John Kelsey wrote:
It's interesting to me that this same kind of issue comes up in voting
security, where computerized counting of hand-marked paper ballots (or
punched cards) has been and is being replaced with much more
user-friendly DREs, where paper poll books are being replaced with
electronic ones, etc.  It's easy to have all your procedures built
around the idea that records X and Y come from independent sources,
and then have technology undermine that assumption.  The obvious
example of this is rules for recounts and paper record retention which
are applied to DREs; the procedures make lots of sense for paper
ballots, but no sense at all for DREs.  I wonder how many other areas
of computer and more general security have this same kind of issue.

being slightly perverse ... there is the analogy with the new england net. at one point somebody went to the trouble to get nine(?) 56kbit circuits routed out of the new england area on nine distinct physical trunks (diverse routing, telco provisioning). however, over a period of years, nobody appeared to pay attention as the unique circuits were consolidated onto fewer and fewer physical trunks. one day, someplace in conn., the new england net fell victim to a backhoe denial-of-service attack (and the new england net was partitioned from the rest of the world for a couple of days).

so one might conjecture that the sox approach to the opportunity is to retrofit the complete length of the single physical trunk with a bunker, built to bank vault specifications ... as a countermeasure to the backhoe denial-of-service attack.

possibly the only "new" real countermeasure in sox is the part about informants ...

recently i was told that the typical sox bill for a small- to medium-size $25m corporation runs $800k.

misc. past sox references:
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley
http://www.garlic.com/~lynn/aadsm24.htm#35 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#36 Interesting bit of a quote

---------------------------------------------------------------------
The Cryptography Mailing List