By Year: 2015 - 35 items
This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other, and that the PS4's encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 actually uses, and how resistant it would be to surveillance.
East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have.
A SecurityWeek article quotes me about entropy.
My love letter to my favorite algorithm of all time, RC4.
Strict Transport Security is a simple but very powerful security fix. So why does no one use it? I explore the topic in this piece for SecurityWeek.
My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.
When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%. Here's an article that shows you how to tell how much of your traffic is still SSLv3.
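Measuring the SSLv3 share of your traffic comes down to reading the version each client offers in its ClientHello. The following is an added example, not code from the article: it parses the record and handshake headers of a ClientHello (including the old SSLv2-compatible hello format), classifies each one by the version the client actually offers, and tallies a batch. The sample records are constructed inline with a small builder so the script runs offline; in practice you would feed it the first record of each inbound connection from a packet capture.

```python
"""Classify captured ClientHello records by offered protocol version to
measure how much traffic is still SSLv3. Added example with constructed
sample records; not the article's code."""
import struct
from collections import Counter

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def client_hello_version(record: bytes):
    """Return (record_version, offered_version, sslv2_compat) or None if the
    bytes are not a ClientHello. Versions are (major, minor) tuples."""
    if len(record) < 5:
        return None
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # msg type 0x01 and the highest version the client supports.
    if record[0] & 0x80 and record[2] == 0x01:
        return None, (record[3], record[4]), True
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:  # 0x16 = handshake record
        return None
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:  # handshake type 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2:
        return None
    # Count on the ClientHello's client_version, not the record-layer version:
    # many TLS 1.2 clients send a 3.1 record header with a 3.3 hello.
    return (rec_major, rec_minor), (hello[0], hello[1]), False


def classify(record: bytes) -> str:
    parsed = client_hello_version(record)
    if parsed is None:
        return "not a ClientHello"
    _, offered, compat = parsed
    name = VERSION_NAMES.get(offered, f"unknown {offered[0]}.{offered[1]}")
    # TLS 1.3 clients still put 3.3 here and signal 1.3 via an extension,
    # so this bucket is "TLS1.2 or later"; good enough for an SSLv3 census.
    return name + (" (SSLv2-compatible hello)" if compat else "")


def tally(records) -> Counter:
    """Count records per classification; the SSLv3 bucket is what you watch."""
    return Counter(classify(r) for r in records)


def make_client_hello(major: int, minor: int, ciphers=(0x002F, 0x0035)) -> bytes:
    """Build a minimal, well-formed ClientHello record (constructed test data)."""
    body = bytes([major, minor]) + bytes(32)  # client_version + 32-byte random
    body += b"\x00"  # session_id length 0
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 0x16, major, minor, len(handshake)) + handshake


# Constructed SSLv2-compatible hello offering 3.0: 0x801f length, type 1,
# version 3.0, cipher-spec len 6, session-id len 0, challenge len 16.
SSLV2_COMPAT_HELLO = (b"\x80\x1f\x01\x03\x00\x00\x06\x00\x00\x00\x10"
                      b"\x00\x00\x2f\x00\x00\x35" + bytes(16))

SAMPLE_RECORDS = [
    make_client_hello(3, 0),
    make_client_hello(3, 1),
    make_client_hello(3, 3),
    make_client_hello(3, 3),
    SSLV2_COMPAT_HELLO,
    b"\x17\x03\x01\x00\x05hello",  # application-data record, not a hello
]

if __name__ == "__main__":
    counts = tally(SAMPLE_RECORDS)
    total = sum(v for k, v in counts.items() if k != "not a ClientHello")
    for name, n in counts.most_common():
        print(f"{name:32s} {n:5d}")
    sslv3 = sum(v for k, v in counts.items() if k.startswith("SSLv3"))
    print(f"SSLv3 share: {sslv3}/{total} = {100.0 * sslv3 / total:.1f}%")
```

The percentage that matters is clients whose hello offers only 3.0 or that still send SSLv2-compatible hellos; everything in the 3.1-and-up buckets would keep working if you switched SSLv3 off tomorrow.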
Here's one that came right from the field: we knew that iOS 9 was coming and was going to include changes to its cryptography. Here's my write-up of which knobs everyone was going to have to turn to stay compatible.
A mention in a SecurityWeek article about container security.
A BGP route monitoring firm, Qrator, released a paper at Black Hat 2015 titled "Breaking HTTPS with BGP Hijacking." Here's my take on it.
Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Layer (SSL) protocol, which has since become TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.
Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.
I first ran into the hacker search engine Shodan at Defcon over a decade ago. It's still around; I saw its creator, John Matherly, giving a talk about it at the Hack in the Box conference in Amsterdam. My summary for SecurityWeek.
Banks increasingly under attack by hackers
Attacks on banks happen everywhere. Banks around the world are worried about hackers and the theft of money.
Here's a 3-minute interview with yours truly in Warsaw, Poland. They have a Polish guy talking over my audio track, which is neat if you know Polish. I don't.
An in-depth piece about the SSL Logjam vulnerability. How vulnerable are you, and here's how to mitigate it if you are.
A deeper dive into the theoretical topic of mobile malware.
TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015
This may be the most significant document I've ever written. Customers used to ask me if we had a Best Practices document around DDoS, and I got tired of telling them we didn't. So I wrote it. It took me close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opus for DDoS.
A launch blog for the SilverLine DDoS Protection service.
It takes effort to stay informed about the information security industry. The #infosec landscape changes incredibly fast. Security researchers and adversarial attackers generate a constant stream of vulnerabilities and other threat vectors. Keeping abreast of it all is a constant challenge. One great way to stay informed is to listen to a selection of security-themed podcasts. Podcasts keep your brain engaged when you’re multitasking some menial physical task like cleaning or driving or walking Roy, the Wonder Dog. Here are three security-themed podcasts that provide a pulse on infosec.
I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!
A tiny blog explaining this awesome graphic.
This was a great interview and got lots of coverage. Good chemistry between me and the awesome Pete Silva. F5 Worldwide Security Evangelist David Holmes talks about why the internet is going SSL Everywhere. He explains why there's been a surge in encrypted traffic and reveals some interesting statistics from his ongoing research on the SSL protocol. Always an engaging guest, David takes us through Forward Secrecy, Strict Transport Security and SSL v3: what they solve and how they are being used in the wild.
In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Sound interesting? It is! A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo-and-behold it was my old buddy Dave who wrote it!"
F5 launched a new web application firewall (WAF) in the cloud service. Here's my take on why it will succeed.
Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.
A deeper look into the security skills shortage. What can be done?
I submitted this piece with multiple possible titles. This was the one that got chosen: the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.
I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.
I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the write-up I did on both for SecurityWeek.
This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!
One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.
Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.
An article I did for Data Center Knowledge: a look back at 2014 and all the Shellshock and Heartbleed fallout. Nice, crisp piece. License for the xkcd image: https://xkcd.com/license.html
This is the most-read article I've ever written. A true-story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.