(Apologies for being behind on the routine end-of-year predictions, but I was AFI -- away from Internet -- and too depressed with predictions to make the journey. Still, duty calls!)
- More depression for those who believe that security is important per se, and more profits for those who correctly balance risks with costs. We've pretty much buried the idea that security is a science and a business; the question is, can we integrate business and security?
- This is allied with ongoing confusion as to what is illegal and what is not on the net.
- KPMG shows that you can be too big to be criminal.
- Online Gambling: you can do it but you can't pay for it. 'It' in this case is sports betting, but not poker, and only if you are listed on the London bourse, but not if three quarters of a year have passed...
- Encrypted disks are great if you are in the employ of the USG (see the boring link on crypto bakeoff), but not so great if you're hit with RIP. What does the US Ambassador to Great Britain do with his private emails?
- Or online payments are another; if we don't like you we'll accuse you of supporting child pornography and let you argue it before the judge. Closer to Financial Cryptography -- e-gold is the issuer that refuses to die. The real dirty secret is that the Feds are so deep into e-gold at this stage they won't kill it, even as they are trying to kill it. This is -- I can reveal from first hand -- something that the founder predicted. Unfortunately under this scenario, the integrity of gold, the privacy of the user base, and the founder are all optional; something that I predicted. Sometimes it is annoying to be right, but it downright sucks if you are still part of the scenario.
In echoes of the Sony versus Cuthbert mess of 2005, it all adds up to: "it's OK if you can get away with it," a message much reinforced by politics. There are no rules you can rely on, and everyone struggles to keep up with the results.
For this reason, I dub 2007 the year of the platypus! What more confabulated animal is there than our world?
- I think it is time to predict a boost in human integrity products. It can't have escaped the world's notice that much of our current strife is based on deception being so deeply institutionalised that it's now come around to bite us. There's a market waiting to be developed: how to cut down the deception in the process.
The crying direct need is for such a product or process in employment processes. That's old news given Michael Spence's seminal work on signals about 30 years back, but what is curious is why nobody has really stepped in to look at it? A serious idea for b-school types or economists? How do we get away from Spencarian Signalling and put integrity back into employment interviews?
- Phones will continue to evolve and also become much more open. Currently, what holds them back is the closed architecture and infrastructure, but more signs are emerging that this will be challenged. Good news, as it keeps the major players honest and fresh to have at least some "leakage."
Some evidence: an open phone, this phone called me on Skype, a Cordless phoneset delivered with Skype, and today's news: Apple's iPhone does wifi and runs OSX.
Expect cellphone cross-over to wifi as routine by the end of 2007. The ability to redirect calls to the net dramatically changes the competitive position of the telcos, and the open platforms make software development a low cost reality.
- Payments and Chat. The one to watch is Skype, forget the rest as they don't have the security base. If Skype succeeds, they will change the scene, and even if they fail, others might get the idea as to why it is good to secure the infrastructure.
Why do I say that? "Been there, done that!" Chat goes with payments like Molotov with cocktails, Eddy with Patsy, Blue with Danube, but to see that you have to see the full design. The blue touchpaper has been lit, stand well back.
- Any Company An Issuer. Well, actually this happened in 2006 and before, but it is now time to realise the core lesson here: all companies can now be issuers of money. They do this by the expediency of pre-paid gift cards.
This is very significant, historically. Very Very Significant: it is the end of the central bank monopoly on the control of issuance of money. As CBs are no longer the only issuers of money, we can historically mark the 20th century as the century of central banking, and the future is now refreshingly open.
Of course, we will see much hand-wringing and bemoaning of the lack of control. Also a stream of pointless and annoying regulations, audit requirements, quasii-bank statii and what-have-you. But the genie is out of the bottle.
- Which leads to a resurgence of local community currency issues. This can now be clearly demonstrated as something that is quite reasonable to do. That is, if a company can sell you a gift card, then a community can, too.
And, it is also important to remember one of last year's very significant events, something so awesome that I never wrote it up on the blog: the Nobel Prize for Peace was awarded to Mohammad Yunus and the Grameen Bank. The significance of that event to financial cryptography is simple: their work is FC work, they just did it without our help.
The reason I know this is because around 2001-2003 I was involved in a company that tried to do it. The application epitomised by Grameen Bank, financial lending from large western sources to small 3rd world borrowers, is pure FC at its finest. (As RAH would say, of course, you can only do it with a system that shows 2 orders of magnitude savings in costs.)
- In 2007, we finally accept that we lost the battle to keep the world secure by ethical anonymity; the safety of the masses can no longer rely on their relative obscurity. What convinces me is not the biometric passport, the headline breaches of public trust in the name of war on today's bogeyman, but the gullibility of the average parent. Sure there's always a good reason, but aren't all suppressions of liberty for good reasons?
- The DRM wars have been won and lost. We will see a string of stories about how Hollywood is selling alongside pirates and how piracy suppliers don't recommend piracy. The majors have got the message; they can't beat this thing, and they may as well evolve.
This doesn't mean the end of RIAA raids and other dirty tricks. The war goes on, and battles will still be fought to keep the lid on territorial submissions. It also doesn't mean the end of cash cow economics. But it does mean lots of experiments ... on both sides ... as IP owners loosen their control on their property and p2p entrepreneurs get to grips with business models.
- AES will suffer a big embarrassment. Switch to AES256 as Pareto-secure, and re-invigorate the research for Pareto-complete algorithms. The reason for this? When an encryption algorithm breaks, the mere sniff of weakness destroys all trust. Expect that odor to waft around in 2007.
- Hashes will limp along under a cloud but nobody much will care, except the cryptobureaucrats. Mostly, this is because of implementation issues, where protocol implementors ignored the signs and did not switch forward to longer hashes. The reason for this? It ultimately doesn't matter; even when a hash algorithm is suspect, it still works well enough. Hashes don't smell, they are Pareto-secure for most applications.
- Vista will "fail". Not in obvious, journalistic terms, but in long term trend market share. The reason? Not because they didn't try, they tried really hard, with feeling this time. I award them full points for effort. But...
a. It's because Microsoft didn't understand the core weakness of security: marketing comes first. There is now sufficient evidence that they've allowed marketing to take over and drive fundamental architectural decisions which clash with security requirements we were promised. Specifically, they prayed to the false god of DRM, and the god took them for a ride. It is also the god of perpetual mirth, notching out Bacchus for hilarity. Contrast with Apple's approach, if you still aren't seeing it.
b. It's because the industrial criminal sector migrated through the easy ones and are now adept at the sophisticated ones. They can now take on new opportunities faster than responses. MITB is "game over" unless Vista is more secure than the market place will accept. Microsoft is stuck between a rock and a hard place; BCG says "cash cow."
c. It's because the economics of the OS has shifted. The third world cannot afford those prices, so they will go Vista if they can steal it, or Linux if they can't (which means they can switch easily to Mac when they can afford it). Given that most all growth is in non-1st world markets, that's kind of important to the overall game plan. Again, another rock and hard place for Microsoft.
- Hence, the operating system market will continue to migrate to a more "regular" market.
z.b. Mac OSX and Macs will continue to acquire "all" real growth in marketshare in the 1st world, where people can afford it. Microsoft may see a buzz of pent-up activity burst through on the release of Vista, but with discouraging real take up, where it counts.
z.c. Linux up. *BSD stable or down, but up if we include OSX. Better if they can keep up their reputation as being the serious man's free Unix, the professional's alternative to Linux. Worse if they don't keep up with the application install blues; perhaps they should look at stealing Apple's pkg system.
z.d. This will add costs to software developers as they are forced to support more platforms, but will also improve the overall security through diversity and also the recovery of competition. This might become the way consumers pay for security, who knows?
- On that old hobby horse: Phishing:
- The certificate market is moribund and distracted. Notwithstanding the basic economic flaws, the major and minor cert providers will dance around the Extended Validation certs until they all realise the game, and they all realise that they all realise the game, and they all realise that they all realise that ...
- And still no concentration on the underlying systemic issues of the faulty operating system and the faulty browser... That really can't happen until certain unnamed manufacturers get their teeth kicked in by courts, press, or phishers. I do not predict this, because I have a perfect record of getting that one wrong.
- Real retail payments security is now to be done by analysing the transactions at the backend. "In the interim, we'll look more closely." Until the secure terminal market shakes out (cellphones? PDAs? they're trying them all) there isn't much choice; and to be fair, this is how credit cards built their success, so why change something that works?
That's it, folks! Have a happy if confused year, evolutionarily speaking.