Thinking Security

Many computer applications are bound to a particular point in time; more precisely, to a given set of technologies and costs. The same is true of computer security. Unfortunately, once something becomes possible people become wedded to it, and never look back at the environment and assumptions that made it possible or even necessary. This is especially serious for security, since it causes us to endure the costs and annoyances of marginally useful (or even harmful) mechanisms while blinding us to newer threats. What can be done? How can we recognize the implicit assumptions in what we're doing? Can we do better in the future?

Steven M. Bellovin is currently serving as Chief Technologist of the Federal Trade Commission; he is on leave from his job as professor of computer science at Columbia University, where he does research on networks, security, and especially why the two don't get along. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs—Research, where he was an AT&T Fellow. He received a BA degree from Columbia University, and an MS and PhD in computer science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 USENIX Lifetime Achievement Award (The Flame). He is a member of the National Academy of Engineering and is serving on the Computer Science and Telecommunications Board of the National Academies, the Department of Homeland Security's Science and Technology Advisory Committee, and the Technical Guidelines Development Committee of the Election Assistance Commission; he has also received the 2007 NIST/NSA National Computer Systems Security Award.

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds a number of patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996 to 2002; he was co-director of the Security Area of the IETF from 2002 through 2004.

More details may be found at http://www.cs.columbia.edu/~smb/informal-bio.html.