Cipher Issue 86, September 2008, Editor's Letter

Dear Readers,

Ross Anderson's 2nd edition of his broad-spectrum book, "Security Engineering," is the subject of Richard Austin's book review this month. Judging from the massive cases of identity theft resulting from unsecured networks, more people should have read the first edition. NIST is doing its part by releasing new standards for security functions such as HMAC and digital signature randomized hashing, but one gets the feeling that carpenters are hand-hewing new barn doors as many generations of horses are running rampant through the gaping structure.

Though we do not have a news story about the security of the Domain Naming System (DNS) this month, it is the subject of great scrutiny by the experts (see, for example, "Huge Internet Security Hole Slowly Being Fixed"). This is an interesting example of the old maxim that "security design cannot be an add-on". I do not believe that is true more than half the time, but for DNS, there is no question about the difficulty. DNS is a simple concept that has become complicated in practice. Despite 15 years of attempts to add security, it remains an elusive goal, always just about done, just on the horizon. Hierarchical object caching turns out to be a tough nut to crack, security-wise.

Please take note of the submission deadline for the 2009 Security and Privacy Symposium, one of the two prestigious conferences sponsored by our IEEE Technical Committee.

  Try identity shuffling, trade names with the person next to you,
    Hilarie Orman
    Cipher Editor