============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 155
May 29, 2020

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org           cipher-assoc-editor @ ieee-security.org

Sven Dietrich                               Yong Guan
Book Review Editor                          Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Impressions of the online Security and Privacy Symposium by Lesly-Ann Daniel, Julia Lanier, Terry Benzel, Dave DeAngelis, and Sven Dietrich
  o Sven Dietrich's review of "Computer Security and the Internet: Tools and Jewels" by Paul C. van Oorschot
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

It seems like only yesterday the world was in turmoil and cities were burning, but that was 50 years ago, and I was just starting my adult life. Bad as things are now, what we have in abundance, in startling contrast to yesteryear, is communication.
That has meant that some semblance of normal life can continue in some economic sectors and in some social interactions. We can "go virtual" and keep talking. The recent Security and Privacy Symposium offers an important case study in what we gain and what we lose by replacing in-person interactions with online interactions in a research community. This issue of Cipher has several personal accounts of what it was like to be part of this seismic paradigm shift. I am most grateful to the people who shared their impressions.

We have been slogging through about 25 years of ineffectual attempts to use the Internet for large scale videoconferencing, and it began to seem an unreachable goal. The communication lines weren't fat enough, end users did not have computers that were fast enough, bandwidth was too expensive, it was unreliable, the synchronization never worked, ... and somehow, without much fanfare, piece-by-piece, the infrastructure was created, ready for the emergency we never expected.

And so it happened that in about two months, the S&P Symposium plans were changed, speakers recorded their talks, an amazing company pulled together an online schedule with sequenced videos and smooth transitions to Q&A, and "virtual Oakland" took shape. No one would say that it was the same as "being there", but with more papers than ever, over 1500 "attendees", and no financial problems, the Symposium achieved a surprising success in the midst of a disruptive time. No travel, no problem.

My personal note is that I enjoyed the virtual conference. In normal times, the week of the conference is an opportunity for me to see personal and professional friends in the San Francisco area, and I greatly missed that. On the other hand, late May is the time of year when I most enjoy my garden, and being able to watch it day by day without travel interruption was a pleasure that I've not had in 20 years.
Every professional meeting that I've been in via Zoom during the past few months has ended with a plea from some participants to keep the virtual participation option open even when in-person meetings are again possible. This is true of Security and Privacy -- it will be forever altered by the events of this spring.

Unfazed by having his professorial life upended by pandemic and riot, Sven Dietrich has contributed both impressions of the virtual conference and a review of an important new text in computer security by Paul van Oorschot.

Two TCSP sponsored events will also be virtual: the Computer Security Foundations Workshop in June and the Secure Development Conference in September. EuroS&P, originally scheduled for spring this year, has been rescheduled to early September in Italy.

With hopes for health, peace and understanding of all things in computer security,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Impressions from the first ever online version of the Security and Privacy Symposium

Contributors:
  Lesly-Ann Daniel
  Julia Lanier
  Terry Benzel
  Dave DeAngelis
  Sven Dietrich

--------------------------------------------------------------
Experience with IEEE Symposium on Security and Privacy, 2020
From the perspective of a speaker and PhD student.
Lesly-Ann Daniel, CEA List

Attending the Conference

I'm glad that I had the chance to attend and present my work at the IEEE Symposium on Security and Privacy. It was my first time at SP and I really enjoyed the interesting talks and the friendly atmosphere. The fact that the conference was online and had a low registration cost made it a great opportunity for non-speakers to attend. For instance, in my lab, we were encouraged to register for the conference.
The format of the conference, relying on videos for the talks, was probably a good guarantee to get good quality presentations with (almost always) proper sound, and also to avoid technical problems on the speakers' side. This planning helped make the whole experience run smoothly without interruption and delay.

Sometimes, I found it a bit confusing to know exactly what sessions were currently running because of time zone conversion and potential delays, so the announcements of the sessions on the Slack channel were helpful. While attending the conference, I only had one technical issue which made me miss the introduction of a talk, but fortunately the talks are available on YouTube for replay. Posting replays of the talks has the advantage of making them available for people who cannot attend the conference (and I wish more conferences would publish them because I really like watching videos to discover new topics). Moreover, knowing that replays are available makes tough choices less heart-breaking - like whether to attend session eight on fuzzing or on program analysis!

Previews, Presentations, and Papers

I really enjoyed watching the previews for the presentations. They did not influence my choice on which session to attend, but they made me discover new topics, and some of them were really fun. I especially loved the preview for LVI (Load Value Injection): it was fun, original and very well done!

I find the classes of Spectre attacks very interesting and I was really happy that we had a couple of talks about it in the first session. The paper which I liked the most was "Spectector: Principled Detection of Speculative Information Flows" because it is a first step towards automatically detecting vulnerabilities to Spectre attacks in software, and more importantly towards proving their absence.
The paper defines speculative noninterference, a property to reason about speculative execution attacks, proposes a tool to analyze this property, and uses it to check countermeasures introduced by compilers.

Two papers that I find remarkable are "The Last Mile: High-Assurance and High-Speed Cryptographic Implementations" and "EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider". Both of them provide cryptographic implementations that are functionally correct, protected against side-channels, and as efficient as non-verified cryptographic implementations. I think that these two papers represent a tremendous work and provide a concrete improvement for security.

Finally, the paper that was the most surprising for me was "RAMBleed: Reading Bits in Memory Without Accessing Them" which demonstrates that Rowhammer can be used not just to compromise data integrity, but also to leak data via side channels.

Online Discussions

What I liked the most with this remote experience were the public discussions via Slack in which anybody could participate, read, and learn. Especially, on the first day of the conference, a question was asked about whether fuzzing is applicable to liveness properties, which triggered an enlightening discussion with many pointers to good papers. While reading this discussion, I discovered new things on fuzzing and a very good paper on the evaluation of fuzzing techniques.

However, compared to face-to-face events I had fewer "random" interactions and the connections via the donut bot seemed a bit artificial and did not really work for me. Even though the online chat platform does not fully replace face-to-face interactions, it makes it really easy to have discussions open to the whole community, and to share links and papers to enrich these discussions. For these reasons, I think that it might be a good idea to set up online chat platforms, even for non-remote events.
Final Words

It was my first time attending IEEE Symposium on Security and Privacy, and (even if it was online) it was a really great experience because I could participate in discussions and, thanks to the previews, I discovered new topics that wouldn't have caught my attention otherwise. Setting up a virtual conference in such a short time was a remarkable achievement by the organizers -- for this I would like to thank them!

--------------------------------------------------------------
Oakland 2020: Thoughts on a Virtual Conference by a Michigan EECS PhD Student
by Julia Lanier

IEEE Security and Privacy 2020 was as good as I could have hoped for as a rising second-year PhD student in embedded security research. While nothing will beat the perks of in-person conferences, this was still a beneficial learning experience. Like all things that have moved online as a result of the pandemic, there were pros and cons.

The biggest challenge for me was understanding presenters with the lack of facial expressions and hand gestures. I never realized how much they contribute to conversation, but I noticed I felt lost more than usual during presentations. Some presenters put a small video overlay on the slides of themselves speaking, which helped tremendously.

Another aspect of the virtual conference that created a challenge: meeting new people. Personally, I think the conference handled this beautifully. Every day a Slack bot would pair up two people who did not know each other and place them in a private Slack channel. Participants could submit a list of people they did not want to be paired with so as to ensure each pair would be strangers. As imagined, this was more awkward than the organic introductions and conversations that happen at random at these types of gatherings, but I found this to be an inventive and effective solution.

One thing I would like to see improved is the Q&A sessions.
After each paper presentation session, a Zoom link would automatically pop up taking attendees to the Q&A session. There were a couple of issues arising with this process, the first being how short the Q&A sessions were. One perk of being online is that multiple things can happen in parallel, so having such a short Q&A session made me wonder how to improve the opportunity. The second was the throughput of the Q&A sessions due to attendees being muted. While I understand the reasoning behind the forced mute, it took a significant amount of time for an attendee to type the question, the presenter to read the question, comprehend the question, and then provide an answer. Back and forth communication for clarification or expansion was simply impossible, especially because of how short the time limit was. Some of this would have been solved if attendees were required to use the "raise your hand" feature of Zoom and then be unmuted to ask their question. Unfortunately, I'm sure different issues would also arise with this alternative approach.

With all of that being said, having an online conference had some amazing benefits! The greatest benefit: accessibility to many people. The affordable cost and easy access allowed more people to attend the conference. Some undergraduate research assistants in my lab were able to attend and would have never been able to afford the travel and registration costs if it were held in person. I would love to see conferences and other similar events be offered both in person and online in the future. I believe IEEE Security and Privacy has created a solid foundation for this. (My PhD advisor Kevin Fu tells me that in ancient history in the 1990s, some security conferences live-cast Q&A on the Mbone using multicast. It was sick.)

Overall, the conference went very smoothly for me. I would not have guessed this was the first time this massive conference was held online. To me, that says everything.
I am so grateful to the people who worked behind the scenes and took the time and ensured the conference would be a great experience and go on with minimal hiccups. They did a fantastic job! I am so glad I chose to register and I thoroughly enjoyed attending IEEE Security and Privacy 2020 online.

Bio: Julia Lanier is entering her second year in the Computer Science and Engineering PhD program at the University of Michigan. Her graduate advisor is Prof. Kevin Fu of the SPQR.eecs.umich.edu group. Her interests pertain to hardware and sensor security and VLSI design. In her spare time, she enjoys running, hiking, and playing video games. For more information about her research in embedded security, see julialanier.com.

--------------------------------------------------------------
IEEE S&P Goes Virtual
Terry Benzel
Director, Networking and Cybersecurity Research
Information Sciences Institute
University of Southern California

Having attended IEEE S&P since 1982, I was relieved to learn that the show would go on and we would have the chance to participate in this premier conference during this disruptive time. The volunteer organizers did a truly phenomenal job of creating a virtual conference in a very short time (reportedly the decision was finalized a mere 6 weeks before the conference?).

The conference consisted of:
  104 papers
  104 paper previews
  9 Paper Q&A sessions
  17 posters
  15 short talks
  9 Test of Time Awards
  2 Birds of a Feather sessions
  1 Student Mentoring session
  1 Technical Committee meeting
  6 Workshops

All of these had some component of pre-recorded video and many also included a live video-based audience participation component. These numbers represent a very significant undertaking. Considering that all of the authors created quality videos and worked with the conference to provide them in a timely manner, this was a massive cat herding job if I ever saw one.
In addition to managing the presentations, there are also considerable logistics and decisions involved in creating this virtual conference on short notice, including the need to work with the IEEE sponsoring organization requirements and constraints as well as contractual issues. I was impressed by the choices that the committee made regarding platforms, technology, and social engagement on such short notice.

The use of On24 as the staging platform for all of the talks and sessions enabled mostly seamless transitions from Webinar based video presentations of pre-recorded talks to live Zoom Q&A sessions. The use of Zoom participant hand raise, chats and screen sharing in smaller settings such as poster and Q&A sessions was largely effective.

The conference ended up making extensive use of Slack. It was originally set up with some "standard" channels - Conference, General, Tech Support, and a "Hallway Track"; however, it quickly became the primary communication mechanism for communicating about schedule changes, serving as an alternative site for presentation materials when there were technical difficulties, and a number of discussion channels were created to continue discussions from the Q&A sessions.

The General Chair, Gabriela Ciocarlie, was truly a master of ceremonies and somehow seemed to be in every session and rapidly managed technical difficulties. She and the team of volunteers and staff deserve recognition and gratitude from the community for their service.

Obviously there were technical difficulties, a few talks that did not play at the proper time, sessions running late, failed coordination points, and awkward use of technology in some sessions. As computer scientists and engineers it is easy for us to second guess the decisions that were made and to attempt to engineer a better virtual conference.
The organizers for the 2021 conference will have the chance to analyze the lessons learned and to take advantage of the growing wisdom in the community around virtual event planning.

I found the conference interesting, stimulating, and a productive use of time. In fact, I found that I was more focused during the presentations and I got more out of this virtual conference than I have in recent F2F conferences. Of course I truly missed connecting with people. Dave Balenson's text Monday morning joking that he had saved us our usual seats brought tears to my eyes.

--------------------------------------------------------------
2020 IEEE Symposium on Security and Privacy
From the perspective of a first-time attendee
Dave DeAngelis, USC/ISI

I had the privilege to attend the IEEE Symposium on Security and Privacy (S&P) as an attendee for the first time. Moreover, 2020 was the first year that S&P was held entirely online. As a researcher returning to the field, I found the opening remarks and the test of time awards particularly valuable. The histogram of accepted paper topics provided a great snapshot of the field, and the test of time awards showcase the most impactful work over many years of S&P.

I was struck by the breadth of the conference. Research covered many topics including those you might expect like microarchitectural security, authentication, and protocols, but also extended to diverse topics such as large platforms to support further cybersecurity experimentation, global anonymity & censorship, and cyber insurance. I particularly enjoyed the Workshop on Technology and Consumer Protection (ConPro '20). This workshop brought together industry, academia, and regulatory bodies in a new and interesting way to discuss topics with an impact on consumers.

The online conference format introduced several challenges, including how to motivate spontaneous interactions that spark new ideas and collaborations.
The comprehensive suite of tools including Zoom, Slack, On24, and YouTube was incredibly helpful in holding the conference remotely, encountering only minor technical difficulties. I think the Donut bot that pairs people together randomly for conversations was a great idea, though it seemed other attendees differed in their opinion. A little more prompting or directed matching could help encourage discussion. I was fortunate to have a productive and interesting conversation about industrial control system security with a leader in the field.

Paper session talks were pre-recorded and broadcast to attendees in order to obviate any streaming technical issues and to accommodate presenters based in widely differing time zones, and sessions began with 2 minute short previews of the talks. The pre-recorded format had some unexpected advantages. First, speakers whose native language is not English were more able to script their presentation and provide subtitles if necessary. Secondly, it helped to manage the presentation pace and scope of detail provided. Lastly, it enabled presenters to showcase entertaining production while maintaining rigorous research quality, as shown in the LVI preview presentation.

Like an in-person conference, sessions were scheduled with 3 in parallel, and the sessions were thoughtfully scheduled to minimize the number of conflicts among competing research interests. However, it was very easy to keep all three tracks open simultaneously and seamlessly switch from one "room" to another, and having the videos available on YouTube was enormously helpful.

An indispensable component of an academic conference is lively Q&A, and I think this was handled as well as can be expected by the moderators, participants, and the Zoom platform. The Slack platform and particularly the #hallway-track channels were very useful for discovering others with shared interests and reaching out directly.
Slack is great for 1-on-1 conversations or to discuss a topic prescribed in a particular channel. However, spontaneous unmoderated small group conversations are notoriously difficult to facilitate virtually.

Some of the concessions made to facilitate a fully-remote conference would be very welcome even at a traditional live event, including broad access to recorded talks, Slack-like communication tools, and low registration fees for remote participants.

As a final note, I was impressed with the quality and breadth of the research as well as the agility and dedication demonstrated by the organizing committee in hosting a successful and enjoyable conference. Thank you.

--------------------------------------------------------------
Virtual S&P 2020 - a long-timer's view
by Sven Dietrich

After attending S&P (it will always be "Oakland" for me, no matter where it's going to be held) since 1998, I attended it virtually this year due to the Covid-19 pandemic. While I have enjoyed the talks at Oakland, the most interesting aspect has always been the personal interaction with my peers, the mentoring of the students or upcoming young researchers/faculty (informally at the breaks and meals, or formally at the speed mentoring sessions that I participated in the last few years), and the hallway track. And the wandering off in cliques to nearby dinner restaurants and regrouping at the hotel bar or, for those who remember, in Room 606.

Forced to make the best of the situation, the organizing committee did some serious heavy lifting and put together a mixed platform that attracted close to 2000 registrants, but perhaps with many fewer attending at the same time. The Oakland talks were pre-recorded by the paper authors and their teaser talks could be previewed the day of the talks.
There were three major components to the virtual presence: the web videos linked off the program on the conference website, Zoom videoconferencing (both in webinar and in meeting modes) for Q&A sessions, BoFs, and workshop sessions, and Slack as a backchannel between them all. There was a virtual hallway track on Slack, and many Slack channels for the conference locations, plus topic-centric hallway tracks. There were multiple tracks to Oakland, up to three that I could count, which made it harder to split my time. To list all the talks I listened to and enjoyed would exceed the space to talk about here, but the ones that fostered discussions among the participants were the most rewarding.

Managing all these channels on top of a regular work day was a bit challenging. Since I wasn't "away" for the conference as I normally would, I still had to tend to my normal day-to-day meetings and interactions and missed a few talks in the process. Of course I could go back to the talks once they had been presented, but the key part is the ability to ask questions at the end of the talk. One would have needed an additional laptop (or desktop) to manage just the Oakland conference, while still keeping up with the other audio/video demands on the viewer's time.

Nevertheless, I enjoyed the Oakland virtual conference as a good substitute under the circumstances. While I did catch up with a few long-time colleagues in the hallway track and in the session, I am looking forward to returning to the real, in-person conference. What I do miss is the scene: who is there to listen to the talks and interact with them. When in webinar mode, the conference is in consumer mode: one sees the moderator, the presenters (called panelists in Zoom webinar speak), but not who else is attending. When some sessions switched to meeting mode, one could see who was there and was asking questions, perhaps chat with them later on Zoom, or catch them in the Slack #hallway-track.
And I had just run SADFE, the digital forensics workshop turned conference, a few days before Oakland using Zoom. I had chosen Zoom meeting mode over the webinar mode for the same reason I experienced at Oakland: the desire to see and be seen.

I look forward to seeing future instantiations of Oakland, whichever form they may take on, but I will always be true to the classic. I tip my hat to the organizing committee this year: job well done!

____________________________________________________________________
Book Review By Sven Dietrich
05/31/2020
____________________________________________________________________

Computer Security and the Internet: Tools and Jewels
by Paul C. van Oorschot
Springer International Publishing 2020.
ISBN 978-3-030-33648-6 (Hardcover)
ISBN-13: 978-3-030-33649-3 (eBook)
XXII, 365 pages

Review by Sven Dietrich
May 30, 2020

When looking at my library (ok, ok, I have to virtually place myself in my office in this pandemic), my eyes first rest on the name Paul C. van Oorschot on the classic cryptography book "Handbook of Applied Cryptography" from 1996. Now, he has published a book meant to resolve a challenge with computer security books -- being somewhat complete while being somewhat short -- with his new title "Computer Security and the Internet: Tools and Jewels." In close to 400 pages, Paul has succeeded in writing a book that provides the basic principles of computer security as well as pointing to further materials for those readers eager to absorb more knowledge, or perhaps who have whetted their appetite for more "Gedankenexperimente" (thought experiments) and real practice.

The book is divided into eleven chapters, plus a foreword, preface, and epilogue, and a set of contextual references at the end of each chapter in endnote style. The preface labels those chapters or sections that can be skipped without losing continuity in a course or reading seminar. The foreword by Peter G.
Neumann, a long-time and well-respected presence in the field of computer security, is difficult to surpass as it sings the praises of this book. The book is a nice middle ground between theory and practice, yet provides the solid foundations needed to start reading and understanding the next levels of computer security in the context of the Internet. It awakens sufficient levels of curiosity to make you want to read that research paper so you understand the question: "how did we get here?" For computer security intents and purposes, of course.

The eleven chapters are 'Basic Concepts and Principles,' 'Cryptographic Building Blocks,' 'User Authentication - Passwords, Biometrics, and Alternatives,' 'Authentication Protocols and Key Establishment,' 'Operating System Security and Access Control,' 'Software Security - Exploits and Privilege Escalation,' 'Malicious Software,' 'Public-Key Certificate Management and Use Cases,' 'Web and Browser Security,' 'Firewalls and Tunnels,' and finally 'Intrusion Detection and Network-Based Attacks.' The text throughout the book is color-coded, with different colors for concepts, program or operating system names, and keywords. Many diagrams and figures illustrating this book are also in color.

The first chapter 'Basic Concepts and Principles' covers the fundamental goals of computer security, talks about computer security policies and attacks, risk assessment, and describes security modeling and the challenges that shake computer security. Already here, we find sections that are labeled 'optional,' those that go deeper than a regular introduction.

The second chapter 'Cryptographic Building Blocks' discusses generic concepts of encryption and decryption, covering both the symmetric and asymmetric cases, digital signatures, cryptographic hash functions, and message authentication.
As a "build-on" topic, the reader is encouraged to read up on authenticated encryption, modes of encryption, certificates and elliptic curves, and the different key lengths that matter.

The third chapter, on 'User Authentication', talks about passwords as means of authentication, password cracking, account recovery, one-time systems and hardware tokens, and biometric authentication. The advanced sections look at graphical passwords, password managers, captchas, and entropy.

The fourth chapter about 'Authentication Protocols and Key Establishment' is a very short summary of a large field (as are most other chapters in this book), as I recently reviewed an entire book just on this topic. The journey takes the reader from entity authentication and key establishment (e.g. Diffie-Hellman) to basic authentication protocol concepts, lessons learned, and some examples of password-authenticated key exchanges (PAKEs such as EKE and SPEKE), and eventually to harder topics such as weak secrets, single sign-on, and cyclic group and subgroup attacks on Diffie-Hellman.

The fifth chapter on 'Operating System Security and Access Control' mentions key concepts such as memory protection, access control matrices, reference monitors, setuid and effective user ids, file and directory permissions, file deletion challenges, and last but not least the RBAC and MAC approaches. As a higher-ground bonus, the reader discovers finer protection mechanisms such as protection rings for isolation, and also protection domains.

The sixth chapter 'Software Security - Exploits and Privilege Elevation' introduces the reader to the fun subject of exploits via race conditions, integer-based vulnerabilities (as contrasted to string-based vulnerabilities), and then the classic stack-based vulnerabilities and their counterparts in the heap and elsewhere.
While heading to covering defenses against these exploits, the chapter intermingles the advanced sections on return-to-libc attacks and shellcode, rather than saving them for the end, allowing the reader to appreciate the intricacies of the attacks "inline" while reading.

The seventh chapter on 'Malicious Software', as a logical next topic after exploits, describes malware (mal[icious][soft]ware) in its variety, from the early viruses to the latest ransomware, botnets, rootkits, and their stealthy techniques. Wrapping up the chapter, it offers approaches for categorizing malware.

The eighth chapter about 'Public-Key Certificate Management and Use Cases' describes the world of the Public-Key Infrastructure (PKI), certification authorities (CA), and various CA/PKI architectures. It explains how this all fits with your web browser and surfing the Internet. As a bonus, the reader gains insight into specific secure email solutions and certificate revocation.

The ninth chapter 'Web and Browser Security' builds on concepts in the previous chapter to illustrate the problems (and features!) present in the modern web and its many browsers. Terms such as HTML, HTTP/HTTPS, and TLS quickly give way to cookies, same-origin policy, cross-site scripting, and SQL injection. A very important tidbit is left for "additional" reading: the concept of usability in security (aka usable security), and that nicely wraps up the chapter.

The tenth chapter about 'Firewalls and Tunnels' delves into the world of packet-filter firewalls, various architectures found in the firewall setting, secure shell, and Virtual Private Networks (VPNs). Detailed background in IP security (IPsec) as well as networking and TCP/IP rounds off the chapter.

The eleventh, and last, chapter on 'Intrusion Detection and Network-Based Attacks' saves "the best for last" (ok, so I have a special place for that subject in my 'computer security heart').
Intrusion detection, a tough subject that has fueled many papers and research/practitioner efforts over the years, is summarized here with a methodological overview of its approaches. There is discussion of sniffers, reconnaissance, vulnerability scanners, and attacks on the infrastructure, including denial-of-service attacks (also very dear to my heart) as well as Domain Name System (DNS) and Address Resolution Protocol (ARP) attacks. The extra section on TCP session hijacking evokes fond memories of the early days of the Internet.

In the epilogue, in which Paul suggests to readers that they have attained "walking speed" for computer security, he plants little seeds of interest to pursue further, just as he had done at the end of each chapter. To me that sounds like: "Go brandish that knowledge and join the ranks of security practitioners and researchers!"

Paul C. van Oorschot did a great job with Computer Security and the Internet, producing a concise and (sufficiently) complete computer security book, as he had set out to do. At first, the book seems like a large set of CliffsNotes, but it is so much more: it supplies a golden thread to follow through the computer security field, with the option to delve deeper at the next strand. I enjoyed reading it and look forward to having this book readily available on my bookshelf for many years to come.

---------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org
--------------------------------------------------------------------
Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews
Requests for inclusion in the list should be sent per the instructions at http://www.ieee-security.org/Calendar/submitting.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments.
To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________
The proceedings of previous conferences are available from the Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium
From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Ulfar Erlingsson
Google
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Gabriela Ciocarlie
Manager, Security Research
SRI International
oakland20-chair@ieee-security.org

Vice Chair:
Brian Parno

Treasurer:
Yong Guan
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2021 Chair:
oakland21-chair@ieee-security.org

TC Awards Chair:
EJ Jung
University of San Francisco
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung
____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year