Shostack + Friends Blog Archive


Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why: ACH and wire fraud are an increasingly large, and increasingly
public, problem. Financial institutions will accept regulation in order
to preserve confidence in the on-line channel.

WRONG!

Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default. The recent Mozilla kerfuffle over CNNIC is a harbinger of
this[1]. Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.
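The "insufficient audit" point above is something a defender can act on locally: take the CA bundle a system actually trusts, fingerprint every root in it, and flag anything not on a baseline you have reviewed. The script below is an added illustration, not code from this post or from Mozilla; the bundle it audits is constructed from placeholder bytes (not real X.509 certificates) so that it runs offline, and the allowlist is just the fingerprint of the one placeholder you are assumed to have reviewed.

```python
"""Audit a PEM CA bundle against an allowlist of root-certificate fingerprints.

Added example, stdlib only. The sample bundle below is constructed from
placeholder bytes; point audit_bundle() at a real bundle (for example the
file your OS or browser ships) and at a baseline you maintain yourself.
"""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")  # already newline-wrapped
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def split_bundle(bundle: str) -> list:
    """Return every PEM certificate block found in a bundle, in order."""
    return PEM_BLOCK.findall(bundle)


def audit_bundle(bundle: str, allowlist: set) -> dict:
    """Classify each certificate in the bundle by fingerprint.

    Returns {"expected": [...], "unexpected": [...]}; anything in
    "unexpected" is a trust anchor nobody on your side has signed off on.
    """
    result = {"expected": [], "unexpected": []}
    for pem in split_bundle(bundle):
        der = ssl.PEM_cert_to_DER_cert(pem)  # strips armour, base64-decodes
        fp = fingerprint(der)
        bucket = "expected" if fp in allowlist else "unexpected"
        result[bucket].append(fp)
    return result


# Constructed sample: two placeholder "roots", only one of which was reviewed.
TRUSTED_DER = b"constructed placeholder for a root you have reviewed"
ROGUE_DER = b"constructed placeholder for a root nobody reviewed"
SAMPLE_BUNDLE = make_pem(TRUSTED_DER) + make_pem(ROGUE_DER)
ALLOWLIST = {fingerprint(TRUSTED_DER)}

if __name__ == "__main__":
    report = audit_bundle(SAMPLE_BUNDLE, ALLOWLIST)
    print(f"{len(report['expected'])} expected root(s)")
    for fp in report["unexpected"]:
        print(f"UNEXPECTED trust anchor: {fp}")
```

In practice the allowlist is the interesting part: a fingerprint list exported from a root program you have decided to trust, diffed against what the host really ships, surfaces exactly the kind of quietly-added anchor the prediction worries about, and the diff is cheap enough to run on every build or deployment.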

Right!

But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too).

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

One comment on "Niels Bohr was right about predictions"

  • Dave Birch says:

    “But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too.”

    I’m not so sure that it didn’t happen before the end of 2010 but was unreported. So give yourself 5/10 at least!
