Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly update 11

A bit of a quieter week this time blog wise, but a very busy week in terms of HIBP traffic. It went pretty nuts on Tuesday with a spike on a scale I'd never seen before which made things, well, "interesting". I also put the word out about an "ask me anything" live stream event I'm going to do early next week which should be a lot of fun. Oh - and the Indian pathology results exposed to the world - that's unfolding as I write this but the position from the lab exposing things like patient HIV results to the world right now is "we'll get around to it in Jan". The latest is that BuzzFeed has just written about...

Brief lessons on handling huge traffic spikes

Earlier today, Have I been pwned (HIBP) appeared on a British TV show called The Martin Lewis Money Show. A producer had contacted me about this last week: "I just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resources onto it, we do have a tendency to crash websites with traffic!" I get this a bit - people saying the site will be featured or that they'll be hitting the API a lot or...

It's Have I been pwned's birthday and I'm doing a live streamed AMA

It's hard to believe it, but Sunday 4 December will mark 3 years since I launched Have I been pwned. A huge amount has happened in that time, not just for HIBP but for the industry and indeed for me personally. I certainly didn't expect it to become what it is, not in terms of the amount of data or the number of people visiting and subscribing and certainly not the media attention it's drawn from all over the world. That's posed some really unique challenges but been enormously rewarding too. To celebrate, I thought I'd do a live streamed "Ask Me Anything" next week. I want to stream it so that I can answer questions verbally and show things...

Weekly update 10

This has been a mega week with a couple of pretty contentious blog posts which frankly, are the best kind! It gets so boring when everyone just nods and agrees... But seriously, the one on ad blockers in particular shows just what a mess we've gotten ourselves into and the "ban all the ads (or anything that has even a sniff of an ad)" proponents are a big part of the problem. I talk about it in detail in the video though so here it is, along with all the podcasts too: iTunes podcast | Google Play Music podcast | RSS podcast (And yes, that's a mic bottom left of frame, I recorded with my good boom mic this time and totally...

Get "The Information Security Big Picture" on Pluralsight now!

If you're here reading this then it probably won't come as a big surprise but brace yourself anyway - we have a security problem. Yes, yes, I know, it's all very terrifying and not a day goes by where someone isn't getting cyber-something'd. As best I can tell from the news, it's pretty much all to do with guys in hoodies sitting at green screens pwning all our things. I'm quite sure that's the case, I even did a quick check on Google to confirm: I talk about these crazy hacker perceptions in the intro of my new Pluralsight course and despite the sensationalist and inaccurate imagery in the reporting, security genuinely is a big problem. In my view, much...

Have I been pwned and spam lists of personal information

One of the things I'm finding with running Have I been pwned (HIBP) is that over time, my approach is changing. Nothing dramatic thus far, usually just what I'd call "organic" corrections in direction and usually in response to things I've learned, industry events or changes in the way people are using the service. For example, the Ashley Madison hack led to the concept of a sensitive breach which meant ensuring that data from certain incidents is not publicly searchable. More recently I introduced API rate limiting as I was seeing the service being used in ways that worried me. Times change, things move on. Recently, I came across a massive spam list with a bunch of personal data and...

Handling people's personal data is sensitive business

Last week I wrote about how 8 million GitHub profiles were leaked from GeekedIn's MongoDB which is always a risk when you expose a DB with no auth whatsoever! For any other website, this would be a typical data breach scenario in that info that was meant to remain private was made public. However, GeekedIn lost publicly accessible GitHub data so whilst yes, there was a breach, no, it wasn't anything you couldn't get publicly anyway. So what's the big deal? I expected there'd be people in both camps on this issue - those who couldn't care less and those who were upset - but I was surprised at both how passionate each side was and how biased the vast...

Ad blockers are part of the problem

Earlier this year, I wrote about bad user experiences on websites and foremost among these were the shitty things some sites do with ads. Forbes' insistence that you watch one before manually clicking through to the story, full screen and popover ads and ads that would take over your screen after you started reading the article were all highlighted. Unanimously, we hate this experience. Because the aforementioned experiences are shit, people run ad blockers and I get the rationale: if ads are going to do crap like this then let's ban them. Except then you get the likes of Forbes denying access to their content if you run them and you get into this nasty cycle of advertisers trying to...

Weekly update 9

Lots on this week and I'm very happy to have finally got myself organised and set up an audio podcast feed. It's getting a heap of downloads already so obviously, people did actually want it and frankly, I'm sorry I didn't get it organised earlier! That and much more in this week's update.

iTunes podcast | Google Play Music podcast | RSS podcast

Get these weekly updates as a podcast! (it's been requested since day 1 and I finally got around to doing it)
Niall and I did a Pluralsight course on Exploring the Internet of Vulnerabilities (this is the one that should make people scared to go online...)
Disqus screwed up and served mixed content so I fixed it with a...

8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

Let me make it crystal clear in the opening paragraph: this incident is not about any sort of security vulnerability on GitHub's behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service. My data. Probably your data if you're in the software industry. Millions of people's data. On Saturday, a character in the data trading scene popped up and sent me a 594MB file called geekedin.net_mirror_20160815.7z. It was allegedly a MongoDB backup from August belonging to a site I'd not heard of before, one called GeekedIn and they apparently do this: A bit of searching around suggested...