Predictions for 2010
In December of 2009, Bill Brenner from CSO Magazine asked me what to expect from 2010. I’d actually never done one of these “predict the future” writeups before, but I took a shot at it. Bill ended up posting the more CxO of these. Here’s (roughly) the full set:
1. Economics will cause a few members of the “Old and Hoary Prediction Club” to finally come true.
One of the defining laws of security in general can be thought of as: “What could possibly go wrong is much more than what actually does.” Most bad things do not happen because they’re prevented. They don’t happen because “the bad guys” simply do not choose to do them. But this is truly the first major economic recession of the Information age, and whatever the numbers say, a *lot* of people are struggling. That’s motive. People who struggle get creative, by which I mean “start doing creative and profitable things they heard about”. Not everything that’s been predicted in previous years will come true, but at the end of 2010, look back to predictions for 2007, 2008, and 2009. Some of the wrong ones will have happened. One in particular is number two on this list:
2. Cyber extortion will finally enter the public consciousness.
There’s no good data on — wait, this is security. There’s not much in the way of good data on *anything*. But, facing a credible threat to a downtime sensitive, computer driven infrastructure, extortion demands do in fact get paid. Sometimes the system is large, like a public utility or a manufacturing facility. Sometimes it’s not exactly on the side of angels, like an online gaming establishment. And sometimes it’s just some random mom and pop, or even citizen, being told to spend $50 if they ever want to see their documents again. There’s no good way of knowing how big a problem this has been, but this may be the year that extortion, like credit card fraud and even more like identity theft, becomes part of the national conversation. Expect stock filings to start having to disclose unexpected expenses, some truly ill-advised marketing campaigns by security vendors, backlash (not at all entirely undeserved) that the threat is being wildly overblown, and continuing aggression towards the channels by which the extortionists get paid.
3. Prosecution for cybercrime will begin in earnest, starting with the sloppy rich.
Albert Gonzalez, one of the hackers behind the Heartland and 7/11 attacks, reportedly spent over $75,000 on a birthday party. The worst of the worst know to keep far lower profiles, but what that party should tell you is that there’s a lot of low hanging fruit for law enforcement to scoop up, with some serious ill-gotten gains to recover.
As a corollary to this, the international jurisdiction problem that has stymied prosecutions in the past will be dealt with — possibly by agreement, maybe by treaty, and maybe even (if you will forgive me speaking about things I truly know little about) the application of anti-terrorist compacts to cybercriminal activity. Put simply, there aren’t enough terrorists, and the ones there are, are political hot potatoes of the first order. The cybercriminals will have far less baggage.
4. Data sharing will struggle, but will actually begin — driven by compliance requirements and the push for “public/private partnership”
One of the great challenges of security is operationalization: Sure, there are small cadres of attackers and defenders who know how this field works, but spreading them thin across the industry as consultants doesn’t scale. To make a real difference, the knowledge of a few must be pushed into process for many. Existing efforts along these lines — involving compliance regimes — have actually achieved more penetration than they’re given credit for. People are actually doing what the rules say. But the rules, without naming names, can leave something to be desired. In the face of deep compromises of fully compliant systems, the standards bodies will lay the blame on insufficient data sharing between victims. Right or wrong (and, given the terrible state of data in security, more the former than the latter), this will lead to American legislation centered on funding an LE clearinghouse for, and a yearly report on, attacks seen against American cyber assets. Compliance standards, by and large, will compel participation in this regime. (There’s a small chance this effort will be fast-tracked by end of 2010, but only in the face of a front-page-news scale attack — if I was to predict an example, electronic interference with military-related logistics within a civilian supplier. Otherwise, it will be a program that is well underway, but not operational by end of year.) Europe will follow.
5. Ineffective security technologies will finally get called out as such, but not without cost
Many cyber defense technologies do not work. Specifically, given a large sample of environments with the defense, and a large sample without, differences in infection rates between the former and the latter will not in fact be statistically significant. Some that do work, only work through the multicultural effect: The defense simply doesn’t have enough market share to spawn evolution in attackers. Figuring out what doesn’t work, what won’t work in the long term, and what’s a genuine defensible security boundary will become a major driver for the next generation of compliance standards. Given the money at stake, expect this process to be brutal and politicized.
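The test implied above, comparing infection rates in a defended sample against an undefended one, is easy to get wrong by eyeballing percentages. The following is an added example, not part of the original post: a pooled two-proportion z-test over constructed counts (the numbers are invented to illustrate one defense that makes no measurable difference and one that does), plus the per-arm sample size you would need before a given difference could be detected at all.

```python
"""Is the infection-rate difference between environments with a defense
and environments without it statistically significant?

Added example with constructed data; the counts below are invented."""
import math


def two_proportion_ztest(x1, n1, x2, n2):
    """Two-sided pooled z-test of H0: p1 == p2.

    x1/n1: infected / total environments *with* the defense
    x2/n2: infected / total environments *without* the defense
    Returns (rate_with, rate_without, z, p_value).
    """
    if min(n1, n2) <= 0:
        raise ValueError("sample sizes must be positive")
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # every environment infected, or none: no information
        return p1, p2, 0.0, 1.0
    z = (p1 - p2) / se
    # Two-sided tail probability of the standard normal via erfc
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return p1, p2, z, p_value


def verdict(x1, n1, x2, n2, alpha=0.05):
    """Summarise the test as a dict; 'significant' is the only field a
    compliance argument should be allowed to lean on."""
    p1, p2, z, p = two_proportion_ztest(x1, n1, x2, n2)
    return {
        "rate_with": p1,
        "rate_without": p2,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
    }


def required_sample_size(p_with, p_without, z_alpha=1.96, z_beta=0.8416):
    """Environments needed *per arm* to detect the difference between
    p_with and p_without (two-sided alpha=0.05, power=0.80 by default).
    Standard normal-approximation formula for two proportions."""
    if p_with == p_without:
        raise ValueError("no difference to detect")
    p_bar = (p_with + p_without) / 2
    a = z_alpha * math.sqrt(2 * p_bar * (1 - p_bar))
    b = z_beta * math.sqrt(p_with * (1 - p_with) + p_without * (1 - p_without))
    return math.ceil(((a + b) / (p_with - p_without)) ** 2)


# Constructed samples: 1000 environments per arm.
# Defense A: 48 infected with it vs 52 without.  Defense B: 20 vs 52.
DEFENSE_A = (48, 1000, 52, 1000)
DEFENSE_B = (20, 1000, 52, 1000)

if __name__ == "__main__":
    for name, counts in (("A", DEFENSE_A), ("B", DEFENSE_B)):
        v = verdict(*counts)
        n = required_sample_size(v["rate_with"], v["rate_without"])
        print(f"defense {name}: {v['rate_with']:.3f} vs {v['rate_without']:.3f}, "
              f"z={v['z']:.2f}, p={v['p_value']:.4f}, "
              f"significant={v['significant']}, need ~{n} per arm")
```

Defense A's 8% relative reduction is invisible at this sample size; the sample-size function shows it would take tens of thousands of environments per arm to see it, which is the sort of number a vendor claim rarely comes with. Defense B's effect is large enough that a few hundred per arm suffice.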
6. The Cloud will get worse before it gets better. But it will get better.
The Cloud is *going to win*. I don’t know how else to say this: It’s faster. It’s better. It’s cheaper. But there are security issues, and they’re not simply the sort of problems that can be worked out by taking a CIO out to golf and promising everything’s going to be OK. Genuine, technical security faults in cloud technology will garner a huge amount of attention. It may appear to some that all is lost. But the faults will be addressed, because existing investments are so very high. And anyway, it’s not like the status quo is anything to be proud of.
7. DNSSEC will continue its inexorable progress towards replacing X.509.
According to Verizon Business, 61% of compromises can be traced back not to vulnerabilities, but to failures in authentication. Technically impressive attacks are fun and all, but no passwords, bad passwords, default passwords, and shared passwords are the bread and butter of real world exploitation. (That, and SQL injection.) PKI was supposed to eliminate this password problem, ages ago, but it didn’t exactly work out. We built PKI on X.509 — but X.509-based PKI was obviously a scalability non-starter in 2002. That it’s still the best we have going into 2010 is an embarrassment. 2010 will see major DNS TLDs — and yes, I predict .com will get something up early, alongside the July 2010 signing of the root — spin up DNSSEC operations. And then…no, the Internet will not become safe overnight, and there will be some snarking about “well, what now?”.
By end of year, we’ll see what: A stream of security products, previously unable to scale due to their dependency on X.509, will transition their trust systems over to DNSSEC. And then the race in 2011 will be for much larger suppliers to adapt to the architectural shift their scrappier competitors have shown to be viable.
That being said, there’s at least a 25% chance politics will scuttle all of this, and we’ll be stuck with our auth-driven 61% (which I don’t see getting better anytime soon, compliance or not).
8. “Personalized Prices” — price discrimination via identity-discovery technology already deployed for targeted advertising — will become a fundamental battleground in the privacy wars.
Let’s be honest: The Web knows who you are. For over a decade, identity discovery technologies have been deployed on major websites simply to better target advertising. Beyond banner ads, major e-commerce sites like Amazon have discovered that the right product shown to the right user at the right time will significantly improve sales. But in 2010, expect to see discovery of something much deeper: A major e-commerce site will be discovered to have significantly altered prices based on prior, disturbingly detailed knowledge of the particular user browsing their site. Put simply, different users have different sensitivity to prices, but traditional retail has always had too high friction to exploit this efficiently — a price tag is a price tag, for everybody. But online, everybody can technically receive a “personalized price”, tuned precisely to the likelihood that they’ll buy.
There have been some rumblings in this direction already — witness the recent claims (apparently inaccurate) regarding a retailer raising their prices in the presence of Bing’s Cashback scheme (http://bountii.com/blog/2009/11/23/negative-cashback-from-bing-cashback/) — but nothing compared to what will be unambiguously proven in 2010. Small guys will use IP Geolocation and ZIP Code databases to apply a “rich buyer” tax (and perhaps a “high fraud rate” tax) to incoming purchases, but at least one large organization will be found to have thrown serious quantitative analysis against databases of buyer names, addresses, credit scores, average bank balances, previous shopping history (long term and recent), and presence or absence of comparison shopping *for that particular product*. Even social network data may get involved — if one of your friends just bought a Nikon camera, yours may become more expensive since it’s statistically likely you’ve received a word of mouth vouch. If your family is having a wedding (an inelastic demand if there ever was one), your plane tickets could become much more expensive.
The discovery of Personalized Pricing in 2010 will be fascinating to watch. The geeks will immediately start pushing privacy enhancing technologies like Tor, which will suddenly become the cheapest way to shop online — at least, when they successfully block identification, which they won’t always or even often. The marketers, having invested heavily in this technology (and having made ridiculous amounts of money with it), will push an enormous PR campaign, arguing that “Personalized Prices” (get used to it, it’s going to be given a cutesy name like this) mean better deals for consumers. (Indeed, businesses have long since operated under this reality, though some troubling variants re: internal email hacking may be discovered. However, businesses have an entire negotiation class to deal with this reality. Consumers do not.)
Where it will all go wrong is in two places. First, the quants will ultimately have charged protected classes more in some non-zero number of instances. Maybe it’s females, maybe it’s African Americans, maybe it’s just residents of a ZIP code that has been historically “redlined”. The political hay to be made from this, especially going into the American November 2010 elections, will be extensive. Second, it will be realized that e-commerce sites have much more interesting data to steal than even credit card numbers. Significant personal information will show up on Wikileaks, and the question will become:
How the heck did all this data get collected in the first place?
Some will have been provided in previous transactions, though not necessarily with that particular company. But a disturbing amount will have been pulled from deep packet inspection engines at ISPs — and what won’t have come from them, will be sourced to toolbars pushed into people’s browsers. This will change the nature of the Net Neutrality debate entirely…