Have I Been Pwned

A 200-post collection

Watching “Have I been pwned?” Pastebin notifications in action

I imagine this is what it’s like when one of your kids gets old enough to finally beat you at something you’ve poured your heart into teaching them. Yes, I’m proud and it’s awesome that it has turned out so well, but I was still a little disappointed to get this the other day: This came totally out of the blue for me which, of course, is exactly how it’s meant to work. If all this is unfamiliar to you, this is the paste monitoring feature of “Have I been pwned?” (HIBP) which I launched last m...

Your Azure website CPU is going nuts and it’s not your fault

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

This is not what you want to see on your Azure website: Ok, so what are we looking at here? CPU goes up and up and up and then… dramatically down. There are even some additional coloured lines in the middle of that graph indicating that there were more instances put on just to d...

Introducing paste searches and monitoring for “Have I been pwned?”

I’ve got 174,451,409 breached accounts in Have I been pwned? [https://haveibeenpwned.com/] (HIBP) as of today which probably sounds like a lot, but it’s not. Why is it not a lot? Because whilst that list spans a lot of the big breaches I could get my hands on, as of the middle of this year (now a couple of months ago already), there were over half a billion accounts breached in just six months [https://www.riskbasedsecurity.com/2014/08/hacking-exposed-78-of-all-records-compromised-in-first-half-...

10 things I learned about rapidly scaling websites with Azure

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on: This is Have I been pwned? [https://haveibeenpwned.com] (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately. This is what h...

Scaling a standard Azure website to 380k queries per minute of 163M records with loader.io

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

Almost without exception, every week I will have one if not both of the following two discussions: Discussion 1: Illusory superiority of website scale The whole idea of illusory superiority [http://en.wikipedia.org/wiki/Illusory_superiority] is that people get around overestimati...

Error logging and tracking done right with Raygun

For some years now, one of the first things I’ve dropped into any new project has been ELMAH [https://code.google.com/p/elmah/]. Grab it from NuGet, provision yourself a SQL database table and watch magic happen as every unhandled error gets dumped into the DB and is reviewable via a handler which exposes the original stack trace amongst other info such as server variables and POST data. In theory, you also secure this. In practice, many people don’t [https://www.google.com/search?q=inurl%3Aelma...

Donations, why I don’t need them and why I’m now accepting them for “Have I been pwned?”

So we were about halfway through watching the Wolf of Wall Street at the local cinema the other day and the iPhone starts buzzing like a mad thing. It’s on silent, of course, but you get that sense that something important is happening just by virtue of the frequency of the thing randomly jumping around in your pocket every few seconds. But it’s a night out with my wife – a rare night out – and I’m not about to risk a sneaky glance at the phone. Now this is a long movie (as awesome as it was),...

The Tesco hack – here’s how it (probably) happened

As prophesised, it has happened – Tesco has had a serious security incident [http://www.bbc.co.uk/news/technology-26171130]. The prophecy, for new readers, was my piece on Lessons in website security anti-patterns by Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] from a couple of years back. The catalyst for that post was this now infamous tweet in response to my pointing out that they had mixed content on an otherwise secure page: [https://twitter.com/Tesco/sta...

Your API versioning is wrong, which is why I decided to do it 3 different wrong ways

In the end, I decided the fairest, most balanced way was to piss everyone off equally. Of course I’m talking about API versioning and not since the great “tabs versus spaces” debate have I seen so many strong beliefs in entirely different camps. Imagine this: HTTP GET: https://haveibeenpwned.com/api/breachedaccount/foo Response: ["Adobe","Gawker"] This was just fine. When I built Have I been pwned? [https://haveibeenpwned.com] (HIBP) in late November, it was intended to be a simple, fas...

Azure will save you from unexpected Godzilla attack part 2: Red Gate will save you from yourself

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

Yesterday I wrote part 1 of this 2 part series [https://www.troyhunt.com/2014/01/azure-will-save-you-from-unexpected.html] and explained the Godzilla redundant approach of storage in Azure. Each bit of data you put into Azure storage gets replicated multiple times over within the...