2010: A Review

Originally I wasn’t planning on reviewing this year, didn’t think that much had happened, but during some end of year house keeping came across the InfoSanity review of 2009 and wanted to keep the trend going. In keeping with last years review. I’ll start with the non-technical (again on pain of death 😉 ); wedding plans going strong so I should be a married man early 2011.
Back to the technical: Despite my initial concerns; the site, blog and research environment are still here and still growing. To all those who’ve read, contributed and (most importantly) told me I’m wrong over the past year (you know who you are), thank you.
Lab Environment(s): To complement the home lab established in 2009, 2010 saw the introduction of a hosted virtual lab which has provided the opportunity to easily try new (and old) technologies in the real world. As part of this InfoSanity has setup (and in some cases also removed) instances of honeyd, Dionaea, Amun and Kippo. These systems have also resulted in some new utilities being developed and released as I worked through various findings.
Whilst standing on the shoulders of giants (thanks Markus), some of the findings from the InfoSanity environment are now available publically. Although I really must complete both automating the process and including findings from other systems, 2011’s to-do list is already growing.
Public Speaking: For some reason I’ve still been asked to talk in public about topics I find fascinating; so thanks to the Disaster Protocol team for having me on the show. I felt it was a great discussion of honeypot technologies and infosec in general, and from feedback I’ve had others seem to agree.
Trying new things: Whilst trying to grow and mature over the year InfoSanity tried a few different themes and topics, some worked, like basic ssh hardening guidelines (potentially more to come in new year) and some didn’t, like the ‘Infosec Triads’ series. But if you don’t stretch yourself you’ll stop learning, so expect more posts that don’t quite work in 2011.
Friends, contact and groups: As with last year, the best part of 2010 has definitely been the people I’ve either continued talking to and/or working with and those I’ve met for the first time. 2010 saw a growth spurt in local and online groups I’ve been involved in, including the start of NEBytes, ToonCon and the Kippo User Group. There are also a huge number of awesome groups which I don’t get as much time to get involved with as I’d like; EH-Net, Group51, DissectingTheHack, Exotic Liability…the list goes on.
2011?: Who knows? Every time I try to make plans or predictions the Sky Fairies and Flying Spaghetti Monsters mock me, so I won’t try to make any. But whatever the outcome, I’m not expecting a letup in the pace, and can already see some exciting new opportunities on the horizon.
Another decade down, and a new year of opportunity ahead. See you all in 2011.
–Andrew Waite

Join the conversation

3 Comments

  1. Hi!
    I find your evaluation of dionaea and the stats quite interesting. I wonder if you have any recent runs of the mimic-netstats script on your dionaea installation available. I’d be interested if dionaea offers the intended performance advantage over nepenthes and by how much.
    Kind regards
    Friedrich Delgado

    1. Hi Friedel,
      thanks for the comment.
      I need to be honest, real world work and social life has left my honeyfarm out of action for the last few weeks so I have no recent runs of the mimic-stats util for my environment.
      If you’re looking for publicaly available stats and results I’m assuming you’ve seen carnivore.it’s ore interface? (http://ore.carnivore.it/).
      Comparing Nepenthes to Dionaea; I currently (did) run both, but when I get the time to refactor my own environment I’ll be dropping Nepenthes entirely as the functional expansions (like the carniwwwore interface behind Ore) make Dionaea vastly superior (imho).
      Hope this helps, let me know if I’ve missed anything
      –Andrew Waite

      1. Hi Andrew!
        Yes, I’ve seen the ore interface and the statistics look interesting, but I didn’t read the documentation yet so some of it doesn’t make sense to me. I’m going to do that soonish.
        And so far I haven’t found an evaluation about the number of attacks/downloads seen by nepenthes and dionaea installations running in comparably sized/placed subnets.
        Good to know that you find dionaea vastly superior to nepenthes. That definitely sounds like it’s meeting its design goals already.
        Thanks for your assessment and best of luck with the real world! 😉
        Friedel

Leave a comment

Leave a Reply to Andrew Waite Cancel reply

Your email address will not be published. Required fields are marked *