============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy

Electronic Issue 182
November 25, 2024

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of the book, "Serious Cryptography" by Jean-Philippe (JP) Aumasson
    o News items
       - DNS Authority Revived on a Whim
       - Water Works Stops Working
       - Water Bills Resume in Wake of Cyber Intrusion
       - Water Cyber Infrastructure Risks
       - Hacking Ho, Ho, Holidays
       - Telecoms Are Teletargets; Blame the US Government
       - CALEA Calamity: Compromise and Culpability
       - CALEA, We Told You So
       - Telecoms, CALEA, and National Security
       - Wifi Intrusions
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

A few days ago I wrote this first line for the
Editor's Letter: "Computer security problems have not pervaded the news cycle of late, leading me to believe that in the grand scheme of things, malware is less important than politics and war." But, with the approach of the holidays, malware has picked up its pace, as is apparently a well-worn pattern. The news bag is full, and the need for vigilance is eternal.

I do think that it is worth speculating about a future in which AI takes over our computers and our world. Do we have sufficient safeguards to prevent this? Are there required "manual override" standards for dismantling AI? If the past is any guide, those controls won't be implemented until the problems become serious, and we will be forever patching over problems.

Here's to continued research, and research funding, in the new year! The lineup of accepted papers (89 so far) for next year's Security and Privacy Symposium is an impressive illustration of that spectrum and of the energy of the research community. There are papers about software compartmentalization, neural network security, society's engagement with computer security, cryptographic APIs, "personal cyber insurance", etc., etc. Check out the list (https://sp2025.ieee-security.org/accepted-papers.html), and perhaps you'll be inspired to attend the conference next May in San Francisco.

Epitaph On An AI Computing Platform

   Perfection, of a kind, was what it was after,
   And the poetry it invented was easy to understand;
   It knew human folly like the back of its hand,
   And was greatly interested in security;
   When it laughed, respectable sysadmins burst with laughter,
   And when it cried, the applications got no activity.

Apologies to W. H. Auden

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
Nov 23, 2024
____________________________________________________________________

"Serious Cryptography" by Jean-Philippe (JP) Aumasson
No Starch Press, 2025
ISBN-13: 978-1-7185-0384-7 (print), ISBN-13: 978-1-7185-0385-4 (ebook)
345 pages + xxiv
Second edition, 2025

Crypto means business, but what does "crypto" mean to you? The short term "crypto" nowadays has taken another meaning aside from classical cryptography, namely referring to cryptocurrencies, a major player in business these days. We find the business of "crypto" in the world of spies, electronic commerce, banks, secure transactions, and digital assets. Cryptography was mostly in the world of governments before scientific exploration dared to venture there, with many (now classic) books covering seemingly forbidden knowledge at the time. In the last few decades, access to such knowledge has become much easier, but it doesn't necessarily make the subject matter itself easier. The feared quantum cryptoapocalypse is something many expect to happen with the advent of quantum computers capable of solving the "difficult math problems" at the basis of a few cryptosystems commonly in use today; this possibility challenges the status quo.

Jean-Philippe Aumasson has written "Serious Cryptography," a roughly 350-page book in its second edition now, with the intent of explaining cryptography, or at least generating enough interest with a mix of general and highly technical terms to enable the reader to investigate the topic further. 350 pages would normally not be enough to accommodate the wide spectrum of topics he covers in four parts and fifteen chapters total, but he presents the topics in quasi "Cliff Notes" style, with opportunities to delve deeper by either following links to eprint papers or by getting a more specialized book on that topic. While there is an index at the end of the book, there are no consolidated references, as they are sprinkled throughout the book, including the 'Further Reading' section at the end of the chapters. He shows the reader the overall concepts, mathematical formulas and equations, sample real-world configurations or code, all in good cryptographic engineering fashion. That's serious cryptography.

Part I on "Fundamentals" contains three chapters. The first one, "Encryption", talks about the early ciphers such as the Caesar cipher, the Vigenere cipher, the One-Time Pad, and permutations. There are reflections on the security of these early schemes and how to break them. The second chapter adds another element to the mix, namely "Randomness," which is important for making cryptographic operations secure. The focus here is on Pseudo-Random Number Generators (PRNGs). In particular, the reader learns how faulty PRNGs have caused headaches in some operating systems over time. In the third chapter, the author touches upon "Cryptographic Security." Here the reader learns about what it would mean to quantify and evaluate the security of a particular cryptographic scheme, in theory and in practice. There is talk about security levels, security proofs, and achieving security. Some examples illustrate some glaring mistakes of the past.

Part II on "Symmetric Crypto" contains five chapters. Chapter 4 on "Block Ciphers" discusses ciphers that transform plaintext input one block of data at a time (e.g. 16, 32, 128 bits) into ciphertext. While the author mentions the classic US-originated Data Encryption Standard (DES) and the Russian standard GOST, the current US-based (read: NIST-issued) Advanced Encryption Standard (AES) is the center of attention in this chapter, with all its components explained. Chapter 5 covers "Stream Ciphers," where a stream of data is processed, typically one bit at a time, by performing an exclusive OR operation (XOR). Linear Feedback Shift Registers are described in the context of stream ciphers, even with some of the modern algebra behind it. The reader learns about the cipher RC4, among others, and all its security problems, including implementation ones. Chapter 6 on "Hash Functions" explains an essential cipher building block, but one that does not require a secret key. The latest secure hash standard, SHA-3 aka Keccak, is described. The book's author is a co-author of the BLAKE hash function, which was a finalist in the NIST SHA-3 competition. Chapter 7 adds a twist with "Keyed Hashing" where keys are used as additional material to perturb the output of the hash function, namely to achieve constructions such as message authentication codes (MACs). Chapter 8 finally concludes Part III with "Authenticated Encryption," where the reader learns about algorithms that do both encryption and authentication. One such example is AES in Galois Counter Mode, aka AES-GCM.

Part III on "Asymmetric Crypto" touches on a field that only appeared in the "open" in the 1970s with advances by Whitfield Diffie and Martin Hellman and the RSA trio Ron Rivest, Adi Shamir, and Len Adleman. There are four chapters. Chapter 9 elaborates on the "Hard Problems" that gave rise to the discovery of (academic-originated) public key encryption, namely the hardness of the Discrete Log problem and Factoring.
Chapter 10 is entirely dedicated to RSA, published in 1977 as a way to perform public-key crypto, discussing inception and some of the flaws that arose as the algorithm was put into practice. Chapter 11, on the other hand, talks about "Diffie-Hellman," meaning the 1976 paper on "New Directions in Cryptography" as well as some of the extensions to it, and some vulnerabilities that came up over the years. Chapter 12 is on the more recent topic of "Elliptic Curves." One of the motivations of this approach was to create shorter keys than DH or RSA, while maintaining the same security levels. Here the reader will find more modern approaches in use in systems today (in addition to the two previous ones): Elliptic Curve Discrete Logarithm Problem and Elliptic Curve Digital Signature Algorithm. Those readers toying around with blockchain will recognize those approaches.

Part IV on "Applications" covers three chapters, spread across three topics: TLS, Quantum and Post-Quantum, and last but not least Cryptocurrency Cryptography. Chapter 13 engages in the topic of Transport Layer Security (TLS), the successor to what some may know as simply SSL. TLS is the main protocol that makes browsing more secure (the 's' in https://...), but has had its flaws (Heartbleed, CRIME, BEAST, POODLE) in implementations over the years that get their fair share of mentions in this chapter. Chapter 14 "Quantum and Post-Quantum" talks about the cause of headaches for many, especially those who are worried about the "Hard Problems" in Chapter 9, e.g. what is a quantum computer and how does it affect the cryptography we are doing in practice today? Researchers and practitioners alike have been working on getting ready for the "post-quantum world," i.e. one where a tangible quantum computer has been realized that can break today's hard problems, say with Shor's or Grover's algorithms.
The reader learns about the NIST Post-Quantum Cryptography standards, with appropriate ciphers that are usable today, that aim to thwart these challenges. Lastly, Chapter 15 rounds up this part with "Cryptocurrency Cryptography," a topic that many refer to as "crypto." Key phrases such as "Merkle Trees," "Multisignature protocols," "Proof of Work," "Zero Knowledge," and "zkSNARKs" find their proper place in this chapter, in the context of Bitcoin and other cryptocurrencies. It opens the world of "crypto" a bit further for those who may already have a vested interest in "crypto."

This book is aimed at researchers, industry practitioners dealing with "crypto," and graduate students seeking to explore this exciting field with many entry points along the way. The author has made it easy to find that suitable entry point and guide the reader towards more in-depth material once the reader has swallowed the crypto bait. The book is a fine collection of ideas from theory to practice, and all the cryptographic engineering in between.

I very much enjoyed reading this book. The book will find its place on my bookshelf for any needed reference on this fascinating topic or the random student that seeks help or inspiration on the topic of cryptographic engineering, err, I mean, "Serious Cryptography."

------------------------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org
---------------------------------------------------------------------------

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

DNS Authority Revived on a Whim

Rogue WHOIS server gives researcher superpowers no one should ever have
https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/
.mobi top-level-domain managers changed the location of its WHOIS server. No one got the memo.
Publisher: Ars Technica
Date: Sep 11, 2024
By: Dan Goodin

Summary:
The Internet grows and changes, but trust has trouble keeping up. A researcher wondered what would happen if an abandoned DNS name for a WHOIS server could be put back into service and have the trust of users. Apparently 135K entities around the world sent queries and presumably would have trusted the answers as if the original owner still controlled the server.

---------------------------------------------------------------------------

Water Works Stops Working

Water supplier American Water Works says systems hacked
https://www.cbsnews.com/news/security-hack-breach-american-water-works/
Publisher: CBS News
Date: October 8, 2024
By: Kate Gibson

Summary:
The company American Water Works has management systems for municipal and military water supplies. They can provide the software for controlling water delivery and for billing, and several million customers are reliant on their software for getting their bills and paying. In October the company discovered that an unknown entity had infiltrated their billing system, so in an exuberance of caution, they disconnected some of their customer portals and related systems for billing while they examined the extent of the intrusion.
Apparently no software involved with managing water delivery was affected. This information came to light through a regulatory filing.

-------------------------------------

Water Bills Resume in Wake of Cyber Intrusion

American Water restarting systems shut down a week ago by hackers
https://www.cbsnews.com/news/american-water-hack-systems-restored/
Publisher: CBS News
Date: October 11, 2024
By: Kate Gibson

Summary:
After the hacker intrusion, the billing and payment systems for American Water Works have been deemed clean, and the company is resuming customer services. There's no word on the identity of the perpetrator of the intrusion. The company operates in about 1700 communities around the US.

-------------------------------------

Water Cyber Infrastructure Risks

The American Water cyberattack: Explaining how it happened
https://www.techtarget.com/whatis/feature/The-American-Water-cyberattack-Explaining-how-it-happened
A cyberattack on American Water disrupted customer systems. While water operations were unaffected, the incident underscores the vulnerability of critical infrastructure.
Publisher: Techtarget
Date: October 18, 2024
By: Sean Michael Kerner

Summary:
The article has a list of attacks on the computer systems of critical infrastructure systems since 2021. Although there have not been many, there have been four this year already. The trend is upward.

---------------------------------------------------------------------------

Hacking Ho, Ho, Holidays

Former cyber czar urges vigilance ahead of holiday season: "It's not the attackers ... it's us"
https://www.cbsnews.com/news/cyberattacks-vigilance-holiday-season/
Publisher: CBS News
Date: November 22, 2024
By: Nicole Sganga

Summary:
The problem with holidays is that 24/7 vigilance is less effective when key employees enjoy time off. The reduced staffing gives hackers opportunities that may be normally unavailable.
This seems to put security professionals into the same "no time off for holidays" category as emergency room doctors. The data showing how attacks proliferate during the holidays is in a report by security firm Semperis. Its title, "86% of Ransomware Victims Targeted on a Weekend or Holiday" should (see https://www.semperis.com/ransomware-holiday-risk-report/) be a red flag to all companies.

---------------------------------------------------------------------------

Telecoms Are Teletargets; Blame the US Government

Chinese State-Sponsored 'Salt Typhoon' Hackers Also Breached T-Mobile
https://www.pcmag.com/news/chinese-state-sponsored-salt-typhoon-hackers-also-breached-t-mobile
The Wall Street Journal identifies a sequel to earlier attacks targeting AT&T and Verizon.
Publisher: PC Mag
Date: November 16, 2024
By: Rob Pegoraro

Summary:
According to the Wall Street Journal, several large telecom carriers were the object of a stealthy intrusion into customer data such as call records and unencrypted text messages. The hacker group has been identified by Microsoft as one associated with the Chinese intelligence service. The group has been dubbed "Salt Typhoon". Although most text messages are encrypted, there was a gap until September for messages exchanged between Android and Apple phones. The same hacking group has shown up in investigations of intrusions of telecom carriers through the wiretapping entry point required by the Communications Assistance for Law Enforcement Act (CALEA).

-------------------------------------

CALEA Calamity: Compromise and Culpability

Wyden Presses Biden Administration to Secure U.S. Wiretapping Systems Following Reported Hack
https://www.wyden.senate.gov/news/press-releases/wyden-presses-biden-administration-to-secure-us-wiretapping-systems-following-reported-hack
Wyden Calls out Lack of FCC Security Rules, Lax Cybersecurity by Telephone Companies and DOJ Failure to Hold Negligent Companies Accountable
Publisher: Press release from Senator Ron Wyden
Date: October 11, 2024
By:

Summary:
In the wake of revelations about the compromise of sensitive information at US telecoms, Senator Wyden sent a letter to the Department of Justice asking for greater oversight of the "backdoor" access required by CALEA. The senator would like to see corporations held liable for cyber negligence, among other reforms.

-------------------------------------

CALEA, We Told You So

CALEA Was a National Security Disaster Waiting to Happen
https://www.lawfaremedia.org/article/calea-was-a-national-security-disaster-waiting-to-happen
Thanks to U.S. government requirements for tapping capabilities in phone switches, the Chinese have likely compromised wiretap orders.
Publisher: Lawfare Media
Date: November 13, 2024
By: Susan Landau

Summary:
This article clarifies what information was available to Chinese agents through US telecoms, why they were able to access it, and the history of the existence of the remote access interface and its obvious risks.

-------------------------------------

Telecoms, CALEA, and National Security

National security officials meet with US telecom execs to share intel on Chinese cyber-espionage campaign, White House says
https://www.cnn.com/2024/11/23/politics/chinese-cyber-espionage-telecom-execs/index.html
Publisher: CNN
Date: November 23, 2024
By: Sean Lyngaas

Summary:
The White House is taking the revelations about Chinese incursions into US telecommunications systems very seriously. The scope of the problem is as yet unknown, but Senator Mark Warner has called it the "worst telecom hack in our nation's history."
Meetings will continue after the Thanksgiving holiday.

---------------------------------------------------------------------------

Transitive Wifi Intrusions

Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack
https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/
In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.
Publisher: Wired
Date: Nov 22, 2024
By: Andy Greenberg

Summary:
It's no secret that a building's wifi network can be targeted by hackers who are nearby, but if the attack is launched remotely, say from miles away, one might think that the wifi signal was irrelevant. The attack described here shows some cleverness on the part of the remote hacker. Finding the target network unbreachable from afar, a remote attack was launched against a computer in a nearby building. Once that was accomplished, the compromised computer was used to scan the network for an adjacent building. There was enough wifi signal strength to allow the remote hacker to launch a "parking lot attack" against the second building. Google Maps and a little information about where people live and work is enough to find a path from one vulnerable computer to a vulnerable network. Obviously, this can be extended indefinitely.
---------------------------------------------------------------------------

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

NSS-SocialSec 2024 Joint 18th International Conference on Network and System Security and 10th International Symposium on Security and Privacy in Social Networks and Big Data, Abu Dhabi, UAE, November 20-22, 2024.
http://nsclab.org/nss-socialsec2024/index.html

UIC 2024 21st IEEE International Conference on Ubiquitous Intelligence and Computing, Denarau Island, Fiji, December 2-7, 2024.
https://www.ieee-smart-world.org/2024/uic/

ICISS 2024 20th International Conference on Information Systems Security, Jaipur, India, December 16-20, 2024.
https://iciss.isrdc.in/

CSCML 2024 8th International Symposium on Cyber Security, Cryptology and Machine Learning, Beer-Sheva, Israel - Virtual, December 19-20, 2024.
https://www.cscml.org/

FPS 2024 17th International Symposium on Foundations & Practice of Security, Montreal, Canada, December 9-11 2024.
https://fps-2024.hec.ca/

ICSS 2024 10th Industrial Control System Security Workshop, Held in conjunction with the Annual Computer Security Applications Conference (ACSAC), Waikiki, Hawaii, Dec 10, 2024.
https://www.acsac.org/2024/workshops/icss/

USEC 2025 Symposium on Usable Security and Privacy, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-usec/
Submission date: 25 November 2024

ACM WiSec 2025 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Arlington, Virginia, USA, June 30 - July 3, 2025.
https://wisec2025.gmu.edu
Submission date: 26 November 2024 and 12 March 2025

CRiSIS 2024 19th International Conference on Risks and Security of Internet and Systems, Aix-en-Provence, France, November 26-28, 2024.
https://crisis2024.univ-gustave-eiffel.fr

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25
Submission date: 4 September 2024 and 22 January 2025

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025.
https://petsymposium.org/cfp25.php
Submission dates: 31 May 2024, 31 August 2024, 30 November 2024, and 28 February 2025

SDIoTSec 2025 Workshop on Security and Privacy in Standardized IoT, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sdiotsec/
Submission date: 6 December 2024

SpaceSec 2025 Workshop on the Security of Space and Satellite Systems, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-spacesec/
Submission date: 9 December 2024

HOST 2025 18th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA, May 5-8, 2025.
http://www.hostsymposium.org/call-for-paper.php
Submission date: 9 September 2024 and 9 December 2024

WOSOC 2025 Workshop on SOC Operations and Construction, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/
Submission date: 15 December 2024

IFIP TC-11 SEC 2025 40th IFIP TC-11 International Information Security and Privacy Conference, Maribor, Slovenia, May 21-23, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/
Submission date: 20 December 2024

UbiSec 2024 4th International Conference on Ubiquitous Security, Changsha, China, December 29-31, 2024.
http://ubisecurity.org/2024/

IFIP 119 DF 2025 21st Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 6-7, 2025.
http://www.ifip119.org/

DFRWS-USA 2025 25th Annual Digital Forensics Research Conference, Chicago, Illinois, USA, July 22-25, 2025.
https://dfrws.org/conferences/dfrws-usa-2025/
Submission date: 20 January 2025

MADWeb 2025 Workshop on Measurements, Attacks, and Defenses for the Web, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/
Submission date: 9 January 2025

ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/
Submission date: 9 January 2025 and 14 April 2025

FutureG 2025 Workshop on Security and Privacy of Next-Generation Networks, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/
Submission date: 10 January 2025

IMPACT 2025 Workshop on Innovation in Metadata Privacy-Analysis and Construction Techniques, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-impact/
Submission date: 10 January 2025

BAR 2025 Binary Analysis Research Workshop, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-bar/
Submission date: 15 January 2025

SELLMOD 2025 Workshop on the Safety and Explainability of Large Models Optimization and Deployment, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sellmod/
Submission date: 15 January 2025

NDSS 2025 Network and Distributed System Security Symposium and Workshops, San Diego, CA, USA, February 23-28, 2025.
https://www.ndss-symposium.org/ndss2025/submisions/call-for-papers/

USEC 2025 Symposium on Usable Security and Privacy, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-usec/

SDIoTSec 2025 Workshop on Security and Privacy in Standardized IoT, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sdiotsec/

SpaceSec 2025 Workshop on the Security of Space and Satellite Systems, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-spacesec/

WOSOC 2025 Workshop on SOC Operations and Construction, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/

FutureG 2025 Workshop on Security and Privacy of Next-Generation Networks, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/

MADWeb 2025 Workshop on Measurements, Attacks, and Defenses for the Web, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/

IMPACT 2025 Workshop on Innovation in Metadata Privacy-Analysis and Construction Techniques, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-impact/

BAR 2025 Binary Analysis Research Workshop, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-bar/

SELLMOD 2025 Workshop on the Safety and Explainability of Large Models Optimization and Deployment, Co-located with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sellmod/

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025.
https://petsymposium.org/cfp25.php
Submission dates: 31 May 2024, 31 August 2024, 30 November 2024, and 28 February 2025

DFDS 2025 1st Digital Forensics Doctoral Symposium, Held in conjunction with Digital Forensics Research Conference Europe (DFRWS EU 2025), Brno, Czech Republic, April 1, 2025.
https://www.dfrws.org/conferences/dfds2025/

DFRWS EU 2025 Digital Forensics Research Conference Europe, Hybrid, Brno, Czech Republic April 1-4, 2025.
https://dfrws.org/conferences/dfrws-eu-2025/

SaTML 2025 3rd IEEE Conference on Secure and Trustworthy Machine Learning, Copenhagen, Denmark April 9-11, 2025.
https://satml.org/participate-cfp/

ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/
Submission date: 9 January 2025 and 14 April 2025

HOST 2025 18th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA May 5-8, 2025.
http://www.hostsymposium.org/call-for-paper.php

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA May 12-15, 2025.
https://www.sp2025.ieee-security.org/cfpapers.html

IFIP TC-11 SEC 2025 40th IFIP TC-11 International Information Security and Privacy Conference, Maribor, Slovenia May 21-23, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/

CSF 2025 38th IEEE Computer Security Foundations Symposium, Santa Cruz, CA, USA, June 16-20, 2025.
https://csf2025.ieee-security.org/

ACM WiSec 2025 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Arlington, Virginia, USA, June 30 - July 3, 2025.
https://wisec2025.gmu.edu
Submission date: 26 November 2024 and 12 March 2025

ACM WiSec 2025 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Arlington, Virginia, USA, June 30 - July 3, 2025.
https://wisec2025.gmu.edu

IEEE EuroS&P 2025 10th IEEE European Symposium on Security and Privacy, Venice, Italy, June 30 - July 4, 2025.
https://eurosp2025.ieee-security.org/

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025.
https://petsymposium.org/cfp25.php

CSF 2025 38th IEEE Computer Security Foundations Symposium, Santa Cruz, CA, USA, June 16-20, 2025.
https://csf2025.ieee-security.org/
Submission date: 28 May 2024, 1 October 2024, and 4 February 2025

DFRWS-USA 2025 25th Annual Digital Forensics Research Conference, Chicago, Illinois, USA, July 22-25, 2025.
https://dfrws.org/conferences/dfrws-usa-2025/

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25

ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:                              Security and Privacy Symposium Chair Emeritus:
Gabriela Ciocarlie                  Daniel Takabi
Associate Professor                 Associate Professor
University of Texas at              Georgia State University
San Antonio                         https://cas.gsu.edu/profile/daniel-takabi
tcchair at ieee-security.org

Vice Chair:                         Treasurer:
Thorsten Holtz                      Yong Guan
Faculty Member                      Professor
CISPA Helmholtz Center for          Department of Electrical and Computer
Information Security                Engineering
tcchair at ieee-security.org        Iowa State University, Ames, IA 50011
                                    treasurer@ieee-security.org

Newsletter Editor:                  Security and Privacy Symposium, 2024 Chair:
Hilarie Orman                       Trent Jaeger
Purple Streak, Inc.                 Associate Professor
500 S. Maple Dr.                    Pennsylvania State University
Woodland Hills, UT 84653            https://www.cse.psu.edu/~trj1/
cipher-editor@ieee-security.org     sp24-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year