Midyear reflection 2001

Half-year again. Time for the midyear reflection — what has happened, what has surprised me, where the predictions stand, what to focus on for the remainder of the year.

What has happened

A short list of significant events from H1 2001:

The pattern: the threat trajectory continues to extend across more platforms and more methods. The defensive trajectory continues to slowly improve via tooling and discipline.

How my predictions are doing

From my January predictions list, with status at midyear:

1. Auto-propagating Windows worm in 2001. 85% probability. Status: in progress; Code Red and similar appear to be brewing in the public exploit space. Likely to resolve affirmative in H2.

2. The worm targets HTTP or SMB. 75% probability. Same status as 1.

3. Major commercial-site DDoS exceeding Mafiaboy. 70% probability. No specific incident yet; multiple campaigns continue at lower scale. Probably resolves in H2.

4. Practical public WEP-key recovery tool. 75% probability. AirSnort released in early summer, FMS-based attacks now public. Resolved affirmative.

5. Mass-mailing worms continue at one-per-quarter. 80% probability. Ramen and AnnaKournikova in Q1; nothing major yet in Q2. Track is broadly correct.

6. A specific Linux worm beyond script-kiddie level. 55% probability. Resolved affirmative (Ramen and Lion). The 55% was clearly under-confident.

7. Microsoft default attachment blocking. 65% probability. Outlook 2002 (Office XP, May 2001) ships with default attachment blocking for many extensions. Resolved affirmative. This is an important shift.

8. Microsoft Trustworthy Computing-style initiative. 50% probability. No public commitment yet. Probably H2.

9. BCP 38 peering norm at major carriers. 60% probability. No specific public commitment yet; ongoing operational pressure.

10. Honeynet major cross-operator paper. 80% probability. First papers shipped; cumulative analysis paper in progress.

11. Linux 2.4 mainstream production. 90% probability. Resolved affirmative. Major distributions shipped 2.4 as default.

12. Snort 2.0 public development. 70% probability. Discussions happening on the lists; not yet a formal 2.0 branch. Probably H2.

Net score so far: 4 affirmative, 0 negative, 8 in progress. The affirmatives are roughly on the predicted timing; one (WEP) is faster, three (Linux 2.4, Outlook attachments, Linux worm) are on track or slightly faster. No negative resolutions yet.

What has surprised me

Two things.

Microsoft shipped the Outlook attachment blocking faster than I expected. The 65% probability with a year-end deadline was conservative; the actual ship was Q2. The pressure post-ILOVEYOU and post-AnnaKournikova produced visible change. This is encouraging for the structural-improvement hypothesis.

The wireless attacks reached practical tooling earlier than I expected. AirSnort turns the concern in my March 2000 wireless writeup into operational reality. WEP is now broken in the deployment sense; new wireless deployments need to assume any WEP key is recoverable.

What I have done

For my personal predictions:

17. Four conferences in 2001. Two so far (Manchester December 2000 and Birmingham March 2001). On track.

18. Speak at one conference. Not yet committed. Need to do this in H2.

19. Honeypot expanded to /28. Done in March, ahead of June deadline.

20. Small-business-oriented piece. Not yet started. The data classification post was a step toward it; the broader piece is still pending.

21. Notebook continues weekly. On track.

What I want to focus on for H2

Three things.

Continuing detection-and-response writing. The adversary-emulation engagement was particularly informative. More posts in this category would be valuable.

The IIS-targeted worm when it appears. I expect Code Red or similar to hit during H2. Writing around it will take attention; worth being prepared.

The small-business piece. I have been talking about it for too long. Time to actually write it.

More as H2 develops. The next regular post will be on structured logs at scale, which has been on my mind.
