Root Causes 457: 2024 Lookback - Guests
We had a remarkable year on the Root Causes podcast in terms of our guests. We look back at the extremely expert guests we were lucky to talk about in 2024.
- Original Broadcast Date: January 17, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So Jason, we are doing 2024 lookbacks and one of the things that definitely was a big year for us was quality guests.
-
Jason Soroko
I'll be so bold. This is called tooting your horn and if you weren't listening to our podcast, especially to some of our guest podcasts, you really, really missed out on some important things that were said this year.
-
Tim Callan
Absolutely. I mean, and we had a couple cool things. One is, it was the year of real experts, like best in the world at what they know kind of experts. The second thing was, it was a year of repeat guests. People who had enough to say that they came back two, three, four times to really, really share their thoughts and ideas.
-
Jason Soroko
When we're preparing with some of these guests, what we end up discovering, just in a very short amount of preparation, is that there's a story arc that will not fit into a 10, 15, 20-minute podcast and it's great that we split them up. But one of the reasons we decided to look back on them was to kind of tell the whole story arc of what the guests were telling us. Maybe without any order to this let's talk about one of the big things that happened this year in the PQC world. We had Dr. Dustin Moody on. It was so cool. He's a great guy. So smart and able to articulate himself really, really well. And he taught us all so much about what's going on at NIST and Tim, recap some of what he said.
-
Tim Callan
Well, he went over how the whole thing started. The early days of just getting people to recognize that this really had to happen and one of the things I found fascinating was Dustin talking about, look, we'd never done this before. We didn't know what to expect. We didn't know how much uptick there would be and then to be very pleased that a whole lot of people sat up and took notice. The other thing that really came away, I think, and he told us about where they are, where they're going, we heard about the Round 3 results. We heard about Round 4, which is still ongoing. We heard about the Onramp, which is kind of Round 5. Probably call it Round 5, that's still going and part of what we took away from that – that I took away from that conversation - is there isn't really an end in sight.
You should think of this as the new normal that we will probably forever be seeking and creating new cryptographic approaches and challenging the ones we have, and we should just expect to live in a world of agile, evolving, changeable cryptography in recognition of the fact that what we do have could be fundamentally challenged or defeated at any time.
-
Jason Soroko
Multi-decades of the same one or two cryptographic algorithms. You’ll never see that again.
-
Tim Callan
Never again. And so some of this is us synthesizing what Dustin said, but I really think that was the core of part of what we took from him is just expect this to be life from now on. That's a very important revelation.
-
Jason Soroko
That is almost a perfect way to segue into Bas Westerbaan from Cloudflare. Bas taught us a couple things - a number of things, if you really listened. We celebrated with him Cloudflare's achievements, that he was instrumental in key exchange.
A very large chunk of the human internet going through their traffic is on post-quantum cryptographic algorithms. Amazing. That was a great big celebration.
-
Tim Callan
Well, and from a productization perspective, I would contend that Cloudflare is the most advanced company in the world in terms of actually using it and implementing it. They've done more earlier and have more experience and more knowledge than any other company.
-
Jason Soroko
And they took the risk, which is rare amongst a lot of tech companies, especially ones that are so fundamentally important to infrastructure and the internet. But, you know, there's an episode that we already recapped it, but I'll do a quick recap here. Bas, it's so funny how when he was first talking to us he was like, all these new cryptographic algorithms, they're really difficult. They're really, of course. Then at the end of the podcast, he changed his tune, because he wanted, he's like, well, I don't want to make anybody feel bad because - - he’s such a nice guy.
-
Tim Callan
I think the quote was, they're all terrible.
-
Jason Soroko
They're all terrible. Here's what he really meant. Even some of the better cryptographic algorithms that are out there have very large signature sizes.
-
Tim Callan
A big thing that I learned from Bas Westerbaan and I first learned this before he came to the podcast, which is part of why we invited him, was that every single viable PQC candidate that we have ever had does not work with our existing infrastructure. Every single one, without exception, requires massive retooling.
-
Jason Soroko
Take what you just said and now let's talk about the next guest who really described that, which was Bruno Couillard.
-
Tim Callan
Bruno Couillard. I think our winner for most repeats and I'm sure we're going to see more, because I think we love him, and he loves us. I think we'll see more of all of these people. I want them all back. Guys, we want you all back. But go on.
-
Jason Soroko
So Bruno, he actually did, as you say, a few episodes. But what I wanted to key in on was, okay, we live in this world now where the technologies and the ubiquity of PKI, asymmetric secrets, how we do transactions, our entire human world is dependent on computer systems that are running these cryptographic algorithms. When he looks into the future - and don't forget, we didn't even have NIST 2030 line in the sand when he came on.
He basically just said, look, there will be a point in time where, due to (a) the difficulties that Bas told us about in implementing cryptographic algorithms. In other words, you can't just retrofit what we have today. That's part of the key part of what he said, due to the non-ability for us to retrofit easily, and the fact that everybody is going to have a land rush at the last moment for PQC. We're going to live in this bizarro world where we might have operational, but non-secure systems. It's going to take his words.
-
Tim Callan
Sure. There's going to be a stack ranking exercise where you're going to say, these are the things I can update, and I can get this much work done, and it's going to be 7% of the work that has to get done, and what am I gonna pick? And that means, what am I gonna not pick? This should be - I hope it turns out to be - brutally pragmatic in its decision making.
-
Jason Soroko
Tim, you and I had a podcast recently that we had recorded in here in Toronto. The name of the podcast is Microsoft's Certificate Authority Dead. Now that's a provocative title, because I know there's a lot of you out there who love your MS CA.
-
Tim Callan
I like a good title. Come on.
-
Jason Soroko
Well, here's the thing. I felt very empowered to put out that episode because of those three guests who gave us a vision of the world and so many of you are living in the trenches of having uptime in your enterprise, and that's what you're paid to do, and yet you're facing this now we have the NIST draft that says deprecation 2030. And you have a lot of your fundamental authentication systems are going to basically be operational but working on deprecated algorithms past 2030 and there you go.
I think if you combine what Bruno said, with, you know, a vision of how many MS CA implementations - and I'm just using that as an example - how many other authentication systems are using classic algorithms. But I just choose MS CA because it's just so ubiquitous, and a lot of people know about it, and it really has no defined upgrade path to post-quantum. Therefore, I think there's a lot of you right now who are just on this glide path of the world will never change. IT will be the same after 2030. No, it won't, Tim.
-
Tim Callan
Won’t be. No.
Then let's just talk about guests in general. So you and I have struggled with guests, to be frank. We love guests. Guests are hard. There's calendar problems. There's production challenges. There's syncing up on what we want to talk about. I think we dialed it in in 2024 which is it's going to be a small number but the ones who are here are really gonna be worth it.
-
Jason Soroko
Must listen episodes.
-
Tim Callan
Some of the best ones we produced are our guest episodes, because it's the quality of the people we've recruited. I think for the audience, I think you would agree with me, this is a promise we’ll make. We are going to recruit the best quality guests and if someone's on, there's a good reason. I don't want to name some names, but we already have some people lined up coming up that you'll see in the next couple months that are, again, world class. Literally the very best human in the world at the thing they're talking about, I think that's going to be our theme. I think the quality guests that we've had in the past, certainly we're going to try to have them back, and I hope we'll see all of them back on this show again, and the new quality guests that we have lined up where we’re going to have them on, I hope that they turn into two repeat guests as well, because these are people who have a perspective and knowledge that is unsurpassed anywhere else.
-
Jason Soroko
You won't get it filtered through technical journalism. You're not going to get it filtered through a sales pitch. You're going to hear it directly from those people, and that's important.
-
Tim Callan
I'm really excited about how we worked out to deal with guests in 2024 and this is a going forward path, I think it adds a lot to this adventure that you and I are going down and I'm just really excited that we've got some of those people on board.