Showing posts from June, 2023

My Last Email with W. Richard Stevens

In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email.

From "Capt Richard Bejtlich - Real Time Chief" Mon Sep  6 18:27:35 1999
X-Mozilla-Keys:
Received: from ( []) by (2.4/2.4) with SMTP id RAA22116 for <>; Mon, 6 Sep 1999 17:27:38 -0500 (CDT)
Received: by (Smail3.1.29.1 #7) id m11O7Ee-000NcwC; Mon, 6 Sep 99 17:27 CDT
Received: from by kinda via smap (V1.3) id sma014865; Mon Sep  6 17:27:36 1999
Received: from by with smtp (Smail3.1.29.1 #6) id m11O7Ed-000VruC; Mon, 6 Sep 99 2

Bejtlich Skills and Interest Radar from July 2005

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC.

Key Network Questions

I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third party repository." This is how I was thinking about Zeek data in the second half of 2018.

1. What networking technologies are in use, over user-specified intervals?
   1. Enumerate non-IP protocols (IPv6, unusual Ethertypes)
   2. Enumerate IPv4 and IPv6 protocols (TCP, UDP, ICMP, etc.)
   3. What is the local IP network topology/addressing scheme?
2. What systems are providing core services to the network, over user-specified intervals?
   1. DHCP
   2. DNS
   3. NTP
   4. Domain Controller
   5. File sharing
   6. Default gateway (via DHCP inspection, other?)
   7. Web and cloud services
3. What tunnel mechanisms are in us

Cybersecurity Is a Social, Policy, and Wicked Problem

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms: “The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.” Other wicke

Core Writing Word and Page Counts

I want to make a note of the numbers of words and pages in my core security writings.

The Tao of Network Security Monitoring / 236k words / 833 pages
Extrusion Detection / 113k words / 417 pages
The Practice of Network Security Monitoring / 97k words / 380 pages
The Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pages
The Best of TaoSecurity Blog, Vol 2 / 96k words / 429 pages
The Best of TaoSecurity Blog, Vol 3 / 89k words / 485 pages
The Best of TaoSecurity Blog, Vol 4 / 96k words / 429 pages

The total is 811k words and 3,330 pages.