Wednesday, July 30, 2014

DDD Melbourne, hackers and gentlemen's parts

A couple of Saturdays back I spent a day down in Melbourne at DDD doing the usual combination of showing people some of the ridiculous stuff we’re doing on the net in relation to privacy, how we as developers are building some woefully insecure apps and generally making everyone depressed about the state of web. I do mean that in a constructive way though and indeed that’s the entire premise behind the Hack Yourself First courses I’ve been writing; see what it is we’re doing wrong, understand how it’s exploited – I mean actually exploit it yourself – then learn the secure patterns.

I did a workshop in the morning which went off just great. A few dozen people got to pick up some fundamental security concepts and experience things first hand which may have been familiar acronyms yet foreign concepts, at least in terms of actually understanding the mechanics and being able to execute it themselves.

DDD Workshop

Thursday, July 10, 2014

Web security on .NET Rocks!

Did I mention already that NDC was totally awesome? Pretty sure I said something along those lines (many, many times) and as you’ll see from the presentations I did in that link, I had a heap of fun while I was there. Actually, I had so much fun that I’ve already committed to go back in 2015. That’s it, I’m there!

While I was there, I finally got to catch up in person with Carl and Richard of .NET Rocks fame. I’ve been on the show a few times now but it was great to actually get together in person in “The Fishbowl”, that is their glass enclosure in the centre of the event from where they churned out non-stop podcasts for three days on end (and I’ve been very much enjoying listening to them too thanks guys!)

Anyway, I stopped by on the last day and did an episode with them just before I went on stage to do my second talk. We covered a bunch of stuff in terms of how some recent hacks had gone down, where the big risks in web security are these days and various other things that by Richard’s admission, left him “curled up in a closet sobbing at the end”. (Incidentally, don’t believe a word of that, what Richard doesn’t know isn’t worth knowing!)

The podcast is up on the .NET Rocks site here and directly streamable below:

Enjoy!

Tuesday, July 1, 2014

Scaling a standard Azure website to 380k queries per minute of 163M records with loader.io

Almost without exception, every week I will have one if not both of the following two discussions:

Discussion 1: Illusory superiority of website scale

The whole idea of illusory superiority is that people go around overestimating their positive attributes as compared to the norm: how well they drive, how good looking they are and how popular their website will be. By extension, the fact that their website is so awesome naturally means that they will need power. Heaps of power.

Specifically, the discussion usually comes down to how their website needs 4 cores and 24GB of RAM and other fancy bits they saw on a PowerPoint deck or read about in CIO mag. Often the recommendation of the aforementioned scale will come from vendors whose approach to capacity planning can best be described as “How much money ya got?”

I rarely see pragmatic approaches to real capacity planning, you know, the kind that’s done with science. In a modern cloud world you can kinda get away with insufficient capacity planning to a degree as it’s easy to scale up or down or out, although of course that also has a pricing impact that most people like to have a sense of up front.

Ultimately though the point I want to make is this: people don’t appreciate just how far modern web servers can scale. Of course this is also predicated on there being well-designed apps, but particularly a modern incarnation of IIS running on Azure can scale a hell of a long way and that’s what I’m going to show you here today.

Discussion 2: Can the “Have I been pwned?” API support our scale?

This is a very well intentioned question and I get it all the time as people jump on board the free API for HIBP. (Remember, this is my little project that enables you to search for your email address across various breaches where data was dumped publicly.) They’re worried that if they enumerate through tens or hundreds of thousands of accounts that the thing will start puffing smoke or begin somehow adversely impacting other users. No, it won’t, not by a long shot!

Of course it’s an understandable question, after all I’m now supporting queries against 163M records and that must be a pretty resource intensive process, right? As I’ve said before, these queries are executing in as little as only 4ms so actually no, in fact it’s an extremely efficient process. Plus the response size is tiny – only 964 bytes when I search for my email address and that includes the response header which is a third of that. I could get that down even further but at that size the vast majority of the time goes in network latency rather than response size anyway.

Yes, I pay for those responses but consider this: for that response size, if I was to pay as much for Azure bandwidth as what I do to buy 2 coffees each day I could support 76,141,871 queries. That’s right – over 76 million queries. Per day. And that’s if all of them return a result – if an account hasn’t been pwned then HIBP just responds with a 404 which is only 225 bytes so less than a quarter of the size.

Let’s see just how far we can push an Azure website searching through a pretty freakin’ big set of data.

Friday, June 20, 2014

Moving from GoDaddy to DNSimple – an illustrated journey

I just moved all my DNS things from GoDaddy to DNSimple. The reasons are self-evident; here’s the visual journey.

The public face

Danica Patrick: Model, racing driver who can go fast in circles and attractive promo face:

Danica Patrick - pretty face, but does she know her way around a zone file? Doubtful...

Anthony Eden: Coder, open source contributor, founder of DNSimple and rocks a mean beard and pipe:

Anthony Eden - he has a beard so you know he knows networks

Wednesday, June 18, 2014

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this?

@slaneyrw @troyhunt Hi Robert, thanks for reaching us! We can confirm that all payment details are all sent via a API which is secured.

Tuesday, June 17, 2014

Error logging and tracking done right with Raygun.io

For some years now, one of the first things I’ve dropped into any new project has been ELMAH. Grab it from NuGet, provision yourself a SQL database table and watch magic happen as every unhandled error gets dumped into the DB and is reviewable via a handler which exposes the original stack trace amongst other info such as server variables and POST data. In theory, you also secure this. In practice, many people don’t.

To get a sense of what ELMAH does, check it out on my sample insecure website “Supercar Showdown”. It’s neat stuff, but it’s also an absolute firehose of exceptions. The same stuff is there over and over again; there’s no triaging or flagging of exceptions rather it’s just page after page of the same issues. At certain times in the lifecycle of certain projects, I’ve used the automated email notification to be told when an exception is raised then been flooded with noise. Oh – and the logging to the DB won’t work if the exception it’s trying to capture is that the DB can’t be reached!

But this isn’t intended to be an ELMAH-bashing session as indeed it’s served me very well for many years; rather it’s to look at the next evolution of error logging and that’s what brings us to Raygun.io:

Raygun.io branding

With branding like this it must be awesome, right?! Actually yes, it is. Let me explain how this is working for me and the problems it’s solved.

Monday, June 9, 2014

NDC 2014, Vikings, passwords and pineapples (and session videos)

Here was the original plan: propose two talks for NDC, travel over to the other side of the world and do them both then make the long trek home (each trip taking about 33 hours, thank you very much). That was pretty much how it went except that only one of the proposed talks made the cut (I later learned that they seemed too similar which is a perfectly reasonable assessment). So I did the only sensible thing and took the very best parts out of the talk that didn’t make the cut and rolled them into the one that did. And then the week before the event, they asked me to do them both. Uh…

With the originally rejected talk now cannibalised, I fell back to another recent one that had been very successful in webinar format for Pluralsight – my Builders versus Breakers talk. This goes through 10 online attacks, how they happened and how they could have been prevented. I find it a good talk for contextualising security risks by walking through real world attacks with real world impacts. I did this talk on the first day of the event and you can watch it now right here:

"Builders versus Breakers" video

Wednesday, May 28, 2014

The mechanics of the iCloud “hack” and how iOS devices are being held to ransom

If you’re an Aussie with an iPhone, there’s a chance you’ve been woken up in the middle of the night by this:

"Hacked" iPhone showing ransom message

Oh boy. What we’re looking at is an iPhone that has been remotely locked by “Oleg Pliss”: a modern incarnation of ransomware executed via Apple’s iCloud and impacting devices using the “Find my iPhone” feature. Perplexingly, this is predominantly impacting Aussie iCloud users and to date there’s no clear reason why; instead we have 23 pages of reported hacks and general speculation on the Apple Support Community website.

I’ve been speaking to a bunch of people about this attack over the last couple of days so I thought I’d collate some info on how it works, what we know and what the possible sources of the attack may be.

Tuesday, May 27, 2014

Why have security on a vBulletin forum? Because it’s none of your business, that’s why!

I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise:

@troyhunt @m_chaud @realnzall @vBulletin What benefit does a site like mmoc gain from SSL logins?

This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion, a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public view), communicate privately with other registered users via the messaging system and of course being a vBulletin site, partake in the usual public forum activities.

Monday, May 26, 2014

Get Up And Code (and stop sitting in front of the PC all day!)

Be honest now – how many of you are metaphorically shackled to your PCs day in and day out? Keeping in mind that I largely speak to an audience that earns a living by spending the majority of their day in front of screens, a great deal of people reading this just aren’t making enough time to literally see the light of day. Admittedly, I’m one of those screen-bound people that puts in a whole lot of hours coding, blogging, recording, emailing and partaking in all sorts of other byte-driven activity that frankly, isn’t real healthy for you.

On the flip side, I make a very conscious effort to stay active and balance all that sedentary programmer lifestyle with fresh air, physical exertion and activities which force my brain to turn off from the daily grind for a couple of hours. As non-stereotypical as this is for our industry, there are a number of us who approach life the same way and you can listen to them on John Sonmez’s Get Up And Code podcast. In fact you can listen to me on the podcast right here:
