A quantum leap

Remember, that (not) a great many days ago I posted some bits on crypto ..? There’s a new twist to it all, after the venerable Bruce noted that some agency started a new, this time ’round bit more fundamental round, on crypto algorithms. And then, some notes on the approach of quantum computing. Well, the latter is still five to ten years off (current estimates; could be three, could be twenty, as such estimates go).
But impacting. So, the following flew by:
CryptographyChart-1-482x745
Which explains a lot, hence I just wanted to pass it on. Bye for now.

The end of blockchains ..?

Some thought on where ‘money’ is going.

On the one hand, there will still be the fear that the ultimate-spread of blockchain’s control could quite easily devolve into coalitions and cliques, if not worse, when the heavyweights out there put their (computing) power to it — and what damage would quantum computing do, or could that (be made to …!?) turn the tables in the absolute opposite direction ..?
We’d be back at square one, with the general public having to trust some ‘trusted’ third party/parties and how dismal is what we have produced in terms of ‘governments’ through the ages. Or, in the opposition, trust nirvana nears ..?

On the other hand, we have the (d!)evolution of money through the ages already, when after barter trade money was introduced as neutral intermediary — in the form of value-preserving, rare hence very difficult to (re)produce and hopefully hard to fake goods like gold. Then, we switched to more abstract money media, with an intellectual exchange-ability to back to gold through the gold standard. Then, even further off, that link was released and we ended up with thin air as cover for our ‘money’ as it stands today. The cover, convertibility, is some vague notion of some abstract constructs (and as said, very often failed before or slowly is, as we write) like ‘the government’ that would repay all ‘money’ lost with … drum roll … ‘money’!
And, with blockchain technology and trust, we’re moving even further off. Combine this with Graeber’s Debt, and we have an even thinner notion of where we are and are going with the whole concept. ‘Money’ being no zero-sum game as it is created by (almost) full-sum net debt increase to start with. No wonder other initiatives spring up, time and time again following the latest possibilities created by, e.g., decreases in transaction costs (including agency theory style) by the birth of the Internet. All focused on Trust in one way or another, to do business in order to satisfy one’s Maslovian needs. (Or not; see some previous posts e.g. here.)

Well, I’ll leave you to consider your sins, with:
20150911_173935
[Sheltering under bare money-making, for fun; Amsterdam]

Predictions 2014 the InfoSec edition


[DUO Groningen (couple of years ago), where a leak led to many a student’s funds were defrauded. Looks original, is just chasing outer effects]

So, some of you have seen my Predictions 2014 including the update or two, and other posts on developments in the Information world at large.
But what you desparately needed, awaited before even starting on the Christmas decorations (for those in the West), and held out any shopping for food or beverage for, I know, I know [Heh, that’s the opposite of Unk Unk’s ;-], is my completely and utterly unpretentious predictions for the Information Security arena of 2014.

Well, here we go then:

Advanced Persistent Threats will blossom like weeds (not wiet!) in 2014. APTs being the ultimate blended threats to confidentiality of information. There may be cases of government-on-government espionage, that highlight the ‘modern’ squared or cubed variant of traditional intrusion & spying (information exfiltration) work. But moreover, there will be incidents much publicised where business-on-business espionage, possibly helped by shady government agencies, is outed as more than a theoretical possibility. Of course, you all know that this is nothing new, but the general public will demand an answer from some Board members and State secretaries here and there (literally) of victims and perpetrators (denial becoming less if at all plausible). These answers will be the definition of lame. The infosec industry will rush to develop (maybe not yet fully utilise) the market; contra but hush-hush, also pro…

Certificate vulnerabilities will be shown to be a factor of import. Yesterday’s unprotected printer WiFi, will be the current certificates being stolen or manipulated. Bot victimisation of clients will be less by trojan planting and more by means of hijacking certificates (‘Certjacking’? You read it here, first! [Update to add: well, in this spelling …]) to do … sort of low-level ID / trust theft. This will not be explained nearly well enough to the general public to get them concerned, but with tech-savvy CIOs and IT managers, this will give a stir. And major sweeps through the own infra. And not much by means of future better cert management.

Crypto-failures. Cryptography, as far as actually implemented at all (some ‘implementations’ may embarassingly be found out to be done on paper only!), will show to have failures in at least two ways: procedural errors will lead to (much publicly visible) non-availability of information, e.g., when asymmetry isn’t implemented well due to lack of understanding of bureaucrat procedures writing committees mumbling and fumbling about; and by public demonstration of bad technical implementation, the coding being so shoddy that the strength of crypto will drop to n-day crackability (with 0 < n < 2 I guess).

Quantum computing, on the plus side, for crypto, will see its first practical proofs of concept. Where the PoCs are used to protect the most secret of some government’s information, but with that information having to be used by the most bumbling-about officials hence the overall end user -to- end user effectiveness being close to zero and helping any and all attackers (rogues, organised or not; state(-sponsored) organisations, etc.) to learn about tentative, among them maybe class-hack, attack vectors.

Methodological innovation in information security. As already discussed earlier, and here, and here, and with OSSTMM, and before that in quite some other posts as well. Now, also Docco joined the fray, advising SMEs from the accountancy side … Which shows this prediction for 2014 is already hatching.
On this item, we will see much improvement. E.g., combining the OSSTMM framework with SABSA. Combining the rebooted CIA with the fresh install of the (alternative to the) ‘15.5 risk’ management approach via the OSSTMM framework. And so on. Interesting! Want to contribute!

I’ll leave these here for you to follow up. When (not if) I’m right on any of the above: Yeah, see? Told you so! And if (not when) not all five are square-on: Hey, they’re only predictions! Don’t shoot the messenger that only conveyed the message of the Great Engineer Behind The Scene.
Though I would like to receive a bottle of good (I mean, really good) red Bourgogne for each prediction that shows to be somewhat right; at the good side of 50-50. Any takers?
The opposite, I can unfortunately not do as it would have way too many takers…

Maverisk / Étoiles du Nord