Update: 17 Feb 2014: Sanity has prevailed and the service has now been pulled [http://www.zdnet.com/linkedin-dumps-intro-in-services-overhaul-7000026123/]. -------------------------------------------------------------------------------- LinkedIn Intro [https://intro.linkedin.com] has already become known by many names: A dream for attackers [http://www.theverge.com/2013/10/25/5027334/linkedin-intro-security-concerns-bishop-fox-mandiant] , A nightmare for email security and privacy [http://ven...

So I’ve just wrapped up another Web Directions [http://webdirections.org/wds13] presentation where the Pineapple has featured. The what now?! You know, the WiFi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html], that little guy with the ability to do all sorts of nasty things to wireless traffic. Now I’ve Pineappled before, but I’ve never Pineappled quite like this and that’s all down to the Mark V [http://hakshop.myshopify.com/products/wifi-pineapple] w...

It’s here! Visual Studio 2013 has just hit with an announcement here [http://blogs.msdn.com/b/somasegar/archive/2013/10/17/visual-studio-2013-available-for-download.aspx] and downloads here [http://www.microsoft.com/visualstudio/eng/downloads] plus a launch in four weeks [http://events.visualstudio.com/]. No, I don’t quite understand what a launch next month means when you can grab it now either but the important thing is that the new software has landed. In times gone by I’ve written my own...

I’m a security minded guy, that probably comes as no surprise. Other people – not always so much and as a result you inevitably see a lot of unattended, unlocked Windows desktops around the place. Naturally the responsible thing to do when seeing such risky behaviour is to help the victi.. uh, I mean “individual” understand the risky nature of such behaviour. Having recently observed such a situation I thought I’d reach out and ask for some guidance on how one might deal with it: [https://tw...

It’s been a while since I last spoke to Carl and Richard on .NET Rocks [https://www.troyhunt.com/2012/01/net-rocks-talks-security-with-carl.html] where it was all about the OWASP Top 10 and the provisions available in ASP.NET to keep yourself on the happy side of getting hacked. I had a chance to catch up with the guys again a couple of weeks ago to record a new episode all around “Hacking Yourself First” which ties in neatly to much of the writing I’ve been doing lately and my Pluralsight cour...

There are few things more frustrating than trying to make other peoples’ code work; broken references, missing dependencies, extraneous and useless files – it’s all part of the joy of sharing the project love around. This is often tricky enough for people on the same team but throw in distance, culture and varying levels of expertise and things get ugly pretty quickly. I come across these issues pretty frequently and the pattern is constant enough that I reckon it deserves just a little bit of...

I’m sorry to be the one to break this to you, but, well, your company network is compromised. I know, I know, you thought you had firewalls and antivirus and Dropbox is blocked but somehow the nasties got in. Unfortunately that also means that all the web apps you have behind your corporate firewall are, for all intents and purposes, now public. Now you may not even be aware of the hacked state of the network you spend your nine to five hours in, many of these intrusions go entirely undetected....

One of the things people often ask me about in regards to software security is “Are there any standards that these people should be following? Any governing bodies? Any recourse for screwing things up?” Ok, that’s three things but you get the idea and people are usually pretty surprised when they learn that for the most part, no. No standards, no governing bodies, no recourse. You can go and create a new website today storing everyone’s credentials in the clear, send them around willy nilly via...

Remember view state? For that matter, do you even remember web forms?! I kid because although MVC is the new hotness in the world of building ASP.NET websites, web forms remains the predominant framework due to both the very long tail of sites already built on it and the prevalence of developers with skills in this area who haven’t made the transition to MVC (indeed some people argue that they can happily cohabit, but that’s another discussion for another day). Anyway, back to view state. When...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]Note: In this blog post I show how to load a certificate from StartCom into Azure. They've subsequently had some pretty serious issues related to WoSign [https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/] and I would not recommend getti...