heard this story from him in the 1970s.)
    Yes, we need a solution for the poor, the rural, the folks who can't cognitively handle something different than what they grew up with, etc. And no, I do not advocate a flash-cut to something other than checks. (I know of some very large, sophisticated institutions that are just starting to accept EFT payments, because their own internal systems are still legacy-based.) But we're dealing with theft of checks, forgeries, late or missed deliveries by the Postal Service, ridiculous floats by banks, and the environmental costs of moving around and handling all of that paper.
    Do I know the answer? No. But as folks used to say back during the anti-Vietnam War protests, you don't have to be a cobbler to know that the shoe doesn't fit.

    In conversation about 5 months ago from infosec.exchange permalink

    Steve Bellovin

    I'm an affiliate scholar at Georgetown's Institute for Technology Law and Policy, and a computer science professor emeritus and former affiliate law prof at Columbia University. Author of "Thinking Security". Dinosaur photographer. Not ashamed to say that I’m still masking, because long Covid terrifies me.


    Statistics
    • User ID: 297340
    • Member since: 17 Nov 2024
    • Notices: 65
    • Daily average: 0


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.