Tuesday, August 12, 2014

Hello World, this is Troy

How did you get started in this industry? I mean what made you go “Hey, sitting at a keyboard day in day out whilst focussed on screens and not seeing much sunlight sounds awesom…” – wait, it doesn’t sound quite so awesome when you think of it like that.

In fact that was my original view of computers in general but as I told Shawn Wildermuth on his latest Hello World podcast, that view of the world soon changed. The change of heart was more than helped along by making some rather obscene amounts of money writing code while very young, then consequently watching it all disappear (and then some) as the dodgy “horseracing identities” I was writing it for went down in spectacular fashion.

That’s just part of the story I told Shawn, here’s the rest of it:

Friday, August 8, 2014

Migrating from Subversion to Git with svn2git on Windows (the tricky bits explained)

This is one of those “I keep doing this and it hurts each time and there’s never a good concise resource that explains it well so I’m writing one” posts. Yes, yes, I know it’s easy – if you have Ruby installed. Or you’re living in a *nix world. Or you have a reasonable understanding of Git. Or you get pleasure from pain.

However, if you’re living on Windows and you just want to get the damn thing done, it can be painful. I keep setting up new machines and having to remember how to do this from scratch so this time, I’m writing it all down. Here goes:

Thursday, August 7, 2014

Too much soft cheese may directly impact your health insurance premiums

We’ve become accustomed to the whole idea of us being electronically tracked based on our various personal habits. In fact just the other day I was asking online about Bose headphones, did a couple of searches then next thing I knew, my own blog was plugging them to me:

Bose headphones being promoted on my blog

But again, we’ve got a bit of a sense of tracking cookies now and that the same ad networks operate across seemingly independent websites therefore providing the ability to track and target information.

Wednesday, July 30, 2014

DDD Melbourne, hackers and gentlemen's parts

A couple of Saturdays back I spent a day down in Melbourne at DDD doing the usual combination of showing people some of the ridiculous stuff we’re doing on the net in relation to privacy, how we as developers are building some woefully insecure apps and generally making everyone depressed about the state of the web. I do mean that in a constructive way though and indeed that’s the entire premise behind the Hack Yourself First courses I’ve been writing: see what it is we’re doing wrong, understand how it’s exploited – I mean actually exploit it yourself – then learn the secure patterns.

I did a workshop in the morning which went off just great. A few dozen people got to pick up some fundamental security concepts and experience things first hand which may have been familiar acronyms yet foreign concepts, at least in terms of actually understanding the mechanics and being able to execute it themselves.

DDD Workshop

Thursday, July 10, 2014

Web security on .NET Rocks!

Did I mention already that NDC was totally awesome? Pretty sure I said something along those lines (many, many times) and as you’ll see from the presentations I did in that link, I had a heap of fun while I was there. Actually, I had so much fun that I’ve already committed to go back in 2015. That’s it, I’m there!

While I was there, I finally got to catch up in person with Carl and Richard of .NET Rocks fame. I’ve been on the show a few times now but it was great to actually get together in person in “The Fishbowl”, that is their glass enclosure in the centre of the event from where they churned out non-stop podcasts for three days on end (and I’ve been very much enjoying listening to them too thanks guys!)

Anyway, I stopped by on the last day and did an episode with them just before I went on stage to do my second talk. We covered a bunch of stuff in terms of how some recent hacks had gone down, where the big risks in web security are these days and various other things that by Richard’s admission, left him “curled up in a closet sobbing at the end”. (Incidentally, don’t believe a word of that, what Richard doesn’t know isn’t worth knowing!)

The podcast is up on the .NET Rocks site here and directly streamable below:

Enjoy!

Tuesday, July 1, 2014

Scaling a standard Azure website to 380k queries per minute of 163M records with loader.io

Almost without exception, every week I will have one if not both of the following two discussions:

Discussion 1: Illusory superiority of website scale

The whole idea of illusory superiority is that people go around overestimating their positive attributes as compared to the norm: how well they drive, how good looking they are and how popular their website will be. By extension, the fact that their website is so awesome naturally means that they will need power. Heaps of power.

Specifically, the discussion usually comes down to how their website needs 4 cores and 24GB of RAM and other fancy bits they saw on a PowerPoint deck or read about in CIO mag. Often the recommendation of the aforementioned scale will come from vendors whose approach to capacity planning can best be described as “How much money ya got?”

I rarely see pragmatic approaches to real capacity planning, you know, the kind that’s done with science. In a modern cloud world you can kinda get away with insufficient capacity planning to a degree as it’s easy to scale up or down or out, although of course that also has a pricing impact that most people like to have a sense of up front.

Ultimately though the point I want to make is this: people don’t appreciate just how far modern web servers can scale. Of course this is also predicated on there being well-designed apps, but particularly a modern incarnation of IIS running on Azure can scale a hell of a long way and that’s what I’m going to show you here today.

Discussion 2: Can the “Have I been pwned?” API support our scale?

This is a very well intentioned question and I get it all the time as people jump on board the free API for HIBP. (Remember, this is my little project that enables you to search for your email address across various breaches where data was dumped publicly.) They’re worried that if they enumerate through tens or hundreds of thousands of accounts, the thing will start puffing smoke or begin somehow adversely impacting other users. No, it won’t, not by a long shot!

Of course it’s an understandable question, after all I’m now supporting queries against 163M records and that must be a pretty resource intensive process, right? As I’ve said before, these queries are executing in as little as 4ms so actually no, in fact it’s an extremely efficient process. Plus the response size is tiny – only 964 bytes when I search for my email address and that includes the response header which is a third of that. I could get that down even further but at that size the vast majority of the time goes in network latency rather than response size anyway.

Yes, I pay for those responses but consider this: for that response size, if I was to pay as much for Azure bandwidth as what I do to buy 2 coffees each day I could support 76,141,871 queries. That’s right – over 76 million queries. Per day. And that’s if all of them return a result – if an account hasn’t been pwned then HIBP just responds with a 404 which is only 225 bytes so less than a quarter of the size.

Let’s see just how far we can push an Azure website searching through a pretty freakin’ big set of data.

Friday, June 20, 2014

Moving from GoDaddy to DNSimple – an illustrated journey

I just moved all my DNS things from GoDaddy to DNSimple. The reasons are self-evident; here’s the visual journey.

The public face

Danica Patrick: Model, racing driver who can go fast in circles and attractive promo face:

Danica Patrick - pretty face, but does she know her way around a zone file? Doubtful...

Anthony Eden: Coder, open source contributor, founder of DNSimple and rocks a mean beard and pipe:

Anthony Eden - he has a beard so you know he knows networks

Wednesday, June 18, 2014

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this?

@slaneyrw @troyhunt Hi Robert, thanks for reaching us! We can confirm that all payment details are all sent via a API which is secured.

Tuesday, June 17, 2014

Error logging and tracking done right with Raygun.io

For some years now, one of the first things I’ve dropped into any new project has been ELMAH. Grab it from NuGet, provision yourself a SQL database table and watch magic happen as every unhandled error gets dumped into the DB and is reviewable via a handler which exposes the original stack trace amongst other info such as server variables and POST data. In theory, you also secure this. In practice, many people don’t.

To get a sense of what ELMAH does, check it out on my sample insecure website “Supercar Showdown”. It’s neat stuff, but it’s also an absolute firehose of exceptions. The same stuff is there over and over again; there’s no triaging or flagging of exceptions rather it’s just page after page of the same issues. At certain times in the lifecycle of certain projects, I’ve used the automated email notification to be told when an exception is raised then been flooded with noise. Oh – and the logging to the DB won’t work if the exception it’s trying to capture is that the DB can’t be reached!

But this isn’t intended to be an ELMAH-bashing session as indeed it’s served me very well for many years, rather it’s to look at the next evolution of error logging and that’s what brings us to Raygun.io:

Raygun.io branding

With branding like this it must be awesome, right?! Actually yes, it is. Let me explain how this is working for me and the problems it’s solved.

Monday, June 9, 2014

NDC 2014, Vikings, passwords and pineapples (and session videos)

Here was the original plan: propose two talks for NDC, travel over to the other side of the world and do them both then make the long trek home (each trip taking about 33 hours, thank you very much). That was pretty much how it went except that only one of the proposed talks made the cut (I later learned that they seemed too similar which is a perfectly reasonable assessment). So I did the only sensible thing and took the very best parts out of the talk that didn’t make the cut and rolled them into the one that did. And then the week before the event, they asked me to do them both. Uh…

With the originally rejected talk now cannibalised, I fell back to another recent one that had been very successful in webinar format for Pluralsight – my Builders versus Breakers talk. This goes through 10 online attacks, how they happened and how they could have been prevented. I find it a good talk for contextualising security risks by walking through real world attacks with real world impacts. I did this talk on the first day of the event and you can watch it now right here:

"Builders versus Breakers" video