Writing this at 22:00 GMT on the 31st of December 1999, with two hours to go before midnight. The Slackware box is humming in the corner. The tcpdump is running. The logs are tailing on a separate terminal. The kettle is on.
A few short notes, mostly to mark the moment.
The year that was
Looking back, I have written 51 posts on this notebook in 1999. The cadence has settled into something close to one a week, with occasional doubles when a news story demanded it (Melissa, the Minnesota DDoS, this week's Stacheldraht), and a few off-cadence reflective ones that I would not be embarrassed to reread.
The topics have tracked, broadly, the year's actual threat landscape. Email worms became routine. Distributed denial of service emerged. BIND and wu-ftpd had punishing years of advisories. Snort became a real project. The Honeynet conversation coalesced into something serious. Y2K, looming through the whole year, is about to resolve, one way or the other, in two hours.
The predictions I wrote at the start of the year were mostly right in direction, mostly understated in pace. The Snort ruleset has matured faster than I expected. The DDoS evolution has been faster than I expected. The Y2K security implications I am only just starting to see. The disclosure conversation has moved less than I expected. The honeypot category is forming, slowly.
The reflection on humility I wrote in June still feels right. I have tried, since then, to write with more honest uncertainty. Some posts have been better for it. Others have been over-hedged. The calibration is a slow improvement.
What I have learned, broadly
A short list, off the top of my head, sat at the keyboard with the kettle still boiling.
The structural problems of the field — monoculture, default configurations, patching latency, asymmetric economics — are larger than any individual technical problem. The field's progress is bottlenecked on coordination, not on technique.
Defenders cannot win on technique alone. The discipline is to contribute to the structural improvements while doing the unglamorous patching, monitoring, and segmentation that holds the line in the meantime.
The gap between knowing what to do and reliably doing it is bigger than I had thought. Most operators, including me, are doing 60% of the right things on 80% of the days. The aggregate effect is the threat landscape we have.
The open-source security tool ecosystem has matured into something genuinely useful. The commercial tools are no longer obviously better. For an individual operator, the open-source stack is now competitive with anything I could buy.
Reading is, dollar-for-dollar, the highest-leverage activity I do. Bugtraq every day. Phrack when it appears. The kernel source when something is unclear. Two hours of reading is worth a week of guessing.
What I am going to do in the new year
The honeypot project is the largest single thing I want to make progress on. It is going to take months to set up properly. I want to be writing about specific captures by midyear.
The SSL deployment is something I want to actually finish — meaning, every public service I run is over HTTPS by the end of January. The Personal CA setup made this easy; what is left is mostly the discipline of doing it.
The structured logging discipline needs to expand to every service I run. Most are now structured. A few still produce prose. By March, all of them should be uniform.
The writing itself: I want to keep doing it. The cadence has worked for me. The discipline of writing has clarified my thinking enough that I will keep writing whether or not anyone reads. That is the right relationship between writer and notebook.
To anyone reading
If anyone has been reading this regularly, thank you. Some posts have prompted email correspondence that has been the year's best surprise. People I have not met have written with corrections, suggestions, links to things I should have read. Several have become regular correspondents.
I started writing 24 months ago, on my birthday, partly as a discipline and partly as a hope that someone might find it useful. The discipline has been useful to me whether or not anyone has read. That anyone has read at all is a bonus, and I want to acknowledge it.
Closing
The kettle has boiled. The tcpdump is still running. The logs are still tailing.
In 1 hour and 56 minutes the year ends. In about 2 hours and 1 minute, depending on how careful Y2K bugs have been, my systems will or will not be the same systems they have been all year.
I am going to make a cup of tea and watch what happens.
New year, new decade, possibly new century. New notebook starts on the second of January, on schedule, on my birthday again, two years on.
Thank you all. See you in 2000.