I speak and write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.
My *love letter* to version 14.0 of the F5 product suite. These Top Ten articles are always popular with the engineers in the field, many of whom send them directly to their customers. These are always a ton of work for me, as I have to get the giant list of requirements, understand them, rank them, and write copy (and jokes) about them. Even as I complain, I must admit that these were also my favorite articles for F5 :)
I've been talking about this problem for years (it seems), but there's been an update. Toward the end.
Here's the second edition of the TLS Telemetry report. This is my ongoing research into worldwide cryptographic trends, covering such topics as protocol preference, forward secrecy adoption, SSL security headers and more. Really like the tasteful cover on this one. Beautiful!
My recommendations on how to spot cryptocurrency mining malware on your network and what to do when you spot it.
My latest piece for SecurityWeek is an analysis of the ROBOT attack against TLS stacks. Check out how many of these I've done now, it's crazy.
Debbie Walkowski interviewed me about my 'Post-Quantum' report. Consider this the Cliff's Notes to that larger paper.
I've been a cryptocurrency skeptic for years. Much of that skepticism comes from hundreds of hours of talking with real CISOs and directors of security about how they can better protect real (not virtual) currency. Even with the resources of enormous budgets and huge security teams they can barely keep the hackers from stealing all the monies. When F5 Labs asked me to write up my opinions about Bitcoin, I threw this together. Not a bad little piece.
I'd like to take credit for this one, I really would. We had a fascinating email discussion at work and our primary SSL/TLS engineer wrote this great email about the nuances of the asymmetric algorithm, RSA, and how it might be affected by computing advances in the future. I told him it would make a nice little article, and we tried to put his name on it but he didn't want the attention, and he asked me to put my name on it. So we did. Sometimes that happens.
After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.
My response, representing the vendor community, to US-CERT's warning about SSL interception products.
Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.
Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne, Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.
I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.
In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.
We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.
David Holmes clarifies how the SSL Orchestrator makes outbound SSL faster and more resilient
I've been coming to this hacker con since Defcon 7. So that's 17 years! DC24 was a good one, with some interesting talks. Here's a recap I did for SecurityWeek.
SecurityWeek reported that Microsoft disabled the RC4 cipher in Edge and Internet Explorer 11, and referenced David Holmes’ byline column from last year about the simplicity of RC4 being its greatest appeal.
Here's a recap I did for SecurityWeek of some of the more interesting talks at the 2016 Black Hat security conference.
F5 commissioned the analyst firm IDC to survey hundreds of infosec professionals. The goal was to find out exactly how much enterprise traffic is encrypted. Their answers? Between 25-50% in 2016. That's a lot! Read the survey to find out how infosec is dealing with all the encrypted traffic, and the malware that hides within.
Here's a more technical version of my article that came out of a customer visit to Oslo. This has to do with Dan Bernstein's elliptic curve 25519, and how its unexpected deployment threw off a competitor's inspection.
You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that Ambien, because this Lightboard Lesson solves it. In this episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.
I heard about this problem with a customer in Oslo, Norway. It has to do with an advance in cryptography throwing surveillance devices into darkness.
This year's high-profile battle of wills between Apple and the US Federal Bureau of Investigation (FBI), which sparked worldwide discussions about the propriety of security 'back doors', was eventually resolved when the FBI found another…

"We're seeing more and more Internet traffic encrypted over time, particularly after Edward Snowden came out and told everyone that people are watching them," David Holmes, worldwide security evangelist with F5 Networks, recently told CSO Australia…
I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.
A SecurityWeek article quotes me about SSLv3 and RC4.
It took me 23 hours to write this! But people LOVED IT. Continuing my tradition of the top security features of each F5 BIG-IP release.
During my last visit to Australia, I talked with some customers who were running into some fascinating problems trying to secure multiple components across different public clouds. Wrote it up for SecurityWeek.
Should you panic about the DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data? This piece I did for SecurityWeek builds upon the "Stack Ranking SSL Vulnerabilities" article I'd written the year before.
THE Richard Chirgwin of the Register once interviewed me while I was deliriously excited after talking with some customers in Australia. I gave a wide-ranging interview on all kinds of topics, stuff was just coming out of my mouth. Richard loved it. Later he told my bosses "this was the perfect interview - exactly what I want to hear when I talk with people in the industry!"
SecurityWeek quotes me about strict transport security.
I know it sounds like I pick on Let's Encrypt, the free, open CA. And I guess I do kinda. Not in a mean way, because what they are doing is pretty freaking cool. But in a skeptical way, because so often the road to hell is paved with good intentions. On the other hand, there are altruistic endeavors that I would have said would never work, like Wikipedia, and um, well that's about it. Anyway, this piece is a more measured look at the early public stages of Let's Encrypt.
SecurityWeek article quotes me about my favorite algorithm of all time, RC4.
Another of the famous top ten lists for F5. Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and selected the best, just for you. Remember, these are the hardcore security doodads, of interest to network operators, security engineers and the paranoid.
Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.
This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant it would be to surveillance.
East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have.
SecurityWeek article quotes me about entropy.
My love letter to my favorite algorithm of all time, RC4.
Strict Transport Security is a simple but very powerful security fix. So why does no one use it? I explore the topic in this piece for SecurityWeek.
My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.
Here's one that came right from the field - we knew that iOS 9 was coming, and was going to include changes for cryptography. Here's my write-up of what knobs everyone was going to have to turn to be compatible.
When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%. Here's an article that shows you how to tell how much of your traffic is still SSLv3.
Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Layer (SSL), which is now TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.
Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.
Banks increasingly targeted by hackers (original Polish title: "Banki coraz częściej atakowane przez hakerów")
Attacks on banks happen everywhere. Banks all over the world are worried about hackers and the theft of money.
Here's a 3 minute interview with yours truly in Warsaw, Poland. They have a Polish guy talking over my audio track, which is neat if you know Polish. I don't.
An in-depth piece about the SSL Logjam vulnerability. How vulnerable are you? And here's how to mitigate it if you are.
LOGJAM was an exploit against SSL published in 2015. Here's me picking it apart and showing how to mitigate it with F5. I wrote this in a hotel room in Glasgow. Can't remember why I was there. Just killing time between engagements I think.
A tiny blog explaining this awesome graphic.
This was a great interview, got lots of coverage. Good chemistry between myself and the awesome Pete Silva. F5 Worldwide Security Evangelist, David Holmes, talks about why the internet is going SSL Everywhere. He explains why there’s been a surge in encrypted traffic and reveals some interesting statistics from his ongoing research on the SSL protocol. Always an engaging guest, David takes us through Forward Secrecy, Strict Transport Security and SSL v3. What they solve and how they are being used in the wild.
F5 launched a new web application firewall (WAF) in the cloud service. Here's my take on why it will succeed.
I submitted this piece with multiple possible titles. This was one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.
I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.
I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.
This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!
An article I did for DataCenterKnowledge. A look back at 2014 and all the ShellShock and Heartbleed fallout for Data Center Knowledge. Nice, crisp piece. License for the xkcd image: https://xkcd.com/license.html
Here's an article where I compare Bitcoin (and other blockchain fintech) to another virtual currency, the one promoted and used by tens of millions in Africa: m-pesa.
I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.
"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.
Here's where the Top Ten really started to get funky. Check out the mood music while you read this. It's David Holmes.
This is almost top secret stuff. I probably shouldn't even be writing about it, but others have, so if someone were to weaponize this, well, I can't be held responsible. And at least I provided a defense.
This is the one that started it all! Okay, so that means it was the worst, and yeah, I hadn't figured out how to do the top ten in reverse order yet.
My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.
The malware analysis team at F5 put together a great report on the Dridex malware. Here is me summarizing and mansplaining it.
“Is it possible to quantify your own security posture as it relates to denial-of-service?” That’s the question a customer of ours has been asking themselves, and they came up with a plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.
The famous US patriot hacker, Th3J35t3r, posted his recipe for holiday cupcakes. I made them but it turned out they were full of malware.
Here's an old DevCentral video podcast featuring yours truly! Talking about security stuff, of course.
Written in 2012, this was a new way to think about Data Center Firewalls. Written with the amazing Lori MacVittie.
Here's an update to the SSL Renegotiation DoS article. This iRule is tighter and more performant, if that's even a word.
This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.