Inside the Massive 711 Million Record Onliner Spambot Dump

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That's a bit of a relative term though because whilst I've loaded "big" spam lists into Have I been pwned (HIBP) before [https://www.troyhunt.com/have-i-been-pwned-and-spam-lists-of-personal-information/], the largest to date has been a mere 393m records and belonged to River City Media [https://haveibeenpwned.com/PwnedWebsites#RiverCityMedia]. The one I'm writing about today is 711m records which makes i...

Weekly update 49 (snow edition)

I'm at the snow! Yes, Australia has snow. No, it's not like the big mountain riding of Europe or North America, but the warmer weather means you can regularly sit outside in the sun during the day with a cold beer which is pretty awesome. I've got a couple of Security Sense columns to talk about this week which I hope will get people pondering this whole security thing a bit more. Also, as you may have noticed, I've pushed this out a day early. Friday will be a half-and-a-bit day on the snow be...

Weekly update 48 (windy Sydney edition)

I've been in Sydney all week for the NDC conference here so it's been a pretty non-stop time. A 2 day workshop, 2 new Pluralsight courses, 2 talks and all the usual social things that go along with these. But regardless, I got that Ubiquiti UniFi course out and a blog post to go along with it. I'm keeping things brief here now as I prepare for (the always epically fun) Pubcon [https://pubconf.io/], more next week from snowy Australia. Yes - snow! iTunes podcast [https://itunes.apple.com/au/podcas...

Free Course: Here's What This Ubiquiti UniFi Stuff Is All About

Last year, I got fed up with my wifi [https://www.troyhunt.com/ubiquiti-all-the-things-how-i-finally-fixed-my-dodgy-wifi/]. The coverage was patchy, the devices were unstable (my speed would regularly drop to less than 2Mbps until I restarted the router) and even though it was new gear, it felt just like the gear I'd had a decade ago. Same basic principle of an all-in-one device, same basic web interface and almost certainly, the same update cycle - I wasn't going to be seeing firmware updates o...

Weekly update 47

Last update before travelling again, but fortunately it's just a cruisy 9-hour drive down to Sydney for NDC then a week of snowboarding (yeah Australia has snow). I'll be doing a workshop at NDC and I'll also be doing one in Melbourne next month so check that out if you're around that way. This week, an SEO bloke wearing pyjamas talked about how HTTPS was unnecessary, attempted to silence any naysayers and then eventually recanted and deleted his original views. It's odd, because they were the...

Don't Take Security Advice from SEO Experts or Psychics

As best I understand it, one of the most effective SEO things you can do is to repeat all the important words on your site down the bottom of the page. To save it from looking weird, you make the text the same colour as the background so people can't actually see it, but the search engines pick it up. Job done, profit! I think this is the way we did it in 1999. I don't know, I can't recall exactly, but I know I don't know and I'll happily admit to being consciously incompetent in the ways of SE...

Weekly update 46

This has been an insane week, not least because of spending the day yesterday installing a Ubiquiti network as part of my upcoming course. A heap of fun, but one little glitch threw my day out. Another glitch with my Pwned Passwords service threw my day today out so I'm going to sign off here, leave you with the vid and go grab a well-deserved ? iTunes podcast [https://itunes.apple.com/au/podcast/troy-hunts-weekly-update-podcast/id1176454699] | Google Play Music podcast [https://goo.gl/app/pla...

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued [https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/] in favour of the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] launched with V2. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern E...

Pastes on Have I Been Pwned Are No Longer Publicly Listed

Over the weekend, a Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding "some guy listening to Mexican music from a foreign device on my acct". In the search results, she found a site hosted on Google's Blogger service with troves and troves of Spotify credentials, among others. Now I've seen a lot of lists of "hacked Spotify...

Kids Pass Just Reminded Us How Hard Responsible Disclosure Is

Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below...