============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 174                                         July 25, 2023

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Sven Dietrich                         Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of Threats: What Every Engineer Should Learn
      From Star Wars by Adam Shostack
    o News Items from the Media
       - Don't Move (It): SQL Injection
       - Don't Put Fees On Me: Reddit's Woes
       - Crypto Wars Redux, UK Version
       - Microsoft Authentication Gaffe Grips the Govmt
       - Taxes and Targeting: User Data Harvested from Web Sites
       - Nation State Jumps on Our Cloud: JumpCloud Breached
    o Book reviews, Conference Reports and Commentary and News items from
      past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Summer is the time for conferences in pleasant locales.
Security conferences have become multitrack behemoths with many hundreds of papers exploring every aspect of an attack surface that is now a fractal surface of unmeasurable area. In this environment, any security research result seems to contribute a decreasing increment of utility, a sort of Zeno's paradox of progress. Are we getting anywhere? How would we know?

Based on the news articles selected for Cipher this month, it seems that the vulnerabilities causing the most stir are usually old problems in new products. SQL injection, two interacting authentication methods undermining one another, and websites that enthusiastically turn over private information to third parties ... the old becomes new like a refurbished Barbie doll.

Nonsensical Nursery Verse

   Sing a song of bitcoin
   A wallet for a spy.
   Four and twenty public keys
   Baked in a pie.

   When the pie was opened,
   The keys began to split.
   Wasn't that a dainty dish
   Stated in a qubit?

   The spy was in his counting house,
   Counting out his plenty.
   The tech was in the network,
   Setting traps so canny.

   The fault was with the user,
   Whose password did implode,
   Whence came the malware
   And made the files encode.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
7/24/23
____________________________________________________________________

Threats: What Every Engineer Should Learn From Star Wars
by Adam Shostack
Wiley 2023.
ISBN-13 978-1-119-89516-9
330 + xxiv pages

"A Playful Approach We Need."
Sometimes we need a lighter approach to learn the difficult, or shall we say challenging, aspects of a field. Peeking into the troglodyte world shown in the movie Star Wars, we feel a bit distanced from our "daily normal." The filming set Tataouine, this little town in Southern Tunisia, took many sci-fi fans to other worlds, supposedly somewhere beyond our little Earth, including the planet of Tatooine.

Adam Shostack uses this playful setting of Star Wars in his new book "Threats: What Every Engineer Should Learn From Star Wars" to introduce the concepts of threats, in the context of software security, not only to the regular engineer, but also the less experienced non-engineer. The book is a set of snippets about various security ideas often interspersed with anecdotes from the Star Wars movies as a means of explaining the more complex settings of computer security threats. We find the usual Star Wars suspects such as Darth Vader, Luke Skywalker, Princess Leia, Obi-Wan Kenobi, Yoda, R2-D2, and C-3PO helping illustrate concepts such as authentication, spoofing, and more, via scenes from the Star Wars movies.

The book is about 330 pages long. There is a preface, an introduction, plus an epilogue, a glossary, a bibliography, a (Star Wars) story index, and a traditional index, sandwiched around 9 chapters. The author uses the tried-and-true STRIDE models from his previous teachings to name the first 6 chapters (the first letters spell STRIDE).

The first chapter is on Spoofing and Authenticity. Through basic concepts, command line examples, tables, diagrams, and a little help from Star Wars, the reader learns what those mean in a variety of settings (e.g. computer vs. user, computer vs. computer), how the bad guys work, and what the good guys are doing about it.

The second chapter is on Tampering and Integrity. Here the reader learns about targets of tampering (e.g. storage) and how the defenses work (e.g. via cryptography).
The references that are sprinkled within are for those who wish to delve deeper, but the concepts are kept light and easy to follow. The third chapter is on Repudiation and Proof. Here the reader will be exposed to identity theft, audit logs, attacks on logs, blockchains, and deepfakes. The style of description stays the same, always mixing the various views. The fourth chapter is on Information Disclosure and Confidentiality. How could one not talk about 'A New Hope' and the stealing of the plans of the Death Star here? It's a perfect setting to explain those ideas and the author does a fine job at delivering a properly fitting scene to the reader. The fifth chapter covers Denial of Service and Availability. Again, some explanations follow the first and second Death Star as examples. What attacks are possible, and how do we defend against them? Always anecdotes, little story boxes, and proper references to prior work and events. The sixth chapter is named Expansion of Authority and Isolation. Here the reader will learn about privileges, privilege escalation, as well as confused deputies. Access control and complexity in design are also discussed here. After the STRIDE chapters, the author adds the seventh chapter Predictability and Randomness. As a means of upping the ante against attackers, a lack of predictability defeats some attacks by the bad guys and randomness is still hard to achieve. There are always tradeoffs, such as time/memory as shown in rainbow tables. The eighth chapter on Parsing and Corruption addresses several problems, such as type confusion, confusing code and data, and even parsing errors that can lead to serious threats. Finally in the ninth chapter, the author wraps up with Kill Chains, such as the MITRE ATT&CK framework and attack trees. The bibliography, while far from complete due to the nature (and lightness) of the book, is complete enough to provide a good introduction to the field. 
Overall I liked reading this book: it is light and entertaining enough for the reader afraid to be overwhelmed by dense material, and it is light and entertaining enough for the reader who is "in the know" yet curious to see the parallels between Star Wars and software security. To put it in Yoda's terms, "Bored You Will Be Not." While I am more of a Trekkie than a Star Wars fan, this book put a smile on my face more than once while savoring those anecdotes. I hope you will enjoy reading this book as much as I did.

-------------------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org
____________________________________________________________________

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

Don't MOVE (It)
Progress MOVEit Transfer Vulnerability Being Actively Exploited
https://blog.qualys.com/vulnerabilities-threat-research/2023/06/07/progress-moveit-transfer-vulnerability-being-actively-exploited
Date: June 12, 2023
Publisher: Threat Research Unit, Qualys
By: Travis Smith

Summary:
"Progress MOVEit Transfer" is used by businesses to transfer files securely, but it was undermined by an SQL injection attack. The cl0p ransomware gang exploited this vigorously and threatened to release purloined information on June 14. Qualys estimates that over half the sites were patched within 48 hours. Nonetheless, some corporate and banking giants were affected.

-------------------

See also
Number of Victims Breached Via MOVEit Zero-Day Keeps Climbing
Victim Count Is 378 Organizations, 20 Million Individuals - and It's Likely to Rise
https://www.bankinfosecurity.com/count-victims-breached-via-moveit-zero-day-keeps-climbing-a-22573
Publisher: Bank Info Security
Date: July 18, 2023
By: Mathew J.
Schwartz

--------------------------------------------------------------------------------

Don't Put Fees On Me
Hackers threaten to leak stolen Reddit data if company doesn't pay $4.5 million and change controversial pricing policy
https://www.cnn.com/2023/06/19/tech/reddit-hackers-demands-api/index.html
Date: June 19, 2023
Publisher: CNN
By: Jennifer Korn

Summary:
Reddit found itself faced with both a user revolt and an extortion attempt over stolen data after it announced plans to charge third party app developers for the right to offer the apps on Reddit. Although the extortion by the Black Cat ransomware gang is based on credible reports of having previously breached Reddit users' private data, observers were skeptical about the claims that the Black Cat gang cared about Reddit's pricing policies. The user revolt, however, shut down many subreddits.

--------------------------------------------------------------------------------

Crypto Wars Redux, UK Version
An encryption exodus looms over UK’s Online Safety Bill
https://techcrunch.com/2023/06/27/an-encryption-exodus-looms-over-uks-online-safety-bill/
Date: June 27, 2023
Publisher: Tech Crunch
By: Carly Page

Summary:
A recent piece of legislation in the UK would require that providers of end-to-end encryption provide back-door government access, and that has drawn sharp criticism from Apple and others. Apple had to reverse its plans to provide such a capability in the US in 2021, and it now strongly supports the idea that E2E has fundamental importance in messaging privacy. The UK legislation includes provisions for prosecuting executives of non-compliant companies, so much is at stake on both sides of this argument.
--------------------------------------------------------------------------------

Microsoft Authentication Gaffe Grips the Govmt
Chinese hackers accessed government emails, Microsoft says
https://www.reuters.com/technology/chinese-hackers-accessed-government-emails-microsoft-says-2023-07-12/
Date: July 12, 2023
Publisher: Reuters

Summary:
A zero-day vulnerability in Microsoft authentication led to a breach of emails for some officials in the US Departments of Justice and Commerce. Although Microsoft discovered the problem and patched all customer systems, the incident was ongoing for several weeks. It has shaken trust in the systems. The problem was caused by a privilege escalation that let the user of a single compromised account gain access to an entire organization's email account. The original compromised account was probably accessed via a phishing attack. There is likely to be quite a bit of fallout as the US considers the ease with which China seems to gain access to government systems.

-------------------------------------

Microsoft Mitigates the Goof
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Date: July 11, 2023
Publisher: Microsoft Research Center

Summary:
This press release from Microsoft Research has information about the authentication token forging and the company's response.

--------------------------------------------------------------------------------

Taxes and Targeting
Senate Dems say 'massive' taxpayer privacy breach needs DOJ probe
https://www.politico.com/news/2023/07/12/senate-dems-say-massive-taxpayer-privacy-breach-needs-doj-probe-00105853
The lawmakers' investigation piggybacks on a report published way back in November 2022 by the tech news outlet The Markup that first put a spotlight on the issue.
Date: July 12, 2023
Publisher: Politico
By: Benjamin Guggenheim and Brian Faler

Summary:
It's hard to know what to say after "shocking breach of trust". At least 3 tax filing services have been forwarding sensitive user data to Facebook and/or Google, and those companies have been using the data to identify the users and to target advertising at them. This information "sharing" happened because the companies involved agreed to add code to their websites that would "improve the user experience." The result was that much of the data that customers entered into website forms was relayed to the tech giants where they felt free to make use of it for purposes far beyond what the tax companies realized.

---------------------------------

Tax Filing Websites Have Been Sending Users' Financial Information to Facebook
https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook
Date: November 22, 2022
Publisher: The Markup
By: Simon Fondrie-Teitler, Angie Waller, and Colin Lecher

The Markup found that tax filing services including TaxAct, TaxSlayer, and H&R Block were sending sensitive data about their users to Facebook and Google.

---------------------------------

Senate Takes a Look at Tax Preparers and Privacy
Tax preparers shared personal data with Meta, Google: Senate report
https://thehill.com/policy/technology/4093026-tax-preparers-shared-personal-data-with-meta-google-senate-report/
Date: 07/12/23
Publisher: The Hill
By: Rebecca Klar

Summary:
Facebook pushed back against statements by Senate members condemning the collection of sensitive taxpayer information. The problems have been exaggerated, says Facebook, and some of the blame lies with the tax filing companies for configuring their systems incorrectly. One suspects this argument is far from over.
-------------------------------------------------------------------------------

Nation State Jumps on Our Cloud
JumpCloud says nation-state hackers breached its systems
https://techcrunch.com/2023/07/17/jumpcloud-nation-state-breach/
Date: July 17, 2023
Publisher: Tech Crunch
By: Carly Page

Summary:
JumpCloud provides identity management and access control to 5K customers representing 180K organizations. At some point, recently, its systems were infiltrated by actors who appeared to have nation-state capabilities or intentions. An internal investigation determined that only 5 customers and a few devices were impacted. Apparently the attack was initiated via spearphishing and was targeted narrowly. JumpCloud believes that they deflected the attack by forcing an update of all API keys.

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

UbiSec 2023 3rd International Conference on Ubiquitous Security, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/ubisec2023/
Submission date: 31 July 2023

TrustCom 2023 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/trustcom2023/
Submission date: 31 July 2023

ICISS 2023 19th International Conference on Information Systems Security, NIT Raipur, India, December 16-20, 2023.
https://iciss.isrdc.in
Submission date: 20 July 2023

SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html
Submission dates: 13 April 2023, 3 August 2023, and 6 December 2023

CSET 2023 16th Cyber Security Experimentation and Test (CSET) Workshop, Hybrid, Marina del Rey, CA, USA, August 7, 2023.
https://cset23.isi.edu/

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers

NSS 2023 17th International Conference on Network and System Security, Canterbury, UK, August 14-16, 2023.
https://nss2023.cyber.kent.ac.uk/

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/
Submission dates: 21 August 2023 and 7 December 2023

CUING 2023 7th International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 18th International Conference on Availability, Reliability and Security (ARES 2023), Benevento, Italy, August 29 - September 1, 2023.
https://www.ares-conference.eu/workshops/cuing-2023/

ENS 2023 5th International Workshop on Emerging Network Security, Held in conjunction with the 18th International Conference on Availability, Reliability and Security (ARES 2023), Benevento, Italy, August 29 - September 1, 2023.
https://www.ares-conference.eu/workshops-eu-symposium/ens-2023/

C&ESAR 2023 Cybersecurity of Smart Peripheral Devices (Mobiles / IoT / Edge), Rennes, France, November 21-22, 2023.
https://2023.cesar-conference.org
Submission dates: 26 April 2023, 10 May 2023, and 30 August 2023

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024 FPS 2023 16th Foundations & Practice of Security Symposium, Bordeaux, France, December 11-13, 2023. https://www.fps-2023.com/ Submission date: 15 September 2023 ICBC 2023 International Conference on Blockchain, Honolulu, Hawaii, USA, September 23 - 26, 2023. http://blockchain1000.org/2023 ESORICS 2023 28th European Symposium on Research in Computer Security, Hague, Netherlands, September 25-29, 2023. https://esorics2023.org CLPSC 2023 3rd Annual Cybersecurity Law and Policy Scholars Conference, Boston, MA, USA, September 29-30, 2023. https://www.clpsc.org/ CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024. https://csf2024.ieee-security.org Submission date: 15 May 2023, 30 September 2023 and 3 February 2024 CNS 2023 11th annual IEEE Conference on Communications and Network Security, Orlando, FL, USA, October 2-5, 2023. https://cns2023.ieee-cns.org/ MarCaS 2023 1st IEEE LCN Workshop on Maritime Communication and Security, Held in conjunction with the 48th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2023), Daytona Beach, Florida, USA, October 2-5, 2023. https://garykessler.net/lcn_marcas/ ICN 2023 10th ACM Conference on Information Centric Networking, Reykjavik, Iceland, October 8-10, 2023. https://conferences.sigcomm.org/acm-icn/2023 RAID 2023 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, October 16-18, 2023. https://raid2023.org/call.html USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024. https://www.usenix.org/conference/usenixsecurity24 Submission dates: 6 June 2023, 17 October 2023, and 8 February 2024 SecDev 2023 IEEE Secure Development Conference, Atlanta, GA, USA, October 18-20, 2023. 
https://secdev.ieee.org/2023/home CANS 2023 22nd International Conference on Cryptology and Network Security, Augusta, Georgia, USA, October 31 - November 2, 2023. https://www.augusta.edu/ccs/conferences/cans2023/index.php UbiSec 2023 3rd International Conference on Ubiquitous Security, Exeter, UK, November 1-3, 2023. https://hpcn.exeter.ac.uk/ubisec2023/ TrustCom 2023 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter, UK, November 1-3, 2023. https://hpcn.exeter.ac.uk/trustcom2023/ TPS 2023 IEEE International Conference on Trust, Privacy and Security in Intelligent systems, and Applications, Atlanta, GA, USA, November 1-3, 2023. http://www.sis.pitt.edu/lersais/conference/tps/2023/calls.html C&ESAR 2023 Cybersecurity of Smart Peripheral Devices (Mobiles / IoT / Edge), Rennes, France, November 21-22, 2023. https://2023.cesar-conference.org CCS 2023 30th ACM Conference on Computer and Communications Security, Copenhagen, Denmark, November 26-30, 2023. https://www.sigsac.org/ccs/CCS2023/index.html PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed). https://petsymposium.org/cfp24.php Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024 SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024. https://sp2024.ieee-security.org/cfpapers.html Submission dates: 13 April 2023, 3 August 2023, and 6 December 2023 ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024. https://asiaccs2024.sutd.edu.sg/cfp/ Submission dates: 21 August 2023 and 7 December 2023 ACSAC 2023 Annual Computer Security Applications Conference, Austin, Texas, USA, December 4-8, 2023. https://www.acsac.org/2023/submissions/papers/ FPS 2023 16th Foundations & Practice of Security Symposium, Bordeaux, France, December 11-13, 2023. 
https://www.fps-2023.com/

ICISS 2023 19th International Conference on Information Systems Security, NIT Raipur, India, December 16-20, 2023.
https://iciss.isrdc.in

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org
Submission dates: 15 May 2023, 30 September 2023 and 3 February 2024

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission dates: 6 June 2023, 17 October 2023, and 8 February 2024

NDSS 2024 Network and Distributed System Security Symposium, San Diego, California, USA, February 26 - March 1, 2024.
https://www.ndss-symposium.org/ndss2024/

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php
Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24 ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. 
It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Gabriela Ciocarlie
Associate Professor
University of Texas at San Antonio
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1/
sp24-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year