On Thu, 13 Jul 2006, John Kelsey wrote:
| >From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
| ...
| >my slightly different perspective is that audits in the past have 
| >somewhat been looking for inconsistencies from independent sources. this 
| >worked in the days of paper books from multiple different corporate 
| >sources. my claim with the current reliance on IT technology ... that 
| >the audited information can be all generated from a single IT source ... 
| >invalidating any assumptions about audits being able to look for 
| >inconsistencies from independent sources. A reasonable intelligent 
| >hacker could make sure that all the information was consistent.
| 
| It's interesting to me that this same kind of issue comes up in voting
| security, where computerized counting of hand-marked paper ballots (or
| punched cards) has been and is being replaced with much more
| user-friendly DREs, where paper poll books are being replaced with
| electronic ones, etc.  It's easy to have all your procedures built
| around the idea that records X and Y come from independent sources,
| and then have technology undermine that assumption.  The obvious
| example of this is rules for recounts and paper record retention which
| are applied to DREs; the procedures make lots of sense for paper
| ballots, but no sense at all for DREs.  I wonder how many other areas
| of computer and more general security have this same kind of issue.   
That's a very interesting comparison.  I think it's a bit more subtle: We have
two distinct phenomena here, and it's worth examining them more closely.

Phenomenon 1:
        Computerized records are malleable, and it's in general impossible to
        determine if someone has changed them, when they changed them, what
        the previous value was, and so on.  Further, changing computer records
        scales easily - it costs about as much to change a million records as
        it does to change one record.  Contrast this to traditional record
        keeping systems, where forging even one record was quite difficult,
        and forging a million was so difficult and expensive that it was
        probably never done in history.  Even *destroying* a million paper
        records is quite difficult.

        This phenomenon is present in both the auditing and voting examples.
        It's not so much that the DRE doesn't, or can't, keep a record just as
        the paper ballot system does; it's that the record is just something
        in memory, or maybe written to a disk, and we simply have no faith
        in our ability to detect tampering with such media.  Similarly,
        as long as "the books" were physical books on paper, it was quite
        difficult to tamper with them.  Now that they are in a computer
        database somewhere, it's very easy.

Phenomenon 2:
        The only way to merge the information from paper records is to create
        new, combined paper records.  The only way to filter out some of the
        data from paper records is to make new, redacted paper records.  These
        are expensive, time-consuming operations.  As a result, record-keeping
        systems based on paper tend to keep the originals distinct and only
        produce rare roll-ups for analysis.  This lets you compare distinct
        sources for the same piece of information.

        Computerized systems, on the other hand, make it easy to merge,
        select, and reformat data.  It's so easy that a central tenet of
        database design is to avoid storing the same information more than
        once (thus avoiding the problem of keeping multiple copies in sync).
        But when this principle is applied to data relevant to auditing,
        it discards exactly the redundancy that has always been used to
        detect problems.  Sure, you can produce the traditional double-
        entry reports, but if you generate them on the fly from a
        single database that just records transactions, sure enough, all
        the amounts will tally - always, regardless of what errors or
        shenanigans have occurred.

        This has no obvious analogue in voting systems, except I suppose
        in those that keep only totals, not individual votes.  (Of course,
        that was the case with the old mechanical voting machines, too;
        but their resistance to Phenomenon 1 made that acceptable.)

                                                        -- Jerry

| 
| --John Kelsey, NIST
| 
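Jerry's Phenomenon 2 point (a double-entry report derived on the fly from one transaction table tallies no matter what was altered, whereas an independently recorded source catches the change) worked as an added example; this is illustrative code written for this page, not anything from the thread, and the transaction list and "bank statement" are constructed sample data.

```python
# Constructed sample transactions (not from the thread): each is
# (transaction id, debit account, credit account, amount in cents).
TRANSACTIONS = [
    ("t1", "cash", "sales", 10_000),
    ("t2", "inventory", "cash", 4_000),
    ("t3", "cash", "sales", 2_500),
]

# Constructed independent record of the same cash movements, as a bank
# would hold it: positive for money in, negative for money out.
BANK_STATEMENT = {"t1": 10_000, "t2": -4_000, "t3": 2_500}


def trial_balance(txns):
    """Double-entry report generated from the single transaction list.
    Each transaction posts one amount to a debit and a credit account, so
    the two columns tally by construction, whatever the amounts are."""
    debits, credits = {}, {}
    for _, debit_acct, credit_acct, amount in txns:
        debits[debit_acct] = debits.get(debit_acct, 0) + amount
        credits[credit_acct] = credits.get(credit_acct, 0) + amount
    return sum(debits.values()), sum(credits.values())


def tamper(txns, txn_id, new_amount):
    """Alter one record in place, as anyone with write access to the single
    database could; the single-source system keeps no trace of this."""
    return [(i, d, c, new_amount if i == txn_id else a) for i, d, c, a in txns]


def reconcile(txns, independent_cash_entries):
    """The independent-source check: compare the cash movements implied by the
    ledger against a record kept by a separate party. Returns the ids of
    entries whose amounts disagree (empty list means the sources agree)."""
    ledger_cash = {}
    for i, d, c, a in txns:
        if d == "cash":
            ledger_cash[i] = a
        elif c == "cash":
            ledger_cash[i] = -a
    return sorted(i for i, a in ledger_cash.items()
                  if independent_cash_entries.get(i) != a)


if __name__ == "__main__":
    forged = tamper(TRANSACTIONS, "t3", 9_500)
    print(trial_balance(TRANSACTIONS), trial_balance(forged))  # both tally
    print(reconcile(TRANSACTIONS, BANK_STATEMENT), reconcile(forged, BANK_STATEMENT))
```

The derived report balances before and after the alteration; only the comparison against the separately held record flags t3.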

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]