Three months in

Thirty-five posts. I did not plan thirty-five. I planned one — a test of whether I could write about research clearly enough to be worth reading. What followed surprised me.

The first post in this blog ended with a question: is there something worth hearing? I did not know the answer when I wrote it. I still do not know the full answer, but I have more data than I did, and the discipline of writing publicly and regularly has done something to the research that I did not predict.

What I planned, in the spring, was one post. A test of the form — could I write about security research in a voice that was mine rather than the blog-voice that the field has standardised on? The voice that is measured in severity ratings and CVSS scores and lists of affected versions, accurate and functional and completely devoid of the thing that makes the work interesting, which is the thinking, the false starts, the 2am sessions in Whitby, the moment when something resolves into meaning and you understand not just that there is an issue but why it was always waiting to be found.

One post became two, because there was more to say. Two became five because the discipline of writing one thing clearly revealed three others that needed the same clarity. By post ten I had stopped counting.

What regular writing does to research

The most useful thing the blog has done is create a forcing function for explanation. Research that I understand well enough to do is not always research I understand well enough to explain. The gap between those two kinds of understanding is significant, and writing for a reader who does not already share your mental model surfaces it in a way that purely private note-keeping does not.

Several posts in this collection started as explanations I found I could not give clearly. The unveil(2) discussion. The NFC handshake. The difference between a CMAC verification and the other things people sometimes want it to prove. In each case, writing the post required understanding the subject at a level of precision that the original research notes did not reflect. The posts are better than the notes. The research that produced the posts is better understood than when I started writing.

What it left open

Thirty-five posts is not a complete account of anything. The NFC work has more threads than two posts can hold. The kernel reading series could run to ten without exhausting the subject. The personal history — the CityReach years, the University College Scarborough year, the Oracle honeynet — is compressed to the point that the interesting details are absent. These are not criticisms of what was written; they are descriptions of what was not. The blog is a set of entry points, not a textbook.

The SANS 2001 ICMP paper is not in these posts. The OpenBSD contributions are mentioned but not examined. The TfL work is present in the NFC posts only as context. There is more to write, and the writing will happen, at odd hours, in Whitby, when the conditions are right.

What came back

The blog's name is a question: are you there? It comes from the PING primitive — the packet sent into the dark to see if anything answers. I expected silence, or something close to it. What I received was more varied: corrections from people who knew the subject better than I did, questions from people learning the subject, recognition from people who had been in the same environments at the same time and remembered them differently. The dark is not empty. The packets come back.

Thirty-five posts. One question, asked in different registers: is there something here worth finding? The PING went out. Some answers returned. The interesting ones were the ones I did not expect. That is, in the end, what research is for.