Electronic CIPHER, Issue 153, January 21, 2020

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 153                                        January 21, 2020

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich                            Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of Computer Security: Art and Science, 2nd edition by Matt Bishop
  o News from the Media
    - User Data, User Privacy: A Framework from NIST
    - Phone Lock Wars Resume
    - Beware the Parameters of Elliptic Certs
    - Your Doorbell and Your Police
    - Home Security Cameras Hacked, Vendor Sued
    - Can Encryption Save IoT?
    - Citrix Patches Zero Day, Government Agencies at Risk
    - Election Hacking, a Compromised Server in 2016 Identified
    - Ukraine Oil Company (documents) to be Leaked?
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This month's newsletter has Sven Dietrich's review of the second edition of Matt Bishop's comprehensive book "Computer Security: Art and Science". As always, "we need some".

The list of upcoming events that have opportunities for publishing research papers is maintained at our online site as always, but we have simplified the format used in the newsletter. If an event catches your interest, follow the link to the event's website, or look at our comprehensive lists with more details on the Cipher website. Yong Guan, our calendar editor, quickly pivoted to the new format for this issue.

We have been publishing Cipher as an online computer security newsletter for over 25 years now. Carl Landwehr started this; he was the first editor, and Paul Syverson and Jim Davis were the subsequent editors before me. Sven Dietrich and Yong Guan have loyally helped keep this venture alive for many years.

Carl Landwehr enlisted my help originally as the online "calendar of events" editor. I did this for quite a while but eventually started looking for someone to take it over. I discovered that security researchers were surprisingly bottom-line oriented, and a few hours per month of admin time was not something they were eager to offer. Thus, I realized that I was spending too much of my own time on the task.
In the next months I wrote a convoluted set of pattern matching expressions for automatically turning a call-for-papers into a formatted piece of html and plain text. That saved me an order of magnitude in processing time. Today, the newsletter itself is constructed largely from automatically generated templates. That gives me time to write the flowery prose in this Editor's Letter each month.

As for computer security itself, the shared interest of the readers of the newsletter, I think that our ability to protect systems is unequal to the task of covering the ever expanding attack surface. As the several news items about the Internet of Things illustrate, the things that are new and popular are the continual enemies of security and privacy. In the digital world, we live on the brink of extinction in the same way that our biosphere holds a delicate balance against the raw forces of chaos.

A Song About the NSA Advisory re Internet Explorer and the CryptoAPI

Your cheating cert,
Had IE fooled.
It missed the point,
And chaos ruled.

The verify,
It all went through,
Your cheating cert,
Rickrolled a few.

When malware hits,
And naught remains,
We'll wish we'd patched,
Our browser's brain.

We'll walk the curve,
And add in vain,
Your cheatin' cert,
Is EC's bane.

(Apologies to Hank Williams, Sr. and the great Patsy Cline)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
01/18/2020
____________________________________________________________________

Computer Security: Art and Science, 2nd edition
by Matt Bishop (with contributions by Elizabeth Sullivan and Michelle Ruppel)
November 2018
Publisher: Addison-Wesley Professional
ISBN-13: 978-0321712332, ISBN-10: 0321712331
1440 pages

Review by Sven Dietrich
January 17, 2020

Matt Bishop's classic "Computer Security: Art and Science" textbook is getting a makeover in this second edition published in 2018. For those familiar with the first edition that came out in 2002, this textbook was often found in rigorous computer security courses starting in the early 2000s. And for a good reason: it prepared many students, both undergraduate and graduate, as well as professionals for the intricacies of computer security as we knew it then.

In this second edition, enhanced by contributions from Elizabeth Sullivan and Michelle Ruppel, Matt Bishop constructs a heavy - yet comprehensive - textbook on computer security with about 300 additional pages to bring it up to 1440 pages. The electronic edition feels so much lighter than its paper counterpart. The book is divided into nine parts, which in total contain 31 chapters and eight appendices, plus a bibliography with over 2200 entries at the end.
The nine parts are, in order, Introduction, Foundations, Policy, Implementation I: Cryptography, Implementation II: Systems, Assurance (contributed by Elizabeth Sullivan and Michelle Ruppel), Special Topics, Practicum, and Appendices. Each chapter typically has illustrations and clear diagrams explaining the various concepts, and at the end a summary, a set of research issues, a list for further reading, and a set of exercises. There is supplementary material on the author's page for the book at UC Davis, including sample chapters, the full bibliography with URLs, slides and errata for the first printing from November 2018 as well as for the electronic edition from July 2019.

Part I, Introduction, has just one chapter that covers an overview of computer security, such as the CIA (no, not the one in Langley, VA or even Hyde Park, NY: we mean Confidentiality, Integrity, and Availability here), threats, assumptions, and trust, operational issues, and human issues.

Part II, Foundations, covers two chapters, Access Control Matrices and Foundational Results. Here the reader learns about basic protection states, protection models (e.g. Take-Grant, Schematic Protection Model) and their expressive power.

Part III on Policy, which contains six chapters, lets the reader explore policies for security and the related policy languages, as well as an example of an academic security policy. The book describes the Bell-LaPadula model and its issues for confidentiality policies, for integrity it touches on the Biba, Clark-Wilson, and other models, for availability it describes some denial-of-service models, and finally some hybrid models such as the Chinese Wall model. Part III is rounded out by the classic concepts of noninterference and policy composition.

Part IV covers "Implementation I: Cryptography" in four chapters. The topics here are basic cryptography, key management, cipher techniques, and authentication in a thorough yet complete treatise. Cipher types, cipher modes, protocols (SSL/TLS, IPsec), and password selection and attacks are among the main topics, complemented by discussions of identity establishment through biometrics and challenge-response mechanisms.

Part V covers "Implementation II: Systems". Here the system-centric view comes into play with design principles (such as least astonishment, least privilege, separation of privilege), identity representation and its meaning (on the computer system vs. the Web) plus anonymity approaches such as Onion Routing, access control mechanisms (access control lists, capabilities, ring-based access control, and propagated access control lists), as well as information flow and its policies. Part V ends with a discussion of the confinement problem with isolation and covert channels.

Part VI is the contributed assurance section by Elizabeth Sullivan and Michelle Ruppel with four chapters on introduction to assurance (the need for assurance, requirements, building secure systems using a Waterfall Life Cycle or Agile Software Development approach), formal methods for verifying systems (such as the older HDM, Gypsy, as well as the current PVS, SMV, and NRL Protocol Analyzer). This part wraps up with an overview (historical in parts) of various evaluation and certification approaches, including FIPS 140, Common Criteria, and the Secure Systems Engineering Capability Maturity Model.

Part VII is on special topics and in five chapters covers malware (e.g. logic bombs, viruses, ransomware) and their defenses, vulnerability analysis (e.g. penetration testing approaches illustrated by a few examples, and the notions of CVEs and CWEs and their classification), auditing (logging, log sanitization, auditing file systems), and intrusion detection (various models such as anomaly, misuse, or specification, architecture, and some examples of intrusion detection systems such as NSM, DIDS, and AAFID). The last chapter covers attacks and responses by illustrating attack representation (e.g. attack graphs and trees), intrusion responses (incident prevention and handling), and digital forensics including anti-forensics.

Part VIII, "Practicum", takes a real-world, practical perspective on four scenarios: network security, systems security, user security, and program security. In each scenario, the reader is engaged in thinking in proper terms (e.g. how does one handle public access, how does one deal with the DMZ or the Cloud, how does one design user groups/classes, how does one consider encrypted email, how does one deal with proper input to programs).

Part IX is a set of eight appendices that provide the reader with background they may not have had elsewhere. The areas covered here are: mathematical background in lattices, the extended Euclidean algorithm, and entropy and uncertainty, virtual machines, symbolic logic, encryption standards, examples of academic security policies, and programming rules.

Overall the book is aimed at advanced undergraduate (computer science) students wishing to learn about computer security, practitioners wanting to dig deeper, or at early graduate students getting into the basics as an on-ramp for more advanced security topics. Matt Bishop did an excellent job with "Computer Security: Art and Science, 2nd edition," covering all the bases needed for a go-to book in the area of computer security. I enjoyed reading it and look forward to having this book readily available on my (virtual?) book shelf.

Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

User Data, User Privacy: A Framework from NIST
NIST Releases Version 1.0 of Privacy Framework
Tool will help optimize beneficial uses of data while protecting individual privacy.
https://www.nist.gov/news-events/news/2020/01/nist-releases-version-10-privacy-framework
January 16, 2020

Summary: Organizations that handle user data can rely on a new document that lays out the principles of collecting and protecting that data. The newly released document is here: NIST's Privacy Framework V1.0, https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf

---------------------------------------

Phone Lock Wars Resume
This Apple-FBI Fight Is Different From the Last One
In 2016 the iPhone encryption debate ended in a draw. Don't count on 2020's scuffle over the Pensacola shooter's devices to play out the same way.
https://www.wired.com/story/apple-fbi-iphone-encryption-pensacola/
Wired 01.16.2020
By Lily Hay Newman

Summary: When the perpetrator of a mass shooting leaves behind an iPhone, the tensions over digital privacy escalate in the aftermath. In the case of the Pensacola shooter, the US government has resumed an argument that it largely lost after the San Bernardino killings. The Department of Justice wants Apple to unlock a phone, but Apple does not have a "backdoor" that allows it. Apple might be able to develop a special operating system and convince the phone to install it, but Apple says that is a dangerous path that could undermine the security of all its phones. In the meantime, private security firms have exploits that will break the security of any iPhone. Indeed, a privately developed hacking method was what the FBI used on the San Bernardino phone.
Apple says that it has given gigabytes of data to DoJ from the cloud storage of the Pensacola phone. DoJ maintains that Apple is uncooperative.

[Ed. Did the FBI ever mention getting any data that was useful to its investigation from the San Bernardino phone?]

---------------------------------------

Beware the Parameters of Elliptic Certs
A Windows 10 Vulnerability Was Used to Rickroll the NSA and Github
A researcher demonstrated the attack less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever.
https://www.wired.com/story/windows-10-vulnerability-rickroll-nsa-github/
Ars Technica 01.16.2020
By Dan Goodin

Summary: Elliptic curve cryptography is based on interesting mathematics and has implementation advantages for signatures of the type that are needed for certificates of trust. NSA found a pernicious bug in the implementation of that cryptography in Microsoft's CryptoAPI. Rather than hoarding it for themselves, they decided to let Microsoft know about the problem (see the NSA advisory here: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF). As a result, users of Internet Explorer really should install the patch immediately. Although it takes some setup activity for an attacker to deploy it, the victim user can be diverted to a fake website despite reassurance from the browser that the website has been properly, cryptographically, verified. The NSA advisory warns: "Certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."

---------------------------------------

Your Doorbell and Your Police
Amazon Doubles Down on Ring Partnerships With Law Enforcement
The company's top hardware executive told WIRED he's "proud" of the controversial program and hinted at a future with more facial recognition.
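The check behind the NSA warning quoted in the CryptoAPI item above, as an added example that is not part of this newsletter or of the advisory: it walks the DER of an X.509 SubjectPublicKeyInfo with Python's standard library only and reports whether the EC parameters are a named curve or explicit parameters that fully or only partially match NIST P-256. The sample key blobs, FAKE_POINT and ROGUE_G are constructed placeholders, not real keys or certificates.

```python
# Added example (not from Cipher or the NSA advisory): a defender-side check for the
# certificate shape the advisory warns about, built on a minimal DER walker.
# Sample inputs below are constructed placeholders, not real keys.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME256V1 = "1.2.840.10045.3.1.7"
PRIME_FIELD = "1.2.840.10045.1.1"
# NIST P-256 (secp256r1) domain parameters, as published in FIPS 186-4 / SEC 2.
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "G": bytes.fromhex("046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
                       "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"),
    "n": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
}

def _length(n):  # DER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def der_int(v):  # one spare byte keeps the sign bit clear for positive values
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        enc = [arc & 0x7F]
        while arc := arc >> 7:
            enc.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(enc)
    return tlv(0x06, body)

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(data, off=0):  # -> (tag, body, next_offset) for the TLV at data[off]
    tag, ln, off = data[off], data[off + 1], off + 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(data[off:off + nbytes], "big"), off + nbytes
    return tag, data[off:off + ln], off + ln
def children(body):  # all TLVs directly inside a SEQUENCE body
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def classify_spki(spki):
    """Apply the advisory's heuristic to one DER-encoded SubjectPublicKeyInfo."""
    alg = children(children(read_tlv(spki)[1])[0][1])  # AlgorithmIdentifier parts
    if decode_oid(alg[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag, pbody = alg[1]
    if ptag == 0x06:  # namedCurve OID: the normal, expected case
        return "named-curve:" + decode_oid(pbody)
    if ptag != 0x30:
        return "ec-other-params"
    # ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor OPTIONAL }
    _ver, field, curve, base, order = children(pbody)[:5]
    ftype, prime = children(field[1])[:2]
    a, b = children(curve[1])[:2]
    ival = lambda node: int.from_bytes(node[1], "big")  # INTEGER / OCTET STRING body -> int
    match = {"p": decode_oid(ftype[1]) == PRIME_FIELD and ival(prime) == P256["p"],
             "a": ival(a) == P256["a"], "b": ival(b) == P256["b"],
             "G": base[1] == P256["G"], "n": ival(order) == P256["n"]}
    if all(match.values()):
        return "explicit-full-match-p256"  # avoidable; policy should require named curves
    if any(match.values()):  # the advisory's "partially match" case; list what differs
        return "explicit-partial-match-p256:" + ",".join(k for k, v in match.items() if not v)
    return "explicit-unknown-curve"

def build_spki(params_der, point):  # SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    alg = tlv(0x30, der_oid(ID_EC_PUBLIC_KEY) + params_der)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))
def explicit_params(p, a, b, G, n):
    field = tlv(0x30, der_oid(PRIME_FIELD) + der_int(p))
    curve = tlv(0x30, tlv(0x04, a.to_bytes(32, "big")) + tlv(0x04, b.to_bytes(32, "big")))
    return tlv(0x30, der_int(1) + field + curve + tlv(0x04, G) + der_int(n) + der_int(1))

FAKE_POINT = b"\x04" + bytes(64)      # constructed placeholder subject public key
ROGUE_G = b"\x04" + bytes(range(64))  # constructed generator that is not P-256's
NAMED = build_spki(der_oid(PRIME256V1), FAKE_POINT)
FULL = build_spki(explicit_params(**P256), FAKE_POINT)
PARTIAL = build_spki(explicit_params(P256["p"], P256["a"], P256["b"], ROGUE_G, P256["n"]), FAKE_POINT)
```

PARTIAL is the shape the advisory describes: field, curve coefficients and order all match P-256 but the generator does not, and classify_spki names the differing parameter.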
https://www.wired.com/story/ces-2020-amazon-defends-ring-police-partnerships/
Wired 01.07.2020
By Lauren Goode and Louise Matsakis

Summary: The Ring company provides home security cameras, and they collect a lot of video from users' front porches. The surveillance of public sidewalks and streets can benefit law enforcement, and Ring's David Limp has said that he is proud of the partnerships that currently exist. Others worry that the cameras are a step towards a dystopian society in which the government gathers detailed dossiers on the movements of all citizens. Facial recognition enhancements to Ring are a real possibility. Limp suggests that an opt-in/opt-out mode of operation would satisfy all concerns, but critics point out that this requires a fair amount of trust in Ring and its owner, Amazon.

---------------------------------------

Home Security Cameras Hacked, Vendor Sued
Amazon's Ring blamed hacks on consumers reusing their passwords. A lawsuit says that's not true.
Plaintiffs suing the company say they created unique passwords but were hacked anyway.
https://www.vox.com/recode/2020/1/17/21068703/amazon-ring-hacks-lawsuit-passwords
Vox Jan 17, 2020
By Rani Molla

Summary: The Amazon Ring security cameras for home use are very popular, but there have been reports of hacker access to the devices. Some users are suing the company for not putting enough security into the devices. For example, multiple unsuccessful login attempts do not result in any warnings to the account owner. The response from Ring, without giving any specific examples, is that users are to blame for reusing passwords from other systems. There's some suspicion that the passwords aren't the problem.

---------------------------------------

Can Encryption Save IoT?
An Open Source Effort to Encrypt the Internet of Things
IoT is a security hellscape. One cryptography company has a plan to make it a little bit less so.
https://www.wired.com/story/e4-iot-encryption/
Wired 01.20.2020
Lily Hay Newman

Summary: End-to-end encryption is taken for granted for web services today. It is easy to use TLS with a web server, browsers support it, and there is a reasonable certificate infrastructure to support it. Shouldn't IoT have the same open standards and open source implementations? The company Teserakt proposes to do just that, as explained in its E4 Product Sheet here: https://teserakt.io/doc/teserakt-product.pdf. The algorithms are designed for low energy devices, and the protocol should support a Very Large Number of connected devices.

---------------------------------------

Citrix Patches Zero Day, Government Agencies at Risk
As attacks begin, Citrix ships patch for VPN vulnerability
Hundreds of US government agencies have vulnerable VPNs, data shows.
https://arstechnica.com/information-technology/2020/01/as-attacks-begin-citrix-ships-patch-for-vpn-vulnerability/
Ars Technica 1/20/2020
By Sean Gallagher

Summary: A carefully crafted packet can open a Citrix VPN gateway to unauthorized code execution, but Citrix has a patch for that. The problem is, there are tens of thousands of vulnerable sites, and they have been slow to install the patches. Government agencies, businesses, and some US military sites are affected.

---------------------------------------

Election Hacking, a Compromised Server in 2016 Identified
A Georgia election server was vulnerable to Shellshock and may have been hacked
Vulnerable server distributed election and voter files to counties throughout the state.
https://arstechnica.com/information-technology/2020/01/a-georgia-election-server-was-vulnerable-to-shellshock-and-may-have-been-hacked/
Ars Technica 1/18/2020
By Dan Goodin

Summary: The difficulty of protecting election equipment and data was highlighted by the discovery of malware used on a server machine at Kennesaw University. Back in 2016, the state of Georgia used the services of the "Center for Election Systems" to program the state's voting machines (that relationship ended in 2017). Because of some problem with the servers in 2016 (see https://www.wabe.org/two-georgia-election-servers-timeline for a timeline of anomalies), there has been an ongoing forensic analysis of those servers. This recent announcement says that one of the servers was accessed using the "ShellSh0ck" malware. The hacker seems to have successfully erased the history of the session, and there is no way to know if the hacking affected the election.

---------------------------------------

Ukraine Oil Company to be Leaked?
If Russia Hacked Burisma, Brace for the Leaks to Follow
The Kremlin likely hacked the oil giant. Its next play: selectively release and even forge documents. Did the US learn enough from 2016 to ignore them?
https://www.wired.com/story/russia-burisma-hack-leaks/
Wired 01.14.2020
By Andy Greenberg

Summary: Russia's cybercrime unit has been implicated in a series of disruptive hacking attacks against businesses and infrastructure in Ukraine. If it did hack the oil company Burisma, then the pattern would indicate that documents reflecting badly on the Ukraine company will start appearing.

[Ed. Greenberg is the author of a recent book "Sandworm". It follows the twisted tale of specific exploits that are believed to have originated in Russia and directed at Ukraine. The software mutated, diverged, acquired misleading add-ons, but the purpose always seemed to be to hurt Ukraine, even if collateral damage to other targets, some in Russia, occurred. The telling evidence is probably the use of specific command and control servers tied to Russian cyberwarfare units.]
--------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

Events shown here are also available with the complete CFP in these pages:

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

------------------------------

SADFE 2020 13th International Conference on Systematic Approaches to Digital Forensic Engineering, New York, NY, USA, May 14-15, 2020.
http://www.sadfe.org/conference.html
Submission date: 31 January 2020

SBC 2020 8th International Workshop on Security in Blockchain and Cloud Computing, Taipei, Taiwan, June 1-5, 2020.
https://conference.cs.cityu.edu.hk/asiaccsscc/
Submission date: 31 January 2020

ICCWS 2020 IEEE International Conference on Cyber Warfare and Security, Islamabad, Pakistan, March 31 - April 2, 2020.
http://nccs.pk/activities/conference
Submission date: 31 January 2020

CNS 2020 8th IEEE Conference on Communications and Network Security, Avignon, France, June 29 - July 1, 2020.
https://cns2020.ieee-cns.org/
Submission date: 10 February 2020

CPSS 2020 6th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2020, Taipei, Taiwan, June 1, 2020.
https://www.nics.uma.es/pub/CPSS2020/
Submission date: 10 February 2020

SACMAT 2020 25th ACM Symposium on Access Control Models and Technologies, Barcelona, Spain, June 10-12, 2020.
http://www.sacmat.org/
Submission date: 10 February 2020

SECRYPT 2020 17th International Conference on Security and Cryptography, Paris, France, July 08 - 10, 2020.
http://www.secrypt.icete.org
Submission date: 14 February 2020

USENIX-Security 2020 29th USENIX Security Symposium, Boston, MA, USA, August 12-14, 2020.
https://www.usenix.org/conference/usenixsecurity20/call-for-papers
Submission date: 15 May 2019, 23 August 2019, 15 November 2019, and 15 February 2020

DASC 2020 18th IEEE International Conference on Dependable, Autonomic and Secure Computing, Calgary, Canada, June 22-26, 2020.
http://cyber-science.org/2020/dasc/
Submission date: 15 February 2020

DBSec 2020 34th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Regensburg, Germany, June 25-27, 2020.
https://dbsec2020.ur.de
Submission date: 15 February 2020

PETS 2020 20th Privacy Enhancing Technologies Symposium, Montreal, Canada, July 14-18, 2020.
https://petsymposium.org
Submission date: 31 May 2019, 31 August 2019, 30 November 2019, and 29 February 2020

WTMC 2020 5th International Workshop on Traffic Measurements for Cybersecurity, Held in conjunction with the IEEE Euro S&P 2020, Genova, Italy, June 15, 2020.
http://wtmc.info/
Submission date: 29 February 2020

Blockchain 2020 IEEE International Conference on Blockchain, Rhodes Island, Greece, August 2-6, 2020.
http://www.blockchain-ieee.org/
Submission date: 1 March 2020

CLOUD S&P 2020 2nd Workshop on Cloud Security and Privacy, Held in conjunction with ACNS2020, Rome, Italy, June 22-25, 2020.
https://www.albany.edu/cloudsp2020/
Submission date: 1 March 2020

SecMT 2020 International Workshop on Security in Mobile Technologies, Held in conjunction with ACNS2020, Rome, Italy, June 22-25, 2020.
https://spritz.math.unipd.it/events/2020/ACNS_Workshop/index.html
Submission date: 1 March 2020

SciSec 2020 3rd International Conference on Science of Cyber Security, Shanghai, China, August 9-11, 2020.
http://www.sci-cs.net
Submission date: 1 May 2020

CCS 2020 27th ACM Conference on Computer and Communications Security, Orlando, FL, USA, November 9-13, 2020.
Submission date: 20 January 2020 and 4 May 2020

CUING 2020 4th International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 15th International Conference on Availability, Reliability and Security (ARES 2020), Dublin, Ireland, August 24-28, 2020.
https://www.ares-conference.eu/workshops/cuing-2020/
Submission date: 11 May 2020

IWCC 2020 9th International Workshop on Cyber Crime, Held in conjunction with the 15th International Conference on Availability, Reliability and Security (ARES 2020), Dublin, Ireland, August 24-28, 2020.
https://www.ares-conference.eu/workshops/iwcc-2020/
Submission date: 11 May 2020

SpaCCS 2020 13th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Nanjing, China, October 23-25, 2020.
http://www.spaccs2020.com/
Submission date: 23 May 2020

IEEE Transactions on Intelligent Transportation Systems, Special Issue on Deep Learning Models for Safe and Secure Intelligent Transportation Systems.
http://jolfaei.info/IEEE-TITS.html
Submission date: May 30, 2020

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
Mark Gondree
Sonoma State University
oakland19-chair@ieee-security.org

Vice Chair:
Ulfar Erlingsson
Manager, Security Research
Google
tcchair at ieee-security.org

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2020 Chair:
Gabriela Ciocarlie
SRI International
oakland20-chair@ieee-security.org

TC Awards Chair:
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year