Subject: Electronic CIPHER, Issue 51, November 16, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 51                              November 16, 2002

Jim Davis, Editor                  Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor      Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Call for papers for the 16th IEEE Computer Security Foundations
    Workshop, Asilomar, Pacific Grove, CA, USA, June 30-July 2, 2003.
  o Upcoming calls-for-papers and events
    7 new calls added since Cipher E50:
    - 18th ACM Symposium on Access Control Models and Technologies
      (submissions due December 14, 2002)
      www.acm.org/sigsac/sacmat/
    - 16th IEEE Computer Security Foundations Workshop
      (submissions due January 28, 2002)
      www.csl.sri.com/csfw/csfw16
    - Second Annual PKI Research Workshop
      (submissions due January 31, 2003)
      middleware.internet2.edu/pki03/
    - Security in Distributed Computing (special track of the 22nd
      Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed
      Systems) (submissions due January 31, 2003)
      www.podc.org/podc2003/
    - Workshop on Data Mining for Counter Terrorism and Security
      (submissions due February 1, 2003)
      ic.arc.nasa.gov/~ashok/SIAM_2003_Conference.htm
    - 7th International Conference on Knowledge-Based Intelligent
      Information & Engineering Systems (special session on Artificial
      Intelligence Applications to Information Security)
      (submissions due February 1, 2003)
      scalab.uc3m.es/~docweb/AIIS_KES03.html
    - Communications Security Symposium
      (submissions due February 15, 2003)
      www.globecom2003.com/CFP1.html
* Commentary and Opinion
  o Robert Bruen's review of Honeypots Tracking Hackers by Lance Spitzner
  o Robert Bruen's review of A Guide to Forensic Testimony. The Art and
    Practice of Presenting Testimony as an Expert Technical Witness by
    Fred Smith and Rebecca Bace
  o Robert Bruen's review of Hackers Beware by Eric Cole
  o Review of the New Security Paradigms 2002 Workshop Papers, by
    Christina Serban and Hilary Hosmer
  o NewsBits: Announcements and correspondence from readers
  o Book reviews from past Cipher issues
  o Conference Reports and Commentary from past Cipher issues
  o News items from past Cipher issues
* Reader's guide to recent security and privacy literature, by Anish
  Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will
find book reviews by Robert Bruen, a review of the 2002 New Security
Paradigms Workshop by Christina Serban and Hilary Hosmer, and links to
several new calls for papers. Of special note in the NewsBits column
is the announcement of the new Editor in Chief of IEEE Security &
Privacy Magazine. Some of you have told me that you miss the
conference reviews, so it's nice to be able to pass along the NSPW
review in this issue.

Many thanks to our colleagues who contributed to Cipher!
Best regards,
Jim Davis
davis@iastate.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events, maintained by Hilarie
Orman. Each entry gives Date (Month/Day/Year), Event, Location, and a
web page for more info.

* 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan; opnear.utdallas.edu/hsnhome.htm
* 11/17/02-11/21/02: CCS, Washington, DC, USA; www.acm.org/sigs/sigsac/ccs/
* 11/17/02-11/21/02: IETF, Atlanta, GA; www.ietf.org/meetings
* 11/20/02-11/22/02: CARDIS '02, San Jose, CA; www.usenix.org/events/cardis02/
--------------
* 12/1/02-12/5/02: Asiacrypt 2002, Queenstown, New Zealand; www.commerce.otago.ac.nz/infosci/asiacrypt/
* 12/1/02-12/6/02: ACM-MM 2002, Juan Les Pins, France; www.acm.org/sigmm/MM2002/index.html
* 12/2/02: WPET 2003, Dresden, Germany; www.petworkshop.org
* 12/3/02-12/6/02: IPSec, Paris, France; www.upperside.fr/ipsec02/ipsec02intro.htm
* 12/9/02-12/11/02: OSDI '02, Boston, Massachusetts; www.usenix.org/events/osdi02/cfp/
* 12/9/02-12/12/02: ICICS '02, Singapore; www.krdl.org.sg/General/conferences/icics/Homepage.html
* 12/9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
* 12/14/02: SACMAT '03, Como, Italy; www.acm.org/sigsac/sacmat/
* 12/15/02: POLICY 2003, Lake Como, Italy; www.labs.agilent.com/policy2003/
* 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India; www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
* 12/16/02-12/18/02: WMN, Hsinchu, Taiwan; www.ee.nthu.edu.tw/~PCM2002/
--------------
* 1/10/03: NetCompApp '03, Cambridge, MA; http://www.cs.utk.edu/~mbeck/NCA03/NCA03-cfp.pdf
* 1/28/03: CSFW 16, Pacific Grove, CA; http://www.csl.sri.com/csfw/index.html
* 1/31/03: PKI '03, Gaithersburg, MD; http://middleware.internet2.edu/pki03/
--------------
* 2/10/03: CRYPTO '03, Santa Barbara, CA; http://www.iacr.org/conferences/crypto2003/cfp.html
--------------
* 3/12/03-3/14/03: SPC-2003, Boppard, Germany; www.dkfi.de
* 3/21/03: ICON 2003, Sydney, Australia; www.ee.unsw.edu.au/~icon/
* 3/26/03-3/28/03: WPET 2003, Dresden, Germany; www.petworkshop.org
--------------
* 4/13/03-4/17/03: CT-RSA 2003, San Francisco, CA; http://reg2.lke.com/rs3/rsa2003/crypto.html
* 4/16/03-4/18/03: NetCompApp '03, Cambridge, MA; www.cs.utk.edu/~mbeck/NCA03/NCA03-cfp.pdf
* 4/22/03: BITE 2003, Angers, France; www.iceis.org/
* 4/28/03-4/29/03: PKI '03, Gaithersburg, MD; http://middleware.internet2.edu/pki03/
* 4/28/03-4/30/03: ITCC, Las Vegas, Nevada; www.cs.clemson.edu/~srimani/itcc2003/cfp.html
--------------
* 5/11/03: SNPA 2003; www.icc2003.com/workshop1.html
* 5/11/03-5/14/03: IEEE S & P, Oakland, California; www.ieee-security.org/TC/SP-Index.html
* 5/18/03-5/21/03: IRMA 2003, Hershey, PA, USA; www.irma-international.org/
* 5/20/03-5/24/03: WWW-SEC-2003, Budapest, Hungary; www.www2003.org
--------------
* 6/2/03-6/3/03: SACMAT '03, Como, Italy; www.acm.org/sigsac/sacmat/
* 6/4/03-6/6/03: POLICY 2003, Lake Como, Italy; www.labs.agilent.com/policy2003/
* 6/5/03-6/6/03: EIT 2003, Indianapolis, IN; www.cis-ieee.org/eit2003
* 6/26/03-6/28/03: WISE 3, Monterey, CA, USA; cisr.nps.navy.mil/wise3/
--------------
* 7/2/03: CSFW 16, Pacific Grove, CA; www.csl.sri.com/csfw/index.html
--------------
* 8/17/03-8/21/03: CRYPTO '03, Santa Barbara, CA; www.iacr.org/conferences/crypto2003/cfp.html
--------------
* 9/28/03-10/1/03: ICON 2003, Sydney, Australia; www.ee.unsw.edu.au/~icon/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

Workshop on Privacy Enhancing Technologies 2003, Dresden, Germany,
March 26-28, 2003. (submissions due December 2, 2002)

Privacy and anonymity are increasingly important in the online world.
Corporations and governments are starting to realize their power to
track users and their behavior, and restrict the ability to publish or
retrieve documents. Approaches to protecting individuals, groups, and
even companies and governments from such profiling and censorship have
included decentralization, encryption, and distributed trust. The
workshop seeks submissions from academia and industry presenting novel
research on all theoretical and practical aspects of privacy
technologies, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present their perspectives on technological issues. As in past
years, we will publish proceedings after the workshop. A list of
topics of interest is provided on the conference web page at
www.petworkshop.org/.

18th ACM Symposium on Access Control Models and Technologies, Como,
Italy, June 2-3, 2003. (submissions due December 14, 2002)

The mission of the symposium is to share novel access control
solutions that fulfill the needs of interesting applications and to
identify new directions for future research and development work.
SACMAT gives researchers and practitioners a unique opportunity to
share their perspectives with others interested in the various aspects
of access control.
Areas of interest include:
- Access control within the context of emerging standards
- Access control models and extensions
- Access control for innovative applications
- Methodologies and tools for access control policy design
- Administration of access policies
- Authorization management
- Access control mechanisms, systems and tools
- Access control in distributed and mobile systems
- Safety analysis and enforcement
- Theoretical foundations for access control models

See the Web page at www.acm.org/sigsac/sacmat/ for detailed calls for
papers, panels, tutorials and other useful information.

WISE 3 / WECS 5, Third World Conference on Information Security
Education and Workshop on Education in Computer Security, Naval
Postgraduate School, Monterey, California, USA, June 26-28, 2003.
(submissions due January 3, 2003)

IFIP Working Group 11.8 (Information Security Education) and the
Workshop on Education in Computer Security invite you to contribute to
their activities by submitting papers for presentation at their
conference to be held at the Naval Postgraduate School in Monterey,
California, USA. The conference aims to address interested researchers
and educators from universities, schools, industry or government. The
theme for the conference is Teaching the Role of Information Assurance
in Critical Infrastructure Protection.

Relevant topics include, but are not limited to, the following:
- New Programs in Information Security and Privacy Education
- Training the Cyberwarrior
- Information Security Education in Non-Academic Contexts
- Computer Security and Infrastructure Protection
- Education of Citizens in Information Security
- Information Security Education in Schools
- Teaching Cyber Ethics
- Education in Computer Forensics and the Law
- Education in Electronic Commerce Security
- Education of Information Security Professionals
- Teaching Information Systems Auditing
- International Standards of Security Education
- Evaluation of Security Education
- Programs to Raise Information Security Awareness
- Holistic Approaches in Information Security Education
- Practical and Experimental Approaches to Information Security Education
- Information Security Distance Learning and Web-based Teaching

The conference web site can be found at cisr.nps.navy.mil/wise3/.

USENIX Security 2003, 12th USENIX Security Symposium, Washington, DC,
USA, August 4-8, 2003. (submissions due January 27, 2003)

The USENIX Security Symposium brings together researchers,
practitioners, system administrators, system programmers, and others
interested in the latest advances in security of computer systems.
Refereed paper submissions are being solicited in all areas relating
to systems and network security, including:
- Adaptive security and system management
- Analysis of malicious code
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Automated tools for source code analysis
- Authentication and authorization of users, systems, and applications
- Denial-of-service attacks
- File and filesystem security
- Firewall technologies
- Intrusion detection
- Privacy preserving (and compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security in heterogeneous and large-scale environments
- Security of agents and mobile code
- Security of Internet voting systems
- Techniques for developing secure systems
- World Wide Web security

Since USENIX Security is primarily a systems security conference,
papers regarding new cryptographic algorithms or protocols, or
electronic commerce primitives, are in general discouraged.

16th IEEE Computer Security Foundations Workshop, Asilomar, Pacific
Grove, CA, USA, June 30-July 2, 2003. (submissions due January 28, 2003)

This workshop series brings together researchers in computer science
to examine foundational issues in computer security. We are interested
both in new results in theories of computer security and also in more
exploratory presentations that examine open questions and raise
fundamental concerns about existing theories. Both papers and panel
proposals are welcome.

Possible topics include, but are not limited to:
- Access control
- Authentication
- Data and system integrity
- Database security
- Network security
- Distributed systems security
- Anonymity
- Intrusion detection
- Security for mobile computing
- Security protocols
- Security models
- Decidability issues
- Privacy
- Executable content
- Formal methods for security
- Information flow
- Language-based security

Information on submitting papers and panel proposals can be found on
the workshop web page at www.csl.sri.com/csfw/csfw16.

Second Annual PKI Research Workshop, NIST, Gaithersburg, MD, USA,
April 28-29, 2003. (submissions due January 31, 2003)

This workshop among leading security researchers will explore the
issues relevant to this area of security management, and will seek to
foster a long-term research agenda for authentication and
authorization in populations large and small via public key
cryptography. We solicit papers, panel proposals, and participation.
The goals of this workshop are to cross-pollinate existing research
efforts, to identify the key remaining challenges in deploying public
key authentication and authorization, and to develop a research agenda
addressing those outstanding issues.
- What are the key areas in current PKI approaches that need further work?
- For each area, what approaches appear most promising?
- How do the approaches in one area affect the methodologies in other areas?

A complete list of topics of interest and the full call for papers can
be found at the workshop web site at middleware.internet2.edu/pki03/.

Security in Distributed Computing (special track of the 22nd Annual
ACM SIGACT-SIGOPS Symposium on Principles of Distributed Systems),
Boston, Massachusetts, USA, July 13-16, 2003. (submissions due
January 31, 2003)

We are soliciting research contributions on the design, specification,
implementation, application and theory of secure distributed
computing. We welcome submissions on any topic in the intersection of
security and distributed computing, including but not limited to:
- Secure multiparty and two-party computations
- Secret sharing and verifiable secret sharing
- Resiliency to corruptions: distributed, forward and proactive security
- Security, privacy and anonymity in the Internet and in mobile
  communication systems
- Secure protocols, security protocols and distributed algorithms
- Secure multicast and broadcast
- Denial of service (clogging) and its prevention
- Non-repudiation, certification and time stamping protocols
- Distribution of intellectual property and its (copyright) protection
- Secure distributed marketplaces, auctions, and gambling
- Cryptographic protocols, including authentication, key management, etc.
- Secure electronic commerce, banking and payment protocols
- Security for Peer to Peer computing
- Secure bandwidth reservation and QoS
- Distributed access control and trust management
- Secure mobile agents and mobile code
- Security for Storage Area Networks

The special track is an integral part of PODC; see
www.podc.org/podc2003/ for additional information.

Workshop on Data Mining for Counter Terrorism and Security (held in
conjunction with the Third SIAM International Conference on Data
Mining), San Francisco, CA, USA, May 3, 2003. (submissions due
February 1, 2003)

The purpose of this workshop is to discuss ways in which data mining
and machine learning can be used to analyze data from numerous sources
of high complexity for the purpose of preventing future terrorist
activity. This is inherently a multidisciplinary activity, drawing
from areas such as intelligence, international relations, and security
methodology. From the data mining and machine-learning world, this
activity draws on text mining, data fusion, data visualization and
data warehousing; high scalability is necessary for a successful
endeavor. Papers in these areas with clear application to the issues
of counter terrorism are particularly solicited.

Topics of interest include:
- Methods to integrate heterogeneous data sources, such as text,
  internet, video, audio, biometrics, and speech
- Scalable methods to warehouse disparate data sources
- Identifying trends in singular or group activities
- Pattern recognition for scene and person identification
- Data mining in the field of aviation security, port security, bio-security
- Data mining on the web for terrorist trend detection

More information can be found on the workshop web page at
http://ic.arc.nasa.gov/~ashok.

7th International Conference on Knowledge-Based Intelligent
Information & Engineering Systems (special session on Artificial
Intelligence Applications to Information Security), St Anne's College,
University of Oxford, U.K., September 3-5, 2003. (submissions due
February 1, 2003)

In spite of the efforts of Information Security researchers, there are
still a considerable number of unsolved problems that may benefit from
the application of Artificial Intelligence techniques. The increasing
interest in solving such problems has resulted in a concerted effort
of Artificial Intelligence and Information Security researchers.
Therefore, AI techniques like agents, evolutionary computation, neural
networks, cellular automata, classic and fuzzy logic and machine
learning may play an important role in specific problems concerning
Information Security.

We particularly encourage the discussion of the following topics:
- Semantic analysis of cryptologic protocols
- Security of mobile agents
- Security through agents
- Representation and use of trust induced by PKIs
- Optimisation heuristics in cryptanalysis
- Machine Learning techniques in cryptanalysis
- AI techniques in cryptology
- Any other work addressing information security problems by means of
  AI techniques

This session aims at bringing together members from the two research
communities, information security and artificial intelligence.
Consequently, discussion papers, conceptual papers, theoretical papers
and application papers will be welcomed. Please visit the conference
web site at scalab.uc3m.es/~docweb/AIIS_KES03.html for more detail on
the topics of interest as well as general conference information.

Communications Security Symposium (part of the IEEE GLOBECOM 2003
workshop), San Francisco, CA, USA, December 1-5, 2003. (submissions
due February 15, 2003)

The inaugural symposium on Communications Security solicits
submissions of new results in all security topics for wireless,
mobile, ad hoc, peer-to-peer, or landline communication networks.
Please see the complete call posted at www.globecom2003.com/CFP1.html
(under GLOBECOM 2003 Symposia Titles).

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

CCS 2002  www.acm.org/sigs/sigsac/ccs/
  9th ACM Conference on Computer and Communication Security,
  Washington DC, USA, November 17-21, 2002.

DRM 2002  crypto.stanford.edu/DRM2002/
  ACM Workshop on Digital-Rights Management (in conjunction with the
  9th Annual ACM CCS Conference), Washington DC, USA, November 18, 2002.
SACT  www.sait.fsu.edu/sactworkshop/sact.html
  First ACM Workshop on Scientific Aspects of Cyber Terrorism (in
  conjunction with the ACM Conference on Computer and Communication
  Security), Washington, DC, USA, November 21, 2002.

WPES  seclab.dti.unimi.it/~wpes
  ACM Workshop on Privacy in the Electronic Society (in association
  with 9th ACM Conference on Computer and Communication Security),
  Washington, DC, USA, November 21, 2002.

ASIACRYPT 2002  www.sis.uncc.edu/ac02
  Queenstown, New Zealand, December 1-5, 2002.

ICISC 2002  www.krdl.org.sg/General/conferences/icics/Homepage.html
  Fourth International Conference on Information and Communications
  Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002.

ACSAC2002  www.acsac.org
  18th Annual Computer Security Applications Conference, Las Vegas,
  Nevada, USA, December 9-13, 2002.

BCS-FACS  www.bcs-facs.org/
  British Computer Society Formal Aspects of Security, Royal Holloway,
  University of London, UK, December 19-20, 2002.

PKC2003  www.sait.fsu.edu/pkc2003
  The Sixth International Workshop on Practice and Theory in Public
  Key Cryptography, Miami, Florida, USA, January 6-8, 2003.

HICSS-36  www.cs.uidaho.edu/~krings/HICSS36/HICSS36-cfp.htm
  Secure and Survivable Software Systems (Part of the Software
  Technology Track), Big Island, Hawaii, USA, January 6-9, 2003.

SAINT2003  www.saint2003.org
  2003 Symposium on the Internet and Applications, Orlando, Florida,
  USA, January 27-31, 2003.

www.sait.fsu.edu/wsaan2003/
  Workshop on Security and Assurance in Ad hoc Networks, held in
  conjunction with The 2003 International Symposium on Applications
  and the Internet, Orlando, Florida, USA, January 28, 2003.

NDSS'03  www.isoc.org/isoc/conferences/ndss/03/index.shtml
  The 10th Annual Network and Distributed System Security Symposium,
  San Diego, CA, USA, February 5-7, 2002.

SPC-2003  www.dfki.de/SPC2003
  First International Conference on Security in Pervasive Computing,
  Boppard, Germany, March 12-14, 2003.

www.ieee-tfia.org/iwia2003/
  The First International Workshop on Information Assurance,
  Darmstadt, Germany, March 24, 2003.

IPCCC'2003  www.ipccc.org
  The International Performance, Computing, and Communications
  Conference, Phoenix, Arizona, USA, April 9-11, 2003.

CT-RSA 2003  reg2.lke.com/rs3/rsa2003/crypto.html
  Cryptographers' Track, RSA Conference 2003, San Francisco, CA, USA,
  April 13-17, 2003.

ICEIS'2003  www.iceis.org
  5th International Conference on Enterprise Information Systems,
  Angers, France, April 23-26, 2003.

ITCC 2003  www.cs.clemson.edu/~srimani/itcc2003/cfp.html
  International Conference on Information Technology: Coding and
  Computing, Las Vegas, Nevada, April 28-30, 2003.

S&P2003  www.research.att.com/~smb/oakland03-cfp.html
  The 2003 IEEE Symposium on Security and Privacy, Oakland,
  California, USA, May 11-14, 2003.

IRMA 2003  www.irma-international.org
  Information Resources Management Association International
  Conference, Philadelphia, Pennsylvania, USA, May 18-21, 2003.

WWW2003  www.www2003.org/
  The Twelfth International World Wide Web Conference, Security &
  Privacy Track, Budapest, Hungary, May 20-24, 2003.

____________________________________________________________________
Call For Papers
16th IEEE Computer Security Foundations Workshop
June 30 - July 2, 2003
Asilomar, Pacific Grove, CA, USA
____________________________________________________________________

Sponsored by the Technical Committee on Security and Privacy of the
IEEE Computer Society

www.csl.sri.com/programs/security/csfw/csfw16/index.hrml

This workshop series brings together researchers in computer science
to examine foundational issues in computer security. We are interested
both in new results in theories of computer security and also in more
exploratory presentations that examine open questions and raise
fundamental concerns about existing theories. Both papers and panel
proposals are welcome.
Possible topics include, but are not limited to:
  Access control
  Authentication
  Data and system integrity
  Database security
  Network security
  Distributed systems security
  Anonymity
  Intrusion detection
  Security for mobile computing
  Security protocols
  Security models
  Decidability issues
  Privacy
  Executable content
  Formal methods for security
  Information flow
  Language-based security

For background information about the workshop, see the CSFW home page.
This year the workshop will be held in Pacific Grove, CA, USA.
Information about the location and the organization will soon be
available at the conference web page.

The proceedings are published by the IEEE Computer Society Press and
will be available at the workshop. Selected papers will be invited for
submission to the Journal of Computer Security.

Instructions for Participants

Submission is open to anyone. Workshop attendance is limited to about
50 participants. Submitted papers must not substantially overlap
papers that have been published or that are simultaneously submitted
to a journal or a conference with proceedings.

Papers should be at most 20 pages long excluding the bibliography and
well-marked appendices (using 11-point font, single column format, and
reasonable margins on 8.5"x11" paper), and at most 25 pages total.
Alternatively, papers can be submitted using the two-column IEEE
Proceedings style available for various document preparation systems
by following this link. Papers in this style should be at most 12
pages long (at most 15 pages including bibliography and appendices).
The page limit will be strictly adhered to. Committee members are not
required to read the appendices, and so the paper should be
intelligible without them.

Proposals for panels should be no more than five pages in length and
should include possible panelists and an indication of which of those
panelists have confirmed participation.

You may submit papers through the conference web site. Papers should
be submitted in PostScript or Portable Document Format (PDF). Papers
submitted in a proprietary word-processor format such as Microsoft
Word cannot be considered.

At least one coauthor of each accepted paper is expected to attend
CSFW-16. Papers that do not adhere to this policy will be removed from
the proceedings.

Important Dates

  Submission deadline:        January 28, 2003
  Notification of acceptance: March 14, 2003
  Camera-ready papers:        April 8, 2003

Program Committee

  Michele Bugliesi, University of Venice, Italy
  Frederic Cuppens, ONERA, France
  Pierpaolo Degano, University of Pisa, Italy
  Riccardo Focardi (chair), University of Venice, Italy
  Dieter Gollmann, Microsoft Research, UK
  Carl Gunter, University of Pennsylvania, USA
  Joshua Guttman, The MITRE Corporation, USA
  Masami Hagiya, University of Tokyo, Japan
  Chris Hankin, Imperial College, UK
  Matthew Hennessy, University of Sussex, UK
  Alan Jeffrey, DePaul University, USA
  Heiko Mantel, DFKI, Saarbrücken, Germany
  Fabio Martinelli, IIT-CNR, Italy
  Jonathan Millen, SRI International, USA
  Mike Reiter, Carnegie Mellon University, USA
  Andrei Sabelfeld, Cornell University, USA
  Ravi Sandhu, George Mason University, USA
  Andre Scedrov, University of Pennsylvania, USA
  Steve Schneider, Royal Holloway, University of London, UK
  Geoffrey Smith, Florida International University, USA
  Paul Syverson, Naval Research Laboratory, USA

Workshop Location

The 16th IEEE Computer Security Foundations Workshop will be held at
the Asilomar Conference Center, located on the beautiful Monterey
Peninsula in Pacific Grove, California. Asilomar, meaning "refuge by
the sea", is a tranquil environment surrounded by forest and white
sand beaches. As a member of the California State Park system, it
offers 107 extraordinary acres of forests, dunes, and coastline
situated on the Monterey Bay National Marine Sanctuary. Founded in
1913 as the western conference center for the Young Women's Christian
Association (YWCA), it is the ideal conference setting.

Asilomar offers secluded guest rooms with forest or marine views.
Rooms are clustered into quaint lodges, some of which feature
fireplaces. Sunset walks along the beach and coastal trails are a
great way to unwind. On-site recreation includes a heated swimming
pool, volleyball and billiard tables. Just minutes away is Pebble
Beach, featuring world-class golf courses and the scenic 17-Mile
Drive. And some of the most breathtaking coastline in the world can be
found just 20 minutes to the south toward Big Sur along Hwy 1.

Also nearby is the Monterey Bay Aquarium, featuring spectacular
deep-sea and kelp forest exhibits. Monterey Bay hosts a unique deep-sea
environment close to shore: there is an underwater canyon over 2 km
deep at around 15 km from shore. The Monterey Bay Aquarium will share
their deep-sea robotic observations and experiences with conference
attendees on the evening of 1 July 2003.

Asilomar is 2.3 hours by car from San Francisco International Airport
(SFO). There are direct flights between San Francisco and most major
European and American cities. The Monterey regional airport (MRY) is
10 minutes by car from Asilomar. There are direct flights to MRY from
Los Angeles International Airport (LAX) and SFO about every 2 hours
until 10pm. More travel information can be found on the CSFW16
website.

Additional Information

For further information contact:

General Chair
  Dennis Volpano
  Cranite Systems Inc.
  6620 Via Del Oro
  San Jose, CA 95119 USA
  volpano@cranite.com

Program Chair
  Riccardo Focardi
  Dipartimento di Informatica
  Universita' di Venezia
  via Torino 155, I-30172 Mestre (Ve), Italy
  +39-041-2348438
  focardi@dsi.unive.it

Publications Chair
  Jonathan Herzog
  The MITRE Corporation
  202 Burlington Road
  Bedford, MA 01730-1420 USA
  jherzog@mitre.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.

____________________________________________________________________
Book Review By Robert Bruen
November 13, 2002
____________________________________________________________________

Eric Cole, "Hackers Beware". New Riders 2002. ISBN 0-7357-1009-0.
778 pages. $45.00. Index, appendix (references).

As the world of security continues to move forward with improvements
in exploits, both in types and implementation, pushing the defenders
to improve in lock-step, the need for new books rises along the same
wave. However, the new books must have something to offer, such as new
material and better presentation. Rehashes of the same old stuff are
no longer good enough. Security is an ever broadening, ever deepening
discipline which is still seeking more theoretical work and a more
organizational work for known information. There are a fair number of
books available which deal with defending against hackers and
crackers, so new books have to demonstrate quality to distinguish
themselves.
Hackers Beware is a quality book, shown mainly in the depth of treatment of the topics, although most exploits are described only. The amount of code is quite limited, but the description of something like Knark (Linux Kernel rootkit from last year) gives you enough information to use on a search engine to find more details or even the code. Since many exploits are described one can make intelligent decisions about what approach might be the most appropriate for particular goals. At the same time, defenders will learn about the myriad approaches which can (and will) be taken to attack systems. The better hacker/anti-hacker books provide enough background details as to why attacks work. Gaining an understanding of the how, why and what of exploits is critical, if the various operating systems and applications are to be hardened enough to withstand the relentless assaults. It is not unlike people shoring up dams and levies against a rising river in real time. If the dam was built to handle high enough flood levels in the first place, there would be no need to scramble. Unlike rivers that eventually recede to normal levels, exploits and attacks will only get worse. Trying to keep up is an ongoing problem for systems people. At least some of those who are good at this game are trying to communicate what they know in a way that is useful. Cole covers operating system specific problems with Unix and Windows, as well as looking at the broader network problems and web site weakness, as well common problems such as buffer overflows. The Windows information is confined to NT, but since NT underlies 2000 and XP, this is not so bad. The amount of exploit software is overwhelming, so it helps to have a number of resources for names and documentation for them. This book is one of the resources. I recommend this book because of its quality and it contains newer information than the last few I have read. 
Naturally, the next one I read will contain even newer information, but for now, this is worth the read. ____________________________________________________________________ Book Review By Robert Bruen November 11, 2002 ____________________________________________________________________ Lance Spitzner. "Honeypots Tracking Hackers." Addison-Wesley 2003. ISBN 0-321-10895-7 LoC QA769A25 S67 2002 452pages. $44.99. Endnotes, index, five appendices, CD-ROM. Honeypots/honeynets have matured into a field of their own with good reason. What started years ago as a deception toolkit has morphed into a tarpit and a weapon which has attracted the attention of some of the some three-letter government agencies. This title follows on the heels of "Know Your Enemy", an excellent introduction to honeynets. The original Honeynet Project was a team working to understand what the activities of the blackhats. This book takes the next step incorporating what has been learned this past year or so. In addition it brings together the work of others, including commercial products. It seems to me that the idea of a system that is only there to see if someone is breaking into your network is a fairly sound idea. The system need not be expensive, especially if it is not tasked for anything else. It can used as a tool to study behavior on a global scale, either over time or at a single event time with the cooperation of lots of whitehats. It can be used as cousin to the usual intrusion detection systems already in place or as a way for law enforcement to get a better handle on what is happening in general. Even though the basic idea is cheap and easy, the development process has added the usual layers of complexity, resulting even in a bit of competition among products. The complexity also demands some design work, policy creation, analysis and generally paying attention to the operation. 
Not only does one have to deal with all of this, but there may be legal ramifications, most notably, entrapment. While it appears that there is no legal hurdle to jump, it is always best to make sure. This requires becoming familiar with the issues and potential problems, at a minimum, then making a conscious decision about how to proceed. The drift of technology into social and legal arenas was inevitable and has been underway for years. Technical books need to address both technical topics and the social impact, which includes legal, economic, political, children, religious, and on and on. Fortunately, Spitzner has provided chapters that help. Issues are explained, relevant laws are quoted and important decision points are raised.

Among the layers of complexity are some interesting technical areas. The basic tenet is to have a system which gets broken into in order to observe the cracker. Easy enough, except how do you know when someone has breached the wall? That would be either watching the system all the time, which sounds impractical, or logging everything, which is fine, unless you want to know when someone has just shown up. Alerting features are clearly required. This means a bit more than just an email; things like reliability, proper content and the ability to prioritize are important considerations for a meaningful alert system. As necessary as alerts are, one must also think about data capture and analysis. One must figure out how to contain crackers once they are inside. There are jails (chroot) and cages (ManTrap) with somewhat different implementations of confinement. The question is: how much should the cracker be allowed to do? Risk will vary depending on what access the cracker has to services. Six different honeypots are reviewed in enough detail to help make decisions on how to proceed, ranging from commercial to OpenSource, from a limited set of features to full featured.

Honeypots is highly recommended reading for several reasons, not the least of which is that it comes from the horse's mouth. It covers a wide range of technical and social implication points. It is a valuable resource for an idea whose time has come. Now the blackhats have to be a bit more careful when poking around in someone else's backyard. Not only are the honeypots waiting, but their operation is becoming more sophisticated every day, due in some part to this book. We can all benefit by learning more about the blackhats and you may want to implement your own honeypot. Here is the resource.

____________________________________________________________________
Book Review By Robert Bruen
November 1, 2002
____________________________________________________________________

Fred Smith and Rebecca Bace. "A Guide to Forensic Testimony. The Art and Practice of Presenting Testimony as an Expert Technical Witness." Addison-Wesley 2003. ISBN 0-201-75279-4. LoC KF8961.S63 2003. 509 pages. $49.99. Index, two appendices.

As feared by many in the early days of computers, the legal system has discovered the Internet and the world of digital technology. The early cases are illustrated by security cases (Morris, Mitnick and LaMacchia), business problems (Lotus) and big cases (Microsoft). These cases were more the exception than the rule, but they were merely hints of what was to come. Today digital forensics are a fact of daily life. Now that business and commerce are almost completely dependent on digital technology for record keeping, communication, analysis, and so forth, the inevitable intrusion of the legal process has happened. This is not material for headlines, like the political process, but instead, is the standard procedure for handling disputes through the impartial third party: Our Legal System. This intrusion is not necessarily a bad thing, but in any case, it is here to stay.

If your corporate network has been compromised, perhaps resulting in the theft of a trade secret, then the legal system is your next stop. For the IT professional, this means several new experiences, most of which will be unpleasant. First, an evidence preservation team may swoop down and block your access to the machines you manage. Next, you may find yourself testifying in court. Yes, testifying in court. For most of the IT players, this is a new and terrifying experience. The world of lawyers and judges is very different from the comfortable world of SNMP, Apache and patching OS problems.

The explosion of computers in business and the almost standard operating procedure of seizing computers in any criminal investigation and arrest has created a need for IT experts to appear in court. Unfortunately, most IT folks are ill prepared for such an adventure, especially when one considers that often they are invited to participate in the proceedings, rather than appearing by choice (read subpoena). Lawyers are trained to intimidate, confuse and impeach the credibility of a witness. Juries and judges expect a level of expertise and courtroom demeanor that keyboard jocks are simply not used to. The involvement of IT professionals in the courtroom will explode in the same way that the Internet exploded across the planet, simply because business lives there. It is therefore a good idea for IT people to learn about that world before learning through experience. If you have been making presentations on a regular basis, that will help. If you have been able to explain how to reverse engineer a binary to your mother, that will also help. However, unless you also went to law school, I recommend strongly that you read this book.

Smith is a lawyer and Bace is already known in the security field. The book is written to explain what it takes to appear in court as an expert witness. There are already books on appearing as an expert witness, but not one for IT professionals like this one. The Guide is a wonderful marriage of the two worlds, delivered with a sense of humor, lots of examples and real testimony from the likes of Bill Gates. The analysis of his testimony is enlightening. Not only are his mistakes explained, but so are the legal maneuvers behind the questions.

This is a highly recommended book for security professionals and for most IT professionals. It deals with an area that most of us do not come in contact with very often, but being an expert witness is not a skill one develops overnight. It is not only better to be prepared in advance, but also to be helped by authors who have a clue about what we do. Keep in mind that your chances of being called in court go up every day. It could be as a witness, or perhaps as a defendant, just because you work with IT, and not because you have done anything wrong. Remember, these guys went to law school, not justice school. Be prepared.

____________________________________________________________________
Review of New Security Paradigms 2002 Workshop Papers
by Christina Serban and Hilary Hosmer
____________________________________________________________________

The New Security Paradigms Workshop (NSPW) offers researchers a safe, constructive environment to explore radical rather than evolutionary approaches to information assurance. This year's workshop took place at the Founders' Inn in Virginia Beach, VA from Sept. 23-26, 2002. Thirty-eight researchers participated, including Ph.D. students, faculty members, and information scientists. Most were from the USA, but participants came from Ireland, Switzerland, Japan, Russia/Israel, Czechoslovakia, Egypt, China, and India. Proceedings, which are published after the workshop, will be available from ACM and from the ACM Digital Library in 2003.

In NSPW's highly interactive environment, each author presents a new paradigm for 20 minutes, but with discussion the session usually lasts about an hour. This year there were many interesting new paradigms. Below we summarize each one briefly.

Session 1.
Intrusion Detection and Response

An Experimental System for Malicious Email Tracking
M. Bhattacharyya, M. Schultz, E. Eskin, S. Hershkop, S. Stolfo, Columbia U.

Commercial virus scanners find known viruses, but can't detect new ones. They also don't provide data about the propagation of viruses across the network to warn untouched users. Malicious Email Tracking (MET) limits propagation of malicious email attachments and tracks points of entry and initial distribution. This research proposes a MET server (trusted, central location) plus MET clients (at mail servers) to monitor the behavior of email attachments across all your mail domains, then detect and contain email-based attacks. Each email attachment entering the domain is assigned a unique identifier (MD5 hash / "signature"). The ID, timestamp, sender, and receiver are logged. Two key statistics are obtained for attachments:
1) Prevalence: number of times the attachment is observed by a MET client;
2) Birth rate: average number of copies sent from the same user.
Because rapidly self-replicating viruses have extremely high birth rates, an attachment with a very high birth rate is a potential self-propagating virus. In practice, the MET server collects data on malicious activity, stores them in a DB, and calculates derived stats. It also keeps a list of IDs for known malicious viruses, updates it, and propagates it to MET clients for automatic updates. The system can detect self-replicating viruses, even previously unknown ones, if the birth rate is > threshold t, sent to > u users. For emails over the threshold, blocking (discard or sideline) is used. Detection is done at MET clients with alerts to the MET server, which propagates to other MET clients. Future work includes IDs for polymorphic viruses, a mailbox "fingerprinting" tool, and early spam categorization based upon cliques of senders.

Predators: Good Will Mobile Codes Combat Against Computer Viruses
H. Toyoizumi and A. Kara

Just as white blood cells in animals replicate to attack invading organisms like viruses, bacteria, poisons, and foreign matter, in information technology good will mobile codes will self-replicate to attack invading malignant code (viruses, worms, etc.). The paper models the interactions between computer predators and viruses using the Lotka-Volterra equations widely used in mathematical biology. In nature predators are kept in check by the disappearance of their prey (food), but other techniques are needed to dampen the number of mobile code predators so they don't degrade the network.

An Empirical Analysis of NATE - Network Traffic Analysis of Anomalous Traffic Events
Carol Taylor and Jim Alves-Foss, University of Idaho, Moscow, Idaho

NATE was presented at NSPW 2001 as a low-cost approach to intrusion detection, detecting attacks from packet header information. It detects probes, scans, and DOS type attacks from normal traffic. Unlike most statistics-based anomaly-detection programs, NATE can self-configure, so it does not require the system administrator to know a system's normal parameters in order to configure the system. Because it only looks at headers, it can handle encrypted information. Anomaly-based detection allows it to pick up new attacks, unlike firewalls and filters whose rules can be by-passed. NATE can operate inside or outside a firewall, providing additional filtering capabilities and monitoring compromised machines inside the firewall.

Carol Taylor reported results this year from using NATE on a real operational non-academic data set from a small network with web, email, and firewalls. She found that the real data was much more variable than the constructed test data, and had to refine anomaly tests to eliminate large numbers of false negatives. She also had to include some of the constructed test data to cover possibilities not represented in the real data. She found that sampling by attribute distribution was a good alternative to sampling by TCP type, and that various measures of distance from the norm each had advantages and disadvantages. She recommends using a distance measure that captures relationships between TCP session attributes.

Ms. Taylor recommends more testing with NATE, to see if expanding the number of attributes, such as time since DOS attacks, results in better attack detection. She also recommends an actual prototype deployed on a high bandwidth network to assess real-time performance under actual working conditions. More testing with a wider range of attack and normal data needs to be done. False positives and negatives need to be researched.

Session 2: Large Systems

Small Worlds In Security Systems: An Analysis of the PGP Certificate Graph
Srdjan Capkun, Levente Buttyan, and Jean-Pierre Hubaux, Swiss Federal Institute of Technology Lausanne, Switzerland

The problem of securing fully self-organized mobile ad hoc networks motivates this work. Mobile ad hoc networks have no fixed infrastructure; all networking functions are performed by the nodes themselves in a self-organizing manner. Many of Milgram's small world phenomena apply, and PGP certificate graphs (directed graphs G(V,E) where V is a set of vertices representing users' public keys and E is a set of edges that represent public key certificates) are an inspiration. In a small world, the average number of acquaintance links between any two people is five or six. The equivalent of an acquaintance link in secure computing is a public key certificate. These are distributed among nodes based upon sociological relationships between users in the network, so small world principles apply. For example, to authenticate a public key, each user keeps a local certificate repository of certificates and processes them to develop a chain of trust. If the user's own certificates can't produce the chain of trust, the two users wishing to communicate can merge their certificates to get a chain of trust. Since existing small world models do not correctly model certificate graphs, the authors propose a new certificate graph model with irregular vertices and an irregular lattice. For future work, the authors propose to study in detail mechanisms by which trust is likely to emerge in fully self-organized systems.

Breaking the Barriers: High Performance Security for High Performance Computing
Kay Connelly, Indiana University and Andrew Chien, UC San Diego

High performance workstation clusters are insecure computing environments. The standard practice is to have no security beyond simple logins and access rights, so that nothing interferes with the performance of the search engine, the reservations system, or command and control system. All data is sent in plaintext, since encryption requires too much overhead. Attackers can (1) send remote procedure calls (RPC) to various components to change the execution of an application; (2) eavesdrop and attack when the system is in a vulnerable state. Security mechanisms for the HPC environment must have low overhead and protect data long enough to change state. The authors' approach includes streamlining the encryption process when data is put onto the wire, and precomputing during idle time to reduce communication latency. The authors define three metrics and describe an initial prototype.

From Privacy Promises to Privacy Management - A New Approach for Enforcing Privacy Throughout an Enterprise
Ashley, M. Schunter, Powers, IBM Research Labs, Switzerland

Privacy is the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. The paper's focus is on Personally Identifiable Info (PII) privacy as managed by a service provider.
Looking at OECD privacy principles and usage phases (Notice, Collection, Cataloguing, Control, Release, Recording, Response), there aren't any tools to address the phases beyond Notice and Collection throughout an enterprise. Most privacy policies are unimplemented throughout the enterprise. The proposed framework:
- Define enterprise privacy policy
- Deploy policy to IT systems containing PII
- Record user consent to advertised privacy policy when submitting PII
- Enforce privacy policy, create audit trail of access to PII
- Generate enterprise-wide and individualized reports of accesses to PII and conformance to governing privacy policy.

The privacy policy consists of:
Elements: data users, operations, data types, purposes, conditions.
Rules: ALLOW [data user] to perform [Operation] on [Data Type] for [Purpose] provided [Condition]. CARRY OUT [Obligation].

Deploy policy: Map data, users, tasks into policy elements.
Record consent: Record collected data plus PII info, timestamp of consent and applicable version of privacy policy.
Enforce policy, create audit trail of access: Can be real-time or near-time.
Report: Respond to individual inquiries as well as enterprise level inquiries (auditors, outside agencies).

Session 3: Mobile Code

Anomaly Intrusion Detection in Dynamic Execution Environments
Hajime Inoue and Stephanie Forrest, University of New Mexico

Products such as Java are based upon dynamic compilation, profiling, and optimization technologies. The potential exists to leverage their infrastructure for anomaly intrusion detection with extremely low performance penalties and customization to a specific application. The authors propose to automate the construction of an application intrusion detection system without modifying the application by profiling information already in place for dynamic optimization. They call this "dynamic sandboxing" and demonstrate the approach.

Empowering Mobile Code Using Expressive Security Policies
V.N. Venkatakrishnan, Ram Peri, R. Sekar, SUNY at Stony Brook

The authors aim to empower mobile code rather than disable it. Highly expressive security policies provide the basis for such empowerment while greatly mitigating the risks to the host system. Their implementation is based upon rewriting Java byte code so that security-relevant events are intercepted and forwarded to the enforcement automata before they are executed.

The Source is the Proof
Vivek Haldar, Christian Stork and Michael Franz, University of California, Irvine

There are two main approaches to mobile code security: byte code and proof-carrying code. The authors propose an alternative called WELL (Well-formed Encoding at the Language Level) which transports compressed abstract syntax trees, permitting transporting programs at a much higher level of abstraction that is closer to the source. The method provides safety by construction. Future work includes improving performance and exploring transporting other annotations.

Session 4: Usability

An Approach to Usable Security Based on Event Monitoring and Visualization
Paul Dourish and David Redmiles, University of California, Irvine

One cause of the disparity between theoretical and effective security is the extent to which users can comprehend and make effective use of security mechanisms. The authors' thesis is that a technical infrastructure which makes available security mechanisms visible will enable users to make informed decisions, thus rendering the system more secure. They propose a layered framework for visualizing and monitoring security mechanisms, events, and sources, using probes, gauges, and alarms.

Moving from the Design of Usable Security Techniques to the Design of Useful Applications
D.K. Smetters and R.E. Grinter, PARC

The usability of security technology may be one of the largest roadblocks standing in the way of increased computer security, and it is only going to get worse as security technology undergoes radical change. The authors approach the problem from a different perspective: if you put usability first, how much security can you get? The authors look at usable key management, authentication for ad hoc networks, and implicit security starting from usability. Three engineering approaches are: build in implicit security, refactor security infrastructure, build Lego Blocks for Security.

Session 5: Panel Discussion on Assurance in Critical Endeavors

Session 6: Securing Information

Capacity is the Wrong Paradigm
Ira Moskowitz, LiWu Chang, Richard Newman

Capacity is the prevailing paradigm for covert channels. With respect to steganography, however, capacity is the wrong paradigm. The authors propose a new paradigm called "capability" to gauge the effectiveness of a steganographic method. Capability includes payload carrying ability, detectability, and robustness components. JPEG compressed images always have the potential to carry hidden information.

Toward Achieving Acceptable Security in Secure Multi-party Computation
Wenliang Du, Syracuse University

Secure Multi-party Computations deal with situations where two (or more) parties want to jointly perform a computation but each wants to keep the data it provides hidden from the other parties. Approaches requiring zero-information disclosure fail. The author recommends an approach where partial information disclosure is acceptable.

Guarding the Next Internet Frontier: Countering Denial of Information Attacks
Mustaque Ahamad, Wenke Lee, Ling Liu, Leo Mark, Edward Omiecinski, Calton Pu and Andre dos Santos, Georgia Institute of Technology

This position paper introduces the Quality of Information (QoI) concept and the denial of information (DoI) attack. The many dimensions of QoI include: consistency, timeliness, reliability, trustworthiness, and density/richness of information. A denial of information attack inserts noise or bogus information degrading the quality of data, in either a massive or a gradual way.
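The MET prevalence and birth-rate statistics summarized under Session 1 above, as an added worked example (this is editor-written illustration code, not the Columbia authors' system and not from the Cipher issue): it parses constructed MET-client log records, computes the two statistics per MD5 attachment ID, applies the "birth rate > t, sent to > u users" rule together with the known-malicious ID list, and folds newly detected IDs into the list the server would push to other clients. The log format, the example.org addresses, the threshold values and all function names are assumptions.

```python
"""Attachment prevalence / birth-rate detection in the style of the MET
summary. Added example only; not the MET project's own code."""
import hashlib
from collections import defaultdict


def constructed_log():
    """Constructed MET-client log lines (not real traffic). Format assumed:
    timestamp,sender,receiver,<attachment bytes rendered as text>"""
    lines = []
    ts = 1037400000  # constructed epoch timestamp
    # A self-replicating attachment: three infected users each mail it to five recipients.
    for sender, first in (("alice", 1), ("bob", 6), ("carol", 11)):
        for i in range(first, first + 5):
            lines.append(f"{ts},{sender}@example.org,u{i}@example.org,WORM.scr")
            ts += 1
    # A benign document one user sends to two colleagues.
    lines.append(f"{ts},dave@example.org,u1@example.org,report.doc")
    lines.append(f"{ts + 1},dave@example.org,u2@example.org,report.doc")
    # A single copy of an attachment already on the known-malicious list.
    lines.append(f"{ts + 2},eve@example.org,u3@example.org,OLDVIRUS.exe")
    return lines


def attachment_id(payload: bytes) -> str:
    """MET identifies each attachment by its MD5 hash; used here purely as an
    identifier, as in the summary, not as an integrity check."""
    return hashlib.md5(payload).hexdigest()


def parse_log_line(line: str):
    ts, sender, receiver, payload = line.split(",", 3)
    return int(ts), sender, receiver, payload.encode()


def compute_stats(log_lines):
    """Per attachment ID: prevalence (copies seen by this client) and birth
    rate (average copies per sending user), plus sender and receiver sets."""
    events = defaultdict(list)
    for line in log_lines:
        ts, sender, receiver, payload = parse_log_line(line)
        events[attachment_id(payload)].append((ts, sender, receiver))
    stats = {}
    for aid, evs in events.items():
        per_sender = defaultdict(int)
        receivers = set()
        for _, sender, receiver in evs:
            per_sender[sender] += 1
            receivers.add(receiver)
        prevalence = len(evs)
        stats[aid] = {
            "prevalence": prevalence,
            "birth_rate": prevalence / len(per_sender),
            "senders": set(per_sender),
            "receivers": receivers,
        }
    return stats


def classify(stats, t, u, known_malicious=frozenset()):
    """Return {attachment_id: verdict}. t (birth rate) and u (distinct
    receivers) are the summary's thresholds; the values passed are assumed."""
    verdicts = {}
    for aid, s in stats.items():
        if aid in known_malicious:
            verdicts[aid] = "known-malicious"
        elif s["birth_rate"] > t and len(s["receivers"]) > u:
            verdicts[aid] = "self-replicating"
    return verdicts


def action_for(verdict):
    """Blocking policy (assumed): known IDs are discarded, suspected replicators sidelined."""
    return {"known-malicious": "discard", "self-replicating": "sideline"}.get(verdict, "deliver")


def propagate(known_malicious, verdicts):
    """Server side: add newly detected IDs to the list pushed to all MET clients."""
    new_ids = {aid for aid, v in verdicts.items() if v == "self-replicating"}
    return frozenset(known_malicious) | new_ids


def run_demo(t=3.0, u=4):
    known = frozenset({attachment_id(b"OLDVIRUS.exe")})  # constructed known-malicious list
    stats = compute_stats(constructed_log())
    verdicts = classify(stats, t, u, known)
    return stats, verdicts, propagate(known, verdicts)


if __name__ == "__main__":
    stats, verdicts, updated = run_demo()
    for aid, s in stats.items():
        print(aid[:8], s["prevalence"], round(s["birth_rate"], 2), action_for(verdicts.get(aid)))
```

Birth rate is computed here as total copies divided by the number of distinct sending users, which is one reading of "average number of copies sent from the same user"; a real deployment would also age out old events and tune t and u against the site's normal mailing-list traffic, since a legitimate mass mailing is the obvious false-positive case for this rule.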
ACM and ACM SIGSAC have sponsored the workshop since its start in 1992, and several organizations, including DOD, CERT, and James Madison University, provided financial support this year.

____________________________________________________________________
NewsBits
Announcements and correspondence from readers
____________________________________________________________________

October 24, 2002
Correspondence from Gene Spafford, CERIAS, Purdue University

In May of this year, CERIAS and Accenture convened a two-day roundtable of experts to discuss the causes, solutions, and nature of challenges to security in a world of wireless connectivity. The group included notables from academia, government, and industry who participated in a variety of facilitated discussions. The result of these deliberations was captured and reduced to a set of documents that are now available on-line. These reports are intended for policymakers, vendors, and end-users. Included is an executive summary, a full report, and a "best-practices" document for organizations considering deployment of wireless systems. Copies of the "Roadmap to a Safer Wireless World" documents may be downloaded from www.cerias.purdue.edu/securitytrends/.

____________________________________________________________________

November 10, 2002

The IEEE Computer Society has named George Cybenko as the first Editor in Chief of the new IEEE Security & Privacy Magazine for 2003-2004. George is the Dorothy and Walter Gramm Professor of Engineering in the Thayer School of Engineering at Dartmouth College. He brings to the project extensive leadership experiences with IEEE publications as well as a long history of achievements in computer security. Congratulations George!

IEEE Security & Privacy provides a unique combination of research articles, case studies, tutorials, and regular departments covering diverse aspects of information assurance such as legal and ethical issues, privacy concerns, tools to help secure information, analysis of vulnerabilities and attacks, trends and new developments, pedagogical and curricular issues in educating the next generation of security professionals, secure operating systems and applications, security issues in wireless networks, design and test strategies for secure and survivable systems, and cryptology. The magazine concept was developed by a Task Force which earlier this year published a supplement to IEEE Computer. That supplement and other details about Security & Privacy Magazine can be found at www.computer.org/security

____________________________________________________________________

November 4, 2002
Correspondence from Carl Landwehr:

Carl Landwehr would like to remind Cipher readers that the next deadline for proposals to NSF's continuing Trusted Computing program is coming up on Wednesday, December 4, 2002. A description of the research projects funded in the first year of the program (including related NSF CAREER and ITR awards), with pointers to proposal abstracts, can be found directly at:
www.cise.nsf.gov/fndg/pubs/display.cfm?pgm_pims_id=5158&pgm_supp_id=10091&loc=fndg_ops&pub_id=5370
or, alternatively, by visiting www.cise.nsf.gov and then selecting "funding opportunities" [then "Announcements and Solicitations"] and selecting "trusted computing". Carl encourages you to take a look at these pages and consider submitting a proposal this year.

____________________________________________________________________

This is surely old news by now, but between issues of Cipher, the President's Critical Infrastructure Protection Board released (on September 18, 2002) to the public the "National Strategy to Secure Cyberspace - Draft for Comment." The Strategy is posted on www.securecyberspace.gov for review. (The comment period closed November 18, 2002.) You can stay current on the latest news on the Homeland Security Department at www.whitehouse.gov/homeland/.

____________________________________________________________________
____________________________________________________________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

Information Security Group, Laboratories for Information Technology, Singapore
Postdoc/Associate Research Staff
Cryptography and Information Security
Contact email: baofeng@lit.org.sg

CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRIA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, critical software.
Applications begin immediately.
www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

Department of Computer Science, James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications from faculty who specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering, George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security, networking, data mining and software engineering. Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science, Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC. Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory. Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications. Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe postcard".
To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point of contact. For Calls for Papers, please submit a one-paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm.

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy

    Year(s)     Format     Price
    2001        Hardcopy   $25.00*
    2000        Hardcopy   $15.00*
    1999        Hardcopy   SOLD OUT
    1998        Hardcopy   $10.00*
    2000-2001   CD-ROM     $25.00*

    * Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy, to:

    Terry L. Hall
    Treasurer, IEEE Security and Privacy
    14522 Gravelle Lane
    Florissant, MO 63034
    USA

Please include the appropriate amount to cover shipping charges as noted in the table below.

    Domestic shipping:       $4.00 per order for 3 volumes or fewer
    Overseas surface mail:   $6.00 per order for 3 volumes or fewer
    Overseas air mail:       $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send e-mail to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, and method of shipping (surface or air for overseas orders), along with:

    * the name of the cardholder,
    * credit card number, and
    * the expiration date.

Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press: You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundations Workshop (CSFW14) took place June 2001 in Cape Breton, Nova Scotia. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each.
Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10. Checks payable to Joshua Guttman for CSFW may be sent to:

    Joshua Guttman, MS S119
    The MITRE Corporation
    202 Burlington Rd.
    Bedford, MA 01730-1420 USA
    guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
    Mike Reiter
    Carnegie Mellon University
    ECE Department
    Hamerschlag Hall, Room D208
    Pittsburgh, PA 15213 USA
    (412) 268-1318 (voice)
    reiter@cmu.edu

Past Chair:
    Thomas A. Berson
    Anagram Laboratories
    P.O. Box 791
    Palo Alto, CA 94301
    (650) 324-0100 (voice)
    berson@anagram.com

Vice Chair:
    Heather Hinton
    IBM Software Group - Tivoli
    11400 Burnett Road
    Austin, TX 78758
    (512) 436-1538 (voice)
    hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
    Cynthia Irvine
    U.S. Naval Postgraduate School
    Computer Science Department
    Code CS/IC
    Monterey, CA 93943-5118
    (408) 656-2461 (voice)
    irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
    David Aucsmith
    Intel Corporation
    EL233 JF2-74
    2111 N.E. 25th Ave
    Hillsboro, OR 97124
    (503) 264-5562 (voice)
    (503) 264-6225 (fax)
    awk@ibeam.intel.com

Chair, Subcommittee on Security Conferences:
    Jonathan Millen
    SRI International
    Computer Science Laboratory
    333 Ravenswood Ave.
    Menlo Park, CA 94025
    (650) 859-2358 (voice)
    (650) 859-2844 (fax)
    millen@csl.sri.com

Newsletter Editor:
    Jim Davis
    Department of Electrical and Computer Engineering
    2413 Coover Hall
    Iowa State University
    Ames, Iowa 50011
    (515) 294-0659 (voice)
    davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #51, November 16, 2002===========