============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 167, June 9, 2022

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org

Sven Dietrich, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "A Vulnerable System: The History of
      Information Security in the Computer Age" by Andrew J. Stewart
    o News Items
       - Sophisticated Leapfrogging Undermines Microsoft
       - The Other Shoe: Identity Provider Shaken by Account Hack
       - Cyberattacks May Target Energy
       - Hawaiian Cable Hacking
       - Command-and-Control Domains being Whack-a-Moled
       - Because That's Where the Money Is
       - "Here's a Useless Piece of Code ..."
       - Russian Cyberattacks are Part of War
       - Microsoft's Special Report on Russia vs. Ukraine Cyberattacks
       - Pentagon Seeks to Improve Contractor Cybersecurity
       - A Bounty on Conti
       - Costa Rica's Cyber Troubles Intensify
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The Security and Privacy Symposium successfully resumed its in-person
(hybrid) meeting in San Francisco last month with nearly 600 people in
attendance physically and 224 virtually. There were 147 papers presented
out of 1012 submitted. Thorsten Holz will be the TCSP Vice Chair starting
in 2023. The conference will be held in San Francisco at the same location
through 2024, but beyond that, all options are being considered. The
conference registration fee has gone up by a factor of 10 in less than 20
years, and there is some sentiment for changing the sign of the first
derivative, even if that means leaving the San Francisco Bay area. On the
other hand, all conferences are having sticker shock in the
maybe-COVID-is-over era, so alternatives may be few.

Sven Dietrich's review of a book taking a long backward look at computer
security is in this Cipher issue. It harks back to the beginnings of the
S&P conference in its recounting of events like the creation of the Orange
Book. A time traveler from that long ago era might think that the
smattering of news items in this issue show that computer security
research ceased in the 1980s.
Although the same problems recur again and again, the failures are
probably a drop in the bucket of our massive shift to online services.
Costa Rica's government might think differently, having had their customs
system thoroughly disrupted.

"Yet a definite improvement is discernible today."

All Too Literal: The Poetry of S&P Titles

   Anonymous privacy Byzantine,
   Side-channel rowhammered timing,
   Blockchain suspicious,
   Verified malicious,
   Fuzzy phish spectres be hardening.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
6/8/22

"A Vulnerable System: The History of Information Security in the
Computer Age" by Andrew J. Stewart
Cornell University Press 2022.
ISBN 978-1-5017-589-42
303 pages
____________________________________________________________________

Haven't you always wondered about the backstories and the anecdotes in the
history of information security? What were the early motivations of
computer security? How did all those concepts come about? If that is what
you are wondering about, you are in luck: Andrew J. Stewart acts as a
historian and digs into the history of information security in this new
book. While other writers have provided insights into the history of
cryptography, in this work we learn about the Orange Book, the early
attacks on computer systems, and how it all evolved to current times.

Andrew J. Stewart's book "A Vulnerable System: The History of Information
Security in the Computer Age" takes a stab at shining light into the far
and dark corners of computer security. It mentions some names of early-day
computer security researchers that I had the honor of meeting in the
Claremont Tower Suite ("606") at the Security and Privacy conference in
the late 1990s. It includes stories about the creation of the Internet as
well.

The book is divided into several chapters and contains an extensive
bibliography from popular science sources and research articles in
supplement to the many contextual and chapter-related notes at the end of
the book. The introduction mentioning the "Three Stigmata" is followed by
a chapter on 'A "New Dimension" for the Security of Information', 'The
Promise, Success, and Failure of the Early Researchers', 'The Creation of
the Internet and the Web, and a Dark Portent', 'The Dot-Com Boom and the
Genesis of a Lucrative Feedback Loop', 'Software Security and the "Hamster
Wheel of Pain"', 'Usable Security, Economics, and Psychology',
'Vulnerability Disclosure, Bounties, and Markets', 'Data Breaches,
Nation-State Hacking, and Epistemic Closure', and 'The Wicked Nature of
Information Security'.

The author writes in an easily accessible style, allowing the reader to
gain a good overview of computer security at various stages of
development, from the mid-20th-century events to the late 2010s, and to
delve deeper either by following the notes at the back of the book (there
are over 70 pages of them!), or even by reading the relevant research
articles that are referenced in the select (and somewhat short)
bibliography. Most topics are covered this way, and this lets a curious
reader complement their scientific knowledge with amusing or eye-opening
anecdotes. Some topics, such as vulnerability disclosure, are approached
in a controversial manner, but then again those topics are controversial
in real life. Also there are surprising shortcomings: while the book takes
note of cyberattacks, including general and nation-state ones, there is no
mention of distributed denial-of-service (DDoS) attacks for example, even
though he mentions the Morris worm attack from 1988.

I enjoyed reading this book: some of the anecdotes brought back fond (or
not so fond, depending on how you look at computer security events)
memories for me, spanning the last three decades or so. Perhaps it will
intrigue you as well.

------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He
welcomes your thoughts at spock at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

-------
LAPSES 'R US: Sophisticated Leapfrogging Undermines Microsoft

Microsoft confirms it was breached by hacker group
https://www.cnn.com/2022/03/23/tech/microsoft-lapsus/index.html
Publisher: CNN
Date: March 23, 2022
By: Brian Fung

Summary:
With everyone working remotely, the security of off-site employee
computers is crucially important. Microsoft fell victim to this, and
although the damage was minor, the red flags for all companies are
obvious.

During "a five-day window of time between January 16-21, 2022 ... an
attacker had access to a support engineer's laptop." Microsoft notes that
the breach provided only "'limited access'" to company systems, including
source files. Nonetheless, the hackers, believed to be a group known as
Lapsus$, show "a sophisticated grasp of technology supply chains,
understanding how to use one organization's relationships or reliance on
another to its advantage."

-------------
The Other Shoe: Identity Provider Shaken by Account Hack

Authentication firm Okta's shares slide after hack warning
https://www.reuters.com/technology/okta-says-up-366-customers-have-potentially-been-impacted-by-hacker-attack-2022-03-23/
Publisher: Reuters
Date: March 23, 2022
By: Raphael Satter

Summary:
Okta is an identity provider company, and it was also hit by the Lapsus$
hackers. In this case, a contractor to Okta had an engineer whose computer
was hacked. Okta said that private data of "at most" 366 customers may
have been exposed.

Some observers were startled at Okta's subdued response to the problem
which was discovered in January. The contractor was quickly identified as
the problem source, but Okta did not provide a full report to the
contractor for 2 months. It was only then that the contractor was able to
stop the exposure.
-------------
Comments by OKTA's Chief Security Officer

https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
Updated Okta Statement on LAPSUS$
Publisher: Blog by OKTA CSO
Date: Mar 22, 2022
By: David Bradbury

-----------------------------------------------------------------------------
Cyberattacks May Target Energy

US federal alert warns of the discovery of malicious cyber tools
Cybersecurity officials said the evidence suggests Russia is behind the
tools – configured to target North American energy concerns
https://www.theguardian.com/us-news/2022/apr/13/us-alert-malicious-cyber-tools-russia
Publisher: Associated Press
Date: 13 Apr 2022

Summary:
Industrial control systems in the energy sector (and others) often use a
simple, serial protocol called SCADA. Interfaces between Internet systems
and SCADA controls allow operational control of large networks of devices.
Malicious software that attacks SCADA systems is not common, but a new
instance of it surfaced recently and was detected, thwarted, and analyzed
by the US government and security firms. Their opinion is that it is
circumstantially connected to prior Russian exploits. The targets were,
initially, liquefied natural gas and electric power sites in North
America.

-----------------------------------------------------------------------------
Hawaiian Cable Hacking

Agency disrupts cyberattack on an underwater cable
https://www.mauinews.com/news/local-news/2022/04/agency-disrupts-cyberattack-on-an-underwater-cable/
Publisher: The Maui News
Date: Apr 13, 2022

Summary:
An attack on servers that might be involved in managing Internet traffic
on an undersea cable was thwarted by DHS's Homeland Security
Investigations team. At least one person was arrested in connection with
the "unauthorized access." There were no reports of exploits associated
with the break-in, but agents emphasized the potential of causing various
forms of havoc on Internet service.

See also this article from CYBERSCOOP on Apr 13, 2022 by A. J. Vicens:
DHS investigators say they foiled cyberattack on undersea internet cable
in Hawaii.
https://www.cyberscoop.com/undersea-cable-operator-hacked-hawaii/

-----------------------------------------------------------------------------
Command-and-Control Domains being Whack-a-Moled

Microsoft and other tech firms take aim at prolific cybercrime gang
https://www.cnn.com/2022/04/13/tech/microsoft-zloader-malware/index.html
Publisher: CNN Business
Date: April 13, 2022
By: Sean Lyngaas

Summary:
Most ransomware has an Achilles heel: the reliance on a few allied
Internet servers that direct the attack after the initial breach. These
"command and control servers" have to be surreptitious and anonymous, else
they would give away the identity of the attackers. Attackers register
meaningless DNS names for the servers, pay for them via circuitous routes,
and often move them from one physical infrastructure to another. If the
DNS names can be wiped out, then the attack will cease. Microsoft claims
to have done exactly that by seizing 65 DNS domains used by "ZLoader". A
court order allowed the seizure. Although this doesn't mean that ZLoader
cannot be resurrected, it might mean that there will be a hiatus before it
is reconstituted. The identity of one hacker was discovered and referred
to authorities.

-----------------------------------------------------------------------------
Because That's Where the Money Is

North Korea, NFTs and a hit video game: inside a $500m cryptocurrency theft
Another high-profile hack has raised more questions about the
vulnerabilities of the blockchain
"End users may not necessarily be cognizant of the security risks that
they incur," says Nicholas Christin.
https://www.theguardian.com/technology/2022/apr/16/nft-blockchain-north-korea-hack-ronin-axie-infinity
Publisher: The Guardian
Date: 16 Apr 2022
By: Carly Olson

Summary:
Perhaps one measure of the success of a cryptocurrency scheme is the
amount of theft that it can tolerate without becoming useless. Last year,
about $3.2bn was stolen. This year it will be more, and part of it will be
from the hack that drained the "Ronin Bridge" of half a billion dollars.

"Axie" is a "wildly popular" video game in which players purchase cartoon
characters that are NFTs. The NFTs can be sold to other players. This
commerce uses Ethereum for exchanging money. What could go wrong?

One problem is that while Ethereum transactions are faster than Bitcoin,
they aren't fast enough for the volume of activity in a wildly popular
video game. Thus, one needs an Ethereum "sidechain" that processes
transactions faster by bridging between the game and Ethereum. The
sidechain is called Ronin, and it runs smart contracts for Axie players.
What could go wrong?

The smart contracts are pieces of software in which the actions are
secured by private keys. Smart contracts sometimes have exploitable bugs.
In the case of Ronin, hackers were able to extract private keys via the
contracts, and once they got enough keys, they were able to commandeer the
system and collect all the money for themselves.

Who carried out the dastardly deed? Possibly North Korea. But the fact
that $500 million was left dangling in an insecure cryptocurrency bag
shows that this technology is hardly mature, and ordinary people who just
enjoy playing a video game can be simply putting their money out on the
porch for any clever software expert to carry away.

-----------------------------------------------------------------------------
"Here's a Useless Piece of Code ..."

Oracle already wins 'crypto bug of the year' with Java digital signature bypass
Whole new meaning for zero consequences
https://www.theregister.com/2022/04/20/java_authentication_bug/
Publisher: The Register
Date: 20 Apr 2022
By: Liam Proven

Summary:
When a large software company makes a newbie mistake in its security code,
it's cause for embarrassment. Oracle became the butt of many jokes and
general derision when it revealed a security patch showing that a crucial
piece of code was trivially vulnerable and had been for as much as 6
months.

Much of cryptography that Internet security depends on uses digital
signatures. Oracle undertook to implement their elliptic curve digital
signature software in Java. The original code was in C++, and the
translation from that to Java was successfully carried out and introduced
into Java version 15. Unfortunately, a crucial check to prevent the use of
the "zero signature" was omitted. A "zero signature" always satisfies the
verification step, and for this reason it must be summarily rejected, but
Oracle's Java code didn't look for it.

Oracle has not explained how such a serious error was overlooked during
code review. Perhaps there was some clever but non-obvious way it was
coded in C++, and the expression was "simplified" in the Java version.

-----------------------------------------------------------------------------
Russian Cyberattacks are Part of War

Russian hacking in Ukraine has been extensive and intertwined with
military operations, Microsoft says
https://www.cnn.com/2022/04/27/europe/russia-cyberattacks-ukraine-war-microsoft/index.html
Publisher: CNN
Date: April 27, 2022
By: Sean Lyngaas

Summary:
It seems like an eon has passed since the Ukraine invasion began. As
Russian forces gathered on the border, the US warned about Russian
cyberattacks on Ukraine assets. Microsoft monitored the Ukrainian
Internet, watching for attack attempts, and documented several of them.

"NATO officials David Cattler and Daniel Black noted a series of alleged
Russian data-wiping hacks aimed at Ukrainian organizations over multiple
weeks." They noted that the attacks seem to be timed to support Russian
military objectives. The correlations are difficult to see in the overall
"fog of war" and the images of unrelenting violence.

------------
Microsoft's Special Report on Russia vs. Ukraine Cyberattacks

Special Report: An overview of Russia's cyberattack activity in Ukraine
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd
Publisher: Microsoft
Date: April 27, 2022
By: Digital Security Unit

Summary:
This report summarizes the known cyberattacks launched against Ukraine as
part of the military offensive against that country. These are
infrastructure attacks as well as disinformation attacks.

-----------------------------------------------------------------------------
Pentagon Seeks to Improve Contractor Cybersecurity

Pentagon contractors go looking for software flaws as foreign hacking
threats loom
https://www.cnn.com/2022/05/02/politics/pentagon-defense-contractors-software-flaws/index.html
Publisher: CNN
Date: May 2, 2022
By: Sean Lyngaas

Summary:
Given that "an estimated 300,000 companies comprise the US defense
industrial base" and also given the ability of hackers to move through
supply chains stealthily, the Defense Department has been looking for ways
to improve the security of those 300,000 companies. Smaller companies are
assumed to be especially vulnerable because they might not have the
resources needed to keep their systems locked up tight.

A pilot program of the Pentagon called VDP ("Vulnerability Disclosure
Program") shows some promise. Over the course of a year, the Pentagon
probed the computers of a few dozen participating small companies "to find
and fix flaws in the email programs, mobile devices and industrial
software".

The pilot program was successful in identifying a panoply of weaknesses,
but it is a drop in the bucket. The Pentagon is looking for ways to expand
the program.

-----------------------------------------------------------------------------
A Bounty on Conti

U.S. offers $15 mln reward for information on Conti ransomware group
https://www.reuters.com/world/us-offers-15-mln-reward-information-conti-ransomware-group-2022-05-06/
Publisher: Reuters
Date: May 6, 2022
By: Eric Beech

Summary:
The US State Department wants to apprehend the people behind the Conti
ransomware group. The $15 million reward offered is one tenth of the
amount the Russian-affiliated group is believed to have extorted. They
attacked 16 medical and first responder groups in the United States and
hurt Costa Rica's tax and customs systems.

-----------------------------------------------------------------------------
Costa Rica's Cyber Troubles Intensify

Cyber attack on Costa Rica grows as more agencies hit, president says
https://www.reuters.com/world/americas/cyber-attack-costa-rica-grows-more-agencies-hit-president-says-2022-05-16/
Date: May 16, 2022
Publisher: Reuters
Reporter: Alvaro Murillo
By: Brendan O'Boyle

Summary:
Costa Rica has not paid a ransom to the hackers who have damaged
government systems, and the problems are widening. There is some suspicion
that locals are cooperating with the Russian group behind the attacks.
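
The missing "zero signature" check described in the "Here's a Useless Piece of Code ..." item above, as an added illustration that is not from the article and is not Oracle's code. The toy curve (y^2 = x^3 + 2x + 2 over F_17, group order 19), the Fermat-style inversion, the x = 0 encoding of the point at infinity and all function names are assumptions chosen to model a verifier that never range-checks r and s.

```python
import hashlib

# Constructed toy parameters: textbook curve y^2 = x^3 + 2x + 2 over F_17,
# base point G of prime order 19. Far too small for any real use.
P, A = 17, 2
G = (5, 1)
N = 19
INF = None  # point at infinity


def inv_mod(k, m):
    """Fermat inversion k^(m-2) mod m. It never raises: inv_mod(0, m) == 0."""
    return pow(k % m, m - 2, m)


def add(p1, p2):
    """Affine point addition, including doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; mul(0, pt) is INF."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg):
    """Toy signer that tries k = 1, 2, ...; real ECDSA needs an unpredictable k."""
    z = digest(msg)
    for k in range(1, N):
        r = mul(k, G)[0] % N
        s = inv_mod(k, N) * (z + r * d) % N
        if r and s:
            return (r, s)
    raise ValueError("no usable nonce")


def combine(pub, msg, r, s):
    """Verification arithmetic shared by both verifiers: u1*G + u2*Q."""
    w = inv_mod(s, N)                       # s == 0 yields w == 0
    return add(mul(digest(msg) * w % N, G), mul(r * w % N, pub))


def verify_unchecked(pub, msg, sig):
    """Arithmetic only, no range check: models the omitted step."""
    r, s = sig
    pt = combine(pub, msg, r, s)            # r == s == 0 yields INF
    x = 0 if pt is INF else pt[0]           # assumption: infinity encoded as x = 0
    return x % N == r


def verify_checked(pub, msg, sig):
    """Rejects r or s outside [1, N-1] before doing any arithmetic."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    pt = combine(pub, msg, r, s)
    return pt is not INF and pt[0] % N == r


if __name__ == "__main__":
    pub = mul(5, G)                         # constructed key pair, d = 5
    good = sign(5, b"release-1.0.tar.gz")
    print("genuine, checked:  ", verify_checked(pub, b"release-1.0.tar.gz", good))
    print("zero sig, unchecked:", verify_unchecked(pub, b"anything", (0, 0)))
    print("zero sig, checked:  ", verify_checked(pub, b"anything", (0, 0)))
```

The (0, 0) pair passes the unchecked verifier for every message and every public key because both scalars collapse to zero, which is why a regression test for any ECDSA verifier should include it.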
-----------------------------------------------------------------------------

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Euro S&P 2022 7th IEEE European Symposium on Security and Privacy, Genoa, Italy, June 6-10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfp.html

Euro S&P Workshops 2022 7th IEEE European Symposium on Security and Privacy, Genoa, Italy, June 6-10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfw.html

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers
Submission date: 7 June 2022, 11 October 2022, and 7 February 2023

EURO CSEP 2022 1st European Workshop on Cyber Security Education and Practice, Genoa, Italy, June 10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfw.html

CNS 2022 IEEE Conference on Communications and Network Security, Austin, TX, USA, Hybrid, September 26-28, 2022.
https://cns2022.ieee-cns.org
Submission date: 10 June 2022

SYSTOR 2022 15th ACM International Systems and Storage Conference, Haifa, Israel, June 13-15, 2022.
https://www.systor.org/2022

Cloud S&P 2022 4th Workshop on Cloud Security and Privacy, Rome, Italy, June 20-23, 2022.
https://cloudsp2022.encs.concordia.ca/

CAD4Sec 2022 1st CAD for Hardware Security Workshop, Co-located with ACM/IEEE DAC 2022 conference, San Francisco, CA, USA, July 10, 2022.
http://cad4security.org

SERVICES 2022 2022 IEEE World Congress on Services, Barcelona, Spain, July 10-16, 2022.
https://conferences.computer.org/services/2022/cfp/

NDSS 2023 Network and Distributed System Security Symposium, Location and Dates unknown (or TBD).
https://www.ndss-symposium.org/ndss2023-call-for-papers/
Submission date: 13 May 2022 and 19 July 2022

PODC 2022 41st ACM Symposium on Principles of Distributed Computing, Salerno, Italy, July 25-29, 2022.
https://www.podc.org

CSR 2022 IEEE International Conference on Cyber Security and Resilience, Virtual Conference, July 27-29, 2022.
https://www.ieee-csr.org/

SSS 2022 24th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Clermont-Ferrand, France, November 15-17, 2022.
https://sss2022.limos.fr/
Submission date: 15 April 2022 and 5 August 2022

CSET 2022 15th Cyber Security Experimentation and Test Workshop, Preceding USENIX Security Symposium 2022, Virtual, August 8, 2022.
https://cset22.isi.edu/

USENIX-Security 2022 31st USENIX Security Symposium, Boston, MA, USA, August 10-12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers

S&P 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023.
https://www.ieee-security.org/TC/SP2023/cfpapers.html
Submission dates: 1 April 2022, 19 August 2022, and 2 December 2022

SIGCOMM 2022, Amsterdam, the Netherlands, August 22-26, 2022.
https://conferences.sigcomm.org/sigcomm/2022/

CUING 2022 International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 17th International Conference on Availability, Reliability and Security (ARES 2022), Vienna, Austria, August 23-26, 2022.
https://www.ares-conference.eu/workshops/cuing-2022/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission date: 31 May 2022, 31 August 2022, 30 November 2022, 28 February, 2023

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023.
https://asiaccs2023.org/
Submission date: 1 September 2022 and 15 December 2022

SCN 2022 13th Conference on Security and Cryptography for Networks, Amalfi, Italy, September 12-14, 2022.
https://scn.unisa.it/

SEED 2022 IEEE International Symposium on Secure and Private Execution Environment Design, Virtual, September 26-27, 2022.
https://seed22.engr.uconn.edu

ISC2 2022 8th IEEE International Smart Cities Conference, Paphos, Cyprus, September 26-29, 2022.
https://attend.ieee.org/isc2-2022/call-for-papers/

SecureComm 2022 18th EAI International Conference on Security and Privacy in Communication Networks, Kansas City, USA, October 17-19, 2022.
https://securecomm.eai-conferences.org/2022/

ACM CCS 2022, Los Angeles, U.S.A, November 7-11, 2022.
https://sigsac.org/ccs/CCS2022/call-for-papers.html

ISPEC 2022 International Conference on Information Security Practice and Experience, Taipei, Taiwan, November 23-25, 2022.
https://ispec2022.ndhu.edu.tw/

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe". OR send a note to
   cipher-request@mailman.xmission.com with the subject line "subscribe"
   (this IS automated - thereafter you can manage your subscription
   options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard". OR send a note to
   cipher-postcard-request@mailman.xmission.com with the subject line
   "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to unsubscribe
per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum.
It has a fixed set of departments, defined by the Table of Contents.
Please indicate in the subject line for which department your contribution
is intended. Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included in
both departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can be
easily obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit a
one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.

   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
   Brian Parno
   Associate Professor
   Carnegie Mellon University
   tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
   Alvaro Cardenas
   Associate Professor
   University of California, Santa Cruz
   sp21-chair@ieee-security.org

Vice Chair:
   Gabriela Ciocarlie
   Elpha Secure
   tcchair at ieee-security.org

Treasurer:
   Yong Guan
   Professor
   Department of Electrical and Computer Engineering
   Iowa State University, Ames, IA 50011
   treasurer@ieee-security.org

Newsletter Editor:
   Hilarie Orman
   Purple Streak, Inc.
   500 S. Maple Dr.
   Woodland Hills, UT 84653
   cipher-editor@ieee-security.org

Security and Privacy Symposium, 2022 Chair:
   Rakesh Bobba
   Associate Professor
   Oregon State University
   https://eecs.oregonstate.edu/people/bobba-rakesh
   sp22-chair@ieee-security.org

TC Awards Chair:
   Tegan Brennan
   Assistant Professor
   Stevens Institute of Technology
   tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year