Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimate get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below [https://www.troyhunt.com/everything-you-nee...

I've had this post in mind for a while now. It's a little tangential to the sort of stuff I'd normally write, yet it's something I'm passionate about and has become more topical in the last few days. The catalyst for finally completing this piece came after last week's reporting of the first death in a Tesla operating under "auto pilot" [http://www.apnewsarchive.com/2016/As-the-National-Highway-Traffic-Safety-Administration-investigates-the-first-American-death-involving-a-car-in-self-driving-mo...

Some days, it just feels like the world is working against you or in the case of today, like it's all just going to metaphorical security hell. As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right. Here's a bunch of exampl...

I've been using Evernote for about 6 years now. Nothing heavy duty, just basic notes that I collect around things like conference talk ideas, code snippets some recipes I often make and other rather mundane things. Anything sensitive goes into 1Password, this is just everyday notes about things I want easy access to across devices. For me, "devices" means my iPhone, iPad, desktop PC and a couple of laptops. The ability to simply fire up a device and have access to everything is important to me b...

I just had an absolutely sensational trip over to Europe which kicked off with my favourite event of the year - NDC Oslo [http://ndcoslo.com/]. I first came to this event two years ago and talked about How I Hacked my Way to Norway [https://www.troyhunt.com/ndc-2014-vikings-passwords-and/] which was the first big international talk I'd done. Per the link to that blog post, the talk went sensationally well, topping the charts for the event with 100% positive feedback (there's a green / yellow /...

It's been a crazy time for data breaches and as I wrote yesterday, we've seen a very distinct pattern of historical mega breaches lately [https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/]. Fling in 2011, LinkedIn in 2012, tumblr in 2013 and the mother of them all, MySpace in, well, we don't quite know. There's been no information forthcoming from anyone about when this breach actually occurred and there's no explicit indicators in the data dump either (sometimes there are time...

Over the period of this month, we've seen an interesting trend of data breaches. Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing. For example, just yesterday I loaded the Fling database (you probably don't want to go to fling dot com until you're in a private setting). That was over 40 million records and the breach dates back to 2011 [http://motherboard.vice.com/read/another-day-another-hack-passwords-an...

Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had "only" exposed 6.5M password hashes (not even the associated email addresses so in practice, useless data), was now being sold on the dark web [https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password] . It was allegedly 167 million accounts and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your Bi...

Last week we got news of the Rosebutt data breach [http://motherboard.vice.com/read/rosebuttboard-ip-board]. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret. It doesn't matter if you don't agree with the lifestyle choice of those on the site and certainly I myself am not one to look around the house at everyday items and think "I wonder if that could...". That's enti...

A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition [https://www.troyhunt.com/understanding-csrf-video-tutorial/] which was a pretty raw run through of the mechanics and defences of cross site request forgery. It's content I often show in my workshops [https://www.troyhunt.com/workshops/] and I recorded the video pretty much as I present it in those sessions. Today I thought I'd do one on content security policies or as we otherwise know it, CSP. This is...