Christmas-week again. The end of four years of writing this notebook. Time for the quieter end-of-year post — not the structured retrospective and not the predictions list, but the more reflective notes.
What the year has been
A hard one, in ways I had not anticipated when I started writing.
The events of 11 September shaped the autumn in a way that had nothing to do with the technical work. Several people in my correspondence circle were directly affected. The technical writing felt small for some weeks afterwards.
The operational tempo has been substantially higher than any previous year. Code Red and Nimda alone produced months of cleanup work for the people I help. The cumulative cost of staying current has been visibly larger than 2000.
The writing discipline has held. Fifty-some posts, mostly on the planned cadence, with the September quietness reflecting the broader context. The notebook continues to do what I asked of it.
What the work has become
Four years in, the work is genuinely different from what it was when I started.
The audience has continued to grow slowly. The correspondence has become a substantial part of the work — answering questions, having conversations, occasionally helping directly with someone's problem. The notebook is no longer just a private discipline.
The community of practice is real. Several of the people I correspond with are now genuine friends. The conferences I attend are reunions in addition to learning events.
The writing has become more careful, more calibrated, more honest about uncertainty. The discipline of scoring predictions has fed back into the writing in ways that improve everything else. I am, on the available evidence, a slightly better thinker than I was four years ago.
The conference speaking is an addition I would not have predicted in 1998. The format is different from writing; the practice has been valuable.
What the year did to my mental model
Three things have shifted.
The economic infrastructure of cybercrime is now visible. The compromised-host market, the persistent-backdoor reuse, the professional phishing operations — these are not future trends. They are operational realities. The threat model has structurally changed.
The vendor side is not hopeless. The Microsoft signals are the most serious vendor security commitment I have seen in this notebook's lifetime. The probability that 2002-2005 will produce visibly more secure mainstream products is higher than I had expected.
The defensive coordination is improving slowly. The Honeynet Project, the SANS Internet Storm Center, informal carrier coordination, BCP 38 deployment — each is incremental. The cumulative trajectory is positive.
What I want to say to readers
A few quiet things, similar to last year.
Thank you for reading. The conversations the notebook has produced have been the year's best surprise, every year. The notebook would be sustainable for me regardless; the readers make it more rewarding.
Disagree with me. Several of this year's most useful corrections came from readers who pushed back on specific posts. The space of helpful disagreement is large; please continue to use it.
Take care of yourselves. The pace of this year has been hard for many people, in this field and outside it. The work matters; the people doing it matter more.
What I am doing for Christmas
Nothing dramatic. The infrastructure is humming along quietly. The honeypot caught one moderately interesting capture last week — a careful enumerator, similar pattern to others I have seen. I will write it up properly in January.
The family is visiting for Boxing Day. The notebook is closed for the rest of the week. The Linux kernel is compiling something; if it is interesting, I will write about it next year.
What 2002 looks like from here
The predictions are written down. The discipline is in place. The infrastructure is healthy. The community is supportive.
The specific year ahead will be characterised, I expect, by responses to 2001's events. Microsoft's structural commitments will or will not materialise. The next worms will or will not exceed Nimda's scale. The defensive-coordination work will continue to slowly improve.
The notebook will continue. The thinking will continue. The community will continue.
New year, new notebook, on the standard cadence. I will be at the keyboard at midnight on the 31st as usual, for old times' sake. The systems are quiet. The week between now and then is for closing out the year's open threads.
See everyone in 2002. Have a quiet, safe end of the year.