GNU social JP
GNU social JP is a GNU social server in Japan.
Notices by Steve Bellovin (stevebellovin@infosec.exchange)

  1. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 19-Oct-2025 09:25:35 JST

    Best sign I’ve seen thus far: “United we ribbet. Divided we croak.”

    In conversation about 2 days ago from infosec.exchange
  2. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 18-Oct-2025 23:14:43 JST

    For the next No King demonstration, I’m going to wear a tricorn hat.

    In conversation about 2 days ago from infosec.exchange
  3. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 12-Oct-2025 02:03:21 JST

    Part of an art installation outside Waterloo Station in London.

    In conversation about 9 days ago from infosec.exchange

    Attachments

    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/332/186/914/203/430/original/a822506b8defa30e.jpeg
  4. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 15-Sep-2025 12:38:15 JST
    in reply to
    • Adam Shostack :donor: :rebelverified:

    @adamshostack The op-ed isn't just calling for no payment for publishing, it's calling for no journals at all, because if you just abolish publication charges, the journal owners will simply charge more for subscriptions, and she doesn't want that, either. Note these near the end: "At Arcadia Science, a biotechnology company, we publish everything immediately, openly. Real peer review happens in public, where any expert can contribute. Our work gets tested, challenged, and built on in real time" and "Alternatives exist: preprint servers, public peer review, data repositories. Redirect the millions from publishers to these systems."
    I've long complained about today's peer review (see, e.g., https://www.cs.columbia.edu/~smb/papers/04336288.pdf, near the end). But I'm not clear on what the alternative is—major papers might get reviewed, but most won't, and readers have no way to judge the merits of reviews that are done. Are they honest or corrupt? Properly reviewing papers is *hard*, and there are so many papers written that it's impossible to keep up with all of the ones that aren't obviously of great significance if correct. You were at Usenix Security last month, which had 490 members on the program committee. (By contrast, my first program committee, in 1984, was *4*, plus two co-chairs…) Even so, you often get unqualified reviewers. (I just got back reviews for a paper where all of the reviewers indicated "some familiarity" with the subject—none of them are experts, but they control if this paper will appear in that venue.)
    In a sense, it's the same as the open source problem: you need many eyes, but they have to be competent and motivated. Today's peer review solves the motivation problem, but not always the competence problem. I won't even go into the problem of making sure that links survive when some volunteer gets tired of running an archive.
    This is a hard problem and I don't pretend to know the answer. But let's be clear on what that op-ed is really saying.

    In conversation about a month ago from infosec.exchange

  5. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 08-Aug-2025 00:19:01 JST

    This quote from the article has gotten far too little attention: "The second person said that roughly a dozen court dockets were tampered with in one court district as a result of the hack. The first person was not aware of any tampering but said it was theoretically possible."
    https://mastodon.laurenweinstein.org/@lauren/114987795151116380

    In conversation about 2 months ago from infosec.exchange

    Attachments

    1. Lauren Weinstein (@lauren@mastodon.laurenweinstein.org)
      from Lauren Weinstein
      Attached: 1 image BREAKING: Massive hack against federal court filing system exposing confidential information https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916
  6. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 27-Jul-2025 05:58:47 JST

    Where are we going, and why are we in this handbasket?

    In conversation about 3 months ago from infosec.exchange
  7. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 26-Jul-2025 13:46:03 JST
    in reply to
    • Cory Doctorow
    • Jack Daniel (often offline)
    • Angus McIntyre

    @angusm @jack_daniel @pluralistic Yup. (Years ago, I was at a NANOG (North American Network Operators Group) meeting where a nearby street had a line of backhoes parked. I think it was a warning.)

    In conversation about 3 months ago from infosec.exchange
  8. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 04-Jul-2025 20:12:58 JST

    I swear, as I was scrolling I thought this was an Onion headline.
    https://flipboard.com/@newyorktimes/science-jpuunj5gz/-/a-KhzVHy5QRYm-yk515emFNQ%3Aa%3A3195393-%2F0

    In conversation about 4 months ago from infosec.exchange

    Attachments

    1. E.P.A. Employees Are Invited to Adopt Soon-to-Be Homeless Lab Rats | Flipboard
      The New York Times - The agency is cutting animal testing of chemicals. Some scientists are concerned, but in the meantime the rats (and zebra fish) need new homes. Employees at the Environmental Protection Agency’s research campus in North Carolina are preparing to take on a new responsibility. Bring home lab rats as …
  9. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 01-Jul-2025 21:58:18 JST
    • Matt Blaze

    The times they are a changin'…
    As of today, I'm a professor emeritus at Columbia University. I've also moved to the DC area, where I'm a senior affiliate scholar at Georgetown University's Institute for Technology Law and Policy (yup, back together organizationally with @mattblaze after >20 years at different schools).

    In conversation about 4 months ago from infosec.exchange
  10. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 29-Jun-2025 12:30:54 JST
    in reply to
    • Lauren Weinstein
    • Dark Observer
    • zer0unplanned

    @lauren @zer0unplanned @darkobserver No, it's not debatable; they were nowhere close, because Heisenberg made a crucial error in calculation (deliberate or not is murky) and British and Norwegian commands destroyed the stocks of heavy water produced in Norway. What's not as clear is whether the US knew that at the time.
    There's another point, often underappreciated even today. Building a bomb is not just a matter of the science or even engineering—it requires a vast industrial infrastructure and (for many paths) a lot of electricity—think Oak Ridge, located where it is for access to TVA-generated power. "Niels Bohr had insisted in 1939 that U235 could be separated from U238 only by turning the country into a gigantic factory. “Years later,” writes Edward Teller, “when Bohr came to Los Alamos, I was prepared to say, ‘You see . . .’ But before I could open my mouth, he said, ‘You see, I told you it couldn’t be done without turning the whole country into a factory. You have done just that.’”" (Richard Rhodes, 'The Making of the Atomic Bomb')

    In conversation about 4 months ago from infosec.exchange
  11. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 22-Jun-2025 11:35:34 JST
    in reply to
    • Xenotar

    @xenotar Yes, though even MAGA was split on this one.

    In conversation about 4 months ago from infosec.exchange
  12. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 22-Jun-2025 10:45:37 JST

    At 2200, Trump will announce that US bombers dropped a load of bone spurs on Iran.

    In conversation about 4 months ago from infosec.exchange
  13. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 12-May-2025 01:58:20 JST

    Getting increasingly more concerned about my flight from EWR in a couple of weeks …
    https://mstdn.social/@GottaLaff/114489610461646639

    In conversation about 5 months ago from infosec.exchange

    Attachments

    1. Laffy (@GottaLaff@mstdn.social)
      from Laffy
      😳 “Another air traffic control equipment outage caused the FAA to implement a ground stop for Newark Liberty International Airport bound flights Sunday morning.” https://www.cnn.com/2025/05/11/us/another-equipment-outage-impacts-newark-airport?cid=ios_app
  14. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 06-May-2025 15:42:33 JST
    in reply to
    • holga
    • Poul-Henning Kamp

    @hpk @bsdphk Absolutely correct. My phrasing, to my students, is "what are you trying to protect, and against whom?"

    In conversation about 6 months ago from infosec.exchange
  15. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 28-Apr-2025 22:47:31 JST
    in reply to
    • Lesley Carhart :unverified:

    @hacks4pancakes Yup. Some years ago, after a cascading failure blacked out a good chunk of the US, several people asked me if "hackers" had done it. My response was that power grid dynamics were so complex that there was no way attackers could predict what would happen. Sure enough, the eventual investigation showed that a series of improbable events had coincided; that plus the cascade effect did it. To quote myself, "complex systems fail in complex ways".

    In conversation about 6 months ago from infosec.exchange
  16. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 24-Apr-2025 13:59:55 JST

    From the article: ‘Nara Milanich, a Barnard history professor, said it reminded her of her research into 1930s Italy, when lists of Jews were put together by the local government. “We’ve seen this movie before, and it ends with yellow stars,” she said.’

    https://www.nytimes.com/2025/04/23/nyregion/barnard-faculty-eeoc-text-jewish.html

    In conversation about 6 months ago from infosec.exchange
  17. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 10-Apr-2025 01:29:26 JST
    in reply to
    • Paul Cantrell

    @inthehands Sorry—that's slide 27 of https://www.cs.columbia.edu/~smb/classes/f23/l_ml.pdf

    In conversation about 6 months ago from infosec.exchange

  18. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 10-Apr-2025 01:25:58 JST
    in reply to
    • Paul Cantrell

    @inthehands Yes. See slides 21-25 of https://www.cs.columbia.edu/~smb/classes/f23/l_intro.pdf

    In conversation about 6 months ago from infosec.exchange

  19. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 10-Apr-2025 01:11:52 JST

    Worth noting: combining different databases is generally regarded as the single most dangerous thing to do from a privacy perspective. Here's what Paul Ohm wrote a few years ago (https://hbr.org/2012/08/dont-build-a-database-of-ruin):

    In my work, I’ve argued that these databases will grow to connect every individual to at least one closely guarded secret. This might be a secret about a medical condition, family history, or personal preference. It is a secret that, if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm. And these companies are combining their data stores, which will give rise to a single, massive database. I call this the Database of Ruin.
    https://flipboard.com/@newyorktimes/the-upshot-imovb8bqz/-/a-pvsZrW8uTLKxDaAmALYvXw%3Aa%3A3195393-%2F0

    In conversation about 6 months ago from infosec.exchange

    Attachments

    1. Trump Wants to Merge Government Data. Here Are 314 Things It Might Know About You. | Flipboard
      The New York Times - Elon Musk’s team is leading an effort to link government databases, to the alarm of privacy and security experts. The federal government knows your mother’s maiden name and your bank account number. The student debt you hold. Your disability status. The company that employs you and the wages you …
  20. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 08-Apr-2025 09:29:42 JST
    in reply to
    • Adam Shostack :donor: :rebelverified:

    @adamshostack Like so much else in the US constitution, there is a provision specifically aimed at that abuse. In particular, the Sixth Amendment starts "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law."

    In conversation about 7 months ago from infosec.exchange

    Steve Bellovin

    I'm an affiliate scholar at Georgetown's Institute for Technology Law and Policy, and a computer science professor emeritus and former affiliate law prof at Columbia University. Author of "Thinking Security". Dinosaur photographer. Not ashamed to say that I’m still masking, because long Covid terrifies me.

    Statistics
    User ID: 297340
    Member since: 17 Nov 2024
    Notices: 41
    Daily average: 0

    GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

    All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.