Don't bring a knife to a gunfight

Several articles from past issues have been so timely that they have received broad national news media coverage (The New York Times and Financial Times, for example), not to mention real impact on practice (broader scrutiny of electronic voting technology). And, to boot, IEEE Security & Privacy has exceeded its first-year subscription goals by more than 20 percent. We should be proud of what we have accomplished this past year, especially our achievements regarding the standards of novelty, clarity, and relevance. Heartfelt thanks go to several groups: to the experts on IEEE Security & Privacy's editorial board for insisting on high standards and high impact; to the IEEE Computer Society's staff editors for shepherding papers, authors, and reviewers so deftly, often transforming sow's ears of geekspeak into silk purses of prose; to the authors who recognized the need to write to a larger audience and took the necessary extra steps with their manuscripts to accomplish that; to the anonymous reviewers who volunteered their time and expert opinions so generously and professionally; and, most importantly, to our readers for supporting these efforts and providing much-needed feedback about what was good, what was bad, and even what was ugly.

However, there is no resting on one's laurels in the security business. We have much more to accomplish in the traditional problem spaces of computer security, let alone the need to start dealing with application domains we didn't think much about scarcely two years ago (such as electronic voting and User Datagram Protocol worms!). It's becoming increasingly clear that the cybersecurity and privacy business is a gunfight to which, unfortunately, many combatants are still bringing knives. The following are perfect examples.

In terms of skill levels, I recently interviewed a graduate student candidate who has been the security expert at a regional application service provider with more than 500 clients.
Based on his three years of experience in that position, he had an ambitious design for a distributed system of honeypots and agents that would quickly detect and respond to all types of attacks on his ASP's network. To ground the discussion and gauge the real depth of his understanding, I asked him to explain buffer overflow attacks (I am a professor, after all). Starting with some hand waving and references to C libraries, he quickly confessed he didn't really know how buffer overflow exploits worked or how they are …