
Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals


Weekly update 39 (Oslo edition)

This has probably been the most relentless week I've had in one place since... I dunno. Forever? It was all in Oslo and all centred around the NDC event but it meant kicking off with a massive 2 day workshop (50 people - a record!), then an OWASP user group (followed by much beer), then workshop Tuesday, family arriving, social NDC event, event kick-off Wednesday, family sightseeing, a Pluralsight recording, shrimp cruise that night, NDC talk on Thursday, a short "how I failed talk" that night followed by the event party, another talk Friday morning then eventually, PubConf Friday night. And this is why my weekly update is a day late! But seriously, it's been a sensational week and I...

Weekly update 38 (Trondheim edition)

It's week 2 of my 6-week European summer tour and I'm in Trondheim, Norway which frankly, is a pretty awesome place:

Awesome spot 😎 pic.twitter.com/wBAYGShQNH
— Troy Hunt (@troyhunt) June 9, 2017

Being busy with workshops and talks means I'm always going somewhere or doing something so time is a bit limited, but I still managed to get out my Security Sense column this week. I also give some updates on some observations from yesterday's workshop whilst recording from a very nice little spot next to the river, complete with a bunch of guys cruising down it on inflatable kids' boats drinking beers. And this is why I like recording outdoors - ad hoc stuff that's just kinda...

Weekly update 37 (Leuven edition)

I'm in Belgium! After 35 hours of travel to Porto in Portugal then 2 days of workshop plus a user group there, I'm now in Leuven which is the home of epic Belgian beer. I'm now into day 2 of another workshop here after having done a user group on Azure last night so it's turning into a very long week. Not a lot of new stuff to talk about blog wise, but I share what it's like doing these events and some of the things I learn along the way.

iTunes podcast | Google Play Music podcast | RSS podcast

References

Here's where I'll be over the coming weeks (heaps of events in Europe plus upcoming things in the US...

Weekly update 36

I've been at the AusCERT conference this week and whilst I scored a nomination for "Individual Excellence in Information Security", it wasn't meant to be this year (or the last 2 times!) but I did get a shiny certificate :) It was a great event and I really enjoyed meeting a heap of very cool people and doing a brand new talk on responsible disclosure. I'll share that once it's publicly accessible, AusCERT usually put these out to the world and I was really happy with how it went. Beyond that, this week I'm talking about how fragile the internet is and most excitingly, sharing my brand new - and totally free - course on GDPR that I wrote for Varonis....

Free course: The GDPR Attack Plan

You know what people really like? Government regulation! ...crickets... Ok, maybe not so much, but this one is actually really important. The General Data Protection Regulation is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can impact non-EU organisations too. I've been interested in GDPR for some time on a couple of fronts. For one, I like the idea of a regulation having some serious teeth when it comes to issuing penalties. This means up to €20M or 4% of annual...

Weekly update 35

Hang on - where did my week go?! WannaCry came out of the blue and accosted a big whack of my time starting first thing Saturday. And then, just as it was quietening down, I go and write about not turning off Windows Update and holy shit, did people come out of the woodwork to complain about that! Seriously, just read some of the comments there and the anger directed towards what (in my experience) is usually a pretty seamless process is palpable. More than the objections to updates themselves, it was the basis on which many of the points were made that stunned me; philosophical arguments about software being "free" (no, not as in price), claims of NSA collusion,...

Don't tell people to turn off Windows Update, just don't

You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me:

Why is malware effective? Because of idiotic advice like this: "Stop Windows 10 from automatically updating your PC" https://t.co/cRygHYMPNh
— Troy Hunt (@troyhunt) May 13, 2017

When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it...

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general.

The ransomware problem

Firstly, if ransomware is a foreign enough concept and you genuinely want to understand what it's about, I made a free course for Varonis last year titled "Introduction...

Weekly update 34

The big news this week has been dealing with that massive volume of data I loaded into HIBP a week ago. A combination of the mechanics of getting it loaded, the flood of feedback once I did and actually trying to prepare myself for upcoming talks has made it a bit of a crazy week. If I'm honest, I'm feeling a bit run down from it all and need to take it a bit easier before heading away in a couple of weeks' time. Be that as it may, this has been a full-on week and I've captured the highlights below:

iTunes podcast | Google Play Music podcast | RSS podcast

References

Here's some guidance from the Aussie government on GDPR (my...

Here are all the reasons I don't make passwords available via Have I been pwned

Over the last few days, I've loaded more than 1 billion new records into Have I been pwned (HIBP). As I describe in that blog post, this data was from two very large "combo lists", that is, email address and password pairs created by malicious parties in order to help them break into other accounts reusing those credentials. In all, I sent about 440k email notifications and saw hundreds of thousands of people come to HIBP and search for their data. From a personal security awareness perspective, loading the data has been enormously effective. But there's a question I got over and over again via every conceivable channel: How can I see the password on my record? I want to...