So someone sent me this on the weekend: They asked me to censor the Bitcoin address because as you can see above, it’s unique to them and quite understandably, they don’t want anything that can tie this blackmail attempt back to them going public. Except that the address is a perfect match with this one: > Looks like some people are attempting to capitalize on the @Patreon [https://twitter.com/Patreon] hack/leak. @Troyhunt [https://twitter.com/troyhunt]. Kinda funny to me. pic.twitter.com/8...

I did a security workshop in a faraway land recently. I’ll not say which one because I want to ensure there’s an appropriate level of anonymity for this story as it could be rather inconvenient for the subject of it otherwise. Anyway, I do my usual thing of showing attendees how to hack their own things. We do SQL injection and XSS and a whole bunch of other really hands on stuff targeted at developers. The niche I find myself filling these days is security content that talks to folks who actua...

As I wrote recently, somehow I have found myself over in Europe at the cold end of the season [https://www.troyhunt.com/2015/10/troys-uk-and-bit-of-norway-tour-dates.html] , including in Oslo which as I understand it is both cold and dark in Jan. But the invite to do what I‘m doing was just too tempting to say no so let me outline it here for those who may be able to get along. Hack Yourself First Workshop: Wed 20 and Thu 21 Jan I’ve written about this workshop many times before in various pl...

If you’re reading this, it’s possible I directed you here with little more than a mere URL in my reply to you. It’s likely that you asked for data that has been breached from an online system. Perhaps it was your data you asked for, perhaps it was other people’s data you were seeking but regardless, the response is the same. No, I cannot. In running Have I been pwned? [https://haveibeenpwned.com/] (HIBP) I obviously come across a lot of data breaches with a lot of sensitive data. I understand t...

It’s a bit hard to even know where to begin with this one, perhaps at the start and then I’ll try and piece all the bits together as best I can. As you may already know if you’re familiar with this blog, I run the service Have I been pwned? [https://haveibeenpwned.com/] (HIBP) which allows people to discover where their personal data has been compromised on the web. When a breach hits the public airwaves, I load in the email addresses and those who subscribe to the service (it’s free) get noti...

So the Ethical Hacking series marches on, this time with my third course in the series, Ethical Hacking: Hacking Web Applications [http://www.pluralsight.com/courses/ethical-hacking-web-applications]. As a quick recap of why we’re doing this series, Ethical Hacking material remains the number one requested content on Pluralsight’s course suggestion list [http://support.pluralsight.com/forums/127919-new-course-suggestions]. It’s more in demand than all the new shiny Microsoft .NET bits or fancy c...

So a few months ago I wrote about having a little visit to London [https://www.troyhunt.com/2015/07/its-time-to-visit-london.html] in Jan and offered to do a workshop or two while I’m there. Anyway, one thing lead to another and now I’m away for four weeks. In Jan. When it’s cold there. And hot here. But seriously, it’s wonderful there’s been so much interest in my “Hack Yourself First” workshops. I’m spending time with some really interesting organisations who are getting their developers trai...

This must have seemed like a good idea at the time: > We're LIVE! Tweet your cyber crime questions in using #cybercrimensw [https://twitter.com/hashtag/cybercrimensw?src=hash] — NSW Police (@nswpolice) October 14, 2015 [https://twitter.com/nswpolice/status/654084466600644608] The idea of a hashtag campaign is to drum up social support where anyone can chime in with their 2 cents worth and all going according to plan, you get all this nice warm and fuzzy community engagement. Problem is though...

This is somewhat of a perplexing acquisition, but apparently LastPass is now owned by LogMeIn [https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/]. I get it in the-big-publicly-traded-company-gobbling-up-the-smaller-one kinda way, but it’s an odd marriage for a company that builds remote desktop software to buy one that builds a password manager. People aren’t real happy either when you look at the comments they’ve left on that post. Why aren’t they happy? I touched on it here: >...

I’m a big proponent of the content security policy paradigm (CSP) supported by modern browsers. In fact I’m so keen on them I even wrote a Pluralsight course: Introduction to Browser Security Headers [http://www.pluralsight.com/courses/browser-security-headers]. (Sidenote: I’m enormously happy with how well this course has been received, seems there’s an appetite for securing our things after all!) Now if you’re not sure what all the fuss is about, have a quick read of my launch blog post for...