
Thank you Waitrose, now fix your insecure site

I had a follower send me a curious question the other day which if I paraphrase, went like this:

> Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it?

Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose [https://en.wikipedia.org/wiki/Waitrose], they’re a large British supermarket chain bringing in somewhere ar...

XSS’ing the security speaker panel via sli.do

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:

> When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF [https://t.co/paLp7ECXHF]
>
> — Troy Hunt (@troyhunt) January 22, 2016 [https://twitter.com/troyhunt/status/69056...

The impact of “Have I been pwned” on the data breach marketplace

I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I n...

PayPal and zero dollar invoice spam

I got a rather odd invoice via PayPal the other day, it looks like this:

Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up:

1. It was from member@paypal.com.au
2. The mail headers were legit
3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/

Which all struck me as quite odd so I tweeted it out [https://twitter.com/troyhunt/status/683386377904361472]. I suggested that it was spam because that...
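The three spoof checks listed above (sender domain, authenticated headers, link targets), run as code over a constructed message. This is an added example, not code from the original post: the raw message, the trusted domain sets and the function names are assumptions for the demonstration, and the message is a constructed stand-in rather than a capture of the real invoice. The point the post goes on to make still holds: a message can pass all three and still be spam, because the invoice was sent through PayPal itself.

```python
"""Added example (not from the original post): the three spoof-email checks
the post lists, applied to a constructed message with Python's stdlib."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed message (an assumption for the demo, not the real invoice).
# The Authentication-Results header is only meaningful when it was written by
# your own receiving MX; an attacker can add one to the message body they send.
RAW_MESSAGE = """\
From: "PayPal" <member@paypal.com.au>
To: victim@example.net
Subject: Invoice from some merchant
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com.au; dkim=pass header.d=paypal.com.au
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new invoice.</p>
<a href="https://www.paypal.com/invoice/payerView/details/INV2-ABCD">View and Pay Invoice</a>
</body></html>
"""

# Assumed allow-lists for the demo.
TRUSTED_SENDER_DOMAINS = {"paypal.com", "paypal.com.au"}
TRUSTED_LINK_HOSTS = {"www.paypal.com", "paypal.com"}


def sender_domain(msg):
    """Check 1: the domain of the address in the From header."""
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def auth_results_pass(msg):
    """Check 2: SPF and DKIM both recorded as passing by the receiving MX."""
    hdr = msg.get("Authentication-Results", "")
    return "spf=pass" in hdr and "dkim=pass" in hdr


def link_hosts(msg):
    """Check 3: every host that an href in the HTML body points at."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    hrefs = re.findall(r'href="([^"]+)"', html)
    return {urlparse(h).hostname for h in hrefs}


def spoof_indicators(raw):
    """Run all three checks; True means that indicator looks legitimate."""
    msg = email.message_from_string(raw, policy=policy.default)
    hosts = link_hosts(msg)
    return {
        "from_domain_trusted": sender_domain(msg) in TRUSTED_SENDER_DOMAINS,
        "headers_authenticated": auth_results_pass(msg),
        "links_on_paypal": bool(hosts) and hosts <= TRUSTED_LINK_HOSTS,
    }


def looks_spoofed(raw):
    """Spoofed if any of the three usual suspects fails. Passing all three
    says the message really came via PayPal, not that its content is honest."""
    return not all(spoof_indicators(raw).values())


if __name__ == "__main__":
    print(spoof_indicators(RAW_MESSAGE), "spoofed:", looks_spoofed(RAW_MESSAGE))
```

Run it and all three indicators come back clean, exactly the situation the post describes; swap the From address for a lookalike domain and the first check fails.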

It’s 2016 already, how are websites still screwing up these user experiences?!

We’re a few days into the new year and I’m sick of it already. This is fundamental web usability 101 stuff that plagues us all and makes our online life that much more painful than it needs to be. None of these practices – none of them – is ever met with “Oh how nice, this site is doing that thing”. Every one of these is absolutely driving the web into a dismal abyss of frustration and much ranting by all. And before anyone retorts with “Oh you can just install this do-whacky plugin which rewri...

2015 retrospective

I don’t normally do the year in review thing, but then I don’t normally have a year like this either. Whilst it may not seem like it to the casual observer, life changed in so many significant ways in 2015, more so than any time in probably the last 15. The other day I was having a spin back through my tweets with media and I realised just how nuts things had been, so I thought I might capture a bunch of them here as they really tell the story. This is as much for me to reflect on the year as...

No, you can’t join my wifi network

I’ve had a couple of experiences recently where guests have come to stay and then requested to jump on my wifi. In each case, I’ve declined and in turn they have expressed some degree of shock and outrage. Because it will happen again and because I don’t want upset guests staying in my house, allow me to articulate clearly and objectively why my network is off limits and why perhaps you too want to think twice about allowing access to yours. It’s not that I don't trust my guests… Let’s start he...

Hacking Gary – a Pluralsight Play by Play

Every now and then, a Pluralsight course completely defies the odds of what I expected it to do. Now it’s not that I don’t think this latest one [https://app.pluralsight.com/library/courses/play-by-play-ethical-hacking-troy-hunt/table-of-contents] is a good course, rather it’s that it’s a play-by-play which effectively went like this: Pluralsight: Hey, how about you hack Gary Eimerman [https://twitter.com/garyeimerman] and we record it? Me: You had me at “hack”! And that’s about it – now it’...

Get more awesome Pluralsight content than ever for zero dollars!

Pluralsight content remains enormously popular among a growing audience of technology pros not just because of the breadth of content (we’re talking about well over 4,000 courses now), but because it’s so cheap to get into. Less than a dollar a day and you’ve got access to some really top notch content that’s created by some of the best in the business then scrutinised and peer reviewed to ensure it’s right up there as the best possible training material you can find on the web. It’s amazing the...

The ongoing scourge that is SQL injection and Azure’s new SQL Database Threat Detection

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them! Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?! And here we are at that reality of today; SQL injection, whilst well unders...
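The failure mode the paragraph describes, as an added example that is not part of the original post or of Azure's threat-detection feature: a query that concatenates user input beside the parameterised form that closes the hole, run against an in-memory SQLite database. The table, the sample rows and the function names are assumptions for the demonstration.

```python
"""Added example (not from the original post): SQL injection via string
concatenation beside the parameterised query that prevents it, using an
in-memory SQLite database with constructed sample rows."""
import sqlite3

# Constructed sample data; the table and rows are assumptions for the demo.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Input is pasted straight into the statement text: the classic mistake.
    # A single quote in the input ends the literal and the rest is SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    # The value travels separately from the SQL text, so the driver only ever
    # compares it as data; no quoting trick can change the statement's shape.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    honest = "alice"
    tautology = "x' OR '1'='1"   # turns the WHERE clause into "always true"
    # UNION lets the attacker read other tables, here the schema catalogue.
    union = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_union": lookup_vulnerable(conn, union),
        "safe_honest": lookup_parameterised(conn, honest),
        "safe_tautology": lookup_parameterised(conn, tautology),
        "safe_union": lookup_parameterised(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology input dumps every row from the vulnerable lookup, and the UNION input pulls the schema out of sqlite_master; the parameterised lookup returns nothing for either, because it is looking for a user literally named `x' OR '1'='1`.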