December again. Time for the year-end retrospective. 2001 has been the most operationally significant year of this notebook's lifetime. The structural shifts are large enough to deserve a careful retrospective.
The major events
In rough chronological order:
- Ramen — first major Linux worm (January).
- AnnaKournikova — third mass-mailing worm (February).
- Lion — second Linux worm, more capable (March).
- OpenSSH 3.0 with privilege separation (February).
- BIND 9.1 (April).
- AirSnort and the breaking of WEP (summer).
- Code Red I (July).
- Code Red II (August).
- SirCam (mid-year).
- 9/11 attacks (September).
- Nimda — multivector worm (September).
- Klez — auto-execution mail worm (October).
- Microsoft signalling Trustworthy Computing (autumn).
- Phishing maturation (continuous).
A dozen significant events. Operationally, the cadence has been roughly one per month — substantially higher than 2000.
How my predictions did
From my January 2001 predictions list:
1. Auto-propagating Windows worm in 2001. 85% predicted. Resolved AFFIRMATIVE (Code Red, Nimda).
2. The worm targets HTTP or SMB. 75% predicted. Resolved AFFIRMATIVE (HTTP — IIS).
3. Major commercial-site DDoS exceeding Mafiaboy. 70% predicted. UNRESOLVED. No specific incident clearly exceeded Mafiaboy. The bar may have been wrong.
4. Practical public WEP-key recovery tool. 75% predicted. Resolved AFFIRMATIVE (AirSnort).
5. Mass-mailing worms continue at one-per-quarter. 80% predicted. Resolved AFFIRMATIVE (AnnaKournikova, SirCam, Nimda's email vector, Klez — five major).
6. A specific Linux worm beyond script-kiddie level. 55% predicted. Resolved AFFIRMATIVE (Ramen, Lion).
7. Microsoft default attachment blocking. 65% predicted. Resolved AFFIRMATIVE (Outlook 2002).
8. Microsoft Trustworthy Computing-style initiative. 50% predicted. PROVISIONALLY AFFIRMATIVE. Public memo expected early 2002, but the substance has been signalled.
9. BCP 38 peering norm at major US carriers. 60% predicted. UNRESOLVED. Some movement; no clear public commitment.
10. Honeynet Project major cross-operator paper. 80% predicted. AFFIRMATIVE (Know Your Enemy series progressed substantially).
11. Linux 2.4 mainstream production. 90% predicted by 30 June. Resolved AFFIRMATIVE.
12. Snort 2.0 public development. 70% predicted. UNRESOLVED. Discussions happening; no formal 2.0 branch yet.
Net score: 8 affirmatives, 0 negatives, 4 unresolved. The under-confident ones (the Linux worm at 55%, and mass-mailing worms at 80%, which now looks too low given the actual cadence) are calibration data.
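Scoring the list above as calibration data, as an added example that is not part of the notebook: a Brier score over the resolved items, the per-item cost that singles out the under-confident calls, and the range the final score can still land in once the unresolved items settle. Probabilities and outcomes are transcribed from the list; the provisional item is counted as unresolved, as the tally does.

```python
# Added example, not from the notebook. Probabilities and outcomes are the
# ones stated in the prediction list; nothing else is assumed.

# (label, stated probability, outcome): 1 = affirmative, 0 = negative,
# None = unresolved. The provisional item is scored as unresolved.
PREDICTIONS = [
    ("Windows worm", 0.85, 1),
    ("HTTP/SMB target", 0.75, 1),
    ("DDoS > Mafiaboy", 0.70, None),
    ("WEP tool", 0.75, 1),
    ("mail worms", 0.80, 1),
    ("Linux worm", 0.55, 1),
    ("attachment blocking", 0.65, 1),
    ("MS initiative", 0.50, None),   # provisional, so unresolved here
    ("BCP 38", 0.60, None),
    ("Honeynet paper", 0.80, 1),
    ("Linux 2.4", 0.90, 1),
    ("Snort 2.0", 0.70, None),
]


def brier(preds):
    """Mean squared error of probability vs outcome over resolved items.
    0 is perfect; always saying 50% scores 0.25, a useful baseline."""
    resolved = [(p, o) for _, p, o in preds if o is not None]
    return sum((p - o) ** 2 for p, o in resolved) / len(resolved)


def contributions(preds):
    """Per-item squared error, worst first. With every resolved item
    affirmative, the lowest stated probability costs the most."""
    rows = [(lbl, (p - o) ** 2) for lbl, p, o in preds if o is not None]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def brier_bounds(preds):
    """(best, worst) final score once each unresolved item settles: best
    picks the cheaper outcome per item, worst the dearer one."""
    best = [(l, p, (1 if p >= 0.5 else 0) if o is None else o) for l, p, o in preds]
    worst = [(l, p, (0 if p >= 0.5 else 1) if o is None else o) for l, p, o in preds]
    return brier(best), brier(worst)


if __name__ == "__main__":
    print(f"Brier, resolved only: {brier(PREDICTIONS):.4f} (baseline 0.25)")
    for label, cost in contributions(PREDICTIONS)[:3]:
        print(f"  {label:20s} {cost:.4f}")
    lo, hi = brier_bounds(PREDICTIONS)
    print(f"Final score once unresolved settle: {lo:.4f} .. {hi:.4f}")
```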
Personal predictions
17. Four conferences. Two attended in H1 (Manchester, Dec 2000; Birmingham, March). One attended in H2 (Leeds, where I spoke). Three rather than four; close enough that I count this as borderline-affirmative.
18. Speak at one conference. Resolved AFFIRMATIVE (Leeds).
19. Honeypot expanded to /28. Resolved AFFIRMATIVE (March).
20. Small-business piece. Done in November. Resolved AFFIRMATIVE.
21. Notebook continues weekly. Resolved AFFIRMATIVE.
Net personal score: 5/5 with one borderline. The conferences target was ambitious; the others were achievable.
What surprised me
Three things.
Code Red and Nimda were faster than I had imagined. I had predicted IIS-targeted worms; the speed of saturation surprised me. Hours rather than days. The worm-propagation arithmetic I had done was right; the operational reality was still surprising.
Microsoft is responding more substantively than I had expected. The Trustworthy Computing signals are stronger than I had predicted in October. My probability that it is real has shifted up from 60% to 75%.
The personal speaking commitment was easier than I had feared. The talk in Leeds went better than I had expected. The barrier was psychological; the actual experience was rewarding.
What is structurally new
Four things from 2001 that I will be writing about going into 2002.
Multivector worms. Nimda demonstrated that multiple propagation vectors in one attack are now operationally viable. Future worms will use this technique by default.
Chain-compromise patterns. Nimda using Code Red II's backdoors showed that incomplete cleanup of one incident produces vulnerability to subsequent ones.
The compromised-host market. The economic infrastructure around compromised hosts is forming; persistent backdoors are now traded resources.
The structural Microsoft shift. Trustworthy Computing signals real change in vendor security posture, with multi-year impact ahead.
What I will write about in 2002
The specific predictions will go in next week's post. The themes:
- Continued worm and malware coverage.
- The Microsoft response, as it develops.
- The maturation of my honeypot setup.
- More work on internal-network defence.
- More writing for non-technical audiences.
- Continued conference attendance and speaking.
The broad thrust is the same as 2001 but with more emphasis on the structural-defence side.
More as the year wraps up.