I was on another whirlwind trip back in July, this time to a bunch of spots in the US which included Chicago where Pluralsight has one of their offices. The last time I was there I'd recorded a "Play by Play" course which is video recorded rather than a screen cast like so many of my others. It meant myself and someone else (in this case, Gary Eimerman [https://twitter.com/GaryEimerman] who's part of the Pluralsight team) actually sitting in front of the camera talking about security as well as...

Exactly 7 years ago today, I wrote my first blog post titled Why online identities are smart career moves [https://www.troyhunt.com/why-online-identities-are-smart-career/]. That's a pretty self-explanatory title and I wrote it while gainfully employed in a job I'd been in for 8 years at the time, but it's worth a quick read as it sets the scene for this post. I may have had a steady job, but I knew I wouldn't always be there... I won't go into all the background here, if you want the details o...

I've had this idea in mind for a while to start capturing some video on a weekly basis about things that are topical and interesting but that I'm probably just not going to get around to blogging into detail. Writing is massively time consuming plus I reckon there's a bit more candour that comes across in video. As I say in the intro, see if you like it. If it's good, let me know. If it's not, well, you probably should also let me know or at least tell me how to improve it. I'm about to head ba...

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward [https://www.troyhunt.com/content-images-2016-09-a-one-week-traffic-snapshot-1-png/] which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one per every...

I have a love-hate relationship with ads, whether they be on my blog or anywhere else for that matter. I get that they're a necessity for many news outlets to keep providing the free information that we all want, but I also can't stand the way advertising has descended into the sleazy, risky, slow and all-round negative experience it so frequently is today [https://www.troyhunt.com/its-2016-already-how-are-websites-still/]. I've had ads on this blog for years and they've been provided by Develo...

Last week Google announced some changes to Chrome [https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html], specifically that come January 2017, practices like this [https://www.troyhunt.com/thank-you-waitrose-now-fix-your/] are going to start resulting is browser warnings: That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right. But here's...

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post. I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them [https://www.troyhunt.com/heres-how-i-verify-data-breaches/] before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, t...

Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API [https://www.troyhunt.com/the-have-i-been-pwned-api-rate-limiting-and-commercial-use/] and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring it forward to today. As I explained in the original post, there were multiple reasons for the rate limit including high volumes of API calls impacting system performan...

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked [http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts] . Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned [https://haveibeenpwned.com] (HIBP) sent over the data which o...

Let's start with a quick quiz: Take a look at haveibeenpwned.com [https://haveibeenpwned.com/] (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what point is the traffic decrypted? Many people would say it's at the web server but it's not, it's upstream of there at Microsoft's appliances that sits in front of the web application PaaS offering. You...