Interesting bit of a quote

leichter_jerrold at emc.com leichter_jerrold at emc.com
Thu Jul 13 11:40:02 EDT 2006


On Thu, 13 Jul 2006, John Kelsey wrote:
| >From: Anne & Lynn Wheeler <lynn at garlic.com>
| ...
| >my slightly different perspective is that audits in the past have 
| >somewhat been looking for inconsistencies from independent sources. this 
| >worked in the days of paper books from multiple different corporate 
| >sources. my claim with the current reliance on IT technology ... that 
| >the audited information can be all generated from a single IT source ... 
| >invalidating any assumptions about audits being able to look for 
| >inconsistencies from independent sources. A reasonable intelligent 
| >hacker could make sure that all the information was consistent.
| 
| It's interesting to me that this same kind of issue comes up in voting
| security, where computerized counting of hand-marked paper ballots (or
| punched cards) has been and is being replaced with much more
| user-friendly DREs, where paper poll books are being replaced with
| electronic ones, etc.  It's easy to have all your procedures built
| around the idea that records X and Y come from independent sources,
| and then have technology undermine that assumption.  The obvious
| example of this is rules for recounts and paper record retention which
| are applied to DREs; the procedures make lots of sense for paper
| ballots, but no sense at all for DREs.  I wonder how many other areas
| of computer and more general security have this same kind of issue.

That's a very interesting comparison.  I think it's a bit more subtle: We
have two distinct phenomena here, and it's worth examining them more closely.

Phenomenon 1:
	Computerized records are malleable, and it's in general impossible
	to determine if someone has changed them, when they changed them, what
	the previous value was, and so on.  Further, changing computer
	records scales easily - it costs about as much to change a million
	records as it does to change one record.  Contrast this to traditional
	record keeping systems, where forging even one record was quite difficult,
	and forging a million was so difficult and expensive that it was
	probably never done in history.  Even *destroying* a million paper
	records is quite difficult.

	This phenomenon is present in both the auditing and voting examples.
	It's not so much that the DRE doesn't, or can't, keep a record just
	as the paper ballot system does; it's that the record is just something
	in memory, or maybe written to a disk, and we simply have no faith
	in our ability to detect tampering with such media.  Similarly,
	as long as "the books" were physical books on paper, it was quite
	difficult to tamper with them.  Now that they are in a computer
	database somewhere, it's very easy.

Phenomenon 2:
	The only way to merge the information from paper records is to
	create new, combined paper records.  The only way to filter out some
	of the data from paper records is to make new, redacted paper records.
	These are expensive, time-consuming operations.  As a result,
	record-keeping systems based on paper tend to keep the originals
	distinct and only produce rare roll-ups for analysis.  This lets you
	compare distinct sources for the same piece of information.

	Computerized systems, on the other hand, make it easy to merge,
	select, and reformat data.  It's so easy that a central tenet of
	database design is to avoid storing the same information more than
	once (thus avoiding the problem of keeping multiple copies in sync).
	But when this principle is applied to data relevant to auditing,
	it discards exactly the redundancy that has always been used to
	detect problems.  Sure, you can produce the traditional double-
	entry reports, but if you generate them on the fly from a
	single database that just records transactions, sure enough, all
	the amounts will tally - always, regardless of what errors or
	shenanigans have occurred.

	This has no obvious analogue in voting systems, except I suppose
	in those that keep only totals, not individual votes.  (Of course,
	that was the case with the old mechanical voting machines, too;
	but their resistance to Phenomenon 1 made that acceptable.)

							-- Jerry

| 
| --John Kelsey, NIST
| 
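The two phenomena above, as an added illustration that is not part of the original thread. The ledger, the account names and the "bank statement" are constructed sample data; the list-of-rows ledger stands in for a real transaction database. It shows that a double-entry report derived on the fly from one table balances even after a row has been altered (Phenomenon 2), that only a record the database did not generate, here a statement held by the counterparty, exposes the change, and that a hash chain whose head is filed outside the database makes the alteration detectable (Phenomenon 1).

```python
"""Constructed example: a single-table ledger, the reports derived from it,
and the two things that still catch tampering with it."""
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class Txn:
    txn_id: int
    debit: str    # account debited
    credit: str   # account credited
    amount: int   # in cents


# Constructed sample: the only record the organisation keeps.
LEDGER = [
    Txn(1, "cash", "sales", 100_00),
    Txn(2, "expenses", "cash", 40_00),
    Txn(3, "cash", "sales", 250_00),
]

# Constructed sample: the bank's own record of the cash account, signed
# movement per transaction id. The bank, not the ledger, produced it.
BANK_STATEMENT = {1: +100_00, 2: -40_00, 3: +250_00}


def trial_balance(ledger):
    """Double-entry report generated from the single table.

    Every row is booked once as a debit and once as a credit, so the
    totals come out equal whatever the rows contain (Phenomenon 2)."""
    debits, credits = 0, 0
    for t in ledger:
        debits += t.amount
        credits += t.amount
    return debits, credits


def reconcile_with_bank(ledger, statement):
    """Compare the ledger against a record it did not generate.

    Returns the transaction ids on which the two sources disagree; this is
    the independent-source check that paper books gave for free."""
    by_id = {t.txn_id: t for t in ledger}
    mismatches = []
    for txn_id, movement in statement.items():
        t = by_id.get(txn_id)
        if t is None:
            mismatches.append(txn_id)
            continue
        if t.debit == "cash":
            signed = t.amount
        elif t.credit == "cash":
            signed = -t.amount
        else:
            signed = 0
        if signed != movement:
            mismatches.append(txn_id)
    return mismatches


def chain_digest(ledger):
    """Hash chain over the rows in order.

    The final digest is meant to be filed where the database cannot reach
    it (printed and signed, published, or held by a separate custodian).
    Recomputing it later and comparing detects any edit, deletion or
    reordering of rows, which the database itself cannot (Phenomenon 1)."""
    head = b"\x00" * 32
    for t in ledger:
        row = f"{t.txn_id}|{t.debit}|{t.credit}|{t.amount}".encode()
        head = hashlib.sha256(head + row).digest()
    return head.hex()


def tamper(ledger):
    """Constructed alteration: shrink the recorded expense in row 2 from
    40.00 to 4.00. Returns a modified copy; the original is untouched."""
    return [replace(t, amount=4_00) if t.txn_id == 2 else t for t in ledger]


if __name__ == "__main__":
    filed_head = chain_digest(LEDGER)        # filed with an outside custodian
    altered = tamper(LEDGER)
    print("trial balance after tampering:", trial_balance(altered))
    print("bank reconciliation mismatches:", reconcile_with_bank(altered, BANK_STATEMENT))
    print("hash chain still matches filed head:", chain_digest(altered) == filed_head)
```

Run as a script it prints a balanced trial balance for the altered ledger, a mismatch on transaction 2 from the bank comparison, and a hash-chain head that no longer matches the filed one. The chain only helps if its head genuinely lives outside the database; a digest stored in the same table is just one more malleable record.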

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


