>From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
>Sent: Jul 11, 2006 6:45 PM
>Subject: Re: Interesting bit of a quote
...
>my slightly different perspective is that audits in the past have
>somewhat been looking for inconsistencies from independent sources. this
>worked in the days of paper books from multiple different corporate
>sources. my claim with the current reliance on IT technology ... that
>the audited information can be all generated from a single IT source ...
>invalidating any assumptions about audits being able to look for
>inconsistencies from independent sources. A reasonable intelligent
>hacker could make sure that all the information was consistent.

It's interesting to me that this same kind of issue comes up in voting security, where computerized counting of hand-marked paper ballots (or punched cards) has been and is being replaced with much more user-friendly DREs, where paper poll books are being replaced with electronic ones, etc. It's easy to have all your procedures built around the idea that records X and Y come from independent sources, and then have technology undermine that assumption. The obvious example of this is rules for recounts and paper record retention which are applied to DREs; the procedures make lots of sense for paper ballots, but no sense at all for DREs.

I wonder how many other areas of computer and more general security have this same kind of issue.

--John Kelsey, NIST