Issue No. 01 - January-February (2003 vol. 1)
George Cybenko, Dartmouth University
IEEE Security & Privacy is a new magazine with an ambitious mission—to build a world-class community of professionals at the leading edge of research and practice in information technology security and privacy. This is no small task. The computer security and privacy fields have been relatively diffuse, and their practitioners are widely scattered. In spite of these challenges, there is a great urgency for building such a community and doing it with the high levels of quality and leadership that are associated with IEEE activities.
The concept for an IEEE magazine on security and privacy germinated in the late summer of 2001 at an editorial board meeting of IEEE Pervasive Computing magazine. That editorial board, which consists of leaders in mobile and ubiquitous computing, identified a pressing need for accelerating security and privacy technology development, seeing it as an important step toward broad deployment of pervasive systems. Planning for Security & Privacy was already underway when the tragic events of 11 September 2001 redefined the importance of security in this century.
We now more clearly recognize that secure networks and computer systems are but subsystems of the complex, comprehensive infrastructures sustaining industrial society today. While the focus of Security & Privacy will be primarily on information technology, we need to understand the evolving relationships of computer security to transportation, financial, commercial, military, health care, energy, and other critical infrastructures.
In this respect, the IEEE Computer Society is the ideal professional society to sponsor this activity, because its members already cover many of the key areas—transportation, military electronics, health care systems, telecommunications, and energy utilities. Accordingly, an important goal of Security & Privacy is to build a broadly based community that includes practitioners and researchers from these other domains. Without them, we have little understanding of requirements and possibly no customers for our efforts.
Privacy is a growing issue
Another consequence of 11 September has been the mounting concern about privacy in a digital society. While privacy has been traditionally largely a consumer concern driven by the desire to protect an individual's identity and activities in the commercial arena, the push to enhance "homeland security" in the US and other countries has raised a different set of challenges. For example, in the coming years, government-sponsored biometric identification and counterterrorism-motivated data mining of multiple transactional databases will lead to fundamental questions about what is legally appropriate and technologically feasible. Security & Privacy will address such issues from all perspectives.
The security and privacy community
Security & Privacy's editorial scope is broad and comprehensive. While this is easy to envision, it is more difficult to implement—achieving such broad coverage depends critically on the contributions of the security and privacy community. We must repeatedly emphasize the inclusion of both researchers and practitioners because each group has much to offer the other but the communication channels are not yet so well developed.
Dealing with the existing vulnerabilities and never-ending torrents of new exploits in operational systems has been a full-time job for a large community of systems administrators and security consultants. This community is held together by networks of mailing lists, specialized conferences, and small support groups that are usually outside the purview of professional societies such as the IEEE. These security practitioners have largely learned in the school of hard "NOCs" (network operations centers; please excuse the pun) because most computer science and IT academic program curricula have not traditionally included usable computer and network security material. The practitioner community's valuable knowledge and perspective need a forum.
By the same token, researchers and software developers who are more typically professional society members work full time on what they hope will be the next generation of hardware and software systems. This community's new ideas and developing technologies must reach an audience broader than their peers. Furthermore, time-to-market pressures too often result in the attitude that "what's behind me is not important," resulting in research and products that marginally impact real systems. Calibrating future systems development against operational needs is something we hope to support by bringing practitioners and researchers together through this magazine.
A third important group we must acknowledge consists of IT managers—folks who are responsible for administering large enterprise-critical information systems. They seek to internally develop, outsource, or otherwise acquire the personnel and technology resources needed to assure the integrity of their information systems. With all the publicity surrounding the vulnerabilities, real or perceived, of global consumer, commercial, and government information systems, there has been something of a gold rush into security and privacy with more companies wanting to cash in on the phenomenon since 11 September. With so many voices vying to be heard, the signal-to-noise ratio of information about IT security is relatively low compared to that of two years ago.
Security & Privacy vision
IEEE's strict peer-review policies and the quality of the magazine's editorial board provide readers with a trustworthy source of information. While Security & Privacy strives to meet the professional needs of a diverse readership, we have a limited number of pages for each issue. This issue's articles and departments represent (although not exhaustively) the topics we will be covering. Equally important to the magazine's scope is the goal of making as much of the material accessible to as large a technically literate audience as possible.
When writing for an archival technical journal, an author needs must sound smart. But when writing for a time-critical, widely read magazine such as this, an author must be useful as well. Based on many years of personal experience, sounding smart is much easier than being useful! In any case, we will strive to publish articles and departments that educate experts as well as novices, and we are counting on reader feedback to keep us honest.
Security & Privacy's format will follow other IEEE magazine models by publishing a mix of peer-reviewed feature articles and editorial departments in each issue. Often, some featured articles will have a common identifiable theme. We deliberately chose not to have such focused themes for at least the first two issues so that you can clearly see Security & Privacy's breadth. The magazine's departments are edited by experts in the corresponding areas who will oversee a department's content, sometimes writing it, and sometimes asking guest authors to lend a hand. We ask your help in guiding this magazine to the best it can be—the most useful, readable, timely security magazine with integrity. Readers who believe they can make contributions of feature articles or department pieces should contact the appropriate editors.
This premier issue has five outstanding feature articles. In "Remembrance of Data Passed: A Study of Disk Sanitization Practices," Simson L. Garfinkel and Abhi Shelat offer remarkable insights into what can be extracted from recycled hard drives available on the used equipment market, identifying a previously neglected source of privacy leakage. Mike Howard and Steve Lipner write about the processes and preliminary results of the highly publicized Microsoft Windows Security Push that occurred in 2002 in "Inside the Windows Security Push." Nick L. Petroni Jr. and William A. Arbaugh describe an IEEE 802.11b wireless networking security patch that leads to other, unintended vulnerabilities in "The Dangers of Mitigating Security Design Flaws: A Wireless Case Study." In "Software Security for Open-Source Systems," Crispin Cowan surveys tools and technology supporting the development of secure open source code, an area of constantly growing importance. Joshua Haines, Dorene Kewley Ryder, Laura Tinnel, and Stephen Taylor describe the first experimental validation of correlation systems with the goal of assessing the overall progress in the field in "Validation of Sensor Alert Correlators."
Security & Privacy will be published bimonthly. That means two things: the material will be timely and, by the same token, we need a steady stream of contributions from the community to sustain it. Future issues will flesh out the scope of the magazine by example. We need your help as critical readers and as authors of high-quality articles that deal with research and practice in the field.
2003 IEEE SECURITY & PRIVACY TASK FORCE MEMBERS
George Cybenko is the Dorothy and Walter Gramm Professor of Engineering at Dartmouth College, Hanover, New Hampshire. He was the founding editor in chief of Computing in Science & Engineering, published jointly by the IEEE Computer Society and the American Institute of Physics. His research interests are in signal processing, distributed computing, and information systems, and more recently, computer security investigations. He has a BS in mathematics from the University of Toronto and a PhD in electrical engineering and computer science from Princeton University. He is a member of SIAM, an IEEE fellow, and a member of the Computer Society's Board of Governors.
Massoud Amin is area manager of infrastructure security and serves as lead of Mathematics and Information Science at the Electric Power Research Institute (EPRI). He is a member of the Board on Infrastructure and the Constructed Environment (BICE) at the US National Academy of Engineering, SIAM, and Informs.
Ross Anderson leads the security group at the computer laboratory of the University of Cambridge, where he is a reader in security engineering. He invented the Eternity Service, which inspired modern peer-to-peer systems such as Gnutella and Freenet.
Iván Arce is founder and chairman of the board of Core Security Technologies, an information security company based in Buenos Aires. He has been involved in the discovery, research, and report of security vulnerabilities.
Matt Bishop is an associate professor of computer science at the Department of Computer Science at the University of California, Davis. He is a charter member of the National Colloquium on Information Systems Security Education.
Michael A. Caloyannides is a senior fellow at Mitretek Systems. He is also an adjunct professor of Information Security with Johns Hopkins University. He is a senior member of the IEEE.
Deborah M. Cooper is president and CEO of an independent consulting firm in northern Virginia specializing in computer security. She is a member of the IEEE Computer Society's Board of Governors and is also a member of the IEEE, ACM, AFCEA, and AAUW.
Jim Davis is an associate professor and associate chair of the Department of Electrical and Computer Engineering at Iowa State University. He is a senior member of the IEEE, a member of the ACM, and editor of the newsletter Cipher.
Marc Donner is an executive director in the Institutional Securities division of Morgan Stanley, where he focuses on system and data architecture around client relationships. He is a member of the IEEE Computer Society and Usenix.
Anup K. Ghosh is a program manager in the Advanced Technology Office of the US Defense Advanced Research Projects Agency. He wrote E-Commerce Security: Weak Links, Best Defenses (Wiley, 1998).
Jim Hearn taught a course in information systems and has consulted for two small companies since retiring five years ago from a 35-year career with the US National Security Agency. He is associated with the Cyber Corps program and occasionally reviews papers for Harvard University's Program on Information Resources Policy.
Charles J. Holland is the US Deputy Undersecretary of Defense for Science and Technology, where he is responsible for defense science and technology strategic planning, budget allocation, and program review and execution.
Thomas F. Keefe is a consulting member of technical staff in the Database Security Group at Oracle Corporation. He is a member of the IEEE Computer Society, the ACM, and the IFIP Working Group 11.3 on Data and Application Security.
Richard A. Kemmerer is a professor and past chair of the Department of Computer Science at the University of California, Santa Barbara. He is an IEEE fellow, ACM fellow, member of the IFIP Working Group 11.3 on Database Security, and a member of the International Association for Cryptologic Research.
David Ladd is the senior manager of External Security Research Programs at Microsoft Research. He is a member of the IEEE, ACM, and Usenix.
Carl E. Landwehr is director of the Trusted Computing Program at the US National Science Foundation, on leave from his post as senior fellow in the Security and Privacy Technical Center at Mitretek Systems. He is a senior member of the IEEE, founding chair of IFIP Working Group 11.3 on Database Security, and a member of IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance.
Elias Levy is an architect with Symantec. His research interests include buffer overflows and networking protocol vulnerabilities. He is also a frequent commentator on computer security issues and participates as a technical advisor to a number of security-related companies.
J. M. "Mike" McConnell is a vice president at Booz-Allen, spearheading the firm's assignments in infrastructure and information assurance for departments and agencies of the US federal government and commercial clients.
Gary McGraw is currently CTO at Cigital. He has a dual PhD in cognitive science and computer science from Indiana University. He writes a monthly software security column for Software Development magazine and serves on several corporate advisory boards.
Nancy R. Mead is an adjunct faculty member at Carnegie Mellon University, where she teaches software engineering and information security. Her objective is to synthesize advances in software engineering and information security in a holistic way. She has a PhD in mathematics.
Bruce Schneier, CTO and founder of Counterpane Internet Security (www.counterpane.com), has authored seven books, including Secrets & Lies and Applied Cryptography.
S. W. Smith is currently an assistant professor of computer science at Dartmouth College. He was educated at Princeton and CMU, and is a member of the ACM, USENIX, the IEEE Computer Society, Phi Beta Kappa, and Sigma Xi. Contact information exists at www.cs.dartmouth.edu/~sws/.
Martin R. Stytz is a senior principal research scientist and engineer at the Air Force Research Laboratory. He received a PhD in computer science and engineering from the University of Michigan. He is a member of the ACM, the IEEE, the IEEE Computer Society, the AAAI, and the Society for Computer Simulation.
Francis Sullivan is the editor in chief of Computing in Science & Engineering magazine and director of the Institute for Defense Analyses' Center for Computing Sciences. He is past chairman of the IMA Board of Governors and a member of the SIAM Board of Trustees.
James A. Whittaker is a professor of computer science at Florida Tech and director of the Center for Information Assurance. His research interests are security testing, reverse engineering, and software protection. He is a member of the ACM and the IEEE.