One post left…
I know people have a few questions about the remaining fate of the site, so I decided to write a little FAQ prior to my last post:
Q: Are you planning on keeping ha.ckers.org up for reference at least?
Yes. There’s a very small chance (read near zero) that I will be making any updates though.
Q: Are you going to keep comments open on the blog?
The short answer is no. I’ve already been shutting down comments on some of the older posts to reduce the volume of comment spam. I’ll probably leave comments in place for a few months and then close it up, just to reduce the maintenance. So if you have anything you want to say about any of the recent posts, please say it now.
Q: Are you planning on keeping sla.ckers.org up?
For the foreseeable future, yes. I do want to encourage people to keep researching, and innovating, even if I’m not directly a part of it. So yes, there’s no plans on taking sla.ckers.org offline, and I still encourage people to visit and ask “dumb” questions. You have to get started somewhere, and it all starts with intense curiosity. For those who are starting, don’t be afraid to approach people who know what they’re talking about. If they blow you off, they’re jerks, but a lot of times they’ll be patient and help. It never hurts to try. Update: sla.ckers.org and ha.ckers.org both suffered a massive RAID and simultaneous backup failure on December 17th 2010 related in part to an exhaust system failure in our redundant cooling system. So some dates are messed up on comments over the last few months of posts, some files and directories (like hashmaster) are gone, and sla.ckers.org suffered some loss of posts because we had to go back to an old backup. Sorry about that. It’s hard to predict so many failures at once.
Q: I still want to read what you’re writing, are you posting anywhere else?
I may post in lots of places regarding various topics and for various reasons, but no, my days of WebAppSec blog posting a la ha.ckers.org are over. It’s time for others to pick up where I left off. But if you just want to read 300+ more pages of RSnake content, please check out Detecting Malice.
Q: Why 1,000 posts and not 10,000 or 100,000 posts?
Because I made a promise to myself to make it to 1,000 posts. That’s it. Simple enough. It was really easy to get to 100 posts, and even easier to get to 250. After that, it got harder and harder. I was thinking about stopping at 500, but one day I checked and I had accidentally gotten to over 550… so then I made another promise that I’d stop at 1000. And here we are, my friends - one post remaining.
Q: Someone mentioned to me something about a “Dread Pirate RSnake”. What is that?
A year or so ago I was thinking that rather than shutting down the blog outright I would find a talented person to take my place. Like the character in the Princess Bride, the Dread Pirate Roberts, they could take on the Dread Pirate RSnake persona, and pass that along to others once they got tired of the name. I talked with several people about that who seemed interested in taking up the cause, but after thinking about it longer I decided it was a bad idea. Ultimately I decided the blog was fun while it lasted, but it’s over for me, and my handle doesn’t need to live on. The research is the important part and others have long ago taken over those reigns anyway.
Q: Will you continue to be part of security?
In short, yes, I’ll still be working in security. I’ll always be available by email, but no, my time in the spotlight is thankfully coming to a close. It’s time for other people to get their moment in the sun. Having already made a few commitments I will remain somewhat visibly involved in the security world, but otherwise I’m trying to do less and less in the public eye. I’m definitely not leaving security altogether though. SecTheory will continue to operate, and I have a number of security ideas in the works that will no doubt see the light of day at some point, but that’s about it. And Jer seems to think I may twitter more now than ever. Who knows? Only time will tell. I really dislike twittering though, so the forecast does not look good.
Q: What about any other vulns you find?
Ah, the hardest question of all. I haven’t made up my mind. Some issues will no doubt get disclosed to the appropriate parties. Some may end up in a friend’s lap for them to disclose under their name. The remaining issues… who knows? To be honest, like a lot of researchers these days, I’ll probably just sit on them.