Posts

Mandiant Global Median Dwell Time Deteriorates from 11 to 14 Days

Oh snap. My single most important cybersecurity metric deteriorated again. In the M-Trends report for calendar year 2024, Mandiant’s global median dwell time metric worsened from 10 to 11 days. In the newest report, released today, for calendar year 2025, that metric worsened again, from 11 to 14 days. In other words, organizations are taking even longer to detect and respond to intrusions. 10 days was already too much, in a world where teams need to detect and contain in an hour to be effective. I’m not a doomer. We made amazing progress since 2011, when the median global dwell time was over 400 days. But two bad years in a row had never happened. Before last year, the metric had always improved! It’s possible Mandiant is just dealing with ever tougher cases. I have to dig into the full report.

Happy 23rd Birthday TaoSecurity Blog

Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series, published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of that PDF-based fixed format nonsense. Each book is a theme-centric collection of posts with new commentary for each entry. Some of what I wrote stood the test of time, and some did not. See what you think. Or, just scroll backwards through this site. Thank you to Blogspot and Google for hosting this blog for the last 23 years! This is post number 3,094 by the way.

We have achieved FreeBSD 15.0-REL with KDE Plasma

Houston, we have installed #FreeBSD 15.0-REL with KDE Plasma 6.4.5 on a Lenovo ThinkPad X1 Carbon Gen 6 laptop. I have come full circle. I used to daily drive FreeBSD 5.x on a ThinkPad A20p in the early 2000s. Today I used the "technology preview" method for pkg installation, too. I posted this from the laptop, of course!! Thanks to everyone who made this possible, including the parties who made the script to install KDE with one command.

I'm Hosting a New Podcast

I'm hosting a new podcast for Corelight. Check out my first episode with our field CTO, Vince Stoffer. Expect new episodes every two weeks. This is no buddy cop discussion -- max content, minimum banter, in about 15 minutes!

https://open.spotify.com/episode/0SD2gUvIuB65YFmjjtXfTR
https://podcasts.apple.com/us/podcast/corelight-defendrs/id1843154362
https://www.youtube.com/watch?v=IgmZxV2OP9k

Creating a Linux Application Using VSCodium, Cline, OpenRouter, and Claude

In March I created a Windows Application Using Visual Studio Code, Cline, OpenRouter, and Claude. This was a program that created square screen captures. The user doesn't need to manually ensure the dimensions are a square. The program makes the window grow and shrink while keeping the width equal to the height.

In June I created an equivalent program on Linux using VSCodium, Cline, OpenRouter, and Claude.

I provided this prompt, which I derived from the last project.

==

Create a graphical Linux application to take screen captures with the following features:

Square Region Selection: Enforces a 1:1 aspect ratio during region selection
1:1 Aspect Ratio: Ensures all captures are perfectly square
PNG Output: Saves high-quality images in PNG format
Preview: Shows the captured image before saving
Dark Mode by Default: Toggle to light theme if desired
Square Interface: The application window itself uses a square ratio
Default Save Location:...

Company Wrecked by Ransomware Only Spent 120,000 Pounds Per Year on Cyber Security

Do you remember the story of the UK-based logistics company that closed due to ransomware and laid off 730 workers?  Today in an article about a warning to UK businesses about cyber incidents, their “director” said they “were throwing £120,000 a year at [cyber-security] with insurance and systems and third-party managed systems.” That’s the cost of one cyber FTE, and it sounds like they didn’t employ ANY cyber people. This is what I mean by the “security 1%.”  https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html This company was in the 99%, and intruders put them out of business, despite apparently having $100 million in annual revenue?  I never blame victims of intrusions, but the underinvestment in security is appalling. Refs: https://www.bbc.com/news/articles/ced61xv967lo and https://www.northantstelegraph.co.uk/news/people/kettering-haulage-company-knights-of-old-group-goes-into-administration-with-730-redundancies-4349040# ...

Stop Shoddy Academic "Research"

When someone cites one of my works, I get a notice from ResearchGate. Today I got one, from an article from the "IEEE Open Journal of the Communications Society." It cited my first book, which is 21 years old.

The PDF was available.

I noticed the article referenced Prelude, a project I talked about in my first book.

This project has been dead for YEARS. If you visit the link for Prelude in the paper, supposedly visited for research in Feb 2025, it redirects to a gambling site.

If you go to the original Prelude IDS site, it's a disguised gambling site.

I checked with Archive.org and the site was not serving useful content in the timeframe the researchers claimed.

I don't understand how this happens. Stop shoddy academic "research."

Creating a Large Text File Viewer by Vibe Coding with Visual Studio Code, Cline, OpenRouter, and Claude 3.7

I just created another Windows 10/11 application using AI. This is a follow-up to the SquareCap program I posted about a few weeks ago.

The problem I was trying to solve this time was opening and searching extremely large text files.

I used to use the old Mandiant Highlighter program for this, but it was last updated in 2011 and couldn't handle the 26 GB text file I wanted to open.

If you're wondering what that file is, it's a dump of the contents of the main Starfield.esm file from the Bethesda Game Studios game called Starfield. I use the xdump64 program bundled with xEdit.

You can try this program for yourself if you like. It's a stand-alone Windows C# .NET 9 application that runs on Windows 10 and 11.

Like my last program, all I did was work with the model for about 3 hours to get it to where it is now.

I tried for an hour or so to implement a "highlight all search matches" function but could not get that to work.

The screen cap...

Creating a Windows Application Using Visual Studio Code, Cline, OpenRouter, and Claude

I just created a Windows 10/11 application that takes square screen captures. I did zero coding myself but used Visual Studio Code, Cline, OpenRouter, and Claude.

I got the idea by watching a video on so-called Vibe programming by a YouTuber named Memory. I have zero Windows programming experience although I have recently been playing with simple video game development.

After creating the application I was able to use Cline to help me commit it to GitHub. You can find it at https://github.com/taosecurity/SquareSnap/ . Note that if you download the .exe Windows will complain because it is unsigned. If you worry about back doors just look at the code yourself -- or have your own LLM read it!

This was just an experiment to see how these tools work. I decided to try creating a screen capture program that only takes captures in a square or 1:1 format because it's useful for social media, and especially YouTube posts.

I had not found anything prior to this. This i...

Happy 22nd Birthday TaoSecurity Blog

Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series , published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of that PDF-based fixed format nonsense. Each book is a theme-centric collection of posts with new commentary for each entry. Some of what I wrote stood the test of time, and some did not. See what you think. Or, just scroll backwards through this site. Thank you to Blogspot and Google for hosting this blog for the last 22 years! This is post number 3,086 by the way.

What Are Normal Users Supposed to Do with IDS Alerts from Network Gear?

Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product. When you enable this feature, you get alerts like this one, posted by a Redditor: This is everything you get from Ubiquiti.

The Redditor is concerned that their system may be trying to compromise someone on the Internet. This is my answer to how to handle these alerts.

==

This is another example of this sort of alert being almost worthless for most users. The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point. Here is one way to get SOME idea of what is happening.

Go to https://rules.emergingthreats.net/open/suricata-7.0.3/rules/

Download the file that is named as the first part of the alert. Here that is EXPLOIT. https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules

Find the r...
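The lookup described in the answer above (map the alert's category to the ET Open rules file, find the rule by its message, then read the header and content matches to see what traffic could have fired it) can be scripted. The following is an added example, not code from the original post or from Emerging Threats. The rule text embedded in it is constructed in Suricata syntax with sids in the local 9000000+ range, so it is not a real ET signature; point parse_rules() at a downloaded emerging-exploit.rules file to use it for real.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in Suricata/ET rule syntax. Messages are invented and the sids
# sit in the local 9000000+ range: these are NOT real Emerging Threats rules.
SAMPLE_RULES = r'''
# emerging-exploit.rules (constructed excerpt)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Example Outbound Probe"; flow:established,to_server; content:"GET "; http_method; content:"/cgi-bin/example.cgi"; http_uri; reference:url,example.invalid/probe; classtype:attempted-admin; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Example Inbound SMB Request"; flow:established,to_server; content:"|ff|SMB"; content:!"|00 00|"; distance:0; classtype:attempted-admin; sid:9000002; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 0
    flow: str = ""
    classtype: str = ""
    contents: List[Tuple[str, bool]] = field(default_factory=list)  # (pattern, negated)
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # every option, in order


def split_options(opts: str) -> List[str]:
    """Split the option block on ';' while respecting double quotes and backslash escapes."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch); escaped = False; continue
        if ch == '\\':
            buf.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip()); buf = []; continue
        buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]


def parse_rule(line: str) -> Optional[Rule]:
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    r = Rule(m['action'], m['proto'], m['src'], m['sport'], m['dst'], m['dport'])
    for item in split_options(m['opts']):
        key, _, value = item.partition(':')
        key, value = key.strip(), value.strip()
        r.options.append((key, value or None))
        if key == 'msg':
            r.msg = value.strip('"')
        elif key == 'sid':
            r.sid = int(value)
        elif key == 'rev':
            r.rev = int(value)
        elif key == 'flow':
            r.flow = value
        elif key == 'classtype':
            r.classtype = value
        elif key == 'content':
            r.contents.append((value.lstrip('!').strip('"'), value.startswith('!')))
    return r


def parse_rules(text: str) -> List[Rule]:
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#'))
    return [r for r in map(parse_rule, lines) if r]


def rules_file_for(alert_msg: str) -> str:
    """'ET EXPLOIT ...' -> 'emerging-exploit.rules', the file name under the rules URL in the post."""
    parts = alert_msg.split()
    if len(parts) < 2 or parts[0] != 'ET':
        raise ValueError('not an ET alert message: %r' % alert_msg)
    return 'emerging-%s.rules' % parts[1].lower()


def lookup(rules: List[Rule], alert_msg: str) -> Optional[Rule]:
    return next((r for r in rules if r.msg == alert_msg), None)


def direction(rule: Rule) -> str:
    """Which side started the traffic the rule describes: the answer to 'is my box the attacker?'"""
    if rule.src.startswith('$HOME_NET') and not rule.dst.startswith('$HOME_NET'):
        return 'outbound'
    if rule.dst.startswith('$HOME_NET') and not rule.src.startswith('$HOME_NET'):
        return 'inbound'
    return 'other'


def explain(rule: Rule) -> str:
    lines = ['sid %d rev %d: %s' % (rule.sid, rule.rev, rule.msg),
             'direction: %s (%s %s -> %s %s, %s)' % (direction(rule), rule.src, rule.sport,
                                                    rule.dst, rule.dport, rule.proto),
             'flow: %s' % (rule.flow or '(none)')]
    for pattern, negated in rule.contents:
        lines.append('content %s%r' % ('NOT ' if negated else '', pattern))
    return '\n'.join(lines)


if __name__ == '__main__':
    alert = 'ET EXPLOIT Example Outbound Probe'
    print('fetch', rules_file_for(alert))
    hit = lookup(parse_rules(SAMPLE_RULES), alert)
    print(explain(hit) if hit else 'rule not found; the ruleset version may differ from the sensor')
```

The direction() result is the first thing to read: a rule whose header is $HOME_NET -> $EXTERNAL_NET fired on traffic a local host initiated, which is the Redditor's worry, whereas $EXTERNAL_NET -> $HOME_NET means something outside probed a local host. The content strings then say what bytes had to be present, which is usually enough to decide whether the "exploit" was a web client fetching an ordinary URL or something worth a packet capture.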

My First Book Is 20 Years Old Today

On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. This post from 2017 explains the differences between my first four books and why I wrote Tao. Today, I'm always thrilled when I hear that someone found my books useful. I am done writing books on security, but I believe the core tactics and strategies in all my books are still relevant. I'm not sure that's a good thing, though. I would have liked to not need the tactics and strategies in my book anymore. "The Cloud," along with so many other developments and approaches, was supposed to have saved us by now. Consider this statement from a report describing CISA’s red team against a fed agency: “[A]ttempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tam...

Retrieving Deleted Files on the Commodore C64 in 1987

When I was a sophomore in high school, from 1987 to 1988, my friend Paul and I had Commodore C64 computers. There was a new graphical user interface called GEOS that had transformed the way we interacted with our computers. We used the C64 to play games but also write papers for school. One day Paul called me. He was clearly troubled. He had somehow dragged his newly completed term paper into the trash bin instead of the printer. If I recall correctly, back then they were right next to each other (although the screen shot above shows them separate).  Paul asked if I knew any tricks that could retrieve his paper. There was no undelete function in GEOS. I subscribed to a magazine called Compute's Gazette, for Commodore owners. I remembered seeing an article in the magazine that included code for undeleting files dropped in the GEOS "Waste Basket." All I had to do was type it in by hand, save it to a 5 1/4 inch floppy, drive to Paul's house, and see if the program would ...

My Last Email with W. Richard Stevens

In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email.

From "Capt Richard Bejtlich - Real Time Chief" Mon Sep  6 18:27:35 1999
X-Mozilla-Keys:
Received: from kinda.csap.af.mil (kinda.csap.af.mil [192.203.2.250])
          by mw4.texas.net (2.4/2.4) with SMTP
          id RAA22116 for <bejtlich@texas.net>; Mon, 6 Sep 1999 17:27:38 -0500 (CDT)
Received: by kinda.csap.af.mil (Smail3.1.29.1 #7) id m11O7Ee-000NcwC; Mon, 6 Sep 99...

Bejtlich Skills and Interest Radar from July 2005

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC.

Key Network Questions

I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third party repository." This is how I was thinking about Zeek data in the second half of 2018.

1. What networking technologies are in use, over user-specified intervals?
   1. Enumerate non-IP protocols (IPv6, unusual Ethertypes)
   2. Enumerate IPv4 and IPv6 protocols (TCP, UDP, ICMP, etc.)
   3. What is the local IP network topology/addressing scheme?
2. What systems are providing core services to the network, over user-specified intervals?
   1. DHCP
   2. DNS
   3. NTP
   4. Domain Controller
   5. File sharing
   6. Default gateway (via DHCP inspection...
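Questions 1.2, 1.3 and 2.1 through 2.5 above can be answered from Zeek's conn.log alone, which is what the following added example does. It is not code from the post, from Zeek or from any Corelight product. The conn.log excerpt is constructed (a subset of the real columns, invented hosts and uids) and is parsed from Zeek's own #fields header, so the same functions work on a real conn.log. Assumptions are marked in the code: the service labels (dns, dhcp, ntp, krb, krb_tcp, ldap, smb) are taken to be the strings Zeek's protocol detection writes for your version, and a port-based fallback covers rows where the service column was left unset. Question 1.1 (non-IP protocols and unusual Ethertypes) needs data conn.log does not carry and is not covered here.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Optional

# Constructed Zeek conn.log excerpt in the ASCII TSV format, with a subset of the real
# columns. Hosts, timestamps and uids are invented; 10.1.2.10 plays the DNS/NTP/DC role.
_FIELDS = ['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'proto', 'service', 'conn_state']
_ROWS = [
    ['1544140800.000000', 'C1', '10.1.2.50', '54123', '10.1.2.10', '53', 'udp', 'dns', 'SF'],
    ['1544140801.000000', 'C2', '10.1.2.51', '54124', '10.1.2.10', '53', 'udp', 'dns', 'SF'],
    ['1544140803.000000', 'C4', '10.1.2.52', '68', '10.1.2.1', '67', 'udp', 'dhcp', 'SF'],
    ['1544140804.000000', 'C5', '10.1.2.50', '123', '10.1.2.10', '123', 'udp', 'ntp', 'SF'],
    ['1544140805.000000', 'C6', '10.1.2.50', '49152', '10.1.2.10', '88', 'tcp', 'krb_tcp', 'SF'],
    ['1544140806.000000', 'C7', '10.1.2.51', '49153', '10.1.2.10', '389', 'tcp', '-', 'SF'],
    ['1544140807.000000', 'C8', '10.1.2.50', '49154', '10.1.2.20', '445', 'tcp', 'smb', 'SF'],
    ['1544140808.000000', 'C9', '10.1.2.50', '49155', '203.0.113.7', '443', 'tcp', 'ssl', 'SF'],
    ['1544140809.000000', 'C10', '10.1.2.50', '0', '10.1.2.10', '0', 'icmp', '-', 'OTH'],
    ['1544140810.000000', 'C11', '10.1.3.7', '50000', '10.1.2.10', '53', 'udp', 'dns', 'SF'],
]
SAMPLE_CONN_LOG = '\n'.join(
    ['#separator \\x09', '#set_separator\t,', '#unset_field\t-', '#path\tconn',
     '#fields\t' + '\t'.join(_FIELDS)] + ['\t'.join(r) for r in _ROWS]) + '\n'


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Zeek ASCII TSV using its own #fields header; '-' (unset) becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith('#fields'):
            fields = line.split('\t')[1:]
        elif not line or line.startswith('#'):
            continue
        else:
            assert fields is not None, 'data row before #fields header'
            records.append({k: (None if v == '-' else v) for k, v in zip(fields, line.split('\t'))})
    return records


def in_window(records, start: Optional[float] = None, end: Optional[float] = None) -> Iterator[dict]:
    """The 'user-specified interval' of the questions: [start, end) in epoch seconds."""
    for r in records:
        ts = float(r['ts'])
        if (start is None or ts >= start) and (end is None or ts < end):
            yield r


def protocols_in_use(records, start=None, end=None) -> Counter:
    """Question 1.2: which IP protocols (tcp/udp/icmp) are in use, by connection count."""
    return Counter(r['proto'] for r in in_window(records, start, end))


# ASSUMPTION: these service labels match what your Zeek version's protocol detection writes.
# The port fallback handles rows whose service column is unset because no analyzer fired.
ROLE_BY_SERVICE = {'dns': 'DNS', 'dhcp': 'DHCP', 'ntp': 'NTP', 'krb': 'Domain Controller',
                   'krb_tcp': 'Domain Controller', 'ldap': 'Domain Controller', 'smb': 'File sharing'}
SERVICE_BY_PORT = {('udp', 53): 'dns', ('udp', 67): 'dhcp', ('udp', 123): 'ntp', ('udp', 88): 'krb',
                   ('tcp', 88): 'krb_tcp', ('tcp', 389): 'ldap', ('tcp', 445): 'smb'}


def core_service_servers(records, start=None, end=None) -> Dict[str, Counter]:
    """Questions 2.1-2.5: role -> responder hosts seen providing it, with connection counts."""
    servers: Dict[str, Counter] = defaultdict(Counter)
    for r in in_window(records, start, end):
        labels = set((r['service'] or '').split(',')) - {''}  # Zeek may list several, comma-joined
        fallback = SERVICE_BY_PORT.get((r['proto'], int(r['id.resp_p'])))
        if fallback:
            labels.add(fallback)
        for role in {ROLE_BY_SERVICE[s] for s in labels if s in ROLE_BY_SERVICE}:
            servers[role][r['id.resp_h']] += 1
    return dict(servers)


RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def local_subnets(records, prefix: int = 24) -> Counter:
    """Question 1.3: RFC 1918 hosts grouped into /prefix networks, weighted by appearances."""
    nets: Counter = Counter()
    for r in records:
        for key in ('id.orig_h', 'id.resp_h'):
            ip = ipaddress.ip_address(r[key])
            if any(ip in n for n in RFC1918):
                nets[str(ipaddress.ip_network('%s/%d' % (ip, prefix), strict=False))] += 1
    return nets


if __name__ == '__main__':
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print('protocols:', dict(protocols_in_use(recs)))
    for role, hosts in sorted(core_service_servers(recs).items()):
        print('%-17s %s' % (role, dict(hosts)))
    print('local subnets:', dict(local_subnets(recs)))
```

Run against a real conn.log, the useful signal is the second host in a role's Counter: one DNS or DHCP responder is the expected picture, while a second responder that only a few clients talk to is exactly the kind of question these lists were meant to surface without a log repository.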

Cybersecurity Is a Social, Policy, and Wicked Problem

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms: “The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.” Other wicke...

Core Writing Word and Page Counts

I want to make a note of the numbers of words and pages in my core security writings.

The Tao of Network Security Monitoring / 236k words / 833 pages
Extrusion Detection / 113k words / 417 pages
The Practice of Network Security Monitoring / 97k words / 380 pages
The Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pages
The Best of TaoSecurity Blog, Vol 2 / 96k words / 429 pages
The Best of TaoSecurity Blog, Vol 3 / 89k words / 485 pages
The Best of TaoSecurity Blog, Vol 4 / 96k words / 429 pages

The total is 811k words and 3,330 pages.

Happy 20th Birthday TaoSecurity Blog

Happy 20th birthday TaoSecurity Blog, born on 8 January 2003.

Thank you Blogger

Blogger (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's Schneier on Security is the main one that comes to mind. If not for the wonderful Internet Archive, many blogs from the early days would be lost.

Statistics

In my 15 year post I included some statistics, so here are a few, current as of the evening of 7 January: I think it's cool to see almost 29 million "all time" views, but that's not the whole story. Here are the so-called "all time" statistics: It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years. I don't know what happened on 2...

Best of TaoSecurity Blog Kindle Edition Sale

I'm running a #BlackFriday #CyberMonday sale on my four newest #Kindle format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. They are here. There also appears to be a daily deal right now for the paperback of Volume 2, 45% off at $8.96.