Subject: Electronic CIPHER, Issue 47, March 15, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 47                                   March 15, 2002
Jim Davis, Editor
Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

 * Letter from the Editor
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
    o Preliminary program for the 2002 IEEE Symposium on Security and Privacy (May 12-15, 2002, Oakland, CA, USA)
    o Information on the 15th IEEE Computer Security Foundations Workshop (June 24-26, 2002) can be found at www.csl.sri.com/programs/security/csfw/index.html. The call for papers is included in the News Bits section below.
 * Commentary and Opinion
    o Robert Bruen's review of "Hack I. T. - Security Through Penetration Testing" by T.J. Klevinsky, Scott Laliberte and Ajay Gupta
    o Robert Bruen's review of "Handbook of Computer Crime Investigation. Forensic Tools and Technology", edited by Eoghan Casey
    o Robert Bruen's review of "Computer Forensics and Privacy" by Michael Caloyannides
 * Reader's guide to recent security and privacy literature, by Anish Mathuria (new entries March 15, 2002)
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Interesting Links and New reports available via FTP and WWW
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will find three book reviews by Robert Bruen, additions to Anish Mathuria's Reader's Guide, links to new calls for papers, and the preliminary program for S&P 2002.

I'd like to offer a correction for the January 2002 Cipher. We inadvertently omitted Gary McGraw as a co-author of a text we reviewed. The corrected citation is: John Viega and Gary McGraw. "Building Secure Software. How to Avoid Security Problems the Right Way". Addison-Wesley 2002. My apologies Gary!

As we head into a busy conference and workshop season, please consider writing a review of an event you are involved with. I will be contacting program chairs for assistance in identifying volunteers, but we often get a better outcome if someone steps forward on their own.

Many thanks to our colleagues who contributed to this issue!

Best regards,
Jim Davis
davis@iastate.edu
3/15/2002

====================================================================
Conference and Workshop Announcements
====================================================================

PRELIMINARY PROGRAM
2002 IEEE Symposium on Security and Privacy
May 12-15, 2002
The Claremont Resort
Oakland, California, USA

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

Sunday, 12 May 2002

4:00 - 7:00 Registration and Reception

Monday, 13 May 2002

8:45 - 9:00 Opening Remarks

9:00 - 10:30 Session: Attacks

  "Optical Time-Domain Eavesdropping Risks of CRT Displays",
  Markus G. Kuhn (University of Cambridge)

  "Statistical Identification of Encrypted Web Browsing Traffic",
  Qixiang Sun (Stanford University), Daniel R. Simon (Microsoft Research), Yi-Min Wang (Microsoft Research), Wilf Russell (Microsoft Research), Venkat Padmanabhan (Microsoft Research), Lili Qiu (Microsoft Research)

  "Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards",
  Josyula R. Rao (IBM Watson Research Center), Pankaj Rohatgi (IBM Watson Research Center), Stephane Tinguely (EPFL, Lausanne), Helmut Scherzer (IBM Germany)

10:30 - 11:00 Break

11:00 - 12:00 Session: Privacy and Anonymity

  "Collaborative Filtering with Privacy",
  John Canny (UC Berkeley)

  "P5: A Protocol for Scalable Anonymous Communication",
  Rob Sherwood (University of Maryland), Bobby Bhattacharjee (University of Maryland), Aravind Srinivasan (University of Maryland)

12:00 - 1:30 Lunch

1:30 - 2:30 Invited Talk: "Exploits of Large-Scale Web Services and Counter-measures", Udi Manber (Yahoo!)

2:30 - 3:00 Break

3:00 - 4:00 Session: Composition and Conciliation

  "Methods and Limitations of Security Policy Reconciliation",
  Patrick McDaniel (AT&T Labs - Research), Atul Prakash (University of Michigan)

  "On the Composition of Secure Systems",
  Heiko Mantel (German Research Center for Artificial Intelligence, DFKI)

4:00 - 6:00 5-minute Recent Research Presentations

6:15 - 7:15 Reception

7:00 - ??? Poster Sessions

Tuesday, 14 May 2002

9:00 - 10:30 Session: Authorization and Delegation

  "Binder, a Logic-based Security Language",
  John DeTreville (Microsoft Research)

  "Design of a Role-based Trust-management Framework",
  Ninghui Li (Stanford University), John C. Mitchell (Stanford University), William H. Winsborough (NAI Labs, Network Associates, Inc.)

  "Constrained Delegation",
  Olav Bandmann (SICS), Mads Dam (KTH/IMIT/LECS), Babak Sadighi Firozabadi (SICS)

10:30 - 11:00 Break

11:00 - 12:00 Session: Static Analysis

  "Detecting Lots of Security Holes Using System-Specific Static Analysis",
  Ken Ashcraft (Stanford University), Dawson Engler (Stanford University)

  "Improving Computer Security Using Extended Static Checking",
  Brian V Chess (University of California at Santa Cruz)

12:00 - 1:30 Lunch

1:30 - 2:30 Invited Talk: Bob Blakley (IBM Software Group/Tivoli)

2:30 - 3:00 Break

3:00 - 5:00 Session: Intrusion Detection I

  "Noninterference and Intrusion Detection",
  Calvin Ko (NAI Labs, Network Associates), Timothy Redmond (NAI Labs, Network Associates)

  "Why 6? Defining the Operational Limits of stide",
  Kymie M.C. Tan (Carnegie Mellon University), Roy A. Maxion (Carnegie Mellon University)

  "Alert Correlation in a Cooperative Intrusion Detection Framework",
  Frederic Cuppens (ONERA Centre de Toulouse), Alexandre Miege (ONERA Centre de Toulouse)

  "Intrusion-Tolerant Enclaves",
  Bruno Dutertre (SRI International), Valentin Crettaz (SRI International)

5:15 - 5:45 Security and Privacy Technical Committee Meeting

Wednesday, 15 May 2002

9:00 - 10:30 Session: Network Protocols

  "Efficient Multicast Packet Authentication Using Signature Amortization",
  Jung Min Park (Purdue University), Edwin K.P. Chong (Colorado State University), Howard Jay Siegel (Colorado State University)

  "Self-Healing Key Distribution with Revocation",
  Dirk Balfanz (Xerox PARC), Drew Dean (SRI), Matt Franklin (University of California at Davis), Sara Miner (University of California at San Diego), Jessica Staddon (Xerox PARC)

  "Expander Graphs for Digital Stream Authentication and Robust Overlay Networks",
  Dawn X. Song (University of California at Berkeley), David Zuckerman (University of Texas at Austin), J. D. Tygar (University of California at Berkeley)

10:30 - 11:00 Break

11:00 - 12:00 Session: Intrusion Detection II

  "Automated Generation and Analysis of Attack Graphs",
  Oleg Sheyner (Carnegie Mellon University), Somesh Jha (University of Wisconsin), Jeannette Wing (Carnegie Mellon University), Richard Lippmann (MIT Lincoln Labs), Joshua Haines (MIT Lincoln Labs)

  "Stateful Intrusion Detection for High-Speed Networks",
  Christopher Kruegel (University of California at Santa Barbara), Fredrik Valeur (University of California at Santa Barbara), Giovanni Vigna (University of California at Santa Barbara), Richard A. Kemmerer (University of California at Santa Barbara)

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at www.ieee-security.org/cfp.html.
The Cipher event Calendar is at www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, e-mail for more info. See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html) for details on many of these listings. Also worth a look are the ICL calendar and the IACR site, and several others.

 * 3/18/02- 3/21/02: DOCSec 2002, Baltimore, MD www.omg.org/news/meetings/docsec2002/call.htm
 * 3/18/02: HSN '2002, Taipei, Taiwan; Submissions are due, jcb@dnrc.bell-labs.com; opnear.utdallas.edu/hsnhome.htm
 * 3/22/02: ICON 2002, Singapore; Submissions due, icon2002@sp.edu.sg; icon2002.calendarone.com
 * 4/ 1/02: ISSRE 2002, Annapolis, MD; submissions due, www.issre2002.org
 * 4/ 5/02: NSPW 2002, Hampton, VA Conf Web page Submissions are due www.cs.utah.edu/flux/cipher/cfps/cfp-NSPW.html
 * 4/ 6/02 - 4/14/02: ETAPS 2002, Grenoble, France
 * 4/12/02: Special Issue, JAR Proof-Carrying Code, Journal Web page afelty@site.uottawa.ca www-unix.mcs.anl.gov/JAR/
 * 4/14/02- 4/15/02: WPET '02, San Francisco, CA; Conf Web page www.cs.utah.edu/flux/cipher/cfps/cfp-WPET02.html
 * 4/15/02: IASTED, Malaga, Spain; Submissions due www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
 * 4/15/02- 4/16/02: AVoCS '02; Birmingham, UK; www.cs.bham.ac.uk/~gxn/avocs/
 * 4/15/02: ACM-MM 2002, Juan Les Pins, France; submissions due, www.acm.org/sigmm/MM2002/index.html
 * 4/15/02: CW 2002, Tokyo, Japan Conf Web page; wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
 * 4/15/02: LFM '02, Copenhagen, Denmark; Submissions are due, fp@cs.cmu.edu; www.cs.cmu.edu/~lfm02/
 * 4/24/02- 4/25/02: PKI Res, Gaithersburg, MD www.cs.dartmouth.edu/~pki02/
 * 4/28/02-5/ 2/02: Eurocrypt 2002, Amsterdam, Netherlands. www.ec2002.tue.nl/
 * 4/29/02: 7th WCW7, Boulder, Colorado; submissions due, questions to chase@cs.duke.edu; http://2002.iwcw.org/
 * 5/ 3/02: SAC 2002, Newfoundland, Canada; Submissions due sac2002@engr.mun.ca. www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
 * 5/ 5/02: 5th WOIH, Noordwijkerhout, The Netherlands; submissions due research.microsoft.com/ih2002/
 * 5/ 5/02- 5/10/02: North America CACS '02, San Francisco, CA www.isaca.org/nacacscfp.htm
 * 5/ 7/02- 5/11/02: WWW 2002, Honolulu, Hawaii Conf Web page www.cs.utah.edu/flux/cipher/cfps/cfp-WWW2002.html
 * 5/ 7/02- 5/ 9/02: IFIP-Sec 2002, Cairo, Egypt; www.sec2002.eun.eg
 * 5/ 7/02- 5/11/02: WWW 2002, Honolulu, Hawaii www2002.org
 * 5/13/02- 5/15/02: IEEE S&P, Oakland, CA www.ieee-security.org/TC/SP02/sp02index.html
 * 5/17/02: OSDI '02, Boston, Massachusetts; osdi02chairs@usenix.org www.cs.utah.edu/flux/cipher/cfps/cfp-OSDI02.html
 * 5/24/02: ASIACRYPT '2002, Queenstown, New Zealand; submissions due www.sis.uncc.edu/ac02/
 * 5/31/02: InfraSec 2002, Bristol, UK; submissions are due, www.infrasec-conf.org
 * 6/ 1/02: 18th ACSAC, Las Vegas, NV; Conf Web page; submissions due, www.acsac.org
 * 6/17/02- 6/19/02: NetSec 2002, San Francisco, CA www.gocsi.com/netsec/02/
 * 6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada www.csl.sri.com/csfw/csfw15/
 * 6/24/02: DIREN, New York, NY Conf Web page comet.columbia.edu/diren
 * 6/24/02- 6/27/02: ICWN '02, Las Vegas www.ece.queensu.ca/hpages/faculty/yeh/icwn02.html
 * 6/24/02- 6/27/02: IMCS 2002, Las Vegas, Nevada; www.ashland.edu/~iajwa/conferences
 * 6/24/02- 6/28/02: 14th FIRST, Hilton Waikoloa Village, Hawaii www.first.org/conference/2002/
 * 6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada http://www.cs.utah.edu/flux/cipher/cfps/cfp-CSFW15.html
 * 7/ 1/02: HotNets-I, Princeton, NJ; submissions due, www.acm.org/sigcomm/HotNets-I
 * 7/ 3/02- 7/ 5/02: ACISP '02, Melbourne, Australia www.cm.deakin.edu.au/ACISP'02
 * 7/11/02- 7/12/02: STEG '02, Kitakyushu, Japan www.know.comp.kyutech.ac.jp/STEG02/
 * 7/14/02- 7/19/02: IETF, Yokohama, Japan www.ietf.org
 * 7/26/02: LFM '02, Copenhagen, Denmark; www.cs.cmu.edu/~lfm02/
 * 8/ 5/02- 8/ 9/02: USENIX 11, San Francisco, CA www.usenix.org/events/sec02/
 * 8/13/02-8/15/02: CHES 2002, Redwood City, CA www.chesworkshop.org
 * 8/14/02- 8/16/02: 7th WCW, Boulder, Colorado; 2002.iwcw.org/
 * 8/15/02- 8/16/02: SAC 2002, Newfoundland, Canada www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
 * 8/18/02- 8/22/02: CRYPTO 2002, Santa Barbara, CA
 * 8/19/02- 8/23/02: SIGCOMM '02, Pittsburgh, Pennsylvania www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
 * 8/27/02- 8/30/02: ICON 2002, Singapore, icon2002.calendarone.com
 * 9/ 2/02- 9/6/02: Trustbus '02, Aix-en-Provence, France www.wi-inf.uni-essen.de/~dexa02ws/
 * 9/ 4/02- 9/ 5/02: Workshop on Trust and Privacy in Digital Business, Aix en Provence, France www.wi-inf.uni-essen.de/~dexa02ws/
 * 9/ 5/02- 9/ 7/02: VII Spanish Meeting on Cryptology and Information Security, Asturias, Espana enol.etsiig.uniovi.es/viirecsi/
 * 9/ 9/02- 9/12/02: IASTED, Malaga, Spain; Conf Web page www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
 * 9/10/02- 9/13/02: SAFECOMP 2002, Catania, Italy www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
 * 9/23/02- 9/25/02: ECC 2002, University of Essen, Germany www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
 * 9/23/02- 9/26/02: NSPW 2002, Hampton, VA www.nspw.org
 * 9/23/02- 9/26/02: MobiCom 2002, Atlanta, Georgia; www.acm.org/sigmobile/mobicom/2002/
 * 9/26/02- 9/27/02: CMS 2002, Portoroz, Slovenia; www.setcce.org/cms2002/
 * 10/ 1/02-10/ 3/02: InfraSec 2002, Bristol, UK; www.infrasec-conf.org
 * 10/ 7/02- 10/ 9/02: IH '02, Noordwijkerhout, The Netherlands research.microsoft.com/ih/2002/
 * 10/ 7/02- 10/ 9/02: 5th IH ('02), Noordwijkerhout, The Netherlands research.microsoft.com/ih2002/
 * 10/14/02-10/16/02: ESORICS 2002, Zurich, Switzerland; www.esorics2002.org/
 * 10/15/02-10/16/02: SREIS 2002, Raleigh, NC; www.sreis.org
 * 10/22/02-10/24/02: FOUNDATIONS '02, Laurel, MD; www.cs.clemson.edu/~steve/ivandv/ResearchCallv2.pdf
 * 10/28/02-10/29/02: HotNets-I, Princeton, NJ; www.acm.org/sigcomm/HotNets-I
 * 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
 * 11/ 6/02-11/ 8/02: CW 2002, Tokyo, Japan wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
 * 11/12/02-11/15/02: ISSRE 2002, Annapolis, MD; www.issre2002.org
 * 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan; opnear.utdallas.edu/hsnhome.htm
 * 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand www.commerce.otago.ac.nz/infosci/asiacrypt/
 * 12/ 1/02-12/ 6/02: ACM-MM 2002, Juan Les Pins, France; www.acm.org/sigmm/MM2002/index.html
 * 12/ 9/02-12/11/02: OSDI '02, Boston, Massachusetts, www.usenix.org/events/osdi02/cfp/
 * 12/ 9/02-12/12/02: ICICS '02, Singapore. www.krdl.org.sg/General/conferences/icics/Homepage.html
 * 12/ 9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
 * 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and Application Security, King's College, University of Cambridge, UK, July 29-31, 2002. (submissions due March 22, 2001)
The conference provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are solicited. The conference is limited to about forty participants so that ample time for discussion and interaction may occur. Additional information and a list of topics can be found at www.cis.utulsa.edu/ifip02.
The conference location can be explored at http://www.kings.cam.ac.uk/ and the WG 11.3 home page is at sansone.crema.unimi.it/~ifip113.

NSPW2002 New Security Paradigms Workshop, Hampton, Virginia, USA, September 23-26, 2002. (submissions due March 28, 2002, April 5th if submitting via email)
For ten years the New Security Paradigms Workshop has provided a productive and highly interactive forum for innovative new approaches to computer security. The workshop offers a constructive environment for experienced researchers and practitioners as well as newer participants in the field. The result is a unique opportunity to exchange ideas. NSPW 2002 will take place September 23 - 26, 2001 at the Chamberlain Hotel, Fort Monroe, Hampton, Virginia, about 2.5 hours from Washington, DC. The complete CFP is at www.nspw.org.

RAID'2002 Fifth International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland, October 16-18, 2002 (Held in conjunction with Esorics 2002). (submissions due March 31, 2002)
This symposium, the fifth in an annual series, brings together leading figures from academia, government, and industry to discuss state-of-the-art intrusion detection technologies and issues from the research and commercial perspectives. The RAID International Symposium series is intended to further advances in intrusion detection by promoting the exchange of ideas in a broad range of topics. More information can be found on the conference web page at: www.raid-symposium.org/raid2002/.

Workshop on Economics and Information Security, University of California, Berkeley, CA, USA, May 16-17, 2002. (submissions due March 31, 2002)
Do we spend enough on keeping `hackers' out of our computer systems? Do we not spend enough? Or do we spend too much? Many system security failures occur not so much for technical reasons but because of failures of organisation and motivation. For example, the person or company best placed to protect a system may be insufficiently motivated to do so, because the costs of system failure fall on others. Such perverse incentives raise many issues best discussed using economic concepts such as externalities, asymmetric information, adverse selection and moral hazard. They are becoming increasingly important now that information security mechanisms are not merely used to protect against malicious attacks, but also to protect monopolies, differentiate products and segment markets. There are also interesting security issues raised by industry monopolization and the accompanying reduction in product heterogeneity. For these and other reasons, the confluence between information security and economics is of growing importance.
We are organising the first workshop on the topic, to be held in the School of Information Management and Systems at the University of California, Berkeley, on the 16th and 17th May 2002. In order to keep the event informal and interactive, attendance will be limited to about 30-35 participants. If you would like to participate, please send us a position paper (of 1-2 pages) by the 31st March 2002. We welcome interest not just from economists and information security professionals, but from people with relevant experience, such as in the insurance industry, corporate risk management, or law enforcement agencies. More information can be found on the workshop web page at www.cl.cam.ac.uk/users/rja14/econws.html

WTCP'2002 Workshop on Trusted Computing Paradigms (in conjunction with ICPP-2002), Vancouver, British Columbia, Canada, August 18-21, 2002. (submissions due April 1, 2002)
The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. To build the secure and reliable systems required for our increasingly mobile, interconnected information-technology enabled society, research is needed to develop the large-scale information systems of the future such that they not only behave as expected, but, more importantly, continue to produce expected behavior against security breaches and hostile attacks. Moreover, we must ensure that any service disruptions that occur are infrequent, of minimal duration, manageable, and cause the least damage possible. The aim of this workshop is to consolidate state-of-the-art research in this area. Fundamental research articles and practical experience reports are solicited. More information can be found on the conference web site at www.cs.odu.edu/~wadaa/ICPP02/WTCP/

IASTED'2002 IASTED Conference on Communication Systems and Networks, Malaga, Spain, September 9-12, 2002. (submissions due April 15, 2002)
This conference is an international forum for researchers and practitioners interested in the advances in, and applications of, networks and communication systems. This conference will be comprised of the following four Symposia: Telecommunications Technology, Optical Communication Systems, Wireless Networks, and Satellite Communications and Antennas. More information on areas of interest and complete instructions for submitting a paper or tutorial proposal can be found at the conference web site at: www.iasted.org and www.iasted.org/conferences/2002/spain/submit-371.htm

FCS'02 LICS Satellite Workshop on Foundations of Computer Security, Copenhagen, Denmark, July 26, 2002. (submissions due April 22, 2002)
Computer security is an established field of Computer Science of both theoretical and practical significance. In recent years, there has been increasing interest in logic-based foundations for various methods in computer security, including the formal specification, analysis and design of cryptographic protocols and their applications, the formal definition of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks, and the modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. The aim of this workshop is to provide a forum for continued activity in this area, to bring computer security researchers in contact with the FLoC community, and to give FLoC attendees an opportunity to talk to experts in computer security. We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. More information can be found at the workshop web page: floc02.diku.dk/FCS/

SREIS2002 Second Symposium on Requirements Engineering for Information Security, Raleigh, North Carolina, USA, October 15-16, 2002. (submissions due May 3, 2002)
The second symposium on requirements engineering for information security invites papers on a diversity of topics, particularly ones that point out new directions. Theoretical, experimental, and experience papers are all welcome. SREIS provides researchers and practitioners from various disciplines with a highly interactive forum to discuss security and privacy-related requirements. Specifically, we encourage attendance from those in the fields of requirements engineering, software engineering, information systems, information and network security and trusted systems as well as those interested in approaches to analyzing, specifying, and testing requirements to increase the level of security provided to users interacting with pervasive commerce, research and government systems. Information for authors about how to submit a paper will be available via the symposium URL: www.sreis.org. For additional information contact: sreis-inf@cerias.purdue.edu.
The SREIS will be followed by the Second Annual Government-Industry Forum on Strategies for the Development of Security Requirements and Security Specifications for Critical Information Technologies. The forum, hosted by the National Institute of Standards and Technology (NIST), will take place on October 17, 2002 from 9:00 A.M. to 5:00 P.M. For further information, please contact Dr. Ron Ross at (301) 975-5390 or rross@nist.gov.

SIGSAC 2002 9th ACM Conference on Computer and Communication Security, Washington DC, USA, November 17-21, 2002. (submissions due May 10, 2002)
Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Ninth ACM Conference on Computer and Communications Security. The primary focus is on high-quality original unpublished research, case studies, and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing argument for the practical significance of the results. Theory must be justified by compelling examples illustrating its application. See the conference web site at www.acm.org/sigsac/ccs for details on submitting a paper.

ASIACRYPT 2002 Queenstown, New Zealand, December 1-5, 2002. (submissions due May 24, 2002)
Original papers on all technical aspects of cryptology are solicited for submission to Asiacrypt 2002. The conference is organized by the International Association for Cryptologic Research (IACR). Submissions must not substantially duplicate work that any of the authors has published elsewhere or has submitted in parallel to any other conference or workshop that has proceedings. More information can be found on the conference web page at www.sis.uncc.edu/ac02.

ACSAC2002 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, USA, December 9-13, 2002. (submissions due June 1, 2002)
This internationally recognized conference provides a forum for experts in information system security to exchange practical ideas about solving these critical problems. See the conference web page at www.acsac.org for details on submitting papers and tutorial proposals.

WISA2002 The 3rd International Workshop on Information Security Applications, Jeju Island, Korea, August 28-30, 2002. (submissions due June 28, 2002)
Please see the conference web page at icns.ewha.ac.kr/wisa2002 for details on submitting papers.

ICISC 2002 Fourth International Conference on Information and Communications Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002. (submissions due July 1, 2002)
Original papers on all aspects of information and communications security are solicited for submission to ICICS'02. More information can be found on the conference web page at www.krdl.org.sg/General/conferences/icics/Homepage.html.

SAINT2003 2003 Symposium on the Internet and Applications, Orlando, Florida, USA, January 27-31, 2003. (submissions due July 1, 2002)
THEME: The Evolving Internet. The Symposium on Applications and the Internet focuses on emerging and future Internet applications and their enabling technologies. The symposium provides a forum for researchers and practitioners from the academic, industrial, and public sectors, to share their latest innovations on Internet technologies and applications. Information for prospective authors, including paper format and submission instructions can be found in the symposium web page at www.saint2003.org.

NORDSEC2002 7th Nordic Workshop on Secure IT Systems, Karlstad University, Sweden, November 7-8, 2002. (submissions due August 1, 2002)
The NordSec workshops were started in 1996 with the aim of bringing together researchers and practitioners within computer security in the Nordic countries. The theme of the workshops has been applied security, i.e., all kinds of security issues that could encourage interchange and cooperation between the research community and the industrial/consumer community. A main theme of NordSec 2002, to which a special track within the workshop will be devoted, is Privacy Enhancing Technologies. NordSec 2002 will also specifically address the areas of Software Engineering and Quality of Service in relation to IT security. More information can be found on the conference web page at www.cs.kau.se/nordsec2002.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

The 1st Annual PKI Research Workshop www.cs.dartmouth.edu/~pki02/index.shtml
NIST, Gaithersburg, MD, USA, April 24-25, 2002.

WWW2001 www2002.org
The Eleventh International World Wide Web Conference, Sheraton Waikiki Hotel, Honolulu, Hawaii, USA, May 7-11, 2002.

NCISSE'2002 www.ncisse.org
The 6th National Colloquium for Information Systems Security Education, Redmond, Washington, USA, June 3-7, 2002.

POLICY2002 www.policy-workshop.org/2002/
IEEE Third International Workshop on Policies for Distributed Systems and Networks, June 5-7, 2002.

3rd Annual IEEE Information Assurance Workshop, United States Military Academy, West Point, NY, USA, June 17-19, 2002. (submissions due February 18, 2002) www.itoc.usma.edu/Workshop/2002

DSN2002 www.dsn.org
The International Conference on Dependable Systems and Networks, Bethesda, Maryland, USA, June 23-26, 2002.

FIRST www.first.org/
The 14th Annual Computer Security Incident Handling Conference, Hilton Waikoloa Village, Hawaii, USA, June 24-28, 2002.

CSFW15 15th IEEE Computer Security Foundations Workshop, Keltic Lodge, Cape Breton, Nova Scotia, Canada, July 29-31, 2002. (submissions due February 5, 2002) Trust and Privacy in Digital Business (on conjunction with DEXA 2002), Aix-en-Provence, France, September 2-6, 2002. (submissions due February 21, 2002) site at www.wi-inf.uni-essen.de/~dexa02ws/ CMS2002 The Seventh IFIP Communications and Multimedia Security Conference, Portoroz, Slovenia, September 26-27, 2002. (submissions due March 8, 2001) www.setcce.org/cms2002/, or contact: Prof. Borka Jerman-Blazic / ESORICS 2000 7th European Symposium on Research in Computer Security, Zurich, Switzerland, October 14-16, 2002. (submissions due March 15, 2001) ____________________________________________________________________ ____________________________________________________________________ ==================================================================== News Briefs ==================================================================== News briefs from past issues of Cipher are archived at www.ieee-security.org/Cipher/NewsBriefs.html ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at www.ieee-security.org/Cipher/ConfReports.html. ____________________________________________________________________ Book Review By Robert Bruen ____________________________________________________________________ Hack I. T. - Security Through Penetration Testing by T.j. Klevinsky, Scott Laliberte and Ajay Gupta. Addison-Wesley, 2002. 512 pages. Index, two appendices and CD-ROM $42.99 softcover. ISBN 0-201-71956-8 One of the early entries into books on penetration testing (pen test), Hack I.T. takes the next step from hacking tools to a systematic approach to discovering vulnerabilities. 
This is not a theoretical book, the authors have engaged in pen testing for clients and are sharing their expertise. They cover both Unix and Windows systems, with examples for each that start with deciding on a target and go to achieving the objective. The objective may be root, file access or some other permission which was not allowed. Defining the hacker levels right away helps to put them in perspective. Often, we only think about the "real" hackers/crackers and the script kiddies. Hack I. T. divides them into three levels, then also illuminates the security professional in the same light. There is a broad range of skills that are necessary to be competent in the pen test environment as well as a depth of knowledge for certain areas. The book is quite comprehensive in its coverage, which makes it useful for someone who is considering hiring a pen test professional or group. It is also valuable for someone who might be interested becoming a professional or doing their own work. One chapter of note is the tool kit chapter. More than just a list of software, the rationale for a tool kit is given so that you can adjust your tool kit to specific situations. It is up to date enough to include VMWare, a virtual machine that allows several operating systems on one machine without the need for dual booting. Although it may seem a bit old fashion, war dialing is included. Software which dials a series of phone numbers looking for modems, and possibly open ports, still turns out to be useful. In many organizations, for example, some employees have modems attached to their desktop. The managers of this example company might want the pen tester to check all the phone numbers within the company to see who has a live modem attached. The modems could be a security problem or simply against company policy. In addition to this example, many, if not most, network users connect to their ISP using a phone line. A more modern chapter deals with web server testing. 
A web server is generally susceptible to operating system vulnerabilities. If you can break into a system and escalate your privileges, it does not matter that it was a web server. You still have access to everything. However, web servers have CGI (Common Gateway Interface) vulnerabilities which are specific to the web server. This chapter presents the concepts and tools for this environment.

This book is a welcome addition to the security library. It goes beyond the idea of simply hacking into systems to the world of pen testing. It is an excellent book for anyone interested in providing security beyond the firewall.

____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Handbook of Computer Crime Investigation. Forensic Tools and Technology
edited by Eoghan Casey.
Academic Press 2002. 448 pages. Subject index, author index, 5 appendices.
ISBN 0-12-163103-6.

The Handbook is a collection of fourteen papers addressing three major areas: tools, technology and cases within computer forensics. Computer forensics is basically recovering information from a disk for evidence. It seems that, perhaps because of window interfaces, many users no longer understand the intricacies of disks and files. Of the few that do understand, some try to hide files by various means which others will try to uncover. Oftentimes, the files are not encrypted or hidden, but there are a large number that need to be sifted through to find the key files of interest.

The need for computer forensics is growing all the time. In many criminal cases law enforcement personnel will take the computer and/or disk as standard operating procedure. The bad guys not only use their computers for criminal activities, but they need to keep records just like the rest of us. Simply pulling out the information, collecting, then providing the proper documentation is the task at hand.
The biggest challenge is getting the evidence without disrupting dates, permissions, etc., that would destroy the integrity of the evidence, making it worthless in court.

As the need grows, so does the business response. Some of the tools covered are commercial products, such as EnCase. There are several approaches to forensic evidence gathering from disks. Some companies operate on the principle that software is all that is necessary, some push hardware and some a combination. There are also those who think that the real money is to be made by selling expertise. This is normal evolution in the business world where several approaches are taken with the best one or combination surviving. The software-only proponents believe that the hardware piece will become routine such that anyone will be able to operate whatever the hardware ends up being. The hardware guys are trying to develop the best hardware. EnCase is hardware, software and expertise.

The basic process is to get a copy of the disk and analyze the copy. EnCase takes an image of the disk that goes into its own file format for analysis. This leaves the original disk to be put in the evidence storage facility while the image is searched through by software. EnCase has a portable machine that takes the image on site and it even handles RAID. Although the principle of making a copy for analysis seems straightforward, there are a number of twists and turns involved in getting it right.

The Handbook is geared towards crime, such as pornography, but we can all learn a lot from this great set of papers. I did and I am glad I did. This is an area worth exploring for security folks, especially if you believe that you might be involved with a computer that might end up as evidence.

____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Computer Forensics and Privacy
by Michael Caloyannides.
Artech House 2001. 392 pages.
Index, two appendices, glossary, chapter bibliographies. Hardcover.
ISBN 1-58053-283-7

Privacy is near and dear to my heart, so I was intrigued by this book's title. Computer forensics is becoming commonplace within criminal investigations and as a tool within organizations, for many reasons that will not end up involving law enforcement. Much of our lives is stored on computers somewhere, often not under our control. The time has come for everyone to understand what that means to each of us and our privacy. The stored information is not only in purposeful databases, but in unexpected places.

The author has done a superb job going into significant detail for a large number of topics. There are explanations of the slack space in Windows disks, the swap file, free space and other such places where random data winds up. These are places where you have little control over what gets written, and therefore may provide a wealth of useful information to the forensic examiner and may cause problems for you.

Windows likes to write to disks in cluster units. A cluster is a group of sectors on a disk, with different sizes depending on a number of factors. If your file only fills up half a cluster, then it will use whatever is handy to fill up the remaining space. This could be passwords or worse. Worse for you, but great for the investigator. The swap file has a similar problem, although what gets written there was supposed to be written there. It is just that it does not get erased, so whatever was there last is still there.

The registry in Windows is another place the forensic examiner will want to look through carefully. If you would like to protect yourself, then you might want to get there first. The Windows Media Player problem has an entry that you should fix. Caloyannides' instructions for dealing with the registry are clear and concise, making it easy for the reader to take care of it.
Swinging from the technical aspects, the book goes into legal issues related to online privacy ranging from banking to the Digital Millennium Copyright Act and the laws governing evidence gathering. The author is obviously well versed in the privacy and technology game. In fact, this book works very well for someone who is simply interested in security. The author brings together very nicely the worlds of security and privacy in the field of computer forensics.

I gladly recommend this title as a book that brings to light the hidden world of bits on a disk. It is technical in nature, but written well enough to be understood.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy,
by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at
www.ieee-security.org/Cipher/ReadersGuide.html

[New entries March 15, 2002]

Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA, April 14-15, 2002:

"Privacy-enhancing technologies for the Internet, II: Five years later", I. Goldberg
"Detecting Web Bugs With Bugnosis: Privacy Advocacy Through Education", A. Alsaid and D. Martin
"Private authentication", M. Abadi
"Towards an Information Theoretic Metric for Anonymity", A. Serjantov and G. Danezis
"Towards Measuring Anonymity", C. Diaz, S. Seys, J. Claessens and B. Preneel
"The Platform for Enterprise Privacy Practices -- Privacy-enabled Management of Customer Data", G. Karjoth, M. Schunter and M. Waidner
"Privacy Enhancing Profile Disclosure", P. Dornbach and Z. Nemeth
"Privacy Enhancing Service Architectures", T. Alamaki, M. Bjorksten, P. Dornbach, C. Gripenberg, N. Gyorbiro, G. Marton, Z. Nemeth, T. Skytta and M. Tarkiainen
"Dummy Traffic Against Long Term Intersection Attacks", O. Berthold and H. Langos
"Protecting Privacy during On-line Trust Negotiation", K. Seamons, M. Winslett, T. Yu, L.
Yu and R. Jarvis
"Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer", A. Iliev and S. Smith
"Preventing Interval-based Inference by Random Data Perturbation", Y. Li, L. Wang and S. Jajodia
"Fingerprinting Websites Using Traffic Analysis", A. Hintz
"A Passive Attack on the Privacy of Web Users Using Standard Log Information", T. Demuth
"Covert Messaging Through TCP Timestamps", J. Giffin, R. Greenstadt, P. Litwack and R. Tibbetts
"Almost Optimal Private Information Retrieval", D. Asonov and J.-C. Freytag
"Unobservable Surfing on the World Wide Web: Is Private Information Retrieval an alternative to the MIX based Approach?", D. Kesdogan, M. Borning and M. Schmeink

9th International SPIN Workshop on Model Checking of Software (SPIN 2002), April 11-13, 2002, Grenoble, France:
[Security-related paper only]

"Using SPIN to verify security properties of cryptographic protocols", P. Maggi and R. Sisto

Foundations of Software Science and Computation Structures (FOSSACS'02) Grenoble, France, April 6-14, 2002:
[Security-related papers only]

"Conflict Detection and Resolution in Access Control Policy Specifications", M. Koch, L. Mancini and F. Parisi-Presicce
"On Compositional Reasoning in the Spi-Calculus", M. Boreale and D. Gorla

9th annual IEEE Conference and Workshop on Engineering of Computer-Based Systems, Lund, Sweden, April 8-11, 2002:
[Security-related papers only]

"An Intelligent Agent Security Intrusion System", J. Pikolulas, W. Buchanan, M. Mannion and K. Triantafyllopoulos
"Exploiting Process Patterns in Security Engineering", W. Lam and K. R. S. Murthy

12th International Workshop on Research Issues on Data Engineering (RIDE-2EC'2002) in conjunction with ICDE'02, San Jose, USA, February 24-25, 2002
[Security-related papers only]

"Privacy Preserving Association Rule Mining", Y. Saygin, V. Verykios and A. Elmagarmid
"Building consumer self-anonymity scalable payment protocol for Internet purchase", H. Wang, J. Cao, Y.
Kambayashi

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, critical software.
Applications begin immediately.
www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

School of Information Sciences and Technology
PennState, University Park, PA
Full-Time Faculty Positions: Security and Privacy Perspectives
ist.psu.edu/jobposts/index2.cfm?pageID=30

Department of Computing
Imperial College of Science, Technology and Medicine, London, UK
Up to 5 Lecturer (Assistant Professor) appointments
Closing date: 7 January 2002
www.doc.ic.ac.uk/situation.html#job8

Cornell University, Ithaca, NY
Post-Doctoral Position
Position closes 12/31/2001
www.cs.cornell.edu/cdlrg/prism/postdoc.htm

Department of Computer Science
James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications of faculty that specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security, networking, data mining and software engineering.
Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science
Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science
Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science
Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
www.ieee-security.org/Cipher/AddressChanges.html

____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
____________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name          First Name          Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                   State
___________________________________________________________
Country                                Postal Code
___________________________________________________________
Office Phone                           Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy

Year(s)      Format      Price
2001         Hardcopy    $25.00*
2000         Hardcopy    $15.00*
1999         Hardcopy    SOLD OUT
1998         Hardcopy    $10.00*
2000-2001    CD-ROM      $25.00*

* Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy to:

Terry L. Hall
Treasurer, IEEE Security and Privacy
14522 Gravelle Lane
Florissant, MO 63034
U S A

Please include the appropriate amount to cover shipping charges as noted in the table below.

Domestic shipping:      $4.00 per order for 3 volumes or fewer
Overseas surface mail:  $6.00 per order for 3 volumes or fewer
Overseas air mail:      $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send email to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, method of shipping (surface or air for overseas orders) along with

* the name of the cardholder,
* credit card number, and
* the expiration date.

Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundation Workshop (CSFW14) took place June 2001 in Cape Breton, Nova Scotia. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each.
Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10. Checks payable to Joshua Guttman for CSFW may be sent to:

Joshua Guttman, MS S119
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Vice Chair and S&P 2002 chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512)436 1538 (voice)
hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #47, March 15, 2002===========