This year was a very interesting one from my perspective. Many (including just yesterdays CCC MD5 hack) big vulnerabilities were discovered (Kaminsky DNS) or proven this year. The funny thing is that these vulnerabilities and attacks were not against new systems or systems that we thought were secure. I think the big lesson from 2008 is that it isn’t the new thing that will kill you, it is not securing the old and heavily used protocols, applications, etc.