============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 83                                          March 17, 2008

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * News Briefs
    o A Heart Device Is Found Vulnerable to Hacker Attacks
    o Chinese hackers: No site is safe
    o Electronic gadgets latest sources of computer viruses
 * Commentary and Opinion
    o Richard Austin's review of "Mechanics of User Identification and Authentication: Fundamentals of Identity Management" by Dobromir Todorov
    o Richard Austin's review of The dotCrime Manifesto: How to Stop Internet Crime by Philip Hallam-Baker
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Calendar of Upcoming Submission Deadlines and Events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This is the time of year to remind everyone that this newsletter is
published by the IEEE Technical Committee on Security and Privacy, sponsor of two distinguished computer security events each year.

The Security and Privacy Symposium ("Oakland") is now accepting registration for attendees. The program is varied and exciting --- for example "Compromising Reflections -or- How to Read LCD Monitors Around the Corner". See our www.ieee-security.org website for pointers to all the conference information, including the two workshops. The Web 2.0 Security workshop was such a success last year that it continues on for a second run, and a workshop about digital forensics is new this year.

The Computer Security Foundations Symposium will be held in June in Pittsburgh. Again, watch our web pages for the program and registration information.

The news items that I've selected this month are from mainstream publications in recent weeks. Viruses seem to have continued nearly unabated over the last many years, long-distance hacking is a world-wide hobby, and we continue to learn that no digital device is safe from meddling. These issues, once known only to specialists in the niche of a new field, are now topics for the popular press. They are also going to be part of life as we and our descendants will know it for a very long time to come. Death, taxes, and computer viruses.

Oh, and "bulging capacitors" --- the bane of my life this winter. Google it.

Hold breath, close eyes, click "install",

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
A Heart Device Is Found Vulnerable to Hacker Attacks
By Barnaby J. Feder
New York Times, http://www.nytimes.com/2008/03/12/business/12heart-web.html
March 12, 2008
____________________________________________________________________

The threat seems largely theoretical, but a team of computer security researchers reports that it has been able to gain wireless access to a combination heart defibrillator and pacemaker. Two researchers well-known in the computer security community, Tadayoshi Kohno and Kevin Fu, were part of the research team, and their report is available through http://www.secure-medicine.org

____________________________________________________________________
Chinese hackers: No site is safe
By John Vause, CNN, March 11, 2008
http://www.cnn.com/2008/TECH/03/07/china.hackers/index.html
____________________________________________________________________

There are young Chinese hackers who claim, without proof, to have broken into Pentagon websites and been paid by the Chinese government. Although the presence of hackers young or old anywhere in the world is hardly a surprise, the article claims that the expertise in China is spread among at least 10,000 people.

____________________________________________________________________
Electronic gadgets latest sources of computer viruses
Thu March 13, 2008, AP Press, reported in CNN
http://www.cnn.com/2008/TECH/ptech/03/13/factory.installed.virus.ap/index.html
____________________________________________________________________

That digital picture frame or GPS unit, so attractive and easy to install, may come with the dirty old viruses of the past, according to this article. The corruption may come from media reproduction services overseas, where the equipment and computers may be infected with or without the knowledge

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Reviews By Richard Austin
March 10, 2008
Mechanics of User Identification and Authentication: Fundamentals of Identity Management
by Dobromir Todorov
____________________________________________________________________

Auerbach 2008. ISBN 978-1420052190 amazon.com USD75.40

At over 700 pages, this book is not what one would call light reading, but in its five chapters, it provides an excellent overview of the current state of authentication practices.

The book opens with an introductory chapter on the concepts of user identification and authentication. Of particular interest is the description of the threats (ranging from authentication bypass to social engineering and dumpster diving) that an identification and authentication solution must face and counter.

Not too surprisingly, the following two chapters are devoted to authentication in UNIX and Windows. Coverage is thorough with numerous examples and case studies that put the concepts into practice. Tables and illustrations are common and provide ready reference to capabilities, parameters and usage scenarios.

Chapter 4 is devoted to "Authenticating Access to Services and Applications" and is the longest chapter in the book. Its discussion is well organized and proceeds from security programming interfaces such as the GSS-API, to authentication protocols (NTLM, Kerberos and SASL) to SSL/TLS. It then discusses authentication in the context of common applications such as Telnet and FTP, POP3 and IMAP before moving on to databases such as MS SQL and Oracle. A final section delves into the newer topics of SAML and WS-Security.

Chapter 5 covers how authentication functions in granting access to infrastructure such as routers/switches, remote access, wireless and centralized user authentication using RADIUS and TACACS+.

Unlike many books on such topics, Todorov does not rehash product documentation and RFCs but focuses on how the technologies actually work and are used in practice (including many traffic captures as concrete illustrations) - a good indicator is Appendix B that describes the layout of the lab that he used while writing the book.

The strengths of the book lie in its broad coverage and significant level of detail. It is well organized and allows one to quickly locate and drill down on the particular area of interest. With these advantages, I would see this book as an excellent reference work that belongs on the shelf of any practicing security professional.

____________________________________________________________________
Book Review By Richard Austin
March 10, 2008
The dotCrime Manifesto: How to Stop Internet Crime
by Philip Hallam-Baker
____________________________________________________________________

Addison-Wesley 2008. ISBN 978-0321503589 amazon.com USD21.89 bookpool.com USD19.95

The Internet is a crime-friendly place: SPAM clogs our EMAIL infrastructure, phishing EMAILs seem to arrive every other day or so, viruses and Trojans lurk at every corner to entrap the unwary, and organized crime seems to see the Internet as the successor to the drug trade. It's a pretty depressing picture but one that Hallam-Baker believes can be changed.

The book is divided into four sections that form a logical progression toward Hallam-Baker's vision of taking the Internet back. The first section is entitled "People not Bits" and focuses on the human element of the problem of Internet crime, both perpetrators and victims. Motives are considered to reveal that, like many other crimes, it really is all about the money. The "Hollywood stereotype" of the socially-challenged teenager has been replaced by the skilled criminal whose objective is not "15 minutes of fame" in an Internet chatroom but a steady stream of income. Weaknesses in many countermeasures are traced to a lack of concern for usability and deployment - that bears repeating, in order for our countermeasures to be effective, they must actually be usable by the target population and relatively easy to put into effect.

The second section focuses on "Stopping the Cycle" and begins with a charming analogy of "SPAM Whack-a-Mole" where one SPAM source is shut down to only pop up in another place. The point is made that a significant contributor to the frequency of SPAM is the underlying lack of accountability in the core messaging protocols and the key mantra of "authentication, accreditation and consequences" is introduced as an outline for guiding a solution. SPAM's ugly twin, the phishing EMAIL, is reviewed and found to flourish in the same ground of a lack of accountability. To complete the section, the botnets that play a major role in generating SPAM are examined.
The point is made that many individual "bots" are created with the help of a SPAM/phishing EMAIL that lures the user into executing a malicious attachment or visiting a malicious website for a "drive by download".

The third section, "Tools of the Trade" focuses on some of the tools that will play a part in creating accountability on the Internet. A relatively painless introduction to cryptography is followed by a good discussion of what "trust" is and how it can be established and verified.

The final and longest section, "The Accountable Web", introduces Hallam-Baker's vision of the future and the tools that will help us get there. The section describes a mix of techniques that are available "off the shelf" such as SSL/TLS and others that are under active development (e.g., "Secure Internet Letterhead"). Chapter 14, "Secure Identity" is particularly recommended as a clear and cogent discussion of what "identity" really means and what is required to establish and use one. Other chapters cover secure transport, secure messaging, secure names (identities), secure networks, secure platforms (such as the Trusted Platform Module from the Trusted Computing Group), and law.

The final chapter, "The dotCrime Manifesto", is hopeful in noting that while the issue of Internet crime is both huge and difficult, there are ways to address the underlying problems. Some of the ideas are controversial - for example, the idea of accountability for EMAIL will chill some human rights activists with the thought of a totalitarian regime being able to reliably trace a dissident's messages, but Hallam-Baker provides good advice - accountability should be only sufficient for its intended use. A dissident's EMAIL should have a much lower accountability standard than a physician's EMAIL communicating a patient's diagnosis.

This book will serve a number of audiences, particularly the interested general reader who wants to go beyond the media reports of SPAM incidence, fresh phish, etc.
As Hallam-Baker points out, if we are going to "take a bite out of Internet crime", we have to pay attention to securing the last two feet (the separation between the user and the keyboard) and most of the people on the other side of that last two feet are not security professionals. The book also provides a good overview on accountability for security professionals both to shape the solutions we pursue and provide context for evaluating the roles of different technologies.

-----

Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an itinerant university instructor and security consultant. He welcomes your thoughts and comments at rda7838@kennesaw.edu

====================================================================
Conference and Workshop Announcements
====================================================================

[This month's newsletter does not include the topics from recent calls-for-papers, but they are, as always, up-to-date on our website at http://www.ieee-security.org ]

Notation regarding proceedings:
  NP = No proceedings
  AO = Proceedings are distributed to attendees only
  BP = Only "best papers" will be published
  No notation means that the proceedings will be published for distribution outside the conference.

2/15/08: Smart Card Research and Advanced Application Conference (CARDIS), Surrey, UK; Submissions are due; http://www.scc.rhul.ac.uk/CARDIS/index.html
3/ 4/08- 3/ 7/08: Secure Software Engineering (SecSE), Barcelona, Catalonia; info SecSE08 "replace with at-character" gmail.com, http://www.ares-conference.eu/conf/
3/15/08: IEEE Computer and Communications Network Security Symposium (Globecom), New Orleans, LA; Submissions are due; info: abderrahim.benslimane@univ-avignon.fr; http://www.IEEE-Globecom.org/2008
3/15/08: Security and Multimodality in Pervasive Environments (SMPE), Dublin, Ireland; Submissions are due; info: coronato.a@na.ica.cnr.it; http://www.na.icar.cnr.it/smpe08/
3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; info: Jean-Marc.Seigneur@trustcomp.org http://www.acm.org/conferences/sac/sac2008/
3/17/08: Digital Forensic Research Workshop (DFRWS), Baltimore, MD; Submissions are due; http://www.dfrws.org/2008/
3/17/08: Cyber Security and Information Intelligence Research Workshop (CSIIRW), Oak Ridge, TN; Submissions are due; NP; http://www.ioc.ornl.gov/csiirw
3/17/08: Interdisciplinary Studies in Information Privacy and Security (ISIPS), New Brunswick, New Jersey; Submissions are due; http://www.scils.rutgers.edu/ci/isips/WebPage%20ISIPS%20Practice/index.html
3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan; http://www.rcis.aist.go.jp/asiaccs08/
3/21/08: Workshop in Information Security Theory and Practices (WISTP), Sevilla, Spain; Submissions are due; info: wistp2008sec@xlim.fr; http://wistp2008.xlim.fr/
3/24/08: Security and Privacy for Communication Networks (Securecomm), Istanbul, Turkey; Submissions are due; NP; http://www.securecomm.org
3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA; http://discovery.csc.ncsu.edu/WiSec08/
3/31/08: European Symposium on Research in Computer Security (ESORICS), Malaga, Spain; Submissions are due; http://www.isac.uma.es/esorics08
4/ 4/08: Recent Advances in Intrusion Detection (RAID), Cambridge, MA; Submissions are due; info: rkc@ll.mit.edu; http://www.ll.mit.edu/IST/RAID2008/
4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK; http://async.org.uk/async2008/
4/11/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA; Submissions are due; http://www.nspw.org
4/14/08: Usability, Psychology, and Security (UPSEC), San Francisco, CA; info: upsec08chairs@usenix.org, http://www.usenix.org/upsec08/cfp
4/14/08: Conference on Embedded Networked Sensor Systems (SenSys), Raleigh, NC; Submissions are due; http://sensys.acm.org/2008/
4/18/08: Workshop on Security (IWSEC), Kagawa, Japan; Submissions are due http://www.iwsec.org
4/21/08: IFIP International Workshop on Network and System Security (NSS), Shanghai, China; Submissions are due; info: wanlei@deakin.edu.au; http://nss.cqu.edu.au
4/25/08: International Conference on Network Protocols (ICNP), Orlando, Florida; Submissions are due; proceedings to attendees only (AO); info: icnp2008@cs.purdue.edu, http://www.cs.purdue.edu/homes/fahmy/icnp2008/
4/25/08: Advances in Computer Security and Forensics (ACSF), Liverpool, UK; Submissions are due; info: J.Haggerty@ljmu.ac.uk; AO; http://www.cms.livjm.ac.uk/acsf3/
4/30/08: Digital Forensics and Incident Analysis (WDFIA), Malaga, Spain; Submissions are due; info: wdfia08@aegean.gr; http://www.aegean.gr/wdfia08
4/30/08: Workshop on Aliasing, Confinement and Ownership (IWACO) Paphos, Cyprus; Submissions are due; info: mueller@microsoft.com; BP; (see the ieee-security.org website calendar for more info)
4/30/08: Conference on Risks and Security of Internet and Systems (CRiSIS), Tozeur, Tunisia; Submissions are due; NP; http://www.redcad.org/crisis2008/
5/ 9/08: Workshop on Artificial Intelligence for Security (AISec), Alexandria, VA; Submissions are due; http://www.aisec.info
5/12/08- 5/14/08: Cyber Security and Information Intelligence Research Workshop (CSIIRW), Oak Ridge, TN; NP, http://www.ioc.ornl.gov/csiirw
5/12/08: Interdisciplinary Studies in Information Privacy and Security (ISIPS), New Brunswick, New Jersey; http://www.scils.rutgers.edu/ci/isips/WebPage%20ISIPS%20Practice/index.html
5/13/08- 5/16/08: Workshop in Information Security Theory and Practices (WISTP), Sevilla, Spain; info: wistp2008sec@xlim.fr http://wistp2008.xlim.fr/
5/16/08: Workshop on Security and Privacy in Wireless and Mobile Computing, Networking and Communications (SecPri_WiMob), Avignon, France; Submissions are due; http://www.aegean.gr/SecPri_WiMob_2008
5/18/08- 5/21/08: Symposium on Security and Privacy (IEEE S&P), Berkeley/Oakland, CA; info: oakland08-generalchair @ ieee-security.org, http://www.ieee-security.org/TC/SP2008/oakland08-cfp.html
5/18/08: Asia-Pacific Trusted Infrastructure Technologies Conference (APTC), Yangtze River Cruiser, China; Submissions are due; http://grid.hust.edu.cn/aptc08/
5/22/08: Systematic Approaches to Digital Forensic Engineering (SADFE), Oakland, CA; info: yasinac@cs.fsu.edu, http://conf.ncku.edu.tw/sadfe/sadfe08/
5/22/08: Workshop on Web 2.0 Security (W2SP), Oakland, CA; http://www.ieee-security.org/TC/SP2008/oakland08.html
5/23/08: Workshop on Digital Identity Management (DIM), Fairfax, VA; info: ccs2008-dim_at_lab.ntt.co.jp; Submissions are due; NP; http://www2.pflab.ecl.ntt.co.jp/dim2008
5/25/08- 5/28/08: Service, Security and its Data management technologies in Ubi-comp (SSDU), Kunming, China; http://grid.hust.edu.cn/gpc2008/
6/ 3/08- 6/ 6/08: Applied Cryptography and Network Security (ACNS), Columbia University, New York City, NY; http://acns2008.cs.columbia.edu/
6/ 3/08- 6/ 6/08: Workshop on Security and High Performance Computing Systems (SHPCS), Nicosia, Cyprus; proceedings to attendees only (AO); info: guha@eecs.ucf.edu; http://www.diiga.univpm.it/~spalazzi/nicosia/
6/ 3/08- 6/ 4/08: Applications of Pairing-Based Cryptography: IBE and Beyond (NIST-IBE), Gaithersburg, MD; info: ibe@nist.gov; http://csrc.nist.gov/groups/ST/IBE/index.html
6/ 4/08- 6/ 5/08: Symposium on Information Assurance (IASymp), Albany, NY; AO, http://www.albany.edu/iasymposium
6/20/08: Workshop on Wireless Security and Privacy (WISP), Beijing, China; info: zjiang@wcupa.edu; http://www.ieee.org/portal/pages/pubs/transactions/stylesheets.html
6/22/08- 6/27/08: USENIX Annual Technical Conference (USENIX), Boston MA; info: conference@usenix.org; http://www.usenix.org/events/usenix08/
6/23/08- 6/25/08: Computer Security Foundations Symposium (CSF), Pittsburgh, PA; http://www.cylab.cmu.edu/CSF2008/
6/25/08- 6/27/08: Workshop on the Economics of Information Security (WEIS), Hanover, New Hampshire; proceedings to attendees only (AO), http://weis2008.econinfosec.org
7/ 7/08: (or 7/8/08) IWACO, Paphos, Cyprus; info: mueller@microsoft.com; BP
7/ 8/08- 7/18/08: Human Aspects of Information Security & Assurance (HAISA), Plymouth, UK; info: info@haisa.org; http://www.haisa.org
7/10/08- 7/11/08: Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Paris, France; http://www.dimva.org/dimva2008/
7/10/08- 7/11/08: Advances in Computer Security and Forensics (ACSF), Liverpool, UK; info: J.Haggerty@ljmu.ac.uk; AO, http://www.cms.livjm.ac.uk/acsf3/
7/14/08- 7/16/08: Australasian Conference on Information Security and Privacy (ACISP), Wollongong, Australia; http://www.uow.edu.au/conferences
7/21/08- 7/25/08: Security and Multimodality in Pervasive Environments (SMPE), Dublin, Ireland; info: coronato.a@na.ica.cnr.it; http://www.na.icar.cnr.it/smpe08/
7/23/08- 7/25/08: Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/
7/28/08- 8/ 1/08: USENIX Security Symposium (USENIXSec), San Jose, CA; info: sec08chair@usenix.org; http://www.usenix.org/sec08/cfpa/
8/11/08- 8/13/08: Digital Forensic Research Workshop (DFRWS), Baltimore, MD; http://www.dfrws.org/2008/
9/ 8/08- 9/10/08: Information Security Conference (SEC), Milan, Italy; http://sec2008.dti.unimi.it
9/ 8/08- 9/11/08: Smart Card Research and Advanced Application Conference (CARDIS), Surrey, UK; http://www.scc.rhul.ac.uk/CARDIS/index.html
9/15/08- 9/17/08: Recent Advances in Intrusion Detection (RAID), Cambridge, MA; info: rkc@ll.mit.edu; http://www.ll.mit.edu/IST/RAID2008/
9/22/08- 9/25/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA; http://www.nspw.org
9/22/08- 9/25/08: Security and Privacy for Communication Networks (Securecomm), Istanbul, Turkey; NP, http://www.securecomm.org
10/ 6/08-10/ 8/08: European Symposium on Research in Computer Security (ESORICS), Malaga, Spain; http://www.isac.uma.es/esorics08
10/ 9/08: Digital Forensics and Incident Analysis (WDFIA), Malaga, Spain; info: wdfia08@aegean.gr; http://www.aegean.gr/wdfia08
10/12/08: Workshop on Security and Privacy in Wireless and Mobile Computing, Networking and Communications (SecPri_WiMob), Avignon, France; http://www.aegean.gr/SecPri_WiMob_2008
10/14/08-10/17/08: Asia-Pacific Trusted Infrastructure Technologies Conference (APTC), Yangtze River Cruiser, China; http://grid.hust.edu.cn/aptc08/
10/18/08-10/19/08: IFIP International Workshop on Network and System Security (NSS), Shanghai, China; info: wanlei@deakin.edu.au; http://nss.cqu.edu.au
10/19/08-10/22/08: International Conference on Network Protocols (ICNP), Orlando, Florida; proceedings to attendees only (AO); info: icnp2008@cs.purdue.edu; http://www.cs.purdue.edu/homes/fahmy/icnp2008/
10/27/08: Workshop on Artificial Intelligence for Security (AISec), Alexandria, VA; http://www.aisec.info
10/28/08-10/30/08: Conference on Risks and Security of Internet and Systems (CRiSIS), Tozeur, Tunisia; NP, http://www.redcad.org/crisis2008/
10/31/08: NIST SHA3 Hash Function Competition (NIST-SHA3), info: bstein@nist.gov; Submissions are due; http://www.nist.gov/hash-competition
10/31/08: Workshop on Digital Identity Management (DIM), Fairfax, VA; info: ccs2008-dim_at_lab.ntt.co.jp; NP, http://www2.pflab.ecl.ntt.co.jp/dim2008
11/ 5/08-11/ 7/08: Conference on Embedded Networked Sensor Systems (SenSys), Raleigh, NC; http://sensys.acm.org/2008/
11/25/08-11/27/08: Workshop on Security (IWSEC), Kagawa, Japan, http://www.iwsec.org
11/30/08-12/ 4/08: IEEE Computer and Communications Network Security Symposium (Globecom), New Orleans, LA; http://www.IEEE-Globecom.org/2008 info: abderrahim.benslimane@univ-avignon.fr

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28 year CD is $20.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.

  Terry Benzel
  Treasurer, IEEE Security and Privacy
  USC Information Sciences Institute
  4676 Admiralty Way
  Marina Del Rey, CA 90292
  (310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

  Jonathan Herzog
  Department of Computer Science
  Naval Postgraduate School
  1 University Circle
  Monterey, CA 93943
  jcherzog@nps.edu

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey CA 93943-5118
  (831) 656-2461 (voice)
  irvine@nps.edu

Security and Privacy Chair Emeritus:
  Deborah Shands
  The Aerospace Corporation
  El Segundo, CA
  oakland07-chair@ieee-security.org

Vice Chair:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Salem, UT 84653
  hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department, Code CS/IC
  Monterey CA 93943-5118
  (831) 656-2461 (voice)
  irvine@nps.edu

Treasurer:
  Terry Benzel
  USC Information Sciences Intnl
  4676 Admiralty Way, Suite 1001
  Los Angeles, CA 90292
  (310) 822-1511 (voice)
  tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
  Jonathan Millen
  The MITRE Corporation, Mail Stop S119
  202 Burlington Road Rte. 62
  Bedford, MA 01730-1420
  781-271-51 (voice)
  jmillen@mitre.org

Security and Privacy Symposium 2008 General Chair:
  Yong Guan
  Iowa State University
  oakland08-chair@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  cipher-editor@ieee-security.org

________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year