CIPHER

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 78                                              June 3, 2007

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Technical Committee Annual Report
 * Commentary and Opinion and News
     o Richard Austin's review of "Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI", by D. Herrmann
     o NIST Announcement of Public Comments on Proposed Cryptographic Hash Function Competition
     o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
     o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The 28th IEEE Security and Privacy Symposium was held May 20-23, and it was a great celebration of past and current research.
Peter Neumann was the keynote speaker (see his presentation at http://www.csl.sri.com/neumann/ssp07.pdf), and he anchored the conference in its early roots, following through to the present. All participants got a CD with all the papers from the entire history of the conference, making it possible for them to form their own impressions of the history of the field. Please note that the CD is for sale as described in this issue.

The food and drink at the Symposium were excellent, making the social events particularly enjoyable. There is a report from the business meeting in this issue.

Richard Austin, recently retired, has contributed a book review for this issue, delineating the virtues of "Complete Guide to Security and Privacy Metrics" by D. Herrmann.

The pressures of the Symposium contributed to the lateness of Cipher this month. By July we should have additional information about the program, some issues raised during the business meeting, and any noteworthy events affecting security and privacy in our electronic world. For the time being, enjoy the controversy surrounding Google's maps and photos --- when do accessibility and transparency become surveillance?

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Technical Committee Annual Business Meeting, May 21, 2007
====================================================================

Technical Committee on Security and Privacy
Annual Meeting, Unofficial Minutes
Claremont Resort, Oakland/Berkeley, California

Jon Millen called the meeting to order at 5:45pm.
The registration chair, Yong Guan, presented the registration information for the last several years:

Registrations by Category and Year

                          2007   2006   2005   2004   2003
  Early
    IEEE members            88     67     47     64     42
    Non-members             53     45     35     40     34
    Students                53     57     55     44     37
  Late
    IEEE members            22     28     21     19     34
    Non-members             12     27     19     14     27
    Students                20     28     19     20     21
  Totals                   248    252    196    201    195

  Workshop (2007)
  Early
    IEEE members            21
    Non-members             14
  Late
    IEEE members             2
    Non-members              3
  Total                     40

Guan noted that in 2007 a lot more people registered on or before April 23 (the early registration deadline): 194 (77%), compared with 169 in 2006 and 137 in 2005. Another notable fact is that in each year from 2003 to 2007 we have had 80-140 attendees who had not attended in previous years.

Terry Benzel reported on the finances of the Security and Privacy Symposium. Donations from Microsoft Research and the National Science Foundation helped fund several student travel grants. The surplus was less than in recent years due to several factors, including a larger number of registrants with IEEE membership and a larger number of early registrants taking advantage of the lower fees.

Election of next TC Vice Chair (Jon Millen; TC nomination is Hilarie Orman)

Hilarie Orman was nominated by the TC and elected by what appeared to be a unanimous vote. [Ed. TC terms begin and end on calendar year boundaries, so the new term begins next year.]

Computer Society Issues (Cynthia Irvine)

- IEEE Computer Society report

C. Irvine attended the IEEE OpCOM/TAB meeting in Los Angeles on 15 May. It is clear that the Computer Society is losing money. This is a result of the relationship the IEEE has with its societies. Because of its size, the Computer Society provides substantial income to the IEEE; however, its funding allocation from the IEEE is insufficient to cover expenses. A discussion regarding the cost to the TC on S&P of its association with the Computer Society ensued.
It was pointed out that a major benefit of the affiliation is the use of the IEEE name, which for academics is quite important, and the insurance available for conferences. It was noted that the charges for conferences will change on 1 June. A study by another TC indicates that small conferences may incur deficit spending, while large conferences will profit. The S&P Symposium is likely to see little change.

There was a discussion, initiated by Carl Landwehr, regarding cooperation with the IEEE Security and Privacy magazine, of which he is an associate editor in chief. It was suggested that a subscription option be included in the S&P registration. Hilarie Orman was charged with exploring the alternatives with Carl Landwehr and reporting to the TCSP through Cipher. [Ed. Next year conference attendees will probably have the opportunity to subscribe to the magazine at the same time as they register for the conference.]

- Task Force on Information Assurance

There was a discussion on the relationship of the Technical Committee with the Computer Society's Task Force on Information Assurance. As a result, Irvine was charged to engage the TF leadership in a discussion regarding a merger.

Policy on duplicate submissions (Patrick McDaniel)

P. McDaniel noted that the number of duplicate submissions (viz., simultaneous submission of the same paper to different conferences with overlapping review periods) appears to be on the rise and is both a burden to review committees and a threat to fairness. The current policy is to reject duplicate submissions if they are detected, and the way this is usually detected is by the happenstance of an alert reviewer who also serves as a reviewer for another conference. It was suggested that statistics were needed before the TC could develop a new policy on eliminating duplicate submissions.

The 2009-2011 Claremont contract (Deborah Shands)

D. Shands has been negotiating with the Claremont to develop a contract for the 2009-2011 conferences.
The Claremont has given us a sequence of proposals, the last of which appears to be in the ballpark of what we want. We have considered moving the conference to other locations. At the 2006 business meeting, we invited attendees with an interest in other locations to acquire a proposal from another hotel before the business meeting in 2007. We have received no proposals. D. Shands enlisted the help of the IEEE Computer Society's contracting group to pursue the contract negotiations. Note that this is one of the services that the IEEE Computer Society provides to conference organizers.

Student travel grants (Patrick McDaniel)

Several student travel grants were funded thanks to the generosity of several sponsors, including the National Science Foundation, Microsoft Research, and the Technical Committee. These were a big success and the TC hopes to have at least this number for the 2008 meeting.

Options for new S&P organizing committee positions:
  - separate publications/CD chair
  - separate fund-raising chair
  - others?
And a plea for volunteers. Contact the 2008 General Chair (Yong Guan).

Next year's S&P organizing committee:
  General Chair: Yong Guan
  Registration and Publicity Chair: David Du
  Treasurer/Finance Chair: David Shambroom
  Program Committee Chair: Patrick McDaniel
  Program Committee Chair: Avi Rubin

Technical Committee positions:
  General Chair Emeritus: Deborah Shands (automatic)
  Technical Committee Treasurer: TBD
  Cipher editor, webmaster: Currently both positions are held by Hilarie Orman; replacements will be considered. Apply to the Technical Committee through Jon Millen.
====================================================================
Commentary and Opinion and News
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
May 24, 2007
____________________________________________________________________

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
by D. Herrmann
Auerbach: Boca Raton 2007.
ISBN 978-0-8493-5402-1
Amazon $119.95 (USD)

Is there a number for that?

"When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge of it is of a meager and unsatisfactory kind" --- Sir William Thomson, Lord Kelvin

We live in a society obsessed with numeracy but work in a field where meaningful numbers are hard to come by. It is particularly challenging for security professionals because a perfectly effective security program produces no visible results, as nothing untoward happens. There are no virus outbreaks, no hacker intrusions, no disclosures of confidential information, and business pretty much just runs the way it's supposed to. This leaves the Chief Information Security Officer (CISO) in a quandary when she approaches the corporate coffers with a budget request, only to find herself in the position of the fellow who religiously beat a gong for two hours outside his suburban home at 6:00AM every morning, much to the irritation of his neighbors. When local law enforcement arrived to inquire regarding his reasons for disturbing the peace in this raucous fashion, he replied that he was keeping tigers away.
The puzzled patrolman replied, "There aren't any tigers around here," only to be met with a beatific smile and "See how well it's working!!"

Equally troublesome issues arise when the CISO looks at her own operations to assess effectiveness, proper allocation of resources and needs for new technologies. Without a realistic way to measure effectiveness, she is left with vague (and largely indefensible) notions of how well the program is working and where efforts should be focused next. The subject of this month's review offers a roadmap for moving from a "meager and unsatisfactory" knowledge of our security efforts to one backed by meaningful metrics.

Your humble correspondent admits to an instinctive cringe when anything crosses his desk with the words "complete guide" in its title, but within its 800+ pages and some 900 metrics, this book makes a noble effort at surveying the entire landscape of security and privacy metrics. Laudably and immediately, Dr. Herrmann points out in her introduction a glaring limitation of many books on IT security: it doesn't function in a vacuum and must embrace the related domains of physical, personnel and operational security. Embracing that single insight would better many organizations' efforts at securing their information.

The introduction continues to map out her approach to organizing the metrics into compliance, resilience and ROI metrics, culminating in a 4-page table that organizes the 900+ metrics into those categories (with numeric designations that are carried through in later chapters to the individual metrics). This table provides an excellent starting point for reading the book and also allows quick identification of the particular sections most relevant to a reader's interests. However, under no circumstances should you skip chapter 2, which provides valuable directions on how measurement works and what goes into producing a useful metric.
The discussion covers such basics as the measurement scales (nominal, ordinal, etc.), the types of operations appropriate to measurements on each scale and the characteristics of a useful metric (accuracy, precision, validity and correctness). Paying attention to these matters will help avoid the more egregious errors such as those inflicted on us by the marketing departments of the various security product vendors. She introduces Victor Basili's useful GQM (Goal, Question, Metric) approach, which will appear again in the following two chapters. The chapter concludes with a useful survey of terms and their meanings as they will be used throughout the book. On the down side, this chapter is replete with acronyms. Most are decoded in the glossary, but a wise reader will keep a cheat sheet of their meanings and avoid a great deal of flipping back and forth.

The next three chapters form the real meat of the book. Each chapter follows the form of an introductory exposition on the topic (Compliance, Resilience or ROI), the chapter's overall GQM (except for chapter 4) and then an in-depth development of the metrics for that topic. Metrics are not just listed in endless tables but are developed within the framework of the discussion, so that there is little question as to where a metric came from or its relevance to the topic.

Chapter 3 on compliance metrics contains one of the most complete and concise expositions of the bewildering landscape of legal and regulatory mandates (and their implications) that I have ever encountered. If we awarded meritorious service medals for authors, then I think Dr. Herrmann deserves one for wading through the arid text of the laws and regulations to distill their meaning into something understandable and usable by mere mortals. However, an evolving regulatory landscape may rapidly date the details, with the lasting value remaining in how the approach developed meaningful metrics to match the current regulatory environment.
Chapter 4 addresses measuring resiliency (the ability of an infrastructure to maintain essential services and protect assets while repelling attacks and minimizing loss of integrity) across all four domains and develops a solid basis for each metric as it is developed. Again, the user of these metrics will have a clear understanding of their relevance and the reasons for their choice in assessing a particular program.

Chapter 5 addresses the thorny issue of ROI for security investments and is the shortest of the "meat" chapters. Herrmann immediately makes the important point that ROI does not always equate to increasing profit but often needs to measure increased efficiency, reduction/avoidance of costs and prevention of losses. She provides clear guidance on troubling issues such as how to merge best/worst case estimates into a single number when evaluating costs, asset values and losses. An added bonus is that the illustrations are in the nature of tables that can be easily customized and mapped into a spreadsheet application for immediate use.

In summary, this is not a book that you'll be likely to read from cover to cover, but when faced with the necessity of developing a metrics program to measure the effectiveness of some aspect of your security efforts, this rather imposing tome is one I would heartily recommend as a way to jumpstart your efforts. The master table in the introduction provides a quick guide to the particular section most relevant to the reader's needs, but I earnestly recommend that the first two chapters ("Introduction" and "The Whats and Whys of Metrics") be reviewed before diving immediately into the details.

------
Richard Austin recently retired from his position as storage security architect for a Fortune 25 company, but his curmudgeonly nature has survived the transition and will serve him well in his future efforts as a university instructor and consultant.
He can be reached at rda7838@kennesaw.edu and welcomes comments on this review as well as suggestions for future reviews.

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
Public comments on the hash algorithm requirements and evaluation criteria posted online
Shu-jen Chang
____________________________________________________________________

Public comments on the hash algorithm requirements and evaluation criteria (see Federal Register Notice Vol. 72, No. 14, January 23, 2007) are now available for review at http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html

For other information related to NIST's hash algorithm competition, please visit http://www.nist.gov/hash-function

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

(sorry, no detailed CFP's this month)

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

 5/31/07: Workshop on Internet Communications Security (WICS), Regensburg, Germany; Submissions are due; http://aspects.uc3m.es/wics07
 5/31/07: International School on Foundations of Security Analysis and Design (FOSAD), Bertinoro, Italy; Submissions are due; http://www.sti.uniurb.it/events/fosad07
----
 6/ 1/07: ASIACRYPT, Kuching, Sarawak, Malaysia; Submissions are due; info: asiacrypt2007@iacr.org; http://www.swinburne.edu.my/asiacrypt2007/
 6/ 3/07: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida; Submissions are due; http://www.acsac.org/
 6/ 4/07: Security Issues in Concurrency (SecCo), Lisboa, Portugal; Submissions are due; http://www.dsi.uniroma1.it/~gorla/SecCo07/
 6/ 4/07: Information and Communications Security Standards and Regulations (StaR_SEC), Alexandria, VA; Submissions are due; info: StaR_SEC_2007@aegean.gr; http://www.aegean.gr/StaR_SEC_2007
 6/ 5/07- 6/ 8/07: Applied Cryptography and Network Security (ACNS), Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/
 6/ 6/07: Quality of Protection (QoP), Alexandria, VA; Submissions are due; http://www.qop-workshop.org
 6/ 7/07- 6/ 8/07: Economics of Information Security (WEIS), Pittsburgh, PA; info: weis-07@andrew.cmu.edu; http://weis2007.econinfosec.org/
 6/10/07: Formal Methods in Security Engineering: From Specifications to Code (FMSE), George Mason University, Fairfax, VA; Submissions are due; http://www.fmis.informatik.tu-darmstadt.de/fmse07/
 6/13/07- 6/15/07: Workshop on Policies (Policy), Bologna, Italy; http://www.policy-workshop.org/2007
 6/14/07: Programming Languages and Analysis for Security (PLAS), San Diego, California; http://www.cs.umd.edu/~mwh/PLAS07/index.html
 6/15/07: Digital Identity Management (DIM), Fairfax, VA; Submissions are due; (no published proceedings); http://www2.pflab.ecl.ntt.co.jp/dim2007/
 6/17/07- 6/22/07: FIRST (FIRST), Seville, Spain; (no published proceedings); info: first-2007papers@first.org; http://www.first.org/conference/2007/
 6/17/07: Workshop on Recurring Malcode (WORM), George Mason University, VA; Submissions are due; http://www.auto.tuwien.ac.at/~chris/worm07.html
 6/17/07: Computer Security Architecture Workshop (CSAW), Fairfax, Virginia; Submissions are due; http://www.rites.uic.edu/csaw
 6/18/07: Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Santa Clara, CA; info: sruti07chair@usenix.org
 6/18/07: ACM Digital Rights Management Workshop (DRM), Alexandria, VA; Submissions are due; http://www.cse.uconn.edu/~drm2007
 6/20/07- 6/22/07: Privacy Enhancing Technologies (PET), Ottawa, Canada; http://petworkshop.org/2007/
 6/20/07- 6/22/07: Information Assurance Workshop (IAW), West Point, New York; info: john.james@usma.edu; http://www.itoc.usma.edu/workshop/2007/index.htm
 6/20/07: Workshop on Scalable Trusted Computing (STC), Alexandria, VA; Submissions are due; http://www.cs.utsa.edu/~shxu/stc07/
 6/20/07: Workshop on Embedded Systems Security (WESS), Salzburg, Austria; (no proceedings, journal publication of some papers); Submissions are due; http://netsys.ece.upatras.gr/emsoft07/
 6/21/07: Workshop on Security and Trust Management (STM), Dresden, Germany; Submissions are due; info: stm07 at item.ntnu.no; http://www.item.ntnu.no/infosik/stm07/
 6/22/07: Workshop on Privacy Aspects of Data Mining (PADM), Omaha, NE; Submissions are due; info: padm@cimic.rutgers.edu; http://cimic.rutgers.edu/~padm
 6/24/07: European Conference on Computer Network Defence (EC2ND), Crete, Greece; Submissions are due; http://2007.ec2nd.org/
 6/25/07- 6/29/07: International Conference on Distributed Computing Systems (ICDCS), Toronto, Canada; info: tsa@eecg.utoronto.ca; http://www.eecg.utoronto.ca/icdcs07
 6/25/07- 6/28/07: Hot Topics in System Dependability (HotDep), Edinburgh, UK; info: chairs@hotdep.org; http://www.hotdep.org/2007
 6/25/07: Secure Information Systems (SIS), Wisla, Poland; Submissions are due; http://www.imcsit.org/
 6/27/07: Assurance Cases for Security: the Metrics Challenge (DSN-WACS), Edinburgh, Scotland; info: ssaydjari at CyberDefenseAgency.com
 6/28/07- 6/30/07: European PKI Workshop: Theory and Practice (EUROPKI), Mallorca, Spain; http://dmi.uib.es/europki07
 6/29/07: Security and Rewriting Techniques (SecReT), Paris, France; info: monica at di dot univaq dot it; http://www.rdp07.org/secret.html
----
 7/ 1/07- 7/ 6/07: Cyber-Fraud (CYBER-FRAUD), San Jose, CA; info: tchen@engr.smu.edu; http://www.iaria.org/conferences2007/CYBERFRAUD.html
 7/ 1/07: Computer Magazine Special Issue, "Security for the Rest of Us"; Submissions are due; info: beznosov@ece.ubc.ca
 7/ 2/07- 7/ 3/07: Security and Privacy in Ad hoc and Sensor Networks (ESAS), Cambridge, England; http://www.netlab.nec.de/esas/
 7/ 2/07- 7/ 5/07: Conference on Risks and Security of Internet and Systems (CRiSIS), Marrakech, Morocco; http://www.crisis2007.org
 7/ 4/07- 7/ 5/07: Workshop on Formal and Computational Cryptography (FCC), Venice, Italy; http://www-verimag.imag.fr/~lakhnech/FCC/
 7/ 6/07- 7/ 8/07: Computer Security Foundations Symposium (CSFS), Venice, Italy; info: focardi AT dsi.unive.it; http://www.dsi.unive.it/CSFW20/
 7/ 8/07- 7/11/07: Working Conference on Data and Applications Security (IFIP WG11.3), Redondo Beach Marina, California; http://www.dcs.kcl.ac.uk/staff/steve/ifip07/index.html
 7/ 9/07- 7/12/07: High Performance Computing, Networking, and Communication Systems (HPCNCS), Orlando, FL; http://www.promoteresearch.org/
 7/11/07- 7/13/07: RFID Security (RFIDSec), Malaga, Spain
 7/12/07- 7/13/07: Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Lucerne, Switzerland; info: info@dimva.org; http://www.dimva.org/dimva2007
 7/12/07- 7/13/07: Advances in Computer Security and Forensics (ACSF), Liverpool, England; info: J.Haggerty@ljmu.ac.uk; http://www.cms.livjm.ac.uk/acsf2/
 7/18/07- 7/20/07: Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/
 7/18/07: Workshop on Usable IT Security Management (USM), Carnegie Mellon University in Pittsburgh, PA; (no proceedings); http://cups.cs.cmu.edu/soups/2007/usm.html
 7/23/07: Nordic Workshop on Secure IT Systems (NordSec), Reykjavik, Iceland; Submissions are due; http://www.ru.is/nordsec2007/
----
 8/ 1/07- 8/ 3/07: Wireless Algorithms, Systems and Applications (WASA), Chicago, IL; http://www.wasaconf.org/index.html
 8/ 6/07- 8/10/07: USENIX Security Symposium (USENIXSEC), Boston, MA; info: sec07chair@usenix.org; http://www.usenix.org/sec07/cfpa/
 8/ 6/07: USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), Boston, Massachusetts; info: evt07chairs@usenix.org
 8/12/07- 8/15/07: Symposium on the Principles of Distributed Computing (PODC), Portland, Oregon; http://www.podc.org/podc2007
 8/13/07- 8/15/07: Digital Forensic Research Workshop (DFRWS), Pittsburgh, PA; http://www.dfrws.org/
 8/19/07- 8/23/07: IACR CRYPTO (CRYPTO), Santa Barbara, CA; http://www.iacr.org/conferences/crypto2007/cfp.html
 8/22/07- 8/24/07: CHINACOM (CHINACOM), Shanghai, China; http://www.chinacom.org
 8/27/07- 8/31/07: ACM Special Interest Group on Communications (SIGCOMM), Kyoto, Japan; info: francis@cs.cornell.edu; http://www.sigcomm.org/sigcomm2007/
 8/27/07- 8/29/07: Workshop on Information Security Applications (WISA), Jeju Island, Korea; http://www.wisa.or.kr
 8/27/07- 8/28/07: Workshop on Digital Forensics and Incident Analysis (WDFIA), Samos, Greece; info: wdfia07@aegean.gr; http://www.aegean.gr/wdfia07
 8/29/07- 8/31/07: Information Assurance and Security (IAS), Manchester, United Kingdom; http://www.ias07.org/
----
 9/ 3/07- 9/ 7/07: Trust, Privacy, and Security in Digital Business (TrustBus), Regensburg, Germany; info: AMin@ifs.tuwien.ac.at; http://www.icsd.aegean.gr/trustbus07/
 9/ 3/07- 9/ 7/07: Workshop on Internet Communications Security (WICS), Regensburg, Germany; http://aspects.uc3m.es/wics07
 9/ 3/07: Security Issues in Concurrency (SecCo), Lisboa, Portugal; http://www.dsi.uniroma1.it/~gorla/SecCo07/
 9/ 5/07- 9/ 7/07: Recent Advances in Intrusion Detection (RAID), Brisbane, Australia; info: g.mohay@qut.edu.au; http://www.isi.qut.edu.au/go/raid07
 9/ 5/07- 9/ 7/07: Workshop on Elliptic Curve Cryptography (ECC), University College Dublin, Ireland; info: gary.mcguire@ucd.ie; http://www.shannoninstitute.ie/conferences.htm
 9/ 9/07- 9/15/07: International School on Foundations of Security Analysis and Design (FOSAD), Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad07
 9/10/07- 9/13/07: Workshop on Cryptographic Hardware and Embedded Systems (CHES), Vienna, Austria; info: pascal.paillier@gemalto.com; http://www.chesworkshop.org/
 9/13/07- 9/15/07: Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), Petersburg, Russia; info: spiiran@mail.iias.spb.su; http://www.comsec.spb.ru/mmm-acns07/
 9/17/07- 9/21/07: Security and Privacy for Communication Networks (SecureComm), Nice, France; http://www.securecomm.org
 9/18/07- 9/21/07: New Security Paradigms Workshop (NSPW), North Conway, New Hampshire; http://www.nspw.org/
 9/20/07: Workshop on Network and System Security (NSS), Dalian, China; info: wanlei@deakin.edu.au; http://nss2007.cqu.edu.au
 9/25/07- 9/27/07: Dependable, Autonomic and Secure Computing (DASC), Columbia, MD; info: mike.hinchey@usa.net; http://www.DASC-conference.org/
 9/26/07: Workshop on Security and Trust Management (STM), Dresden, Germany; info: stm07 at item.ntnu.no; http://www.item.ntnu.no/infosik/stm07/
----
10/ 4/07: Workshop on Embedded Systems Security (WESS), Salzburg, Austria; http://netsys.ece.upatras.gr/emsoft07/
10/ 4/07-10/ 5/07: Anti-Phishing Working Group (APWG) eCrime Researchers Summit (APWG), Pittsburgh, PA; http://www.ecrimeresearch.com/2007/cfp.html
10/ 4/07-10/ 5/07: European Conference on Computer Network Defence (EC2ND), Crete, Greece; http://2007.ec2nd.org/
10/ 9/07-10/12/07: Information Security Conference (ISC), Valparaiso, Chile; info: info@isc07.cl; http://www.isc07.cl
10/11/07-10/12/07: Nordic Workshop on Secure IT Systems (NordSec), Reykjavik, Iceland; http://www.ru.is/nordsec2007/
10/15/07-10/17/07: Secure Information Systems (SIS), Wisla, Poland; http://www.imcsit.org/
10/28/07-10/30/07: Autonomic Computing and Communication Systems (AUTONOMICS), Rome, Italy; http://www.autonomics-conference.eu/
10/28/07: Workshop on Privacy Aspects of Data Mining (PADM), Omaha, NE; info: padm@cimic.rutgers.edu; http://cimic.rutgers.edu/~padm
10/29/07-10/31/07: Workshop on Security (IWSEC), Nara, Japan; info: info@iwsec.org; http://www.iwsec.org/
10/29/07: Quality of Protection (QoP), Alexandria, VA
10/29/07-11/ 2/07: ACM Conference on Computer and Communications Security (CCS), Alexandria, VA; http://www.acm.org/sigsac/ccs/CCS2007
10/29/07: ACM Digital Rights Management Workshop (DRM), Alexandria, VA; http://www.cse.uconn.edu/~drm2007
10/29/07: Information and Communications Security Standards and Regulations (StaR_SEC), Alexandria, VA; info: StaR_SEC_2007@aegean.gr; http://www.aegean.gr/StaR_SEC_2007
----
11/ 2/07: Digital Identity Management (DIM), Fairfax, VA; (no proceedings); http://www2.pflab.ecl.ntt.co.jp/dim2007/
11/ 2/07: Workshop on Recurring Malcode (WORM), George Mason University, VA; http://www.auto.tuwien.ac.at/~chris/worm07.html
11/ 2/07: Computer Security Architecture Workshop (CSAW), Fairfax, VA; http://www.rites.uic.edu/csaw
11/ 2/07: Workshop on Scalable Trusted Computing (STC), Alexandria, VA; http://www.cs.utsa.edu/~shxu/stc07/
11/ 2/07: Formal Methods in Security Engineering: From Specifications to Code (FMSE), George Mason University, Fairfax, VA; http://www.fmis.informatik.tu-darmstadt.de/fmse07/
----
12/ 2/07-12/ 6/07: ASIACRYPT, Kuching, Sarawak, Malaysia; info: asiacrypt2007@iacr.org; http://www.swinburne.edu.my/asiacrypt2007/
12/10/07-12/14/07: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida; http://www.acsac.org/
12/16/07-12/20/07: Information Systems Security (ICISS), Delhi, India; http://siis.cse.psu.edu/iciss07
----
 3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan; http://www.rcis.aist.go.jp/asiaccs08/

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html -------------- This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". 
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, and the 28 year CD is $20.00 (plus shipping and handling). The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
Department of Computer Science
Naval Postgraduate School
1 University Circle
Monterey, CA 93943
jcherzog@nps.edu

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2008 General Chair:
Yong Guan
Iowa State University
oakland08-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year