Troy Hunt
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
For the first time in about as long as I can remember, I’m at a conference and not actually presenting anything. It’s enormously liberating actually and it’s allowed me to soak up a heap of info without being preoccupied with actually, well, doing stuff. Mind you, I’m chairing half a dozen sessions at AusCERT 2015 but that amounts to introducing someone, sitting back to enjoy their talk then thanking them very much. Anyway, all this sitting around and watching other people talk about technology...
I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? [https://haveibeenpwned.com/] (HIBP) site and they’re right, it only scores a B grade [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com]. The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lo...
It’s the “Hack Yourself First” trilogy: Watch the talk [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698], take the Pluralsight course [http://www.pluralsight.com/courses/hack-yourself-first] and now you can spend a couple of days with me in Amsterdam next month on June 22 and 23 doing the workshop [https://training.xebia.com/developer-skills/hack-yourself-first-how-to-go-on-the-cyber-offence/]. I’ve teamed up with X...
So I’m at the DevSum conference in Stockholm [http://www.devsum.se/speaker/troy-hunt/] and yesterday afternoon was busily preparing for my talk, Hack Yourself First. It’s a talk I’ve done many times before and it always rocks not just based on the attendee feedback, but because frankly I just have a lot of fun doing it (you can watch a recording from Yow! in December [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698]...
The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...
I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re your own apps that you’ve built or ones you’re testing as part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do. What I can now share with everyone is that over the last few months, I’ve been work...
So the dust has finally settled. A month ago I wrote about </pfizer> [https://www.troyhunt.com/2015/04/today-marks-two-important-milestones.html] which marked my departure from the corporate world after spending the last 14 years building and managing their software things across a good whack of the world. With that chapter now formally closed, it’s time to talk about the next phase. It’s time to talk about Pluralsight [http://www.pluralsight.com/]. The path to Pluralsight It was 2012 when I...
I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...
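As an added illustration of the kind of check a CSP deserves before it goes live (this is example code written for this page, not HIBP’s policy or anything from the post; the sample header and the report-uri host are constructed), here is a small Python auditor that parses a Content-Security-Policy value, applies the default-src fallback the browser applies, and flags the settings that give back most of what CSP buys you: 'unsafe-inline' or 'unsafe-eval' in the effective script-src, wildcard or plaintext-HTTP sources, a missing default-src, and no reporting endpoint.

```python
"""CSP header auditor: parse a Content-Security-Policy value and flag the
settings that undermine it. Added example for this page; the sample policy
and the report-uri host below are constructed, not HIBP's real policy."""

# Constructed sample header with two deliberate weaknesses:
# 'unsafe-inline' in script-src and a bare wildcard in img-src.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
    "style-src 'self' https://cdnjs.cloudflare.com; "
    "img-src *; "
    "report-uri https://example.invalid/csp-report"
)

# Fetch directives that fall back to default-src when not listed.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src",
)


def parse_csp(header):
    """Turn "name src src; name src" into {name: [src, ...]}.

    Directive names are case-insensitive; source tokens keep their quotes
    so keywords like 'self' stay distinguishable from a host named self.
    A repeated directive is ignored, as CSP requires (the first one wins).
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header):
    """Return a list of human-readable findings; an empty list means no concerns."""
    policy = parse_csp(header)
    findings = []

    if "default-src" not in policy:
        findings.append(
            "missing default-src: any fetch directive not listed is unrestricted")

    # Overly broad or plaintext sources in any fetch directive.
    for name in ("default-src",) + FETCH_DIRECTIVES:
        for src in policy.get(name, []):
            low = src.lower()
            if low in ("*", "http:", "https:"):
                findings.append(f"{name}: {src} permits any origin")
            elif low.startswith("http://"):
                findings.append(f"{name}: {src} is fetched over plaintext HTTP")

    # script-src is where CSP earns its keep against XSS; these keywords give it back.
    script = [s.lower() for s in effective_sources(policy, "script-src")]
    if "'unsafe-inline'" in script:
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' lets injected strings reach eval()")

    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will never be seen")

    return findings


if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_CSP):
        print(finding)
```

Run it against the header your site actually sends (curl -sI and grab the Content-Security-Policy line) rather than the one you think you configured; the fallback logic matters because a clean script-src is worthless if object-src or default-src quietly permits the same thing.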
There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest] which has become so popular in recent times. It’s a great way of identifying what’s good and what’s bad about an SSL implementation and indeed, it appears that NAB has pulled their stats. Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result...
Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this: That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly be wrong with it. This w...