RE: Secure logging

From: Edmund R. Kennedy <ekennedyx_at_yahoo_dot_com>
Date: Wed Nov 10 2004 - 14:41:55 CST

Hello Keith,
 
Can you think of some other technology or industry that would have similar problems? The journal tape of a retail cash register comes to mind. Is there something similar for ATMs? Obviously they print a receipt, which means it is easy for them to print a journal tape at the same time. How about check processing or betting? Medical monitoring in ICUs?
 
Thanks, Ed Kennedy

Keith Copenhagen <k@copetech.com> wrote:
Hi Ed,
I think a more interesting question is where one would record the
failure of a data logger.... (would you allow operation with no logging?).

You can detect the failure by silence, i.e. you certainly could put a
heartbeat out and check for it at the other end of the wire....
You can detect the failure by comparing multiple opinions, e.g. the
Shuttle actually has 3 completely independent computing systems which
produce results and then vote...
You can detect some failures by verifying it; it would be straightforward
to OCR the tape to detect print or transport failures. Or the DRE
could print barcodes, which could then be scanned for confirmation.

There is a lot of charm to a cash-register-like trail.
The upsides include:
- Existing & commodity hardened printers.
The downsides include:
- Difficulty to re-read (I suspect, but it wouldn't be hard to build a
  2.5" wide paper roll reader).
- Dependency on consumables, both paper and ink, to operate (or thermal
  paper).
- Slow paper tape would work if we needed to audit the booth, but
  could be too slow for detail logging during the BRP.
- Paper is relatively easy to damage, and easy to select the point of
  damage if it is a human-readable stream.

We'd have to look at the MTBF and storage density, power & heat.
We could digitally sign it (just print the certificate onto it).

We'd have to look at how to authenticate any stand-alone logger in.
This is non-trivial.
We can authenticate a logger in the BRP by expanding trust to it by a
trusted operator.
The DRE can be attacked by untrusted users and so the logging mechanism
would need a higher bar.

-Keith
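The failure-detection and tamper-evidence ideas in Keith's message above (a heartbeat to detect silence, write-once streaming, and recognizing the point where the trail itself has become compromised) as an added Python example, not code from the thread or from OVC: a hash-chained, keyed-MAC log with a verifier that reports the first record at which the chain breaks or the logger fell silent. The key, the 30-second heartbeat interval, and the event names are constructed for the demo.

```python
import hashlib
import hmac
import json

KEY = b"demo-logger-key"        # constructed; a real logger would hold this in protected hardware
HEARTBEAT_INTERVAL = 30         # baseline heartbeat every 30 s, as suggested in the thread


def _mac(ts, event, prev):
    """Keyed MAC over the record body, binding it to the previous record's MAC."""
    body = json.dumps({"ts": ts, "event": event, "prev": prev}, sort_keys=True)
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def append(log, ts, event):
    """Append one record to the write-once stream; each record chains to the last."""
    prev = log[-1]["mac"] if log else "genesis"
    log.append({"ts": ts, "event": event, "prev": prev, "mac": _mac(ts, event, prev)})


def audit(log, max_gap=HEARTBEAT_INTERVAL * 2):
    """Walk the chain; return ("ok", n) or the first index where the trail is broken or silent."""
    prev, last_ts = "genesis", None
    for i, rec in enumerate(log):
        # A deleted, reordered or edited record breaks either the prev link or the MAC.
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(rec["ts"], rec["event"], rec["prev"])):
            return ("chain_broken", i)
        # Silence: the logger stopped emitting heartbeats for longer than tolerated.
        if last_ts is not None and rec["ts"] - last_ts > max_gap:
            return ("silence", i)
        prev, last_ts = rec["mac"], rec["ts"]
    return ("ok", len(log))


def demo():
    """Constructed scenarios: an intact trail, a removed record, a silent logger, a forged event."""
    good = []
    for t in range(0, 121, HEARTBEAT_INTERVAL):
        append(good, t, "heartbeat")
    append(good, 125, "ballot-printed")
    results = {"good": audit(good)}                   # ("ok", 6)
    cut = [dict(r) for r in good]
    del cut[2]                                        # a section of the tape goes missing
    results["deleted"] = audit(cut)                   # ("chain_broken", 2)
    quiet = []
    for t in (0, 30, 230):                            # 200 s with no heartbeat
        append(quiet, t, "heartbeat")
    results["silence"] = audit(quiet)                 # ("silence", 2)
    forged = [dict(r) for r in good]
    forged[3]["event"] = "ballot-voided"              # edited without the key
    results["forged"] = audit(forged)                 # ("chain_broken", 3)
    return results
```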

-----Original Message-----
From: owner-voting-project@afterburner.sonic.net [mailto:owner-voting-project@afterburner.sonic.net] On Behalf Of Edmund R. Kennedy
Sent: Wednesday, November 10, 2004 11:52 AM
To: voting-project@lists.sonic.net
Subject: Re: Secure logging (was: King County)

Hello All:

How would one record the failure of the data logger? Would there
be a baseline time stamping every 30 seconds or something? BTW: Paper
does sound good for the medium. Solely in my opinion OVC likes paper
because we've been using it for thousands of years and know most of the
tricks people try with paper.

Thanks, Ed Kennedy

Keith Copenhagen wrote:
Thanks Ed,

Charlie, I added your comment and my thoughts as comments.

-Keith

-----Original Message-----
From: owner-voting-project@afterburner.sonic.net [mailto:owner-voting-project@afterburner.sonic.net] On Behalf Of Edmund R. Kennedy
Sent: Wednesday, November 10, 2004 11:25 AM
To: voting-project@lists.sonic.net
Subject: Re: Secure logging (was: King County)

Hello:

Here ya go. Look for recent postings. Anything you haven't looked at
lately should have a red asterisk at the end, organized by subject
matter. BTW: There is now a link at the OVC page under links.

http://openvotingconsortium.org/links.html

Thanks, Ed Kennedy

charlie strauss wrote:
How about a link.
A final desideratum is real-time (not buffered) writes of each loggable
event to the write-once media.

-----Original Message-----
From: Keith Copenhagen
Sent: Nov 10, 2004 10:09 AM
To: voting-project@lists.sonic.net
Subject: Re: Secure logging (was: King County)

I've moved this thread to the OVC wiki, under considerations/audit
trail.

Let me know what you think of using that as a way to trap info.

I can use a clear goal for the audit log.
I propose it is to:
(1) Confirm that the subsystem has gone through its workflow as
expected.
- Nota Bene: I think the paper trail has to be the definitive recount /
voter redundancy.
(2) Fault-tolerant design to anticipate most failure modes.
- Write-once streaming
- Recognize the point where the audit trail itself has become
compromised.

-Keith

-- 
10777 Bendigo Cove
San Diego, CA 92126-2510
"We must all cultivate our gardens." Candide-Voltaire
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Tue Nov 30 23:17:25 2004
