A friend with Photoshop is all you need

by javvad Malik with no comments

Jimmy is a good guy – I like him, he works in security and trains MMA. Which means if he can’t gain access to your server, he’ll simply beat the password out of you.

Then he posted this picture on Twitter in a cowboy hat. A ridiculous cowboy hat.

As they say, a little Photoshop is a dangerous thing, and the temptation was too great not to take advantage of the opportunity.

[Image 1: brokeback]

Which led to the birth of Jimmy Sozé

[Image 2: usual suspects]

This got Jimmy a bit worked up, so I challenged him to a duel.

[Image 3: duel]

He said he’d kill me, to which I said that’s a crime punishable by hanging till he’s dead, dead, dead!

[Image 4: hang em high]

The subsequent barrage of messages proved that Jimmy was indeed unchained.

filed under blog, Uncategorized

RSA & BSides SF 2014

by javvad Malik with no comments

For the times you feel like the ball inside a pinball machine.

filed under Video

Here’s full disclosure – now no disclosure

by javvad Malik with 2 comments

Full Disclosure has announced it’s shutting down. Even people far more capable than me are trying to comprehend why. One of the key grievances John cited for shutting Full Disclosure down was the constant battle against trolls, even from within the security community.

It raises a number of interesting questions about the state of security, the trends and the meaning of life. I think in summary it comes down to trolls. The day the internet was created, all trolls celebrated, for it signified the day they would be able to hide behind their keyboards and spout venom indiscriminately. It’s a very sad but undeniable part of the internet as a whole. Whoever has been a victim of hate mail, mean comments or even a ‘dislike’ on a YouTube video can tell you that however thick-skinned you are, it all eventually takes its toll. I cannot imagine how stressful running something like Full Disclosure could be in the long run. Hell, I still carry a chip on my shoulder from the time Reed Exhibitions’ legal team got their panties in a twist over my use of the word Infosec.

The question of the ‘security community / scene / industry / freak show’, what it is, where it’s going, or even whether it actually exists, is one that could fill several volumes. But it’s at times like this that I am reminded of a quote from the movie “Young Guns II”:

“You remember the stories John used to tell us about the three Chinamen playing Fantan? This guy runs up to them and says, “Hey, the world’s coming to an end!” and the first one says, “Well, I best go to the mission and pray,” and the second one says, “Well, hell, I’m gonna go and buy me a case of Mezcal and six whores,” and the third one says “Well, I’m gonna finish the game.” I shall finish the game, Doc.” – William H. Bonney

Will the security community finish the game? Are we even playing the same game? Or is Haroon Meer right when he says, “When we win, it’s with small things, and the victory itself makes us small”?

PS: If the title didn’t make any sense:

filed under blog

The Cyber Security Skills Gap

by javvad Malik with 2 comments

Monday morning, RSA 2014 had not even properly started, and there I was up on stage in front of a rather packed room. Feeling jet-lagged and wishing I had more caffeine in my system, I was glad that I was simply moderating a panel, which included Dwayne Melancon, Andy Ellis, Jane Lute and Mike Assante.

The topic was “Closing the cyber security skills gap”, and the conversation flowed extremely well. I threw out a few questions and sat back and watched the show. Tripwire had commissioned an artist to draw a visual representation of the conversation, which turned out to be fantastic.

Most of the conversation escapes me because I was too worried about keeping the discussion flowing and staying on track to end on time. But luckily Twitter captured most of the sentiments, which are collated below:


filed under blog

Bug Bounty

by javvad Malik with 2 comments

A bug bounty is a reward handed out by companies to people who disclose bugs or vulnerabilities to them in a responsible manner. Think of it like the Wild West, where anyone is deputised with powers to chase after the Kid and claim the reward, dead or alive.

Traditionally, companies like Google and Facebook offered bounties, but, seeing the potential benefits, more and more smaller companies have been getting in on the act, with companies like Bugcrowd offering a brokerage service to bring together testers and companies.

After years of ‘will they, won’t they’, Microsoft jumped into the bounty-offering scheme, with a whopping $100k being paid out for cool Windows 8 hackery. What is even more interesting about Microsoft’s bounty offering, as described by its Senior Security Strategist Katie Moussouris, is that it was designed to disrupt the vulnerability and exploit markets.

In other words, if an unsavoury person finds a vulnerability they would rather not disclose, because they’d rather try to use it to make illicit gains, then any one of their associates can do a “Huggy Bear”, hand in the vulnerability and make off with the cash.

Wild West indeed, as J4vv4D and Girl Cynic found out.

filed under Video

Security Dialectic: Kaspersky Industry Analyst Summit

by javvad Malik with 4 comments

A tropical island paradise, a Russian millionaire and hackers may sound like the plot of a James Bond movie, but they are actually references to Kaspersky’s industry analyst event in Punta Cana, Dominican Republic, where the company was expected to divulge its plans, aspirations and research to analysts from around the world.

Four of 451 Research’s finest analysts – Daniel Kennedy, Chris Hazelton, Adrian Sanabria and Javvad Malik – attended the event.

To read an interview with Adrian and Javvad, visit the 451 Research Information Security Blog.

filed under Video

Phishing prevention

by javvad Malik with no comments

The folks at Information Security Buzz were asking a bunch of people for their tips on how to avoid phishing scams. I responded in the form of a video.

filed under Video

Breaking news – Lemonade compromised

by javvad Malik with 1 comment

Lemonade is big business, and lemonade made from natural ingredients even more so. But what happens when your lemonade isn’t quite what you thought it was? We bring you this special report.

filed under Video

2013 roundup with friends

by javvad Malik with 3 comments

If 2013 was a movie… these are the end credits.


filed under Video

APT Predator

by javvad Malik with no comments

When I was an intern, we found a database. It looked like – like, butchered. The old mainframe women in the basement crossed themselves… and whispered crazy things, strange things. “El Diablo cazador de hombres.” (“The Devil, hunter of men.”) Only in the hottest years this happens. And this year the cooling system failed. We find data servers sometimes without data… and sometimes, much, much worse. “La amenaza más avanzada que el hombre” means the threat that is more advanced than man.

filed under Video