Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Streamlining Data Breach Disclosures: A Step-by-Step Process

I don't know how many data breaches I'm sitting on that I'm yet to process. 100? 200? It's hard to tell because often I'm sent collections of multiple incidents in a single archive, often there's junk in there and often there's redundancy across those collections. All I really know is that there's hundreds of gigabytes spread across thousands of files. Sometimes - like in the case of the recent South Africa situation - I could be sitting on data for months that's actually very serious in nature and needs to be brought to public awareness. The biggest barrier by far to processing these is the effort involved in disclosure. I want to ensure that any incidents I load into Have I...

Weekly Update 69 (Boat Edition)

It's my last day in the sun ☹️ Well, at least it's my last day in the sun for a couple of weeks so today I've gone to the sunniest place I know. It's "the boat edition" of my weekly update and I apologise up front for the rocking motion, the occasional wind noise (I lost the fluffy bit off my smartLav mic) and the gratuitous amount of sunshine and beach. This week is all about heading off on travels again and the Indian Aadhaar system which is making big headlines over that way lately. Plus, I show you a little of what it's like down my way on yet another glorious summer day 😎 (And yes, I'm aware I...

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

India's Aadhaar implementation is the largest biometric system in the world, holding about 1.2 billion locals' data. It's operating in an era of increasingly large repositories of personal data held by both private companies and governments alike. It's also an era where this sort of information is constantly leaked to unauthorised parties; last year Equifax lost control of 145.5 million records on US consumers (this started a series of events which ultimately led to me testifying in front of Congress), South Africa had data on everyone living in the country (and a bunch of deceased folks as well) leaked by a sloppy real estate agent and data from Australia's Medicare system was being sold to anyone able to come...

Weekly Update 68

It's 2018! All new year and already someone has gone and broken our computer things courtesy of the Meltdown and Spectre bugs. I only touch briefly on them in this week's update and I refer people to my Twitter timeline for good coverage I've shared. However, there's one resource which stands out above the others and it's this thread from Graham Sutherland. If you want to get a good overview quickly, start there. In other news, I talk about all the NDC events I have coming up:

Just been planning my @NDC_Conferences events for 2018, talks and workshops at:
London, 15 Jan: https://t.co/Sx8JuWouUy
Oslo, 22 Jan: https://t.co/XTA8ItnRKT
Gold Coast, 25 Apr: https://t.co/xIyzZcd6a9
Oslo,...

2017 Retrospective

I look back a lot more than what I suspect people realise. Not in a reminiscent way, but rather because I find it helps me put things in perspective. A lot of people like to set personal goals or objectives so that there's something specific they're setting out to achieve but for me personally, I just want to see progress. I want to be able to do these retrospectives - not just on Jan 1 but every day - and say to myself "yeah, I'm happy with how far I've moved ahead". And believe me when I say that not a day goes by where I don't reflect on the last few years and think "yeah, this...

Weekly Update 67

It's Xmas! Well, it was Xmas but I (and hopefully you too) am still in that Xmas period haze where it's hard to tell one day from the next. Apparently, it's also hard to remember to hit record before talking about this week's updates so yeah, good one Troy! But I did eventually record a full update and in an otherwise slow news week, I thought I'd talk a little bit about Xmas down under in Australia. About 93% of visitors to my blog this year have been from other parts of the world (most notably the US and UK) so the idea of a sunny Xmas is foreign to most. I share a bit about what it's like down...

New Pluralsight Course: Care and Maintenance of Development VMs

Regular readers will know I create a lot of Pluralsight courses. It's now 5 years since I started writing my first one which, incidentally, is still my highest rated course every month (apparently the OWASP Top 10 as it relates to ASP.NET is still a big thing). Most of the time, the courses I create are on topics I know well, primarily on security but occasionally with a bit of cloud and development practices sprinkled in for variety. This one, however, is different. Per the title of this blog, my latest course is on using virtual machines for development and the main reason it's "my" course is because Orin Thomas has done all the work! This is...

Weekly Update 66

This week, it's all about fixing data breaches. Following on from my Congressional testimony last month, I committed to writing about how we can address the root causes, which has led to the 5-part epic that was this week's posts. These posts consumed a huge amount of time this week which is why the weekly update is going up a day late, but it's here now and it's a whopper!

iTunes podcast | Google Play Music podcast | RSS podcast

References
Fixing Data Breaches Part 1: Education (let's do a better job of not having these incidents in the first place)
Fixing Data Breaches Part 2: Data Ownership and Minimisation (give people control of their data and try to collect less of...

Fixing Data Breaches Part 5: Penalties

In the first 4 parts of "Fixing Data Breaches", I highlighted education, data ownership and minimisation, the ease of disclosure and bug bounties as ways of addressing the problem. It was inevitable that we'd eventually end up talking about penalties though because the fact remains that although all the aforementioned recommendations make perfect sense, we're still faced with data breaches day in and day out from companies just not getting the message. This part of the series is also the hardest to implement. It requires regulatory changes, can be highly subjective and poses all sorts of cross-border challenges. But it's important, so let me do my best articulating it.

Are Organisations Actually Paying Attention?

Here's what really strikes...

Fixing Data Breaches Part 4: Bug Bounties

Over the course of this week, I've been writing about "Fixing Data Breaches" which focuses on actionable steps that can be taken to reduce the prevalence and the impact of these incidents. I started out by talking about the value of education; let's do a better job of stopping these incidents from occurring in the first place by avoiding well-known coding and configuration flaws. I went on to data ownership and minimisation where I talked about giving people back control of their data and collecting less of it in the first place. And then yesterday, I encouraged people to make disclosure easier because there are way too many cases where serious issues go unreported. Today's post extends on...