Professor Steven Bellovin Discusses Computer Security

Adam Piore
October 24, 2011

Steven Bellovin always had a knack for catching computer hackers—even before most people knew what they were.

In 1971, Bellovin—now a professor of computer science at the engineering school—was an undergraduate at Columbia College who made ends meet with part-time programming and systems administrator jobs around town.

He was working at City College’s computer center, then the central computing facility for the entire City University of New York, when he spotted a suspicious printout. He could tell at a glance that it contained administrative data like salaries and grades—not information students should have.

One of the culprits apparently was “exploring to learn,” Bellovin recalls, while the other seemed to have “more malicious intent.” So he hired one and sent the other to the dean.

Today Bellovin is recognized as one of the foremost experts on Internet security and privacy, and the coauthor of the classic Firewalls and Internet Security: Repelling the Wily Hacker. He also advises the Department of Homeland Security.

Q. How did you get into computers?

The simple answer is that it was fun. I just did what I enjoyed, and it turned out to be useful. I went to Stuyvesant High School in New York City, which had a computer at a time when that was very unusual, and a computer club. I was 14 when I joined. In college, I had a part-time job doing systems administration and systems programming, and you can’t be a good systems administrator without worrying about security. Then at Bell Labs, I was reading the specs for the protocols and I said ‘Gee, what if somebody did such and such? Oh my God!’ I concluded there were some serious, fundamental flaws in the way things were done and I started getting more and more involved in security.

Q. What type of computer courses do you teach?

Columbia is not a trade school. Some places will teach you about encryption or firewalls. I want people to be able to look at real-world scenarios and know how to think about a problem and protect against it. Because the technology is changing constantly. If I teach you a specific technique today, five years from now there will be a better technique. I also teach a seminar called “Anonymity and Privacy,” where we cover not just technical material, but legal material. We read Supreme Court decisions and European Union regulations and statutes. Computer science or any other practical subject doesn’t exist in a vacuum; it interacts with the real world. And computer scientists have not just a right, but a responsibility to lend their special knowledge to questions of public interest when there are technical aspects.

Q. What has your research focused on primarily?

Some of it has been on privacy issues—something called “private search.” Suppose you have two parties willing to cooperate and share information up to a certain extent, but you don’t want one party to have complete access to the database, and you don’t want the second party to know what the first party searched for. Is there a way to allow information sharing while maintaining this privacy? This could be useful for intelligence sharing between agencies. We’re also doing some work on the anonymization of systems. Large collections of medical records, for instance, are really valuable to epidemiologists trying to understand patterns of disease and risk factors. But medical records are very sensitive. Is there a way to anonymize the records so they are still useful for research purposes but protect personal privacy?

Q. Why has the issue of Internet privacy so captured your attention?

For me, it’s a philosophical issue about the right to control what happens to your information. I think that people should be able to control it. More pragmatically, if somebody is making money from my information, why shouldn’t it be me? Let’s take Facebook. Facebook is free, yet it’s a very large company with many employees. It monetizes the information it gathers from you, sometimes in ways that people find objectionable, or would find objectionable if they understood what was going on. We did a study here on campus that showed that basically, nobody can get their privacy settings correct on Facebook. It’s not designed with any attention to usability. Internet advertising also poses privacy problems. When you use the Internet, you are tracked by your Facebook login, your Twitter login and so on. Whenever you visit a web page that has ads, the advertising agency knows you have visited that page, and starts building up a large profile of what you have visited. If you read articles about cars, you will start seeing more ads about cars. This is targeted advertising, and the advertising industry thinks this is really important because it’s much more effective than random ads. But it also means somebody knows exactly what you like. So we have developed mechanisms that let the agencies target the ads just as well, but have no idea of who you are.

Q. What can people do to keep their email and other confidential information private?

Make sure it is stored by a trustworthy party. If you have a Gmail account, Google is storing it. Do we trust them? That’s a good question. All we can do is see what their previous behavior has been. Google has been pretty good. In 2010, after the Gmail accounts of Chinese human rights advocates were hacked, the company began encrypting email by default instead of leaving it up to the user. But the biggest risk is not necessarily your provider but your own machine, desktop or laptop. How safe is it? Anything that helps keep the computer secure will help protect email. Good antivirus is one step, and in general, being careful what you download and install. The most important thing is being up to date on patches, which correct security flaws in programs.

Q. Still, can email security anywhere be guaranteed?

No. Email can be read by lots of people, starting with the system administrator of every machine your mail touches, plus anyone who has hacked those machines, plus anyone who is eavesdropping on any of the networks where the email passed. There are many more ways that a hacker can get to it, too. Even the originating and receiving users’ machines are vulnerable, if not directly then via their network usage. For example, if the user relies on a network file server, that machine has the actual mail. And if a computer is backed up over the network, the backup server has copies. Encrypted email is an option, but not unless it’s used properly. In other words, don’t take shortcuts and follow the instructions; they’re there for a reason. My own laptop is probably more secure than the corporate firewalls—but I’m a paranoid by profession. And of course, keep your machine physically secure. Physical access wins—always.

Q. How has computer security changed in recent years?

In the beginning, most hackers were motivated by curiosity or a spirit of malicious mischief. They were doing it for the thrill—I called it ‘joy hacking.’ What makes some people walk down the street slashing car tires or spraying graffiti on walls? It took some skill. But what is different today is the motives of the attackers and the resources they can bring to bear. Most hacking is now done for money or furtherance of national government interests.

Q. What is the fallout from that?

Most of the spam you get is sent by hacked machines; the spammers pay the hackers for access to these machines. Another example is all the phishing—those emails that try to get you to log into your bank account so they can steal your bank account. These hackers also break into the databases of large chain stores to steal credit card numbers. In 2007, TJX, the parent company of T.J. Maxx, had to take a quarter of a billion dollar charge against earnings to cover potential losses from just one such attack. They lost tens of millions of credit card numbers.

Governments have also changed the face of computer security, and governments have vast resources. I heard a number the other day—that 80 or 90 percent of the functionality of the new F-35 fighter plane is its software, which means if you want to build your own F-35, then you need a copy of the software, and if you want to be able to counter it, maybe you could do that by software instead of by surface-to-air missiles.

Q. How close is cyber warfare to becoming a reality?

Two attacks appear to have been launched by national governments for military purposes. A couple of years ago, Israel bombed what is believed to have been a Syrian nuclear reactor building despite really sophisticated Syrian air defenses. Reputable sources claim that Israel hacked into Syria’s defense network and took out the radars. Then there’s Stuxnet, the computer worm that attacked what appears to have been the Iranian centrifuge plant for enriching uranium, infecting the computers controlling the centrifuges and making them spin too fast. These computers were not connected to the Internet. The virus was spread from computer to computer by flash drives. Who did it? Speculation in the press is that it was the U.S. and/or Israel, but neither country is talking. If somebody can do that, I would believe they can take out air defense networks, too.

Q. How safe is the U.S. from hacking, cyber attacks and sabotage?

At this point, I have started wondering if anybody is safe. I see too many things that shouldn’t have been able to happen, happening. Everybody is running the same software. Inside the Pentagon and CIA, they don’t have some secure operating system that none of us have. They are running Windows, Mac OS and Linux just like everybody on the outside. The software seems to be so bad that all these systems seem to be failing.

Many of our security systems are unusable. Users and system administrators cannot carry out their intentions because the systems are too complex. The other issue is that most security problems are due to buggy code—essentially, software glitches. Buggy code is the oldest unsolved problem in computer science because it is really hard to get code correct. I’m starting to conclude it is impossible.