Steven M. Bellovin. Position paper: Security and simplicity. In W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT), March 2014. [ bib | .pdf ]

Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and privacy: It's complicated. In Symposium On Usable Privacy and Security (SOUPS), July 2012. [ bib | .pdf ]

We measure users' attitudes toward interpersonal privacy concerns on Facebook and measure users' strategies for reconciling their concerns with their desire to share content online. To do this, we recruited 260 Facebook users to install a Facebook application that surveyed their privacy concerns, their friend network compositions, the sensitivity of posted content, and their privacy-preserving strategies. By asking participants targeted questions about people randomly selected from their friend network and posts shared on their profiles, we were able to quantify the extent to which users trust their “friends” and the likelihood that their content was being viewed by unintended audiences. We found that while strangers are the most concerning audience, almost 95% of our participants had taken steps to mitigate those concerns. At the same time, we observed that 16.5% of participants had at least one post that they were uncomfortable sharing with a specific friend-someone who likely already had the ability to view it-and that 37% raised more general concerns with sharing their content with friends. We conclude that the current privacy controls allow users to effectively manage the outsider threat, but that they are unsuitable for mitigating concerns over the insider threat-members of the friend network who dynamically become inappropriate audiences based on the context of a post.

Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. In Proceedings of SESOC 2012, 2012. [ bib | .pdf ]

Access control policies are notoriously difficult to configure correctly, even people who are professionally trained system administrators experience difficulty with the task. With the increasing popularity of online social networks (OSN) users of all levels are sharing an unprecedented amount of personal information on the Internet. Most OSNs give users the ability to specify what they share with whom, but the difficulty of the task raises the question of whether users' privacy settings match their sharing intentions. We present the results of a study that measures sharing intentions to identify potential violations in users' real Facebook privacy settings. Our results indicate a serious mismatch between intentions and reality: every one of the 65 participants in our study had at least one confirmed sharing violation. In other words, OSN users' are unable to correctly manage their privacy settings. Furthermore, a majority of users cannot or will not fix such errors.

Carl Landwehr, Dan Boneh, John Mitchell, Steven M. Bellovin, Susan Landau, and Mike Lesk. Privacy and cybersecurity: The next 100 years. Proceedings of the IEEE, PP(99):1-15, 2012. [ bib | DOI | http ]

Hang Zhao, Jorge Lobo, Arnab Roy, and Steven M Bellovin. Policy refinement of network services for MANETs. In The 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011), Dublin, Ireland, May 2011. [ bib | .pdf ]

Sal Stolfo, Steven M. Bellovin, and David Evans. Measuring security. IEEE Security & Privacy, 9(3):88, May-June 2011. [ bib | DOI ]

Hang Zhao and Steven M. Bellovin. High performance firewalls in MANETs. In International Conference on Mobile Ad-hoc and Sensor Networks, pages 154-160, December 2010. [ bib | .pdf ]

Doing route selection based in part on source addresses is a form of policy routing, which has started to receive increased amounts of attention. In this paper, we extend our previous work on ROFL (ROuting as the Firewall Layer) to achieve source prefix filtering. This permits easy definition of “inside” and “outside”, even in MANET environment where there is no topological boundary. We present algorithms for route propagation and packet forwarding using ROFL; we measure its performance in a simulated environment with two different ad hoc routing protocols. Simulation results demonstrate that ROFL can significantly reduce unwanted packets without extra control traffic incurred, and thus improves overall system performance and preserves battery power of mobile nodes. ROFL is the first scheme to provide a concrete defense against some battery exhaustion attacks in MANETs. Moreover, it requires only minor changes to existing ad hoc network routing protocols, making it practical and feasible to be deployed in real world.

Maritza Johnson and Steven M. Bellovin. Policy management for e-health records. Usenix HealthSec, August 2010. Position paper. [ bib | .html | .pdf ]

Shaya Potter, Steven M. Bellovin, and Jason Nieh. Two person control administration: Preventing administration faults through duplication. In LISA '09, November 2009. [ bib | .pdf ]

Maritza Johnson, Steven M. Bellovin, Robert W. Reeder, and Stuart Schechter. Laissez-faire file sharing: Access control designed for individuals at the endpoints. In New Security Paradigms Workshop, September 2009. [ bib | .pdf ]

Yuu-Heng Cheng, Mariana Raykova, Alex Poylisher, Scott Alexander, Martin Eiger, and Steve M. Bellovin. The Zodiac policy subsystem: a policy-based management system for a high-security MANET. In IEEE Policy 2009, July 2009. Longer version issued as CUCS-023-09. [ bib ]

Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268-274, April 2009. [ bib | .pdf ]

Maritza Johnson and Steven M. Bellovin. Security assurance for web device APIs. In Security for Access to Device APIs from the Web - W3C Workshop, December 2008. [ bib | .pdf ]

There are currently proposals for web access to devices. The security threats are obvious. We propose design principles intended to ensure that the user actually controls access, despite potential errors in judgment, tricky web pages, or flaws in browsers.

Hang Zhao, Chi-Kin Chau, and Steven M. Bellovin. ROFL: Routing as the firewall layer. In New Security Paradigms Workshop, September 2008. A version is available as Technical Report CUCS-026-08. [ bib | http ]

Hang Zhao, Jorge Lobo, and Steven M. Bellovin. An algebra for integration and analysis of Ponder2 policies. In Proceeding of the 9th IEEE Workshop on Policies for Distributed Systems and Networks, June 2008. [ bib | .pdf ]

Maritza Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. Bellovin, and Gail Kaiser. RUST: A retargetable usability testbed for website authentication technologies. In Usenix Workshop on Usability, Psychology, and Security, April 2008. [ bib | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, Kostas Anagnostakis, and Jonathan M. Smith. Coordinated policy enforcement for distributed applications. International Journal of Network Security, 4(1):69-80, January 2007. [ bib | .pdf ]

Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. [ bib | http | http ]

Ka-Ping Yee, David Wagner, Marti Hearst, and Steven M. Bellovin. Prerendered user interfaces for higher-assurance electronic voting. In Usenix/ACCURATE Electronic Voting Technology Workshop, August 2006. An earlier version appeared as Technical Report UCB/EECS-2006-35. [ bib | .pdf ]

Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick. Worm propagation strategies in an IPv6 Internet. ;login:, pages 70-76, February 2006. [ bib | .pdf ]

Steven M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In Annual Computer Security Applications Conference, December 2004. Invited paper. [ bib | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, and Jonathan M. Smith. Design and implementation of virtual private services. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, Linz, Austria, June 2003. [ bib | .pdf ]

Steven M. Bellovin and Emden R. Gansner. Using link cuts to attack Internet routing, 2003. Draft. [ bib | .ps | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, and Jonathan Smith. Sub-operating systems: A new approach to application security. In SIGOPS European Workshop, September 2002. [ bib | .pdf ]

Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. Controlling high bandwidth aggregates in the network. Computer Communications Review, 32(3):62-73, July 2002. [ bib | .pdf ]

John Ioannidis and Steven M. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proc. Internet Society Symposium on Network and Distributed System Security, 2002. [ bib | .ps | .pdf ]

Peter M. Gleitz and Steven M. Bellovin. Transient addressing for related processes: Improved firewalling by using IPv6 and multiple addresses per host. In Proceedings of the Eleventh Usenix Security Symposium,, August 2001. [ bib | .pdf ]

Sotiris Ioannidis and Steven M. Bellovin. Building a secure web browser. In Usenix Conference, June 2001. [ bib | .pdf ]

Steven M. Bellovin. Computer security-an end state? Communications of the ACM, 44(3), March 2001. [ bib | .pdf ]

Steven M. Bellovin, C. Cohen, J. Havrilla, S. Herman, B. King, J. Lanza, L. Pesante, R. Pethia, S. McAllister, G. Henault, R. T. Goodden, A. P. Peterson, S. Finnegan, K. Katano, R. M. Smith, and R. A. Lowenthal. Results of the “Security in ActiveX Workshop”, December 2000. [ bib | .pdf ]

Sotiris Ioannidis, Angelos D. Keromytis, Steven M. Bellovin, and Jonathan M. Smith. Implementing a distributed firewall. In ACM Conference on Computer and Communications Security, Athens, Greece, November 2000. [ bib | .pdf ]

Steven M. Bellovin. Distributed firewalls. ;login:, pages 39-47, November 1999. [ bib | .html | .ps | .pdf ]

J. S. Denker, S. M. Bellovin, H. Daniel, N. L. Mintz, T. Killian, and M. A. Plotnick. Moat: A virtual private network appliance and services platform. In Proceedings of LISA XIII, November 1999. [ bib | .pdf ]

Peter Gregory. Why systems administration is hard. In Solaris Security. Prentice-Hall, 1999. (Foreword). [ bib | .html ]

William Cheswick and Steven M. Bellovin. How computer security works: Firewalls. Scientific American, pages 106-107, October 1998. [ bib ]

Bill Cheswick and Steven M. Bellovin. A DNS filter and switch for packet-filtering gateways. In Proceedings of the Sixth Usenix Unix Security Symposium, pages 15-19, San Jose, CA, 1996. [ bib | .html ]

Steven M. Bellovin. Using the domain name system for system break-ins. In Proceedings of the Fifth Usenix Unix Security Symposium, pages 199-208, Salt Lake City, UT, June 1995. [ bib | .pdf ]

Steven M. Bellovin. Security and uses of the Internet. In Proceedings of the North American Serials Interest Group, June 1995. [ bib ]

S.M. Bellovin and W.R. Cheswick. Network firewalls. IEEE Communications Magazine, 32(9):50-57, Sept 1994. [ bib | DOI ]

Keywords: Unix;computer networks;internetworking;network servers;protocols;security of data;Internet;TCP/IP protocol;UNIX operating system;UNIX programs;UNIX systems;application gateways;circuit gateways;computer network firewalls;computer security;network gateways;networked computer;packet filtering;Application software;Circuits;Computer networks;Computer security;Information filtering;Information filters;Internet;Operating systems;Protocols;TCPIP

Steven M. Bellovin. There be dragons. In Proceedings of the Third Usenix Unix Security Symposium, pages 1-16, September 1992. [ bib | .pdf ]

Steven M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, 19(2):32-48, April 1989. [ bib | .pdf ]

Steven M. Bellovin. Towards a commercial IP security option. In Commercial IPSO Workshop, INTEROP '89, 1989. [ bib ]

Steven M. Bellovin. The “session tty” manager. In Proc. Usenix Conference, Summer 1988. [ bib | .pdf ]