The Best of TaoSecurity Blog, Volume 1
Milestones, Philosophy and Strategy, Risk, and Advice

Richard Bejtlich

TaoSecurity Press

Copyright © 2020 Richard Bejtlich and TaoSecurity Press

Trademarked names may appear in this book. Rather than use a trademark symbol
with each occurrence of a trademarked name, names are used in an editorial fashion with
no intention of infringement of the respective owners’ trademarks.

This is a book about digital security and network monitoring. The act of collecting network
traffic may violate local, state, and national laws if done inappropriately. The tools and
techniques explained in this book should be tested in a laboratory environment, separate
from production networks. None of the tools or techniques should be tested with network
devices outside of your responsibility or authority.

Suggestions on network monitoring in this book shall not be construed as legal advice.

The author has taken care in the preparation of this book, but makes no expressed or
implied warranty of any kind and assumes no responsibility for errors or omissions.

No liability is assumed for incidental or consequential damages in connection with or arising
out of the use of the information or programs contained herein.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior consent of the publisher.

ISBN: 978-1-952809-00-2

I dedicate this book to my family.

I propose to fight it out on this line, if it takes all summer.

General Ulysses S. Grant, Spotsylvania campaign, 11 May 1864


Contents

The Best of TaoSecurity Blog, Volume 1
Title Page
Copyright
Dedication
Epigraph
Preface
Chapter 1. Milestones
Introduction
First Post and Review of BGP Posted
Sguil User Six
Trying New Martial Arts School
Five Years Ago Today...
The Tao of NSM Is Published!
TaoSecurity Visits the Pentagon
Security Responsibilities
Bejtlich Joining General Electric as Director of Incident Response
Bejtlich Cited in Economist
TaoSecurity Blog Wins Best Non-Technical Blog at RSA
Inside a Congressional Hearing on Digital Threats
Become a Hunter
TaoSecurity Blog Wins Most Educational Security Blog
Bejtlich Books Explained
Latest Book Inducted into Cybersecurity Canon
Twenty Years of Network Security Monitoring: From the AFCERT
to Corelight
Conclusion
Chapter 2. Philosophy and Strategy
Introduction
Prevention Always Fails
What is the Ultimate Security Solution?
Thoughts on Digital Crime
Further Musings on Digital Crime
How to Misuse an Intrusion Detection System
Soccer Goal Security
Further Thoughts on Engineering Disasters
More on Engineering Disasters and Bird Flu
Thoughts on Patching
Why Prevention Can Never Completely Replace Detection
Analog Security is Threat-Centric
Control-Compliant vs Field-Assessed Security
Of Course Insiders Cause Fewer Security Incidents
National Digital Security Board
Security Is Not Refrigeration
Response to Daily Dave Thread
Incorrect Insider Threat Perceptions
How Many Spies?
What Do I Want
Proactive vs Reactive Security
Taking the Fight to the Enemy
Threat Deterrence, Mitigation, and Elimination
FISMA Dogfights
Fight to Your Strengths
Vulnerability-Centric Security
Threat Model vs Attack Model
Kung Fu Wisdom on Threats
Change the Plane
Does Failure Sell?
Security: Whose Responsibility?
Response: Is Vulnerability Research Ethical?
On Breakership
Humans, Not Computers, Are Intrusion Tolerant
Speaking of Incident Response
Defender's Dilemma vs Intruder's Dilemma
Offense and Defense Inform Each Other
The Centrality of Red Teaming
The Problem with Automated Defenses
Incident Detection Mindset
Protect the Data Idiot!
Protect the Data from Whom?
Protect the Data -- Where?
Protect the Data -- What Data?
Cyberwar Is Real
Over Time, Intruders Improvise, Adapt, Overcome
Redefining Breach Recovery
Forcing the Adversary to Pursue Insider Theft
Know Your Limitations
Seven Security Strategies, Summarized
Conclusion
Chapter 3. Risk
Introduction
The Dynamic Duo Discuss Digital Risk
Calculating Security ROI Is a Waste of Time
Ripping Into ROI
SANS Confuses Threats with Vulnerabilities
Risk, Threat, and Vulnerability 101
Cool Site Unfortunately Miscategorizes Threats
BBC News Understands Risk
Organizations Don't Remediate Threats
Return on Security Investment
Risk Mitigation
Three Threats
Security Is Still Loss Avoidance
No ROI for Security or Legal
Are the Questions Sound?
Bank Robber Demonstrates Threat Models
No ROI? No Problem
Security ROI Revisited
Glutton for ROI Punishment
Is Digital Security "Risk" a Knightian Uncertainty?
Vulnerabilities in Perspective
More Threat Reduction, Not Just Vulnerability Reduction
Unify Against Threats
Risk Assessment, Physics Envy, and False Precision
Attack Models in the Physical World
Conclusion
Chapter 4. Advice
Introduction
CISSP: Any Value?
My Criteria for Good Technical Books
What the CISSP Should Be
Answering Penetration Testing Questions
No Shortcuts to Security Knowledge
Starting Out in Digital Security
Reading Tips
Security in the Real World
What Should the Feds Do
Why Digital Security?
US Needs Cyber NORAD
Controls Are Not the Solution to Our Problem
Answering Reader Questions
Getting the Job Done
Is Experience the Only Teacher in Security?
Why Blog?
Defining the Win
Advice to Bloggers
How Much to Spend on Digital Security
Partnerships and Procurement Are Not the Answer
Everything I Need to Know About Leadership I Learned as a
Patrol Leader
Stop Killing Innovation
All Reading Is Not Equal or Fast
Answering Questions on Reading Tips
Five Qualities of Real Leadership
I Want to Detect and Respond to Intruders But I Don't Know
Where to Start!
Understanding Responsible Disclosure of Threat Intelligence
Don't Envy the Offense
How to Answer the CEO and Board Attribution Question
My Federal Government Security Crash Program
Notes on Self-Publishing a Book
Managing Burnout
COVID-19 Phishing Tests: WRONG
When You Should Blog and When You Should Tweet
Conclusion
Afterword
Books By This Author
About The Author
Version History

Preface
The purpose of this book is to extract and highlight my favorite
posts from the TaoSecurity Blog, from 2003 to mid-2020. While all of
these posts are available for free online, without advertising, they
have become increasingly difficult to find. As of mid-2020,
TaoSecurity Blog features over 3,050 posts, and despite being
hosted by Google’s Blogspot property, lacks sufficient search
capability for the average visitor. When I know that I’m having
trouble finding posts, then I expect readers are suffering the same
limitations.

In the course of doing research for one of my personal hobbies,
namely the Martial History Team (martialhistoryteam.org), I’ve
realized that books possess a permanence not found in blogs or
other digital media. I’ve enjoyed looking at scans and other
representations of books published in the late 19th and early 20th
centuries. I’ve looked for books through the global WorldCat
database and learned only a few copies exist, according to that
repository. Nevertheless, they do exist, and in some cases I can
request them via the InterLibrary Loan system. Long after blogs and
other social media content has disappeared, books will remain in
someone’s library, waiting to tell their story.

I posted my first blog entry on January 8, 2003. (I normally
provide dates in military format, e.g., 8 January 2003, but Blogger
uses the Month Day, Year format. Rather than change them all
manually, I’ve adopted that convention here.) I had already been
reviewing cybersecurity books from my personal library, having read
and reviewed 24 books on Amazon in 2002. I decided to try
promoting those reviews via a blog, which was a new form of
communication in the early 2000s.

In early 2003 I was a consultant for Foundstone’s incident
response team, working for Kevin Mandia. Foundstone encouraged
its consultants to write, speak, teach, and otherwise get the message
out about our cybersecurity capabilities. The company had
essentially been launched by one of the best-selling, if not *the*
best-selling, cybersecurity books of all time: Hacking Exposed, first
published in the fall of 1999. In 2002 I had contributed a case study
on network security monitoring (NSM) for the fourth edition of
Hacking Exposed, published in early 2003. Soon thereafter I began
research for my first book, The Tao of Network Security Monitoring:
Beyond Intrusion Detection, which Addison-Wesley (Pearson)
published in the summer of 2004.

During the next 17 years I changed companies and roles but
continued blogging. After McAfee bought Foundstone I moved to
ManTech, where I worked on a team supporting a national offensive
mission. From there I became a full-time independent consultant,
offering NSM via TaoSecurity LLC. A blog post (featured in the
Milestones chapter) in 2007 attracted the attention of my next boss,
Grady Summers, who hired me to create and lead the General
Electric Computer Incident Response Team (GE-CIRT). In 2011 I
migrated to Mandiant, reunited with friends from Foundstone, and
served as its first and only Chief Security Officer. After FireEye
acquired Mandiant, I stayed for a few years, but eventually left and
more or less took a break from the security scene for a year. My
blogging suffered as I was burned out and felt that I had already
written what I needed to say. I included my blog post about burnout
in this compendium. After joining Corelight as a strategist in mid-
2018, I began blogging for them, and as a result did not often write
for TaoSecurity Blog.

I composed this book by reviewing all 3,050+ blog posts on
TaoSecurity blog, tagging the “top candidates” for inclusion in this
book with the “topcan” label. (That label is reachable at
https://taosecurity.blogspot.com/search/label/topcan and applies to
over 370 posts, approximately 12% of the total.) I then manually
copied each post to a Google document and sorted them according
to twelve categories, which form the chapters of the three volumes
in this series of books. Roughly speaking, those posts consist of
192,000 words, which, if they are a representative sample of the
overall posts in the blog, would equate to about 1.6 million words in
the entire TaoSecurity Blog corpus. I believe that is an exaggerated
amount, as many of my early posts were much shorter, before the
age of Twitter.

Furthermore, I’ve omitted many of the technical posts, as I don’t
believe that command line output or packet captures are
representative of true “words” authored by me. Therefore, I
estimate that I’ve probably written about 1 million words for
TaoSecurity Blog over the 17 years of its existence.

This book, by and large, only incorporates the text from the
selected posts. There are many cases where I originally linked to
material created by others, and I did not want to violate any
copyright holders in a commercial work such as this. I’ve also
omitted all of the URLs mentioned in the posts. Given the age of the
source material, most original URLs point to dead links, and I was
not interested in tracking down replacements in the remote
expectation that a reader might want to follow a source. If that is
the case, however, each entry in this book includes a URL for the
original blog post. Duly motivated readers can begin their research
there, should they be so inclined.

In reproducing the posts in this format, I’ve chosen to fix some
typos and make other minor obvious fixes. However, I have not
altered my point of view from earlier posts, however cringe-worthy
they might appear to me now. It’s clear that in my early days in the
security world, I was heavily influenced by the so-called “hacker
mentality,” and did not moderate my views until I had spent more
time working for the victims of various intrusions. My point of view
changed substantially after spending time with under-resourced,
under-staffed, politically outmaneuvered security teams, whether I
helped as a consultant or as a member of an enterprise security
function. I’ve concluded that too many people, especially on the
offensive side of the security equation, would be better served if
they were responsible for the digital assets they seem so intent on
breaking. Too many so-called “hackers” lack sympathy for the lives
affected by their desire to break software.

Blog comments are not reproduced here either. While a few posts
over the years featured thoughtful commentary, most did not. At
some point during the blog’s history I had to enable comment
moderation. I was shocked by those who submitted comments that
exhibited foul and racist language, personal attacks, and other
disgusting content. The world is better off without a platform for
their idiocy, although most of them have unfortunately migrated to
Twitter. If for some reason you’re wondering if a post in this book
had comments, please follow the cited link.

I’ve added commentary to all of the blog posts. These comments
indicate how I feel about the material, looking back from 2020. In
some cases I note with despair the attitude I previously projected.
In other cases I augment the message that I first promoted.

TaoSecurity Blog is one of the oldest cybersecurity blogs still
around. Bruce Schneier’s Crypto-Gram newsletter began in 1998,
and adopted the blog format a few years later. I can’t think of
another author who began back then and is still publishing blog
format material at this point. I’m almost in that category, as I blog
mostly for Corelight these days, but once in a while an issue bothers
me enough to require expression through a blog post at TaoSecurity
Blog.

Expression is the key theme of my blog and this book. The
purpose of my blogging, writing, and speaking has largely been to
capture my thoughts on a topic. If others benefitted from the
content, then that was a bonus. I was usually more interested in
codifying my thoughts into a form worth reading in the future. Many
times over the years I’ve referred back to my own material in order
to learn how to accomplish a task or how to think about a certain
problem. I was happy to see the Security Bloggers association give
TaoSecurity Blog the “Best Non-Technical Blog” award for 2009 and
the “Most Educational Security Blog” award for 2012. The blog has
also been featured in various lists over the years, but that is not
something I’ve tracked.

As of April 2020, the five most popular posts, since January 2011
when Blogger began offering native statistics, are as follows:

60,622: Five Reasons I Want China Running Its Own Software (Mar 23, 2017)
58,225: Cybersecurity Domains Mind Map (Mar 21, 2017)
52,276: A Brief History of the Internet in Northern Virginia (Dec 23, 2015)
50,540: The Missing Trends in M-Trends 2017 (Mar 15, 2017)
49,448: Domain Creep? Maybe Not. (Dec 10, 2015)

Of those, only the first and fourth appear in my catalogue of
selected posts. Popularity isn’t everything! I do not write to be
popular, but I am pleased that some people find my blog helpful.
Since January 2011, the blog has had over 15 million views, but I
imagine the bulk of that audience has never read the earlier posts,
many of which are foundational elements of my thinking not present
in my published texts.

Some of the content has aged well, and some of it has not. I’ve
tried to preserve material in this book that is useful, regardless of
when it was written. For that reason, much of the “technical”
material has been omitted. For example, the online TaoSecurity Blog
features over 430 posts with the label “FreeBSD,” meaning they have
something to do with that Unix-like operating system. Early in my
career I was a keen FreeBSD user, and I often wrote about how to
accomplish various tasks using that software. When I stopped
writing about FreeBSD, some of my readers complained. I didn’t
care. I wrote for myself and if the complainers wanted that content,
they could try their hand at writing. At this point, much of that
material is no longer relevant, and if it might be to some readers, it
remains a Google search or blog URL away.

In the process of assembling this volume and writing the
commentary, I realized that there was far too much material for a
single, big book. I therefore split the material into three volumes. In
this book, I cover milestones, philosophy and strategy, risk, and
advice. Future volumes will include network security monitoring,
technical notes, research, China and the APT, current events, law,
wise people, and history, with some degree of appendices and
references as well.

And now, before turning to the blog, I leave the introduction with
the immortal words attributed to Steve Jobs:

“Real artists ship.”

-- Attributed to Steve Jobs, https://quoteinvestigator.com/2018/10/13/ship/

Richard Bejtlich
Northern Virginia, 2020

Chapter 1. Milestones

Introduction
This chapter contains posts which represented various moments
where the course of my blogging life changed, usually for the better.
It also contains entries which I felt marked a noteworthy moment for
the blog, and perhaps did not strictly belong in another category.

First Post and Review of BGP Posted
Wednesday, January 08, 2003

Welcome to my blog! The main new content will be news of book
reviews that I've had published at Amazon.com. In 2002 I read and
reviewed 24 books on computer security topics. Most recently, these
included The Art of Deception: Controlling the Human Element of
Security by Kevin Mitnick and The Hacker Diaries: Confessions of
Teenage Hackers by Dan Verton.

My first published review of 2003 is a four star review of BGP
(O'Reilly, Sep 2002) by Iljitsch Van Beijnum.

You can see my book reading (and reviewing) schedule by
visiting www.bejtlich.net/reading.html. I will no longer try to review
every security book which hits the shelves! That was a pipe dream,
even when I started reading these sorts of books in 1998. The books
I add to my schedule either address a topic about which I need to
know more, or offer original content by an interesting author.

Thank you for visiting!

Richard Bejtlich

https://taosecurity.blogspot.com/2003/01/welcome-to-my-blog-main-new-content.html

Commentary
This was my first blog post. I had very modest plans when I
started, concentrating on promoting the book reviews I was writing
on Amazon.com. I eventually became a top 500 book reviewer for
that site. I used to read and review dozens of technical books per
year (17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26
in 2005, 52 in 2006, 25 in 2007, 20 in 2008, 15 in 2009, 31 in 2010,
22 in 2011 -- 340 in total). In mid-2012 I decided that technical
books no longer captured my interest, and I focused on books about
history, strategy, policy, and martial arts. The archive.org repository
of pages for www.bejtlich.net/reading.html shows what I used to
read. The link is no longer active.

Sguil User Six
Tuesday, February 18, 2003

According to my friend Bamm Visscher, I just became user
number six of Sguil, an interface for the Snort intrusion detection
engine. It's in early alpha stages but it smokes everything else
available. It's built BY an analyst FOR an analyst. I spent a chunk of
the weekend writing this 4 MB installation guide pdf for it. The 13
MB sguil_complete_17_feb_03.tar archive I mention in the
installation guide can be downloaded here, for now. There is also a
Sourceforge site. Enjoy!

https://taosecurity.blogspot.com/2003/02/according-to-my-friend-bamm-visscher-i.html

Commentary
I am very proud to have been associated with the Sguil project,
even though my code contribution was one or two lines that I
believe Bamm rejected anyway! I still use Sguil to this day, as it is
the most information-dense way to review alerts generated by an
intrusion detection engine like Suricata, and it provides right-click
access to full content data access via Wireshark. At this time I was
working as an incident response consultant for Kevin Mandia at
Foundstone, and I believe I may have used Sguil during some
engagements where I had to build my own network security
monitoring sensors.

Trying New Martial Arts School
Monday, April 28, 2003

I finally joined a new martial arts school in northern Virginia. It's
been two years since I broke my wrist and stopped formal training,
and about seven months since my last organized martial arts activity.

https://taosecurity.blogspot.com/2003/04/i-finally-joined-new-martial-arts.html

Commentary
I was surprised to find this entry. At this point in the blog’s
progression, I had not yet instituted the fairly strict rules I would
later follow, namely keeping the blog on topic. I recommend this
strategy for anyone trying to organize their thoughts in written form
in a public-facing medium. To this day I have TaoSecurity Blog for
cyber security, intelligence, and military history; Rejoining the Tao
Blog for my martial arts journey; and Martial History Team for
promoting sound evidence and sourced research on martial arts
topics.

Five Years Ago Today...
Tuesday, September 23, 2003

Five years ago today I left the information warfare planning
directorate at Air Intelligence Agency and joined the Air Force
Computer Emergency Response Team at then-Kelly Air Force Base in
San Antonio, Texas. Back then we were part of the Air Force
Information Warfare Center, tasked with monitoring all of the
intrusion detection systems deployed inside border routers at Air
Force's installations. I was a new captain and had voluntarily
attended some UNIX training after work hours while deployed to RAF
Molesworth in late 1997.

Just yesterday I was asked how to get into the computer security
field. Here's how I did it. I looked at the AFCERT's manning roster
for the network security monitoring teams and put myself on the
schedule. Wherever I saw an opening -- usually between 2 and 10
pm or 10 pm and 6 am -- I added my name. I sat next to people
who seemed to understand the alerts they were analyzing and asked
a lot of questions. Six months later I was in charge of the real-time
NSM team, and a year later I was in charge of all NSM operations. I
wrote my first white paper in late 1999 and spoke at my first SANS
conference on 25 Mar 00. Currently I'm writing Real Digital Forensics
and The Tao of Network Security Monitoring, both to be published in
2004.

https://taosecurity.blogspot.com/2003/09/five-years-ago-today.html

Commentary
This was the first of several posts that look back on my time in
the Air Force. Writing now in 2020, it’s stunning to remember a time
when I had only five years of hands-on technical security
experience. I notice that I also mentioned the publication process for
my first two books, the Tao of Network Security Monitoring,
published in 2004, and Real Digital Forensics, co-authored with Keith
Jones and Curtis Rose, published in 2005.

The Tao of NSM Is Published!
Friday, July 16, 2004

My wife found a copy of my book left in our garage today by the
UPS or Fedex delivery person! I'm very happy to see it in print.

Four years ago Karen Gettman from Addison-Wesley approached
me about writing a book. Initially I wanted to write "Intrusion
Detection and Incident Response Illustrated," but I decided to wait
until I felt I was ready.

At Black Hat last year, I met my editor Jessica Goldstein from
Addison-Wesley. I presented the proposal I had worked on all of the
previous night. About a month later I signed a contract, and by
March of this year submitted my draft of the text.

Now, less than a year after that Black Hat meeting, I have a copy
of my book in hand. Thank you to every who assisted -- you're all in
the preface!

Some of you will be getting review copies soon. I expect to see
the book available from online booksellers next week, and in stores
before the end of the month. Please send feedback to blog at
taosecurity dot com.

Update: I asked my publisher why Amazon.com isn't currently
selling my book at a discount. She wrote:

"Amazon is having a data feed problem, and that is why your
book isn't discounted. Many new books on Amazon are showing for
list price, which is incorrect. They are working with the vendor who
is sending them the bad data and are trying to get it fixed."

Expect to see the price drop at Amazon.com shortly.

https://taosecurity.blogspot.com/2004/07/tao-of-nsm-is-published-my-wife-found.html

Commentary
The Tao remains my magnum opus, despite any attempt to
create something better. It was the right book at the right time. I
decided to write it in 2001 when Bamm and I were acting as
technical leads and managers for a team of 12 analysts at Ball
Aerospace & Technologies Corporation (BATC). I wrote a training
course for them to take before serving as event analysts. I realized
that there was no text that I could hand to a new analyst that
taught them what I hoped they should know. I decided to investigate
many aspects of network security monitoring (NSM) as thoroughly as
possible. When the book exceeded an 800 page count, my
publisher said that I needed to stop. That’s why I quickly published a
sequel, Extrusion Detection. I’ve likened Tao to the Constitution and
Extrusion to the Bill of Rights! I remain very proud of Tao to this day
-- especially the appendix on NSM intellectual history. That’s a
timeless historical section that is relevant forever, regardless of what
the Amazon.com reviewers might think.

One of my favorite memories associated with the book involves
the reaction of my co-workers. At the time I was working as a
technical director at ManTech International Corporation, having
joined that company after McAfee acquired Foundstone. At ManTech
I worked with the offensive team and was also building a
commercial NSM offering. Anton Chuvakin reviewed my book on
Slashdot.org, which was a prominent technology site in the early
2000s. When Anton’s review appeared on the site, a crowd of my
colleagues entered my office to congratulate me. Thanks ladies and
gentlemen, and thanks for the review Anton!

TaoSecurity Visits the Pentagon
Tuesday, April 19, 2005

This morning I was pleased to speak at the Pentagon on behalf
of the Network Security Services-Pentagon section of the US Army
Information Technology Agency. (I would like to provide a URL, but
there's no point linking to sites that return "403.6 Forbidden: IP
address rejected" errors!) Doug Steelman invited me to discuss
network security monitoring at their Pentagon Security Forum. Last
month Erik Birkholz and Steve Andres from Special Ops Security
spoke on assessments. Next month Kevin Mandia of Red Cliff
Consulting will discuss incident response. Doug and his colleague
Mark Orlando were kind enough to take me on a tour of the building
and share some of their approaches to detecting intrusions on the
Pentagon's networks.

While I will not outline specifics here, I will say I was impressed
by the variety of network traffic the Pentagon collects. They are not
a single-solution shop that can be beaten by evading one variety of
intrusion detection system deployed at the perimeter. Rather, they
gather alert, session, and statistical data and have the capability to
collect some full content data. I will not name tools, but I was
surprised by some of their choices. By this I mean they seemed
genuinely interested in novel approaches to identifying and
validating security events.

As far as the Pentagon network is concerned, they are literally an
ISP in their own right. They have multiple Autonomous Systems
(AS') and they connect to the DISA backbone with 100 Mbps ATM
links. After September 11th 2001 they decided to reengineer their
network to be more disaster-resilient, and they are now deploying a
MPLS-based routing design to facilitate this goal. I look forward to
meeting and working with this team in the future, and I thank Doug
and Mark for being great hosts today.
Another random document with
no related content on Scribd:
Mississippi river. We can now look across a gorge from the coaches
of the Pennsylvania Railroad, beyond Altoona, and see the grade of
the old Portage Railway.

Fig. 28. Broad Street Station, Philadelphia: Pennsylvania


Railroad
The canal almost put out of business the Conestoga wagons on
the dusty pike which had seen so much travel by way of Carlisle and
Bedford. But the people did not stop with a canal. Like the men of
New York, they wanted something even better than that. They
wished to have a railroad all the way, and in 1846 the Pennsylvania
Railroad Company was incorporated. By this time it was very well
known that railroads were successful both in America and in
England, and that steam was better than horses.
Over the Allegheny Front a route was found where the grades
were not too steep for locomotives. The grade, of course, had been
the one great hindrance to the whole project, and when this difficulty
was overcome there was no reason why passengers should not be
carried from Philadelphia to Pittsburg, or a load of iron from Pittsburg
to Philadelphia, without changing cars. In the year 1854 the
Pennsylvania people triumphed, for they had conquered the
mountains and could run trains from the banks of the Delaware to
the Ohio river.
If we leave Philadelphia by the great Broad street station of the
Pennsylvania Railroad, we shall pass out among the pleasant homes
of West Philadelphia and through the fine farms of the Pennsylvania
lowlands, until we come, in about an hour and a half, to the staid old
city of Lancaster. We have been here before, to learn of turnpikes
and Conestoga freighters.
The next stop, if we are on an express train, will be at
Harrisburg, a little more than a hundred miles from Philadelphia. We
have now come from the Delaware to the Susquehanna, and are
close to the mountains. Before we go in among them let us see
Harrisburg. It is a city of fifty thousand people, and lies along the
east bank of the Susquehanna, which here is a great river a mile
wide, having gathered its tribute of waters from hundreds of
branching streams in Pennsylvania and New York.
Fig. 29. Bridge, Pennsylvania Railroad, above Harrisburg
Not far to the east a small stream runs parallel to the main river,
and the larger part of Harrisburg is on higher ground between the
two. On the highest part of this ridge is the state capitol, a great
building but recently finished. Harrisburg is at the right point for the
state government. It is not in the center of the state, to be sure, but it
is at the rear of the lowlands which reach in from the sea, and is just
outside the great gateway where roads from all the northern,
western, and central uplands come out on the plain. It is a
convenient center for coal and iron, and hence one sees along the
river below the city many blast furnaces, rolling mills, and factories.
To the northeast rich, open lands stretch along the base of Blue
mountain, and railroads join Harrisburg to Reading, Allentown,
Bethlehem, and Easton. To the southwest bridges cross the
Susquehanna, and roads run to Carlisle, Hagerstown, and other
cities of the Great Valley (Chapter XI).
Thus the Pennsylvania Railroad, running northwest from
Philadelphia, crosses at Harrisburg other roads that run to the
southwest. As hamlets often gather about “four corners” in the
country, so cities grow up where the great roads of the world cross
each other.
Fig. 30. Pennsylvania Railroad Shops, Altoona
Leaving Harrisburg behind, we pass the splendid new bridge of
the Pennsylvania Railroad, across the Susquehanna (Fig. 29), and
go through the gap in Blue mountain. Soon we turn away from the
main river and enter the winding valley of the Juniata. The grades
are easy, the roadbed is smooth, and by deep cuts through the rocks
the curves have been made less abrupt. It is only when one looks
out of the car window that the land is found to be rugged and
mountainous.
All the greater valleys and ridges of the mountain belt of
Pennsylvania run northeast and southwest. The last of these to be
crossed on our journey is Bald Eagle valley, from which the
Allegheny Front rises to the northwest.
In this valley, near the place where the Portage Railway began to
scale the heights, and a little more than a hundred miles from
Pittsburg, the Pennsylvania Railroad Company in 1850 founded a
town and called it Altoona. Here they started shops, which have now
grown to notable importance. The town became a city eighteen
years after it was begun, and has to-day about forty thousand
inhabitants. In the railway shops alone may be found nine thousand
men repairing and building locomotives, passenger coaches, and
freight cars. The Pennsylvania Railroad Company is now founding a
great school in Altoona, where young men may be taught to become
skillful and efficient in railway service.
Fig. 31. Horseshoe Curve, Pennsylvania Railroad
Altoona looks new, and with its endless freight yards, its noisy
shops, and its sooty cover of smoke from burning soft coal, it is very
different from quiet Lancaster, which was old when forests covered
the site of Altoona.
On our way to Pittsburg we are soon pulling up the Allegheny
Front by a great loop, or bend, which enables the tracks to reach the
summit more than a thousand feet above Altoona. Nestling within the
great bend is a reservoir of water to supply the houses and shops of
the city lying below. Passing the highest point, we find ourselves
descending the valley of the Conemaugh river to Johnstown, and
surrounded by the high lands of the Allegheny plateau.
Johnstown is much older than Altoona, for it was settled in 1791,
but it has not grown so fast, and has only about as many inhabitants
as the city of railroad shops. Most people know of Johnstown
because of the flood which ruined the place in 1889. Several miles
above the town was a reservoir more than two miles long and in
several places one hundred feet deep. After the heavy rains of that
spring the dam broke on the last day of May, and the wild rush of
waters destroyed the town. Homes, stores, shops, and mills were
torn away and carried down the river. Clara Barton of the Red Cross,
who went to Johnstown as soon as she could get there, says that the
few houses that were not crushed and strewn along the valley were
turned upside down.
More than two thousand men, women, and children lost their
lives, and those that were left were in mourning and poverty. The
whole land sent in its gifts of money, clothing, and food, and the town
was built up again into a prosperous city. Near the city are found
coal, iron, limestone, and fire clay, and these things make it easy to
establish iron works. The Cambria Steel Company gives work to ten
thousand men in its shops, mines, and furnaces.
The main line of the Pennsylvania Railroad runs down the
rugged Conemaugh valley through Johnstown, and is its chief
means of traffic. As we go on to the west we near Pittsburg, but first
we pass through a number of stirring towns. At one place fire bricks
are made, and the clay for molding them and the coal for burning
them are found in the same hill. In another town there are coal mines
and glass works. Farther west the Pennsylvania road has more
repair shops, and Braddock is the great Carnegie town. We shall see
why many thriving young cities have grown up in this region when
we take up Pittsburg, about which they are all clustered.
At Pittsburg we pull into one of the finest railway stations in the
United States. We may stop in the city of coal and iron, or we may
go on to the west, over one of the main arms of the Pennsylvania
Railroad system. If we take the northern branch, it will carry us
across Ohio to Fort Wayne in Indiana and to Chicago. If we board a
train on the southern arm, we shall go through Columbus and
Indianapolis, and be set down on the farther side of the Mississippi
river at St. Louis.
North and south from the great east and west trunk lines run
many shorter roads, or “spurs.” On the east there is a network of
short roads in New Jersey, and one of the busiest parts of the whole
system is that which joins Washington to Baltimore, Philadelphia,
and New York.
Fig. 32. Rock Cut, along the Line of the Pennsylvania Railroad
West from Philadelphia for a long distance there are four tracks,
and on either side may be seen neat hedges, such as one finds
along the railways of England. In the mountains it is often hard to
make a roadbed wide enough for four tracks, and hence there may
be only three or even two in some places. No doubt four will in time
be built through to Pittsburg, for many millions of dollars are spent in
improving the road. Instead of having a long circuit around the hills,
tunnels and vast cuts in the bed rock are made so as to straighten
the line. Thus both passenger and freight trains are able to make
better time, and the road can carry the stores of iron and coal which
are found in the lands on either side.
Some of the freight yards are always crowded with cars, and at
Harrisburg the company is building separate tracks around the city,
so that through freight trains need not be delayed.
At New York the Pennsylvania Railroad now has its station on
the New Jersey side of the Hudson river, but it is building a tunnel
under the river. The company has already bought several city blocks
and has torn away the buildings. Here it will build one of the greatest
passenger stations in the world. The tunnel will run on to the east,
under the streets and shops of Manhattan, and under the East river.
Thus under New York and its surrounding waters trains can go to the
east end of Long Island.
Pennsylvania has told us the same story that we learned from
New York. We read it again: first, how the Indian’s path was beaten
deeper and wider by the hoofs of the pack horse, bearing goods to
sell and barter in the wilderness; then how strips of forest were cut
down to make room for the Conestoga wagons and the gay stages
that swept through from Philadelphia to Pittsburg. These in their turn
became old-fashioned when the canal and Portage Railway were
done, and now we sit in a car that is like a palace, and think canals
and Conestogas very old stories indeed. In future generations swift
air ships may take the wonder away from the Empire State Express,
and make us listen unmoved when a man, standing in the station at
Philadelphia, calls the limited train for Pittsburg, Cincinnati, and St.
Louis.
CHAPTER VIII
THE NATIONAL ROAD

The sea reaches inland almost to the northeast corner of the
state of Maryland. This long, wide arm of the ocean receives many
rivers and is known as Chesapeake bay. Near its north end is
Baltimore, one of the four great cities of our Atlantic coast. It is one
hundred and fifty miles from the open sea. If, instead of sailing up
the bay, we should turn toward the west, we could go up the
Potomac river, which is deep and wide. On our way we should pass
Washington’s estates at Mount Vernon, the old city of Alexandria,
and the national capital, Washington. We could not sail much farther
because there are falls in the Potomac which ships cannot pass. The
Potomac runs so close to Chesapeake bay that it is only forty miles
from Washington across to Baltimore.
Chesapeake bay is much like Delaware bay and the tidal
Hudson river, only it is larger than either. Baltimore is at a greater
distance from the open sea than Philadelphia is, and Philadelphia is
farther inland than New York, but each of these cities tried to get as
much of the western trade as it could.
The natural way for the men of Baltimore and Alexandria to go
across to the west was up the Potomac river and through its passes
in the mountains. But before they tried this they had settled much of
the low, flat land along the Potomac and about the Chesapeake in
Virginia and Maryland. This was often called “tide-water country,”
because the beds of the rivers are below sea level, and the streams
are deep enough for boats of some size.
Fig. 33. Tollhouse West of Brownsville, Pennsylvania
When the land was first settled and the colonists found that they
could go almost everywhere by boat, they paid small heed to making
roads. They could visit their neighbors on other plantations and they
could load their tobacco and take it to market by the rivers. Many
plantations were beside rivers of such great depth that sailing
vessels bound for London could come up to the farmer’s wharf and
get his crop of tobacco.
In early days the members of the legislature were not always
given so much per mile to pay the stage fares between their homes
and the capital, but they were allowed the cost of hiring boats
instead. Many ferries were needed, and laws about them were made
before rules were laid down for bridges and roads. Several
lawmakers at one time would have been fined for their absence from
the legislature of the colony had they not been excused because
there was no ferry to carry them over the river which they would
have had to cross.
Around Annapolis “rolling roads” were made. These were wide
paths made as smooth as possible, in order that large hogsheads of
tobacco might be rolled, each by two men, to the market in that old
town.
After a time the lowlands of the coast region began to fill up and
the people were pushing westward, just as they did in Pennsylvania
and New York. No man had so great a part in this westward
movement as the young surveyor, George Washington. In 1748 he
was sixteen years old, a tall, strong lad, full of courage and energy.
Lord William Fairfax, a rich English gentleman who had settled in
Virginia, had bought great tracts of forest land up the Potomac
behind the Blue Ridge mountains, and he was eager to have them
surveyed. Knowing that Washington had studied surveying, Fairfax
asked him to undertake the task. The boy consented; he went
beyond the Blue Ridge into the country along the Shenandoah,
camped in the woods, swam the rivers, toughened his muscles,
learned the ways of the red men, and three years later came back, a
grown man, ready for great things.
While Washington was getting his practice as a surveyor the
Ohio Company was formed to take up lands along the Ohio river,
and to keep the French from settling there. Lawrence, Washington’s
elder brother, was one of the chief men of this company. In 1753
Washington himself went west to the Ohio river. Day by day the
French were taking a firmer hold of that country, and Dinwiddie, the
old Scottish governor of Virginia, looked about for some one to carry
a warning letter to the commander of one of their new forts. The
messenger was also to keep his eyes open and report what the
French were doing on the upper waters of the Ohio. He chose
Washington, saying, “Faith, you’re a brave lad, and, if you play your
cards well, you shall have no cause to repent your bargain.”
Washington did not wait, but left on the day he received his
commission, late in October, 1753.
Christopher Gist, a famous frontiersman, was secured as guide,
and we can have no doubt that he and Washington formed a team,
ready to meet Frenchmen, red men, and the dangers of river and
forest. They made up their little party where the city of Cumberland,
Maryland, now stands. It is far up the Potomac, in the heart of the
mountains,—a long way beyond the Blue Ridge and the lands where
Washington had been surveying.
At this place a large stream called Wills creek cuts through one
of the mountain ridges by a deep gorge and enters the Potomac. On
a hill, where these streams come together, was Fort Cumberland,
the great outpost of Virginia and Maryland. A fine church now stands
on the ground of the old fort, in the heart of the busy city of
Cumberland. This was the starting point for Washington’s expedition
and for many later ones into the western wilderness.
Washington made his dangerous journey with success. He
brought back a letter from the French commander, but of much
greater value was the story of all that he had seen. The colonists
now knew just what they would have to do to keep possession of the
Ohio lands.
It was not long before Washington went again as commanding
officer of a small army, and in 1755 he served under General
Braddock in the famous battle which resulted in the defeat of the
English and the death of their general. Washington, as we know,
brought off the troops with honor to himself. In each of these
expeditions something was done toward cutting away the trees and
grading a road from Fort Cumberland to the head of the Ohio river at
Pittsburg.
Fig. 34. Milestone on the Line of Braddock’s Road, near Frostburg, Maryland

On the line of Braddock’s road, a dozen miles west of
Cumberland, is a milestone, set up about a hundred and fifty years
ago. A photograph of it is shown above. It is a rough brown stone,
standing in a pasture half a mile outside the city of Frostburg, in
western Maryland. The stone was once taken away and broken, but
it has since been set up again and cemented into a base of concrete.
The view shows how it has been split up and down. On one side are
directions, and on the other are the words, “Our Country’s Rights We
Will Defend.”
Braddock’s journey from Alexandria to Fort Duquesne was an
uncomfortable one, to say nothing of its disastrous end. He bought a
carriage to ride in, but the road was not suited to a coach, as were
the roads he knew in old England. Beyond Cumberland, especially,
in spite of all the work his men could do upon it, it was so bad that he
was forced to take Washington’s advice and change the baggage
from wagons to pack horses.
Gradually, as time went on, these rough paths were beaten down
into smoother thoroughfares. The same causes that led to the
development of the North were working also at the South. Along the
Potomac, as in New York and in Pennsylvania, the stream of colonial
life flowed westward. First the pioneers settled the lowlands around
Chesapeake bay and along the deep rivers; then as their strength
and courage reached beyond the mountains they found the forests
and fertile soil behind the Blue Ridge. Farther within the rugged
highlands they built Fort Cumberland and sent out discoverers and
armies to the Ohio river. When the woods were cleared and towns
and states grew up on the Ohio, there was frequent occasion to
cross the mountains for trade, for travel, and to reach the seat of
government, which in 1801 was moved to Washington on the
Potomac.
Fig. 35. Old Road House, Brownsville, Pennsylvania
These glimpses of colonial journeys will help us to understand
why the National Road came to be built. About one hundred years
ago the government began to take a great interest in opening roads,
especially across the Appalachian mountains, to Ohio, Kentucky,
and other parts of the Mississippi valley. Washington, who died in
1799, had said much about this work, for he not only wanted western
trade to come to Virginia instead of going to New Orleans, but he
also felt that so long as the mountains kept the East and the West
apart we should never have one common country, held together by
friendly feelings.
The people of Baltimore, like those of New York and
Philadelphia, were eager to have the best road to the West, that their
business might be benefited. Not far from Baltimore is an old place
called Joppa, and several roads are still known as “Joppa roads.”
The town is older than Baltimore and was once the chief trading
town in the northern part of Maryland; but Baltimore was well
situated on an arm of the great bay, and by this time had gone far
ahead of its old rival.
A number of good roads had been built in Maryland, among
them a famous one leading out westward to Frederick. This was in
the direction of Hagerstown, and still farther west was Cumberland.
The United States government decided to build a great road to Ohio,
beginning at Cumberland. To get the benefit of this, the men of
Baltimore went to work to push the Frederick pike westward to the
beginning of the National Road.
So it came about in 1811 that the first contracts were let for
building parts of the National Road. We remember that the Erie
canal was not started until six years later. The act of Congress which
ordered the making of the road provided that a strip four rods wide
should be cleared of trees, that it should be built up in the middle
with broken stone, gravel, or other material good for roads, and that
all steep slopes should be avoided. The road was opened to the
public in 1818, one year after the Erie canal was begun. The original
plan was to make it seven hundred miles long, reaching from
Cumberland to the Mississippi river, but it was never carried out.
The Maryland roads, as we have seen, ran west from Baltimore
and Washington to Frederick, east of the Blue Ridge; to Hagerstown,
in the Great Valley; and to Cumberland, in the mountains.
Cumberland is a stirring town of about twenty thousand people, and
with its great business in coal, iron, and railroads it seems like a
larger city. Thence the National Road runs through the gap in Wills
mountain (Fig. 36) to Frostburg, a dozen miles west and fifteen
hundred feet higher. The road soon bears northward into
Pennsylvania and crosses the Monongahela river at Brownsville,
about forty miles south of Pittsburg. Coal is mined here, and boats
were running in those early days, as coal barges and steamboats
run to-day, down to the great iron city.
From Brownsville the pike leads over the hills and comes down
to the Ohio river at Wheeling, West Virginia. It then passes on
through Ohio, touching Columbus, the capital, on the way to Indiana
and the Mississippi.
We sometimes admire the cars marked with the sign of the
United States post office, which we see drawn by a swift locomotive
at a speed of sixty miles an hour; but when the government put its
mail coaches on the National Road from Washington to Wheeling, no
doubt they seemed quite as wonderful to the people of that time. And
it was only twenty-five years since the people of Utica had thought it
so remarkable that six letters had come to them in one mail! Soon
passenger coaches were rushing along at ten miles an hour, and
sometimes even faster. There were canvas-covered freight wagons,
each of which carried ten tons, had rear wheels ten feet high, and
was drawn by twelve horses. In those days life was full of stirring
interest on the National Road.
Fig. 36. Cumberland and the Gap in Wills Mountain
There were rates of toll for all sorts of animals and wagons. The
toll was higher for hogs than for sheep, and more was charged for
cattle than for hogs. If the wagons had very wide tires, no toll was
demanded. Drivers sometimes lied about the number of people in
their stages, so as to pay less toll. The stages were not owned by
the drivers but by companies, which bid for travelers and freight, as
railways do now. There were penalties for injuring milestones or
defacing bridges, showing that some people then were like some
people now. The companies had interesting names. There were the
“Good Intent,” “Ohio National Stage Lines,” the “Pilot,” “Pioneer,”
“June Bug,” and “Defiance.” Not one of them cared for mud or dust,
for horses or men, if only it could be the first to reach its destination.
There must have been dust enough, for twenty coaches with their
many horses sometimes followed one another in a close line.
Fig. 37. Bridge and Monument, National Road, near Wheeling, West Virginia
Henry Clay was one of the chief advocates of this road, and a
monument built in his honor may be seen near the bridge, shown in
Fig. 37. It is a few miles east of Wheeling. At Brownsville a small
stream called Dunlap’s creek flows into the Monongahela from the
east. Over it is an iron bridge on the line of the National Road.
According to a story told in Brownsville, Henry Clay was once
overturned as he was riding through the creek before the bridge was
built. As he gathered himself up he was heard to say, “Clay and mud
shall not be mixed here again.” The story goes that he went on
immediately to Washington and got an order for the building of the
bridge.
Whether this be true or not, it is certain that he and many other
statesmen traveled over the National Road. They could not have
private cars, nor did they go in drawing-room coaches, as we can if
we choose. Anybody might chance to sit beside these men of
national fame, as day after day they rode through the valleys and
over the mountains, stopping at the wayside hotels for food and rest.
Some of the old hotels, tollhouses, and bridges, as they look to-day,
are shown in the illustrations in this chapter. The road itself was
long ago given up to the different states and counties through which
it runs, but it still tells to the traveler who goes over it many a story of
the life of a hundred years ago.
CHAPTER IX
THE BALTIMORE AND OHIO RAILROAD

Even after the Erie canal was built and long lines of boats were
carrying the grain and other products of the West to New York, the
men of Virginia and Maryland did not give up the notion of still
making the trade of the western country come their way. They
planned the Chesapeake and Ohio canal, to reach the Ohio river,
and thought that other canals across the state of Ohio would let them
into lake Erie. By the Ohio river they would connect with New
Orleans and the upper Mississippi river, and through lake Erie they
could reach the towns and farms that border lake Huron, lake
Michigan, and lake Superior.
A canal along the Potomac valley had been talked of several
years before the Revolution, when Richard Henry Lee laid a plan for
it before the Assembly of Virginia. Doubtless others thought of it too,
as of the Erie canal, long before it was made. At the end of the War
of the Revolution Washington made a long journey into the wild
woods of New York. He went to the source of the Susquehanna at
Otsego lake, visited the portage between the Mohawk and Wood
creek, and saw for himself that New York had a great chance for
navigation and trade. But he had a natural love for his own Virginia,
and he did not intend to let New York go ahead of his native state.
His journeys across the mountains as a surveyor and as a soldier
gave him a knowledge of the Ohio country, and as he had himself
taken up much good land there, he wished to have an easy way, by
land or water, from the sea to the rich Ohio valley. So he thought
much about a canal to run by the side of the Potomac, and he joined
with others who felt as he did to form the Potomac Company. They
