@hacks4pancakes Yup. Some years ago, after a cascading failure blacked out a good chunk of the US, several people asked me if "hackers" had done it. My response was that power grid dynamics were so complex that there was no way attackers could predict what would happen. Sure enough, the eventual investigation showed that a series of improbable events had coincided; that plus the cascade effect did it. To quote myself, "complex systems fail in complex ways".
From the article: ‘Nara Milanich, a Barnard history professor, said it reminded her of her research into 1930s Italy, when lists of Jews were put together by the local government. “We’ve seen this movie before, and it ends with yellow stars,” she said.’
Worth noting: combining different databases is generally regarded as the single most dangerous thing to do from a privacy perspective. Here's what Paul Ohm wrote a few years ago (https://hbr.org/2012/08/dont-build-a-database-of-ruin):
In my work, I’ve argued that these databases will grow to connect every individual to at least one closely guarded secret. This might be a secret about a medical condition, family history, or personal preference. It is a secret that, if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm. And these companies are combining their data stores, which will give rise to a single, massive database. I call this the Database of Ruin. https://flipboard.com/@newyorktimes/the-upshot-imovb8bqz/-/a-pvsZrW8uTLKxDaAmALYvXw%3Aa%3A3195393-%2F0
@adamshostack Like so much else in the US constitution, there is a provision specifically aimed at that abuse. In particular, the Sixth Amendment starts "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law."
I was at the midtown Manhattan demonstration today. I don't know how large the crowd was, but it was large. It did skew older—my partner and I were not the only ones who were veterans of the anti-Vietnam War protests decades ago. But youth was well-represented, too, including a store employee who climbed into the store window to show a large “FUCK TRUMP” on her phone. There were very few preprinted signs, which made for a lot of creative homemade signs. They ran the gamut of issues, and of course there are many. (My favorite sign: “IKEA HAS A BETTER CABINET”.) Naturally, although Trump was the primary target, Musk came in for a lot, too: “F-ELON”, “YOU CAN’T SPELL FELON WITHOUT ELON”, “DEPORT MUSK, LOCK UP TRUMP”, and more. Will Trump pay attention? No, of course not. But apart from the importance of showing up and being counted, I hope that members of Congress will see the anger. They've already learned that open town halls are a bad idea, and last Tuesday's election results had to be scary for the GOP. (Photos? No, out of respect for the privacy of other demonstrators.)
@arstechnica There's another problem here. If the encryption is being done client-side by *any* browser, it's being done by JavaScript—and who knows what the JavaScript is doing? I call this the trust-binding problem. When you download software or an update to it, you're making your decision to trust the vendor at that point. With JavaScript encryption and decryption, you're making that decision every time you load the page. This is a very different concept, and one that isn't made clear to users. (In theory, there could be browser extensions to do the encryption and decryption, but that's not easy for users, and there are many different browsers out there, with very different policies on extensions.)
@thetnholler.bsky.social@20002ist When you look at the population of Greenland, it's clear that if the US did own it, it would be a "territory" where the people have fewer rights to self-government, no ability to vote for president, etc.
My undergrad degree is from Columbia, and I'm a faculty member for a few more months, though no longer teaching. I intend to continue wearing my mask, since I wear it for health reasons and not “for the purpose of concealing one’s identity in the commission of violations of University policies or state, municipal or federal laws.” After all, it's for health reasons, which is explicitly permitted by policy. My next step: an email to my chair and the dean. I have two thesis defenses coming up this semester; other than those, I don't need to be inside any campus buildings, and I'll run the defenses over Zoom if I have to. https://flipboard.com/@newyorktimes/new-york-bat3un55z/-/a-0zIWJwAfQXmPJsJLILatFg%3Aa%3A3195393-%2F0
@adamshostack One reason I use slides for almost all of my class lectures is your #2: there are many such students, especially in our graduate programs. I also make the slides available to the students (and everyone else in the world…), ever since I saw non-English speakers at IETF meetings taking pictures of the screen.
To paraphrase and merge two Churchill speeches, we shall go on to the end, we shall fight in America, we shall fight on the streets and parks, we shall fight with growing confidence and growing strength on the Internet, we shall defend our democracy, whatever the cost may be, we shall fight in the courtrooms, we shall fight in the Congress, we shall fight in the voting booth, we shall fight in the hills; we shall never surrender. But if we fail, then the whole world, including the United States, including all that we have known and cared for, will sink into the abyss of a new Dark Age made more sinister, and perhaps more protracted, by the lights of perverted science. Let us therefore brace ourselves to our duties, and so bear ourselves that, if the United States lasts for a thousand years, people will still say, "This was their finest hour."
An interesting unanimous, per curiam opinion from the Supreme Court upholding the law banning TikTok. The Court felt that intermediate scrutiny was the right standard to use, under which the law was constitutional; Sotomayor and probably Gorsuch felt that it should have been strict scrutiny, but that that standard was met, too. (Gorsuch had a bunch of other concerns I won't try to summarize.)
I'm a computer science professor and affiliate law prof at Columbia University. Author of "Thinking Security". Dinosaur photographer. Not ashamed to say that I’m still masking, because long Covid terrifies me.