Re: Interesting bit of a quote

2006-07-16 Thread Jason Holt


On Fri, 14 Jul 2006, Travis H. wrote:

Absent other protections, one could simply write a new WORM media with
falsified information.

I can see two ways of dealing with this:

1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the signer is not
corruptible), or applying a frangible difficult-to-duplicate seal of
some kind (this assumes access controls on the seals).
2) Some kind of hash chain covering the contents, combined with
publication of the hashes somewhere where they cannot be altered (e.g.
publish hash periodically in a classified ad in a newspaper).


My MS Thesis was on this topic:
http://lunkwill.org/cv/logcrypt_update.pdf

If you store a value with a TTP (say, an auditor), and follow the protocol 
honestly, it's impossible to go back later and falsify records.  The symmetric 
version uses hash chains, and was invented several times before I came along.



-J

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-16 Thread John Kelsey
From: Travis H. [EMAIL PROTECTED]
Sent: Jul 14, 2006 11:22 PM
To: David Mercer [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Interesting bit of a quote

...
The problem with this is determining if the media has been replaced.
Absent other protections, one could simply write a new WORM media with
falsified information.

I can see two ways of dealing with this:

1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the signer is not
corruptible), or applying a frangible difficult-to-duplicate seal of
some kind (this assumes access controls on the seals).

I think this is going to resolve to chain-of-custody rules of some
kind.  One problem is that so long as the company making the records
is storing them onsite, it's hard for an outside auditor to be sure
they aren't being tampered with.  (Can the CEO really not work out a
way to get one of his guys access to the tape storage vault?) 

2) Some kind of hash chain covering the contents, combined with
publication of the hashes somewhere where they cannot be altered (e.g.
publish hash periodically in a classified ad in a newspaper).

You could do the whole digital timestamping thing here.  You could
also just submit hashes of this week's backup tape to your auditor and
the SEC or something.  

Another solution is to use cryptographic audit logs.  Bruce Schneier
and I did some work on this several years ago, using a MAC to
authenticate the current record as it's written, and a one-way
function to derive the next key.  (This idea was apparently developed
by at least two other people independently.)  Jason Holt has extended
this idea to use digital signatures, which makes them far more
practical.  One caveat is that cryptographic audit logs only work if
the logging machine is honest when the logs are written.  

--John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-16 Thread Travis H.

On 7/15/06, John Kelsey [EMAIL PROTECTED] wrote:

Another solution is to use cryptographic audit logs.  Bruce Schneier
and I did some work on this several years ago, using a MAC to
authenticate the current record as it's written, and a one-way
function to derive the next key.  (This idea was apparently developed
by at least two other people independently.)  Jason Holt has extended
this idea to use digital signatures, which makes them far more
practical.  One caveat is that cryptographic audit logs only work if
the logging machine is honest when the logs are written.


Yeah, I love that idea, saw it at the 7th Usenix Security Symposium.

For everyone else, there's an implementation here:
http://isrl.cs.byu.edu/logcrypt/index.html
I have been looking for something like this for a while.

Note to Jason Holt: The subscribe links for the mailing lists are broken.

I like the idea of encrypting the entries, but I thought that having
to classify them into a finite number of classes, and restricting
disclosure to be along class lines is restrictive, but I don't know
offhand how to allow the logger to disclose arbitrary subsets
efficiently.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-16 Thread Anne Lynn Wheeler

Travis H. wrote:

1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the signer is not
corruptible), or applying a frangible difficult-to-duplicate seal of
some kind (this assumes access controls on the seals).
2) Some kind of hash chain covering the contents, combined with
publication of the hashes somewhere where they cannot be altered (e.g.
publish hash periodically in a classified ad in a newspaper).


a lot of that has to do with whether you have an original and/or whether 
an original has been modified.


my view of audits for sox type stuff is whether the original is correct. 
that is where multiple independent sources of original information came 
in for purposes of cross checking   (and possibility of any 
inconsistency is indication of something amiss) ... and where 
subsequently you have to start worrying about countermeasure to collusion.


however, if you have collapsed the originals to single source, you loose 
the ability to cross-check multiple independent originals for validity 
of the information. so you ask for a lot more detailed information in 
the originals ... hoping the level of detail is harder to make 
consistent (since you may have some sense that you have lost the 
capability of cross checking multiple independent sources for 
inconsistency). the counterargument is that with IT technology ... that 
any level of detail can be programmed to be consistent (if you are going 
to create incorrect information in an original ... you could make it 
incorrectly consistent to any level of detail).


So now you create significant threats and penalties for anybody (in 
charge) allowing incorrect information to appear in an audit (since you 
somehow realize that that with only a single source, it isn't likely 
that an audit is going to turn up inconsistent information as an 
indication that something is incorrect).


So now you are potentially in a situation that audits are no longer an 
effective countermeasure to serious inconsistent or incorrect 
information ... its the threats and the penalties that are the 
countermeasure to serious inconsistent or incorrect information.
At the same time there is some sense if audits previously had turned up 
inconsistency (from multiple independent sources) ... then possibly just 
increasing the level of audit detail might still provide some benefit.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-14 Thread David Mercer

On 7/13/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Phenomenon 1:
Computerized records are malleable, and it's in general impossible
to
determine if someone has changed them, when they changed them, what
the previous value was, and so on.  Further, changing computer
records
scales easily - it costs about as much to change a million records
as
it does to change one record.


Well yes, and no.  Relational database systems preform replication by
copying and loading trasaction logs, and WORM drives (and WORM tapes)
are used by organizations that need to prove that things weren't
altered (or to be able to audit when they are).  It is of course quite
a lot more expensive to do things that way compared to how the typical
IT shop does things.

-David Mercer

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-14 Thread Nicholas Bohm
John Kelsey wrote:
From: Anne  Lynn Wheeler [EMAIL PROTECTED]
Sent: Jul 11, 2006 6:45 PM
Subject: Re: Interesting bit of a quote
 
 
 ..
 
my slightly different perspective is that audits in the past have 
somewhat been looking for inconsistencies from independent sources. this 
worked in the days of paper books from multiple different corporate 
sources. my claim with the current reliance on IT technology ... that 
the audited information can be all generated from a single IT source ... 
invalidating any assumptions about audits being able to look for 
inconsistencies from independent sources. A reasonable intelligent 
hacker could make sure that all the information was consistent.
 
 
 It's interesting to me that this same kind of issue comes up in voting
 security, where computerized counting of hand-marked paper ballots (or
 punched cards) has been and is being replaced with much more
 user-friendly DREs, where paper poll books are being replaced with
 electronic ones, etc.  It's easy to have all your procedures built
 around the idea that records X and Y come from independent sources,
 and then have technology undermine that assumption.  The obvious
 example of this is rules for recounts and paper record retention which
 are applied to DREs; the procedures make lots of sense for paper
 ballots, but no sense at all for DREs.  I wonder how many other areas
 of computer and more general security have this same kind of issue.   

Another example, possibly of some importance, is found in registers of
births, marriages and deaths.  Details of the relevant events were
entered contemporaneously in local paper ledgers whose pages were
numbered.  (They were later, perhaps every quarter, copied to central
registers.)  As a result it was very difficult to create a backdated
record, or remove an original one, without it being obvious.  When
registers consist of electronic databases, these natural protections
silently disappear.  They could be replaced, perhaps by publishing an
authenticated hash of the register every week, and cumulative hashes
periodically; but there is no sign of such methods being adopted.

The Law Society of England and Wales suggested to the Land Registry that
it should adopt some such methods for its electronic land registers,
especially when the transactions recorded in the registers become
electronic rather than paper transactions, as is planned.  I have no
reason to think this suggestion will take root.

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone   01279 871272(+44 1279 871272)
Fax  020 7788 2198   (+44 20 7788 2198)
Mobile  07715 419728(+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-14 Thread Travis H.

On 7/14/06, David Mercer [EMAIL PROTECTED] wrote:

WORM drives (and WORM tapes)
are used by organizations that need to prove that things weren't
altered (or to be able to audit when they are).


The problem with this is determining if the media has been replaced.
Absent other protections, one could simply write a new WORM media with
falsified information.

I can see two ways of dealing with this:

1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the signer is not
corruptible), or applying a frangible difficult-to-duplicate seal of
some kind (this assumes access controls on the seals).
2) Some kind of hash chain covering the contents, combined with
publication of the hashes somewhere where they cannot be altered (e.g.
publish hash periodically in a classified ad in a newspaper).
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-13 Thread Ed Gerck

[EMAIL PROTECTED] wrote:

* That which was not recorded did not happen.
* That which is not documented does not exist.
* That which has not been audited is vulnerable.

and he did not mean this in the paths to invisibility
sense but rather that you have liability unless you can
prove that you don't.


Thanks for the quote. But That which was not recorded did
not happen and the other two points can, and IMO should, also
be taken in the positive sense that you need recorded, credible,
audited evidence in order to support business in case arguments
(as they do) arise. Trust depends on parallel channels. So
based, trust actually reduces liability.

The knife cuts the other way too, and that's why unrevocably
expiring documents that can be so treated (legally and business
wise) is also necessary to reduce liability.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-13 Thread John Kelsey
From: Anne  Lynn Wheeler [EMAIL PROTECTED]
Sent: Jul 11, 2006 6:45 PM
Subject: Re: Interesting bit of a quote

...
my slightly different perspective is that audits in the past have 
somewhat been looking for inconsistencies from independent sources. this 
worked in the days of paper books from multiple different corporate 
sources. my claim with the current reliance on IT technology ... that 
the audited information can be all generated from a single IT source ... 
invalidating any assumptions about audits being able to look for 
inconsistencies from independent sources. A reasonable intelligent 
hacker could make sure that all the information was consistent.

It's interesting to me that this same kind of issue comes up in voting
security, where computerized counting of hand-marked paper ballots (or
punched cards) has been and is being replaced with much more
user-friendly DREs, where paper poll books are being replaced with
electronic ones, etc.  It's easy to have all your procedures built
around the idea that records X and Y come from independent sources,
and then have technology undermine that assumption.  The obvious
example of this is rules for recounts and paper record retention which
are applied to DREs; the procedures make lots of sense for paper
ballots, but no sense at all for DREs.  I wonder how many other areas
of computer and more general security have this same kind of issue.   

--John Kelsey, NIST

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-13 Thread leichter_jerrold
On Thu, 13 Jul 2006, John Kelsey wrote:
| From: Anne  Lynn Wheeler [EMAIL PROTECTED]
| ...
| my slightly different perspective is that audits in the past have 
| somewhat been looking for inconsistencies from independent sources. this 
| worked in the days of paper books from multiple different corporate 
| sources. my claim with the current reliance on IT technology ... that 
| the audited information can be all generated from a single IT source ... 
| invalidating any assumptions about audits being able to look for 
| inconsistencies from independent sources. A reasonable intelligent 
| hacker could make sure that all the information was consistent.
| 
| It's interesting to me that this same kind of issue comes up in voting
| security, where computerized counting of hand-marked paper ballots (or
| punched cards) has been and is being replaced with much more
| user-friendly DREs, where paper poll books are being replaced with
| electronic ones, etc.  It's easy to have all your procedures built
| around the idea that records X and Y come from independent sources,
| and then have technology undermine that assumption.  The obvious
| example of this is rules for recounts and paper record retention which
| are applied to DREs; the procedures make lots of sense for paper
| ballots, but no sense at all for DREs.  I wonder how many other areas
| of computer and more general security have this same kind of issue.   
That's a very interesting comparison.  I think it's a bit more subtle: We
have
two distinct phenomena here, and it's worth examining them more closely.

Phenomenon 1:
Computerized records are malleable, and it's in general impossible
to
determine if someone has changed them, when they changed them, what
the previous value was, and so on.  Further, changing computer
records
scales easily - it costs about as much to change a million records
as
it does to change one record.  Contrast this to traditional record
keeping systems, where forging even one record was quite difficult,
and forging a million was so difficult and expensive that it was
probably never done in history.  Even *destroying* a million paper
records is quite difficult.

This phenomenon is present in both the auditing and voting examples.
It's not so much that the DRE doesn't, or can't, keep a record just
as
the paper ballot system does; it's that the record is just something
in memory, or maybe written to a disk, and we simply have no faith
in our ability to detect tampering with such media.  Similarly,
as long as the books were physical books on paper, it was quite
difficult to tamper with them.  Now that they are in a computer
database somewhere, it's very easy.

Phenomenon 2:
The only way to merge the information from paper records is to
create
new, combined paper records.  The only way to filter out some of the
data from paper records is to make new, redacted paper records.
These
are expensive, time-consuming operations.  As a result,
record-keeping
systems based on paper tend to keep the originals distinct and only
produce rare roll-ups for analysis.  This lets you compare distinct
sources for the same piece of information.

Computerized systems, on the other hand, make it easy to merge,
select, and reformat data.  It's so easy that a central tenant of
database design is to avoid storing the same information more than
once (thus avoiding the problem of keeping multiple copies in sync).
But when this principle is applied to data relevant to auditing,
it discards exactly the redundancy that has always been used to
detect problems.  Sure, you can produce the traditional double-
entry reports, but if they you generate them on the fly from a
single database that just records transactions, sure enough, all
the amounts will tally - always, regardless of what errors or
shenanigans have occurred.

This has no obvious analogue in voting systems, except I suppose
in those that keep only totals, not individual votes.  (Of course,
that was the case with the old mechanical voting machines, too;
but their resistance to Phenomenon 1 made that acceptable.)

-- Jerry

| 
| --John Kelsey, NIST
| 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-13 Thread Anne Lynn Wheeler

John Kelsey wrote:

It's interesting to me that this same kind of issue comes up in voting
security, where computerized counting of hand-marked paper ballots (or
punched cards) has been and is being replaced with much more
user-friendly DREs, where paper poll books are being replaced with
electronic ones, etc.  It's easy to have all your procedures built
around the idea that records X and Y come from independent sources,
and then have technology undermine that assumption.  The obvious
example of this is rules for recounts and paper record retention which
are applied to DREs; the procedures make lots of sense for paper
ballots, but no sense at all for DREs.  I wonder how many other areas
of computer and more general security have this same kind of issue.   


being slightly perverse ... there is the analogy with the new england 
net. at one point somebody went to the trouble to get nine(?) 56kbit 
circuits routed out of the new england area on nine distinct physical 
trunks (diverse routing, telco provisioning). however, over a period of 
years, nobody appeared to pay attention as the unique circuits were 
consolidated to fewer and fewer physical trunks. one day, someplace in 
conn., the new england net fell victim a backhoe denial of service 
attack (and the new england net was partitioned from the rest of the 
world for a couple of days).


so one might conjecture that the sox approach to the opportunity is to 
retrofit the complete length of the single physical trunk with a bunker, 
built to bank vault specifications ... as a countermeasure to the 
backhoe denial of service attack.


possibly the only new real countermeasure in sox is the part about 
informants ...


recently i was told that the typical sox bill for a small to medium size 
$25m corporation runs $800k.


misc. past sox references:
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#36 Interesting bit of a quote

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread Anne Lynn Wheeler

[EMAIL PROTECTED] wrote:

I can corroborate the quote in that much of SarbOx and
other recent regs very nearly have a guilty unless proven
innocent quality, that banks (especially) and others are
called upon to prove a negative: X {could,did} not happen.
California SB1386 roughly says the same thing: If you cannot
prove that personal information was not spilled, then you
have to act as if it was.  About twenty states have followed
California's lead.  The surveillance requirements of both
SEC imposed-regulation and NYSE self-regulation seem always
to expand.  One of my (Verdasys) own customers failed a
SarbOx audit (by a big four accounting firm) because it
could not, in advance, *prove* that those who could change
the software (sysadmins) were unable in any way to change
the financial numbers and, in parallel, *prove* those who
could change the financial numbers (CFO  reports) were
unable to change the software environment.


my slightly different perspective is that audits in the past have 
somewhat been looking for inconsistencies from independent sources. this 
worked in the days of paper books from multiple different corporate 
sources. my claim with the current reliance on IT technology ... that 
the audited information can be all generated from a single IT source ... 
invalidating any assumptions about audits being able to look for 
inconsistencies from independent sources. A reasonable intelligent 
hacker could make sure that all the information was consistent.


a counter example is the IRS where individual reported income is 
correlated with other sources of reported financial information. 
however, i don't know how that could possibly work in the current 
environment where the corporation being audited is responsible for 
paying the auditors (cross checking information across multiple 
independent sources)


some past posts on the subject
http://www.garlic.com/~lynn/2006h.html#33
http://www.garlic.com/~lynn/2006i.html#1

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread dan

You're talking about entirely different stuff, Lynn,
but you are correct that data fusion at IRS and everywhere
else is aided and abetted by substantially increased record
keeping requirements.  Remember, Poindexter's TIA thing did
*not* posit new information sources, just fusing existing
sources and that alone blew it up politically.  As a security
matter relevant here, we can't protect un-fused data so
fused data is indeed probably worse.

On the prove-a-negative area, every time I say this in
front of CISO-level audiences I get nodding assent.  Ain't
making it up, in other words.  Innocent until proven
guilty seems now to be true in criminal matters; guilty
until proven innocent holds sway in the civil arena.

On the idea that our version of it is just one of many
versions of the same phenomenon in all fields, not just
the crypto-security one, today (literally) I was ordered
by the State of Rhode Island to install smoke and fire
detectors with direct tie-in to the Fire Department in
my farm's riding arena (a steel frame building with dirt
floor and three doors big enough for a semi).  Why?  Because
the regulators couldn't figure out whether I was a place of
assembly or not so, therefore, I must be a place of assembly
and my next hearing is whether I need sprinklers.  Mind you,
klaxons  strobes, now required, guarantee killing any
non-expert riders who are in the ring when they go off, 
but since the regulators themselves cannot prove to 
themselves that they don't have to impose the same 
requirements as a movie theater, to protect their own
asses it is me that has to now prove to them that I am
not covered -- which appears to mean getting the Legislature
to specifically exempt riding arenas since if that
Legislature is silent the regulators will assume the
worst and that means their ass versus mine.

The core issue here is thus runaway positive feedback loops.
When you hold regulators (fire inspectors, financial auditors,
whatever) liable for not having proven that their clients
cannot have anything wrong (which is why Arthur Anderson
went out of business, e.g.), then you get prove-a-negative
from the regulators and auditors -- madness on the same
scale as tulip mania or the defenestration of Prague.

--dan


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread David Wagner
[EMAIL PROTECTED]
 Been with a reasonable number of General Counsels
 on this sort of thing.  Maybe you can blame them
 and not SB1386 for saying that if you cannot prove
 the data didn't spill then it is better corporate
 risk management to act as if it did spill.

Well, are you sure you haven't confused what they're saying about SOX, vs
what they're saying about SB1386?  It's easy for me to believe that they'd
say this about SOX, but the plain language of SB1386 seems pretty clear.

(It would also be easy for me to believe that a General Counsel would
say that if you have knowledge of a breach of security in one of your
systems and reason to believe that an unauthorized individual gained
access to personal information as a result, then you must assume that
you have to notify every person whose data was stored in the system and
who may have been affected by the breach, unless you can prove that those
persons weren't affected by that breach.  But that's very different from
how you characterized SB1386.)

If General Counsels are really saying that SB1386 requires you to act
as if data has spilled, even in absence of any reason whatsoever to
think there has been any kind of security breach or unauthorized access,
merely because you don't have proof that it hasn't spilled -- then yes,
that does sound strange to me.  That is not my understanding of the
intent of SB1386, and it is not what the language of SB1386 seems to say.

Then again, maybe your General Counsels know something that I don't;
it's always possible that the text of the law is misleading, or that
I'm missing something.  They're the legal experts, not me.

Personally, my suggestion is as follows: The next time that a General
Counsel claims to you that SB1386 requires you to assume data has spilled
(even in absence of any reason to believe there has been a security
breach) until you can prove to the contrary, I suggest you quote from
the text of SB1386, and let us know how they respond.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread Anne Lynn Wheeler

[EMAIL PROTECTED] wrote:

You're talking about entirely different stuff, Lynn,
but you are correct that data fusion at IRS and everywhere
else is aided and abetted by substantially increased record
keeping requirements.  Remember, Poindexter's TIA thing did
*not* posit new information sources, just fusing existing
sources and that alone blew it up politically.  As a security
matter relevant here, we can't protect un-fused data so
fused data is indeed probably worse.


but this is the security issue dating back to before the 80s ... when 
they decided they could no longer guarantee single point of security ... 
in part because of insider threats ... they added multiple independent 
sources as a countermeasure. the crooks responded with collusion ... so 
you started to see countermeasures to collusion appearing in the early 80s.


the advent of the internet, sort of refocused attention to outsider 
attacks ... even tho the statistics continue to hold that the major 
source of fraud is still insiders ... including thru the whole internet 
era. the possibility of outsiders may have helped insiders obfuscate 
true source of many insider vulnerabilities.


the issue with auditing to prove no possible vulnerability for a single 
point ... leading to the extremes of having to prove a negative ... can 
possibly be interpreted within the context of attempting to preserve the 
current audit paradigm.


independent operation/sources/entities have been used for a variety of 
different purposes. however, my claim has been then auditing has been 
used to look for inconsistencies. this has worked better in situations 
where there was independent physical books from independent sources 
(even in the same corporation).


As IT technology has evolved ... my assertion is a complete set of 
(consistent) corporate books can be generated from a single IT 
source/operation. The IRS example is having multiple independent sources 
of the same information (so that you can have independent sources to 
check for inconsistencies).


The fusion scenarios tend to be having multiple independent sources of 
at least some different data ... so the aggregation is more than the 
individual parts (as opposed to the same data to corroborate).


ref:
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006l.html#1 Sarbanes-Oxley

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread Travis H.

On 7/11/06, Adam Fields [EMAIL PROTECTED] wrote:

On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
 Business ultimately depends on trust.  There's some study out there -
Trust is not quite the opposite of security (in the sense of an
action, not as a state of being), but certainly they're mutually
exclusive. If you have trust, you have no need for security.


Quoting Ross Anderson's TCPA comments:
A trusted [entity] is one that can break your security.

Quoting John Carrol in Computer Security:
Just because it is trusted, doesn't mean it's trustworthy.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread leichter_jerrold
On Tue, 11 Jul 2006, Anne  Lynn Wheeler wrote:
| ...independent operation/sources/entities have been used for a variety of
| different purposes. however, my claim has been then auditing has been used
to
| look for inconsistencies. this has worked better in situations where there
was
| independent physical books from independent sources (even in the same
| corporation).
| 
| As IT technology has evolved ... my assertion is a complete set of
| (consistent) corporate books can be generated from a single IT
| source/operation. The IRS example is having multiple independent sources
of
| the same information (so that you can have independent sources to check
for
| inconsistencies)
Another, very simple, example of the way that the assumptions of
auditing are increasingly at odds with reality can be seen in receipts.
Whenever I apply for a reimbursement of business expenses, I have to
provide original receipts.  Well ... just what *is* an original
receipt for an Amazon purchase?  Sure, I can print the page Amazon
gives me.  Then again, I can easily modify it to say anything I like.

Hotel receipts are all computer-printed these days.  Yes, some of them
still use pre-printed forms, but as the cost of color laser printers
continues to drop, eventually it will make no sense to order and stock
that stuff.  Restaurant receipts are printed on little slips of paper by
one of a small number of brands of printer with some easily set custom-
ization, readily available at low cost to anyone who cares to buy one.

Back in the days when receipts were often hand-written or typed on
good-quality letterhead forms, original receipts actually proved
something.  Yes, they could be faked, but doing so was difficult and
hardly worth the effort.  That's simply not true any more.

Interestingly, the auditors at my employer - and at many others, I'm
sure - have recognized this, and now accept fax images of all receipts.
However, the IRS still insists on originals in case of an audit.
Keeping all those little pieces of paper around until the IRS loses
interest (I've heard different ideas about how long is safe - either 3
or 7 years) is now *my* problem.  (If the IRS audits my employer, and
comes to me for receipts I don't have, the business expense reimburse-
ments covered by those missing receipts suddenly get reclassified as
ordinary income, on which *I*, not my employer, now owe taxes - and
their good friends interest and penalties.)
-- Jerry


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread Anton Stiglic
 David Wagner writes:
 SB1386 says that if a company conducts business in Caliornia and
 has a system that includes personal information stored in unencrypted from
 and if that company discovers or is notified of a breach of the security
 that system, then the company must notify any California resident whose
 unencrypted personal information was, or is reasonably believed to have
 been, acquired by an unauthorized person. [*]


 [*] This is pretty close to an direct quote from Section 1798.82(a)
 of California law.  See for yourself:
   
 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Does that mean that you (the company) are safe if all of the personal
information in the database is simply encrypted with the decryption key
laying right there alongside the data?  Alot of solutions do this, some go
to different lengths in trying to obfuscate the key.

--Anton




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-12 Thread Abe Singer
On Tue, Jul 11, 2006 at 05:50:06PM -0700, David Wagner wrote:
 
 No, it doesn't.  I think you've got it backwards.  That's not what SB1386
 says.  SB1386 says that if a company conducts business in Caliornia and
 has a system that includes personal information stored in unencrypted from
 and if that company discovers or is notified of a breach of the security
 that system, then the company must notify any California resident whose
 unencrypted personal information was, or is reasonably believed to have
 been, acquired by an unauthorized person. [*]

A small, but very significant correction.  The law says any breach of the 
security of the data, not security of the system.

The more explicit paragraph is in 1798.82(b)

   (b) Any person or business that maintains computerized data that
   includes personal information that the person or business does not
   own shall notify the owner or licensee of the information of any
   breach of the security of the data immediately following discovery,
   if the personal information was, or is reasonably believed to have
   been, acquired by an unauthorized person.


And even though the code has already stated such, it further goes on
to define security of the system in 1798.82(d):

   (d) For purposes of this section, breach of the security of the
   system means unauthorized acquisition of computerized data that
   compromises the security, confidentiality, or integrity of personal
   information maintained by the person or business. [...]

 If you know or are notified that the security of your system has been
 breached and if you know or have some reason to believe that someone
 has received unauthorized access to unencrypted personal information
 about California residents, then sure, you have to act on the presumption
 that the personal information was spilled.  So what?  That seems awfully
 reasonable to me.

reasonable is for a judge or jury to decide.  A lawyer's job is to do
what's the the best interests of the client, and in this circumstance,
make a determination of what will be considered reasonable in court.
And ask three lawyers a question, you'll get at least four opinions. (the
same can be said for security geeks).

But ultimately, what the lawyer is deciding is what's going to cost the
client less: disclosure or possibly penatly of non-disclosure.  They'll
often opt for the former to avoid the possibility high cost of the latter.

I've been on and around the pointy end of this stick (and no,
not any publicized events).  If unauthorized access cannot clearly
be substatiated, it becomes a judgement call, based on a variety of
factors.  Factors might include duration between compromise and discovery
(e.g. they've been on the system so long that we just can't tell anymore),
intruder activities, etc.

 In short, my reading of SB1386 is that companies only have to notify
 customers if (a) they know or are notified of a security breach and
 (b) they know or have reason to believe that this breach led to an
 unauthorized disclosure of personal information.  In other words, SB1386
 treats companies as innocent until there is some reason to believe that
 they are guilty.  I don't know anything about SOX, but I think you've
 mis-characterized SB1386.  Don't tar SB1386 with SOX-feathers.

SB1386 doesn't spell out guilt or innocence.  It just provides a liability
shield for a company who complies with it, and spells out punitive
damages for failing to comply.

A company could make the decision that the penalty for non-disclosure
is less than it would cost otherwise, and choose to keep quiet and hope
for the best.


 [*] This is pretty close to an direct quote from Section 1798.82(a)
 of California law.  See for yourself:
   
 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Better yet, go directly to the California Code (Civil Code Section):

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civgroup=01001-02000file=1798.80-1798.84

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Interesting bit of a quote

2006-07-11 Thread leichter_jerrold
...from a round-table discussion on identity theft in the current
Computerworld:

IDGNS: What are the new threats that people aren't thinking
about?

CEO Dean Drako, Sana Security Inc.: There has been a market
change over the last five-to-six years, primarily due to
Sarbanes-Oxley. It used to be that you actually trusted your
employees. What's changed -- and which is really kind of morally
and socially depressing -- is that now, the way the auditors
approach the problem, the way Sarbanes-Oxley approaches the
problem, is you actually put in systems assuming that you can't
trust anyone.  Everything has to be double-signoff or a
double-check in the process of how you organize all of the
financials of the company

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-11 Thread Adam Fields
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
[...]
 Business ultimately depends on trust.  There's some study out there -
 I don't recall a reference - that basically finds that the level of
 trust is directly related to the level of economic success of an
 economy.  There are costs associated with verification, some of them
 easily quantifiable, some of them much harder to pin down.  The
 difficulty is in making the tradeoffs.  We're now pushing way over
 on the verification side, in a natural reaction to a series of major
 frauds and scandals.

Trust is not quite the opposite of security (in the sense of an
action, not as a state of being), but certainly they're mutually
exclusive. If you have trust, you have no need for security.

Personally, given the choice, I'd rather have trust. I think that this
is a distinction that could be made more often when deciding on how to
implement a security system.

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.adamfields.com ]

[ http://www.aquick.org/blog ]  Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].Wiki

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Interesting bit of a quote

2006-07-11 Thread dan

Jerrold,

I can corroborate the quote in that much of SarbOx and
other recent regs very nearly have a guilty unless proven
innocent quality, that banks (especially) and others are
called upon to prove a negative: X {could,did} not happen.
California SB1386 roughly says the same thing: If you cannot
prove that personal information was not spilled, then you
have to act as if it was.  About twenty states have followed
California's lead.  The surveillance requirements of both
SEC imposed-regulation and NYSE self-regulation seem always
to expand.  One of my (Verdasys) own customers failed a
SarbOx audit (by a big four accounting firm) because it
could not, in advance, *prove* that those who could change
the software (sysadmins) were unable in any way to change
the financial numbers and, in parallel, *prove* those who
could change the financial numbers (CFO  reports) were
unable to change the software environment.

Jeffrey Ritter, partner in the electronic practice at
(big-name) D.C. law firm Kirkpatrick  Lockhart gave the 
major address at the annual meeting of the Cyber Security
Industry Alliance recently.  In it he said that what he
and his firm tell their (big-name) clients is this:

* That which was not recorded did not happen.

* That which is not documented does not exist.

* That which has not been audited is vulnerable.

and he did not mean this in the paths to invisibility
sense but rather that you have liability unless you can
prove that you don't.

While one can say that this has always been true or that
the insider has always been the real threat, or whatever
variation you like, as a consultant for nearly two decades
the burgeoning prove a negative focus feels unprecedented
to me.  And it is not just our field -- today's Boston
newspaper has the State of Massachusetts' building inspectors
being suspended en masse' for refusing en masse' to accept
GPS position tracking as a newly imposed job requirement.
By next summer, every animal in the country is supposed to
be chipped and the owner's home address recorded in GPS
form (google for NAIS) with a requirement to file with
USDA any off premises transportation (taking the kids'
heifer to the the 4H show included).

--dan

===
The great distinction: 
A conservative is a socialist who worships order.
A liberal is a socialist who worships safety. 
-- Victor Milan', 1999


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]