Face ID Stinks

I've been gradually coming to this conclusion of my own free will, but Phil Schiller's comments last week [https://www.cultofmac.com/518009/phil-schiller-says-face-ids-competitors-stink/] finally cemented it for me: Face ID stinks. I wrote about the security implementations of Face ID [https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/] just after it was announced and that piece is still entirely relevant today. To date, we haven't seen practical attacks against it th...

New Pluralsight Play by Play: What You Need to Know About HTTPS Today

As many followers know, I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because le...

Weekly Update 64

Home. The US Congress trip was an epic experience but man it's nice to be back! I got home early Monday morning after a 34-hour door-to-door commute and have spent the last 4 days trying to readjust which means being dead tired by 8pm then up at 4am. Fun times. Anyway, this week is all about British politicians sharing their passwords. Yeah, I know, but it turns out it's actually a thing. I'm still not sure if it's for productivity purposes, to hide the odd porn habit or just a symptom of ignor...

The Trouble with Politicians Sharing Passwords

Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries [https://twitter.com/NadineDorries]. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it: > My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews [https://twitter.com/BBCNews?...

Weekly Update 63 (US Congress Edition)

Last week, I was sitting next to a croc-infested river in the middle of nowhere (relatively speaking). This week, I'm in front of the United States Capitol having just spoken to the very people who create the laws that govern not just the US but let's face it, have a significant impact on the rest of the world. Today was just one of those moments that make you go... whoa. But it was an awesome day. Everything went smoothly, I said all the major things I wanted to say and everyone seemed happy f...

Here's What I'm Telling US Congress about Data Breaches

Last week I wrote about my upcoming congressional testimony [https://www.troyhunt.com/im-testifying-in-front-of-congress-in-washington-dc-about-data-breaches-what-should-i-say/] and wow - you guys are awesome! Seriously, the feedback there was absolutely sensational and it's helped shape what I'll be saying to the US Congress, including lifting specific wording and phrases provided by some of you. Thank you! As I explained in that first blog post, I'm required to submit a written testimony 48...

Weekly Update 62 (Rockhampton Edition)

This is going to be a couple of weeks of polar opposite updates: This week I'm in Rockhampton, a regional centre in my home state where I'm surrounded by gum trees, chirping birds and a croc-infested river. Next week will be Washington DC where I'll have just finished testifying in front of US Congress. Whoa. That's the big story this week. This year. This career. It's both a massive thing and a walk in the park, the former because it's testifying in front of freakin' congress and the latter be...

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Edit: I'm putting this up front as a lot of people are asking for it - the hearing will be live-streamed on YouTube and there's already an embedded video on the hearing page [https://energycommerce.house.gov/hearings/identity-verification-post-breach-world/] . There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches [https://energycomme...

Weekly Update 61

A bit of a "business as usual" week this one, but then this business is never really "usual"! I start out with a talk at McAfee's MPOWER conference in Sydney and a bit of chatter about some upcoming ones (including the one I still can't talk about... but will next week!) In terms of new things, I've now got my hands on an iPhone X so I spend a bunch of time talking about that. It only arrived yesterday so I'm still learning and forming opinions, but early feedback is that I love this phone! Wel...

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted dat...