GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by Steve Bellovin (stevebellovin@infosec.exchange)

  1. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Wednesday, 07-Jan-2026 06:37:31 JST

    RE: https://flipboard.social/@newsguyusa/115850233260885949

    Denmark says that if the US attacks Greenland, it will be the end of NATO. Of course, to Trump, that's a feature. Better yet, to him, his BFF Vladimir would love it.

    In conversation about 22 days ago from infosec.exchange permalink

    Attachments

    1. Steve Herman (@newsguyusa@flipboard.social)
      from Steve Herman
      President Trump is considering using military force to acquire Greenland, White House press secretary Karoline Leavitt tells CNBC. https://www.cnbc.com/2026/01/06/trump-greenland-military-white-house.html
  2. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 04-Jan-2026 04:30:39 JST

    Does Article 5 of the NATO treaty apply to insider attacks? Asking for a territory of Denmark's.

    In conversation about a month ago from infosec.exchange permalink
  3. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 29-Dec-2025 06:07:49 JST

    For the record, I hate git.

    In conversation about a month ago from infosec.exchange permalink
  4. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 20-Dec-2025 11:18:23 JST
    in reply to
    • Matt Blaze

    @mattblaze And take care of your students, both your advisees and classroom students. I've heard some truly horrific stories to accompany requests for short extensions on something. My response is always the same: take care of yourself, don't worry about the deadline, I'll do everything I can to support you if you have to appeal to the dean's office for an exception, and TAKE CARE OF YOURSELF—that's far more important than an arbitrary academic deadline. On more than one occasion, a student has asked for a one week extension due to a family tragedy that I knew was going to require them to get an Incomplete while they processed what happened and grieved—and I made sure that the dean's office knew how strongly I supported the request. People are important. Family is important. Close friends are important. Academic work? Much less so—and apart from anything else, you can't possibly do good academic work when your head and your heart are elsewhere.
    I can't make their pain go away. I can make sure I don't add to it.

    In conversation about a month ago from infosec.exchange permalink
  5. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Thursday, 11-Dec-2025 01:30:37 JST

    So this is insane even by his Orangeness Administration's standards. DoJ successfully extradited a Belarusian woman to prosecute her for smuggling aviation components into Russia. She's eligible to be released to home detention pending trial—but if she is, DHS wants to deport her for being in the US illegally.
    https://www.washingtonpost.com/dc-md-va/2025/12/10/extradition-deportation-belarus-russia/

    In conversation about 2 months ago from infosec.exchange permalink

  6. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 11:56:24 JST
    in reply to
    • Lauren Weinstein
    • Rich Felker
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @lauren @dalias @huitema @lauerhahn @nikatjef Well, if we don't try we're certainly not going to find an answer. And again, unlike the GOP and Obamacare, I'm not saying "abolish it now while we think of something" (and remember that the part of Obamacare they objected to most, mandatory coverage, was essential to the financials of the scheme, which is why they could never find a replacement).
    There is a problem: checks are expensive, environmentally awful, insecure, and subject to all sorts of crimes. What are we going to do about it? DON'T flash-cut, don't announce a short-term deadline, but let's start seriously thinking about this as a systems problem. (Aside: many years ago, I saw an article, I think in CACM, discussing the costs of EFT versus checks. The problem was that no one knew what it cost banks to handle checks—the accounting systems were not set up to capture that kind of data; they broke down costs differently.)

    In conversation about 2 months ago from infosec.exchange permalink
  7. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 11:04:29 JST
    in reply to
    • Lauren Weinstein
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @huitema @lauerhahn @lauren @nikatjef In the UK, at least, checks are apparently all but extinct—everything seems to be done by EFT (or so I've been told by an American who lived there for about 10 years).

    In conversation about 2 months ago from infosec.exchange permalink
  8. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 07-Dec-2025 10:55:52 JST
    • Lauren Weinstein
    • Rich Felker
    • James Wells
    • Louise Auerhahn 🏳️‍🌈
    • Christian Huitema

    @dalias @lauren @huitema @lauerhahn @nikatjef Precisely. They're the legacy payment system; no one would invent anything like it today, but per the CNN article itself checks go back ~2400 years and in substantially modern form about 500 years.
    Fraud? Theft? Absolutely. True story: my father was a certified public accountant, and several decades ago he tried explaining to one of his clients that no, banks did not routinely verify signatures on checks. They made a bet: the client wrote a check to my father and signed it Mickey Mouse or some such, with the understanding that if my father could cash it the money was his. Guess who won the bet? (I think I heard this story from him in the 1970s.)
    Yes, we need a solution for the poor, the rural, the folks who can't cognitively handle something different than what they grew up with, etc. And no, I do not advocate a flash-cut to something other than checks. (I know of some very large, sophisticated institutions that are just starting to accept EFT payments, because their own internal systems are still legacy-based.) But we're dealing with theft of checks, forgeries, late or missed deliveries by the Postal Service, ridiculous floats by banks, and the environmental costs of moving around and handling all of that paper.
    Do I know the answer? No. But as folks used to say back during the anti-Vietnam War protests, you don't have to be a cobbler to know that the shoe doesn't fit.

    In conversation about 2 months ago from infosec.exchange permalink
  9. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 23-Nov-2025 06:06:05 JST

    The Trump regime wants to start making a list of Jews (https://www.nytimes.com/2025/11/21/us/eeoc-university-pennsylvania-antisemitism-jewish.html). Now where have I heard that one before?

    In conversation about 2 months ago from infosec.exchange permalink

  10. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 14-Nov-2025 02:49:13 JST

    Just got an email from Medicare warning me of scams during Open Enrollment season. Naturally, the email has embedded URLs to click—and the links don't point to medicare.gov, they point to a .com that will forward the HTTPS request. (The email was also sent by that .com, but at least there's a valid DKIM signature.)

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments

    1. www.medicare.gov
      Welcome to Medicare
      The official U.S. government website for Medicare, a health insurance program for people age 65 or older and younger people with disabilities.
  11. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 08-Nov-2025 06:56:18 JST

    A more subtle way that the Trump regime is going to kill people.
    https://flipboard.com/@npr/health-930k6cv1z/-/a-beDov0XYRSOWB869HhFprQ%3Aa%3A3195441-%2F0

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments

    1. ic-cdn.flipboard.com
      Why next year's flu shot might not be as good as it should be | Flipboard
      NPR - In a typical year, several thousand samples from flu patients around the world arrive at the U.S. Centers for Disease Control and Prevention. They're crucial for understanding the virus's evolution and help form the bedrock of the World Health Organization's effort to design the next annual flu …
  12. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 21-Oct-2025 04:55:44 JST
    in reply to
    • Matt Blaze

    @mattblaze N-version programming, where N=1

    In conversation about 3 months ago from infosec.exchange permalink
  13. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 19-Oct-2025 09:25:35 JST

    Best sign I’ve seen thus far: “United we ribbet. Divided we croak.”

    In conversation about 3 months ago from infosec.exchange permalink
  14. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 18-Oct-2025 23:14:43 JST

    For the next No King demonstration, I’m going to wear a tricorn hat.

    In conversation about 3 months ago from infosec.exchange permalink
  15. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 12-Oct-2025 02:03:21 JST

    Part of an art installation outside Waterloo Station in London.

    In conversation about 4 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/332/186/914/203/430/original/a822506b8defa30e.jpeg
  16. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Monday, 15-Sep-2025 12:38:15 JST
    in reply to
    • Adam Shostack :donor: :rebelverified:

    @adamshostack The op-ed isn't just calling for no payment for publishing, it's calling for no journals at all, because if you just abolish publication charges, the journal owners will simply charge more for subscriptions, and she doesn't want that, either. Note these near the end: "At Arcadia Science, a biotechnology company, we publish everything immediately, openly. Real peer review happens in public, where any expert can contribute. Our work gets tested, challenged, and built on in real time" and "Alternatives exist: preprint servers, public peer review, data repositories. Redirect the millions from publishers to these systems."
    I've long complained about today's peer review (see, e.g., https://www.cs.columbia.edu/~smb/papers/04336288.pdf, near the end). But I'm not clear on what the alternative is—major papers might get reviewed, but most won't, and readers have no way to judge the merits of reviews that are done. Are they honest or corrupt? Properly reviewing papers is *hard*, and there are so many papers written that it's impossible to keep up with all of the ones that aren't obviously of great significance if correct. You were at Usenix Security last month, which had 490 members on the program committee. (By contrast, my first program committee, in 1984, was *4*, plus two co-chairs…) Even so, you often get unqualified reviewers. (I just got back reviews for a paper where all of the reviewers indicated "some familiarity" with the subject—none of them are experts, but they control if this paper will appear in that venue.)
    In a sense, it's the same as the open source problem: you need many eyes, but they have to be competent and motivated. Today's peer review solves the motivation problem, but not always the competence problem. I won't even go into the problem of making sure that links survive when some volunteer gets tired of running an archive.
    This is a hard problem and I don't pretend to know the answer. But let's be clear on what that op-ed is really saying.

    In conversation about 5 months ago from infosec.exchange permalink

  17. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 08-Aug-2025 00:19:01 JST

    This quote from the article has gotten far too little attention: "The second person said that roughly a dozen court dockets were tampered with in one court district as a result of the hack. The first person was not aware of any tampering but said it was theoretically possible."
    https://mastodon.laurenweinstein.org/@lauren/114987795151116380

    In conversation about 6 months ago from infosec.exchange permalink

    Attachments

    1. mastodon.laurenweinstein.org
      Lauren Weinstein (@lauren@mastodon.laurenweinstein.org)
      from Lauren Weinstein
      Attached: 1 image BREAKING: Massive hack against federal court filing system exposing confidential information https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916
  18. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Sunday, 27-Jul-2025 05:58:47 JST

    Where are we going, and why are we in this handbasket?

    In conversation about 6 months ago from infosec.exchange permalink
  19. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Saturday, 26-Jul-2025 13:46:03 JST
    in reply to
    • Cory Doctorow
    • Jack Daniel (often offline)
    • Angus McIntyre

    @angusm @jack_daniel @pluralistic Yup. (Years ago, I was at a NANOG (North American Network Operators Group) meeting where a nearby street had a line of backhoes parked. I think it was a warning.)

    In conversation about 6 months ago from infosec.exchange permalink
  20. Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 04-Jul-2025 20:12:58 JST

    I swear, as I was scrolling I thought this was an Onion headline.
    https://flipboard.com/@newyorktimes/science-jpuunj5gz/-/a-KhzVHy5QRYm-yk515emFNQ%3Aa%3A3195393-%2F0

    In conversation about 7 months ago from infosec.exchange permalink

    Attachments

    1. ic-cdn.flipboard.com
      E.P.A. Employees Are Invited to Adopt Soon-to-Be Homeless Lab Rats | Flipboard
      The New York Times - The agency is cutting animal testing of chemicals. Some scientists are concerned, but in the meantime the rats (and zebra fish) need new homes. Employees at the Environmental Protection Agency’s research campus in North Carolina are preparing to take on a new responsibility. Bring home lab rats as …

    Steve Bellovin

    I'm an affiliate scholar at Georgetown's Institute for Technology Law and Policy, and a computer science professor emeritus and former affiliate law prof at Columbia University. Author of "Thinking Security". Dinosaur photographer. Not ashamed to say that I’m still masking, because long Covid terrifies me.

    Statistics
    • User ID: 297340
    • Member since: 17 Nov 2024
    • Notices: 53
    • Daily average: 0


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.