Cipher Issue 165, January 24, 2022, Editor's Letter

Dear Readers,

On beyond omicron! Plans are afoot for in-person conferences in late spring, and the Security and Privacy conference will be held in San Francisco, May 22-26. Fingers crossed! The program will have the usual selection of the best of recent research, and the workshops will offer an in-depth look at special areas: SecWeb for designing web security, ConPro for consumer protection, DLS for deep learning and security, LangSec for language-theoretic security, SafeThings for security of the IoT, and WOOT for "offensive technologies".

This month we have a "second edition" book review. Sven Dietrich reviewed Paul van Oorschot's "Computer Security and the Internet" last year; the second edition adds two new chapters, so we have a book review update.

Sven Dietrich and Yong Guan are stalwarts in helping to produce this newsletter. I'm particularly grateful to them for persisting through the pandemic. Both are currently traveling and dealing with the worries and complexities of a constantly changing health and regulatory landscape.

A side effect of the pandemic has been the rush to move so much of life to online interactions. Disruptive as it has been, overall the move has caused little more than minor stirs with respect to the security of computers and communications. Is this a good sign, or the calm before the storm? One thing that has not improved, however, is the process of signing up for online services. It generally takes me about 30 minutes to complete the process of finding the correct "create an account" web page, filling in the information, wending through the thicket of allowable and required password characters, getting the confirmation email, putting the confirmation code into a webpage, and then, for reasons that are opaque to me, having to start all over. Is this security or insanity?

Last year we dealt with the SolarWinds compromise, this year it is Log4Shell, the Log4j vulnerability, that caused sleepless nights for security teams. Despite being billed as the biggest security loophole of all time, the problem seems to have been largely contained, though it may be "endemic", which is, oddly enough, what we hope that our current disease nemesis will become. I think "endemic" as used today means "we give up".

As someday it may happen that a victim must be found,
I've got a little list -- I've got a little list.
Of security offenders whose mistakes must be unwound,
And who never would be missed - who never would be missed.
There's the coder with the strings whose lengths are never checked,
They cause stack overflows that turn memory into dreck,
All sysadmins who leave the password files online,
All RAM designers who set the bytes that never will align,
And open source reusers who blithely set the sudo bits,
And all those snarky kids who make the zero day rootkits,
They'd none of them be missed -- they'd none of them be missed.

(Thank you to the immortal G&S)


      Hilarie Orman