Two years on, and the notebook continues

Two years ago today I opened a new file and wrote a few hundred words about why I was starting a notebook in public. The premise was that writing for an imagined reader would force me to finish thoughts I would otherwise leave half-formed. Two years later, with the rollover successfully behind us and a fresh year ahead, the experiment has produced enough data to assess.

What worked

The discipline of writing has worked better than the discipline of publishing. The act of sitting down once a week and making myself put a coherent piece of prose together has been, by some distance, the single most valuable thing I have done for my own learning over these two years. It has not made me a better writer in any visible sense. It has made me think more rigorously about the things I claim to understand.

The gap between believing you understand a topic and being able to explain it on paper turns out to be the gap that matters. I have written enough posts now where the act of writing forced me to admit, somewhere around paragraph four, that I did not actually understand the thing as well as I had thought. Each time, the response was to stop, go and read the source, run an experiment on my own machine, and only then continue. The posts produced this way are the ones I am still proud of.

What surprised me

The correspondence. I had not expected anyone to read this seriously. The first emails arrived in summer 1998 and the trickle has not stopped. Over the past two years I have ended up in regular conversation with about a dozen people who I have never met but whose technical thinking I now value highly. Several have become friends. One is now a regular collaborator on small projects. The notebook turned out to be a way of finding people, which was not the point but is now the most valuable side effect.

The other surprise is the durability of the topic. When I started in 1998 I assumed I would run out of things to write about within a year. Instead, the topic has expanded faster than I have. Distributed denial of service did not exist as a real phenomenon when I started the blog. Mass-mailing worms were a curiosity. Honeypots were an academic idea. Two years later all three are operational realities I write about routinely. The supply of material does not look like running out.

What I want to do this year

Three concrete things, as a target to score myself against at year-end.

The honeypot v2 project, finished. I described the design in October. I have made progress over the holiday — the network containment is built, the structured logging is feeding a remote host I do not run any other service on, and the realistic-installation work is started. By midyear I want to be writing about specific captures, not specific design choices.

Wider technical depth. Reading the kernel network stack was the highest-leverage thing I did in 1999. This year I want to do the same kind of careful reading of three more substantial codebases. Top of the list: netfilter, the new firewall framework that will replace ipchains when the 2.4 kernel ships. Below that: a serious read of OpenSSH and a serious read of one well-regarded TCP/IP implementation other than Linux's.

Conferences and meeting people. I have been writing in a fairly closed loop. Most of my technical conversation is over email and on lists. A few of the regular correspondents have suggested I should be turning up at conferences. The smaller UK gatherings probably make most sense for someone like me. Let us see whether I can get to one this year.

What I am not going to do

A few things I want to deliberately avoid.

More predictions. The year-ahead post I wrote in January 1999 was useful as a discipline. The year-end review showed I scored about half right, which is a useful calibration. I am not going to do another full predictions post now — partly because the field is moving fast enough that twelve-month forecasts are getting harder, partly because I prefer to work on the calibration of certainty rather than the volume of predictions.

Reorganising the archive. The notebook has accumulated about eighty posts now. The temptation to retroactively impose categories, tags, an index, would be substantial. I am going to resist it. The chronological order is the order in which I learned the things, and that order has its own pedagogical value.

Writing about Y2K. Other people will be writing about Y2K all month. The final notes I wrote are sufficient from my end. I have one wash-up post planned about what actually broke on my own infrastructure, and after that the topic is closed.

A small operational note

Midnight at the keyboard turned out to be uneventful. The tcpdump ran without surprises. The mail relay continued accepting and forwarding mail. The DNS server did not produce a single anomaly in the logs around the rollover. The DSL modem displayed the slightly mangled date in its line-quality reports that the manufacturer had warned about, and otherwise behaved.

For anyone whose own rollover was eventful, my sympathies and good luck. For everyone else, welcome to the new year.

Notebook continues. Eight more posts a month, on the standard cadence, for a year. See where we are at the end of it.

