Pro-Forma ‘06 Punditry Results

Thomas Ptacek | January 3rd, 2007 | Filed Under: Industry Punditry, Uncategorized

Our ‘07 predictions will arrive shortly, better late than never. In the meantime, I now have a track record to defend. I made 5 predictions for ‘06:

  1. A Windows Vulnerability Drought

    I predicted that Microsoft’s (substantial) investment in Secure Development Lifecycle practices and outside security review would pay off.

    Result: Partial Credit

    Anyone who reads DailyDave knows that the trend away from trivial Windows vulnerabilities built momentum during 2006; Halvar even posited that Asian Organized Crime would start dumping clientsides into malware, now that the writing is on the wall for reliable exploits. But while I think I hit the letter of this prediction, I missed the spirit, which is that there would be drastically fewer Windows vulnerabilities in 2006. If there were fewer, it wasn’t drastically so.

  2. A B-List Business Fatality Due To Identity Theft

    I predicted that a second or third tier company would go out of business due to compromised inside information.

    Result: No Credit

    What happened instead? A continuing stream of disclosures from large organizations about massive losses, no apparent business impact, and a gradual desensitization to announcements about stolen social security numbers. The Payment Card Industry (PCI) standards did get tougher, though, so there may have been D-list fatalities owing to small businesses not managing to get certified.

  3. .NET, Managed Code, and CAS Don’t Make A Dent

    I predicted that managed code and high-level languages weren’t going to have a real impact on security.

    Result: Full Credit

    This was a lay-up, but just to rub it in: 2006 seems to have been a debacle year for the security of deployed web applications, most of which are built in “safe” languages. There are plenty of holes to be found in Java apps; they’re just different holes. I promise not to cheat and make this prediction again.

  4. A Credible Open-Source SIM

    I predicted that, just as SourceFire commoditized and co-opted the IDS market, a nascent open source project would challenge SIM products like ArcSight and Cisco MARS.

    Result: No Credit

    What’s taking you guys so long? Getting spooked that all the money seems to be going to log management? That’s exactly the dynamic Snort charged in to! Get with the program!

  5. Side-Channel and Timing Attacks Go Mainstream

    I predicted that side-channel attacks on crypto algorithms would become a standard tool in the attacker arsenal in 2006, much as John the Ripper was in the ’90s.

    Result: Partial Credit

    Yeah, so it was a banner year for side-channel findings on popular crypto implementations. I said, “we’re approaching a point where localhost ‘nobody’ will equate to key recovery”. And, yep! On the other hand, the spirit of my prediction was that we were going to start seeing popular tools like Crack and JtR to steal RSA keys. We don’t, yet. But we will, soon. And this is a problem that virtualization, an inexorable trend in IT and application hosting, exacerbates: localhost nobody on your own Xen image can probably get you keys off your neighbor’s Apache SSL image.

If you give me -1 points for “No Credit”, 0 for “Partial”, and 1 for “Full”, I came out at -1: just slightly untrustworthy! Keep watching for this year’s predictions, which I predict will be a 50/50 bet for this time in 2008.
