Last month I had a great couple of days at Web Directions South in Sydney. Great on the first day because I got to kick back and watch messages like this popping up on the Twitters: And then great on the second day because I got to talk to everyone about what it means to your app security to have your wifi hijacked. The video of that talk has just gone up on YouTube and IMHO, it’s come up rather well: I also wrote in more detail about how I used the Pineapple at Web Directions and what data...

I’ve been working on a little project recently that involves handling hundreds of millions of email addresses from various sources. More on that in a later post, but for now let’s just assume that I want to have a reasonable degree of confidence that each of these addresses from an untrusted source is valid. Indeed many of them are just rubbish – beyond the obvious “does it have an @ symbol”, a bunch of them don’t have dots in the domains or contain illegal characters in places where they just s...

I had bit of feedback on my last post I hadn’t seen in the past. For example, this one on Twitter [https://twitter.com/couchsecurity/status/400212134480470016]: > 0% of this page renders with Ghostery turned on. I'm not sure if this is irony, or which... And then reinforced by Mikko Hypponen [https://twitter.com/i/connect]: > I noticed the same thing. Troy, you might want to check out your blog against Ghostery's default settings. And repeated on Hacker News [https://news.ycombinator.co...

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder [http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/] in terms of what they g...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" So I had this plan: I was going to download the (very unfortunate) Adobe data breach, suck it into SQL Server, do the usual post-import data clean up then try and draw some insightful conclusions from what I saw. Good in theory and something I’ve done many times before after other breaches, problem is it’s abso-freaking-lutely massive. The data itsel...

There’s this whole idea of “the creepy line” when it comes to the way our personal data is collected and reused without our permission. Eric Schmidt of Google fame reckons they get right up to it without crossing it [http://blogs.telegraph.co.uk/technology/shanerichmond/100005766/eric-schmidt-getting-close-to-the-creepy-line/] or in other words, they push the boundaries as far as society will tolerate without getting too pissed off. Thing is though, how you define “creepy” is a very personal th...

Update: 17 Feb 2014: Sanity has prevailed and the service has now been pulled [http://www.zdnet.com/linkedin-dumps-intro-in-services-overhaul-7000026123/]. -------------------------------------------------------------------------------- LinkedIn Intro [https://intro.linkedin.com] has already become known by many names: A dream for attackers [http://www.theverge.com/2013/10/25/5027334/linkedin-intro-security-concerns-bishop-fox-mandiant] , A nightmare for email security and privacy [http://ven...

So I’ve just wrapped up another Web Directions [http://webdirections.org/wds13] presentation where the Pineapple has featured. The what now?! You know, the WiFi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html], that little guy with the ability to do all sorts of nasty things to wireless traffic. Now I’ve Pineappled before, but I’ve never Pineappled quite like this and that’s all down to the Mark V [http://hakshop.myshopify.com/products/wifi-pineapple] w...

It’s here! Visual Studio 2013 has just hit with an announcement here [http://blogs.msdn.com/b/somasegar/archive/2013/10/17/visual-studio-2013-available-for-download.aspx] and downloads here [http://www.microsoft.com/visualstudio/eng/downloads] plus a launch in four weeks [http://events.visualstudio.com/]. No, I don’t quite understand what a launch next month means when you can grab it now either but the important thing is that the new software has landed. In times gone by I’ve written my own...

I’m a security minded guy, that probably comes as no surprise. Other people – not always so much and as a result you inevitably see a lot of unattended, unlocked Windows desktops around the place. Naturally the responsible thing to do when seeing such risky behaviour is to help the victi.. uh, I mean “individual” understand the risky nature of such behaviour. Having recently observed such a situation I thought I’d reach out and ask for some guidance on how one might deal with it: [https://tw...