I hate being proven right – mass pwnage

Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such as Core Security, through several security […]

Security trends for 2012

Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned. Folks will continue to run apps as administrator or with god-like privileges. They will then be surprised when they’re […]

Resurrecting the wife’s laptop – Asus hates you and you and you

At Christmas last year, I bought a new laptop for the wife, an Asus K52DR with 4 GB of RAM and 500 GB hard drive. I quote from then: […Asus should…] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and […]

One of my favorite TV shows is the Gruen Transfer, a show deconstructing advertising. Don’t laugh, it’s the ABC’s #1 TV show. A few weeks back, one of the panelists revealed that there are two fundamental ways to sell things – fear, as in: Late 1980’s Anti-AIDS advert and hope, as in: Durex condom […]

Recently, RSA was attacked by adversaries who targeted their two factor authentication fobs. These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way. RSA chose not to discuss the details of the attack, […]

Upcoming speaking engagements – AusCERT and iTSMF

I am scheduled to talk or give tutorials at a couple of places so far this year. AusCERT I am giving a two day Secure Coding tutorial using OWASP’s Application Security Verification Standard. This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design […]

OWASP Podcast 82 – Authorship of OWASP Top 10 2007

Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money have been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be […]

Need a secure code review? We have slots available

I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. 🙂 We have open slots in our schedule for secure code reviews starting from mid March 2011. We perform our code reviews against the OWASP Application Security Verification Standard Level 2B – Automated […]