There's a lot of people getting themselves worked up about the Australian census [https://en.wikipedia.org/wiki/Census_in_Australia] whose five-yearly cycle falls due today. For the most part, it's like any other normal census we've done ever since I can remember, but what's changed this year is the duration for which names and addresses will be retained against the census answers. There are some good reasons to question the whole thing, plus some good reasons why it's really a non-event. Let m...

You know the best way to sell security products? Scare the shit out of people. I mean make them really genuinely fearful that if they don't have the thing you're pushing that a bunch of nasty stuff will happen to them. It's the Donald Trump school of winning hearts and minds. Which brings me to CUJO [https://www.indiegogo.com/projects/cujo-the-smart-way-to-fight-hacking-security#/] , an Indiegogo campaign for a "security in a box" product. Strap yourself in and watch the video: Are we terrifie...

I tweeted this the other day, and the internet was not pleased: > HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc [https://t.co/cfnYOpXMWc] — Troy Hunt (@troyhunt) July 8, 2016 [https://twitter.com/troyhunt/status/751317949349130240] In fact, a bunch of the internet was pretty upset. "It's not fair!", they cried. "You're comparing apples and oranges!", they raged. No, it's not fair, the internet is not fair. But that's just how the web i...

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leav...

If you follow my Twitters, you may have noticed I can be a bit, well, "despondent" about the climate in Europe. No, not the whole Brexit political climate situation, I mean more like this: > Crowds of people in Birmingham waiting for summer before they go outside: pic.twitter.com/7ImjmCt4Bf [https://t.co/7ImjmCt4Bf] — Troy Hunt (@troyhunt) June 16, 2016 [https://twitter.com/troyhunt/status/743339389481189376] Yet I keep ending up back there so either it's my poor judgement or... I secretly en...

Two of the things you'll have found me most frequently writing about on this blog are "cloud" and "security". Whilst the latter seems to have been what I've gravitated towards most in recent years, the former is something I'm very heavily involved in, particularly with my work on Have I been pwned [https://haveibeenpwned.com/] (HIBP). I'm enormously happy to see the very last course in the Ethical Hacking series [https://www.pluralsight.com/blog/tutorials/learning-path-ethical-hacking] I've been...

Data breaches can be shady business. There's obviously the issue of sites being hacked in the first place which is not just shady, but downright illegal. Then there's the way this information is redistributed, the anonymous identities that deal with it and the various motives people have for bringing this data into the public eye. One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. We'...

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimate get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below [https://www.troyhunt.com/everything-you-nee...

I've had this post in mind for a while now. It's a little tangential to the sort of stuff I'd normally write, yet it's something I'm passionate about and has become more topical in the last few days. The catalyst for finally completing this piece came after last week's reporting of the first death in a Tesla operating under "auto pilot" [http://www.apnewsarchive.com/2016/As-the-National-Highway-Traffic-Safety-Administration-investigates-the-first-American-death-involving-a-car-in-self-driving-mo...

Some days, it just feels like the world is working against you or in the case of today, like it's all just going to metaphorical security hell. As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right. Here's a bunch of exampl...