Bio

David Harley

Senior Research Fellow

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Articles by author

Win32/Duqu: It’s A Date

For the last few days, much malware research time has been devoted to the brand-new malware that ESET calls Win32/Duqu. One of the features that makes this kind of malware particularly interesting is that it very closely resembles Stuxnet, one of the most sophisticated worms of recent years. Last year we performed in-depth analysis of

A little light relief

Recently I've been collecting examples of comment spam. Essentially, this is for a research project that is somewhere fairly low on my to-do list. However, it does have a more positive aspect: whenever I feel at a loss for words and losing faith in my own wordsmithing ability, I scroll down to see what nice

Testing presentation slides: old whine in new bottle

The slides from an AMTSO-oriented presentation by Larry Bridwell and myself at this year's Virus Bulletin conference, on "Daze of whine and neuroses (but testing is FINE)", are now available on the Virus Bulletin site (along with some other excellent presentations). The paper on which the presentation is based is on the ESET white papers

Facebook, the natural home of the hoax

You may have noticed a lot of excitement about Facebook's latest attempts to prune your privacy, and you'll probably see more commentary on this blog. Here's something a little different: a good old-fashioned chainletter that seems to be flourishing despite all its logical flaws. The story is at SC Magazine's Cybercrime Corner, to which I

California Healthcare Breaches

Sadly, I’m now back in not-so-sunny England, but one of my colleagues forwarded me an item about security breaches reported by healthcare organizations. On January 1st it became mandatory in California for such organizations to report incidents where non-anonymized patient data may have been intentionally or unintentionally disclosed to someone unauthorized. In the first five months,

Orwell, Double‑Think, and Anti‑sec

Full Disclosure (the concept, not just the mailing list): apparently, it’s all the fault of the security industry. Well, most things are. Still, this is a bizarre little story. (Tip of the hat to the entirely normal Rob Slade for calling my attention to it.) Apparently an individual or group calling itself The Anti-sec Movement replaced every image

Nothin’ tweet about me

I’m still getting the occasional request to follow on my most obscure Twitter account, which is protected (meaning that I have to approve requests to follow me on there). Sorry, but if I don’t know who you are, you won’t get approved on that one. Even if I do know who you are, you won’t

Statistical Accuracy and the Gullibility Gene

SC Magazine in the UK picked up on our Global Threat Report for June, based on statistics that derive from our ThreatSense.Net® threat-monitoring technology. Thanks, Dan: when you do as much writing as I do, it’s comforting to know that someone is reading it. ;-) I thought, though, I’d develop some thoughts on a topic arising

Waledac, VirusTotal and some AV fallacies

[Since the owner of the blog described below interpreted this blog as a personal attack and marketing BS, I’ve removed information that identifies his blog. Which is a pity, because his blogs on the topic actually include useful information. I’m not withdrawing the whole blog, because it isn’t marketing and it isn’t about our product:

Waledac: after the fireworks

I’d like to thank the City of San Diego for welcoming me with a firework display last night. It was just what I needed after 22 hours in planes and airports. :-) Maybe just a little quieter next time? (London did much the same thing to me with its Millennium celebration.) It did look pretty

June ThreatSense Report

We’ve just finished working on our monthly Threat Report. There aren’t many surprises in the top ten threats for June. Conficker has taken over the “top spot”, relegating INF/Autorun to second place. It’s difficult to say for sure what the significance is, given the relatively small percentage point involved: minor fluctuations in proportions from month

Blackberry Sundae

Having worked quite a lot in recent years in the public sector in the UK, I’m not at all surprised that RIM (Research in Motion) is bullish about being assessed by CESG as suitable for use with restricted government data. However, it’s not altogether clear from the documentation published by RIM what this actually means.

Popularity and Spurious Statistics

I’ve just been observing a slightly bizarre email thread about the whatdoestheinternetthink?net site, which is apparently aiming to be the place to go if you want a global enquiry tool to find out what the online world thinks about any given subject. You enter a search term, it submits to one or more search engines, and it

Sex and the e‑City

It’s often claimed that men think about sex every seven seconds. Sorry, where was I? Oh yes… I’m not sure where that pseudo-statistic comes from: apparently not from the Kinsey report as is often claimed, and a more recent poll, while reflecting perhaps more liberated views about sexuality than could be admitted to in the

Microsoft Beta Than ESET?

I really didn’t think that Microsoft’s beta AV product would necessitate three blogs: it is, after all, just a beta release. However, I was surprised just now to read an article by Mark Mayne of SC Magazine that claims the product is “going head-to-head with a range of AV vendors, from Symantec and McAfee through

Microsoft AV Revisited

Alex makes a couple of interesting points in his comment on Randy’s blog yesterday about Microsoft’s “Security Essentials” antivirus (as does Randy, of course, but there’s no surprise there.) Alex is suggesting, I think, that Security Essentials isn’t so much a freebie as a value-add to something you’ve already paid for (i.e. Windows). That’s a pretty interesting,

Mugs and Muggings, Scams and Facebook

The estimable Gadi Evron has posted an article at DarkReading about a dialogue he was caught up in on Facebook. One of his contacts popped up in a Facebook Chat window and told him how she’d been held at gunpoint and robbed in London, losing her credit card, cash and mobile phone. Well, having

Blog Spam? No Comment….

I’d like to say thanks to Sean, who commented on my first blog on Orbasoft blog spam (don’t miss the later blog!) as follows: “These people are still not telling the truth. This software has been tested several times in the last few days and has been verified as a Rogue. It is on average detecting

Orbasoft Comment Spam Revisited

Many thanks to Jens in Denmark, who commented on my previous blog about Orbasoft comment spam. Jens says: “Orbasoft is a real company, situated in Denmark. But they hired an Indian company to spam blogs with comments on their products (“search engine optimization”)…[they] wrote 300 positive comments – for the price of $900.” Well,

Nine Ball: Juggling with VirusTotal

There’s been some media interest in an alert from WebSense about something they call Nine Ball (he said, trying to keep his sense of humour in check). It has some pretty interesting characteristics. I’d like to pick up, though, one point that the reports I’ve seen have rather overstated. WebSense mentioned that vendor detection is low on

Orbasoft Comment Spam

Comment spam is one of those nuisances that career bloggers see a lot of: at least, we would if we didn’t use filters to control most of it before it gets to us. In general, these either overtly advertize something which has nothing whatsoever to do with the blog topic, or say something that add

Cloud Computing and the Psychology of Security

OK. No dubious metaphors about clouds and stormy weather. Maybe. We all know, because we’ve been told so many times, that cloud computing, whatever that is, is going to be the salvation of not only the anti-malware industry, but the rest of the software industry. NIST (National Institute of Standards and Technology, whose Computer Security Division

Facebook: Computeracy by Degrees

When I first went to university at the end of the 1960s (yes, I really am that old, though not quite old enough to be of that generation that only remembers that decade through a haze of psychedelic phenomena), my choice of social sciences was regarded as somewhat fluffy. It was the age of “the

Data Protection: not a priority?

Data protection in the UK and Europe may mean something a little different to the way most Americans would understand it. The UK’s Data Protection Act is, like other local legislation in EC countries enacting the EU directive Data Protection Directive 95/46/EC, concerned less with the security mechanisms you use (or don’t use) to protect your