I speak and write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.
Click the selectors in the Content pane to filter the content.
Bucket list item achieved. I was interviewed on live TV in the Philippines on the ANC Early Edition news program about consumer internet safety and how Filipinos view it through the lens of convenience vs. security. There were likely millions of people watching and but it was just so much fun! Would do it again :)
The idea for this, my favorite article, had been rattling around my head for years. "Why don't you use your knowledge for evil?" I surveyed over three dozen of my friends and colleagues to find out what their prices were, if any. Some illuminating results.
You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that ambien, because this Lightboard Lesson solves it. In episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.
This may be the most significant document I've ever written. Customers used to ask me if we a a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took my close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opens for DDoS.
Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.
One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.
Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.
I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.
This is by far the most popular thing I've ever written. It consistently gets over 1000 views every month. That means since I wrote it, over 50,000 people have read it. Maybe it goes to show you that people want problems solved!
Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.
F5 Network security evangelist David Holmes offers concrete advice about how cloud outsourcing can help companies with a talent shortfall solve three enterprise security problems: application security, penetration testing, and bug bounties.
TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015
The Malay Business Insight newspaper has a circulation of over 80,000 in the Philippines. After an Interview I did on our recent volume 4 of the Hunt for IoT thingbots, Sir Raymond Gregory Tribdino published these two articles, one on IoT and one on how I look like Tony Stark. The resemblance usually escapes me, but I hear it all the time. Like about 10 times a year.
This is the most-read article I've ever written. A true-story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.
This is is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind encryption the PS4 uses. And how resistant would it be to surveillance.
I wrote a piece about the UDP-based distributed denial of service (DDoS) attack involving Spamhaus and CyberBunker. It was published in ComputerWorld in 2013.
Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gather just a single, awesome year of it.
My *love letter* to version 14.0 of the F5 product suite. These Top Ten articles are always popular with the engineers in the field, many of whom send directly to their customers. These are always a ton of work for me, as I have to get the giant list of requirements, understand them, rank them, and write copy (and jokes) about them. Even as I complain, I must admit that these were also my favorite articles for F5 :)
Here's a fun virtual roundtable that Brian McHenry and me did for the DevCentral guys, Jason Rahm and John Wagnon. Over a half hour we discuss the F5 advanced firewall module. We chat about the market, the history and some of the things that differentiate the product.
Worldwide Security Evangelist. Great title, huh! So what does a Security Evangelist do? This article explains it all.
Here's a 7 minute interview that CSO's Anthony Caruana did with me at the CSO Perspectives roadshow; this one was in Sydney. He asks about the new National Mandatory Breach Notification law, the Internet of Things, and where did I get that awesome shirt? Belgium.
Not every day you get on the front page of the local paper! Was in the Philippines immediately after the first SWIFT banking theft: $81M had been stolen (by the Lazarus group, probably) and laundered through local casinos. I happened to be there speaking with the media about bank fraud anyway, so that's how country manager Oscar Visaya and I ended up on the front page of the paper.
Omg these are so popular. I've been writing these "borderline outrageous" top ten series for three years now and it they are a HUGE amount of work. I have to understand all of the security features in order to sort and prioritize them, and then think of a joke for each one. But they're everyone's favorite content, so I'll keep writing them :)
Here's an essay I wrote about what I think are the data privacy concerns around the Philippine National ID system (PhilSys). Having a national identification system is a good thing; this essay contains my advice to the implementors of PhilSys, so that they can most properly secure their citizen's data.
When asked for Comment on the Panama papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.
I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.
"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.
For the first few years, I had to talk myself into paying the $450 annual fee for American Express Platinum card. This little piece is me getting talking myself into it on paper, as it were. The math checks out. And if anyone is keeping score, I still get the platinum card every year, and it pays for itself.
“Is it possible to quantify your own security posture as it relates to denial-of-service? “ That’s the question a customer of ours has been asking themselves, and they came up with plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.
After many discussions with some of the most high profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.
The right guy at the right time. Here's my take on the huge DDoS attacks of September and October 2016. Had to rush this one to release as an official company position on the attacks. I like how it came out.
Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics: Internet of Things and Threat modeling and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)
Here's the second edition of the TLS Telemetry report. This is my ongoing research into worldwide cryptographic trends, covering such topics as protocol preference, forward secrecy adoption, SSL security headers and more. Really like the tasteful cover on this one. Beautiful!
I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespinage case in Europe. Made for a great SecurityWeek article.
Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.
My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.
After I came back from my 50 days in Asia, I wrote up three observations about how infosec is different there. Some good analogies. Kinda proud of this piece.
As you would imagine, being a security and networking professional, I ran a pretty sophisticated home network. One time I plugged our partner Webroot's IP reputation tool in front of my home router to see what kind of malicious traffic it was flagging. Here are the results.
My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.
I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.
Sabu was such a rock star in his time. His character and his exploits were legendary at the time and his downfall even more so. I really enjoyed writing this one. I actually had more information on this but couldn't publish it to due privacy concerns. But buy me a beer sometime and ask me about it.
I've been a cryptocurrency skeptic for years. Much of that skepticism comes from hundreds of hours of talking with real CISOs and directors of security about how they can better protect real (not virtual) currency. Even with the resources of enormous budgets and huge security teams they can barely keep the hackers from stealing all the monies. When F5 Labs asked me to write up my opinions about Bitcoin, I threw this together. Not a bad little piece.
Here's the keynote I did for F5's security event in Singapore in June. I teach the audience how to threat model the internet of things (iot),
Never thought I'd see this day! THE Steve Gibson of the Security Now! podcast really liked the REAPER piece that Justin Shattuck and I wrote. He liked it so much he basically read it over the air on podcast episode 635 (toward the end). Still can't believe it, how cool is that?
All, all those branded SSL vulnerabilities. True to my word, I've continued writing articles comparing them to each other so you can have some idea about how much to freak out. This article adds two more; the DUHK and ROCA vulnerabilities.
Debbie Walkowski interviewed me about my 'Post-Quantum' report. Consider this the cliff notes to that larger paper.
Slightly explicit content here. Was talking with my colleague Justin, and he was saying how the latest list of command-and-control hostnames for the Mirai botnet contained some hilarious examples like "cnc.smokemethallday.tk". We thought it would be a good for a laugh to do some analysis on the names where the servers are hosted from.
What's the difference between DarkWeb and DarkNet? That's just one of the questions that my colleague, Ray Pompon, and I answered in this wide ranging interview. Really liked how this one came out.
My love letter to my favorite algorithm of all time, RC4.
In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.
A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.
We released an original report showing a spike in SIP protocol attacks against Singapore during the Trump / Kim summit there. Singapore Today interviewed me about the article.
Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?
My response, representing the vendor community, to US-CERT's warning about SSL interception products.
The explosive second half of the profile of famed hacker Sabu.
Hey look, IT News Africa reprinted my ten-step guide to combating DDoS in real time. This is basically a shortened, texty version of the DDoS playbook.
After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.
Maria Korolov interviewed and quoted me extensively for a Data Center Knowledge piece on WannaCry. I had no time to prepare for this interview, and was surprised when it got published. Sometimes I prepare a LOT and nothing comes of it. You never know, I guess. Just keep doing them.
CSO Online picked up the Maria Korolov's interview did with me and republished it. That's pretty awesome!
My recommendations on how to spot cryptocurrency mining malware on your network and what to do when you spot it.
THE Richard Chirgwin of the Register once interviewed me while I was deliriously excited after talking with some customers in Australia. I gave a wide-ranging interview on all kinds of topics, stuff was just coming out of my mouth. Richard loved it. Later he told my bosses "this was the perfect interview - exactly what I want to hear when I talk with people in the industry!"
Here's an audio interview I did at the Australian CyberSecurity Conference at Canberra in April of 2018. About 10 minutes. A little background noise, because we just did it in a quietish corner of the conference.
My six month Hiatus from SecurityWeek is over! Here's a fun little piece that mostly wrote itself, about all the ways I've seen SMS being bypassed as a 2nd factor of authentication. Cute insider note, when I asked the designers for an image of an older guy looking at his phone, they sent this one, with the caption "there's a sale on adult undergarments!"
We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.
This is one of the articles that launched my career as a technical evanglist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.
Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)
Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.
A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)
“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.
The Intel Active Management Technology (AMT) vulnerability (now referred to by many as “Silent Bob”) is one of those truly brutal, ugly ones that make you queasy to even think about. Like Heartbleed or Venom. Here's how to scan for it on your network. And what ports to block.
Had a fantastic, wide-ranging interview with Malaya Business Insight reporter Raymond Gregory.
I promised some really nice reporters in Singapore that I would get them my top three safety tips for IoT. So I put together this little blog and posted it on LinkedIn. I think we might expand it for an cyber site somewhere.
Had a long, fun, wide-ranging interview with India Economic Times.
Here's the podcast of an interview I gave for Data Breach Today and Info Risk Today to Suparna Goswami of ISMG. This is basically the podcast version of the stump speech I give about securing IoT.
Someone asked me what I thought about the recently passed Singapore Cybersecurity Statute. So I did some research and turned it into an article for SecurityWeek.
IT Pro wrote an article based on our media briefing in HK. I don't actually know what it says, but I think it's something like "44% of Telnet scans (or attacks) coming from China". Google Translate doesn't work for cantonese?
ISMG's Suparna Goswami interviewed me about my thoughts on IoT Security. 12 minutes of David Holmes braindumping IoT security at you.
I've been talking about this problem for years (it seems), but there's been an update. Toward the end.
This is basically me channelling a series of emails with Marc LeBeau. He gave me permission to submit it as an article and I really like the way it came out. BTW can you guess the racy password that my editors didn't want me to write about?
Here's a video interview of me talking about multi-cloud security. I don't honestly remember what I said it was so long ago but I'm sure it was dripping with profundity.
After receiving some media inquiries around the Philippines national ID system, I put together an essay, with the help of my indispensible personal assistant in the islands, on data privacy and the Philippine National ID system (PhilSys). Back End Systems quoted me from the essay in this article. See F5 Labs for the main essay.
Got quoted by a Forbes article. “Nearly all clients rely on DNS to reach their intended services, making DNS the most critical—and public—of all services,” explains David Holmes... and “This single point of total failure…makes DNS a very tempting target for attackers,” Holmes continues. The pic is Jon Postel, who I consider a father of the Internet.