Subject: Electronic CIPHER, Issue 45, November 17, 2001
====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 45 November 17, 2001
Jim Davis, Editor
Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html
Contents:
* Letter from the Editor
* Conference and Workshop Announcements
o Upcoming calls-for-papers and events
o Information on the 2002 IEEE Symposium on Security and Privacy
(May 12-15, 2002) can be found at www.ieee-security.org/TC/SP-Index.html
o Information on the 15th IEEE Computer Security Foundations Workshop
(June 24-26, 2002) can be found at
www.csl.sri.com/programs/security/csfw/index.html. The call for papers
is included in the News Bits section below.
* News Briefs:
o LISTWATCH by Mary Ellen Zurko will return January 15, 2002
o Correspondence from TCSP Chair Tom Berson
o Carl Landwehr leads new NSF program in Trusted Computing
o News Bits: correspondence and announcements
* Commentary and Opinion
o Mary Ellen Zurko's review of the New Security Paradigms Workshop
(September 10-13, 2001)
* Reader's guide to recent security and privacy literature,
by Anish Mathuria
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
We are pleased to bring you another issue of Cipher! In it you will
find a review of NSPW by Mary Ellen Zurko, an updated Reader's Guide
by Anish Mathuria, and a note from Tom Berson. As you know, Tom Berson's
term as Chair of the TCSP is coming to a close. I know you join me in
thanking Tom for his leadership and wisdom during his tenure. The TCSP
Chair position will continue to be well-served when current Vice Chair
Mike Reiter steps forward. Welcome Mike!
I'd like to put out the call for more conference reviews for Cipher.
If you have interest in contributing, please let me know. Also, are there
items you would like to see in future issues of Cipher? I would appreciate
hearing your ideas. Many thanks to our colleagues who contributed to this
issue!
Best regards,
Jim Davis
davis@iastate.edu
11/17/2001
====================================================================
Conference and Workshop Announcements
====================================================================
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, e-mail for more info.
See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html)
for details on many of these listings. Also worth a look are the
ICL calendar and the IACR site, and several others.
12/10/01-12/14/01: 17th ACSAC, New Orleans, Louisiana,
www.acsac.org/2001/cfp/
12/16/01-12/20/01: Indocrypt '2001, Chennai, India
5/13/02- 5/15/02: (tentative date) IEEE S&P 2002
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________
IEEE Journal on Selected Areas in Communications, Special issue on Design
and Analysis Techniques for Security Assurance. Publication: 1st
quarter 2003. Editors: Li Gong (SUN Microsystems), Joshua Guttman
(The MITRE Corp), Peter Ryan (Carnegie Mellon University), and
Steve Schneider (University of London). Submission deadline is
March 1, 2002.
Information security plays a dominant and increasingly critical role
in society. It is therefore essential that we have effective tools and
techniques to design and evaluate secure systems and demonstrate that
they meet their security requirements. The application of rigorous methods
to the specification, modeling, analysis, and design of security-critical
systems has made considerable strides in recent years, and the field is
rapidly gaining in maturity. The scope of this issue will range over all
rigorous, mathematically well founded, approaches to all aspects of
security system development. This issue is intended to gather together
the leading edge approaches in this area. Papers are solicited in the
following areas:
* Security protocol analysis
* Computer security models and policies
* Information flow
* Secure architectures
* Mobility
* Tools for security analysis
* Languages
* Logics
* Static/typechecking techniques
* Smartcards
Original, unpublished contributions and invited articles will be considered
for the issue. The paper should be no longer than 20 double-spaced pages,
excluding illustrations and graphs and follow the IEEE J-SAC manuscript
format described in the Information for Authors. Authors wishing to submit
papers should send an electronic version (postscript or PDF files ONLY) to
Steve Schneider at S.Schneider@rhul.ac.uk by March 1, 2002.
--------
IPTPS'02 The First International Workshop on Peer-to-Peer Systems,
Cambridge, MA, USA, March 7-8, 2002. (submissions due December 3, 2001)
Peer-to-peer has emerged as a promising new paradigm for distributed computing.
The 1st International Workshop on Peer-to-Peer Systems (IPTPS'02) aims to
provide a forum for researchers active in peer-to-peer computing to discuss
the state-of-the-art and to identify key research challenges in peer-to-peer
computing. The goal of the workshop is to examine peer-to-peer technologies,
applications and systems, and also to identify key research issues and
challenges that lie ahead. In the context of this workshop, peer-to-peer systems
are characterized as being decentralized, self-organizing distributed systems,
in which all or most communication is symmetric. Topics of interest include,
but are not limited to:
* novel peer-to-peer applications and systems
* peer-to-peer infrastructure
* security in peer-to-peer systems
* anonymity and anti-censorship
* performance of peer-to-peer systems
* workload characterization for peer-to-peer systems
See the conference web page at www.cs.rice.edu/Conferences/IPTPS02/ for details.
POLICY2002 IEEE Third International Workshop on Policies for Distributed
Systems and Networks, June 5-7, 2002. (submissions due December 7, 2001)
POLICY 2002 invites contributions on all aspects of policy-based computing.
Papers must describe original work and must not have been accepted or submitted
for publication elsewhere. Submitted papers will be evaluated for technical
contribution, originality, and significance. Topics of interest include, but
are not limited to the following:
* processes, methodologies, and tools for discovering, specifying,
reasoning about, and refining policy
* abstractions and languages for policy specification
* policy models for access-control, systems management, QoS adaptation,
intrusion detection, privacy
* policy based networking
* policy frameworks for active networks, mobile systems, e-commerce
* implementation models and techniques
* integrating policies into existing systems and environments
* provisioning of policies
* business rules and organizational modeling
* trust models and trust management
* extensions and refinements to policy standards
* case studies of applying policy-based technologies
See the conference web page at www.policy-workshop.org/2002/ for details.
PET2002 Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA,
April 14-15, 2002. (submissions due December 10, 2001)
Privacy and anonymity are increasingly important in the online world.
Corporations and governments are starting to realize their power to track
users and their behavior, and restrict the ability to publish or retrieve
documents. Approaches to protecting individuals, groups, and even companies
and governments from such profiling and censorship have included
decentralization, encryption, and distributed trust. The workshop seeks
submissions from academia and industry presenting novel research on all
theoretical and practical aspects of privacy technologies, as well as
experimental studies of fielded systems. We encourage submissions from
other communities such as law and business that present these communities'
perspectives on technological issues. We will publish accepted papers in
proceedings in the Springer Lecture Notes in Computer Science (LNCS) series.
Suggested topics include but are not restricted to:
* Efficient realization of privacy services
* Techniques for and against traffic analysis
* Attacks on anonymity systems
* New concepts for anonymity systems
* Novel relations of payment mechanisms and anonymity
* Models for anonymity and unobservability
* Models for threats to privacy
* Techniques for censorship resistance
* Resource management in anonymous systems
* Pseudonyms, linkability, and trust
* Policy and human rights -- anonymous systems in practice
* Fielded systems and privacy enhancement techniques for existing systems
* Frameworks for new systems developers
More information can be found on the workshop web page at www.pet2002.org.
NCISSE'2002 The 6th National Colloquium for Information Systems Security
Education, Redmond, Washington, USA, June 3-7, 2002. (submissions due
January 15, 2002)
The colloquium solicits papers from practitioners, students, educators,
and researchers. The papers should discuss course or lab development,
INFOSEC curricula, standards, best practices, existing or emerging programs,
trends, and future vision, as well as related issues. We are especially
interested in novel approaches to teaching information security as well
as what should be taught. This includes the following general topics:
- Assessment of need (e.g. how many information security
workers/researchers/faculty are needed?)
- Integrating information assurance topics in existing graduate or
undergraduate curricula
- Experiences with course or laboratory development
- Alignment of curriculum with existing information assurance education
standards
- Emerging programs or centers in information assurance
- Late breaking topics
- Best practices
- Vision for the future
Papers reporting work in progress are also welcomed, especially if enough
information to evaluate the work will be available at the time of the
colloquium. Please see the NCISSE web site at www.ncisse.org for details on
submitting a paper.
CSFW15 15th IEEE Computer Security Foundations Workshop, Keltic Lodge,
Cape Breton, Nova Scotia, Canada, July 29-31, 2002. (submissions due
February 5, 2002)
This workshop series brings together researchers in computer science to examine
foundational issues in computer security. For background information about
the workshop, and an html version of this Call for Papers, see the CSFW home
page www.csl.sri.com/csfw/index.html We are interested both in new results
in theories of computer security and also in more exploratory presentations
that examine open questions and raise fundamental concerns about existing
theories. Both papers and panel proposals are welcome. Possible topics include,
but are not limited to:
* Access control
* Authentication
* Data and system integrity
* Database security
* Network security
* Distributed systems security
* Anonymity
* Intrusion detection
* Security for mobile computing
* Security protocols
* Security models
* Decidability issues
* Privacy
* Executable content
* Formal methods for security
* Information flow
* Language-based security
Trust and Privacy in Digital Business (in conjunction with DEXA 2002),
Aix-en-Provence, France, September 2-6, 2002. (submissions due
February 21, 2002)
The Internet and the powerful WWW have created a tremendous opportunity to
conduct business electronically. However, the lack of trust in electronic
procedures as well as the diversity of threats to users' privacy are the
major inhibitors for a full deployment of digital business. The purpose of this
workshop is twofold: First, all issues of digital business, focusing on trust
and privacy problems will be discussed. Second, the workshop will be a forum for
the exchange of results and ongoing work performed in R&D projects. Authors are
invited to submit papers describing both theoretical and practical work to:
trustbus02@wi-inf.uni-essen.de or trustbus02@lcc.uma.es. Papers accepted for
presentation will be published by IEEE Computer Society Press as proceedings
of the DEXA'02 workshops. More information can be found on the workshop web
site at www.wi-inf.uni-essen.de/~dexa02ws/
The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and Application
Security, King's College, University of Cambridge, UK, July 29-31, 2002.
(submissions due March 22, 2001)
The conference provides a forum for presenting original unpublished research
results, practical experiences, and innovative ideas in data and applications
security. Papers and panel proposals are solicited. The conference is limited
to about forty participants so that ample time for discussion and interaction
may occur. Additional information and a list of topics can be found at
www.cis.utulsa.edu/ifip02. The conference location can be explored at
www.kings.cam.ac.uk/ and the WG 11.3 home page is at
sansone.crema.unimi.it/~ifip113.
ASIACRYPT 2002 Queenstown, New Zealand, December 1-5, 2002.
(submissions due May 24, 2002)
Original papers on all technical aspects of cryptology are solicited for
submission to Asiacrypt 2002. The conference is organized by the International
Association for Cryptologic Research (IACR). Submissions must not substantially
duplicate work that any of the authors has published elsewhere or has submitted
in parallel to any other conference or workshop that has proceedings. More
information can be found on the conference web page at www.sis.uncc.edu/ac02.
====================================================================
Conferences and Workshops
(the call for papers deadline has passed)
====================================================================
IW2001 www.we-bcentre.com/iw2001/
2nd Australian Information Warfare and Security Conference,
Scarborough, Perth, Western Australia, November 29-30, 2001.
Yuforic'01 yuforic.upv.es
Youth Forum in Computer Science and Engineering, Valencia, Spain,
November 29-30, 2001.
ACSAC'2001 www.acsac.org/2001/cfp
17th Annual Computer Security Applications Conference, New Orleans,
USA, December 10-14, 2001.
Indocrypt'2001 www.cs.iitm.ernet.in/indocrypt
Second International Conference on Cryptology in India, Chennai, India,
December 16-20, 2001.
WITS'2001 www.cs.iitm.ernet.in/indocrypt
Workshop on Issues in the Theory of Security (in conjunction with POPL'02),
Portland, Oregon, USA, January 14-15, 2002.
FAST 2002 www.usenix.org/events/fast/cfp/
File and Storage Technologies Conference, Monterey, CA, USA,
January 28-29, 2002.
Cryptographer's Track at the RSA 2002 Conference, San Jose, California,
USA, February 18-22, 2002. www.rsaconference.com/rsa2002/cryptotrack.html.
PKC'2002 www.novamedia.fr/conferences/conferences/confpkc.html
International Workshop on the Practice and Theory of Public Key
Cryptography, Paris, France, February 12-14, 2002.
FC'2002 www.crypto.com/papers/fc02cfp.html
Financial Cryptography, Southampton, Bermuda, March 11-14, 2002.
WWW2001 www2002.org
The Eleventh International World Wide Web Conference, Sheraton Waikiki Hotel,
Honolulu, Hawaii, USA, May 7-11, 2002.
DSN2002 www.dsn.org
The International Conference on Dependable Systems and Networks, Bethesda,
Maryland, USA, June 23-26, 2002.
FIRST www.first.org/
The 14th Annual Computer Security Incident Handling Conference, Hilton
Waikoloa Village, Hawaii, USA, June 24-28, 2002.
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html
____________________________________________________________________
LISTWATCH: items from security-related mailing lists (September 7, 2001)
by Mary Ellen Zurko (mzurko@iris.com)
LISTWATCH will return January 15, 2002
____________________________________________________________________
____________________________________________________________________
Correspondence from Tom Berson, Chair of the TCSP
November 11, 2001
____________________________________________________________________
Dear Member of the TC on Security and Privacy,
This is a season of change. Even here in California the days grow short and
the nights grow chill at the approach of winter.
There's a verse toward the end of Tennyson's Idylls of the King, a retelling
of the Arthurian Romance that reads,
The old order changes, yielding place to new;
And God fulfils himself in many ways,
Lest one good custom should corrupt the world.
Arthur is dead; things are not necessarily better; life must go on.
Certainly the old order was changed by the tragic events of 11 September
and their aftermath. We have the responsibility as information security
professionals to use our skills and knowledge to protect and defend what
we hold precious. There was not a significant cyber component to the
attacks we have witnessed. Neither has there been a significant role yet
for cyber defense. Still, my phone hasn't stopped ringing with queries about
cyberterrorism. People are looking for informed opinion and guidance in a
time of widespread anxiety. This is an important role for our community.
I know that each of you will do your part to encourage debate and
effective preparation based on facts rather than on wild speculations.
There's another change in the air. This is my last letter to you as TC Chair.
I will be succeeded on 1 January 2002 by Mike Reiter, who has been our
Vice Chair for the past two years. This is a planned succession, and it's
a good thing. We are fortunate in our TC to have many talented members who
volunteer some of their time to help run the TC. To all of you who have
helped during the past two years: many thanks for your help. To those who
haven't yet volunteered: if not now, when?
The Oakland conference this year will be very important. It will be the first
post-attack opportunity for us to get together, to tell one another our
stories, and to discover how our work is relevant in this new time. I'll
see you there.
All the best,
--Tom Berson
____________________________________________________________________
Carl Landwehr leads a new NSF initiative in Trusted Computing
October 25, 2001
____________________________________________________________________
Colleagues and Friends,
I'm pleased to tell you that I've recently assumed the position of Director
of the Trusted Computing program at the National Science Foundation. I am
very happy to have the opportunity to help NSF build a strong, focused
research program in this area, and I look forward to working with you and
my other colleagues in government, academe, and industry to make this happen.
Initially, this is a one-year appointment to help get the program started;
I am on leave from my position as Senior Fellow with Mitretek Systems.
Let me first direct you to the initial announcement for the Trusted Computing
program: www.nsf.gov/pubs/2001/nsf01160/nsf01160.html The deadline for
proposals is 5 December; if you are in a position to conduct research in
this area, I encourage you to consider submitting a proposal. NSF focuses on
funding research at universities and not-for-profit organizations. I also
hope you will consider helping me staff the review panels for the proposals
that are submitted.
My new contact information is provided below; please use this e-mail address
for future correspondence.
Best regards,
--Carl
Carl E. Landwehr
Program Director, Trusted Computing
CISE/CCR
Suite 1175
National Science Foundation
4201 Wilson Blvd.
Arlington, VA 22230
e-mail: clandweh@nsf.gov
phone: 703-292-8936
fax: 703-292-9059
____________________________________________________________________
News Bits
____________________________________________________________________
Gary McGraw's new book "Building Secure Software" was just published by
Addison-Wesley as part of the Professional Computing Series. AW's web site
is undergoing renovation and is temporarily down. You should be able to
obtain more information soon at www.aw.com/aw/.
____________________
Note From Heather Hinton, General Chair of the 2002 S&P symposium:
Please welcome Terry Hall of Boeing to the Security and Privacy Leadership
group. Terry has graciously volunteered to take over as treasurer from
Brian Loe. Terry has been with Boeing (and previous Boeing-bought companies)
for 6 years. Brian has recently changed jobs and is no longer able to act
as Treasurer. He has certainly worked hard enough to deserve the break.
Many thanks for your time and dedication over the last several years, Brian.
Welcome Terry and many thanks Brian!
____________________
Early registration for the Annual Computer Security Applications Conference
(ACSAC) has been extended to November 30, 2001. Some hotel rooms may be
available at the Sheraton at the ACSAC block rate (equal to the US Govt.
per diem rate), so be sure to mention this conference when you reserve.
The Advance Program for the 17th Annual Computer Security Applications
Conference (ACSAC) is on our web site at www.acsac.org.
The Conference will be held 12 - 14 December 2001 in New Orleans, Louisiana,
USA. Our tutorials will be held on 10 - 11 December 2001.
This year's program features 13 tutorials, 42 papers, 4 panels, and a
number of case studies. New this year are three "classic papers", a
"Birds of a Feather" session on Wednesday evening, and a "Works in
Progress" session on Thursday evening.
____________________
Call For Papers
15th IEEE Computer Security Foundations Workshop
June 24-26, 2002
Keltic Lodge, Cape Breton, Nova Scotia, Canada
Sponsored by the Technical Committee on Security and Privacy of the
IEEE Computer Society
This workshop series brings together researchers in computer science to
examine foundational issues in computer security. For background
information about the workshop, and an html version of this Call for
Papers, see the CSFW home page www.csl.sri.com/csfw/index.html.
We are interested both in new results in theories of computer security
and also in more exploratory presentations that examine open questions
and raise fundamental concerns about existing theories. Both papers and
panel proposals are welcome.
Possible topics include, but are not limited to:
* Access control
* Authentication
* Data and system integrity
* Database security
* Network security
* Distributed systems security
* Anonymity
* Intrusion detection
* Security for mobile computing
* Security protocols
* Security models
* Decidability issues
* Privacy
* Executable content
* Formal methods for security
* Information flow
* Language-based security
For background information about the workshop, see
www.csl.sri.com/csfw/index.html. This year the workshop will be held in
Cape Breton, Nova Scotia, Canada. For background information about the
location and the organization, see last year's edition web page
www.csl.sri.com/csfw/csfw14.
The proceedings are published by the IEEE Computer Society Press and will
be available at the workshop. Selected papers will be invited for submission
to the Journal of Computer Security. In addition, attendees will receive
"CSFW 1-15", a compendium CD-ROM containing papers from CSFW-15 and all
previous editions of the workshop.
Instructions for Participants
Submission is open to anyone. Workshop attendance is limited to about 50
participants. Submitted papers must not substantially overlap papers that
have been published or that are simultaneously submitted to a journal or a
conference with a proceedings. Papers should be at most 20 pages long
excluding the bibliography and well-marked appendices (using 11-point font,
single column format, and reasonable margins on 8.5x11-inch paper),
and at most 25 pages total. Alternatively, papers can be submitted using the
two-column IEEE Proceedings style available for various document preparation
systems at ftp://pubftp.computer.org/Press/Outgoing/proceedings/. Papers
in this style should be at most 12 pages long (at most 15 pages including
bibliography and appendices). The page limit will be strictly adhered to.
Committee members are not required to read the appendices, and so the paper
should be intelligible without them. Proposals for panels should be no longer
than five pages in length and should include possible panelists and an
indication of which of those panelists have confirmed participation.
To submit a paper, send to s.schneider@rhul.ac.uk a plain ASCII text email
containing the title and abstract of your paper, the authors' names, email
and postal addresses, phone and fax numbers, and identification of the
contact author. To the same message, attach your submission (as a MIME
attachment) in PDF or portable postscript format. Do NOT send files
formatted for word processing packages (e.g., Microsoft Word or
WordPerfect files). Submissions received after the submission deadline or
failing to conform to the guidelines above risk rejection without
consideration of their merits. Where possible all further communications
to authors will be via email. If for some reason you cannot conform to
these submission guidelines, please contact the program chair at
s.schneider@rhul.ac.uk. At least one coauthor of each accepted paper is
expected to attend CSFW-15. Papers that do not adhere to this policy will
be removed from the proceedings.
Important Dates
Submission deadline: February 5, 2002
Notification of acceptance: March 15, 2002
Camera-ready papers: April 9, 2002
Program Committee
Drew Dean, SRI International, USA
Yves Deswarte, LAAS-CNRS, France
Riccardo Focardi, University of Venice, Italy
Dieter Gollmann, Microsoft Research, UK
Joshua Guttman, MITRE, USA
Masami Hagiya, University of Tokyo, Japan
Alan Jeffrey, DePaul University, USA
Fabio Massacci, University of Trento, Italy
Cathy Meadows, Naval Research Labs, USA
John Mitchell, Stanford, USA
Peter Ryan, Carnegie Mellon University, USA
Andrei Sabelfeld, Chalmers University, Sweden
Steve Schneider (chair), Royal Holloway, University of London, UK
Vijay Varadharajan, Macquarie University, Australia
Rebecca Wright, AT&T Labs, USA
Workshop Location
Like last year's edition, the workshop will be held at the Keltic Lodge in
beautiful Cape Breton, Nova Scotia. Located on a narrow peninsula on the
Atlantic Ocean, the Lodge's comfortable rooms offer breathtaking views of
the rugged shore, vibrant in sunny days and majestic when shrouded in mist.
Activities on the premises include tennis, swimming in the heated pool, golf,
and mountain biking. The picturesque fishing villages along the scenic Cabot
Trail offer opportunities to get acquainted with the local lifestyle and also
to embark in such activities as ocean swimming, whale watching, and sea
kayaking. Moose, bears and other wildlife are often seen while hiking and
camping in the surrounding Cape Breton Highlands National Park. Cape Breton
also hosts the final home of Alexander Graham Bell and the station from which
Guglielmo Marconi transmitted the first recorded East-bound radio signal
across the Atlantic. The Keltic Lodge is 4 hours by car from Halifax
International Airport along a magnificent drive. There are direct flights
between Halifax and numerous European and American cities. Sydney Regional
Airport is 1 1/2 hours by car from the Keltic Lodge and has flights every
2 hours to Halifax. More travel information can be found from the CSFW website.
Additional Information
The web page of CSFW-14, at www.csl.sri.com/csfw/csfw14, (same location,
same organization) contains relevant information and is likely to provide
answers to many questions. For further information contact:
General Chair
Iliano Cervesato
ITT Industries, Inc. - AES Division
2560 Huntington Avenue
Alexandria, VA 22303-1410
USA
+1-202-404-4909
iliano@itd.nrl.navy.mil
Program Chair
Steve Schneider
Department of Computer Science
Royal Holloway, University of London
Egham, Surrey, TW20 0EX
UK
+44 1784 443431
s.schneider@rhul.ac.uk
Publications Chair
Jonathan Herzog
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730-1420
USA
jherzog@mitre.org
_______________________
News Bits contains correspondence, interesting links, non-commercial
announcements and other snippets of information the editor thought that
Cipher readers might find interesting. And, like a UCITA protected
product, by reading the above page you have already agreed to not hold
the editor accountable for the correctness of its contents.
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.
____________________________________________________________________
Conference Report on
New Security Paradigms Workshop (NSPW)
September 10-13, 2001
by Mary Ellen Zurko
____________________________________________________________________
NSPW 2001 Conference Report
New Security Paradigms Workshop was held September 10 - 13, 2001 at
Cloudcroft, New Mexico, USA. It was sponsored by the Association for
Computing Machinery with Support from the Department of Defense, USA,
and SEI/CERT. The first session began on Tuesday, September 11, after
a recognition of the tragedy of the attacks and of various participants'
needs to contact loved ones.
Session 1, Creative Mathematics, was chaired by Mike Williams.
The first paper was "Computational Paradigms and Protection" by Simon N.
Foley and John P. Morrison. Simon presented. Their security model uses the
sequencing control in parallel and concurrent programming to specify access
control over the states in a transaction. In the traditional imperative
paradigm, the programmer must explicitly specify the sequencing constraints
on operations. The availability and coercion paradigms take a sequence of
operations and drive it from either the beginning or the end result. In the
availability paradigm, operations run when their input data is available.
In the coercion paradigm, operations are executed when their results are
needed. The authors suggest that casting protection in the availability or
coercion styles provides the basis for more flexible and distributed
control over the sequencing and mediation of the operations. They use the
Condensed Graph model to specify the flow and triggers. An operation may be
scheduled to a particular security domain if the domain is permitted to
execute the operation. The example equates these permissions with user
roles. A tenaciously protected operation will only produce results in an
appropriate domain, while a fragilely protected operation may produce null
if it is not in an appropriate domain when it fires. They have a prototype
implementation of this system.
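As an added illustration of the availability paradigm described above (this is an example written for this report, not the authors' Condensed Graph prototype), the following Python sketches a data-driven scheduler: an operation fires as soon as its inputs exist, is scheduled only to a domain whose role is permitted to execute it, and is protected either tenaciously or fragilely. The role names, the purchase workflow, and the rule that a null produced upstream propagates downstream are assumptions made for the example.

```python
"""Availability-paradigm (data-driven) scheduling with domain-based protection.

Added example; not the Foley/Morrison prototype.  Assumptions: a security
domain is identified by the role that runs it; an operation may be scheduled
to a domain only if that role is in its permitted-role set; a tenaciously
protected operation waits for a permitted domain; a fragilely protected one
fires anyway and yields None in an unpermitted domain; a None flowing into an
operation propagates as None.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Op:
    name: str
    inputs: List[str]            # operations whose results this one consumes
    fn: Callable[..., object]
    roles: Set[str]              # roles permitted to execute this operation
    tenacious: bool = True       # False = fragile protection


def run_graph(ops: Dict[str, Op], domains: List[str],
              max_rounds: int = 10) -> Dict[str, Optional[object]]:
    """Fire each operation as soon as all of its inputs are available.

    `domains` lists the roles of the domains offered to the scheduler.  Returns
    results keyed by operation name; a tenacious operation that never finds a
    permitted domain stays unfired and is absent from the result.
    """
    results: Dict[str, Optional[object]] = {}
    for _ in range(max_rounds):
        progressed = False
        for op in ops.values():
            if op.name in results or not all(i in results for i in op.inputs):
                continue                              # fired already, or inputs not yet available
            args = [results[i] for i in op.inputs]
            if any(a is None for a in args):
                results[op.name] = None               # upstream null propagates (assumption)
            elif any(d in op.roles for d in domains):
                results[op.name] = op.fn(*args)       # a permitted domain exists: fire there
            elif op.tenacious:
                continue                              # tenacious: keep waiting
            else:
                results[op.name] = None               # fragile: fires, produces null
            progressed = True
        if not progressed:
            break
    return results


def purchase_transaction(domains: List[str]) -> Dict[str, Optional[object]]:
    """Constructed example: a clerk prepares a purchase, a manager approves it,
    a clerk pays, and an auditor (fragile protection) logs the receipt."""
    ops = {
        "prepare": Op("prepare", [], lambda: {"amount": 1200}, {"clerk", "manager"}),
        "approve": Op("approve", ["prepare"], lambda req: dict(req, approved=True), {"manager"}),
        "pay":     Op("pay", ["approve"], lambda req: f"paid {req['amount']}", {"clerk"}),
        "audit":   Op("audit", ["pay"], lambda r: f"logged: {r}", {"auditor"}, tenacious=False),
    }
    return run_graph(ops, domains)
```

With clerk and manager domains available the transaction completes and the fragile audit step yields null; with only a clerk domain the tenacious approval step never fires, so payment never becomes available either.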
The next paper was "Secure Multi-Party Computation Problems and their
Applications: A Review and Open Problems" by Wenliang (Kevin) Du and
Mikhail J. Atallah. Kevin presented. After an overview of what Secure
Multi-party Computation (SMC) is and the related work in the area, Kevin
discussed their framework for identifying and defining SMC problems for a
spectrum of computation domains. Their transformation framework
systematically transforms normal computations into SMC computations.
Computations can be multi-input (often two) or single-input. The inputs are
considered private, and sometimes the results are too. In the latter case,
some participating party is not allowed to know the results. The SMC model
assumes two parts of input, coming from two different parties,
each of whom keeps their input private. In the single-input case, the
input is divided into two data sets. In the homogeneous transformation,
each data item maintains its atomicity. In the heterogeneous
transformation, each data item is split in two. Problems identified with
this framework include privacy-preserving (PP) database queries, PP data
mining, PP intrusion detection, PP statistical analysis, PP geometric
computations, and PP scientific computations.
The next paper was "Model-Carrying Code (MCC): A New Paradigm for
Mobile-Code Security" by R. Sekar, C.R. Ramakrishnan, I.V. Ramakrishnan and
S.A. Smolka. Sekar presented. The primary motivation is that with existing
approaches, neither the producer nor the consumer can unilaterally
determine the security needs of a mobile program. This vision includes
consumers refining their policies when mismatches occur. In addition to
conformance with the consumer's policy, their approach checks if the model
represents a safe approximation of program behavior, based on the
particular execution of the program at the consumer's site. With MCC,
mobile code comes equipped with an expressive yet concise model of the
code's security relevant behavior. The code can be restricted to that
model, as accepted by the consumer, when it runs. Alternatively, the
consumer can trust a signature over the code and model, or rely on
proof-carrying code to check the code against the model. The approach is
applicable to code written in C or C++; it is not language-specific or
limited to type-safe languages. It is an alternative to approaches such as
proof-carrying code and Java security. They use extended finite-state
automata to represent program models. They have looked at compile-time
analysis and machine learning to generate the models.
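The following Python, added here as an illustration and not the authors' MCC implementation, works through the three pieces the paper describes: a finite-state model of a program's security-relevant system calls (the paper uses extended finite-state automata; this one is plain, with prefix patterns on arguments), a conformance check of that model against a consumer policy written as a security automaton, and run-time enforcement that stops the program at the first call its model does not cover. The policy, the two models and the traces are constructed for the example.

```python
"""Model-carrying code in miniature: program model, consumer policy,
model-vs-policy conformance check, and run-time enforcement of the model.

Added example, not the authors' MCC code.  Models and policies are plain
finite-state automata over (syscall, argument) events; argument patterns are
exact strings or prefixes ending in '*'.  Policy, models and traces are
constructed for this illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str, str]          # (syscall, argument pattern, next state)
Event = Tuple[str, str]              # (syscall, concrete argument)


@dataclass(frozen=True)
class Automaton:
    start: str
    transitions: Dict[str, List[Rule]]   # source state -> rules
    bad: Optional[str] = None            # policies only: the 'violation' state


def matches(pattern: str, arg: str) -> bool:
    return arg.startswith(pattern[:-1]) if pattern.endswith("*") else arg == pattern


def may_overlap(p: str, q: str) -> bool:
    """Could one concrete argument match both patterns?"""
    ps, qs = p.rstrip("*"), q.rstrip("*")
    if p.endswith("*") and q.endswith("*"):
        return ps.startswith(qs) or qs.startswith(ps)
    if p.endswith("*"):
        return qs.startswith(ps)
    if q.endswith("*"):
        return ps.startswith(qs)
    return ps == qs


def policy_successors(policy: Automaton, state: str, syscall: str, pattern: str) -> Set[str]:
    """Policy states reachable on some concrete event a model transition may emit.
    The current state is always kept (uncovered events self-loop), so the check
    over-approximates and never misses a violation."""
    succ = {state}
    for sc, pat, nxt in policy.transitions.get(state, []):
        if sc == syscall and may_overlap(pat, pattern):
            succ.add(nxt)
    return succ


def check_model(model: Automaton, policy: Automaton) -> Optional[List[Event]]:
    """Breadth-first search of the model x policy product: a witness sequence of
    model transitions that reaches the policy's bad state, or None if the model
    conforms.  This is the consumer's pre-execution check."""
    start = (model.start, policy.start)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (ms, ps), path = queue.popleft()
        for sc, pat, mnext in model.transitions.get(ms, []):
            for pnext in policy_successors(policy, ps, sc, pat):
                if pnext == policy.bad:
                    return path + [(sc, pat)]
                if (mnext, pnext) not in seen:
                    seen.add((mnext, pnext))
                    queue.append(((mnext, pnext), path + [(sc, pat)]))
    return None


def enforce(model: Automaton, trace: List[Event]) -> Tuple[bool, Optional[int]]:
    """Run-time enforcement: (True, None) if the observed trace stays inside the
    model, else (False, index of the first call the model does not allow)."""
    state = model.start
    for i, (sc, arg) in enumerate(trace):
        for s, pat, nxt in model.transitions.get(state, []):
            if s == sc and matches(pat, arg):
                state = nxt
                break
        else:
            return False, i
    return True, None


# Consumer policy: never open /etc/shadow; never connect out after reading /home/.
POLICY = Automaton("clean", {
    "clean":    [("open", "/etc/shadow", "deny"), ("open", "/home/*", "readhome")],
    "readhome": [("open", "/etc/shadow", "deny"), ("connect", "*", "deny")],
}, bad="deny")

# Model shipped with a well-behaved program: read resolver config, connect, write under /tmp.
GOOD_MODEL = Automaton("s0", {
    "s0": [("open", "/etc/resolv.conf", "s1")],
    "s1": [("connect", "*", "s2")],
    "s2": [("write", "/tmp/*", "s2")],
})

# Model of a program that reads the home directory and then connects out.
LEAKY_MODEL = Automaton("s0", {
    "s0": [("open", "/home/*", "s1")],
    "s1": [("connect", "*", "s2")],
})
```

The witness returned for a mismatch is what the consumer would inspect before deciding whether to refine the policy; the enforcement index is where a monitor would terminate a program whose actual behaviour strays from the model it carried.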
Session 2: Survivability, was chaired by Abe Singer.
The first paper of that session was "Heterogeneous Networking - A New
Survivability Paradigm" by Yongguang Zhang, Son K. Dao, Harrick Vin, Lorenzo
Alvisi, and Wenke Lee. Yongguang presented. Their paper proposes
systematically increasing a network's heterogeneity to improve its
defense capabilities, without sacrificing interoperability. Their diversity
space diagram organizes functional capabilities of a network (protocols,
routers) along the dimensions of operating systems, communication medium
and service model. The distance between any two elements would represent
their vulnerability to attacks. A key question is how many elements a
survivable network needs to support. In principle, composing different
selections of network elements from each functional capability layer can
yield different versions of an end-to-end network service. Their
methodology supports network reconstitution through heterogeneous
replication and dynamic reconfiguration. IDS reports drive the dynamic
behavior. As an example of their heterogeneous service model, they show the
standard client/server WWW application over the Internet being replicated
with a broadcast/filter information dissemination application over a
satellite network. Discussion points that will be integrated into the final
paper include problems with single physical points of failure (the dreaded
backhoe attack) and studies that show that different programmers given the
same problem produce solutions with overlapping vulnerabilities.
The next paper was "Safe and Sound: a safety-critical approach to security
(Position Paper)" by Sacha Brostoff and M. Angela Sasse. Sacha presented.
Their emphasis is on socio-technical design of security. They note that
safety-critical systems design has similar goals and issues as security
design. One similarity is that failures in both types of systems may result
in an attribution of failure that does more to identify whom to blame than
it does to fix the problem. One difference they point out is that violation
of security rules is encouraged in certain contexts to identify security
flaws. They suggest Reason's Generic Error Modeling System (GEMS) as a
starting point. It identifies three error types: slips (attentional
failures), lapses (memory failures), and mistakes (intended action that
leads to unintended result). With violations, these form the class of
unsafe acts. An organization is described by decision-makers, line
managers, preconditions, productive activities, and defenses. The model's
distinction between active and latent failures offers a way to identify and
address security issues that involve human behavior.
Session 3 was a discussion session, chaired by Bob Blakley, based on Victor
Raskin's "Ontology in Information Security: A Useful Theoretical Foundation
and Methodological Tool". Victor argues that the security community needs
an ontology. He has seen researchers argue about the definition of terms
such as anonymity, unlinkability, unobservability, and pseudonym. An
ontology is a highly structured system of concepts covering the processes,
objects, and attributes of a domain in all of their pertinent complex
relationships. Ontology organizes and systematizes all phenomena in a
research purview. Most approaches gain from the induced modularity. It can
predict additions from the full combinatorics of the compatible properties.
Discussion questions included ontology's relationship to glossaries, how
practitioners would use and profit from it, and whether or not an ontology
makes it easier to miss security flaws that have gone unnamed.
The first session on Wednesday, September 12, was Session 4: Innovative
Solutions, chaired by Carla Marceau.
Carla also stepped in and presented "AngeL: A Tool to Disarm Computer
Systems" for Danilo Bruschi and Emilia Rosti. This tool attempts to stop
distributed denial of service attacks from the hosts that are used without
their owner's knowledge to launch the attacks, as opposed to more
traditional approaches that try to defend at the target end. The tool
works for DoS attacks targeted at the local host as well. It can currently
detect and block more than 70 documented attacks. They had presented their
initial concept of connecting disarmed hosts at NSPW 2000. One of the
things AngeL does is wrap execve(). It checks the contents of
environment variables for suspicious characters, it checks the stats and
privileges of the calling program, and it checks the parameters. There is
also a module that can be integrated into the personal firewall capability
of Linux which looks for attacks that exploit network and transport layer
and application layer protocol vulnerabilities. A protection mechanism to
keep the tool from being removed was also implemented. AngeL is a loadable
kernel module. An MD5-hashed password is associated with it during
loading. The password must be written to the write-only /dev/angel device
to allow removal. Some performance evaluation was also included in the
paper.
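As an added example (not AngeL's code, which is a kernel module whose rules the report does not detail), the Python below sketches in user-space terms the kind of checks an execve() wrapper can make: environment variables and arguments are scanned for non-printable bytes and oversized values of the sort that carry a NOP sled and shellcode into a fixed buffer, and a caller whose effective identity differs from its real one is stopped from executing a shell. The size limit, the reading of "suspicious characters" as non-printable bytes, and the privileged-caller rule are assumptions made for the example.

```python
"""User-space sketch of the checks an execve() wrapper can make.

Added example; not AngeL's code.  Assumptions: "suspicious characters" means
non-printable bytes (what a NOP sled or shellcode in an argument or variable
looks like); MAX_VALUE_LEN and the rule about privileged callers running a
shell are choices made here.
"""
import os
import string
from typing import Dict, List, Optional, Tuple

PRINTABLE = set(string.printable) - set("\x0b\x0c")   # text, space, tab, newline
MAX_VALUE_LEN = 1024                                   # assumed bound per argument or variable
SHELLS = {"sh", "bash", "csh", "ksh", "zsh"}


def suspicious(value: str) -> Optional[str]:
    """Return why `value` looks like injected code, or None if it looks like text."""
    if len(value) > MAX_VALUE_LEN:
        return f"length {len(value)} exceeds {MAX_VALUE_LEN}"
    bad = [c for c in value if c not in PRINTABLE]
    if bad:
        return f"{len(bad)} non-printable byte(s), first is 0x{ord(bad[0]):02x}"
    return None


def check_execve(path: str, argv: List[str], env: Dict[str, str],
                 caller: Dict[str, int]) -> List[Tuple[str, str]]:
    """Inspect one execve() request.  `caller` holds the calling process's
    uid/euid/gid/egid.  Returns (what, why) findings; an empty list means allow."""
    findings = []
    for name, value in env.items():                      # environment contents
        why = suspicious(value)
        if why:
            findings.append((f"env {name}", why))
    for i, arg in enumerate(argv):                       # parameters
        why = suspicious(arg)
        if why:
            findings.append((f"argv[{i}]", why))
    # Privileges of the calling program: a set-uid/set-gid process (effective
    # identity differs from the real one) executing a shell is the signature
    # of hijacked control flow, not of normal use.
    elevated = caller["uid"] != caller["euid"] or caller["gid"] != caller["egid"]
    if elevated and os.path.basename(path) in SHELLS:
        findings.append(("caller", f"uid {caller['uid']} with euid {caller['euid']} executing {path}"))
    return findings


# Constructed requests: a normal directory listing, and an exploit-shaped one
# in which a set-uid process carries a NOP sled plus code in EGG and runs a shell.
NORMAL = ("/bin/ls", ["ls", "-l"], {"PATH": "/usr/bin:/bin"},
          {"uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000})
EXPLOIT = ("/bin/sh", ["sh"], {"EGG": "\x90" * 300 + "\xeb\x1f"},
           {"uid": 1000, "euid": 0, "gid": 1000, "egid": 1000})
```

A real wrapper would make these decisions in the kernel before the new image is loaded; the checks themselves are the same.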
The next paper was "Survival by Defense-Enabling" by Partha Pal, Franklin
Webber and Richard Schantz. Partha presented. Their work attempts to give
applications attack survival and intrusion tolerance, even when their
environment is untrustworthy. They emphasize survival by defense, which
aims to frustrate an attacker if protection fails and the attacker gains
some privilege. This work assumes the ability to modify or extend the
design of critical applications. The paper focuses on corruption that
results from a malicious attack exploiting flaws in an application's
environment. They discuss slowing down the attacker's acquisition of
privilege, by distributing the application's parts across domains and
constraining privilege accumulation concurrently across a set of domains.
Requiring application privilege separate from domain administrator
privilege can slow down attackers. Redundancy, monitoring, and
adaptation can also be used. The paper also considers both direct attacks
on the application itself and indirect attacks which target the resources
applications need. Pro-active defensive adaptation can further slow the
attacker. While their emphasis is on sequential attacks, they are looking
at rapid reaction to anomalies for non-sequential attacks (such as DDoS).
The next paper was "A Trusted Process to Digitally Sign a Document" by
Boris Balacheff, Liqun Chen, David Plaquin and Graeme Proudler. Graeme
presented. This approach relies on the Trusted Computing Platform Alliance.
The trusted process creates a signature over a digital
image that represents the document. It uses a trusted display controller
(TDC) and a smartcard owned by the signer. The method relies on the
protected communications between the TDC and the user's smart card, and on
privileged access to the computer's display. The trusted display controller
is part of the video processing path, and can display video data on a
monitor without interference or subversion by any software on the platform.
The smart card is able to authenticate the trusted display controller and
demonstrate to the signer the results of that authentication using the
trusted display controller. It uses a user-specified thumbnail image to
mark its displays. This thumbnail seal image should be written to the smart
card securely. The smart card signs image data on the authority of the TDC
without direct authorization from the signer. The TDC generates an ASCII
string nonce, which is also displayed with the thumbnail seal image. If the
user wants to sign the document, they type the nonce into the normal
keyboard.
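The exchange described above, simulated end to end as an added example that is not the authors' protocol: the card authenticates the TDC and hands it the seal, the TDC draws the image, the seal and a nonce where host software cannot read them, the signer types the nonce on the normal keyboard, and the card signs on the TDC's authority. The protected card-TDC channel is modelled by a shared MAC key, the card's signature by a keyed hash under a card-only key, and the TDC's authority by a MAC over the image digest; all keys, seals and documents are constructed.

```python
"""Simulation of the trusted signing process: signer's smart card, trusted
display controller (TDC), untrusted host software and the human signer.

Added example, not the authors' protocol.  Modelling assumptions: the
card-TDC channel is a MAC under a shared key; the card's signature is a keyed
hash under a card-only key; the TDC's authority to the card is a MAC over the
image digest.  Host software drives the session and sees every message it
forwards, but cannot read what the TDC draws on the monitor.
"""
import hashlib
import hmac
import secrets
import string
from typing import Callable, List, Optional, Tuple

Screen = List[Tuple[str, bytes]]


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


class TrustedDisplayController:
    def __init__(self, channel_key: bytes):
        self.key = channel_key
        self.seal: Optional[bytes] = None            # installed only by an authenticated card
        self.screen: Screen = []                     # what the monitor shows; host cannot read it
        self.pending: Optional[Tuple[str, bytes]] = None

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge)

    def install_seal(self, seal: bytes, tag: bytes) -> None:
        """Card -> TDC over the protected channel; a forged seal has no valid tag."""
        if hmac.compare_digest(tag, mac(self.key, b"seal:" + seal)):
            self.seal = seal

    def show_for_signing(self, image: bytes) -> None:
        """Draw the document image, the seal (or a warning) and a fresh ASCII nonce."""
        nonce = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(6))
        self.pending = (nonce, hashlib.sha256(image).digest())
        self.screen = [("image", image), ("seal", self.seal or b"NOT AUTHENTICATED"),
                       ("nonce", nonce.encode())]

    def keyboard_input(self, typed: str) -> Optional[Tuple[bytes, bytes]]:
        """Only the nonce on screen, typed once, yields (digest, authority)."""
        if self.pending is None:
            return None
        nonce, digest = self.pending
        self.pending = None
        if not hmac.compare_digest(typed.encode(), nonce.encode()):
            return None
        return digest, mac(self.key, b"authorize:" + digest)


class SmartCard:
    def __init__(self, seal: bytes, channel_key: bytes, signing_key: bytes):
        self.seal, self.channel_key, self.signing_key = seal, channel_key, signing_key

    def authenticate_tdc(self, tdc: TrustedDisplayController) -> bool:
        """Challenge the TDC; on success hand it the seal that marks its displays."""
        challenge = secrets.token_bytes(16)
        if not hmac.compare_digest(tdc.respond(challenge), mac(self.channel_key, challenge)):
            return False
        tdc.install_seal(self.seal, mac(self.channel_key, b"seal:" + self.seal))
        return True

    def sign(self, digest: bytes, authority: bytes) -> Optional[bytes]:
        """Sign on the TDC's authority alone; the signer's consent was taken by the TDC."""
        if not hmac.compare_digest(authority, mac(self.channel_key, b"authorize:" + digest)):
            return None
        return mac(self.signing_key, digest)


def signing_session(card: SmartCard, tdc: TrustedDisplayController, image: bytes,
                    keyboard: Callable[[Screen], str]) -> Optional[bytes]:
    """Host-side driver.  `keyboard` is whatever arrives from the normal keyboard
    once the screen is up: the signer reading it, or a host guessing without her."""
    card.authenticate_tdc(tdc)
    tdc.show_for_signing(image)
    consent = tdc.keyboard_input(keyboard(tdc.screen))
    return None if consent is None else card.sign(*consent)


def signer(seal: bytes) -> Callable[[Screen], str]:
    """A careful signer types the nonce only when her own seal is on the screen."""
    def read(screen: Screen) -> str:
        shown = dict(screen)
        return shown["nonce"].decode() if shown["seal"] == seal else ""
    return read


def verify(signing_key: bytes, image: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(mac(signing_key, hashlib.sha256(image).digest()), signature)
```

Two failure cases matter: host software that cannot see the display has to guess the nonce, so it cannot manufacture consent, and a rogue display controller without the channel key never receives the seal and cannot produce an authority the card accepts, so the signer sees a warning instead of her seal and the card refuses to sign even if the host forwards the rogue's nonce itself.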
Session 5, Less is More, was chaired by Sami Saydjari.
The first paper was "NATE - Network analysis of Anomalous Traffic Events, a
Low-Cost Approach" by Carol Taylor and Jim Alves-Foss. Carol presented.
Their work is specifically designed for high speed traffic and low
maintenance. It features minimal traffic measurements, an anomaly-based
detection method, and a limited attack scope. The expectation is that the
anomaly based approach combined with simplified design will be more
efficient in both operation and maintenance than other lightweight
approaches. NATE only measures packet headers. They monitor counts of the
TCP flags and the number of bytes transferred for each packet. They also
aggregate sessions based on source and destination IP and port. They use
cluster analysis, a multivariate technique, to find normal groups of TCP/IP
sessions, and they used Principal Components Analysis for data reduction.
They evaluated their method against the Lincoln Labs data set. They found
it was successful in identifying the attacks that could be identified from
analyzing network headers, and it had a low false positive rate.
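The pipeline described above, as an added example that is not the authors' code: packets are aggregated into sessions by address and port, each session is reduced to counts of the TCP flags plus packets and bytes, the features are standardised on a training set of sessions taken to be normal, k-means builds the normal groups, and a new session is called anomalous when its distance to the nearest group exceeds a threshold derived from the training data. The PCA data-reduction step is omitted; the value of k, the threshold margin and every packet are constructed for the example.

```python
"""Header-only session features and cluster-based anomaly scoring, in the
spirit of NATE.  Added example, not the authors' code; PCA omitted; k, the
margin and all packets are constructed."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

FLAGS = "SAFRPU"                                # SYN ACK FIN RST PSH URG
Packet = Tuple[str, int, str, int, str, int]    # (src, sport, dst, dport, flags, bytes)


def sessionize(packets: List[Packet]) -> Dict[tuple, Dict[str, int]]:
    """Aggregate by the unordered (ip, port) pair so both directions of a
    connection land in one session; count flags, packets (N) and bytes (B)."""
    sessions: Dict[tuple, Dict[str, int]] = defaultdict(lambda: {f: 0 for f in FLAGS + "NB"})
    for src, sport, dst, dport, flags, length in packets:
        s = sessions[tuple(sorted([(src, sport), (dst, dport)]))]
        s["N"] += 1
        s["B"] += length
        for f in flags:
            s[f] += 1
    return sessions


def features(s: Dict[str, int]) -> List[float]:
    return [float(s[f]) for f in FLAGS + "NB"]


def dist(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(v: List[float], centroids: List[List[float]]) -> Tuple[float, int]:
    return min((dist(v, c), i) for i, c in enumerate(centroids))


def kmeans(vectors: List[List[float]], k: int, rounds: int = 25) -> List[List[float]]:
    """Plain Lloyd's algorithm seeded with the first k vectors."""
    centroids = [list(v) for v in vectors[:k]]
    for _ in range(rounds):
        groups: List[List[List[float]]] = [[] for _ in centroids]
        for v in vectors:
            groups[nearest(v, centroids)[1]].append(v)
        centroids = [[sum(col) / len(g) for col in zip(*g)] if g else c
                     for g, c in zip(groups, centroids)]
    return centroids


class NateDetector:
    def __init__(self, k: int = 2, margin: float = 3.0):
        self.k, self.margin = k, margin       # margin: assumed multiple of the widest normal spread

    def fit(self, training: List[Packet]) -> "NateDetector":
        raw = [features(s) for s in sessionize(training).values()]
        n, dims = len(raw), len(raw[0])
        self.mean = [sum(v[d] for v in raw) / n for d in range(dims)]
        self.std = [math.sqrt(sum((v[d] - self.mean[d]) ** 2 for v in raw) / n) or 1.0
                    for d in range(dims)]
        vecs = [self.scale(v) for v in raw]
        self.centroids = kmeans(vecs, self.k)
        self.threshold = self.margin * max(nearest(v, self.centroids)[0] for v in vecs)
        return self

    def scale(self, v: List[float]) -> List[float]:
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def score(self, packets: List[Packet]) -> Dict[tuple, Tuple[float, bool]]:
        """Map each session to (distance to nearest normal group, anomalous?)."""
        out = {}
        for key, s in sessionize(packets).items():
            d, _ = nearest(self.scale(features(s)), self.centroids)
            out[key] = (d, d > self.threshold)
        return out


def http_session(client: str, cport: int, data_pkts: int) -> List[Packet]:
    """Constructed web session: handshake, request, `data_pkts` response segments, close."""
    srv, port = "10.0.0.80", 80

    def c2s(fl: str, ln: int) -> Packet:
        return (client, cport, srv, port, fl, ln)

    def s2c(fl: str, ln: int) -> Packet:
        return (srv, port, client, cport, fl, ln)

    return ([c2s("S", 60), s2c("SA", 60), c2s("A", 52), c2s("PA", 300)]
            + [s2c("PA", 1500) for _ in range(data_pkts)]
            + [c2s("A", 52), c2s("FA", 52), s2c("FA", 52), c2s("A", 52)])
```

Trained on a handful of ordinary web sessions, the detector leaves a new web session alone and flags a half-open connection (a lone SYN) and a session full of RSTs, both of which are visible from headers alone; attacks carried entirely in payload would not show up here, which is the limited attack scope the paper accepts.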
The next paper was "Information Security is Information Risk Management" by
Bob Blakley, Ellen McDermott, and Dan Geer. Bob presented. The paper argues
that information security technology deals with only a small fraction of the
problem of information risk. The evidence increasingly suggests that it
does not reduce information risk very effectively. Generally speaking,
businesses manage risk as part of their day-to-day operations. They may
transfer liability for an adverse event to another party. A business may
indemnify itself against the consequences, either by pooling with other
businesses (insurance policies) or hedging by placing a bet that the
adverse event will happen (options). Risk can be mitigated by systems or
process redesign, or reducing the damage that is likely to occur (building
codes). Businesses can retain risks, and either set aside funds to offset
the cost, or not. A table of information security products and processes
shows them to be heavily clustered in the mitigation category. The FBI/CSI
survey shows nearly universal deployment of security technology and rapidly
and steadily rising losses from security incidents. Information security
risk assessments should focus on quantifying risks. Security technology
development and selection should be based on quantitative studies of
effectiveness. Information that needs to be collected to do this includes
vulnerabilities, incidents, losses, and countermeasure effectiveness. The
authors ask, if the IT security industry can design countermeasures and
counsel clients on how to defend their systems, why can't _we_ help
underwriters develop assessment and underwriting tools and train claims
professionals in the intricacies of IT losses? Do we have something more
important to do?
Session 6 was a panel celebrating the 10th NSPW, called "The New Security
Paradigm Workshop: Boom or Bust?" Steven J. Greenwald was Panel Chair. The
panel statements were "Neither Boom Nor Bust" by Hilary H. Hosmer,
"Tracking Influence Through Citation Index Comparisons and Preliminary Case
Studies" by Mary Ellen Zurko, and "Thinking in an Age of Instant
Communication; Communicating in a Time of Reflective Thought" by Marv
Schaefer. Steve asked the question, has NSPW been effective for advancing
new ideas, challenging old ones, and encouraging new authors? Paradigm
shifts predicted by the first NSPW authors included a shift to application
level security, decentralized interoperable networks, systemic flaw
reporting and correction, and enterprise modeling of sociotechnological
aspects of computers. Holly pointed out that the Boom and Bust model is not
applicable. Her paper points out that the boom and bust model is a dynamic
model with delayed feedback, resulting in the failure of the system to
adjust rapidly enough to reach sustainable equilibrium. Most new paradigms
take at least a generation to win general acceptance, when the holders of
the old paradigm die off. Mez presented some citation index numbers from
CiteSeer comparing NSPW, Computer Security Foundations
Workshop, and IEEE Symposium on Security and Privacy. She also had some
feedback from authors of the most heavily referenced NSPW papers on
CiteSeer. It was unclear from the data that influence could be tracked that
way. Victor Raskin mentioned that universities are considering dropping
citation indices as a criterion for promotion because the data is
worthless. John McHugh recommended a more intelligent literature search
tracking subfields such as inline reference monitors and immune system
approaches. Marv emphasized the workshop nature of NSPW. Its value is that
it gives individual participants more in return than they individually
contributed, and not just during hallway conversations, but during the
actual paper presentations as well. Putting the contributions of more
traditional conferences in context, he noted that the security posture of
most computer systems today is far weaker than ever before, and that every
few years the past is recreated in our profession, because computer
security professionals do not read the literature they cite. Sami Saydjari
commented that the worth of NSPW is its willingness to accept papers out of
the traditional categories.
The final session, on Thursday, September 13, was Session 7: Passwords
Revisited, chaired by Tom Daniels.
The first paper was "A Note on Proactive Password Checking" by Jeff Jianxin
Yan. Jeff argues that hackers may attempt to brute force passwords based on
entropy. He proposes using entropy-based proactive password checking as an
enhancement to current use of dictionary-based checking. Proactive password
checking checks a user's (new) password in order to determine its strength.
He gives 12a34b5 as an example of a low entropy password not currently
caught by proactive password checkers. Using a 7 character password as an
example (because the length is widely used), he notes that the highest
entropy pattern is 5 alphabetical and 2 numeric characters, while 2
alphabetic characters and 5 numeric characters is in an area of low
entropy. The paper outlines a simple and efficient algorithm to detect low
entropy 7 character passwords. Future work includes extending the analysis
to longer passwords. Much of the discussion centered around the potential
pitfalls of attempting to deploy proactive low entropy password checking.
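As an added example (not the paper's algorithm), the Python below puts the entropy argument into a proactive checker. The report does not say how the paper measures entropy; here a password's entropy is taken as log2 of the number of passwords of the same length that share its composition (how many alphabetic and how many numeric positions), over a 26-letter, 10-digit alphabet, which is the counting under which 5 letters plus 2 digits is the largest 7-character class, as the paper states, and 2 letters plus 5 digits (the 12a34b5 case) is small. The 32-bit threshold and the dictionary are assumptions made for the example.

```python
"""Entropy-based proactive password check alongside a dictionary check.

Added example, not the paper's algorithm.  Entropy here is log2 of the size
of the password's composition class (letters vs digits, any positions) over a
26-letter, 10-digit alphabet; the 32-bit threshold is an assumption.
"""
from math import comb, log2
from typing import List, Optional, Set, Tuple


def composition(password: str) -> Optional[Tuple[int, int]]:
    """(letters, digits), or None if the password has characters outside the model."""
    letters = sum(c.isascii() and c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    return (letters, digits) if letters + digits == len(password) else None


def class_size(letters: int, digits: int) -> int:
    """How many passwords have exactly this composition: choose which positions
    hold letters, then fill every position from its character set."""
    return comb(letters + digits, letters) * 26 ** letters * 10 ** digits


def entropy_bits(password: str) -> Optional[float]:
    comp = composition(password)
    return None if comp is None else log2(class_size(*comp))


def strongest_letter_count(length: int) -> int:
    """Number of letters in the largest (highest-entropy) class for this length."""
    return max(range(length + 1), key=lambda k: class_size(k, length - k))


def check_password(password: str, dictionary: Set[str], min_bits: float = 32.0) -> List[str]:
    """Proactive check on a new password: reasons to reject it (empty = accept)."""
    reasons = []
    if password.lower() in dictionary:
        reasons.append("in dictionary")
    bits = entropy_bits(password)
    if bits is not None and bits < min_bits:
        n = len(password)
        best = strongest_letter_count(n)
        best_bits = log2(class_size(best, n - best))
        reasons.append(f"low entropy: {bits:.1f} bits, vs {best_bits:.1f} "
                       f"for {best} letters and {n - best} digits")
    return reasons
```

The point the check makes concrete is that an attacker who enumerates composition classes from the smallest up reaches 12a34b5 (about 1.4 billion candidates in its class) long before ab1cde2 (about 25 billion), even though a dictionary test passes both; a deployment would still have to decide how to explain such a rejection to users, which is where the discussion at the workshop focused.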
The final paper was "Pretty Good Persuasion: A First Step Towards Effective
Password Security" by Dirk Weirich and Martina Angela Sasse. Dirk
presented. This work starts from the assumption that in most organizations,
users cannot be forced to comply with security policies. They must be
persuaded to do so. The persuasion may rely on changes to the policies and
the way they are enforced, or on changing the social discourse around the
subject. This work focuses on rules around and use of passwords. They
conducted semi-structured in-depth interviews to try to understand why some
users are motivated to behave in a security-conscious fashion, and some are
not. The interviews were guided by the theory of fear appeals, which says
that to be effective, they must convince the recipient that the problem is
serious, it may affect them, it can be avoided by taking appropriate
action, and the recipient is capable of performing that action. Discourse
analysis brought out a number of points. A large number of participants had
mental constructs that make it almost impossible to use fear appeals
effectively. There was a strong social element in sharing passwords; it is
seen as a sign of trust among co-workers. People who behave in a
security-conscious way are often described in negative terms such as
"paranoid", even by themselves. Initial ideas on how to solve these
problems include changing the discourse about password mechanisms using
social marketing techniques, changing policy so that it will increase
compliance, and designing mechanisms with their persuasive power in mind. A
very extreme change that might be used for further study would be to
implement a password mechanism that did not allow a user who forgot their
password to change it for 24 hours, and which was unique and used without a
name, to strengthen personal association.
====================================================================
Reader's Guide to Current Technical Literature in Security and
Privacy, by Anish Mathuria
====================================================================
The Reader's Guide from Past issues of Cipher is archived at
www.ieee-security.org/Cipher/ReadersGuide.html
____________________________________________________________________
Conference Entries
____________________________________________________________________
Third ACM Conference on Electronic Commerce, October 14-17, 2001, Tampa,
Florida, USA: [Security-related papers only]
E-privacy in 2nd generation E-Commerce: privacy preferences
versus actual behavior. S. Spiekermann, J. Grossklags and B. Berendt
Concepts for Personal Location Privacy Policies.
E. Snekkenes
Escrow Services and Incentives in Peer-to-Peer Networks.
B. Pinkas, B. Horne and T. Sander
The 2001 IEEE International Conference on Data Mining, November 29- December
2, 2001, San Jose, California, USA: [Security-related paper only]
Using Artificial Anomalies to Detect Unknown and Known Network
Intrusions. W. Fan, M. Miller, S. Stolfo, W. Lee and P. Chan
9th International Conference on Network Protocols, November 11-14, 2001, CA,
USA: [Security-related papers only]
Using Dynamic Buffer Limiting to Protect Against Belligerent Flows
in High-speed Networks. F. Ertemalp, D. Cheriton and A. Bechtolsheim
Fast Firewall Implementations for Software and Hardware based Routers.
L. Qiu, G. Varghese and S. Suri
Providing Robust and Ubiquitous Security Support for MANET.
J. Kong, P. Zerfos, H. Luo, S. Lu and L. Zhang
Scalable Secure Group Communication over IP Multicast.
S. Banerjee and B. Bhattacharjee
Second International Workshop on Electronic Commerce (WELCOM'01),
November 16-17, 2001, Heidelberg, Germany: [Security-related papers only]
Mobile Payments - State of the Art and Open Problems.
K. Wrona, M. Schuba and G. Zavagli
Enabling Privacy Protection in E-Commerce Applications.
D. Kuegler
Using Smart Cards for Fair Exchange.
H. Vogt, H. Pagnia and F. Gaertner
Rational Exchange - A Formal Model Based on Game Theory.
L. Buttyan and J. Hubaux
First International IFIP TC-11 WG 11.4 Working Conference on Network
Security, November 26-27, 2001, Leuven, Belgium:
A Role-Based Specification of the SET Payment Transaction Protocol.
H. Sakurada and Y. Tsukada
Information Security: Mutual Authentication in E-Commerce.
S. Von Solms and M. Kisimov
Software-Based Receipt-Freeness in On-Line Elections.
E. Magkos, V. Chrissikopoulos and N. Alexandris
ID-Based Structured Multisignature Schemes.
C.-Y. Lin, T.-C. Wu and J.-J. Hwang
Probabilistic Relations for the Solitaire Keystream Generator.
M. Pudovkina
Hazard Analysis for Security Protocol Requirements.
N. Foster and J. Jacob
Securing RMI Communication.
V. Naessens, B. Vanhaute and B. De Decker
Secure Java Development With UML. J. Jurjens
Security Through Aspect-Oriented Programming.
B. De Win, B. Vanhaute and B. De Decker
Extending a Campus Network with Remote Bubbles using IPsec.
A. Bonnet and M. Lobelle
Combining World Wide Web and Wireless Security.
J. Claessens, B. Preneel and J. Vandewalle
On Mobile Agent Based Transactions in Moderately Hostile Environments.
N. Borselius, C. Mitchell and A. Wilson
SPARTA, A Mobile Agent Based Intrusion Detection System.
C. Kruegel, T. Toth and E. Kirda
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm
Cornell University
Cornell University, Ithaca, NY
Post-Doctoral Position
Position closes 12/31/2001
www.cs.cornell.edu/cdlrg/prism/postdoc.htm
Department of Computer Science
Florida State University, Tallahassee, FL
www.cs.fsu.edu/positions
Department of Computer Science
James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking
applications from faculty who specialize in Information Security or
closely related areas.
www.cs.jmu.edu/faculty_openings.htm
Vrije Universiteit
Vrije Universiteit, Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs
Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security,
networking, data mining and software engineering. Search will continue until
positions are filled.
ise.gmu.edu/hire/
Department of Computer Science
Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be
considered. Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html
Department of Computer Science
Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and
distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html
Swiss Federal Institute of Technology
Lausanne (EPFL), Switzerland/Eurecom/Telecom
Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html
Department of Computer Science
Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software
engineering, provability and verification, real-time and safety-critical systems,
system software, databases, fault tolerance, and computational/simulation-based
design.
www.cs.fsu.edu/positions/
--------------
This job listing is maintained as a service to the academic community. If you
have an academic position in computer security and would like to have it
included on this page, send the following information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================
"Reports Available" links from previous issues of
Cipher are archived at www.ieee-security.org/Cipher/NewReports.html
and www.ieee-security.org/Cipher/InterestingLinks.html
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
(which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
(which is NOT automated) with subject line "subscribe postcard".
To remove yourself from the subscription list, send e-mail to
cipher@issl.iastate.edu with subject line "unsubscribe".
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended. For
Calendar entries, please include a URL and/or e-mail address for the
point-of-contact. For Calls for Papers, please submit a one paragraph
summary. See this and past issues for examples. ALL CONTRIBUTIONS
CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses
of Cipher material should respect stated copyright notices, and should
cite the sources explicitly; as a courtesy, publications using Cipher
material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
www.ieee-security.org/Cipher/AddressChanges.html
______________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________
You do NOT have to join either IEEE or the IEEE Computer Society to
join the TC, and there is no cost to join the TC. All you need to
do is fill out an application form and mail or fax it to the
IEEE Computer Society. A copy of the form is included below (to
simplify things, only the TC on Security and Privacy is included, and
is marked for you). Members of the IEEE Computer Society may join the
TC via an https link. The full and complete form is available on the
IEEE Computer Society's Web Server by following the application form
hyperlink at the URL: computer.org/tcsignup/
IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED
(BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.
---------
IEEE Computer Society
Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name First Name Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City State
___________________________________________________________
Country Postal Code
___________________________________________________________
Office Phone Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________
[ ] I am a member of the Computer Society
IMPORTANT: IEEE Member/Affiliate/Computer Society Number:
____________________
[ ] I am not a member of the Computer Society*
Please Note: In some TCs only current Computer Society members are
eligible to receive Technical Committee newsletters.
Please select up to four Technical Committees/Technical Councils of
interest.
TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy
Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614
_____________________________________________________________
TC Publications for Sale
_____________________________________________________________
Proceedings of the IEEE CS Symposium on Security and Privacy
The Technical Committee on Security and Privacy has copies of
its publications available for sale directly to you. You may pay
for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy
Year(s) Format Price
2001 Hardcopy $25.00*
2000 Hardcopy $15.00*
1999 Hardcopy SOLD OUT
1998 Hardcopy $10.00*
2000-2001 CD-ROM $25.00*
* Plus shipping charges
Payment by Check
Please specify the items and quantities that you wish to receive, your
shipping address, and the method of shipping (for overseas orders).
Mail your order request and a check, payable to the 2001 IEEE Symposium
on Security and Privacy to:
Brian J. Loe
Treasurer, IEEE Security and Privacy
c/o Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113
U S A
Please include the appropriate amount to cover shipping charges as
noted in the table below.
Shipping Charges for Mail Orders
Domestic shipping: $4.00 per order for 3 volumes or fewer
Overseas surface mail: $6.00 per order for 3 volumes or fewer
Overseas air mail: $12.00 per volume
Credit Card Orders
For a limited time, the TC on Security and Privacy can charge orders to your
credit card. Send your order by mail to the address above or send email to
brian.loe@computer.org specifying the items and quantities that you wish to
receive, your shipping address, method of shipping (surface or air for overseas
orders) along with
the name of the cardholder,
credit card number, and
the expiration date.
Exact shipping charges will be charged to your credit card and included in
your receipt. Shipping charges may be approximated from the table above.
You may use the following PGP public key to encrypt any information that
you're not comfortable sending as cleartext.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 4.0 Business Edition
[key material not reproduced here]
=PUX1
-----END PGP PUBLIC KEY BLOCK-----
IEEE CS Press
You may also order some back issues from IEEE CS Press at
www.computer.org/cspress/catalog/proc9.htm.
Proceedings of the IEEE CS Computer Security Foundations Workshop
The most recent Computer Security Foundation Workshop (CSFW13) took place
the 3rd through 5th of July 2000 in Cambridge, UK. Topics included formal
specification of security protocols, protocol engineering, distributed systems,
information flow, and security policies.
Copies of the proceedings are available from the publications chair for $25
each. Copies of earlier proceedings starting with year 5 are available at $10.
Photocopy versions of year 1 are also $10.
Checks payable to Joshua Guttman for CSFW may be sent to:
Joshua Guttman, MS A150
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org
________________________________________________________________________
TC Officer Roster
________________________________________________________________________
Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com
Past Chair:
Charles P. Pfleeger
Arca Systems, Inc.
8229 Boone Blvd, Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org
Vice Chair:
Michael Reiter
Bell Laboratories
600 Mountain Ave., Room 2A-342
Murray Hill, NJ 07974 USA
(908) 582-4328 (voice)
(908) 582-1239 (fax)
reiter@research.bell-labs.com
Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil
Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu
Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com
Chair, Subcommittee on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com
BACK ISSUES:
Cipher is archived at: www.ieee-security.org/cipher.html
========end of Electronic Cipher Issue #45, November 17, 2001===========