Root Causes 349: 2023 Lookback - Overall Trends
We look back at PKI in 2023. Trends include artificial intelligence, enterprise crypto agility, the fall of OCSP, PKI everywhere, the weakness of passwords, and government versus the internet. We also look at last year's predictions and compare them to the year's events.
- Original Broadcast Date: December 18, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, ‘tis the season and as we do near the end of the year, we do a lookback for the previous year. So, we are doing our 2023 lookback. We already did one episode that was just on shortening certificate lifespans and if you haven’t listened to that, it’s definitely worth listening to. Here, we want to cover other things other than that topic but, uh, what you and I want to do this year, which is a new thing – this was your suggestion – is let’s look at the predictions we made last year and see how we did. I’m scared. You wanna do that?
-
Jason Soroko
I’m less scared. I think we did pretty good.
-
Tim Callan
I think we did fine. So, I looked back through our episodes, and I found two episodes where we made predictions. It was our Episode 262, The Continuing Erosion of Online Identity, which was a lookback episode and there was our Episode 264, Cryptoagility for 2023, which was a look forward. And the big thing that we talked about with the Continuing Erosion of Online Identity was that really, we predicted that deepfakes would really take off. That 2023 was gonna be the year of the deepfake. We didn’t say it in those words but that was our idea and that definitely proved to be the case for sure.
-
Jason Soroko
Tim, was that ever the case. I remember the date that we actually recorded that podcast and then soon after, the media caught up to that very unfortunately. And we were so right that it was a little spooky. I didn’t want to be that right. I didn’t want you to be that right on that one. That was terrible.
-
Tim Callan
And we really saw 2023 is where deepfakes, especially of audio just became part of the spear phisher’s toolkit in a real basic way and we saw fake ransom, we saw spear phishing attacks with fake voicemails and this just sort of got built in as part of how that whole process ran and so that was one of the big things that happened in 2023 and we did predict that. The other thing when we look at crypto agility for 2023 we had - - I mean, here, I’ll rattle off. Here’s the four things we predicted.
Crypto agility for public cloud increases in visibility. I would say, yeah, that happened.
Public CA independence increases in importance. I would say, yeah, that happened.
Consumer adoption of WebAuthn begins. Definitely happened. For sure. That one was big. There were a couple big announcements in that regard.
And then, post quantum cryptography shows up on the enterprise’s radar. And this last one I want to unpack because not even 2023 but the latter half of 2023 all of the sudden this PQC story just opened up. Like you and I have been talking about this for four years and suddenly in the last four months, it’s all over the place.
-
Jason Soroko
Yeah. I gotta say, I gotta credit Bruno Couillard, one of our guests on Root Causes Podcast. He was one of the folks who has said, look, it’s been sitting around as a topic for a long time, but the U.S. Government has put this into a higher gear and a next level and, boy, was he ever right because after he said that you started reading about all of those things that were related.
-
Tim Callan
Yeah. And it’s all over now. Like lots of just ordinary IT professionals who are not cryptographers, who are not quantum computer people who are not focused on this, suddenly are aware of it and aware that it’s coming and aware that something is going to be done. Right? And that really has occurred. Again, not just even in the last year but in the last half of the year and so we really saw that happen.
Now, what’s the big thing we missed?
-
Jason Soroko
Hit me.
-
Tim Callan
AI baby. AI.
-
Jason Soroko
I gotta tell you though, I gotta tell you, we definitely hit the topic. We definitely covered some interesting things about it, you know, in terms of a large language model part of AI. We talked about topics very, very early on such as prompt injections. But, I think where you are going, Tim, is the sheer scope and scale of how AI - -
-
Tim Callan
Absolutely.
-
Jason Soroko
I don’t know if anybody could have seen that.
-
Tim Callan
Nobody. I mean we are in very good company for not understanding the way that was gonna absolutely explode and how it was gonna affect everything. So, I’m not beating myself up too bad about that one but that would be the big one I don’t think that we really covered and that obviously was the story of the year. So, with that, you want to segue to our lookback on what actually happened?
So, I’ve got a list of eight bullets here and the first one is, it’s all about AI, right? You and I talked after RSA. Right? We did our post-RSA Conference wrap-up which we always do, and I commented on the fact that there was almost no mention of artificial intelligence on the show floor at RSA. It wasn’t in the programs. It wasn’t in the speeches. It wasn’t in the booths. And at the time, I speculated that that’s because RSA is a long lead event. You know. You are putting in your calls for presentations almost a year ahead of the event. Like 10 months ahead of the event. You are putting together your booth a solid six months ahead of the event. Like AI was just moving too fast for the industry to keep up with it at that event. I am predicting that in 2024 at RSAC, which I plan on going to, that it will be everywhere.
-
Jason Soroko
I doubt you will see a booth without the word somewhere.
-
Tim Callan
Absolutely. Right. And we talked about this in certain years like it was passwordless, another year it was Zero Trust, where it’s just like that’s the hot buzzy term and you literally can’t look around without that word being in your field of vision. 2024, that is gonna be AI. For sure. Artificial intelligence 100%.
-
Jason Soroko
Maybe just a couple extra words on that, Tim. I also do think though, especially for large language models and some other things. I think machine learning has a long way to go but for some aspects of AI, and especially within security, we also might be entering a bit of a trough of disillusionment as well as people realize that they were late but then also realize that they might not be ideally suited to adopting it other than in really simplistic ways and people might end up getting disappointed. So, it could be interesting just to see how things progress.
-
Tim Callan
I mean the prediction to make about AI – and this is our look forward episode and we’ll do that in a separate episode – but the prediction to make about AI is that a year from now it will have surprised us. Like in one way or another it’s not going to be what anybody thinks it is right now. Just as a year ago, today it’s not what anybody thought it was going to be a year ago. Right? And exactly what form that takes, we don’t know because that would actually be a useful prediction if we did. But we know that this is early days and it’s not worked out yet and that it’s going to warp and snake around and slide in ways that we didn’t expect and the technology is gonna look very different in a year than it looks now.
-
Jason Soroko
Sure.
-
Tim Callan
So everything is about AI. That’s kind of an obvious one. Alright. Other lookbacks.
We talked about deepfakes. Right? Deepfakes are indeed part of the toolkit for spear phishing and social engineering in a real basic way and in a way that it wasn’t a year ago. Like in one year it’s just normal.
-
Jason Soroko
It actually is a subset of the AI story as far as I’m concerned, Tim.
-
Tim Callan
Absolutely. We talked about PQC. And again, industry and security professionals really woke up to PQC in a big way. And we already covered that one, but they really did wake up in a big way and I believe, again, we’ll see more of that in 2024.
Ok. New ones.
Enterprises begin to take crypto agility seriously. I’m gonna contend – and note the word begin – I think many, many, many enterprises still don’t take crypto agility seriously, but I think that a year ago or two almost nobody did. Unless you were a major global bank or the Pentagon, you weren’t taking crypto agility seriously. And now, we are seeing many more just large companies that are well-resourced with a lot of stakes where everything is purely digital and if it’s not working right, their whole business is gonna shut down saying we’ve gotta look at automation, we’ve gotta be able to change out our algorithms, we understand that we can’t just sit on something for 40 years anymore and I feel like there was a lot of progress in that regard in 2023 and I think that’s healthy.
-
Jason Soroko
I think, Tim, that I almost want to say that as a 2024 prediction, the term crypto agility, people’s understanding of it and people’s actual adoption of it is gonna be much larger than it ever has been, and I think that that’s fantastic. The underlying piece of that is gonna be just the ubiquity and availability of automation technologies and certificate lifecycle management providing visibility and things like discovery tools. This is important.
-
Tim Callan
And let me tell you what I wish there was more of, and this is kind of picking up what you just threw down there is I wish there was more recognition of the fact that crypto agility most of the time is controlled by certificate agility. That certificates do gate our cryptography most of the time and therefore, pragmatically in the real world if you want to have a robust, visible crypto agile environment what that means is you have to have a robust visible certificate agile environment and I think that connecting of the dots still - - much more of that must be done.
-
Jason Soroko
I think, Tim, there’s a lot of people out there who still haven’t locked onto the mantra of you cannot manage what you don’t know you have. Like, crypto agility, that’s Star Trek compared to that topic. Right?
A lot of people are still at that basic level of getting out of the spreadsheet type of maintenance of their certificates. You’ve gotta get out of that mode. You’ve gotta get into automating. You’ve gotta have visibility. You gotta be discovering things that you don’t know you have on a continuous basis. Those are the things that you - - you have to have those things before you can even begin to think about crypto agility.
-
Tim Callan
For sure.
Alright. Next one on the list – the move away from OCSP.
-
Jason Soroko
Interesting topic, Tim. You know, it’s one of those things you would’ve thought was gonna be there forever.
But, hey, it has a lot to do with shortening certificate lifespans which is from the previous topic we covered.
-
Tim Callan
Yeah. And also there’s a lot of concerns about OCSP. And that falls into two main camps. Number one is there’s a definite potential harm in terms of privacy problems. Definite potential harm and there’s a variety of scenarios and we’ve done a whole episode on this so I’m not gonna belabor it here but there’s definitely scenarios where OCSP can give away the privacy of somebody who is navigating to sites or servers but then the second thing connecting to that is that it is dubiously helpful. OCSP has been described as the seatbelt that breaks when you get in an accident. That, you know, OCSP - - that a reasonably informed attacker can essentially circumvent OCSP at will at which point why is it helping us? Right? The only time we need OCSP is when somebody is committing some kind of exploit and under those circumstances they can circumvent OCSP. So, how does OCSP actually help? And when you put those two things together, it’s actually a pretty damning case against OCSP.
And so what have we seen in the last year? We’ve seen movement away from OCSP. Not just thought but actual movement. We have the CA/Browser Forum ballot that makes OCSP optional. We have a telegraphed intention from the Chromium Moving Forward Together page to say that they would like to get away from OCSP. We’ve got statements from other major root programs and browsers saying they would like to get away from OCSP. So, the tide has turned against OCSP in a pretty big way to the point where I think this is a fait accompli. I think OCSP is a dead man walking and it’s just a matter of time.
-
Jason Soroko
Tim, I’ll put it in real simple terms – revocation is hard.
And OCSP as a technology around revocation for checking is one of those things where if you really put it under scrutiny, it starts to fall apart. As you said, the only way to solve the revocation problem really and truly move away from OCSP completely is shortened certificate lifespans.
-
Tim Callan
Yep. There it is. And I think that’s gonna come about.
Now, that won’t be a done deal in 2024 but we are gonna see definite progress in 2024 and I think in the next few years, we are gonna see OCSP all but disappear.
-
Jason Soroko
Incredible statement. Yep.
-
Tim Callan
Ok. The next one.
What I’m calling PKI everywhere. Now this isn’t just a 2023 thing, but this is a trend that we’ve seen in recent years and it’s continuing and it’s just basically the idea that there’s really nothing digital occurring at all anywhere that shouldn’t be governed by PKI. And we’ve seen just real ubiquitous coverage of that. If you look at a large modern architecture enterprise, they don’t have internal servers that don’t have certs on them. They don’t do that. They don’t have data in motion even inside of their environment that isn’t encrypted. They don’t do that. They don’t have data at rest that isn’t encrypted. They don’t do that. Right? Like, that’s what a modern architecture looks like. And we see it in all kinds of aspects, and I think the headline in this regard for 2023 was really WebAuthn. FIDO2. Right? Where the - - and what Apple called a passkey and I forget – there’s a name for it on Android. I don’t remember what it is. But the idea is that this concept of PKI-based authentication and identity is really on its way to being truly ubiquitous.
-
Jason Soroko
Tim, a couple words on this. We’ve been calling for stronger locks on people’s doors forever. Since the beginning of this podcast. And you are right to say enterprises know it and enterprises are continuously improving to put better locks on their doors compared to say username and passwords. The authentication use case needs to get better and better and better and the last mile, right, the really tough one to crack was the consumer-level authentication.
And I gotta give credit to the folks at FIDO who have been chugging away for years and finally things culminated into WebAuthn because there’s so many standards. There’s a handful of standards that really developed into this and then the adoption by the big tech companies is then what put it over the top. Because I’ve now used Apple’s passkeys. I’ve now used Google’s version as well and I’ll tell you what – we’ve always said, Tim, once you’ve implemented better door locks, better authentication, stronger authentication, it also makes the user experience better and sure enough, it did. Bravo, guys. You did a great job.
-
Tim Callan
Agreed on that. Alright. Two more. So, second to the last. You ready?
-
Jason Soroko
Let’s do it.
-
Tim Callan
The continued deterioration of passwords and MFA.
-
Jason Soroko
Geez. It’s almost a follow up of what we just talked about. Right?
-
Tim Callan
I said continued. Right? So, yeah. Passwords and MFA obviously are weak. They’ve been weak for a long time, but I think we saw more new blows being dealt to passwords and MFA in 2023. Part of it is WebAuthn. Is FIDO2 implementations. But also, like we’ve seen new categories of attacks. We saw an AI-based audio password attack where literally there’s an attack now where if you can take over the microphone, you can record the audio of people typing and you can interpret those keystrokes into what they are based on the audio. Right? And so they can use that to steal a credential.
-
Jason Soroko
Geez. Yeah. That was a good episode we did. Yeah.
-
Tim Callan
I mean holy Moses. Yeah. Go listen to that one. MFA, we saw more problems and attacks with MFA. We saw additional MFA failures and I’d say an increase in the awareness and the idea that multi-factor authentication, sure, it’s better than nothing but it isn’t the armor-plated authentication method that people used to think it was.
-
Jason Soroko
No. In fact, it’s far from it. It’s gotten to the point where - - we saw articles this year, Tim, and in fact, we reported on this, where multifactor authentication was actually seen as a detriment. In the case of the attacks. And so, therefore, folks, it’s over. It’s over.
-
Tim Callan
Right. Because it leads to a false sense of security. People think they have MFA in place and therefore they don’t think they need to be vigilant. Users stop being vigilant and they fall for spear phishing attacks, IT teams stop being vigilant because they think this is covered and they don’t plug their holes, they don’t strive to be better and this is one of the things that we’ve seen. It is misleading in terms of the amount of strength people attribute to it and that leads to suboptimal decision making.
-
Jason Soroko
Yes. We were right on that one, Tim. We gotta give ourselves a point.
-
Tim Callan
Yeah. Awesome. I didn’t include that in the report card, but we’ll add that to the report card.
Alright. Ready for the last one?
-
Jason Soroko
Let’s do it.
-
Tim Callan
One of my high horses, Jay. One of my favorite topics. Government versus the internet. Once again. Every year government versus the internet. Governments going to war against the internet or the subcategory of that – government versus crypto. And governments going to war against the internet and against cryptography and it’s always the same thing. It’s governments trying to control how tech works inside of their physical borders with a lack of recognition of the fact that tech is bigger than their physical borders.
-
Jason Soroko
So many examples. Geez. I think you and I just recorded a topic on this even just very, very recently. Two or three of them. My favorite, of course, from the blast from the past, when the Australian Prime Minister said that the laws of physics were nothing compared to the laws of Australia. Wow. Wow.
-
Tim Callan
The laws of mathematics are all well and good; however, they don’t match up to the laws of the land. Well, no – they do. They’re the laws of mathematics. They actually do. That was a big one.
You know, what did we see? We’ve seen governments like Australia and Canada trying to control or somehow regulate what sites you visit or how people link. We’ve seen Canada try to control and regulate how you publish content and then, of course, there are more nefarious things in other governments where they are trying to actually do things like man-in-the-middle the cryptography and this sort of thing just goes on and on and on with no end in sight. It’s been a theme that goes all the way to the birth of cryptography and the birth of the internet, and it has never let up and I think 20 years from now if you and I are still doing this podcast, we will still be talking about this.
-
Jason Soroko
Well, stay tuned because the eIDAS-2.0 fiasco - -
-
Tim Callan
There you go. There’s another one.
-
Jason Soroko
And Apple having to side load and, oh my goodness, things that are just getting nasty out there. This is a big topic, folks. You are gonna see more in 2024.
-
Tim Callan
Yeah. Government versus the internet for sure needs to be on our 2024 predictions. So, if it’s not, we will add that because that’s one for sure.
So that’s it. That’s what I thought were the main themes of the last year. Do you want to add anything, Jay?
-
Jason Soroko
No. That was a good list, Tim. I think we did pretty well. So continue to listen to this podcast for very accurate predictions.