Interesting bit of a quote

dan at geer.org
Tue Jul 11 21:00:47 EDT 2006


You're talking about entirely different stuff, Lynn,
but you are correct that data fusion at IRS and everywhere
else is aided and abetted by substantially increased record
keeping requirements.  Remember, Poindexter's TIA thing did
*not* posit new information sources, just fusing existing
sources and that alone blew it up politically.  As a security
matter relevant here, we can't protect un-fused data so
fused data is indeed probably worse.

On the "prove-a-negative" area, every time I say this in
front of CISO-level audiences I get nodding assent.  Ain't
making it up, in other words.  Innocent until proven
guilty seems now to be true in criminal matters; guilty
until proven innocent holds sway in the civil arena.

On the idea that our version of it is just one of many
versions of the same phenomenon in all fields, not just
the crypto-security one, today (literally) I was ordered
by the State of Rhode Island to install smoke and fire
detectors with direct tie-in to the Fire Department in
my farm's riding arena (a steel frame building with dirt
floor and three doors big enough for a semi).  Why?  Because
the regulators couldn't figure out whether I was a place of
assembly or not so, therefore, I must be a place of assembly
and my next hearing is whether I need sprinklers.  Mind you,
klaxons & strobes, now required, guarantee killing any
non-expert riders who are in the ring when they go off, 
but since the regulators themselves cannot prove to 
themselves that they don't have to impose the same 
requirements as a movie theater, to protect their own
asses it is me that has to now prove to them that I am
not covered -- which appears to mean getting the Legislature
to specifically exempt riding arenas since if that
Legislature is silent the regulators will assume the
worst and that means their ass versus mine.

The core issue here is thus runaway positive feedback loops.
When you hold regulators (fire inspectors, financial auditors,
whatever) liable for not having proven that their clients
cannot have anything wrong (which is why Arthur Andersen
went out of business, e.g.), then you get prove-a-negative
from the regulators and auditors -- madness on the same
scale as tulip mania or the defenestration of Prague.

--dan


---------------------------------------------------------------------
The Cryptography Mailing List