Root Causes 462: Crypto War 3.0
In this episode we walk through the evolution of the war on cryptography, from the beginning up through today, terminating in what we call Crypto War 3.0.
- Original Broadcast Date: January 31, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Jason, what is Crypto War 3.0?
-
Jason Soroko
Let's talk about Crypto War 1.0 and 2.0 first. You and I on this podcast, and it happened organically, it’s not something we planned. It's just a reaction to government versus encryption. For those of you who are not aware of the story, let's talk about Crypto War 1.0 and 2.0.
-
Tim Callan
These are your constructs.
-
Jason Soroko
I think other people are using this. This is not my invention. I'm not gonna claim this one. So, Crypto War 1.0 was - - encryption back in the earliest days was kind of like an extension of state power. Only nation states had encryption of any kind.
-
Tim Callan
It was a weapon. It was a munition. It was like a cannon.
-
Jason Soroko
Yes. In fact, really not different than holding a gun or transporting a gun, encryption was one of those things that you protected. Like a munition. The Enigma machine was in the era of Crypto War 1.0.
The wars were between nation states themselves. Alan Turing, big part of the story. In fact, we had a great story about This Podcast Is Not About Alan Turing because it really was to emphasize the point that - - you go listen to that episode. So Crypto War 1.0, I think if you were to categorize it was, there was a scarcity of encryption. It was not in the average person's hands, and, in fact, even - -
-
Tim Callan
Controlled by a small number of specialists, it was difficult, it was expensive to implement.
-
Jason Soroko
And it was entirely a state power. Crypto Wars 1.0. That's before a lot of us were around. Crypto Wars 2.0 had a pretty clear demarcation point where encryption had continued on, and in fact, started to become quite ubiquitous, had already started to become in people's hands. So there was this change where it wasn't just about state power, it was about transactional dealings between people.
-
Tim Callan
So it was now about the enterprise.
-
Jason Soroko
The enterprise. Big finance.
-
Tim Callan
So this would have its first roots in the late 70s, but it would really blossom with the World Wide Web, I would say.
-
Jason Soroko
100%. And so, which existed in the 1980s but it was very scarce, and I remember going to university in the 1990s, which tells you how old I am, and all of a sudden it's like, no, even I remember in the 1990s first using text-based browsers, graphical-based browsers, looking at my first HTTPS-based website, very encrypted session between the browser and web server. But Tim, there's a very clear demarcation point, and that's the advent of the Clipper chip. So government backdooring encryption is really what this is all about. That to me, the Clipper chip and the attempts to create back doors to encrypted systems, to me, is the definition of the beginning of Crypto Wars 2.0.
-
Tim Callan
So Server Gated Cryptography. The protocol that allowed a 40-bit encrypted RSA session across the World Wide Web to step up to 128, that would be kind of a last relic of Crypto Wars 1.0.
-
Jason Soroko
Perfect. I would say that the next stages of Crypto Wars 2.0 were Phil Zimmermann and PGP. We will eventually do a podcast about PGP. But this is the era of HTTPS. This is the era of SSH. This is the era of S/MIME. This is the era of accessibility. So if we had scarcity in 1.0, 2.0 was wow, everybody had encryption in their lives somewhere.
-
Tim Callan
Trending upward to eventually what we have now, which is, I won't say ubiquity but should be ubiquity. And near ubiquity.
-
Jason Soroko
I'll go as far as to say ubiquity, near ubiquity, and because of the fact that it became accessible, it became personal. You and I just did a podcast on the fact that cellular data networks can't be trusted anymore. And that's personal, Tim.
-
Tim Callan
Personal is a big part of it. Like when you're talking about back in the day of Crypto Wars 1.0, what's the secret that we're trying to protect? It's what are our troop movements? What are our plans? When are we doing the invasion? Now, the secret we're trying to protect is our PII or our personal calendar or our home address. Yes. It’s very personal.
-
Jason Soroko
For those of you who have children, multiply that by many; all of us have family that we care about, and so personal as all heck. So Tim, Crypto Wars 3.0. I think we've just entered it. You and I have done a lot of episodes about the encroachment of - I don't think there's any one of the Five Eyes who hasn't said, oh, we need to ban encryption of some kind. Remember our Australia episode? Australia said that the laws of physics didn't mean anything compared to the laws of Australia. I love my Australian friends. You guys are the best, because nobody else could have come up with that. But, but I think we've just entered Crypto Wars 3.0, and so that's not about a trend of government still not wanting back doors, government still wanting to ban encryption outright, government saying, oh my God, the bad, really, truly bad people using encryption is hampering police efforts. Like it’s all the anti-privacy things that we've seen. Mass surveillance.
-
Tim Callan
You and I covered Moxie Marlinspike deciding he couldn't live in the United States because he wanted to maintain sovereignty of the Signal system over US control. Like, that's Crypto Wars 2.0.
-
Jason Soroko
That is Crypto Wars 2.0 cranked right up to the reality that it is in. We just did a podcast, as I said, about the collapse of any kind of trust in our everyday cellular data networks. To me, Salt Typhoon, the FBI report about don't use RCS across the cellular data network, and the FBI and the Five Eyes, the very same entities who have said encryption is bad, bad, bad, are now saying, oh my God, you've got to encrypt because cellular data networks being wide open is insanely dangerous. To me, something changed. Crypto Wars 3.0.
-
Tim Callan
That's a bellwether moment then, you're saying. If I'm hearing you right, the transition from 2.0 to 3.0 is ultimately where the stakes on weak encryption being exploited by non-Five Eyes foreign actors, if you will, are so high that we're beginning to see a change in attitude from those five governments.
-
Jason Soroko
In other words, Tim, I think you're onto it, which is let's define what the 3.0 is. It’s basically, it was all fine when we had the back doors. It was all fine.
-
Tim Callan
When we were exploiting it, it was ok but now someone's exploiting it against me.
-
Jason Soroko
When it was us doing the mass surveillance, and nobody else, that’s 2.0.
-
Tim Callan
What's a little bit of data in the NSA? Who really cares? Yes.
-
Jason Soroko
3.0 is now, no. Everybody’s got your data including nation state adversaries.
-
Tim Callan
So, is this limited to nation state adversaries? I would think that they would have the same worries about a lot of APTs.
-
Jason Soroko
No. In fact, I'm gonna say you should just assume everybody is watching everything; we're approaching Wild West. So, that sounds scary, but let me make it scarier. Because that's what Jason Soroko loves to do. Bruno Couillard. We just had a look back, and we had described some of what he had said in 2024, and let's paint the picture of, we now have the FBI and the Five Eyes saying, wow, you've all got to use your VPN, you've got to use WhatsApp. You gotta use Signal. Imagine the FBI saying use Signal. It still blows my mind.
So imagine though that we've only got a few years left Tim, where RSA and ECC are worth a damn. And we are going to enter a world, we are going to enter a world soonish, where we're going to have operational, but insecure systems. Therefore we're gonna now reenter the stage where it's inevitable. And Bruno is the one that painted the vision of there's just no way that everybody will be ready. Y2K is not a good analogy.
-
Tim Callan
Not only is there no way that everybody will be ready, but I'm gonna contend there's no way that anybody will be 100%.
-
Jason Soroko
If you add that to the fact that not only do you have Salt Typhoon as the biggest wakeup call in networking history, to me, where we went from only the good guys could do – “good guys” - could do mass surveillance.
Now it's everybody can do mass surveillance. We're going to enter an age where, oh crap. Now we, for 20 years, 30 years, had most of our enterprise systems secure. RSAs. Right now, secure. It won’t be forever, and you will still be operating those RSA and ECC systems and wow. So in other words, multiply the current Salt Typhoon effect to now all systems.
Nothing can be trusted. Those Microsoft CA servers you guys love to hug in your server rooms, you might as well throw it out in the street. That's the reality we're going to be living with.
-
Tim Callan
The good news there is, we’ve been preparing for this moment for a long time. For decades. We ultimately know what we have to do, which is rigorous implementation of things that are well understood. It's not like we have to invent a new solution. We have to ZTNA everything. We have to segment our networks. We need to put digital IDs on everything. We need to encrypt everything. If you do that, you have gone most of the way. I mean, you're never 100% of the way because there are new attacks and whatnot, but you've gone most of the way to protecting yourself in the Crypto Wars 3.0 world.
-
Jason Soroko
There are a lot of extremely creative PKI trust model things. I'll say things loosely, because there's a lot of great ideas that will allow us to limp along with deprecated cryptographic algorithms that are protected because maybe they're offline and if you absolutely need that legacy route, you can maintain that legacy route and in secure ways - isolating it, turning it off, and have post-quantum-based issuing CAs doing the hard work. There's more than one answer to all of this. There's more than one answer to all this. Hybrid certificates are a piece of it, and, in fact, there's a lot of other good ideas, but I think that Bruno painted the picture of the lack of traditional HSM hardware. But what Bas Westerbaan told us about, is that the difficulty in retrofitting legacy systems with post-quantum because of the fact that it seems to break everything because of large signature sizes. That's Crypto Wars 3.0, Tim.
-
Tim Callan
Just as the other ones, 1.0 and 2.0 were multi decade phases, I feel like this is going to be going on for a while.
-
Jason Soroko
I think we're in this one now for 10-20 years.
-
Tim Callan
I hear you. I think it's good to identify that and think about it in those terms. I'm gonna stand by what I said before. At least, I think there is a pretty well-defined roadmap to how to deal with this new world order.
-
Jason Soroko
It's not hopeless. In fact, it's far from hopeless. You're dead right.
-
Tim Callan
We just have to, like, prioritize it and do it and do it rigorously, and do it well. The challenge is going to be there's going to be laggards. There's going to be errors. There's going to be corner cases. There's going to be unforeseen situations, and all of that will cause individual collateral damage, and that damage is going to suck. That's kind of unavoidable, but the best recipe is still to move forward, like I said least privileges fully digital ID, fully encrypted, fully authenticated world and the closer and the faster we get there, and the more completely we get there, the better off we are.
-
Jason Soroko
100% Tim. There's a lot of classical thinking that has yet to be implemented that will solve a lot of these and make legitimate, hard effort for the bad guy. But I will tell you, this is something Bruno alluded to and spoke about very eloquently - If you're a young person right now, holy cow, there's gigantic problem sets for you. For the rest of your career.
-
Tim Callan
Absolutely. You and I have talked about how there are people retiring now who only had to do RSA their entire career. Now that's not going to be true moving forward. I think if you're a young person getting into the IT game today, it's almost the opposite. It's like you are a crypto agile native. You're starting in a world that demands complete crypto agility and take advantage of that. Make that into part of your DNA.
-
Jason Soroko
I'm going to compare and contrast that Tim to what you just said. If you're agile native - I love that term. I'm going to use that again. If you're agile native. Compare and contrast that Tim to people who were screaming on Reddit with their caps on against shortened certificate lifespan.
-
Tim Callan
You've obviously never been a sys admin. You have no idea what you need to do. Nobody wants it to be this way. It's been forced on us, and we're taking the actions we have to take.
-
Jason Soroko
Don't take it from us. What the heck do Tim and I know? Take it from Dr. Dustin Moody. You will never ever again live in a stable crypto agile era.
-
Tim Callan
You will never again live in a stable era, like cryptographic era, just get used to it. Cryptography is going to be updated on a regular basis and sometimes quickly, in response to unforeseen events and that's the new normal, and we need to get used to it intellectually and emotionally. We also need technology and procedures that are tolerant. Like one of the main excuses that we get for delayed revocation - sorry to go back to that topic that I discuss so much - is the CA claiming that the subscriber has an approval process that does not allow replacement of the certificate within the revocation period. This is a purely arbitrary manmade bureaucratic barrier to crypto agility. Unfathomable. And that kind of thing - Organizations that can't wake up to the fact that when they do that, they're putting themselves at unacceptable levels of risk, are unfortunately going to figure it out the hard way - when they're owned, when they're ransomwared, when their data is published, when their secrets are stolen. That is how they are going to have the wake up. That is not the way we want it to happen. We want the wake up to happen before those events occur.
-
Jason Soroko
Tim, we had a fallacies episode almost four years ago, I know there's some of you listening right now, going, how the heck does it apply to me? Jay, I heard you on Salt Typhoon. I got to use my VPN. But beyond that, what are you telling me here? Here’s what I'm telling you. In Crypto Wars 3.0, my smart toaster, my smart television, my smart whatever is not a target for anything. Why would anybody? Let me tell you why, Tim. There are a lot of people who would love to use your toaster as a bitcoin miner. There are a lot of people who would love you to use your toaster to DDoS somebody.
-
Tim Callan
You and I a little under a year ago, did an episode where we explained that this story that was floating around about a massive botnet made of IoT toothbrushes was actually not true. It was not true. But the point I want to make here is everyone thought it was true. It was entirely credible, even though it turned out not to be true. Absolutely. If you don't want your fridge to be part of a botnet, like, kind of as a high end, high minded, idealistic thing, that's great. Now you could turn around and you could say, well, what do I care if my fridge is part of a botnet? How about this? Do you care if someone can figure out whether or not your burglar alarm is turned on? Do you care if someone can turn it off? Do you care if somebody can see whether or not your refrigerator has been opened in the last 48 hours? Because if the answer is no, you're probably out of town. And now you care.
-
Jason Soroko
Yes. A lot of people who are listening to Tim and I right now might be saying, guys, you're veering right off. This is supposed to be about Crypto Wars 1.0, 2.0 and 3.0. What you and I are doing right now is we're characterizing Crypto Wars 3.0 because that's the near Wild West kind of world that we're going to be in. I think that's going to be a characteristic of it, and a lot of this underdog fallacy, which is what it is, you're gonna learn the hard way about nobody's an underdog. Nobody's too small to fail. I think we're in for one heck of a show in the next 20 years.
-
Tim Callan
I do. You want to talk about oh there's a lot of work to do. You start getting into this small, like, small target, small business, down to individual, down to individual IT device kind of attacks, we got almost nothing. No education. We got no security systems in place. We got no systems and procedures. We don't have best practices. I mean, you want to talk about, a target rich environment, this is damn near everybody.
-
Jason Soroko
This is Wild West. And if 2.0 was personal, 3.0 becomes hyper personal. We're gonna have a whole episode on this, but if agentic AI, God, imagine we live in a world simultaneously where agentic AI exists, and we have people who don't want to renew their certificates automatically. At the same time, these are the same people in the same world. My God. Never mind your toothbrush and your Smart TV and all that good stuff. What about everything you're doing to automate things within your enterprise in this new and exciting way? And there hasn't even been anything with regards to talking about how we defend against that, because guess what? There really is no super smart Zero Trust built up around that yet. We're not there yet.
-
Tim Callan
Your well-defined hierarchical organization, like a company or a government or even a school. Yes. School not as much, but enough. When you get to what we're talking about now, which is, how do I target individuals? Well, it could be high wealth individuals, could be low wealth individuals, but lots of them, and it's cheap and easy. They’re just running an AI on a server somewhere, and it's just giving me money. Even if it's not a lot of money, it's out harvesting it. If you talk about other kinds of attacks, things that are threats to health and safety, there's nothing in place to protect this.
-
Jason Soroko
So the back door of 2.0, Crypto Wars 2.0, became a barn door, front and back, for anybody to walk through in 3.0 and we're there now. Sorry. Exciting though for those of you who are defenders and want to do things right. There's a lot of opportunity for you.
-
Tim Callan
Think about it the other way, which is, don't think of this as a gloom and doom downer. Think of this as a call to action.
-
Jason Soroko
Something had to happen anyway. The bad guys were winning. The bad guys were winning in Crypto Wars 2.0. It's just that things just got worse, and now it's almost like it's in double overtime, and we've got to score a goal.