leichter_jerrold emc.com wrote:
> A similar issue occurs in a civilian context, sometimes with fake
> employees, other times with fake bills. Often, these get found
> because they rely on the person committing the fraud being there
> every time a check arrives: It's the check sitting around with no
> one speaking for it that raises the alarm. The long-standing
> policy has been to *require* people in a position to handle those
> checks to take their vacation. (Of course, with direct deposit
> of salaries, the form of the fraud, and what one needs to do to
> detect it, have changed in detail - but probably not by much.)

multi-party operations were supposedly a countermeasure to single person
insider threats. the fraud response was collusion. so by at least the
early 80s you started seeing work on collusion countermeasures. 25 years
later, things have regressed to a pre-occupation with intrusion threats
and intrusion countermeasures; even tho insiders have continued to be
the major source of fraud through the whole period. insiders may even
leverage the pre-occupation with intrusion to obfuscate the source of
the exploit.

somewhat related issue with regard to sarbanes-oxley and auditing
assumptions about independent information sources looking for
inconsistencies.
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley

and a couple recent articles about current fraud pre-occupation

SSL Trojans: The next Great Bank Heist
http://www.infoworld.com/reports/18SRsslmalware.html

Ripped Off: Identity Theft - A View from the Financial Services Industry
http://www.mondaq.com/article.asp?article_id=39334&mostpopular=1

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com