For a couple of days I see a new wave of attacks hitting our WP installation. Hundreds of IPs hitting /wp-login.php. Like 10 times the normal amount of requests despite fail2ban blocking them really fast. The best defense (and there are many layers of defense) has been installing WP in a subfolder.

I'm exploring new engagements! If your team needs expertise in cybersecurity, risk assessment, tech policy, regulations (GDPR, etc.), tech standards, strategic insight, or Comms/PR, let's talk! Open to contract, or flexible roles. DM/email at [email protected].

On a Saturday night I stumbled across something on the internet that made me feel like ****** my pants. A giant dataset of real surveillance operations targeting 1000s of people across nearly every country. Unraveling it and the mysterious company behind it has consumed 1.5 years of my life

Later today, I'll be hosting a ModSecurity / CRS community call luma.com/8yc1p543 We'll be talking about success metrics, WAF testing and other integration questions.

“E-ID explained, Teil 1: Wieso und wie? - #dnip” https://dnip.ch/2025/08/27/e-id-explained-teil-1-wieso-und-wie/

In der heutigen Freitagskolumne für #dnip habe ich mich der #eID gewidmet. Dabei untersuchte ich die Argumente der Gegner:innen und unterzog sie einem Faktencheck. Die meisten davon ziehen nicht, weil sie die Vorlage gar nicht betreffen. Von mir gibt's ein "Ja" am 28.9. dnip.ch/2025/08/15/v...

An Open Source sustainability story in two slides. (for a coming talk of mine) Slide 1: car brands using #curl Slide 2: car brands sponsoring or paying for #curl support

Guess who's going to the circus tonight.

Do I know anyone near Bern Switzerland that I can meet up with in Vegas next week, to take a book to my friend? I mailed him one months ago and it never arrived. I don't want him to wait 3 more months. Let me know!

Die NZZ ist einer der grössten Datenhändlerinnen der Schweiz. Dark Patterns at its worst. Stell Regler auf off bei Standort-Weitergabe und IMMER NOCH sind gewisse Advertising Tech-Firmen auf ON eingestellt. Das sind alles übelste Datenschutzverstösse. Der EDÖB hat leider aufgegeben bei dem Thema.

Switzerland is starting a project test #ECollecting / the electronic collection of signatures for referendums. The Federal Chancellery launched a public participation process and they recruited me to moderate this dialogue. www.news.admin.ch/de/newnsb/vy...

The final two parts of my blog series about delivering training at conferences have now been released! You can check them out on the @BounceSecurity website now!

#pastpuzzle 345 🟩🟩🟩🟩 (0) ▪️▪️▪️▪️ ▪️▪️▪️▪️ ▪️▪️▪️▪️ 1/4 🥇 www.pastpuzzle.de The question is always whether historians have advantages in trivia quizzes - like pastpuzzle. Today: yes

Another hour and we're ready. Deer shank on a spit.

OWASP awarded me with a distinguished lifetime member award last week. I am deeply thankful for this recognition and the support by the OWASP CRS team that made this possible.

On my way to the @owasp.org WAF day and the OWASP AppSec EU conference in Barçelona. If you're around, please come and say hello!

I'm coming to Switzerland! Join me at the Microsoft Azure Zürich User Group in only a few weeks from now: www.meetup.com/de-DE/micros...

Pope Francis wanted to ensure that a new pope yielded the same result. This means the papacy is idempontiff

I spend a chunk of my time explaining how open-source, when you do it on purpose and have a publicly available code repository, strongly disincentivizes you from taking these silly and dangerous shortcuts. We should not underestimate the power of shame and public oversight.

What I find intriguing about hiring disguised North Koreans is that they excel in their job since you hired an entire team.

Digital integrity mit der #digiges und Jörg Mäder im #lichtspiel in Bern.

Andrew Kochura shared a very simple WAF smoke test with 15 diverse payloads that can serve as a simple indicator of the baseline quality of a WAF. I like the simplicity of this. Furthermore, I like that CRS covers 90% of the payloads by default and 100% at PL2. gist.github.com/kochuraa/fb3...

Dr @lukaszolejnik.bsky.social explores the evolving threat of Russian cyberwarfare & its impact on European security. "Disinformation does not aim for instant change. The real deal is gradual influence including delicate shifts in narratives and fostering divisions." 📖Read: bit.ly/3Gbjgsg

The problem with most machine-based random number generators is that they’re not TRULY random, so if you need genuine randomness it is sometimes necessary to link your code to an external random process like a physical noise source or the current rate of US tariffs on a given country.

A lot of people are tired of democracy and they are flirting with the thought of a strong autocrat at the helm. They dream of a wise Caesar like Augustus, but I think Augustus was an outlier and history tends to head straight for Nero.

Got my new sticker in the mail today. Here we go!

I'm sure somebody wrote a screenplay involving a "Houthi PC small group", but it got rejected as highly unrealistic.

I like the design on this "Houthi PC small group" sticker. #HouthiPC #SmallGroup

quick guide to Signal's disappearing messages settings

There are only very few reasons to prefer Signal over Threema. Now, there is an additional reason: You're only invited to join top secret military planning meetings as a Signal user. While the 🇨🇭 Army uses Threema for communication, I have never heard of a similar breach of rules in Switzerland.

This is going to blow up badly for @springernature.com, the Universities involved and especially Nanasheb Thorat, PhD. cc @ruthwdiamonds.bsky.social

When #LLM hallucinations hit real people and the GDPR. arstechnica.com/tech-policy/...

I'll be hosting a @owasp.org CRS project community call later today / tonight (20:30 CET). It's open for everyone and it would be great to see a lot of faces, old and new to talk about CRS. coreruleset.org/20250203/fir...

After my take on Swissoms claim about 200M attacks per month, it's now @rvgt.ch challenging that statement.

The @swisscom.bsky.social CEO reported 200M monthly attacks on its infrastructure. This can't be true. It's either much more or much less. But certainly not 200M. Here is a German guest piece I wrote for @inside-it.ch that discusses this number. www.inside-it.ch/gastkommenta...

Mathias Peter kicking off @1ns0mn1h4ck.bsky.social 2025 conference today. #INSO25

Switzerland adopts mandatory reporting of significant attacks on critical infrastructures as well as the fixing of reported security vulnerabilities within a basic deadline of 90 days. Coordinated disclosure becomes the standard, enforced by the Swiss NCSC. www.ncsc.admin.ch/ncsc/en/home...

Next Tuesday is Security Meetup at Schiffbau/Zürich …and for our Insomnihack friends, we do a special warm up on Wed 12th next to EPFL - start the con the fun way🤗 @insomnihack.bsky.social #BoT www.beerontuesday.ch?page_id=19

Francis Fukuyama "The End of History" my ass.

The world is going crazy and the motto for this year's @swisscyberstorm.bsky.social conference is "Resilience in a mad, mad world" Tuesday, October 28, 2025, Bern, Kursaal Introducing the topic and opening keynote speaker #MarkBarwinski: www.swisscyberstorm.com/2025/02/27/r...

Ganz starker Auftritt von @philippburkhardt.bsky.social zur VBS-Situation im Echo der Zeit heute Abend. Das fehlt nicht mehr viel zur PUK (wohl v.a. politischer Wille).

Brilliant but devastating editorial in the Financial Times. “In the past 10 days, he [Trump] has all but incinerated 80 years of postwar American leadership. If you are not at the table, you are on the menu. America has turned.”

Nonsense headline by @watson.ch. "Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access ..." en.wikipedia.org/wiki/Lavabit

This a welcome and not unexpected move from Apple. Weakening encryption for one government ultimately weakens it for everyone, particularly given the current geo-political challenges the world is facing

If the US administration destroys existing initiatives and re-prioritizes the resources to new goals, this will invariably affect the global cyber security situation. @lukasmaeder.bsky.social has a thoughtful scenario what might happen in @nzz.ch. A few highlights. 1/n www.nzz.ch/pro/trump-bi...

There are few Swiss politicians I respect as much as @meretschneider.bsky.social. I do not necessarily support her policies, but she is considerate, funny and she has no fear to stand up against power. What I miss are many other Swiss politicians supporting her in this shitstorm in public.

After years of searching I finally found it.

This fictional scenario in @inside-it.ch draws on patient data manipulation in the course of an attack na hospital. Do we have any evidence this has happened in the wild as the author suggests?

This was never really about free speech, was it? The NSA being ordered to purge its websites from pages containing words like "privilege" is a troubling blow to cyber security. "Privilege escalation" will probably continue in darkness. #AlzheimerPolitics popular.info/p/the-nsas-b...

This explains a lot. #SBB