The pace of innovation is 30-plus years
May 29, 2012  

Gary Kasparov is one of a number of very smart folks who think that we are in an era of stagnating innovation. He says,

We feel that we literally have something new every month, but in fact it is progress that is proceeding from technological innovations and revolutionary inventions of the 1960s and 70s. For example, my iPod containst latest technology from 1981. In medicine there nothing similar to penicillin has been invented. If we talk about the Internet, then do not forget that the whole theoretical framework has been prepared in the 1960s in America, and the first communication session was 1969. A patent for mobile communications was registered in 1962, and the first call was made in 1973. The fact that the phones are smaller, thinner, more beautiful, does not change the fact that they are basically the same technology.

This is a good observation but the conclusion is completely wrong. Yes, the innovations that are rolling out today were invented 30 or 40 years ago, but that has always been the case. Whether you are trying to change the world or just get tenure, it’s good to keep this in mind.

Let me add a few examples to prove the point, from a talk I gave at Dagstuhl in 2009 (slides here).

  • Multiprocessing. Shared memory multiprocessors were invented in the early 1960s. They have only recently achieved widespread success (the first widely available multicore CPU was the Intel Core Duo in 2006).
  • Virtual memory. It was invented in late 1950s, but only achieved widespread use in 1995, with Windows 95.
  • Garbage collection in programming languages. This was invented in the late 1950s but only became acceptable and widely used with the introduction of Java, in 1995.

In my talk, I predicted that the next 30-year-old innovation to take hold would be public key encryption. In 2009, approximately no one used it. The only web sites commonly using encryption were banking web sites; this is really just a tiny fraction of the traffic on the Internet. Web mail was not encrypted by default by any of the big web mail providers. Since that time, most web mail providers have moved to encryption by default, so I think it was a pretty good prediction, though we still have a long way to go.

Quite recently I ran across another 30-year innovation: identity theft. I’ve seen two reports that show how this is taking off today. First, in April 2012 Brian Krebs reported that

cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

That is, in order to cash out without putting themselves at risk, thieves would transfer funds from compromised bank accounts to middlemen known as money mules, who would then transfer the money to the thieves, taking a cut. To avoid money mules, thieves have started to open prepaid debit cards using stolen identities. They can then transfer funds to the cards and cash them out at little risk.

Second, the New York Times now reports that thieves are using stolen identities to file for tax refunds. The IRS deposits the tax refunds directly to a prepaid card opened by the thief in the victim’s name, which is then promptly cashed out.

This criminal innovation was over 30 years in the making. I remember reading about the danger of giving out your Social Security number in The RISKS Digest back in the 1980s. Here’s just one example. It’s hilarious to go back in the archives and read about people who tried to resist bureaucrats who wanted their SSNs; they were essentially treated as the insane.

The best practical advice I can give to security researchers (or criminals) looking for the next big innovation coming in security (or cybercrime) is to look back in the early archives of RISKS.