Take a look at these Google search terms people use to locate my site.  Securitycurmudgeon.com is appropriate.  Traffic lights makes sense, since I had an article about hacking traffic lights.  Think outside the keyboard, getting colder.  Null, freezing cold.  People searching for null find my site?  It seems more believable that it’s a Google search or Blogger bug.  Hmm, what can we do with this?


Interesting article, “People With Bad Credit Get Surveilled Cars With Remote-Kill Switches“, by Kashmir Hill of Forbes describes new techniques creditors use to creatively secure their debt.  Technology impacts us in ways that are difficult to predict or imagine.  I would not be surprised to see a kill switch legislated into every new car someday in the future.  California has already done so with smart phones.


I have been blogging for about two years now and have written one hundred published posts on all manner of security and privacy subjects.  In fact, this is post one hundred.  I enjoy writing on the side, so I took up blogging mostly as an experiment.  If you’re interested in learning more about my experiences with security blogging, please read on.

Following are some of my top articles over the last two years, some figures related to readership, and some lessons learned along the way that you may find useful for your blogging.  Feel free to send me any of your lessons learned or ideas for improvement.  Any lessons I don’t have to learn painfully on my own are welcome, I’m serious.

Top 5 Pageviews

Following are the top blog articles with the highest number of pageviews and a small synopsis for those interested.

1) Tracking Aircraft on Raspberry PI
Hardware and software project combining Raspberry Pi micro-controller, RTL software-defined radio, and dump1090 software into an ADS-B commercial aircraft receiver

2) So You Want to be a Security Professional?
Information about the security profession for those exploring a new career in security.  Various roles in security and challenges common throughout the profession are covered.

3) The Most Difficult Thing About Raspberry Pi
My experience building a Raspberry Pi micro-controller with 2.8″ TFT

4) Measuring Internet Connection Throughput
Java program to measure Internet connection bandwidth over time

5) Google Hacking — Blast from the Past
Use of advanced Google commands to find information of interest.  Has helpful implications in day-to-day searching, but I also provide some thoughts and examples of what Internet adversaries can do.

Chart: securitycurmudgeon.com pageviews permo

Monthly Pageviews

The chart (on left) shows the pageviews since July 2010.  I think the chart is not entirely accurate for a few reasons: 1) I didn’t start blogging about security until a couple of years ago, 2) I moved the site to WordPress for a short period (gap in coverage), 3) pageviews in the last 30 days top almost 6000.  Still, it’s useful to get some idea of the overall trend.

Lessons Learned

There are many lessons learned about building and operating a web site and I will share some of them.

Link Allergies
Readers don’t like to navigate too deeply for content.  The lesson learned: if you want readers to see something, then place all the content on a single page.  Pageviews drop precipitously with each degree of separation from the primary post.

Cross-Referencing Related Content
Often readers may not know about other related content.  Including a link or two to other related articles or follow-ups is sometimes helpful to readers.  Everything must be considered from the reader’s perspective.

Small Posts Published Regularly
Most people prefer small regular posts as opposed to massive multi-page articles.  It makes sense given the amount of competition for reader attention.  Sometimes a post of only a few sentences at the right moment in time can have tremendous positive impact.

More Posts = More Views = More Readers
You may think that readers read only the new content but you would be surprised.  Readers also read older content.  With search engines, readers can land on any of your posts and often do.  Each post developed is one more reason readers have to visit your site.  Consider each post an asset with a long shelf life.

Do Something
Personal opinion is great but reader attention is a precious commodity.  Readers like news, technical articles, and projects that have practical value or are at least interesting to them.  Some amount of personal opinion provides style for your site but too much is perceived as fluffy, not useful, and perhaps even a waste of reader time.

SEO & Promotion
Promotion sucks but it’s unfortunately absolutely essential.  Without some promotion even the best articles in the world will go completely unnoticed.  Promotion is messy business, especially self-promotion, since it’s a complete turn-off to readers.  Expanding your reach by providing presentations, articles, and books is an investment since content may be long lasting and boost pageviews to your blog.  You need to be concerned with SEO or the search engines will forget about your site.  Yoast makes an SEO plugin for WordPress but they also provide some information about SEO in general.  It’s worth educating yourself.

If you have a passion for security and like to write then blogging is a powerful tool.  If you’re mostly interested in fame and fortune and driving ad revenue to pay your bills, you will need to choose a subject with broader appeal, or at least it would be a safer bet to do so.

At almost 6000 pageviews per month and growing, securitycurmudgeon.com is doing far better than I ever expected for a defensive blog on application security.  Outside of the world’s largest security conferences like RSA, Blackhat, DEFCON, Gartner, etc., many security conferences have fewer than 2000 attendees and many even fewer than that.  I try to imagine everyone at a conference like that reading this blog, phew, crazy.  Of course, pageviews are not the same thing as number of readers.  Some readers read more than a single page, so the 6000 pageviews definitely represent fewer readers.  Still, even if the number of monthly readers is half the number of pageviews, it’s far more readers than I ever thought would be interested in security and privacy.

The only reason I care about pageviews is that it’s a rough gauge of reader interest in securitycurmudgeon.com.  It’s every writer’s desire to craft content readers find interesting and relevant.  Security and privacy is a passion of mine and likely yours if you’re reading.  Thanks for following along over the years and I look forward to continuing for many more.  It’s been a pleasure to write for you, sincerely!


This year’s OWASP AppSec 2014 USA was held in Denver, Colorado.  The downtown Denver metro was a great location.  Plenty of stores, restaurants, and great evening walks for the adventurous.

In one of the conference sessions, Static Analysis for Dynamic Assessments, Greg Patton of HP Fortify describes a new process for reviewing dynamic web app data with static analysis tools.  Patton developed a security tool, RIPSA, which he uses for downloading dynamic web site content.  Tools like SiteSucker have been around for a while but they are of limited usefulness when working with dynamic content.  RIPSA bridges the gap and allows downloading dynamic content to a local working directory.  Once the dynamic content is downloaded, traditional static analysis tools may be leveraged.

Patton mentions the top vulnerability they usually find with the approach is DOM based XSS.  I don’t think the RIPSA tool is necessarily too special but the idea of using static analysis on dynamic content is impressive and opens up a completely new way to use static analysis tools.  I apologize in advance, I don’t have a RIPSA link.  I contacted Patton but he did not respond in time for this post.  Patton’s approach is creative, rock on!
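
The idea described above, static checks run over dynamic content saved locally, shown as an added example that is not RIPSA or HP Fortify code: a heuristic scanner that flags lines where browser-controlled input reaches an HTML or script sink.  The file names, the source and sink lists, and the sample content are constructed for illustration.

```javascript
// Added example: heuristic DOM-based XSS check over saved page content.
// Line-based and regex-driven, so it can both miss flows and over-report.
const SOURCES = /\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer|cookie)|window\.name)\b/;
const SINKS = /\.(?:innerHTML|outerHTML)\s*=(?!=)|\bdocument\.write(?:ln)?\s*\(|\beval\s*\(|\.insertAdjacentHTML\s*\(/;
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

const idents = (s) => s.match(/[A-Za-z_$][\w$]*/g) || [];

// True when the text reads a browser-controlled source or a tainted variable.
function readsTaint(text, tainted) {
  return SOURCES.test(text) || idents(text).some((id) => tainted.has(id));
}

// Scan one file; returns [{file, line, code}] for sinks fed by tainted data.
function scanFile(file, text) {
  const tainted = new Set();
  const findings = [];
  text.split(/\r?\n/).forEach((code, i) => {
    if (SINKS.test(code)) {
      if (readsTaint(code, tainted)) findings.push({ file, line: i + 1, code: code.trim() });
      return;
    }
    const m = ASSIGN.exec(code);
    if (!m) return;
    // Propagate taint through plain assignments; a clean reassignment clears it.
    if (readsTaint(m[2], tainted)) tainted.add(m[1]);
    else tainted.delete(m[1]);
  });
  return findings;
}

// Constructed sample standing in for a local working directory of saved content.
const SAVED = {
  "search.js": [
    'var q = location.hash.slice(1);',
    'var msg = "Results for " + q;',
    'document.getElementById("out").innerHTML = msg;',
    'document.getElementById("safe").textContent = q;',
    'document.write("<p>static banner</p>");',
  ].join("\n"),
  "ref.html": '<script>\ndocument.write(document.referrer);\n</script>',
};

function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanFile(name, text));
}

console.log(scanAll(SAVED));
```

Only the `innerHTML` line in `search.js` and the `document.write` line in `ref.html` are reported; the `textContent` assignment and the static `document.write` are not, which is the distinction a reviewer cares about when triaging results.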

Another session, Reverse Engineering a Web App, described the process of reverse engineering web applications and perimeter WAF detection techniques.  The session was more or less what I would expect, except a tool was presented that was new to me, OSSEC.  OSSEC is an open source host IDS.  If you are in need you may wish to investigate.  I always like new tools.

Photo: Skycure threats for San Jose, CA

At the event, Skycure provided an innovative product demonstration.  The following photo shows a real-time display of threats from their web site.  There is also a companion application that runs on the mobile device and likely uploads intelligence data to their central service.  Skycure describes the overall advantages for customers broadly as: seamless, cross-platform, built for enterprise, visibility, device protection, and crowd wisdom.  The web site is a little short on technical detail so it’s not clear exactly which threats are included in the analysis or mitigated, but I’m assuming rogue APs at a minimum.

Photo: Iron-Clad Java book

Signing my first copy of Iron-Clad Java at the conference was a reality moment for me.  The only time my autograph was previously requested is signing Visa receipts at the cash register.  At the conference we discussed and agreed to start another book project.  The new Iron-Clad book project team is Jim Manico (Twitter: @manicode), August Detlefsen (Twitter: @codemagi), Eoin Keary (Twitter: @EoinKeary), and myself.

We all enjoyed working together on the last project and thought Eoin would make an interesting addition to the team.  No idea about publisher or content yet; we are still working out the details.  More on that later.

Now that AppSec USA is past it’s back to JavaOne.  JavaOne starts next week.


In my post, The Home Depot Letter of Shame, I mentioned the “I told you so’s” we would hear from former employees.  It’s unusual that I receive such instant gratification after I post an article, but nevertheless following is a report from The New York Times, Ex-Employees Say Home Depot Left Data Vulnerable.

“But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees.”

Apparently Home Depot ex-employees had a wealth of information,

“Some members of its [The Home Depot] security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.”

Ignored warnings from security staff were also noted in the Target incident.  Target ex-security staff warned management long in advance but management refused to acknowledge concerns.  In both these cases, the companies had advance knowledge that security weaknesses existed, willfully refused to improve, and even ousted outspoken security staffers to the peril of cardholders.


The letter sent by The Home Depot to customers (on left) about their recent security incident.  I can only think of 56 million reasons why this letter is unacceptable.  Offering free identity services is helpful but it’s entirely irrelevant to the top concern – poor security.  A more satisfying plan would be additional transparency around security efforts, a communicated improvement plan, and regular public reports of progress against the plan.  In testimony to Congress, Target provided several assurances and the first item on the list,

“First, we are undertaking an end-to-end review of our entire network and will make security enhancements, as appropriate.”  [Target to Congress]

The Home Depot seems to be following Target’s game plan.  However, due to the lack of transparency at The Home Depot, it’s not clear the actions taken address the security concerns.  Perhaps as the investigation progresses more communications will be forthcoming.

I’m seeing a trend, a public weary of excuses around poor security and lackluster responses.  If this incident takes a similar trajectory to the Target incident, I would not be surprised to see some executive turnover, finger pointing, and “I told you so’s” from ex-security staffers in the coming months.  Given the magnitude of this incident, we may even see renewed enthusiasm from Congress on security.