Featured Content

I speak and write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.



Aug. 1, 2018 tags:  in-the-news hackers

David Holmes: On the trade-off between security and convenience in technology

Bucket list item achieved. I was interviewed on live TV in the Philippines on the ANC Early Edition news program about consumer internet safety and how Filipinos view it through the lens of convenience vs. security. There were likely millions of people watching, but it was just so much fun! Would do it again :)


Feb. 19, 2016 tags:  infosec hackers

What keeps white hat hackers from turning to the dark side?

The idea for this, my favorite article, had been rattling around my head for years. "Why don't you use your knowledge for evil?" I surveyed over three dozen of my friends and colleagues to find out what their prices were, if any. Some illuminating results.


July 6, 2016 tags:  SSL-TLS cryptography

SSL Outbound Visibility Lightboard Lesson

You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that Ambien, because this Lightboard Lesson solves it. In this episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.


June 1, 2015 tags:  ddos

F5 DDoS Protection Volume 2 - Recommended Practices

This may be the most significant document I've ever written. Customers used to ask me if we had a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took me close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opus for DDoS.


Jan. 27, 2017 tags:  SSL-TLS cryptography

The 2016 TLS Telemetry Report

Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne, Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three-year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.


Jan. 30, 2015 tags:  in-the-news infosec

DarkReading: How the Skills Shortage is Killing Defense-in-Depth

One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.


March 1, 2017 tags:  SSL-TLS cryptography security-week

Encryption Smackdown: PlayStation 4 vs. XBox One!

Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.


Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.


Feb. 15, 2014 tags:  travel

How to fix your hotel TV when it won’t accept your HDMI input

This is by far the most popular thing I've ever written. It consistently gets over 1000 views every month. That means since I wrote it, over 50,000 people have read it. Maybe it goes to show you that people want problems solved!


Dec. 14, 2014 tags:  ddos

The F5 DDoS Protection Reference Architecture

Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.


Feb. 1, 2016 tags:  infosec hackers

Cloud and the Security Skills Gap

F5 Networks security evangelist David Holmes offers concrete advice about how cloud outsourcing can help companies with a talent shortfall solve three enterprise security problems: application security, penetration testing, and bug bounties.


June 3, 2015 tags:  in-the-news infosec

InfoSecurity Europe 2015 - David Holmes

TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015


March 7, 2018 tags:  in-the-news iot

David Holmes: Yes, Tony Stark, He Could Be

The Malaya Business Insight newspaper has a circulation of over 80,000 in the Philippines. After an interview I did on our recent volume 4 of the Hunt for IoT thingbots, Sir Raymond Gregory Tribdino published these two articles, one on IoT and one on how I look like Tony Stark. The resemblance usually escapes me, but I hear it all the time. Like about 10 times a year.


Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.


Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant would it be to surveillance.


July 3, 2013 tags:  ddos infosec

ComputerWorld: How Can We Get Out of the DNS DDoS Trap?

I wrote a piece about the UDP-based distributed denial of service (DDoS) attack involving Spamhaus and CyberBunker. It was published in ComputerWorld in 2013.


Jan. 11, 2016 tags:  SSL-TLS cryptography ddos infosec

David Holmes Greatest Hits, 2015 Edition

Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.


Oct. 9, 2018 tags:  SSL-TLS cryptography hackers

The Top Ten Hardcore F5 Security Features in BIG-IP 14.0

My *love letter* to version 14.0 of the F5 product suite. These Top Ten articles are always popular with the engineers in the field, many of whom send them directly to their customers. These are always a ton of work for me, as I have to get the giant list of requirements, understand them, rank them, and write copy (and jokes) about them. Even as I complain, I must admit that these were also my favorite articles for F5 :)


Feb. 4, 2016 tags:  ddos

Firewall Roundtable Discussion

Here's a fun virtual roundtable that Brian McHenry and I did for the DevCentral guys, Jason Rahm and John Wagnon. Over a half hour we discuss the F5 advanced firewall module. We chat about the market, the history and some of the things that differentiate the product.


Jan. 9, 2014 tags:  travel

What Does a Security Evangelist Actually Do?

Worldwide Security Evangelist. Great title, huh! So what does a Security Evangelist do? This article explains it all.


April 13, 2017 tags:  in-the-news infosec

CSO Perspectives Interview with David Holmes

Here's a 7 minute interview that CSO's Anthony Caruana did with me at the CSO Perspectives roadshow; this one was in Sydney. He asks about the new National Mandatory Breach Notification law, the Internet of Things, and where did I get that awesome shirt? Belgium.


March 21, 2016 tags:  in-the-news infosec hackers

Manila Business Mirror Interview

Not every day you get on the front page of the local paper! Was in the Philippines immediately after the first SWIFT banking theft: $81M had been stolen (by the Lazarus group, probably) and laundered through local casinos. I happened to be there speaking with the media about bank fraud anyway, so that's how country manager Oscar Visaya and I ended up on the front page of the paper.


Feb. 23, 2018 tags:  SSL-TLS ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 13

Omg these are so popular. I've been writing these "borderline outrageous" top ten series for three years now and they are a HUGE amount of work. I have to understand all of the security features in order to sort and prioritize them, and then think of a joke for each one. But they're everyone's favorite content, so I'll keep writing them :)


Sept. 27, 2018 tags:  infosec policy

Data Privacy and the 2018 Philippine Identification System Act

Here's an essay I wrote about what I think are the data privacy concerns around the Philippine National ID system (PhilSys). Having a national identification system is a good thing; this essay contains my advice to the implementors of PhilSys, so that they can most properly secure their citizens' data.


May 18, 2016 tags:  infosec hackers security-week

Mysteries of the Panama Papers

When asked for comment on the Panama Papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.


Dec. 2, 2014 tags:  SSL-TLS cryptography infosec security-week

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.


Nov. 6, 2014 tags:  cryptography travel infosec security-week

When Encryption isn't Enough

"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.


Oct. 9, 2014 tags:  travel

5 Ways to Make Back the American Express Platinum Annual Fee

For the first few years, I had to talk myself into paying the $450 annual fee for the American Express Platinum card. This little piece is me talking myself into it on paper, as it were. The math checks out. And if anyone is keeping score, I still get the platinum card every year, and it pays for itself.


Dec. 12, 2013 tags:  cryptography hackers

True DDoS Stories: Nine Steps to DDoS Yourself

“Is it possible to quantify your own security posture as it relates to denial-of-service?” That’s the question a customer of ours has been asking themselves, and they came up with a plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.


June 1, 2014 tags:  ddos infosec

The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time

After many discussions with some of the most high-profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.


Oct. 27, 2016 tags:  ddos hackers

Making Sense of the Krebs / OVH / Dyn DDoS Attacks

The right guy at the right time. Here's my take on the huge DDoS attacks of September and October 2016. Had to rush this one to release as an official company position on the attacks. I like how it came out.


May 4, 2017 tags:  security-week

Threat Modeling the Internet of Things

Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics, the Internet of Things and threat modeling, and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)


April 15, 2018 tags:  SSL-TLS cryptography

The 2017 TLS Telemetry Report

Here's the second edition of the TLS Telemetry report. This is my ongoing research into worldwide cryptographic trends, covering such topics as protocol preference, forward secrecy adoption, SSL security headers and more. Really like the tasteful cover on this one. Beautiful!


June 2, 2016 tags:  cryptography travel infosec hackers security-week

Cyber Espionage Report: APT at RUAG

I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.


Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no one use it? I explore the topic in this piece for SecurityWeek.


Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.


May 21, 2016 tags:  travel infosec hackers

APAC Security: 2 Opportunities for business, 1 for Hackers

After I came back from my 50 days in Asia, I wrote up three observations about how infosec is different there. Some good analogies. Kinda proud of this piece.


May 5, 2014 tags:  infosec hackers

See what IP Reputation has to say about your firewall traffic

As you would imagine, being a security and networking professional, I ran a pretty sophisticated home network. One time I plugged our partner Webroot's IP reputation tool in front of my home router to see what kind of malicious traffic it was flagging. Here are the results.


April 14, 2014 tags:  SSL-TLS cryptography

Heartbleed: Network Scanning, iRule Countermeasures

My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.


Jan. 4, 2017 tags:  SSL-TLS cryptography ddos

David Holmes Greatest Hits 2016 Edition

I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.


April 18, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 1 of 2

Sabu was such a rock star in his time. His character and his exploits were legendary at the time and his downfall even more so. I really enjoyed writing this one. I actually had more information on this but couldn't publish it due to privacy concerns. But buy me a beer sometime and ask me about it.


Sept. 13, 2017 tags:  cryptography hackers

Five Reasons the CISO is a Cryptocurrency Skeptic

I've been a cryptocurrency skeptic for years. Much of that skepticism comes from hundreds of hours of talking with real CISOs and directors of security about how they can better protect real (not virtual) currency. Even with the resources of enormous budgets and huge security teams they can barely keep the hackers from stealing all the monies. When F5 Labs asked me to write up my opinions about Bitcoin, I threw this together. Not a bad little piece.


Sept. 11, 2017 tags:  infosec

Anticipate! F5 Security Keynote Singapore

Here's the keynote I did for F5's security event in Singapore in June. I teach the audience how to threat model the Internet of Things (IoT).


Oct. 31, 2017 tags:  in-the-news infosec

Security Now! Reads our entire REAPER article on their podcast

Never thought I'd see this day! THE Steve Gibson of the Security Now! podcast really liked the REAPER piece that Justin Shattuck and I wrote. He liked it so much he basically read it over the air on podcast episode 635 (toward the end). Still can't believe it, how cool is that?


Nov. 3, 2017 tags:  SSL-TLS security-week

Stack Ranking SSL Vulnerabilities: DUHK and ROCA

All, all those branded SSL vulnerabilities. True to my word, I've continued writing articles comparing them to each other so you can have some idea about how much to freak out. This article adds two more: the DUHK and ROCA vulnerabilities.


Nov. 7, 2017 tags:  SSL-TLS cryptography in-the-news

What happens to Encryption in a Post Quantum World?

Debbie Walkowski interviewed me about my 'Post-Quantum' report. Consider this the cliff notes to that larger paper.


Jan. 4, 2018 tags:  infosec hackers

MIRAI IS ATTACKING AGAIN, SO WE’RE OUTING ITS HILARIOUS, EXPLICIT C&C HOSTNAMES

Slightly explicit content here. Was talking with my colleague Justin, and he was saying how the latest list of command-and-control hostnames for the Mirai botnet contained some hilarious examples like "cnc.smokemethallday.tk". We thought it would be good for a laugh to do some analysis on the names where the servers are hosted from.


Feb. 5, 2018 tags:  in-the-news hackers

Is the Philippines ready for the Internet's Dark Side?

What's the difference between DarkWeb and DarkNet? That's just one of the questions that my colleague, Ray Pompon, and I answered in this wide-ranging interview. Really liked how this one came out.


Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.


Sept. 28, 2016 tags:  SSL-TLS cryptography infosec security-week

I Got 99 Problems, But SWEET32 Isn't One

In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.


Dec. 7, 2016 tags:  hackers security-week

Hacking Europe's Smart Cities

A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.


June 18, 2018 tags:  in-the-news hackers iot

Singapore top cyber attack target during Trump Kim Summit

We released an original report showing a spike in SIP protocol attacks against Singapore during the Trump / Kim summit there. Singapore Today interviewed me about the article.


Sept. 15, 2016 tags:  ddos infosec

2016 DDoS Attack Trends

Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?


March 29, 2017 tags:  SSL-TLS cryptography security-week

US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

My response, representing the vendor community, to US-CERT's warning about SSL interception products.


May 2, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 2 of 2

The explosive second half of the profile of famed hacker Sabu.


June 12, 2017 tags:  ddos in-the-news

Ten steps for combating DDoS in real time

Hey look, IT News Africa reprinted my ten-step guide to combating DDoS in real time. This is basically a shortened, texty version of the DDoS playbook.


July 13, 2017 tags:  SSL-TLS cryptography

How Quantum Computing will Change Browser Encryption

After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.


Sept. 10, 2017 tags:  in-the-news infosec hackers

Malware Grows, Goes After Data Centers

Maria Korolov interviewed and quoted me extensively for a Data Center Knowledge piece on WannaCry. I had no time to prepare for this interview, and was surprised when it got published. Sometimes I prepare a LOT and nothing comes of it. You never know, I guess. Just keep doing them.


Oct. 9, 2017 tags:  in-the-news infosec

Shadow Cloud Apps Pose Unseen Risks

CSO Online picked up the interview Maria Korolov did with me and republished it. That's pretty awesome!


March 1, 2018 tags:  cryptography infosec security-week

Where to Look for Mining Malware and How to Respond

My recommendations on how to spot cryptocurrency mining malware on your network and what to do when you spot it.


March 22, 2016 tags:  cryptography in-the-news infosec

Cloud Security is harder than Encrypt Everything

THE Richard Chirgwin of the Register once interviewed me while I was deliriously excited after talking with some customers in Australia. I gave a wide-ranging interview on all kinds of topics, stuff was just coming out of my mouth. Richard loved it. Later he told my bosses "this was the perfect interview - exactly what I want to hear when I talk with people in the industry!"


April 21, 2018 tags:  infosec iot

Australian CyberSecurity Magazine - IoT, DDoS and Threat Modeling

Here's an audio interview I did at the Australian CyberSecurity Conference at Canberra in April of 2018. About 10 minutes. A little background noise, because we just did it in a quietish corner of the conference.


Sept. 16, 2016 tags:  SSL-TLS cryptography security-week

You Can't Find What You're Not Looking For Because of Goat Parkour

We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.


May 3, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS Attack - an iRule Countermeasure

This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.


Oct. 28, 2016 tags:  ddos hackers security-week

What's the Fix for the IoT DDoS Attacks?

Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)


Jan. 25, 2015 tags:  SSL-TLS infosec

The Expectation of SSL Everywhere

Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.


Nov. 28, 2016 tags:  infosec security-week

Evaluating Risks to Identity and Access When Moving to the Cloud

A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)


Nov. 24, 2016 tags:  ddos in-the-news security-week

This Web-based Tool Checks if Your Network Is Exposed to Mirai

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.


May 17, 2017 tags:  infosec

The Intel AMT Vulnerability - Silent Bob

The Intel Active Management Technology (AMT) vulnerability (now referred to by many as “Silent Bob”) is one of those truly brutal, ugly ones that make you queasy to even think about. Like Heartbleed or Venom. Here's how to scan for it on your network. And what ports to block.


July 5, 2017 tags:  ddos in-the-news infosec

Hunting for IoT devices to be used for massive botnet

Had a fantastic, wide-ranging interview with Malaya Business Insight reporter Raymond Gregory.


Sept. 25, 2017 tags:  infosec iot

The Top Three Tips for IoT Consumer Security Hygiene

I promised some really nice reporters in Singapore that I would get them my top three safety tips for IoT. So I put together this little blog and posted it on LinkedIn. I think we might expand it for a cyber site somewhere.


Oct. 11, 2017 tags:  ddos in-the-news

IoT Attacks: India no. 2 source country

Had a long, fun, wide-ranging interview with India Economic Times.


Jan. 30, 2018 tags:  infosec iot

IoT: Moving to Security by Design

Here's the podcast of an interview I gave for Data Breach Today and Info Risk Today to Suparna Goswami of ISMG. This is basically the podcast version of the stump speech I give about securing IoT.


March 22, 2018 tags:  infosec security-week policy

5 Fun Facts about the Singapore Cybersecurity Statute

Someone asked me what I thought about the recently passed Singapore Cybersecurity Statute. So I did some research and turned it into an article for SecurityWeek.


March 23, 2018 tags:  in-the-news infosec iot

44% of Telnet Scans come from China

IT Pro wrote an article based on our media briefing in HK. I don't actually know what it says, but I think it's something like "44% of Telnet scans (or attacks) coming from China". Google Translate doesn't work for Cantonese?


March 25, 2018 tags:  in-the-news infosec iot

IoT: Moving to Security by Design

ISMG's Suparna Goswami interviewed me about my thoughts on IoT Security. 12 minutes of David Holmes braindumping IoT security at you.


May 22, 2018 tags:  SSL-TLS cryptography security-week

Fitting Forward Security into Today's Security Architecture

I've been talking about this problem for years (it seems), but there's been an update. Toward the end.


May 2, 2018 tags:  infosec hackers security-week

Spring 2018 Password Attacks

This is basically me channelling a series of emails with Marc LeBeau. He gave me permission to submit it as an article and I really like the way it came out. BTW can you guess the racy password that my editors didn't want me to write about?


May 17, 2018 tags:  infosec

Managing Security in a Multi-Cloud Era

Here's a video interview of me talking about multi-cloud security. I don't honestly remember what I said, it was so long ago, but I'm sure it was dripping with profundity.


Aug. 15, 2018 tags:  infosec iot

F5Agility18: Application security and evolving threats

Here's a video interview done by none other than F5's Calvin Rowland himself. He and I are both 17-year veterans of F5 Networks, and we're both good (or at least energetic) on video. He's interviewing me for our Agility Live series, and I'm discussing some of our security research at F5 Labs.


Aug. 21, 2018 tags:  in-the-news infosec policy

National ID Systems and Data Privacy

After receiving some media inquiries around the Philippines national ID system, I put together an essay, with the help of my indispensable personal assistant in the islands, on data privacy and the Philippine National ID system (PhilSys). Back End Systems quoted me from the essay in this article. See F5 Labs for the main essay.


Nov. 13, 2016 tags:  ddos in-the-news

The Internet Of Things, DNS Weaknesses, Or Trump: Which Will Sink The Internet?

Got quoted by a Forbes article. “Nearly all clients rely on DNS to reach their intended services, making DNS the most critical—and public—of all services,” explains David Holmes... and “This single point of total failure…makes DNS a very tempting target for attackers,” Holmes continues. The pic is Jon Postel, who I consider a father of the Internet.