Travis H. wrote:
1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the signer is not
corruptible), or applying a frangible difficult-to-duplicate seal of
some kind (this assumes access controls on the seals).
2) Some kind of hash cha
On 7/15/06, John Kelsey <[EMAIL PROTECTED]> wrote:
Another solution is to use cryptographic audit logs. Bruce Schneier
and I did some work on this several years ago, using a MAC to
authenticate the current record as it's written, and a one-way
function to derive the next key. (This idea was app
>From: "Travis H." <[EMAIL PROTECTED]>
>Sent: Jul 14, 2006 11:22 PM
>To: David Mercer <[EMAIL PROTECTED]>
>Cc: cryptography@metzdowd.com
>Subject: Re: Interesting bit of a quote
...
>The problem with this is determining if the media has been replaced.
>
On Fri, 14 Jul 2006, Travis H. wrote:
Absent other protections, one could simply write a new WORM media with
falsified information.
I can see two ways of dealing with this:
1) Some kind of physical authenticity, such as signing one's name on
the media as they are produced (this assumes the sig
On 7/14/06, David Mercer <[EMAIL PROTECTED]> wrote:
WORM drives (and WORM tapes)
are used by organizations that need to prove that things weren't
altered (or to be able to audit when they are).
The problem with this is determining if the media has been replaced.
Absent other protections, one co
John Kelsey wrote:
>>From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
>>Sent: Jul 11, 2006 6:45 PM
>>Subject: Re: Interesting bit of a quote
>
>
> ..
>
>>my slightly different perspective is that audits in the past have
>>somewhat been lookin
On 7/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Phenomenon 1:
Computerized records are malleable, and it's in general impossible to
determine if someone has changed them, when they changed them, what
the previous value was, and so on. Further, changing computer
r
25m corporation runs $800k.
misc. past sox references:
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#36 Intere
On Thu, 13 Jul 2006, John Kelsey wrote:
| >From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
| ...
| >my slightly different perspective is that audits in the past have
| >somewhat been looking for inconsistencies from independent sources. this
| >worked in the days of paper books from multiple differ
>From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
>Sent: Jul 11, 2006 6:45 PM
>Subject: Re: Interesting bit of a quote
...
>my slightly different perspective is that audits in the past have
>somewhat been looking for inconsistencies from independent sources. this
>worke
[EMAIL PROTECTED] wrote:
* That which was not recorded did not happen.
* That which is not documented does not exist.
* That which has not been audited is vulnerable.
and he did not mean this in the "paths to invisibility"
sense but rather that you have liability unless y
On Tue, Jul 11, 2006 at 05:50:06PM -0700, David Wagner wrote:
>
> No, it doesn't. I think you've got it backwards. That's not what SB1386
> says. SB1386 says that if a company conducts business in California and
> has a system that includes personal information stored in unencrypted form
> and i
Anton Stiglic wrote:
Does that mean that you (the company) are safe if all of the personal
information in the database is simply encrypted with the decryption key
lying right there alongside the data? A lot of solutions do this, some go
to different lengths in trying to obfuscate the key.
note
> David Wagner writes:
> SB1386 says that if a company conducts business in California and
> has a system that includes personal information stored in unencrypted form
> and if that company discovers or is notified of a breach of the security
> that system, then the company must notify any Californi
On Tue, 11 Jul 2006, Anne & Lynn Wheeler wrote:
| ...independent operation/sources/entities have been used for a variety of
| different purposes. however, my claim has been then auditing has been used to
| look for inconsistencies. this has worked better in situations where there was
| independent
On 7/11/06, Adam Fields <[EMAIL PROTECTED]> wrote:
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
> Business ultimately depends on trust. There's some study out there -
Trust is not quite the opposite of security (in the sense of an
action, not as a state of being), but certain
having multiple independent sources of
at least some different data ... so the aggregation is more than the
individual parts (as opposed to the same data to corroborate).
ref:
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/2006h.html#58 Sarb
[EMAIL PROTECTED]
> Been with a reasonable number of General Counsels
> on this sort of thing. Maybe you can blame them
> and not SB1386 for saying that if you cannot prove
> the data didn't spill then it is better corporate
> risk management to act as if it did spill.
Well, are you sure you have
David Wagner writes:
-+--
| [EMAIL PROTECTED] writes:
| >I can corroborate the quote in that much of SarbOx and
| >other recent regs very nearly have a guilty unless proven
| >innocent quality, that banks (especially) and others are
| >called upon to prove a negative: X {could
You're talking about entirely different stuff, Lynn,
but you are correct that data fusion at IRS and everywhere
else is aided and abetted by substantially increased record
keeping requirements. Remember, Poindexter's TIA thing did
*not* posit new information sources, just fusing existing
sources
[EMAIL PROTECTED] writes:
>I can corroborate the quote in that much of SarbOx and
>other recent regs very nearly have a guilty unless proven
>innocent quality, that banks (especially) and others are
>called upon to prove a negative: X {could,did} not happen.
>California SB1386 roughly says the same
[EMAIL PROTECTED] wrote:
I can corroborate the quote in that much of SarbOx and
other recent regs very nearly have a guilty unless proven
innocent quality, that banks (especially) and others are
called upon to prove a negative: X {could,did} not happen.
California SB1386 roughly says the same thi
--
Leichter, Jerry wrote:
> Business ultimately depends on trust. There's some
> study out there - I don't recall a reference - that
> basically finds that the level of trust is directly
> related to the level of economic success of an
> economy. There are costs associated with
> verificatio
Jerrold,
I can corroborate the quote in that much of SarbOx and
other recent regs very nearly have a guilty unless proven
innocent quality, that banks (especially) and others are
called upon to prove a negative: X {could,did} not happen.
California SB1386 roughly says the same thing: If you canno
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
[...]
> Business ultimately depends on trust. There's some study out there -
> I don't recall a reference - that basically finds that the level of
> trust is directly related to the level of economic success of an
> economy. There a
| That's not a change. You should never have granted unlimited trust to
| insiders. Just as most organizations do not have the same person handling
| accounts payable and vendor selection, you should have checks and balances in
| IT as well.
There have always been parts of the business where you ne
That's not a change. You should never have granted unlimited trust to
insiders. Just as most organizations do not have the same person handling
accounts payable and vendor selection, you should have checks and balances
in IT as well.
-Stiennon
At 07:49 AM 7/11/2006, [EMAIL PROTECTED] wrote:
...from a round-table discussion on identity theft in the current
Computerworld:
IDGNS: What are the new threats that people aren't thinking
about?
CEO Dean Drako, Sana Security Inc.: There has been a market
change over the last five-to-six years, primarily due to