How safe is GnuCash?

GWB gwb at 2realms.com
Sat Jan 14 02:12:03 EST 2017


Kaj,

I did not mention Bitcoin.  Buddha Buck did, with the insight that the
use of a block chain might be what you were looking for, that is, an
audit trail to verify that the data file had not been tampered with.
Now that I see the background to your question, I would suggest you
not use GnuCash.  You might consider going back to the Windows program
you mentioned, or, from your original post, a spreadsheet.  You
mention in your first post that you have seen software that comes
close to the manual method of correction.  I would be interested in
knowing more about those programs, so if you could list them, it would
help.

Once we know what those programs are, then it might be easier to
answer the question you pose.  But without knowing this, I would
venture to say you should not use GnuCash.  It won't do that.

Gordon

On Fri, Jan 13, 2017 at 5:25 PM, Kaj <70147persson at telia.com> wrote:
> Hi, again,
>
> Well, this thread has at least shown one thing, GnuCash by itself is not
> safe in the sense I set up with my initial question.
>
> A couple of you also pointed out that it is impossible, since anyone with
> enough knowledge and enough resources, can change any file. Yes of course,
> the same you can say about the thief trying to break into your house. You
> have locks for every door and every window, but if he is using dynamite...
> The same with the manual bookkeeping in a paper book, which I started by
> saying it is the most safe method. But if the criminal is a highly skilled
> material specialist, he maybe can find out a way to remove the archive safe
> ink. So once again, you can never lock a thief out, if you give him enough
> time and enough resources.
>
> Jean-David Beyer has an interesting view on the problem with certificates.
> Well, I am not conversant enough to see all the consequences for the
> accountant. Do you for instance have to transport the whole accounting file,
> maybe log files too, via internet to this stamper web site? If so, also
> confidential aspects are to consider. Moreover we must assume that she/he is
> not very skilled in handling computers. And most often it also deals with a
> Microsoft windows system, as this is what ordinary people use today. Might
> be a Macintosh but Linux, very, very seldom. This also means that the file
> system is NTFS, you do not have that choice.
>
> Even the thoughts from Gordon regarding BitCoin are very interesting to
> follow, but also point out the difficulties.
>
> Regarding the suggestion about git, a presumption for the version management
> system to work satisfactorily, is that you switch off the compress facility in
> GnuCash, isn't it? Well, this is of course not a big thing.
>
> Now, at last, I think it is time to say a few words about the background to
> my initial question. I am a member, not an accountant, of an economic
> association looking for a suitable bookkeeping program. Many years ago I was
> an accountant in another association, that was in my Microsoft windows
> epoch, and then got in touch with a bookkeeping (proprietary) program which
> contained much of those qualities I mentioned with logging etc. But since I
> have changed domicile, and am now running Debian. For many years I have also
> been using GnuCash for my private bookkeeping, and found it very valuable
> for that purpose. I therefore got the idea to investigate if this program
> could be used in the association. However I found that those properties so
> valuable for me privately, e.g. the whole file in XML in plain language, also
> are its biggest disadvantage in a more professional context. So my question
> was if, after all, it contains qualities which I have not yet come in
> contact with, which will make it that safe tool an auditor can accept.
> Tracing is one such.
>
> Many thanks to you all. Your thoughts and aspects to the question have been
> very valuable.
>
> Kaj
>
>
> On 2017-01-13 kl. 12:51,  wrote:
>>
>> On 01/13/2017 12:29 AM, GWB wrote:
>>>
>>> Would snapshots of the file system accomplish what the original poster
>>> is after?  That's pretty much what I do, but maybe my setup is odd.  I
>>> use Ubuntu with both zfs and btrfs file systems.  Both can make
>>> snapshots; zfs snapshots are read only by default, and require cloning
>>> to a new file system to become writable.  btrfs makes writeable
>>> snapshots by default, but you can specify read only snapshots.  Like
>>> the burnable DVD option (which I like, by the way) snapshots freeze an
>>> entire file system in time.
>>
>> I am not an accountant, but I doubt snapshots would be much use.
>>
>> There seems to me to be a way to accomplish this, that might satisfy a
>> real accountant.
>>
>> At the intervals required, digitally time-stamp the file
>> (_not using your own system's clock_ that is easily falsified) and then
>> digitally sign that. The purpose of digitally signing the file is
>> that any change to the file after that, be it deliberate tampering, or
>> even just a machine or media error, would be instantly detected.
>>
>> Software such as this will digitally sign a file in a most secure
>> manner. Only the person in possession of the secret key can sign a file
>> with this. It is a public key encryption system, and the secret key is
>> never divulged to others. The public key can be publicized.
>>
>> https://gnupg.org/
>>
>> A web site that can time stamp software is this one:
>>
>> Stamper is a service provided free of charge to Internet users.
>>
>> You are very welcome to use Stamper, but you may only do so if
>> you have first read our Terms of use, which exclude liability on
>> our part and which provide for you to indemnify us against any
>> potential liability arising from your use of Stamper.  By using
>> Stamper you warrant that you have read and accept the Terms.
>>
>> The Terms of use are available by sending email to
>> info at stamper.itconsult.co.uk or from the web page
>> http://www.itconsult.co.uk/stamper.htm.
>>
>> These are meant to work together to time-stamp e-mails. This is not
>> exactly what is required, but it might be possible to combine them. As
>> you can see, I have not fully thought this through, nor have I put
>> together a system to support it. But perhaps something of this kind
>> might satisfy the auditors that some may be exposed to.
>>
>
> _______________________________________________
> gnucash-user mailing list
> gnucash-user at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-user


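
The audit-trail idea raised in this thread (a chain of hashes over successive saves of the book file, whose latest value is what one would sign and have time-stamped) can be sketched as follows. This is an added example, not part of the original messages and not GnuCash code; the function names, the `<book>` sample data and the stamp strings are hypothetical, and no signing or time-stamping service is called.

```python
import gzip
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def book_digest(raw):
    # Hash the XML itself so compressed and uncompressed saves compare equal.
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return hashlib.sha256(raw).hexdigest()

def entry_hash(e):
    # Covers every field except the entry's own hash.
    body = json.dumps([e["seq"], e["stamp"], e["digest"], e["prev"]])
    return hashlib.sha256(body.encode()).hexdigest()

def append_entry(log, raw, stamp):
    # stamp is caller-supplied: take it from an external time-stamping
    # service, not the local clock.
    e = {"seq": len(log), "stamp": stamp, "digest": book_digest(raw),
         "prev": log[-1]["hash"] if log else GENESIS}
    e["hash"] = entry_hash(e)
    log.append(e)

def verify(log, snapshots):
    # Returns the seq numbers of entries whose link, hash or file digest fails.
    bad, prev = [], GENESIS
    for e, raw in zip(log, snapshots):
        if (e["prev"], e["hash"], e["digest"]) != (prev, entry_hash(e), book_digest(raw)):
            bad.append(e["seq"])
        prev = e["hash"]
    return bad

def demo():
    # Constructed sample data: two saves of a stand-in book, the second gzipped.
    v1 = b"<book><trn amount='100'/></book>"
    v2 = b"<book><trn amount='100'/><trn amount='250'/></book>"
    log, snaps = [], [v1, gzip.compress(v2)]
    for i, raw in enumerate(snaps):
        append_entry(log, raw, f"external-stamp-{i}")  # placeholder stamps
    clean = verify(log, snaps)
    forged = [v1.replace(b"100", b"900"), snaps[1]]
    edited = verify(log, forged)  # old save altered, log untouched
    log[0]["digest"] = book_digest(forged[0])  # log rewritten to match
    log[0]["hash"] = entry_hash(log[0])
    rewritten = verify(log, forged)
    return clean, edited, rewritten
```

Rewriting an old entry breaks the link in the entry after it, so only the hash of the latest entry needs to be signed and time-stamped. A rewrite of the whole log is detectable only against a copy of that hash held outside the machine.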