RE: Secure logging (was: King County)

From: Keith Copenhagen <k_at_copetech_dot_com>
Date: Wed Nov 10 2004 - 14:26:32 CST

Hi Ed,
I think a more interesting question is where one would record the
failure of a data logger.... (would you allow operation with no logging

You can detect the failure by silence, i.e. you certainly could put a
heartbeat out and check for it at the other end of the wire....
You can detect the failure by comparing multiple opinions, e.g. the
Shuttle actually has 3 completely independent computing systems which
produce results and then vote...
You can detect some failures by verifying it; it would be straightforward
to OCR the tape to detect print or transport failures. Or the DRE
could print barcodes, which could then be scanned for confirmation.

There is a lot of charm to a cash-register-like trail.
The upsides include
    Existing & commodity hardened printers.
The downsides include
    Difficulty to re-read (I suspect, but it wouldn't be hard to build a
    2.5" wide paper roll reader).
    Dependency on consumables, both paper and ink, to operate (or thermal
    Slow paper tape would work if we needed to audit the booth, but
    could be too slow for detail logging during the BRP.
    Paper is relatively easy to damage, and easy to select the point of
    damage if it is a human-readable stream.

We'd have to look at the MTBF and storage density,
power & heat.
We could digitally sign it (just print the certificate onto it).

We'd have to look at how to authenticate any stand-alone logger in.
This is non-trivial.
We can authenticate a logger in the BRP by expanding trust to it by a
trusted operator.
The DRE can be attacked by untrusted users and so the logging mechanism
would need a higher bar.


-----Original Message-----
From: [mailto:]On Behalf Of Edmund R.
Sent: Wednesday, November 10, 2004 11:52 AM
Subject: Re: Secure logging (was: King County)

Hello All:

     How would one record the failure of the data logger? Would there
be a baseline time stamping every 30 seconds or something? BTW: Paper
does sound good for the medium. Solely in my opinion OVC likes paper
because we've been using it for thousands of years and know most of the
tricks people try with paper.

Thanks, Ed Kennedy

Keith Copenhagen <> wrote:
Thanks Ed,

Charlie, I added your comment and my thoughts as comments.


-----Original Message-----
From: [mailto:]On Behalf Of Edmund R.
Sent: Wednesday, November 10, 2004 11:25 AM
Subject: Re: Secure logging (was: King County)


Here, ya go. Look
for recent postings. Anything you haven't looked at lately should have
a red asterisk at the end, organized by subject matter. BTW: There is
now a link at the OVC page under links.

Thanks, Ed Kennedy

charlie strauss wrote:
how about a link.
a final desideratum is real-time (not buffered) writes of each loggable
event to the write-once media.

-----Original Message-----
From: Keith Copenhagen
Sent: Nov 10, 2004 10:09 AM
Subject: Re: Secure logging (was: King County)

I've moved this thread to the ovc wiki, under considerations/autit

Let me know what you think of using that as a way to trap info.

I can use a clear goal for the audit log :
I propose it is to :
(1) Confirm that the subsystem has gone through its workflow as
- Nota Bene: I think the paper trail has to be the definitive recount /
voter redundancy.
(2) Fault Tolerant design to anticipate most failure modes.
- Write-Once streaming
- Recognize the point where the audit trail itself has become


10777 Bendigo Cove
San Diego, CA 92126-2510
"We must all cultivate our gardens." Candide-Voltaire
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
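The mechanisms argued over in this thread (detecting logger failure by silence with a periodic heartbeat, real-time unbuffered writes to append-only media, signing the stream, and recognizing the point from which the trail itself can no longer be trusted) put together as one worked example. This is added illustration code, not code from the OVC project or from any poster. Assumptions: a 30-second heartbeat (Ed's "every 30 seconds or something"), HMAC-SHA256 with a shared key as a stand-in for the digital signature Keith mentions (a real DRE would use an asymmetric key so verifiers hold no secret), an O_APPEND file with fsync per record as the closest a filesystem gets to write-once streaming, and constructed timestamps and events.

```python
"""Tamper-evident, real-time audit trail with heartbeat-based silence detection.
Added example; not OVC code. Events, timestamps and the key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

HEARTBEAT_INTERVAL = 30   # seconds between heartbeats (assumed, per the thread)
SILENCE_TOLERANCE = 2     # missed heartbeats before the logger is declared dead
GENESIS = "0" * 64        # "prev" value of the very first record


def _mac(key: bytes, payload: str) -> str:
    # Shared-key HMAC stands in for a per-record digital signature.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class AuditLogger:
    """One JSON record per line, hash-chained to its predecessor, MACed, fsync'd."""

    def __init__(self, path: str, key: bytes):
        self.key = key
        # O_APPEND: every write lands at the end of the file, never in the middle.
        self.fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        self.seq = 0
        self.prev = GENESIS

    def append(self, ts: int, event: str, **fields) -> dict:
        body = {"seq": self.seq, "ts": ts, "event": event, "prev": self.prev, **fields}
        rec = dict(body, mac=_mac(self.key, json.dumps(body, sort_keys=True)))
        text = json.dumps(rec, sort_keys=True)
        # Real-time, unbuffered: bytes reach the device before append() returns,
        # so a crash right after this still leaves the record on disk.
        os.write(self.fd, (text + "\n").encode())
        os.fsync(self.fd)
        self.prev = hashlib.sha256(text.encode()).hexdigest()
        self.seq += 1
        return rec

    def heartbeat(self, ts: int) -> dict:
        return self.append(ts, "heartbeat")

    def close(self) -> None:
        os.close(self.fd)


def verify_trail(lines, key: bytes, now: int, interval: int = HEARTBEAT_INTERVAL):
    """Walk the trail. Returns (last_good_seq, findings).

    Stops at the first forged, altered or out-of-chain record: nothing after that
    point is trustworthy. Silence (a gap longer than the tolerated number of
    heartbeats) is reported but does not stop verification, since the records on
    either side of it still check out."""
    findings = []
    prev_hash, prev_ts, last_good = GENESIS, None, -1
    for lineno, raw in enumerate(lines):
        line = raw.rstrip("\n")
        try:
            rec = json.loads(line)
            mac = rec.pop("mac")
        except (ValueError, KeyError, AttributeError):
            findings.append(("unparseable", lineno, "trail unreadable from here"))
            break
        if not hmac.compare_digest(mac, _mac(key, json.dumps(rec, sort_keys=True))):
            findings.append(("bad_mac", rec.get("seq"), "record altered or forged"))
            break
        if rec["seq"] != last_good + 1 or rec["prev"] != prev_hash:
            findings.append(("chain_break", rec["seq"], "records removed or reordered"))
            break
        if prev_ts is not None and rec["ts"] - prev_ts > SILENCE_TOLERANCE * interval:
            findings.append(("silence", rec["seq"], f"{rec['ts'] - prev_ts}s without a record"))
        prev_hash = hashlib.sha256(line.encode()).hexdigest()
        prev_ts, last_good = rec["ts"], rec["seq"]
    # Detect failure by silence at the tail: a chain can prove nothing about
    # records that were never written, only the missing heartbeats can.
    if prev_ts is not None and now - prev_ts > SILENCE_TOLERANCE * interval:
        findings.append(("silence", last_good, f"{now - prev_ts}s without a record"))
    return last_good, findings


def demo():
    """Write a constructed trail, then verify it clean, tampered and truncated."""
    key = b"constructed demo key"
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    t = 1_100_000_000  # constructed epoch base
    log = AuditLogger(path, key)
    log.append(t, "boot")
    log.heartbeat(t + 30)
    log.append(t + 45, "ballot_cast", station=3)
    log.heartbeat(t + 60)
    # Logger hangs for two minutes: the heartbeats at t+90, t+120, t+150 never appear.
    log.heartbeat(t + 180)
    log.append(t + 200, "ballot_cast", station=3)
    log.close()
    with open(path) as f:
        lines = f.read().splitlines()
    clean = verify_trail(lines, key, now=t + 210)
    tampered = list(lines)  # alter one field inside record seq 2
    tampered[2] = tampered[2].replace('"station": 3', '"station": 7')
    altered = verify_trail(tampered, key, now=t + 210)
    # Trail cut off after seq 3 and examined well after the last heartbeat.
    truncated = verify_trail(lines[:4], key, now=t + 400)
    return {"clean": clean, "tampered": altered, "truncated": truncated}


if __name__ == "__main__":
    for name, (last_good, findings) in demo().items():
        print(f"{name}: valid through seq {last_good}; findings={findings}")
```

The clean trail verifies through the last record but still flags the 120-second hole as silence; the altered record fails its MAC and the verifier stops there, so the trail is only trusted through seq 1; the truncated trail is internally consistent and is caught only by the tail silence check, which is why a heartbeat is needed alongside the hash chain.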
Received on Tue Nov 30 23:17:24 2004

This archive was generated by hypermail 2.1.8 : Tue Nov 30 2004 - 23:17:44 CST