==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 60                                        May 18, 2004

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
  o Calendar of events
* Commentary and Opinion
  o Conference Report, Security and Privacy Symposium (Berkeley, California, May 10-12, 2004) by Hilarie Orman
  o Robert Bruen's review of The Shellcoder's Handbook. Discovering and Exploiting Security Holes by Koziol, Jack, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta and Riley Hassell
  o Robert Bruen's review of Network Security Assessment by McNab, Chris
  o Robert Bruen's review of Defend IT. Security by Example by Gupta, Ajay and Scott Laliberte
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* News Items
  o IETF Revises Extensible Authentication Protocol, by Jari Arkko and Russ Housley
  o Task force releases security recommendations, from Infoworld
  o Microsoft Shelves NGSCB Project As NX Moves To Center Stage, from CRN
  o Microsoft: 'Palladium' Is Still Alive and Kicking, from EWeek
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The IEEE Security and Privacy Symposium was held this month, and it was a very successful meeting by all measures. Attendance was up, paper submissions were up, the weather was beautiful, and it was good to see so many faces, both familiar and new.

During one break at the conference I described my experience in perusing the website of a software vendor whose software vulnerability to a worm was the subject of several recent news stories (these seem timed to coincide with Cipher issues, just so I will have something to mention in the editor's letter). After spending 30 minutes at the vendor's website, I was no wiser than when I started as to whether or not my machines might be susceptible and what the risks of applying the patch might be. Everyone I talked to said they applied the critical patches without question, having given up on understanding them several years ago. The gap between theory and practice inexorably widens.
In the March Cipher issue, which came out very shortly after the terrorist bombings in Spain, I offered condolences to our Spanish readers. I was reminded by another reader about how widespread the victims of terrorism are, and in the subsequent weeks, it seems that each day has brought a fresh reason for mourning. As security researchers we are united in our desire to protect computer systems, and I hope that through our work we also contribute to protecting lives.

We are at the height of conference season, and I hope some of you will take a few moments to enlighten us with impressions from the numerous workshops and conferences through the summer and fall. News reports from government and standards bodies and announcements of support for computer security research are also good material to contribute to Cipher. In this issue we have a report from two IETF members about revisions to the Extensible Authentication Protocol (EAP), and I hope to have more such reports in the future. I am grateful to all our contributors for helping to make Cipher relevant and timely.

May the worm be not with you,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

----------------------------------------------------------------------
Calls for Papers, Conferences, Workshops, and Journals

The complete Cipher Calls-for-Papers is located at
http://home.adelphi.edu/~spock/cipher/cfp.html

The Cipher event Calendar is at
http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
----------------------------------------------------------------------

DIMACS Workshop on Security Analysis of Protocols, Piscataway, NJ, USA, June 7-9, 2004. (submissions due ASAP, pre-register by May 20)

The analysis of cryptographic protocols is a fundamental and challenging area of network security research.
Traditionally, there have been two main approaches: the logic approach, aimed at developing (automated) tools for the formal verification of protocols, and the complexity theory approach, which characterizes protocol security as a set of computational tasks and proves protocol security via reduction to the strength of the underlying cryptographic functions. Although these two lines of work share a common goal, there has been little commonality between them. The goal of this workshop is to generally promote work on security analysis of protocols and foster cooperative research combining the logical and complexity-based approaches. The workshop will include tutorials on the basics of each approach and will allow representatives from both communities to talk about their current work.

Topics:
- Analysis methods involving computational complexity
- Game-theoretic approaches
- Methods based on logic and symbolic computation
- Probabilistic methods
- Model checking and symbolic search
- Formal proof systems
- Decision procedures and lower bounds
- Anything else that sounds like a great idea

Participation: The workshop will be open to the public. If you'd like to give a presentation, please send a title and abstract to the organizers as soon as possible. Also, we intend this to be a participatory and interactive meeting, so we hope you will be able to contribute to the meeting even without giving an announced talk.

For more information, see: http://dimacs.rutgers.edu/Workshops/Protocols

----------------------------------------------------------------------
VANET2004 First ACM Workshop on Vehicular Ad Hoc Networks (held in conjunction with ACM MobiCom 2004), Loews Philadelphia Hotel, Philadelphia, PA, USA, October 1, 2004. (submissions due 24 May 2004)

Creating high-performance, highly scalable, and secure VANET technologies presents an extraordinary challenge to the wireless research community. Yet, certain limitations commonly assumed in ad hoc networks are mitigated in VANET.
For example, VANET may marshal relatively large computational resources. Ample and recharging power sources can be assumed. Mobility patterns are constrained by road paths and driving speed restrictions. VANET represents high resource/performance wireless technology. As such, VANET can use significantly different approaches than sensor networks. VANET applications will include on-board active safety systems leveraging vehicle-vehicle or roadside-vehicle networking. These systems may assist drivers in avoiding collisions. Non-safety applications include real-time traffic congestion and routing information, high-speed tolling, mobile infotainment, and many others. We invite papers from researchers on all aspects of vehicular ad hoc networks, such as new applications, networking protocols, security paradigms, network management technologies, power control, modulation, coding, channel modeling, etc. The session will bring together visionary researchers for an exciting exchange of ideas.

For more info, please see: http://www.path.berkeley.edu/vanet/

----------------------------------------------------------------------
SecCo2004 2nd International Workshop on Security Issues in Coordination Models, Languages and Systems, London, United Kingdom, August 30, 2004. (submissions due 31 May 2004)

Coordination models, languages and middlewares, which advocate a distinct separation between the internal behaviour of the entities and their interaction, represent a promising approach. However, due to the openness of these systems, new critical aspects come into play, such as the need to deal with malicious components or with a hostile environment. Current research on network security issues (e.g. secrecy, authentication, etc.) usually focuses on opening cryptographic point-to-point tunnels. Therefore, the proposed solutions in this area are not always exploitable to support the end-to-end secure interaction between entities whose availability or location is not known beforehand.
Topics of interest include, but are not limited to, theoretical foundations, specification, analysis, case-studies and applications for:
- authentication
- integrity
- privacy
- confidentiality
- access control
- denial of service
- service availability
- safety aspects
- fault tolerance
in:
- coordination models
- web service technology
- mobile ad-hoc networks
- agent-based infrastructures
- peer-to-peer systems
- global computing
- context-aware computing
- component-based systems
- ubiquitous/pervasive computing

For more information, please see: http://cs.unibo.it/secco04

----------------------------------------------------------------------
PDCS 2004 International Workshop on Security in Parallel and Distributed Systems (in conjunction with the 17th International Conference on Parallel and Distributed Computing Systems), San Francisco, CA, USA, September 15-17, 2004. (submissions due May 31, 2004)

In recent years, interest has increased in the field of security of parallel and distributed systems, which includes control mechanisms, mobile code security, denial-of-service attacks, trust management, modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. We will focus our program on issues related to important properties of system security, such as measurability, sustainability, affordability, and usability in parallel and distributed systems.

Topics of interest include:
. Distributed Access Control and Trust Management
. Key Management and Authentication
. Privacy and Anonymity
. Benchmark and Security Analysis
. Security for Peer to Peer systems and Grid Computing Systems
. Secure Multicast and Broadcast
. Secure multiparty and two-party computations
. Computer and Network Forensics
. Denial-of-service Attacks and Countermeasures
. Secure E-Commerce/E-Business
. Security Verification
. Distributed Database Security
. Digital Rights Management
. Secure Mobile Agents and Mobile Code
. Intrusion detection
. Security in ad-hoc and sensor networks
. World Wide Web Security

More information can be found at the conference web site at http://securityworkshop.ece.iastate.edu

----------------------------------------------------------------------
VLDB2004 Workshop "Secure Data Management in a Connected World", Royal York Hotel, Toronto, Canada, August 30, 2004. (submissions due 31 May 2004)

The aim of the workshop is to bring together people from the security research community and the data management research community in order to exchange ideas on the secure management of data in the context of emerging networked services and applications. The workshop will provide a forum for discussing practical experiences and theoretical research efforts that can help in solving these critical problems in secure data management. Authors from both academia and industry are invited to submit papers presenting novel research on the topics of interest.

Topics of interest include (but are not limited to) the following:
- Data Hiding
- Secure Storage
- Secure Data Management in File Systems
- Digital Rights Management
- Data Encryption
- Search on Encrypted Data
- Metadata and Security
- XML Security
- Multimedia Security and Privacy
- Authorization and Access Control Techniques
- Security and Privacy Management
- Privacy Enhanced Data Management (indexing, access control)
- Private Information Retrieval
- User Profiling and Privacy
- Privacy Preserving Data Mining
- Statistical Database Security
- Security and Privacy Requirements for Ambient Applications
- Information Dissemination Control
- Protection of Personally Identifiable Information

For further info, please see http://www.extra.research.philips.com/sdm-workshop/

----------------------------------------------------------------------
June 2004

CT-RSA '05 RSA Conference 2005, Cryptographers' Track, February 14-18, 2005, San Francisco, CA, USA.
(submissions due 1 June 2004)

The RSA Conference is the largest regularly staged computer security event. The Cryptographers' Track (CT-RSA) is a research conference within the RSA Conference. CT-RSA 2005 will be the fifth year of the Cryptographers' Track, which has become an established venue for presenting practical research results related to cryptography and data security. Original research papers pertaining to all aspects of cryptography as well as tutorials are solicited. Submissions may present theory, techniques, applications and practical experience on topics including, but not limited to: fast implementations, secure electronic commerce, network security and intrusion detection, formal security models, comparison and assessment, tamper-resistance, certification and time-stamping, cryptographic data formats and standards, encryption and signature schemes, public-key infrastructure, protocols, elliptic-curve cryptography, cryptographic algorithm design and cryptanalysis, discrete logarithm and factorization techniques, lattice reduction, and provable security.

More information can be found at http://www.rsasecurity.com/rsalabs/node.asp?id=2015

----------------------------------------------------------------------
ACSAC 20 The 20th Annual Computer Security Applications Conference, Hilton Tucson El Conquistador, Tucson, AZ, USA, December 6-10, 2004. (submissions due 1 June 2004)

The 20th Annual Computer Security Applications Conference is an internationally recognized conference that provides a forum for experts in information system security to exchange practical ideas about solving real problems. Papers and proposals that address the application of technology, the implementation of systems, and lessons learned will be given special consideration.
The ACSAC Program Committee is looking for papers, panels, forums, case study presentations, tutorials, workshops, and works in progress that address practical solutions to problems related to protecting commercial enterprises or government information infrastructures. A list of topics of interest along with other conference information can be found at www.acsac.org.

----------------------------------------------------------------------
SCN'04 Fourth Conference on Security in Communication Networks, Amalfi, Italy, September 8-10, 2004. (submissions due 7 June 2004) [posted here 5/13/04]

The Fourth Conference on Security in Communication Networks (SCN '04) will be held in Amalfi (Italy) on September 8-10, 2004. SCN '04 aims at bringing together researchers in the field of security in communication networks to foster cooperation and exchange of ideas. Original papers on all technical aspects of cryptology and network security are solicited for submission to SCN04.

Topics of interest are (but not limited to):
- Anonymity
- Authentication
- Block Ciphers
- Complexity-based Cryptography
- Cryptanalysis
- Digital Signatures
- Hash Functions
- Identification
- Implementations
- Key Distribution
- Operating Systems Security
- Privacy
- Protocols
- Public Key Encryption
- Secret Sharing
- Survey and state of the art

For more information, please see http://www.dia.unisa.it/conferences/SCN04/

----------------------------------------------------------------------
HICSS2005 Security and Survivability of Networked Systems (minitrack at HICSS2005), Hawai'i, USA, January 3-6, 2005. (submissions due 15 June 2004)

Minitrack description: Malicious attacks on computing systems and networks have grown steadily over the last decade and have reached epidemic proportions. Despite much progress in security research, the numbers of reported vulnerabilities and incidents are increasing.
We are fully embracing computer and network technology in all aspects of our daily lives, and even to control our critical infrastructures, where failures could result in loss of life or have huge financial and environmental consequences. We need to increase our research efforts in this arena. This minitrack focuses on security and survivability in networked computer systems. Of special interest are contributions that address survival, tolerance, recovery or masking of malicious attacks. Submissions will be sought from researchers in the areas of system survivability, fault-tolerance and intrusion tolerance, software dependability, computer and network security, and economic or statistical modeling of secure/survivable systems.

Topics include, but are not limited to:
- System or software survivability
- Safety critical failure modes
- Network or system intrusion tolerance
- Modeling malicious behavior or attacks
- Survivability and security issues of mobile agent based systems
- Survivability and security issues of ad-hoc networks
- Mathematical models for verification of vulnerability to malicious acts
- Models for measurement/evaluation/validation of survivability
- Software and hardware fault tolerance
- Design for dependability and/or survivability
- PRA and hybrid fault models accounting for malicious acts

For more information see: http://www.cs.uidaho.edu/~krings/HICSS38.htm

----------------------------------------------------------------------
SAPS'04 Workshop on Specification and Automated Processing of Security Requirements, Linz, Austria, September 20-25, 2004. (submissions due 10 June 2004)

This workshop is being held as part of the 19th IEEE International Conference on Automated Software Engineering. The exchange of concepts, prototypes, research ideas, and other results which contribute to the academic arena and also benefit business and industrial communities is of particular interest.
Original papers are solicited for submission to the workshop related (but not limited) to the following topics of interest:
- Security requirements specification and analysis
- Formal semantics for security requirements
- Integration of security engineering into software engineering processes
- Automated tools supporting integrated security engineering and software engineering processes
- Security in programming languages
- Automatic tools for secure software development
- Automatic analysis/enforcement of security policies
- Definition and analysis of security-related semantic models
- Tools for formal analysis of security properties
- Specification, characterisation and integration of security components and patterns

For more information, please see: http://www.lcc.uma.es/SAPS04

----------------------------------------------------------------------
WISA 2004 The 5th International Workshop on Information Security Applications, Ramada Plaza, Jeju Island, Korea, August 23-25, 2004. (submissions due 25 June 2004)

The 5th International Workshop on Information Security Applications (WISA 2004) will be held in Jeju Island, Korea on August 23-25, 2004. It is sponsored by the Korea Institute of Information Security and Cryptology (KIISC), Electronics & Telecommunications Research Institute (ETRI), and Ministry of Information and Communication (MIC). The focus of this workshop is on all technical and practical aspects of cryptographic and non-cryptographic security applications. The workshop will serve as a forum for new results from the academic research community as well as from industry.

The areas of interest include, but are not limited to:
. Internet & Wireless Security
. Cyber Indication & Intrusion Detection
. E-Commerce Protocols
. Smart Cards & Secure Hardware
. Access Control & Database Security
. Mobile Security
. Biometrics & Human Interface
. Privacy & Anonymity
. Network Security Protocols
. Public Key Crypto Applications
. Security & Trust Management
. Threats & Information Warfare
. Digital Rights Management
. Virus Protection
. Secure Software & Systems
. Ubiquitous Computing Security
. Information Hiding
. Peer-to-Peer Security

More information can be found at http://dasan.sejong.ac.kr/~wisa04

----------------------------------------------------------------------
SASN2004 ACM Workshop on Security of Ad Hoc and Sensor Networks, Wyndham City Hotel, Washington, DC, October 25, 2004. (submissions due 2 July 2004)

This workshop seeks submissions from academia and industry presenting novel research on all aspects of security for ad hoc and sensor networks, as well as experimental studies of fielded systems. Submission of papers based on work-in-progress is encouraged.

Topics of interest include, but are not limited to, the following as they relate to wireless networks, mobile ad hoc networks, or sensor networks:
- Security under resource constraints, e.g., energy, bandwidth, memory, and computation constraints
- Performance and security tradeoffs
- Secure roaming across administrative domains
- Key management
- Cryptographic protocols
- Authentication and access control
- Trust establishment, negotiation, and management
- Intrusion detection and tolerance
- Secure location services
- Privacy and anonymity
- Secure routing
- Secure MAC protocols
- Denial of service
- Prevention of traffic analysis

For more info, see http://www.cs.gmu.edu/sasn

----------------------------------------------------------------------
NORDSEC2004 9th Nordic Workshop on Secure IT Systems, Espoo, Finland, November 4-5, 2004. (submissions due 2 August 2004)

The NORDSEC workshops started in 1996 with the aim of bringing together researchers and practitioners in computer security in the Nordic countries. The theme of the workshop has been applied security, i.e. all kinds of security issues that could encourage interchange and cooperation between the research community and the industrial/consumer community.
Possible topics include, but are not limited to the following:
- Privacy and Privacy Enhancing Technologies
- Wireless Communication Security
- Inter/Intra/Extranet Security
- Security Protocol Modeling and Analysis
- E- and M-Business Security
- New Firewall Technologies
- Secure Infrastructures; TTP, PKI, Key Escrow/Recovery
- Computer Crime and Information Warfare
- Detecting Attacks, Intrusions and Computer Misuse
- Smart Card Applications
- Security Management and Audit
- Security Evaluations and Measurements
- Security in Commercial off-the-shelf Products, COTS
- Operating System Security
- Security Models
- New Ideas and Paradigms for Security
- Security Education and Training
- Quality of Service or Software Engineering in Relation to Security

The workshop will consist of paper sessions, panel discussions and invited talks.

For a complete call for papers, see http://www.tml.hut.fi/Nordsec2004/call_for_papers.html

----------------------------------------------------------------------
FC'05 Ninth International Conference on Financial Cryptography and Data Security, Roseau, The Commonwealth Of Dominica, February 28-March 3, 2005. (submissions due 10 September 2004)

Financial Cryptography and Data Security (FC'05) is the premier international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We have augmented our conference title and expanded our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, user and operator interfaces, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass legal, financial, business and policy aspects.
Material both on theoretical (fundamental) aspects of securing systems and on secure applications and real-world deployments will be considered. Original papers and presentations on all aspects of financial and commerce security are invited. Submissions must have a visible bearing on financial and commerce security issues, but can be interdisciplinary in nature and need not be exclusively concerned with cryptography or security.

Possible topics for submission to the various sessions include, but are not limited to:
- Anonymity and Privacy
- Auctions
- Audit and Auditability
- Authentication and Identification, including Biometrics
- Certification and Authorization
- Commercial Cryptographic Applications
- Commercial Transactions and Contracts
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Digital Rights Management
- Financial Regulation and Reporting
- Fraud Detection
- Game Theoretic Approaches to Security
- Infrastructure Design
- Legal and Regulatory Issues
- Microfinance and Micropayments
- Monitoring, Management and Operations
- Reputation Systems
- RFID-Based and Contactless Payment Systems
- Risk Assessment and Management
- Secure Banking
- Secure Financial Web Services
- Securing Emerging Computational Paradigms
- Security and Risk Perceptions and Judgments
- Security Economics
- Smart Cards and Secure Tokens
- Trust Management
- Trustability and Trustworthiness
- Underground-Market Economics
- Usability and Acceptance of Security Systems
- User and Operator Interfaces

For more info, please see http://www.ifca.ai/fc05/

----------------------------------------------------------------------
November 2004

IWIA 2005 Third IEEE International Information Assurance Workshop, Washington D.C., USA, March 31-April 1, 2005. (submissions due 8 November 2004)

The IEEE Task Force on Information Assurance is sponsoring a workshop on information assurance in cooperation with the ACM SIGSAC on research and experience in information assurance.
The workshop seeks submissions from academia, government, and industry presenting novel research, applications and experience, and policy on all theoretical and practical aspects of IA.

Possible topics include, but are not limited to the following:
- Operating System IA & S
- Storage IA & S
- Network IA & S
- IA Standardization Approaches
- Information Sharing in Coalition Settings
- Security Models
- Survivability and Resilient Systems
- Formal Methods and Software Engineering for IA
- Proactive Approaches to IA
- CCITSE Experience and Methodology
- Intrusion Detection, Prediction, and Countermeasures
- Insider Attack Countermeasures
- Specification, Design, Development, and Deployment of IA Mechanisms
- Policy Issues in Information Assurance

More information can be found on the workshop web page at http://iwia.org/2005/

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
-----
May
* 5/21/04: Conference on Local Computer Networks, LCN, Tampa, Florida; Submissions are due; sjha@cse.unsw.edu.au, http://www.ieeelcn.org
* 5/23/04- 5/25/04: Information Hiding Workshop, IH, Toronto, Canada http://msrcmt.research.microsoft.com/IH2004/CallForPapers.aspx
* 5/26/04- 5/28/04: Workshop on Privacy Enhancing Technologies, WPET, Toronto, Canada http://petworkshop.org/
* 5/31/04: International Conference on Information and Communications Security, ICICS, Malaga, Spain; submissions are due http://icics04.lcc.uma.es
* 5/31/04: School on Foundations of Security Analysis and Design, FOSAD, Bertinoro, Italy; applications are due; gorrieri@cs.unibo.it http://www.sti.uniurb.it/events/fosad
* 5/31/04: Security Issues in Coordination Models, Languages and Systems, SecCo, London, UK; Submissions are due; focardi@dsi.unive.it http://cs.unibo.it/secco04
* 5/31/04: International Workshop on Security in Parallel and Distributed Systems, PDCS, San Francisco, CA; submissions are due http://securityworkshop.ece.iastate.edu
--------------
June
* 6/ 1/04: RSA Conference, Cryptographers' Track, CT-RSA 2005, San Francisco, CA; submissions are due http://www.rsasecurity.com/rsalabs/cfp_ct_rsa05.html
* 6/ 1/04: Annual Computer Security Applications Conference, 20th ACSAC, Tucson, Arizona; Submissions are due; Workshop_chair@acsac.org http://www.acsac.org
* 6/ 2/04- 6/ 4/04: ACM Symposium On Access Control Models And Technologies, SACMAT 2004, Yorktown Heights, NY http://www.www.sacmat.org
* 6/ 7/04- 6/ 9/04: DIMACS Workshop on Security Analysis of Protocols, DW-SAP, Rutgers University, New Jersey http://dimacs.rutgers.edu/Workshops/Protocols/
* 6/ 8/04- 6/11/04: Applied Cryptography and Network Security, ACNS, Yellow Mountain, China http://www.rsasecurity.com/rsalabs/staff/bios/mjakobsson/acns.htm
* 6/10/04- 6/11/04: Colleges, Code and Copyright, CCCpyrt, Adelphi, Maryland http://www.umuc.edu/odell/cip/symposium/cpapers.html
* 6/10/04- 6/11/04: International Information Assurance Workshop, IAW, West Point, NY http://www.itoc.usma.edu/workshop/2004/index.html
* 6/10/04: Specification and Automated Processing of Security Requirements, SAPS, Linz, Austria; Submissions are due; amg@lcc.uma.es http://www.lcc.uma.es/SAPS04
* 6/11/04: Workshop on Privacy in the Electronic Society, WPES, Washington, DC; submissions are due http://seclab.dti.unimi.it/wpes2004
* 6/14/04: Workshop on Wireless Security, WiSe, Philadelphia, PA; submissions are due http://www.ece.cmu.edu/~adrian/wise2004
* 6/18/04: Workshop on Formal Aspects in Security and Trust, FAST, Toulouse, France; submissions are due http://www.iit.cnr.it/FAST2004
* 6/20/04- 6/23/04: Congress on Evolutionary Computation, special session on crypto and compsec, Portland, Oregon http://www.ohmsha.co.jp/ngc/
* 6/25/04- 6/26/04: European PKI Workshop, Euro PKI, Samos island, Greece http://www.aegean.gr/EuroPKI2004/
* 6/25/04: Workshop on Information Security Applications, WISA, Jeju Island, Korea; submissions are due; http://dasan.sejong.ac.kr/~wisa04
* 6/26/04: Security Issues with Petri Nets and other Computational Models, WISP, Bologna, Italy http://www.iit.cnr.it/staff/fabio.martinelli/WISP2004cfp.htm
* 6/27/04- 7/ 2/04: USENIX, Boston, Massachusetts http://www.usenix.org/events/usenix04/
* 6/28/04- 6/30/04: Computer Security Foundations Workshop, 17th CSFW, Pacific Grove, CA http://www.csl.sri.com/csfw/index.html
* 6/28/04- 7/ 1/04: Dependable Computing and Communications Symposium, DCCS, Florence, Italy http://www.dsn.org
* 6/28/04- 6/29/04: Biometric Security, BioSec, Barcelona, Spain http://www.biosec.org
--------------
July
* 7/ 2/04: Security of Ad Hoc and Sensor Networks, SASN, Washington, DC; submissions are due http://www.cs.gmu.edu/sasn
* 7/ 6/04- 7/ 7/04: Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA, Dortmund, Germany http://www.gi-fg-sidar.de/dimva2004
* 7/ 4/04: Automated Reasoning for Security Protocols Analysis, ARSPA, Cork, Ireland
  http://www.avispa-project.org/arspa
* 7/ 6/04- 7/ 9/04: Conference on Web Services, ICWS, San Diego, California http://conferences.computer.org/icws/2004/
* 7/12/04- 7/16/04: Workshop on Education in Computer Security, WECS 6, Monterey, CA http://cisr.nps.navy.mil/WECS6/
* 7/12/04- 7/13/04: Foundations of Computer Security, FCS, Turku, Finland http://www.cs.chalmers.se/~andrei/FCS04/
* 7/12/04- 7/13/04: Workshop on Logical Foundations of an Adaptive Security Infrastructure, WOLFASI, Turku, Finland http://www.dcs.ed.ac.uk/home/als/lics/lics04/
* 7/30/04- 7/31/04: Conference on Email and Anti-spam, First CEAS, Mountain View, CA http://www.ceas.cc

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

o IETF Revises Extensible Authentication Protocol, by Jari Arkko and Russ Housley

Network access technologies such as PPP employ EAP (Extensible Authentication Protocol, RFC 2284) for authenticating clients that are attempting to connect to the network. In view of increased EAP usage in, for instance, IEEE 802.11 wireless LANs, the IETF has produced a revised version of the EAP specifications. The revised specifications include:

- The EAP base specification, commonly called "RFC 2284bis", has been approved as a Proposed Standard, and it will be published as an RFC soon. The revised protocol specification includes requirements for EAP authentication methods, guidelines for running EAP over non-PPP links, and a comprehensive discussion of security issues related to EAP. This updated specification is expected to provide better interoperability among different products.
  http://www.ietf.org/internet-drafts/draft-ietf-eap-rfc2284bis-09.txt

- The EAP state machine is described in a companion Informational document.
It is in the last steps of approval, so it should be published as an RFC soon. http://www.ietf.org/internet-drafts/draft-ietf-eap-statemachine-03.txt

- The transport of EAP over RADIUS (RFC 3579) and the transport of EAP over Diameter (a very stable draft) provide details about the use of EAP with RADIUS and Diameter, respectively. The first of these specifications improves the interoperability and security of existing RADIUS transport, and the second one provides support for EAP in Diameter. http://www.ietf.org/rfc/rfc3579.txt http://www.ietf.org/internet-drafts/draft-ietf-aaa-eap-05.txt

Ongoing work in the area includes guidelines and security considerations for use of EAP-derived cryptographic keys, and the publication of various authentication methods under the EAP framework. For more information, contact Jari Arkko (jari.arkko@ericsson.com), Bernard Aboba (bernarda@microsoft.com), or Russ Housley (housley@vigilsec.com).

o Task force releases security recommendations
Group includes reps from Microsoft, Computer Associates
From Infoworld
By Paul Roberts, IDG News Service
April 01, 2004
http://www.infoworld.com/article/04/04/01/HNsecuretask_1.html

BOSTON - A computer industry task force that includes representatives from Microsoft Corp. and Computer Associates International Inc. issued its first round of recommendations on Thursday for improving software security, including a role for the U.S. government in supporting creation of secure software products.
o Microsoft Shelves NGSCB Project As NX Moves To Center Stage
Windows XP SP2 hooks into No Execute technology in newer AMD, Intel processors
By Paula Rooney, CRN, 9:32 AM EST Wed., May 05, 2004
http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=49936

After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said.

o Microsoft: 'Palladium' Is Still Alive and Kicking
From EWeek
By Mary Jo Foley, Microsoft Watch
May 5, 2004
http://www.eweek.com/article2/0,1759,1585373,00.asp

SEATTLE -- Microsoft Corp. spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology. "NGSCB is alive and kicking," said Mario Juarez, a product manager in Microsoft's security and technology business unit.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Conference Report, Security and Privacy Symposium
Berkeley, California, May 10-12, 2004
by Hilarie Orman
May 16, 2004
____________________________________________________________________

Selected Commentary on the 2004 Security and Privacy Symposium

[This is a random selection of personal impressions of the conference and does not reflect on the quality of talks omitted]

Social

The venerable (25 years) Security and Privacy Symposium was held at the Claremont Resort and Spa in Berkeley, California.
The symposium has always been at this location, and it probably will continue to be there through 2008. The Sunday evening reception featured beautiful sunset views across San Francisco Bay and excellent hors d'oeuvres. There was a good mix of old and new faces, and this was a good time to catch up on the happenings in the security community and to meet new people. This year I learned that if one goes out the lower parking lot of the Claremont and across the street towards the residential area, and uphill a block to Tanglewood Road, and then up Tanglewood to Tanglewood path, there is access to the Claremont Canyon Reserve. This is a steep walk, but well worth it for the huge eucalyptus trees and sunset view of the entire San Francisco Bay area.

General

Lee Badger, as general chair, welcomed the audience and introduced Dave Wagner, the program chair. The attendance was slightly up for the conference, approaching 200 attendees. This was a good turnout, still 10% shy of the maximum number that the Claremont can handle, but showing a steady upward trend over the last few years. CMU and Berkeley in particular were well-represented. The number of paper submissions for the technical program was markedly increased over last year, with 185 submissions. Paradoxically, only 19 papers were accepted, making for a short program for the two and a half days, even with two panels. There was no "best paper" award.

Session on Attacks and Defenses

The first session had two papers that were notable for their novelty (if not for simple amusement), and one on security problems in Internet protocols when used with "multi-homed" or "IP mobile" computers. Dmitri Asonov presented a paper about a covert channel analysis of acoustic emanations from ordinary computer keyboards. He showed that each key has a detectable acoustic signature which he tentatively attributed to percussion in the stop plate of the keyboard. He recommended designing the keys to minimize the energy in the two part "click".
Some audience members privately wondered if mechanical wireless keyboards were an obvious follow-on invention.

Adam Stubblefield presented an analysis of the electronic voting software revealed on the Diebold website last year. The software had a number of flaws, including a hard-coded DES key, and even the comments gave cause for amusement. While Diebold may have been unfortunate to have had their source code inadvertently "published", it seems clear that informed scrutiny of voting software can help eliminate security flaws and ultimately increase confidence in the software.

Tuomas Aura's presentation on how transport layer security measures can be thwarted by endpoints with multiple and/or variable IP addresses was an interesting litany of problems. While some of the problems afflict mechanisms that are fragile and lightweight in the first place (such as "cookies"), it is certainly true that multiple addresses complicate any part of a transport protocol that needs to maintain authenticated state while being address-aware.

Panel on Electronic Voting
Dan Wallach, Rice University
Dana DeBeauvoir, County Clerk, Travis County, Texas
Josh Benaloh, Microsoft Research

The voting panel presented three viewpoints: advocacy of paper ballots produced by electronic machines and tabulated by optical readers, thus combining the best of both the electronic and the paper world (Wallach); a recommendation for electronic voting methods that permit verifying election results with untrusted software (Benaloh); the need for an easily usable election system that could be quickly and continuously estimated through partial tabulation (DeBeauvoir). The advantages of electronic voting are numerous, though perhaps not immediately obvious. Accessibility is important for handicapped voters and for those with special language needs. Ballot specialization (the ability to include exactly those issues and elected positions relevant to each district) helps the election officials.
DeBeauvoir's practical experience with voting procedures and use of electronic voting machines was a refreshing view into the real world of voting and how conscientious officials deal with testing and using the machines. The open discussion brought up one non-obvious problem with giving a voter a paper copy of his vote (to use in disputes): it facilitates vote selling and coercion. Opinions varied on whether or not electronic voting needed to deal with this problem. All agreed that the ability to validate the electronic vote was very important, but there was no consensus on the best method.

Panel on Grand Challenges in Computer Security Research
Virgil Gligor, University of Maryland
Mike Reiter, Carnegie Mellon University
Dan Simon, Microsoft Research
Gene Tsudik, UC Irvine

The "Future Directions" panel had four diverse viewpoints:
1. "I'll puke if I see another paper about X" (Tsudik)
2. Emergent properties of wireless ad hoc sensor networks (Gligor)
3. Usability and security, from the Grand Challenges workshop (Reiter)
4. Usability, plumbing, and potholes (Simon)

Each member of the panel gave a good presentation, and few people whose research interests lie within Tsudik's hurling range will ever forget his comments. Overall, though, this seemed a disjointed set of presentations and yielded no insight into what the future directions are likely to be.

Session on Denial of Service

Michael Collins presented an analysis of the effectiveness of several proposed methods for "target-resident" DOS protection measures. His conclusion, elucidated by Jay Lepreau, was that no method seemed to provide satisfactory performance with respect to both Type 1 and Type 2 errors.

Session on Network Security

Jaeyeon Jung presented work on detecting machines engaging in "port scanning", a method of finding vulnerable computers on a network.
Machines doing port scans are often compromised by a worm or other form of malicious software, so finding port scanning machines quickly is a way to protect a network. By careful analysis using Bayesian probabilities, the researchers were able to tune their detection algorithms to find port scanners accurately with as few as 5 probes, much reduced from other methods that might need 100 probes to achieve similar accuracy.

A paper by Maxwell Krohn et al. presented a method for verifying the packets used in rateless erasure codes. Because the packets are not necessarily sequential, ordinary methods for authenticating transport protocols like TCP are not applicable. Their method does not require a public key signature on each packet, thus relieving the sender of some computational burden.

It was left to Nikos Triandopoulos to present "Multicast Authentication in Fully Adversarial Networks", a topic denounced by Tsudik in his Grand Challenges presentation. However, the paper did contribute a definition of "adversarial network" that encompasses both invalid messages and message floods, the latter being something that has been traditionally ignored in security modeling.

Business Meeting

The conference probably will be at the Claremont for the next 3 years, there being no objection from the room, but it will be held later in the month than has been traditional. The Claremont has become an expensive venue, and the conference now needs sponsorship in order to provide the Sunday reception. The Monday reception is not as lavish, and the breakfasts and breaks are skimpy (in the opinion of this writer). Next year's general chair will be Steve Tate, and the program chair will be Michael Waidner. The open discussion at the Tuesday afternoon business meeting showed some disagreement in the program committee about the reasons for the high rejection rate. The main reason seemed to be that the committee could not reach consensus on more than 19 papers.
One member opined that the standards being set by the committee were not exactly aligned with the needs of the conference. A non-committee member said that recent experience with other security conferences indicated that the quality of the submissions was generally low. Offered remedies included advising the program chair that a full-length program was a priority, even if the committee could not come to consensus on the final few papers, volunteering for the program committee, submitting papers, and trusting in the wisdom of the program committee.

____________________________________________________________________
Book Review By Robert Bruen
May 17, 2004
____________________________________________________________________

The Shellcoder's Handbook. Discovering and Exploiting Security Holes
by Koziol, Jack, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta and Riley Hassell
Wiley 2004. ISBN 0-7645-4468-3 LoC QA76.9.A5S464 2004. 620 pages. $50.00, Index.

It is gratifying to see that the latest hacker oriented security books are reaching deeper into the technical aspects of how to exploit software. For better or worse, the technical demands increase in a geometric fashion as one goes down each level. There are a number of levels in computing, even if you go up starting at the hardware level to assembly language. The knowledge of assembly language works in tandem with the architecture of the processor and other hardware parts. Understanding the system at this level provides insight into the next level up, the operating system, where things get managed, like devices, memory, files, processes, etc. These are the targets of exploits. It is common knowledge that many, but not all, exploits are carried out by folks who do not understand them, cannot write them and certainly cannot discover them. It is not much different from handing the car keys to an eight year old.
This works well for field testing exploits, but it does not help all that much for understanding them. To be good at this, one needs discipline, intelligence, persistence and a few other characteristics that enable one to gain expertise. The details matter. For example, is the machine big-endian or little-endian? This matters because if you want to try an off-by-one stack overflow, you will have a difficult time on a big-endian machine. Since many overflows involve null termination, the wrong end of the address would be changed because the address would be off by lots more than one. If you would like to search for a buffer, stack or heap overflow in some piece of code, you might start with a debugger to ascertain that particular address of importance. What happens when you run into registers, stack pointers and program status words? Did you skip that class? Well, have no fear. The Shellcoder's Handbook will provide you with the meanings, the uses and the code to learn all about them. The code from the book, available at the companion web site, is well worth looking at. The examples start from the simple and move up.

The best thing about the book and code is that no operating system is safe from the wanderings of the authors: Windows, Solaris, HP and Linux are all discussed. Reading this book will educate you about the system architecture used by the vendors' operating systems. You will learn just what shellcode means (it is not code run from a shell), and why you need to know about assembly language and hexadecimal opcodes. The lesson on how to write shellcode is very clear and very simple. With a little bit of work, this would make an excellent textbook for a course in writing exploits. Koziol and company get a highly recommended status for an excellent and must-have book.
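The endianness point in the review above is worth seeing in bytes. The following C program is an added illustration written for this issue; it is not code from The Shellcoder's Handbook or its companion site. It models a stack frame as a flat byte array (an 8-byte buffer followed immediately by a saved frame pointer, whose value 0xbffff5a0 is an assumed, illustrative 32-bit stack address), copies an 8-character string into the buffer with strcpy() semantics so that the terminating NUL lands one byte past the buffer, and shows what that single byte does to the saved pointer under each byte order.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, illustrative saved frame pointer: the kind of address a
 * 32-bit process stack lived at on the systems the book targets. */
#define SAVED_FP 0xbffff5a0u
/* Size of the overflowable buffer in the modelled frame. */
#define BUF_LEN  8

/* Returns 1 on a little-endian host, 0 on a big-endian one. */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Serialize `value` in the requested byte order, zero the byte at the
 * lowest address (the one a terminating NUL written one byte past the
 * preceding buffer lands on), and return the value read back.  This is
 * the arithmetic form of the demo so both byte orders can be examined
 * on any host. */
uint32_t clobber_lowest_byte(uint32_t value, int little_endian)
{
    unsigned char b[4];
    uint32_t out = 0;
    int i;

    for (i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        b[i] = (unsigned char)(value >> shift);
    }
    b[0] = 0;                       /* the stray NUL terminator */
    for (i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        out |= (uint32_t)b[i] << shift;
    }
    return out;
}

/* Model the stack frame as a flat byte array: BUF_LEN bytes of buffer
 * followed immediately by the saved frame pointer in host byte order.
 * Copying an 8-character string with strcpy() semantics writes nine
 * bytes, so the NUL lands on the first byte of the saved pointer.
 * Every write stays inside `frame`, so the demo itself is well-defined
 * C; only the frame it imitates is "overflowed". */
uint32_t off_by_one_demo(void)
{
    unsigned char frame[BUF_LEN + sizeof(uint32_t)];
    const char *input = "AAAAAAAA";          /* exactly BUF_LEN characters */
    uint32_t fp = SAVED_FP;
    uint32_t clobbered;

    memcpy(frame + BUF_LEN, &fp, sizeof fp);
    memcpy(frame, input, strlen(input) + 1); /* BUF_LEN + 1 bytes: the NUL spills */
    memcpy(&clobbered, frame + BUF_LEN, sizeof clobbered);
    return clobbered;
}

int main(void)
{
    uint32_t le = clobber_lowest_byte(SAVED_FP, 1);
    uint32_t be = clobber_lowest_byte(SAVED_FP, 0);
    uint32_t here = off_by_one_demo();

    printf("saved frame pointer      : 0x%08" PRIx32 "\n", SAVED_FP);
    printf("after NUL, little-endian : 0x%08" PRIx32 " (moved %" PRIu32 " bytes)\n",
           le, SAVED_FP - le);
    printf("after NUL, big-endian    : 0x%08" PRIx32 " (moved %" PRIu32 " bytes)\n",
           be, SAVED_FP - be);
    printf("on this %s-endian host   : 0x%08" PRIx32 "\n",
           host_is_little_endian() ? "little" : "big", here);
    return 0;
}
```

On a little-endian host the NUL zeroes the least significant byte, so the saved frame pointer moves down by at most 255 bytes (here 160) and still points into the stack, close to attacker-controlled data; that is what makes the classic off-by-one frame-pointer overwrite workable. On a big-endian host the same write hits the most significant byte and sends the pointer roughly 3 GB away, which is the "off by lots more than one" the review refers to. Build with something like `cc -std=c99 -Wall demo.c`.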
____________________________________________________________________
Book Review By Robert Bruen
May 17, 2004
____________________________________________________________________

Network Security Assessment
by McNab, Chris
O'Reilly 2004. ISBN 0-596-00611-x 371 pages. $39.95. Index, two appendices

In Security Assessment by Miles Greg, et al., the first of three parts of the National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) assessment was covered. The three levels for assessing IP-based networks are: (1) Assessment, (2) Evaluation and (3) Red Team. Greg's book covered level 1, assessment, and McNab's book covers levels 2 and 3, making the two books a nice pair. The first level is concerned with policy, procedures, etc. The other two involve hands-on techniques such as scanning and penetration testing. Out of necessity, there is a certain amount of overlap with hacking techniques and open source tools, but the context of the book creates nuances that increase the value of the techniques and tools. Not only are the tools explained and used, but the output is used to go even further in the acquisition of more information.

The use of real sites, like the NASDAQ and EBay, as examples is a nice touch. NASDAQ still has the same information obtained for the book from the HTTP/HEAD against Microsoft IIS. EBay has upgraded from 4 to 6, so it no longer shows the address of the internal server. In addition, the exposed statistics page at BT Corp has disappeared. The tools, naturally, run the gamut from built-in unix commands to cool tools of all kinds. One of the great features of the book is the broad range of what is assessed and the tools that accompany them. The explanations are some of the best around. This is a good place to start for any pen tester, ethical or otherwise. Network Security Assessment almost reads like a cracking dictionary of techniques, tools and how-tos.
In spite of the clear instructions and diagrams, the reader will still be required to have a good general technical understanding of software. It will not be enough to use whois to look up a site's owner or to use a tool like vncrack to brute force a password. McNab has a lot of knowledge which he is transferring to the rest of us. Given that we all know that no software, operating system, application, or otherwise is perfect, then we know that all of it is vulnerable. The best we can do seems to be to figure out the problems before someone else does.

This is a highly recommended book, hacker friendly and full of good stuff.

____________________________________________________________________
Book Review By Robert Bruen
May 17, 2004
____________________________________________________________________

Defend IT. Security by Example
by Gupta, Ajay and Scott Laliberte
Addison-Wesley 2004. ISBN 0-321-19767-4 384 pages. Index. Bibliography.

Defend I.T. uses the case method to instruct readers by illuminating problems through examples with enough detail and scope to be helpful. Case studies are a common way for business schools to teach would-be managers how to analyze situations in which decisions must be made. Background is given to the reader, such as organizational details and the path that brought the subjects to the current situation. Generally there is a problem at hand that the reader must solve. In contrast, the technical world tends to provide an analysis and an answer in "man" pages, how-tos and help. This approach is quite helpful when one is stuck trying to get something working. However, when learning to think about how one goes about solving problems, one needs to practice using a case. Given the situation, how does one approach the problem? If there is no clear cut answer, then mapping out the steps toward some answer is a challenge. One needs to be able to defend a decision in a rational and logical way. There does not seem to be much of the case approach in the tech world, so it is good to have a security book that presents it.

The sixteen cases use real but disguised organizations that have experienced a problem. Each case is analyzed in technical and managerial fashion to get a good overall picture of the problem and its accompanying solution. The steps can be easily followed from problem presentation through the final step. In fact, the cases are very accessible to readers just starting out in security if they have some technical background.
For those who are advanced in security, the value would be in how the analysis is presented. Although there are lots of helpful diagrams, none of the cases goes into the excruciating detail that some of us might like. The cases have not been shortened to summary status, but, for example, when looking at Return on Investment (ROI) for an Intrusion Detection System (IDS) purchase, the financial data is simplified. This does not detract from the example; instead it avoids unnecessary detail to keep the reader moving along. If the reader is well versed in the case method for teaching, these cases will not quite fit into the mold, but again, this is not a problem when getting the most out of the book.

The coverage is fairly broad, including policy, hacking, forensics, and worms. Included are new topics like the Health Insurance Portability and Accountability Act (HIPAA), one of the major impacts on digital security through government regulation. HIPAA will certainly not be the last regulation to cause such disruption. The only real criticism I can levy is the inclusion of war dialing as a case. The chapter is in a section labeled "Old School," indicating that the authors knew what they were doing at the time. It makes me feel nostalgic for the good old days, but I would have replaced it with newer material. This is a bit of a nit pick, though, and some readers will still find the chapter valuable.

This is definitely a recommended book, one that those of you who are teaching security especially ought to consider.
====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from past issues of Cipher is archived at http://www.ieee-security.org/Cipher/ReadersGuide.html and was last updated in March 2002

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil
---------------
National ICT Australia, Formal Methods Program
Researcher/Senior Researcher, Formal Methods for Computer Security
http://nicta.com.au

National ICT Australia
Program Leader, Security and Trust Management Program
http://nicta.com.au

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each
with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

_____________________________________________________________________
TC Publications for Sale
_____________________________________________________________________

IEEE Security and Privacy Symposium

The 2004 Symposium proceedings are available for $25 plus shipping and handling. The 2002 and 2003 proceedings are $20 plus shipping and handling. The 1998 proceedings are $15 plus shipping and handling. Shipping is $4.00 within the US, overseas surface mail is $7, and overseas airmail is $11, based on an order of 3 volumes or less. Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Hilarie Orman (see below) including the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.
______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+ 1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
512-838-0455 (voice)
millen@csl.sri.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
512-838-0455 (voice)
millen@csl.sri.com

Treasurer:
Tom Chen
Department of Computer Science and Engineering
School of Engineering
Southern Methodist University
P.O. Box 750122
Dallas, TX 75275-0122
(214) 768-8541 (voice)
http://www.engr.smu.edu/~tchen

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html