Issue No. 02 - March-April (2004 vol. 2)
Since launching in January 2003, IEEE Security & Privacy has had an enormously successful first year. The quality of the technical material published has been outstanding—not only germane, but also largely intelligible to nonexperts in the security field.
Several articles from past issues have been so timely that they have received broad national news media coverage (The New York Times and Financial Times, for example), not to mention real impact on practice (broader scrutiny of electronic voting technology). And, to boot, IEEE Security & Privacy has exceeded its first-year subscription goals by more than 20 percent.
We should be proud of what we have accomplished this past year, especially our achievements regarding the standards of novelty, clarity, and relevance. Heartfelt thanks go to several groups: to the experts on IEEE Security & Privacy's editorial board for insisting on high standards and high impact; to the IEEE Computer Society's staff editors for shepherding papers, authors, and reviewers so deftly, often transforming sow's ears of geekspeak into silk purses of prose; to the authors who recognized the need to write to a larger audience and took the necessary extra steps with their manuscripts to accomplish that; to the anonymous reviewers who volunteered their time and expert opinions so generously and professionally; and most importantly, to our readers for supporting these efforts and providing much needed feedback about what was good, what was bad, and even what was ugly.
However, there is no resting on one's laurels in the security business. We have much more to accomplish in the traditional problem spaces of computer security, let alone the need to start dealing with application domains we didn't think much about scarcely two years ago (such as electronic voting and User Datagram Protocol worms!).
Wielding the Wrong Tools
It's becoming increasingly clear that the cybersecurity and privacy business is a gunfight to which, unfortunately, many combatants are still bringing knives. The following are perfect examples.
In terms of skill levels, I recently interviewed a graduate student candidate who has been the security expert at a regional application service provider with more than 500 clients. Based on his three years of experience in that position, he had an ambitious design for a distributed system of honeypots and agents that would quickly detect and respond to all types of attacks on his ASP's network. To ground the discussion and gauge the real depth of his understanding, I asked him to explain buffer overflow attacks (I am a professor, after all). Starting with some hand waving and references to C libraries, he quickly confessed he didn't really know how buffer overflow exploits worked or how they are designed. This young security expert and his employer are bringing a knife to a gunfight.
In terms of technologies, consider the distributed denial-of-service attacks routinely launched from hundreds, even thousands, of hosts that are compromised by automated scripts and managed by covert encrypted channels. Compare this with the expensive, week-long security short courses tailored to systems administrators in which students are taught how to read single-host log files manually. Again, those systems administrators are being taught how to wield blades, but they are going to a gunfight.
In terms of threats, several countries are now exploring electronic voting technology's effectiveness. At least one vendor of such technology argues that their software is now secure because it fixed the flaws that a cursory examination of some of its source code uncovered. That vendor is making and selling daggers while the other side has bazookas!
One of the main challenges for IEEE Security & Privacy, as we move through our second year, is to keep communicating the differences between guns and knives. In fact, many people still don't know that guns even exist. Clearly, IEEE Security & Privacy still has much to do.