
Cheating in Single-Player Freemium Games

About 15 days ago I bought the game Muffin Knight for $2.99 from the Android Market. Muffin Knight is a freemium game. Maybe that's not a completely precise label due to the $2.99 upfront cost but the point is that there is an in-game currency that players can purchase more of with real dollars. This in-game currency, stars, is used to level up your characters, to acquire new skills, and to increase your health points. Usually you get 1 star for each level you reach. A back-of-the hand calculation reveals that you would need about 150 stars to unlock everything. That's quite a lot of levelling.

About 15 years ago I was young and very interested in cheating in computer games. In fact - and literally nobody who reads this blog post knows this - the first app I wrote for public consumption was a cheat database. Its competitive advantage over other cheat databases was that mine had a save game patching engine. It allowed you to patch save game files for games included in the database and it allowed you to extend that engine with your own save game cheats. The commercial success of this program was $10, a pity buy from a friend. Its social success was worse, as one of my school teachers commented in my website guestbook. This was considered deeply uncool at the time. Later I also wrote a few game trainers (the ones where you get extra money by pressing certain key combinations) for Windows games.

Nowadays, while playing Muffin Knight, I am starting to feel an old itch again that I have not felt in a while. I am now a level 62 Muffin Knight with most expensive things unlocked. I need about 50 more stars to unlock the rest just to reach the feeling of having beaten the game completely. 50 stars go for $4.99 if I buy them the official way or they go for nothing if I modify the save game. I have not actually looked into modifying Muffin Knight save games yet but according to http://forum.xda-developers.com/archive/index.php/t-1395221.html save games can be traded so I don't see why they could not be modified. And even if they could not be modified, I have plenty of means to change the program code of Muffin Knight or modify the memory of the running process. In the end, I am sure that I could get the 50 stars for free using some sort of cheat technique.

I am wondering what the moral implications of this are. Back in the old days, I only wrote cheats and trainers for single-player games. Using such cheats never hurt anybody. The game developers had already been paid. The lack of other players meant that only the player who chooses to cheat is affected. Everything is morally in the clear here. But what about freemium single player games like Muffin Knight? I already paid $2.99 to get the game. Does that make it OK to use cheats to access in-game content?

Let's separate things out a bit. There are freemium games like Muffin Knight and there are freemium games like Paradise Island and Tap Fish. Their freemium mechanics are very similar with one significant difference. Muffin Knight is structured kind of like Diablo 2. Getting everything in these games is an unbearable grind but it's possible. Getting everything in Paradise Island or Tap Fish is basically not possible unless you reach a biblical age or punch your credit card number into the right form. I call games from the second category 'unsafe for children scam apps'. They are really just wallet openers hiding behind pretty colors. If anybody cheats in games of this category I am not going to shed a single tear.

Now I am wondering what the closest analogy of freemium content to games of 15 years ago is. I think an optionally purchasable piece of in-game content is closest to an expansion pack. It's a tiny expansion pack but it is one. You pay money to add something to the game. Think of the purchased stars in Muffin Knight as less of an in-game currency and more of what you can get for them: three extra classes and more health points. From this point of view I would have a problem cheating in Muffin Knight. The developers offer an expansion pack for purchase and just because I could cheat my way into having it is no different than downloading an old PC game expansion pack off some torrent site.

I think for now I will keep grinding Muffin Knight but I am interested in what other people think about this.

I have also noticed a disturbing lack of cheats for Android games which might tie in with the general theme of this topic. What's the deal here? Lack of tools, lack of interest, problems with morality of stealing freemium content? Tools are available, Dalvik is easy to understand. It's been a long time since getting into game cheating has been so easy.

Release of SWFRETools 1.3.0

It's only been two weeks since I released version 1.2.0 of my SWF reverse engineering tools collection SWFRETools and here is already the next version. This new version 1.3.0 focuses primarily on allowing users to pass command line arguments to Flash Dissector to do useful things like unpack compressed SWF files or dump the content of SWF files to stdout. The latter is very useful because it is easier to understand disassembled ActionScript code when you have it in a real code editor instead of the (still) crude GUI of Flash Dissector. Here is an example of what the output of such a dump looks like.

The official list of changes:

  • Feature: It is now possible to dump the content of a SWF file to stdout by doing 'dissector.jar -dump <input file>'.
  • Feature: It is now possible to decompress SWF files by doing 'dissector.jar -decompress <input file> -o <output file>'.
  • Feature: It is now possible to open files in SWF Dissector from the command line doing 'dissector.jar <file1> <file2> ... <filen>'.
  • Feature: Function bodies defined by the ActionScript 2 functions DefineFunction and DefineFunction2 are now aligned better in the GUI to improve readability of the code.
  • Feature: Individual elements of a SWF file can now be dumped to a new file by right-clicking on the elements in the main tree of the GUI.
  • Bugfix: Fixed a bug in the Minimizer that prevented it from working with compressed SWF files.

As usual you can download the SWFRETools from GitHub. If you find bugs or want features to be added to the SWFRETools, please open issues on GitHub. I am thankful for any kind of feedback I get.
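What the decompress step amounts to, as an added example that is not code from SWFRETools: a compressed SWF file starts with the signature `CWS`, and everything after its 8-byte header is a zlib stream. The function names, the sample builder and the 64 MiB cap are assumptions made for this sketch; the cap and the length checks are there because the length field in the header is supplied by whoever created the file.

```python
import struct
import zlib

HEADER_LEN = 8                   # signature (3) + version (1) + file length (4, LE)
MAX_SWF_SIZE = 64 * 1024 * 1024  # analyst-chosen cap (assumption), not part of the format


class SwfError(ValueError):
    """Raised when the input is not a SWF file this example can unpack."""


def decompress_swf(data: bytes, max_size: int = MAX_SWF_SIZE) -> bytes:
    """Return the uncompressed (FWS) form of a SWF file held in memory."""
    if len(data) < HEADER_LEN:
        raise SwfError("file shorter than the 8-byte SWF header")
    signature, _version, declared_len = struct.unpack("<3sBI", data[:HEADER_LEN])

    if signature == b"FWS":
        return data                      # already uncompressed
    if signature != b"CWS":
        raise SwfError(f"unsupported signature {signature!r}")

    # The header's length field is the size of the *uncompressed* file,
    # header included. It is attacker-controlled, so bound it first.
    if declared_len < HEADER_LEN or declared_len > max_size:
        raise SwfError(f"implausible declared length {declared_len}")
    body_len = declared_len - HEADER_LEN

    # Inflate at most one byte more than declared: enough to notice a
    # stream that expands past its header without inflating all of it.
    inflater = zlib.decompressobj()
    try:
        body = inflater.decompress(data[HEADER_LEN:], body_len + 1)
    except zlib.error as exc:
        raise SwfError(f"corrupt zlib stream: {exc}") from exc

    if len(body) > body_len:
        raise SwfError("stream inflates past the length declared in the header")
    if len(body) < body_len or not inflater.eof:
        raise SwfError("zlib stream is truncated or shorter than declared")

    # Same version and length bytes, only the signature changes.
    return b"FWS" + data[3:HEADER_LEN] + body


def build_sample_cws(body: bytes, declared_len=None, version: int = 10) -> bytes:
    """Build a constructed CWS file for testing (not a real Flash movie)."""
    if declared_len is None:
        declared_len = HEADER_LEN + len(body)
    header = b"CWS" + bytes([version]) + struct.pack("<I", declared_len)
    return header + zlib.compress(body)


if __name__ == "__main__":
    sample = build_sample_cws(bytes(range(256)) * 4)
    unpacked = decompress_swf(sample)
    print(unpacked[:3], len(sample), "->", len(unpacked))
```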

Release of SWFRETools 1.2.0

I have just made version 1.2.0 of my SWF reverse engineering tools collection SWFRETools available for download. This release focused on improving the disassembly quality of ActionScript 2 code after a user reported some issues last Friday. Specifically the changes I made are:

- Feature: Made parsing of files more robust. This became necessary after the recent spike in obfuscated ActionScript code malware.
- Feature: Unknown ActionScript 2 instructions are now shown in the GUI with their action code.
- Feature: In ActionScript 2 code, the jump target of ActionIf instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: In ActionScript 2 code, the jump target of ActionJump instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: Strings defined in ActionScript 2 ConstantPool actions are now surrounded by quotes to make them more readable.
- Feature: When ActionScript 2 code is shown in the GUI, registers pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, constants pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, strings pushed by ActionPush are now easily distinguished from pushed integers.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoInitAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: The constant list defined by an ActionScript 2 ConstantPool instruction is now better formatted for improved readability.
- Bugfix: ActionScript 2 Push instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PushDuplicate instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Pop instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Play instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PreviousFrame instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RandomNumber instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RemoveSprite instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Return instructions were previously not shown in the GUI.

Happy using and please use GitHub to open tickets for problems or feature requests you encounter. Or alternatively shoot me an email. 
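An added sketch of three of the changes listed above (adjusted jump targets, unknown instructions shown with their action code, and parsing that survives malformed input); it is not code from SWFRETools. It assumes the "adjusted address" is the offset of the following action plus the signed 16-bit branch offset, which is how the SWF format defines ActionJump and ActionIf; the output format, function name and sample bytes are constructed for this example.

```python
import struct

# Subset of ActionScript 2 action codes from the SWF file format specification.
ACTION_NAMES = {
    0x00: "End", 0x05: "PreviousFrame", 0x06: "Play", 0x17: "Pop",
    0x25: "RemoveSprite", 0x30: "RandomNumber", 0x3E: "Return",
    0x4C: "PushDuplicate", 0x88: "ConstantPool", 0x96: "Push",
    0x99: "Jump", 0x9D: "If",
}
ACTION_END, ACTION_JUMP, ACTION_IF = 0x00, 0x99, 0x9D


def disassemble(code: bytes):
    """Return a list of (offset, text) pairs for one AS2 action block."""
    listing = []
    pos = 0
    while pos < len(code):
        start = pos
        opcode = code[pos]
        pos += 1
        payload = b""

        # Actions with the high bit set carry a UI16 length and a payload.
        if opcode >= 0x80:
            if pos + 2 > len(code):
                listing.append((start, f"<truncated: action 0x{opcode:02X} has no length field>"))
                break
            (length,) = struct.unpack_from("<H", code, pos)
            pos += 2
            if pos + length > len(code):
                left = len(code) - pos
                listing.append((start, f"<truncated: action 0x{opcode:02X} claims "
                                       f"{length} payload bytes, {left} left>"))
                break
            payload = code[pos:pos + length]
            pos += length

        name = ACTION_NAMES.get(opcode)
        if name is None:
            # Keep going instead of aborting: obfuscated files rely on
            # tools giving up at the first unknown action.
            text = f"Unknown(0x{opcode:02X})"
        elif opcode in (ACTION_JUMP, ACTION_IF):
            if len(payload) != 2:
                text = f"{name} <malformed: payload is {len(payload)} bytes, expected 2>"
            else:
                (rel,) = struct.unpack("<h", payload)
                target = pos + rel          # pos is the offset of the next action
                text = f"{name} {target:#06x} (raw {rel:+d})"
                if not 0 <= target <= len(code):
                    text += "  ; target outside action block"
        else:
            text = name
        if payload and opcode not in (ACTION_JUMP, ACTION_IF):
            text += f" [{payload.hex()}]"

        listing.append((start, text))
        if opcode == ACTION_END:
            break
    return listing


# Constructed action block: Push true; If +1; Play; unknown 0xEE;
# Jump back to Play; End.
SAMPLE = bytes.fromhex("9602000501" "9d02000100" "06" "ee0000" "990200f7ff" "00")

if __name__ == "__main__":
    for offset, text in disassemble(SAMPLE):
        print(f"{offset:04x}  {text}")
```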

Release of SWFRETools 1.1.0

Two weeks ago I gave a presentation at SOURCE Boston where I released a new collection of open-source tools for Adobe Flash SWF file reverse engineering. I am developing these tools, called SWFRETools, to help reverse engineers like vulnerability researchers and malware analysts that have to deal with SWF files regularly. Today I have published version 1.1.0 of the SWFRETools on GitHub for everyone to download.

As of right now, the SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers that have a SWF file that crashes Flash Player and now they want to get rid of all parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable.

Flash Dissector hex view showing the binary content of a SWF file

Flash Dissector code view showing ActionScript 3 code in a SWF file 

Data mining H-1B salary data

Recently I became aware that all H-1B salary data is publicly available on the Internet. You can get a very detailed Access database of the salary information and there is even a very nifty web application that allows you to quickly search for whatever salary data you are interested in. Now, these figures are probably the best available resource for figuring out how your salary compares to that of your peers. Unlike salary information from sites like Glassdoor, this salary data is not self-reported but directly taken from H-1B visa proceedings making the salary figures much more truthful.

I had already played around with the web application a few weeks ago and uncovered a few interesting pieces of data (mostly related to information security jobs, the field I am working in) which I posted on my Twitter but until today I had not had time to actually do further analysis with the Access database.

The first thing I tried was to search for the highest average salaries in the database. I applied additional filters like only counting job titles for each company that had at least three granted H-1B visas for each listed position (to remove outliers like CEOs on H-1B visas making millions of dollars, for example). I also aggregated all statistics over the minimum salary specified for each position in the database. Originally I wanted to work with the maximum salary field but apparently this field is optional and not many positions have it listed. Still, I know that at least for my position (I am in the database too) the maximum salary field gives the amount of money I am really making. To make things simpler for me I also only considered salaries given per year and discarded those given per hour.


CanSecWest 2011 - Day 3

The third and last day of CanSecWest 2011 is over. Once again we started with talks at 9:00 AM after a breakfast that was actually better than yesterday's (ask me about eating 8 slices of banana bread). As the official CanSecWest party was yesterday, it was no surprise that only about half of the chairs were occupied for the first talk. Fighting hard to get out of bed, I nearly missed the first talk myself.

Chris Eng and Brandon Creighton of Veracode were first to go up on stage. In the third CanSecWest talk about an Adobe product, they exposed many security issues in ColdFusion web applications. At first they talked about the usual suspects like XSS and SQL injection and what these attacks look like in ColdFusion code. Then they went through a few other issues that are specific to ColdFusion and not existent in other web application frameworks. For me, the funniest part was the incredible amount of variables that are supposed to be server side read-only but still writable by web applications. This has plenty of potential for all sorts of unintended havoc.


The second talk was about automated pointer analysis by my former co-worker Vincenzo Iozzo and his friend Giovanni Gola. They talked about doing interprocedural pointer analysis with the goal of automatically finding bugs like double-frees. After about five minutes in I got a work-related call that occupied me for the next half an hour. Shortly after I had headed back into the conference room, the fire alarm went off. I already had ReCon 2010 flashbacks but fortunately it turned out to be a false alarm. I can't say I saw a lot about that talk, but I am sure it was good.


The fourth and last talk about an Adobe Product came from Richard Johnson of Sourcefire. He described some of the internals of the Acrobat Reader sandbox, that abstraction layer that was introduced in Acrobat Reader 10 to mitigate the effects of Acrobat Reader exploits. He also talked about some of the potential weaknesses in the sandbox, for example how the networking code and the filesystem code is not properly sandboxed, potentially allowing attackers to send file information over the network.


More work-related issues made me miss much of the talk about fuzzing by Dan Kaminsky, Adam Cecchetti, and Mike Eddington. From what I saw they set their fuzzers on applications like MS Office, OpenOffice, and Acrobat Reader and tried to draw conclusions about improvements in product security from the number of exploitable crashes (as determined by !exploitable) they got. The talk itself was pretty entertaining but the methodology they used to draw the conclusions did not always seem to be solid. Several people asked very good questions during the discussion after the talk. In the end, the speakers made their raw fuzzing results data available to everyone in the form of a SQL dump.


I did not see any more talks today as I had seen the Microsoft talk about fuzzing last week at Microsoft already. I also skipped the last talk because I really don't care enough about fuzzers to see another one of these talks.

So, that is the end of CanSecWest. The line-up this year was pretty fantastic and most of the usual suspects were there. As usual many people are heading up to Whistler again this evening for the post-conference party weekend. Not me, though. Having done this in the last two years already, I actually want to see more of Vancouver now.

CanSecWest 2011 - Day 2

Alright, I am back from day 2 of CanSecWest. Even though we started right at 9:00 AM today, surprisingly many people made it to the conference room at the Sheraton Wall Centre on time. I am detecting disturbing lacks of party dedication there. Or maybe all these people were just like me hoping for a free breakfast. Unfortunately, the free food provided by the hotel gets worse from year to year. Anyway, let's take a quick look at the talks today as the line-up was amazingly strong today.

The day started off with a talk about malware on gaming consoles and mobile devices by DongJoong Ha and KiChan Ahn. They talked about what kind of network attacks are possible by owning some kind of always-connected gaming consoles. They also showed how malicious code can be injected in pirated software to build up botnet capabilities with the help of people that really, really need to get the latest Super Mario game for free. I really enjoyed the talk even though they did not really present new ideas. Rather, they ported known techniques from older devices to game consoles. Still, you can never be wrong talking about game consoles in front of a crowd of nerds.


The second talk was called Dynamic Cryptographic Trapdoors by Eric Filiol. That was the only talk I skipped. Eric is a pretty smart guy and when he talks about cryptography it will fry my brain. I did not need this again. Rather, I went outside to hack away for an hour on my Flash RE tools.

After Eric's talk I went back inside to see Haifei Li's talk about ActionScript 3 vulnerabilities in Flash. He focused on type confusion in the ActionScript virtual machine caused by mismatches between what the ActionScript code verifier verifies and what the ActionScript JIT compiler compiles and executes. Due to my day job I have seen exactly that kind of bug roughly a million times already. Still, Haifei's talk was interesting and it is good to see what kind of work other people do on Adobe stuff.

After lunch (my food quality complaint still applies), Andrea Barisani and Daniele Bianco of Inversepath talked about Chip & PIN cards which are very popular in Europe. They talked a bit about the Chip & PIN standard, its weaknesses, and potential attack vectors. They also brought some surprisingly small skimming devices to show to the audience. Even though this is not my kind of topic, the talk was the most interesting talk of the day. As part of their presentation, Andrea and Daniele produced a short movie that can only be described as legendary. I have already asked them to upload the video to YouTube but unfortunately they did not warm up to that idea.


The next talk was by Ilja van Sprundel. Oh no, wait. When it was time for Ilja's talk he was not to be found anywhere. Instead, Graeme Neilson went on stage to give his talk first. Graeme talked about different network devices like switches and how to install rootkits on them. As part of his research he took a look at 10 devices from different vendors like Cisco, Juniper, Checkpoint, and others. He then gave three live demos of how fast he can put his own code onto those devices because of lacking code integrity checks by the network devices.


Afterwards it was finally Ilja's time on stage. Unlike the other speakers, he was not content with water. If the man wants beer, the man gets beer. He talked about iPhone security issues but unlike many other researchers he did not focus on iOS but rather on security vulnerabilities on the application level and the iPhone standard library. Stuff like cross-site scripting in default HTML components, format string vulnerabilities, or the misuse of the C-string functions. Unfortunately, Ilja was confused and surprised by the order and content of his own slides once in a while (see photo).

Then it was time for Michael Ossmann to give his talk about Bluetooth hacking. I do not know anything about Bluetooth or hardware hacking in general, so I can not comment on the content of the presentation. However, his slide set design was one of the best I have ever seen at a security conference and his speaking style was very pleasant too. The audience seemed entertained.

The last talk of the day belonged to Marc Schoenefeld. It was a talk about finding font parser bugs with his fuzzer. Most of the time when someone speaks about his awesome fuzzer at a con, he will not talk about the exploitable bugs he has found with it (because he has not found any). Marc did the opposite. He described bug after bug he found in the font parsing engines of the major browsers and operating systems. I have never seen anybody give his talk as tiefenentspannt as he did. It was great. I can only come up with one word to summarize his talk: Telephone.

And now I am off to the Tron-themed conference party!

Random observations of the day:

- Apple and Blackberry tried to game the Pwn2Own rules by releasing OS updates for their devices only days before the contest. Then they sent their biggest nitpickers to the Pwn2Own people to make sure that new OS version was used in the contest. This caused endless delays and much eye-rolling in the audience. All crocodile tears proved useless in the end and both the Blackberry phone and the iPhone fell as usual. No surprises there. More investment in security and less investment in Lincoln-Douglas courses might have helped.
- Google apparently does not have a single PR person here. Why bother if your browser always survives Pwn2Own?
- This is the first conference ever I am attending where my presence has literally no purpose. I am not giving a talk. I am not trying to connect with anyone. I am not giving product pitches or demos. I feel like I am a bum loitering around there.
- Did I mention the food quality already?

CanSecWest 2011 - Day I

It's CanSecWest time again. How do I know? This morning I woke up in a hotel room and when I looked outside it was pouring cats and dogs. Usually when I wake up in a hotel room it is in a warm and sunny place. Anyway, once again about 400 (I guess) people interested in computer security gathered in the Sheraton Wall Centre in Vancouver, Canada to meet with friends, listen to amazing talks and make fun of HBGary.

The conference started off very unusually. The agenda was on time. That's quite a change compared to the last few years. Admittedly, the organizers moved the first talk to noon this year to make sure that everybody manages to recover from yesterday's conference dinner and karaoke bar. I had arrived early, at around 8, hoping to score some free breakfast which unfortunately did not happen today. I used the four hours to chat with old friends, some of whom I was very surprised to meet here.

At noon the talks started. The first talk was by Brad Woodberg of Juniper. He talked about network application level firewalls. Admittedly I know absolutely nothing about application firewalls, so I can not comment on the content of the talk. He is a pretty decent public speaker though. I enjoyed the talk.

The second talk was by Aaron Portnoy and Logan Brown of Hewlett-Packard. They talked about their blackbox reverse engineering approach to the Adobe Shockwave player. They described what they did to triage crashes in fuzzed Shockwave files having no knowledge at all about the Shockwave file format. Using binary instrumentation and a combination of WinDbg and Python, they described how they were able to figure out the custom memory allocator of Shockwave and other important Shockwave internals. At 90 minutes, the talk was unusually long for CanSecWest but worth every minute. They have also promised to make their tools available if people are interested. I will definitely follow up with them to make that happen.

After this talk we had a lunch break and then Pwn2Own began. For the third year in a row, I ventured up to the Pwn2Own room to see what's going on. As usual, this is what happened: Some guy sat down on a computer, pressed a few buttons on the computer, and then the Hewlett-Packard people declared him a winner and there was a round of applause. That's it. You don't get to see more if you are in the audience. If you have never been there and think the whole contest is more amazing, I am sorry to disappoint there. I only stayed for the Apple Safari ownage.

The next talk I saw was about runtime firmware integrity checking by Yves-Alexis Perez and Loic Duflot. This was a continuation of their talk they gave at CanSecWest last year but this time they focused on the defensive side of firmware attacks. Unfortunately both are not very good at public speaking. I left halfway through the talk to work on some things and talk to people outside the conference room.

Alright, now I am heading out to the conference party. The second day of CanSecWest unfortunately starts at 9:00 in the morning.

Random observations of the first day:

Of all the vendor booths, Google was by far the most popular one. It was packed with people stopping the whole day. Only Amazon managed to keep up with them. Maybe it's because both companies gave away really quirky swag and their booths were staffed by people who looked like engineers. The opposite happened at the Rapid7 booth which was pretty deserted for literally the whole day. That's what you get if you put two suits up there who could not look more like used car salesmen if they tried and you have marketing cards with dollar signs on your table instead of quirky swag.

Alex Sotirov did live reviews of the talks he saw at http://research.phreedom.org/2011/cansecwest/ . I remember how he told me about this idea at PH-Neutral last year but I never thought he would actually ever start doing it.

Google Chrome survived the first day of Pwn2Own, much to my dismay.

Writing file format parsers for reverse engineering tools: Insights from someone who does it too often

During the last year I have implemented quite a few file format parsers for a variety of reverse engineering tools, some in the context of malware detection and others in the context of vulnerability analysis. I wrote file parsers for complex modern file formats like SWF and PDF and for obscure file formats that are older than I and some that are nearly as old as my parents! In total I have written file format parsers for probably around 15 file formats and I have made some observations about the whole process I would like to share.

Data sent home by µtorrent

Last Friday I was debugging random programs I found on my hard drive when I saw this:

Apparently µtorrent is sending lots of unrelated data back to the µtorrent servers when checking for program updates. I wanted to know what. Google was not very helpful. A thread in the official forum was all I found and that thread did not exactly have a lot of information. Apparently I had to figure out things myself.

Unfortunately it turned out that µtorrent is sending a lot more data than can be seen in the screenshot so this little project took longer than originally planned. In fact I am only 90% done but I don't want to put any more time into this. One weekend is already too much time spent on this. So, here's what I figured out.


San Francisco

I'll be on vacation in San Francisco between November 4th and November 17th. If anybody wants to meet up there, please contact me in some way (see the side bar on the right hand side of this page). Possible reasons for hanging out with me include but are not limited to:

  • You work for a cool company and feel like showing me around your office.
  • You work on a cool product/technology and feel like I should see it.
  • You think I work on cool stuff and want to talk about it.
  • You want to talk about reverse engineering, binary code analysis, hacking NES games or anything related to that.
  • You want to get a BinNavi product pitch.
  • You want me to see some special place or event in San Francisco.

A flurry of Web 2.0

A few months ago my friend Rolf Rolles created the Reverse Engineering reddit. It's pretty awesome. It focuses on random reverse engineering related articles and lots and lots of academic papers, mostly for static code analysis. The submission quality is pretty high (or the moderators reject a lot of submissions, I don't really know). So just in case you are not aware of this reddit yet, I suggest you hop over there and subscribe to it.

While we are at it, for those of you stalking me already. I have a Twitter account now. That should make your job easier.


CanSecWest 2009

In a bit less than two weeks I will be attending CanSecWest 2009. If anybody wants to meet me there to talk about reverse engineering, static code analysis, BinNavi, or why Sierpinski triangles are tools of the devil please contact me. You can find my contact information on the right side of this website.

If you do not want to talk about any of the above, you can still watch my talk and tell me your opinion about it. This would be much appreciated. Thank you.

FRHACK organizers are now threatening to sue me

A few days ago I complained about the incredibly awkward IT Security Girl of the Year award that will be dished out later this year at the French IT security conference FRHACK. Apparently the FRHACK organizers did not like what I wrote because they are now threatening to sue me if I do not remove the screenshot of the incredibly inappropriate photos they used to advertise the IT Sec Girl award. The following sentence is from an email I received from one of the FRHACK organizers.

We just ask you to remove this picture http://www.the-interweb.com/bdump/misc/itsec_girl.jpg because these pictures are copyrighted. Thanks to delete your screenshot or we will take legal action.

After I received this email I was incredibly annoyed. It's less about them requesting me to take down the screenshot though. I was more annoyed with their reply in general. In no way did they even bother to address the issue I complained about. This would have been the perfect time to show some character. They could have discussed their point of view. They could have apologized for their mistakes. They could have told me to stuff it (in case they think their point of view is correct; which apparently they don't because they changed their website). All of these (and more) would have been perfect ways to show some personal responsibility and the whole issue would be finished from my point of view.

But that's not what happened. Instead they sent me this incredibly limp-dicked legal threat which I believe to be more about removing evidence that documents their failures than about any legit copyright issues. The passive-aggressive vibes I am getting from this (and the fact that I am allergic to legal threats) piss me off so much that I need to complain about this publicly. I hope I will never have the displeasure to meet any of the FRHACK organizers in real life.

Now the thing is, I do not have the time or the resources to fight their legal threat. I will take down the screenshot in the next few days (probably at one point between now and next Wednesday; whenever I feel like it).

Update: Looks like the screenshot stays on my website. See the end of the original post for a detailed update.

Update 2: Please check out the comments made by the FRHACK team in response to this post. This should clear some things up.

IT Security Girl of the Year

Today I am going to break with the spirit of this website. This entry is not about Programming Stuff as advertised in the title of my blog. Today I am going to complain about something which is only very casually related to Programming Stuff. In some way it is kind of similar to when CmdrTaco used the Slashdot front page to complain about Blizzard making him change his WoW name. It's my website and I post what I want. So if you came here expecting new Programming Stuff you can hit the Back button of your browser now.

Anyway, let's start. I woke up this morning and saw that someone I know will attend the French IT Security conference FRHACK. I began to browse the FRHACK website. I checked out the Events section. I came across something called Best IT Security Girl of the Year. For a split-second I was amused about this obvious little satirical reflection about the role of women in IT and especially IT Sec. I quickly scrolled around to find the IT Security Boy of the Year. There was no such award. It dawned on me that the IT Sec Girl of the Year award is actually a serious award and I started to feel sick.
