Miranda Christ, Sarah Radway, and Steven M. Bellovin. Differential privacy and swapping: Examining de-identification's impact on minority representation and privacy preservation in the U.S. census. In IEEE Symposium on Security and Privacy, May 23, 2022. [ bib | DOI | http ]

John S. Koh, Jason Nieh, and Steven Bellovin. Encrypted cloud photo storage using Google Photo. In MobiSys 2021, June 2021. [ bib | http ]

John S. Koh, Steven M. Bellovin, and Jason Nieh. Easy email encryption with easy key management: Why Joanie can encrypt. In Proc. EuroSys 2019, Dresden, DE, March 2019. [ bib | .pdf ]

John S. Koh, Steven M. Bellovin, and Jason Nieh. Making it easier to encrypt your emails. ;login:, September, 2019. [ bib | http ]

Sebastian Zimmeck, Hyungtae Kim, Steven M. Bellovin, and Tony Jebara. A privacy analysis of cross-device tracking. In Usenix Security, August 2017. [ bib | http ]

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, and Joel Reidenberg. Automated analysis of privacy requirements for mobile apps. In Proceedings of NDSS '17, February 2017. [ bib | .pdf ]

Chris Riederer, Sebastian Zimmeck, Coralie Phanord, Augustin Chaintreau, and Steven M. Bellovin. I don't have a photograph but you can have my footprints---revealing the demographics of location data. In Proceedings of COSN '15, 2015. [ bib ]

Binh Vo and Steven M. Bellovin. Anonymous publish-subscribe systems. In SECURECOMM, Beijing, September 2014. [ bib | .pdf ]

Publish-subscribe protocols offer a unique means of data distribution that has many applications for distributed systems. These protocols enable message delivery based on subscription rather than specific addressing, meaning a message is addressed by a subject string rather than to a specific recipient. Recipients may then subscribe to subjects they are interested in receiving using a variety of parameters, and receive these messages immediately without having to poll for them. This format is a natural match for anonymous delivery systems: systems that enable users to send messages without revealing their identity. These systems are an area of great interest, ranging from messaging relays like Tor, to publication systems like FreeHaven. However, existing systems do not allow delivery based on topics, a mechanism which is a natural match for anonymous communication since it is not addressed based on identity. We concretely describe the properties of and propose a system that allows publish-subscribe based delivery, while protecting the identities of both the publishers and subscribers from each other, from outside parties, and from entities that handle the implementation of the system.

Sebastian Zimmeck and Steven M. Bellovin. Privee: An architecture for automatically analyzing web privacy policies. In 23rd USENIX Security Symposium (USENIX Security 14), pages 1--16, San Diego, CA, August 2014. USENIX Association. [ bib | http ]

Privacy policies on websites are based on the notice-and-choice principle. They notify Web users of their privacy choices. However, many users do not read privacy policies or have difficulties understanding them. In order to increase privacy transparency we propose Privee---a software architecture for analyzing essential policy terms based on crowdsourcing and automatic classification techniques. We implement Privee in a proof of concept browser extension that retrieves policy analysis results from an online privacy policy repository or, if no such results are available, performs automatic classifications. While our classifiers achieve an overall F-1 score of 90%, our experimental results suggest that classifier performance is inherently limited as it correlates to the same variable to which human interpretations correlate---the ambiguity of natural language. This finding might be interpreted to call the notice-and-choice principle into question altogether. However, as our results further suggest that policy ambiguity decreases over time, we believe that the principle is workable. Consequently, we see Privee as a promising avenue for facilitating the notice-and-choice principle by accurately notifying Web users of privacy practices and increasing privacy transparency on the Web.

Steven M. Bellovin. Position paper: Security and simplicity. In W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT), March 2014. [ bib | .pdf ]

Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and privacy: It's complicated. In Symposium On Usable Privacy and Security (SOUPS), July 2012. [ bib | .pdf ]

We measure users' attitudes toward interpersonal privacy concerns on Facebook and measure users' strategies for reconciling their concerns with their desire to share content online. To do this, we recruited 260 Facebook users to install a Facebook application that surveyed their privacy concerns, their friend network compositions, the sensitivity of posted content, and their privacy-preserving strategies. By asking participants targeted questions about people randomly selected from their friend network and posts shared on their profiles, we were able to quantify the extent to which users trust their “friends” and the likelihood that their content was being viewed by unintended audiences. We found that while strangers are the most concerning audience, almost 95% of our participants had taken steps to mitigate those concerns. At the same time, we observed that 16.5% of participants had at least one post that they were uncomfortable sharing with a specific friend---someone who likely already had the ability to view it---and that 37% raised more general concerns with sharing their content with friends. We conclude that the current privacy controls allow users to effectively manage the outsider threat, but that they are unsuitable for mitigating concerns over the insider threat---members of the friend network who dynamically become inappropriate audiences based on the context of a post.

Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. In Proceedings of SESOC 2012, 2012. [ bib | .pdf ]

Access control policies are notoriously difficult to configure correctly; even people who are professionally trained system administrators experience difficulty with the task. With the increasing popularity of online social networks (OSN), users of all levels are sharing an unprecedented amount of personal information on the Internet. Most OSNs give users the ability to specify what they share with whom, but the difficulty of the task raises the question of whether users' privacy settings match their sharing intentions. We present the results of a study that measures sharing intentions to identify potential violations in users' real Facebook privacy settings. Our results indicate a serious mismatch between intentions and reality: every one of the 65 participants in our study had at least one confirmed sharing violation. In other words, OSN users are unable to correctly manage their privacy settings. Furthermore, a majority of users cannot or will not fix such errors.

Carl Landwehr, Dan Boneh, John Mitchell, Steven M. Bellovin, Susan Landau, and Mike Lesk. Privacy and cybersecurity: The next 100 years. Proceedings of the IEEE, PP(99):1--15, 2012. [ bib | DOI | http ]

Hang Zhao, Jorge Lobo, Arnab Roy, and Steven M. Bellovin. Policy refinement of network services for MANETs. In The 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011), Dublin, Ireland, May 2011. [ bib | .pdf ]

Sal Stolfo, Steven M. Bellovin, and David Evans. Measuring security. IEEE Security & Privacy, 9(3):88, May--June 2011. [ bib | DOI ]

Hang Zhao and Steven M. Bellovin. High performance firewalls in MANETs. In International Conference on Mobile Ad-hoc and Sensor Networks, pages 154--160, December 2010. [ bib | .pdf ]

Doing route selection based in part on source addresses is a form of policy routing, which has started to receive increased amounts of attention. In this paper, we extend our previous work on ROFL (ROuting as the Firewall Layer) to achieve source prefix filtering. This permits easy definition of “inside” and “outside”, even in a MANET environment where there is no topological boundary. We present algorithms for route propagation and packet forwarding using ROFL; we measure its performance in a simulated environment with two different ad hoc routing protocols. Simulation results demonstrate that ROFL can significantly reduce unwanted packets without extra control traffic incurred, and thus improves overall system performance and preserves battery power of mobile nodes. ROFL is the first scheme to provide a concrete defense against some battery exhaustion attacks in MANETs. Moreover, it requires only minor changes to existing ad hoc network routing protocols, making it practical and feasible to be deployed in the real world.

Maritza Johnson and Steven M. Bellovin. Policy management for e-health records. Usenix HealthSec, August 2010. Position paper. [ bib | .html | .pdf ]

Shaya Potter, Steven M. Bellovin, and Jason Nieh. Two person control administration: Preventing administration faults through duplication. In LISA '09, November 2009. [ bib | .pdf ]

Maritza Johnson, Steven M. Bellovin, Robert W. Reeder, and Stuart Schechter. Laissez-faire file sharing: Access control designed for individuals at the endpoints. In New Security Paradigms Workshop, September 2009. [ bib | .pdf ]

Yuu-Heng Cheng, Mariana Raykova, Alex Poylisher, Scott Alexander, Martin Eiger, and Steven M. Bellovin. The Zodiac policy subsystem: a policy-based management system for a high-security MANET. In IEEE Policy 2009, July 2009. Longer version issued as CUCS-023-09. [ bib ]

Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268--274, April 2009. [ bib | .pdf ]

Maritza Johnson and Steven M. Bellovin. Security assurance for web device APIs. In Security for Access to Device APIs from the Web - W3C Workshop, December 2008. [ bib | .pdf ]

There are currently proposals for web access to devices. The security threats are obvious. We propose design principles intended to ensure that the user actually controls access, despite potential errors in judgment, tricky web pages, or flaws in browsers.

Hang Zhao, Chi-Kin Chau, and Steven M. Bellovin. ROFL: Routing as the firewall layer. In New Security Paradigms Workshop, September 2008. A version is available as Technical Report CUCS-026-08. [ bib | http ]

Hang Zhao, Jorge Lobo, and Steven M. Bellovin. An algebra for integration and analysis of Ponder2 policies. In Proceeding of the 9th IEEE Workshop on Policies for Distributed Systems and Networks, June 2008. [ bib | .pdf ]

Maritza Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. Bellovin, and Gail Kaiser. RUST: A retargetable usability testbed for website authentication technologies. In Usenix Workshop on Usability, Psychology, and Security, April 2008. [ bib | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, Kostas Anagnostakis, and Jonathan M. Smith. Coordinated policy enforcement for distributed applications. International Journal of Network Security, 4(1):69--80, January 2007. [ bib | .pdf ]

Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. [ bib | http | http ]

Ka-Ping Yee, David Wagner, Marti Hearst, and Steven M. Bellovin. Prerendered user interfaces for higher-assurance electronic voting. In Usenix/ACCURATE Electronic Voting Technology Workshop, August 2006. An earlier version appeared as Technical Report UCB/EECS-2006-35. [ bib | .pdf ]

Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick. Worm propagation strategies in an IPv6 Internet. ;login:, pages 70--76, February 2006. [ bib | .pdf ]

Steven M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In Annual Computer Security Applications Conference, December 2004. Invited paper. [ bib | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, and Jonathan M. Smith. Design and implementation of virtual private services. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, Linz, Austria, June 2003. [ bib | .pdf ]

Steven M. Bellovin and Emden R. Gansner. Using link cuts to attack Internet routing, 2003. Draft. [ bib | .ps | .pdf ]

Sotiris Ioannidis, Steven M. Bellovin, and Jonathan Smith. Sub-operating systems: A new approach to application security. In SIGOPS European Workshop, September 2002. [ bib | .pdf ]

Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. Controlling high bandwidth aggregates in the network. Computer Communication Review, 32(3):62--73, July 2002. [ bib | .pdf ]

John Ioannidis and Steven M. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proc. Internet Society Symposium on Network and Distributed System Security, 2002. [ bib | .ps | .pdf ]

Peter M. Gleitz and Steven M. Bellovin. Transient addressing for related processes: Improved firewalling by using IPv6 and multiple addresses per host. In Proceedings of the Eleventh Usenix Security Symposium, August 2001. [ bib | .pdf ]

Sotiris Ioannidis and Steven M. Bellovin. Building a secure web browser. In Usenix Conference, June 2001. [ bib | .pdf ]

Steven M. Bellovin. Computer security---an end state? Communications of the ACM, 44(3), March 2001. [ bib | .pdf ]

Steven M. Bellovin, C. Cohen, J. Havrilla, S. Herman, B. King, J. Lanza, L. Pesante, R. Pethia, S. McAllister, G. Henault, R. T. Goodden, A. P. Peterson, S. Finnegan, K. Katano, R. M. Smith, and R. A. Lowenthal. Results of the “Security in ActiveX Workshop”, December 2000. [ bib | .pdf ]

Sotiris Ioannidis, Angelos D. Keromytis, Steven M. Bellovin, and Jonathan M. Smith. Implementing a distributed firewall. In ACM Conference on Computer and Communications Security, Athens, Greece, November 2000. [ bib | .pdf ]

J. S. Denker, Steven M. Bellovin, H. Daniel, N. L. Mintz, T. Killian, and M. A. Plotnick. Moat: A virtual private network appliance and services platform. In Proceedings of LISA XIII, November 1999. [ bib | .pdf ]

Steven M. Bellovin. Distributed firewalls. ;login:, pages 39--47, November 1999. [ bib | .html | .ps | .pdf ]

Peter Gregory. Why systems administration is hard. In Solaris Security. Prentice-Hall, 1999. (Foreword). [ bib | .html ]

William Cheswick and Steven M. Bellovin. How computer security works: Firewalls. Scientific American, pages 106--107, October 1998. [ bib ]

Bill Cheswick and Steven M. Bellovin. A DNS filter and switch for packet-filtering gateways. In Proceedings of the Sixth Usenix Unix Security Symposium, pages 15--19, San Jose, CA, 1996. [ bib | .html ]

Steven M. Bellovin. Security and uses of the Internet. In Proceedings of the North American Serials Interest Group, June 1995. [ bib ]

Steven M. Bellovin. Using the domain name system for system break-ins. In Proceedings of the Fifth Usenix Unix Security Symposium, pages 199--208, Salt Lake City, UT, June 1995. [ bib | .pdf ]

Steven M. Bellovin and William R. Cheswick. Network firewalls. IEEE Communications Magazine, 32(9):50--57, Sept 1994. [ bib | DOI ]

Steven M. Bellovin. There be dragons. In Proceedings of the Third Usenix Unix Security Symposium, pages 1--16, September 1992. [ bib | .pdf ]

Steven M. Bellovin. Towards a commercial IP security option. In Commercial IPSO Workshop, INTEROP '89, May 1989. [ bib ]

Steven M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communication Review, 19(2):32--48, April 1989. [ bib | .pdf ]

Steven M. Bellovin. The “session tty” manager. In Proc. Usenix Conference, Summer 1988. [ bib | .pdf ]