Thursday, August 28, 2014

Security Insanity with RunAs Radio

I know I’ve shared this a number of times now, but no matter how much I see it, it still cracks me up:

Twitter: @troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

Make sense? Of course it doesn’t and therein lies the insanity of it all! But let us not single out Tesco alone, there are plenty of British companies that construct responses like this (sorry English people, I don’t know why, they just seem to feature disproportionately to the rest of the world). In fact earlier this week I wrote about the new Twitter account I’d set up called @InfoSecInsanity which is sharing heaps of this kind of nuttiness, not just the stuff from the UK!

I was inspired in part when Richard Campbell asked me to do another RunAs Radio show on the subject and I realised I didn’t have a good list of the crazy on hand. Anyway, InfoSec Insanity is now a thing and Richard and I recorded the show earlier this week. It’s now out for your listening pleasure here or you can play it directly below. Enjoy!

Monday, August 25, 2014

InfoSec Insanity: Sharing the crazy for the betterment of online security

I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:

Logo

That’s right, a great big freakin’ padlock with a straightjacket or more to the point, I created the Twitter account @InfoSecInsanity.

Tuesday, August 12, 2014

Hello World, this is Troy

How did you get started in this industry? I mean what made you go “Hey, sitting at a keyboard day in day out whilst focussed on screens and not seeing much sunlight sounds awesom…” – wait, it doesn’t sound quite so awesome when you think of it like that.

In fact that was my original view of computers in general but as I told Shawn Wildermuth on his latest Hello World podcast, that view of the world soon changed. The change of heart was more than helped along by making some rather obscene amounts of money writing code while very young, then consequently watching it all disappear (and then some) as the dodgy “horseracing identities” I was writing it for went down in spectacular fashion.

That’s just part of the story I told Shawn, here’s the rest of it:

Friday, August 8, 2014

Migrating from Subversion to Git with svn2git on Windows (the tricky bits explained)

This is one of those “I keep doing this and it hurts each time and there’s never a good concise resource that explains it well so I’m writing one” posts. Yes, yes, I know it’s easy – if you have Ruby installed. Or you’re living in a *nix world. Or you have a reasonable understanding of Git. Or you get pleasure from pain.

However, if you’re living on Windows and you just want to get the damn thing done, it can be painful. I keep setting up new machines and having to remember how to do this from scratch so this time, I’m writing it all down. Here goes:

Thursday, August 7, 2014

Too much soft cheese may directly impact your health insurance premiums

We’ve become accustomed to the whole idea of us being electronically tracked based on our various personal habits. In fact just the other day I was asking online about Bose headphones, did a couple of searches then next thing I knew, my own blog was plugging them to me:

Bose headphones being promoted on my blog

But again, we’ve got a bit of a sense of tracking cookies now and that the same ad networks operate across seemingly independent websites therefore providing the ability to track and target information.

Wednesday, July 30, 2014

DDD Melbourne, hackers and gentlemen's parts

A couple of Saturdays back I spent a day down in Melbourne at DDD doing the usual combination of showing people some of the ridiculous stuff we’re doing on the net in relation to privacy, how we as developers are building some woefully insecure apps and generally making everyone depressed about the state of the web. I do mean that in a constructive way though and indeed that’s the entire premise behind the Hack Yourself First courses I’ve been writing: see what it is we’re doing wrong, understand how it’s exploited – I mean actually exploit it yourself – then learn the secure patterns.

I did a workshop in the morning which went off just great. A few dozen people got to pick up some fundamental security concepts and experience things first hand which may have been familiar acronyms yet foreign concepts, at least in terms of actually understanding the mechanics and being able to execute it themselves.

DDD Workshop

Thursday, July 10, 2014

Web security on .NET Rocks!

Did I mention already that NDC was totally awesome? Pretty sure I said something along those lines (many, many times) and as you’ll see from the presentations I did in that link, I had a heap of fun while I was there. Actually, I had so much fun that I’ve already committed to go back in 2015. That’s it, I’m there!

While I was there, I finally got to catch up in person with Carl and Richard of .NET Rocks fame. I’ve been on the show a few times now but it was great to actually get together in person in “The Fishbowl”, that is their glass enclosure in the centre of the event from where they churned out non-stop podcasts for three days on end (and I’ve been very much enjoying listening to them too thanks guys!)

Anyway, I stopped by on the last day and did an episode with them just before I went on stage to do my second talk. We covered a bunch of stuff in terms of how some recent hacks had gone down, where the big risks in web security are these days and various other things that by Richard’s admission, left him “curled up in a closet sobbing at the end”. (Incidentally, don’t believe a word of that, what Richard doesn’t know isn’t worth knowing!)

The podcast is up on the .NET Rocks site here and directly streamable below:

Enjoy!

Tuesday, July 1, 2014

Scaling a standard Azure website to 380k queries per minute of 163M records with loader.io

Almost without exception, every week I will have one if not both of the following two discussions:

Discussion 1: Illusory superiority of website scale

The whole idea of illusory superiority is that people go around overestimating their positive attributes compared to the norm: how well they drive, how good looking they are and how popular their website will be. By extension, the fact that their website is so awesome naturally means that they will need power. Heaps of power.

Specifically, the discussion usually comes down to how their website needs 4 cores and 24GB of RAM and other fancy bits they saw on a PowerPoint deck or read about in CIO mag. Often the recommendation of the aforementioned scale will come from vendors whose approach to capacity planning can best be described as “How much money ya got?”

I rarely see pragmatic approaches to real capacity planning, you know, the kind that’s done with science. In a modern cloud world you can kinda get away with insufficient capacity planning to a degree as it’s easy to scale up or down or out, although of course that also has a pricing impact that most people like to have a sense of up front.

Ultimately though the point I want to make is this: people don’t appreciate just how far modern web servers can scale. Of course this is also predicated on there being well-designed apps, but particularly a modern incarnation of IIS running on Azure can scale a hell of a long way and that’s what I’m going to show you here today.

Discussion 2: Can the “Have I been pwned?” API support our scale?

This is a very well intentioned question and I get it all the time as people jump on board the free API for HIBP. (Remember, this is my little project that enables you to search for your email address across various breaches where data was dumped publicly.) They’re worried that if they enumerate through tens or hundreds of thousands of accounts that the thing will start puffing smoke or begin somehow adversely impacting other users. No, it won’t, not by a long shot!

Of course it’s an understandable question, after all I’m now supporting queries against 163M records and that must be a pretty resource intensive process, right? As I’ve said before, these queries are executing in as little as 4ms so actually no, in fact it’s an extremely efficient process. Plus the response size is tiny – only 964 bytes when I search for my email address and that includes the response header which is a third of that. I could get that down even further but at that size the vast majority of the time goes in network latency rather than response size anyway.

Yes, I pay for those responses but consider this: for that response size, if I was to pay as much for Azure bandwidth as what I do to buy 2 coffees each day I could support 76,141,871 queries. That’s right – over 76 million queries. Per day. And that’s if all of them return a result – if an account hasn’t been pwned then HIBP just responds with a 404 which is only 225 bytes so less than a quarter of the size.

Let’s see just how far we can push an Azure website searching through a pretty freakin’ big set of data.

Friday, June 20, 2014

Moving from GoDaddy to DNSimple – an illustrated journey

I just moved all my DNS things from GoDaddy to DNSimple. The reasons are self-evident; here’s the visual journey.

The public face

Danica Patrick: Model, racing driver who can go fast in circles and attractive promo face:

Danica Patrick - pretty face, but does she know her way around a zone file? Doubtful...

Anthony Eden: Coder, open source contributor, founder of DNSimple and rocks a mean beard and pipe:

Anthony Eden - he has a beard so you know he knows networks

Wednesday, June 18, 2014

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this?

@slaneyrw @troyhunt Hi Robert, thanks for reaching us! We can confirm that all payment details are all sent via a API which is secured.
