I got a lot of requests after launching HIBP for an API and I saw some great ideas come up in terms of how it might be used for very constructive purposes. Truth be told, there was an API from day one insofar as this was precisely what the web UI was hitting every time you searched for an email address anyway, I just hadn’t published any docs on it or promoted its existence. That said, I did give it a bit of tweaking to make it more “RESTful” (this, apparently, is what all APIs must be these da...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]I’m one of these people that must learn by doing. Yes, I’m sure all those demos look very flashy and the code appears awesome, but unless I can do it myself then I have trouble really buying into it. And I really want to buy into Azure because frankly, it’s freakin’ awesome. This...

I often write up analyses of the passwords disclosed in website breaches. For example, there was A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html] back in mid-2011 and then our local Aussie ABC earlier this year where I talked about Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed [https://www.troyhunt.com/2013/02/lousy-abc-cryptography-cracked-in.html]. I wrote a number of other pieces looking specifically at the nature...

It may sound like a Tintin adventure, but the Crystal Microphone is far from make believe and as it turns out, one of the fabled awards now adorns my desk: The engraving is self-explanatory and I’m enormously proud of the success of Hack Yourself First: How to go on the Cyber-Offense [http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first]. It went to the top 10 very quickly at a time when there were 700 other courses vying for eyeballs and several months on it’s rated 4...

I’m frequently amused by the sort of stuff my Facebook friends “like”. For example: The more salacious content you find around Facebook often has a hidden agenda, for example the classic She did WHAT in school [https://www.troyhunt.com/2012/10/she-did-what-in-school-mechanics-of.html] scam I wrote about last year. Snapchat [http://www.snapchat.com/] allows you to take a pic or a video and set an expiry date after which it’s “theoretically” destroyed, just the sort of stuff that appeals to sex...

Last month I had a great couple of days at Web Directions South in Sydney. Great on the first day because I got to kick back and watch messages like this popping up on the Twitters: And then great on the second day because I got to talk to everyone about what it means to your app security to have your wifi hijacked. The video of that talk has just gone up on YouTube and IMHO, it’s come up rather well: I also wrote in more detail about how I used the Pineapple at Web Directions and what data...

I’ve been working on a little project recently that involves handling hundreds of millions of email addresses from various sources. More on that in a later post, but for now let’s just assume that I want to have a reasonable degree of confidence that each of these addresses from an untrusted source is valid. Indeed many of them are just rubbish – beyond the obvious “does it have an @ symbol”, a bunch of them don’t have dots in the domains or contain illegal characters in places where they just s...

I had bit of feedback on my last post I hadn’t seen in the past. For example, this one on Twitter [https://twitter.com/couchsecurity/status/400212134480470016]: > 0% of this page renders with Ghostery turned on. I'm not sure if this is irony, or which... And then reinforced by Mikko Hypponen [https://twitter.com/i/connect]: > I noticed the same thing. Troy, you might want to check out your blog against Ghostery's default settings. And repeated on Hacker News [https://news.ycombinator.co...

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder [http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/] in terms of what they g...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" So I had this plan: I was going to download the (very unfortunate) Adobe data breach, suck it into SQL Server, do the usual post-import data clean up then try and draw some insightful conclusions from what I saw. Good in theory and something I’ve done many times before after other breaches, problem is it’s abso-freaking-lutely massive. The data itsel...