============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 187
September 24, 2025

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org

Sven Dietrich, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of the book, "From Day Zero to Zero Day" by Eugene Lim
  o News from the Media
    - Do AI Chips Phone Home?
    - Cybersecurity Company Eats So That It Can Grow
    - Hens Hiring Foxes
    - Long Key Made Short --- Shades of DES
    - The EoE (Everyone on Earth) Database?
    - NICE Money
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The IEEE Computer Society recently held elections, and we are pleased to congratulate Terry Benzel, long-time leader in the sphere of cybersecurity, and especially of all things related to the Security and Privacy Symposium, on her election to the position of Vice President. The results of the election for officers and the Board of Governors are here: https://www.computer.org/press-room/joaquim-jorge-elected-ieee-computer-society-2027-president

Somberly we note that two important figures in the history of computer security died recently: George Davida, who was a founder of the Security and Privacy Symposium, and Marv Schaefer, a researcher who was a pioneer in secure operating system design and the precise definition of security requirements. Information about them can be found at ACSA's In Memoriam page: https://www.acsac.org/acsa/memoriam.html (Davida will be added soon; see also his University of Wisconsin obituary at https://uwm.edu/engineering/george-davida-professor-emerit-passed-away-in-august/).

It may be hard for people to remember the early days of our research field when conferences were small and papers were few. There were not many computers, and threats were minimal. That was the era when the foundational work was done by a handful of far-sighted people.

News for this issue of the newsletter includes a recent report on the investigation into a widespread cyberattack on telecommunications infrastructure last year. The actors behind the attack could have acquired information of some kind or another for almost everyone in the US. In terms of database technology, an index for 350 million objects is not much of a challenge. There have been so many disclosures of personal information over the last several years that it would be surprising if such a database did not exist. Moreover, several different entities are probably maintaining their own versions of this. Should the "Whole Earth Phone Book" be a public service?

----------

Old Time EMail Blues

You ain't nothin' but a filter,
Just Bayesian design.
You ain't never caught a phisher,
Well, you ain't no friend of mine.

When they said you was accurate,
Well, that was just a lie
You found false positives,
And you ain't no friend of mine.

(With apologies to The King)

----------

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
"From Day Zero to Zero Day"
Sep 22, 2025
____________________________________________________________________

"From Day Zero to Zero Day" by Eugene Lim
No Starch Press, 2025
ISBN-13: 978-1-7185-0394-6 (print), ISBN-13: 978-1-7185-0395-3 (ebook)
319 pages + xxv, first edition, June 2025

Recent software supply chain attacks on npm (Node Package Manager) repositories for JavaScript/Node.js code have brought upon us references to Frank Herbert's 1965 science-fiction novel "Dune" with its "Shai-Hulud" worms. "Shai-Hulud" is what security analysts have named this campaign in connection with the npm attacks. As we seek some projects for the upcoming shorter days (at least in the Northern Hemisphere now), we could of course consider re-reading the "Dune" novel or watching the corresponding movie(s)... Why not also consider reading about vulnerability discovery and reverse engineering? The continued challenges of new cybersecurity threats require constant recalibrating of our abilities to analyze malware or regular software applications, especially when we have to deal with zero-day vulnerabilities.

To help with this process, Eugene Lim wrote "From Day Zero to Zero Day," a 340+ page book to cover the various phases of vulnerability discovery and analysis. This book focuses on three major techniques in vulnerability research: code review, reverse engineering, and fuzzing. The author takes a practitioner-centric and hands-on approach for describing the various techniques, focusing on examples of actual (often C) code, screenshots, and web links (URLs).

The book is divided into three parts, with each containing several chapters. Each chapter begins with a quote and concludes with a summary. There are no formal literature references other than perhaps URLs, but the book does have a companion website with downloads. The focus of the book is on the Linux operating system environment, with some stray MS Windows mentions. The main hardware focus concerns the Intel x86/x64 hardware architecture. Those on ARM architectures should be warned that some of the code may not run for them, or at least not natively or without a proper emulation layer.

In the Introduction, the author sets the stage for the reader, identifies who the book is for, identifies the online resources, and recommends other books to complement the reading of his book. Some of those books the author mentions have been reviewed in this book review column.

The author starts - no surprise there - with a "Chapter 0," as the Day Zero. Here the reader learns about the basic terminology and how to navigate the various parts of the book, covering what a vulnerability is, what vulnerability research is, in particular zero-day vulnerability research, and how to approach any potential projects. The chapter actually starts with a quote about rapid learning from - you guessed it - Frank Herbert's "Dune."

In Part I 'Code Review,' the reader is introduced to Taint Analysis in Chapter 1, 'Mapping Code to Attack Surface' in Chapter 2, and 'Automated Variant Analysis' in Chapter 3. Each chapter is structured in such a manner that simple examples are expanded into mini projects that the reader can try on their own. Command lines and configuration settings are clearly outlined and easy to follow.

In Part II 'Reverse Engineering,' the topic shifts to something that is sometimes considered more an art than a science: reverse engineering of code. In Chapter 4 'Binary Taxonomy,' the discussion starts with Node.js Electron applications to be reverse engineered, switches to Intermediate Representations (a halfway point of sorts between source code and machine code), and eventually shifts to Machine Code. Chapter 5 'Source and Sink Discovery' delves into the free tool Ghidra (developed and maintained by NSA) for static analysis, discusses dynamic analysis, and explores exploitability of the vulnerabilities. Chapter 6 'Hybrid Analysis in Reverse Engineering' goes into code coverage, emulation, and symbolic analysis. In each of these chapters, examples of tools to achieve the various tasks are presented.

In Part III 'Fuzzing,' the author shifts gears to discovering vulnerabilities by the techniques known as fuzzing, where various inputs are tried on programs to trigger errors and possibly crashes. In Chapter 7 'Quick and Dirty Fuzzing,' a few simple fuzzing techniques are shown for a protocol (e.g. the MQTT protocol, used for IoT) and there is also a reference to OSS-Fuzz, commonly used by Google on open-source software for vulnerability discovery. Chapter 8 'Coverage-Guided Fuzzing' shifts to tools such as American Fuzzy Lop (AFL) and its variants, as well as those that can measure how much of the code was covered by the fuzzing tool(s). In Chapter 9 'Fuzzing Everything' there is an expansion to other languages (e.g. Go) and different binary models.

In the end, Chapter 10 'Beyond Day Zero,' the book wraps up with a more procedural tone and elaborates on vulnerability disclosure, CVE assignment, and integrating vulnerability discovery into the software development lifecycle. The summary at the end of Chapter 10 functions as the conclusion of the book, as it goes over all the parts with their respective chapters and ties all the pieces together.

This book, written by the competent and accomplished Eugene Lim, is aimed at a practitioner security analyst/engineer audience or perhaps university students seeking more practical exploration. It does provide technical details for those wishing to explore the topic further, not just the "simple" examples discussed in the book. While there are no formal literature references, the URLs provided in the book and the companion code site give the reader ample opportunities to "play" with the techniques outlined in the book. As a caveat, many of the techniques are tied to contemporary operating systems and associated command lines. Time will tell how this seemingly more tutorial-oriented book will age. Nevertheless, the general principles and techniques will give the reader a solid introduction to the field, or perhaps fill a few gaps along the way for those who are already more or less versed in it.

I enjoyed reading this book. It will find its place on my bookshelf for any unsuspecting student to discover should they ask about vulnerability discovery or zero days.
---------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

----------------------------------------------------------------------------
Do AI Chips Phone Home?

Nvidia says its chips have no 'backdoors' after China flags H20 security concerns
https://www.reuters.com/world/china/nvidia-says-its-chips-have-no-backdoors-after-china-flags-h20-security-concerns-2025-07-31/
Publisher: Reuters
Date: July 31, 2025

Summary: Nvidia's sales of its H20 AI chips to China were halted by US government policy earlier this year, but were permitted in July, in conjunction with a new policy that recommended that the chips have backdoors for location tracking. That caused the Cyberspace Administration of China to summon Nvidia to a meeting to explain its plans for compliance with the policy. Nvidia issued a statement saying "Cybersecurity is critically important to us. Nvidia does not have 'backdoors' in our chips that would give anyone a remote way to access or control them." China needs Nvidia chips for its AI businesses, and the article predicts that China will not introduce regulatory restrictions that will prevent companies from using Nvidia products.

----------------------------------------------------------------------------
Cybersecurity Company Eats So That It Can Grow

Palo Alto's $25 billion deal for CyberArk targets rising AI-driven threats
https://www.reuters.com/world/middle-east/palo-altos-25-billion-deal-cyberark-targets-rising-ai-driven-threats-2025-07-30/
Publisher: Reuters
Date: July 30, 2025
By: Kritika Lamba and Aditya Soni

Summary: Cybersecurity is becoming more important due to the potent combination of AI and cyberattacks that has been developing over the past few years. Palo Alto Networks' acquisition of CyberArk demonstrates how security companies are widening their toolset to provide more comprehensive protection for their clients. This deal, valued at $25B, brings expertise in "privileged access management" to Palo Alto Networks' customers. Some analysts have expressed concern about how the new technology will be merged into the acquirer's infrastructure. Imtiaz Koujalgi, Roth Capital Partners' managing director of software research, opines: "Also, Palo Alto talks about integrating its acquisitions into its platform, but given the scale of CyberArk and installed base that could be a challenge."

----------------------------------------------------------------------------
Hens Hiring Foxes

Microsoft Used China-Based Engineers to Support Product Recently Hacked by China
Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn't mention that it has long used China-based engineers to maintain the product.
https://www.propublica.org/article/microsoft-sharepoint-hack-china-cybersecurity
Publisher: ProPublica
Date: August 1, 2025
By: Renee Dudley

Summary: This article shows how difficult it can be for a global business to provide a product to the US without relying on foreign workers. Microsoft's cloud-based SharePoint systems are widely used, and the US Department of Defense is a customer. Microsoft's team for maintaining the software includes workers in China (under the supervision of US managers). This became a cause for concern after Microsoft attributed a serious zero-day hack to Chinese hackers. The Department of Defense wants to know more about the risks of maintaining critical software within the borders of a foreign country. Did the hackers benefit from information obtained by Microsoft employees in China? How much risk does this raise? For its part, Microsoft said they were in the process of moving the software maintenance tasks to the US.

----------------------------------------------------------------------------
Long Key Made Short --- Shades of DES

Encryption Made for Police and Military Radios May Be Easily Cracked
Researchers found that an encryption algorithm likely used by law enforcement and special forces can have weaknesses that could allow an attacker to listen in.
https://www.wired.com/story/encryption-made-for-police-and-military-radios-may-be-easily-cracked-researchers-find/
Publisher: Wired
Date: Aug 7, 2025
By: Kim Zetter

Summary: The European Telecommunications Standards Institute (ETSI) developed an encryption algorithm a few years ago that is used around the world for protecting sensitive information for critical infrastructure and law enforcement and military organizations. Dutch researchers found a serious flaw in that algorithm in 2023, and ETSI responded by endorsing an end-to-end encryption scheme to be run 'on top of' the original scheme. Because the algorithms are proprietary, there has been no public examination of them. The researchers reverse engineered the schemes that were baked into a radio made by Sepura. The problems with the encryption security arise from how the keys are altered before being used in the algorithm. In one case the initial 80-bit key was reduced to 32 bits before use, and in another, an 80-bit key was reduced to 56 bits. ETSI said that they do not dictate the way keys are handled --- "The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection". In some cases, the key length is reduced to meet export control requirements. However, it seems that many purchasers, including US critical infrastructure companies, are unaware of key length reduction and its effect on security.

----------------------------------------------------------------------------
The EoE (Everyone on Earth) Database?

Information collected during the yearslong Salt Typhoon attack could allow Beijing's intelligence services to track targets from the United States and dozens of other countries.
'Unrestrained' Chinese Cyberattackers May Have Stolen Data From Almost Every American
https://www.nytimes.com/2025/09/04/world/asia/china-hack-salt-typhoon.html
Publisher: New York Times
Date: Sept. 4, 2025
By: Adam Goldman

Summary: The exploit known as Salt Typhoon was uncovered last year. Chinese hackers were able to access telecommunications infrastructure equipment worldwide and collect call information without detection for at least months. An investigation into the scope of the problem showed that the penetration was shockingly widespread, leading to a joint report by several governments: Joint Cybersecurity Advisory Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System (https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF). The investigation found that attackers were able to take full advantage of several vulnerabilities in telecommunications software to collect customer information and to obscure the artifacts of the intrusion by altering logs and authentication lists. It seems reasonable to assume that anyone in the US who used phone service in 2024 would have had that information swept up by the intruders. The calling patterns could reveal business and personal relationships for most of the US population, and that would be a treasure trove for social network analysts. That information could feed into espionage strategies, phishing scams, and much more.

----------------------------------------------------------------------------
NICE Money

NIST Awards More Than $3 Million to Support Cybersecurity Workforce Development Across 13 States
https://www.nist.gov/news-events/news/2025/09/nist-awards-more-3-million-support-cybersecurity-workforce-development
Publisher: NIST
Date: September 17, 2025

Summary: The National Institute of Science and Technology announced grants under their NICE program, which is intended to "Prepare, grow, and sustain a cybersecurity workforce that safeguards and promotes America's national security and economic prosperity." The grants went to 13 organizations to let them create "Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS)" that will build cybersecurity workforce and education initiatives. NIST estimates that the US currently has job openings for a half million cybersecurity workers, but only 75% of those jobs can be filled by the existing workforce.

--------------------------------

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

IEEE Transactions on Privacy,
https://www.computer.org/csdl/journals/pr
Submission date: On-going

ESORICS 2025 30th European Symposium on Research in Computer Security, Toulouse, France, September 22-26, 2025.
https://www.esorics2025.org/

SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026.
https://satml.org/
Submission date: 24 September 2025

DPM 2025 20th Workshop on Data Privacy Management, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025.
https://deic.uab.cat/dpm/dpm2025/

SECAI 2025 Workshop on Security and Artificial Intelligence, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025.
https://sites.google.com/view/secai2025/home

CBT 2025 9th International Workshop on Cryptocurrencies and Blockchain Technology, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025.
http://cbtworkshop.org/

STM 2025 21st International Workshop on Security and Trust Management, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025.
https://www.nics.uma.es/stm2025/index.html

IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026.
http://www.ifip119.org/
Submission date: 30 September 2025

FPS 2026 18th International Symposium on Foundations & Practice of Security, Brest, France, November 25-27, 2025.
https://hub.imt-atlantique.fr/fps2025
Submission date: 30 September 2025

WPES 2025 24th Workshop on Privacy in the Electronic Society, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 13, 2025.
http://jianying.space/WPES2025/

ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/

MarCaS 2025 3rd LCN Special Track on Maritime Communication and Security, Held in conjunction with the 50th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2025), Sydney, Australia, October 14-16, 2025.
https://garykessler.net/lcn_marcas/

ASHES 2025 9th Workshop on Attacks and Solutions in Hardware Security, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025.
https://ashesworkshop.online/

QSec 2025 ACM QSec: Quantum Security and Privacy Workshop, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025.
https://acm-qsec.com/

AICCSA 2025 22nd ACS/IEEE International Conference on Computer Systems and Applications, Doha, Qatar, October 19-22, 2025.
https://conferences.sigappfr.org/aiccsa2025/

APF 2025 Annual Privacy Forum, Frankfurt a.M., Germany, October 22-23, 2025.
https://privacyforum.eu/

XRSecurity 2025 Workshop on Security, Privacy, and Trust in Extended Reality Systems, Held in conjunction with ACM MobiHoc 2025, Houston, TX, USA, October 27-30, 2025.
https://xrsecurity.github.io/2025/

ICICS 2025 27th International Conference on Information and Communications Security, Nanjing, China, October 29-31, 2025.
https://www.icics2025.org/index.html

APWG eCrime 2025 20th APWG Symposium on Electronic Crime Research, San Diego, CA, USA, November 4-7, 2025.
https://apwg.org/events/ecrime2025

TPS 2025 7th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, Pittsburgh, PA, USA, November 11-14, 2025.
https://www.sis.pitt.edu/lersais/conference/tps/2025/

TPHAC 2025 IEEE Workshop on Trustworthy and Privacy-Preserving Human-AI Collaboration, Co-located with IEEE International Conference on CIC/TPS/CogMI, Pittsburgh, PA, USA, November 11-14, 2025.
https://sites.google.com/pitt.edu/tphac/home

SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026.
https://sp2026.ieee-security.org/cfpapers.html
Submission dates: 5 June 2025 and 13 November 2025

CANS 2025 24th International Conference on Cryptology and Network Security, Osaka, Japan, November 17-20, 2025.
https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/index.html

FPS 2026 18th International Symposium on Foundations & Practice of Security, Brest, France, November 25-27, 2025.
https://hub.imt-atlantique.fr/fps2025

PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026.
https://petsymposium.org/cfp26.php
Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026

ACSAC 2025 41st Annual Computer Security Applications Conference, Honolulu, Hawaii, USA, December 8-12, 2025.
https://www.acsac.org/

HealthSec 2025 Workshop on Cybersecurity in Healthcare, Co-located with the Annual Computer Security Applications Conference (ACSAC41), Honolulu, HI, USA, December 9, 2025.
https://publish.illinois.edu/healthsec2025/

ICISS 2025 21st International Conference on Information Systems Security, Indore, India, December 16-20, 2025.
https://iciss.isrdc.in/

IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026.
http://www.ifip119.org/

ICBC 2026 8th IEEE International Conference on Blockchain and Cryptocurrency, Brisbane, Australia, June 1-5, 2026.
https://icbc2026.ieee-icbc.org/
Submission date: 7 January 2026

USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026.
https://www.usenix.org/conference/usenixsecurity26
Submission dates: 26 August 2025 and 5 February 2026

NDSS 2026 Network and Distributed System Security, San Diego, CA, USA, February 23-27, 2026.
https://www.ndss-symposium.org/ndss2026/submissions/call-for-papers/

PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026.
https://petsymposium.org/cfp26.php
Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026

SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026.
https://satml.org/

SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026.
https://sp2026.ieee-security.org/cfpapers.html

ICBC 2026 8th IEEE International Conference on Blockchain and Cryptocurrency, Brisbane, Australia, June 1-5, 2026.
https://icbc2026.ieee-icbc.org/

PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026.
https://petsymposium.org/cfp26.php

USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026.
https://www.usenix.org/conference/usenixsecurity26

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

____________________________________________________________________
TC Conference Publications Online
____________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________
TC Officers
____________________________________________________________________

Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1
sp24-chair@ieee-security.org

Vice Chair:
Alvaro Cardenas
Professor
University of California, Santa Cruz
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2025 Chair:
Marina Blanton
Associate Professor
University at Buffalo
sp25-chair at ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year