Have I Been Pwned

If I’m honest, the success of Have I been pwned? (HIBP) [https://haveibeenpwned.com] took me by surprise. It started out as an intriguing exercise to look at how the same accounts were being compromised across multiple data breaches and morphed into something well beyond that in pretty short order. The unexpected success of the service made for some really intriguing technology challenges and provided me with an excellent opportunity to push Microsoft’s Azure to the limits, not just in terms of...

Over the last week, the Hacking Team story has absolutely exploded. It’s dominated the security news, featured heavily in tech publications and regularly appeared in the mainstream press. The 400GB of data leaked has been extensively torrented, mirrored and reproduced then of course commentated on at length in various articles and social media pieces. In terms of public breaches, this is as exposed as data gets. Clearly, this incident is also highly controversial. Hacking Team has long been und...

During my travels over recent weeks I’ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com [http://americanexpress.com] and show the network requests: I point out how the first one goes out over HTTP because this is what browsers do when you don’t explicitly enter a scheme such as “https://”. The server responds to this request with an HTTP 301 “Moved Permanently” and a “location” header w...

There’s been a huge amount of activity on Have I been pwned? [https://haveibeenpwned.com/] (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach [http://time.com/3893946/adultfriendfinder-data-breach/] which drew a lot of attention. The activity has comprised of organic browser-based traffic as well hits to the API [https://haveibeenpwned.com/API/v2]. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase of traffic) sud...

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach the scale of Adobe back in 2013, you know, the one where they had a 153 million user accounts wander out the door. If I had to load those into Have I been pwned? [https://haveibeenpwned.com/] (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure. When I first wrote about how I built the system [https://www.troyhunt.com/2013/12/working-with-154-mi...

It’s never real nice waking up to something like this: This was Have I been pwned? [https://haveibeenpwned.com] (HIBP) first thing my Saturday morning. The outage was accompanied by a great many automated email notifications and manual reminders from concerned citizens that my site was indeed, down. Having my Azure showcase site down at the very same moment as my Pluralsight course on Azure was launched – Modernizing Your Websites with Azure Platform as a Service [http://www.pluralsight.com/c...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]How much capacity will you need for your app? Or asked another way if wearing the vendor hat, how much money ya got? We’re generally lousy at estimating infrastructure capacity requirements and even when a more scientific approach is taken (and it’s frequently not), we’re still l...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]I was helping out a consumer of Have I been pwned? [https://haveibeenpwned.com/] (HIBP) earlier today as they were trying to build up a profile of the pwnage state of their client base. This mean firing a heap of requests at the API [https://haveibeenpwned.com/API/v2] so that they...