December 29, 2007

2008 -- The Year of the Raven!

What lies in store for us next year?

  • More security gloom. There has to be a turn-around in process to make it stop going down, or fraud has to reach an economic limit or balance. Neither is yet in sight. So, no change: fraud up. Gloom up. Panic up. Only thing down is confidence, faith and the already tattered reputation of the security industry.
  • Lies and deception are an issue. It's routine in business it seems, and it is a fascinating game theory question why this has become prevalent.

    "Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies ... covered my mouth, scratched my elbow, looked away and so on."

    At the notable DigitalIdForum.com in London, I heard one statistic that stuck out: the correlation between CVs and capabilities is 0.3, in Britain at least. For those who forget their statistics, this puts the Curriculum Vitae closer to rubbish (0.0) than to value (1.0). Look for the correlation to turn negative, and we'll all have to play the game of guessing which employee skills are precisely the reverse...

    Seriously though, the CV is the core tool in the search for jobs; what does that tell you about the employment industry? And what does that tell you about the employees that you already have?

    My prediction for the year to come: more attention to just why deception and lies are so much a part of our business relationships. I therefore dub this the Year of the Raven, although the real reasons for this are too deceptive to be revealed.

  • Last year, we saw the realisation that the security profession was in the problem space, not the solution space. I predict there will be some soul-searching in the academic world as well. How many papers have you read this year that fail to come close to the problem space, let alone the solution space? Some of them are just plain case studies in what's wrong with academia.
  • Bad news for the academic credibility of security conferences, but good news for their attendance. Good news for related fields, and indeed there will be a rush to introduce other things.

    There will be more attention on psychology (I saw an excellent presentation on the psychology of deception at DigitalIdForum. Did you know that adults deceive around twice per day? Tricked again, dammit!). Also, economics is in full fashion, alongside user interface and usability studies. In around 2 years, I predict that people will start to think of Open Governance, and end up discovering where FC was 10 years ago. Or could have been.

  • Mozilla created a new business framework around the Thunderbird email client. This might pay dividends if it creates the incentives to add some usability to the thing they call S/MIME. Or maybe not, we'll see. This could be good, as the potential to turn Thunderbird into a viral security agent for the user is definitely there, but it does require some opportunistic thinking. It has all the code in it, just a woefully old and tired security model that should have been trashed the day after Christmas of 1994, like all the other toys from the 1970s.
  • Europe is in the early skirmishing phase of a "war on cash." Expect a casus belli sometime in 2008. Like all wars these days, it is totally bogus. In this case, it can be seen as simply another request for another subsidy from the banks, or more complexly, an exchange of the SEPA political favour for the monopoly payments franchise.

    So far, the competition people in the EU haven't worked it out, and the central banks and other "payments authorities" are tripping over themselves to present the "costs of cash" with no thought as to the "cost of bank subsidies." As always, the people will lose this war, but at least it is limited to the European peoples.

  • Macs will still be the better alternative for security for another year. The cracks are showing, and some attacks will bite, but in the pure comparison sense, it still makes sense to buy a Mac. Expect a few actual breaches and viruses, etc, and much trumpeting of how Macs are insecure. Don't be fooled; it takes more than a year to get from 0% of Windows insecurity to 100%.
  • As predicted last year, Vista failed to make the difference. This means that Microsoft has given it their best shot, and failed. So they now have to think out of the box and make major structural changes to the model. Which means: rewrite the OS. Look for signs of operating systems research, on both how to do it, and what's available to snaffle. Normally Microsoft would not pick up other people's work in such a sensitive area, but this time it's different, *iff* there is anything that will help. Anyone got a caps OS handy?
  • OLPC could not have picked a better time. Their new OS (with caps and all that good stuff in it) will inspire many of the research / geek sector, and therefore we predict it will become a credible alternative to the OS menu (at least as credible as Minix and the experimental linuxii, etc, and more credible than Next, etc). We might not know for 5 years whether it will storm the barricades, but this year will see its steady rise.
  • Which means we are seeing the slow but steady regularisation of the OS market. Once it was just MS Windows. Slowly, Unix is clawing back, with Mac and with Linux. Unlike the CPU market, which saw the dramatic turnaround from monster to duopoly over only 4 years, this will be slow. Watch for signs of increasing annoyance from PC sellers and switching to non-MS-installed sales.
  • News in pure FC is likely to be pretty much limited. Again, complexity slows it down, so it is the same old story: great opportunities are missed because the people who are doing them have ignored all the academic advice (good) and thus lose the big picture (bad).
  • Don't expect much change in the Certificate Authority world. EV succeeded so Verisign++ is further entrenched. CAcert continues to prove the pros & cons of an open source organisation: it is easier for the open source world to create a broad techie organisation than a deeply governed organisation. Because of audit impositions, the old bazaar trick that worked for Linux, Mozilla, Apache, the BSDs, etc, just doesn't work for CAs.

    However, the fundamentals are still good for an open CA, so we'll plough on. Prediction: by the end of 2008 we'll know whether CAcert can make it or not as a serious CA, and whether there is any hope for the browser/email security models to start delivering crypto to the users. (Audit-wise, that is, being the only language that matters to the big vendors.)

  • Online banking still lurches along, caught in the trap of user-confidence and an inability to deploy another channel. The result of course is user deception, self-deception and more losses. As there are no competitive forces in sight to inspire some change, we are looking at a slow race developing between attackers and the banks, where both will be counting the losses on both sides of their balance sheets. The only comprehensive loser is again, the user.
  • e-gold will likely have to be restructured over the next year. So many blows, so much loss of confidence; still, my record of predictions with e-gold is not good so I'll refrain from further speculation. WebMoney and Goldmoney should have a good year, and as they are in different application spaces, they'll not bump head to head.
  • The blog will remain quiet, partly because a lot of the interesting stuff has already been written, and partly because at least one blog (Dave's digital money) now covers a lot more of the classical FC news & views.

    The formula for a popular blog has also affronted: lots of lightweight posts, many divergent authors, stick to something everyone can happily disagree with, make it part of a spectrum of marketing, not a lone voice. Has the blog craze run its course? I think so, but the replacement isn't clear (podcasts have been tried, but they don't appeal. Video is ok for mass market, but it is more costly to make the grade in the serious market).

Enough is enough! Enjoy your year, and even if you find your industry in turmoil, try and create the sense of space needed to reflect on the real things that went wrong. The good news is that we rarely get to live in interesting times, the bad news is that there will be 100 opinions on why, and only a statistically insignificant portion of them will be close. So sayeth the Raven!

Posted by iang at December 29, 2007 08:43 AM
Comments

On 29 Dec 2007, at 18:53, iang@iang.org wrote:

> OLPC could not have picked a better time. Their new OS (with caps
> and all that good stuff in it) will inspire many of the research / geek
> sector, and therefore we predict it will become a credible alternative
> to the OS menu (at least as credible as Minix and the experimental
> linuxii, etc, and more credible than Next, etc). We might not know for
> 5 years whether it will storm the barricades, but this year will see
> its steady rise.
>

Will it?

It needs a large central infrastructure.

Now the Asus EEE looks a lot more interesting and is actually available to mere mortals on an ongoing basis.

Not sure about your comment regarding Next.

> Which means we are seeing the slow but steady regularisation of
> the OS market. Once it was just MS Windows. Slowly, Unix is clawing
> back, with Mac

Ahh, you mean the Next OS? That was bought in with Jobs and rebranded and GUI-fied to be a Mac?

> and with Linux. Unlike with the CPU market which saw
> the dramatic turnaround from monster to duopoly over the only 4 years,
> this will be slow. Watch for signs of increasing annoyance from PC
> sellers and switching to non-MS-installed sales.

Though that has been a stream for a while since MS got smacked for insisting that vendors could not install other OSen on their machines if they wanted to be able to use OEM windows.

Posted by: f at December 30, 2007 08:08 AM

"However, the fundamentals are still good for an open CA, so we'll plough on. Prediction: by the end of 2008 we'll know whether CAcert can make it or not as a serious CA, and whether there is any hope for the browser/email security models to start delivering crypto to the users. (Audit-wise, that is, being the only language that matters to the big vendors.)"

Check out www.multifa.com for secure mutual authentication using certs via browser. Deployed without hassle, non-phishable, and two-factor.

Posted by: omni omnibus at February 5, 2008 07:11 PM