2016 retrospective

I never used to do these "year in review" style things, but 2015 was a really foundational year for me in many ways so I wrote a 2015 retrospective. Thinking about it over the last few weeks as we approached the end of 2016, a bunch of stuff really stuck out in my mind and I think it's healthy to look back at what you've done and take a moment to reflect. Here are the things that were highlights for me:

I launched a new blog

One of the best things I did in 2016 was to re-launch my blog on a brand-new platform with a new theme and wrap Cloudflare around it all. 8 months on, I'm still enormously happy with Ghost Pro in conjunction with Cloudflare caching everything upstream; it just works beautifully. The old Blogger site is now a distant memory. In fact, writing this post just reminded me that I could now go and permanently delete it, which I've just done, so farewell to Blogger!

I got rid of traditional ads

This was another one of the best things I did during the year - I got rid of traditional ads in favour of sponsorship instead. No more trackers, no more other-people's-script-running-on-my-site, no more shitty experiences around flashy ads. The sponsorship messages are just text from 1:1 relationships I have with orgs I respect and they pay significantly more than ads ever did - many times more. So everyone should be happy, right?

Except for ad blockers that strip the sponsor out. I'm still enormously frustrated about this not because of any loss of exposure, but because it's just wrong. Even more wrong are the ignorant comments about "well I as a viewer should be in total control of your content and choose what loads regardless of the consequences". That only works because those people are (fortunately) in the minority. I'm digressing, but it's still a major issue and per the title in the link above, ad blockers are part of the problem.

The Dropbox post went massive

In August, I wrote a post with the simple title of The Dropbox hack is real. It was a simple post where I verified that my wife's 1Password generated very unique, very strong password was stored as a bcrypt hash in the alleged Dropbox breach. The post went massive and was the biggest of the year by an almost five-fold factor:

Top posts of 2016

Not only that, it's almost the biggest post I've ever written accounting for 3.91% of all page views ever (my Shellshock Bash bug post is up the top with 4% of all views).

I had a surprisingly impactful blog post on Ubiquiti

The most surprising post of the year was the one on the Ubiquiti networking gear. This one was quite popular not just in terms of numbers of people viewing it (partly due to hitting the top of Hacker News weeks after writing it), but people then following through and buying the gear. I've had dozens of messages from people that have parted with quite a bit of money to upgrade their networks and I never expected that to happen:

And no, I'm not on the payroll and in fact, I'd never even spoken to the folks there before deciding it was gear I should buy then loved it enough to write about it. That's the sort of post I love writing!

I started doing weekly update videos (and a podcast)

This was an idea I'd toyed with a bit as a means of trying to add some more candour and emotion to a lot of what I was writing each week. My mate John Sonmez gave me a bit of a push and that was it - I was off - and I published the 15th edition just a couple of days ago. Since I began, there's been thousands of people a week either watching the video or listening to the podcast which I'm enormously happy with.

These are easy for me to do (other than the difficulty of uploading 1080p video on a connection that barely gets 2Mbps up on a good day...) and I genuinely enjoy them. The feedback I'm getting is that people like the ability to consume this information in the background which was one of the reasons many people asked for a podcast version. I honestly think I can do a number of things better, but it's early days and I'm pretty happy with how it's going so far.

Have I been pwned (HIBP) grew enormously in size

It grew in every measurable way:

  1. The total number of breaches in the system went from 67 to 178
  2. The data went from 256 million breached records to over 2 billion
  3. The number of verified subscribers to the service tripled from 316k to 942k
  4. The Alexa rankings took it from 60,000th most popular site on the web to about 36,000th today (it peaked at about 20,000th)
  5. The Twitter followers grew from about 7.5k to almost 21k today

But the really big numbers were around the traffic...

The HIBP traffic got big - real big!

One of the biggest changes this year in terms of traffic was the emergence of large volumes of requests that could be equally classified as abusing the API, malicious or in some cases, outright attempted DDoS. It meant traffic patterns like this:

That gives you a good idea of the distribution of the traffic across a day (i.e. it can be concentrated within certain hours), but that was far from the busiest day too:

Wrapping Cloudflare around HIBP was one of the smartest things I've ever done with the service. A combination of that and the way I'm using Azure Functions to control firewall rules has made a hell of a difference. I'm writing up a detailed post on how I dealt with malicious traffic and how everyone else can plan for it; suffice to say that without Cloudflare in front of it I just couldn't have done it without making some major concessions.

But big traffic wasn't always malicious either; there was the case of The Martin Lewis Money Show causing a massive spike:

That was a great learning experience actually and again, Cloudflare made a big impact on the traffic volumes I could handle:

What all of this means is that whilst visitor numbers (both good and bad ones) have gone through the roof, my underlying infrastructure costs haven't changed which makes me enormously happy!

I spent a third of the year travelling

This is the one that really dominated in terms of total effort and the stats tell the story better than words can:

Air travel in 2016

When I saw those numbers, I thought "wow, that's a lot" then I checked back on 2015 and it had been 240 hours in the air across 48 flights, but it just felt harder this year. This figure from TripIt explains why:

119 days travelling

Almost one third of the year was spent away from home. Now in fairness, that wasn't all hard work; I had a week in Oslo with my wife (although we were both at NDC speaking) and a week snowboarding with the family, but it was still a hell of a year. I wrote about how much effort goes into an international trip after my last one and frankly, that's probably the hardest one I've done. The next one in a couple of weeks will be a similar length, albeit only 3 countries with one uninterrupted week in each which makes a lot more sense.

I went to a lot of conferences

Speaking wise, I got around a bit this year:

Event badges

I keep track of all these on the events page for the year and I also publicly share all my evals too. I did a lot of events, but the highlight was doing the opening keynote at NDC in Oslo in front of thousands of people:

It's a special event for me because NDC Oslo was my first international speaking appearance back in 2014, a talk that topped the ratings and has had me coming back to every NDC event ever since.

Another 9 Pluralsight courses down

It was a big year Pluralsight wise, not least of which because I finally finished off the epic Ethical Hacking series. That was a mammoth task, not just in terms of writing 8 courses over 2015 and 2016, but writing them to the CEH syllabus so people can then go out and get their Ethical Hacking cert. The link above explains more and I'm enormously proud of what we've created there.

I also found myself doing a bunch of "Play by Play" courses, that is courses where myself and someone else are video'd working through a technology. I did one in London, then Chicago and finally a couple in Sydney, not all on security either. I've got another couple to do in London in a couple of weeks' time too, neither of them about security and you may well see me diversifying a little bit more there in the coming year too.

I did a heap of workshops

I'm not actually sure how many workshops I did in 2016. Probably 20 events of 2 days each? I'm not sure but what I do know is that I'm enormously happy with how they've been going. I'm now doing a number of repeat events for the same organisations as they expand their security training or even dive deeper with the same participants who've been to previous events.

I also love that many of the organisations I visit have already invested a lot in Pluralsight. Very often, those who attend the workshops have seen many of the courses I've written but they want to augment online learning with a classroom environment. It surprised me at first, but when I see how these organisations run their training and how they draw from the strengths that both on-demand remote learning and in-person events offer, it makes a lot more sense.

I'll be doing a heap more events in 2017. I got overbooked by 4 events on the trip I'm about to do and will shortly be sharing plans to pick up that overflow (and a lot more) on a subsequent trip so stay tuned for that.

The Microsoft Regional Director thing happened

A very unexpected outcome of 2016 was becoming a Microsoft Regional Director. Because it wasn't already confusing enough that I don't actually work for Microsoft, I obtained a title that leaves people even more confounded by the whole thing!

The RD title is something I'm enormously proud to have received and it's something that along with being a nice recognition, opens doors. Particularly in corporate scenarios, it carries a weight with it that goes a long way in terms of credibility and from a personal career growth perspective, it's a great thing to be able to say I've achieved.

Social media continued to be enormously important to me

In very unexpected circumstances, I posted my most ever favourited and RT'd tweet:

All those years with all that work actually building software and writing about constructive things yet it's an off-chance photo I snapped which gets the popular vote!

I've had many enormously positive experiences by way of social media and arguably Twitter in particular has had a huge impact on my career. It's not just in terms of reach on the internet either, it's been a great way of connecting with people that's led to in-person meetups which I've been doing more and more when I travel.

Particularly in my independent life these days, the ability to reach people is enormously important and Twitter in particular has been invaluable for that. People often ask how I promote what I do, for example how I book commercial workshops, and the answer is simple - I tweet about it. That is all. Seriously, that has been more valuable to me than just about anything, but it only makes sense off the back of a good reputation...

My profile grew (and the trolls continued to circle)

Profile is always a bit of a funny one because it's a little bit frog-in-boiling-water; it happens gradually so that you don't notice it yourself. Every now and then you get a wake-up call (such as people wanting to take selfies at conferences) and it's honestly a very strange feeling to be "famous", even if it is just within certain circles.

I put a huge amount of thought into how I curate my profile and each year it becomes more and more important. In 2016 I thought a lot about the balance of how I can both use the profile to my advantage (i.e. by offering the blog sponsorship) and keep it down to earth and, as we'd say here, fair dinkum. I don't want to erode what it is that's helped me build that profile in the first place, namely being approachable, ethical and remaining very practical and hands on (at least I think they're the things that led to where I am today). That's not always easy though and a perfect example is that I got to the realisation this year that I simply can't reply to all emails or tweets or other communication channels people reach out by. I added a contact page to my new blog where I literally had to say "here's a bunch of things I either may not or will not reply to", and that includes some very genuine enquiries from people.

It hasn't all been roses though and a few months ago, I wrote about online abuse. I still find it hard to fathom that as an adult, you can be subject to what I can only describe as playground taunts. And really, that's what a lot of this is - things I teach my kids not to do - yet here we are with everything from name calling to slanderous comments to actual threats. Even since I wrote that post there have been incidents; never in person, mind you, because the weak mettle of those involved keeps them firing barbs from a distance, even when the opportunity has been there to look me in the eye. I think what's bugged me more than any hurt feelings is just the frustration that people like this walk among us and seem to be oblivious of their own behaviour, yet here we are.

On balance though, I wouldn't have it any other way. Building profile has brought so many wonderful experiences and new connections with people and places I just never dreamed of. I love that there are no limits to it - you can grow as big as your own hard work permits - and that's a key factor that keeps driving me forward.

Looking forward to 2017

The trick for me this year more than ever is juggling priorities. There's Pluralsight courses, HIBP, workshops and, of course, speaking events. As of today - the first day of the year - there's already 26 events I've either declined or put on ice:

Declined events

I won't show you precisely what they are as I don't know how many of the organisers would like to share that information, but obviously that's a fair number. It's hard because I genuinely want to get to many of these but I also like actually seeing my family!

Speaking of which, just today I booked my family to come to Europe for a couple of weeks in June around the time I'll be there anyway for the NDC conference in Norway. I'm going to make a bigger trip out of it than usual and both spend some time with them (mostly in Oslo, Amsterdam and London) as well as try and do more events. I'm already starting to book things in for that time period so if you're in Europe and are interested in your company having me over for a private workshop, speak up now!

Lastly, for 2016 and for all the years to come, I'm enormously appreciative of everyone who reads what I write, watches my courses and listens to what I have to say. That's what makes it possible for me to do what I do and have the wonderful opportunities I touched on above. Thanks everyone!

