Writing

I have been writing non-fiction for as long as I can remember, from popular science articles as a mathematics student to various kinds of music journalism in the late 1990s and early 2000s.

I started writing about digital security in 2007 next to my regular duties, with hundreds of blog posts published on Virus Bulletin’s blog. I also kept a popular weekly threat intelligence newsletter in 2018 and 2019.

This page contains a selection of my writing at Virus Bulletin and elsewhere on digital security, some of which can also be found on my Medium page. More personal writing can be found on my blog.


Field Guide to Incident Response for Civil Society and Media (with Internews, November 2023)

Global Trends in Digital Security: Civil Society and Media, as well as country threat landscape reports for Armenia, Brazil, Mexico, Serbia and Ukraine (with Internews and Afef Abrougui, November 2023)

Malware Campaigns Targeting Armenian Infrastructure and Users (with CyberHUB-AM, October 2023)

Privacy tools (not) for you (Silent Push, December 2021)

Chapter (on stalkerware) in 97 Things Every Information Security Professional Should Know (O’Reilly, September 2021; book edited by Christina Morillo)

IcedID Command and Control Infrastructure (Silent Push, March 2021)

David Epstein — Range (book review) (Medium, January 2021)

It’s Always DNS – But Not in the Way You May Think (Tripwire, January 2021)

The promises of secure email (Medium, December 2020)

IoT Devices: Privacy and Security in Abusive Relationships (Tripwire, October 2020)

Article in Tripwire's The State of Security blog

PhantomLance Android malware highlights the complexity of the mobile threat (Civilsphere, May 2020)

Cybersecurity as a social science (Virus Bulletin, December 2019)

Stalkerware poses particular challenges to anti-virus products (Virus Bulletin, October 2019)

Threat intelligence teams should consider recruiting journalists (Virus Bulletin, January 2019)

The security industry is genuinely willing to help you do good work (Virus Bulletin, August 2018)

Brave Move Good For Tor And Privacy (Forbes, July 2018)

Turkish Twitter users targeted with mobile FinFisher spyware (Virus Bulletin, May 2018)

A crime against statistics that is probably worse than the cyber attacks faced in County Durham (Virus Bulletin, February 2018)

There is no evidence in-the-wild malware is using Meltdown or Spectre (Virus Bulletin, February 2018)

Book review: Serious Cryptography (Virus Bulletin, January 2018)

Tips on researching tech support scams (Virus Bulletin, January 2018)

Vulnerabilities play only a tiny role in the security risks that come with mobile phones (Virus Bulletin, November 2017)

The case against running Windows XP is more subtle than we think it is (Virus Bulletin, September 2017)

Patching is important even when it only shows the maturity of your security process (Virus Bulletin, September 2017)

By removing VPNs from its Chinese App Store, Apple turns its biggest security asset against its users (Virus Bulletin, August 2017)

WannaCry shows we need to understand why organizations don’t patch (Virus Bulletin, May 2017)

Why the SHA-1 collision means you should stop using the algorithm (Virus Bulletin, March 2017)

Security products and HTTPS: let’s do it better (Virus Bulletin, February 2017)

We shouldn’t forget those most vulnerable in our digital world (Virus Bulletin, February 2017)

To make Tor work better on the web, we need to be honest about it (Virus Bulletin, May 2016)

It’s fine for vulnerabilities to have names — we just need not to take them too seriously (Virus Bulletin, April 2016)

Security vendors should embrace those hunting bugs in their products (Virus Bulletin, February 2016)

(How) did they break Diffie-Hellman? (Ars Technica, November 2015)

Op-ed in Ars Technica

‘Why I fell victim to a LinkedIn scam – and why I would do so again tomorrow’ (grahamcluley.com, September 2015)

You are your own threat model (Virus Bulletin, May 2015)

What would Cameron’s ‘anti-terrorism’ proposals mean for the UK? (Virus Bulletin, January 2015)

Book review: Countdown to Zero Day (Virus Bulletin, December 2014)

How the NSA cheated cryptography (Lapsed Ordinary, September 2013)

And the devil is six: the security consequences of the switch to IPv6 (Virus Bulletin, February 2012)