The notebook is thirteen years old today. There is nothing especially significant about thirteen except that it is the second prime in a row I have crossed without thinking, and that I am sitting at the same kitchen table where I wrote the first post in 1998 with a different kettle and considerably better coffee. What follows is the usual indulgence of looking at the year just ended and making some notes about what I want to do this year.
2010 was, on balance, the year I stopped being able to pretend that defensive computing was a discipline that could be cleanly separated from the rest of the world. Three things put paid to that. Stuxnet — properly understood once Symantec's dossier landed — was the moment the field stopped being able to say that nation-state cyber-weapons were a theoretical category. Whoever built it, and at this point I am inclined to agree with the people who think the answer is two countries rather than one, had spent person-years on a piece of malware whose only goal was to break specific centrifuges in a specific facility. The implication for the rest of us is that the engineering capability for that kind of precision now demonstrably exists, which means the engineering effort to defend against the diluted commercial-cybercrime version of it has to start now, and will be, by definition, behind. Aurora earlier in the year made the same point on the espionage side. Stuxnet is the one I expect to write about most through 2011 because the analysis is still emerging — Ralph Langner's reverse-engineering work in particular keeps producing things I had not understood the previous week.
The second thing was WikiLeaks and the response to it, which in late November and December escalated from a publishing operation into something stranger: a financial blockade by US payment processors, an Anonymous-driven volunteer-DDoS counter-blockade, the shutdown of WikiLeaks' EveryDNS account, and a global mirror-and-replicate response that meant the cable archive was, by Christmas, more available rather than less. This is not how I expected to spend December. The cyber dimension is small but instructive. The volunteer-DDoS work using LOIC was, technically, trivial. Politically it was the first time hundreds of thousands of people who do not normally think of themselves as part of internet infrastructure decided to express a political view by directing traffic. Whatever shape that finds in 2011, it is going to colour some part of my client conversations.
The third thing is Tunisia, which I am watching as I write this, because the Sidi Bouzid demonstrations are now in their third week and Mohamed Bouazizi is still in critical condition in the Ben Arous hospital outside Tunis. Anonymous announced something they are calling Operation Tunisia in the last forty-eight hours. I do not yet know whether this becomes anything, but a mid-sized Arab state with an authoritarian regime and a substantial educated population on Facebook is exactly the kind of test of last December's pattern that I would have predicted needed to happen in 2011, and here we are on day two of the year. I will write more when the shape is clearer.
The discipline I am bringing into 2011 is sharper than 2010's. Three things. First, privacy and encryption — and I mean these as engineering disciplines rather than as policy positions. Stuxnet and Aurora point to the same defensive answer in different shapes: get the cryptographic state out of places where attackers can read it, get the credentials off the wire, and stop pretending that "internal network" means anything when sufficiently motivated outside actors can join it. I am going to write more about TLS deployment in earnest, about how shaky the certificate-authority infrastructure still feels, and about the particular mess of practitioner-grade OpenPGP key management. Second, penetration testing — both because the consultancy work has shifted that way and because the engagements I am running through Hedgehog continue to find the same five categories of issue across very different clients, which suggests a methodology piece is overdue. Third, TTPs as a research focus. Most of what is published as malware analysis is the analysis of one sample, which is what tooling produces. The interesting work is across samples and across campaigns: where do the same tradecraft choices appear, what do they tell you about the operator behind them. I want to spend more time on this in 2011 than I spent on it in 2010.
For Hedgehog, year three is the year scaling stops being abstract. I have been single-handed since April 2009, and although the secondment portfolio means the practice has more reach than it would otherwise, the actual delivery capacity is one me. I have been talking on and off through the autumn with two people about whether either or both come in this year. I do not know yet whether that resolves into hires, into partnerships, or into deferred-again. I would like to have decided by Easter.
For the notebook, the discipline has been weekly for thirteen years and I am not minded to change it. The cadence will continue. The reading is denser than it was; the writing is sharper than it was; the correspondence is, on a good week, the best part of the work.
The first technical post will probably be Stuxnet, depending on whether anything immediately breaks elsewhere. Happy 2011 to anyone reading.