What’s the subject, Kenneth?

The band R.E.M. released a song on their 1994 album Monster inspired by an odd attack one night by two well-dressed individuals who physically assaulted TV news anchor Dan Rather on his way home while they demanded he answer a question:

“Kenneth, what is the frequency?

Luckily, Rather was not seriously harmed in the attack.

The question made absolutely no sense.

(Though the album made a lot of money!)

When it comes to ethical review of research involving computer security, there are some situations that similarly seem to make no sense.

https://twitter.com/_argp/status/1385133843452243969

Ethics in academic research

The following statement was released on April 21, 2021:


Or, “How I integrated python-secrets with Splunk’s Attack Range framework, and how you can do the same for your open source project!”

Photo by Michael Dziedzic on Unsplash

In this article, I want to do three things. (1) point out a couple of what I consider to be pervasive fundamental computer security problems, (2) provide my own proposed solution to them, and (3) show you how you can implement that solution in your own open source project (or as a Pull Request to someone else’s open source project).

I will provide you with a way to simultaneously accomplish all the following goals:

  1. Decrease the time it takes to consistently and repeatably configure and stand up a small-scale distributed system.
  2. Decrease the chance of the user making a mistake…


Saying “PCAP, or it didn’t happen!” is all well and good but if you can’t see into the PCAP, how do you know what happened?

Photo by Nina Ž. on Unsplash

This article is aimed at those wanting to learn how to leverage network traffic capture and analysis tools as part of the digital forensics and incident response (DF/IR) processes. These disciplines involve analyzing the network communications associated with remotely controlled malicious software installed on your organization’s computer systems.

  • Those hoping to become a security operation center (SOC) analyst need to know what is behind the alerts their network monitoring or end-point detection systems produce.
  • Those seeking to advance in their career doing more detailed DF/IR tasks, including creating new signatures for detection and reporting on new capabilities in malware, need…


Looking for malware in all the right places (with the right tool!)

A screen image captured from a computer infected with NotPetya ransomware, extorting the user for Bitcoins to decrypt files.
NotPetya screenshot from CTU-Malware-Capture-Botnet-289–1

I’m sure at some point you’ve received a report or alert from some entity — US-CERT, DHS, someone on Twitter retweeting a security researcher or an anti-virus company, maybe even your bank or credit union? — about a specific threat actor and the malware they may wield against your organization’s network. You know, like the malware in the screenshot above.

What do you do if you want to learn how that malware works so you can prepare to respond?

If I were to give you a free software tool to help you search through hundreds of network packet captures to…


Advancing ethical thinking regarding responses to cyber crime

Photo by Nathan Dumlao on Unsplash

It is common for professional societies and membership organizations to have a Code of Ethics intended to guide their members. Professionals working in the field of information security (INFOSEC) are often members of one or more of these entities, as are academic cyber security researchers and students desiring to enter the INFOSEC field.

In this article I will focus on three such entities: The IEEE and the Association for Computing Machinery (ACM), which are general professional societies with broad membership across many disciplines, and the Forum of Incident Response and Security Teams (FIRST), who “cooperatively handle computer security incidents and…


Respect, beneficence, and justice must be universal or else they are meaningless.

Photo by Louis Reed on Unsplash

I was listening to the news on August 29, 2019, when I heard the story of Maria Isabel Bueso and the demand letter she received ordering her to leave the United States by the middle of September or be deported.

I heard her doctor struggling to find a way to resolve this situation and save Isabel from what he called a “death sentence.”

When I learned of Isabel’s participation in a high-priority medical research study, I knew I had something to contribute based on my own experience. I hope that what I have to say here helps people understand how…


How I became the first person to describe the advent of a new class of computer network attack tools.

The University of Minnesota was kept off-line for three days, and I was kept busy for weeks.

20 years ago today — August 17, 1999 — started as a normal day. But that wouldn’t last very long. Little did I know the University of Washington was about to be inundated with a flood of known compromised computers that had to be remediated as quickly as possible.

Photo by Kelly Sikkema on Unsplash

It turned out I was more prepared for this flood than I knew at the time. That preparation would prove quite valuable to me, as you will see. If you are a digital forensic and incident response (DFIR) professional, I think you might learn something from my story.

Good morning?

I have a…


How I became the first person to describe the advent of a new class of computer network attack tools.

Something is happening, but what?

20 years ago today — August 5, 1999 — I rode my mountain bike across the University of Washington campus to work like every other workday. Early mornings in the summer in Seattle can be pretty nice. Sunny, a little cool with dew on the grass.

Before there were signs requiring that bike riders walk their bikes, I could cruise across campus, bunny-hopping the small 2–3 foot flights of stairs in the Quad, entering Red Square heading south, and — at just the right speed — take the two flights of ten steps each on the south-west corner Suzzallo Library…


Eradicating an Intruder from a Network

Photo by Jakob Owens on Unsplash

“Hacking back” doesn’t always mean going outside your own network. In fact, it is best done quietly, inside your own network where you have home field advantage, and both slowly and deliberately so as to deliver a definitive enough blow to someone’s activities that they leave your network and don’t come back. This is a story of how I did it, and how you can, too.

This story (excerpted from a book in progress) centers on a hacker who I will refer to by the nick “G0by” (spelled with a Zero, and not his real nick.) G0by was part of…


How I became the first person to describe the advent of a new class of computer network attack tools.

Part 0: The Build Up to Distributed Denial of Service

Photo by Taskin Ashiq on Unsplash

I was inspired to start a series of articles on the early history of DDoS by a few recent events. Rik Farrow interviewed me for a forthcoming issue (Fall 2019 Vol. 44, No. 3) of Usenix ;login: magazine while I was also writing up a history of the early days of the Honeynet Project, which refreshed my memory on a number of events in 1999-2000. I also read this MIT Technology Review article on the 20th anniversary of the “first DDoS attack” on the University of Minnesota:

It took me a little while to remember that July 22 was not

Dave Dittrich

Information Security Researcher, Consultant

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store