Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re pa...

Working on Have I been pwned [https://haveibeenpwned.com/] (HIBP), I come across a lot of interesting things. Interesting people dealing in data breaches, interesting vulnerabilities in systems which have been compromised and interesting requests from people wanting the data. In fact, I was getting so many requests for data I ended up writing No, I cannot share data breaches with you [https://www.troyhunt.com/2015/10/no-i-cannot-share-data-breaches-with-you.html] where I very explicitly laid out...

I get a lot of people popping up with data breaches for Have I been pwned [https://haveibeenpwned.com/] (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained, including this one: > InstantCheckmate 2015 - 80M entries On the surface of it, that’s a phenom...

I actually thought that once I didn’t bother connecting a landline after moving house recently, it would be the end of scam calls. I used to get them all the time – the ones where they’d call up and say you had viruses on your PC – and my recordings of those turned out to be rather popular [https://www.youtube.com/watch?v=kjKjyMKj3n4]. But today I had another call, although this one went a bit differently. First off, I missed a call in the morning from a Sydney landline number which was 02 6064...

This was not what I was expecting earlier this week: > I am delighted to welcome you to the Microsoft Regional Director program! [https://lh3.googleusercontent.com/-4LX7MFBmD2M/VtgQGXTimKI/AAAAAAAAI5g/TAhUk372Arw/s1600-h/msrd-logo-192px-alpha2.png] More specifically, the nomination I received some weeks back was not what I expected and this week’s message was what I’d dared not get my hopes up too much about. A bit of context first – I’m not going to work for Microsoft and despite the ti...

Last week I published the first post of Kids and Code [https://www.troyhunt.com/2016/02/kids-and-code-simple-programming-on.html] where I started recording the process of teaching my six-year-old son to code. We used code.org [https://code.org/] which is just awesome, specifically the Minecraft game which has just the right balance of difficulty, engagement and entertainment. It’s mostly dragging and dropping blocks which represent procedures, but it’s a great way of getting kids to think about...

I spend a lot of time on Have I been pwned [https://haveibeenpwned.com/] (HIBP) which consists of both maintaining and building out the software with new features as well as obviously sourcing new data for it on a regular basis. I make it freely available to the community and some time ago at the suggestion of some of those who’d found it useful, I stood up a donations page [https://haveibeenpwned.com/Donate]. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s...

Last month I was over in Norway doing training for ProgramUtvikling, [http://programutvikling.no/] the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop [https://www.troyhunt.com/2016/02/more-europe-even-more-again-and-more.html] which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cov...

There are few more valuable skills for kids these days than knowing their way around technology. In fact, I’d argue that you could say the same for adults but particularly when you consider the skills that are going to be most valuable in the future for our children, understanding how the connected world functions is key. Their existence is fundamentally different to ours and if you were born in the 70’s like me (or even earlier), just think about how fundamentally different their education and...

There was a piece in the news the other day on how a high school teacher videod his sexual exploits then stored them on Dropbox, after which it was summarily compromised. The video was then posted to the school’s faculty page which obviously caused him enormous embarrassment then to top it off, the school fired him. This is a newsworthy story with regards to privacy and security and was worth sharing: > Probably don't put these in Dropbox: "Teacher’s sex tape stolen from hacked Dropbox, posted...