The space between Christmas and New Year is good for thinking. I want to write down, briefly, what I expect to be reading and thinking about in 1999, so that this time next year I can come back and see how wrong I was.
The Snort wave
The most interesting thing in my own daily reading right now is the rate at which Snort rules are appearing. Eight weeks ago there were essentially none in public circulation. Today there is a nascent shared ruleset emerging on the mailing list. By summer 1999 I would expect this to be a substantial corpus of community-maintained signatures, with some kind of organised distribution mechanism.
The bigger and more interesting question is what happens when those rulesets get large. Today I run a few hundred rules and my Pentium 75 keeps up. Five thousand rules will not run on a Pentium 75. Ten thousand rules will not run on the 200MHz Pro that everyone is upgrading to. The reason is simple: with the straightforward approach of checking every packet against every rule, the work per packet grows with the rule count, so a ruleset twenty times larger costs roughly twenty times as much on the same traffic. Performance is going to become a serious topic for the IDS world.
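To make the scaling concrete, here is an added example in Python (not Snort's code, and not from this post): a toy matcher for a small subset of the Snort rule syntax that counts how many rules it examines per packet, first with a straight pass over every rule and then after bucketing the rules by protocol and destination port. The hand-written rules, the filler rules and the packets are constructed for the example, and the subset it parses (plain `content:` strings only, no hex content, negation or address checks) is an assumption of the example, not a description of Snort.

```python
"""Toy Snort-style rule matcher: why rule count drives IDS cost.

Added example, not Snort's own code. Parses a subset of the rule syntax,
    alert tcp any any -> any 80 (msg:"PHF probe"; content:"/cgi-bin/phf";)
(assumption: plain content strings only) and compares a naive pass over
every rule with a pass over rules bucketed by (proto, dst port).
All rules and packets below are constructed for the example.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')

def parse_rule(text):
    """Parse one rule line into the fields the matcher needs."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts = dict(OPT_RE.findall(m.group('opts')))
    return {'proto': m.group('proto'),
            'dport': None if m.group('dport') == 'any' else int(m.group('dport')),
            'msg': opts.get('msg', ''),
            'content': opts.get('content', '').encode()}

HAND_RULES = [  # constructed rules in the period's syntax
    'alert tcp any any -> any 80 (msg:"PHF probe"; content:"/cgi-bin/phf";)',
    'alert tcp any any -> any 80 (msg:"test-cgi probe"; content:"/cgi-bin/test-cgi";)',
    'alert tcp any any -> any 25 (msg:"sendmail WIZ"; content:"WIZ";)',
    'alert tcp any any -> any 21 (msg:"ftp SITE EXEC"; content:"SITE EXEC";)',
    'alert tcp any any -> any any (msg:"passwd file access"; content:"/etc/passwd";)',
]
PORTS = [21, 23, 25, 80, 110, 143, 443, 8080]

def make_ruleset(n_filler):
    """Hand-written rules plus n_filler synthetic rules spread over PORTS."""
    filler = ['alert tcp any any -> any %d (msg:"filler %d"; content:"filler%d";)'
              % (PORTS[i % len(PORTS)], i, i) for i in range(n_filler)]
    return [parse_rule(r) for r in HAND_RULES + filler]

# Constructed packets: (proto, dst port, payload).
PACKETS = [
    ('tcp', 80, b'GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n'),
    ('tcp', 25, b'HELO attacker\r\nWIZ\r\n'),
    ('udp', 53, b'\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00'),
]

def header_matches(rule, proto, dport):
    return rule['proto'] == proto and rule['dport'] in (None, dport)

def match_naive(rules, packets):
    """Every packet against every rule. Returns (alerts, rules examined)."""
    alerts, examined = [], 0
    for proto, dport, payload in packets:
        for r in rules:
            examined += 1
            if header_matches(r, proto, dport) and r['content'] in payload:
                alerts.append(r['msg'])
    return alerts, examined

def build_index(rules):
    """Bucket rules by (proto, dport); the None bucket holds 'any'-port rules."""
    index = defaultdict(list)
    for r in rules:
        index[(r['proto'], r['dport'])].append(r)
    return index

def match_indexed(index, packets):
    """Only the packet's own bucket plus the 'any'-port bucket is examined."""
    alerts, examined = [], 0
    for proto, dport, payload in packets:
        for r in index.get((proto, dport), []) + index.get((proto, None), []):
            examined += 1
            if r['content'] in payload:
                alerts.append(r['msg'])
    return alerts, examined

def compare(n_filler):
    """Return (alerts, naive examined, indexed examined) for the same inputs."""
    rules = make_ruleset(n_filler)
    a1, n1 = match_naive(rules, PACKETS)
    a2, n2 = match_indexed(build_index(rules), PACKETS)
    assert sorted(a1) == sorted(a2)  # both strategies must agree on alerts
    return a1, n1, n2

if __name__ == '__main__':
    for n in (300, 5000, 10000):
        alerts, naive, indexed = compare(n)
        print('%6d rules: naive examined %6d, indexed %5d, alerts %s'
              % (n + len(HAND_RULES), naive, indexed, alerts))
```

Running it shows the naive pass examining three times the rule count for three packets, growing linearly with every rule added, while the bucketed pass examines only the rules that could apply to the packet's port. Bucketing by port is a standard technique used here as illustration, not something the post proposes; it does nothing for the cost of the content searches within a bucket, which is the next problem a large ruleset runs into.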
Honeypots becoming a category
I do not think honeypots will still be a curiosity twelve months from now. The Deception Toolkit was the start. There are mutterings of more sophisticated tools coming. Lance Spitzner has been writing about them at Sun. I would not be surprised to see a serious, well-maintained open source honeypot project by year-end, the way Snort has emerged in the last few months for IDS.
The interesting question is whether honeypots find a serious operational role, or remain primarily a research instrument. I think the operational case is going to make itself in time, but it is not yet obvious to most operators why they should run something whose only job is to be lied to.
The Y2K question
Everybody is going to write about Y2K next year, so I will keep this brief.
The scenario where every system breaks at midnight on the 31st of December 1999 is the one the press is selling. It is not going to happen. Most systems handle dates correctly. Most that do not handle dates correctly will produce wrong-but-survivable output.
The scenario I am more interested in is the security implication of the remediation work. There is enormous pressure right now to push Y2K patches into production systems on tight timelines, with reduced testing. That is exactly the environment in which security regressions sneak in. I expect 2000 and 2001 to see a steady drip of "this thing turned out to also have a security problem because of the rushed Y2K fix."
It is not a story you can write today. It is the kind of thing you can position yourself to spot when it shows up.
My own list
Three things I want to do.
First, write more rules for Snort and start submitting them to the public ruleset.
Second, build a small honeypot of my own using the things DTK has taught me, and see whether I can make it useful enough to write about.
Third, get serious about the C side of the toolchain. Reading Perl source has been fine but the things I want to look at next — Sendmail, Apache, the kernel itself — are all in C, and my C is rusty.
A short word of thanks
If anybody is reading this who I do not know personally, thank you. I started writing this because I thought it would help me remember. It has, but it has also forced me to actually finish thoughts that would otherwise have died as half-sentences in a margin. The notebook-in-public format has worked better than I thought.
New year. New kernel. New ruleset.
See you in 1999.