==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic issue 70                                      January 16, 2006

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Bob Bruen                              Yong Guan
Book Review Editor,                    Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Robert Bruen's review of File System Forensic Analysis
      by Brian Carrier
    o Robert Bruen's review of Software Security. Building Security In
      by Gary McGraw
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
 * News and Announcements from Readers
    o The ISOC NDSS program
    o The Cassandra Vulnerability Notification System
    o Institute for Information Infrastructure Protection (I3P)
      Call for Proposals from post-doctoral researchers, junior
      faculty and research scientists.
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar items
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers,

The Cipher newsletter is published under the auspices of the IEEE
Technical Committee on Security and Privacy, and its major activities
are the Symposium on Security and Privacy and the Computer Security
Foundations Workshop. The symposium will be held May 21-24 at its
traditional location, the Claremont Resort in Berkeley, California,
and the workshop will be in Venice, Italy, July 5-7. Both events have
a long history of featuring excellent research papers. The home page
of the technical committee (www.ieee-security.org) has links to the
events, and registration information will be forthcoming shortly.

Cipher gets queries about advertising and announcements frequently,
and its multiple modes of publication on occasion cause confusion.
Cipher is a floorwax and a dessert topping and a facial lotion, which
is to say that it is a newsletter in two forms and a website. The
newsletter is published online six times a year; each publication is
also sent as plain text email to about 2000 subscribers. The calendar
of events and the associated calls-for-papers list on the website get
frequent updates that are not tied to the newsletter publication
schedule.

This issue of Cipher has book reviews and news items, including an
announcement of fellowships at the new Institute for Information
Infrastructure Security (I3P), which is funded by the Department of
Homeland Security.
It is to no one's surprise that the Windows operating system turned
out to have yet another in a long list of vulnerabilities resulting
from obscure conditions for interpreting data as executable code.
Does anyone remember that old phrase from security evaluations "and
nothing else"? In today's world, there's always something else.

The revelations about domestic wiretaps raise questions about what
other forms of surveillance we are subjected to, and how would we
know? Are there even more obscure forms of computer communication
surveillance going by our government than have yet been revealed?

Go privately and securely and suspiciously,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
Program for NDSS 06 (Feb. 2-3, 2006, San Diego)
see http://www.isoc.org/isoc/conferences/ndss/06/index
Contributed by Doug Szajda
November 28, 2005
____________________________________________________________________

Deploying a New Hash Algorithm
    Steven Bellovin, Eric Rescorla

Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That
Exploit Browser Vulnerabilities
    Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad
    Verbowski, Shuo Chen, Sam King

Inoculating SSH Against Address Harvesting
    Stuart Schechter, Jaeyeon Jung, Will Stockwell, Cynthia McLain

Enterprise Security: A Community of Interest Based Approach
    Patrick McDaniel, Shubho Sen, Oliver Spatscheck, Jacobus Van der
    Merwe, Bill Aiello, Charles Kalmanek

Trust Negotiation with Hidden Credentials, Hidden Policies, and Policy
Cycles
    Keith Frikken, Jiangtao Li, Mikhail Atallah

A Crawler-based Study of Spyware in the Web
    Alex Moshchuk, Steven D.
    Gribble, Henry Levy

Protocol-Independent Adaptive Replay of Application Dialog
    Weidong Cui, Vern Paxson, Nicholas Weaver, Randy Katz

Isolating Intrusions by Automatic Experiments
    Stephan Neuhaus, Andreas Zeller

Churn as Shelter
    Tyson Condie, Varun Kacholia, Sriram Sank, Joseph M. Hellerstein,
    Petros Maniatis

Software Self-Healing Using Collaborative Application
    Stelios Sidiroglou, Michael Locasto, Angelos Keromytis

Toward a Practical Data Privacy Scheme for a Distributed Implementation
of the Smith-Waterman Genome Sequence Comparison Algorithm
    Doug Szajda, Michael Pohl, Jason Owen, Barry Lawson

Toward Automated Information-Flow Integrity Verification for
Security-Critical Applications
    Umesh Shankar, Trent Jaeger, Reiner Sailer

Using Generalization and Characterization Techniques in the
Anomaly-based Detection of Web Attacks
    William Robertson, Giovanni Vigna, Christopher Kruegel, Richard A.
    Kemmerer

Key Regression: Enabling Efficient Key Distribution for Secure
Distributed Storage
    Kevin Fu, Seny Kamara, Yoshi Kohno

Device Identification via Analog Signal Fingerprinting: A Matched
Filter Approach
    Ryan Gerdes, Thomas Daniels, Mani Mina, Steve Russell

Modeling Botnet Propagation Using Time Zones
    David Dagon, Cliff Zou, Wenke Lee

Vulnerability-Specific Execution Filtering for Exploit Prevention on
Commodity Software
    James Newsome, David Brumley, Dawn Song, Jad Cha

____________________________________________________________________
The Cassandra Vulnerability Notification System
Announcement by Pascal Meunier
contributed by Gene Spafford
December 2, 2005
____________________________________________________________________

I am pleased to announce the availability of an open source,
command-line version of the Cassandra system.

For 5 years the Cassandra system (https://cassandra.cerias.purdue.edu)
has been delivering free vulnerability notifications based on NIST's
ICAT database of CVE entries, and later, Secunia advisories were added.
These notifications were based on a profile of interest you entered,
saving you time in doing searches for you every day and remembering
which entries you had already seen (Meunier and Spafford, FIRST 2002).
However, using Cassandra meant that I (and CERIAS) had a list of
possible vulnerabilities in your organization's systems, and this list
was sent to you in plain text emails. Even though Cassandra was never
compromised, it (and the emails) made a tempting target; risk-averse
people and organizations were therefore unable to benefit from the
service.

The new command-line tool, my_cassandra.php, solves these issues and
can be downloaded from my home page:

http://homes.cerias.purdue.edu/~pmeunier/

Because you get the source code and the custody of your profiles, this
version of Cassandra should not generate the privacy concerns that the
online version did. As it is under your control you can also run it at
the intervals you choose. It is made available under an open source
license so you can modify it. It runs under PHP so it should run on
almost any platform (tested on Windows XP SP2 and PHP 5.1.1, and MacOS
10.4.3 and PHP 4.3.11 -- Windows users need to download also
"cassandra.bat").

It works by downloading an XML export of recent entries in NIST's
National Vulnerability Database, and comparing them to vendors,
products and keywords specified in the file "profile.txt". The tool
will then open a browser window for each new and relevant entry, and
save the list of seen entries in a file named "seen_CVE.txt" on your
workstation.

WARNING: The first time you run it, it will open a large number of
windows. It is then up to you to run it when you have time to read the
new entries.

Regards,
Pascal Meunier
Purdue University CERIAS

P.S.: Thanks to the NVD team at NIST, and the people at MITRE doing the
tedious and cautious work without which Cassandra would have no data,
and special thanks for doing it swiftly.
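
[Added example, not code from my_cassandra.php or its author: a Python
sketch of the profile matching and local seen-list bookkeeping that the
announcement above describes. The feed element names, the "kind: value"
profile syntax and the CVE-0000-* identifiers are constructed
assumptions; only the file name seen_CVE.txt comes from the
announcement, and ids are returned rather than opened in a browser.]

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample feed. Element and attribute names are assumptions made
# for this example; they are not the real NVD export schema.
SAMPLE_FEED = """<entries>
  <entry id="CVE-0000-0001" vendor="ExampleSoft" product="WebServer">
    <desc>Buffer overflow in the request parser.</desc></entry>
  <entry id="CVE-0000-0002" vendor="OtherCorp" product="MailRelay">
    <desc>Denial of service via malformed header.</desc></entry>
  <entry id="CVE-0000-0003" vendor="ThirdParty" product="LogViewer">
    <desc>Format string flaw in the log display.</desc></entry>
  <entry id="CVE-0000-0004" vendor="ThirdParty" product="Calendar">
    <desc>Cross-site scripting in event titles.</desc></entry>
</entries>"""

# Constructed profile. The "kind: value" rule syntax is an assumption.
SAMPLE_PROFILE = """# what this site runs
vendor: examplesoft
product: mailrelay
keyword: format string
"""


def parse_profile(text):
    """Return {'vendor': set, 'product': set, 'keyword': set}, lower-cased."""
    profile = {"vendor": set(), "product": set(), "keyword": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        kind, value = kind.strip().lower(), value.strip().lower()
        if not sep or kind not in profile or not value:
            raise ValueError("bad profile line: %r" % raw)
        profile[kind].add(value)
    return profile


def parse_feed(xml_text):
    """Parse the downloaded feed into a list of lower-cased entry dicts."""
    # The feed arrives over the network, so treat it as untrusted input:
    # refuse DTDs outright to rule out entity-expansion tricks.
    if "<!doctype" in xml_text.lower():
        raise ValueError("feed contains a DOCTYPE; refusing to parse")
    entries = []
    for e in ET.fromstring(xml_text).iter("entry"):
        entries.append({
            "id": e.get("id", ""),
            "vendor": e.get("vendor", "").lower(),
            "product": e.get("product", "").lower(),
            "desc": (e.findtext("desc") or "").lower(),
        })
    return entries


def is_relevant(entry, profile):
    """An entry is relevant if any vendor, product or keyword rule hits."""
    return (entry["vendor"] in profile["vendor"]
            or entry["product"] in profile["product"]
            or any(k in entry["desc"] for k in profile["keyword"]))


def load_seen(path):
    """Read the local seen list; a missing file means a first run."""
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def save_seen(path, seen):
    """Write the seen list via a temp file so a crash cannot truncate it."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("".join(i + "\n" for i in sorted(seen)))
    os.replace(tmp, path)


def check(feed_xml, profile_text, seen_path):
    """Return ids that are relevant and not yet seen, then record them."""
    profile = parse_profile(profile_text)
    seen = load_seen(seen_path)
    fresh = [e["id"] for e in parse_feed(feed_xml)
             if e["id"] and e["id"] not in seen and is_relevant(e, profile)]
    save_seen(seen_path, seen | set(fresh))
    return fresh


if __name__ == "__main__":
    import tempfile
    seen_file = os.path.join(tempfile.mkdtemp(), "seen_CVE.txt")
    print("first run :", check(SAMPLE_FEED, SAMPLE_PROFILE, seen_file))
    print("second run:", check(SAMPLE_FEED, SAMPLE_PROFILE, seen_file))
```

The first call returns every match because seen_CVE.txt does not exist
yet, which is the flood the announcement warns about; the second call
returns nothing. Both the profile and the seen list stay on the local
workstation, which is the privacy property the announcement stresses.
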
____________________________________________________________________
Institute for Information Infrastructure Protection (I3P)
Academic Positions
Contributed by Sondra Walker
January 13, 2005
____________________________________________________________________

The Institute for Information Infrastructure Protection (I3P) has
issued a Call for Proposals from post-doctoral researchers, junior
faculty and research scientists. Applicants must submit proposals to
the host institutions by February 27, 2006. Host Institutions must
submit completed application packets to the I3P by March 10, 2006. For
more information about application requirements see:
www.thei3P.org/fellowships.

I3P Research Areas of Interest:

 - Enterprise Security Management
 - Trust Among Distributed Autonomous Parties
 - Discovery and Analysis of Security Properties and Vulnerabilities
 - Secure systems and Network Responses and Recovery
 - Traceback, Identification and Forensics
 - Wireless Security
 - Metrics and Models
 - Law, Policy and Economic Issues

The I3P - a national research consortium of universities,
federally-funded labs, and non-profit organizations - is chaired by
Dartmouth College. The program is funded by the U.S. Department of
Homeland Security.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Robert Bruen
Jan 5, 2006
____________________________________________________________________

File System Forensic Analysis
by Brian Carrier
Addison-Wesley 2005. ISBN 0-231-26817-2 $49.99.
569 pages; Index ; EoC bibliographies

When I first started in the computer business, the only books were
manuals published by vendors. Well, maybe there were a few books for
sale, but not very many. This made it difficult to figure out problems,
especially when I had experiences such as a co-worker salesman who told
me that "We are not in the documentation business." We were working for
a computer vendor. I moved on expecting the company would have
difficulty within a few years. It did.

The point of this story is that the need for technical details has
always been important in a technical world. It has been most satisfying
to see the publishing industry provide good books to fill the void.
There is still a problem, however. As technical books appear and new
disciplines are created, new people pop into view. Many are new to the
field and need to catch up because they do not know the history.
Computer forensics is one of those rediscovered fields.

By and large, forensics done on a computer involves the disk [ed. disk
== hard drive]. Yes, volatile memory and hardware memory are important,
but the bulk of the work will be pulling out information from one or
more disks. In the early days, besides being really small, disks were
documented in a so-so manner. If you worked closely with them, you
learned. As computers spread to the desktop and the desktop was
Microsoft territory, most users did not pay attention to the disk
details. Thus the structure, operation and drivers were forgotten. This
all changed around 2000, when Law Enforcement realized just how much
evidence was on these disks. Computer forensics has now become an
important career unto itself.

The forensics cases I am aware of tend to use packages, for example
EnCase in the commercial space, and some great open source packages.
Prosecutors tend to analyze a case quickly because they are busy and
the case load only goes up.
The need for real expertise has been diminished somewhat, due in part
to the lack of sophistication on the criminal end.

While the good forensics books are good, they do not go into the
details of disks that Carrier does. He is not focusing on forensics as
much as he is focusing on file systems and disk structure. I like this
book because he is sticking to the expertise end of the game. Gathering
the details of the file systems to be presented was not a trivial task.
Mastering them so that they could be explained so well had to have been
even more difficult.

Naturally Carrier spends time with disk acquisition and investigation
as a preface to the real technical work. He also includes information
on two packages The Sleuth Kit and Autopsy, two very nice, free
packages written by him. I use them in my security class for the
forensics section.

Criminals are getting much more sophisticated. Today's computer
forensics specialists need to be just as sophisticated. The book
completely covers FAT, NTFS, Ext2, Ext3, UFS1 and UFS2. I highly
recommend this book for forensics specialists, but also for anyone who
wants a proper look at disks. We can all benefit from Carrier's
expertise.

____________________________________________________________________
Book Review By Robert Bruen
Jan 5, 2006
____________________________________________________________________

Software Security. Building Security In
by Gary McGraw
Addison-Wesley 2006. ISBN 0-321-35670-5
Annotated Bibliography, Glossary, 3 appendices

This new book is another meaningful contribution to the problem of
developing secure software. As with his other books, McGraw's expertise
shows through clearly. This book is considered a unification, or maybe
an intersection, of his other two books, one for black hats and one for
white hats. I think of black hats more as being similar to quality
assurance engineers and whistle blowers.
I still can not figure out why problems with automobiles are public,
government regulated and attractive to lawyers, yet the software
industry still gets to demonize anyone who points out flaws. This is
not to say that I believe using flaws to attack a site is a good idea,
and I do not support criminals who use such knowledge to commit crimes.

No business or discipline can make progress without some attention paid
to truth. In this case we are looking at the academic discipline of
software engineering and the business of producing software. Our world
is extremely dependent on software, from embedded systems to enterprise
systems. You can count on it being more so for a very long time. McGraw
is bearing down on the business end in this book without sacrificing
the technical side.

It is not easy to make changes which affect the underlying structure of
something, even if it is necessary. I am always distressed to hear
someone, manager or otherwise, say that a perceived problem does not
matter unless it has an impact on a schedule or some cost number. If a
problem in design or construction of something exists, then the only
issue is the size of the problem. I can imagine a bridge construction
site when an engineer realizes that inferior cement has been used. In
the conversation with the manager, the replacement time and cost comes
up, leading the manager to dismiss the problem because the schedule
wins over all else.

McGraw spends a goodly number of pages on topics like risk management,
as he should. He does point out that in the business world, you need to
not only say "There is a security problem in this software," but also
add in "There will be a cost associated with it later if it is not
fixed now." This is a helpful suggestion when communicating with
non-technical bosses.

This book would be good to give a boss up the food chain where software
and security expertise go below 20% because there is enough in it for
such managers to be very useful.
It is also a good book for those still designing, writing or reviewing
software since there is enough helpful technical material to be
meaningful. If you are one of those software folk, you could learn more
about how to talk to that 20% boss in a way that will be good for both
of you.

The problem today is still about writing good, secure software. If you
are in doubt about just how much of it is bad, check out vulnwatch,
neohapsis and the rest, or just read CNN regularly. McGraw and others
have done a good job of backfilling the literature with philosophy,
methodology, techniques and so on, but there has not been enough
traction in the cubicle to put it all into practice. Until the software
folks put security into the design, we will continue to enjoy those
"zero days" and the ensuing deluge of reports. On the other hand, if
management does not support and fund security as a priority in software
development, then the cube dwellers have a serious obstacle.

This is a highly recommended book for anyone involved or interested in
secure software development, but anyone who cares about security should
pay attention to this fundamental problem because it contributes to all
the rest of the security problems we face. I look forward to new work
from McGraw and the rest.

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

Singapore Management University
School of Information Systems
Tenure-track Assistant/Associate Professor of Information Systems in
the following areas:
 * Secure and survivable computing services and systems
 * Security risk metrics, modeling, analysis and management
 * Access control and audit
Applications are accepted until the position is filled.
http://www.sis.smu.edu.sg/

-------------
http://cisr.nps.navy.mil/jobscipher.html

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

1/15/06: ACNS, 4th International Conference on Applied Cryptography and Network Security, Singapore; http://acns2006.i2r.a-star.edu.sg/; Submissions are due
1/16/06- 1/19/06: AISW-NetSec, Australasian Information Security Workshop Hobart, Tasmania, Australia; http://www.titr.uow.edu.au/AISWNS2006/
1/17/06: USENIX, USENIX Annual Technical Conference Boston, MA; http://www.usenix.org/events/usenix06/index.html; Submissions are due
1/17/06: TSPUC, 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Buffalo, NY; http://www.usenix.org/events/usenix06/index.html; Submissions are due
1/20/06: DeSeGov, Workshop on Dependability and Security in e-Government, Vienna, Austria; http://www.ares-conf.org/?q=DeSeGov; Submissions are due
1/30/06: CSFW, 19th IEEE Computer Security Foundations Workshop, Venice, Italy; http://www.dsi.unive.it/CSFW19; Submissions are due
1/31/06: CEC, IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada; http://kolmogorov.seg.inf.uc3m.es/; Submissions are due
1/31/06: EUROPKI, 3rd European PKI workshop: theory and practice, Turin, Italy; http://security.polito.it/europki2006; Submissions are due
2/ 1/06: USENIX Security, 15th USENIX Security Symposium, Vancouver, B.C., Canada; http://www.usenix.org/events/sec06/; Submissions are due
2/ 2/06- 2/ 3/06: NDSS, Network and Distributed System Security Symposium San Diego, California; www.isoc.org/isoc/conferences/ndss/06/cfp.shtml
2/13/06: ACISP, 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia; http://acisp2006.it.deakin.edu.au/; Submissions are due
2/22/06: TrustBus, 3rd International Conference on Trust, Privacy and Security of Digital Business, Krakow, Poland; http://www.icsd.aegean.gr/trustbus06; Submissions are due
2/22/06: SecUbiq, 2nd International Workshop on Security in Ubiquitous Computing Systems, Seoul, Korea; http://www.sitacs.uow.au/secubiq06/; Submissions are due
2/22/06- 2/23/06: Nano-Security, Nano-Security Workshop, Gaithersburg, MD; http://www.csrc.nist.gov/pki/Nano-Security/index.html
2/27/06-3/ 2/06: FC, 10th International Conference on Financial Cryptography and Data Security, Anguilla, British West Indies; http://fc06.ifca.ai/
3/ 1/06: International Journal of Networks and Security (IJSN), Special Issue on Cryptography in Networks; Submissions are due
3/ 1/06: ISC, 9th Information Security Conference, Pythagoras, Greece; http://www.aegean.gr/ISC06; Submissions are due
3/ 1/06: DBSEC, 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sophia Antipolis, France; http://cimic.rutgers.edu/ifip113/2006; Submissions are due
3/ 1/06- 3/ 3/06: TRIDENTCOM, 2nd International IEEE/Create-Net Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, Barcelona, Spain; http://www.tridentcom.org/
3/ 3/06: PET, 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, UK; http://petworkshop.org/2006/; Submissions are due
3/ 3/06: PLAS, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada; http://www.cis.upenn.edu/~stevez/plas06.html; Submissions are due
3/13/06- 3/15/06: ISSSE, International Symposium on Secure Software Engineering; Washington DC; www.jmu.edu/iiia/issse/
3/15/06: Journal of Machine Learning Research, Special Issue on Machine Learning for Computer Security; Submissions are due
3/15/06- 3/17/06: FSE, 13th annual Fast Software Encryption workshop Graz, Austria; http://fse2006.iaik.tugraz.at/
3/20/06: WEIS, 5th Workshop on the Economics of Information Security, University of Cambridge, UK; http://www.cl.cam.ac.uk/~twm29/WEIS06/; Submissions are due
3/21/06- 3/23/06: AsiaCCS, ACM Symposium on Information, Computer and Communications Security Taipei, Taiwan; www.iis.sinica.edu.tw/asiaccs06/
3/23/06: CEAS, 3rd Conference on Email and Anti-Spam, Mountain View, CA; http://www.ceas.cc/2006/cfp.html; Submissions are due
3/25/06- 3/26/06: WITS, 6th International Workshop on Issues in the Theory of Security, Vienna, Austria; http://www4.in.tum.de/~wits06/
4/ 4/06- 4/ 6/06: PKI R&D Workshop, 5th Annual PKI R&D Workshop: Making PKI Easy to Use, Gaithersburg, MD; http://middleware.internet2.edu/pki06
4/10/06- 4/12/06: WIA, Workshop on Information Assurance, Phoenix, Arizona; http://www.sis.pitt.edu/~lersais/WIA2006/
4/10/06- 4/13/06: WEBIST, 2nd International Conference on Web Information Systems and Technologies Setubal, Portugal; http://www.webist.org/
4/11/06- 4/14/06: ISPEC 2006 2nd Information Security Practice and Experience Conference, Hangzhou, China; http://ispec2006.i2r.a-star.edu.sg
4/13/06- 4/14/06: IWIA, Information Assurance Workshop Royal Holloway, UK; iwia.org/2006/
4/18/06: WSSEET, Workshop on Secure Software Engineering Education and Training, Turtle Bay, Oahu, HI; www.jmu.edu/iiia/wsseet/
4/18/06- 4/20/06: SNDS, 2nd International Workshop on Security in Networks and Distributed Systems, Vienna, Austria; http://www.comp.polyu.edu.hk/SNDS06
4/18/06- 4/21/06: SPC, 3rd International Conference on Security in Pervasive Computing, York, UK; http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html
4/20/06- 4/22/06: ARES, 1st International Conference on Availability, Reliability and Security, Vienna, Austria; http://www.ifs.tuwien.ac.at/ares2006/
4/20/06- 4/22/06: DeSeGov, Workshop on Dependability and Security in e-Government, Vienna, Austria; http://www.ares-conf.org/?q=DeSeGov
4/23/06- 4/27/06: SAC-TRECK, ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how Dijon, France; www.acm.org/conferences/sac/sac2006/
5/ 8/06- 5/11/06: ACIS, Applied Cryptography and Information Security Workshop, Glasgow, UK; http://www.acis06.org/
5/16/06: iTrust, 4th International Conference on Trust Management Pisa, Tuscany, Italy; http://www.iit.cnr.it/iTrust2006/
5/16/06- 5/19/06: Cluster-Sec, 2nd International Workshop on Cluster Security, Singapore; http://www.ncassr.org/projects/cluster-sec/ccgrid06/
5/21/06- 5/24/06: Oakland, the 2006 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP2006/oakland06-cfp.html
5/22/06- 5/24/06: SEC, IFIP TC-11 International Information Security Conference, Karlstad University, Sweden; www.sec2006.org
5/22/06- 5/24/06: I-NetSec, 4th Working Conference on Privacy and Anonymity in Networked and Distributed Systems, Karlstad, Sweden; http://www.sec2006.org/index.php?INETWS=true
5/30/06- 6/ 3/06: USENIX, USENIX Annual Technical Conference Boston, MA; http://www.usenix.org/events/usenix06/index.html
6/ 5/06- 6/ 7/06: SUTC, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan; http://sutc2006.asia.edu.tw/
6/ 6/06- 6/ 9/06: ETRICS, International Conference on Emerging Trends in Information and Communication Security, Freiburg, Germany; http://www.etrics.org/
6/ 6/06- 6/ 9/06: ACNS, 4th International Conference on Applied Cryptography and Network Security, Singapore; http://acns2006.i2r.a-star.edu.sg/
6/10/06: PLAS, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada; http://www.cis.upenn.edu/~stevez/plas06.html
6/19/06- 6/20/06: EUROPKI, 3rd European PKI workshop: theory and practice, Turin, Italy; http://security.polito.it/europki2006
6/26/06: TSPUC, 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Buffalo, NY; http://www.usenix.org/events/usenix06/index.html
6/26/06- 6/28/06: WEIS, 5th Workshop on the Economics of Information Security, University of Cambridge, UK; http://www.cl.cam.ac.uk/~twm29/WEIS06/
6/28/06- 6/30/06: PET, 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, UK; http://petworkshop.org/2006/
7/ 3/06- 7/ 5/06: ACISP, 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia; http://acisp2006.it.deakin.edu.au/
7/ 5/06- 7/ 7/06: CSFW, 19th IEEE Computer Security Foundations Workshop, Venice, Italy; http://www.dsi.unive.it/CSFW19
7/10/06- 7/12/06: IHW, 8th Information Hiding Workshop, Alexandria, VA; http://ih2006.jjtc.com/
7/13/06- 7/14/06: DIMVA, 3rd GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2006
7/16/06- 7/21/06: CEC, IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada; http://kolmogorov.seg.inf.uc3m.es/
7/25/06- 7/28/06: IFMIP, 5th International Forum on Multimedia and Image Processing, Special Sessions on Information Security and Hardware Implementations, Budapest, Hungary; http://wacong.org
7/27/06- 7/28/06: CEAS, 3rd Conference on Email and Anti-Spam, Mountain View, CA; http://www.ceas.cc/2006/cfp.html
7/31/06- 8/ 2/06: DBSEC, 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sophia Antipolis, France; http://cimic.rutgers.edu/ifip113/2006
7/31/06- 8/ 4/06: USENIX Security, 15th USENIX Security Symposium, Vancouver, B.C., Canada; http://www.usenix.org/events/sec06/
8/ 1/06- 8/ 4/06: SecUbiq, 2nd International Workshop on Security in Ubiquitous Computing Systems, Seoul, Korea; http://www.sitacs.uow.au/secubiq06/
8/30/06- 9/ 2/06: ISC, 9th Information Security Conference, Pythagoras, Greece; http://www.aegean.gr/ISC06
9/ 4/06- 9/ 8/06: TrustBus, 3rd International Conference on Trust, Privacy and Security of Digital Business, Krakow, Poland; http://www.icsd.aegean.gr/trustbus06

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

International Journal of Networks and Security (IJSN), Special Issue on
Cryptography in Networks, December 2006.
http://www.uow.edu.au/~ymu/ijsn/ (Submissions due 1 March 2006)

Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Guang Gong
(University of Waterloo, Canada), Atsuko Miyaji (JAIST, Japan), Phi
Joong Lee (Pohang Univ. of Science & Technology, Korea), Yi Mu (Univ.
of Wollongong, Australia), David Pointcheval (Ecole Normale Supérieure,
France), Josef Pieprzyk (Macquarie Univ., Australia), Tsuyoshi Takagi
(Future Univ. - Hakodate, Japan), Jennifer Seberry (Univ. of
Wollongong, Australia), Willy Susilo (Univ. of Wollongong, Australia),
and Huaxiong Wang (Macquarie Uni., Australia)

Cryptography plays a key role in network security. Advances of
cryptography can make computer networks more secure. Computer
technologies have been pushing forward computer networks for high speed
and broad bandwidth. Therefore, new cryptographic methods and tools
must follow up in order to adapt to these new technologies. Recent
attacks on computer networks, especially on IEEE 802.11 and IEEE
802.15, are increasing, since underlying radio communication medium for
wireless network provides serious exposure to attacks against wireless
networks. Security must be enforced to suit the emerging technologies.
This Special Issue aims to provide a platform for security researchers
to present their newly developed cryptographic technologies in network
security.
Areas of interest for this special journal issue include, but are not
limited to, the following topics:
 - Ad hoc network security
 - Anonymity in networks
 - Authentication in network and wireless systems
 - Cryptographic algorithms and their applications to network security
 - Cryptanalysis of network security schemes
 - Encryption in network and wireless systems
 - Email security
 - Data integrity
 - Fast cryptographic algorithms and their applications
 - Identity-based cryptography in network and mobile applications
 - IP security
 - Key management
 - Multicast security
 - Mobile and wireless system security
 - Privacy protection
 - Security group communications
 - Security in internet and WWW
 - Security in Peer-to-Peer networks
 - Secure routing protocols
 - Security in sensor networks

-------------------------------------------------------------------------

Journal of Machine Learning Research, Special Issue on Machine Learning
for Computer Security, 2006.
http://www.cs.fit.edu/~pkc/mlsec/ (Submissions due 15 March 2006)

Guest editors: Philip Chan (Florida Tech) and Richard Lippmann (MIT
Lincoln Lab)

As computers have become more ubiquitous and connected, their security
has become a major concern. Of interest to this special issue is
research that demonstrates how machine learning (or data mining)
techniques can be used to improve computer security. This includes
efforts directed at improving security of networks, hosts, and
individual applications or computer programs.
Research can have many goals including, but not limited to, authenticating users, characterizing the system being protected, detecting known or unknown vulnerabilities that could be exploited, using software repositories as training data to find software bugs, preventing attacks, detecting known and novel attacks when they occur, analyzing recently detected attacks, responding to attacks, predicting attacker actions and goals, performing forensic analysis of compromised systems, and analyzing activities seen in honey pots and network "telescopes" or "black holes." Of special interest are studies that use machine learning techniques, carefully describe their approach, evaluate performance in a realistic environment, and compare performance to existing accepted approaches. Studies that use machine learning techniques or extend current techniques to address difficult security-related problems are of most interest. It is expected that studies will have to address many classic machine learning issues including feature selection, feature construction, incremental/online learning, noise in the data, skewed data distributions, distributed learning, correlating multiple models, and efficient processing of large amounts of data.
-------------------------------------------------------------------------
USENIX 2006 USENIX Annual Technical Conference, Boston, MA, USA, May 30-June 3, 2006.
http://www.usenix.org/events/usenix06/index.html
(Submissions due 17 January 2006)

The 2005 USENIX Annual Technical Conference General Session Program Committee seeks original and innovative papers that further the knowledge and understanding of modern computing systems, with an emphasis on practical implementations and experimental results. We encourage papers that break new ground or present insightful results based on experience with computer systems.
The USENIX conference has a broad scope, and we encourage papers in a wide range of topics in systems, including:
- Architectural interaction
- Benchmarking
- Deployment experience
- Distributed and parallel systems
- Embedded systems
- Energy/power management
- File and storage systems
- Networking and network services
- Operating systems
- Reliability, availability, and scalability
- Security, privacy, and trust
- Self-managing systems
- Usage studies and workload characterization
- Virtualization
- Web technology
- Wireless and mobile systems
-------------------------------------------------------------------------
TSPUC 2006 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Buffalo, NY, USA, June 26, 2006.
http://www.iit.cnr.it/TSPUC2006/
(Submissions due 17 January 2006)

This workshop aims at focussing the attention of the research community on the increasing complexity and relevance of trust, privacy and security issues in ubiquitous computing. Papers may present theory, applications or practical experiences on topics including, but not limited to:
- key establishment and key distribution
- access control models, policies and mechanisms
- trust and reputation management
- privacy and identity management
- digital assets management
- context/location aware computation
- self-organizing networks and communities
- intrusion and anomaly detection
- secure user-device interfaces
- distributed consensus in the presence of active adversaries
- analysis/simulation/validation techniques
- handling emergent properties
- phishing
- attacks and countermeasures
- case studies
-------------------------------------------------------------------------
DeSeGov 2006 Workshop on Dependability and Security in e-Government, Held in conjunction with the 1st International Conference on Availability, Reliability and Security (ARES 2006), Vienna, Austria, April 20-22, 2006.
http://www.ares-conf.org/?q=DeSeGov
(Submissions due 20 January 2006)

The aim of this workshop is to foster a forum for discussing and presenting recent research results on dependability and security in e-Government applications. Scientific rigor and discussions of state of the art of dependability and security in e-Government are strongly encouraged. Besides, innovative research work in progress and studies of dependability aspects of practical e-Government projects and systems implementation are also welcome. Topics of interest include, although not limited to, the following:
- Trust and security: provisions and instruments
- Online availability of public services
- Service survivability and maintainability
- Interoperability of services
- Security in e-democracy (including e-participation and e-voting)
- E-justice (administration and workflow security for legal processes)
- Secure federating information access (from different government and third party agencies)
- Security and reliability in media integration
- Secure e-government and Identity Management
- Security and reliability of Smart Card System
- Availability and reliability of mobile services
- Data protection and data privacy (e.g. e-health and e-education)
- Intrusion detection and prevention
- Anti-spam legislation and solution
- Public-private-partnerships management
- Role-based management and usage restriction
-------------------------------------------------------------------------
CSFW 2006 19th IEEE Computer Security Foundations Workshop, Venice, Italy, July 5-7, 2006.
http://www.dsi.unive.it/CSFW19/
(Submissions due 30 January 2006)

For nearly two decades, CSFW has brought together a small group of researchers to examine foundational issues in information security. Many seminal papers and techniques were first presented at CSFW. We are interested in new theoretical results in computer security, but also in more exploratory presentations.
Exploratory work may examine open questions and raise fundamental concerns about existing theories. Panel proposals are welcome as well as papers. Possible topics include, but are not limited to:
- Authentication
- Information flow
- Security protocols
- Anonymity and Privacy
- Electronic voting
- Network security
- Resource usage control
- Access control
- Trust and trust management
- Security models
- Intrusion detection
- Data and system integrity
- Database security
- Distributed systems security
- Security for mobile computing
- Executable content
- Decidability and complexity
- Formal methods for security
- Language-based security
-------------------------------------------------------------------------
CEC 2006 IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada, July 16-21, 2006.
http://kolmogorov.seg.inf.uc3m.es/
(Submissions due 31 January 2006)

Techniques taken from the field of Evolutionary Computation (especially Genetic Algorithms, Genetic Programming, Artificial Immune Systems, but also others) are steadily gaining ground in the area of cryptology and computer security. The special session encourages the submission of novel research at all levels of abstraction (from the design of cryptographic primitives through to the analysis of security aspects of "systems of systems").
-------------------------------------------------------------------------
EUROPKI 2006 3rd European PKI workshop: theory and practice, Turin, Italy, June 19-20, 2006.
http://security.polito.it/europki2006
(Submissions due 31 January 2006)

The 3rd European PKI workshop: theory and practice is focusing on research and applications on all aspects of public-key certificates and Public Key Infrastructures.
Submitted papers may present theory, applications or practical experiences on topics including, but not limited to:
- Modelling and Architecture
- Bridge CA
- Cross Certification
- Directories
- Mobile PKI
- Authentication
- Reliability in PKI
- Certificate Policy
- Privacy
- Fault-Tolerance in PKI
- Privilege Management and PMI
- PKI Performance Evaluation
- eCommerce, eBusiness, eGovernment applications
- Key Management and Recovery
- Certificate Status Information
- Interoperability
- Repository Protocols
- Timestamping
- Verification
- Standards
- Certification Practice Statements
- Legal issues, Policies & Regulations
- Case Studies
- Trust
-------------------------------------------------------------------------
USENIX Security 2006 15th USENIX Security Symposium, Vancouver, B.C., Canada, July 31-August 4, 2006.
http://www.usenix.org/events/sec06/
(Submissions due 1 February 2006)

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography. The Symposium will span five days: a training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions. New in 2006, a workshop, titled Hot Topics in Security (HotSec '06), will be held in conjunction with the main conference. More details will be announced soon on the USENIX Web site.
-------------------------------------------------------------------------
ACISP 2006 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia, July 3 - 5, 2006.
http://acisp2006.it.deakin.edu.au/
(Submissions due 13 February 2006)

Original papers pertaining to all aspects of information security and privacy are solicited for submission to the 11th Australasian Conference on Information Security and Privacy (ACISP 2006). Papers may present theory, techniques, applications and practical experiences on a variety of topics. Topics of interest include, but are not limited to:
- Cryptology
- Mobile communications security
- Database security
- Authentication and authorization
- Secure operating systems
- Intrusion detection
- Access control
- Security management
- Security protocols
- Network security
- Secure commercial applications
- Privacy Technologies
- Smart cards
- Key management and auditing
- Mobile agent security
- Risk assessment
- Secure electronic commerce
- Privacy and policy issues
- Copyright protection
- Security architectures and models
- Evaluation and certification
- Software protection and viruses
- Computer forensics
- Distributed system security
- Phishing attacks and countermeasures
-------------------------------------------------------------------------
TrustBus 2006 3rd International Conference on Trust, Privacy and Security of Digital Business, Held in conjunction with the 17th International Conference on Database and Expert Systems Applications (DEXA 2006), Krakow, Poland, September 4-8, 2006.
http://www.icsd.aegean.gr/trustbus06/
(Submissions due 22 February 2006)

TrustBus'06 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems.
We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to:
- Anonymity and pseudonymity in business transactions
- Business architectures and underlying infrastructures
- Common practice, legal and regulatory issues
- Cryptographic protocols
- Delivery technologies and scheduling protocols
- Design of businesses models with security requirements
- Economics of Information Systems Security
- Electronic cash, wallets and pay-per-view systems
- Enterprise management and consumer protection
- Identity and Trust Management
- Intellectual property and digital rights management
- Intrusion detection and information filtering
- Languages for description of services and contracts
- Management of privacy & confidentiality
- Models for access control and authentication
- Multimedia web services
- New cryptographic building-blocks for e-business applications
- Online transaction processing
- PKI & PMI
- Public administration, governmental services
- P2P transactions and scenarios
- Real-time Internet E-Services
- Reliability and security of content and data
- Reliable auction, e-procurement and negotiation technology
- Reputation in services provision
- Secure process integration and management
- Security and Privacy models for Pervasive Information Systems
- Security Policies
- Shopping, trading, and contract management tools
- Smartcard technology
- Transactional Models
- Trust and privacy issues in mobile commerce environments
- Usability of security technologies and services
-------------------------------------------------------------------------
SecUbiq 2006 2nd International Workshop on Security in Ubiquitous Computing Systems, Seoul, Korea, August 1-4, 2006.
http://www.sitacs.uow.au/secubiq06/
(Submissions due 22 February 2006)

Ubiquitous computing technology provides an environment where users expect to access resources and services anytime and anywhere. Serious security risks and problems arise because resources can now be accessed by almost anyone with a mobile device in such an open model. Security threats exploit weaknesses in protocols as well as operating systems, and also extend to attacks on ubiquitous applications. Security issues such as authentication, access control, trust management, privacy and anonymity should be fully addressed. This workshop provides a forum for academic and industry professionals to discuss recent progress in the area of ubiquitous computing system security, and includes studies on analyses, models and systems, new directions, and novel applications of established mechanisms approaching the risks and concerns associated with the utilization and acceptance of ubiquitous computing devices and systems.
Topics of interest include, but are not limited to:
- Access control
- Ad hoc and sensor network security
- Buffer overflows
- Commercial and industrial security
- Cryptographic algorithms and protocols
- Data privacy and trustiness
- Digital signatures
- Distributed denial of service attacks
- Information hiding and multimedia watermarking in distributed systems
- Internet and web security
- Intrusion detection and protection systems
- Key management and authentication
- Mobile codes security
- Network security issues and protocols
- Privacy and anonymity
- Privacy issues in the use of smart cards and RFID systems
- Security in e-commerce and e-business and other applications
- Security in P2P networks and Grid computing
- Security in distributed and parallel systems
- Software security
- Trust management
-------------------------------------------------------------------------
ISC 2006 9th Information Security Conference, Pythagoras, Greece, August 30 - September 2, 2006.
http://www.aegean.gr/ISC06
(Submissions due 1 March 2006)

ISC is an annual international conference covering research in and applications of Information Security. ISC aims to attract high quality papers in all technical aspects of information security.
Topics of interest include, but are not limited to, the following:
- Access Control
- Accounting and Audit
- Anonymity and Pseudonymity
- Applied Cryptography
- Authentication and Non-repudiation
- Biometrics
- Cryptographic Protocols
- Database and System Security
- Design and Analysis of Cryptographic Algorithms
- Digital Rights Management
- eCommerce, eBusiness and eGovernment Security
- Foundations of Computer Security
- Grid Security
- Identity and Trust Management
- Information Flow
- Information Hiding and Watermarking
- Infrastructure Security
- Intrusion Detection and Prevention
- Mobile, Ad Hoc and Sensor Network Security
- Network and Wireless Network Security
- Peer-to-Peer Network Security
- PKI and PMI
- Privacy
- Security and Privacy Economics
- Security and Privacy in IT Outsourcing
- Security and Privacy in Pervasive and Ubiquitous Computing
- Security Verification
- Security for Mobile Code
- Security Modeling and Architecture
- Trusted Computing
- Security Models for Ambient Intelligence environments
- Usable Security
-------------------------------------------------------------------------
DBSEC 2006 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sophia Antipolis, France, July 31-August 2, 2006.
http://cimic.rutgers.edu/ifip113/2006/
(Submissions due 1 March 2006)

The conference provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are solicited. The conference is limited to about forty participants so that ample time for discussion and interaction may occur. Proceedings will be published by Springer as the next volume in the Research Advances in Database and Information Systems Security series.
Papers may present theory, techniques, applications, or practical experience on topics of interest of IFIP WG11.3:
- Access Control
- Application level attacks and intrusion detection
- Applied cryptography in data security
- Identity theft and countermeasures
- Integrity maintenance
- Intrusion tolerance and trusted recovery
- Knowledge discovery and privacy
- Organizational security
- Privacy and privacy-preserving data management
- Secure transaction processing
- Security assessment, planning and administration
- Secure information integration
- Secure sensor information processing
- Threats, vulnerabilities, and risk management
- Trust management
- Web services/application security
- Secure Semantic Web
-------------------------------------------------------------------------
PET 2006 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, United Kingdom, June 28 - June 30, 2006.
http://petworkshop.org/2006/
(Submissions due 3 March 2006)

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior. Approaches to protecting individuals, groups, but also companies and governments from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. This 6th workshop addresses the design and realization of such privacy services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.
Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Censorship resistance
- Pseudonyms, identity management, linkability, and reputation
- Data protection technologies
- Location privacy
- Privacy in Ubiquitous Computing Environments
- Policy, law, and human rights relating to privacy
- Privacy and anonymity in peer-to-peer architectures
- Economics of privacy
- Fielded systems and techniques for enhancing privacy in existing systems
- Protocols that preserve anonymity/privacy
- Privacy-enhanced access control or authentication/certification
- Privacy threat models
- Models for anonymity and unobservability
- Attacks on anonymity systems
- Traffic analysis
- Profiling and data mining
- Privacy vulnerabilities and their impact on phishing and identity theft
- Deployment models for privacy infrastructures
- Novel relations of payment mechanisms and anonymity
- Usability issues and user interfaces for PETs
- Reliability, robustness and abuse prevention in privacy systems
-------------------------------------------------------------------------
PLAS 2006 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, June 10, 2006.
http://www.cis.upenn.edu/~stevez/plas06.html
(Submissions due 3 March 2006)

The goal of PLAS 2006 is to provide a forum for researchers and practitioners to exchange and understand ideas and to seed new collaboration on the use of programming language and program analysis techniques that improve the security of software systems.
The scope of PLAS includes, but is not limited to:
- Language-based techniques for security
- Program analysis and verification (including type systems and model checking) for security properties
- Compiler-based and program rewriting security enforcement mechanisms
- Security policies for information flow and access control
- High-level specification languages for security properties
- Model-driven approaches to security
- Applications, examples, and implementations of these security techniques
-------------------------------------------------------------------------
WEIS 2006 5th Workshop on the Economics of Information Security, University of Cambridge, England, June 26-28, 2006.
http://www.cl.cam.ac.uk/~twm29/WEIS06/
(Submissions due 20 March 2006)

One of the most exciting and rapidly-growing fields at the boundary between technology and the social sciences is the economics of information security. Many security and privacy failures are not purely technical: for example, the person best placed to protect a system may be poorly motivated if the costs of system failure fall on others. Many pressing problems, such as spam, are unlikely to be solved by purely technical means, as they have economic and policy aspects too. Building dependable systems also raises questions such as open versus closed systems, the pricing of vulnerabilities and the frequency of patching. The `economics of bugs' are of growing importance to both vendors and users. Original research papers are sought for the Fifth Workshop on the Economics of Information Security. Topics of interest include the dependability of open source and free software, the interaction of networks with crime and conflict, the economics of digital rights management and trusted computing, liability and insurance, reputation, privacy, risk perception, the economics of trust, the return on security investment, and economic perspectives on spam.
-------------------------------------------------------------------------
CEAS 2006 3rd Conference on Email and Anti-Spam, Mountain View, CA, USA, July 27-28, 2006.
http://www.ceas.cc/2006/cfp.html
(Submissions due 23 March 2006)

The Conference on Email and Anti-Spam (CEAS) invites short and long paper submissions on research results pertaining to a broad range of issues in email and Internet communication. Submissions may address issues relating to any form of electronic messaging, including traditional email, instant messaging, mobile telephone text messaging, and voice over IP. Issues of interest include the analysis and abatement of abuses (such as spam, phishing, identity theft, and privacy invasion) as well as enhancements to and novel applications of electronic messaging.

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium

The 2005 Symposium proceedings are available for $25 plus shipping and handling. The 2004 proceedings are $20 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.
______________________________________________________________________
TC Officer Roster
______________________________________________________________________
Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+ 1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

2006 SRSP Conference Treasurer:
Terry Benzel
USC ISI
4676 Admiralty Way
Marina Del Rey, CA 90292
tbenzel@isi.edu
(310) 822-1511
(310) 823-6714 (fax)

Newsletter Editor & 2006 SRSP General Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org
________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year