============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 93                                   November 17, 2009

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Yong Guan                                Book Review Editor
Calendar Editor                          cipher-bookrev @ ieee-security.org
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of Cloud Security and Privacy: An Enterprise
    Perspective on Risks and Compliance by Tim Mather, Subra Kumaraswamy
    and Shahed Latif
  o NIST releases Special Publications on Pairwise Key Establishment and
    Timeliness of Digital Signatures
  o TLS Allows Man-in-the-Middle Attacks
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Calendar of Events
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Plans for the gala celebration of the 30th anniversary of the Security and
Privacy Symposium ("Oakland") are underway, and the evening of Monday,
May 17, 2010 will be a night to remember. The events committee will be
sending invitations to as many of our valued contributors as we can locate
from the past 3 decades, but we are looking forward to seeing all our old
and young friends from the security community. Watch Cipher pages and the
ieee-security.org website for news announcements and registration
information.

If you are reading this on November 18, then you have only a few hours to
submit a technical paper for consideration in the conference technical
sessions. The workshop deadline was earlier than usual this year, and three
have been accepted. The excellent technical sessions will include "systems"
papers, which are overviews of technical approaches, and the proceedings
and Monday night dinner will have various retrospectives on the security
research field.

None of this is meant to detract from the other symposium in the Technical
Committee's quiver, the Computer Security Foundations Symposium, July
17-19, 2010. Next year the conference will be part of the Federated Logic
Conference (FLOC) in Edinburgh. The Program Chairs are Michael Backes of
Saarland University, and Andrew C. Myers, Cornell University.

Medical information is an area in need of creative and practical security
solutions, but I was surprised by a recent article in the New York Times
indicating that it was impossible to correlate electronic records with any
measurable benefit to patients. There is no improvement in outcome, no cost
reduction. Is it reasonable to ask people to accept more privacy risks in
exchange for no benefit? What are the actual economics behind privacy?
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
November 11, 2009
____________________________________________________________________

Cloud Security and Privacy: An Enterprise Perspective on Risks and
Compliance
by Tim Mather, Subra Kumaraswamy and Shahed Latif
O'Reilly 2009.
ISBN: 978-0-596-80275-9
Amazon.com USD 31.49

Unless you've been living under the proverbial rock with no sort of network
access, you will have heard some of the buzz regarding cloud computing.
Whether it's solving the problem of a greener data center, improved
flexibility in the face of wildly varying workloads or just the classic
conundrum of being tasked with doing more with less, cloud computing is
being touted as the latest answer to all of IT's ills. However, amidst the
hype, there is an increasing chorus of voices asking the unpleasant
questions about security, compliance and risk management. Some cloud
aficionados see those concerns as sort of an evolutionary appendix held
over from the previous generations of IT solutions, but as this book so
amply illustrates, many of the old problems survive the translation into
the cloud relatively unscathed.

The authors are an interesting selection - a former CISO, a security access
lead for a major vendor and an audit professional. They present a realistic
and well-rounded perspective on the challenges of getting cloud computing
right.

The book is organized into 12 chapters and three appendices. The first
chapter provides a history of how cloud computing has evolved and sets the
stage for the definitions that follow in chapter 2. The definitions for the
delivery models (SaaS, PaaS and IaaS)* and the deployment models (private,
public and hybrid) establish a firm basis for the discussion to follow as
well as giving a firm basis to the rather over-hyped definitions that
litter the trade press.

Chapters 3 through 8 each consider an important security domain
(infrastructure, data and storage, identity and access management, etc.)
in the context of cloud computing and provide solid guidance on what
changes (sometimes significantly) and, just as importantly, what remains
the same. Each chapter opens with an overview of the domain to establish
just exactly which piece of the security puzzle they intend to tackle and
then considers that domain in the context of each of the delivery and
deployment models. The authors are not shy and do not hesitate to identify
where the cloud model has shortcomings in its current state. For example,
in Chapter 6, "Data and Storage Security", after careful consideration,
they advise that "Currently, the only viable option for mitigation is to
ensure that any sensitive or regulated data is not put into a public
cloud".

Chapter 9, "Examples of Cloud Service Providers", gives an overview of the
types of cloud services that are currently available (either for purchase
or in beta). Chapter 10, "Security-As-a-[Cloud]Service", considers what
security-relevant services (ranging from anti-malware to content filtering
and vulnerability management) might be migrated into the cloud paradigm.
The next chapter, "The Impact of Cloud Computing on the Role of Corporate
IT", is a welcome look at just what effect cloud computing might have on
the IT organization itself (whether in budget, responsibility or
compliance). The final chapter provides an overall summary and looks to the
future of cloud computing while identifying areas where the cloud paradigm
will need to mature before it can fully realize its potential.

The three appendices are really offered out of order. It would be better
to read appendix C, "Open Security Architecture for Cloud Computing", to
see why audit is such an important requirement for establishing trust in a
cloud environment before looking at the example SAS-70 (appendix A) and
SysTrust (appendix B) audit reports.

This is a welcome book that takes a balanced look at the security and
privacy issues in cloud computing. The authors have no visible axe to grind
and focus their attention on WHERE cloud services should best be used and
HOW they may be used wisely rather than the polemics for or against cloud
computing in general. The authors are careful to provide definitions and
develop concepts as they go along so the book can be profitably read by
those with little previous knowledge or exposure to cloud concepts.
Definitely a "must read" on a technology that will likely be appearing in
an organization near you, soon.

* SaaS = Software as a Service
  PaaS = Platform as a Service
  IaaS = Infrastructure as a Service

------------------------
Before beginning life as an itinerant university instructor and security
consultant, Richard Austin was the storage network security architect for a
Fortune 25 company. He welcomes your thoughts and comments at
rausti19 at Kennesaw dot edu

====================================================================
News Briefs
====================================================================

--------------------------------------------------------------------
Sara Caswell of NIST
October 5, 2009, NIST bulletin
--------------------------------------------------------------------

NIST announces the completion of two NIST Special Publications (SPs):
SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using
Integer Factorization Cryptography, and SP 800-102, Recommendation for
Digital Signature Timeliness. Both publications are available at
http://csrc.nist.gov/publications/PubsSPs.html.

---------------------------------
SP 800-56B provides specifications of key establishment schemes that are
appropriate for use by the U.S. Federal Government, based on a standard
developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.44,
Key Establishment using Integer Factorization Cryptography. A key
establishment scheme can be characterized as either a key agreement scheme
or a key transport scheme. This Recommendation provides asymmetric-based
key agreement and key transport schemes that are based on the Rivest
Shamir Adleman (RSA) algorithm.

---------------------------------
SP 800-102 is intended to address the timeliness of the digital signatures
generated using the techniques specified in Federal Information Processing
Standard (FIPS) 186-3. Establishing the time when a digital signature was
generated is often a critical consideration. A signed message that includes
the (purported) signing time provides no assurance that the private key was
used to sign the message at that time unless the accuracy of the time can
be trusted. SP 800-102 provides methods of obtaining assurance of the time
of digital signature generation using a timestamp authority that is trusted
by both the signatory and the verifier.
____________________________________________________________________
November 4, 2009
TLS Allows Man-in-the-Middle Attacks
Marsh Ray and Steve Dispensa
Reported by Hilarie Orman
____________________________________________________________________

The cryptographic protocol TLS (Transport Layer Security) began life as a
formally verified protocol called SSL. Over the years it was the subject of
standardization by the IETF, and it evolved. Today it is widely used for
authenticating and encrypting HTTP transactions. Thus, it is a matter of
some significance that there are practical attacks that allow a
man-in-the-middle to inject arbitrary plaintext into the protocol stream.

The weakness resulted from protocol changes that allow a cryptographic
context and an associated request to be re-used. The client sends a
request, the server decides to renegotiate, the man-in-the-middle modifies
the server's response, and the client mindlessly sends information from the
server and the man-in-the-middle as if it were from the client. The result
is that the server sees the man-in-the-middle's information as authentic,
and it ignores the request that the client intended.

The descent from "secure verified design" to "broken in practice" is an
ongoing saga for many protocols. Error handling methods have rendered even
the best cryptography insecure, but in this case, it was a misguided
attempt to streamline cryptographic negotiations that led to the problem.
See http://extendedsubset.com/?p=8 for details.
---------------------------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

11/18/09: S&P, 31st IEEE Symposium on Security and Privacy, The Claremont
          Resort, Oakland/Berkeley, CA, USA;
          http://oakland10.cs.virginia.edu/cfp.html; Submissions are due
11/18/09-11/20/09: IWNS, International Workshop on Network Steganography,
          Held in conjunction with the International Conference on
          Multimedia Information Networking and Security (MINES 2009),
          Wuhan, Hubei, China; http://stegano.net/workshop
11/18/09-11/20/09: SECMCS, Workshop on Secure Multimedia Communication and
          Services, Held in conjunction with the 2009 International
          Conference on Multimedia Information Networking and Security
          (MINES 2009), Wuhan, China;
          http://liss.whu.edu.cn/mines2009/SECMCS.htm
11/20/09: WISTP, 4th Workshop on Information Security Theory and Practice,
          Passau, Germany; http://www.wistp.org/; Submissions are due
11/22/09: IDtrust, 9th Symposium on Identity and Trust on the Internet,
          Gaithersburg, Maryland, USA;
          http://middleware.internet2.edu/idtrust/2010/; Submissions are due
11/30/09: MidSec, 2nd Workshop on Middleware Security, Held in conjunction
          with the 10th ACM/IFIP/USENIX International Middleware Conference
          (MIDDLEWARE 2009), Urbana Champaign, Illinois, USA;
          http://www.cs.kuleuven.be/conference/MidSec2009/
12/ 6/09: COSADE, 1st Workshop on Constructive Side-channel analysis and
          Secure Design, Darmstadt, Germany; http://cosade2010.cased.de/;
          Submissions are due
12/ 6/09-12/ 9/09: WIFS, 1st IEEE International Workshop on Information
          Forensics and Security, London, UK; http://www.wifs09.org
12/ 6/09-12/10/09: ASIACRYPT, 15th Annual International Conference on the
          Theory and Application of Cryptology and Information Security,
          Tokyo, Japan; http://asiacrypt2009.cipher.risk.tsukuba.ac.jp
12/ 7/09-12/11/09: ACSAC, 25th Annual Computer Security Applications
          Conference, Honolulu, Hawaii, USA; http://www.acsac.org
12/ 8/09-12/11/09: ICPADS, 15th IEEE International Conference on Parallel
          and Distributed Systems, Shenzhen, China;
          http://www.comp.polyu.edu.hk/conference/icpads09/
12/ 9/09-12/11/09: ReConFig, International Conference on ReConFigurable
          Computing and FPGAs, Special Track on Reconfigurable Computing
          for Security and Cryptography, Cancun, Mexico;
          http://www.reconfig.org
12/10/09-12/12/09: F2GC, 2nd International Workshop on Forensics for Future
          Generation Communication environments, Jeju, Korea;
          http://www.ftrg.org/F2GC2009/
12/10/09-12/12/09: MPIS, 2nd International Workshop on Multimedia,
          Information Privacy and Intelligent Computing Systems, Jeju,
          Korea; http://www.ftrg.org/MPIS2009/
12/12/09-12/14/09: CANS, 8th International Conference on Cryptography and
          Network Security, Kanazawa, Ishikawa, Japan;
          http://www.rcis.aist.go.jp/cans2009/
12/12/09-12/14/09: UbiSafe, 2nd IEEE International Symposium on Ubisafe
          Computing, Chengdu, China; http://cs.okstate.edu/ubisafe09/
12/12/09-12/14/09: SCC, Workshop on Security in Cloud Computing, Chengdu,
          Sichuan, China; http://bingweb.binghamton.edu/~ychen/SCC09.htm
12/12/09-12/15/09: Inscrypt, 5th China International Conference on
          Information Security and Cryptology, Beijing, China;
          http://www.inscrypt.cn/
12/14/09: TaPP, 2nd Workshop on the Theory and Practice of Provenance, Held
          in conjunction with the 8th USENIX Conference on File and Storage
          Technologies (FAST 2010), San Jose, CA, USA;
          http://www.usenix.org/events/tapp10/cfp/; Submissions are due
12/14/09-12/18/09: ICISS, 5th International Conference on Information
          Systems Security, Kolkata, India; http://www.eecs.umich.edu/iciss09/
12/17/09-12/19/09: INTRUST, The International Conference on Trusted
          Systems, Beijing, P. R. China; http://www.tcgchina.org
12/19/09: IFIP-TM, 4th IFIP International Conference on Trust Management,
          Morioka, Japan; http://www.ifip-tm2010.org/; Submissions are due
12/31/09: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on
          Critical Infrastructure Protection, Fort McNair, Washington, DC,
          USA; http://www.ifip1110.org; Submissions are due
 1/ 3/10- 1/ 6/10: IFIP-DF, 6th Annual IFIP WG 11.9 International
          Conference on Digital Forensics, University of Hong Kong, Hong
          Kong; http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf
 1/ 5/10- 1/ 8/10: HICSS-DF, 43rd Hawaii International Conference on System
          Sciences, Digital Forensics Minitrack, Koloa, Kauai, Hawaii;
          http://www.hicss.hawaii.edu/hicss_43/apahome43.html
 1/ 8/10: SACMAT, 15th ACM Symposium on Access Control Models and
          Technologies, Pittsburgh, PA, USA; http://www.sacmat.org;
          Submissions are due
 1/10/10: AH, 1st ACM Augmented Human International Conference, Megève ski
          resort, France; http://www.augmented-human.com/; Submissions are due
 1/11/10: MOBISEC, 2nd International ICST Conference on Security and
          Privacy in Mobile Information and Communication Systems, Catania,
          Sicily; http://mobisec.org/; Submissions are due
 1/25/10- 1/28/10: FC, Financial Cryptography and Data Security, Tenerife,
          Canary Islands, Spain; http://fc10.ifca.ai/
 1/28/10- 1/29/10: WECSR, Workshop on Ethics in Computer Security Research,
          Held in conjunction with the 14th International Conference on
          Financial Cryptography and Data Security (FC 2010), Tenerife,
          Canary Islands, Spain; http://www.cs.stevens.edu/~spock/wecsr2010/
 2/ 1/10: International Journal of Secure Software Engineering (IJSSE),
          Special Issue on Software Safety & Dependability - the Art of
          Engineering Trustworthy Software;
          http://www.igi-global.com/journals/details.asp?id=34297;
          Submissions are due
 2/ 3/10- 2/ 4/10: ESSoS, 2nd International Symposium on Engineering Secure
          Software and Systems, Pisa, Italy;
          http://distrinet.cs.kuleuven.be/events/essos2010
 2/ 4/10- 2/ 5/10: COSADE, 1st Workshop on Constructive Side-channel
          analysis and Secure Design, Darmstadt, Germany;
          http://cosade2010.cased.de/
 2/ 5/10: ACNS, 8th International Conference on Applied Cryptography and
          Network Security, Beijing, China; http://www.tcgchina.org/acns2010/;
          Submissions are due
 2/15/10- 2/18/10: SecSE, 4th International Workshop on Secure Software
          Engineering, Held in conjunction with the 5th International
          Conference on Availability, Reliability and Security (ARES 2010),
          Krakow, Poland; http://www.sintef.org/secse
 2/15/10- 2/18/10: SPattern, 4th International Workshop on Secure systems
          methodologies using patterns, Held in conjunction with the 5th
          International Conference on Availability, Reliability and
          Security (ARES 2010), Krakow, Poland;
          http://www-ifs.uni-regensburg.de/spattern10/
 2/17/10- 2/19/10: SNDS, 18th Euromicro International Conference on
          Parallel, Distributed and network-based Processing, Special
          Session on Security in Networked and Distributed Systems, Pisa,
          Italy; http://www.comsec.spb.ru/SNDS10/
 2/22/10: WEIS, 9th Workshop on the Economics of Information Security,
          Harvard University, Cambridge, MA, USA;
          http://weis2010.econinfosec.org/cfp.html; Submissions are due
 2/22/10- 2/23/10: RFIDsec, The 2010 Workshop on RFID Security, Singapore;
          http://rfidsec2010.i2r.a-star.edu.sg/
 2/22/10: TaPP, 2nd Workshop on the Theory and Practice of Provenance, Held
          in conjunction with the 8th USENIX Conference on File and Storage
          Technologies (FAST 2010), San Jose, CA, USA;
          http://www.usenix.org/events/tapp10/cfp/
 2/25/10: LEET, 3rd USENIX Workshop on Large-Scale Exploits and Emergent
          Threats: Botnets, Spyware, Worms, and More, Held in conjunction
          with the 7th USENIX Symposium on Networked Systems Design and
          Implementation (NSDI 2010), San Jose, CA, USA;
          http://www.usenix.org/events/leet10/cfp/; Submissions are due
 2/28/10- 3/ 3/10: NDSS, 17th Annual Network & Distributed System Security
          Symposium, San Diego, CA, USA;
          http://www.isoc.org/isoc/conferences/ndss/10/cfp.shtml
 3/ 5/10: SOUPS, Symposium On Usable Privacy and Security, Redmond, WA,
          USA; http://cups.cs.cmu.edu/SOUPS/; Submissions are due
 3/14/10- 3/17/10: IFIP-CIP, 4th Annual IFIP WG 11.10 International
          Conference on Critical Infrastructure Protection, Fort McNair,
          Washington, DC, USA; http://www.ifip1110.org
 3/22/10- 3/24/10: WiSec, 3rd ACM Conference on Wireless Network Security,
          Stevens Institute of Technology, Hoboken, NJ, USA;
          http://www.sigsac.org/wisec/WiSec2010
 3/22/10- 3/26/10: SAC-CF, 25th ACM Symposium on Applied Computing,
          Computer Forensics Track, Sierre, Switzerland;
          http://comp.uark.edu/~bpanda/sac2010cfp.pdf
 3/22/10- 3/26/10: SAC-TRECK, 25th ACM Symposium on Applied Computing,
          Trust, Reputation, Evidence and other Collaboration Know-how
          Track, Sierre, Switzerland; http://www.trustcomp.org/treck/
 3/22/10- 3/26/10: SAC-ISRA, 25th ACM Symposium on Applied Computing,
          Information Security Research and Applications Track, Sierre,
          Switzerland; http://www.albany.edu/~er945/CfP_SAC2010_ISRA.html
 3/22/10- 3/26/10: SAC-SEC, 25th ACM Symposium on Applied Computing,
          Computer Security Track, Sierre, Switzerland;
          http://www.dmi.unict.it/~giamp/sac/10cfp.html
 3/29/10- 4/ 2/10: SESOC, International Workshop on SECurity and SOCial
          Networking, Mannheim, Germany; http://www.sesoc.org
 4/ 1/10: ESORICS, 15th European Symposium on Research in Computer
          Security, Athens, Greece; http://www.esorics2010.org;
          Submissions are due
 4/ 2/10- 4/ 4/10: AH, 1st ACM Augmented Human International Conference,
          Megève ski resort, France; http://www.augmented-human.com/
 4/ 5/10: SECURECOMM, 6th International Conference on Security and Privacy
          in Communication Networks, Singapore; http://www.securecomm.org/;
          Submissions are due
 4/13/10- 4/14/10: WISTP, 4th Workshop on Information Security Theory and
          Practice, Passau, Germany; http://www.wistp.org/
 4/13/10- 4/15/10: IDtrust, 9th Symposium on Identity and Trust on the
          Internet, Gaithersburg, Maryland, USA;
          http://middleware.internet2.edu/idtrust/2010/
 4/13/10- 4/16/10: ASIACCS, 5th ACM Symposium on Information, Computer and
          Communications Security, Beijing, China;
          http://www.dacas.cn/asiaccs2010
 4/27/10: LEET, 3rd USENIX Workshop on Large-Scale Exploits and Emergent
          Threats: Botnets, Spyware, Worms, and More, Held in conjunction
          with the 7th USENIX Symposium on Networked Systems Design and
          Implementation (NSDI 2010), San Jose, CA, USA;
          http://www.usenix.org/events/leet10/cfp/
 5/16/10- 5/19/10: SP, 31st IEEE Symposium on Security and Privacy, The
          Claremont Resort, Oakland, CA, USA;
          http://oakland10.cs.virginia.edu/cfp.html
 5/26/10- 5/28/10: MOBISEC, 2nd International ICST Conference on Security
          and Privacy in Mobile Information and Communication Systems,
          Catania, Sicily; http://mobisec.org/
 6/ 7/10- 6/ 8/10: WEIS, 9th Workshop on the Economics of Information
          Security (WEIS), Harvard University, Cambridge, MA, USA;
          http://weis2010.econinfosec.org/cfp.html
 6/ 9/10- 6/11/10: SACMAT, 15th ACM Symposium on Access Control Models and
          Technologies, Pittsburgh, PA, USA; http://www.sacmat.org
 6/16/10- 6/18/10: IFIP-TM, 4th IFIP International Conference on Trust
          Management, Morioka, Japan; http://www.ifip-tm2010.org/
 6/22/10- 6/25/10: ACNS, 8th International Conference on Applied
          Cryptography and Network Security, Beijing, China;
          http://www.tcgchina.org/acns2010/
 7/14/10- 7/16/10: SOUPS, Symposium On Usable Privacy and Security,
          Redmond, WA, USA; http://cups.cs.cmu.edu/SOUPS/
 9/ 7/10- 9/10/10: SECURECOMM, 6th International Conference on Security and
          Privacy in Communication Networks, Singapore;
          http://www.securecomm.org/
 9/20/10- 9/22/10: ESORICS, 15th European Symposium on Research in Computer
Security, Athens, Greece; http://www.esorics2010.org ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since Cipher E92) ___________________________________________________________________ SP 2010 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA, May 16-19, 2010. http://oakland10.cs.virginia.edu/cfp.html (Submissions due 18 November 2009) Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review. *Systematization of Knowledge Papers*: In addition to the standard research papers, we are also soliciting papers focused on systematization of knowledge. The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will provide a high value to our community but would otherwise not be accepted because they lack novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions will be distinguished by a checkbox on the submission form. 
They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings. *Workshops*: The Symposium is also soliciting submissions for co-located workshops. Workshop proposals should be sent by Friday, 21 August 2009 by email to Carrie Gates (carrie.gates@ca.com). Workshops may be half-day or full-day in length. Submissions should include the workshop title, a short description of the topic of the workshop, and biographies of the organizers. ------------------------------------------------------------------------- WISTP 2010 4th Workshop on Information Security Theory and Practice, Passau, Germany, April 13-14, 2010. http://www.wistp.org/ (Submissions due 20 November 2009) The impact of pervasive and smart devices on our daily lives is ever increasing, and the rapid technological development of information technologies ensures that this impact is constantly changing. It is imperative that these complex and resource constrained technologies are not vulnerable to attack. This workshop will consider the full impact of the use of pervasive and smart technologies on individuals, and society at large, with regard to the security and privacy of the systems that make use of them. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of pervasive systems and smart devices, as well as experimental studies of fielded systems. We encourage submissions that address the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. 
Topics of interest include, but are not limited to: - Access control - Ad hoc networks security - Anonymity - Biometrics, national ID cards - Data and application security and privacy - Data protection - Delay-tolerant network security - Digital rights management (DRM) in pervasive environments - Domestic network security - Embedded systems security and TPMs - Human and psychological aspects of security - Human-computer interaction and human behavior impact for security - Identity management - Information assurance and trust management - Interplay of TPMs and smart cards - Intrusion detection and information filtering - Mobile codes security - Mobile commerce security - Mobile devices security - New applications for secure RFID systems - Peer-to-peer security - Privacy enhancing technologies - RFID and NFC systems security - Secure self-organization and self-configuration - Security in location services - Security issues in mobile and ubiquitous networks - Security metrics - Security models and architecture - Security of GSM/GPRS/UMTS systems - Security policies - Security protocols - Sensor networks security - Smart card security - Smart devices applications - Vehicular network security - Wireless communication security - Wireless sensor node security ------------------------------------------------------------------------- IDtrust 2010 9th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA, April 13-15, 2010. http://middleware.internet2.edu/idtrust/2010/ (Submissions due 22 November 2009) IDtrust is looking for papers related to all parts of the public-key mediated authentication and access control problem. All software systems, from enterprise data centers to small businesses and consumer-facing applications, must make access control decisions for protected data. 
IDtrust is a venue for the discussion of the complete access control process (authentication, authorization, provisioning and security decision workflow), addressing questions such as: "What are the authorization strategies that will succeed in the next decade?" "What technologies exist to address complex requirements today?" "What research is academia and industry pursuing to solve the problems likely to show up in the next few years?" Identity as used here refers to not just the principal identifier, but also to attributes and claims. Topics of interest include, but are not limited to: - Analysis of existing identity management protocols and ceremonies (SAML, Liberty, CardSpace, OpenID, and PKI-related protocols) - Analysis or extension of identity metasystems, frameworks, and systems (Shibboleth, Higgins, etc.) - Design and analysis of new access control protocols and ceremonies - Cloud/grid computing implications on authorization and authentication - Assembly of requirements for access control protocols and ceremonies involving strong identity establishment - Reports of real-world experience with the use and deployment of identity and trust applications for broad use on the Internet (where the population of users is diverse) and within enterprises who use the Internet (where the population of users may be more limited), how best to integrate such usage into legacy systems, and future research directions. Reports may include use cases, business case scenarios, requirements, best practices, implementation and interoperability reports, usage experience, etc. 
- User-centric identity, delegation, reputation - Identity and Web 2.0, secure mash-ups, social networking, trust fabric and mechanisms of "invited networks" - Identity management of devices from RFID tags to cell phones; Host Identity Protocol (HIP) - Federated approaches to trust - Standards related to identity and trust, including X.509, S/MIME, PGP, SPKI/SDSI, XKMS, XACML, XRML, and XML signatures - Intersection of policy-based systems, identity, and trust; identity and trust policy enforcement, policy and attribute mapping and standardization - Attribute management, attribute-based access control - Trust path building and certificate validation in open and closed environments - Analysis and improvements to the usability of identity and trust systems for users and administrators, including usability design for authorization and policy management, naming, signing, verification, encryption, use of multiple private keys, and selective disclosure - Identity and privacy - Levels of trust and assurance - Trust infrastructure issues of scalability, performance, adoption, discovery, and interoperability - Use of PKI in emerging technologies (e.g., sensor networks, disaggregated computers, etc.) - Application domain requirements: web services, grid technologies, document signatures, (including signature validity over time), data privacy, etc. ------------------------------------------------------------------------- COSADE 2010 1st Workshop on Constructive Side-channel analysis and Secure Design, Darmstadt, Germany, February 4-5, 2010. http://cosade2010.cased.de/ (Submissions due 6 December 2009) Side-channel analysis (SCA) has become an important field of research at universities and in the industry. Of particular interest is constructive side-channel analysis, as successful attacks support a target-oriented associated design process. 
In order to enhance the side-channel resistance of cryptographic implementations within the design phase, constructive SCA may serve as a quality metric to optimize the design and development process. This workshop provides an international platform for researchers, academics, and industry participants to present their work and their current research topics. It is an excellent opportunity to meet experts and to initiate new collaborations and information exchange at a professional level. The workshop will feature both invited presentations and contributed talks.

The topics of COSADE 2010 include but are not limited to:
- Constructive side-channel attacks in general
- Stochastic approach in power analysis
- Interaction between side-channel analysis and design
- Advanced stochastic methods in side-channel analysis, especially in power analysis and EM analysis
- Leakage models and security models for side-channel analysis in the presence and absence of countermeasures
- Side-channel analysis under black-box assumption
- Evaluation methodologies for side-channel resistant designs, acquisition and analysis
- Side-channel leakage assessment methodologies, models, and metrics
- SCA-aware design criteria and design techniques
- Verification methods and models for side-channel leakages within the design phase
- Methods, tools, and platforms for evaluation of side-channel characteristics of a design
- Criteria for the design flow of countermeasures
- HW / SW acceleration for (constructive) SCA
- Leakage-resilient designs
- Countermeasures for HW / SW co-design architectures
- Countermeasures against implementation attacks at the algorithmic, logic, register transfer and physical levels
- Countermeasures against side-channel attacks on FPGAs, HW / SW co-design architectures, SoC
- Countermeasures against attacks at the algorithmic, logic, register transfer, and physical levels

-------------------------------------------------------------------------
TaPP 2010
2nd Workshop on the Theory and Practice of Provenance,
Held in conjunction with the 8th USENIX Conference on File and Storage Technologies (FAST 2010),
San Jose, CA, USA, February 22, 2010.
http://www.usenix.org/events/tapp10/cfp/
(Submissions due 14 December 2009)

Provenance, or meta-information about computations, computer systems, database queries, scientific workflows, and so on, is emerging as a central issue in a number of disciplines. The TaPP workshop series builds upon a set of workshops on Principles of Provenance organized in 2007-2009, which helped raise the profile of this area within diverse research communities, such as databases, security, and programming languages. We hope to attract serious cross-disciplinary, foundational, and highly speculative research and to facilitate needed interaction with the broader systems community and with industry.

We invite submissions addressing research problems involving provenance in any area of computer science, including but not limited to:
- Databases (data provenance and lineage, uncertainty/probabilistic databases, curated databases, data quality/integration/cleaning, privacy/anonymity, data forensics)
- Programming languages and software engineering (bi-directional, adaptive, and self-adjusting computation, traceability, source code management/version control/configuration management, model-driven design and analysis)
- Systems and security (provenance-aware/versioned file systems, provenance and audit/integrity/information flow security, trusted computing, traces and reflective/adaptive/self-adjusting systems, digital libraries)
- Workflows/scientific computation (efficient/incremental recomputation, scientific data exploration and visualization, workflow provenance querying, user interfaces)

-------------------------------------------------------------------------
IFIP-TM 2010
4th IFIP International Conference on Trust Management,
Morioka, Japan, June 16-18, 2010.
http://www.ifip-tm2010.org/
(Submissions due 19 December 2009)

The mission of the IFIPTM 2010 Conference is to share research solutions to problems of trust and trust management, including related security and privacy issues, and to identify new issues and directions for future research and development work. IFIPTM 2010 invites submissions presenting novel research on all topics related to trust, security and privacy, including but not limited to those listed below:
- Trust models, formalization, specification, analysis and reasoning
- Reputation systems and architectures
- Engineering of trustworthy and secure software
- Ethics, sociology and psychology of trust
- Security management and usability issues including security configuration
- Trust management frameworks for secure collaborations
- Language security
- Security, trust and privacy for service oriented architectures and composite applications
- Security, trust and privacy for software as a service (SaaS)
- Security, trust and privacy for Web 2.0 mashups
- Security, privacy, and trust as a service
- Legal issues related to the management of trust
- Semantically-aware security management
- Adaptive security policy management
- Mobile security
- Anonymity and privacy vs. accountability
- Critical infrastructure protection, public safety and emergency management
- Privacy and identity management in e-services
- Biometrics, national ID cards, identity theft
- Robustness of trust and reputation systems
- Distributed trust and reputation management systems
- Human computer interaction aspects of privacy, security & trust
- Applications of trust and reputation management in e-services
- Trusted platforms and trustworthy systems

-------------------------------------------------------------------------
IFIP-CIP 2010
4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection,
Fort McNair, Washington, DC, USA, March 14-17, 2010.
http://www.ifip1110.org
(Submissions due 31 December 2009)

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first three conferences, the Fourth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection.

Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security

-------------------------------------------------------------------------
SACMAT 2010
15th ACM Symposium on Access Control Models and Technologies,
Pittsburgh, PA, USA, June 9-11, 2010.
http://www.sacmat.org/
(Submissions due 8 January 2010)

Papers offering novel research contributions in all aspects of access control are solicited for submission to the ACM Symposium on Access Control Models and Technologies (SACMAT). The missions of the symposium are to share novel access control solutions that fulfill the needs of heterogeneous applications and environments and to identify new directions for future research and development.
SACMAT gives researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of access control. Topics of interest include:
- Access control models and extensions
- Access control requirements
- Access control design methodology
- Access control mechanisms, systems, and tools
- Access control in distributed and mobile systems
- Access control for innovative applications
- Administration of access control policies
- Delegation
- Identity management
- Policy/role engineering
- Safety analysis and enforcement
- Standards for access control
- Trust management
- Trust models
- Theoretical foundations for access control models
- Usage control

-------------------------------------------------------------------------
AH 2010
1st ACM Augmented Human International Conference,
Megève ski resort, France, April 2-4, 2010.
http://www.augmented-human.com/
(Submissions due 10 January 2010)

The AH international conference focuses on scientific contributions towards augmenting human capabilities through technology for increased well-being and an enjoyable human experience. The topics of interest include, but are not limited to:
- Augmented and Mixed Reality
- Internet of Things
- Augmented Sport
- Sensors and Hardware
- Wearable Computing
- Augmented Health
- Augmented Well-being
- Smart artifacts & Smart Textiles
- Augmented Tourism and Games
- Ubiquitous Computing
- Bionics and Biomechanics
- Training/Rehabilitation Technology
- Exoskeletons
- Brain Computer Interface
- Augmented Context-Awareness
- Augmented Fashion
- Safety, Ethics and Legal Aspects
- Security and Privacy Aspects

-------------------------------------------------------------------------
MOBISEC 2010
2nd International ICST Conference on Security and Privacy in Mobile Information and Communication Systems,
Catania, Sicily, May 26-28, 2010.
http://mobisec.org/
(Submissions due 11 January 2010)

The focus of MOBISEC 2010 is the convergence of information and communication technology in mobile scenarios. This convergence is realised in intelligent mobile devices, accompanied by the advent of converged, and next-generation, communication networks. As mobile communication and information processing becomes a commodity, economy and society require protection of this precious resource. Mobility and trust in networking go hand in hand for future generations of users, who need privacy and security at all layers of technology. MobiSec strives to bring together the leading edge of academia and industry in mobile systems security, as well as practitioners, standards developers and policymakers.

Topics of interest include, but are not limited to the following focus areas, as applied to mobile ICT:
- Security architectures for next-generation, new-generation and converged communication networks
- Trusted mobile devices, hardware security
- Network resilience
- Threat analyses for mobile systems
- Multi-hop authentication and trust
- Non-repudiation of communication
- Context-aware and data-centric security
- Protection and safety of distributed mobile data
- Mobile application security
- Security for voice and multimedia communication
- Machine-to-machine communication security
- Trust in autonomic and opportunistic communication
- Location based applications security and privacy
- Security for the networked home environment
- Security and privacy for mobile communities
- Mobile emergency communication, public safety
- Lawful interception and mandatory data retention
- Security of mobile agents and code
- Identity management
- Embedded security

-------------------------------------------------------------------------
International Journal of Secure Software Engineering (IJSSE),
Special Issue on Software Safety & Dependability - the Art of Engineering Trustworthy Software,
January 2011.
http://www.igi-global.com/journals/details.asp?id=34297
(Submissions due 1 February 2010)

Guest editors: Lei Wu (University of Houston-Clear Lake, Houston, Texas, U.S.A.) and Yi Feng (Algoma University, Sault Ste. Marie, Ontario, Canada)

Software safety is an element of the total safety program. It optimizes system safety and dependability in the design, development, use, and maintenance of software systems and their integration with safety-critical application systems in an operational environment. The increasing size and complexity of software systems makes it harder to ensure their dependability. At the same time, the issues of safety become more critical as we rely more and more on software systems in our daily life. These trends make it necessary to support software engineers with a set of techniques and tools for developing dependable, trustworthy software.

Software safety cannot be allowed to function independently of the total effort. Both simple and highly integrated multiple systems are experiencing an extraordinary growth in the use of software to monitor and/or control safety-critical subsystems or functions. A software specification error, design flaw, or the lack of generic safety-critical requirements can contribute to or cause a system failure or erroneous human decision. To achieve an acceptable level of dependability goals for software used in critical applications, software safety engineering must be given primary emphasis early in the requirements definition and system conceptual design process. Safety-critical software must then receive continuous management emphasis and engineering analysis throughout the development and operational lifecycles of the system.

In this special issue, we are seeking insights into how we can confront the challenges of software safety and dependability in developing dependable, trustworthy software systems. Some suggested areas include, but are not limited to:
- Safety consistent with mission requirements
- Secure software engineering with software security and trustworthy software development
- State-of-the-art literature review of technology dealing with software system security
- Identification and analysis of safety-critical functionality of complex systems
- Intrusion detection, security management, applied cryptography
- Deriving hazards and designing safeguards for mitigation
- Safety-critical function design and preliminary hazard analysis
- Identification, evaluation, and elimination techniques for hazards associated with the system and its software, throughout the lifecycle
- Complexity of safety-critical interfaces and software components
- Sound secure software engineering principles that apply to the design of the software-user interface to minimize the probability of human error
- Failure and hazard models (hardware, software, human and system) addressed in the design of the software
- Software testing techniques targeting software safety issues at different levels of testing

-------------------------------------------------------------------------
ACNS 2010
8th International Conference on Applied Cryptography and Network Security,
Beijing, China, June 22-25, 2010.
http://www.tcgchina.org/acns2010/
(Submissions due 5 February 2010)

Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS '10.
Topics of relevance include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection and digital rights management
- Modeling and protocol design for rational and malicious adversaries
- Automated analysis of protocols

-------------------------------------------------------------------------
WEIS 2010
9th Workshop on the Economics of Information Security (WEIS),
Harvard University, Cambridge, MA, USA, June 7-8, 2010.
http://weis2010.econinfosec.org/cfp.html
(Submissions due 22 February 2010)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions.
How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals' and organizations' perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders? We encourage economists, computer scientists, business school researchers, legal scholars, security and privacy specialists, as well as industry experts to submit their research and attend the workshop.

Suggested topics include (but are not limited to) empirical and theoretical studies of:
- Optimal investment in information security
- Online crime (including botnets, phishing and spam)
- Models and analysis of online crime
- Risk management and cyberinsurance
- Security standards and regulation
- Cybersecurity policy
- Privacy, confidentiality and anonymity
- Behavioral security and privacy
- Security models and metrics
- Psychology of risk and security
- Vulnerability discovery, disclosure, and patching
- Cyberwar strategy and game theory
- Incentives for information sharing and cooperation

-------------------------------------------------------------------------
LEET 2010
3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More,
Held in conjunction with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2010),
San Jose, CA, USA, April 27, 2010.
http://www.usenix.org/events/leet10/cfp/
(Submissions due 25 February 2010)

LEET aims to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.

Topics of interest include but are not limited to:
- Infection vectors for malware (worms, viruses, etc.)
- Botnets, command and control channels
- Spyware
- Operational experience
- Forensics
- Click fraud
- Measurement studies
- New threats and related challenges
- Boutique and targeted malware
- Phishing
- Spam
- Underground markets
- Carding and identity theft
- Miscreant counterintelligence
- Denial-of-service attacks
- Hardware vulnerabilities
- Legal issues
- The arms race (rootkits, anti-anti-virus, etc.)
- New platforms (cellular networks, wireless networks, mobile devices)
- Camouflage and detection
- Reverse engineering
- Vulnerability markets and zero-day economics
- Online money laundering
- Understanding the enemy
- Data collection challenges

-------------------------------------------------------------------------
SOUPS 2010
Symposium On Usable Privacy and Security,
Redmond, WA, USA, July 14-16, 2010.
http://cups.cs.cmu.edu/SOUPS/
(Submissions due 5 March 2010)

The 2010 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security.
Topics include, but are not limited to:
- innovative security or privacy functionality and design
- new applications of existing models or technology
- field studies of security or privacy technology
- usability evaluations of new or existing security or privacy features
- security testing of new or existing usability features
- longitudinal studies of deployed security or privacy features
- the impact of organizational policy or procurement decisions
- lessons learned from the deployment and use of usable privacy and security features

-------------------------------------------------------------------------
ESORICS 2010
15th European Symposium on Research in Computer Security,
Athens, Greece, September 20-22, 2010.
http://www.esorics2010.org
(Submissions due 1 April 2010)

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Papers should focus on topics such as:
- Access Control
- Accountability
- Anonymity
- Applied Cryptography
- Attacks and Viral Software
- Authentication and Delegation
- Data Integrity
- Database Security
- Inference Control
- Identity Management
- Information Flow Control
- Intrusion Tolerance
- Formal Security Methods
- Language-based Security
- Network Security
- Privacy Enhancing Technologies
- Risk Analysis and Management
- Secure Electronic Voting
- Security Architectures
- Security Economics
- Security for Mobile Code
- Security for Dynamic Coalitions
- Security in Location Services
- Security in Social Networks
- Security Models
- Security Verification
- System Security
- Trust Models and Management
- Trust Theories
- Trustworthy User Devices

-------------------------------------------------------------------------
SECURECOMM 2010
6th International Conference on Security and Privacy in Communication Networks,
Singapore, September 7-10, 2010.
http://www.securecomm.org/
(Submissions due 5 April 2010)

SecureComm'10 seeks high-quality research contributions in the form of well developed papers. Topics of interest encompass research advances in ALL areas of secure communications and networking. Topics in other areas (e.g., formal methods, database security, secure software, applied cryptography) will also be considered if a clear connection to private or secure communications/networking is demonstrated.
-------------------------------------------------------------------------

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from past issues of Cipher is archived at
http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

(Nothing new since Cipher E92)

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two subscription options, each with two ways to sign up:

1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $12, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $10.00.

The 2007 proceedings are available in hardcopy for $10.00; the 28 year CD is $10.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2010 treasurer (below) with the order description, including shipping method and shipping address.
Al Shaffer
Treasurer, IEEE Symposium Security and Privacy 2010
Glasgow East Annex, Rm. 218 (GE-218)
1411 Cunningham Rd.
Naval Postgraduate School
Monterey, CA 93943
831/656-3319, voice
oakland10-treasurer @ ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
  David Du
  Department of Computer Science and Engineering
  University of Minnesota
  Minneapolis, MN 55455
  du@umn.edu

Security and Privacy Symposium Chair Emeritus:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department, Code CS/IC
  Monterey CA 93943-5118
  (831) 656-2461 (voice)
  irvine@nps.edu

Vice Chair:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Salem, UT 84653
  hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department, Code CS/IC
  Monterey CA 93943-5118
  (831) 656-2461 (voice)
  irvine@nps.edu

Treasurer:
  Terry Benzel
  USC Information Sciences Intnl
  4676 Admiralty Way, Suite 1001
  Los Angeles, CA 90292
  (310) 822-1511 (voice)
  tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
  Jonathan Millen
  The MITRE Corporation, Mail Stop S119
  202 Burlington Road Rte. 62
  Bedford, MA 01730-1420
  781-271-51 (voice)
  jmillen@mitre.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Salem, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium: General Chair 2010
  Ulf Lindqvist
  SRI
  Menlo Park, CA
  (650)859-2351
  ulf.lindqvist@sri.com

________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year