2022

• URL filtering vulnerabilities in lxml
• Preventing (and fixing) parser mismatch vulnerabilities
• What is a parser mismatch vulnerability?
• The surprising complexity of interpreting X-Forwarded-For safely

2017

• An informal security assessment of Imzy (part 2)
• An informal security assessment of Imzy (part 1)
• Curl, unquoted URLs, and LANGSEC
• Securing my Clojure photo gallery: Let’s Encrypt certs on NFSN

2011

• How to move personal publishing to the desktop

2010

• Force SSL for Wikipedia (for advanced users)

2008

• Webapp security: Different DB permissions for different requests

2007

• Of LED art, suspicion, and a girl named Star
• When torrents bite back
• Open surveillance to the public

2006

• Using Tor correctly: Anonymous browsing edition
• Upgrade Tor to TRUE latest version (in Ubuntu)
• Use your home computer from work (VNC over SSH)
• Why not to click on links in unexpected email
• Because even terrorists blog, apparently
• Anti-filming system will fail
• Arbitrary code execution – why?
• Of security seals and window screens
• Google redirection on public WiFi