David Harley
davidharley copy 2
David Harley
Senior Research Fellow
Go to latest posts

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2006, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Password Practice Revisited

A few months ago Randy and I put together a white paper on password "good practice" (  In it, I quoted the following table of The Ten Most-Used Passwords (sourced from 1 123456 2 password 3 12345678 4 1234 5 pussy 6 12345 7 dragon 8 qwerty 9 696969 10 mustang  Today, I came

Shortened URLs

Now here's a useful link (thanks to Mikko Hypponen for the tweet that brought it to my attention). I've made the point several times here about being cautious about URLs shortened by, tinyurl and the many others. Which is why when I flag our blogs and papers on twitter, I normally use tinyURL or

Paedophilia and the “Trojan Defence”

This is a follow-up of sorts to Jeff Debrosse's thoughtful post recently on the problem of possible conviction for the possession of illegal paedophiliac material of individuals who had no knowledge of its presence. More recently, a tweet by Bob McMillan drew my attention to an article by Geoff Liesik on "Authorities scoff at 'child porn

Thanksgiving and Cyber Monday revisited

 With Thanksgiving and the start of the holiday shopping season almost upon us, I notice that quite a few sites are giving safe surfing advice. Since we already covered that a few days ago, I'll just post these pointers to those blogs. :) Is Cyber Monday the End of Shopping as We Know it?

IBot revisited (briefly)

I don't want to flog (or blog) this iPhone bot thing to death: after all, the number of potential victims should be shrinking all the time. However, having updated my previous blog (  on the topic a couple of times, I thought I'd actually go to a new blog rather than insert update 3. So here are the update bits

Qinetiq Energy: A Patent Leathering

[Update: Michael St Nietzel also pointed out that there's an issue with installers that verify a checksum before installation. In fact, this is a special case of an issue I may not have made completely clear before: unless this approach is combined with some form of whitelisting, there has to be some way of reversing the modification

iBot Mark 2: Go Straight To Jail Do Not Pass Go

[Update, courtesy of Mikko: this worm targets at least one Dutch bank, and activates when users go to the online bank with an infected iPhone ] [Update 2, courtesy of Paul Ducklin: how to change the password of an infected phone. I could just tell you what the password is, but you might want to read

And talking of Cyber Monday…

Even in Europe, we have a rough idea of what Thanksgiving is about, though we don't celebrate it at the same time or in the same way. However, Black Friday and Cyber Monday are rather less well known outside the US. Since Randy has already blogged on Cyber Monday and its security implications at, I took the

Great Hoax From Little Acorns…

I learned a new word today. "Glurge", according to, an essential resource when checking the validity of dubious chain letters, glurge is the sending of inspirational (and supposedly true) tales … that often … undermine their messages by fabricating and distorting historical fact in the guise of offering a "true story". I came across

The Honour’s All Mine

(Much) earlier this year, Randy posted a blog on some email he received about his inclusion into the 2009/2010 Princeton Premier Honors Edition Registry ( I was reminded of it (yes, Randy, someone does read your blogs ;-)) when I got a couple of emails telling me I'd been nominated for an entry into the

Biting the Hand that Feeds You?

Verizon has just done something rather brave. The company has issued a report on "ICSA Labs Product Assurance Report" ( that talks about the difficulties that most products have in meeting the requirements of ICSA Labs certification. Why is it brave? Because those companies provide ICSALabs with a healthy income, and might therefore be a


Cyberwar, cyberterrorism, cybersigh…(gosh, that's almost a palindrome…) However, if you get past the cyberbuzzwords, there are some interesting articles around at the moment. On the Infosecurity Magazine, there's an article called "Cyberterrorism: A look into the future", contributed by the (ISC)2 US Government Advisory Board Executive Writers Bureau. More thoughtful than you might expect from

No Mule’s Fool

After a few years in the security business, it's easy to get a bit too used to the background noise, and forget that not everyone is familiar with concepts like phishing (see Randy's recent blog at, or botnets ("whatever they are", as my brother said to me quite recently), or money mules. I've written

What a performance!

 We came across an interesting test report at Symantec commissioned a comparative performance test from Passmark. That is, a test measuring performance in terms of speed and resource usage rather than looking at detection rates. Not surprisingly, Symantec came out very well overall, and deserves congratulations for demonstrating how far it's gone in addressing

Botnets, Complacency and the UK Government

Gadi Evron drew my attention in an article for Dark Reading to a piece in IT Pro by Asavin Wattanajantra. The piece quotes Dr. Steve Marsh, of the UK's Cabinet Office (the Office of Cyber Security, to be precise) as saying that botnet operators are interested in money-generating attacks on the private sector, not causing

AVIEN blog: Absolute Elsewhere

Strangely enough, I'm actually encouraged to contribute to other blog pages, perhaps in the hope that I'll stop cluttering this page with rubbish about iPhones. Today I've finally remembered that I'm supposed to contribute regularly to the AVIEN blog page at You might find these a little lighter in tone than I tend to

Is There A Lawyer In The Lab?

Now that the end-of-year security conference season is winding down, we're able to start making available some of the presentations and papers that we've been building up in the past few months, but haven't been able to make publicly available ahead of the events for which they were written. We've already made available a slide

When is a worm not a worm?

Will No-One Rid Me Of This Turbulent Hacker Tool? ( I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it's a significant development (see, there comes a point where the sheer volume of discussion of the subject gives it more importance

iPhone Hack Tool: a Postscript

Update: there's more information on the Windows 7 exploit mentioned below in a Register article at Update 2: I keep seeing references to this as a virus or worm. However, the code I've seen does not contain any self-replicative functionality. It's not even a Trojan, as such. Following an extract from one of my

iPhone/Privacy.A: a bit more info

In my previous blog on this topic (, I said that I didn't know if this hacking tool worked under Windows as well as OSX/Unix and Linux. I've subsequently exchanged email with Philippe Devallois at Intego, who tells me (thanks, Philippe!) that in principle, it will work fine with Windows. It's written in Python (as

Follow us

Copyright © 2016 ESET, All Rights Reserved.