Troy Hunt

This is an online reproduction of the letter sent to First State Super today. I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets. As you’d be aware by now, this incident has gained worldwide attention and as you’d also be aware, the public response hasn’t exactly been i...

I just had a call from a very nice women who appeared to be from the subcontinent and wanted to help me remove viruses from my computer. Normally I’d dispense of such callers in a pretty quick, ruthless fashion but given the nature of this one I thought it was worth recording and sharing. It all unravels and the gig is finally up at the 23 minute mark. Enjoy! TL;DR: Here are the steps they wanted followed: 1. Open the event viewer then establish there are errors and warnings (there as v...

Back in part 1 of Birth of a UX [https://www.troyhunt.com/2011/09/birth-of-ux-asafaweb-gets-identity-part.html] I talked about identifying styles that I liked, the head start the default MVC 3 template gives you, the eternal battle of Photoshop first versus CSS first, CSS resets then actually making a start on styling one central element of ASafaWeb and making it all play nice across browsers. And that was it – phew! This time around it’s about debugging the markup, building the nav and then co...

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash which is insufficient by today's standards and easily cracked [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html]. Refer instead to ASP.NET identity [http://www.asp.net/identity] which is a sufficient stronger and more modern implementation. -------------------------------------------------------------------------------- Often times I’ll have a discussion with a softwa...

Last week I wrote about Gootkit’s futile attack on ASafaWeb [https://www.troyhunt.com/2011/09/gootkits-futile-attack-on-asafaweb.html] and then a funny thing happened: Suddenly my Google Analytics keyword results become very Gootkit-centric: I see this as meaning either there is a lot of interest in Gootkit at the moment or there is not a lot of information available on what it is. Or both. Interestingly though, the activity appears to have ramped up right about the time of my initial post. T...

With the private beta testing of ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] having gone quite nicely and a good whack of time then dedicated to both fixing stuff and implementing new features, it’s time to do something about this ugly duckling. I truly believe that the user experience is an absolutely fundamental factor in the success of a site and it really deserves some serious attention so rather than just hack it out, I’m going to approach it quite meth...

On Saturday morning I woke up to 120 emails from ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html], not because it really likes me but because it was in pain! One thing I did very early on with the project was to implement elmah [http://code.google.com/p/elmah/] and make sure I get an email notification when anything happens that shouldn’t. It won’t stay this way (for reasons you’re about to see), but it’s a good way of keeping an eye anything that goes wrong very...

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public. Intended use Let’s begin with how the...

Here’s a new entry for the “stupid things on my part which weren’t obvious because of obscure error messages” book. Actually, the error message makes some sense in retrospect but then again, everything is always a lot clearer after the fact. The scenario in this instance relates to the following three tables in ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html]: What these guys are describing is that when a log entry of a scan is created, it may have many entr...

When I wrote about Building a safer web with ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] earlier in the week, I talked about using the process to share some experiences. This one made me go a bit cross-eyed and it’s a combination of an idiosyncrasy within ASP.NET routing and a more philosophical question about the semantic intent of a route. The situation was that I needed to construct a URL on the ASafaWeb website which contained the address of the site to...