Six months into 2002. Time for the midyear reflection.
How the predictions are doing
From the January list, with status:
1. Auto-propagating worm comparable to Nimda. 85% probability. Status: not yet. Klez continues but is not new; nothing of Nimda's scale has appeared.
2. SMB-based worm. 70% probability. Status: not yet.
3. Mass-mailing worms continue. 90% probability. Status: AFFIRMATIVE — Klez variants continue at substantial volume.
4. Significant DDoS attack. 70% probability. Status: not yet; ongoing low-level DDoS activity, but nothing of Mafiaboy scale has appeared.
5. WPA-attacking tool. 25% probability. Status: not yet (and unlikely).
6. Chain-compromise incident. 65% probability. Status: not yet.
7. Trustworthy Computing memo. 75% probability. AFFIRMATIVE — published 15 January.
8. Microsoft Windows pause. 70% probability. AFFIRMATIVE — completed in spring.
9. IIS deployment reduction. 60% probability. Status: trending toward affirmative; data is patchy.
10. WPA / 802.11i progress. 65% probability. Status: in progress; standardisation continuing.
11. Honeynet cross-operator paper. 85% probability by 30 June. AFFIRMATIVE — paper published.
12. Snort 2.0 development. 75% probability. Status: discussions active; no formal branch yet.
What has happened
The major events of H1 2002:
- Trustworthy Computing memo and pause.
- Patch Tuesday cadence becoming routine.
- OpenSSH challenge-response vulnerability.
- BIND 9.2, Snort 1.8, OpenSSH 3.4.
- Klez long tail.
- Honeynet Project paper.
- A relatively quiet worm landscape — the H1 2001 explosion has been followed by a quieter H1 2002.
What surprised me
No major worm in H1. I had been expecting at least one Code-Red-class event by midyear. The defensive response from operators (faster patching, better filtering) and from Microsoft (Trustworthy Computing) appears to have raised the bar enough that the simple worms have been less effective. This is encouraging.
Microsoft is delivering more than I had predicted. The visible improvements — Patch Tuesday, more thorough advisories, the Windows pause — are at the high end of what I had thought possible.
OpenSSH had a serious bug. I had assessed the OpenSSH codebase as careful; the discovery of CVE-2002-0639 (a pre-authentication integer overflow in sshd's challenge-response code, affecting 2.9.9 through 3.3 and fixed in 3.4) is a reminder that even careful codebases have bugs. The structural defences continue to matter: privilege separation, introduced in 3.2.2 and on by default in 3.3, confines the pre-authentication process so that this class of bug yields far less than root.
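For readers running sshd who cannot upgrade immediately, the two sshd_config settings that the OpenSSH advisory named as mitigations are shown below, weak form beside the corrected form. This is an added illustration, not configuration from the original post; the directive names and defaults are those of OpenSSH 3.x as released, and the comments are mine.

```text
# sshd_config, exposed form (OpenSSH 3.3 defaults before the fix):
#   challenge-response authentication enabled, which exercises the
#   overflow-prone code path before any credential is verified.
Protocol 2
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes

# sshd_config, mitigated form, until the host is upgraded to 3.4:
#   disabling challenge-response closes the vulnerable path entirely;
#   privilege separation (default on from 3.3) limits what a compromised
#   pre-auth process can reach if some other pre-auth bug turns up.
Protocol 2
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes

# After editing, reload and confirm the running daemon version:
#   sshd -t           (syntax check of the config)
#   ssh -v localhost  (the banner line reports the server version string)
```

The upgrade to 3.4 is the real fix; the `ChallengeResponseAuthentication no` workaround only removes the vulnerable code path, and it drops S/Key or PAM-style interactive authentication for users who rely on it, so confirm that password or public-key authentication remains available before applying it on a remote host.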
What I want to focus on for H2
Three things.
Continued Microsoft tracking. Windows Server 2003 is in development; IIS 6 is in development; the test of Trustworthy Computing's substance is what these products ship with.
Honeynet contribution. I committed to contributing to the cumulative analysis; the sanitisation work for my data is the bulk of what remains.
The genuinely-difficult writing piece. I committed to one in 2002; I have not yet produced one. Topic still to be determined.
More as H2 develops.