December 14, 2005

2005 in review - The Year I lost my Identity

In the closing weeks of 2005, we can now look back and see how the Snail slithered its way across the landscape.

1. Banks failed to understand phishing at any deep level. They failed in these ways:

  • Pushing out websites that offered login boxes on unencrypted pages opens the door to phishing attacks and gets the bank onto Amir's Hall of Shame.
  • Rollout of two-factor authentication tokens -- a.k.a. SecurIDs as promoted by RSADSI, as ordered by the FDIC, and as jumped on by banks desperate to be seen to do something -- devices which only address one easily 'fixed' issue in phishing: realtime access. Yet, even as the bandwagon was exceeding the speed limit, we already saw the first realtime attacks. I predicted that we'd see the first fully perfect attacks by the end of the year.
  • Banks experienced a wave of chill when Lopez sued Bank of America. Although they knew that they were in the right, they also knew this case would probably be lost. Or, at least, it was the beginning of the end of the easy risk separation.
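One way to mechanise that first bullet, as an added example that is not part of the original post: a small checker that flags a page's login forms when the page itself is plain HTTP (the form can be rewritten in transit) or when the form posts its password field to a plain-HTTP URL. The HTML samples are constructed.

```python
# Added example for the "login boxes on unencrypted pages" point above; not
# code from the original post. Flags <form>s with a password field that are
# served from, or post to, plain HTTP. The HTML samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects [action, has_password_field] for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per insecure login form: served over plain HTTP (the
    form can be rewritten in transit) or posting to plain HTTP (password in clear)."""
    parser = LoginFormFinder()
    parser.feed(html)
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # relative actions inherit the page's scheme
        if urlsplit(page_url).scheme != "https":
            findings.append(f"login form on unencrypted page {page_url}")
        if urlsplit(target).scheme != "https":
            findings.append(f"login form posts credentials to {target}")
    return findings


# Constructed samples: a login box on a plain-HTTP page, and an HTTPS page
# whose form still posts the password to an HTTP endpoint.
HTTP_PAGE = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
MIXED_PAGE = '<form action="http://bank.example/login"><input type="password" name="p"></form>'
```

The second sample matters because a padlock on the page says nothing about where the form actually sends the password.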

2. Browser manufacturers have moved slightly faster than your average glacier. Microsoft moved forward by announcing that phishing was a browser problem (Mozilla and KDE followed 8 months later), and again by putting some tools into the IE7 release. Another big step forward was announcing the switch-off of SSL v2.

But Microsoft also moved backwards one step IMO by going for the "shared database of phishing alerts" idea pioneered by Netcraft. Computer scientists and security gurus are still scratching their heads over how that is ever going to work, given that it never worked the other several hundred times we tried it. And another step backwards was announced as Microsoft went for an upgraded super-authentication concept for CAs. Those CAs that pass their upgraded rules will get rewarded by the CA's name on the browser, and the site will appear in green. Unfortunately, this confirms Microsoft in the position of super-CA, as they've now taken a position of judgement. Worse, it probably won't do anything to address the security problems we have now. As James Donald says, "the revenue model [for certificates] is based on sprinkling holy water over communications, rather than actually providing security. Hence the proposal to address phishing by providing higher priced grades of holy water."

3. Data hacking blew American innocence away when Choicepoint revealed that they'd lost about 150,000 data sets to a guy with a stolen credit card. That's identities, to the plebeians. Instead of doing the right thing and looking sorry, they ducked and weaved. Unfortunately, the underlying spark was the California law that said you had to notify the victims. (Check out the full gory history in Adam's Choicepoint category.)

Within a month there were something like 6-8 large-scale copycat victim companies. The sudden knowledge of actual public attention, actual duty of care and actual potential for damages electrified the corporates like they'd received the other famous sentence from California - death row. The year rolled on, and by the time it hit 50,000,000 sets of data -- people, identities, you but not me -- analysts got bored and stopped counting. Basically, all of them, or as many as you'd ever need.

4. Keylogging and malware and spyware slipped in and ruined -- totally and utterly destroyed -- any notion that *your Windows PC* was safe. It's a bit darn unfair as Microsoft did manage to improve the security of their most famous and most hackable platform, but to little avail.

Underground rumour has had it for some time that corporates were also playing the same game, using weaknesses deliberately left in by the manufacturer, and we got some great evidence when Sony was caught in the act. In order to protect some 32 or so of their CDs, they installed rootkits across millions of machines (it's not really clear what it means to see half a million DNS servers).

What's the significance of this? It totally destroys our cosy concept that the attacker is the bad guy and we are the good guys. If I had been caught putting a root kit on someone's machine, I'd have gone to jail, but apparently for Sony, that's not an issue. Security observers are learning the doublethink of one rule for Cuthbert and another rule for Sony.

5. Although we saw the first signs of trouble for Mac OSX in late 2004, it failed to germinate. Macs reached 5% of the market, better than they'd done for a long time. Mac users had peace - in our time, their time and if things keep going as they are, in their children's time.

6. Security observers exhibited surprise at how phishing had emerged. SANS still doesn't list it as a threat, but they did decide that Apple's OS X was one, primarily because it now has 5% of the market. It's an odd way to do security - punish for popularity - but SANS is popular with its members and training courses sell well. Expect them to list phishing as a threat when the phishers have also reached 5% of the market.

7. In the good news section, Apple's music sales boomed. Primarily, their great business achievement was managing to walk a line between the cash cow mentality of the music owners and the bull-in-a-china-shop attitude of Internet mp3 users. Also, not to be underestimated as a core driver of their success, they got the interface and technology right enough that it is relatively seamless - rumour has it, it just works.

8. Although Apple's tune was heard loud and clear, file sharing systems continued to romp. Growth continued unabated, and by some estimates, 30% of all bandwidth on the net is consumed by these systems. That's success! But it also means that they are now facing limits to growth themselves. Prosecutions continued, but seemed to do nothing towards growth of file sharing or growth of music sales (either on or off net).

9. Firefox continued to grow, reaching about 10% of the market by the end of the year. Riding on a complete new build, some solid software engineering and some adroit choices not to follow the Microsoft "innovations" in insecurity like ActiveX, their growth was joyously exponential. Being the one compatible browser across all major platforms did no harm either - corporates now find that they can install it everywhere, and Linux, BSD, OSX *and* Windows users are happy together at last.

Oh, and I forgot to mention - Mozilla went commercial.

10. Another slow year in Financial Cryptography. Paypal grew, but fractured more and more along jurisdictional lines. e-gold survived. Actually that's unfair: they survived in 2004 and grew in 2005, but still nobody knows how. Goldmoney surpassed them in total value under management, but kept mum about transactions. Industry scuttlebutt has it that the bell doesn't ring much. Exchange traded funds are now routine, as model copies of DGCs within the stock market regime.

11. The surprise entry is WebMoney. This Russian-based company keeps popping up above the radar with solid report after solid report. They seem to have adopted many of the lessons of actual real financial cryptography and are even market leaders in some areas. They are the _only ones with low cost arbitration_ -- a development we've been praying for, for about 5 years now, in the forum of LexCybernatoria conferences -- and rumour has it that they've actually moved into the distributed issuance space, something that I bet the farm on in 1995 or so.

How did they do all this? By following Iang's rule number one of market growth, I'd guess: shut the f*** up and work for your customers. Or maybe it was simply because all their press releases are in Russian and only Dany has the time to translate them.

12. The year of the smart card was not announced. The year of RFIDs was announced. Neither seemed to make any difference, as yet.

13. Grid became commonplace in the news, as did Virtualisation. The latter has security connotations in that you can now partition off all those dodgy PHP apps on the net. But wait, there's a catch - once you virtualise, they are really separate machines! So it is not clear to me yet how this does any more than firewall and contain the insecurity of webapps. OTOH, I'm impressed by the buzz, and I argue we should be doing the same thing within Apache - sharing multiple SSL servers over one IP# (still not practical...).

14. In cryptography, the big news was that Skype romped into being the all-time world champion at spreading crypto to the masses, only to be bought by eBay. The drums of cryptowar continue to murmur with today's news that the NSA now spies domestically, so expect the NSA to negotiate a pass with Skype. Also, message digests continue to be all messed up, but it doesn't affect us in app space yet. NIST has still not announced a path forward in message digests nor the venerable Digital Signature Algorithm / Standard.

15. My predictions back in 2005 - The Year of the Snail weren't so bad. Predictions for next year coming up, if there is time before it hits us.

Thanks all to the readers!

Addendum: Some other predictions I've seen:

  • tqbf's Pro-Forma '05-'06 Punditry Results

Posted by iang at December 14, 2005 02:25 PM

Why is there no vested interest in security? The users of computers on the internet really hate dealing with people and love dealing with their computer. So finding a vested group of abused and battered users to rally behind the battle flag and charge is like trying to mate two porcupines with reproductive systems designed by Rube Goldberg. Even if it could be done it wouldn't be pretty or very effective. The plain old truth is we need a Canada, a place where it is OK to delay success and claim victory somewhere south of the border as an overnight wonder. I suggest massive attacks might be launched on the society of abused porcupines by groups of hackers leveling everything they have. The victory is all but won by the hackers, scam artists, and other methods used to separate porcupines from their loved ones. This method will allow a repository of information to be developed that the porcupines will not share with others, and when the world is leveled by the ultimate threat, the secret army of Doctor Zin and his take-out specialist, the only thing standing between destruction of the free world and the Evil Army of Dr. Zin will be porcupines who could care less what happens to anyone. The secret weapon of the porcupine is ignoring everything. Many claim to be porcupines but are really wolves in porcupine clothing. I suggest testing be conducted to determine the nature of the porcupine and embed an insurgent force within the ranks of the porcupines, altering the nature of the beast so that when Zin arrives and we all grab our ankles we have porcupines to rest our heads on.

Posted by: Jim Nesfield at December 16, 2005 06:45 AM

> But Microsoft also moved backwards one step IMO by going for the
> "shared database of phishing alerts" idea pioneered by Netcraft.
> Computer scientists and security gurus are still scratching their heads
> over how that is ever going to work, given that it never worked the
> other several hundred times we tried it.

Hasn't stopped google from trying it either :)

Posted by: Duane at December 16, 2005 09:37 AM