Here's everything I've created in a professional capacity.

139 bylines, whitepapers, blogs, interviews and video appearances.

Oct. 11, 2017 tags:  ddos in-the-news

IoT Attacks: India no. 2 source country

Had a long, fun, wide-ranging interview with India Economic Times.

Oct. 9, 2017 tags:  in-the-news infosec

Shadow Cloud Apps Pose Unseen Risks

CSO Online picked up the interview Maria Korolov did with me and republished it. That's pretty awesome!

Sept. 29, 2017 tags:  SSL-TLS in-the-news security-week

Google Expands HSTS Preload List

SecurityWeek mentions an old column of mine about HTTP Strict Transport Security (HSTS).

Sept. 25, 2017 tags:  infosec

The Top Three Tips for IoT Consumer Security Hygiene

I promised some really nice reporters in Singapore that I would get them my top three safety tips for IoT. So I put together this little blog and posted it on LinkedIn. I think we might expand it for a cyber site somewhere.

Sept. 13, 2017 tags:  cryptography hackers

Five Reasons the CISO is a Cryptocurrency Skeptic

I've been a cryptocurrency skeptic for years. Much of that skepticism comes from hundreds of hours of talking with real CISOs and directors of security about how they can better protect real (not virtual) currency. Even with the resources of enormous budgets and huge security teams they can barely keep the hackers from stealing all the monies. When F5 Labs asked me to write up my opinions about Bitcoin, I threw this together. Not a bad little piece.

Sept. 11, 2017 tags:  infosec

Anticipate! F5 Security Keynote Singapore

Here's the keynote I did for F5's security event in Singapore in June. I teach the audience how to threat model the internet of things (iot),

Sept. 10, 2017 tags:  in-the-news infosec hackers

Malware Grows, Goes After Data Centers

Maria Korolov interviewed and quoted me extensively for a Data Center Knowledge piece on WannaCry. I had no time to prepare for this interview, and was surprised when it got published. Sometimes I prepare a LOT and nothing comes of it. You never know, I guess. Just keep doing them.

Aug. 8, 2017 tags:  hackers

Was DC25 My Last DEF CON?

My writeup of the 25th annual DEF CON, the world's premier hacker conference in Las Vegas, Nevada. I've been going since DEF CON 7. What has changed? You'd be surprised at what has, and what hasn't.

Aug. 4, 2017 tags:  hackers security-week

The Coolest Talk at Defcon 25 That No One is Writing About

Three researchers, two from Bastille Networks, gave a fantastic talk about reverse engineering the Comcast and Time Warner home networks. Really well done! I was surprised no one was writing about it, so here you go!

Aug. 1, 2017 tags:  security-week

Threat Modeling the Internet of Things: A Real World Example

Part 3 of my "Threat Modeling IoT" series. This one looks at a real world example (smart parking meters) and shows how you might run a real threat model against it.

Aug. 1, 2017 tags:  hackers

Black Hat at 20 – A Quick Recap

Can you believe The Blackhat Briefings (now just Blackhat USA) have been going on for 20 years now? I've submitted talks a few times, but have always been turned down. I'm still hopeful for the future though. Here are my impressions of Blackhat 20.

Aug. 1, 2017 tags:  cryptography

RSA in a "Pre-Post-Quantum" Computing World

I'd like to take credit for this one, I really would. We had a fascinating email discussion at work and our primary SSL/TLS engineer wrote this great email about the nuances of the asymmetric algorithm, RSA, and how it might be affected by computing advances in the future. I told him it would make a nice little article, and we tried to put his name on it but he didn't want the attention, and he asked me to put my name on it. So we did. Sometimes that happens.

July 20, 2017 tags:  in-the-news infosec hackers

Cybersecurity talent, spending, regulations to mitigate IoT risks

In Singapore I did a media event espousing F5's original IoT research. Here's a write-up from Networks Asia (or Security Asia), not sure which.

July 19, 2017 tags:  hackers

Profile of Hacker - The Real Sabu [condensed]

Cool - DarkReading published a condensed version of my Profile of a Hacker piece. There's a huge backstory behind this that I can't really talk about publicly, but buy me a beer sometime and I'll tell you.

July 13, 2017 tags:  SSL-TLS cryptography

How Quantum Computing will Change Browser Encryption

After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.

July 5, 2017 tags:  ddos in-the-news infosec

Hunting for IoT devices to be used for massive botnet

Had a fantastic, wide-ranging interview with Malaya Business Insight reporter Raymond Gregory.

June 29, 2017 tags:  infosec

Top Security Findings from the F5 State of Application Delivery Report

This article summarizes the security findings contained within the F5 State of Application Delivery report. Are attacks getting more sophisticated? Are employees more or less of a security challenge than last year? Some of the findings surprise me.

June 12, 2017 tags:  ddos in-the-news

Ten steps for combating DDoS in real time

Hey look, IT News Africa reprinted my ten-step guide to combating DDoS in real time. This is basically a shortened, texty version of the DDoS playbook.

May 17, 2017 tags:  infosec

The Intel AMT Vulnerability - Silent Bob

The Intel Active Management Technology (AMT) vulnerability (now referred to by many as “Silent Bob”) is one of those truly brutal, ugly ones that make you queasy to even think about. Like Heartbleed or Venom. Here's how to scan for it on your network. And what ports to block.

May 4, 2017 tags:  security-week

Threat Modeling the Internet of Things

Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics: Internet of Things and Threat modeling and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)

May 2, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 2 of 2

The explosive second half of the profile of famed hacker Sabu.

April 18, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 1 of 2

Sabu was such a rock star in his time. His character and his exploits were legendary at the time and his downfall even more so. I really enjoyed writing this one. I actually had more information on this but couldn't publish it due to privacy concerns. But buy me a beer sometime and ask me about it.

April 13, 2017 tags:  in-the-news infosec

CSO Perspectives Interview with David Holmes

Here's a 7 minute interview that CSO's Anthony Caruana did with me at the CSO Perspectives roadshow; this one was in Sydney. He asks about the new National Mandatory Breach Notification law, the Internet of Things, and where did I get that awesome shirt? Belgium.

March 29, 2017 tags:  SSL-TLS cryptography security-week

US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

My response, representing the vendor community, to US-CERT's warning about SSL interception products.

March 1, 2017 tags:  SSL-TLS cryptography security-week

Encryption Smackdown: PlayStation 4 vs. XBox One!

Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.

Jan. 27, 2017 tags:  SSL-TLS cryptography

The 2016 TLS Telemetry Report

Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.

Jan. 4, 2017 tags:  SSL-TLS cryptography ddos

David Holmes Greatest Hits 2016 Edition

I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.

Dec. 28, 2016 tags:  infosec security-week

Five New Year's Resolutions for the Security Community

Here's a funny little piece I wrote about my drinking. No, I mean about making predictions. I mean resolutions. The backstory is that the PR firm always wants a prediction piece, but I think prediction pieces are terrible! Because if I could predict the future I would be way richer than I already am. So instead we disguise these pieces as "resolutions" LOL.

Dec. 7, 2016 tags:  hackers security-week

Hacking Europe's Smart Cities

A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.

Dec. 6, 2016 tags:  in-the-news

Protecting the future at Anticipate 2016

CSO Australia recaps my visit down under last month. Video interviews to come.

Nov. 28, 2016 tags:  infosec security-week

Evaluating Risks to Identity and Access When Moving to the Cloud

A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)

Nov. 24, 2016 tags:  ddos in-the-news security-week

This Web-based Tool Checks if Your Network Is Exposed to Mirai

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.

Nov. 13, 2016 tags:  ddos in-the-news

The Internet Of Things, DNS Weaknesses, Or Trump: Which Will Sink The Internet?

Got quoted by a Forbes article. “Nearly all clients rely on DNS to reach their intended services, making DNS the most critical—and public—of all services,” explains David Holmes... and “This single point of total failure…makes DNS a very tempting target for attackers,” Holmes continues. The pic is Jon Postel, who I consider a father of the Internet.

Oct. 31, 2016 tags:  ddos hackers

Mirai Strikeback - an iRule to kill IoT Bot Processes from your F5

Wrote this cool script to kill Mirai bots that are attacking your website. Use at your discretion!

Oct. 28, 2016 tags:  ddos hackers security-week

What's the Fix for the IoT DDoS Attacks?

Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)

Oct. 27, 2016 tags:  ddos hackers

Making Sense of the Krebs / OVH / Dyn DDoS Attacks

The right guy at the right time. Here's my take on the huge DDoS attacks of September and October 2016. Had to rush this one to release as an official company position on the attacks. I like how it came out.

Oct. 14, 2016 tags:  infosec hackers security-week

Another Potential Victim of the Yahoo! Breach: Federated Login

User federation is absolutely the best way to provide user authentication in the cloud. But the recent Yahoo! breach may have dimmed enthusiasm for federated Yahoo! logins, which is a shame because reasons. The reasons in this piece :)

Oct. 12, 2016 tags:  SSL-TLS ddos infosec hackers

SecureLink Belgium Interview

Q: Explain who you are and what you do

Thank you. Before we start, I need you to promise me something. You can only ask me one question about Donald Trump, okay? No more than that.

Q: How long have you been at F5?

I’ve been at F5 for 16 years, which is an eternity in the tech world. I was the last person hired during the so-called dot-com bust, during which time a hiring freeze was put in place. On my first day, there were already rumors of layoffs, and I thought “oh no, I am the new guy, of course they will eliminate my position!” So I worked day and night to show my value but six months later I was still “the new guy”. One day the police sent us a picture of a dead body in an F5 T-shirt and I thought “oh no, the reduction in workforce is really starting!” But it turned out to be a homeless man who had gotten the shirt from the local food bank. Anyway…

Q: Many people know F5 from their ADC solutions, why the increased focus on security these days?

Yes, many people know F5 as the world’s most-expensive, I mean the world’s best load balancer, but what they don’t realize is that we’ve spent the last 10 years moving into Security. There are two reasons for this.

First, the reason it is called an ADC and not just a LB is because it naturally consolidates adjacent functions, such as caching or acceleration but now security functions like firewalls as these technologies become commodities.

Second, F5 is the number one commercial SSL termination device. If someone is paying to decrypt SSL, they are most likely deploying F5 devices. As more and more of the world’s traffic goes encrypted, it makes the F5 the first device in the network that can do layer 7 security controls. And that means attaching WAF functionality, or doing cookie inspection, or passing through to devices like FireEye.

Q: You travel the globe as part of your job – do you see that security has a different place on the agenda here in Europe than North America for instance?

This is my 13th country, and fourth continent visited in 2016. So I do get to see a bit of how businesses are dealing with security around the world. What I can say about Europe is that I am continually impressed at the technical depth of the security professionals here. In my opinion, Europe has the best defensive security expertise in the world. There are so many excellent security conferences here, such as the CCC in Germany, RSA Europe and Hack-in-the-box in Amsterdam. The level of security awareness among everyday operations people is excellent as well.

Belgium functions as a hub in Europe. Many organisations have European headquarters here and you have institutions like the European Parliament and NATO. Naturally the security demands of these organisations are extremely high. Perhaps this is also one of the reasons the security expertise in EMEA is so high and organisations like Securelink are instrumental in maintaining the security at the highest level.

I remember one conversation I had with a customer in eastern Europe, and the first thing he said was <accent here> “David, ve will not put our data in Amerikan cloudt.”

Q: What about Australia or New Zealand?

Australia is the opposite. They are SUPER friendly with public cloud. In 2012 one of the CIOs of their four banks gave a keynote where he announced that his bank was aggressively adopting a “cloud first” strategy. Now there are telcos there that are trying to re-sell “multi-cloud” solutions but it’s tricky. Multi-cloud might seem like the ultimate availability solution, but I think we’re years away from consistent, reliable APIs.

Q: What about Africa?

Africa has its own challenges. In Nigeria, distributed denial of service is getting to be a thing, so of course we try to sell them our DDoS service. This service is classified as “Insurance” but nobody in Nigeria believes in insurance and even if they did, they want the premium to be approximately 0 euros.

Also, a big security thing in Africa right now are little plastic physical locks that you put on your Ethernet ports. They are locked with a key. [ aside: they keep the key taped under the desk ]. That’s Africa.

Q. We see many organisations looking at their cloud strategy, public vs private etc. How do you think organisations should handle their security when moving to a hybrid or public cloud scenario?

Let me give you three short cuts for cloud security, whether that’s public, private or hybrid.

For users, deploy federated logins using SAML assertions. You get SSO and don’t have to keep your passwords in the cloud. And if you do it right, you can even prevent your passwords from ever transiting to the cloud and back. There’s a trick to it and we’re helping a lot of people right now who are transitioning to Office 365 and don’t want the CXO passwords going to Microsoft.

Second, for applications, when possible, embed your application security policy into your applications! So if you move them to the cloud, the policy goes with them. Or if they burst here and there or jump clouds, the policy goes with them too.

Lastly, if you’re considering moving to the cloud, leave your really old legacy stuff behind. If an app isn’t based on a recent Windows or Linux suite, it’s often not worth moving it to the cloud. The analyst firm Securosis has an interesting term for people who try to move their really old apps to the cloud: cloud tourists. They visit the cloud, look around, start to spend some money, realize that it’s a sunk cost and not going to get them any value, and they go back home.

Q. Let’s talk about so-called Hacktivism. You track Anonymous, right? What is Anonymous doing?

I love Anonymous. They used to have a brilliant leader named Sabu (expand). But lately they’ve been somewhat floundering – not a real central figure since then (e.g. Anonymous story).

However, they have launched their own political party in the United States called The Humanity Party, or ThuMP for short. It has three main tenets, the first of which is to establish a single, united one-world Government (the United Kingdom has already voted out of it). The other two are social equality and um, free WiFi for everyone. Can’t say I disagree with that last one. Instead of donations they invite you to Like their Facebook page.

Q. Let’s talk a moment about cryptography and SSL. What is new there?

Ivan Ristic, the author of the book “Bulletproof SSL/TLS”, runs an SSL scoring service over at Qualys SSL Labs. The scoring uses the grading system, A, B, C, D, F, which is nice because I can remember that.

So for the last five years, half the SSL administrators I’ve worked with are trying to get an A+ on their website. And it’s not just pride because people are writing articles basically “SSL shaming” entire industries. It started in Australia where Troy Hunt (the owner of the HaveIBeenPwned website) posted the scores of all the banks in Australia.

But I’ve seen that done in Poland and even here in Belgium as well. In the states, someone posted the SSL scores for all of the presidential candidates. Wouldn’t it be cool if that’s how we actually choose our presidential leaders? By their cryptographic security posture? That would be much better than how we’re doing it now, because apparently whatever we are doing isn’t working very well.

Would you like to know what Hillary Clinton gets?

She gets an A, but it’s actually a private server in her laundry room.

Q. What do you see as the most serious security threat?

There are rumors of the Russians hacking our election and trying to throw it to Donald Trump. Why they would do this, other than as the ultimate party joke, is sort of beyond me. But it is quite concerning. Security professionals have been warning about the dangers of automated voting systems for years, and I worry that people aren’t taking it as seriously as they should. I would imagine that you’ve been doing it here for years, and it’s working?

But if you meant “what are the most serious threats to the Enterprise” I’d have to say Malware. It has been the number one threat this year, and the last five years running. That’s why FireEye was such a security darling. The biggest problem with malware, at least in the states, is that all the malware authors know that they need to hide their malware inside SSL connections so it won’t be detected.

In the States we can decrypt that traffic (if the customer wants) and clone it over to FireEye or an IDS. You can’t do that in many places here in Europe, and I’m interested to see how that works out.

Q. To what extent is IoT the next driver for increased security risks?

Do you know what an oxymoron is? Two words that don’t go together, like ‘military intelligence’ or ‘found missing’ or ‘Microsoft Works’. Well ‘IoT Security’ is like that. It used to be a joke until about 2 weeks ago, when someone launched a 620 Gbps attack using (at least partly) a new IoT botnet. That was the largest DDoS attack I’m aware of, though the record has possibly been broken since then.

Most IoT devices connect one-way up to a cloud module, so that’s good. I think IoT security is going to be a huge issue for a long, long time because that’s basically a brand new industry. I mean, the Internet has been around for 30 years and it’s still far from secure even with every researcher in the world trying to fix it, so why would anyone assume the IoT universe won’t be anything but suboptimal?

I think for Europe this is a real challenge and opportunity. Germany is still the economic powerhouse of Europe, and they rely on manufacturing. They absolutely have to get IoT security right as they build their internet-connected cars and airplane engines.

Q. How do you provide protection against multi-faceted DDoS attacks?

I just wrote a whitepaper called the 2016 DDoS Trend analysis, and buried within that paper are 8 references to Huey Lewis. I mention that because no one has been able to locate them all yet and I have a gift card I need to give away.

But in our paper we note that we now see the majority of DDoS attacks as comprising multiple attack vectors and they’re getting more sophisticated, too. For example, stateful TCP floods are way up, and on some days they are outnumbering stupid UDP floods.

So we have some customers who don’t want to deal with any of it at all and just contract us to handle all their attacks for them 24/7. But many other customers are going for a blend of cloud-protection and on-premises DDoS.

For on-premises, if you have an F5, there’s a LOT you can do. We have a best practices document that shows you how to handle every DDoS attack type we’ve ever seen. Just google ‘David Holmes DDoS Recommended Practices’ and you’ll find it.

Q. Looking in a crystal ball, where do you think the security threats will come from in 5 to 10 years?

First, let me say that I think people are terrible at predicting the future. Just awful. With that said, let me um, try to predict the future.

I think finding sufficient entropy will continue to be a source of frustration among security professionals. Computers today are awful at getting real random data from which to generate keys or other cryptographic material, so everyone cheats at this. Professor Nadia Heninger from the University of Michigan has done some amazing work here [talk a little about her work]

Time synchronization is going to be another sore point. Real authentication and authorization systems require at least some kind of crude but secure time synchronization. The Internet has always been terrible about this so both Microsoft and Google are coming up with their own secure time mechanisms.

Lastly, as I get older, I am really hopeful that we will achieve The Singularity before I expire.

Sept. 28, 2016 tags:  SSL-TLS cryptography infosec security-week

I Got 99 Problems, But SWEET32 Isn't One

In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.

Sept. 16, 2016 tags:  SSL-TLS cryptography security-week

You Can't Find What You're Not Looking For Because of Goat Parkour

We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.

Sept. 15, 2016 tags:  ddos infosec

2016 DDoS Attack Trends

Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?

Aug. 24, 2016 tags:  SSL-TLS cryptography

SSL Orchestration: Making outbound SSL inspection faster and more resilient

David Holmes clarifies how the SSL Orchestrator makes outbound SSL faster and more resilient

Aug. 17, 2016 tags:  cryptography infosec hackers security-week

Dispatches from DEFCON 24

I've been coming to this hacker con since Defcon 7. So that's 17 years! DC24 was a good one, with some interesting talks. Here's a recap I did for SecurityWeek.

Aug. 12, 2016 tags:  SSL-TLS cryptography in-the-news

Microsoft Disables RC4 for Edge and IE

SecurityWeek reported that Microsoft disabled the RC4 cipher in Edge and Internet Explorer 11, and referenced David Holmes’ byline column from last year about the simplicity of RC4 being its greatest appeal.

Aug. 8, 2016 tags:  cryptography infosec hackers security-week

Dispatches from Blackhat USA 2016

Here's a recap I did for SecurityWeek of some of the more interesting talks at the 2016 Black Hat security conference.

Aug. 1, 2016 tags:  SSL-TLS cryptography infosec hackers

IDC Survey - The Blind State of Rising SSL Traffic

F5 commissioned the analyst firm IDC to survey hundreds of infosec professionals. The goal was to find out exactly how much enterprise traffic is encrypted. Their answers? Between 25-50% in 2016. That's a lot! Read the survey to find out how infosec is dealing with all the encrypted traffic, and the malware that hides within.

July 11, 2016 tags:  SSL-TLS cryptography

New Elliptic Curve X25519 Trips Up ProxySG

Here's a more technical version of my article that came out of a customer visit to Oslo. This has to do with Dan Bernstein's elliptic curve 25519, and how its unexpected deployment threw off a competitor's inspection.

July 6, 2016 tags:  SSL-TLS cryptography

SSL Outbound Visibility Lightboard Lesson

You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that Ambien, because this Lightboard Lesson solves it. In this episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.

June 29, 2016 tags:  SSL-TLS cryptography infosec security-week

New X25519 Cipher Throws Enterprise Surveillance for a Loop

I heard about this problem with a customer in Oslo, Norway. It has to do with an advance in cryptography throwing surveillance devices into darkness.

June 7, 2016 tags:  travel

Five Podcasts to Put You to Sleep

Years ago I lost the ability to fall asleep in silence. I require consistent background noise in order to drift off. I’m not alone here; many people can’t get to sleep without some kind of ambient sound in the room. My son uses a fan for this purpose. An old girlfriend of mine (number three, for those keeping track) showed me her standby, the sleep timer button. “All hotel TV remotes have a sleep timer button,” she informed me one night. “How do you not know that?” She could get mouthy. I don’t use a fan or television to fall asleep. I use podcasts on my iPhone. And here are my five favorite podcasts for that purpose.

June 2, 2016 tags:  SSL-TLS cryptography in-the-news

CSO Australia - Redefining the Application security perimeter

This year's high-profile battle of wills between Apple and the US Federal Bureau of Investigation (FBI), which sparked worldwide discussions about the propriety of security 'back doors', was eventually resolved when the FBI found another… “We're seeing more and more Internet traffic encrypted over time, particularly after Edward Snowden came out and told everyone that people are watching them,” David Holmes, worldwide security evangelist with F5 Networks, recently told CSO Australia…

June 2, 2016 tags:  cryptography travel infosec hackers security-week

Cyber Espionage Report: APT at RUAG

I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.

May 29, 2016 tags:  SSL-TLS travel infosec

Cloud Security Crucibles: Australia and New Zealand

I’ve just returned from a long tour of Australia and New Zealand (ANZ), where some exciting developments are worth capturing. Both countries are island nations, and one thing Darwin noted in “On the Origin of Species” is that islands can become crucibles of evolution. Australia is evolving a new way to leverage cloud, and New Zealand is evolving a new efficiency model for government security services. Both countries share one aspect with the rest of the world: challenges around encryption.

May 21, 2016 tags:  travel infosec hackers

APAC Security: 2 Opportunities for business, 1 for Hackers

After I came back from my 50 days in Asia, I wrote up three observations about how infosec is different there. Some good analogies. Kinda proud of this piece.

May 18, 2016 tags:  infosec hackers security-week

Mysteries of the Panama Papers

When asked for comment on the Panama Papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.

May 17, 2016 tags:  SSL-TLS cryptography in-the-news infosec

Google to Soon Kill SSLv3, RC4 Support in Gmail

A SecurityWeek article quotes me about SSLv3 and RC4.

May 16, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.1

It took me 23 hours to write this! But people LOVED IT. Continuing my tradition of the top security features of each F5 BIG-IP release.

April 29, 2016 tags:  infosec hackers security-week

New Dridex Malware Campaign Shifts to U.S.

A look at how a Dridex malware campaign is shifting around the globe.

April 25, 2016 tags:  in-the-news infosec

Healthcare Was Most Attacked Industry in 2015: IBM

A SecurityWeek article quotes me about breaches.

April 13, 2016 tags:  in-the-news infosec

Open CA Let’s Encrypt Comes Out of Beta

A SecurityWeek article quotes me about the Open CA "Let's Encrypt"

April 13, 2016 tags:  SSL-TLS cryptography infosec security-week

Is Multi-Cloud the Ultimate Use Case for the Zero Trust Model?

During my last visit to Australia, I talked with some customers who were running into some fascinating problems trying to secure multiple components across different public clouds. Wrote it up for SecurityWeek.

April 1, 2016 tags:  travel in-the-news infosec

ARN: Application Security is Primary

A piece written from an interview I did while in Australia. I remember doing this interview from the passenger seat of David Arthur's car while we were driving to lunch in Canberra. The things you remember.

March 23, 2016 tags:  SSL-TLS cryptography infosec security-week

Is DROWN a 'Hello Kitty' SSL Vulnerability?

Should you panic about the DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data? This piece I did for SecurityWeek builds upon the "Stack Ranking SSL Vulnerabilities" article I'd written the year before.

March 21, 2016 tags:  in-the-news infosec hackers

Manila Business Mirror Interview

Not every day you get on the front page of the local paper! Was in the Philippines immediately after the first SWIFT banking theft: $81M had been stolen (by the Lazarus group, probably) and laundered through local casinos. I happened to be there speaking with the media about bank fraud anyway, so that's how country manager Oscar Visaya and I ended up on the front page of the paper.

March 18, 2016 tags:  SSL-TLS cryptography in-the-news infosec

95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking

SecurityWeek quotes me about strict transport security.

March 9, 2016 tags: 

Let's Encrypt Issues More Than 1 Million Digital Certificates

A SecurityWeek article quotes me about the Open CA "Let's Encrypt".

Feb. 29, 2016 tags:  infosec security-week

Should Application Security Become its Own Discipline?

A great piece that came from looking at how the different top tier analysts look at the discipline of Application Security.

Feb. 19, 2016 tags:  infosec hackers

What keeps white hat hackers from turning to the dark side?

The idea for this, my favorite article, had been rattling around my head for years. "Why don't you use your knowledge for evil?" I surveyed over three dozen of my friends and colleagues to find out what their prices were, if any. Some illuminating results.

Feb. 4, 2016 tags:  ddos

Firewall Roundtable Discussion

Here's a fun virtual roundtable that Brian McHenry and I did for the DevCentral guys, Jason Rahm and John Wagnon. Over a half hour we discuss the F5 advanced firewall module. We chat about the market, the history and some of the things that differentiate the product.

Feb. 4, 2016 tags:  SSL-TLS cryptography infosec security-week

Let's Encrypt's Public Beta--Panacea or Placebo?

I know it sounds like I pick on Let's Encrypt, the free, open CA. And I guess I do kinda. Not in a mean way, because what they are doing is pretty freaking cool. But in a skeptical way, because so often the road to hell is paved with good intentions. On the other hand, there are altruistic endeavors that I would have said would never work, like Wikipedia, and um, well that's about it. Anyway, this piece is a more measured look at the early public stages of Let's Encrypt.

Feb. 1, 2016 tags:  infosec hackers

Cloud and the Security Skills Gap

F5 Network security evangelist David Holmes offers concrete advice about how cloud outsourcing can help companies with a talent shortfall solve three enterprise security problems: application security, penetration testing, and bug bounties.

Jan. 27, 2016 tags:  SSL-TLS cryptography in-the-news infosec

Firefox 44 Drops RC4, Gets Push Notifications

SecurityWeek article quotes me about my favorite algorithm of all time, RC4.

Jan. 25, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.0

Another of the famous top ten lists for F5. Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and selected the best, just for you. Remember, these are the hardcore security doodads, of interest to network operators, security engineers and the paranoid.

Jan. 13, 2016 tags:  infosec hackers security-week

Was 2015 the Year of Breach Fatigue?

A look back at the mega breaches of 2015: Ashley Madison, the OPM hack, Kaspersky, and more.

Jan. 11, 2016 tags:  SSL-TLS cryptography ddos infosec

David Holmes Greatest Hits, 2015 Edition

Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.

Jan. 6, 2016 tags:  infosec security-week

New Year's Resolutions for the Security Minded

A cute little piece celebrating the new year, infosec style.

Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant would it be to surveillance.

Dec. 8, 2015 tags:  SSL-TLS cryptography infosec

Implementing Light-Weight East-West Firewalls with F5

East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have.

Nov. 30, 2015 tags:  cryptography in-the-news infosec

Predictable SSH Host Key Flaw Affects Raspberry Pi Devices

SecurityWeek article quotes me about entropy.

Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.

Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.

Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.

Sept. 15, 2015 tags:  in-the-news infosec

IT Teams Question Security of App Containers: Survey

A mention in a SecurityWeek article about container security.

Sept. 15, 2015 tags:  SSL-TLS cryptography

Preparing your F5 for new TLS requirements in Apple iOS 9 and OS X 10.11

Here's one that came right from the field - we knew that iOS9 was coming, and was going to include changes for cryptography. Here's my write-up of what knobs everyone was going to have to turn to be compatible.

Sept. 15, 2015 tags:  SSL-TLS cryptography infosec

How much of my traffic is still SSLv3?

When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%. Here's an article that shows you how to tell how much of your traffic is still SSLv3.

Sept. 9, 2015 tags:  infosec hackers security-week

Should You Be Worried About BGP Hijacking your HTTPS?

A BGP route monitoring firm, Qrator, released a paper at Blackhat 2015 titled “Breaking HTTPS with BGP Hijacking.” Here's my take on it.

Sept. 1, 2015 tags:  SSL-TLS cryptography infosec

The SSL Recommended Practices Guide

Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Library (SSL), which is now TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.

July 30, 2015 tags:  SSL-TLS cryptography infosec security-week

Stack Ranking SSL Vulnerabilities for the Enterprise

Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.

July 8, 2015 tags:  infosec hackers security-week

Hacker Search Engine Becomes the New Internet of Things Search Engine

I first ran into the hacker search engine Shodan at Defcon over a decade ago. It's still around; I saw its creator, John Matherly, giving a talk about it in Amsterdam's Hack-in-the-Box conference. My summary for SecurityWeek.

June 15, 2015 tags:  SSL-TLS cryptography travel in-the-news

Polish TV: Hackers and Banks and Stuff

Banks Increasingly Attacked by Hackers

Attacks on banks happen everywhere. Banks around the world are worried about hackers and the theft of money.

Here's a 3-minute interview with yours truly in Warsaw, Poland. They have a Polish guy talking over my audio track, which is neat if you know Polish. I don't.

June 13, 2015 tags:  SSL-TLS cryptography infosec

Remediating Logjam: an iRule Countermeasure

An in-depth piece about the SSL Logjam vulnerability. How vulnerable are you, and here's how to mitigate it if you are.

June 4, 2015 tags:  ddos infosec hackers security-week

Three Reasons Mobile DDoS Never Materialized

A deeper dive into the theoretical topic of mobile malware.

June 3, 2015 tags:  in-the-news infosec

InfoSecurity Europe 2015 - David Holmes

TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015

June 1, 2015 tags:  ddos

F5 DDoS Protection Volume 2 - Recommended Practices

This may be the most significant document I've ever written. Customers used to ask me if we had a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took me close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opus for DDoS.

May 24, 2015 tags:  ddos hackers

F5 SilverLine DDoS

A launch blog for the SilverLine DDoS Protection service.

May 19, 2015 tags:  infosec

My Three Favorite Security Podcasts

It takes effort to stay informed about the information security industry. The #infosec landscape changes incredibly fast. Security researchers and adversarial attackers generate a constant stream of vulnerabilities and other threat vectors. Keeping abreast of it all is a constant challenge. One great way to stay informed is to listen to a selection of security-themed podcasts. Podcasts keep your brain engaged when you’re multitasking some menial physical task like cleaning or driving or walking Roy, the Wonder Dog. Here are three security-themed podcasts that provide a pulse on infosec.

May 17, 2015 tags:  ddos infosec security-week

Where is the Android DDoS Armageddon?

I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!

May 6, 2015 tags:  SSL-TLS cryptography

BIG-IP SSL Cipher History

A tiny blog explaining this awesome graphic.

April 23, 2015 tags:  SSL-TLS cryptography

RSA2015 – SSL Everywhere

This was a great interview, got lots of coverage. Good chemistry between myself and the awesome Pete Silva. F5 Worldwide Security Evangelist, David Holmes, talks about why the internet is going SSL Everywhere. He explains why there’s been a surge in encrypted traffic and reveals some interesting statistics from his ongoing research on the SSL protocol. Always an engaging guest, David takes us through Forward Secrecy, Strict Transport Security and SSL v3. What they solve and how they are being used in the wild.

April 15, 2015 tags:  infosec security-week

Disrupting the Disruptor: Security of Docker Containers

In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Sound interesting? It is! A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo-and-behold it was my old buddy Dave who wrote it!"

April 10, 2015 tags:  SSL-TLS cryptography infosec

Generational Whitehat Deficit will drive Silverline WAF

F5 launched a new web application firewall (WAF) in the cloud service. Here's my take on why it will succeed.

March 17, 2015 tags:  ddos infosec hackers security-week

Why do Bulldozers Incite DDoS Attacks?

Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.

Feb. 24, 2015 tags:  infosec

Is the Security Skills Shortage Real?

A deeper look into the security skills shortage. What can be done?

Feb. 17, 2015 tags:  SSL-TLS cryptography security-week

Why "Let's Encrypt" Won't Make the Internet More Trustworthy

I submitted this piece with multiple possible titles. This was one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.

Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.

Feb. 10, 2015 tags:  SSL-TLS cryptography hackers security-week

Was SSL3 killed by a POODLE? Surveys says…Maybe!

I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.

Feb. 9, 2015 tags:  SSL-TLS cryptography infosec

Why You Should Tap the Hardware Random Number Generator (RNG) in your BIG-IP

This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!

Jan. 30, 2015 tags:  in-the-news infosec

DarkReading: How the Skills Shortage is Killing Defense-in-Depth

One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.

Jan. 25, 2015 tags:  SSL-TLS infosec

The Expectation of SSL Everywhere

Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.

Jan. 9, 2015 tags:  SSL-TLS cryptography infosec

2014: The Year of the Infrastructure Vulnerability?

An article I did for DataCenterKnowledge. A look back at 2014 and all the ShellShock and Heartbleed fallout for Data Center Knowledge. Nice, crisp piece. License for the xkcd image: https://xkcd.com/license.html

Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.

Dec. 18, 2014 tags:  SSL-TLS cryptography travel infosec security-week

The Virtual Currency Taking Over the World isn’t the One You Think

Here's an article where I compare Bitcoin (and other blockchain fintech) to another virtual currency, the one promoted and used by tens of millions in Africa: m-pesa.

Dec. 14, 2014 tags:  ddos

The F5 DDoS Protection Reference Architecture

Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.

Dec. 2, 2014 tags:  SSL-TLS cryptography infosec security-week

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.

Nov. 6, 2014 tags:  cryptography travel infosec security-week

When Encryption isn't Enough

"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.

Nov. 3, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.6

Here's where the Top Ten really started to get funky. Check out the mood music while you read this. It's David Holmes.

Oct. 9, 2014 tags:  travel

5 Ways to Make Back the American Express Platinum Annual Fee

For the first few years, I had to talk myself into paying the $450 annual fee for the American Express Platinum card. This little piece is me talking myself into it on paper, as it were. The math checks out. And if anyone is keeping score, I still get the platinum card every year, and it pays for itself.

Sept. 14, 2014 tags:  ddos

F5 DDoS Protection Architecture Overview

Not one of my favorite videos, but hey, it was real. Later I learned to take my glasses off, which brings you closer to the audience.

Sept. 8, 2014 tags:  infosec hackers

Dynamic Perimeter Security with IP Intelligence

The reputation of IP addresses can be used to create intelligent security controls. Here's a white paper for how to leverage that control.

June 1, 2014 tags:  SSL-TLS infosec

F5 Secure Web Gateway Services

Caught between high-profile security breaches, APTs, and “millennial” employees who expect 24/7 Internet access, forward-looking IT organizations can consolidate web access and security into a high-performance, strategic point of control: F5 Secure Web Gateway Services.

June 1, 2014 tags:  ddos infosec

The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time

After many discussions with some of the most high profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.

May 17, 2014 tags:  SSL-TLS cryptography infosec hackers

Mitigating sslsqueeze and other no-crypto, brute force SSL handshake attacks

This is almost top secret stuff. I probably shouldn't even be writing about it, but others have, so if someone were to weaponize this, well I can't be held responsible. And at least I provided a defense.

May 5, 2014 tags:  infosec hackers

See what IP Reputation has to say about your firewall traffic

As you would imagine, being a security and networking professional, I ran a pretty sophisticated home network. One time I plugged our partner Webroot's IP reputation tool in front of my home router to see what kind of malicious traffic it was flagging. Here are the results.

April 30, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.5.0

This is the one that started it all! Okay so that means it was the worst, and yeah I hadn't figured out how to do the top ten in reverse order yet.

April 25, 2014 tags:  in-the-news

Cincinnati User Group Road Trip

Jason Rahm's version of the events that involved this mini pony on a great roadshow we did in 2014.

April 14, 2014 tags:  SSL-TLS cryptography

Heartbleed: Network Scanning, iRule Countermeasures

My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.

March 14, 2014 tags:  ddos

Why massive DDoS attacks are here to stay

Cyber journalist Byron Acohido interviewed me about DDoS attacks in 2014. I predicted ever larger ones, and I was right :)

Feb. 21, 2014 tags:  cryptography hackers

Malware Analysis Report: Cridex Cross-device Online Banking Trojan

The malware analysis team at F5 put together a great report on the Dridex malware. Here is me summarizing and mansplaining it.

Feb. 15, 2014 tags:  travel

How to fix your hotel TV when it won’t accept your HDMI input

This is by far the most popular thing I've ever written. It consistently gets over 1000 views every month. That means since I wrote it, over 50,000 people have read it. Maybe it goes to show you that people want problems solved!

Jan. 9, 2014 tags:  travel

What Does a Security Evangelist Actually Do?

Worldwide Security Evangelist. Great title, huh! So what does a Security Evangelist do? This article explains it all.

Dec. 12, 2013 tags:  cryptography hackers

True DDoS Stories: Nine Steps to DDoS Yourself

“Is it possible to quantify your own security posture as it relates to denial-of-service?” That’s the question a customer of ours has been asking themselves, and they came up with a plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.

Dec. 10, 2013 tags:  ddos

The DDoS Reference Architecture

Peter Silva meets with David Holmes to get the scoop on F5's DDoS Reference Architecture. David has circled the globe talking to customers about their security concerns and shares some of that insight along with explaining how F5 can mitigate those attacks.

Nov. 25, 2013 tags:  cryptography hackers

True DDoS Stories: Black Friday DDoS Cupcakes

The famous US patriot hacker, Th3J35t3r, posted his recipe for holiday cupcakes. I made them but it turned out they were full of malware.

July 3, 2013 tags:  ddos infosec

ComputerWorld: How Can We Get Out of the DNS DDoS Trap?

I wrote a piece about the UDP-based distributed denial of service (DDoS) attack involving Spamhaus and CyberBunker. It was published in ComputerWorld in 2013.

Jan. 30, 2013 tags:  SSL-TLS cryptography

DevCentral Video Podcast - 20130130

Here's an old DevCentral video podcast featuring yours truly! Talking about security stuff, of course.

March 26, 2012 tags:  ddos infosec

The DDoS Threat Spectrum

Here's a great paper I wrote about how to categorize different DDoS attacks by type and by threat. Not a lot of discussion about mitigation, just classification and examination of the different attacks.

Jan. 27, 2012 tags:  SSL-TLS cryptography ddos infosec

The New Datacenter Firewall Paradigm

Written in 2012, this was a new way to think about Data Center Firewalls. Written with the amazing Lori MacVittie.

May 16, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS iRule - Updates

Here's an update to the SSL Renegotiation DoS article. This iRule is tighter and more performant, if that's even a word.

May 3, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS Attack - an iRule Countermeasure

This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.