============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 73, July 16, 2006

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Bob Bruen, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Jon Millen's report on the annual meeting of the Technical Committee on Security and Privacy
  o Announcement of nomination period for ACM SIGSAC awards contributed by Pierangela Samarati
  o News article touting Vista OS security
  o NIST Announces Hash Function Timeline
  o Robert Bruen's review of "The Governance of Privacy.
Policy Instruments in a Global Perspective" by Bennett, Colin and Charles Raab
  o Review of the IEEE Computer Society Security and Privacy Symposium (Berkeley, California, May 21, 2006) by Ganesha Bhaskara and Justin Zhan
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This issue of Cipher covers the annual meeting of the IEEE Computer Society's Technical Committee on Security and Privacy, the organization that publishes Cipher and sponsors the Symposium on Security and Privacy. The TC meets at the Symposium each year. We also have a conference report about the technical sessions of the Symposium.

Robert Bruen has contributed a book review about an interesting book covering the subject of privacy. As a fledgling author, he has had an unhappy interaction with a book publisher that he would gladly relate if you contact him directly.

July weather here in Utah is hot enough that it might even convince our senior Senator of the reality of global warming. Whatever the future may bring in computer security, it will have to ensure cooler processors!
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Highlights of the annual meeting of the TCSP
May 23, 2006
Report by Jon Millen, TCSP Chair
====================================================================

The IEEE Computer Society's Technical Committee on Security and Privacy meets annually at the Symposium on Security and Privacy. All conference attendees are encouraged to attend, to get the benefit of the more wide-ranging discussions, rather than just the brief notes given here.

This year's statistics from the conference organizers showed positive trends. The 2006 Symposium had 252 registered attendees, significantly more than last year's 192. There were 251 paper submissions, with authors from 48 institutions. The new "short paper" category was viewed as a successful method for increasing the number of papers presented, a goal from last year. This year there was also an associated workshop at Berkeley on Web services security.

The symposium organizers for 2007 are the following: Deborah Shands, general chair; Paul Karger, registration chair; Birgit Pfitzmann and Avi Rubin (the latter was not confirmed during the meeting, but accepted later), program chairs; Terry Benzel, symposium treasurer.

The TC will review the current list of subcommittee chairs. In particular, the need for a standards chair and a security conferences chair was questioned; and a new academic affairs chair is being sought. Hilarie Orman has volunteered to be the new TC treasurer. Voting for a new TC Vice Chair will occur next year, as Cynthia Irvine becomes TC Chair in 2008.

====================================================================
News Briefs
====================================================================

____________________________________________________________________
ACM SIGSAC AWARDS
Announcement communicated by Pierangela Samarati
June 22, 2006
____________________________________________________________________

ACM SIGSAC is offering two annual awards: SIGSAC Outstanding Innovation Award and SIGSAC Outstanding Contributions Award. At most one award is given each year in each category. The award criteria are as follows:

- SIGSAC Outstanding Innovation Award: This award is given for outstanding and innovative technical contributions to the field of computer and communication security that have had lasting impact in furthering or understanding the theory or development of secure systems.
- SIGSAC Outstanding Contribution Award: This award is given for significant contribution to the field of computer and communication security through fostering research and development activities, educating students, or providing professional services such as the running of professional societies and conferences.

The SIGSAC Awards Committee is now open to receiving nominations for the awards. The awards will be presented at ACM Computer and Communication Security Conference, Alexandria, VA, October 30 -- Nov. 3, 2006.

NOMINATION PROCESS: Each nomination should be co-sponsored by at least 3 people. Email co-sponsorship is accepted. Nominations should include a proposed citation (up to 25 words), a succinct (100-250 words) description of the innovation/contribution, and a detailed statement (1-2 page) to justify the nomination as well as other supporting materials. Nominations should be submitted via e-mail (with subject "SIGSAC Innovation/Contribution Award nomination") to the chair of the SIGSAC Awards Committee: Pierangela Samarati (samarati@dti.unimi.it).

DEADLINE FOR NOMINATIONS: Deadline for receiving nominations is August 5, 2006.

EXCLUSION: Members of the ACM SIGSAC Awards Committee are not eligible to be nominated.

The details related to the nomination process and administration of the awards are posted at http://www.acm.org/sigs/sigsac/awards.html

____________________________________________________________________
"Microsoft: Vista Most Secure OS Ever"
News Watch Item Contributed by Richard Schroeppel
____________________________________________________________________

Nate Mook and Tim Conneally, BetaNews
June 15, 2006, 6:08 AM
http://www.betanews.com/article/Microsoft_Vista_Most_Secure_OS_Ever/1150366131

"Services are now run with reduced privileges that contain profiles specifying allowed file system, registry and network activities."

"Internet Explorer 7 in Vista runs in a low Integrity Level known as 'Protected Mode' in order to prevent malicious Web sites from compromising an entire system."

Vista supports full disk on-the-fly encryption using 256-bit AES.

____________________________________________________________________
NIST Announces Hash Function Timeline
July 14, 2006
____________________________________________________________________

A tentative timeline of the development of new hash functions has been posted on the Hash Workshop web site: http://www.nist.gov/hash-function

This topic will be discussed in the Second Cryptographic Hash Workshop. Comments should be sent to hash-function@nist.gov by August 4, 2006. Details about the workshop and a preliminary program are available at the same web site listed above.

Sincerely,
The Hash Workshop Program Committee
NIST

____________________________________________________________________

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

____________________________________________________________________
Review of IEEE Computer Society Security and Privacy Symposium
Berkeley, California, May 21-24, 2006
by Ganesha Bhaskara and Justin Zhan
June 13, 2006
____________________________________________________________________

Part 1, by Ganesha Bhaskara, Information Sciences Institute, University of Southern California.

Attending IEEE Symposium on Security and Privacy for the first time, I was unsure what to expect during the reception, though I had high expectations from the days to follow. I walked into the reception room, met faculty, students and researchers from different universities. As I would find out the next day, there were researchers from 48 institutions from 14 countries presenting at the conference. Finally, I settled down with a group of people swapping stories about past projects and current state of affairs at NSF / DARPA and in software industry and computer security in general. As the evening wound down, and enough glasses of wine had been consumed, somebody commented, "how boring security would be without Microsoft", indicating it was time to call it a day.

Day 1

The first day of the conference started with an address from the General Chair, Hilarie Orman, and Program Co-Chair, Vern Paxson. One of the highlights of their address was the introduction of short papers in the conference to give better exposure to new and promising work in progress.

The first session was about "Signature Generation".
The first presenter discussed a language-theoretic approach to automatically generate all and only those inputs that exploit a given vulnerability, indicating that in practice, they did not encounter cases where the inputs were dependent on the state of the program and hence they could express the vulnerability language as a regular expression. Though I thought this was one of the best papers in the conference, many had fundamental objections to the approach of addressing specific problems and patching them, instead of looking at the problem from a global perspective to find the root cause of the problem. Other papers in this session dealt with misleading worm signature detection algorithms and improving signature detection algorithms.

The second session was about "Detection". The first presenter discussed a technique of improving intrusion detection by learning data flow behavior of programs. Unary and binary data flow relationships were used to show the empirical superiority of this technique over the existing ones, with the acknowledgement that there exists a tradeoff between accuracy and efficiency as the order of data flow relationships learned is increased. The next presentation dealt with developing a unified framework for evaluating intrusion detection systems. This paper took the approach of modeling the problem as a general instance of a multi-criteria optimization problem to find the optimal tradeoff of the metrics used to evaluate an IDS system. The last paper of this session was a short paper that dealt with disrupting the learning process of malware by injecting crafted human-like inputs using a system called "Siren".

The next session of the day was about "Privacy". The first paper presented fundamental limits on anonymity provided by the MIX technique. The second presentation discussed fast and cheap attacks on the Tor anonymous communication network that can reveal the location of hidden servers, leading to compromise of anonymity.
The short paper presented during this session discussed an interesting approach that "allows a client to retrieve documents matching some search criteria from a remote server while the server evaluating the request remains completely oblivious to the search criteria". One of the members of the audience did a quick back-of-the-envelope calculation and questioned its scalability, as this technique was required to be used on a per-client basis to achieve its objective.

There was a poster session scheduled for the evening, but few posters materialized. Food and wine were good, thanks to the conference organizers.

Day 2

The first session on day two was "Formal Methods". Presentations included a new mechanized prover for security properties of cryptographic protocols and a new logic for constraint-based protocol analysis that could also specify data freshness properties, and its corresponding decision procedure. A distinct lack of questions in many of the presentations in this session indicated how few people actually understand the guts of formal methods.

The second session was on "Analyzing and Enforcing Policy". The first presentation discussed a conceptual framework to formalize some aspects of privacy expectation and its implication as developed in law, public and political philosophy. The author pointed out that one of the main difficulties that they faced in translating law to formal policies was that different people interpreted law in different ways and that modeling distributed enforcement policy was a hard problem. The second presentation discussed an efficient BDD-based static analysis toolkit for modeling and analyzing configurations of centralized and distributed firewalls. The last presentation in the session was on "Retrofitting legacy code for authorization policy enforcement". This used trace analysis to determine points in the code that required authorization.
One of the main concerns of the audience was lack of completeness of trace-based techniques, which the author hinted could be alleviated using static code analysis tools.

The last session I attended in the conference was on "Authentication". The first presentation discussed an interesting concept of "Integrity codes" (inspired by ECC) for integrity protection of messages (without symmetric / asymmetric keys) transmitted over wireless channels. Using this, the authors introduced a concept of "Authentication through presence" that can be used for several security applications. The short paper in this session revolved around a cognitive authentication scheme that is safe against spyware. There were questions from the audience about the attack space of this scheme. (For more on this, please contact the author or David Wagner.) Other presentations in this session included the use of cache cookies for browser authentication and secure device pairing on a visual channel.

Overall, this was a great conference and I hope to attend future conferences. One aspect that was apparent from the start of the conference was the disconnect between the communities that work on MLS type of systems for the military and the communities that work on IDS, signature generation and the like, which aim to make existing systems secure. I believe both communities have much to learn from working with each other and would result in, as I optimistically put it, usable secure systems.

Part 2, summaries for May 24 by Justin Zhan, University of Ottawa, Canada. Additional material by Sven Dietrich, Carnegie Mellon University

Session: Attacks (Chair: Kevin Fu)

Title: SubVirt: Implementing malware with virtual machines
Authors: Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch
University of Michigan, USA, and Microsoft Research, USA
Speaker: Samuel King

This work examines a new type of malicious software which is called a virtual-machine based rootkit (VMBR).
Virtual-machine based rootkits are difficult to detect since a VMBR installs a virtual-machine monitor (VMM) underneath an existing operating system and moves that operating system into a virtual machine. The VMM can then also launch an attack OS, which is hard for the original operating system to detect. In particular, a VMBR supports general-purpose malicious services. They evaluated this new malware threat by implementing four example malicious services, including keyloggers and a phishing web server. A restart can be easily handled by the VMBR, but a shutdown is more difficult to deal with. However, low-power modes allow for simulating a shutdown machine. A secure way to circumvent this is an actual powerdown (pulling the plug), which assures a real shutdown. Paul Karger mentioned earlier related works by Marv Schaefer and himself from as early as 1976.

Title: Practical Attacks on Proximity Identification Systems (short)
Author and Speaker: Gerhard P. Hancke, University of Cambridge, UK

This talk presents some proof-of-concept attacks on RFID following ISO 14442 A. In particular, two types of attacks are described:

(1) Eavesdropping: An eavesdropper can intercept a two-way communication sequence between a legitimate reader and a token within 4m, and it is possible to scan a token's response from 1.5m away after activating it from a distance of 15cm using a magnetic loop antenna.
(2) Relay attacks: Relay attacks can successfully spoof the location of authentication tokens. Furthermore, the permissible system delay may cause attacks on the system's integrity by allowing enough time for the modification of legitimate communication sequences.

The author compared his approach to various claims made by ACLU (read of e-passport at 1 meter), NIST (read of e-passport at 9m), and DEFCON (read at 20m). His results remain inconclusive in validating or refuting those claims, but he does point out that the testing conditions are not always well documented.

Title: On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
Authors: Pai Peng, Peng Ning and Douglas S. Reeves
North Carolina State University, USA
Speaker: Pai Peng

There are various approaches for watermarking packets. Timing-based active watermarking schemes are shown to be effective in tracing back attackers through stepping stone connections or anonymizing networks. Research on timing-based active watermarking has overlooked an important issue: the secrecy of the parameters used in watermarking. This work studies two types of attacks against the watermarking schemes:

(1) The attackers may attempt to remove the watermark.
(2) The attackers may replicate the watermark in other network flows.

The above attacks may be conducted through the following steps: estimating the watermark parameters, identifying watermark-delayed packets, watermark recovery and duplication. Four configurations of timing-based active watermarking are studied. It is shown that the above attacks are effective on the first two configurations and are effective in some cases for the latter two configurations.

One author of the original timing-based active watermarking papers pointed out that the proposed attack may not implement the full version of the watermarking schemes (otherwise, attacks may be more difficult). On the attack details, he also pointed out that differentiating the normal network delay from the delay caused by watermarking may also be harder than assumed in this work.

Session: Systems (Chair: Helen Wang)

Title: A Safety-Oriented Platform for Web Applications
Authors: Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy
University of Washington, USA, and University of Copenhagen, Denmark
Speaker: Steven D. Gribble (U. Washington)

Modern browsers are de facto operating systems that manage dynamic and potentially malicious applications.
This work reports the design of Tahoma, a browser operating system (BOS), which is a trusted software layer on which Web browsers execute. It has the following properties. First, it runs the client-side component of each Web application in its own virtual machine, thus providing storage isolation between Web services and the user's local resources. Second, it requires Web publishers to limit the scope of their Web applications by specifying which URLs and other resources their browsers are allowed to access, thus limiting the harm that can be caused by a compromised browser. Third, it treats Web applications as first-class objects that users explicitly install and manage, giving them explicit knowledge about and control over downloaded content and code.

Tahoma has been implemented using Linux and the Xen virtual machine monitor. The code will be released but not open-source. It has the following characteristics:

(1) Security property: Evaluation results show that it can prevent up to 87% of the vulnerabilities that have been identified in the widely used Mozilla browser.
(2) Overhead: Tahoma causes a higher latency than native browsers but the difference is not very high. The evaluation of overhead in terms of other resources (e.g., memory, storage) is under investigation.

Title: Tamper-Evident, History-Independent, Subliminal-Free Data Structures on PROM Storage (or, How to store ballots on a voting machine) (short)
Authors: David Molnar, Tadayoshi Kohno, Naveen Sastry and David Wagner
University of California, Berkeley, USA, and University of California, San Diego, USA
Speaker: David Molnar (UC Berkeley)

The paper describes the requirements of a vote storage, which are:

(1) History independence: hiding the order in which the votes are cast to protect the privacy of voters.
(2) Subliminal-free representation: defeating an adversarial voting machine's attempts to mark ballots through the representation of the data structure.
(3) Tamper evidence: preventing addition or deletion of votes after the election.

Their approaches are as follows. Tamper evidence can be achieved by applying Manchester codes and programmable read-only memory (PROM). Manchester encoding: the encoding of an n-bit string x is a 2n-bit codeword M(x) obtained by applying the mapping 0->01 and 1->10 to each bit; we can use the property that if any set of 1 bits in a Manchester codeword are flipped to 0s, the result becomes invalid. This, together with the properties of a PROM, guarantees that changes to any codes written to the PROM can be detected. History independence and a subliminal-free representation can be achieved by any of the following approaches: unary counter (space complexity: O(n)), copy-over list (space complexity: O(n^2)), lexicographic table (space complexity: O(n log^2 n)), and random table (space complexity: O(n)).

The full version of the report: www.cs.berkeley.edu/~dmolnar/papers.pdf

Title: Analysis of the Linux Random Number Generator (LRNG)
Authors: Zvi Gutterman, Benny Pinkas and Tzachy Reinman
Hebrew University, Israel, Haifa University, Israel, and Safend, Israel
Speaker: Zvi Gutterman (Safend and The Hebrew University of Jerusalem)

In LRNG, randomness is generated from the entropy of operating system events. LRNG is part of an open source project, but its source code is poorly documented and patched with hundreds of code patches. It is very hard to understand the algorithm from the existing code. This work reports a clear description and analysis of the LRNG algorithm. An attack is found that can break the forward security of LRNG. Specifically, given a state of LRNG, it is possible to reconstruct previous states with a time complexity of 2^{64} or 2^{96} and a memory overhead of O(1).
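
The tamper-evidence property of Manchester codes described in the PROM ballot-storage summary above (Molnar et al.) can be checked exhaustively for short records. The following Python sketch is an added example, not code from the paper or from Cipher; the function names and the 4-bit record size are assumptions, and the medium is modeled as allowing only 1-to-0 changes after writing, as the summary states.

```python
"""Manchester-coded records on write-once storage: tamper-evidence check.

Added example. Assumption (taken from the summary): once a record has been
written, the only change the medium allows is turning 1 bits into 0 bits.
"""
from itertools import combinations, product

ENCODE = {"0": "01", "1": "10"}
DECODE = {"01": "0", "10": "1"}


def manchester_encode(bits: str) -> str:
    """Map an n-bit string x to the 2n-bit codeword M(x)."""
    if set(bits) - {"0", "1"}:
        raise ValueError("input must be a string of 0s and 1s")
    return "".join(ENCODE[b] for b in bits)


def manchester_decode(codeword: str):
    """Return the decoded bit string, or None if the codeword is invalid."""
    if len(codeword) % 2 or set(codeword) - {"0", "1"}:
        return None
    decoded = []
    for i in range(0, len(codeword), 2):
        bit = DECODE.get(codeword[i:i + 2])
        if bit is None:  # "00" or "11" is never produced by the encoder
            return None
        decoded.append(bit)
    return "".join(decoded)


def clear_bits(word: str, positions) -> str:
    """Model the write-once medium: force the given bit positions to 0."""
    chars = list(word)
    for pos in positions:
        chars[pos] = "0"
    return "".join(chars)


def one_to_zero_tamperings(word: str):
    """Yield every word reachable by clearing a non-empty set of 1 bits."""
    ones = [i for i, c in enumerate(word) if c == "1"]
    for k in range(1, len(ones) + 1):
        for subset in combinations(ones, k):
            yield clear_bits(word, subset)


def undetected_tamperings(n: int, coded: bool) -> int:
    """Count 1->0 modifications of n-bit records that still read as valid.

    coded=True stores M(x); coded=False stores x itself, in which case every
    n-bit string is a valid record and no modification can be noticed.
    """
    undetected = 0
    for bits in product("01", repeat=n):
        record = "".join(bits)
        stored = manchester_encode(record) if coded else record
        for tampered in one_to_zero_tamperings(stored):
            if not coded or manchester_decode(tampered) is not None:
                undetected += 1
    return undetected


if __name__ == "__main__":
    record = "1011"  # constructed sample record, not real ballot data
    stored = manchester_encode(record)
    print("stored codeword:", stored)
    print("after clearing bit 0:", manchester_decode(clear_bits(stored, [0])))
    print("undetected changes, raw storage:", undetected_tamperings(4, False))
    print("undetected changes, Manchester :", undetected_tamperings(4, True))
```

The check covers modification of records already written; it says nothing about history independence or subliminal channels, which the summary attributes to the choice of data structure.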
Some vulnerabilities (in the current code) are identified: denial of service, guessable passwords, and susceptibility to noise created by an adversary. The report is based on the analysis of the Linux kernel labeled version 2.6.10.

Title: The final nail in WEP's Coffin
Authors: Andrea Bittau, Mark Handley and Joshua Lackey
University College London, UK, and Microsoft, USA
Speaker: Andrea Bittau (Univ College London)

(WEP stands for Wired Equivalent Privacy, the 802.11 encryption standard.)

WEP is still widely used, even though more sophisticated encryption protocols exist, since people believe that breaking the keystream in WEP takes a long time and is highly impractical. This work reports the finding of a novel vulnerability in WEP which allows an attacker to send an arbitrary data packet after eavesdropping on a single packet.

The principle behind the attack is that each 802.11 packet starts with two headers (an LLC header followed by SNAP), which occupy the first 8 bytes, and the content of these bytes can be easily derived. By intercepting a packet and knowing the first eight bytes of plaintext (as just mentioned), 8 bytes of the keystream can be calculated, and thus arbitrary 8-byte information can be sent out using the known keystream. IP fragmentation can be exploited for sending larger IP packets. Moreover, after 1500 bytes of keystream are recovered by sending large broadcasts in smaller fragments, transmission of any data of arbitrary length becomes possible. Furthermore, if Internet connectivity is available, it is possible to decrypt traffic in real time. A fully automatic version of this attack is implemented and was demonstrated near the end of the talk. It concludes that WEP must be abandoned rather than patched yet again.

____________________________________________________________________
Book Review
By Robert Bruen
July 12, 2006
____________________________________________________________________

The Governance of Privacy.
Policy Instruments in a Global Perspective
by Bennett, Colin and Charles Raab
MIT Press 2006. ISBN 0-262-52453-8
$30.00 (paperback), index, bibliography, endnotes

Privacy is one of the most important issues in society today. Technology seems to have eroded what little privacy people may have had in the past. For security and privacy specialists, the issue is generally framed using technology concerns using technical terminology. However, privacy has many other dimensions that must be considered, such as philosophical, social, political, legal and economic, among others. The issues are sensitive because individuals are affected when, for example, a secret is revealed which causes harm, such as discrimination. Today, if it is discovered that you or a relative has cancer, you might not be able to get insurance coverage. Information about each person ranges from name, address, national identification number to medical history and financial information. During the past few years theft of databases from colleges, government agencies and businesses has become rampant. Most of the thefts were allowed by technical incompetence. The problem is getting worse, not better, and is unlikely to improve in the near future.

The privacy problem is a complex one that will not be solved by technology alone, thus it is in the interest of technologists to learn about other approaches. Bennett and Raab have put together an excellent work in the political science world. The book is scholarly and well researched, but accessible. One approach is the philosophical one, where debates happen over topics such as whether or not privacy is a natural right. While these discussions are important, they generally do not produce practical results. The political world is where practical results are possible. Governance is more than simply enacting laws; it is building institutions and providing direction, especially important in the international environment of today.
Viewpoints on privacy vary considerably between even the close cultures of Europe and the United States. Whatever differences Americans may see amongst themselves, the situation is far more complex when the whole world is involved.

The Governance of Privacy has three main parts: (1) Policy Goals, (2) Policy Instruments and (3) Policy Impacts. The authors expand the notions of privacy from concerns of the surveillance society and databases, which are mainly legal and technical in nature, to include areas of public policy and social concerns. They also note the competing interests of people who want to be left alone and the legitimate business and governmental interests to know about consumers and citizens.

The global environment leads to different approaches, creating a patchwork in which businesses might flock to the less regulated places, not unlike the banking industry. In America, the federal government has been secretly tracking transactions of individuals, resulting in total loss of privacy. In Switzerland and the Cayman Islands, the banks have been happy to hold your money without sharing information with anyone (more or less). These differences affect where people deposit their money.

This book is an excellent addition to my privacy collection and is highly recommended to technical people for expanding thought on the issues of privacy. My personal and unsolicited take is an economic one: we should all copyright our personal information and get paid whenever someone sells any of it.

____________________________________________________________________

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

7/16/06: Workshop on Cryptography for Ad hoc Networks (WCAN), S. Servolo Island, Venice, Italy, http://www.argreenhouse.com/society/wcan06/wcan06page.html
7/17/06- 7/28/06: Intensive Program on Information and Communication Security, Privacy Technology (IPICS), KU-Leuven, Belgium (info: George.Danezis esat kuleuven be), https://www.cosic.esat.kuleuven.be/ipics2006
7/20/06- 7/23/06: Security Issues in Adaptive Distributed Systems (SIADS), a session at CITSA, Orlando, Florida; peer review, printed proceedings, http://www.ieee-security.org/Calendar/cfps/cfp-SIADS.html
7/27/06- 7/28/06: Conference on Email and Anti-Spam (CEAS), Mountain View, CA; http://www.ceas.cc
7/31/06: Hot Topics in Security (HotSec), Vancouver, B.C., Canada, http://www.usenix.org/hotsec06/cfp
7/31/06- 8/ 4/06: USENIX-Security, Vancouver, BC, Canada; info sec06chair@usenix.org, http://www.usenix.org/sec06/cfpc/
7/31/06- 8/ 1/06: Workshop on Models for Cryptographic Protocols (MCP), Aarhus, Denmark, http://www.daimi.au.dk/~buus/mcp2006/
----------
8/ 1/06: USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), Vancouver, B.C., Canada, http://www.usenix.org/evt06/proga
8/ 1/06- 8/ 4/06: Workshop on Security in Ubiquitous Computing Systems (SecUbiq), Seoul, Korea, http://www.sitacs.uow.au/secubiq06/
8/ 4/06: Workshop on Trusted
Collaboration (TrustCol), Atlanta, Georgia; Submissions are due, http://www.trustcol.org/
8/ 5/06: Deadline for ACM SIGSAC award nominations, http://www.acm.org/sigs/sigsac/awards.html
8/ 6/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA; submissions are due, http://wesii.econinfosec.org/
8/ 7/06- 8/10/06: Conference on Security and Cryptography (SECRYPT), Setubal, Portugal, http://www.secrypt.org/
8/11/06: HotNets - Workshop on Hot Topics in Networks (HotNets), Irvine, California; Submissions are due, http://www.acm.org/sigs/sigcomm/HotNets-V/
8/13/06: Workshop on Advances in Trusted Computing 2006 (WATC), Tokyo, Japan; Submissions are due, http://www.trl.ibm.com/projects/watc/
8/14/06- 8/16/06: Digital Forensic Research Workshop (DFRWS), Lafayette, IN; info dfrws2006 (at) dfrws (dot) org, http://www.dfrws.org
8/15/06- 8/16/06: Foundations of Computer Security (FCS), Seattle, Washington; info: fcs-arspa06 -at- lists.inf.ethz.ch, http://www.inf.ethz.ch/~vigano/fcs-arspa06
8/20/06- 8/23/06: CRYPTO, Santa Barbara, CA, http://www.iacr.org/conferences/crypto2006/
8/21/06- 8/27/06: Symposium on formal methods (FM), Ontario, Canada, http://fm06.mcmaster.ca/
8/21/06- 8/22/06: Thread Verification (TV), Seattle, Washington, http://www.cs.utah.edu/tv06
8/24/06- 8/25/06: NIST Cryptographic Hash Workshop (NIST-CHW2), Santa Barbara, CA, http://www.nist.gov/hash-function
8/26/06- 8/27/06: Workshop on Formal Aspects in Security & Trust (FAST), Hamilton, Ontario, Canada; http://www.iit.cnr.it/FAST2006
8/27/06- 8/29/06: Internet Surveillance and Protection (ICISP); Cote d'Azur, France, http://www.iaria.org/conferences/ICNS06.html
8/28/06- 9/ 1/06: Workshop on the Value of Security through Collaboration (SECOVAL); Baltimore, MD, http://www.securecomm.org
8/30/06- 9/ 2/06: Information Security Conference (ISC), Pythagoras, Greece, http://www.aegean.gr/ISC06
8/31/06:
Handbook-Research-on-Information-Assurance-and-Security; Proposals are due; info: SSHARMA@bsu.edu
----------
9/ 1/06: Workshop on Enterprise Network Security (WENS), Baltimore, MD, http://gipse.cse.nd.edu/WENS06
9/ 3/06- 9/ 8/06: School on Security for Wireless Networking (SWING), Bertinoro, Italy, http://www.dsi.uniroma1.it/~swing06
9/ 8/06: Computer-aided Law and Advanced Technologies track of ACM Symposium on Applied Computing, SAC 2007 (CLAT), Seoul, Korea; Submissions are due; info: lavinia.egidi@mfn.unipmn.it, http://www.clat.unibo.it
9/10/06- 9/16/06: School on Foundations of Security Analysis and Design (FOSAD); Bertinoro, Italy, http://www.sti.uniurb.it/events/fosad06
9/10/06: Conference on Availability, Reliability and Security (AReS), Vienna University of Technology, Austria; Submissions are due; info: tho@ifs.tuwien.ac.at, http://www.ares-conf.org
9/11/06- 9/15/06: Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Baltimore/Washington, USA, http://www.securecomm.org
9/18/06- 9/21/06: New Security Paradigms Workshop (NSPW), Schloss Dagstuhl, Germany, http://www.nspw.org
9/18/06- 9/20/06: Workshop on Elliptic Curve Cryptography (ECC), Toronto, Canada, http://www.ieee-security.org/Calendar/cfps/cfp-ECC2006.html
9/18/06- 9/20/06: European Symposium On Research In Computer Security (ESORICS), Hamburg, Germany, http://www.esorics06.tu-harburg.de/
9/20/06- 9/22/06: Recent Advances in Intrusion Detection (RAID), Hamburg, Germany, http://www.raid06.tu-harburg.de/
9/20/06- 9/21/06: Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), Hamburg, Germany, http://www.crysys.hu/ESAS2006
9/20/06: Workshop on Security and Trust Management (STM), Hamburg, Germany, http://www.hec.unil.ch/STM06
9/25/06- 9/28/06: Cryptology in Vietnam (VIETCRYPT); Hanoi, Vietnam, http://www.vietcrypt.org
9/28/06- 9/29/06: Monitoring, Attack Detection and Mitigation (MonAM), Tuebingen, Germany; info:
sloman@imperial.ac.uk, http://www.diadem-firewall.org/workshop06/
9/28/06- 9/29/06: Secure Knowledge Management Workshop (SKM), Brooklyn, NY, http://www.cs.stonybrook.edu/skm2006
9/25/06- 9/27/06: Workshop on Codes and Lattices in Cryptography (CLC), Darmstadt, Germany, https://clc2006.cdc.informatik.tu-darmstadt.de/
9/29/06-10/ 1/06: Dependable Autonomic and Secure Computing (DASC), Indianapolis, IN, http://www.cs.iupui.edu/DASC06/
9/29/06- 9/30/06: Information and Computer Security (ICS), Timisoara, Romania, http://ics.ieat.ro/
----------
10/ 1/06: Symposium on InformAtion, Computer and Communications Security (ASIACCS), Singapore; Submissions are due, http://asiaccs07.i2r.a-star.edu.sg/
10/ 9/06-10/12/06: Wireless and Sensor Networks Security (WSNS), Vancouver, Canada, http://www.cs.wcupa.edu/~zjiang/wsns06.htm
10/23/06-10/24/06: International Workshop on Security (IWSEC), Kyoto, Japan; info info@iwsec.org, http://www.iwsec.org/
10/23/06-10/24/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA, http://wesii.econinfosec.org/
10/29/06-11/ 3/06: International Conference on Formal Engineering Methods (ICFEM), Macao SAR, China, http://www.iist.unu.edu/icfem06
10/30/06: Workshop on Storage Security and Survivability (StorageSS), http://www.storagess.org/
10/30/05: Security of Ad Hoc and Sensor Networks (SASN), Alexandria, VA; info szhu (at) cse.psu.edu, http://www.cse.psu.edu/~szhu/SASN2006/
----------
11/ 1/06-11/ 3/06: International Symposium on Computer and Information Sciences (ISCIS), Istanbul, Turkey; info iscis06@sabanciuniv.edu, http://fens.sabanciuniv.edu/iscis06/
11/ 1/06-11/ 3/06: Embedded Networked Sensor Systems (SenSys), Boulder, Colorado, http://www.isi.edu/sensys2006/
11/ 3/06: Workshop on Recurring Malcode (WORM), Fairfax, VA, http://www.eecs.umich.edu/~farnam/worm2006.html
11/ 3/06: Visualization for Computer Security (VizSEC), Fairfax, VA, http://www.projects.ncassr.org/sift/vizsec/vizsec06/
11/13/06-11/15/06: Workshop on Hot Topics in Web Systems and Technologies (HotWeb), Boston, MA, http://www.cs.bu.edu/pub/hotweb06
11/17/06-11/20/06: Workshop on Trusted Collaboration (TrustCol), Atlanta, Georgia, http://www.trustcol.org/
11/29/06-11/30/06: HotNets - Workshop on Hot Topics in Networks (HotNets), Irvine, California, http://www.acm.org/sigs/sigcomm/HotNets-V/
11/30/06-12/ 1/06: Workshop on Advances in Trusted Computing 2006 (WATC), Tokyo, Japan, http://www.trl.ibm.com/projects/watc/
----------
12/11/06-12/15/06: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, http://www.acsac.org/2006/cfp_2006.pdf
----------
1/ 3/07- 1/ 6/07: HICSS Highly Trustworthy Computing Mini-Track (HICSS-HTC), Waikoloa, Hawaii; info: irvine@nps.edu, http://cisr.nps.edu/HICSS/
1/ 3/07- 1/ 6/07: HICSS Mini-Track: Secure Software Architecture, Design, Implementation and Assurance (HICSS-SSADIA), Waikoloa, Hawaii, http://www.hicss.hawaii.edu
1/15/07: Security Conference (SecConf), Las Vegas, Nevada; Submissions are due, http://www.security-conference.org
----------
2/ 1/07: High Performance Computing, Networking, and Communication Systems (HPCNCS) in Orlando, FL; Submissions are due, http://www.promoteresearch.org/
2/13/07: Security in Storage Workshop (SISW), San Jose, California; info: jack.cole@ieee.org, http://ieeeia.org/sisw/2007/
----------
3/11/07- 3/15/07: Computer-aided Law and Advanced Technologies track of ACM Symposium on Applied Computing, SAC 2007 (CLAT), Seoul, Korea; info: lavinia.egidi@mfn.unipmn.it, http://www.clat.unibo.it
3/20/07- 3/22/07: Symposium on InformAtion, Computer and Communications Security (ASIACCS), Singapore, http://asiaccs07.i2r.a-star.edu.sg/
----------
4/10/07- 4/13/07: Conference on Availability, Reliability and Security (AReS), Vienna University of Technology, Austria; info: tho@ifs.tuwien.ac.at, http://www.ares-conf.org
4/11/07- 4/12/07: Security Conference (SecConf), Las Vegas,
Nevada, http://www.security-conference.org
7/ 9/07- 7/12/07: High Performance Computing, Networking, and Communication Systems (HPCNCS), Orlando, FL, http://www.promoteresearch.org/

____________________________________________________________________

Journal, Conference and Workshop Calls-for-Papers (new since Cipher E72)
____________________________________________________________________

ICICS 2006 8th International Conference on Information and Communications Security, Raleigh, NC, USA, December 4-7, 2006.
(Submissions due 24 July 2006)
http://discovery.csc.ncsu.edu/ICICS06/

The 2006 International Conference on Information and Communications Security (ICICS '06) will be the eighth event in the ICICS conference series, started in 1997, that brings together researchers and scholars involved in multiple disciplines of Information and Communications Security in order to foster exchange of ideas. ICICS 2006 seeks submissions from academia and industry presenting novel research on all aspects of information and communications security, as well as experimental studies of fielded systems. Topics of interest include, but are not limited to, the following:
- Access Control and Audit
- Anonymity and Pseudonymity
- Authentication
- Automated and Large-Scale Attacks
- Biometrics
- Commercial and Industrial Security
- Data Integrity
- Database security
- Denial of Service
- Distributed Systems Security
- Electronic Privacy
- Information Flow
- Intrusion Detection
- Language-Based Security
- Malicious Code
- Mobile Code and Agent Security
- Network Security
- Peer-to-Peer Security
- Secure Hardware and Smartcards
- Security Protocols
- Security Verification
- Security of Emerging Networks (e.g., Ad-Hoc Networks)

-------------------------------------------------------------------------

SWS 2006 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Fairfax, VA, USA, November 3, 2006.
(Submissions due 25 July 2006)
http://sws06.univ-pau.fr/

Basic security protocols for Web Services, such as XML Security, the WS-* series of proposals, SAML, and XACML are the basic set of building blocks enabling Web Services and the nodes of GRID architectures to interoperate securely. While these building blocks are now firmly in place, a number of challenges are still to be met for Web services and GRID nodes to be fully secured and trusted, providing for secure communications between cross-platform and cross-language Web services. Also, the current trend toward representing Web services orchestration and choreography via advanced business process metadata is fostering a further evolution of current security models and languages, whose key issues include setting and managing security policies, inter-organizational (trusted partner) security issues and the implementation of high level business policies in a Web services environment. The SWS workshop explores these challenges, ranging from the advancement and best practices of building block technologies such as XML and Web services security protocols to higher level issues such as advanced metadata, general security policies, trust establishment, risk management, and service assurance. Topics of interest include, but are not limited to, the following:
- Web services and GRID computing security
- Authentication and authorization
- Frameworks for managing, establishing and assessing inter-organizational trust relationships
- Web services exploitation of Trusted Computing
- Semantics-aware Web service security and Semantic Web
- Secure orchestration of Web services
- Privacy and digital identities support

-------------------------------------------------------------------------

WESII 2006 The Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA, October 23-24, 2006.
(Submissions due 6 August 2006)
http://wesii.econinfosec.org/

Our information infrastructure suffers from decades-old vulnerabilities, from the low-level algorithms that select communications routes to the application-level services on which we are becoming increasingly dependent. Are we investing enough to protect our infrastructure? How can we best overcome the inevitable bootstrapping problems that impede efforts to add security to this infrastructure? Who stands to benefit and who stands to lose as security features are integrated into these basic services? How can technology investment decisions best be presented to policymakers? We invite infrastructure providers, developers, social scientists, computer scientists, legal scholars, security engineers, and especially policymakers to help address these and other related questions. Suggested topics (not intended to be comprehensive):
- The economics of deploying security into: The Domain Name System (DNS), BGP & routing infrastructure, Email & spam prevention, Programming languages, Legacy code bases, User interfaces, and Operating systems
- Measuring the cost of adding security
- Models of deployment penetration
- Empirical studies of deployment
- Measuring/estimating damages
- Code origin authentication
- Establishing roots of trust
- Identity management infrastructure
- Data archival and warehousing infrastructure
- Securing open source code libraries
- Adding security to/over existing APIs
- Liability and legal issues
- Internet politics
- Antitrust Issues
- Privacy Issues

-------------------------------------------------------------------------

WATC 2006 2nd Workshop on Advances in Trusted Computing, Tokyo, Japan, November 30 - December 1, 2006.
(Submissions due 13 August 2006)
http://www.trl.ibm.com/projects/watc/

Modern computer systems in large-scale, decentralized, and heterogeneous environments are now facing diverse threats, such as from viruses and other malware.
Security research seeks to make computers safer and less vulnerable to those IT threats, and thus more dependable. The goal of Trusted Computing is to allow computers and servers to offer improved computer security relative to what is currently available. The workshop solicits technical papers offering research contributions spanning from foundations, theory and tools of trusted computing to up-to-date issues. The workshop proceedings will be available at the workshop and via its website. Papers may present theory, applications, or practical experiences on topics including, but not limited to:
- models and principles for trusted computing
- formal models and verification
- software- or hardware-based approaches
- cryptographic approaches
- remote attestation of trusted devices
- standardization in trusted computing groups
- issues in trusted platform modules
- property-based and semantic attestation
- theory and practice for trusted virtual domains
- privacy and legal issues
- applications and case studies
- compliance and conformance
- trust evaluations of computing systems
- scalability
- applications and use cases
- system and platform architectures
- access control and information flow control
- communications
- virtualization and trusted computing
- trusted client architectures
- integrity-evaluating architectures
- integrity management infrastructures

-------------------------------------------------------------------------

TrustCol 2006 Workshop on Trusted Collaboration, Held in conjunction with the 2nd IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2006), Atlanta, GA, USA, November 17th - 20th, 2006.
http://www.trustcol.org/
(Submissions due 18 August 2006)

The ongoing, rapid developments in information systems technologies and networking have enabled significant opportunities for streamlining decision making processes and maximizing productivity through distributed collaborations that facilitate unprecedented levels of sharing of information and computational resources. Emerging collaborative environments need to provide efficient support for seamless integration of heterogeneous technologies such as mobile devices and infrastructures, web services, grid computing systems, various operating environments, and diverse COTS products. Such heterogeneity introduces, however, significant security and privacy challenges for distributed collaborative applications. Balancing the competing goals of collaboration and security is difficult because interaction in collaborative systems is targeted towards making people, information, and resources available to all who need it whereas information security seeks to ensure the availability, confidentiality, and integrity of these elements while providing it only to those with proper trustworthiness. The key goal of this workshop is to foster active interactions among diverse researchers and practitioners, and generate added momentum towards research in finding viable solutions to the security and privacy challenges faced by the current and future collaborative systems and infrastructures.
Topics of interest include, but are not limited to:
- Access control models and mechanisms for collaboration environments
- Security frameworks and architectures for trusted collaboration
- Privacy control in collaborative environments
- Secure middleware for large scale collaborative infrastructures
- Secure dynamic coalition environments
- Secure workflows for collaborative computing
- Secure interoperation in multidomain collaborative environments
- Security and privacy issues in mobile collaborative applications
- Trust models, trust negotiation/management for collaborative systems
- Policy-based management of collaborative workspace
- Secure distributed multimedia collaboration
- Protection models and mechanisms for peer-to-peer collaborative environments
- Delegation, accountability, and information flow control in collaborative applications
- Intrusion detection, recovery and survivability of collaborative systems/infrastructures
- Security of web services and grid technologies for supporting multidomain collaborative applications
- Semantic web technologies for security collaborative infrastructures

-------------------------------------------------------------------------

SAC-TRECK 2007 22nd Annual ACM Symposium on Applied Computing, Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) Track, Seoul, Korea, March 11 - 15, 2007.
http://www.acm.org/conferences/sac/sac2007/
(Submissions due 8 September 2006)

Computational models of trust and online reputation mechanisms have been gaining momentum. One reason for this is that traditional security mechanisms are challenged by open, large scale and decentralised environments. The use of an explicit trust/reputation management component goes beyond security though. The goal of the ACM SAC 2007 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation.
Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions and virtual organisations. In last year's TRECK, a paper even described how computational trust and reputation could mitigate the privacy issues of trusted computing hardware modules. The TRECK track covers all computational trust applications, especially those used in real-world applications. The topics of interest include, but are not limited to:
- Recommender and reputation systems
- Trust-enhanced collaborative applications
- Trusted computing, trusted platform modules (TPM, TCG, TCPA, NGSCB...)
- Trading privacy for trust and security
- Tangible guarantees given by formal models of trust and risk
- Trust metrics assessment and threat analysis
- Pervasive computational trust and use of context-aware features
- Trust/risk-based security frameworks
- Automated collaboration and trust negotiation
- Trust in peer-to-peer systems
- Technical trust evaluation
- Impacts of social networks on computational trust
- Evidence gathering and management
- Real-world applications, running prototypes and advanced simulations
- Applicability in large-scale, open and decentralised environments
- Legal and economic aspects related to the use of trust engines
- User-studies and user interfaces of computational trust applications

-------------------------------------------------------------------------

ASIACCS 2007 ACM Symposium on InformAtion, Computer and Communications Security, Singapore, March 20-22, 2007.
http://asiaccs07.i2r.a-star.edu.sg/
(Submissions due 1 October 2006)

To build on the success of ACM Conference on Computer and Communications Security (CCS) and ACM Transactions on Information and System Security (TISSEC), the ACM Special Interest Group on Security, Audit, and Control (SIGSAC) formally established the annual ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS) in 2005.
Papers representing original research in both the theory and practice concerning information, computer and communications security are solicited. Topics of interest include, but are not limited to:
- Access control and authorization
- Applied cryptography
- Authentication, biometrics, smartcards
- Data integrity and audit
- Database security
- Digital Rights Management
- Distributed systems security
- E-commerce and mobile e-commerce
- Electronic privacy, anonymity
- Formal verification and testing
- Hardware design
- High speed networks
- Information flow
- Intrusion detection and survivability
- Mobile code and mobile agent security
- P2P & ad hoc networks
- RFID applications
- Security protocols
- Viruses and other malicious codes
- Watermarking and data hiding
- Wireless communications
- Wireless sensor networks

-------------------------------------------------------------------------

ASC 2007 6th Annual Security Conference, Las Vegas, Nevada, USA, April 11-12, 2007.
http://www.security-conference.org
(Submissions due 15 January 2007)

With the development of more complex networking systems and the rapid transition to the e-world, information security has become a real concern for many individuals and organizations. Advanced safeguards are required to protect the information assets of not only large but also small and distributed enterprises. New approaches to information security management, such as policies and certifications, are now being required. The security of strategic corporate information has become the foremost concern of many organizations, and in order to assure this security, methods and techniques must be conceptualized for small enterprises both from a functional and technical viewpoint.
Recommended topics (but not limited to) include:
- E-Commerce security
- Biometrics
- Smart Cards
- Secure small distribution applications
- Security of intelligent tokens
- Methodologies for security of small to medium size enterprises
- Methodologies and techniques for certification and accreditation
- Evaluation of Information Security in companies
- Information security surveys and case studies
- International standards for Information Security Management

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2.
To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________

TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2006 Symposium proceedings and 11-year CD are sold out. The 2005 Symposium proceedings are available for $20 plus shipping and handling. The 2004 proceedings are $15 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.
IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________

TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
oakland06-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2007 General Chair:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year