Featured Content

They call me the content machine. I write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.



Jan. 30, 2015 tags:  in-the-news infosec

DarkReading: How the Skills Shortage is Killing Defense-in-Depth

One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.


Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.


Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other, and that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses, and how resistant it would be to surveillance.


Feb. 19, 2016 tags:  infosec hackers

What keeps white hat hackers from turning to the dark side?

The idea for this, my favorite article, had been rattling around my head for years. "Why don't you use your knowledge for evil?" I surveyed over three dozen of my friends and colleagues to find out what their prices were, if any. Some illuminating results.


July 6, 2016 tags:  SSL-TLS cryptography

SSL Outbound Visibility Lightboard Lesson

You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that Ambien, because this Lightboard Lesson solves it. In this episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.


June 1, 2015 tags:  ddos

F5 DDoS Protection Volume 2 - Recommended Practices

This may be the most significant document I've ever written. Customers used to ask me if we had a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took me close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opus for DDoS.


Jan. 27, 2017 tags:  SSL-TLS cryptography

The 2016 TLS Telemetry Report

Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne, Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three-year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.


March 1, 2017 tags:  SSL-TLS cryptography security-week

Encryption Smackdown: PlayStation 4 vs. XBox One!

Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.


Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.


Feb. 15, 2014 tags:  travel

How to fix your hotel TV when it won’t accept your HDMI input

This is by far the most popular thing I've ever written. It consistently gets over 1000 views every month. That means since I wrote it, over 50,000 people have read it. Maybe it goes to show you that people want problems solved!


Dec. 14, 2014 tags:  ddos

The F5 DDoS Protection Reference Architecture

Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.


Feb. 1, 2016 tags:  infosec hackers

Cloud and the Security Skills Gap

F5 Network security evangelist David Holmes offers concrete advice about how cloud outsourcing can help companies with a talent shortfall solve three enterprise security problems: application security, penetration testing, and bug bounties.


June 3, 2015 tags:  in-the-news infosec

InfoSecurity Europe 2015 - David Holmes

TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015


July 3, 2013 tags:  ddos infosec

ComputerWorld: How Can We Get Out of the DNS DDoS Trap?

I wrote a piece about the UDP-based distributed denial of service (DDoS) attack involving Spamhaus and CyberBunker. It was published in ComputerWorld in 2013.


Jan. 11, 2016 tags:  SSL-TLS cryptography ddos infosec

David Holmes Greatest Hits, 2015 Edition

Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.


Feb. 4, 2016 tags:  ddos

Firewall Roundtable Discussion

Here's a fun virtual roundtable that Brian McHenry and I did for the DevCentral guys, Jason Rahm and John Wagnon. Over a half hour we discuss the F5 advanced firewall module. We chat about the market, the history and some of the things that differentiate the product.


Jan. 9, 2014 tags:  travel

What Does a Security Evangelist Actually Do?

Worldwide Security Evangelist. Great title, huh! So what does a Security Evangelist do? This article explains it all.


April 13, 2017 tags:  in-the-news infosec

CSO Perspectives Interview with David Holmes

Here's a 7 minute interview that CSO's Anthony Caruana did with me at the CSO Perspectives roadshow; this one was in Sydney. He asks about the new National Mandatory Breach Notification law, the Internet of Things, and where did I get that awesome shirt? Belgium.


March 21, 2016 tags:  in-the-news infosec hackers

Manila Business Mirror Interview

Not every day you get on the front page of the local paper! Was in the Philippines immediately after the first SWIFT banking theft: $81M had been stolen (by the Lazarus group, probably) and laundered through local casinos. I happened to be there speaking with the media about bank fraud anyway, so that's how country manager Oscar Visaya and I ended up on the front page of the paper.


May 18, 2016 tags:  infosec hackers security-week

Mysteries of the Panama Papers

When asked for comment on the Panama Papers, I said heck yeah, there are so many questions. So I put them into a SecurityWeek byline, and then answered them. Most of them. Even the one about Simon Cowell.


Dec. 2, 2014 tags:  SSL-TLS cryptography infosec security-week

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.


Nov. 6, 2014 tags:  cryptography travel infosec security-week

When Encryption isn't Enough

"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.


Oct. 9, 2014 tags:  travel

5 Ways to Make Back the American Express Platinum Annual Fee

For the first few years, I had to talk myself into paying the $450 annual fee for the American Express Platinum card. This little piece is me talking myself into it on paper, as it were. The math checks out. And if anyone is keeping score, I still get the platinum card every year, and it pays for itself.


Dec. 12, 2013 tags:  cryptography hackers

True DDoS Stories: Nine Steps to DDoS Yourself

“Is it possible to quantify your own security posture as it relates to denial-of-service?” That’s the question a customer of ours has been asking themselves, and they came up with a plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.


June 1, 2014 tags:  ddos infosec

The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time

After many discussions with some of the most high-profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.


Oct. 27, 2016 tags:  ddos hackers

Making Sense of the Krebs / OVH / Dyn DDoS Attacks

The right guy at the right time. Here's my take on the huge DDoS attacks of September and October 2016. Had to rush this one to release as an official company position on the attacks. I like how it came out.


May 4, 2017 tags:  security-week

Threat Modeling the Internet of Things

Here is Part 0 (or part 1) of a series on threat modeling the Internet of Things. Here I introduce these two topics: Internet of Things and Threat modeling and suggest that maybe we need to spend more time putting them together. I like the intro and extro for this piece :)


June 2, 2016 tags:  cryptography travel infosec hackers security-week

Cyber Espionage Report: APT at RUAG

I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.


Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.


Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.


May 21, 2016 tags:  travel infosec hackers

APAC Security: 2 Opportunities for business, 1 for Hackers

After I came back from my 50 days in Asia, I wrote up three observations about how infosec is different there. Some good analogies. Kinda proud of this piece.


May 5, 2014 tags:  infosec hackers

See what IP Reputation has to say about your firewall traffic

As you would imagine, being a security and networking professional, I ran a pretty sophisticated home network. One time I plugged our partner Webroot's IP reputation tool in front of my home router to see what kind of malicious traffic it was flagging. Here are the results.


April 14, 2014 tags:  SSL-TLS cryptography

Heartbleed: Network Scanning, iRule Countermeasures

My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.


Jan. 4, 2017 tags:  SSL-TLS cryptography ddos

David Holmes Greatest Hits 2016 Edition

I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.


April 18, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 1 of 2

Sabu was such a rock star in his time. His character and his exploits were legendary at the time and his downfall even more so. I really enjoyed writing this one. I actually had more information on this but couldn't publish it due to privacy concerns. But buy me a beer sometime and ask me about it.


Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.


Sept. 28, 2016 tags:  SSL-TLS cryptography infosec security-week

I Got 99 Problems, But SWEET32 Isn't One

In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.


Dec. 7, 2016 tags:  hackers security-week

Hacking Europe's Smart Cities

A young hacker came up to me after a talk in Belgium and told me this story. Made for a great article for SecurityWeek.


Sept. 15, 2016 tags:  ddos infosec

2016 DDoS Attack Trends

Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?


March 29, 2017 tags:  SSL-TLS cryptography security-week

US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

My response, representing the vendor community, to US-CERT's warning about SSL interception products.


May 2, 2017 tags:  hackers

Hacker Profile: The Real Sabu Part 2 of 2

The explosive second half of the profile of famed hacker Sabu.


June 12, 2017 tags:  ddos in-the-news

Ten steps for combating DDoS in real time

Hey look, IT News Africa reprinted my ten-step guide to combating DDoS in real time. This is basically a shortened, texty version of the DDoS playbook.


July 13, 2017 tags:  SSL-TLS cryptography

How Quantum Computing will Change Browser Encryption

After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.


Sept. 16, 2016 tags:  SSL-TLS cryptography security-week

You Can't Find What You're Not Looking For Because of Goat Parkour

We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.


May 3, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS Attack - an iRule Countermeasure

This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.


Oct. 28, 2016 tags:  ddos hackers security-week

What's the Fix for the IoT DDoS Attacks?

Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)


Jan. 25, 2015 tags:  SSL-TLS infosec

The Expectation of SSL Everywhere

Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.


Nov. 28, 2016 tags:  infosec security-week

Evaluating Risks to Identity and Access When Moving to the Cloud

A fine article about evaluating the risks and creating sound strategy around moving to Office365. In the article I briefly mention 5 threats you should add to your threat modeling for cloud collaboration. Threat modeling for cloud could, and should, be its own article or even series of articles. Remind me to write that! :)


Nov. 24, 2016 tags:  ddos in-the-news security-week

This Web-based Tool Checks if Your Network Is Exposed to Mirai

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.


May 17, 2017 tags:  infosec

The Intel AMT Vulnerability - Silent Bob

The Intel Active Management Technology (AMT) vulnerability (now referred to by many as “Silent Bob”) is one of those truly brutal, ugly ones that make you queasy to even think about. Like Heartbleed or Venom. Here's how to scan for it on your network. And what ports to block.


July 5, 2017 tags:  ddos in-the-news infosec

Hunting for IoT devices to be used for massive botnet

Had a fantastic, wide-ranging interview with Malaya Business Insight reporter Raymond Gregory.


Nov. 13, 2016 tags:  ddos in-the-news

The Internet Of Things, DNS Weaknesses, Or Trump: Which Will Sink The Internet?

Got quoted by a Forbes article. “Nearly all clients rely on DNS to reach their intended services, making DNS the most critical—and public—of all services,” explains David Holmes... and “This single point of total failure…makes DNS a very tempting target for attackers,” Holmes continues. The pic is Jon Postel, who I consider a father of the Internet.