There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.
With minor formatting changes, the following is from my email of April, 2010.
Regulation E style accountholder liability limitation will be extended to commercial accountholders with assets below some reasonably large value by 12/31/2010. Why: ACH and wire fraud are an increasingly large, and increasingly public, problem. Financial institutions will accept regulation in order to preserve confidence in the on-line channel.
An episode of "state-sponsored SSL certificate fraud/forgery" will make the public press. Why: There is insufficient audit of the root certs that browser vendors innately trust, making it sufficiently easy for a motivated attacker to "build insecurity in" by getting his untrustworthy root cert trusted by default. The recent Mozilla kerfuffle over CNNIC is a harbinger of this. Similarly, Chris Soghoian's recent work will increase awareness of this issue enough to result in a governmental actor who has done it being exposed.
But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one
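The second prediction rests on the point that nobody audits what the default trust store actually contains. The defensive counterpart is a trust-store audit: record the roots you reviewed and approved, then diff the live store against that baseline so a root that appears without review gets noticed. The following Python is an added example, not code from the original post or from any project it mentions. The sample store entries and the baseline are constructed for illustration; they mimic the dict shape that Python's `ssl.SSLContext.get_ca_certs()` returns, and `audit_live_store` is an assumed helper that runs the same comparison against the interpreter's default CA store.

```python
"""
Trust-store audit: report root CAs that are not on a pinned baseline.

Added example (not from the original post). It assumes a baseline of
(subject commonName, serialNumber) pairs recorded when the trust store
was last reviewed; anything the live store holds beyond that is flagged.
"""
import ssl

# Constructed sample entries in the dict shape returned by
# ssl.SSLContext.get_ca_certs(): 'subject' is a tuple of RDNs, each RDN a
# tuple of (attribute, value) pairs; 'serialNumber' is a hex string.
SAMPLE_STORE = [
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Example Trust"),),
            (("commonName", "Example Root CA"),),
        ),
        "serialNumber": "01",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        # Constructed: a root nobody reviewed, present in the store anyway.
        "subject": (
            (("countryName", "XX"),),
            (("organizationName", "Unknown Org"),),
            (("commonName", "Surprise Root CA"),),
        ),
        "serialNumber": "0A1B",
        "notAfter": "Jan  1 00:00:00 2035 GMT",
    },
]

# Constructed baseline: the roots a reviewer explicitly approved.
BASELINE = {("Example Root CA", "01")}


def common_name(subject):
    """Pull the commonName attribute out of an RDN-sequence subject."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def cert_key(cert):
    """Identity used for comparison: (commonName, serialNumber)."""
    return (common_name(cert.get("subject", ())), cert.get("serialNumber", ""))


def unexpected_roots(store, baseline):
    """Roots present in the store that were never approved (sorted)."""
    return sorted({cert_key(c) for c in store if cert_key(c) not in baseline})


def missing_roots(store, baseline):
    """Approved roots that have vanished from the store (sorted)."""
    present = {cert_key(c) for c in store}
    return sorted(k for k in baseline if k not in present)


def audit_live_store(baseline):
    """Assumed helper: run the same diff against Python's default CA store.

    Note that get_ca_certs() only lists certificates the context has
    loaded; CAs in a capath directory appear only after first use.
    """
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return unexpected_roots(ctx.get_ca_certs(), baseline)


if __name__ == "__main__":
    for key in unexpected_roots(SAMPLE_STORE, BASELINE):
        print("unexpected root:", key)
    for key in missing_roots(SAMPLE_STORE, BASELINE):
        print("approved root missing:", key)
```

Run against the constructed store, the audit reports `Surprise Root CA` and nothing missing; pointing `audit_live_store` at a real baseline turns the same logic into a periodic check that a root added by an OS update, a management agent, or anything else is at least seen before it is trusted.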
I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.