2014 Prognostications

I stopped evaluating my previous prognostications year to year. It just wasn’t worth it when some troll wanted to argue over whether something happened 80 percent or 65 percent. So I’ll let the reader judge my 2013 prognostications and see whether I did ok or not.  For 2014 I am writing this piece and a companion piece about how to change history for people to consider.  For 2014 I have the following prognostications.

1) The resurgence of free and open source software in a big way. This isn’t the standard Linux open source tirade. It is quite simple. I think Android is going to take over a large market share and be adapted to the lap top. I see that Android will fork again and that Google will lose some of the control it has left. The end result will either be chaos or a fairly robust system with very few deviations from a standards. I think corporate developers at a variety of companies are going to drive this forward in a consortium.

2) Information security is the same old same old and nothing new to see here. I think and have a suspicion that regulation will be a big issue, but I also see that there are faction gaining traction to actually secure the end user in ways never before seen. I expect to see Apple and Microsoft generate a tool that will reach in and secure you current system to some gold standard. I am thinking script but the application will basically turn off all the unnecessary services. The tools will be derided by the hacker community for the “toy” nature of them. There will be hacker community criticisms that the tool doesn’t do enough, or doesn’t do the right things, but the corporates will do it so they can keep selling to the Internet and user space.  The commercial world is about trust, branding, and cost sensitivity.

3) The concept of risk management of information security is likely one of the few models that has realistic expectations for information security results. The area that gives the practice clay feet is evidence based decisions. As such each of the past major breaches have shown examples of compliance to standard but still breached due to assumption of risk outside of the norm. In other words they wrote of the difficult things through their risk management program but didn’t really understand what they were writing off. I think we will see binary compliance regimes take hold. I’m already hearing chatter about the death of high, medium, low risk categories. A practice I thought was poor and had little evidence to back it up. What we will see in 2014 is compliant or not and the audit practice abandon documentation trails for evidence derived audits. In other words the auditors are coming to your running firewall rules and system configs this year.

4) I expect that I won’t be invited to key note at any hacker conferences and any that I put into for regular slots will be rejected. If I did speak I would likely talk about hacker communities addressing their strategic, operational, and tactical choices. There are a few groups out there that are starting to talk about strategic diplomacy of the hacker community. A few groups are just getting into the idea of using public affairs officers and creating narrative based policy mechanisms (looking at you TOR). This is a good thing. I think in 2014 there will be several well attended discussions on aligning community goals to foster the collective results.  The anarchism movement is dead in the hacker community or the hacker community will suffer. Many have said this over the last few decades. They’ve all been wrong. I’m willing to be wrong too. I just really wish I could be right.

Finally, I’m not sure about a few things being relevant in the new year. I think that if you look at the past 40 years you’ll see lots of optimism and very little results. We’ve made previous generations of products more secure and released fairly insecure products. With the 2013 revelations we know that national governments are breaking into systems (pending evidence we’ll say alleged). We know that intellectual property theft is pretty high. What we don’t know is ways to stop that, with the juggernaut of innovation flailing at the willow wisp of security, just how to fix it. That will be the next piece.



Leave a Reply