Subject: Electronic CIPHER, Issue 40, December 19, 2000

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 40                                December 19, 2000

Jim Davis, Editor
Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================

http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Call for papers for the 2001 Security & Privacy Conference, May 13-16, 2001, Oakland, CA, USA
  o Call for papers for the 14th IEEE Computer Security Foundations Workshop, June 11-13, 2001, Cape Breton, Nova Scotia, Canada
  o New Jersey Computer Security Seminar
  o Upcoming calls-for-papers and events (new calls since Cipher E39: IEEE Computer, SMC-IAW, IFIP/SEC2001, ISSE2001, CCS-8, Indocrypt 2001)
* News Briefs:
  o LISTWATCH by Mary Ellen Zurko
* Commentary and Opinion
  o A note from Carl Landwehr on DARPA's workshop on open source operating systems and security
  o Robert Bruen's review of "SSL and TLS. Designing and Building Secure Systems" by Eric Rescorla
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Reader's guide to recent security and privacy literature, by Anish Mathuria
* List of Computer Security Academic Positions, by Cynthia Irvine
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you this issue of Cipher! In it you will find a book review by Robert Bruen, Mary Ellen Zurko's LISTWATCH, and several new calls-for-papers.

Within the context of the recently settled US presidential election, a frequent topic of conversation around our break room has been the viability of voting on the Internet. I'll bet you've had those discussions too. A small, local, upside to the ordeal is that it sparked a genuine interest in students to review some of the literature on electronic voting protocols. I'd like to pass along a few links to papers that we found interesting and useful. Avi Rubin recently authored a paper entitled "Security Considerations for Remote Electronic Voting Over the Internet" [1] that summarizes his comments at the National Workshop on Internet Voting [2]. Ron Rivest's research group on electronic voting maintains a web page with interesting articles and a great bibliography on many aspects of electronic voting [3]. Also of note is the Sensus project by Lorrie Cranor and Ron Cytron, specifically the paper entitled "Design and Implementation of a Practical Security-Conscious Electronic Polling System" [4]. These are a few of the resources that we found helpful.

On December 8, 2000 at a speech at the University of Nebraska, President Clinton highlighted a new Scholarship for Service program (SFS) to support students who are preparing to enter into careers in Information Assurance [5]. This was certainly good news to many in our community who have invested years making the case that we do in fact have a shortage of trained security practitioners and educators, and worse, we lack the capacity to educate professionals in the numbers needed to have an impact. Key aspects of these problems were detailed in Eugene Spafford's 1997 briefing to the US House of Representatives Committee on Science [6]. Matt Bishop's insightful keynote presentation at the National Colloquium on Information Systems Security Education in May 2000 also highlights these concerns and gives us a look at what we have accomplished in computer security education in the past four years [7]. The Scholarship for Service program also provides modest support for curriculum and faculty development, and "capacity-building" efforts for Universities that desire to ramp up new education and research programs in computer security. It's a small step, but it's certainly timely and in the right direction. There are many innovative ideas floating around...sharing courses...sharing students...sharing faculty...a national dialog on information assurance curricula...it will be interesting to see what emerges.

One of the aspects of assembling Cipher that I enjoy is working with the fantastic volunteers that make the newsletter happen. I'd like to introduce our newest volunteer, Joe Morsello. Joe is employed by the Concero group, currently assigned to Nortel Networks at Research Triangle Park in North Carolina, USA. Joe is also pursuing a MS degree at North Carolina State University in Innovation and Technology Management.
With so many of our readers shaping the future of information assurance, we thought it would be interesting to provide a forum for you to write an occasional editorial piece. Joe has agreed to take this on as a project. If you have thoughts on this (or would like to volunteer an editorial!) please contact Joe at jp.morsello@computer.org.

Many thanks to our contributors for their help with this issue!

Best regards and Happy Holidays!

Jim Davis
12/19/2000

[1] www.avirubin.com/e-voting.security.html
[2] www.netvoting.org/
[3] theory.lcs.mit.edu/~cis/voting/voting.html
[4] www.ccrc.wustl.edu/~lorracks/sensus/
[5] www.whitehouse.gov/library/hot_releases/December_8_2000_7.html
[6] www.cerias.purdue.edu/homes/spaf/house.html
[7] seclab.cs.ucdavis.edu/~bishop/scriv/Bish2000d.html

====================================================================
Conference and Workshop Announcements
====================================================================

CALL FOR PAPERS

2001 IEEE Symposium on Security and Privacy
May 13-16, 2001
The Claremont Resort
Oakland, California, USA

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field.

Previously unpublished papers offering novel research contributions in any aspect of computer security or electronic privacy are solicited for submission to the 2001 symposium. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains. We particularly welcome papers that help us continue our re-established emphasis on electronic privacy.

Topics of interest include, but are not limited to, the following:

  Commercial and industrial security
  Electronic privacy
  Mobile code and agent security
  Distributed systems security
  Network security
  Anonymity
  Data integrity
  Access control and auditing
  Information flow
  Security verification
  Viruses and other malicious code
  Security protocols
  Authentication
  Biometrics
  Smartcards
  Electronic commerce
  Intrusion detection
  Database security
  Language-based security
  Denial of service

INSTRUCTIONS FOR PAPER SUBMISSIONS

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Papers should be at most 15 pages excluding the bibliography and well-marked appendices (using 11-point font, single column format, and reasonable margins on 8.5"x11" or A4 paper), and at most 25 pages total. Committee members are not required to read the appendices, so the paper should be intelligible without them. Papers should be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text.

To submit, please visit URL: http://cmt.research.microsoft.com/SSP2001/ and enter your paper in Portable Document Format (.pdf) or as a Postscript file (.ps). Submissions received after the submission deadline or failing to conform to the guidelines above risk rejection without consideration of their merits. Where possible all further communications to authors will be via email.

  Paper submissions due: November 7, 2000
  Acceptance notification: January 29, 2001

If for some reason you cannot conform to these submission guidelines, please send email to needham@microsoft.com. Please use a subject field containing the string "Oakland01".

PANEL PROPOSALS

The conference may include panel sessions addressing topics of interest to the computer security community.
Proposals for panels should be no longer than five pages in length and should include possible panelists and an indication of which of those panelists have confirmed participation. Send an email with a MIME attachment containing your panel proposal in PDF or Postscript format to needham@microsoft.com. This email should state that your proposal is for the 2001 IEEE Symposium on Security and Privacy, and should include the proposers' names, email and postal addresses, and phone and fax numbers. Please use a subject field containing the string "Oakland01".

  Panel proposals due: November 7, 2000
  Acceptance notification: January 29, 2001

5-MINUTE TALKS

A continuing feature of the symposium will be a session of 5-minute talks, where attendees can present preliminary research results or summaries of works published elsewhere. Printed abstracts of these talks will be distributed at the symposium. Abstracts for 5-minute talks should fit on one 8.5"x11" or A4 page, including the title and all author names and affiliations. Send an email with a MIME attachment containing your abstract in PDF or Postscript format to needham@microsoft.com. This email should state that your abstract is for the session of 5-minute presentations at the 2001 IEEE Symposium on Security and Privacy, and should include the presenter's name, email and postal addresses, and phone and fax numbers. Please use a subject field containing the string "Oakland01".

  5-Minute abstracts due: March 13, 2001
  Acceptance notification: March 31, 2001

General chair: Li Gong (Sun Microsystems, USA)
Vice chair: Heather Hinton (Tivoli Systems, USA)
Program co-chairs: Roger Needham (Microsoft Research, UK)
                   Martin Abadi (Bell Labs - Lucent, USA)
Treasurer: Brian Loe (Secure Computing Corporation, USA)

Program Committee:
  Paul Ammann (George Mason University, USA)
  Lee Badger (Network Associates, USA)
  Mihir Bellare (University of California San Diego, USA)
  Marc Dacier (IBM Zurich Research Laboratory, Switzerland)
  Simon Foley (University College, Cork, Ireland)
  Virgil Gligor (University of Maryland, USA)
  Stuart Haber (Intertrust, USA)
  Paul Karger (IBM Research, USA)
  Markus Kuhn (University of Cambridge, UK)
  Teresa Lunt (Xerox PARC, USA)
  Andrew Myers (Cornell University, USA)
  Dan Simon (Microsoft Research, USA)
  David Wagner (University of California Berkeley, USA)
  Avishai Wool (Bell Labs - Lucent, USA)

-----------------------------------------------------------------

Call For Papers

14th IEEE Computer Security Foundations Workshop
June 11-13, 2001
Keltic Lodge, Cape Breton, Nova Scotia, Canada

Sponsored by the Technical Committee on Security and Privacy of the IEEE Computer Society.

This workshop series brings together researchers in computer science to examine foundational issues in computer security. For background information about the workshop, and an html version of this Call for Papers, see the CSFW home page www.csl.sri.com/csfw/csfw14/

This year the workshop will be in Cape Breton, Nova Scotia, Canada.

We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Both papers and panel proposals are welcome.
Possible topics include, but are not limited to:

  access control
  authentication
  data and system integrity
  database security
  network security
  distributed systems security
  anonymity
  intrusion detection
  security for mobile computing
  security protocols
  security models
  decidability issues
  privacy
  executable content
  formal methods for security
  information flow

The proceedings are published by the IEEE Computer Society and will be available at the workshop. Selected papers will be invited for submission to the Journal of Computer Security.

Instructions for Participants
-----------------------------

Submission is open to anyone. Workshop attendance is limited to about 40 participants.

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with a proceedings. Papers should be at most 20 pages excluding the bibliography and well-marked appendices (using 11-point font, single column format, and reasonable margins on 8.5"x11" paper), and at most 25 pages total. The page limit will be strictly adhered to. Committee members are not required to read the appendices, and so the paper should be intelligible without them. Proposals for panels should be no longer than five pages in length and should include possible panelists and an indication of which of those panelists have confirmed participation.

To submit a paper, send to s.schneider@rhbnc.ac.uk a plain ASCII text email containing the title and abstract of your paper, the authors' names, email and postal addresses, phone and fax numbers, and identification of the contact author. To the same message, attach your submission (as a MIME attachment) in PDF or portable postscript format. Do not send files formatted for word processing packages (e.g., Microsoft Word or WordPerfect files). Submissions received after the submission deadline or failing to conform to the guidelines above risk rejection without consideration of their merits.
Where possible all further communications to authors will be via email. If for some reason you cannot conform to these submission guidelines, please contact the program chair at s.schneider@rhbnc.ac.uk.

Important Dates
---------------

  Submission deadline: February 1, 2001
  Notification of acceptance: March 16, 2001
  Camera-ready papers: April 5, 2001

Program Committee

  Pierre Bieber, ONERA, France
  Ed Clarke, Carnegie Mellon University, USA
  Riccardo Focardi, University of Venice, Italy
  Dieter Gollmann, Microsoft Research, UK
  Li Gong, Sun Microsystems, USA
  Carl Gunter, University of Pennsylvania, USA
  Joshua Guttman, MITRE, USA
  Gavin Lowe, Oxford University, UK
  Teresa Lunt, Xerox PARC, USA
  Fabio Martinelli, IAT-CNR, Italy
  John McLean, Naval Research Laboratory, USA
  Ravi Sandhu, George Mason University, USA
  Andre Scedrov, University of Pennsylvania, USA
  Steve Schneider (chair), Royal Holloway, University of London, UK
  Rebecca Wright, AT&T Labs, USA

Workshop Location
-----------------

The workshop will be held at the Keltic Lodge in beautiful Cape Breton, Nova Scotia. Located on a narrow peninsula on the Atlantic Ocean, the Lodge's comfortable rooms offer breathtaking views of the rugged shore, vibrant in sunny days and majestic when shrouded in mist. Activities on the premises include tennis, swimming in the heated pool, golf, and mountain biking. The picturesque fishing villages along the scenic Cabot Trail offer opportunities to get acquainted with the local lifestyle and also to embark in such activities as ocean swimming, whale watching, and sea kayaking. Moose, bears and other wildlife are often seen while hiking and camping in the surrounding Cape Breton Highlands National Park. Cape Breton also hosts the final home of Alexander Graham Bell and the station from which Guglielmo Marconi transmitted the first recorded East-bound radio signal across the Atlantic.

The Keltic Lodge is 4 hours by car from Halifax International Airport along a magnificent drive.
There are direct flights between Halifax and numerous European and American cities. Sydney Regional Airport is 1 1/2 hours by car from the Keltic Lodge and has flights every 2 hours to Halifax. People attending LICS 2001 in Boston may also consider the ferry between Portland, ME and Yarmouth, NS. More travel information can be found from the CSFW website.

For further information contact:

General Chair
  Iliano Cervesato
  ITT Industries, Inc. - AES Division
  2560 Huntington Avenue
  Alexandria, VA 22303-1410 USA
  +1-202-404-4909
  iliano@itd.nrl.navy.mil

Program Chair
  Steve Schneider
  Department of Computer Science
  Royal Holloway, University of London
  Egham, Surrey, TW20 0EX UK
  +44 1784 443431
  s.schneider@rhbnc.ac.uk

Publications Chair
  Jonathan Herzog
  The MITRE Corporation
  202 Burlington Road
  Bedford, MA 01730-1420 USA
  +1-781-271-2907
  jherzog@mitre.org

____________________________________________________________________

Live in the tri-state area? Check out the New Jersey Computer Security Seminar.

Many computer security researchers work in and around New Jersey. The New Jersey Computer Security Seminar (NJCSS) is a forum for those researchers to meet and discuss their work. NJCSS is modeled on the successful New Jersey Programming Language Seminar.

Ed Felten (Princeton University) and Mike Reiter (Bell Labs) are organizing the first NJCSS meeting, which will probably be held in late January, 2001. See www.cs.princeton.edu/~felten/njcss.html for more information.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at www.ieee-security.org/cfp.html.
The Cipher event Calendar is at www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________

Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, e-mail for more info.

See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html) for details on many of these listings. Also worth a look are the ICL calendar and the IACR site, and several others.

12/31/00: IFIP/Sec '01, Paris, France; www.ifip.tu-graz.ac.at/TC11/SEC2001/ Submissions to ifipsec2001@gemplus.com; [*]
1/15/01: SCITS-II, Bratislava, Slovakia; submissions due fischer-huebner@kau.se; [*] www.conference.sk/ifip/
2/ 1/01: CSFW14, Nova Scotia, Canada; Submissions: schneider@rhbnc.ac.uk [*] www2.csl.sri.com/csfw/csfw14/
2/ 1/01: WIAPP01, San Jose, CA; submission due [*] www.cs.berkeley.edu/~gribble/wiapp01
2/ 7/01- 2/ 9/01: NDSS '01, San Diego, California; www.isoc.org/ndss01/cfp
2/19/01- 2/22/01: FC01, Grand Cayman, BWI; fc01.ai
2/20/01: ACISP '01, Sydney, Australia; submissions due; [*] www.cit.nepean.uws.edu.au/~acisp01
3/12/01- 3/16/01: FME 2001, Berlin, Germany; www.informatik.hu-berlin.de/top/fme2001
3/26/01- 3/29/01: DOCSec '01, Annapolis, MD; www.cs.utah.edu/flux/cipher/cfps/cfp-DOCSec01.html
3/28/01: ISADS 2001, Dallas, Texas; isads.utdallas.edu/
3/29/01- 3/30/01: CaLC '01, Providence, RI; www.math.brown.edu/~jhs/CALC/CALC.html
4/16/01- 4/19/01: ICDCS-21, Phoenix, Arizona; cactus.eas.asu.edu/ICDCS2001/call_for_papers.htm
4/22/01- 4/23/01: OPENARCH '01, Anchorage, Alaska; www.openarch.org
4/25/01- 4/27/01: WOIH-4, Pittsburgh, PA; chacs.nrl.navy.mil/IHW2001
5/ 1/01- 5/ 5/01: WWW10, Hong Kong, China; www10.org
5/ 6/01- 5/10/01: Eurocrypt 2001, Innsbruck, Austria; www.ec2001.ocg.at
5/13/01- 5/16/01: IEEE S&P '01, Oakland, California; www.ieee-security.org/TC/SP01/cfp.html
5/20/01: ICICS '01, Xian, China; submissions due; [*] homex.coolconnect.com/member2/icisa/icics2001.html
6/11/01- 6/13/01: CSFW 14, Nova Scotia, Canada; www.csl.sri.com/csfw/csfw14/
6/11/01- 6/13/01: IFIP/Sec '01, Paris, France; www.ifip.tu-graz.ac.at/TC11/SEC2001/
6/11/01- 6/15/01: CITSS '01, Ottawa, Canada; www.cse-cst.gc.ca/cse/english/annual.html
6/15/01- 6/16/01: SCITS-II, Bratislava, Slovakia; www.conference.sk/ifip/
6/17/01- 6/22/01: FIRST, Toulouse, France; www.first.org/
7/ 2/01- 7/ 4/01: ACISP '01, Sydney, Australia; www.cit.nepean.uws.edu.au/~acisp01
7/23/01- 7/24/01: WIAPP '01, San Jose, CA; www.cs.berkeley.edu/~gribble/wiapp01
8/13/01- 8/16/01: 10th USENIX Security Symposium, Washington, D.C.
11/13/01-11/16/01: ICICS, Xian, China; homex.coolconnect.com/member2/icisa/icics2001.html
5/13/02- 5/15/02: (tentative date) IEEE S&P 2002

____________________________________________________________________

Conference and Workshop *Calls-for-Papers*
December 2000 - May 2001
____________________________________________________________________

IEEE Computer, Special issue on embedded system security.
Guest editors: William A. Arbaugh, University of Maryland, and Leendert Van Doorn, IBM Research. Submission deadline is March 15, 2001.
Embedded systems range from personal digital assistants to disk controllers and from home thermostats to microwave regulators. These near-ubiquitous devices are often networked and thus present security challenges similar to those already of concern on the Internet. This special issue will consider the security and privacy that networked embedded systems present. Submissions are sought on all topics relating to embedded system security including risk analysis, privacy issues, software security architectures, security requirements for embedded operating systems, embedded cryptographic devices, using embedded devices to build secure systems, and secure firmware upgrades. Contact William Arbaugh at wwa@cs.umd.edu.

SMC-IAW 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, United States Military Academy, West Point, New York, USA, June 5-6, 2001. 2000-3000 word extended abstracts due: 12/20/00
www.itoc.usma.edu/Workshop/2001/Workshop2001.htm
The purpose of the Information Assurance Workshop is to provide a forum for discussion and sharing ideas in information assurance. Information assurance is a broad area, and for purposes of this workshop, it includes the following topics: Intrusion detection and response; Cryptography and its applications; Data and information fusion; Computer security; Cyber ethics and policy; Planning and decision support tools; Military and government research, development, and application efforts. While this workshop focuses on novel applications of simulations, agents, artificial intelligence, and operations research techniques to ensuring the confidentiality, integrity, and availability of information, it is not limited to these topics. If you are unsure of whether your paper would be applicable, contact the Program Chair.

IFIP/Sec 2001 16th International Conference on Information Security, Paris, France, June 11-13, 2001. Papers due December 31, 2000
www.ifip.tu-graz.ac.at/TC11/SEC2001/
The annual conference devoted to information systems security, organized by the TC-11 (Technical Committee on Security and Protection in Information Processing Systems) of IFIP (International Federation for Information Processing) will be held on June 11-13, 2001, in Paris, France. Regular papers, panel proposals and tutorial proposals should be sent to: ifipsec2001@gemplus.com.

SCITS-II IFIP WG 9.6/11.7 Working Conference on Security and Control of IT in Society II, Bratislava, Slovakia, June 15-16, 2001. (papers due January 15, 2001)
In the Global Information Society, dependencies on IT are wide-spread already and still rising. Yet IT and the emerging Global Information Infrastructure (GII) introduce new opportunities for criminal activities, and new potential threats to people and society. These threats and opportunities have to be countered and controlled in a manner that balances the benefits of IT. In order to make good use of the advantages offered by the new Global Information Infrastructure, a secure and trustworthy environment is needed, which takes also into account social and legal values. The working conference will focus on legal, social, technical, and organisational aspects of information infrastructures and of new global applications. It will further address how to prevent emerging threats to IT systems security as well as risks to people, organisations, and society as a whole.
Invited topics include, but are not limited to the following:
  - Case studies of Misuse
  - Risks in the GII to system security, people, and society
  - Risks of malware and intelligent agents
  - Internet Fraud
  - Risks through interception and tracking technologies
  - Risks analysis methods: new approaches and experiences
  - Critical Information Infrastructure Protection and Social Implications
  - Approaches to high-tech crime prevention, detection, and investigation
  - International Cooperation in fighting high-tech crime
  - Multilateral Security
  - Protecting users/usees by Privacy-Enhancing Technologies
  - Users' security responsibilities
  - Crypto / Anonymity debate
  - IT law for preventing Misuse (e.g. in the area of Electronic Commerce)
  - Regulations for Digital Signatures, concepts of Certification Authorities
  - Perception of security in society, security awareness
Complete instructions for submitting a paper can be found on the conference web page at www.conference.sk/ifip/.

CSFW'14 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 11-12, 2001. Papers due February 1, 2001.
See the call for papers earlier in this issue of Cipher, or visit the conference web site at www.csl.sri.com/csfw/csfw14/.

ACISP'2001 The Sixth Conference on Information Security and privacy, Sydney, Australia, July 2-4, 2001. (papers due February 20, 2001)
Original papers pertaining to all aspects of computer systems and information security are solicited for submission to the Sixth Australasian Conference on Information Security and Privacy (ACISP 2001).
Papers may present theory, techniques, applications and practical experiences on a variety of topics including:
  * Authentication and authority
  * Cryptology
  * Database security
  * Access control
  * Mobile communications security
  * Network security
  * Secure operating systems
  * Smart cards
  * Security management
  * Risk assessment
  * Secure commercial applications
  * Copyright protection
  * Key management and auditing
  * Mobile agents security
  * Secure electronic commerce
  * Software protection & viruses
  * Security architectures and models
  * Security protocols
  * Distributed system security
  * Evaluation and certification
Detailed information about the conference can be found at the conference web site: www.cit.nepean.uws.edu.au/~acisp01

ISSE 2001 Information Security Solutions Europe Conference, QEII Conference Centre, London, UK, September 26-28, 2001. proposals due March 5, 2001.
www.eema.org/isse
EEMA - The European Forum for Electronic Business and TeleTrusT - The Association for the Promotion of Trustworthiness of IT-Systems invite you to participate in the Call for Papers for ISSE 2001. ISSE is the European institution for the presentation and discussion of technical, organisational, legal and political concepts for information security and data protection. As a user-oriented conference it provides presentations and panel discussions about existing and future information security solutions for large scale corporations, enterprises, especially for SMEs, commerce, financial institutions, public sector, health care, legal practitioners and security professionals. An extensive list of topics of interest along with instructions for submitting a paper is given in the full call-for-papers at www.eema.org/isse.

CCS-8 Eighth ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 6-8, 2001. Panel proposals and papers are due April 20, 2001.
www.bell-labs.com/user/reiter/ccs8/
Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Eighth ACM Conference on Computer and Communications Security. Papers may present theory, technique, applications, or practical experience. A complete list of topics and instructions for submitting a paper or panel proposal can be found on the conference web site at www.bell-labs.com/user/reiter/ccs8/.

ICICS'2001 Web: homex.coolconnect.com/member2/icisa/icics2001.html
Third International Conference on Information and Communications Security, Xian, China, November 13-16, 2001. (submissions due May 20, 2001)
ICICS'01 covers all aspects of theory and application of information and communications security. More information can be found on the conference web page at homex.coolconnect.com/member2/icisa/icics2001.html

Indocrypt'2001 www.cs.iitm.ernet.in/indocrypt
Second International Conference on Cryptology in India, Chennai, India, December 16-20, 2001. Papers due August 10, 2001.
Original papers on all technical aspects of cryptology are solicited for submission to Indocrypt 2001. Detailed instructions for submission of a paper are given on the conference web site.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
December 20, 2000 - January 2001
====================================================================

NDSS'01, www.isoc.org/ndss01
  The Internet Society 2001 Network and Distributed System Security Symposium, Catamaran Resort, San Diego, California, February 7-9, 2001.
PKC2001 caislab.icu.ac.kr/pkc01/
  International Workshop on Practice and Theory in Public Key Cryptography, Cheju Island, Korea, February 13-15, 2001.
FC'01 CFP: www.syverson.org Conf Web site: fc01.ai
  Fifth International Conference on Financial Cryptography, Grand Cayman, BWI, February 19-22, 2001.
SREIS www.cerias.purdue.edu/SREIS.html
  Symposium on Requirements Engineering for Information Security, Purdue University CERIAS, West Lafayette, Indiana, USA, March 5-6, 2001.
FME2001 www.informatik.hu-berlin.de/top/fme2001
  FORMAL METHODS EUROPE Formal Methods for Increasing Software Productivity, Humboldt-Universitaet zu Berlin, Germany, March 12-16, 2001.
ISADS 2001 isads.utdallas.edu
  The Fifth International Symposium on Autonomous Decentralized Systems, Dallas, Texas, USA, March 26-28, 2001.
DOCSec'2001 www.omg.org/news/meetings/docsec2001/workshop.htm
  Fifth Workshop on Distributed Objects and Components Security, Annapolis, MD, USA, March 26-29, 2001.
CaLC 2001 www.math.brown.edu/~jhs/CALC/CALC.html
  Cryptography and Lattices Conference, Brown University, Providence, Rhode Island, USA, March 29-30, 2001.
ICDCS'2001 cactus.eas.asu.edu/ICDCS2001/call_for_papers.htm
  21st International Conference on Distributed Computing Systems, Phoenix, AZ, USA, April 16-19, 2001.
OPENARCH'01 www.openarch.org
  The Fourth IEEE Conference on Open Architectures and Network Programming, Hilton Anchorage Hotel, Anchorage, Alaska, April 22-23, 2001.
IHW2001 chacs.nrl.navy.mil/IHW2001
  4th International Information Hiding Workshop, Holiday Inn University Center, Pittsburgh, PA, USA, April 25-27, 2001.
WWW10 www10.org
  The Tenth International World Wide Web Conference, Hong Kong, China. May 1-5, 2001.
Eurocrypt'2001 www.ec2001.ocg.at
  20th Annual Eurocrypt Conference, Innsbruck, Austria, May 6-10, 2001.
S&P'2001 www.ieee-security.org/TC/sp2001.html
  2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 13-16, 2001.
FIRST'2001 Web: www.first.org/conference/2001/
  The 13th Annual FIRST Conference on Computer Security and Incident Handling, Toulouse, France, June 17-22, 2001.

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________

LISTWATCH: items from security-related mailing lists (December 15, 2000)
by Mary Ellen Zurko (mzurko@iris.com)
____________________________________________________________________

This issue's highlights are from DCSB, cypherpunks, risks, ACM TechNews, and Crypto-Gram.

This is a rather light issue of ListWatch. I'm in the middle of the paper review cycle of WWW10 (www10.org.hk), which is adding a lot to the standard responsibilities of job, family, the end of the year, and the holiday season.

____________________

The moderator of the Bugtraq list is beginning to refuse to post advisories from companies who send out minimal information on the problem and point readers to their web site for useful information. Both Microsoft and @Stake posted advisories that summarized a particular flaw and directed readers back to the companies' Web sites. Steve Lipner, manager of Microsoft's Security Response Center (and well known to this community), said "If we post an advisory with an error in it, we would have to go out and get the information changed wherever else it may be mirrored." Weld Pond of @stake says "I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. What we are doing is adding more information than we have in the past and we are adding it on our Web site."

____________________

A computer hacker stole credit card numbers from CreditCards.com and has been trying to extort the company. A representative said that none of the numbers were compromised. Some consumers were told that web pages with credit card numbers had been published. MSNBC verified this.
A possible victim did get asked for confirmation for an order she never placed. CreditCards.com has not contacted any of its customers.
____________________

Zero Knowledge Systems has come under a lot of fire on cypherpunks (which seems to happen any time they put out a press advisory). It started with concerns about their support of split key encryption (charges that that is a tool for third party holding of keys), kibitzing about their business strategy (privacy consultants to enterprises), and the NymIP effort (a pre-IETF BOF-like meeting to promote open standards for pseudonym protocols).
____________________

The progress of the latest US presidential election has caused more pundits to posit that computer-based voting would work better. There have been postings that smell of snake oil about tested and totally secure mechanisms for Internet voting on some lists. Peter Neumann, Rebecca Mercuri, and Lauren Weinstein wrote a sensible caution which includes the inability of public "tests" to prove much of anything security-wise, and the raft of system level issues involved in producing a secure system, including environmental concerns.
____________________

There's a lot of activity in the cybercrime law space. Hong Kong has proposed new laws that draw strong parallels between online and offline crime. A draft Council of Europe treaty would ease the cross-border constraints on tracking cybercrime. The US Justice Department has endorsed the main principles of the pact. A 27-member coalition including the ACLU, Privacy International, and Internet Society has urged the Justice Department not to follow through on the international pact for fear it will enable police agencies and other private interests to include the redesign of system architecture to facilitate surveillance. The US Chamber of Commerce is concerned that it could undermine economic growth.
Other concerns about the treaty are that it could require ISPs to keep customer data around for a specified time period, and that it could restrict the distribution of certain kinds of security tools.
____________________

Internet privacy legislation is predicted to have a good chance of being passed in some form in next year's US Congress, as it's one of the issues with bipartisan support.
____________________

An article in the Wall Street Journal claims that online stock traders are beginning to use digital signatures now that they are explicitly legal.
____________________

Class action lawsuits against MatchLogic and Avenue A charge that the companies violated the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act by placing cookies on the hard drives of consumers' computers.
____________________

The IITRI report on Carnivore is in, and so are the comments on the report. Bellovin, Blaze, Farber, Neumann, and Spafford (www.crypto.com/papers/carnivore_report_comments.html) are concerned about the limitations of the analysis: a lack of analysis of operational and "systems" issues, no evidence of a systematic search for bugs, exclusion from analysis or testing of RADIUS, and inadequate discussion of audit and logging. They say "the Department of Justice must consider an on-going process to maintain confidence in the system. One such approach is to publish the Carnivore source code for public review."
____________________

Stephen King has discontinued his self-publishing experiment. He had said that if he got $1 from at least 75% of the downloads, he'd continue. The most recent chapter only yielded a 46% payment rate.
____________________

The Digital Commerce Society of Boston is looking for speakers.
If you are in Boston on the first Tuesday of some month, are a principal in digital commerce, and would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga (rah@shipwright.com). It's a fun and stimulating group of people.
____________________

There has been a lot of digital signature backlash going on. Bruce Schneier wrote an essay on "Why Digital Signatures are not Signatures". One wag commented that 'The standards he applies to digital signatures are much too severe. I think that even pen-and-ink signatures wouldn't pass, a conclusion that would lead to the strange sentence, "Signatures aren't signatures and they can't fulfill their promise."' Some of the problems called out about digital signatures have to do with the intentions of the signer and the linkage between a person and the signing key (Bruce strongly emphasizes the former).
____________________

MIT's Technology Review magazine has a special issue looking at 10 technologies it thinks will soon have a profound impact on the economy and how we live and work. One of them is digital rights management (www.techreview.com/articles/jan01/TR10_toc.html). Various people on various lists have argued you can't do DRM without a TCB. Maybe it's time to dust off that copy of the Orange Book :-).
____________________

In a move that reminds me of a lot of the community and security discussions that occurred in NSPW 2000, Visa has announced plans that it will oblige Web merchants to protect credit card numbers and customer data from hack attacks. It will begin monitoring sites that allow transactions with Visa to ensure that the online merchants are complying with their own privacy and security policies. (www.theregister.co.uk/content/1/14625.html).
____________________

Sprint's wireless division said it will put global-positioning-system chips in its cell phones.
____________________

A security breach has forced New Jersey officials to temporarily shut down a service that allows E-ZPass users to get monthly statements via e-mail. It seems that they send a URL which is easy to guess (probably some standard format with name and month in it).
____________________

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at www.ieee-security.org/Cipher/ConfReports.html.

----------------------------------------------------------------------
A note from Carl Landwehr on DARPA's workshop on open source operating systems and security

December 20, 2000

For CIPHER:

I had the opportunity to participate in a DARPA-sponsored invitational workshop on open source operating systems and security last month that I thought might be of interest to CIPHER readers. The workshop was convened by Dr. Doug Maughan of DARPA ITO, as the first step in a new program called Composable High Assurance Trusted Systems (CHATS), aimed at developing technologies for high assurance open-source operating systems. This workshop followed one held about a year earlier on a similar topic.

Goals of the workshop were to:

1) Identify and describe key technical research areas to improve the assurance and security of existing open-source operating systems.

2) Begin discussions toward the development of a long-term architectural framework for composable, high-assurance open-source operating systems.

3) Provide a forum for interchange and community building among participants from the open source and operating system security communities.

Participants were an interesting mix of prominent contributors to open source systems, including FreeBSD, OpenBSD, Linux, and Apache, vendors, including Apple, Silicon Graphics, IBM, and Microsoft, and members of the security research community from Penn, Berkeley, Maryland, Utah, NSA, NRL, SRI, NAI Labs, Wirex, Argus (apologies to any group I have omitted!).

I was personally pleased to see a great deal of interest on the part of the open source community members on improving the security of their systems in practical ways. While I don't buy the "millions of eyes" argument that simply opening the source to a system will assure that it gets reviewed thoroughly for security flaws, it seems to me that having the source available at least makes it possible for anyone who wishes to invest in reviewing the source to do so.

Cipher readers interested in this topic should be alert for announcements from DARPA expected to issue early 2001. Program information and workshop results (both from the 1999 workshop and the 2000 workshop) will be placed at http://schafercorp-ballston.com/CHATS/ as they are released; some information is there already.

--Carl Landwehr
--Mitretek Systems

____________________________________________________________________
Book Review by Robert Bruen, Cipher Book Review Editor.
bruen@exile.ne.mediaone.net

"SSL and TLS. Designing and Building Secure Systems" by Eric Rescorla
Addison-Wesley
Index, bibliography, 2 appendices and an acronym table
ISBN 0-201-61598-3. $39.95

Secure Sockets Layer (SSL) was created at Netscape in 1994 to address the problem of secure transaction over networks using HTTP. Since then it has mutated, evolved, and been transformed by Netscape, Microsoft and others, including some very enterprising individuals. The result is that SSL is the primary method for securing web based transactions. There are open versions (openssl) and one for wireless (WTLS).
The most recent incantation is Transport Layer Security (TLS), still not yet widely deployed, but certainly appears to be the future of SSL.

It is always a pleasure to review a good technical book such as SSL and TLS. The author is not only knowledgeable, he explains everything with a rare sense of clarity without reverting to black magic and hand waving. Code examples are written in C and Java. Additional examples are given for HTTPS and mod_ssl (used to add SSL/TLS to the Apache web server). SSL and TLS was written for those of us who want to design systems and write code.

The first part of the book covers the basics of SSL, including a background chapter on cryptography. The basics cover the history and mechanics of SSL, meaning connections, handshakes, alerts and sessions. The in between chapters cover security within SSL and SSL performance. Although I like the book in general, I especially enjoyed the performance analysis chapter. Everyone knows that encrypting and decrypting take compute cycles, usually from places that are already somewhat overburdened. After acknowledging this the author then covers Amdahl's Law (used in performance tuning), then delves into I/O and the locations of transmission choke points.

The author's thoroughness in analyzing the performance problem helps considerably in understanding some of the details of SSL as well as how one ought to go about performance analysis. Graphs, timing charts and operation executions are presented in depth for both hardware and software. Java, C, algorithms and networks all come under the microscope as the author makes it look easy.

The next part of the book covers designing and coding with SSL, presenting topics such as authentication, reference integrity implementation and threads. Then there are two good chapters on HTTP (SSL) and SMTP (TLS). Why HTTP is a better match than SMTP for SSL/TLS is shown in detail.

This is a book with substance for anyone who is interested in securing systems and networks.
It is well written, informative and highly recommended.

====================================================================
Staying in Touch
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

Entered August 4, 2000

David Bell
retired, quit
2415 Andorra Place
Reston VA 20191
voice: 703-476-0839
fax: 703-476-3964
email: dbell@clark.net

Entered June 3, 2000

Randall Atkinson
Senior Scientist
Extreme Networks
PO Box 11147
McLean, VA 22102-9147
rja@inet.org

Tom Van Vleck
Encirq Inc
64 Bayonne Pl
Ocean City, NJ 08226
609-398-5926

Entered May 20, 2000

Bob Bruen
bruen@exile.ne.mediaone.net

Entered April 26, 2000

Bill Bartgis
TRW
P.O. Box 58992
Riyadh 11515
Saudi Arabia
Voice: +966.1.476.9777 ext. 42776
Fax: +966.1.478.5622
E-mail: bartgis@gibraltar.ncsc.mil

Entered March 20, 2000

Heather Hinton
IBM Tivoli Security Business Unit
9020 Capital of Texas Hwy N.
Great Hills Corporate Center
Building 1, Suite 270
Austin, TX 78759 USA
e-mail: hhinton@tivoli.com
Telephone: +1:(512)458-4037x5023
Fax: +1(512)458-2377

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from Past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
December 18, 2000
====================================================================

Information Security Group, Royal Holloway, University of London, Egham, Surrey, United Kingdom
Post-doctoral Research Assistant.
Position closes January 12, 2001.
http://isg.rhbnc.ac.uk/ISG_Jobs.htm

Department of Information and Software Engineering, George Mason University, Fairfax, VA
1 Tenure-track and 1 visiting position in security (05/01/00)
Areas of particular interest: Computer security, networking, data mining and software engineering.
Search will continue until positions are filled.
http://ise.gmu.edu/hire/

Department of Computer Science, Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
http://www.cs.purdue.edu/announce/faculty.html

Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory.
Positions beginning Fall 2000.
http://www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology, Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris.
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
http://admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science, Naval Postgraduate School, Monterey, CA
Junior and Senior Tenure Track Positions in Professorship
Areas of particular interest: Computer Security, but applicants from all areas of Computer Science will be considered.
Applications begin immediately and are open until filled.
http://apache.cs.nps.navy.mil/app/

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions at all ranks.
Several positions available. (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
http://www.cs.fsu.edu/positions/

Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
Visiting Professor (Assistant, Associate, or Full Professor levels) (9/98)
Areas of particular interest: Computer and information systems security.
http://cisr.nps.navy.mil/jobs/npscisr_prof_ad.html

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
____________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). Members of the IEEE Computer Society may join the TC via an https link.
The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application

-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name          Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                     State
___________________________________________________________
Country                  Postal Code
___________________________________________________________
Office Phone             Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters. Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES

[ X ] T27 Security and Privacy

Please Return Form To:

IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you.

Proceedings of the IEEE Symposium on Security and Privacy
--------------------------------------
2000    $25.00
1999    -- SOLD OUT --
1998    $15.00

For domestic shipping and handling, add $3.20 (3 volumes or fewer).

For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume

If you would like to place an order, please specify
* how many issues you would like, and
* where to send them, and
* the shipping method (air or surface) for overseas orders.

For mail orders, please send a check in US dollars, payable to the "2000 IEEE Symposium on Security and Privacy" to:

Brian J. Loe
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113
U S A

For electronic orders, in addition to the information above, please send the following credit card information to brian.loe@computer.org:
- the name of the cardholder,
- type of card (VISA, Mastercard, American Express, and Diner's Club are accepted)
- credit card number, and
- the expiration date.

You may use the following PGP public key to encrypt any information that you're not comfortable sending as cleartext.

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundation Workshop (CSFW13) took place the 3rd through 5th of July 2000 in Cambridge, UK. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of earlier proceedings starting with year 5 are available at $10. Photocopy versions of year 1 are also $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:

Joshua Guttman, MS A150
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org

____________________________________________________________________
TC Officer Roster
____________________________________________________________________

Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Past Chair:
Charles P. Pfleeger
Arca Systems, Inc.
8229 Boone Blvd, Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org

Vice Chair:
Michael Reiter
Bell Laboratories
600 Mountain Ave., Room 2A-342
Murray Hill, NJ 07974 USA
(908) 582-4328 (voice)
(908) 582-1239 (fax)
reiter@research.bell-labs.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #40, December 19, 2000============