============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 186
July 28, 2025

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org

Sven Dietrich, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o News Items:
       - CyberSec EOs Skirt the Issue
       - Singing the Bluetooth Blues
       - GRU Moves Into the Cyber Era
       - Rowhammer Slams Into GPUs
       - No Password for Old Men
       - OverSharing
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The recent announcements of severe bugs in car infotainment systems and Microsoft's SharePoint servers are unsettling. Are these the detritus of "move fast and break things", or is it just too hard to keep major security bugs out of production software?
And if self-driving cars and "move it all to the cloud" are in our immediate future, then are we moving into a hacker's paradise where everything is hackable (maybe it is already)? Can AI rescue us from our own incompetence? Or will it magnify our failings? I offer the question as food for thought for those who find other, more immediate, thoughts to be even more unsettling.

An upheaval in funds and funding rules is causing havoc in some academic circles in the US. Mathematicians are finding that travel funds are scarce, for example. I expect to see hitchhikers with signs asking for lifts to conferences. I hope AI can learn to do proofs without hallucinations before the last mathematician turns out the lights.

For security researchers with money, the options for summer conferencing are ample. Check our calendar in this issue.

DRAM Hammer Song

   If I had a hammer,
   I'd hammer your memory,
   I'd hammer on your server, all over DRAM.
   I'd hammer out data,
   I'd hammer out crypto,
   I'd hammer out the meaning of your secrets,
   All over DRAM.

   Well I've got a hammer, and I've got a cell,
   I've mapped out your server and all your DRAM.
   It's the hammer of errors, it's the cell of ciphertext,
   It's a song about the bytes between the AI and the crypto,
   All over DRAM.

   (with apologies to Lee Hays)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

---------------------------------------------------------------------------
CyberSec EOs Skirt the Issue

The Cybersecurity Patchwork Quilt Remains Incomplete
https://www.lawfaremedia.org/article/the-cybersecurity-patchwork-quilt-remains-incomplete
Trump's first executive order on cybersecurity embraced more Biden initiatives than it overturned, but still misses the mark - accountability.
Publisher: Lawfare
Date: July 16, 2025
By: Jim Dempsey

Summary:
Back in March we mentioned the uncertainty about the fate of Biden's executive order on software security (https://ieee-security.org/Cipher/Newsbriefs/2025/news-032425.html#USGOVPOLICY). This article is an in-depth analysis of Trump's recent EO on the same topic. It is interesting to note that neither order requires that software producers provide any guarantee of security. Instead, they attest to the integrity of their development processes.

-------------------------------------------------------------------------------
Singing the Bluetooth Blues

Bluetooth Hack Exposes Millions of Cars to Remote Risk
Bluetooth hack exposes millions of vehicles from Mercedes, VW, and Skoda to remote attacks. Here’s what drivers must know and how to protect themselves.
https://www.testmiles.com/perfektblue-bluetooth-hack-remote-car-attacks/
Publisher: Testmiles
Date: July 11, 2025
By: nik

Summary:
Hacking car computer systems may seem laughably out-of-date in a world in which we are only a few steps away from self-driving vehicles. Surely they've got security worked out by now? But it doesn't get much worse than PerfektBlue:
"Researchers demonstrated remote code execution on production vehicles using only a Bluetooth connection, no cables, no ports, no physical access required."
Four separate vulnerabilities were leveraged to carry out the deep access to the car's data, and potentially to driving controls.
"If your car runs on BlueSDK and hasn’t been patched since September 2024, it’s potentially exposed."
The SDK is the basis for some infotainment systems on cars.
--------------------------------
PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda
https://securityaffairs.com/179789/hacking/perfektblue-bluetooth-attack-allows-hacking-infotainment-systems-of-mercedes-volkswagen-and-skoda.html
Publisher: Security Affairs
Date: July 10, 2025
By: Pierluigi Paganini

Summary:
Researchers at PCA Cyber Security (formerly PCAutomotive) in 2024 identified 4 security flaws in the Bluetooth code provided by OpenSynergy in their SDK for Bluetooth. BlueSDK is a widely used framework in cars. One of the vulnerabilities was designated "critical", and the PCA team did not disclose it until recently, after consultation with the software provider about the availability of patches. This article gives brief descriptions of the vulnerabilities and links to their CVE entries. Nonetheless, there is no further information available from CVE.org about the critical flaw: "Use-After-Free in AVRCP service"

-------------------------------------------------------------------------------
GRU Moves Into the Cyber Era

Profile: GRU cyber and hybrid threat operations
Policy paper
https://www.gov.uk/government/publications/profile-gru-cyber-and-hybrid-threat-operations/profile-gru-cyber-and-hybrid-threat-operations
Publisher: UK.GOV
Date: 18 July 2025

Summary:
The UK Ministry of Defence has released a report about operations of the Russian GRU (https://en.wikipedia.org/wiki/GRU_(Russian_Federation)).
"The UK is concerned that the GRU has used Ukraine as a testing ground for the development of a range of cyber capabilities, integrated into its military doctrine, since 2014 onwards."
For example, email hacking was used as part of the plot to poison Sergei and Yulia Skripal in 2018 in the UK.
The report covers actions of various GRU units, particularly Unit 29155 "also known as the 161st Specialist Training Center (TsPS), which has a cyber wing known in open source as Cadet Blizzard"

-------------------------------------------------------------------------------
Rowhammer Slams Into GPUs

GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs
https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.html
Publisher: The Hacker News
Date: Jul 12, 2025
By: Ravie Lakshmanan

Summary:
GPUs are essential workhorses for artificial intelligence and many other applications today, but they recapitulate the security flaws of early computers, making them vulnerable to some well-known attacks. Researchers have demonstrated that RowHammer attacks are feasible on multi-tenant GPUs.
"The most concerning consequence of this behavior, University of Toronto researchers found, is the degradation of an artificial intelligence (AI) model's accuracy from 80% to less than 1%."
NVIDIA recommends enabling their error-correction code (ECC) option to protect the integrity of computations. Doing so can reduce the speed of computation by several per cent, and that may change the cost of doing AI business.

-------------------------------------------------------------------------------
No Password for Old Men

Weak password allowed hackers to sink a 158-year-old company
https://www.bbc.com/news/articles/cx2gx28815wo
Publisher: The BBC
Date: Jul 21, 2025
By: Richard Bilton

Summary:
The British transport company KNPT has been in business for a very long time, but modern technology and a small mistake led to its demise. At least one employee computer account had a weak password that was exploited to launch a ransomware attack. The ransom demand was exorbitant, and the company lost all its data. Although it had insurance against cyberattacks, it was no longer able to operate.
The UK faces an increasing number of disruptive ransomware attacks from organized crime. The average demand is for 4 million pounds. One proposal for dealing with the crime wave would bar any company or governmental body from paying ransom.

-------------------------------------------------------------------------------
OverSharing

A zero-day RCE exploit against Microsoft's SharePoint servers has dominated the security news cycle for several days. A previous patch for the problem, revealed at a hackathon last May, was easily overcome by Chinese hacking groups. Some hundreds of servers have been compromised. Updated patches are available, but ransomware on vulnerable servers is spreading.

----------
Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers
https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
Publisher: The Hacker News
Date: Jul 20, 2025
By: Ravie Lakshmanan

Summary:
Microsoft released an advisory message on July 19, 2025 about a severe security problem with their SharePoint Server implementations:
"[D]eserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network"
The code hidden in the deserialization is executed before authentication takes place, allowing unfettered access to data. The exploit point is the HTTP Referer header "provided to the ToolPane endpoint."

--------------------------------
Eye Security Detects Large-Scale Exploitation of Critical Microsoft SharePoint Vulnerability
https://www.eye.security/press/eye-security-detects-large-scale-exploitation-of-critical-microsoft-sharepoint-vulnerability
Publisher: Eye Security
Date: July 20, 2025

Summary:
Researchers were investigating "unusual activity" on a SharePoint server, when they discovered something seriously awry:
"... a malicious file had been uploaded, enabling exfiltration of cryptographic keys.
These keys can be abused to bypass authentication and maintain persistent access to SharePoint environments, even after standard patching. During the triage, Eye Security learned it had stumbled upon a SharePoint 0-day used in the wild."
This has impacted hundreds of systems.

--------------------------------
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available
https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
Publisher: Bleeping Computer
Date: July 20, 2025
By: Lawrence Abrams

Summary:
This article has more details about how the Remote Code Execution attack works, how to detect its activity, and which patches to apply.

--------------------------------
Microsoft knew of SharePoint server exploit but failed to effectively patch it
https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-knew-sharepoint-server-exploit-failed-effectively-patch-it-2025-07-22/
Publisher: Reuters
Date: July 22, 2025
By: James Pearson

Summary:
Microsoft appears to have stumbled in its efforts to provide patches for a SharePoint server vulnerability.
"The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition organised by cybersecurity firm Trend Micro (4704.T) that offered cash bounties for finding computer bugs in popular software."
Although Microsoft provided patches on July 8, hackers reopened the wound 10 days later and mounted active attacks. The attacks have been attributed to Chinese hackers.

--------------------------------
Chinese Hackers Are Exploiting Flaws in Widely Used Software, Microsoft Says
https://www.nytimes.com/2025/07/23/world/asia/chinese-hackers-microsoft-sharepoint.html
Publisher: NY Times
Date: July 23, 2025
By: Vivian Wang

Summary:
Microsoft said that the Chinese hacking groups Linen Typhoon and Violet Typhoon were actively exploiting unpatched SharePoint servers.
The company has tracked the groups for several years and identified many of their targets. The cybersecurity firm Eye Security said that its investigations showed that about 6% of SharePoint servers worldwide had been infected.

--------------------------------
Microsoft server hack has now hit 400 victims, researchers say
https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-server-hack-has-now-hit-400-victims-researchers-say-2025-07-23/
Publisher: Reuters
Date: July 23, 2025

Summary:
Microsoft announced that a hacker group known as "Storm-2603" has used the SharePoint vulnerability for launching ransomware attacks.

--------------------------------
UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities
https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
Publisher: CISA
Date: July 24, 2025

-----------------------------------------------------------------------

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

IEEE Transactions on Privacy,
https://www.computer.org/csdl/journals/pr
Submission date: On-going

APWG eCrime 2025 20th APWG Symposium on Electronic Crime Research, San Diego, CA, USA, November 4-7, 2025.
https://apwg.org/events/ecrime2025
Submission date: 29 July 2025

HealthSec 2025 Workshop on Cybersecurity in Healthcare, Co-located with the Annual Computer Security Applications Conference (ACSAC41), Honolulu, HI, USA, December 9, 2025.
https://publish.illinois.edu/healthsec2025/
Submission date: 1 August 2025

CSR 2025 IEEE International Conference on Cyber Security and Resilience, Chania, Crete, Greece, August 4-6, 2025.
https://www.ieee-csr.org/

NDSS 2026 Network and Distributed System Security, San Diego, CA, USA, February 23-27, 2026.
https://www.ndss-symposium.org/ndss2026/submissions/call-for-papers/
Submission dates: 23 April 2025 and 6 August 2025

TPS 2025 7th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, Pittsburgh, PA, USA, November 11-14, 2025.
https://www.sis.pitt.edu/lersais/conference/tps/2025/
Submission date: 8 August 2025

ICISS 2025 21st International Conference on Information Systems Security, Indore, India, December 16-20, 2025.
https://iciss.isrdc.in/
Submission date: 10 August 2025

XRSecurity 2025 Workshop on Security, Privacy, and Trust in Extended Reality Systems, Held in conjunction with ACM MobiHoc 2025, Houston, TX, USA, October 27-30, 2025.
https://xrsecurity.github.io/2025/
Submission date: 10 August 2025

ARES 2025 20th International Conference on Availability, Reliability and Security, Ghent, Belgium, August 10-13, 2025.
https://2025.ares-conference.eu/

EDId 2025 2nd International Workshop on Emerging Digital Identities, Co-located with the 20th International Conference on Availability, Reliability and Security (ARES 2025), Ghent, Belgium, August 11-14, 2025.
https://2025.ares-conference.eu/program/edid/

ENS 2025 8th International Workshop on Emerging Network Security, Co-located with the 20th International Conference on Availability, Reliability and Security (ARES 2025), Ghent, Belgium, August 11-14, 2025.
https://2025.ares-conference.eu/program/ens/

CUING 2025 9th International Workshop on Cyber Use of Information Hiding, Co-located with the 20th International Conference on Availability, Reliability and Security (ARES 2025), Ghent, Belgium, August 11-14, 2025.
https://2025.ares-conference.eu/program/cuing/

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25

USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026.
https://www.usenix.org/conference/usenixsecurity26
Submission dates: 26 August 2025 and 5 February 2026

PST 2025 22nd Annual International Conference on Privacy, Security & Trust, Fredericton, Canada, August 26-28, 2025.
http://pstnet.ca/

ACM Distributed Ledger Technologies: Research and Practice, Special Issue on Distributed Ledger Technologies for Trustworthy Internet of Vehicles.
https://dl.acm.org/pb-assets/static_journal_pages/dlt/pdf/ACM-CFP-DLT-Trustworthy-IoV-1712343333363.pdf
Submission date: 31 August 2025

Journal of Systems Architecture, Special Issue on Security and Privacy in AIoT-enabled Smart Cities.
https://www.sciencedirect.com/special-issue/313735/security-and-privacy-in-aiot-enabled-smart-society
Submission date: 31 August 2025

TPHAC 2025 IEEE Workshop on Trustworthy and Privacy-Preserving Human-AI Collaboration, Co-located with IEEE International Conference on CIC/TPS/CogMI, Pittsburgh, PA, USA, November 11-14, 2025.
https://sites.google.com/pitt.edu/tphac/home
Submission date: 31 August 2025

PETS 2026 26th Privacy Enhancing Technologies Symposium, Location TBD, July, 2026.
https://petsymposium.org/cfp26.php
Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026

SICSI 2025 1st International Workshop on Secure Industrial Control Systems and Industrial-IoT, Co-located with IEEE CNS 2025, Avignon, France, September 8-11, 2025.
https://aliteke.github.io/sicsi2025/

MLCS 2025 7th Workshop on Machine Learning for Cybersecurity, Co-located with the ECML PKDD 2025 conference, Porto, Portugal, September 15, 2025.
http://mlcs.lasige.di.fc.ul.pt/

ESORICS 2025 30th European Symposium on Research in Computer Security, Toulouse, France, September 22-26, 2025.
https://www.esorics2025.org/

DPM 2025 20th Workshop on Data Privacy Management, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025.
https://deic.uab.cat/dpm/dpm2025/

SECAI 2025 Workshop on Security and Artificial Intelligence, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025.
https://sites.google.com/view/secai2025/home

CBT 2025 9th International Workshop on Cryptocurrencies and Blockchain Technology, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025.
http://cbtworkshop.org/

STM 2025 21st International Workshop on Security and Trust Management, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025.
https://www.nics.uma.es/stm2025/index.html

SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026.
https://satml.org/
Submission date: 24 September 2025

IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026.
http://www.ifip119.org/
Submission date: 30 September 2025

WPES 2025 24th Workshop on Privacy in the Electronic Society, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 13, 2025.
http://jianying.space/WPES2025/

ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/

MarCaS 2025 3rd LCN Special Track on Maritime Communication and Security, Held in conjunction with the 50th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2025), Sydney, Australia, October 14-16, 2025.
https://garykessler.net/lcn_marcas/

ASHES 2025 9th Workshop on Attacks and Solutions in Hardware Security, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025.
https://ashesworkshop.online/

QSec 2025 ACM QSec: Quantum Security and Privacy Workshop, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025.
https://acm-qsec.com/

AICCSA 2025 22nd ACS/IEEE International Conference on Computer Systems and Applications, Doha, Qatar, October 19-22, 2025.
https://conferences.sigappfr.org/aiccsa2025/

APF 2025 Annual Privacy Forum, Frankfurt a.M., Germany, October 22-23, 2025.
https://privacyforum.eu/

XRSecurity 2025 Workshop on Security, Privacy, and Trust in Extended Reality Systems, Held in conjunction with ACM MobiHoc 2025, Houston, TX, USA, October 27-30, 2025.
https://xrsecurity.github.io/2025/

ICICS 2025 27th International Conference on Information and Communications Security, Nanjing, China, October 29-31, 2025.
https://www.icics2025.org/index.html

APWG eCrime 2025 20th APWG Symposium on Electronic Crime Research, San Diego, CA, USA, November 4-7, 2025.
https://apwg.org/events/ecrime2025

TPS 2025 7th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, Pittsburgh, PA, USA, November 11-14, 2025.
https://www.sis.pitt.edu/lersais/conference/tps/2025/

TPHAC 2025 IEEE Workshop on Trustworthy and Privacy-Preserving Human-AI Collaboration, Co-located with IEEE International Conference on CIC/TPS/CogMI, Pittsburgh, PA, USA, November 11-14, 2025.
https://sites.google.com/pitt.edu/tphac/home

SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026.
https://sp2026.ieee-security.org/cfpapers.html
Submission dates: 5 June 2025 and 13 November 2025

CANS 2025 24th International Conference on Cryptology and Network Security, Osaka, Japan, November 17-20, 2025.
https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/index.html

PETS 2026 26th Privacy Enhancing Technologies Symposium, Location TBD, July, 2026.
https://petsymposium.org/cfp26.php
Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026

ACSAC 2025 41st Annual Computer Security Applications Conference, Honolulu, Hawaii, USA, December 8-12, 2025.
https://www.acsac.org/

HealthSec 2025 Workshop on Cybersecurity in Healthcare, Co-located with the Annual Computer Security Applications Conference (ACSAC41), Honolulu, HI, USA, December 9, 2025.
https://publish.illinois.edu/healthsec2025/

ICISS 2025 21st International Conference on Information Systems Security, Indore, India, December 16-20, 2025.
https://iciss.isrdc.in/

IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026.
http://www.ifip119.org/

USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026.
https://www.usenix.org/conference/usenixsecurity26
Submission dates: 26 August 2025 and 5 February 2026

NDSS 2026 Network and Distributed System Security, San Diego, CA, USA, February 23-27, 2026.
https://www.ndss-symposium.org/ndss2026/submissions/call-for-papers/

PETS 2026 26th Privacy Enhancing Technologies Symposium, Location TBD, July, 2026.
https://petsymposium.org/cfp26.php
Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026

SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026.
https://satml.org/

SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026.
https://sp2026.ieee-security.org/cfpapers.html

USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026.
https://www.usenix.org/conference/usenixsecurity26

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1
sp24-chair@ieee-security.org

Vice Chair:
Alvaro Cardenas
Professor
University of California, Santa Cruz
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2025 Chair:
Marina Blanton
Associate Professor
University at Buffalo
sp25-chair at ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html