Bruce Schneier
Schneier on Security
A blog covering security and security technology.

January 17, 2012

The Importance of Good Backups

Thankfully, this doesn't happen very often: A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings.

Posted on January 17, 2012 at 7:31 AM • 23 Comments

Comments

Lucky that it just destroyed them - not altered them unnoticed

Posted by: Nobodyspecial at January 17, 2012 7:47 AM

In the UK the Government has been pushing for "all electronic courts" with one of the "show case courts" being Kingston Crown Court in Southwest London (it's where many of the celebrity cases are held). Suffice it to say it has had teething problems and the technology does not appear to be as robust or reliable as one would hope.

Interestingly, although the court has microphones etc. and records what is said, they still don't allow independent recordings to be made. This means that a defendant would have to pay for their own court certified stenographer, which is a very significant cost that as far as I'm aware would not be covered by the usual relief (legal aid in the UK) available to defendants of criminal proceedings.

Thus a significant hole appears to be opening up that could allow for "records to be unverifiably" changed, whether by accident or design, and in the latter case by those in power or those unknown.

However, one thing to note: if the basic "digital audio" records are kept, then they will have traces of "mains hum" on them, thus finding any changes from two different recordings should be relatively easy, and as in the case of the UK a forensic copy of the mains frequency is kept, then it should be fairly easy to identify which recording had been tampered with.
Posted by: Clive Robinson at January 17, 2012 8:04 AM

I wonder if anyone has ever done a study comparing a human stenographer to recording/voice recognition accuracy.

Posted by: nub at January 17, 2012 9:20 AM

At the very least, they should keep away from Windows (seriously!) and even standard Linux dists, and only use something like OpenBSD on the computers, use secure hardware (did you know that Intel processors often have HUNDREDS of HARDWARE DESIGN bugs that affect their functionality?), etc.

This is basically what I would demand at the very least for this to be trustable:

Multiple recording devices for audio with completely different architectures, all designed to be secure.

All audio is signed with secure RSA keys that are stored on tamper proof hardware; any attempt to access them will destroy the hardware and them too. Every device has unique keys, and they are replaced at least once a year.

The judges should have their own secured computers with their own keypairs, protected with several means of authentication (such as password + hardware dongle + whatever; they'll be stored encrypted and can only be decrypted by those means), and so will secretaries, etc. To fake or alter a document, you have to get ALL of the keys from each of these people and decrypt them.

Any less than the above, and I would never trust any single one of the documents. The hardware must also be stored securely (preferably in guarded vaults).

Posted by: Natanael L at January 17, 2012 9:44 AM

Absolutely splendid example of Murphy's Law biting back. This could become a very sour pill if the man gets a lower (or no) sentence in the retrial. "monumental screw-up" indeed.

On an equal note: How did the virus get on the PC that contains records that could be designated as confidential? There are plenty of closed-door trials. Such computers should not be allowed on the internet.

Posted by: Chris at January 17, 2012 9:58 AM

For something that small print the transcript off as a hardcopy...
in *real-time*:

Bailiff: "Do you swear to tell the truth the whole truth and nothing but the truth?"

I wonder what kind of effect that would have on long winded speeches?

Posted by: bcs at January 17, 2012 11:15 AM

bcs: that's the traditional "court stenographer" technique, using a special typewriter that is very quiet. IIRC, it has special keys to help the stenographer keep up to speed (like a typewritten version of shorthand?)

The result was to give the stenographer a bit of a racket on producing copies of trial transcripts, since it required more of a translation than just copying a file.

Posted by: Snarki, child of Loki at January 17, 2012 11:28 AM

And there's now an Oracle database vulnerability that in the worst case requires you to restore all affected, linked, servers from backups *simultaneously*

Posted by: Greg A at January 17, 2012 12:00 PM

From the Miami Herald:

This isn't even a case of BYOD (Bring your own device), this is flat out ignoring the rules. As a followup, she was fired for this and "other" transgressions.

Posted by: Ari E-B at January 17, 2012 12:01 PM

"On an equal note: How did the virus get on the PC that contains records that could be designated as confidential? There are plenty of closed-door trials. Such computers should not be allowed on the internet."

These are humans using these machines. Average humans treat computers as Giant Magical Boxes, rather than the machines that they are. Therefore, why NOT use the Giant Magical Box to access the Internet to read e-mail, play Flash games, catch up on FaceBook, or observe interesting pictures of clothing-averse people? (Possibly even during proceedings, but how many average people can resist using company hardware during "downtime" on the job?)

As to why the connection was there in the first place? Probably to allow for remote maintenance, or because judges/court officials don't care and just want to be able to access their e-mail NOW.
It isn't as though the court system necessarily understands the need for use and security policies (and enforcement thereof.) It's certain they didn't hire competent IT staff to do it for them.

Posted by: LinkTheValiant at January 17, 2012 12:06 PM

I'm an attorney. I routinely attend depositions and court hearings that are recorded by court reporters. When I have control over the proceeding (e.g., a deposition), I record everything in two different formats: a court reporter typing the words and a videographer taking video. Also, I have a streaming connection between the court reporter's computer and mine, so I leave the proceeding with a rough copy of the transcript. If there are problems in the future, I have multiple points of recovery.

When I don't have control over the proceedings (e.g., a court hearing), often there is only a court reporter, and I often don't have a streaming connection. One point of failure (though, many reporters simultaneously create both a printed and electronic copy of the transcript).

Robustness lies not in encryption or checksums. It comes from having multiple ways to recover the transcript. When the different methods conflict, however, you end up fighting in front of a judge over which is correct.

As for calls to use secure operating systems, that's not a practical suggestion for the courts, reporters, or attorneys. Court reporter software is a limited industry, and it's pretty much all Windows. Given the licensing fees reporters pay to the software companies (you don't want to know how much a reporter has to pay in licensing fees every time they make an electronic copy), I imagine that choices available to reporters are very, very limited. In close to a decade of practicing in Silicon Valley, I've never seen a court reporter using a non-Windows machine.

Posted by: Q at January 17, 2012 2:56 PM

It's a pity, Q, because the whole mess could be replaced with a glorified tape recorder at a fraction of the cost.
Posted by: Szn at January 17, 2012 3:52 PM

Q: As I noted, there should be *many* recording devices, which means pretty much the same thing as what you said. Cryptographic signatures are just another layer of integrity protection.

If all you need is to write, browse the internet and record stuff, OpenBSD will work for you. But you did mention some form of licensing, maybe Wine can run that licensed Windows software? Then you're at least a bit more secure.

Posted by: Natanael L at January 17, 2012 4:37 PM

"It's a pity, Q, because the whole mess could be replaced with a glorified tape recorder at a fraction of the cost."

Well, yes, a fraction of the cost for the reporter. But, if I want to use the transcript, I'll need it transcribed. Listening to a tape at $400-750/hr (typical attorney rate) quickly erases any cost savings. So, each side gets the tape transcribed. Then, when there are differences, both sides have to fight in front of a judge. Suddenly a savings of $5K turns into a cost of $50K.

That said, I expect that court reporters will be a thing of the past. Soon, a video with automatic transcription will be standard. Hopefully there will be a separate audio recording as backup in case the video fails. If the automatic transcription isn't right, a judge can easily just watch the video at the relevant portion. Hopefully, the automatic transcription is printed out and added to the court records. Imagine trying to overturn a 20 year old conviction by having to use video for which codecs don't exist anymore! Paper may be annoying and slow, but at least you know it's going to work in 20 years.

"If all you need is to write, browse the internet and record stuff, OpenBSD will work for you. But you did mention some form of licensing, maybe Wine can run that licensed Windows software?"

Court reporter software is highly specific. They don't use a word processor. Maybe it would run under Wine, I don't really know.
But, they have a lot of custom hardware and drivers that (I believe) enforce licensing. Think dongles from the 80s. I imagine (though have no experience) that the drivers may have difficulty working under Wine.

Posted by: Q at January 17, 2012 5:08 PM

I forgot to mention, there are in-place tamper resistant mechanisms for transcripts. In general, though, reporters are considered trusted individuals. Eliminate the reporter and you'll need to devise a new system for authenticating the transcript. Perhaps it's a digital signature, but you'll need a system that will work for decades and that judges can understand.

Posted by: Q at January 17, 2012 5:11 PM

> I've never seen a court reporter using a non-Windows machine.

Judge: Mr court reporter, do you agree to tell the truth, all the truth, nothing but the truth?

Posted by: ATN at January 18, 2012 5:51 AM

I've said for decades that all-electronic legal or medical recordkeeping with no piece of paper at the root is a disaster waiting to happen. Unfortunately I didn't die before it occurred but that may be self-correcting.

And as more and more "civil servants" just become mindless overpaid automata with that blank stare that they aim at you while spouting some ridiculous rubbish that would make a thinking person go "..wait; what?" and cut you off from lifesaving drugs because someone clicked a box wrong on a form, it's just going to get perpetually worse until either an asteroid, nuclear war or global warming gives us a fresh start by rebooting the planet.

Posted by: bob at January 19, 2012 2:33 PM

@ Bob

The "automata", "blank stare", "spouting" are signs of dissociation. They know it is "ridiculous rubbish", which is to say "lies". They wish not to be associated with it, but they like to eat. They don't know for sure your life needs saving; but they do know their own is endangered, and their own is more important anyway, to them.
Posted by: Otter at January 21, 2012 8:27 AM

Regarding stenographers, there is a very interesting OpenSource project that allows the use of steno on consumer computer keyboards: Plover

This enables real-time transcription at 200+ words per minute.

Posted by: Eli at January 21, 2012 4:00 PM

"If all you need is to write, browse the internet and record stuff, OpenBSD will work for you."

oh yeah?

FBI accused of planting backdoor in OpenBSD IPSEC stack

Posted by: keymaster at January 21, 2012 4:33 PM

@ keymaster,

"FBI accused of planting backdoor in OpenBSD IPSEC stack"

This allegation was made privately to a member of the OpenBSD team well over a year ago and appeared even then to be somewhat odd. The member of the team despite that chose to release the allegation into the public arena. Since then many many eyes have studied the code and little has come of it.

SSH/SSL in the meanwhile has been found to have a number of design / protocol errors. And this really is the point: how do you know if a design / protocol error is a deliberate "back door" or an unintentional mistake?

It's safest to assume that although they may be unintentional they are / will be exploited, and thus in any complex system there are in effect backdoors. Thus you need a different design criterion to mitigate this assumption, and all the popular / commodity OSs currently use the wrong design criteria with their monolithic kernels and ring 0 device drivers and other long historic design choices. As Nick P has pointed out on the odd occasion, there are OSs that are more secure by design.

However that said, the battle has really moved from the OS space to the Application space. I've been saying for many years that the likes of web browsers are totally insecure by design because of the wrong viewpoint early on in their design.
This is because they use(d) a single process space all at the same privilege level and under a single process / user ID to do work on separate and often unrelated tasks (i.e. one window open to say a Web Admin interface on one service whilst another is reading posts on a blog, and another accessing Email etc. etc.). Which traditionally was done by separate (terminal) programs which would have been run in separate process spaces with different process IDs and sometimes even under different user IDs, thus leveraging, not bypassing, the OS security mechanisms.

For all its faults the design of the Chrome Browser was a step in the right direction, albeit small and somewhat hesitant, as it needs to go one heck of a sight further to even get back to the same level of security that the old style working methods had.

And arguably it may not be possible: the whole point of an OS is that it is intimate with the underlying hardware for task switching and importantly addressing the MMU, whilst also by the use of kernel buffers etc. providing a vanilla interface to programs. Thus in the general case the usual userland program cannot set up separate work spaces from within its own resources and have them arbitrated by the hardware. The solution for commodity OSs is to set up separate process spaces through the OS and use IPC mechanisms for communication between them. However this is difficult to set up, has many many awkward limitations and is usually "two legged dog slow", and does not stop rogue behaviour in a process from insecure behaviour across the IPC mechanisms.

Which brings us to a fundamental issue of computer security: segregation-v-usability. To be secure you need very strong segregation at all levels to stop information leaking between processes. However to be usable for user "multi task" work you usually need minimal segregation of user directed information flow between tasks.
Thus you need very strong segregation between processes, which is relatively straightforward to achieve, but you then need to have communications across the segregation that in turn needs to be secure at all levels. And secure communications at even the simplest levels is very difficult if not impossible to do, because covert channels can dribble information across and are difficult if not impossible to find and stop, as their visibility is often related to their bandwidth. And as a generalised rule of thumb you can only find an illicit communications path if you are aware of the general class it falls into or if you can prove illicit information is being transferred.

Posted by: Clive Robinson at January 22, 2012 12:41 AM

As much as this sucks for everybody involved, it seems that giving this guy a new trial is the only legal option. Obviously, an appeals court can't proceed without a written record. Hopefully new protocols will be put in place to ensure that this never happens again.

Posted by: SFJD at January 30, 2012 5:44 PM
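Clive Robinson's first comment above suggests that the mains hum left on a digital audio record, compared against a forensic log of the mains frequency, can show which recording was altered. The following is an added example, not code from the blog or from any commenter, that demonstrates that idea on constructed input: it synthesises a recording containing only hum that follows a made-up reference frequency log, estimates the hum frequency per one-second window from zero crossings, and flags the windows of a spliced copy whose frequencies no longer match the log. The reference values, sample rate, window length, tolerance and the window-aligned splice are all assumptions chosen for the demonstration; a real recording also carries speech and noise and would need band-pass filtering around the mains frequency before this estimator is applied.

```python
import math

SAMPLE_RATE = 8000       # samples per second in the constructed audio (assumed)
WINDOW_SECONDS = 1       # one mains-frequency estimate per window (assumed)

# Constructed reference log: one nominal mains-frequency reading per second,
# standing in for the forensic mains-frequency archive the comment refers to.
REFERENCE_ENF = [50.02, 50.05, 49.98, 49.96, 50.01, 50.04, 50.07, 50.03]


def synthesize_hum(freqs, sample_rate=SAMPLE_RATE, amplitude=0.2):
    """Construct audio consisting only of mains hum that follows the given
    per-window frequency sequence with continuous phase (constructed input:
    no speech or noise, so the estimator below can stay simple)."""
    samples, phase = [], 0.0
    for f in freqs:
        step = 2 * math.pi * f / sample_rate
        for _ in range(sample_rate * WINDOW_SECONDS):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def estimate_frequency(window, sample_rate=SAMPLE_RATE):
    """Estimate the hum frequency in one window from positive-going zero
    crossings, linearly interpolated between samples."""
    crossings = []
    for i in range(1, len(window)):
        a, b = window[i - 1], window[i]
        if a < 0 <= b:
            crossings.append((i - 1) + (-a) / (b - a))
    if len(crossings) < 2:
        return None
    cycles = len(crossings) - 1
    span_seconds = (crossings[-1] - crossings[0]) / sample_rate
    return cycles / span_seconds


def extract_enf(samples, sample_rate=SAMPLE_RATE):
    """Split the recording into windows and estimate the hum frequency of each."""
    n = sample_rate * WINDOW_SECONDS
    return [estimate_frequency(samples[i:i + n], sample_rate)
            for i in range(0, len(samples) - n + 1, n)]


def find_mismatched_windows(measured, reference, tolerance=0.01):
    """Indices of windows whose measured hum frequency disagrees with the
    reference log by more than the tolerance (Hz)."""
    return [i for i, (m, r) in enumerate(zip(measured, reference))
            if m is None or abs(m - r) > tolerance]


def build_spliced_copy(recording, start_window, replacement_freqs):
    """Constructed tampering: whole windows of the recording are overwritten
    with hum captured at a different time, i.e. at different mains frequencies."""
    n = SAMPLE_RATE * WINDOW_SECONDS
    copy = list(recording)
    end = (start_window + len(replacement_freqs)) * n
    copy[start_window * n:end] = synthesize_hum(replacement_freqs)
    return copy


def check_recording(recording, reference=REFERENCE_ENF):
    """Windows of the recording that do not agree with the reference log."""
    return find_mismatched_windows(extract_enf(recording), reference)


if __name__ == "__main__":
    faithful = synthesize_hum(REFERENCE_ENF)
    spliced = build_spliced_copy(faithful, 3, [50.10, 50.12])
    print("faithful copy, mismatched windows:", check_recording(faithful))
    print("spliced copy, mismatched windows: ", check_recording(spliced))
```

The faithful copy matches the log in every window, while the spliced copy is flagged in exactly the two windows that were replaced. Comparing two copies of the same proceeding against each other works the same way: the copy whose per-window frequencies diverge from the log is the one that was changed.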
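Several of the comments above circle the same integrity question: Nobodyspecial notes it was lucky the virus destroyed the transcripts rather than altering them unnoticed, Natanael L wants every independent recorder to sign what it captures with its own key, and Q argues that robustness comes from having multiple ways to recover the transcript. The following is an added example, not code from the blog or any commenter, that puts those three points together in plain Python: each recorder keeps a hash-chained copy of the transcript entries and tags each entry with its own device key (an HMAC is used here in place of the per-device RSA signature Natanael L describes, to keep the example to the standard library), a single copy can be checked on its own for in-place edits and deletions, and several copies can be reconciled against each other so that a copy rebuilt with a stolen device key is still exposed by the recorders that disagree with it. The transcript lines, recorder names and keys are constructed placeholders.

```python
import hashlib
import hmac
from collections import Counter

GENESIS = "0" * 64   # chain anchor preceding the first entry

# Constructed sample transcript and per-recorder keys (placeholders, not real
# court data; in deployment each key would live only on its own recorder).
TRANSCRIPT = [
    "Bailiff: Do you swear to tell the truth, the whole truth and nothing but the truth?",
    "Witness: I do.",
    "Counsel: Where were you on the evening in question?",
]
DEVICE_KEYS = {
    "recorder-A": b"constructed-key-A",
    "recorder-B": b"constructed-key-B",
    "recorder-C": b"constructed-key-C",
}


def entry_digest(prev, seq, text):
    """Hash of one entry, bound to its position and to every entry before it."""
    return hashlib.sha256(f"{prev}|{seq}|{text}".encode()).hexdigest()


def chain_transcript(entries, device_key):
    """Build one recorder's copy: hash-chained entries, each tagged with the
    recorder's key (HMAC stands in for the per-device signature)."""
    records, prev = [], GENESIS
    for seq, text in enumerate(entries):
        digest = entry_digest(prev, seq, text)
        tag = hmac.new(device_key, digest.encode(), hashlib.sha256).hexdigest()
        records.append({"seq": seq, "text": text, "prev": prev,
                        "digest": digest, "tag": tag})
        prev = digest
    return records


def verify_copy(records, device_key):
    """Check a single copy on its own; returns a list of problems (empty = intact)."""
    problems, prev = [], GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            problems.append(f"entry {expected_seq}: chain broken (entry removed, reordered or inserted)")
        if rec["digest"] != entry_digest(rec["prev"], rec["seq"], rec["text"]):
            problems.append(f"entry {rec['seq']}: text altered after hashing")
        expected_tag = hmac.new(device_key, rec["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(rec["tag"], expected_tag):
            problems.append(f"entry {rec['seq']}: tag does not verify under this recorder's key")
        prev = rec["digest"]
    return problems


def reconcile(copies):
    """Cross-check several recorders' copies. Returns the recorders that disagree
    with the majority on any entry, and the majority text of each entry."""
    length = max(len(r) for r in copies.values())
    outliers, recovered = set(), []
    for seq in range(length):
        digest_of = {name: (r[seq]["digest"] if seq < len(r) else None)
                     for name, r in copies.items()}
        majority, _ = Counter(digest_of.values()).most_common(1)[0]
        outliers.update(name for name, d in digest_of.items() if d != majority)
        if majority is not None:
            source = next(name for name, d in digest_of.items() if d == majority)
            recovered.append(copies[source][seq]["text"])
    return outliers, recovered


def build_copies(entries=TRANSCRIPT):
    return {name: chain_transcript(entries, key) for name, key in DEVICE_KEYS.items()}


def scenario_silent_edit():
    """Stored copy edited in place without the recorder's key: the copy itself
    reveals the change (the 'altered unnoticed' case)."""
    copies = build_copies()
    copies["recorder-B"][1]["text"] = "Witness: I do not."
    return verify_copy(copies["recorder-B"], DEVICE_KEYS["recorder-B"])


def scenario_deleted_entry():
    """One entry removed from a copy: the chain no longer links up."""
    copies = build_copies()
    del copies["recorder-A"][1]
    return verify_copy(copies["recorder-A"], DEVICE_KEYS["recorder-A"])


def scenario_rebuilt_with_device_key():
    """Copy rebuilt and re-tagged with one recorder's key: it verifies on its own,
    so only comparison with the other independent copies exposes it."""
    copies = build_copies()
    altered = list(TRANSCRIPT)
    altered[1] = "Witness: I do not."
    copies["recorder-B"] = chain_transcript(altered, DEVICE_KEYS["recorder-B"])
    own_check = verify_copy(copies["recorder-B"], DEVICE_KEYS["recorder-B"])
    outliers, recovered = reconcile(copies)
    return own_check, outliers, recovered


if __name__ == "__main__":
    print("silent edit:", scenario_silent_edit())
    print("deleted entry:", scenario_deleted_entry())
    print("rebuilt with device key:", scenario_rebuilt_with_device_key())
```

The single-copy check catches edits and deletions made by someone without the recorder's key; the cross-check is what makes the number of independent recorders matter, since a majority only exists with three or more copies, and it also yields the recovered text that Q's "multiple points of recovery" are for. Long-term verifiability (Q's "work for decades" point) is not addressed by this example: it needs the keys, or their public halves for real signatures, to be archived alongside the transcript.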