Wednesday, 15 April 2015

</pfizer>

Today marks two important milestones for me – it’s the first time I’ve ever mentioned Pfizer on this blog and after 14 years, it’s my last day working for them. Both those milestones are significant and in their own ways, mark a pivotal point in my career. For those that are interested, I’d like to tell you what I’ve been doing in recent years and give a hint of what will come next.

Troy Hunt - Line Architect - Solution Delivery

Monday, 13 April 2015

Orchestrating massive parallelisation of Azure WebJobs for fun and profit

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach on the scale of Adobe back in 2013, you know, the one where they had 153 million user accounts wander out the door. If I had to load those into Have I been pwned? (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure.

When I first wrote about how I built the system, I talked about a very rudimentary console app implementation that I used to bulk load data into Azure Table Storage. I started with the Adobe breach and then batched that data into storage at the maximum rate of 100 rows per transaction. The problem, however, is that I couldn’t batch subsequent breaches as for each row I needed to check if the account existed in the system already then either update the existing record or insert a new one. It’s explained more in that original post, but because I want the service to be super-fast when querying it, I want one row in one partition for each email address and that has a massive impact on the speed with which I can insert new data.

After toiling away with the easiest short-term solution I could find for loading new breaches, I came to the following conclusion about the efficiency of the process:

However at that speed, another Adobe at 153 million records would still take a month.

Ouch! And this is for pretty time-critical data too because much of the value proposition of HIBP is that people get to know about a breach fast, not a month later! I needed a better mousetrap, and here’s how I built it.

Have I been pwned? logo

Friday, 10 April 2015

How to get your SSL for free on a Shared Azure website with CloudFlare

As you may be well aware by now, Microsoft’s Azure gets me rather excited. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have an awesome answer ready to go. Almost…

The one question that throws me is the one I was once again asked just recently:

I can only justify paying for a Shared Azure website but I need SSL – what do I do?

I have not had a good answer for this, including the one I usually give – “Maybe Azure is not for you”. Now that’s sad because Azure does many wonderful things and with the increasing ubiquity of SSL, offering a service tier which explicitly denies it is really unfortunate. Here’s where the problem lies:

Azure website service tiers

Thing is though, that Shared tier is less than $10 a month and if you have to go to Basic you’re looking at $56 a month which is a hell of a mark-up. One thing worth mentioning is that you can host unlimited websites on that Basic plan for your $56 (assuming the logical machine underneath it can handle the load, of course), but you’ve got to have a handful of sites before you can justify that and then you still need to pay for SSL on top of that. The bottom line is that you’re looking at nearly a seven-fold increase in cost to move up to Basic and that simply rules it out for many people. Or does it?

Thursday, 9 April 2015

Building a better Pluralsight recording rig

I didn’t think there was much wrong with my existing recording setup, but it turned out to be one of those “You don’t know what you don’t know” kind of things. It was only whilst over at the Pluralsight author summit last month that I talked to people who actually knew what they were doing and then I realised what was wrong!

As a result of that visit, I’ve just finished totally revamping my recording setup. New mic. New boom. New stuff I didn’t know existed or that I even needed! But I’m enormously happy with the result and I thought I’d share the bits here. Here’s the video explaining it followed by all the bits and prices:

Wednesday, 8 April 2015

To the cloud! Learn about Microsoft Azure “from the trenches” on Pluralsight

Let’s just get this out of the way early – Azure is awesome. No really, I am continually blown away by the stuff you can do with it, how cheaply you can do it and just how much it changes the conversation you can have with those you’re delivering solutions to using Microsoft’s cloud. This is not an endorsement based on my affinity for Microsoft nor is it constructed from what I read or see at talks, it’s based on my own firsthand experiences delivering real world software on the platform.

I’ve been writing a lot about Azure over the last 18 months as I’ve built out Have I been pwned? (HIBP). This has been an excellent test case for Azure (indeed that’s one of the reasons I built the service in the first place) and it’s demonstrated a number of cloud attributes that Azure does so well. For example, I’ve had to deal with very rapid scale changes that go from almost zero traffic to 12,000 visitors in just over an hour. That’s just organic traffic too – people with browsers – sometimes it gets properly busy and I see 8,000 requests per minute courtesy of just one consumer hammering the API. Another example of cloud-like behaviour is the ability to deliver on a budget – I don’t make anything beyond donations out of this thing so I run it on an absolute shoestring and still support the scale when there are many millions of hits in a day.

But there’s a lot of work I’ve been doing with Azure behind the scenes too, work I don’t always get to talk about publicly. What I will say though is that there have been some great opportunities to really transform the way software runs on the web not just by moving it into Azure but specifically by using Azure’s Platform as a Service (PaaS) facilities, namely web sites (which changed to web apps before I finished creating the course, thanks for that guys…) and the Azure SQL database service. This has led to some really serious cost savings (did you know you can put as many sites as you like on one basic or standard website service?) and massive reductions in management and people overhead.

In fact I reckon Azure is so awesome, I made a course on it – a proper course:

Modernizing Your Websites with Azure Platform as a Service

Tuesday, 7 April 2015

Fail fast when the cloud fails you

It’s never real nice waking up to something like this:

Azure having almost total outage since about 03:40

This was Have I been pwned? (HIBP) first thing my Saturday morning. The outage was accompanied by a great many automated email notifications and manual reminders from concerned citizens that my site was indeed, down. Having my Azure showcase site down at the very same moment as my Pluralsight course on Azure was launched – Modernizing Your Websites with Azure Platform as a Service – only served to rub salt into the wound.

But as I’ve written before, the cloud does actually go down. If anyone tells you it doesn’t, they fundamentally misunderstand the mechanics which underlie what is ultimately still just a bunch of computers running [something] as a service. Whilst you can certainly get much higher degrees of resiliency against outages, you don’t get 100% uptime and indeed that’s why the SLAs in the aforementioned blog post exist.

Saturday, 4 April 2015

The unabating cold call virus scams

Update: Literally an hour after posting this, I had another call running the same scam. As suggested earlier, I broadcast this one via Periscope and you can go back and watch it via the app. I’ll be more organised next time and have a special machine ready for them :)

These things just don’t stop. I had my first seriously nasty one a few years ago which I summarily recorded, annotated and published for amusement and education. 817k views later and, well, clearly these are both entertaining and unabating so I keep capturing them.

I actually hadn’t received any for quite some time, then I had one a few days ago from “Telstra” (a large local Telco down here in Australia) which quickly descended into rampant abuse from the operator. In fact it got so derogatory that I elected not to publish it (much of it was directed at my wife). Then would you believe it, I get another one just today. Naturally I recorded it and gave him enough rope to see the mechanics of the scam and, just like they were with LogMeIn years ago, they’re abusing TeamViewer and Ammyy Admin, both used to take remote control of the target, after which a variety of nasty things usually happen.

Warning: By the end it all descends into “creative” suggestions of how I can better enjoy my own company. If you still want to see it, here’s the video in its unedited entirety:

Thursday, 2 April 2015

Microsoft MVP again, year five!

Last year was rather busy. I pushed out 78 blog posts. I had many millions of page views with over half a million on the Shellshock bug post alone (and mostly just in September). There were a bunch of conferences both down here in Australia and overseas, a few national TV spots and another 5 Pluralsight courses. And the ultimate endorsement of online success, abusive trolls. It was a very good year :)

So per the title of the post, I was honoured to receive my fifth Microsoft Most Valuable Professional award today. The award recognises the things that people like myself have gotten up to over the previous year as it relates to community contributions and of course, doing really useful stuff with Microsoft things. My award continues to be in the Developer Security space and inevitably that’s where the majority of my focus goes, but I’ve also enjoyed spending a whole heap of time in Azure this last year as well. In fact there were 15 blog posts bearing the Azure tag in 2015, mostly due to writing on Have I been pwned? There’s also a Pluralsight course on how to modernise your web things with Azure that’ll hit the air any day now.

MVP logo

I have nothing but positive things to say about the MVP program. The four years since I was first awarded have gone by very quickly and being an MVP has brought some absolutely wonderful opportunities. As a professional endorsement it has been invaluable and the renewal comes at a particularly poignant time for me. I’ll write more about that in the next couple of weeks, but for now I will say that the MVP program has been a very important part of establishing credibility, independence and opportunities I could only dream of when I started being “public” five and a half years ago. I sincerely hope the opportunities the award has given me have benefited those of you reading this and that it continues to do so for many years to come.

Tuesday, 31 March 2015

Deconstruct websites, get hired: hiding recruitment messages in source code

The other day I did a security workshop at a firm here in Sydney and one of the things we did was proxy a bunch of traffic and inspect what was going on behind the scenes. Among the expected hilarity that always ensues from these sorts of exercises (you can find heaps more of this in my Hack Your API First course), one of the guys at the event found this in the response headers of Airbnb:

X-Hi-Human: The Production Infrastructure team added this header. Come work with us! Email kevin.rice+hiring@airbnb.com

Awesome – an HTTP response header designed for humans! Of course it’s only special humans that actually go to the trouble of reading response headers behind mobile APIs (although it looks like any request to airbnb.com returns it), special humans the likes of which may actually have the chops to work at a place like Airbnb building software. It seems that Kevin is a genuine bloke at Airbnb too and not just an HR contact, but an Engineering Manager. Nice.

I didn’t think much more about it at the time, then the other day I was peeking through how Microsoft’s Azure portal is put together and came across this:

Microsoft recruitment ad in the HTML source of the Azure portal

Friday, 13 March 2015

On being a Pluralsight author

I’ve just come back from spending some time over in Utah with Pluralsight and a bunch of fellow authors and as I was last year, I’m all excited and full of great ideas. A bunch of people asked me what it was all about and what it means to be a Pluralsight author so rather than continually giving short responses to individuals, I thought I should articulate things a little more clearly because frankly, it’s all rather exciting. Let me explain.

Entry to the Authors Summit
