2019: ~~Great~~ Grim Expectations - Update
It's time to review my predictions for 2019! See https://www.dhirubhai.net/pulse/2019-omg-we-all-doomed-rob-baskerville for the predictions.
Quantum Computing will continue to have exactly the same impact as it did last year, ie absolutely none.
SCORE: Spot on! A few wild claims, nothing substantive. Lots of hype.
Prepare Now For 2038: It sounds like a long way off, but this month we reach a mere 19 years to the 32-bit Unix Clock Rollover (03:14:07 UTC on Tuesday, 19th January 2038). If you are building systems now in, say, Public Cloud, it would be a good idea to specify 64-bit architecture all round because some of these systems are likely to still be around by 2038, and you don't want your systems to suddenly think it's 13th December 1901.
SCORE: A few actual wins here, so awarding myself 100%. Notably, tested out the full stack involved in AWS CloudHSM which, for interesting reasons, one should probably set up with a really long life TLS Certificate from a really long life CA. Passes with flying colours, so it looks like time_t is 64-bit all the way through the command line client, the Linux AMIs, and the CloudHSM itself.
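A quick way to run the same check on any build you care about: an added example, not the author's CloudHSM test. It reports the width of time_t on the current platform and shows what a legacy 32-bit clock does one second after the limit (the constant is the well-known 2^31 - 1 epoch second).

```c
/* Y2038 check: does this build's time_t survive the 32-bit rollover? */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Last second a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC. */
#define UNIX_Y2038_LIMIT 2147483647LL

/* 1 if time_t on this platform is at least 64 bits wide. */
int time_t_is_64bit(void)
{
    return sizeof(time_t) >= 8;
}

/* Add seconds to a 32-bit epoch value with two's-complement wraparound,
 * i.e. what a legacy 32-bit time_t actually does at the rollover. */
int32_t add_seconds_32(int32_t t, int32_t seconds)
{
    return (int32_t)((uint32_t)t + (uint32_t)seconds);
}

/* Calendar year (UTC) of an epoch value, or -1 if the platform cannot
 * convert it. The cast to time_t truncates on a 32-bit build, which is
 * exactly the failure being tested for. */
int year_of_epoch(int64_t epoch)
{
    time_t t = (time_t)epoch;
    struct tm *tmv = gmtime(&t);
    if (tmv == NULL)
        return -1;
    return tmv->tm_year + 1900;
}

int main(void)
{
    int32_t wrapped = add_seconds_32((int32_t)UNIX_Y2038_LIMIT, 1);
    printf("time_t is %zu bytes (%s)\n", sizeof(time_t),
           time_t_is_64bit() ? "64-bit, OK past 2038" : "32-bit, WILL ROLL OVER");
    printf("2^31-1 + 1 on a 32-bit clock -> year %d\n", year_of_epoch(wrapped));
    printf("2^31-1 + 1 on this build      -> year %d\n",
           year_of_epoch(UNIX_Y2038_LIMIT + 1));
    /* Non-zero exit makes this usable as a build-time gate in CI. */
    return time_t_is_64bit() ? 0 : 1;
}
```

Compile it as part of the image or AMI build you are validating; a 32-bit time_t shows up as the 1901 year on the last line and a non-zero exit status.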
Crypto: No major new crypto algorithm breaks will become public. Plenty of code, key handling, and procedural errors will result in specific crypto failures though. Plus ça change, plus c'est la même chose….
SCORE: Good call, 100%. Interestingly, the lack of reliable auditability in some of the major breached systems means that the assertions published by the organisations concerned are really just so much smoke & mirrors. You need to not only log activities in detail, but have that log located somewhere that is still protected should the system itself get compromised. This is not difficult IF you think of it in advance.
Key management and generation continue to cause widespread problems because they are really easy to mess up even if you know what you are doing!
Blockchain: Greater understanding of blockchain technology and its appropriateness to various solutions should result in the collapse of the market for blockchain solutions by end of 2019.
SCORE: Well I'll give myself half-marks here, 50%. Whilst the market has not collapsed, it remains full of more hype than real live implementations (excluding Bitcoin, the one thing to which Blockchain is actually reasonably well-suited), is not growing (if one sensibly ignores the pilots and test implementations which don't actually go anywhere), and is unlikely to make anyone rich except a few salespersons. It still suffers from the >50% problem (a bit like UK Politics).
Here are some handy flow-charts to help you decide whether or not you need Blockchain.
Crypto Mining: the cost/benefit ratio will mostly kill off attempts to steal compute power for mining, except maybe for one or two companies who fail either to protect or to monitor their Public Cloud usage who will find that they have rather large bills. In many cases, these organisations will be alerted by the Cloud Provider, since the major players are now monitoring for anomalous usage patterns.
SCORE: Pretty high, say 90% correct. I've not seen any significant compute power stealing for mining. Public cloud providers all now seem to monitor for anomalous demand, which is good.
Targeted Phishing Attacks: will become more numerous. Mass untargeted attacks have a poor return rate and are increasingly filtered out by automated systems pooling detections across communities.
SCORE: Spot on. Significant amounts of this are taking place. Strong Form Impersonation is becoming more prevalent, and this is making things more difficult for end-users. Consider technologies like Tessian to undertake the heavy-lifting on this.
NCSC now recommends that commercial (not just government) organisations should use transformation of data via simple formats to defeat malicious content. No one will actually do this though, because even in government organisations this is not done at the OFFICIAL tier, and not often even at higher tiers (SECRET/TOP SECRET). But if you want to break ranks and actually try it out you could do worse than try Deep Secure[0]; simple formats work - they keep complex threats at bay.
SCORE: Almost spot on. Most organisations do not bother, though UK Govt systems are doing better in this respect. But the NCSC recommendation is for non-Govt organisations, so it has failed to have much impact thus far, so giving myself 100%.
Cloud Threats: an unexpected cloud threat will catch some organisations unawares; the inability to restrict many SaaS offerings to specific sources on a per-customer basis means that systems and data previously accessible only by using corporately owned & managed devices can unexpectedly be accessed, with the user’s credentials, from any device on the Internet. This opens up extensive new risks to the confidentiality and integrity of corporate data. Note that there are some SSO solutions which can be used to reduce or even eliminate this risk.
SCORE: A good call, say 80%. Many organisations seem to be struggling with secure Container configuration. Kubernetes in particular is often being configured without controls on traffic source. Databases have been left exposed to the Internet without even requiring any credentials, much like the now-less-common issue with S3 Buckets in AWS. Many organisations, even ones which have got to grips with management of privileged access for on-prem systems, seem to have forgotten the basics in this regard when they dive into Public Cloud - allowing shared privileged accounts, and giving third parties highly privileged access.
Brexit: the problems around this will be resolved through Quantum Computing Blockchain Public Cloud Crypto Mining Freight ROROROFerry Take-Away Delivery processes. Simples!
SCORE: Well kind of wrong - NOTHING has resolved any problems around this yet. Don't hold your breath, so 0%.
Total: 7.2 out of 9, which is 80%. A fair pass, methinks!