PGP "master keys"

leichter_jerrold at emc.com
Mon May 1 11:26:38 EDT 2006


| > issues did start showing up in the mid-90s in the corporate world ... 
| > there were a large number of former gov. employees starting to show up 
| > in different corporate security-related positions (apparently after 
| > being turfed from the gov). their interests appeared to possibly reflect
| > what they may have been doing prior to leaving the gov.
| 
| one of the issues is that corporate/commercial world has had much more 
| orientation towards prevention of wrong doing. govs. have tended to be 
| much more preoccupied with evidence and prosecution of wrong doing. the 
| influx of former gov. employees into the corporate world in the 2nd half 
| of the 90s, tended to shift some of the attention from activities 
| related to prevention to activities related to evidence and prosecution 
| (including eavesdropping).
What I've heard described as "the bull in the china shop theory of
security":  You can always buy new china, but the bull is dead meat.
(I'm pretty sure I heard this from Paul Karger, who probably picked it
up during his time at the Air Force.)

| for lots of drift ... one of the features of the work on x9.59 from the 
| mid-90s
| http://www.garlic.com/~lynn/x959.html#x959
| http://www.garlic.com/~lynn/subpubkey.html#x959
| 
| was its recognition that insiders had always been a major factor in the 
| majority of financial fraud and security breaches. furthermore that with 
| various financial functions overloaded for both authentication and 
| normal day-to-day operations ... that there was no practical way 
| of eliminating all such security breaches with that type of information. 
| ... part of this is my repeated comment on security proportional to risk
| http://www.garlic.com/~lynn/2001h.html#61
The dodge of creating phantom troops and then collecting their pay
checks has been around since Roman times.  No one has ever found a
way of detecting it cost-effectively.  However, it's also been known
forever that it's just about impossible to avoid detection indefinitely:
The officer who created the troops gets transferred, or retires, and
he has no way to maintain the fiction.  Or the troops themselves are
transferred, or other events intervene.  So armies focus on making sure
they *eventually* find and severely and publicly punish anyone who tries
this, no matter how long it takes.  A large enough fraction of the
population is deterred to keep the problem under control.

A similar issue occurs in a civilian context, sometimes with fake
employees, other times with fake bills.  Often, these get found
because they rely on the person committing the fraud being there
every time a check arrives:  It's the check sitting around with no
one speaking for it that raises the alarm.  The long-standing
policy has been to *require* people in a position to handle those
checks to take their vacation.  (Of course, with direct deposit
of salaries, the form of the fraud, and what one needs to do to
detect it, have changed in detail - but probably not by much.)

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com