2015 retrospective

I don’t normally do the year in review thing, but then I don’t normally have a year like this either. Whilst it may not seem like it to the casual observer, life changed in so many significant ways in 2015, more so than any time in probably the last 15.

The other day I was having a spin back through my tweets with media and I realised just how nuts things had been, so I thought I might capture a bunch of them here as they really tell the story. This is as much for me to reflect on the year as it is for other people to see what I’ve been up to; I hope you find it interesting.

Speaking at Ignite 2015


Each year I’ve blogged more. Starting in last 2009 it was 10, the next year was 40 then 50, 59, 78, 81 and this one makes 89 for the year. In addition, I wrote 37 pieces for my Security Sense column on Windows IT Pro which I began writing for early in the year. That’s a lot of writing in one year!

I expected Ashley Madison to be the top rating content of the year, and it was. My post on Here’s how I’m going to handle the Ashley Madison data was the number one with about a half million views. In fact, the four posts I wrote on the topic were the four top-rated posts of the year and accounted for almost a third of all traffic which goes to show just how significant the event was. Having said that, my Shellshock post of 2014 remains the most viewed ever and certainly there was some crazy hysteria around that at the time.

In terms of the blog itself, I finally lost patience with Blogger and am now planning a full move over to Ghost Pro (hosted Ghost). I set Kylie up there earlier this year and was really impressed on many different fronts. One of the final straws for me with Blogger has been the total lack of support for HTTPS on custom domains (they’ve added it if you want to use their TLD) which in this era, is becoming increasingly difficult to justify. I’ve got someone helping me out with an all new design which I hope will be out early next year.

Speaking and travel

This year was a big one. 23 events in total according to my publicly listed schedule and that doesn’t include a bunch of private workshops in various other countries beyond what’s listed there. According to TripIt, I spent quite some time getting around:


In fairness, I did do my best to travel comfortably but as I’ve written before, I justify that expense by using the space very productively and ensuring I get enough rest to be able to keep the travel pace up:

Admittedly, there are aspects of air travel I enjoyed quite a bit this year as well:

Not all of those 108 days were away at events and as crazy as the travel can look, I balance it out where possible. For example, I spent some time with Pluralsight in Utah last Feb and March at the author summit:

That really was awesome, not least of which because Kylie joined me after that we went snowboarding with our 6 year old for a week which was pretty epic:

Same again in August albeit down here in Aus (not recorded in TripIt) so as hard as the travel has been at times, the play has been pretty full on as well:

Highlights for me was spending time back in the Netherlands where I’d lived as a teenager:

And then again a couple of months later:

My first trip to Sweden (they also have some nice buildings, but holy shit, it’s a 918 at the Gumball!):

My first trip to Finland:

Good food in Singapore on the way home:

I did a bunch of smaller events too, for example chairing an F-Secure panel with Mikko Hypponen in Sydney:

One of the great things about living down here though – and I know I joke about this a lot but I’m genuinely serious now – is that there really is no place on earth I’d rather live:

Next year starts out with a week at home followed by four weeks in the UK and Norway. Why I’d leave the best time of year here to visit those locations at the worst time of the year is purely a scheduling thing. That’s a lot of travel early on and I don’t want to emulate 2015 volumes in 2016, but things just seem to have kicked off that way. Part of the problem is that everywhere is a long way from Australia so by the time I get somewhere else, I try and maximise the time there:

One of the most enjoyable and valuable parts of travel and conferences in general is the connections you make. Not just one-off encounters either, rather relationships you build that then pervade over many trips to various corners of the world. It was great seeing Mikko in Sydney early on in the year, then in Helsinki in May and finally back in my home town the following month:

Or guys like Niall Merrigan who mysteriously appears when good whiskey turns up (or perhaps that’s the other way around… I forget):

I did also ensure I took time out to see some rather awesome sights, for example in Monterey:

And shortly after in San Francisco:

Is that not a spectacular sight?! There was also a bridge.

It seemed to be a year of speaker cruises too, firstly in Oslo:

Then San Fran:

And finally, much closer to home:

However, this remains the trickiest part of travel and it really doesn’t get any easier:

Fortunately, we FaceTime extensively while I travel, but yeah, it’s hard.

Profile and publicity

I have this running joke with Kylie where I say “Don’t you know I’m famous now?” and she retorts with “Yeah, on the internet!” which is, well, half true I guess. Having a public profile is a funny thing that whilst mostly positive, can also be a mixed blessing. Whilst I didn’t have any really serious harassment incidents this year as I’ve had in the past, there were still multiple occasions of impersonation to deal with along with, well, people just being pricks sometimes. There’s something that happens in some people’s brains when they get behind a keyboard that seems to turn the basic human decency filter off. This year, I’ve started simply muting people who are clearly looking for a fight or being outright abusive for no apparent reason.

But I’ve also found that as I’ve gained more exposure and a larger following, I simply can’t respond to every tweet and every email. A significant portion of my day was going towards an “inbox zero” objective (or Twitter mention equivalent) that just wasn’t sustainable. I don’t have a good answer as to how to deal with this – I don’t like ignoring people but I can’t spend all day replying either. It’s something I’ll need to give some proper thought to and I’d really like to hear your views on it if you have them.

On the plus side though, publicity is great for building a public profile and there were a heap of things that happened this year along those lines. For example, there was car hacking:

Kids hacking:

Kids being hacked courtesy of VTech:

And in a very meta way, my own kid appearing on a piece about kids being hacked:

I also joined the Lenovo Insiders group and spent some time with them in Sydney and yes, we spoke about SuperFish:

During the Ashley Madison saga, I was doing a heap of interviews each day which by coincidence, occurred whilst snowboarding with the family. One memorable one was with CNN where I was just about to hit the mountain and they wanted a Skype call. No problem… until they asked me to turn my camera on – “You want to interview me about hackers and I’m wearing a hoodie and a beanie whilst not having shaved for a week?!”. Fun times.

Have I been pwned (HIBP)

This was a very big year for HIBP in many ways. The obvious metric for this is the data breaches loaded into the system. Of the 67 that are in there today, 33 of them were added in 2015 and they included everything from rather obscure, small breaches such as Lizard Squad’s DDoS service with 13k accounts exposed all the way through to what remains one of the most significant breaches in history IMHO – Ashley Madison.

Ashley Madison really took HIBP to a new level not because of the 31M accounts exposed, but rather because of the nature of the data and the exposure it got. It was unprecedented in so many ways, not least of which was the press it got and the resultant traffic:

I touched on the incident earlier on when I talked about blog traffic too and it really was a crazy time. One of the things I’m proudest of is the stats I shared in the blog post breaking down how it performed. The headline figures were a 58,000% increase in traffic in the space of a day, dead flat transaction times when the load hit, an average of 8.5k simultaneous users searching 200M+ records in the busiest hour and the really neat bits: 100.00% uptime and a total spend of $130 over normal operating costs for the crazy period.

Subscribers to the free notification service also went through the roof. On the first of Jan I had a mere 100k people monitoring their addresses and that figure has now exploded to 320k. That’s verified users too – individuals who have received the verification email after subscribing and clicked on the link to confirm they genuinely want to opt in (there’s another 70k that never confirmed).

The other big thing numbers wise is the commercial offering I announced back in July. I’ve deliberately kept this pretty low key in order to ensure it remains something I can do in amongst other commitments, yet it’s still grown to many, many tens of millions of accounts being monitored by subscribers. These are subscribers such as identity theft companies who have been entrusted by their customers to monitor their online exposure and it means that every single email that goes into the system from a breach or a paste gets assessed against a huge database of monitored addresses. Given how it’s gone this year, I suspect this will be an area I’ll start to focus on a lot more in 2016.

Oh – I also got my first call from the FBI. Yes, the American one of much infamy and to be completely fair, the discussion was nothing but courteous, ethical and in this particular context, necessary. I won’t share the details (not “can’t”, but “won’t” of my own free volition), as I suspect there remains an ongoing investigation, but I will say that it wasn’t due to any issue related to either myself or HIBP and was more about support I could provide in relation to a particular data breach. But I will take a moment to share some sage advice: if you’re going to get involved in dealings with data breaches, conduct yourself in a way that you’d be happy to share openly with the authorities at a later date. I spoke with multiple law enforcement agencies this year and living by that mantra avoids all sorts of uncomfortable situations later on (such as I suspect this guy will shortly be experiencing). To add to that, we want there to be an FBI and an Aussie Federal Police and other forms of law enforcement, these guys do an absolutely essential job and it’s unfortunate that the times they’ve overstepped the mark mean everyone is now wary of agencies that for the most part, only aim to do good. At least that’s been my experience.


The penny only really dropped the other day when I saw this slide of Adrian Cockroft’s at the Yow conference. Actually, it was really only after I saw how re-tweeted it was that the resonance really hit me:

This was precisely the problem at Pfizer – it was an environment where I wasn’t able to be the best I could be. There were many reasons for that which I suspect I’ll delve into in a later blog post, but the bottom line was that there was simply no future there for driven, technical people. The writing had been on the wall for several years now and had become extra apparent last year with a change of leadership that was on a very different wavelength to myself and others in Australia. I actually came very close to walking out mid-2014 and the only thing that stopped me was the redundancy provisions – I’d get paid a lot if they asked me to walk instead. And they did – one week back into my return from Xmas holidays this year it was all over for myself and a few others down under which left us all very well looked after and very happy. I wrote more about it once everything settled in How I optimised my life to make my job redundant.

Following my departure, I did admittedly give this hashtag somewhat of a workout:

Here’s some context though that doesn’t always come through in light-hearted tweets: this was while on the other side of the country at a speaking event. Literally while sitting by the pool, I was editing whatever Pluralsight course it was I was working on then, planning for the next one, lining up speaking engagements and generally doing whatever I could to keep the momentum going.

In fairness though, that phase and my independence since then has given me more time with the family too:

What the departure from Pfizer really did was give me a lot more flexibility in how I spend my time. Without doubt, I work harder (and certainly more passionately) than what I did in corporate land, but I do it on my terms which makes all the difference. Of course most of that time these days is with the folks I genuinely respect and admire, which brings me to these guys:


I was very close to leaving Pfizer before the redundancy kicked in, primarily because Pluralsight was such an attractive alternative. It was paying me multiple times more already and I actually wanted to do it! I can’t speak highly enough of the culture and the people there, they just “get it” and there’s never any politics or bureaucracy or frankly, any of the bullshit I used to wade through on a daily basis at a big corporate like Pfizer. I’m hugely more productive now as my time goes on getting stuff done rather than continually greasing the wheels that get stuff done.

With my focus now very firmly on Pluralsight, it meant taking every opportunity to spend more time with the folks there:

This was at CeBIT in Sydney with a couple of the local Pluralsight girls. It was genuinely interesting to help them out at the stand and see the sorts of questions people were asking. In fact, I did the same thing at a number of different events around the world this year and I must say, it was a very fulfilling exercise. The love for Pluralsight (as cheesy as that sounds) is really strong and it’s awesome hearing all that great feedback.

Focusing primarily on a self-paced activity you do remotely can be very isolating but fortunately there were a heap of opportunities to see Pluralsight folks at various times and places:

That includes down here in Aus too (incidentally, there are now four full time staff down here):

That’s reciprocal as well – I had some great visitors from Pluralsight over the course of the year:

In short, this style of work suits me very well. I don’t have it perfect yet – it’s still hard balancing family life and committing time to actually deliver courses – but it’s such a fantastic position I now find myself in with Pluralsight.


Almost 12 months ago to the day, Kylie and I sat down by the water on the Gold Coast where we’d spent so much time since we first met there in ‘99. We were fed up – fed up with my job at Pfizer, fed up with living in Sydney and fed up with that remaining to be the status quo for the foreseeable future unless we took action. Mind you, this was at a time when many of the positive things I wrote about above were really taking off – Pluralsight in particular – but it still wasn’t the life we wanted to live.

And then suddenly everything came together. Pfizer paid me out, Pluralsight rocketed ahead, lots of companies started asking me to do workshops and to top it all off, the Aussie dollar was sinking against the US where most of my income was coming from. So we did what we’d been planning to do for 16 years – we moved somewhere nice:

This was the culmination of many of the things I’ve written about above as well as Kylie having a lot of wins in her professional career and both of us investing smartly when we were younger (I’ve got a draft blog post going about financial tips for techie people). The timing worked out perfectly and yes, it’s awesome here!

We take the kids to all new playgrounds:

But the best ones don’t have any equipment at all:

I mix up my working environment a lot more:

We sometimes catch our own dinner:

It’s an awesome way of life but it begs the question – what next? I’ve always been very goal-driven and love working towards tangible objectives. I’ve got some pretty awesome stuff in mind, 2016 will be fun :)

Annual Retrospective
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals