End-of-year notebook

Christmas-week again. The end of three years of writing this notebook. Time for the quieter end-of-year post — not the structured retrospective and not the predictions list, but the more reflective end-of-year notes.

What the notebook has become

Three years ago I started this on my birthday with the explicit purpose of forcing myself to finish thoughts I would otherwise leave half-formed. The discipline of writing for an imagined reader was supposed to produce better thinking on my part, not better content for an audience.

The discipline has done what I hoped. The thinking is, on the available evidence, better calibrated than it would have been otherwise. The writing is clearer than my private notes from before the discipline started. The cumulative archive is something I find myself referring to when I want to remember how I thought about something at a particular point in time.

The surprises are several:

The audience. I had not expected one. The first emails arrived in summer 1998 and the trickle became a stream. By now I have ongoing correspondence with several dozen people whose technical thinking I value. Some have become friends. One is now a regular collaborator on small projects.

The topic durability. Three years on, I am writing about topics that did not exist when I started. Distributed denial of service; mass-mailing worms; practical wireless attacks. The supply of material has expanded, not contracted. By 2003 I expect to be writing about categories I cannot currently anticipate.

The cumulative pattern recognition. Three years of writing has produced a personal archive that lets me notice patterns I would not see year-by-year. The same categories of vulnerability recurring; the same architectural mistakes appearing in different products; the same defensive techniques compounding. The compound view is informative in a way each individual post is not.

The community of practice. I wrote in October about discovering the smallness of the UK security community. The community of thoughtful, patient, careful practitioners is a small fraction of the broader security industry, and the notebook has been one of my routes into it. I had not appreciated, when I started, how much the writing would substitute for in-person network-building.

What the notebook has not produced

A short honest list.

A coherent intellectual position. I do not have, on reflection, a single thesis that the notebook is arguing. Each post is its own thing; the cumulative argument is more like an attitude — calibrated humility, structural over heroic interpretations, layered defence over silver bullets — than a thesis. This is, I think, fine. Not every body of work needs a thesis.

A career path. I work for the same employer I have for several years; the notebook has not produced job offers, speaking opportunities (yet), or substantial commercial consequences. This is also, on reflection, fine — I started the notebook for non-career reasons and it has served those reasons well.

Influence on the platform vendors. Despite writing repeatedly about the platform-level fixes that the major vendors should ship, I have no evidence that anything I have written has influenced any vendor. The platform-level conversation is mostly happening elsewhere; my contribution to it is small and indirect.

Original research. The notebook has not produced novel security research. What it has produced is sustained analysis of other people's work — applying it, criticising it, integrating it, occasionally extending it incrementally. The research community would not consider me a peer; the practitioner community treats me as a peer for reasons that have nothing to do with original research.

None of this is a complaint. The notebook has done what I asked of it. The things it has not produced are not things I expected it to produce.

What I am doing for Christmas

Nothing dramatic. The infrastructure is humming along quietly. The honeypot caught one moderately interesting capture last week — a careful enumerator, similar to Capture A from the spring — that I will probably write about properly in January when I have time to sanitise it.

The family is visiting for Boxing Day. The notebook is closed for the rest of the week. The Linux kernel is compiling something in the background; if it is interesting, I will write about it next week.

This is the right shape of Christmas, in my view. Quiet, modest, with the ordinary discipline of operations continuing in the background.

What I want to say to readers

A few things.

Thank you for reading. The notebook is sustainable for me regardless of whether anyone reads. The fact that some people do read makes it more rewarding. The conversations the notebook has started are the year's best surprise, every year.

Disagree with me publicly. Several of the corrections that have most improved my thinking have come from readers who disagreed with something I wrote and explained why in detail. The space of helpful disagreement is large; please use it.

Write your own notebook if you have not. The discipline is sustainable; the cost is modest; the benefits compound over years. The quality of the writing matters less than the consistency of the writing. A notebook with eighty mediocre posts is more valuable, on average, than a notebook with three excellent posts.

Let me know about the small-business piece I owe. The gap I identified at the Manchester gathering — that the notebook serves people already in the field, not the people who could benefit most — is real. I have not yet written the complementary piece for less-technical readers. If anyone reading this knows what the audience for that piece would actually want, your input would be more useful than my guesses.

What 2001 looks like from here

The predictions are written down. The discipline is in place. The infrastructure is healthy. The community is supportive.

The specific year ahead is going to be characterised, I expect, by the maturation of trends that started in 2000. Worms; DDoS; home-computer-as-attack-vector; wireless. All of these will continue to evolve. None of them will resolve into clean categories.

The defensive infrastructure will continue to slowly improve. The vendors will continue to ship inadequate fixes at slow timescales. The operators will continue to do the unglamorous work of patching, monitoring, and segmenting. The cumulative effect, as always, will be invisible from outside the work.

The notebook will continue. The thinking will continue. The community will continue.

New year, and the notebook continues on the standard cadence. I will be at the keyboard at midnight on the 31st as usual, for old times' sake. The systems are quiet. The week between now and then is for closing out the year's open threads and for starting the year ahead's reading list.

See everyone in 2001. Have a quiet, safe end of the year.

