Subject: Electronic CIPHER, Issue 57, November 15, 2003

==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 57                                   November 15, 2003

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* National Science Foundation cyber research announcement
* Conference and Workshop Announcements
* Commentary and Opinion
  o A note from the Book Editor
  o Robert Bruen's review of Fighting Malicious Code by Ed Skoudis
    with Lenny Zeltser
  o Robert Bruen's review of Secure Programming Cookbook for C and C++
    by John Viega and Matt Messier
  o Robert Bruen's review of Secure Coding. Principles and Practices
    by Mark Graff and Kenneth van Wyk
* News Items
  o What's up at the CERT Coordination Center
  o Changes at Purdue's CERIAS
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The theme of this Cipher issue is the security of software - writing it
securely, fighting the bad code.
That seems to be the main concern today, though spam email is probably
the computer topic that causes the most world-wide wrath. Robert Bruen
has three book reviews on these topics, and he invites new reviewers to
contribute.

This past week I attended the IETF meetings in Minneapolis, where
participants noted a significant milestone: the IP Security working
group held its last meeting. This effort to standardize the means of
securing IP packets, the lingua franca of the Internet, has been running
for about a decade. Its conclusion does not mark a high point in
Internet security, but it does show that in some cases, given enough
engineers, security *can* be retrofitted.

I also attended a meeting of DARPA's new IPTO organization and heard
about its focus on cognitive systems, including a new program aimed at
robust systems founded on cognitive immunity. The artificial
intelligence community seemed much amused by the analogy to the movie
"Groundhog Day", and several speakers referred to this phenomenon of
having to go back and repeat their examination of old concepts, trying
to make them work in a world with greater computing power and a finer
sense of what problems are much harder than they seemed 30 years ago. I
kept thinking that to work in the computer security arena is to accept
Groundhog Day as a permanent state of mind.

As always, I am grateful to our Cipher contributors, but would like to
be grateful to more of you. If you attend a conference, a workshop, or
other security-related meeting, think of writing up a review for Cipher.
If something in a publication seems noteworthy, send it in and I'll see
that others get to enjoy it, too.
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Research Announcements
====================================================================

News from the National Science Foundation, via Carl Landwehr:

NSF plans a new Cyber Trust theme announcement (late) this fall. This
announcement will encompass a broad range of activities relating to
trustworthy computing and communications and will subsume some existing
programs, including Trusted Computing, Communications Network Security,
and Data and Applications Security. The Cyber Trust announcement is
currently under internal review within NSF. Although the release date
is uncertain, it will probably be out within the next month. Deadlines
for proposals will be at least 90 days after the announcement is
officially released, probably placing them in late January or early
February.

To receive information relating to this announcement, you may sign up
for the Cyber Trust Announce mailing list by sending a blank email
message to:

  join-cyber-trust-announce@lists.nsf.gov

No subject or message body is necessary.
Also for slides from the Cyber Trust PI meeting held August, 2003, see
http://www.jhuisi.jhu.edu/institute/cybertrust.html
(scroll down to "Meeting Follow-up Postings")

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://vulcan.ee.iastate.edu/~cipher/cfp.html

The Cipher event Calendar is at
http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

o Upcoming calls-for-papers and events (for more information on these
  conferences, please see the Cipher Hypercalendar at
  http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html )

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

11/14/03: World Wide Web (WWW), New York City, NY; Submissions are due;
          www2004-pc-chairs@cs.wpi.edu, http://www2004.org/
11/15/03: Radio Frequency Identifiers (RFID), Privacy, MIT, Cambridge, MA
          http://www.rfidprivacy.org
11/16/03-11/19/03: Grand Challenges in Security, Warrenton, Virginia;
          http://www.cra.org/grand.challenges/
11/19/03: Privacy Preserving Data Mining (PPDM), Melbourne, FL
          http://www.cis.syr.edu/~wedu/ppdm2003/
11/19/03: Data Mining for Computer Security (DMSEC), Melbourne, Florida,
          http://www.cs.fit.edu/~pkc/dmsec03/
12/ 1/03-12/ 5/03: Communications Security Symposium (CSS) (inaugural
          meeting), San Francisco, CA; http://www.globecom2003.com/CFP1.html
12/ 6/03: Workshop on Information Assurance (IAWS), Phoenix, Arizona;
          Submissions are due; dtipper@mail.sis.pitt.edu
          http://www.tele.pitt.edu/~sais/iaws04
12/ 8/03-12/12/03: 19th Annual Computer Security Applications Conference
          (ACSAC), Las Vegas, Nevada http://www.acsac.org
12/ 8/03-12/10/03: Workshop on Security of Information Technologies
          (WSTI), Algiers, http://etudiant.epita.fr:8000/~wsti03/en/home.htm
12/10/03-12/12/03: Session on Architectures and Languages for Digital
          Rights Management and Access Control at Communication Systems and
          Networks, New York City, NY
          http://www.iasted.com/conferences/2003/NewYork/cnis-specsess1.htm
12/10/03: Dependable Computing and Communications Symposium (DCCS),
          Florence, Italy; Submissions are due; mootaz@us.ibm.com
          http://www.dsn.org
12/ 8/03-12/12/03: Special session at the Congress on Evolutionary
          Computation (CEC), Canberra, Australia;
          http://tracer.uc3m.es/CFP-SS-CEC2003.html
12/12/03: Information Hiding Workshop (IH), Toronto, Canada; Submissions
          are due, Jessica Fridrich, Mike Reiter
          http://msrcmt.research.microsoft.com/IH2004/CallForPapers.aspx
12/15/03: Symposium On Access Control Models And Technologies (SACMAT),
          Yorktown Heights, NY; submissions are due http://www.www.sacmat.org
12/15/03: Workshop on Issues in the Theory of Security (WITS), Barcelona,
          Spain, submissions are due,
          http://www.dsi.unive.it/IFIPWG1_7/wits2004.html
12/16/03: USENIX 2004, Boston, Massachusetts; Submissions are due;
          conference@usenix.org http://www.usenix.org/events/usenix04/
12/19/03: Policy 2004 5th IEEE International Workshop on Policies for
          Distributed Systems and Networks, IBM Thomas J Watson Research
          Center, Yorktown Heights, NY, USA http://www.policy-workshop.org/2004
 1/ 5/04: Special Issue of Computer Magazine, High-Speed Internet
          Security; Submissions are due; sshim@email.sjsu.edu
          http://www.computer.org/computer
 1/ 5/03- 1/ 8/03: Security and Survivability of Networked Systems (in
          conjunction with HICSS-37), Big Island, Hawaii, USA, January 5-8,
          2004, http://www.cs.uidaho.edu/~krings/HICSS37.htm
 1/11/04: Applied Cryptography and Network Security (ACNS), Yellow
          Mountain, China; submissions are due
          http://www.rsasecurity.com/rsalabs/staff/bios/mjakobsson/acns.htm
 1/25/04: USENIX Security, San Diego, California; Submissions are due;
          conference@usenix.org http://www.usenix.org/events/sec04/
 1/26/04: Conference on Web Services (ICWS), San Diego, California;
          Submissions are due; jain@uwm.edu
          http://conferences.computer.org/icws/2004
 1/27/04: 17th Computer Security Foundations Workshop (CSFW), Pacific
          Grove, CA; Submissions are due; focardi@dsi.unive.it
          http://www.csl.sri.com/csfw/index.html
 1/30/04- 1/31/04: A Multiple View of Individual Privacy in a Networked
          World (WHOLES), Stockholm, Sweden;
          http://www.sics.se/privacy/wholes2004
 1/30/04: ACM Special Interest Group on Communications (SIGCOMM),
          Portland, Oregon; Submissions are due; yavatkar@intel.com
          http://www.acm.org/sigcomm/sigcomm2004
 1/31/04: Detection of Intrusions and Malware and Vulnerability
          Assessment (DIMVA), Dortmund, Germany; submissions are due
          http://www.gi-fg-sidar.de/dimva2004

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

New Announcements (since Cipher Issue 56):

IAWS 2004
Workshop on Information Assurance (in conjunction with IPCCC), Phoenix,
Arizona, USA, April 14-17, 2004. (Submission deadline: December 6, 2003)

We seek papers that address theoretical, experimental, systems-related
and work-in-progress in the area of Information Assurance at the network
and system levels. We expect to have three types of sessions - the first
related to survivability and fault tolerance, the second related to
security, and the third related to the interactions between security and
survivability. Papers in the form of extended abstracts should describe
original, previously unpublished work, not currently under review by
another conference, workshop, or journal.
Topics of interest include:
- Security and availability of web services
- Authorization and access-control
- Database and system security
- Risk analysis and security management
- Verification and validation of security
- Wireless LAN Security
- Restoration techniques for networks
- Multi-layer protection design
- Reliability of IP networks
- Digital Rights Management
- DoS protection for the Internet
- Cryptographic protocols and Key management
- Network security and Intrusion detection
- Ad hoc and sensor network security
- Models and architectures for systems security and survivability
- Security and survivability in optical networks
- Restoration of security services under failure
- Security and survivability architectures for e-commerce and m-commerce
- Public policy issues for security and survivability

More information can be found at www.tele.pitt.edu/~sais/iaws04.

IH2004
6th Information Hiding Workshop, Toronto, Ontario, Canada, May 23-25,
2004. (Submission deadline: December 12, 2003). [posted here 11/1/03]

Many researchers are interested in hiding information or, conversely,
in preventing others from doing so or detecting and extracting the
hidden data. Although the protection of digital intellectual property
has recently motivated most of the research in this area, there are
many other applications of increasing interest to both the academic and
business communities. Current research themes include:
- anonymous communications,
- covert channels in computer systems,
- detection of hidden information (steganalysis),
- digital elections,
- digital forensics,
- information hiding aspects of privacy,
- low-probability-of-intercept communications,
- steganography,
- subliminal channels in cryptographic protocols,
- watermarking for protection of intellectual property,
- other applications of watermarking.
More information can be found at
http://msrcmt.research.microsoft.com/IH2004/CallForPapers.aspx

SACMAT'04
The 9th ACM Symposium on Access Control Models and Technologies, IBM
Thomas J Watson Research Center, Yorktown Heights, NY, USA, June 2-4,
2004. (Submission deadline: December 15, 2003).

The missions of the symposium are to share novel access control
solutions that fulfill the needs of heterogeneous applications and
environments and to identify new directions for future research and
development. Industry reports are a unique opportunity for
practitioners to provide feedback on the state of the practice in
access control models, architectures, technologies, and systems to the
research community. The SACMAT steering committee invites practicing
researchers, security consultants, security officers and architects,
security managers, and end user representatives to share their
experience on implementing and using access control solutions in the
real world with the researchers in the field.

Topics of interest include:
- Access control requirements
- Access control within the context of emerging standards
- Access control models and extensions
- Access control for innovative applications
- Methodologies and tools for access control policy design
- Administration of access policies
- Authorization management
- Access control mechanisms, systems and tools
- Access control in distributed and mobile systems
- Safety analysis and enforcement
- Theoretical foundations for access control models

More information can be found at www.sacmat.org.

WITS'04
Workshop on Issues in the Theory of Security, Barcelona, Spain, April
3-4, 2004 (submissions due December 15, 2003).
WITS is the official workshop organised by the IFIP WG 1.7 on
"Theoretical Foundations of Security Analysis and Design", established
to promote the investigation of the theoretical foundations of security,
discovering and promoting new areas of application of theoretical
techniques in computer security and supporting the systematic use of
formal techniques in the development of security-related applications.
Extended abstracts of work (accepted after selection and) presented at
the Workshop are collected and distributed to the participants. There
will be no formally published proceedings; however, selected papers will
be invited for submission to a special issue of the Journal of Computer
Security.

Suggested submission topics include:
- formal definition and verification of the various aspects of
  security: confidentiality, privacy, integrity, authentication and
  availability
- new theoretically-based techniques for the formal analysis and design
  of cryptographic protocols and their manifold applications (e.g.,
  electronic commerce)
- information flow modelling and its application to the theory of
  confidentiality policies, composition of systems, and covert channel
  analysis
- formal techniques for the analysis and verification of code security,
  including mobile code security
- formal analysis and design for prevention of denial of service
- security in real-time/probabilistic systems
- language-based security

More information about the workshop can be found at
http://www.dsi.unive.it/IFIPWG1_7/wits2004.html

Policy 2004
5th IEEE International Workshop on Policies for Distributed Systems and
Networks, IBM Thomas J Watson Research Center, Yorktown Heights, NY,
USA, June 7-9, 2004. (Submission deadline: December 19, 2003).

The policy workshop aims to bring together researchers and
practitioners working on policy-based systems across a wide range of
application areas including policy-based networking, security
management, storage area networking, and enterprise systems.
POLICY 2004 invites contributions on all aspects of policy-based
computing. A detailed list of topics of interest can be found on the
workshop web page at www.policy-workshop.org/2004.

ICWS 2004
IEEE International Conference on Web Services, San Diego, California,
USA, July 6-9, 2004. (submissions due February 2, 2004)

ICWS is a forum for researchers and industry practitioners to exchange
information regarding advancements in state-of-the-art research and
practice of Web Services, to identify emerging research topics, and to
define the future directions of Web Services computing. ICWS 2004 has
special interest in papers that contribute to the convergence of Web
Services, Grid Computing, e-Business and Autonomic Computing, or those
that apply techniques from one area to another. A complete list of
topics of interest (which includes Trust, Security and Privacy in Web
Services) can be found at http://conferences.computer.org/icws/2004/.

IFIP WG 11.3
18th Annual IFIP WG 11.3 Working Conference on Data and Application
Security, Sitges, Spain, July 25-28, 2004. (submissions due February
15, 2004)

The conference provides a forum for presenting original unpublished
research results, practical experiences, and innovative ideas in data
and applications security. Papers and panel proposals are solicited.
The conference is limited to about forty participants so that ample
time for discussion and interaction may occur.
Papers may present theory, technique, applications, or practical
experience on topics of interest of IFIP WG11.3:
- Techniques and methodologies for data and application security
- Threats, vulnerabilities, and risk management
- Web application security
- Secure Semantic Web technologies and applications
- Privacy
- Secure information integration
- Security planning and administration
- Security assessment methodologies
- Access Control
- Integrity maintenance
- Knowledge discovery and privacy
- Cryptography
- Concurrency control
- Sensor information management
- Fault-tolerance/recovery methods
- Organizational security
- Security tradeoffs

Additional topics of interest include but are not limited to: Critical
Infrastructure Protection, Cyber Terrorism, Information Warfare,
Intrusion Protection, Damage assessment and repair, Database Forensics,
and Electronic Commerce Security.

More information can be found at
http://seclab.dti.unimi.it/~ifip113/2004/.

====================================================================
News Briefs
====================================================================

What's Up at the CERT Coordination Center

The director of the CERT Coordination Center, Richard D. Pethia, gave
testimony on September 10, 2003 to the House Committee on Government
Reform Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census regarding viruses and worms.
In particular, he discusses such threats as Code Red, Slammer, and
Blaster, and what we need to do about them. The full testimony can be
found at:
http://www.cert.org/congressional_testimony/Pethia-Testimony-9-10-2003/

The CERT Coordination Center is an active participant in the Center for
Communications Security (C3S), a multi-disciplinary research program at
Carnegie Mellon University that was started a year ago.
For more info on the research efforts, see http://www.ece.cmu.edu/c3s/

------------------------------------------------------------------------

From Eugene Spafford:

Eugene Spafford was promoted to the position of Executive Director of
CERIAS at Purdue University. This was in recognition of his expanded
role regarding both research and policy work, both at Purdue and in
Washington. Along with his service on several advisory committees,
including the PITAC, Spaf is currently serving as a Senior Advisor at
NSF on issues of Cyber Trust.

Elisa Bertino will be joining the Computer Science faculty at Purdue
University as a full professor, effective January 5, 2004. Along with
this position she will also fill the newly-created position of Director
of Research for CERIAS.

----------------------------------------------------------------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
The Book Review Editor Speaks
____________________________________________________________________

Since 1996, my approach to Cipher book reviews has been to look at as
many books as I can, reviewing the three best I have when it comes time
to publish. It is a personal choice that I do not review books that I
do not think are up to snuff. This does not mean that bad books should
not be reviewed. They should, even if it is just to warn readers. Cipher
welcomes other reviewers to contribute reviews and comments. In this
issue three excellent books on code (secure and malware) are reviewed.
Understanding secure coding and malicious code together will go a long
way towards securing software.

Bob Bruen, Cipher Book Review Editor

____________________________________________________________________
Book Review By Robert Bruen
November 8, 2003
____________________________________________________________________

Fighting Malicious Code
by Ed Skoudis with Lenny Zeltser
Prentice Hall 2003.
ISBN 0131014056
647 pages, index

Malicious code - we all know what it is, right? It is that code that
does bad things and causes us all so much consternation. It is viruses
and worms and rootkits. It is the stuff the antivirus community wants
to fight against, but does not really understand. Thank the stars for
Ed Skoudis. Malware Understood and Explained in Depth would have been a
fine title for this book.

In spite of what some people believe, no one will be successful
fighting against malware without understanding what it is and how it is
constructed. Moreover, no one gets to be an Uber Haxor without serious
skills. The attacks and defenses in the digital battlefield are
dependent on expertise. Being smart is a major asset, but knowing how
the target is constructed is the starting point. Understanding how to
attack the construction is where the knowledge comes in. Creating the
attack is the plane of expertise. Without a proper understanding of how
attacks are put together, it is really difficult to defend the target.
The scenario is something akin to some tribe with bows and arrows
meeting an attacker with cannons and rifles. The best you can do is run
for cover because you do not understand how it all works.

The time has come for as many as possible to acquire an in-depth
understanding of the weapons used in the digital war. The creators of
the attacks certainly do. Obviously many of those who use the tools are
clueless, but that is not all that important. Digital weapons need to
be studied and understood. Skoudis, as with his earlier books, has
provided an excellent source.
One possible measure of the book might be the hue and cry that springs
up from certain sectors of the security world. This book covers user
mode rootkits and kernels from both Linux and Windows, down to a
particular address where an attacker can take over memory, among other
things. Linux kernel modules and interesting potential BIOS attacks are
explained clearly.

One characteristic of a book by Skoudis is the research that goes into
his writing. Each chapter has a useful list of references. For example,
one reference describes how to go about remote installations of Windows
VNC servers.

One of my favorite chapters is the step-by-step instructions on malware
analysis. Whether you are a defender or attacker, this is a helpful
chapter. The instructions start with equipment, costs, and rationale. A
checklist that spans several pages is invaluable, as is the description
of the process of analyzing malware code and operation.

This is one of those highly recommended, must-have books of this year.
Not only is the information contained in the book valuable, but the
explanations are superb. Not a page is wasted.

____________________________________________________________________
Book Review By Robert Bruen
November 8, 2003
____________________________________________________________________

Secure Programming Cookbook for C and C++
by John Viega and Matt Messier
O'Reilly, 2003.
ISBN 0-596-00394-3.
762 pages

Writing secure code is hard, even if you are allowed to do it while
working on that project. Viega has already contributed an excellent
book on secure coding ("Building Secure Software", Addison-Wesley
2002), but there is nothing like a cookbook full of good examples. The
chapters are generally organized with a problem statement, discussion
of salient points and a code recipe to deal with the problem. The
recipes can be used to help your code by using them directly. They can
be used as a model on how to go about coding for the problem stated or
a similar problem.
Best of all, they can be used to learn how it is done, coming from guys
who know how it is done, because the reasons and the explanations are
so good.

In the earliest days of programming (i.e. banks and COBOL), input
validation was a standard part of programming courses and practice.
Somehow, that concept was lost, with the expected consequences as
demonstrated over the past decade. Sending malformed requests to web
servers is a common practice, for example. The authors have brought
back input validation in one of the chapters. The authors say that most
of the book is really about preventing malicious input in one way or
another. The principles are simple: do not trust any input, period;
reject rather than filter; validate a lot at each level. In general,
you follow firewall principles such as deny (reject) everything, then
allow only specific input based on some reason.

All programmers are aware that C has a few features that are inherently
insecure, such as library functions and a lack of checking by the
language itself. The buffer overflow problem is a well known, pervasive
problem which has been around for quite a while. One would think that
these days anyone writing code would pay attention, but one would be
wrong. I choose to believe that the real source of the continuing
problem is that some programmers just do not understand enough about
how to avoid it. This book is where those few programmers can get help.

Cross-site scripting problems seem to appear almost daily with some web
app or another. One would expect that, like buffer overflows, there
should be fewer of them because of the publicity of XSS. Again, the
problem continues anew. There is a good technical description of how it
happens and some good pointers about how to prevent it. SQL injection
and the problems of environment variables are addressed in the same,
well thought out, manner.

Much of the book deals with encryption issues such as random numbers,
public keys, and authentication.
There are separate chapters on symmetric encryption fundamentals and one
on more advanced topics. The networking chapter covers SSL, Kerberos,
sockets and other connections. There does not seem to be anything that
was overlooked, but I will keep trying to find it.

One especially interesting chapter looks at the problem of software
protection. It is a timely topic as vendors look for software solutions
to protect copyrighted materials and lock-outs from playing CDs and
DVDs. Reverse engineering will probably always win out, but at least
analyzing the various approaches is a good exercise. This is one of the
few places assembly language shows up, just to highlight how technical
the book is.

Assuming a fair amount of knowledge, the Secure Code Cookbook is aimed
at the programmer to provide help where it counts: in writing code.
This is a highly recommended book for those writing code, but anyone
who wants to truly understand what secure code is about would benefit
by reading it.

____________________________________________________________________
Book Review By Robert Bruen
November 8, 2003
____________________________________________________________________

Secure Coding. Principles and Practices
by Mark Graff and Kenneth van Wyk
O'Reilly, 2003.
ISBN 0-596-00242-4.
Index, one appendix, 202 pages. $29.95.

This is a surprisingly short book, especially given the propensity of
publishers to put out books of 800 pages without hesitation. Do not be
fooled by the size. The book is packed with ideas and suggestions to
improve the design of secure code. There is no code in the book, one of
the reasons for the size. Instead the focus is on thinking before you
start coding, something that should be standard procedure. Unlike the
cookbook approach, the authors are up a level or two looking at the
software development process itself. They break it down into initial
architecture, design, coding and operation -- what is called the
waterfall development methodology.
The context is important because the process methodology can be a help
or hindrance when trying to produce a software application or system.
Any general software development methodology will have stages
equivalent to requirements, design, code and test. What the authors add
to the mix is what should happen at the various stages to keep the
final product secure. We often hear the mantra that security can not be
retrofitted, so here is how it should be fitted in the first place.

While the book does not include vulnerabilities per se, there are
examples of past vulnerabilities to clarify the consequences of not
following security principles at each stage. This is a case of a small
item becoming a huge problem later on. One example used is a mouse
driver bug. The mouse driver, like any driver, needs privileges, in
this case to move the mouse around the display screen. The author was
focused on making it work -- after all, it was just the mouse.
Malicious code was written to overflow the numbers which kept track of
the position. Oops.

The authors have determined that rapid prototyping is not a good idea
for production systems. Instead, real engineering is required. If you
do not understand this, reading the book will be helpful. They also
deal with the problem of existing applications that perhaps cannot be
rewritten or fixed easily. The idea of using wrappers is not new, but
it is one of the many suggestions offered throughout the book to
improve operations. Wrappers, in general, filter input and access to
existing code to prevent insecure code from being attacked. The code
for one wrapper is one of the few code examples in the book.

Asking questions at the various stages is a key activity when systems
of any kind are under development. This seems to be a lost art these
days. Sometimes questions are few or not asked at all, and sometimes
the right questions are not asked. Throughout the book, lists of
questions are offered to assist at each phase.
While security is not achieved through a checklist, such a list should
be an integral part of the development process. Any pilot I know uses a
checklist before flying a plane. The list does not fly the plane, but
its value is obvious.

The book is an easy and quick read. It was not intended as a deep level
technical text. It does provide a number of real world examples that
are enlightening and entertaining. The number of books available on
secure coding is a small, but growing list. Thankfully, most are
worthwhile, even if there are a few flaws here and there. "Secure
Coding Principles and Practices" is a welcome addition to the
collection. Definitely recommended reading.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

Nothing new.

The Reader's Guide from Past issues of Cipher is archived at
http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Athens University of Economics and Business
Department of Informatics
Athens, Greece
Lecturer/Assistant Professor (tenure track) in Network and Computer
Security
Application deadline (postal stamp date): November 17, 2003
http://www.cs.aueb.gr/cs_sivut/cs_english/ (look under
News-Announcements)

The George Washington University
Washington, DC
Assistant Professor (not tenure track)
Open until position filled
http://www.cs.gwu.edu/prospective/faculty2/position2.html

Gjovik University College
Norway
Professor/Associate Professor in Information Security
Two permanent positions (professor/associate professor)
http://nislab.hig.no/People/Jobs/

Mississippi State Univ
Department of Computer Science and Engineering
Starkville, MS
Tenure Track (Assistant/Associate Professor)
Open until filled
http://www.cse.msstate.edu

These openings are listed on the page:
http://cisr.nps.navy.mil/jobscipher.html

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

Nothing new.

"Reports Available" links from previous issues of Cipher are archived
at http://www.ieee-security.org/Cipher/NewReports.html and
http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Recent Address Changes
====================================================================

Rick Smith
Assistant Professor
University of St. Thomas
Dept. of Qualitative Methods and Computer Science
2115 Summit Avenue, Mail OSS 402
St. Paul, MN 55105-1079
rick @ cryptosmith.com
http://www.cryptosmith.com/
phone: 651-962-5395
----------------------------------------------------------------------
Charlie Kaufman, Microsoft, ckaufman @ microsoft.com
----------------------------------------------------------------------
William Bushby, william130.4bushby32 @ ntlworld.com
----------------------------------------------------------------------
Terry Benzel
Assistant Director of Special Projects
USC Information Sciences Institute
4676 Admiralty Way Suite 1001
Marina del Rey, CA 90292
tbenzel @ isi.edu
(310) 448-9438
----------------------------------------------------------------------

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
_______________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy ________________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line for at IEEE at http://www.computer.org/TCsignup/index.htm _____________________________________________________________ TC Publications for Sale _____________________________________________________________ IEEE CS Press Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop. ________________________________________________________________________ TC Officer Roster ________________________________________________________________________ Chair: Past Chair: Mike Reiter Thomas A. Berson Carnegie Mellon University Anagram Laboratories ECE Department P.O. Box 791 Hamerschlag Hall, Room D208 Palo Alto, CA 94301 Pittsburgh, PA 15213 USA (650) 324-0100 (voice) (412) 268-1318 (voice) berson@anagram.com reiter@cmu.edu Vice Chair: Chair,Subcommittee on Academic Affairs: Heather Hinton Cynthia Irvine IBM Software Group - Tivoli U.S. Naval Postgraduate School 11400 Burnett Road Computer Science Department Austin, TX 78758 Code CS/IC (512)436 1538 (voice) Monterey CA 93943-5118 hhinton@us.ibm.com (408) 656-2461 (voice) irvine@cs.nps.navy.mil Chair, Subcommittee on Standards: Chair,Subcomm.on Security Conferences: David Aucsmith Jonathan Millen Intel Corporation SRI International EL233 JF2-74 Computer Science Laboratory 2111 N.E. 25th Ave 333 Ravenswood Ave. Hillsboro OR 97124 Menlo Park, CA 94025 (503) 264-5562 (voice) (650) 859-2358 (voice) (503) 264-6225 (fax) (650) 859-2844 (fax) awk@ibeam.intel.com millen@csl.sri.com Newsletter Editor: Hilarie Orman Purple Streak, Inc. 500 S. Maple Dr. 
Salem, UT 84653 (801) 423-1052 (voice) cipher-editor @ ieee-security.org ________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html