Privacy

Imagine you wanted to buy some shit on the internet. Not the metaphorical kind in terms of "I bought some random shit online", but literal shit. Turds. Faeces. The kind of thing you never would have thought possible to buy online until... Shitexpress came along. Here's a service that enables you to send an actual piece of smelly shit to "An irritating colleague. School teacher. Your ex-wife. Filthy boss. Jealous neighbour. That successful former classmate. Or all those pesky haters." But it woul...

When the Ashley Madison data breach occurred in 2015, it made headline news around the world. Not just infosec headlines or tech headlines, but the headlines of major consumer media the likes my mum and dad would read. What was deemed especially newsworthy was the presence of email addresses in the breach which really shouldn't have been there; let me list off some headlines to illustrate the point: 1. Ashley Madison Hack: 10,000 Gov’t Officials’ Email Addresses on Leaked Ashley Madison Li...

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS [https://www.troyhunt.com/understanding-http-strict-transport/] and upgrade-insecure-requests via content security policies [https://www.troyhunt.com/the-6-st...

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking: > Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether...

I don't know exactly why the recent uptick, but lately I've had a bunch of people ask me if I've tried the Brave web browser [https://brave.com/tro914]. Why they'd ask me that is much more obvious: Brave is a privacy-focused browser that nukes ads and trackers. It also has some cool built-in stuff like the ability to create a new private browsing window in Tor rather than just your classic incognito window that might ditch all your cookies and browsing history but still connect to the internet...

This will be short, ranty and to the point: these warnings are getting ridiculous: I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet: > I’m not sure if this makes it better or worse... “Cookie walls don't comply with GDPR, says Dutch DPA”: https://t.co/p0koRdGrDB — Troy Hunt (@troyhunt) March 8, 2019 [https://twitter.com/troyhunt/status/1104153598458396672?ref_src=twsrc%5Etfw] The reason I don't know if i...

When I launched Pwned Passwords in August [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/], I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popu...

A little while back, I wrote about Website enumeration insanity [https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/] and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page [https://adultfriendfinder...

Last week we got news of the Rosebutt data breach [http://motherboard.vice.com/read/rosebuttboard-ip-board]. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret. It doesn't matter if you don't agree with the lifestyle choice of those on the site and certainly I myself am not one to look around the house at everyday items and think "I wonder if that could...". That's enti...

It’s now going on two and a half years since I launched Have I been pwned [https://haveibeenpwned.com/] (HIBP) and I’m continually amazed by how much has happened in that time. It started out with a “mere” 152M breached records and has now more than doubled in volume, I’ve added an API, notifications, domain searches, pastes and a heap of other things both visible to the public and behind the scenes. It’s also gone from a hobby project which I thought only a few curious technology people would v...