2000 in review: the year of distributed attacks

December again. Time for the year-end review post. Looking back at 2000, the year is harder to summarise than 1999 was — more events, more shifts, more categories that emerged or matured.

This post is the structured retrospective. What happened, what changed, what I got right and wrong, what to expect next.

The major events

In rough chronological order, the things from 2000 that I expect to remember:

The Mafiaboy attacks (February). Yahoo, eBay, Amazon, CNN, Buy.com, ZDNet, E*TRADE all hit by distributed denial of service over a one-week period. The largest sustained DDoS campaign in internet history to that point. Public consciousness of "distributed denial of service" as a real phenomenon dates from these attacks.

ILOVEYOU (May). The most damaging single piece of malware to date. $5-15 billion in cleanup. Demonstrated that the Melissa category was permanent and would scale.

The Honeynet Project formalised (June). Research community organising itself; first major papers published; toolkit becoming usable for non-specialists.

MS00-078 (October). IIS Unicode directory traversal. Mass exploitation within hours. Confirmation that the IIS-vulnerability cycle is the new normal.

The Microsoft compromise (October-November). Microsoft's own corporate network compromised through a QAZ trojan on an employee's home computer. The home-as-attack-vector pattern formalised in public.

Stacheldraht and successors continuing. DDoS toolkits continued to mature throughout the year. The defensive infrastructure response is still incomplete.

The Y2K rollover (1 January). Anticlimactic in the moment; structurally significant in retrospect for the security regressions the rushed remediation produced.

Beyond these specific events, structural shifts I observed:

How I scored on my January predictions

From my predictions for 1999 in late December — I had explicitly avoided full predictions for 2000 in my opening post, so the comparison is partial.

What I did predict, scattered through the year:

"Distributed denial of service becomes a thing people have heard of." Right. Specifically right: the press coverage of Mafiaboy made DDoS a household phrase by mid-year.

"Honeypots become a category." Right. The Honeynet Project formalisation makes this clearly true; even the small UK gathering I attended had a honeynet talk.

"Y2K teaches us something other than what people are saying — security regressions from rushed remediation." Right, but earlier than I expected. The wave of remediation-induced advisories is materialising in 2001 as I had thought, but several specific incidents I have heard about already trace to Y2K patches.

"The conversation about disclosure intensifies." Roughly right. The conversation has matured; some norms are forming; full consensus has not emerged but the trajectory is clear.

"The Snort ruleset matures and rule count grows." Right. The community ruleset is now thousands of rules; the engine has improved to handle them; the deployment baseline has shifted.

Additional predictions I had made through the year:

"A major commercial site DDoSed publicly." Right (Mafiaboy attacks, February).

"Stacheldraht-class tools in the wild within months of disclosure." Right; Mafiaboy used variants of these tools in February, just six weeks after the Stacheldraht analysis.

"Trojans become a real category." Roughly right; Sub7 and BO2K matured and the Microsoft compromise via QAZ demonstrated the impact.

"Wireless attacks emerge as a category." Partially right; the technical work has progressed but operational attacks are still rare. The category is forming; the emergence is taking longer than I had expected.

Net score: of about a dozen specific predictions, I was right on most directionally and got the timing approximately right for the ones that resolved. I was over-confident in a few cases (wireless attacks, specifically). I was under-confident in others (the speed at which DDoS infrastructure would be deployed against commercial targets).

What surprised me

Three things, in increasing order.

The platform-level inertia is more substantial than I had appreciated. I had been writing all year about specific vendor security failures and structural fixes the vendors should ship. The vendors, on the available evidence, are barely shifting. Microsoft has done some work; Cisco is iterating; but the fundamental defaults are largely unchanged. The pace of platform security improvement is much slower than the pace of attack evolution.

The threat-actor population is more economically motivated than I had assumed. The cumulative honeypot data shows clearly that most attackers are now operating commercially — installing spam relays, building botnet infrastructure, harvesting credentials for sale. The romantic-curious-attacker model from the 1990s is largely obsolete. We are in a period where most compromise activity is industrial.

The defensive infrastructure is genuinely improving. BCP 38 deployment is accelerating; open-source security tools are maturing; coordinated response infrastructure is forming. The improvements are slow and incremental; they are real. By 2003 or so I expect the cumulative effect to produce visibly different baseline security than we have today.

What I want to do differently in 2001

For the year ahead, a few specific things.

Write more about internal-network defence. The Microsoft compromise and the consultancy incident both reinforced that lateral-movement defence is undervalued. I have been writing too much about perimeter security and not enough about internal defences.

Engage more with the broader community. The Manchester gathering was valuable enough that I should be doing it quarterly. The notebook-in-isolation pattern is sustainable but is leaving value on the table.

Consider speaking at one of these events. I have been thinking about it; I should probably commit to doing it once in 2001.

Write the small-business-oriented piece I have been thinking about. The conversation with the small-business owner at the Manchester gathering suggested a real gap. The notebook does not serve everyone who could benefit from defensive guidance.

Build out the honeypot to a small range rather than a single IP. The Honeynet tooling makes this feasible; the data quality improvement should be substantial.

Continue the patching-and-monitoring discipline. Boring, important, ongoing.

What I expect for 2001

A short list, written down for end-of-2001 scoring:

An automatically-propagating worm targeting IIS. The combination of exploitable IIS bugs, large vulnerable population, and mature scanning infrastructure makes this very likely. Probably in the second half of 2001.

A major commercial-site DDoS that exceeds Mafiaboy's scale. The toolkits continue to evolve; the substrate of compromised hosts continues to grow. Within the year, I expect a sustained campaign with bandwidth in the gigabit-per-second range against a household-name target.

WEP attacks reach practical tooling. The cryptographic weaknesses are sufficient; what remains is engineering of a practical attack tool. By midyear I expect a publicly-available tool that recovers WEP keys from passive captures.

Significant Linux-targeted attacks emerging. As Linux's deployment grows, the attacker focus expands. I expect to see specific Linux-targeted worms or exploit kits in 2001.

Cloud-style hosting starts becoming a deployment pattern. The infrastructure for outsourced computing is forming. By year-end, smaller organisations will start running services on third-party platforms in larger numbers. The security implications are substantial.

Network segmentation becomes standard advice for non-trivial deployments. The structural argument is now visible enough that the recommendation will become mainstream.

The Honeynet Project publishes its first "cumulative" analysis paper. Multiple operators contributing data, analysed together, with statistical findings about the global threat landscape that no single operator has produced.

Trustworthy Computing-style initiatives at major vendors. Microsoft is rumoured to be planning something significant; other vendors will follow if Microsoft commits.

A closing reflection

Three years of this notebook now. The original purpose — writing for my own learning, with an imagined reader to keep me honest — continues to deliver. The unexpected purpose — being part of a community of practice that has formed slowly through email and the occasional meeting — has become as valuable as the original.

The field is moving fast. The notebook is, in some real sense, my way of staying oriented. The discipline of writing weekly forces me to think about each week's events; the discipline of reviewing annually forces me to think about each year's trajectory. Without these I would be drifting.

For anyone reading this who has been following the notebook: thank you. The correspondence and conversations have been the year's best surprise. I expect to keep doing this in 2001 and onward, on the same weekly cadence, for as long as the topic and the discipline continue to teach me things.

More in the new year.
