• Main Page
• CV
• Photos
• netnea.com
• LinkedIn
• Xing
• Twitter @ChrFolini
• Facebook
• Company of St. George

• Christian Folini
  Ringstrasse 2
  CH–3629 Kiesen

• ☎ +41 (0)31 301 60 71 (H)
• christian.folini@time-machine.ch

 

 

• “As secretary of the Company,
  Christian Folini was effective leader of a group whose reputation for hardcore medieval authenticity was familiar to re-enactors around the world.”
  Tim Moore, I Believe in Yesterday

 

• “Reserve your right to think,
  for even to think wrongly is better
  than not to think at all.”
  Hypatia of Alexandria

 

• “The purpose of computing is insight
  not numbers.”
  Richard W. Hamming

Christian Folini

Welcome to my website. I am a Swiss webserver engineer and security consultant working at netnea.com. I studied History and Computer Science and graduated with a PhD in Medieval History in 2004. I continue this interest with my commitment to the Company of St. George, a medieval reenactment group, which I run together with European friends.

On this website, you will find links to my work in information technology and also texts and publications around history. Outside of that, there are also two or three items about me.

I hold an LPIC-3 certification from the Linux Professional Institute and I have been specialised in Apache Security for more than ten years now. In 2006, I started to work with ModSecurity. I am an active contributor / committer of the OWASP ModSecurity Core Rules project. If you are looking to hire a contractor in this field, then please get in touch.

Publications on webservers and security

2020

• Curated link list to live tweets of the Usenix Enigma 2020 conference (30/January/2020)
• CRS Project News for the month of January 2020 (14/January/2020)
• Blogpost about empty HTTP headers with libcurl / pycurl (13/January/2020)

2019

• Slides of a extended introduction to ModSecurity and CRS in front of the British ComputerSociety’s DevSecOps group (27/November/2019)
• Slides of a presentation about E-Voting in front of the alumnis of the CAS Data Privacy at ZHAW (14/November/2019)
• Article about ModSecurity and CRS in ITNow, the magazine of the British Computer Society (1/October/2019)
• Video of my presentation about ModSecurity / Core Rule Set at the OWASP AppSec Global conference in Amsterdam (26/September/2019)
• Blog Post about the second half of the Swiss Cyber Storm program of 2019 (13/September/2019)
• CRS Project News August 2019 A blog post for coreruleset.org (24/August/2019)
• Blog Post about the first half of the Swiss Cyber Storm program of 2019 (12/August/2019)
• Blog Post about the Swiss Cyber Storm motto of 2019: Embracing the Hackers (16/May/2019)
• CRS Project News May 2019 A blog post for coreruleset.org (1/May/2019)
• Response to the proposed new law about the political rights in Switzerland. I co-wrote this public statement with a security angle. (26/April/2019)
• Blogpost about Regular Expression Denial of Service weaknesses in the CRS project. (25/April/2019)
• Video of my keynote about Medieval Castles and Modern Servers at the Insomni’Hack conference 2019 (22/March/2019)
• Video of my presentation about E-Voting security in front of the Datenschutzforum Schweiz (14/March/2019)
• Slides of my keynote about Medieval Castles and Modern Servers at the Insomni’Hack conference 2019 (22/March/2019)
• Slides of my presentation about E-Voting with the Datenschutz-Forum Schweiz (14/March/2019)
• CRS Project News February 2019 A blog post for coreruleset.org (28/Febraury/2019)
• Guest article with arguments for E-Voting in Swiss newspaper Tagesanzeiger (25/February/2019)
• Video of my E-Voting presentation at the Switch Domainpulse conference (19/February/2019)
• Slides of my E-Voting presentation at the Switch Domainpulse conference (19/February/2019)
• Video Statement with key arguments in favor of E-Voting in Switzerland the the Switch Domainpulse conference (19/February/2019)
• CRS Project News January 2019 A blog post for coreruleset.org (24/January/2019)
• Interview in the Cyber Security Dispatch podcast touching on my career, E-Voting, OWASP and WAFs (3/January/2019)

2018

• CRS Project News December 2018 A blog post for coreruleset.org (27/December/2018)
• Article on the blog of SATW about Trust at this year’s Swiss Cyber Storm conference (13/December/2018)
• Article in magazine SocietyByte about poor reporting on Swiss TV about an E-Voting security issue (20/November/2018)
• Blogpost on the technical background about bad reporting on Swiss TV (20/November/2018)
• CRS Project News November 2018 A blog post for coreruleset.org (14/November/2018)
• Video of my BlackAlps 2018 presentation about DDoS and an alternative defense method (8/November/2018)
• Slides of my BlackAlps 2018 presentation about DDoS and an alternative defense method (8/November/2018)
• Article in magazine Netzwoche about the Swiss Cyber Storm conference that I moderated (31/October/2018)
• Blogpost introducing SCS speaker Oliver Simonnet (18/Oct/2018)
• Blogpost introducing SCS speaker Nicolas Vernaz (11/Oct/2018)
• Blogpost introducing SCS speaker Robert Rogenmoser (10/Oct/2018)
• Blogpost at SATW, introducing the program of the upcoming Swiss Cyber Storm conference (8/Oct/2018)
• Interview with me about Trust in Swiss online magazine Influence (German) (28/Sep/2018)
• Blogpost introducing SCS speaker Ivan Ristić (27/Sep/2018)
• CRS Project News September 2018 A blogpost for coreruleset.org (27/Sep/2018)
• Blogpost introducing SCS speaker Moonbeom Park (25/Sep/2018)
• Blogpost introducing SCS speaker Katharine Jarmul (20/Sep/2018)/
• Blogpost introducing SCS speaker Nick Sullivan (11/Sep/2018)
• Blogpost introducing SCS speaker Lydie Ngo Nogol (30/Aug/2018)
• Article about Security in E-Voting and paper based Voting in Switzerland (German). This appeared in Society Byte (Bern University of Applied Sciences) (29/Aug/2018)
• Blogpost introducing SCS speaker Oliver Spycher (28/Aug/2018)
• Blogpost introducing SCS speaker Jérémy Matos (23/Aug/2018)
• Interview with me on the AppSec Podcast covering the OWASP ModSecurity Core Rule Set and our plans for the project (7/Aug/2018)
• Blogpost introducing SCS speaker Marie Moe Marie Moe (7/Aug/2018)
• Blogpost introducing SCS speaker Mark Burgess Mark Burgess (2/Aug/2018)
• Blogpost reporting from the CRS community summit in London (12/Jul/2018)
• CRS Project News July 2018 A blogpost for coreruleset.org (7/Jul/2018)
• Announcement of the CRS community summit program (26/Jun/2018)
• Blogpost with news about the CRS community summit (7/Jun/2018)
• Blogpost introducing SCS speaker Grzegorz Milka (28/Jun/2018)
• Blogpost introducing SCS speaker Astha Singhal (26/Jun/2018)
• Blogpost introducing SCS speaker Lilly Ryan (14/Jun/2018)
• Blogpost introducing SCS keynote speaker Cory Doctorow (7/Jun/2018)
• Blogpost about SCS focus theme “Trust” (5/May/2018)
• Article on E-Voting and Phishing on a blog of Swiss Post (25/Apr/2018)
• Contribution to a Responsible Disclosure. A new type of XSS was found and I described how to prevent this with ModSecurity (3/Apr/2018)
• Announcing a CRS community summit (20/Mar/2018)
• Blogpost introducing CRS With the Geneva based Swiss Cybersecurity association (13/Mar/2018)
• O’Reilly article about ModSecurity on NGINX and how to tune false positives for ModSecurity on NGINX (20/Feb/2018)
• Report from the Usenix Enigma conference. An article that appeared in Linux Weekly News (14/Feb/2018)
• Interview with me on CNN Money Switzerland about Cyber Security. (31/Jan/2018).
• Slides for the O’Reilly webcast about ModSecurity on NGINX (15/Jan/2018)
• O’Reilly webcast about ModSecurity and CRS on NGINX. (This demands registration) (8/Jan/2018)
• Article about the Security Industry for the online news site E-Financial-Careers (German) (3/Jan/2018)

2017

• Blogpost about CRS development on the OWASP blog summing of the evolution of the CRS project through the years (20/Dec/2017)
• ictk.ch reporting about CRS winning German OSBAR award. This also covers my contribution to the project (German; note: this is about me, not by me) (7/Dec/2017)
• Blogpost about ftw and how we use it for unit testing with CRS (14/Dec/2017)
• Netzwoche reporting about CRS winning German OSBAR award. This also covers my contribution to the project (German; note: this is about me, not by me) (8/Dec/2017)
• Blogpost about ModSec courses (7/Dec/2017)
• Blogpost about CRS winning German OSBAR award (7/Dec/2017)
• Blogpost about CRS and OWASP Top 10 (21/November/2017)
• Blogpost reporting about the E-Voting focus at the Swiss Cyber Storm conference on the E-Voting blog of Swiss Post (6/Nov/2017)
• Blogpost reporting about the Swiss Cyber Storm conference on the SATW blog (30/Oct/2017)
• Blogpost introducing SCS speakers Antonio Barresi and Matthias Ganz (10/Oct/2017)
• Blogpost introducing SCS speaker Bryan Ford (6/Oct/2017)
• Blogpost covering the nomination of the CRS project for the Swiss DINACon awards (3/Oct/2017)
• Blogpost introducing SCS speakers Harald Reisinger and Aldo Frick (1/Oct/2017)
• Blogpost introducing SCS speaker Jordi Puiggali (26/Sep/2017)
• Blogpost introducing SCS speaker Raphael Reischuk (24/Sep/2017)
• Blogpost introducing SCS speaker Thomas Hofer (18/Sep/2017)
• Blogpost introducing SCS speaker Anthony Vance (14/Sep/2017)
• Blogpost inviting new people to join the CRS project (3/Sep/2017)
• CRS Project News September 2017 (7/Sep/2017)
• Video with a brief spot how to make a push for security in companies (9/Oct/2017) Fabasoft
• Video with a brief spot about security blind spots (9/Oct/2017) Fabasoft
• Blogpost with Core Rule Set project news (15/Aug/2017)
• FIXME FIXME (3/Aug/2017)
• FIXME FIXME (FIXME/XXX/2017) OWASP London
• FIXME FIXME (27/Jul/2017)
• FIXME introducing SCS speaker FIXME (25/Jul/2017)
• FIXME introducing SCS speaker FIXME (18/Jul/2017)
• FIXME introducing SCS speaker FIXME (11/Jul/2017)
• FIXME introducing SCS speaker FIXME (29/Juni/2017)
• FIXME introducing SCS speaker FIXME (6/Jun/2017)
• FIXME introducing SCS speaker FIXME (7/Jun/2017)
• FIXME FIXME (FIXME/XXX/2017) OWASP AppSecEU Belfast
• FIXME FIXME (20/May/2017)
• FIXME introducing SCS speaker FIXME (30/May/2017)
• FIXME introducing SCS speaker FIXME (23/May/2017)
• FIXME introducing SCS speaker FIXME (15/May/2017)
• FIXME introducing SCS speaker FIXME (13/Apr/2017)
• FIXME FIXME (6/Apr/2017)
• FIXME FIXME (24/Februar/2017)
• FIXME FIXME (3/Feb/2017)
• FIXME FIXME (1/Feb/2017)
• FIXME FIXME (31/Feb/2017)
• FIXME FIXME (13/Jan/2017)

2016

• Article in Linux Weekly News about the OWASP ModSecurity Core Rule Set 3.0 (21/Dec/2016)
• Article in Linux Weekly News about ModSecurity (14/Dec/2016)
• FIXME FIXME (12/April/2016)
• FIXME FIXME (26/Apr/2016)
• FIXME FIXME (20/Jun/2016)
• FIXME FIXME (10/Jul/2016)
• FIXME FIXME (26/Jul/2016)
• FIXME FIXME (1/Oct/2016)
• FIXME FIXME (14/Oct/2016)
• FIXME FIXME (22/Nov/2016)

• FIXME FIXME (29/November/2016)

• German Tutorial showing options for visualisation of logfiles in the shell with the help of gnuplot (12/Feb/2016).
• Blogpost proposing the mechanics of a new OWASP ModSecurity Core Rules Paranoia Mode (04/Feb/2016).
• German Tutorial presenting an efficient workflow for apache configuration in multiple terminals (29/Jan/2016).
• Blogpost covering the over most frequent OWASP ModSecurity Core Rules false positives (17/Jan/2016).

2015 and before

• OWASP ModSecurity Core Rules: Comparing 2.2.x and 3.0.0-dev. A blogpost that compares the next version of the core rules to the former release (19/Dec/2015).
• German Tutorial explaining the various configuration options of an apache reverse proxy (12/Dec/2015).
• Don’t let 981172 and 981173 disappear from the Core Rules! A blogpost lobbying for two individual core rules, bound to be removed from the OWASP ModSecurity Core Rules Set (25/Nov/2015).
• German Tutorial about OWASP ModSecurity Core Rules tuning (17/Nov/2015).
• Cyber Risks Switzerland 2015 conference organised by MELANI in Bern. A blog post reporting about the event. (05/Nov/2015).
• SIGS Talk in Berne, about Practical ModSecuriy Tuning. An “After Work Event” of the Security Interest Group Switzerland with my talk as main topic. (10/Mar/2015).
• Cyber Risks Switzerland 2014 conference organised by MELANI in Bern. A blog post reporting about the event. (22/Nov/2014).
• Malware Workshop focusing on live traffic inspection and adjacent topics. A blog post about a workshop I hosted. (18/Nov/2014).
• Summary of OWASP Talk in Zurich covering core topics and the discussion. A blog post about my presentation. (18/Nov/2014).
• OWASP Talk in Zurich presenting advanced ModSecurity concepts. A standard OWASP Chapter meeting with my talk as main topic. (12/Nov/2014).
• German Report about a Cybersecurity workshop at the Swiss Federal Office for Civil Protection (Bundesamt für Bevölkerungsschutz). The second national Swiss Cyberattack Workshop examining a DDoS attack on national infrastructures (2/Sep/2014).
• Big Data - Eine Einführung. A German introductory speech on Big Data at an evening conference of Swiss Privacy Advocates. (06/May/2014).
• German Tutorial with a step by step guide to integrate the OWASP ModSecurity Core Rules (13/Aug/2013).
• German Tutorial explaining the integration of ModSecurity into the Apache webserver configuration (03/Jul/2013).
• 1 + 2 Backup Procedure is a simple backup method that works for people without technical background (11/Jun/2013).
• German Report about a Cybersecurity workshop at the Swiss Federal Office for Civil Protection (Bundesamt für Bevölkerungsschutz). The first national Swiss Cyberattack Workshop examining a DDoS attack on national infrastructures (14/Oct/2012).
• German Tutorial explaining how to extend the Apache access log in a useful way. A German step by step guide (5/Feb/2012).
• Video about practical defense against application layer DDoS attacks: “Sniping Slowloris and Friends”. The video was taken at Swiss Hashdays Conference October 2011 (27/Jan/2012).
• Video about defense concepts against application layer DDoS: “Hunting Slowloris and Friends”. The video was taken at Swiss Cyberstorm Conference May 2011 (23/Juni/2011).
• German Tutorial about simple and effective ssl/tls configuration on apache. A German step by step guide (21/Jan/2012).
• Flying-Frog Script. A ruby network monitoring script that is able to detect slowloris / request delaying attacks (15/Oct/2011).
• German Tutorial about the setup of a php application server in an external fast-cgi-daemon. A German step by step guide (11/Oct/2010).
• German Tutorial about minimalistic Apache configuration without sacrificing security. A German step by step guide (6/Nov/2010).
• German Tutorial on apache compilation. A German step by step guide (21/Oct/2010).
• Sein Kampf für das Teilen. A German article in the Bernese magazine Unilink about a visit of Richard Stallman (April/2010).
• Linux Weekly News Article on Slowloris. This is an article explaining slowloris type / request delaying DoS attacks on the application layer (24/Juni/2009).
• OWASP Europe Training Files about ModSecurity. A one day training I gave at OWASP Europe in Kraków (May/2009).
• Presentation at OWASP Europe about REMO, a positive Rule Editor for ModSecurity. A graphical user interface and rules generator with a whitelisting / positive approach. (May/2008).
• REMO - The Rule Editor for ModSecurity. A graphical user interface and rules generator with a whitelisting / positive approach. (2007/2008).
• How2Forge Article - Introducing REMO - An Easy Way to Secure an Insecure Online Application with ModSecurity. (6/Jun/2007).
• Tutorial about graphical visualisation of logfiles with graphviz. A very simple introduction (Jun/2006).
• Article on database design in historical research. History and Computing Volume 12 (2000).

 

Publications in the historical field

• German opinion piece about producing your reenactment equipment yourself. Miroque Edition 6 : I/2013 (15/Apr/2013).
• The Ursula Shrine Linnen Armour (Padded Jack Series I) is a blogpost about the recreation of a historical piece of textile armour. On the Company of St. George website (Apr/2013).
• German interview with me about the Company of St. George. Karfunkel Combat 9 (12/Mar/2013).
• Video of a book presentation I participated in Nishny Novorod, Russia.
  The book presented is the first Russian book on the medieval history of Switzerland (23/Sep/2012).
• News program on Swiss TV interviewing me briefly. With the Company of St. George (19/Jul/2012).
• Blogpost about a juridical trial in a historical reenactment setting. On the Company of St. George website (Jul/2012).
• Blogpost about the upcoming reenactment event in Lenzburg, Switzerland. On the Company of St. George website (30/May/2012).
• Johannes Kummer (+1444). An article in the Historical Dictionary of Switzerland about an Abbot of Engelberg (6/Nov/2011).
• Blogpost about the way how religion can be reenacted. On the Company of St. George website (5/Jul/2011).
• Blogpost on crucial questions for reenactors. On the Company of St. George website (6/Jun/2011).
• Blogpost and video about the military in Medieval Chillon. On the Company of St. George website (23/May/2011).
• Blogpost and video about the daily life in Medieval Chillon. On the Company of St. George website (2/May/2011).
• Rohrmoos, von. An article in the Historical Dictionary of Switzerland about a noble family (23/Nov/2010).
• Blogpost on the idea of taking the visitor by the hand. On the Company of St. George website (15/Nov/2010).
• Ried, von. An article in the Historical Dictionary of Switzerland about a noble family (20/Oct/2010).
• Blogpost about castles, queens and bombards. On the Company of St. George website (27/Sep/2010).
• Schlacht bei Murten (1476). An article in the Historical Dictionary of Switzerland about the Battle Of Morat (2/Sep/2010).
• Blogpost about the medieval goat game. On the Company of St. George website (30/August/2010).
• Blogpost about interesting books for reenactors. On the Company of St. George website (9/August/2010).
• Blogpost about a leather sheath to protect a set of carving knives. On the Company of St. George website (2/August/2010).
• Blogpost about a new set of carving knives. On the Company of St. George website (28/Jun/2010).
• Blogpost about medieval dishes like “Tripe disguised as omelette balls”. On the Company of St. George website (21/Jun/2010).
• Blogpost about the upcoming reenactment event in Nykøbing, Denmark. On the Company of St. George website (31/May/2010).
• Rüediswil, von. An article in the Historical Dictionary of Switzerland about a noble family (19/May/2010).
• Blogpost on the creation of a whitelist of medieval foods. On the Company of St. George website (15/May/2010).
• Langspiess. An article in the Historical Dictionary of Switzerland about the soldier’s pike (3/Mar/2010).
• Johann von Eych (+1464). An article in the Historical Dictionary of Switzerland about a Bishop of Eichstätt (21/Sep/2009).
• Rudolf von Liebegg (+1332). An article in the Historical Dictionary of Switzerland about a scholar and writer (27/Nov/2008).
• Johannes Kreutzer (+1468). An article in the Historical Dictionary of Switzerland about a Dominican doctor in Theology and prior (4/Nov/2008).
• Konrad von Mure (+1281). An article in the Historical Dictionary of Switzerland about a Canon Regular and Writer (28/Oct/2008).
• Konrad Menger (+1501). An article in the Historical Dictionary of Switzerland about a Humanist and supposedly an Italian spy (24/Oct/2008).
• Josset (14th century). An article in the Historical Dictionary of Switzerland about a doctor (14/Feb/2008).
• Johannes von Lare (+1481). An article in the Historical Dictionary of Switzerland about a Franciscan guardian (14/Feb/2008).
• Libri confraternitatum / Libri memoriales. An article in the Historical Dictionary of Switzerland about memorial books (22/Jan/2008).
• Liebegg, von. An article in the Historical Dictionary of Switzerland about a noble family (21/Jan/2008).
• Johannes von Winterthur (+ ~1348). An article in the Historical Dictionary of Switzerland about a priest and writer (20/Jan/2008).
• Laupenkrieg (1338/39). An article in the Historical Dictionary of Switzerland about the Battle of Laupen (4/Dec/2007).
• Heinrich von Klingenberg (+1306). An article in the Historical Dictionary of Switzerland about a remarkable bishop of Constance (20/Aug/2007).
• Leonhard Mair (+ ~1455). An article in the Historical Dictionary of Switzerland about a Franciscan guardian (6/Aug/2007).
• Morgenstern. An article in the Historical Dictionary of Switzerland about the morning star (24/July/2007).
• Gutleben (+1406). An article in the Historical Dictionary of Switzerland about a Swiss doctor (13/Mar/2007).
• Katharinental und Töss. Zwei mystische Zentren in sozialgeschichtlicher Pespektive. The publication of my thesis (May/2007).
• Johannes I. An article in the Historical Dictionary of Switzerland about a bishop of Constance (12/Feb/2007).
• Ludwig Jäger. An article in the Historical Dictionary of Switzerland about a professor in Theology and Abbot (8/Feb/2007).
• Johannes Keck (+1450). An article in the Historical Dictionary of Switzerland about a doctor in Theology (5/Oct/2006).
• Johannes II (+782). An article in the Historical Dictionary of Switzerland about a bishop of Constance (7/Sep/2006).
• Hartmut (9th century). An article in the Historical Dictionary of Switzerland about an abbot of St. Gall (8/Aug/2006).
• Albrecht von Hohenberg (+1359). An article in the Historical Dictionary of Switzerland about a Bishop of Freising (21/Jul/2005).
• Magazine Article. A German event review of a reenactment gathering in Daaden, Germany, in Karfunkel Magazine (5/August/2002).
• German Article on historical research with databases. This article also appeared in English. See above (2000).
• German Article on Katharinental and Töss. A scholarly article in the German book “Lesen, Schreiben, Sticken und Erinnern” (2000).

 

Publications about me

• Interview in the Cyber Security Dispatch podcast touching on my career, E-Voting, OWASP and WAFs (3/January/2019)
• Interview with me on the AppSec Podcast covering the OWASP ModSecurity Core Rule Set and our plans for the project (7/Aug/2018)
• Interview with me on CNN Money Switzerland about Cyber Security. (31/Jan/2018).
• News program on Swiss TV interviewing me briefly. With the Company of St. George (19/Jul/2012).
• German portrait of my activities in reenactment. Der Bund (14/Aug/2003).
• French portrait of my activities in reenactment. La Liberté (27/Jul/1998).