Mastodon

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly Update 173

I really should have started the video about 3 minutes earlier. Had I done that, you'd have caught me toppling backwards into the frangipani tree whilst trying to position my chair and camera which frankly, would have made for entertaining viewing. Instead, this week's update is focused primarily on a completely different epic fail, namely Surebet247's handling of a breach impacting their customers. I chose those words carefully as it now seems almost certain the breach was actually of BtoBet an...

The Difficulty of Disclosure, Surebet247 and the Streisand Effect

This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal w...

Weekly Update 172

I couldn't get 2 days into the new decade without having to deal with ridiculous password criteria from Tik Tok followed by my phone automatically associating with what it thought was my washing machine whilst in a grocery store on the other side of the world (yep, you read that correctly). It somehow seems to just be reflective of how crazy online security is becoming in the modern era. On the plus side, Chrome is making some really positive changes to how it handles cookies so it's not all bad...

Promiscuous Cookies and Their Impending Death via the SameSite Policy

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it: If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes. What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes. Last one: what if an attacker di...

Weekly Update 171

Sitting down to do this one today I thought it would be brief, turns out a bit more ended up on the agenda than I expected. The GoGetSSL bit in particular was unfolding as I recorded and to their credit, they later apologised for their "rude messages" [https://twitter.com/gogetssl/status/1210842825992085506] which is a good sign. I still intend to finish writing up the blog post because the issues they've raised need tackling, but as with the Sophos example I also talk about, it's good to see a...

When Is Data "Public"? (And 2.5M Public Factual Records in HIBP)

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month [https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/] . For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish perso...

Weekly Update 170

Monday: 40C and lapping up the Gold Coast sunshine. Wednesday: -8C and lapping up... Juicy IPA [https://www.klokkco.no/en/beers/juicy-ipa/]! I'm back in Oslo and catching up with the locals including running a roundtable discussion for CSOs at Microsoft, visiting the Norwegian National Cyber Security Centre ( recently onboarded to HIBP [https://www.troyhunt.com/welcoming-the-norwegian-government-to-hibp/]) and chatting with Forbrukerrådet, the Norwegian Consumer Counsel. Plus, there's an all new...

Still Why No HTTPS?

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] . We called it Why No HTTPS? [https://whynohttps.com/] and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means o...

Weekly Update 169

I recorded this right before heading out for my final conference talk of the year at YOW! Melbourne where I was due to do the closing keynote of the event. That's now done, questions answered and beers drunk and I left the event feeling great. One of the things I get the most pleasure out of at conferences is hanging around talking to people so a big thanks to everyone who made the time today to stay back on a Friday evening and cap a very busy year of conferences off in this fashion. I'm going...

Generated Passwords, UX and Security Absolutism

Last month, Disney launched their new streaming service Disney+ [https://www.disneyplus.com/]; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums [https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/] . This is becoming an alarmingly regul...