J.M. Porup

Senior Writer

J.M. Porup has been a security geek since 2002, when he got his first job in IT. Since then he's covered national security and information security for a variety of publications, and now calls CSOonline home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent.

Does cyber insurance make us more (or less) secure?

Underwriting cyber risk remains more art than science, but in the absence of regulation, cyber insurance might still be the best hope for improving cybersecurity practices across the board — at least for now.

Information security in a war zone: How the Red Cross protects its data

The International Committee of the Red Cross faces unique and extreme security threats across the globe. Technology is not always the best defense.

What is Shodan? The search engine for everything on the internet

Defenders find this simple tool valuable for finding vulnerable devices attached to the web that need to be secured.

Scapegoating security researchers harms society

Want your government to stop punishing the security community for its own lapses? Become a better teacher and advocate for what you do.

GreyNoise: Knowing the difference between benign and malicious internet scans

Used with Shodan, this "search engine that looks at people scanning the internet" can help you pick bad actors out of the noise.

Katie Moussouris: It’s dangerous to conflate bug bounties and vulnerability disclosure

“There are two extremes right now: no idea where to start or do a bug bounty,” says Moussouris, who built Microsoft's vulnerability disclosure program.

Georgia governor vetoes bill that would criminalize good-faith security research, permit vigilante action

Veto comes in response to overwhelming criticism from industry. Georgia cybersecurity folks had been outraged about SB 315, and warned that it could cost the state jobs.

Online voting is impossible to secure. So why are some governments using it?

If you thought electronic voting machines were insecure, wait 'til you meet online voting. Dr. Vanessa Teague has twice demonstrated massive security flaws in online voting systems. Instead of fixes and support, she got official...

What is cross-site scripting (XSS)? Low-hanging fruit for both attackers and defenders

With XSS, attackers enter malicious code into a web form or web app URL to trick the application into doing something it's not supposed to do.

Voting machine vendor firewall config, passwords posted on public support forum

"This is gold" for a nation-state attacker that wanted to hack an election.

Want to hack a voting machine? Hack the voting machine vendor first

How password reuse and third-party breaches leave voting machine vendors vulnerable to attack.

1.4B stolen passwords are free for the taking: What we know now

The 2012 LinkedIn breach, along with other old third-party breaches, is still paying dividends for criminals, who now have free access to 1.4 billion previously exposed email addresses and passwords.

8 security tools and tips for journalists

Journalists have a giant red target on their backs. How can we defend ourselves?

Insecure by design: What you need to know about defending critical infrastructure

Patching is useless most of the time, industrial control systems (ICS) security expert tells Senate committee.

New Cyber Security Style Guide helps bridge the communication gap

Poor communication is a security flaw. Time to patch.

Another massive DDoS internet blackout could be coming your way

A massive internet blackout similar to the Dyn DNS outage in 2016 could easily happen again, despite relatively low-cost countermeasures, according to a new study out of Harvard University.

What is SQL injection? This oldie but goodie can make your web applications hurt

SQL injection attacks are well-understood and easily preventable, and the priority for risk mitigation should be preventing SQL injection attacks in the first place. Listen to Little Bobby Tables and sanitize your database inputs.

Security lessons from the 2018 Pyeongchang Winter Olympics

Shiny buttons that go "ping!" considered harmful.

What does the GDPR and the "right to explanation" mean for AI?

Security teams increasingly rely on machine learning and artificial intelligence to protect assets. Will a requirement to explain how they make decisions make them less effective?

The Qubes high-security operating system gains traction in the enterprise

Qubes OS defends at-risk enterprise users from targeted attacks, as well as drive-by malware and the Meltdown exploit.
