Six months into a year I expected to be busy. Time to take stock at midyear — what the past six months have actually held, what has surprised me, and what I want to do with the second half.
What has happened
A short list of things from the first half of 2000 that I will probably remember:
The Mafiaboy attacks. Yahoo, eBay, Amazon, CNN all hit by distributed denial of service in February. The category change has been comprehensive. "Distributed denial of service" is now a phrase that ordinary newspapers use without explanation. The defensive infrastructure is being built; it is not yet adequate.
ILOVEYOU. The May 4 worm. Globally, by some distance, the most damaging single piece of malware to date. Fifteen billion dollars of cleanup, mostly in productivity loss. The structural fixes Microsoft would need to ship are not yet shipping.
The Honeynet Project went public. After a year of operating as a private mailing list, the formal organisation announced this month. The first papers are imminent.
Wireless became a real concern. 802.11b deployment has accelerated; my own first capture experiments were sobering. WEP is being shown to have weaknesses; full operational breakage is probably 12-18 months away.
Linux 2.4 progressing. The development tree has matured to the point of imminent release. Netfilter is the new firewall framework; the transition from ipchains will dominate the next year of Linux deployment work.
What has surprised me
Three things, ranked by how much.
The pace of platform change is glacial. I predicted in May that Microsoft would ship structural fixes against mass-mailing worms over the next several years. I underestimated how slow the industry actually moves. Even after ILOVEYOU's $15-billion cleanup, the default Outlook configuration still allows unrestricted scripting, the default Windows shell still hides extensions, the structural fixes are still in the future tense.
The gap between what would help and what gets shipped is wider than I had appreciated. The vendor incentives that produced the gap are not changing fast.
The DDoS response is more coordinated than I expected. I predicted in February that coordinated industry response would emerge. It has, faster than I expected. Several major US carriers have started enforcing source-address validation in peering agreements. The major DDoS-mitigation companies (which have appeared this year — these are new companies) are operating at scale. The capacity-based defence is being deployed rapidly.
This is slightly heartening. The structural problem of DDoS is not solved, but the operational defence is forming faster than the offensive evolution of toolkits like Stacheldraht.
The honeypot data is more interesting than I had hoped. I had expected to capture mostly automated probes and the occasional moderately skilled session. The actual capture mix has included a careful weeks-long compromise sequence that surprised me with its discipline. The third quintile of attackers is more capable than I had assumed.
What I have done
For the discipline I committed to at the start of the year:
The honeypot project: largely on track. Five months of running, multiple meaningful captures, and a working integration with the structured-logging infrastructure. The Honeynet Project's tooling will, I expect, let me upgrade my own setup later in the year.
Wider technical depth: partially on track. I have read Snort 1.7 source and the netfilter design carefully. I have not yet got to OpenSSH source or to a non-Linux TCP/IP implementation. Both are still on the list.
Conferences and meeting people: not on track. I have not attended a single conference this half. The honest reasons are that they cost money I had not budgeted, and that I have been busy with other things. I am going to try to fix this in the second half — even one event would change my pattern of disconnection from the broader community.
What has changed for me, professionally
A quiet thing that has been happening over the past six months: I am increasingly being asked for help by people I have only encountered through the blog. The forensic-readiness post about my friend's incident is one example; the friend is a long-time reader. Several similar conversations have happened.
This is a shift from the blog being a one-way notebook to being something more interactive. The shift has been gradual and I am not sure how I feel about it yet. The technical conversations are good — the help I am giving is genuine and the people receiving it are competent practitioners with specific operational problems. The time cost is real — answering a serious technical question by email or phone takes hours, and the inbound rate has grown.
For the second half of the year I am going to be slightly more deliberate about how I respond. The criterion I am going to apply: questions that produce a post are valuable both for the asker and for the broader audience. Questions that are purely private — though I am happy to answer briefly — get less attention than questions that suggest a piece of writing.
This is partly a self-protection measure and partly a preference. The publishing discipline is, on the available evidence, my highest-leverage way of being useful.
What I want to do over the next six months
A short list, written down for end-of-year scoring.
Linux 2.4 deployment in production. Once 2.4.0 ships and stabilises, I will migrate at least my home firewall and one production host to the new kernel. The netfilter migration is the most consequential change.
A serious read of OpenSSH source. Especially the new SSH-2 protocol implementation. The cryptographic code is critical infrastructure; understanding it at source level is overdue.
Honeypot analysis at the cumulative level. Five months of captures is a useful corpus. I want to write a structured analysis of what the captures show — patterns of attacker behaviour, distributions of skill levels, common command sequences. This is the kind of writing the Honeynet Project will be doing publicly, and I want to do my own version for my own data.
At least one conference. Even a small UK gathering. The point is to break out of the writing-in-isolation pattern.
Wireless attacks in detail. I expect to be writing about specific WEP attacks by year-end. The research is converging on practical tools; I want to be ready to write about them when they appear.
What I have learned that I did not know in January
Three things, in increasing order of generality.
The threat actor population is more economically motivated than I had appreciated. The third honeypot capture showed me an attacker installing a spam relay. This is not espionage; it is commercial use of compromised hosts. The cybercrime economy is forming, with attackers as a paid workforce rather than ideologically-motivated individuals. The dynamics of this economy will dominate the next several years.
Operational discipline matters more than technique. I have spent a lot of time writing about specific techniques — rule writing, log analysis, kernel reading. The single biggest determinant of how a real organisation responds to an incident is whether they have a discipline — written procedures, named roles, off-host evidence. The technique is necessary; the discipline is what makes the technique useful in the moment.
The notebook continues to teach me more than anything else. The act of writing for an imagined reader, week after week, has shaped my thinking more than any other single activity. The shape is not toward more confidence; it is toward more calibration — clearer distinctions between what I know, what I have read, what I am guessing, and what I do not know. The discipline is one I would recommend to any practitioner. It is also one I expect to continue, indefinitely.
More in the second half. The year is shaping up to be substantial enough that the year-end review will have plenty to report.