Seven years on

Today is the seventh birthday of this notebook.

Following the convention I have established each January, this is a brief reflective post before the year proper begins. Brief in the sense of being shorter than my usual technical content; less brief than recent year-opening posts, because I want to be honest about where I am with the discipline and what I expect from the year ahead.

Seven years

It is, on reflection, slightly remarkable that I have sustained the discipline for seven years. When I started in 1998 I genuinely did not expect to still be writing every week in 2005. The original purpose — forcing myself to finish thoughts I would otherwise leave half-formed — has been fulfilled many times over. The notebook has produced more value for me than I had any reason to expect.

The specific things the discipline has produced:

A cumulative archive. Roughly 350 posts by my rough count. The archive is now substantial enough that I find myself referring to it more often than I refer to external sources. When I want to remember what I thought about a specific topic at a specific time, the post is usually there.

A community. The correspondence the notebook has generated is now, by any reasonable measure, a meaningful professional network. Several friendships have come from it; several collaborative projects have come from it; several pieces of advice I have received from correspondents have substantially shifted my own thinking on specific topics.

A discipline of calibration. The habit of explicit predictions with explicit probabilities has produced, slowly, better forecasting than I had before. The cumulative scoring across years is starting to be useful as a self-knowledge tool.

A platform for engaging with the field. The conferences I attend, the speaking I do, the operational discussions I participate in — all are facilitated by the notebook in ways they would not be without it.

What is changing this year

The operational landscape is different from what I expected when I started. The threat side has matured into a commercial-cybercrime ecosystem; the defensive side has matured into a structural-improvement programme; the conversation between them is more informed than it was.

My own focus continues to shift toward the structural defensive disciplines — internal segmentation, behavioural detection, forensic readiness, robust backup discipline. The reactive response disciplines that dominated my early writing are now necessary baseline; the structural disciplines are where the differentiation is.

For the year ahead, I expect to write more about:

  • The phishing-as-commercial-enterprise maturation and what it means for defenders.
  • Continued Microsoft Trustworthy Computing progress and the structural changes it produces.
  • The mobile-platform threat category, which is starting to materialise after Cabir opened it last year.
  • The DDoS-for-hire phenomenon, which has been growing without much public discussion.
  • The Sony-rootkit-style boundary between commercial software and malware, if anything similar emerges.

What is the same

The weekly cadence. The British English. The internal links. The calibrated humility discipline. The willingness to be wrong publicly and explain it.

The quiet enjoyment of starting the year at the keyboard with a fresh notebook page open and a kettle on. The discipline that has, after seven years, become habit.

A request, again

If you have been corresponding with me, thank you. If you have not, consider doing so. The conversations have been the year's best surprise, every year. The technical questions are useful; the operational stories are useful; the disagreements are useful. Even short notes about specific posts that landed (or did not) help me calibrate.

The address is on the page. The signal-to-noise ratio of the inbox is good; I read everything that arrives.

What I want to do this year

Four specific things, marked as predictions to score at year-end:

Continue the weekly cadence. 95% probability. The discipline is now habit; nothing short of substantial life disruption is likely to break it.

Attend at least four conferences. 75% probability. The budget for travel is bounded but adequate; the value continues to justify the cost.

Speak at at least one conference. 70% probability. I have been doing this annually for several years now; the pattern should continue.

Write more for non-technical audiences. 65% probability. My small-business primer was useful; another piece in similar register would be valuable.

Expand the honeypot deployment. 60% probability. The current /28 setup has been stable; expanding to a /27 or beyond is the natural next step. Cost is modest; benefit is meaningful for research purposes.

A small note on operational rhythm

The past several years have been operationally busy. 2003 was the SQL Slammer / Blaster / Sobig year. 2004 was the MyDoom / Sasser year. The expectation that 2005 will be similarly busy is reasonable; the expectation that it might be busier is also reasonable.

I have been pacing myself for sustained operational work over years rather than for sprints between incidents. The burnout discipline I wrote about continues to apply. Sustainable productivity over years matters more than peak productivity in any specific month.

For anyone reading this who is in the field: take care of yourselves through the year. The work matters; the people doing it matter more. The notebook will continue; the patches will continue; the worms will continue. None of this is more important than your sustained capacity to do the work.

What I expect to remember about this year

Writing this on the 2nd of January, the new year is mostly unwritten. The headlines are unknowable; the specific incidents will arrive when they arrive; the structural shifts will be partially visible by year-end.

What I expect to remember about the year, when I write its end-of-year retrospective:

The specific worms and incidents that hit. There will be several major ones; the count of major ones each year has been roughly stable at 4-6.

The progression of the Microsoft structural improvement programme. Whether the trajectory continues at the current pace, accelerates, or stalls.

The phishing and DDoS-for-hire commercial-cybercrime developments. The economic infrastructure continues to mature; the operational impact will continue to grow.

The specific people I correspond with through the year. The community continues to be the most valuable thing the notebook produces.

More in a week. The first technical post of 2005 will be — depending on what happens this week — either about the spam-and-phishing trajectory or about something newly emerged.

A closing reflection

Seven years of writing has produced a body of work that I am, on balance, proud of. Not every post is equally good; not every prediction has been correct; not every framing has aged well. The cumulative archive is, however, more useful than any individual post and tells a coherent story about the past seven years of defensive computing.

For anyone considering starting their own discipline of regular writing: the value compounds. The first year is hardest; the cumulative benefit of years of practice is substantial. The cost is modest — perhaps two hours per week of actual writing time, plus reading time that I would do anyway.

The specific mechanics matter less than the consistency. Writing weekly, even modestly, produces more value than writing brilliantly but irregularly. The discipline is the thing.

More in time. Happy new year to anyone reading.

A longer reflection on the seven years

Let me extend this birthday post with a more substantive reflection on the cumulative effect of seven years of weekly writing. I have been thinking about this through the past few weeks; the writing-down forces clarity.

What seven years has actually produced

The most concrete output is the archive itself. Roughly 350 posts across all categories — technical, operational, reflective, predictions, retrospectives. The archive is searchable; each post links to others; the whole thing forms a connected body of work that I find myself referring to more often than I refer to most external sources.

The second concrete output is correspondence. I currently have ongoing email correspondence with somewhere between 40 and 60 individuals — an order of magnitude more than I had any reason to expect when I started. The conversations cover a range of topics; the most useful are the ones where someone disagrees with a specific post and explains why. The volume is bounded enough that I can keep up; the value is substantial.

The third concrete output is, I think, harder to describe but is the most important. The discipline of writing weekly has changed how I think about the work. The act of articulating a position publicly, with the awareness that someone might push back, forces a level of rigour that internal thinking alone does not produce. I am, by my own assessment, a better thinker than I was before the discipline.

What the discipline has cost

Not much. The weekly writing takes perhaps two hours of dedicated effort, plus reading time that I would do anyway. The cumulative time investment over seven years is, in absolute terms, significant — perhaps 700 hours — but distributed across years it is comfortable.

The specific costs that have been more substantial:

Some social costs. I have, on a few occasions, written things that produced friction with employers, clients, or specific individuals. Each instance was bounded; the cumulative cost has been small; I would make most of the same choices again. Writing publicly about technical practice involves saying things that some people find uncomfortable; the social cost of saying them is part of the discipline.

Some opportunity cost. Time spent writing is time not spent on other activities — reading research papers I could have read, side projects I could have built, family time I could have spent. The opportunity cost is real but bounded; the activities I am choosing not to do are not, on the whole, more valuable than the writing.

The weight of accumulated commitments. Each post produces small commitments — to follow up on specific topics, to score predictions, to revisit themes after some time has passed. The accumulated commitments are now substantial; tracking them is its own discipline; occasionally I miss commitments and have to acknowledge it publicly.

What I have learned about my own writing

Four specific things.

I am better at concrete cases than abstract argument. Posts with specific honeypot captures, specific incidents, specific configurations are stronger than posts that try to argue general points. The general points are usually correct but read worse.

My voice has stabilised. The early posts were less consistent — sometimes formal, sometimes casual, sometimes hedged, sometimes assertive. The voice has converged toward a stable register: technical, calibrated, British English, occasionally personal but rarely indulgent. The stability is a function of practice.

I am over-confident on threat-side predictions and approximately calibrated on defensive-side predictions. The pattern is visible across multiple years of scoring. I have been compensating for this in recent prediction lists; the compensation is producing better calibration.

I am better at structural arguments than at specific operational advice. Posts that frame structural patterns are more useful for me to write than posts that prescribe specific actions. The specific actions are situation-dependent; the structural patterns are generalisable.

The discipline I most want to keep

If I had to identify a single aspect of the writing discipline that I most want to sustain over the next decade, it would be the calibrated humility discipline — the willingness to be wrong publicly, to score predictions honestly, to update my views explicitly when evidence accumulates.

This discipline is, I increasingly think, the most valuable thing I have learned from the seven years. Most public writing in the security field is too confident; the calibration discipline is rare; the cumulative effect of being one of the few writers practising it is meaningful for trust-building over time.

For anyone reading this who is considering similar writing discipline: the calibration is the part to commit to. The technical content is necessary; the calibration is what produces durable value.

What I do not yet know about the next seven years

The specific topics will be unpredictable. The technologies will change; the threats will evolve; the operational practices will mature. The notebook will track these as they emerge.

The career trajectory will continue to evolve. The recent transition to consulting is the most substantial change in nine years; the next decade will probably include further transitions.

The community will continue to be the most rewarding aspect of the work. Specific relationships will deepen; new correspondents will appear; some current correspondents will move on. The cumulative network is more valuable than any individual relationship.

The discipline will, on the available trajectory, sustain itself. The cost-benefit favours continuation; the habit is firmly established; nothing currently visible would disrupt the cadence.

More in time. Happy new year again.

A note on what readers have meant

A fuller acknowledgement of what readers have specifically contributed to the work over seven years.

The first email I received was in summer 1998, three months after starting. It was a careful technical correction to a specific point I had made about Slackware boot scripts. The correction was right; the post was updated; the reader and I have been in correspondence ever since.

Most of the relationships have grown similarly. A specific post produces a specific email; the conversation continues; the relationship deepens over months and years.

The specific contributions readers have made to the writing:

Technical corrections. When I have got specific facts wrong, readers have told me. The corrections improve future writing; they also build my own understanding.

Operational stories. When I have written about general patterns, readers have shared specific operational stories that illuminate the patterns. The stories cannot always be public; the private knowledge informs my public writing.

Disagreements. When I have written something that other practitioners disagree with, the disagreements have produced better thinking on both sides. I have changed my mind on several substantive points based on careful disagreement from readers.

Calibration feedback. When my predictions or assessments turn out wrong, readers have helped me understand what I missed. The cumulative effect is better calibration over years.

Encouragement during hard periods. Burnout periods have been bounded partly because of readers' supportive engagement. The community matters in ways that go beyond the technical.

For anyone reading this who has corresponded with me over the years: thank you. The work is more rewarding because of the conversations.

For anyone who has not corresponded: consider doing so. Even short notes about specific posts that landed (or did not) help me calibrate.

The address is on the page. The signal-to-noise ratio of the inbox is good; I read everything that arrives.

More in time.

A practical reflection on cumulative writing

Let me close with practical observations for anyone considering similar long-form writing discipline.

The specific mechanics that have made the discipline sustainable for me:

A fixed weekly slot. Sunday evening, after dinner, before bed. The slot is reserved; the discipline does not compete with other priorities; the consistency comes from the time being protected.

A rolling list of topics. I maintain a small text file with topic ideas as they emerge through the week. When Sunday arrives, the topic is usually already chosen; the writing time is for writing, not for deciding what to write.

A modest word target. I aim for 800-1500 words per post in the standard register. Posts that demand more get more; posts that work in less get less. The target shapes the post structure.

Editing the next morning. Sunday-evening writing is not always best; Monday-morning editing catches awkward sentences, missing context, weak conclusions. The day-later perspective improves the writing.

Linking back to past posts. Each new post links to relevant past posts when natural. The cumulative archive becomes a connected body of work; readers can follow specific threads across years.

Resisting perfectionism. Sunday-evening writing produces good-enough posts most weeks. Some weeks the post is better than usual; some weeks it is worse. The consistency matters more than any individual post's quality.

For anyone considering similar discipline: the mechanics matter less than the consistency. Find a slot that works; protect it; sustain the cadence; the cumulative effect compounds.

The seven years of practice have made me a better writer than I would otherwise be. The specific posts vary in quality; the cumulative archive has value beyond any individual post; the network of relationships the discipline has produced is irreplaceable.

For anyone reading this who has been with the notebook for a long time: thank you for the consistency. The discipline is sustained, in part, by the awareness of readers who continue to engage. The work is collaborative even when the writing is solitary.

More in time. Happy new year again.

