The 5 Stages of Data Breach Grief

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: > The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry. — The AA (@TheAA_UK) July 3, 2017 [https://twitter.com/TheAA_UK/status/88...

Password Strength Indicators Help People Make Ill-Informed Choices

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: > When website errors make no sense! @Argos_Online [https://twitter.com/Argos_Online] my password is more complex than your system can handle. What gives? @troyhunt [https://twitter.com/troyhunt] #insecurity [https://twitter.com/hashtag/insecurity?src=hash] pic.twitter.com/64VA7qINGP [https://t.co/64VA7qINGP] — Jon Carlos (@billywizz) June 10, 2017 [https://twitter.com/billywizz/sta...

MVP, year 7

Just over 6 years ago, I received my first Microsoft MVP award [https://www.troyhunt.com/accidental-mvp/]. It was unexpected, in part because I'd only started doing anything community facing 18 months earlier. But it rated - people were finding what I was doing genuinely useful and that award was an absolutely pivotal moment which helped define what I do today. This weekend, I got the (still) eagerly awaited email for the seventh time: > Giddy up! 7 years running ? pic.twitter.com/okTP6GTk5n [...

Weekly update 41 (Southampton edition)

Into week 5 of travel now and I'm in Southampton on the south coast of England. The family holidaying is over and it's back to workshops and user groups for the remainder of the trip, both here in the UK and then back in the Netherlands next week. Despite the schedule, I managed to pump out a quick blog post on what remains one of the most astoundingly insane security / privacy implementations I've seen - Strawberrynet. This has to be seen to be believed and the backstory I talk about in this week's...

Strawberrynet's privacy insanity

A little while back, I wrote about Website enumeration insanity [https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/] and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page [https://adultfriendfinder...

Weekly update 40 (Leiden edition)

Another week abroad, this time in the Netherlands and fortunately a combination of time out with the family and just a single workshop. Still, that workshop raised an interesting question around data retention in backups and how the right to erasure under GDPR will be handled. I discuss that from my tranquil little getaway in Leiden plus ponder what would happen if all my security decisions were one day put on public display. That and more in this week's update, then it's off to London! iTunes...

Weekly update 39 (Oslo edition)

This has probably been the most relentless week I've had in one place since... I dunno. Forever? It was all in Oslo and all centred around the NDC event but it meant kicking off with a massive 2 day workshop (50 people - a record!), then an OWASP user group (followed by much beer), then workshop Tuesday, family arriving, social NDC event, event kick-off Wednesday, family sightseeing, a Pluralsight recording, shrimp cruise that night, NDC talk on Thursday, a short "how I failed talk" that night f...

Weekly update 38 (Trondheim edition)

It's week 2 of my 6-week European summer tour and I'm in Trondheim, Norway, which frankly is a pretty awesome place: > Awesome spot ? pic.twitter.com/wBAYGShQNH [https://t.co/wBAYGShQNH] — Troy Hunt (@troyhunt) June 9, 2017 [https://twitter.com/troyhunt/status/873060637735231488] Being busy with workshops and talks means I'm always going somewhere or doing something so time is a bit limited, but I still managed to get out my Security Sense column this week. I also give some updates on some obse...

Weekly update 37 (Leuven edition)

I'm in Belgium! After 35 hours of travel to Porto in Portugal, then 2 days of workshop plus a user group there, I'm now in Leuven, which is the home of epic Belgian beer. I'm now into day 2 of another workshop here after having done a user group on Azure last night, so it's turning into a very long week. Not a lot of new stuff to talk about blog wise, but I share what it's like doing these events and some of the things I learn along the way. iTunes podcast [https://itunes.apple.com/au/podcast/t...

Weekly update 36

I've been at the AusCERT conference [https://conference.auscert.org.au/] this week and whilst I scored a nomination for "Individual Excellence in Information Security", it wasn't meant to be this year (or the last 2 times!) but I did get a shiny certificate :) It was a great event and I really enjoyed meeting a heap of very cool people and doing a brand new talk on responsible disclosure. I'll share that once it's publicly accessible, AusCERT usually put these out to the world and I was really h...