BIND 9 first impressions
BIND 9 has been released. After a fortnight of running it on my secondary nameserver, the architectural improvements are real and the operational migration is manageable. A first writeup.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged operations — 11 results.
Snort 1.7 has been released as stable. Three months of using the beta on my own sensor has given me confidence to deploy. A short note on the upgrade and on what is now operationally feasible.
A friend at a small consultancy had a serious compromise this month. Helping them with the response taught me three lessons about forensic readiness that I have not been applying to my own infrastructure. Time to fix that.
ISC has released BIND 8.2.3 with another set of security fixes. The catalogue of BIND advisories now reads as its own small genre. A short note on what is new and on what the steady drumbeat of advisories implies.
A week into the new year. The reports of what actually broke on the night, and what is breaking quietly now. The story is not what the press is telling.
Two weeks out. The systems are patched. The plans are written. Here is what I am actually doing on the 31st, and the small list of things I am still slightly worried about.
After two years of running my own infrastructure, my backup discipline has gone through three iterations. The third one, I think, is finally adequate. A walk through what changed at each stage, and why.
After a year of advisories and patches, the gap between 'we patched the bug' and 'we are not vulnerable' is wider than I had appreciated. A walk through the failure modes that survive any patching regime.
After a year of wrestling with grep against unstructured Apache logs, I have started building applications that produce structured logs by design. The exercise has changed how I think about what a logfile is for.
Vulnerability assessment and penetration testing are different activities. The gap between them is where most operational security actually lives. A walk through the difference, and what each is good for.
MRTG, the Multi Router Traffic Grapher, is the simplest graphing tool I have ever used and the one I now reach for first. The discipline it forces — write down what 'normal' looks like for everything that matters — is more useful than the graphs.