Two of the things you'll have found me most frequently writing about on this blog are "cloud" and "security". Whilst the latter seems to have been what I've gravitated towards most in recent years, the former is something I'm very heavily involved in, particularly with my work on Have I been pwned [https://haveibeenpwned.com/] (HIBP). I'm enormously happy to see the very last course in the Ethical Hacking series [https://www.pluralsight.com/blog/tutorials/learning-path-ethical-hacking] I've been...

Data breaches can be shady business. There's obviously the issue of sites being hacked in the first place which is not just shady, but downright illegal. Then there's the way this information is redistributed, the anonymous identities that deal with it and the various motives people have for bringing this data into the public eye. One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. We'...

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimate get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below [https://www.troyhunt.com/everything-you-nee...

I've had this post in mind for a while now. It's a little tangential to the sort of stuff I'd normally write, yet it's something I'm passionate about and has become more topical in the last few days. The catalyst for finally completing this piece came after last week's reporting of the first death in a Tesla operating under "auto pilot" [http://www.apnewsarchive.com/2016/As-the-National-Highway-Traffic-Safety-Administration-investigates-the-first-American-death-involving-a-car-in-self-driving-mo...

Some days, it just feels like the world is working against you or in the case of today, like it's all just going to metaphorical security hell. As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right. Here's a bunch of exampl...

I've been using Evernote for about 6 years now. Nothing heavy duty, just basic notes that I collect around things like conference talk ideas, code snippets some recipes I often make and other rather mundane things. Anything sensitive goes into 1Password, this is just everyday notes about things I want easy access to across devices. For me, "devices" means my iPhone, iPad, desktop PC and a couple of laptops. The ability to simply fire up a device and have access to everything is important to me b...

I just had an absolutely sensational trip over to Europe which kicked off with my favourite event of the year - NDC Oslo [http://ndcoslo.com/]. I first came to this event two years ago and talked about How I Hacked my Way to Norway [https://www.troyhunt.com/ndc-2014-vikings-passwords-and/] which was the first big international talk I'd done. Per the link to that blog post, the talk went sensationally well, topping the charts for the event with 100% positive feedback (there's a green / yellow /...

It's been a crazy time for data breaches and as I wrote yesterday, we've seen a very distinct pattern of historical mega breaches lately [https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/]. Fling in 2011, LinkedIn in 2012, tumblr in 2013 and the mother of them all, MySpace in, well, we don't quite know. There's been no information forthcoming from anyone about when this breach actually occurred and there's no explicit indicators in the data dump either (sometimes there are time...

Over the period of this month, we've seen an interesting trend of data breaches. Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing. For example, just yesterday I loaded the Fling database (you probably don't want to go to fling dot com until you're in a private setting). That was over 40 million records and the breach dates back to 2011 [http://motherboard.vice.com/read/another-day-another-hack-passwords-an...

Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had "only" exposed 6.5M password hashes (not even the associated email addresses so in practice, useless data), was now being sold on the dark web [https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password] . It was allegedly 167 million accounts and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your Bi...