Slashdot Mirror
Book Review: Burdens of Proof
benrothke writes "When the IBM PC first came out 31 years ago, it supported a maximum of 256KB RAM. You can buy an equivalent computer today with substantially more CPU power at a fraction of the price. But in those 31 years, the information security functionality in which the PC operates has not progressed accordingly. In Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents, author Jean-François Blanchette observes that the move to a paperless society means that paper-based evidence needs to be recreated in the digital world. It also requires an underlying security functionality to flow seamlessly across organizations, government agencies and the like. While the computing power is there, the ability to create a seamless cryptographic culture is much slower in coming." Keep reading for the rest of Ben's review.
Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents
author
Jean-François Blanchette
pages
288
publisher
MIT Press
rating
9/10
reviewer
Ben Rothke
ISBN
978-0262017510
summary
Excellent overview and history of using cryptography to build a trust framework
The so called Year of the PKI has been waiting for over a decade, and after reading Burdens of Proof, it is evident why a large-scale PKI will be a long time in coming. More than that, getting the infrastructure in place in a complex environment that exists in the USA with myriad jurisdictions and technologies may prove ultimately to be impossibility.
The irony is that an effective mechanism for digital authentication would seem to be an indispensable part of the digital age. The lack of such an authentication infrastructure may be the very reason that fraud, malware, identity theft and much more, are so pervasive on the Internet.
The premise of this fascinating book is that the slow decline from the use of paper from a legal and evidentiary perspective has significant consequences. For the last few hundred years, paper has been ubiquitous in modern life; from legal and health records, school, employment and everything in between.
The book details the many challenges that businesses and governments face in moving from a paper-based record society and the underlying trust mechanisms that go along with it, to a new digital-based record system, and how a new framework is needed for such a method. The book details part of that new framework.
The book opens with an observation on the authenticity of President Obama's birth certificate. While Blanchette is not a birther, he does note that if the moral authority of paper records has diminished, then the electronic documents replacing them, which are what the Obama administration provided, appear to be even more malleable. And that is precisely the issue that he addresses.
Blanchette details a compelling story and writes it as an insider. He was a member of a task force appointed in 1999 by the French Ministry of Justice to provide guidance on the reform of the rules governing the admissibility of written evidence in French courts, into a digital format.
The first few chapters provide an excellent overview of the history of cryptography. Chapter 3 – On the Brink of a Revolution– gives an excellent summary of cryptography from 1976 on, starting with seminal research that was done by Diffie and Hellman, and Rivest, Shamir and Adleman (RSA).
In chapter 5, Blanchette details his narrative about how France embraced and moved to a more digital governmental framework. He notes that the challenge was that France was the country that gave bureaucracy its name, and is a place where citizens must carry at all times their papers d'identite and is a society enmeshed in paper. Blanchette writes of the many French bureaucracies that had to let go of their protectionist stances as they moved down the path to letting electronic documents have legal validity.
Blanchette writes that in France, one of the biggest impediments to moving to a digital framework were the French civil-law notaries or notaire. French notaries are much more powerful than a notary public in the US, and are closer to being what a paralegal does in the US.
The French notaire are a wealthy and powerful monopoly when it comes to issues of purchases, sales, exchanges, co-ownerships, land plots, leases, mortgages and the like. A notaire can form a corporation prepare commercial business leases and much more. The entire French notary profession had been dependent on its monopoly to grant authenticity, and no definition of electronic authenticity could emerge and succeed if it did not meet its criteria.
While paper trust may be intuitive now, Blanchette writes that it wasn't always the case. When documents were first created (whenever that may have been), they did not immediately inspire trust. As with other innovations, there was a long and complex period of evolution needed to gain accepted levels of trust.
In chapter 6, the books notes that many people assumed cryptography would be the mechanism that would inspire trust in the digital world. Blanchette writes that the mistake cryptographers made and sometimes continue to make; is that they often assumed that the properties of cryptographic objects will translate transparently into the complex social and institutional setting in which they are deployed in.
This was incisively noted in Why Johnny Can't Encrypt, which was a usability evaluation of PGP by Whitten and Tygar. The author's observed that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. While the paper was written in 1999, most of its findings are still relevant.
Chapter 6 provides 3 fascinating case studies that show have different approach to security technology and cryptographic deployments are imperative in ensuring that they work.
In just under 200 pages, the books 7 chapters provide both a fascinating overview of the history of cryptography, in addition to showing how cryptography can be effectively used to authenticate digital documents. The book also has a high-level framework (a comprehensive framework would require at least 5 times as many pages) for an effective cryptographic framework for digital trust.
As Blanchette notes many times in the book, the challenge with getting digital signatures to work is not with the technology; rather it is with the underlying societal infrastructure in which to make it work. France was brought kicking and screaming into the age of electronic authentication, and is one of the few countries that have had such widespread success.
The book is a fascinating read that details how frustrating difficult it has been to create a comprehensive mechanism for digital authentication. The book raises many beguiling questions, and Blanchette is smart enough to notes that there are no simply answers to these multifaceted problems.
Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents is both a fascinating overview of the history of paper and electronic authentication, in addition to providing a synopsis of what it will take to make create a cryptographic culture, where digital evidence will be as accepted in the courtroom, as its antique paper cousin.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The irony is that an effective mechanism for digital authentication would seem to be an indispensable part of the digital age. The lack of such an authentication infrastructure may be the very reason that fraud, malware, identity theft and much more, are so pervasive on the Internet.
The premise of this fascinating book is that the slow decline from the use of paper from a legal and evidentiary perspective has significant consequences. For the last few hundred years, paper has been ubiquitous in modern life; from legal and health records, school, employment and everything in between.
The book details the many challenges that businesses and governments face in moving from a paper-based record society and the underlying trust mechanisms that go along with it, to a new digital-based record system, and how a new framework is needed for such a method. The book details part of that new framework.
The book opens with an observation on the authenticity of President Obama's birth certificate. While Blanchette is not a birther, he does note that if the moral authority of paper records has diminished, then the electronic documents replacing them, which are what the Obama administration provided, appear to be even more malleable. And that is precisely the issue that he addresses.
Blanchette details a compelling story and writes it as an insider. He was a member of a task force appointed in 1999 by the French Ministry of Justice to provide guidance on the reform of the rules governing the admissibility of written evidence in French courts, into a digital format.
The first few chapters provide an excellent overview of the history of cryptography. Chapter 3 – On the Brink of a Revolution– gives an excellent summary of cryptography from 1976 on, starting with seminal research that was done by Diffie and Hellman, and Rivest, Shamir and Adleman (RSA).
In chapter 5, Blanchette details his narrative about how France embraced and moved to a more digital governmental framework. He notes that the challenge was that France was the country that gave bureaucracy its name, and is a place where citizens must carry at all times their papers d'identite and is a society enmeshed in paper. Blanchette writes of the many French bureaucracies that had to let go of their protectionist stances as they moved down the path to letting electronic documents have legal validity.
Blanchette writes that in France, one of the biggest impediments to moving to a digital framework were the French civil-law notaries or notaire. French notaries are much more powerful than a notary public in the US, and are closer to being what a paralegal does in the US.
The French notaire are a wealthy and powerful monopoly when it comes to issues of purchases, sales, exchanges, co-ownerships, land plots, leases, mortgages and the like. A notaire can form a corporation prepare commercial business leases and much more. The entire French notary profession had been dependent on its monopoly to grant authenticity, and no definition of electronic authenticity could emerge and succeed if it did not meet its criteria.
While paper trust may be intuitive now, Blanchette writes that it wasn't always the case. When documents were first created (whenever that may have been), they did not immediately inspire trust. As with other innovations, there was a long and complex period of evolution needed to gain accepted levels of trust.
In chapter 6, the books notes that many people assumed cryptography would be the mechanism that would inspire trust in the digital world. Blanchette writes that the mistake cryptographers made and sometimes continue to make; is that they often assumed that the properties of cryptographic objects will translate transparently into the complex social and institutional setting in which they are deployed in.
This was incisively noted in Why Johnny Can't Encrypt, which was a usability evaluation of PGP by Whitten and Tygar. The author's observed that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. While the paper was written in 1999, most of its findings are still relevant.
Chapter 6 provides 3 fascinating case studies that show have different approach to security technology and cryptographic deployments are imperative in ensuring that they work.
In just under 200 pages, the books 7 chapters provide both a fascinating overview of the history of cryptography, in addition to showing how cryptography can be effectively used to authenticate digital documents. The book also has a high-level framework (a comprehensive framework would require at least 5 times as many pages) for an effective cryptographic framework for digital trust.
As Blanchette notes many times in the book, the challenge with getting digital signatures to work is not with the technology; rather it is with the underlying societal infrastructure in which to make it work. France was brought kicking and screaming into the age of electronic authentication, and is one of the few countries that have had such widespread success.
The book is a fascinating read that details how frustrating difficult it has been to create a comprehensive mechanism for digital authentication. The book raises many beguiling questions, and Blanchette is smart enough to notes that there are no simply answers to these multifaceted problems.
Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents is both a fascinating overview of the history of paper and electronic authentication, in addition to providing a synopsis of what it will take to make create a cryptographic culture, where digital evidence will be as accepted in the courtroom, as its antique paper cousin.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The security, the protocol, the encryption, BUT, as you already guessed, our sweat government does not want us to have secure and secret documents, without the ability to spy on them, whenever they want to, and for whatever funny reason.
a minute late and a post short.
i can assume this was written by a moderate person by is qualification of "substantially".
Awesome comment! Even more awesome that via anon coward...you really should out yourself...
EVERYTHING related to PC's is still, after 30 years, a clumsy bolt-on. Hell, networking and printing still have to be added, tweaked and configured and VPN is still a mess. As long as we tolerate companies like MS shoveling Windows 8 at us while the guts under the covers are garbage, this is what we'll get. I mean with a multicore processor there's no way to make one of those cores a security specific ASIC that does all the heavy lifting for security across the board in hardware. But we'll never get that because it's more important to have live tiles and 12 different apps that all do photo filters the same way. Hoo ray.
I should begin crowdsourcing a slew of form documents, in the style of "here is why your spam solution won't work".
Beginning with "So you wrote up a cyber law. It won't work. Here's why it won't work."
NOTHING can be saved if it can't be freely copied by anyone from anywhere. Most documents won't survive anyway, lacking interest in making copies for all of the time they're available.
The one and only way to keep a document is to have it freely copyable by everyone everywhere forever, end of story. Everything else is on reprieve.
Making laws based on opinions that stem up from false informations leads to witch hunts.
Amazon "search inside this book" has no results for "NP" as in P vs. NP. How can that be? The book doesn't draw the connection to this major relevant open question on one hand, but has "burden of proof" in the title on the other hand?
http://stephan.sugarmotor.org
some stupid little Anonymous Coward.....
And 64KB on the motherboard. I know, I had one.
I think many future political activists who were very 'open' on the net when young and stupid will end up paying for it hugely down the line when they mature and want to change the world for the better and then find out your political enemies goons know about things that could discredit you in the public eye.
Part of the problem is that there's this expectation that everyone be squeaky clean, and never have had made a mistake. It shouldn't matter all that much if someone did something stupid when they were young (or old, for that matter). Almost 1/2 of the male population in the UK has a (non-driving) criminal record by the time they are 40. Soon those with a record will outnumber those without, probably.
In the paper world you have to invest significant resources to forge each paper document. In the digital world if you can forge one document with a free tool you can forge as many as you want. To raise the cost of being able to forge a digital document beyond what an attacker is willing to pay the cost of legitimate use becomes greater than the benefit.
One possible solution is a hierarchy of security where the higher layers increase both the cost of forgery and the cost of legitimate use and let the market decide how much risk to bear. The SSL world tried to do that with extended validation certificates (the green address bar) but I'm not convinced it actually improved overall security since the problem is almost always at the user level. Maybe if they started selling extended validation hardware clients whose components were fixed in epoxy and ran highly secure firmware and software it would actually work. Trusted Computing is the obvious parallel in the PC world but it fails because the cost of developing software aimed at general purpose computers to rigorous security standards is too high. It's possible that as Moore's Law shoves hardware prices through the floor banks will just send relatively cheap secure hardware home with their new customers.
Jean-François Blanchette
When TFA text is managed by Slashdot's encoding you know something is wrong. I know Unicode has its problems but it really should be a priority at this point.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The original 64KB 5150 motherboard (4 banks of 16KB each) supported 512KB AST and other 3rd-party option cards, but carried ROMs that had a total system limit less than 640KB. The second gen motherboard supported 4x 64KB, of 256 KB on the motherboard, and 640KB of main memory overall. My recollection is of some number like 512KB + 32KB, for a total of 544KB, but it could have been 512KB+64KB, or 576KB; STILL not 640KB. I remember this because I once had to replace ROMs from gen 1 motherboards so I could get some machines up to the full 640KB memory available.
What I remember more, however, was how fast IBM's original expectations for the PC were surpassed by people using its relatively open architecture to do far more with it than IBM had planned (or anticipated). In 1980-81, few at IBM (or anywhere apparently) could conceive why one would want a PC with more than 128KB (64+64). By being open to change, the PC went quickly from that early 8-bit kind of view to one that would lead to a revolution in business and home computing. You can say what you want about PCs and Windows, but this is being typed on a garden variety home built PC vastly more powerful in every way that that distant ancestor. It has also had RAM, storage, and P/S upgraded over its lifetime (5 1/2 years thus far). Still useful, and more importantly, still usable with new OS versions (started on XP, moved to Win 7 when stable); and while I like having long HW and SW lifecycles, the point is I am not stuck with it as it was - like I am with my DVR (which is just a specialized Linux appliance really).
Thus I do wonder what the last 30+ years would have been like if the "Apple appliance computing" model had been adopted by IBM in 1980-85 instead of the more open one used for the PC / XT / AT? Even though it came out in 1984, the first gen Mac was ridiculous - a completely closed Moto 68K-based mini-workstation with an "8-bit machine" memory limit. It **could** have been built with a removable bottom plate and enough memory sockets for 4x 64KB - but only 1/2 populated (an expansion capability similar to what is now available for its distant descendant, the Mac Mini). But it wasn't - you had to physically upgrade your 1st gen MAc to get decent memory: to 512KB, aka the "Fat Mac", and then upgrade again to get a hard drive in the Mac Plus. Or you had to resort to strategies that would void your warranty (e.g., the hardware equivalent of a "jailbreak"). This Jobsian approach to evolution - via sales of more hardware - should sound familiar to Apple fanbois everywhere at this point (and why I opted not to buy this year's version of the iPad Mini, but wait for - GASP - the one with the proper CPU, camera, RAM, and screen).
Ancient history? Not really. At least two current trends (1) "wirecutters' and (2) cloud computing are going to see this "open architecture versus closed appliance/service" competition played out yet again. (A third may be iOS versus Android smartphones.) Overall I am still optimistic that on balance openness will lead to innovation that will be beneficial and also not necessarily anticipated by those who want everything tightly controlled for their own profit. This doesn't mean however that appliance advocates won't put up a good fight.
>>>We sure have a lot to worry Actually ZERO to worry about. dont sweat the small stuff.
good point...but at the end of the day....the NSA gets more via clueless and stupid end users, who make security mistakes, then by all their mainframes.
There seems to be a /. tradition in some cases that the first poster wins...irrespective of its content.
can the /. historian clairfy?