Troy Hunt

Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly Update 260

An early one today as I made space in the schedule to get out on the water 😎 I'm really liking the new Apple AirTags, I'm disliking some of the international media coverage about Australia's COVID situation, another gov onto HIBP and a blog post I've wanted to write for a long time on biometrics. That last one in particular I felt was really important as time and time again, I hear these irrational statements from people about the perceived "risks" of biometrics and in particular, the belief that you can somehow have representations of your body parts "stolen" in such a way that they can circumvent modern day auth controls. Nope and nope!

References:
- The AirTag "anti-stalking" feature is pretty cool...

You Don't Need to Burn off Your Fingertips (and Other Biometric Authentication Myths)

111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence. We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set. As technology has evolved, fingers (and palms and irises and faces) have increasingly been used as a means of biometric authentication. I'm writing this on a PC that uses a Verifi fingerprint reader. I'll probably continue to draft it from a comfy spot later on using my Lenovo laptop that has a built in reader. I'll also go back and forth between my iPhone and...

Welcoming the Czech Republic Government to Have I Been Pwned

For the last few years, I've been welcoming national governments to Have I Been Pwned (HIBP) and granting them full and free access to domain-level searches via a dedicated API. Today, I'm very happy to welcome the Czech Republic's National Cyber and Information Security Agency who can now query their government domains along with the 26 other nations that have come before them. Data breaches impact all of us in one way or another, and government agencies are no exception. My hope is that in supporting the agencies that help protect us online, they're better equipped to do their jobs and we create a safer internet experience for all....

Weekly Update 259

I'm back from the most epic of holidays! How epic? Just have a scroll through the thread:

I’m back! Went offline for most of the last week, pics and stories to follow 🐊 pic.twitter.com/hRUcKMwgGU — Troy Hunt (@troyhunt) September 2, 2021

Which the Twitter client on my iPad somehow decided to break into 2 threads:

At times this felt like navigating through a scene from Jurassic Park, just with wallabies rather than velociraptors 🦖 pic.twitter.com/VHa4kJw6kb — Troy Hunt (@troyhunt) September 3, 2021

Holiday snaps aside, there was a heap of other stuff this week ranging from me actually reading a book to the impact of the Gun Trader breach to my personal favourite, Pwned Passwords...

Weekly Update 258

A really brief intro as this is my last key strokes before going properly off the grid for the next week (like really off the grid, middle of nowhere style). Lots of little things this week, hoping next week will be the big "hey, Pwned Passwords just passed 1 billion", stay tuned for that one 😊

References:
- You probably should have an OnlyFans account (no, not in the way it sounds like you should...)
- Is the silver lining of Brexit an end to inane cookie warnings? (cue arguing about whether this is a GDPR thing or not)
- Spammy thread hijacking - ugh! (looks like the offender's account is no longer public)
- Pwned Passwords is almost about to roll over past the 1B...

Weekly Update 257

It all feels a bit "business as usual" this week; data breaches, IoT and 3D printing. But what I'm most excited about is what I probably spent the least amount of time talking about, that being the work 1Password and I have been doing on our "Hello CISO" series. I love it because it's broadly relevant, easily consumable and totally, properly free. Feedback so far has been awesome, I hope you enjoy it too 🙂

References:
- The Fab365 3D models are amazing (this one is a SpaceX Falcon 9)
- My 11th MVP kit arrived this week (I'm at the point where I think I need to stop putting these up on a wall...)
- T-Mobile got seriously breached (a good Krebs write-up on...

Hello CISO - Brought to You in Collaboration with 1Password

Today I'm really excited to announce a big piece of work 1Password and I have been focusing on this year, a totally free video series called "Hello CISO". This is a multi-part series that launched with part 1 and when I say "free", I don't mean "give us your personal data so we can market to you", I mean here it is, properly free: This is intended to be a very practical, broadly accessible series and whilst it has "CISO" in the title, we expect it'll be relevant well beyond the pointy end of the infosec ladder. Part 1 on the downfall of on-prem security is a perfect example of that; all of us in the industry have heard the...

Weekly Update 256

Well this week went on for a bit, an hour and 6 mins in all. The 2 Apple things were particularly interesting due to the way in which both catching CSAM baddies and catching baddies who steal your things involves using technology that can be abused. Is it good tech because it can do good things? Bad tech because it can do bad things? Or is tech just morally neutral and we need to look at it more holistically? I argue the latter, but also acknowledge the views of both camps at either end of the argument. I think they're wrong (the extremes almost always are), but discuss them anyway 🙂

References:
- Apple will start looking for known Child Sexual Abuse Material...

Why No HTTPS? The 2021 Version

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than ever were doing the right thing and forcing browsers down the secure path. That's the good news, the bad news is that there are still some really wacky, unexplainable anti-HTTPS views out there, but those voices are increasingly less relevant as the browsers march forward: Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t...
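The check Why No HTTPS? performs is easy to state: start from a plain http:// URL, follow the redirects, and see whether the request ends up on https:// without content being served in the clear along the way. The script below is an added example written for this page and is not the project's own code; it follows the redirect chain and classifies the outcome, including the two failure modes a practitioner should distinguish (the site never upgrades, and the site bounces through several http:// hops before upgrading, each of which a network attacker can intercept). The fetcher is injected so the example runs offline against constructed responses; the hostnames (good.example, late.example, nope.example, loop.example) are made up.

```python
# Added example, not code from troyhunt.com or Why No HTTPS?.  Follows the
# redirect chain from http://<host>/ and reports whether the site forces HTTPS.
# Hostnames and responses in FIXTURES are constructed for illustration.
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def follow(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects from url.

    Returns (chain_of_urls, final_response); final_response is None when the
    chain loops or exceeds max_hops, which browsers also give up on.
    """
    chain = [url]
    for _ in range(max_hops):
        resp = fetch(url)
        location = resp.header("Location")
        if resp.status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # Location may be relative
            if url in chain:
                return chain + [url], None  # redirect loop
            chain.append(url)
            continue
        return chain, resp
    return chain, None  # too many hops


# Constructed fixtures standing in for live sites.
FIXTURES = {
    # Upgrades immediately and sets HSTS: the behaviour Why No HTTPS? wants.
    "http://good.example/": Response(301, {"Location": "https://good.example/"}),
    "https://good.example/": Response(200, {"Strict-Transport-Security": "max-age=31536000"}),
    # Upgrades eventually, but only after an extra cleartext hop.
    "http://late.example/": Response(301, {"Location": "http://www.late.example/"}),
    "http://www.late.example/": Response(302, {"Location": "https://www.late.example/"}),
    "https://www.late.example/": Response(200, {}),
    # Never upgrades.  The HSTS header here is ignored by browsers because it
    # arrived over plain HTTP, so it does not help.
    "http://nope.example/": Response(200, {"Strict-Transport-Security": "max-age=31536000"}),
    # Redirects to itself.
    "http://loop.example/": Response(302, {"Location": "/"}),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs answer 404 over whatever scheme was asked."""
    return FIXTURES.get(url, Response(404))


def classify(host, fetch=fake_fetch):
    """Classify how http://host/ behaves. Returns a dict with verdict, hsts and chain."""
    chain, final = follow(f"http://{host}/", fetch)
    if final is None:
        return {"verdict": "redirect_loop", "hsts": False, "chain": chain}
    if urlsplit(chain[-1]).scheme != "https":
        # Content (even an error page) was served over cleartext HTTP.
        return {"verdict": "served_over_http", "hsts": False, "chain": chain}
    # One http:// hop (the initial request) is unavoidable; more than that means
    # the site redirected to another cleartext URL before upgrading.
    http_hops = sum(1 for u in chain[:-1] if urlsplit(u).scheme == "http")
    verdict = "forces_https" if http_hops == 1 else "forces_https_late"
    hsts = final.header("Strict-Transport-Security") is not None
    return {"verdict": verdict, "hsts": hsts, "chain": chain}


if __name__ == "__main__":
    for host in ("good.example", "late.example", "nope.example", "loop.example"):
        result = classify(host)
        print(f"{host:14} {result['verdict']:20} hsts={result['hsts']}  {' -> '.join(result['chain'])}")
```

To run it against a real site, replace `fake_fetch` with a function that issues the request without following redirects itself (for example `urllib.request` with a redirect-suppressing handler, or `requests.get(url, allow_redirects=False)`) and returns a `Response` built from the status code and headers. Note that the HSTS check only counts a header received on the final HTTPS response, matching how browsers treat it.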

Welcoming the Turkish Government to Have I Been Pwned

Today I'm very happy to welcome the national Turkish CERT to Have I Been Pwned, TR-CERT or USOM, the National Cyber Incident Response Center. They are now the 26th government to have complete and free API level access to query their government domains. Providing governments with greater visibility into the impact of data breaches on their staff helps protect against all manner of online attacks. I'm looking forward to welcoming more national governments onto HIBP in the future....