Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly update 35

Hang on - where did my week go?! WannaCry came out of the blue and accosted a big whack of my time starting first thing Saturday. And then, just as it was quietening down, I go and write about not turning off Windows Update and holy shit, did people come out of the woodwork to complain about that! Seriously, just read some of the comments there and the anger directed towards what (in my experience) is usually a pretty seamless process is palpable. More than the objections to updates themselves, it was the basis on which many of the points were made that stunned me; philosophical arguments about software being "free" (no, not as in price), claims of NSA collusion,...

Don't tell people to turn off Windows Update, just don't

You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me: "Why is malware effective? Because of idiotic advice like this: 'Stop Windows 10 from automatically updating your PC' https://t.co/cRygHYMPNh" — Troy Hunt (@troyhunt) May 13, 2017. When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it...

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general. The ransomware problem: Firstly, if ransomware is a foreign enough concept and you genuinely want to understand what it's about, I made a free course for Varonis last year titled "Introduction...

Weekly update 34

The big news this week has been dealing with that massive volume of data I loaded into HIBP a week ago. A combination of the mechanics of getting it loaded, the flood of feedback once I did and actually trying to prepare myself for upcoming talks has made it a bit of a crazy week. If I'm honest, I'm feeling a bit run down from it all and need to take it a bit easier before heading away in a couple of weeks' time. Be that as it may, this has been a full-on week and I've captured the highlights below: iTunes podcast | Google Play Music podcast | RSS podcast. References: Here's some guidance from the Aussie government on GDPR (my...

Here are all the reasons I don't make passwords available via Have I been pwned

Over the last few days, I've loaded more than 1 billion new records into Have I been pwned (HIBP). As I describe in that blog post, this data was from two very large "combo lists", that is email address and password pairs created by malicious parties in order to help them break into other accounts reusing those credentials. In all, I sent about 440k email notifications and saw hundreds of thousands of people come to HIBP and search for their data. From a personal security awareness perspective, loading the data has been enormously effective. But there's a question I got over and over again via every conceivable channel: How can I see the password on my record? I want to...

Weekly update 33 (sunrise edition)

Wow, what a day! I got up at about 3:30 this morning and have been going non-stop dealing with the masses of feedback as a result of the billion-and-a-bit breached records I'm presently loading into HIBP. I talk about it in the blog post, but the "small" one of 458 million records is already loaded and as I type this, at about 17:30 Friday, the big one of almost 600M is still a long way off (probably mid-morning for me tomorrow). Anyway, between other commitments and the looong lead-time of uploading a couple of GB of video file over Aussie bandwidth, this week's update happened at sunrise out the back of my house. The lighting is far from...

Password reuse, credential stuffing and another billion records in Have I been pwned

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. And before you ask for your password from the data, read about all the reasons I don't...

Microsoft Flow + Azure Storage + WebJobs + MailChimp + Outlook

A few years back, I added a donations page to Have I been pwned (HIBP). Now as I explained at the time, I didn't particularly need them to cover my hard-cash outgoings because I run the thing on a shoestring, but as I explain on that page, it takes a massive amount of effort. If people want to fling me a coffee or some beers, that's just great and I appreciate it enormously. Problem is, it's hard to individually show that appreciation. Especially during a busy period, I can end up with a lot of coffee and I can't realistically reply to each and every person by email thanking them or I end up with exactly the problem I describe...

Reckon you've seen some stupid security things? Here, hold my beer...

My mate Lars Klint shared this tweet the other day: "Your password is not unique. pic.twitter.com/ga4GwxtzrQ" — Lars Klint (@larsklint) April 16, 2017. Naturally, I passed it on because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here's the thing - it's feasible. No really, I've seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don't believe me? Here, hold my beer... Remember me: Let's say you want to build a "remember me" feature, you know,...

Weekly update 32

Home again and blog wise, it was a quiet week. I've been working on some new material you'll see next month as well as preparing for upcoming Europe travels where I've got a heap of events to get to. I've got a new Lenovo to show you in this update plus I do talk quite a bit about that one blog post on building out a Ubiquiti network for my brother and his family which I'm now kinda jealous of! All that and a few other things in the update below, I've got a few extra things in the works for next week. iTunes podcast | Google Play Music podcast | RSS podcast. References: Here's the full specs on that Lenovo Yoga...