December 15, 2007
2007: year in review...
So what happened in 2007? All doom and gloom, really. Here's a roundup of what I called the year of the platypus, for some mixed-up reason to do with security in its own worst nightmare:
- Security went down, overall. Net Fraud went up, overall. Breaches kept on being reported. Software author liability was discussed. In other words, no news.
- One bright spot is that it is now considered wisdom that the security profession and/or industry has failed. I first wrote about the hypothesis of failure in mid-2004, and at that time, phishing, breaching and other industrial-scale crimes were considered ignorable problems. (I don't think I was necessarily the first, but perhaps the most outrageous.)
For this reason, I dubbed 2007 the year of the platypus. During that year, all of the major security commentators clicked into consensus on this hypothesis. This is good. Before, it was impossible to fix because all efforts at security amounted to the old medical practice of wrapping up battle wounds in bandages and not taking them off until the limb fell off. Now that those in the security field include themselves in the problem space, rather than the solution space, there is some hope to at least understand the spaces.
- My suggestion that every CSO needs an MBA went down like a lead balloon. Possibly because nobody fully groks the signal-economics of the CISSP, et al, and thus they are hardly capable of accepting a qualification that claims as its plus points nothing to do with security, an order-of-magnitude cost increase over popular alternatives, and, worst of all, you have to really work for it. No good can come of that! And to be fair, Spencean mathematics predict that this won't work in the Alice-in-Wonderland world of signalling, because additional value-added is ignored beyond a minimum point that achieves stability in the market for silver bullets.
- OpenPGP went to RFC4880, after ten years of delay. In one sense this means little as those who don't use OpenPGP are not going to change, and those who do won't worry. In another sense, because it means that OpenPGP is now as solid ("got a standard") as its erstwhile PKI cousin(s), we can more clearly discuss a better model. Which helps, because it is the only infrastructure that is useful, economic and net-scaleable for human signing.
- The UK got a rude awakening, firstly when the government disagreed with the entire security industry's best efforts (Her Majesty's ministers are avid readers of FC?) and then when the self-same government lost its database. British security pundits are fleeing in droves down to their local comedy house, where they'll get more respect as stand-up comedians.
- Stormbot surged across the top of beyond to become the biggest threat to the popular mind since the Blight. I reported (with some level of respect) that this signalled a new phase: the arisal of a serious criminal mastermind, Moriarty-like, or better known as the systems architect in computing lingo.
Others reported with life-threatening degrees of hyperventilation how Stormbot swarmed into computer researchers' minds and initiated fear and panic. Next, we'll be telling crypto-jokes about the fall of RSA. (These images brought to your mind, courtesy of the Blight, from _A Fire Upon the Deep_. Death to Vermin.)
- I predicted that this year, Vista would fail to make a difference to the security game. Which leads to a need to redesign from scratch. Bruce Schneier thought so too:
Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest.
Or maybe not. Vista failed to make a difference, so the logical conclusion is also the ridiculous one, to paraphrase Sherlock Holmes. I guess we'll see next year :)
- As predicted, Apple Macs enjoyed a year of protecting their users. So did Firefox.
- Practically zero news from Cardspace/Info???. This is a worry. Regardless of one's depressed feelings about another Microsoft security initiative, there were some good seeds sown in that design.
- All trust of any form was lost in the American government (called there "the administration"). So much so that they started pushing for reform on global warming. Where this leaves us in the FC field is counting the damage done to the governance of the spooks and cops. That might take decades, as a lot of the stuff was secret.
- In payments news, the e-gold guys got indicted, following a run of "brushes with the law". That was the end of an era, and sparked some sadness; it could have been different. In the end, it has made things much harder for the rest of the players as they now have to deal with the overbearing and dirty image. Yet another innovation in finance has been sacrificed to ego, and we the people will lose another decade or two in getting competitive payments systems.
- In further and more serious payment news, the telco fascination took deep hold in the subconsciousness of many observers. No longer just the fantastical prediction (the Trotter observation of 1998), telcos are predicted to be the owner of the wave of the future of payments. Not so fast, I say: like banks, telcos are not stellar in the understanding of this field, and there is still plenty of room for the extraordinary losses, film-story bungles and outrageous claims.
- Curiously, gift cards and small issuers and the like slipped out of the observer's consciousness. (Curious here means, I predicted otherwise, and was wrong...) Rumour has it that the EU has decided to kill the digital money directive. Perhaps an act of kindness, as the banks made sure the thing was born crippled and insane from the beginning? And, it's ok because the EU still has SEPA, the mandated response to the failure in competition? Right?
- Small FC challengers such as zopa.com fight on, under the yes-it's-meant-to-kill-you suffocating blanket of regulation. Second Life lurches along, much like Paypal days of old; if it survives as a financial system it will be because of brutal survival skills. WebMoney continues to inhabit the spot of "the one I'd worry about if I was you."
- Open source established itself further as the credible alternate. It is now routine for groups I deal with to use Firefox, Thunderbird and share documents using OpenOffice. No matter how sensible that is... Mac share still grows in the meetings I go to, and I am beginning to be suspicious of claimed market share numbers.
- From the monetary economics department, the collapse of the US dollar was well established. Finally, the imbalance that started around 2000 became accepted as policy not anomaly. News from the underground indicated that Sir Alan initiated the process of dealing with the massive shift in value in 2003, but it took until this year that the mainstream realised that falling dollar prices signalled a long term shift based on the rise of the Euro, over-expenditure of the USG and a few petro-wars thrown in to provide a colourful backdrop.
- The big question that was on everyone's mind was finally answered: what happens when the world currency gets out of balance? Meltdown? Panic? Blood in the streets? The answer was of course simpler and more sinister: the other central banks took half the value on the table. That is, where gold was indicating a 2-3 fold value collapse, Euros, Sterling, Aussies and others inflated their currencies in between the squeeze. Thus, housing booms were maintained, currencies appreciated, and economic records stayed intact. But behind the mirrors, another story unfolds...
- The blog went quiet. Partly, it was because there was little or no news. Partly because I got more involved in the great certificates adventure.
- Predictions I got wildly wrong: AES stands strong, but I will say that 128 should be avoided. EV seems to have won out when Mozilla decided to add it, which probably will force the arisal of the two tier market (no bad thing in marketing terms but not a comfortable result, if you know what I mean).
Well, that's enough for me, and probably more than enough for any sane person! Enjoy Xmas, and maybe we can conjure up something better for the new year.
Posted by iang at December 15, 2007 08:29 AM
my two bits on some of the subjects
part of the payment issue is whether it is a transaction business or a risk management business.
if it is a transaction business ... then one might expect lots of efforts to make it more efficient and less risky.
if it is a risk management business ... then it might be construed that if all risk were to be eliminated ... there wouldn't be much to manage anymore.
for more than a decade there have been predictions that telcos would move in and take over the payment transaction business ... because they are already extremely efficient at managing call record transactions. there have been numerous claims that it has yet to happen because telcos haven't figured out how to do the risk management end better.
some recent posts related to pdas/cellphones moving into payment transactions
http://www.garlic.com/~lynn/2007u.html#11 Public Computers
http://www.garlic.com/~lynn/2007u.html#47 folklore indeed
http://www.garlic.com/~lynn/2007v.html#37 Apple files patent for WGA-style anti-piracy tech
and for some cybercrime issues ... recent post
http://www.garlic.com/~lynn/2007v.html#35 Inside a Modern Malware Distribution System
The referenced modern malware articles make mention of the "new, 40+ yr old" technology ... however, my first exposure wasn't until the last week of jan68 as an undergraduate (a few weeks short of 40yrs). However, over the next two years ... as an undergraduate, I significantly redesigned and rewrote much of the original kernel.
The malware article is also somewhat related to the virus/trojan attacks on online banking systems ... which (with a little topic drift) raised in this post:
http://www.garlic.com/~lynn/aadsm27.htm#65 MITM spotted in Tor
there have been several ongoing themes that the "new 40+ yr old" technology will be the saving solution to all sorts of current computing ills
(and whether or not 2008 will be the year of virtual machines).
Hmmm... it's true! I never mentioned the rise and domination of the VM. Perhaps because it has little to do with FC? I don't see it as much more than a distraction, in that we have as many machines as we need, and VMs just give us more. Dunno...
I disagree on one point; just because IBM had virtualisation back in 1968 (how embarrassing...) doesn't mean that virtualisation is "old hat". Moving it from the stratospheric ranges of the IBM world to the $300 PC cheapie is still a big deal.
http://www.garlic.com/~lynn/aadsm27.htm#66 2007: year in review
some amount of new 40+ yr old technology is about server consolidation and being green
http://www.garlic.com/~lynn/2007s.html#0 Marines look for a few less servers, via virtualization
http://www.garlic.com/~lynn/2007v.html#13 Ageing data centers limiting benefits of new technologies
however other activities involve "virtual appliances" (what we used to call service virtual machines) ... which are much simpler and targeted monitors. they are considered somewhat more secure because they are less complex and KISS.
http://www.garlic.com/~lynn/2007o.html#3 Hypervisors May Replace Operating Systems As King Of The Data Center
http://www.garlic.com/~lynn/2007s.html#4 Why do we think virtualization is new?
http://www.garlic.com/~lynn/2007u.html#39 New, 40+ yr old, direction in operating systems
the new 40+ yr old technology is also being touted as addressing some of the existing cyber vulnerabilities. part of (simpler) virtual machine technologies ... is that it can provide very strong partitioning (approaching "air gapping"). One of the major compromising vectors is via browser interaction on the internet. One of the internet browsing scenarios involves creating a brand new targeted browsing environment for each session ... which goes poof and evaporates (along with any compromises) when done.
http://www.garlic.com/~lynn/2007q.html#64 Virtual Browsers: Disposable Security
many of these virtualizing techniques date back nearly 40 yrs. some slightly different topic drift (I disclaim knowledge of it at the time):
Now on the other hand ... given control of the machine ... virtual machine technology can hide in lots of ways that conventional compromises can't. The referenced malware discussion points out a case where the bad guys are looking to see if they are in such an environment controlled by the good guys. However, there have also been discussions about the potential for the reverse ... i.e. the bad guys in control ... for instance in machines located in public environments (and figure they can evade detection).
and somewhat back to 2007: year in review ... my first post of the year
http://www.garlic.com/~lynn/2007.html#0 Securing financial transactions a high priority for 2007
referencing an article in late 2006 ... and a thread that continued through much of 2007 mostly about how it hadn't happened.