It’s the last regular working weekday of 2022 (in the UK and the US, at least), in the unsurprisingly relaxed and vacationistic gap between Christmas and New Year…

…so you were probably expecting us to come up either with a *Coolest Stories Of The Year In Review* listicle, or with a *What You Simply Must Know About Next Year (Based On The Coolest Stories Of The Year)* thinly-disguised-as-not-a-listicle listicle.

After all, even technical writers like to glide into holiday mode at this time of year (or so we have been told), and nothing is quite as relaxed and vacationistic as putting old wine into new skins, mixing a few metaphors, and gilding a couple of lilies.

So we decided to do something almost, but not quite, entirely unlike that.

## Those who cannot remember history…

We are, indeed, going to look forward by gazing back, but – as you might have guessed from the headline – we’re going to go further back than New Year’s Day 2022.

In truth, that mention of 33 1/3 is neither strictly accurate nor specifically a tribute to the late Lieutenant-Sergeant Frank Drebin, because that headline number should, by rights, have been somewhere between 34.16 and 34.19, depending on how you fractionalise years.

We’d better explain.

Our historical reference here goes back to 1988-11-02, which anyone who has studied the early history of computer viruses and other malware will know, was the day that the dramatic Internet Worm kicked off.

This infamous computer virus was written by one Robert Morris, then a student at Cornell, whose father, who also just happened to be called Robert Morris, was a cryptographer at the US National Security Agency (NSA).

You can only imagine the watercooler gossip at the NSA on the day after the worm broke out.

In case you’re wondering what the legal system thought of malware back then, and whether releasing computer viruses into the wild has ever been considered helpful, ethical, useful, thoughtful or lawful… Morris Jr. ended up on probation for three years, doing 400 hours of community service, and paying a fine of just over $10,000 – apparently the first person in the US convicted under the Computer Fraud and Abuse Act.

The Morris Worm is therefore within a year of 33 1/33 years old…

…and so, because 34.1836 common years is close enough to 33 1/3, and because we rather like the number 33 1/3, apparently a marketing-friendly choice of rotational speed for long-playing gramophone records nearly a century ago, that is the number we chose to sneak into the headline.

Not 33, not 34, and not the acutely factorisable and computer-friendly 32, but 33 1/3 = 100/3.

That’s a delightfully simple and precise rational fraction that, annoyingly, has no exact representation either in decimal or in binary. (1/3 = 0.333…_{10} = 0.010101…_{2})

## Predicting the future

But we’re not really here to learn about the frustrations of floating point arithmetic, or that there are unexceptionable, human-friendly numbers that your computer’s CPUs can’t directly represent.

We said we’d make some cybersecurity predictions, so here goes.

We’re going to predict that in 2023 we will, collectively, continue to suffer from the same sort of cybersecurity trouble that was shouted from the rooftops more than 100001.010101…_{2} years ago by that alarming, fast-spreading Morris Worm.

Morris’s worm had three primary self-replication mechanisms that relied on three common coding and system administration blunders.

You might not be surprised to find out that they can be briefly summarised as follows:

**Memory mismanagement.**Morris exploited a*buffer overflow vulnerability*in a popular-at-the-time system network service, and achieved RCE (*remote code execution*).**Poor password choice.**Morris used a so-called*dictionary attack*to guess likely login passwords. He didn’t need to guess*everyone’s*password – just cracking*someone’s*would do.**Unpatched systems.**Morris probed for email servers that had been set up insecurely, but never subsequently updated to remove the dangerous remote code execution hole he abused.

Sound familiar?

What we can infer from this is that we don’t need a slew of new cybersecurity predictions for 2023 in order to have a really good idea of where to start.

In other words: we mustn’t lose sight of the basics in a scramble to sort out only specific and shiny new security issues.

Sadly, those shiny new issues are important, too, but we’re also still stuck with the cybersecurity sins of the past, and we probably will be for at least another 16 2/3 years, or even longer.

## What to do?

The good news is that we’re getting better and better at dealing with many of those old-school problems.

For example, we’re learning to use safer programming practices and safer programming languages, as well as to cocoon our running code in better behaviour-blocking sandboxes to make buffer overflows harder to exploit.

We’re learning to us password managers (though they have brought intriguing issues of the their own) and alternative identity verification technologies as well or instead of relying on simple words that we hope no one will predict or guess.

And we’re not just getting patches faster from vendors (responsible ones, at least – the joke that *the S in IoT stands for Security* still seems to have plenty of life in it yet), but also showing ourselves willing to apply patches and updates more quickly.

We’re also embracing TLAs such as XDR and MDR (*extended* and* managed detection and response* respectively) more vigorously, meaning that we’re accepting that dealing with cyberattacks isn’t just about finding malware and removing it as needed.

These days, we’re much more inclined than we were a few years ago to invest time not only for looking out for known bad stuff that needs fixing, but also for ensuring that the good stuff that’s supposed to be there actually is, and that’s it’s still doing something useful.

We’re also taking more time to seek out potentially bad stuff proactively, instead of waiting until the proverbial alerts pop automatically into our cybersecurity dashboards.

For a fantastic overview both of *cybercrime prevention* and *incident response*, why not listen to our latest holiday season podcasts, where our experts liberally share both their knowledge and their advice:

*Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.*

*Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.*

Thanks for your support of the Naked Security community in 2022, and please accept our best wishes for a malware-free 2023!

## Tim Boddington

All those 1980s problems? Well I was there trying to cope with them in a big commercial environment. How depressing it is to see the same problems still giving trouble today, 40 years later. The reality is that it remains the people that are the problem, less the technology.

Many thanks for the interesting reads, Paul, and a very happy New Year to you and all the team.

## Paul Ducklin

Thanks… glad you have been enjoying the content!

## Cassandra

Am I slow to get into the year, but what is the significance of 100010.010101 (base2)?

## Paul Ducklin

Errr, sorry… typo :-) Should be 100001.010101…, which is equivalent to 33.333… in decimal, which is 33 1/3.

To decode, the number shown has 5 “1” digits, and three repetitions of the fractional digits “01”, and comes out as:

1 0 0 0 0 1 . 0 1 0 1 0 1

-----------------------------------------------------------------------------------------------------

1x32 + 0x16 + 0x8 + 0x4 + 0x2 + 1x1 + 0x(1/2) + 1x(1/4) + 0x(1/8) + 1x(1/16) + 0x(1/32) + 1x(1/64)

= 32 + 1 + 1/4 + 1/16 + 1/64

= 33.328125

For more iterations and thus ever-greater accuracy within the the 53-bit (or 16 decimal digit) precision of the IEEE 754 binary “double” floating point format:

-- Run with any recent version of Lua:

rpm = 33

frac = 1

for i = 2,40,2 do

frac = frac * 4

rpm = rpm + (1/frac)

print('fractional digits:',i,'rpm:',rpm)

end

---Output:

fractional digits: 2 rpm: 33.25

fractional digits: 4 rpm: 33.3125

fractional digits: 6 rpm: 33.328125

fractional digits: 8 rpm: 33.33203125

fractional digits: 10 rpm: 33.3330078125

fractional digits: 12 rpm: 33.333251953125

fractional digits: 14 rpm: 33.333312988281

fractional digits: 16 rpm: 33.33332824707

fractional digits: 18 rpm: 33.333332061768

fractional digits: 20 rpm: 33.333333015442

fractional digits: 22 rpm: 33.33333325386

fractional digits: 24 rpm: 33.333333313465

fractional digits: 26 rpm: 33.333333328366

fractional digits: 28 rpm: 33.333333332092

fractional digits: 30 rpm: 33.333333333023

fractional digits: 32 rpm: 33.333333333256

fractional digits: 34 rpm: 33.333333333314

fractional digits: 36 rpm: 33.333333333328

fractional digits: 38 rpm: 33.333333333332

fractional digits: 40 rpm: 33.333333333333