Happy 20th Birthday TaoSecurity Blog
Happy 20th birthday TaoSecurity Blog, born on 8 January 2003.
Thank you Blogger
Blogger (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's Schneier on Security is the main one that comes to mind. If not for the wonderful Internet Archive, many blogs from the early days would be lost.
In my 15 year post I included some statistics, so here are a few, current as of the evening of 7 January:
I think it's cool to see almost 29 million "all time" views, but that's not the whole story.
Here are the so-called "all time" statistics:
It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years.
I don't know what happened on 20 April 2022, when I had almost 1.5 million views?
Top Ten Posts Since January 2011
Here are the top ten all time posts:
I'm really pleased to see posts like Security and the One Percent: A Thought Exercise in Estimation and Consequences and Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem in this list. We've had some discussion on these topics since I posted them in the fall of 2020, but not enough. The 99% continue to suffer at the hands of adversaries and those in the security 1% who ignore them.
The Monetization Experiment
I ran an advertising experiment from April 2021 through December 2022. I "earned" $116.96 by February 2022 and $104.39 by December 2022. I don't have view numbers for that whole period, but for calendar year 2022 I attracted a little over 7.5 million views. You can see that I earned about 1.4 x 10^-5 dollars per view. I disabled ads at the end of December.
From Twitter to Mastodon
One big change I can discern since my 15 year post is that I have now abandoned Twitter and migrated to Mastodon. You can find me at infosec.exchange/@taosecurity. My current Twitter follower count is about 59.7k, down from just over 60k. My current Mastodon follower count is 1.9k. I don't really care about followers, but I figured I would capture these numbers to see if there is any change in the next five years.
The Latest Books
I spent the early years of the pandemic collecting my 3,000 or so favorite blog posts into a four volume set called The Best of TaoSecurity Blog. I'm really pleased with these books, available via Amazon in print or digital format. They include original posts, but each receives commentary with modern thoughts on the original content. The fourth volume includes material not found in the blog, such as unpublished writings from my abandoned War Studies PhD program or Congressional testimonies.
It looks like Amazon is randomly running a promotion on volume 2 of The Best of TaoSecurity Blog while I am writing this post. The print edition is regularly $19.95, but it's currently priced at $7.89. I don't know how long it will last, but if you're interested please check it out.
I also co-wrote and published a book on stretching with a subject matter expert -- Reach Your Goal: Stretching & Mobility Exercises for Fitness, Personal Training, & Martial Arts.
Thanks to ARB for taking the excellent photos!
I have been working at Corelight since August 2018. Our Corelight network security monitoring platform is really amazing and I suggest everyone check it out. We continue to have big plans for the future.
Since 2018 I have assumed the communications role for the Zeek network security monitoring project. Besides posting announcements to Mastodon and LinkedIn, I also share interaction and admin duties for our Slack, Discourse, and YouTube sites. I'm working with the leadership team on strategies for growing community size and involvement in 2023 and beyond.
During the last five years, I earned a black belt equivalent in Krav Maga Global (the system uses patches, not belts) and a blue belt in Brazilian Jiu-Jitsu (helping me to survive grappling with Jeremiah Grossman at the 2019 BJJ Smackdown during Black Hat). I've retired from practicing martial arts, for now at least. However, my Martial History Team project continues, with plans through June 2025.
I read a ton of books every month, but almost none have to do with technical security topics. My interests include US Civil War history, general military and nation state strategy, unidentified aerial phenomena, airpower, science, intelligence, and other topics. I have a strict monthly schedule and thus far have been able to stick to it for the last 16 months. I don't write reviews anymore, but I do write surveys for the martial arts books -- 36 so far.
Finally, in 2022 I returned to one of my childhood hobbies, first begun in the fall of 1982 -- tabletop roleplaying games. I've been informally studying science fiction RPGs since the beginning of last year, potentially to begin another PhD program. I think it would be interesting to research a history PhD involving science fiction RPGs. I don't say much publicly about this, although I do have a Mastodon account for Science Fiction TTRPGs. I've also been playing in an online Star Frontiers campaign with a group scattered throughout the US.
As you might discern, I'm expressing myself in many different venues. As a result, I don't feel the need or desire to post here, at least not that often. In 2003, most of the platforms mentioned in this post didn't exist. Blogs were the hot new communication medium. Prior to that, security people published "white papers" in text form to sites like Packet Storm! (Check out two of my entries here. Those are the PDF versions.)
As far as security goes, I mostly care about the operational/campaign and higher levels of conflict, e.g.:
In my opinion, the tactics used by intruders and defenders, and even most of the tools, have not really changed in the last 10 years, and definitely not since 2018. The operations/campaigns and strategies used by both sides haven't really changed either.
There are a few exceptions, like the massive SolarWinds supply chain compromise Mandiant discovered and published in December 2020. Ransomware has definitely ramped up to gross levels since 2018. However, there haven't been any game-changers as far as how offense and defense interact.
Sure, way more processing is done in the cloud, and just about everything is running a vulnerable computer. However, no one on the offensive or defensive sides has significantly innovated to alter the way the two parties interact. Until that changes, security for me is largely a less interesting, but still unsolved, wicked problem.
Thank you to everyone who has been part of this blog's journey since 2003!