Re: Interesting bit of a quote
On Fri, 14 Jul 2006, Travis H. wrote:

> Absent other protections, one could simply write a new WORM media with
> falsified information. I can see two ways of dealing with this:
>
> 1) Some kind of physical authenticity, such as signing one's name on the
> media as they are produced (this assumes the signer is not corruptible),
> or applying a frangible difficult-to-duplicate seal of some kind (this
> assumes access controls on the seals).
>
> 2) Some kind of hash chain covering the contents, combined with
> publication of the hashes somewhere where they cannot be altered (e.g.
> publish hash periodically in a classified ad in a newspaper).

My MS Thesis was on this topic: http://lunkwill.org/cv/logcrypt_update.pdf

If you store a value with a TTP (say, an auditor), and follow the protocol honestly, it's impossible to go back later and falsify records. The symmetric version uses hash chains, and was invented several times before I came along.

-J

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Interesting bit of a quote
From: Travis H. [EMAIL PROTECTED]
Sent: Jul 14, 2006 11:22 PM
To: David Mercer [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Interesting bit of a quote

...

> The problem with this is determining if the media has been replaced.
> Absent other protections, one could simply write a new WORM media with
> falsified information. I can see two ways of dealing with this:
>
> 1) Some kind of physical authenticity, such as signing one's name on the
> media as they are produced (this assumes the signer is not corruptible),
> or applying a frangible difficult-to-duplicate seal of some kind (this
> assumes access controls on the seals).

I think this is going to resolve to chain-of-custody rules of some kind. One problem is that so long as the company making the records is storing them onsite, it's hard for an outside auditor to be sure they aren't being tampered with. (Can the CEO really not work out a way to get one of his guys access to the tape storage vault?)

> 2) Some kind of hash chain covering the contents, combined with
> publication of the hashes somewhere where they cannot be altered (e.g.
> publish hash periodically in a classified ad in a newspaper).

You could do the whole digital timestamping thing here. You could also just submit hashes of this week's backup tape to your auditor and the SEC or something.

Another solution is to use cryptographic audit logs. Bruce Schneier and I did some work on this several years ago, using a MAC to authenticate the current record as it's written, and a one-way function to derive the next key. (This idea was apparently developed by at least two other people independently.) Jason Holt has extended this idea to use digital signatures, which makes them far more practical. One caveat is that cryptographic audit logs only work if the logging machine is honest when the logs are written.

--John
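The two mechanisms discussed in this message, a MAC-authenticated log whose key is evolved with a one-way function (Kelsey's description) and a hash chain whose head is periodically published to a third party (Travis's classified-ad suggestion), as an added example that is my own code, not the thread's, Logcrypt's or the Schneier/Kelsey paper's; the key schedule, byte encodings, the auditor-escrowed K_0 and the log records are constructed assumptions:

```python
import hashlib
import hmac

# Added example, not code from the thread or from any poster's project. The
# key schedule, encodings and sample records below are my own assumptions.

DOMAIN = b"audit-log-example"
GENESIS = hashlib.sha256(DOMAIN + b"|genesis").digest()
# Constructed demo key; in practice K_0 is escrowed with the auditor at setup.
K0_DEMO = hashlib.sha256(b"constructed demo key, escrowed with the auditor").digest()

def evolve_key(key: bytes) -> bytes:
    """One-way step K_{i+1} = H(K_i); the logger deletes K_i afterwards."""
    return hashlib.sha256(DOMAIN + b"|key|" + key).digest()

def entry_tag(key: bytes, chain: bytes, record: bytes) -> bytes:
    """MAC over (chain head so far, record) under the per-entry key K_i."""
    return hmac.new(key, chain + b"|" + record, hashlib.sha256).digest()

def chain_step(chain: bytes, record: bytes, tag: bytes) -> bytes:
    """Hash chain: each new head commits to every record and tag before it."""
    return hashlib.sha256(chain + b"|" + record + b"|" + tag).digest()

class Logger:
    """The writer. It holds only the current key; earlier keys are gone, so it
    cannot later re-MAC an entry it already wrote."""

    def __init__(self, k0: bytes):
        self.key = k0
        self.chain = GENESIS
        self.entries = []    # (record, tag) pairs: the on-disk log
        self.published = {}  # entry count -> chain head handed to the auditor

    def append(self, record: bytes) -> None:
        tag = entry_tag(self.key, self.chain, record)
        self.chain = chain_step(self.chain, record, tag)
        self.entries.append((record, tag))
        self.key = evolve_key(self.key)   # forward security: old key discarded

    def publish(self) -> bytes:
        """Snapshot the chain head to a place the logger cannot later change."""
        self.published[len(self.entries)] = self.chain
        return self.chain

def verify(k0: bytes, entries, published) -> tuple:
    """Auditor side: needs K_0 (escrowed at setup) plus the published heads.
    Replays the whole log from the first entry. Returns (ok, reason)."""
    key, chain = k0, GENESIS
    for i, (record, tag) in enumerate(entries):
        if not hmac.compare_digest(tag, entry_tag(key, chain, record)):
            return False, f"entry {i}: MAC mismatch (modified, deleted or inserted)"
        chain = chain_step(chain, record, tag)
        if i + 1 in published and published[i + 1] != chain:
            return False, f"entry {i}: chain head differs from the published one"
        key = evolve_key(key)
    if published and max(published) > len(entries):
        return False, f"log truncated below the published count {max(published)}"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: two records, a publication, one more record, then
    several tampering attempts checked by the auditor."""
    log = Logger(K0_DEMO)
    log.append(b"2006-07-14 tape 17 written")
    log.append(b"2006-07-14 tape 17 sealed")
    log.publish()                                   # head after 2 entries
    log.append(b"2006-07-15 tape 18 written")        # not yet published
    results = {"intact": verify(K0_DEMO, log.entries, log.published)[0]}

    # 1. Rewrite an old record in place: the old tag no longer matches.
    modified = list(log.entries)
    modified[0] = (b"2006-07-14 tape 17 NOT written", modified[0][1])
    results["modified"] = verify(K0_DEMO, modified, log.published)[0]

    # 2. Roll the log back to before the publication.
    results["truncated"] = verify(K0_DEMO, log.entries[:1], log.published)[0]

    # 3. Drop only the unpublished tail: undetectable until the next
    #    publication, which is why heads must be published regularly.
    results["tail_dropped"] = verify(K0_DEMO, log.entries[:2], log.published)[0]

    # 4. An insider who somehow kept K_0 regenerates a "clean" log with valid
    #    MACs. The MACs pass, but the published head exposes the rewrite.
    forged = Logger(K0_DEMO)
    forged.append(b"2006-07-14 nothing happened")
    forged.append(b"2006-07-14 tape 17 sealed")
    results["insider_with_k0"] = verify(K0_DEMO, forged.entries, log.published)[0]
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} verifies: {ok}")
```

Case 3 is Kelsey's caveat in miniature: the MAC chain only binds what was written while the logger was honest, and anything after the last published head can still be silently dropped.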
Re: Interesting bit of a quote
On 7/15/06, John Kelsey [EMAIL PROTECTED] wrote:

> Another solution is to use cryptographic audit logs. Bruce Schneier and
> I did some work on this several years ago, using a MAC to authenticate
> the current record as it's written, and a one-way function to derive the
> next key. (This idea was apparently developed by at least two other
> people independently.) Jason Holt has extended this idea to use digital
> signatures, which makes them far more practical. One caveat is that
> cryptographic audit logs only work if the logging machine is honest when
> the logs are written.

Yeah, I love that idea, saw it at the 7th Usenix Security Symposium. For everyone else, there's an implementation here:

http://isrl.cs.byu.edu/logcrypt/index.html

I have been looking for something like this for a while.

Note to Jason Holt: The subscribe links for the mailing lists are broken.

I like the idea of encrypting the entries, but I thought that having to classify them into a finite number of classes, and restricting disclosure to be along class lines, is restrictive. Then again, I don't know offhand how to allow the logger to disclose arbitrary subsets efficiently.

--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: Interesting bit of a quote
Travis H. wrote:

> 1) Some kind of physical authenticity, such as signing one's name on the
> media as they are produced (this assumes the signer is not corruptible),
> or applying a frangible difficult-to-duplicate seal of some kind (this
> assumes access controls on the seals).
>
> 2) Some kind of hash chain covering the contents, combined with
> publication of the hashes somewhere where they cannot be altered (e.g.
> publish hash periodically in a classified ad in a newspaper).

a lot of that has to do with whether you have an original and/or whether an original has been modified.

my view of audits for sox type stuff is whether the original is correct. that is where multiple independent sources of original information came in for purposes of cross checking (and the possibility of any inconsistency is an indication of something amiss) ... and where subsequently you have to start worrying about countermeasures to collusion.

however, if you have collapsed the originals to a single source, you lose the ability to cross-check multiple independent originals for validity of the information. so you ask for a lot more detailed information in the originals ... hoping the level of detail is harder to make consistent (since you may have some sense that you have lost the capability of cross checking multiple independent sources for inconsistency).

the counterargument is that with IT technology ... any level of detail can be programmed to be consistent (if you are going to create incorrect information in an original ... you could make it incorrectly consistent to any level of detail). So now you create significant threats and penalties for anybody (in charge) allowing incorrect information to appear in an audit (since you somehow realize that with only a single source, it isn't likely that an audit is going to turn up inconsistent information as an indication that something is incorrect).

So now you are potentially in a situation where audits are no longer an effective countermeasure to serious inconsistent or incorrect information ... it's the threats and the penalties that are the countermeasure to serious inconsistent or incorrect information. At the same time there is some sense that if audits previously had turned up inconsistency (from multiple independent sources) ... then possibly just increasing the level of audit detail might still provide some benefit.
Re: Interesting bit of a quote
On 7/13/06, [EMAIL PROTECTED] wrote:

> Phenomenon 1: Computerized records are malleable, and it's in general
> impossible to determine if someone has changed them, when they changed
> them, what the previous value was, and so on. Further, changing computer
> records scales easily - it costs about as much to change a million
> records as it does to change one record.

Well yes, and no. Relational database systems perform replication by copying and loading transaction logs, and WORM drives (and WORM tapes) are used by organizations that need to prove that things weren't altered (or to be able to audit when they are). It is of course quite a lot more expensive to do things that way compared to how the typical IT shop does things.

-David Mercer
Re: Interesting bit of a quote
John Kelsey wrote:

> From: Anne Lynn Wheeler [EMAIL PROTECTED]
> Sent: Jul 11, 2006 6:45 PM
> Subject: Re: Interesting bit of a quote
>
> ..
>
> > my slightly different perspective is that audits in the past have
> > somewhat been looking for inconsistencies from independent sources.
> > this worked in the days of paper books from multiple different
> > corporate sources. my claim with the current reliance on IT
> > technology ... that the audited information can be all generated from
> > a single IT source ... invalidating any assumptions about audits being
> > able to look for inconsistencies from independent sources. A
> > reasonably intelligent hacker could make sure that all the information
> > was consistent.
>
> It's interesting to me that this same kind of issue comes up in voting
> security, where computerized counting of hand-marked paper ballots (or
> punched cards) has been and is being replaced with much more
> user-friendly DREs, where paper poll books are being replaced with
> electronic ones, etc. It's easy to have all your procedures built around
> the idea that records X and Y come from independent sources, and then
> have technology undermine that assumption. The obvious example of this
> is rules for recounts and paper record retention which are applied to
> DREs; the procedures make lots of sense for paper ballots, but no sense
> at all for DREs. I wonder how many other areas of computer and more
> general security have this same kind of issue.

Another example, possibly of some importance, is found in registers of births, marriages and deaths. Details of the relevant events were entered contemporaneously in local paper ledgers whose pages were numbered. (They were later, perhaps every quarter, copied to central registers.) As a result it was very difficult to create a backdated record, or remove an original one, without it being obvious. When registers consist of electronic databases, these natural protections silently disappear.

They could be replaced, perhaps by publishing an authenticated hash of the register every week, and cumulative hashes periodically; but there is no sign of such methods being adopted. The Law Society of England and Wales suggested to the Land Registry that it should adopt some such methods for its electronic land registers, especially when the transactions recorded in the registers become electronic rather than paper transactions, as is planned. I have no reason to think this suggestion will take root.

Nicholas Bohm
--
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 020 7788 2198 (+44 20 7788 2198)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Re: Interesting bit of a quote
On 7/14/06, David Mercer [EMAIL PROTECTED] wrote:

> WORM drives (and WORM tapes) are used by organizations that need to
> prove that things weren't altered (or to be able to audit when they
> are).

The problem with this is determining if the media has been replaced. Absent other protections, one could simply write a new WORM media with falsified information. I can see two ways of dealing with this:

1) Some kind of physical authenticity, such as signing one's name on the media as they are produced (this assumes the signer is not corruptible), or applying a frangible difficult-to-duplicate seal of some kind (this assumes access controls on the seals).

2) Some kind of hash chain covering the contents, combined with publication of the hashes somewhere where they cannot be altered (e.g. publish hash periodically in a classified ad in a newspaper).

--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: Interesting bit of a quote
[EMAIL PROTECTED] wrote:

> * That which was not recorded did not happen.
> * That which is not documented does not exist.
> * That which has not been audited is vulnerable.
>
> and he did not mean this in the paths to invisibility sense but rather
> that you have liability unless you can prove that you don't.

Thanks for the quote. But "That which was not recorded did not happen" and the other two points can, and IMO should, also be taken in the positive sense that you need recorded, credible, audited evidence in order to support business in case arguments (as they do) arise. Trust depends on parallel channels. So based, trust actually reduces liability.

The knife cuts the other way too, and that's why irrevocably expiring documents that can be so treated (legally and business-wise) is also necessary to reduce liability.

Cheers,
Ed Gerck
Re: Interesting bit of a quote
From: Anne Lynn Wheeler [EMAIL PROTECTED]
Sent: Jul 11, 2006 6:45 PM
Subject: Re: Interesting bit of a quote

...

> my slightly different perspective is that audits in the past have
> somewhat been looking for inconsistencies from independent sources.
> this worked in the days of paper books from multiple different
> corporate sources. my claim with the current reliance on IT technology
> ... that the audited information can be all generated from a single IT
> source ... invalidating any assumptions about audits being able to look
> for inconsistencies from independent sources. A reasonably intelligent
> hacker could make sure that all the information was consistent.

It's interesting to me that this same kind of issue comes up in voting security, where computerized counting of hand-marked paper ballots (or punched cards) has been and is being replaced with much more user-friendly DREs, where paper poll books are being replaced with electronic ones, etc. It's easy to have all your procedures built around the idea that records X and Y come from independent sources, and then have technology undermine that assumption. The obvious example of this is rules for recounts and paper record retention which are applied to DREs; the procedures make lots of sense for paper ballots, but no sense at all for DREs. I wonder how many other areas of computer and more general security have this same kind of issue.

--John Kelsey, NIST
Re: Interesting bit of a quote
On Thu, 13 Jul 2006, John Kelsey wrote:
| From: Anne Lynn Wheeler [EMAIL PROTECTED]
| ...
| my slightly different perspective is that audits in the past have
| somewhat been looking for inconsistencies from independent sources. this
| worked in the days of paper books from multiple different corporate
| sources. my claim with the current reliance on IT technology ... that
| the audited information can be all generated from a single IT source ...
| invalidating any assumptions about audits being able to look for
| inconsistencies from independent sources. A reasonably intelligent
| hacker could make sure that all the information was consistent.
|
| It's interesting to me that this same kind of issue comes up in voting
| security, where computerized counting of hand-marked paper ballots (or
| punched cards) has been and is being replaced with much more
| user-friendly DREs, where paper poll books are being replaced with
| electronic ones, etc. It's easy to have all your procedures built
| around the idea that records X and Y come from independent sources,
| and then have technology undermine that assumption. The obvious
| example of this is rules for recounts and paper record retention which
| are applied to DREs; the procedures make lots of sense for paper
| ballots, but no sense at all for DREs. I wonder how many other areas
| of computer and more general security have this same kind of issue.

That's a very interesting comparison. I think it's a bit more subtle: We have two distinct phenomena here, and it's worth examining them more closely.

Phenomenon 1: Computerized records are malleable, and it's in general impossible to determine if someone has changed them, when they changed them, what the previous value was, and so on. Further, changing computer records scales easily - it costs about as much to change a million records as it does to change one record.

Contrast this to traditional record keeping systems, where forging even one record was quite difficult, and forging a million was so difficult and expensive that it was probably never done in history. Even *destroying* a million paper records is quite difficult.

This phenomenon is present in both the auditing and voting examples. It's not so much that the DRE doesn't, or can't, keep a record just as the paper ballot system does; it's that the record is just something in memory, or maybe written to a disk, and we simply have no faith in our ability to detect tampering with such media. Similarly, as long as the books were physical books on paper, it was quite difficult to tamper with them. Now that they are in a computer database somewhere, it's very easy.

Phenomenon 2: The only way to merge the information from paper records is to create new, combined paper records. The only way to filter out some of the data from paper records is to make new, redacted paper records. These are expensive, time-consuming operations. As a result, record-keeping systems based on paper tend to keep the originals distinct and only produce rare roll-ups for analysis. This lets you compare distinct sources for the same piece of information.

Computerized systems, on the other hand, make it easy to merge, select, and reformat data. It's so easy that a central tenet of database design is to avoid storing the same information more than once (thus avoiding the problem of keeping multiple copies in sync). But when this principle is applied to data relevant to auditing, it discards exactly the redundancy that has always been used to detect problems. Sure, you can produce the traditional double-entry reports, but if you generate them on the fly from a single database that just records transactions, sure enough, all the amounts will tally - always, regardless of what errors or shenanigans have occurred.

This has no obvious analogue in voting systems, except I suppose in those that keep only totals, not individual votes. (Of course, that was the case with the old mechanical voting machines, too; but their resistance to Phenomenon 1 made that acceptable.)

-- Jerry
Re: Interesting bit of a quote
John Kelsey wrote:

> It's interesting to me that this same kind of issue comes up in voting
> security, where computerized counting of hand-marked paper ballots (or
> punched cards) has been and is being replaced with much more
> user-friendly DREs, where paper poll books are being replaced with
> electronic ones, etc. It's easy to have all your procedures built around
> the idea that records X and Y come from independent sources, and then
> have technology undermine that assumption. The obvious example of this
> is rules for recounts and paper record retention which are applied to
> DREs; the procedures make lots of sense for paper ballots, but no sense
> at all for DREs. I wonder how many other areas of computer and more
> general security have this same kind of issue.

being slightly perverse ... there is the analogy with the new england net. at one point somebody went to the trouble to get nine(?) 56kbit circuits routed out of the new england area on nine distinct physical trunks (diverse routing, telco provisioning). however, over a period of years, nobody appeared to pay attention as the unique circuits were consolidated to fewer and fewer physical trunks. one day, someplace in conn., the new england net fell victim to a backhoe denial of service attack (and the new england net was partitioned from the rest of the world for a couple of days).

so one might conjecture that the sox approach to the opportunity is to retrofit the complete length of the single physical trunk with a bunker, built to bank vault specifications ... as a countermeasure to the backhoe denial of service attack.

possibly the only new real countermeasure in sox is the part about informants ... recently i was told that the typical sox bill for a small to medium size $25m corporation runs $800k.

misc. past sox references:
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#36 Interesting bit of a quote
Re: Interesting bit of a quote
[EMAIL PROTECTED] wrote:

> I can corroborate the quote in that much of SarbOx and other recent regs
> very nearly have a "guilty unless proven innocent" quality, that banks
> (especially) and others are called upon to prove a negative: X
> {could,did} not happen. California SB1386 roughly says the same thing:
> If you cannot prove that personal information was not spilled, then you
> have to act as if it was. About twenty states have followed California's
> lead. The surveillance requirements of both SEC imposed-regulation and
> NYSE self-regulation seem always to expand. One of my (Verdasys) own
> customers failed a SarbOx audit (by a big four accounting firm) because
> it could not, in advance, *prove* that those who could change the
> software (sysadmins) were unable in any way to change the financial
> numbers and, in parallel, *prove* those who could change the financial
> numbers (CFO reports) were unable to change the software environment.

my slightly different perspective is that audits in the past have somewhat been looking for inconsistencies from independent sources. this worked in the days of paper books from multiple different corporate sources. my claim with the current reliance on IT technology ... that the audited information can be all generated from a single IT source ... invalidating any assumptions about audits being able to look for inconsistencies from independent sources. A reasonably intelligent hacker could make sure that all the information was consistent.

a counter example is the IRS where individual reported income is correlated with other sources of reported financial information.

however, i don't know how that could possibly work in the current environment where the corporation being audited is responsible for paying the auditors (cross checking information across multiple independent sources).

some past posts on the subject:
http://www.garlic.com/~lynn/2006h.html#33
http://www.garlic.com/~lynn/2006i.html#1
Re: Interesting bit of a quote
You're talking about entirely different stuff, Lynn, but you are correct that data fusion at IRS and everywhere else is aided and abetted by substantially increased record keeping requirements. Remember, Poindexter's TIA thing did *not* posit new information sources, just fusing existing sources and that alone blew it up politically. As a security matter relevant here, we can't protect un-fused data so fused data is indeed probably worse.

On the prove-a-negative area, every time I say this in front of CISO-level audiences I get nodding assent. Ain't making it up, in other words. Innocent until proven guilty seems now to be true in criminal matters; guilty until proven innocent holds sway in the civil arena.

On the idea that our version of it is just one of many versions of the same phenomenon in all fields, not just the crypto-security one, today (literally) I was ordered by the State of Rhode Island to install smoke and fire detectors with direct tie-in to the Fire Department in my farm's riding arena (a steel frame building with dirt floor and three doors big enough for a semi). Why? Because the regulators couldn't figure out whether I was a place of assembly or not so, therefore, I must be a place of assembly and my next hearing is whether I need sprinklers. Mind you, klaxons and strobes, now required, guarantee killing any non-expert riders who are in the ring when they go off, but since the regulators themselves cannot prove to themselves that they don't have to impose the same requirements as a movie theater, to protect their own asses it is me that has to now prove to them that I am not covered -- which appears to mean getting the Legislature to specifically exempt riding arenas since if that Legislature is silent the regulators will assume the worst and that means their ass versus mine.

The core issue here is thus runaway positive feedback loops. When you hold regulators (fire inspectors, financial auditors, whatever) liable for not having proven that their clients cannot have anything wrong (which is why Arthur Andersen went out of business, e.g.), then you get prove-a-negative from the regulators and auditors -- madness on the same scale as tulip mania or the defenestration of Prague.

--dan
Re: Interesting bit of a quote
[EMAIL PROTECTED] wrote:

> Been with a reasonable number of General Counsels on this sort of thing.
> Maybe you can blame them and not SB1386 for saying that if you cannot
> prove the data didn't spill then it is better corporate risk management
> to act as if it did spill.

Well, are you sure you haven't confused what they're saying about SOX, vs what they're saying about SB1386? It's easy for me to believe that they'd say this about SOX, but the plain language of SB1386 seems pretty clear.

(It would also be easy for me to believe that a General Counsel would say that if you have knowledge of a breach of security in one of your systems and reason to believe that an unauthorized individual gained access to personal information as a result, then you must assume that you have to notify every person whose data was stored in the system and who may have been affected by the breach, unless you can prove that those persons weren't affected by that breach. But that's very different from how you characterized SB1386.)

If General Counsels are really saying that SB1386 requires you to act as if data has spilled, even in absence of any reason whatsoever to think there has been any kind of security breach or unauthorized access, merely because you don't have proof that it hasn't spilled -- then yes, that does sound strange to me. That is not my understanding of the intent of SB1386, and it is not what the language of SB1386 seems to say.

Then again, maybe your General Counsels know something that I don't; it's always possible that the text of the law is misleading, or that I'm missing something. They're the legal experts, not me.

Personally, my suggestion is as follows: The next time that a General Counsel claims to you that SB1386 requires you to assume data has spilled (even in absence of any reason to believe there has been a security breach) until you can prove to the contrary, I suggest you quote from the text of SB1386, and let us know how they respond.
Re: Interesting bit of a quote
[EMAIL PROTECTED] wrote:

> You're talking about entirely different stuff, Lynn, but you are correct
> that data fusion at IRS and everywhere else is aided and abetted by
> substantially increased record keeping requirements. Remember,
> Poindexter's TIA thing did *not* posit new information sources, just
> fusing existing sources and that alone blew it up politically. As a
> security matter relevant here, we can't protect un-fused data so fused
> data is indeed probably worse.

but this is the security issue dating back to before the 80s ... when they decided they could no longer guarantee single point of security ... in part because of insider threats ... they added multiple independent sources as a countermeasure. the crooks responded with collusion ... so you started to see countermeasures to collusion appearing in the early 80s.

the advent of the internet sort of refocused attention to outsider attacks ... even tho the statistics continue to hold that the major source of fraud is still insiders ... including thru the whole internet era. the possibility of outsiders may have helped insiders obfuscate the true source of many insider vulnerabilities.

the issue with auditing to prove no possible vulnerability for a single point ... leading to the extremes of having to prove a negative ... can possibly be interpreted within the context of attempting to preserve the current audit paradigm.

independent operation/sources/entities have been used for a variety of different purposes. however, my claim has been that auditing has been used to look for inconsistencies. this has worked better in situations where there were independent physical books from independent sources (even in the same corporation).

As IT technology has evolved ... my assertion is a complete set of (consistent) corporate books can be generated from a single IT source/operation. The IRS example is having multiple independent sources of the same information (so that you can have independent sources to check for inconsistencies). The fusion scenarios tend to be having multiple independent sources of at least some different data ... so the aggregation is more than the individual parts (as opposed to the same data to corroborate).

ref:
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006l.html#1 Sarbanes-Oxley
Re: Interesting bit of a quote
On 7/11/06, Adam Fields [EMAIL PROTECTED] wrote:

> On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
> > Business ultimately depends on trust. There's some study out there -
>
> Trust is not quite the opposite of security (in the sense of an action,
> not as a state of being), but certainly they're mutually exclusive. If
> you have trust, you have no need for security.

Quoting Ross Anderson's TCPA comments: "A trusted [entity] is one that can break your security."

Quoting John Carrol in Computer Security: "Just because it is trusted, doesn't mean it's trustworthy."

--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: Interesting bit of a quote
On Tue, 11 Jul 2006, Anne Lynn Wheeler wrote: | ...independent operation/sources/entities have been used for a variety of | different purposes. however, my claim has been then auditing has been used to | look for inconsistencies. this has worked better in situations where there was | independent physical books from independent sources (even in the same | corporation). | | As IT technology has evolved ... my assertion is a complete set of | (consistent) corporate books can be generated from a single IT | source/operation. The IRS example is having multiple independent sources of | the same information (so that you can have independent sources to check for | inconsistencies) Another, very simple, example of the way that the assumptions of auditing are increasingly at odds with reality can be seen in receipts. Whenever I apply for a reimbursement of business expenses, I have to provide original receipts. Well ... just what *is* an original receipt for an Amazon purchase? Sure, I can print the page Amazon gives me. Then again, I can easily modify it to say anything I like. Hotel receipts are all computer-printed these days. Yes, some of them still use pre-printed forms, but as the cost of color laser printers continues to drop, eventually it will make no sense to order and stock that stuff. Restaurant receipts are printed on little slips of paper by one of a small number of brands of printer with some easily set custom- ization, readily available at low cost to anyone who cares to buy one. Back in the days when receipts were often hand-written or typed on good-quality letterhead forms, original receipts actually proved something. Yes, they could be faked, but doing so was difficult and hardly worth the effort. That's simply not true any more. Interestingly, the auditors at my employer - and at many others, I'm sure - have recognized this, and now accept fax images of all receipts. However, the IRS still insists on originals in case of an audit. 
Keeping all those little pieces of paper around until the IRS loses interest (I've heard different ideas about how long is safe - either 3 or 7 years) is now *my* problem. (If the IRS audits my employer, and comes to me for receipts I don't have, the business expense reimbursements covered by those missing receipts suddenly get reclassified as ordinary income, on which *I*, not my employer, now owe taxes - and their good friends interest and penalties.)

-- Jerry

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Interesting bit of a quote
David Wagner writes:

> SB1386 says that if a company conducts business in California and has a system that includes personal information stored in unencrypted form and if that company discovers or is notified of a breach of the security of that system, then the company must notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [*]
>
> [*] This is pretty close to a direct quote from Section 1798.82(a) of California law. See for yourself:
> http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Does that mean that you (the company) are safe if all of the personal information in the database is simply encrypted with the decryption key lying right there alongside the data? A lot of solutions do this; some go to different lengths in trying to obfuscate the key.

--Anton
Re: Interesting bit of a quote
On Tue, Jul 11, 2006 at 05:50:06PM -0700, David Wagner wrote:

> No, it doesn't. I think you've got it backwards. That's not what SB1386 says. SB1386 says that if a company conducts business in California and has a system that includes personal information stored in unencrypted form and if that company discovers or is notified of a breach of the security of that system, then the company must notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [*]

A small, but very significant correction. The law says any breach of the security of the data, not security of the system. The more explicit paragraph is in 1798.82(b):

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

And even though the code has already stated such, it further goes on to define "security of the system" in 1798.82(d):

(d) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.

[...]

> If you know or are notified that the security of your system has been breached and if you know or have some reason to believe that someone has received unauthorized access to unencrypted personal information about California residents, then sure, you have to act on the presumption that the personal information was spilled. So what? That seems awfully reasonable to me.

"Reasonable" is for a judge or jury to decide. A lawyer's job is to do what's in the best interests of the client, and in this circumstance, make a determination of what will be considered reasonable in court. And ask three lawyers a question, you'll get at least four opinions. (The same can be said for security geeks.) But ultimately, what the lawyer is deciding is what's going to cost the client less: disclosure or the possible penalty of non-disclosure. They'll often opt for the former to avoid the possibly high cost of the latter.

I've been on and around the pointy end of this stick (and no, not any publicized events). If unauthorized access cannot clearly be substantiated, it becomes a judgement call, based on a variety of factors. Factors might include duration between compromise and discovery (e.g. they've been on the system so long that we just can't tell anymore), intruder activities, etc.

> In short, my reading of SB1386 is that companies only have to notify customers if (a) they know or are notified of a security breach and (b) they know or have reason to believe that this breach led to an unauthorized disclosure of personal information. In other words, SB1386 treats companies as innocent until there is some reason to believe that they are guilty. I don't know anything about SOX, but I think you've mis-characterized SB1386. Don't tar SB1386 with SOX-feathers.

SB1386 doesn't spell out guilt or innocence. It just provides a liability shield for a company who complies with it, and spells out punitive damages for failing to comply. A company could make the decision that the penalty for non-disclosure is less than it would cost otherwise, and choose to keep quiet and hope for the best.

> [*] This is pretty close to a direct quote from Section 1798.82(a) of California law. See for yourself:
> http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Better yet, go directly to the California Code (Civil Code Section):
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84
Re: Interesting bit of a quote
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:

> [...]
> Business ultimately depends on trust. There's some study out there - I don't recall a reference - that basically finds that the level of trust is directly related to the level of economic success of an economy. There are costs associated with verification, some of them easily quantifiable, some of them much harder to pin down. The difficulty is in making the tradeoffs. We're now pushing way over on the verification side, in a natural reaction to a series of major frauds and scandals.

Trust is not quite the opposite of security (in the sense of an action, not as a state of being), but certainly they're mutually exclusive. If you have trust, you have no need for security. Personally, given the choice, I'd rather have trust. I think that this is a distinction that could be made more often when deciding on how to implement a security system.

--
- Adam

** Expert Technical Project and Business Management
   System Performance Analysis and Architecture **

[ http://www.adamfields.com ]
[ http://www.aquick.org/blog ] ... Blog
[ http://www.adamfields.com/resume.html ] ... Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ] ... Wiki
Re: Interesting bit of a quote
Jerrold,

I can corroborate the quote in that much of SarbOx and other recent regs very nearly have a "guilty unless proven innocent" quality, that banks (especially) and others are called upon to prove a negative: X {could,did} not happen. California SB1386 roughly says the same thing: If you cannot prove that personal information was not spilled, then you have to act as if it was. About twenty states have followed California's lead. The surveillance requirements of both SEC-imposed regulation and NYSE self-regulation seem always to expand.

One of my (Verdasys) own customers failed a SarbOx audit (by a big-four accounting firm) because it could not, in advance, *prove* that those who could change the software (sysadmins) were unable in any way to change the financial numbers and, in parallel, *prove* those who could change the financial numbers (CFO reports) were unable to change the software environment.

Jeffrey Ritter, partner in the electronic practice at (big-name) D.C. law firm Kirkpatrick & Lockhart, gave the major address at the annual meeting of the Cyber Security Industry Alliance recently. In it he said that what he and his firm tell their (big-name) clients is this:

* That which was not recorded did not happen.
* That which is not documented does not exist.
* That which has not been audited is vulnerable.

and he did not mean this in the "paths to invisibility" sense but rather that you have liability unless you can prove that you don't.

While one can say that this has always been true or that the insider has always been the real threat, or whatever variation you like, as a consultant for nearly two decades the burgeoning "prove a negative" focus feels unprecedented to me. And it is not just our field -- today's Boston newspaper has the State of Massachusetts' building inspectors being suspended en masse for refusing en masse to accept GPS position tracking as a newly imposed job requirement.

By next summer, every animal in the country is supposed to be chipped and the owner's home address recorded in GPS form (google for NAIS) with a requirement to file with USDA any off-premises transportation (taking the kids' heifer to the 4H show included).

--dan

===

The great distinction: A conservative is a socialist who worships order. A liberal is a socialist who worships safety.
-- Victor Milán, 1999