Protecting your embedded content with subresource integrity (SRI)

CDNs are good. You get to put your web things all over the world and then have them served to your global audience from a location close to them. For example, because this blog is served through CloudFlare and about two thirds of the requests to my site come direct from their cache, you're probably downloading all the images on this page from whichever point in the map below is closest to you:

[Image: map of CloudFlare's CDN locations]

But what's even better than CDNs when it comes to cost and performance is public CDNs. For example, on Have I been pwned (HIBP) I serve various CSS and JavaScript files that are public libraries. It's stuff like jQuery and Bootstrap and my files are in no way unique to me, they're just the garden variety libraries adorning millions of sites the world over. One of the lessons I learned very early on in the life of HIBP was that it didn't make sense to serve these libraries from my site. Not only were my visitors getting zero CDN benefits due to it all being hosted in the one West-US location, but I was paying for the bandwidth. In that link I lamented how I'd paid for 16GB of bandwidth I didn't need to just because my site was serving the public libraries. So I changed it to this:

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js"></script>

Now I've got jQuery being served from CloudFlare's CDN which means firstly, I don't pay anything for it and secondly, users get the content served from somewhere locally and thirdly, if they've seen that script before on someone else's site then it may well be already cached anyway so they don't even have to download it. It's win-win-win, right?

And then the penny drops: "Hang on - so CloudFlare are now in control of the script that runs on my site?!". Yes, they are and they could change that script file to rewrite page contents, siphon off cookies or do any number of other really nasty things. Of course if they did it would be a massive story that would impact a huge number of websites (that is unless they tailored their "attack" to only focus on referrers from HIBP) and it would more likely be an issue if they themselves were to be compromised. This is not a hypothetical situation as precisely that happened to the Bootstrap CDN in 2013. It's a hell of a way to distribute an exploit when changing a single file can simultaneously push it out to a huge number of websites!

Delegating responsibility to others, which in effect gives them control to run script on your website, is understandably concerning, particularly for certain classes of web asset. But there's a way that lets you have your public CDN cake and eat it too, and that's subresource integrity, henceforth referred to as SRI.

Let's imagine this: you decide you don't trust public CDNs so you decide to serve jQuery from your own site. Now let's assume that you have a jQuery file you actually trust, because that in itself is pretty essential to this discussion. What we're going to do with SRI is tell the browser to load that version of the jQuery file from a public CDN, but then make sure it's exactly the same as the one you know and trust. We're going to do this by generating a hash of the file and then adding it as an attribute of the script tag that embeds it, so that it looks like this:

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js" integrity="sha384-I6F5OKECLVtK/BL+8iSLDEHowSAfUo76ZL9+kGAgTRdiByINKJaqTPH/QVNS1VDb" crossorigin="anonymous"></script>

The only difference whatsoever with this script tag is the "integrity" attribute (oh - and the crossorigin one but I'll come back to that later). What this now means is that when the browser loads jQuery from CloudFlare it's going to calculate the hash of the file (a base64-encoded SHA384 hash in this case, per the prefix in the attribute), compare it to the one described on the script tag and then only run it if it checks out. This works because you trust the script tag and its attributes even if you don't trust the file served via the CDN. If the hash doesn't check out, the browser gets very upset:

[Image: browser console error for a failed integrity check]

I caused the browser to generate this error by using the hash for jQuery 2.2.3 then changing the file being loaded to request version 2.2.2. Different files, different hashes and this illustrates the point perfectly: the exact file I had told the web app to load courtesy of the integrity attribute wasn't loaded so the browser rejected it.

As for the "crossorigin" attribute, let's remove it and see what happens:

[Image: browser console error with the crossorigin attribute removed]

The CORS settings attribute is required for SRI when the request isn't from the same origin, which of course it isn't when you're loading the JS off a public CDN. Setting the attribute to anonymous ensures no creds or identity info is sent with the request (i.e. basic auth or an auth cookie), which might seem redundant when the request is going off to another origin anyway, but in this case Chrome likes to be explicit.

In terms of actually generating the hash, you can choose to use a SHA256, SHA384 or SHA512 hash. You can trawl through the somewhat lengthy W3C recommendation for more details, but so long as you have one of these you should meet the browser requirement. One easy way of generating the hash is to do exactly what I did two screen caps further up - cause a failure. Chrome then kindly details the actual hash, this time of the SHA256 variety. Now you can take this value but you want to be confident you're using the hash of a file that you completely trust.

Another approach is to use openssl and point it at a local file, perhaps the one you've already been serving directly from your site that you completely trust. That would then look like this:

openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A

Obviously that's passing in a jQuery file and while we're there, just one little gotcha: that's the minified version of jQuery and the hash will be different to the source file with all its whitespace glory so remember that when setting this up.

And finally, there's the SRI Hash Generator website:

[Image: the SRI Hash Generator website]

I like this because you're simply giving it a URL such as the original file being served off CloudFlare's CDN then letting it work everything out for you. In this case, it responds like this:

[Image: SRI Hash Generator output for the jQuery file served from CloudFlare's CDN]

But SRI doesn't just protect scripts from unexpected modification, you can use exactly the same integrity attribute (and crossorigin attribute) on style tags so CSS gets the benefit too. Here's a great demo of that: if you want to embed the Bootstrap CSS direct off their CDN, they'll even add the integrity attribute for you (probably a good move given their 2013 incident):

[Image: Bootstrap CDN embed snippet with the integrity attribute included]

And jQuery does the same thing:

[Image: jQuery CDN embed snippet with the integrity attribute included]

This is great, but remember this as it's pretty essential: you need to regenerate the hashes every single time you upgrade the library. If you're using jQuery or Bootstrap or any other resources you're protecting with SRI, you'll have to go back and use one of the approaches above to generate a new hash and whack it on your site or else stuff will break.
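To make the hashing and the "regenerate on upgrade" gotcha concrete, here's an added example (not code from this post or from HIBP). It produces the same integrity value as the openssl pipeline above, checks a body against an integrity attribute using the matching rules browsers apply (strongest listed algorithm wins, unknown algorithms are ignored), and audits a page so a hash left behind after a version change is caught before it breaks the site. The cdn.example URLs, the library bodies and the sample HTML are constructed stand-ins; nothing is fetched from the network.

```python
"""Added example: generate, verify and audit SRI integrity values.
All URLs, "CDN" bodies and HTML below are constructed for the demo."""
import base64
import hashlib
from html.parser import HTMLParser

# Algorithms SRI permits, weakest to strongest; a browser only considers
# the strongest algorithm present in the attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def make_integrity(data: bytes, algorithm: str = "sha384") -> str:
    """Same result as: openssl dgst -<algorithm> -binary FILE | openssl base64 -A"""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Map algorithm -> set of base64 digests from a (possibly multi-token)
    attribute, dropping what a browser drops: unknown algorithms and any
    '?options' suffix on a token."""
    parsed = {}
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        if not sep or algo.lower() not in SRI_ALGORITHMS:
            continue
        parsed.setdefault(algo.lower(), set()).add(rest.split("?", 1)[0])
    return parsed


def verify_integrity(data: bytes, attr: str) -> bool:
    """Pass if any digest under the strongest listed algorithm matches the
    body. An attribute with no usable tokens imposes no constraint, which is
    why a typo in the algorithm name silently disables the check."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in parsed[strongest]


class _SubresourceCollector(HTMLParser):
    """Collect (url, integrity) for <script src> and <link rel=stylesheet>."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.found.append((a["href"], a.get("integrity")))


def audit_page(html: str, fetch) -> list:
    """Return (url, status) per external script/stylesheet: 'ok', 'mismatch'
    (the hash no longer covers what the CDN serves) or 'missing' (no
    integrity attribute). fetch(url) must return the body as bytes."""
    collector = _SubresourceCollector()
    collector.feed(html)
    report = []
    for url, integrity in collector.found:
        if integrity is None:
            report.append((url, "missing"))
        elif verify_integrity(fetch(url), integrity):
            report.append((url, "ok"))
        else:
            report.append((url, "mismatch"))
    return report


# Constructed stand-in for a public CDN: two "versions" of a library.
FAKE_CDN = {
    "//cdn.example/jquery/2.2.3/jquery.min.js": b"/* constructed jquery 2.2.3 */",
    "//cdn.example/jquery/2.2.2/jquery.min.js": b"/* constructed jquery 2.2.2 */",
    "//cdn.example/bootstrap/3.3.6/bootstrap.min.css": b"/* constructed bootstrap */",
}
INTEGRITY_JQ_223 = make_integrity(FAKE_CDN["//cdn.example/jquery/2.2.3/jquery.min.js"])
INTEGRITY_CSS = make_integrity(FAKE_CDN["//cdn.example/bootstrap/3.3.6/bootstrap.min.css"], "sha256")

# Constructed page: the jQuery tag was repointed at 2.2.2 but still carries
# the 2.2.3 hash, i.e. the version-change mistake described above.
SAMPLE_HTML = f"""
<link rel="stylesheet" href="//cdn.example/bootstrap/3.3.6/bootstrap.min.css"
      integrity="{INTEGRITY_CSS}" crossorigin="anonymous">
<script src="//cdn.example/jquery/2.2.2/jquery.min.js"
        integrity="{INTEGRITY_JQ_223}" crossorigin="anonymous"></script>
<script src="//cdn.example/analytics.js"></script>
"""


def demo() -> list:
    return audit_page(SAMPLE_HTML, lambda url: FAKE_CDN.get(url, b""))


if __name__ == "__main__":
    for url, status in demo():
        print(f"{status:8} {url}")
```

Run against a real page you'd swap the FAKE_CDN lookup for a function that fetches the URL, and wire `audit_page` into a build or deploy step so that a "mismatch" fails the pipeline rather than failing in the user's browser; the "missing" status also flags third-party tags that have no integrity attribute at all.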

Now, a few things that often come up when I talk about SRI in my workshops: Firstly, this has nothing to do with SSL / TLS / HTTPS. That'll give you protection at the transport layer (stuff won't get modified while it's being sent) but it won't protect against the scenario where the source files on the CDN are maliciously modified. Secondly, if you're worried about someone modifying the hash that's added to your script tag on your server, you've got bigger problems! SRI isn't there to protect what's running on your back end. Thirdly, the performance impact of calculating the hash is so close to zero it doesn't even rate a mention (the only tangible figure I've ever heard is "about one millisecond").

So this is all good, right? I mean what's not to love?! Only really one little thing:

[Image: "Can I use" browser support table for subresource integrity]

SRI simply doesn't feature on Microsoft's or Apple's browsers, not even the new ones or the upcoming ones. All good in Chrome, all good in Firefox but that's the extent of it (Opera doesn't count because their market share literally rounds to 0%). As much as I would like to see all these browsers get on board, there's a few things to remember here:

Firstly, SRI is presently in the "Recommendation" phase as you can see towards the top of that last image. The good news is that this phase is the last in the W3C's recommendation track which means the following:

A Recommendation reflects consensus within W3C, as represented by the Director's approval. W3C considers that the ideas or technology specified by a Recommendation are appropriate for widespread deployment and promote W3C's mission.

The bad news is that whilst it's "merely" a recommendation and not a ratified part of the spec, some browser manufacturers will play the waiting game. Obviously that's where Microsoft is at the moment and they've flagged SRI as "Under Consideration".

Secondly, SRI is still supported by more than half the browsers in global circulation at present, at least according to the "Can I use" image above. Now you'll get different stats from different sources and of course your own audience is going to differ again, but the point is that the Chrome and Firefox markets alone are significant and all those users can get the benefit of SRI right now. As for those that can't, that brings me to my next point:

Thirdly and finally, if the browser doesn't support SRI... nothing happens. I mean nothing different happens in that the browser still loads the script, it just simply ignores the integrity attribute. If the file is modified at the source and the hash doesn't match up then Internet Explorer, Edge and Safari do exactly the same thing as they'd do without any SRI at all - they run the script. The point is that you don't lose anything by implementing SRI when your audience loads a site using it with an unsupported browser, but you may gain something significant when a browser that does support it loads your site.

If you're unsure about support for your browser, go and give the W3C's test page a run. If you want to see it in action first hand, I've just pushed it up to HIBP for jQuery and Bootstrap so check it out there. If you'd like to see Microsoft and Apple add support, get it into your site and show there's actually a demand for SRI by virtue of sites implementing it!

Edit 1: This is captured in one of my comments below but it's worth calling out here in the main post as well: having a fallback is a good idea. You can implement a fallback for SRI failure in the same way as you do for when the CDN is not available and it works in just the same way, namely by running a piece of script that checks if the resource has loaded and then pulling it from a local path if not. You can see this in the source code of HIBP now, for example:

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js" integrity="sha384-I6F5OKECLVtK/BL+8iSLDEHowSAfUo76ZL9+kGAgTRdiByINKJaqTPH/QVNS1VDb" crossorigin="anonymous"></script>
<script>(window.jQuery) || document.write('<script src="/scripts/jquery"><\/script>');</script>

You'll find Mozilla recommending a similar approach and it's definitely a worthwhile exercise both for if integrity fails and if the CDN is not accessible by the client.

Edit 2: The day after posting this piece, the status of CSP level 2 for Microsoft Edge went from "Under Review" to "Working On It". Microsoft takes feedback like this on board so if you've read this post and think there's value in SRI, head on over to the UserVoice request to add subresource integrity support and vote that up too!


CloudFlare, SSL and unhealthy security absolutism

Let's start with a quick quiz:

Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between:

[Image: haveibeenpwned.com loaded over HTTPS in the browser]

You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what point is the traffic decrypted? Many people would say it's at the web server but it's not, it's upstream of there at Microsoft's appliances that sit in front of the web application PaaS offering. You might see a padlock, but your traffic is not encrypted all the way to the server.

But it's not just HIBP and it's not just Microsoft either, many of the websites you visit every day will show you a padlock and not encrypt every segment of the network. For example, there may be unencrypted segments where caching appliances are involved or where security devices are inspecting traffic. That may be within private or public networks; the padlock icon gives you no assurance of that. And even if the traffic is encrypted all the way to the web server (also known as "the origin"), it may not then be encrypted when it goes to the database. Green bits in address bars make no assurances of that.

HTTPS is not an absolute state; it's not "you have it and everything is perfect" or "you don't and it all sucks". But there are some who believe just that and they neglect the more complex fabric of not just how we compose applications, but who is composing them and where the greatest risks we're facing today lie. This is what I mean by "unhealthy security absolutism" and it's a position I'd like to comprehensively squash here.

The mechanics of CloudFlare

Dissenting voices are frequently directed at CloudFlare, the providers of a free service that wraps around your website and does everything from caching your content at edge nodes to blocking various attacks to allowing you to serve resources to your visitors over HTTPS. I've written in detail about the mechanics of this in the past and even created a Pluralsight course on Getting Started with CloudFlare Security. Needless to say, I've spent a lot of time thinking about CloudFlare.

The basic premise is that you create an account, set up a new site that takes a copy of all your DNS records then you update your name servers to use theirs. That's it, job done. It's literally a 5-minute exercise and the most complex part of it for most people will be figuring out where to change those name servers with their registrar. Once you've done that and DNS propagation magic takes hold, traffic is now routing through CloudFlare's infrastructure. Because the service is a globally distributed CDN, it means that visitors will be hitting an edge node in one of these locations:

[Image: map of CloudFlare's edge node locations]

By operating as a CDN, CloudFlare can do some pretty neat caching tricks. For example, you're reading this now on a page that was served through their infrastructure and a bunch of the content on this page (images, style sheets etc.) would have been served directly by them, not by the website at the back end:

[Image: CloudFlare analytics showing the share of requests served from cache]

That's 69% of my requests that didn't need to hit my website. That's also 57GB in that same period and remember, this is all on a highly optimised website and during a fairly normal traffic period. This is particularly important for those paying for bandwidth as it slashes that cost by 84%:

[Image: CloudFlare analytics showing bandwidth saved]

Even though my site is served over HTTPS, CloudFlare can do caching tricks because they sit in the middle of the connection, encrypting and decrypting the traffic between the browser and the origin. They offer a number of different configurations for this:

[Image: CloudFlare SSL configuration options]

It works like this:

  • Off: They won't serve anything over HTTPS
  • Flexible: They'll serve content over HTTPS from their infrastructure, but the connection between them and the origin is unencrypted
  • Full: Still HTTPS from CloudFlare to the browser but they'll also talk HTTPS to the origin although they won't validate the certificate
  • Full (strict): CloudFlare issues the certificate and they'll intercept your traffic, but then it's all HTTPS to the origin and the cert is validated as well

What it means is that you can choose how much SSL you want depending on what's supported by your origin. For example, the blog you're reading this on uses the "Full" model which looks like this (image courtesy of CloudFlare's blog post on the introduction of strict SSL):

[Image: CloudFlare's diagram of the "Full" SSL model]

In this model, everything between the browser and CloudFlare is encrypted; the router, the modem, the ISP and anything else between the person viewing the website and CloudFlare themselves is protected. Traffic between CloudFlare and the origin is also encrypted, but CloudFlare doesn't validate the cert. The reason is that I can't serve a valid cert from the origin for troyhunt.com, it's not a feature supported by Ghost Pro. However, I can serve a wildcard cert for *.ghost.io and this act alone protects against passive eavesdropping (an attacker listening on the wire), but not active interception where an attacker inserts their own cert. They could do this because CloudFlare can't validate it.

If I could serve a valid cert from my blog's origin then most of the anti-CloudFlare arguments would go away, at least those related to interception on the wire. Some opponents would still argue that because decryption (and then encryption) is happening within CloudFlare itself then them having access to the traffic is unacceptable. In some cases, they're probably right, but if you don't want to spend big bucks setting up your own edge caching and optimisation infrastructure then you're left with using a provider like CloudFlare or Akamai or several others who will still have access to your traffic.

However, there are many people using CloudFlare to wrap SSL around their assets who have no access to any form of encryption at all. They can't do "Full" and they certainly can't do "Full (strict)" which means that network segment between CloudFlare and the origin remains open to monitoring and interception. It's predominantly the "Flexible" and "Full" models that opponents would proverbially throw out with the bathwater and that's the absolutism I want to tackle here.

Risks on the transport layer

Let's start by clarifying why we need an encrypted transport layer in the first place, the typical risks we see and who the various threat actors are.

When we talk about encrypting in transit, we're primarily talking about protecting against the threat of a "man in the middle" or MitM as you'll commonly see it referred to. This risk comes in many different forms, for example there's the now infamous Firesheep extension from 2010 which enabled someone to hijack the Facebook sessions of people around them on an unencrypted network:

[Image: the Firesheep extension]

There's the ongoing scourge of poorly protected router admin interfaces which are vulnerable to DNS modifications via cross site request forgery risks. That's the risk that just keeps on giving!

A particularly accessible way of intercepting traffic is with a device like the Wifi Pineapple that I've used in so many of my conference talks around the world. It's an exceptionally trivial attack to mount:

[Image: the Wifi Pineapple]

There's even airlines (and many other service providers) who'll hijack your traffic and modify it to inject their own things:

Just think about all the points of exposure where normal everyday people face traffic interception risks; I've covered personal routers being DNS hijacked, but think about the cafes people visit, the airports they travel through, the hotels they stay in and any number of other points close to the user which put them at risk. On a website like this one you're reading now, there are many, many points between you and CloudFlare that can be intercepted and traffic read or modified. Further to that, the difficulty of doing so is not necessarily high; casual hackers and unsophisticated criminals alike can access many of these methods.

But going back to the earlier diagram, the segment between CloudFlare and the origin remains at risk either via passive monitoring in the "Flexible" model or active interception in the "Full" model. So who are the "threat actors" in that segment of the network? The most important thing to remember (and I suspect this is what opponents of the model neglect), is that we're talking about the internet backbone now and that's an entirely different class of bad guy.

An example of this is the Tunisian government's interception of the Facebook login page in 2011. They controlled the internet backbone going in and out of the country so they could modify the traffic way upstream of all the other risks I just outlined. In some ways that's not such a good example because CloudFlare doesn't have an edge node in Tunisia so all the data from citizens in that country would leave the nation encrypted anyway. But there's a better example:

[Image: NSA slide on backbone-level surveillance]

We know now - quite emphatically - that the NSA and counterparts in other countries have been involved in mass surveillance at the internet backbone level. That means that they could be watching you read this blog post right now! But let's delve deeper on the government risk and indeed the risks that remain in a "Flexible" or "Full" CloudFlare SSL model because it's pivotal to this post.

The government can get your things

There are two sides to the government interception issue I want to touch on and the first is simply this: is government interception a risk for your website?

This is a really important question and it acknowledges the premise that security defences should be commensurate to the risk you're trying to defend against. In the earlier Tunisia example with Facebook, yes, government interception is a real risk as the data transiting the network provides a genuine upside to them. In the case of my blog, no, I don't believe that's a risk of any magnitude, I'm more worried about modification to serve malicious content or possibly phishing material.

The second side to consider is if there's a genuine intent by the government to gain access to data, what channels exist regardless of the ability to intercept plain text communications between CloudFlare and the origin?

Beginning with an NSA slide again, the Snowden leaks revealed they were extracting data directly from the origin anyway:

[Image: NSA slide on data collection from the origin]

We don't want to unnecessarily give up our privacy by not protecting traffic to the fullest extent possible (and I will come back to that distinction), but let us also not be under the illusion that SSL alone solves that problem.

Even with the presence of encryption to the origin, an MitM can still observe the HTTPS CONNECTs the browser makes at the proxy level. It won't show what's in the request, but it will show who they're talking to so there's your metadata. In case you think that doesn't matter, remember that governments kill people based on metadata and in many ways it's more valuable than the message contents itself.

Then there's CloudFlare themselves or any other similar provider that supports edge caching (I mentioned Akamai earlier). They're still encrypting and decrypting traffic even when they're then talking to the origin in the most secure way possible (Full "strict", in CloudFlare nomenclature) and should they be subject to the same sort of Prism data collection as all the others were or subject to a legal court order to obtain information then they have the ability to access your traffic. That's an important observation too - there are classes of website that, rightly or wrongly, shouldn't be using CloudFlare at all as this sort of scenario poses too great a risk to their specific class of website.

Take it a step further and we have the whole Diginotar situation with Iran a few years back. Now it's arguably because SSL works so well that they had to go to these lengths in the first place, but the point remains that when your adversary is a nation state, they can be exceptionally resourceful.

But what about that Pirate Bay thing in India?

There was a really well-written piece recently on how an Indian ISP (Airtel) was intercepting CloudFlare traffic destined for The Pirate Bay (TPB) in order to block access to it. The author of this post was able to prove pretty emphatically that whilst his connection to CloudFlare was solid, upstream of CloudFlare when they're connecting to The Pirate bay origin things were being MitM'd. Based on CloudFlare's response to the incident, it appears that TPB had configured CloudFlare to use the "Flexible" model of SSL so in other words, no encryption upstream of their edge nodes whatsoever.

In case you've been living in a cave, TPB has been an enormously popular site for the last decade and a bit that has served primarily to distribute copyrighted material. There's a good reason it has "pirate" in the name... the site has previously been shut down, its operators have been jailed and many different countries have blocked it at various times. TPB is exactly the sort of site that piques the interest of governments.

In the blog post about CloudFlare and TPB, Airtel is quoted as saying that they will block content "on orders from the government or the courts". Kinda like, well, pretty much anywhere. Now Airtel's choice of words was poor (they begin by saying they don't block), but the bottom line is just like Australia or the UK or US or anywhere else I can think of, ISPs are beholden to the orders of local authorities.

Frankly, the whole CloudFlare thing is a bit pointless because the government could easily block HTTPS connections to sites anyway, but what this article does show us is exactly what CloudFlare have always said is possible: that an MitM can modify upstream traffic from them if you're not using "Full (strict)" SSL. It's precisely what's shown in the earlier diagram of their Full SSL implementation except instead of the NSA you have Airtel at the behest of the Indian government. This event isn't news, it's simply a demonstration of what we already know.

Without necessarily condoning what they're doing here, the biggest mistake made was TPB not saying "Hey, maybe we're the sort of site that might be at risk of government interception, perhaps our threat model should recognise that". In that case they would have enabled Full (strict) or possibly have even not used CloudFlare at all and served content from the origin (but then of course their bandwidth costs go way up and perf drops). They could still be blocked anyway, but that would have meant this is no longer a CloudFlare story and it simply becomes "Indian government blocks TPB access" in just the same way as so many other countries block it.

It's places like this where we need to cut through the FUD and objectively look at what's actually going on. Anyone jumping up and down and decrying that the CloudFlare model is fundamentally wrong is completely missing not just the point of the whole thing, but how the technology actually works.

You wouldn't want your credit cards going over there, would you, huh, what about that?!

I've heard this a few times from opponents of CloudFlare and they're right - I wouldn't want my credit card going out in the clear - but that's not permissible anyway. PCI DSS disallows it already so it's a moot argument. However...

Think back again to the threat actors who can access data upstream of CloudFlare's edge nodes. So the government or operators of internet backbones could access the card data. I don't necessarily want that to happen, but they're not the guys I'm worried about. I'm worried about those who'd seek to commoditise my card data so we're talking about criminal elements who whilst very resourceful, are far less likely to have access to that segment of the network.

But more than that, merchants taking credit card payments can usually justify the expense of SSL on the origin anyway. And if they don't, they get the PCI hammer for not being compliant so there are well and truly already enough constructs here keeping card data in check.

Again, we're back to commensurate security measures for the asset being protected and the actual security risks faced.

There should be a response header that indicates where the SSL terminates

One request I've heard a number of times is to indicate what is encrypted where in a publicly observable fashion, such as via a response header. This has merit, but is also not straightforward.

To begin with, what does it actually say? Ideally, you don't want a vendor-specific header talking about what CloudFlare does so you need to create a spec that's more agnostic. You could possibly indicate if the node that's done the TLS termination is relaying traffic over another encrypted connection (and then whether it's "Full" or "Strict"), but what happens after that? What if there are multiple points of encryption / decryption due to various caching layers or other app design decisions? What if termination occurs in a network other than the one hosting the origin? Or in the same network but some traffic flows in the clear to the web server after termination?

From a transparency perspective, I like the idea of providing some information and I'll come back to that a bit later on. But from a practicality perspective not only is it difficult to implement in a way that actually makes sense, it's not going to change user behaviour when they arrive at the site. It would allow those of us who look for these things to hold the site more accountable (and that's a good thing), but it would make very little difference to the overall landscape of how SSL is implemented.

Your traffic may be fully encrypted to the origin anyway

CloudFlare does much more than just allow you to (allegedly) cheat at SSL. They do a whole bunch of performance optimisations too, one of which is edge caching. By storing static content on edge nodes, they can avoid the additional hop between their infrastructure and your infrastructure, which is why my earlier graphs look so nice. You can configure caching in a variety of different ways depending on how aggressive you want to be.

The point is though, many requests won't even hit your origin, in fact they won't even leave CloudFlare's infrastructure. You could browse an entire site like this one and never actually hit Ghost's platform - it's like, 100% secure! (No, not really, but whilst people are enjoying talking in absolutes...)

The web is more complex than whether you have 100% security all the time or none at all. Nuances like this are all part of the plumbing that makes the whole thing work and this is but one example. Now you could always add yet more headers to indicate where the traffic was last served from, and continue down this slippery path of trying to map out the route of the request, but this is yet another illustration that the view of CloudFlare being "insecure" is much more nuanced than some people think.

Why don't you just do it properly?

I would love for everyone to do it "properly". I'd like to see every website with an A+ rating from SSL Labs and full transport layer encryption all the way back to the origin. I'd like to solve world hunger, poverty and get rid of Trump but none of those things are going to happen in one go (ok, maybe Trump), they all require gradual steps in the right direction.

The reason we can't jump straight to the SSL destination is because the service providers still make it hard. Yes, I could give up on Ghost Pro and self-host on the Azure website service (oh crap - I'd still be behind their shared SSL termination device!) and be perpetually responsible for patching and running an app platform which is way more risky (just read my piece on self-hosted vBulletin if that sounds weird). Only a year ago I explained how we’re struggling to get traction with SSL because it’s still a "premium service" and this is still true. Now there have been some great steps forward since then such as Let's Encrypt getting up off the ground, but even then it can be a lot of hard work to get running.

People will make ROI decisions on how many dollars and how much effort are required and they'll assess that against the perceived value. People are generally terrible at doing that, particularly the value piece, so the more we can keep cost and effort down, the easier it makes the whole equation. In this instance, "properly" can mean trade-offs; it might mean not using a service or hosting provider that can't encrypt to the origin, it might mean financial, usability or geo-location compromises. Sometimes these will make sense but that's a much more holistic discussion than just "always do your SSL perfectly".

Why you should be using CloudFlare

First and foremost, if your choices are to either run entirely unencrypted or to protect against the 95% (or thereabouts) of transport layer threats that exist between your visitors and your origin, do the sensible thing. Nobody in their right mind is going to advocate for remaining totally unencrypted rather than using CloudFlare purely to encrypt between their edge nodes and your users. There are people not in their right mind that will argue to the contrary and that's precisely what the title of this post suggests - it's unhealthy security absolutism.

Secondly, remember that you're getting many other things out of the box with CloudFlare including all that edge node caching goodness. As I said earlier, if you're paying for bandwidth and you can shave the vast majority of that off your origin for free and serve your content fast then that's a serious advantage. That should be in your ROI somewhere.

And finally, as I recently wrote, HTTPS served over HTTP/2 has a massive speed advantage and you get that from CloudFlare even if your origin doesn't support HTTP/2. Of course it only makes sense for the requests that aren't served from your old HTTP/1.1 origin, but that's a small portion of them anyway.

I'm aware of how evangelical this sounds so for the sake of total transparency, I'm not incentivised by CloudFlare in any way and they've never paid me for anything or given me any free or discounted services. When I really like a technology, I get excited about it and that combined with the counterproductive attitudes I've mentioned throughout this post are what's led me to write it.

If I was CloudFlare, I would do these things:

Now as much as I think opponents have what we refer to down here as "some kangaroos loose in the top paddock", I also think there are opportunities for CloudFlare to help raise the bar.

For example, they could check the highest level of SSL that's available to the origin when the crypto is configured. See if there's a valid cert, see if there's an invalid cert and make a recommendation to the customer about how best to secure their site. Help them fall into the pit of success!

I also think they could give a clearer indication of what's encrypted and what's not at the point where the site is configured. I like their flow diagram with the NSA in it and I'd love to see that facing the customer as they set up their site. Make it impossible for them not to fully grasp the consequences of what they're doing.

And finally, even though I think it's of minimal value, add the chosen encryption model as a response header. Obviously it'd be a non-standard header at this point but something like this would go a long way to establishing transparency:

x-cloudflare-crypto: full

One important thing CloudFlare has done this year that's worth recognising is the introduction of their origin CA offering. If your origin has the ability to do Full (strict) but you don't have the cert (or don't want to pay for it), CloudFlare will give you a free one. There are actually reasons why this makes even more sense than going out and spending money with an incumbent CA and you can read why in that link, point is that they genuinely are attempting to raise the bar at all points in the transport layer and that's something that I hope even the naysayers will recognise.

Summary

We're on a journey to ubiquitous encryption both in transit and at rest. CloudFlare's Flexible SSL model is not the destination, it's merely a step along the way. For some use cases it won't be a step far enough - those with PCI obligations, for example - yet for so many others, moving to CloudFlare regardless of what happens behind their infrastructure is a massive step forward; the site is now SSL friendly, content is embedded correctly, it might mean enabling HSTS, secure versions of the URL are socialised and a huge portion of the hard work of going secure is done. When it does become a no-brainer to encrypt back to somewhere closer to the origin, that one further step is going to be a piece of cake. 86% of the Alexa Top 1 million websites aren't served over HTTPS - any SSL is a move in the right direction for them, we're merely debating how far they should move in one go.

Unhealthy security absolutism does not move us in the right direction. It delays progress and ultimately undermines the very objective those doing the complaining claim to aspire to. In the progress of bemoaning "but it's not absolutely perfect", the people trying to actually deliver working software to the web with appropriate security controls get exposed to the ugly side of security that insists on perfection at all costs. Everyone loses and that's just not a healthy state to be in.

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this:

What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. Only half the accounts get the "good" algorithm but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.

At first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. It's not clear whether they provided the data they obtained from Leakbase to Dropbox directly or not, although it would be reasonable to assume that Dropbox has a copy in their hands from somewhere. But I like to be sure about these things and as I've written before, independent verification of a breach is essential. Fortunately because it's Dropbox, there's no shortage of people with accounts who can help verify if the data is correct. People like me.

So I trawled through the data and sure enough, there was my record:

troyhunt@hotmail.com:$2a$08$W4rolc3DILtqUP4E7d8k/eNIjyZqm0RlhhiWOuWs/sB/gVASl46M2

I head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. My wife, however, was a different story. Well it was partly the same, she too had an entry in the breach:

[redacted]@[redacted]$2a$08$CqSazJgRD/KQEyRMvgZCcegQjIZd2EjteByJgX4KwE3hV2LZj1ls2

But here's where things differed:

Now there's three things I'd like to point out here:

  1. My wife uses a password manager. If your significant other doesn't (and I'm assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free.
  2. Because she uses a password manager, she had a good password. I've obfuscated part of it just in case there's any remaining workable vector for it in Dropbox but you can clearly see it's a genuinely random, strong password.
  3. She hadn't changed the password since April 2012 which means that assuming Dropbox is right about the mid-2012 time frame, this was the password in the breach.

Knowing what her original password was and having what at this stage was an alleged hash of it, if I could hash her strong password using the same approach and it matched then I could be confident the breach was legit. With that, it was off to hashcat armed with a single bcrypt hash and the world's smallest password dictionary containing just the one, strong password. Even with a slow hashing algorithm like bcrypt, the result came back almost immediately:

And there you have it - the highlighted text is the password used to create the bcrypt hash to the left of it. Now this isn't "cracking" in the traditional sense because I'm not trying to guess what her password was, rather it's a confirmation that her record in Dropbox is the hash of her very strong, very unique never-used-anywhere-else password. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of.
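The same check in code, as an added example that is not part of the original post: parse an `email:hash` line from the dump, classify the hash by its shape (a bcrypt string carries its own cost and salt, which is why those rows are self-contained, whereas the SHA1 rows are bare 40-character digests), and confirm that a password you already hold reproduces the stored hash. The first sample line is the record quoted above; the second sample line, the `DumpRecord` type and the function names are constructed for this example. The bcrypt branch relies on the third-party `bcrypt` package, which is not in the standard library.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Modular-crypt bcrypt string: $2a$<cost>$<22-char salt><31-char hash>. The salt
# travels inside the string, which is why the bcrypt rows need no extra column.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# The older rows are bare SHA-1 digests: 40 hex characters and nothing else.
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample: the first line is the record quoted in the post, the
# second is a made-up SHA-1 row (the SHA-1 of the string "abc").
SAMPLE_LINES = [
    "troyhunt@hotmail.com:$2a$08$W4rolc3DILtqUP4E7d8k/eNIjyZqm0RlhhiWOuWs/sB/gVASl46M2",
    "someone@example.com:a9993e364706816aba3e25717850c26c9cd0d89d",
]


@dataclass
class DumpRecord:
    email: str
    algorithm: str              # "bcrypt", "sha1" or "unknown"
    digest: str                 # hash string exactly as it appears in the dump
    cost: Optional[int] = None  # bcrypt work factor: 2**cost key-schedule rounds
    salt: Optional[str] = None  # bcrypt salt; SHA-1 rows carry none


def parse_record(line: str) -> DumpRecord:
    """Split one 'email:hash' line and classify the hash by its shape."""
    email, sep, digest = line.strip().partition(":")
    if not sep or not email:
        raise ValueError("expected 'email:hash'")
    m = BCRYPT_RE.match(digest)
    if m:
        return DumpRecord(email, "bcrypt", digest, cost=int(m.group(1)), salt=m.group(2))
    if SHA1_RE.match(digest):
        return DumpRecord(email, "sha1", digest)
    return DumpRecord(email, "unknown", digest)


def verify_known_password(record: DumpRecord, password: str) -> bool:
    """Confirm that a password you already hold reproduces the stored hash.

    This is the 'dictionary of one' check from the post: it establishes that a
    dump is genuine for an account whose password you own; nothing is guessed.
    """
    if record.algorithm == "sha1":
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return digest.lower() == record.digest.lower()
    if record.algorithm == "bcrypt":
        import bcrypt  # third-party package (pip install bcrypt), not stdlib
        return bcrypt.checkpw(password.encode("utf-8"), record.digest.encode("ascii"))
    raise ValueError(f"cannot verify a {record.algorithm!r} hash")


def summarise_dump(lines: Iterable[str]) -> Dict[str, int]:
    """Count rows per algorithm, e.g. to see the bcrypt/SHA-1 split in a dump."""
    counts: Dict[str, int] = {}
    for line in lines:
        algorithm = parse_record(line).algorithm
        counts[algorithm] = counts.get(algorithm, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_record(line)
        print(rec.email, rec.algorithm, rec.cost, rec.salt)
    print(summarise_dump(SAMPLE_LINES))
    print(verify_known_password(parse_record(SAMPLE_LINES[1]), "abc"))
```

Run over a whole dump, `summarise_dump` gives the algorithm split the post describes, and `verify_known_password` does for one account exactly what the one-entry hashcat dictionary did: a match on a strong, unique password is the evidence that the data is real.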

As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn't, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you're in any doubt whatsoever and make sure you enable Dropbox's two-step verification while you're there if it's not on already.

There are now 68,648,009 Dropbox accounts searchable in HIBP. I've also just sent 144,136 emails to subscribers of the free notification service and a further 8,476 emails to those using the free domain monitoring service.

Update (the following day): I went back into my 1Password today and whilst my current password was created in 2014, it had kindly stored a previous one I'd overlooked when originally verifying the Dropbox data:

This password was replaced on the 22nd of September in 2012 so that gives you a sense of time frame that reconciles with what Dropbox has said in that the breach would have happened before this time.

So with this password I then repeated the same process as I had with my wife's and sure enough, my hash in the data set checked out - the password is correct:

Both my wife's and my strong, unique password manager generated and stored passwords are the ones in the Dropbox data breach. Frankly, there was no ambiguity as to the legitimacy of this data after my wife's password checked out, but this is yet more certainty that they did indeed suffer a data breach.

The "Have I been pwned" API rate limit has been brought forward - here's why

Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring it forward to today.

As I explained in the original post, there were multiple reasons for the rate limit including high volumes of API calls impacting system performance (they were ramping up faster than Azure could auto-scale), the cost to me personally of supporting the traffic (I pay for all of this out of my own pocket), and finally, my desire to ensure the system is used for ethical purposes to the fullest extent possible. It's this last one I want to share more detail on here.

In the weeks leading up to the original rate limit post, I was seeing large volumes of requests adhering to patterns that I wasn't confident indicated ethical use. These included:

  1. Alphabetically working through a large volume of addresses on mail provider domains
  2. Obfuscating the user agent by randomising strings across a broad range of otherwise legitimate browser UAs
  3. Serving the requests from hundreds of different IP addresses, predominantly in Eastern Europe
  4. Actively adapting request patterns to avoid counter-abuse measures I had in place

That third point in particular is typical botnet behaviour; otherwise legitimate machines infected with malware acting on behalf of a malicious party. Azure captures a small snapshot of rolling log files in W3C extended format (usually just the last hour of activity, I don't explicitly retain any logs) and from these I could see patterns such as this:

In this case, they're all from the same Russian IP address, all on the bk.ru domain which redirects to the mail.ru mail service and none of them are in HIBP anyway (they're all returning 404). I'd frequently see volumes of around 12k requests per minute coming from 2 or 3 IP addresses. One of the countermeasures I used was to simply block the addresses and return 403 with a response body referring to the acceptable use terms of the API, but those IPs would quickly be replaced with others following the same pattern. This was easily handled on my end by the minimum infrastructure scale I normally run and at worst, another instance of a medium Azure web site might have been added to handle it. This meant it wasn't a big problem in terms of scale and consequently cost (even though it was causing increased transaction times), but clearly the patterns in the bullet points above are not something I wanted to be seeing. That was the status quo until two days ago when I started seeing traffic patterns like this:
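To show how the patterns in the list above can be picked out of the W3C extended logs Azure writes, here is an added example (not code from HIBP or the post) that scores each client IP on the signals described: request rate, the share of lookups returning 404, how many distinct user agents one address presents, and whether the queried accounts arrive in alphabetical order. The log sample is constructed with a reduced field set, the client addresses come from documentation IP ranges, and the `/api/v2/breachedaccount/` path is an assumption; the thresholds are parameters because the production values (the post mentions 12k requests a minute) are far above anything a hand-written sample can show.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in the W3C extended format Azure writes, reduced to the
# fields these checks need (real logs carry more columns; the UA field uses
# '+' for spaces). IPs come from documentation ranges; the API path is assumed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2016-09-04 10:00:01 203.0.113.7 GET /api/v2/breachedaccount/aaron%40example.com Mozilla/5.0+(Windows+NT+6.1)+q7Xz 404
2016-09-04 10:00:02 203.0.113.7 GET /api/v2/breachedaccount/abbey%40example.com Mozilla/5.0+(Macintosh)+k2Pd 404
2016-09-04 10:00:03 203.0.113.7 GET /api/v2/breachedaccount/abel%40example.com Mozilla/5.0+(X11;+Linux)+m9Lr 404
2016-09-04 10:00:04 203.0.113.7 GET /api/v2/breachedaccount/abigail%40example.com Mozilla/5.0+(Windows+NT+6.1)+t4Wb 404
2016-09-04 10:00:05 203.0.113.7 GET /api/v2/breachedaccount/adam%40example.com Mozilla/5.0+(Macintosh)+v8Hn 404
2016-09-04 10:00:06 203.0.113.7 GET /api/v2/breachedaccount/adrian%40example.com Mozilla/5.0+(X11;+Linux)+c1Qs 404
2016-09-04 10:00:07 203.0.113.7 GET /api/v2/breachedaccount/aiden%40example.com Mozilla/5.0+(Windows+NT+6.1)+p6Yk 404
2016-09-04 10:00:08 203.0.113.7 GET /api/v2/breachedaccount/alan%40example.com Mozilla/5.0+(Macintosh)+z3Fe 404
2016-09-04 10:00:05 198.51.100.9 GET /api/v2/breachedaccount/zoe%40example.org Mozilla/5.0+(Windows+NT+10.0)+Chrome/52.0 200
2016-09-04 10:02:10 198.51.100.9 GET /api/v2/breachedaccount/mike%40example.org Mozilla/5.0+(Windows+NT+10.0)+Chrome/52.0 404
2016-09-04 10:03:40 198.51.100.9 GET /api/v2/breachedaccount/support%40example.org Mozilla/5.0+(Windows+NT+10.0)+Chrome/52.0 200
"""

ACCOUNT_PREFIX = "/api/v2/breachedaccount/"  # assumed lookup path


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def analyse(text: str, min_requests: int = 50, min_rate_per_min: float = 600.0) -> Dict[str, dict]:
    """Score each client IP against the abuse signals listed in the post."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        by_ip[row["c-ip"]].append(row)

    report: Dict[str, dict] = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        n = len(rows)
        span = (rows[-1]["ts"] - rows[0]["ts"]).total_seconds()
        rate = n / max(span, 60.0) * 60.0          # requests per minute, floored at a one-minute span
        not_found = sum(r["sc-status"] == "404" for r in rows) / n
        user_agents = len({r["cs(User-Agent)"] for r in rows})
        accounts = [unquote(r["cs-uri-stem"][len(ACCOUNT_PREFIX):]).lower()
                    for r in rows if r["cs-uri-stem"].startswith(ACCOUNT_PREFIX)]
        pairs = list(zip(accounts, accounts[1:]))
        ascending = sum(b > a for a, b in pairs) / len(pairs) if pairs else 0.0

        high_volume = n >= min_requests and rate >= min_rate_per_min
        mostly_misses = not_found >= 0.9       # enumeration: most lookups find nothing
        alphabetical = ascending >= 0.8        # working through addresses in order
        rotating_uas = user_agents >= 3        # one client presenting many "browsers"
        report[ip] = {
            "requests": n,
            "rate_per_min": round(rate, 1),
            "not_found_ratio": round(not_found, 2),
            "distinct_user_agents": user_agents,
            "ascending_ratio": round(ascending, 2),
            "suspicious": high_volume and mostly_misses and (alphabetical or rotating_uas),
        }
    return report


if __name__ == "__main__":
    for ip, signals in analyse(SAMPLE_LOG, min_requests=5, min_rate_per_min=5.0).items():
        print(ip, signals)
```

An IP is only flagged when it is both high volume and mostly hitting 404s, plus at least one of the two fingerprints (alphabetical walking or rotating user agents); a single legitimate user checking a few addresses trips none of them. The block-and-replace countermeasure the post mentions is the obvious consumer of the `suspicious` flag, though as the post also notes, the addresses simply get replaced.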

Now we're talking about sustained traffic of up to 60k requests per minute. Remember, each of those is searching 1.3 billion records and when you're doing that a thousand times a second, it's gonna consume a lot of overhead to support it. It was hurting performance, it was hurting my wallet and it was hurting availability:

The image above is traffic over the preceding week. In the last few days of August, the graph shows the suspicious usage patterns described above then in the first few days of September, high levels of sustained organic traffic (normal users with a web browser) of many hundreds of thousands of visitors a day due to the Dropbox incident and subsequent extensive press coverage. However, get to September 3 and you'll see the traffic rocketing up to the levels in the earlier image. I can only speculate on the reasons for this and I suspect it's related to the abuse countermeasures I implemented but clearly, something major changed in the traffic patterns.

The real concern availability wise though is those little red blips on September 3 and 4. Because the traffic was coming on so hard and so fast, I wasn't able to scale quickly enough. The reason for this is that I configure the Azure infrastructure to autoscale and it looks like this:

What you're seeing here are the conditions that need to be met to cause the infrastructure to scale, namely that the CPU overhead exceeds an average of 80% across a duration of 10 minutes. Now that's fine when traffic ramps up even very quickly in an organic fashion, but when it suddenly goes through the roof in mere seconds then you can be looking at minutes before extra scale is added. That scale may not be enough either - I'm adding 1 instance at a time then allowing 10 minutes to see how performance goes before adding another one. When you're suddenly hit with load that requires many additional servers, some of those requests result in errors. At peak, I was seeing 125k requests a minute and when that volume of traffic is suddenly thrown at a scale that's serving "mere" thousands of requests a minute, you're gonna have problems. And that's not cool.
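To make the lag concrete, here is an added simulation (my own illustration, not Azure's autoscale engine or anything from the post) that replays a demand profile against the rule just described: average CPU over a 10 minute window above 80% adds one instance, then a 10 minute cooldown before the rule is evaluated again. The per-instance capacity, the starting instance count, the way CPU is modelled as the share of total capacity in use and the demand profile are all constructed assumptions; the point is the shape of the result, not the numbers.

```python
from typing import List


def simulate_autoscale(demand_per_minute: List[int], per_instance_capacity: int = 5000,
                       instances: int = 2, threshold: float = 80.0, window: int = 10,
                       step: int = 1, cooldown_minutes: int = 10) -> List[dict]:
    """Replay a per-minute demand profile against a CPU-threshold scale-out rule.

    The rule mirrors the one in the post: scale out by `step` when average CPU
    over the last `window` minutes exceeds `threshold`, then wait
    `cooldown_minutes` before evaluating again. CPU is modelled as the share of
    total capacity in use (a constructed assumption), capped at 100%. Requests
    beyond capacity in a given minute are counted as dropped.
    """
    history: List[float] = []
    results: List[dict] = []
    cooldown = 0
    for minute, demand in enumerate(demand_per_minute):
        capacity = instances * per_instance_capacity
        dropped = max(0, demand - capacity)
        cpu = min(100.0, 100.0 * demand / capacity)
        history.append(cpu)
        results.append({"minute": minute, "instances": instances, "cpu": cpu, "dropped": dropped})
        if cooldown > 0:
            cooldown -= 1                       # rule is not evaluated during cooldown
        elif len(history) >= window and sum(history[-window:]) / window > threshold:
            instances += step                   # takes effect from the next minute
            cooldown = cooldown_minutes
    return results


def total_dropped(results: List[dict]) -> int:
    """Requests that exceeded capacity across the whole run."""
    return sum(r["dropped"] for r in results)


# Constructed profile: 20 minutes of organic traffic, then a sudden 60k req/min flood.
SPIKE = [4000] * 20 + [60000] * 20

if __name__ == "__main__":
    auto = simulate_autoscale(SPIKE)
    print("autoscale: dropped", total_dropped(auto), "final instances", auto[-1]["instances"])
    # The "throw money at it" approach: larger instances, pre-scaled, no rule needed.
    fixed = simulate_autoscale(SPIKE, per_instance_capacity=15000, instances=5)
    print("pre-scaled: dropped", total_dropped(fixed))
```

With these assumptions the first extra instance only appears at minute 27, seven minutes into the flood, because the 10 minute window still contains the quiet minutes that pull the average below the threshold; the second arrives ten minutes later, and by the time the spike ends the fleet has only reached four instances. Pre-scaling to enough capacity up front drops nothing, which is the trade the post describes making.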

Downtime on a service like this impacts confidence in a domain where trust and integrity are everything. Even mere minutes of downtime is unacceptable as far as I'm concerned and fortunately it was never more than short periods of time, but that was too much. Yes, it's a free service and it would have been a much more uncomfortable situation if I was charging money for it, but it's still a professionally run service and I wasn't willing to have downtime.

I fixed the problem in the immediate term by simply throwing money at it. I scaled up to Azure's S3 Standard App Service (what we used to know as a "large" web server) and then out to 5 of them and just left it there. It cost me money out of my own pocket, but fortunately I got a good number of donations from the Dropbox incident last week so it's only right to invest back into the service. That investment meant that even as the service continued being hammered on Saturday night, errors remained somewhat of a rarity:

That's just what I was seeing on the Azure end though and whilst it was regularly processing up to 70k requests a minute, there were other dropouts I identified via external monitoring services. Granted, they'd be mostly evident to whatever was hammering the service (which seems fair), but inevitably it was impacting legitimate users too. At the end of the day though, I have a fundamental problem with essentially paying to keep the system abusable and there were no guarantees the traffic wouldn't dramatically ramp up again either.

So I introduced the rate limit early. I didn't want to inconvenience any legitimate users who still needed the extra week, but even more than that I wanted to keep the service fast and reliable for the masses.

However, with the API no longer abusable in the same way, attention turned to simply hammering the root of the site with HTTP GET requests. For a good portion of today, the site received unprecedented levels of sustained traffic:

I did a bit of tuning at various points to be able to absorb the traffic, which is one of the reasons why there's a failure rate of less than one in a million requests. The external monitoring showed everything running reliably and the application responsiveness has also remained exactly where I'd like it to be:

But this traffic is no longer API abuse, it's an attempted DDoS. There is absolutely no value in the responses that are returned by making GET requests to the root of the website beyond the satisfaction gained by the adversary if they're able to impact service continuity. I can only speculate that it's frustration being vented at no longer having unbridled access to the API and I understand that - clearly it was very useful to someone in unlimited form. Equally, I hope they can understand why leaving it unlimited was no longer tenable for me.

So that's why the rate limit was brought in early, to ensure I can keep running the service reliably, cost effectively and ethically. I've always been as transparent as possible with how HIBP runs and cases like this are no exception. I've been connecting with people potentially impacted by the limit over the last few weeks and moving the timeline forward should have little to no impact on the ethical users of the system. If it does though, please contact me and I'll make sure I support legitimate use cases to continue using the service in a responsible way.

And lastly, I will write more about the things I've learned from this experience and I'm already dropping a lot of detail into a draft blog post. For now though, I'll keep things a little quiet on that front, but what I will say again is that those donations have been enormously helpful and have made it much easier for me to ensure the service stays up. If you'd like to help, the donations page lists some of the things I'd normally spend the money on (and I guarantee you, I do!) although for the next little while, assume it'll go to "The HIBP Anti-DDoS Fund".

Someone just lost 324k payment records, complete with CVVs

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post.

I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures there's a way of getting responses from the impacted organisation before it hits the interwebs. Every so often though, we all get left totally stumped as to what actually went on.

Such has been the case recently for a data breach that I'm highly confident is legitimate but nobody wants to "own". I've worked with a couple of different trusted journos who are very good at getting answers but have ultimately been unable to draw the saga to a conclusion, largely because neither of the parties I believe are involved believes the breach originated from them. So I'm just going to write about the whole thing here, lay the facts out as they stand then see if anyone wants to own it once the details are public.

It all began with this tweet a couple of months ago on 10 July:

This isn't an embedded tweet because it has since been deleted. However, that happened more than a month later which was plenty of time for people to access the alleged BlueSnap database on the Mega hosting service before that link was also disabled. I grabbed a copy of it for later review then headed off on travels, not returning to look at it properly until late August.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities. BlueSnap was founded in Israel back in 2001 where it was originally known as Plimus (both of these facts have later relevance I'll come back to). It was later acquired in 2011 for $115M and rebranded as BlueSnap which is both the present day trading name and the alleged source of the breach in 0x2Taylor's tweet.

Obviously the first thing anyone is going to do when verifying a data breach is look at the contents so here's what I found: The data is in a single file named "Bluesnap_324K_Payments.txt" and as the name suggests, it has 324,380 rows in it with a total of 105k unique email addresses. The first transaction is on 10 March 2014, the last on 20 May 2016. Each row appears to be a payment record which looks like this:

The grey obfuscation is personal information relating to a Have I been pwned (HIBP) subscriber who assisted me with the verification process. The red obfuscation is card data and the arrow points to the "security-code" field which is the CVV. This is the CVV too but again, I'll come back to that.

This is actually only a small portion of the row, in fact it's a mere 14% of the entire record. Every row begins with "0x2Taylor" and contains pipe delimited values along with the XML you see above. I've actually decoded a portion of this; the original file included encoding as follows:

\u003ccard-type\u003eVISA\u003c/card-type\u003e

Which decodes as follows:

<card-type>VISA</card-type>

This gives us a bit of a sense of where the data may have been used as the encoding could be used in the JavaScript context.

The other clue in the file here is the word "Plimus" which as you'll recall, was the name BlueSnap went by before 2011. That's two positive indicators of the source but they're also easily fabricated indicators and I wanted some hard facts. So I asked for them.

I've just passed 700k verified subscribers to HIBP, that is people who've come to the site, added their email address to the free notification service then received a confirmation email and clicked on the link to opt in. These are people who are interested in their exposure online, exactly the sort of exposure that this breach here has led to. What I do these days when I need to verify a data breach that's a bit harder than usual or is particularly sensitive is email some of the most recent HIBP subscribers who are in the alleged data breach and ask them if they're willing to assist in verifying the incident. When they respond (and it's always a positive response because they're naturally curious), I send them an email with questions along these lines:

  1. Do you live on [redacted]?
  2. Did you have a Visa card that expired in [redacted]?
  3. There is a purchase against your record from 2014-06-15 for the value of $160 USD; do you recognise the name beginning with "JCC-Maccabi-Games"? This is possibly the service you paid.
  4. This may be a harder one given the card has expired, but if you recall, did the CVV end with the number [redacted]?

Let's talk about that CVV for a moment. The Card Verification Value is an extremely important piece of data because it's used to verify the card in scenarios where it's not present, such as when making an online purchase. When the retailer requests the CVV, it means that even if someone has your card number and expiry, without that 3 or 4 digit code the data should be useless as far as making online purchases go. For example, if a database of transactions is leaked then so long as there's no CVV then the cards should be useless on any site that requests it (most do, Amazon is a notable exception to this). When the CVV is in the hands of a malicious party, the very mechanism that was put in place to protect consumers in "card not present" scenarios falls apart. PCI DSS is very clear about how the CVV (or CVV2 as it is these days) should be stored:

It shouldn't be stored and that's what makes this breach such a big issue. Violation of PCI DSS guidelines can lead to pretty serious fines and even loss of merchant facilities; the card providers take this very seriously. I take it seriously as well which is why I also asked HIBP subscribers to verify their CVV by providing me with an additional digit to avoid any confirmation bias (I didn't want them just answering "yes" to each of my questions). It checked out - this is the CVV.
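Two things from the discussion above lend themselves to a worked example: the `\u003c` escaping seen in the file, and the PCI DSS rule that the CVV must not be stored after authorisation. The following is an added example (not code from BlueSnap, Regpack or the post) that decodes a record in that escaped form, detects whether a stored record still carries sensitive authentication data, and shows the form a record should take before it is persisted, with the CVV dropped and the card number masked to the first six and last four digits that PCI DSS permits. The `card-type` and `security-code` element names come from the post; `card-number`, `expiration-date`, `track-data` and `pin-block` are assumed names, and the record itself is constructed around the standard Visa test number.

```python
import re
import xml.etree.ElementTree as ET

# Elements PCI DSS classes as sensitive authentication data, which must never be
# stored after authorisation. "security-code" is the name seen in the leaked
# rows; the other two are typical names used here as assumptions.
SENSITIVE_AUTH_DATA = ("security-code", "track-data", "pin-block")

# Constructed record in the \u003c-escaped form the leaked file used. card-type
# and security-code are from the post; card-number and expiration-date are
# assumed, and the PAN is the standard Visa test number.
ESCAPED_RECORD = (
    r"\u003ccard-type\u003eVISA\u003c/card-type\u003e"
    r"\u003ccard-number\u003e4111111111111111\u003c/card-number\u003e"
    r"\u003cexpiration-date\u003e07/2017\u003c/expiration-date\u003e"
    r"\u003csecurity-code\u003e123\u003c/security-code\u003e"
)


def decode_js_escapes(text: str) -> str:
    """Turn JavaScript-style \\uXXXX escapes back into the characters they encode."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS 3.3 allows."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def contains_sensitive_auth_data(xml_fragment: str) -> bool:
    """Detection check: does a stored record still carry a CVV or other SAD?"""
    root = ET.fromstring(f"<record>{xml_fragment}</record>")
    return any(next(root.iter(tag), None) is not None for tag in SENSITIVE_AUTH_DATA)


def sanitise_for_storage(xml_fragment: str) -> str:
    """Drop sensitive authentication data and mask the PAN before persisting."""
    root = ET.fromstring(f"<record>{xml_fragment}</record>")
    for tag in SENSITIVE_AUTH_DATA:
        for element in root.findall(tag):
            root.remove(element)
    pan = root.find("card-number")
    if pan is not None and pan.text:
        pan.text = mask_pan(pan.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    decoded = decode_js_escapes(ESCAPED_RECORD)
    print(decoded)
    print("stores CVV:", contains_sensitive_auth_data(decoded))
    print(sanitise_for_storage(decoded))
```

`contains_sensitive_auth_data` is the check to run over whatever your payment pipeline actually writes to disk or to a database; if it ever returns true on a persisted record, the CVV has leaked past authorisation and a file like the one in this story becomes possible. `sanitise_for_storage` is the shape a record should have by the time it reaches storage.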

I still wanted to be certain the transactions themselves were clear though but it was tricky to identify the actual source from the raw data alone. The one indicator of the source that was present in the file was an attribute named "soft-descriptor" which in the example above was "JCC-Maccabi-Games". I wondered initially whether this might just be a case of one particular site losing a bunch of data, that was until I aggregated the attribute and looked at the spread of records. In total, there were 899 unique values with the top 20 by prevalence appearing as follows:

  1. EntourageManageme : 6299
  2. regpackclients : 6084
  3. Kidventure : 3728
  4. METNY2015201 : 2660
  5. Group-RX-New-Camp : 2535
  6. Wild-Whatcom : 2453
  7. CampKeeTov2016 : 2232
  8. garinusa : 2178
  9. JCC-Maccabi-Games : 2163
  10. USY-Summer-Program : 2088
  11. AvaAndersonNonT : 2005
  12. National-College-T : 1986
  13. High-Sierra-Pools : 1919
  14. Dedicated-To-Learn : 1846
  15. METNY-2014-2015 : 1761
  16. Dedicated-to-Learn : 1717
  17. EastBaySPCA : 1700
  18. SanDomenicoSummerC : 1684
  19. SAEP : 1642
  20. USY-International : 1548

The record I was looking at was merely the 9th most common result, clearly there were many others involved too. But it still wasn't clear precisely what these websites were nor what was purchased from them. The answer to that lay further down in the data within a Plimus URL formatted as follows:

https://www.plimus.com/jsp/show_invoice.jsp?ref=[redacted]

As the URL suggests, this then takes you through to an online invoice like this:

There are many interesting things about the invoice, the first of which is that it obviously identifies BlueSnap quite clearly both by virtue of their brand and the Plimus URL. It also matches the individual's identity and address from the data breach file which goes a long way to establishing authenticity. Then we can see the website itself where the payment was made which is at jcca.org. The site has a donation page complete with a payment form:

As you can see, the logo clearly indicates that this is "Secure Credit Card Processing"...

There's nothing on the site or the structure of the payment form that indicates BlueSnap though and it looks as though the integration with the payment provider is done entirely on the server side without exposing that information publicly. But there was another piece of information on the invoice which didn't initially stand out at me and only later piqued my interest after another HIBP subscriber made this comment:

I still have the confirmation email (a Summer Camp). It referenced http://www.regpacks.com so that might be a possible source too.

Now this is interesting because the invoice in the earlier image refers to a support email address on the regpacks.com domain. Regpack offers a registration service and part of the feature set is this:

Receive payments during registration rather than post-registration

Dealing with payment info is serious business so they also offer some assurances as to their security position:

Another piece of relevant information on the Regpack website is a list of just a few of their customers, including JCC Maccabi Games:

Every single HIBP subscriber I contacted had an invoice referencing a Regpack email address for support. It was looking more and more like they were taking the registrations then passing them downstream to BlueSnap for payment processing. In fact, that's precisely what was happening and it was easily verified via a press release a few years ago:

Waltham, Mass.---April 2, 2013---BlueSnap™, the most flexible and advanced buying platform for online companies selling goods and services over the web and mobile, today announced that Regpack, a global online enrollment platform serving the private education industry, has selected BlueSnap to process the financial transactions for its online enrollments. Regpack integrates with BlueSnap’s flexible and advanced payments platform to provide a complete enrollment and payments solution for organizations such as private schools, camps, educational tourism, faith community organizations, seminars and professional conferences.

In that press release, the Regpack CEO goes on to say:

Moreover, BlueSnap’s strict security measures for online transactions mean that we can use BlueSnap to process payments and conduct business without going through the expense of becoming PCI-compliant level one on our own.

Now by this stage you'd think the whole thing was wrapped up; either Regpack or BlueSnap has had a data breach and leaked a few hundred thousand transactions replete with partial card data and CVVs. The problem is though, neither party believes the breach came from them. I worked with two separate journalists on this and they both had feedback from BlueSnap and Regpack suggesting another party was responsible. I also reached out to them both yesterday for comment and got this from BlueSnap:

Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation we confirmed that BlueSnap did not experience a system breach or any data loss.

And got this from Regpack:

As a preventive measure, we ran a full forensic investigation and it has concluded that there was no data breach on Regpack servers. In spite of that, we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved.

Personally, I see indicators implicating both of them. On those that point to BlueSnap losing the data, there's the name of the file itself and 0x2Taylor's original assertion that it came from them in the first place. The file wasn't named "Regpack_324K_Payments.txt", it was BlueSnap's name in there and whilst a file name alone is not proof of an incident, it's an indicator. Then there's the nature of the sites that were involved; when I checked with HIBP subscribers, we identified sources such as the Jewish Community Centers Association of North America mentioned above, Liberal Judaism and Passages America Israel. There were other non-Jewish organisations involved as well (such as the East Bay SPCA), but it's hard to ignore the coincidence that the organisation implicated in losing the card data has its origins in Israel and that so many of the websites using its services are Jewish ones. But then again, they all had Regpack support email addresses on them, so onto them...

Regpack's name is associated with every one of the HIBP subscribers I contacted. I'd expect that if BlueSnap was the source of the breach then we'd be seeing a mix of downstream consumers in the file, unless they store the data in such a way that Regpack's records are isolated from other customers and they alone got breached. Another indicator pointing to Regpack as the source of the incident is that per the statement above, they don't need to be PCI compliant and thus haven't gone through the rigour of audits. (Edit: I've put a strike through this because the CEO's comment was around level one PCI compliance. Regpack may be compliant with a lower level requiring less rigour.) Now by no means does merely being PCI compliant guarantee a breach won't happen, but when the transgressions are as egregious as storing the CVV, something is majorly amiss. And finally, "regpackclients" features as the second most common "soft-descriptor" in the earlier bulleted list with over 6k entries. That's slightly odd because there are many other descriptors which then have invoices referring to Regpack's email address for support, but it's yet another indicator of how heavily they feature in the data.

Now it's possible that the data has come from another unnamed party, but it's highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn't have been there. We've got 899 totally separate consumers of the Regpack service (so it's not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I'm missing a fundamental piece of the workflow (and I'm certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.

Lastly, just to absolutely, positively avoid any remaining doubt that this is a legitimate data breach, let me share a collection of responses from HIBP subscribers (note also the responses regarding the CVV):

Address is correct and yes I did have a card that expired in 2014

That all seems right

Yes, that information is correct

I had a Visa card ending in 10 and I am pretty sure it expired in 2013

Yes, we do have a visa that expires in 2020, and yes the CVV ends in 8

This is genuine information that you have provided

I don’t know how they got the CVV either

So that's where it stands at the moment - it's highly likely that either BlueSnap or Regpack lost the data - but frankly, I'm more concerned about those who have their info floating around the web which includes:

  1. Names
  2. Physical addresses
  3. Email addresses
  4. IP Addresses
  5. Phone numbers
  6. Last 4 digits of their credit cards (remember, this is identity verification data and it's enormously useful for hijacking accounts)
  7. CVV
  8. Online invoices which then include details of their purchases

These people need to know that their data was posted publicly to Twitter and none of us have any idea how many people now have it. They need to cancel impacted cards (full card data wasn't leaked, but refer to the link above re partial data being used to hijack accounts) and be aware that their personal info has been exposed. The sites using these facilities also need to be notified because they're the ones that have the relationship with the customers. This requires the cooperation of BlueSnap and Regpack, the former of which is still hosting those invoices publicly on the plimus.com domain where anyone who has the invoice numbers from the breach can simply enumerate them and pull down even more personal data. It may not be a pleasant experience for them, but they need to step up and take responsibility.
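The invoice exposure described above is a classic sequential-identifier problem: if invoice numbers are predictable and the page needs no authentication, every number leaked in the breach becomes a lookup key for more personal data. On the defensive side, that kind of walk through the ID space is visible in ordinary web server logs. The following is an added example (not code from the original post, and not anything BlueSnap or Regpack run) that parses combined-format access log lines and flags clients requesting many distinct, consecutive invoice IDs. The `/invoice/<number>` path, the documentation-range IP addresses, the thresholds and the log lines themselves are all constructed assumptions for the example.

```python
"""Detect sequential invoice-ID enumeration in web server access logs.

Added example for illustration only; the log format, path layout and
thresholds are assumptions, and the sample lines below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in Apache/Nginx "combined" log format.
# 203.0.113.7 walks invoice IDs one after another (and hits a 404 at the end);
# the other two clients look like customers viewing their own invoices.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2016:10:00:01 +0000] "GET /invoice/100234 HTTP/1.1" 200 4120 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:02 +0000] "GET /invoice/100235 HTTP/1.1" 200 4101 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:02 +0000] "GET /invoice/100236 HTTP/1.1" 200 4099 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:03 +0000] "GET /invoice/100237 HTTP/1.1" 200 4133 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:03 +0000] "GET /invoice/100238 HTTP/1.1" 200 4087 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:04 +0000] "GET /invoice/100239 HTTP/1.1" 200 4112 "-" "curl/7.47.0"
203.0.113.7 - - [29/Aug/2016:10:00:04 +0000] "GET /invoice/100240 HTTP/1.1" 404 512 "-" "curl/7.47.0"
198.51.100.22 - - [29/Aug/2016:10:00:05 +0000] "GET /invoice/100771 HTTP/1.1" 200 4090 "https://example.org/checkout" "Mozilla/5.0"
198.51.100.22 - - [29/Aug/2016:10:00:06 +0000] "GET /css/site.css HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.22 - - [29/Aug/2016:10:03:20 +0000] "GET /invoice/100771 HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Aug/2016:10:05:00 +0000] "GET /invoice/100300 HTTP/1.1" 200 4077 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Aug/2016:10:09:41 +0000] "GET /invoice/100305 HTTP/1.1" 200 4140 "-" "Mozilla/5.0"
"""

# Client IP, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed invoice URL layout: a bare numeric identifier after /invoice/.
INVOICE_RE = re.compile(r"^/invoice/(?P<id>\d+)$")


def parse_invoice_hits(log_text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Map each client IP to the (invoice_id, status) pairs it requested."""
    hits: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        inv = INVOICE_RE.match(m.group("path"))
        if not inv:
            continue  # only invoice lookups are of interest here
        hits[m.group("ip")].append((int(inv.group("id")), int(m.group("status"))))
    return dict(hits)


def longest_consecutive_run(ids: List[int]) -> int:
    """Length of the longest run of consecutive integers among the distinct IDs."""
    distinct = sorted(set(ids))
    best = run = 1 if distinct else 0
    for prev, cur in zip(distinct, distinct[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(hits: Dict[str, List[Tuple[int, int]]],
                     min_distinct: int = 5,
                     min_run: int = 5) -> List[Tuple[str, int, int, int]]:
    """Return (ip, distinct_ids, longest_run, not_found_count) for clients whose
    pattern looks like walking the ID space rather than viewing their own invoice.

    A genuine customer touches one or two invoice IDs; a scraper touches many,
    often consecutively, and tends to rack up 404s for IDs that do not exist.
    The thresholds are assumptions and should be tuned to the site's traffic.
    """
    flagged = []
    for ip, pairs in hits.items():
        ids = [invoice_id for invoice_id, _ in pairs]
        distinct = len(set(ids))
        run = longest_consecutive_run(ids)
        not_found = sum(1 for _, status in pairs if status == 404)
        if distinct >= min_distinct and run >= min_run:
            flagged.append((ip, distinct, run, not_found))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    for ip, distinct, run, not_found in flag_enumerators(parse_invoice_hits(SAMPLE_LOG)):
        print(f"{ip}: {distinct} distinct invoice IDs, longest consecutive run {run}, {not_found} x 404")
```

Detection is the fallback, not the fix: invoice pages should require the customer to be authenticated, and links sent by email should carry a long random token rather than a sequential number, so that a leaked invoice number on its own is worthless to whoever holds the breach file.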

I've now loaded all 105k email addresses into HIBP so if you think you may have been impacted, you can search for your address on the site. I've indicated that it's a BlueSnap breach and linked through to this post simply because that's the name it was represented as but will change that if it's determined otherwise. Right now the priority should be supporting those whose personal data has been disclosed and attribution can follow later.

Update 1 (12 hours later): I've had further feedback from BlueSnap who remain adamant the data hasn't come from them and have issued the statement below to their merchants. I've asked point-blank if they believe Regpack is the source of the breach and will post an update here if there's any feedback I can share. As yet, I don't believe the individuals in the breach whose data is being publicly circulated have been notified by either party.

[Image: BlueSnap's statement to its merchants]

Update 2 (24 hours after initial post): There's been a lot of discussion on this incident both in the comments below and via email. A number of people have said they've reached out to Regpack and received responses indicating that they weren't the source of the breach and offering little support beyond that. I want to reiterate a few immutable facts:

  1. The data in the breach is legitimate and contains personal information
  2. There are hundreds of thousands of transactions out in the wild including details on over 100k customers
  3. The data contains the last four digits of the card which are frequently used for identity verification purposes
  4. The data contains the CVV which should never have been stored by anyone
  5. BlueSnap has known about the incident since at least the 21st of August
  6. Regpack has known about the incident since at least the 26th of August
  7. Websites that had customer data exposed were using the services of Regpack
  8. Regpack may not have lost the data, but they're accountable to their customers which means the sites using their service
  9. As yet, to the best of my knowledge, those impacted in the data breach have not been notified and that includes both websites using Regpack and customers who made purchases
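Points 3 and 4 above are the ones a defender can actually test for before a file like this ever leaves the building: last-four digits may be retained, but a CVV must not be stored after authorisation, and a full card number should never sit in cleartext in an analysis export. As an added example (not code from the original post, and not anything Regpack or BlueSnap run), here is a small scanner over a CSV export that flags columns holding a stored CVV, a full card number (identified by the Luhn check rather than by column name), or last-four digits. The column names, the rows and the Visa test number in them are constructed for the example.

```python
"""Flag card data that should not be sitting in a CSV export.

Added example for illustration only; the export below is constructed and the
column names are assumptions, not the layout of the breached file.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed export. 4111111111111111 is the well-known Visa test number.
SAMPLE_EXPORT = """\
transaction_id,email,card_number,card_last4,cvv,expiry,amount
10001,alice@example.com,,4242,123,2020-01,49.00
10002,bob@example.com,4111111111111111,1111,812,2013-06,120.00
10003,carol@example.com,,0010,,2014-11,15.50
"""

# Column names commonly used for the card security code.
CVV_HEADER_RE = re.compile(r"(cvv2?|cvc|security[_ ]?code)", re.I)
LAST4_HEADER_RE = re.compile(r"last[_ ]?4", re.I)
CVV_VALUE_RE = re.compile(r"\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """True if the string is a 13-19 digit number with a valid Luhn check digit."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_export(csv_text: str) -> List[Tuple[str, str, int]]:
    """Return (column, finding, value_count) for each column holding card data.

    Findings:
      stored_cvv  - a security-code column with populated 3-4 digit values;
                    storing this after authorisation is prohibited by PCI DSS
      full_pan    - values that pass the Luhn check at card-number length
      last4       - permitted to store, but it is identity-verification data
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = reader.fieldnames or []
    values: Dict[str, List[str]] = {c: [] for c in columns}
    for row in reader:
        for c in columns:
            v = (row.get(c) or "").strip()
            if v:                       # empty cells are not findings
                values[c].append(v)

    findings: List[Tuple[str, str, int]] = []
    for c in columns:
        vals = values[c]
        cvv_like = [v for v in vals if CVV_VALUE_RE.fullmatch(v)]
        if CVV_HEADER_RE.search(c) and cvv_like:
            findings.append((c, "stored_cvv", len(cvv_like)))
        pans = [v for v in vals if luhn_ok(v)]
        if pans:
            findings.append((c, "full_pan", len(pans)))
        elif LAST4_HEADER_RE.search(c) and vals:
            findings.append((c, "last4", len(vals)))
    return findings


if __name__ == "__main__":
    for column, finding, count in scan_export(SAMPLE_EXPORT):
        print(f"{column}: {finding} ({count} populated values)")
```

Running this over files before they are copied to any shared or web-facing location turns "the CVV should never have been stored" from a policy statement into a check that fails loudly; the Luhn test catches card numbers even when a column is innocuously named, while a CVV can only be recognised by its column name, which is why the header patterns need to be extended to whatever naming a given system uses.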

Given there's still no resolution to this and neither BlueSnap nor Regpack believe they're responsible, I'm listing all 899 "soft-descriptor" values below complete with the number of transactions each has in descending order (these are the websites using the Regpack service). If your site is amongst that list and you're concerned for your customers, contact the organisation you sent the transaction to as they're the party you have the relationship with and entrusted with the data.

  1. EntourageManageme : 6299
  2. regpackclients : 6084
  3. Kidventure : 3728
  4. METNY2015201 : 2660
  5. Group-RX-New-Camp : 2535
  6. Wild-Whatcom : 2453
  7. CampKeeTov2016 : 2232
  8. garinusa : 2178
  9. JCC-Maccabi-Games : 2163
  10. USY-Summer-Program : 2088
  11. AvaAndersonNonT : 2005
  12. National-College-T : 1986
  13. High-Sierra-Pools : 1919
  14. Dedicated-To-Learn : 1846
  15. METNY-2014-2015 : 1761
  16. Dedicated-to-Learn : 1717
  17. EastBaySPCA : 1700
  18. SanDomenicoSummerC : 1684
  19. SAEP : 1642
  20. USY-International : 1548
  21. ssoregistration : 1479
  22. WildWhatcom : 1475
  23. yjevents : 1403
  24. CampKeeTov2015 : 1397
  25. Pantano-Christian : 1377
  26. TAPROOTNATUREEXPER : 1232
  27. aardvarkisrael : 1224
  28. Jackson-Sports-Aca : 1203
  29. DBatMustangs : 1151
  30. Mda-Israel-Program : 1148
  31. JacksonSportsAcade : 1121
  32. MissionBaySport : 1064
  33. PantanoChristian : 1058
  34. ElDoradoMusical : 1032
  35. CWRU : 1023
  36. USYSummerProgram : 1004
  37. DanceTheatre : 967
  38. ServeCamp : 965
  39. Saint-Helens-scho : 927
  40. BrightMindsYouth : 924
  41. Northwest-Hydroele : 922
  42. CreativeAction : 910
  43. shevettapuach : 872
  44. Young-Judaea-Year : 866
  45. ArtTime : 864
  46. USYInternational : 860
  47. SAEP2016 : 856
  48. Matthew13Catholi : 852
  49. North-Texas-Confer : 817
  50. real-life-summer-c : 799
  51. Hanegev2015-2016 : 799
  52. Camp-Kee-Tov-2014 : 786
  53. Shasta-Community-C : 777
  54. METNY : 773
  55. ReggaeRunnerz : 767
  56. Seaboard2015 : 742
  57. DANCE411 : 740
  58. OPEF2016SummerB : 736
  59. Gilbert-High-Schoo : 725
  60. L3X : 721
  61. D2L2016-Walnut : 721
  62. ShastaCommunityC : 704
  63. ArizonaScienceCe : 701
  64. MagnificatHighSc : 689
  65. OPEF-BASE-Camp-201 : 674
  66. grinnellcollege : 659
  67. D2L2016-Diamond : 655
  68. Hagalil20152 : 654
  69. HS-uniform-fees : 648
  70. El-Dorado-Musical : 648
  71. Saint-Helens-Schoo : 643
  72. artomatic : 639
  73. garin : 636
  74. WildfishRegistrat : 635
  75. ParksPlusCreatio : 625
  76. NorthTexasConfer : 625
  77. SAN-JOAQUIN : 617
  78. EMTZA-Staff-2014-2 : 614
  79. Hanegev-2014-2015 : 606
  80. teamworksdogtraini : 602
  81. CampCardiac : 602
  82. BergenCommunityC : 602
  83. American-Pavilion : 600
  84. tzofimcvk : 571
  85. Group-RX : 571
  86. BBYO-UK : 564
  87. YoungJudaeaYear : 562
  88. MdaIsraelProgram : 558
  89. Juneau-Dance-Theat : 557
  90. BASE-Camp-2014 : 548
  91. VISnet-2014 : 539
  92. Stonewall-Columbus : 536
  93. camp-liberty : 536
  94. LaurensKids : 532
  95. WesternSocietyfo : 528
  96. iedesign : 525
  97. wujs : 503
  98. camp-liberty2016 : 494
  99. LimmudNY2016 : 482
  100. visnet : 480
  101. PENINSULACOLLEGE : 479
  102. CRUSY-2014-2015 : 479
  103. CourtsForKids : 479
  104. Saint Helen's scho : 479
  105. Field-Institute-of : 478
  106. Seaboard-2014-2015 : 475
  107. CampKeeTov2014 : 473
  108. EMTZA2015-2016 : 472
  109. Master-Russian-pro : 469
  110. HighSierraPools : 463
  111. MuseumoftheBibl : 462
  112. 1870Farm : 460
  113. SummerCollegeTra : 460
  114. LIMMUDNY : 459
  115. DistrictVIICDA : 456
  116. USY-EMTZA : 442
  117. UniversityCitySwim : 439
  118. KidsCreativeAdve : 431
  119. Young-Judaea-Amiri : 430
  120. BACC-Camp : 427
  121. CHUSY2015-2016 : 427
  122. Young-Judaea-Summe : 420
  123. VISnet2014 : 410
  124. DoctorDevelopment : 399
  125. JCCMaccabiGames : 397
  126. METNY-2015-201 : 393
  127. SWUSY2015-2016 : 393
  128. nativ : 392
  129. CRUSY2015-2016 : 390
  130. BuildingMinds : 386
  131. Parks-Plus-Creatio : 383
  132. Kids-and-Culture-C : 379
  133. CHUSY-2014-2015 : 377
  134. Wild What : 374
  135. RockyMountainBir : 373
  136. SanDomenicoAfter : 372
  137. One-Love-Training : 371
  138. SaintHelensSchoo : 370
  139. Needham-Millis-Dan : 369
  140. Songleader-Boot-Ca : 368
  141. 3CrossesCamp2016 : 359
  142. Southwest-District : 358
  143. FZYTour2016 : 356
  144. JCCMaccabi2016- : 355
  145. JTerm : 351
  146. Nevada-City-CA : 350
  147. ibc : 349
  148. NERUSY201520 : 344
  149. XavierHighSchool : 343
  150. JewishBookCounci : 338
  151. Jivamukti-Yoga-Wil : 337
  152. FOOTSTEPSFORFERTIL : 334
  153. Dance411Rental : 332
  154. NewFrontier2015- : 332
  155. SaintHelensBaske : 328
  156. CampGideon : 327
  157. NORTHERNMOVEME : 326
  158. Camp-Eagle : 326
  159. RythersAspiringY : 322
  160. DBatsHSuniform : 320
  161. Hagesher2015 : 318
  162. XavieriPadSale : 316
  163. IASSIST : 312
  164. CH-USY : 310
  165. SummerShowoffs : 310
  166. Hope-Girls-Basketb : 308
  167. Jewish-Book-Counci : 306
  168. USYKadimamember : 305
  169. USY International : 305
  170. Newton-Inspires-20 : 300
  171. regpack_clients : 299
  172. CampTaylorHearts : 298
  173. Hagesher-2014-2015 : 297
  174. Soccerstlmo : 297
  175. Jivamukti-Yoga-New : 295
  176. DramaLearningof : 285
  177. Southeast-Student : 282
  178. homeschoolcampus : 281
  179. SWUSY-2014-2015 : 275
  180. Northwest-Technica : 274
  181. FZYTour : 272
  182. OurLadyofGoodC : 272
  183. Hagalil-2014-2015 : 270
  184. BACCCamp : 264
  185. 3Crosses-Camp : 262
  186. Israel Reform Move : 262
  187. NorthwestTechnica : 260
  188. WashingtonIrving : 257
  189. ColoradoEducation : 257
  190. COMMUNITYOFCHRIST : 256
  191. Grace-North-Church : 254
  192. SCRA Group Lessons : 254
  193. EmersonWaldorfSc : 253
  194. mmea : 251
  195. Bali-Institute : 245
  196. Menlo-Park-Legends : 244
  197. ACSportsAcademy : 244
  198. Art-Time : 243
  199. WildernessExperie : 243
  200. Ramah-2015-Summer : 236
  201. Sway-Youth-Enrichm : 235
  202. Hi-Tech-Learning : 232
  203. CAConsultingLLC : 232
  204. Camp-Taylor-Hearts : 230
  205. Israel-Reform-Move : 229
  206. SW-USY : 227
  207. OurLadyMotherofthe : 226
  208. WMtrainingandevent : 225
  209. Liberal-Judaism-Ev : 224
  210. YJyearroundreg : 224
  211. NewHeights : 224
  212. greenedventures : 223
  213. JuneauDanceTheat : 223
  214. nyoda : 221
  215. TurtleHillEvents : 220
  216. IslamicWeekendSc : 219
  217. WildfishTheatreS : 216
  218. FZY-Tour-2015 : 215
  219. SouthwestDistrict : 215
  220. CuyahogaValleyCh : 213
  221. PortCityCommunit : 208
  222. Southern-Connectic : 206
  223. PooleofFineArts : 206
  224. Cuyahoga-Valley-Ch : 205
  225. Hi-TechLearning : 205
  226. Group RX : 205
  227. SCRA Private lesso : 204
  228. Northern-Movement : 203
  229. GroupRXNewCamp : 203
  230. FreestyleLanguage : 203
  231. HitchcockCenterF : 199
  232. New-Frontier-2014- : 198
  233. FieldInstituteof : 194
  234. GilbertHighSchoo : 192
  235. D2L2016-Suzanne : 191
  236. CarolyneBarryAct : 190
  237. Mapleton City - Ra : 189
  238. Rye-PTA : 189
  239. FarWest2015-2016 : 189
  240. BBYOUK : 188
  241. IndianapolisBarA : 188
  242. Cycon : 186
  243. New-Heights : 186
  244. Soccerstlmo2016 : 186
  245. Klein-United-Metho : 185
  246. Walk-Your-Path-Wel : 184
  247. WingraBoatsSumme : 181
  248. Wildheart-Nature-S : 180
  249. Hope-Basketball-Ca : 179
  250. Camp-del-Corazon : 177
  251. Hitchcock-Center-F : 177
  252. Mt-Tabor-Summer-Ba : 177
  253. Tzafon201520 : 177
  254. USY-Pinwheel : 176
  255. Notre-Dame-of-Mt : 175
  256. TechSmart Kids : 175
  257. catesol-2016-san-d : 174
  258. OPEF-Build-Day-201 : 173
  259. LincolnSchoolPTO : 171
  260. USY-Leadership-Pro : 170
  261. CommunityEnvironm : 170
  262. Cambridge-EllisSc : 169
  263. WoodsHumaneSocie : 169
  264. BoysGirlsClubs : 168
  265. JesseHelmsCenter : 165
  266. YoungJudaeaSumme : 164
  267. CampEagle2016 : 164
  268. D2L2016-Chaparr : 164
  269. PIP : 163
  270. SCRA-Group-Lessons : 162
  271. MasaTlalim : 162
  272. Saint Helens Year : 162
  273. LighthouseForthe : 162
  274. catesol-2016-la-co : 162
  275. YoungJudaeaYearCou : 161
  276. Broadway-Bootcamp : 159
  277. YoungJudaeaAmiri : 159
  278. OCA2016Conventio : 158
  279. ConservativeYeshiv : 156
  280. OPEFBuild4Good : 156
  281. 2015-Camp-del-Cora : 155
  282. OPEF-Gadget-Day-20 : 155
  283. Galilean-Bible-Cam : 154
  284. l3x : 154
  285. EMS-and-Healthcare : 154
  286. SCRAGroupLessons : 153
  287. Camp-Gideon : 153
  288. marva : 151
  289. AnimalFriends : 151
  290. The-Circle-School : 149
  291. NERUSY-2014-2015 : 149
  292. Animal-Friends : 149
  293. BionRegionalSymp : 149
  294. Saint-Helens-Year : 147
  295. JYTT-India-2015 : 145
  296. Rosarian-Academy : 145
  297. Jivamukti-Yoga : 143
  298. WESLEYANCHURCH : 142
  299. yj_events : 141
  300. ccofSummer2016 : 141
  301. MarquardtSchoolD : 138
  302. TheHomeOwnership : 136
  303. 2016CampdelCora : 136
  304. RamahIsrael : 135
  305. Hudson-Valley-Rib : 135
  306. StonewallColumbus : 134
  307. Liberal-Judaism-Ca : 132
  308. SCRAPrivateLessons : 131
  309. AMHCA : 131
  310. NorthernMovement : 131
  311. NoamMasortiSummerc : 130
  312. SLBC2016 : 130
  313. Dance-411-Summer-2 : 128
  314. Pinwheel-2014-2015 : 128
  315. ZebrafishHusbandr : 128
  316. Master Russian pro : 126
  317. Camp-Moonlight : 125
  318. SCU : 125
  319. AWS-Detroit : 123
  320. OakHillMontessor : 121
  321. Tichon-Ramah-Yerus : 119
  322. HopeGirlsBasketb : 119
  323. EMS and Healthcare : 119
  324. Courts-For-Kids : 118
  325. DoulaTrainingsIn : 117
  326. ChoreographyFesti : 117
  327. Rocky-Mountain-Bir : 116
  328. LiberalJudaismCa : 116
  329. knowledgecrossingb : 116
  330. RosarianAcademyS : 116
  331. McCallum-Theatres : 115
  332. Camp-Sunrise : 115
  333. HVRF2016 : 115
  334. BethEl5776 : 114
  335. TK20 : 113
  336. Camp-Gan-Israel- : 112
  337. KeystoneDiabetic : 112
  338. JYTT-Costa-Rica-20 : 111
  339. Canterbury-School : 110
  340. OmiInternational : 110
  341. TheIndependentSc : 110
  342. catesol-2016-north : 110
  343. BroadwayBootcamp : 107
  344. Dance411Staff : 107
  345. USPostalService : 107
  346. BLax : 107
  347. CEF-of-Fargo-and-M : 105
  348. EPA20152016 : 105
  349. BYP100 : 104
  350. Tzafon-2014-2015 : 103
  351. FICEAustria : 102
  352. YoungJudaeaWUJS : 101
  353. HooglandCenterFo : 101
  354. Hanefesh2015 : 100
  355. SlowFoodNewOrle : 100
  356. camp_gan_israel : 96
  357. Dance-411-Staff : 95
  358. ISL Futbol : 95
  359. PlaycreationsKids : 95
  360. BeachesEpiscopal : 95
  361. EPA-2014-2015 : 94
  362. MasterRussianpro : 94
  363. Mda Israel Program : 93
  364. ZestfulGardens : 93
  365. SCRA-Private-lesso : 92
  366. CanterburySchool : 92
  367. Village-Academy : 90
  368. HPCS2016 : 90
  369. YoungCodersAcade : 89
  370. VistaSchoolingan : 89
  371. NewNebConference : 88
  372. 3CrossesCamp : 88
  373. PacificIntegral : 88
  374. Pinwheel2015-2016 : 88
  375. Beth-El-School-Reg : 86
  376. Doula-Trainings-In : 85
  377. USYLeadershipPro : 85
  378. Ramah-2014-Summer : 84
  379. TheRingBoxingCl : 83
  380. EvolveVolleyball : 83
  381. Dance 411 Camp : 83
  382. Ramah2016Summer : 81
  383. Hope Girls Basketb : 81
  384. Bios : 81
  385. SpartanburgDaySc : 81
  386. Hanefesh-2014-2015 : 80
  387. CASFM : 79
  388. Winterblast : 78
  389. MtTaborSummerM : 78
  390. Snider-Mountain-Ra : 76
  391. NotreDameofMt : 76
  392. Db-Skim-Camp : 75
  393. BethElSchoolReg : 75
  394. JYTTINDIA2016 : 75
  395. GraceNorthFamily : 75
  396. TheChurchofthe : 75
  397. Mars-Global-Summit : 74
  398. PensionPro-Confere : 74
  399. Seaboard-2015- : 74
  400. itf_ie : 74
  401. NeedhamMillisDan : 72
  402. goodwillevents : 71
  403. Sway Youth Enrichm : 71
  404. AUJS : 70
  405. PacificIntegralR : 70
  406. CollegePrepCamp : 70
  407. GloucesterCommuni : 70
  408. BaliInstitute : 69
  409. JYTTCOSTARICA20 : 69
  410. Race-Corps : 68
  411. Maase-Olam-ITF : 68
  412. CampMoonlight201 : 68
  413. Dance-Versity : 67
  414. WAM : 67
  415. NationalAssociati : 67
  416. BBYO UK : 66
  417. YoungJudaeaCLIP : 66
  418. GCBC-Guelph-Comm : 65
  419. Overflow-Prophetic : 65
  420. BASECampArboretu : 65
  421. UtahSuzukiHarpI : 65
  422. RamahIsraelInsti : 64
  423. San-Domenico-After : 62
  424. Mobile-Bay-Sailing : 62
  425. WildheartNatureS : 62
  426. mda : 62
  427. OaklandInterfaith : 62
  428. NorthwestHydroele : 61
  429. AC-Sports-Academy : 59
  430. CampEagle : 59
  431. VillageAcademy : 59
  432. SleepTreatmentCo : 59
  433. Great-Lakes-Econom : 57
  434. The Circle School : 57
  435. SCAMedicalMissio : 57
  436. luselandbiblecamp : 56
  437. TheCircleSchool : 56
  438. MaaseOlamITF : 56
  439. Aspire Soccer Camp : 56
  440. USY-ECRUSY : 56
  441. USY Leadership Pro : 55
  442. Ramah-Jerusalem-Da : 54
  443. CollegiateWomens : 54
  444. TichonRamahYerus : 54
  445. Mabee-GerrerMuseu : 54
  446. PACEApplication2 : 54
  447. YoungJudaeaShalem2 : 53
  448. Northeast Epi Conf : 53
  449. american_sokol : 52
  450. CampCardiacNeuro : 52
  451. Temple Bnai Jeshur : 51
  452. SacredHeart-Shi : 51
  453. Lipkin-Tours : 50
  454. Hagalil-2015-2 : 50
  455. GalileanBibleCam : 50
  456. Camp-Gailor-Maxon : 49
  457. GarinTzabar : 49
  458. 2020-Technologies : 48
  459. HopeBoysBasketba : 48
  460. TzabarPolin : 47
  461. SpokaneINWAPSI : 47
  462. St-Andrews-Bay-Ya : 46
  463. OPAConvention2016 : 46
  464. CorpusChristiChu : 45
  465. DanceVersity : 45
  466. USYAlumni : 45
  467. IxlAcademy : 44
  468. TheFoodBusiness : 44
  469. WISEFORESTPRE : 43
  470. Camp-Experience : 43
  471. Liberal Judaism Ca : 43
  472. SantaMonicaLittleL : 41
  473. Willow-Springs-Cam : 41
  474. ScruplesSymposium : 41
  475. WestSideStudio : 41
  476. CEF of Fargo and M : 41
  477. Brian Jordan Camps : 41
  478. LagniappeAssociat : 41
  479. CrestmontCamp : 41
  480. RAMAHISRAEL : 40
  481. Ramah-Israel-Insti : 40
  482. Ixl-Academy : 40
  483. Friendship-Caravan : 39
  484. PACE-Application-2 : 38
  485. ierimon : 38
  486. The-Food-Business : 38
  487. Game-On-Sports : 38
  488. Vermont Infectious : 38
  489. CH USY : 38
  490. ktantanim : 37
  491. Crosslink-Meadows : 37
  492. MBP EA Conference : 37
  493. Young-Judaea-Shale : 36
  494. LFFPPeaceLeadersPr : 36
  495. KidsandCultureC : 36
  496. ForestHillsField : 36
  497. Pioneers Camp : 36
  498. Maase Olam ITF : 36
  499. WalkYourPathWel : 35
  500. CampKeeTov2013 : 35
  501. USY Summer Program : 35
  502. Northeast-Epi-Conf : 34
  503. Christ-Church : 34
  504. WomenWorkinginC : 34
  505. Clubcorp : 34
  506. Hagesher-2015- : 33
  507. garin_usa : 33
  508. CadillacLaSalleClu : 33
  509. CHUSYAnnualBenef : 33
  510. FZY-Camp-2015 : 32
  511. Collegiate-Womens : 32
  512. goodwillslp : 32
  513. YoungJudaeaOnwar : 32
  514. CSAKarateCamp : 32
  515. camp-yavneh : 31
  516. CEF2015 : 31
  517. IdeaCampRio : 31
  518. KarenPickettLMFT : 30
  519. ProyectoFeIntern : 30
  520. OPEF Base Camp 201 : 30
  521. ie_design : 30
  522. Kappa-Sigma-5k-Tro : 30
  523. SupportabilitiesF : 30
  524. Santa-Monica-Littl : 29
  525. Hope Basketball Ca : 29
  526. ClearconnectSolut : 29
  527. ALACCABibleCamp : 29
  528. NSTEP-Study-Buddy : 28
  529. Qverity : 28
  530. CampSunrise : 28
  531. HanegevStaff : 28
  532. campganisrael : 28
  533. CampWildcraft : 28
  534. HEICFellowsCours : 27
  535. TTS-Certification : 26
  536. Young-Judaea-Onwar : 26
  537. Onward-Israel-Gree : 26
  538. RosarianAcademy : 26
  539. StAndrewsBayYa : 26
  540. USY - EMTZA : 26
  541. Northfield-Confere : 26
  542. 1870Farm-Presch : 26
  543. SWUSY-Staff : 25
  544. MaaseOlam : 25
  545. ArtisticallyMe : 25
  546. Habitat for Humani : 24
  547. FZYKesher2016 : 24
  548. GoTechCamp : 24
  549. FreedomSchool : 24
  550. HarvesterChristia : 24
  551. shnatsherut : 23
  552. Santa Monica Littl : 23
  553. shevet_tapuach : 23
  554. Aspire-Soccer-Camp : 23
  555. OnwardIsraelGree : 23
  556. StrongwaterSwim : 23
  557. Camp-KidsTown : 22
  558. SWAMIVIVEKANANDA : 22
  559. ACNM : 22
  560. Kenosee-Lake-Bible : 22
  561. DbSkimCamp : 22
  562. TheWordChurch : 22
  563. EnvironmentalVolu : 22
  564. ACNM2016 : 22
  565. AnimatheForumF : 22
  566. JYTT-Germany-2015 : 21
  567. Prepare-Yourself-C : 21
  568. GraceNorthChurch : 21
  569. MtTaborSummerBa : 21
  570. RamahJerusalemDa : 21
  571. LimmudFest2016 : 21
  572. SW USY : 20
  573. Tichon Ramah Yerus : 20
  574. Vermont-Infectious : 20
  575. GOTS2016 : 20
  576. AWSDetroitLadies : 20
  577. AllenAcademy : 20
  578. TTSCertification : 19
  579. NewtonInspires20 : 19
  580. Dance Versity : 19
  581. Splash Bartow 2013 : 19
  582. USY Pinwheel : 19
  583. TechSmart-Kids : 19
  584. goodwilledp : 19
  585. ComposedEssays : 19
  586. Sewickley-Academy : 18
  587. HudsonValleyRib : 18
  588. American Pavilion : 18
  589. YoungJudaeaSummerP : 18
  590. ATSuccessLondonS : 18
  591. fzycamp : 17
  592. WholisticLearning : 17
  593. Shalomlearning : 17
  594. Artstream : 17
  595. METNY2016201 : 17
  596. USY-EMTZA-Staff : 16
  597. GCBCBOATING : 16
  598. Veida : 16
  599. Tzafon-2015-20 : 16
  600. 2015CampdelCora : 16
  601. CampMoonlight : 16
  602. JYTTGermany2015 : 16
  603. SWUSYStaff : 16
  604. YoungJudaeaAmirim2 : 16
  605. Dance411Camp : 16
  606. Baden-PowellNorth : 16
  607. GrowAGeneration : 16
  608. Hanegev-Staff : 15
  609. NERUSY-2015-20 : 15
  610. USY - ECRUSY : 15
  611. FZY-Year-Course-20 : 14
  612. Pacific-Integral : 14
  613. CrosslinkMeadows : 14
  614. MobileBaySailing : 14
  615. FZYYearCourse20 : 14
  616. Ramah 2014 Summer : 14
  617. FZYVeida2016 : 14
  618. International-Law : 13
  619. FZY-Events : 13
  620. PBC-Church-Registr : 13
  621. PensionProConfere : 13
  622. EMTZAStaff : 13
  623. Songleader Boot Ca : 13
  624. JH Ranch - Decembe : 13
  625. OneLoveTraining : 12
  626. GameOnSports : 12
  627. tzofim_cvk : 12
  628. YoungJudaeaFood : 12
  629. WorldLanguagePro : 12
  630. itfie : 11
  631. Customer-Love : 11
  632. COLLEGECERT : 11
  633. PBC-Camp-Registrat : 11
  634. CEFofFargoandM : 11
  635. FriendshipCaravan : 11
  636. JH-Ranch-Decembe : 11
  637. SacredHeart-Cam : 11
  638. CampGideon-Volu : 10
  639. betar-wingate : 10
  640. CampLookout : 10
  641. CoachTBasketball : 10
  642. Pinwheel-2013-2014 : 9
  643. GTO : 9
  644. InSync Volleyball : 9
  645. ChelseaYachtClub : 9
  646. fzyyearcourse : 8
  647. KolAmi : 8
  648. Hanegev-Staff-2014 : 8
  649. Hanefesh-2015- : 8
  650. IXLAcademy2016 : 8
  651. TheSchoolofBasketb : 7
  652. SWUSY-Staff-2014-2 : 7
  653. BIGR-AU : 7
  654. Muscolo-Meat-Acade : 7
  655. Zebrafish-Husbandr : 7
  656. SouthernConnectic : 7
  657. AFSIntercultural : 7
  658. MDP : 7
  659. IsraelTeenFellow : 7
  660. catesol-2016-annua : 7
  661. FZY-H-2013 : 6
  662. Summer-College-Tra : 6
  663. EMTZA-2015-2016 : 6
  664. NationalCollegeT : 6
  665. SummerAdultTrips : 6
  666. green_edventures : 6
  667. CrystalaireAdvent : 6
  668. HolidayShow-Offs : 6
  669. Sportstyme-Jupit : 6
  670. GO-ART-BOX : 5
  671. EPA-2015-2016 : 5
  672. SWUSY-2015-2016 : 5
  673. AutomicUniversity : 5
  674. IslamicAssociatio : 5
  675. fzy_camp : 5
  676. FZY H+ 2013 : 5
  677. Wild-What : 5
  678. ICCA-Membership-Du : 5
  679. Dbat-Mustangs-HS : 5
  680. FamilySystemSpo : 5
  681. GloucesterCounty : 5
  682. cwa : 5
  683. Camp-Gideon-Volu : 4
  684. PBCCampRegistrat : 4
  685. Dbat Mustangs - HS : 4
  686. fzy_yearcourse : 4
  687. ramah_high_school : 4
  688. SummerDelegation : 4
  689. FZYHadrachaPlus : 4
  690. KingdomWorkersSp : 4
  691. RaMessut : 4
  692. Click-Connect : 3
  693. Summer-Delegation : 3
  694. EMTZA-Staff : 3
  695. MassaFrance : 3
  696. PBCChurchRegistr : 3
  697. WiseYoungBuilder : 3
  698. IdaTeam : 3
  699. StaffordTechnical : 3
  700. shnat_sherut : 3
  701. Christ Church : 3
  702. Hagalil20162 : 3
  703. ATRRM : 3
  704. MissionSquash : 3
  705. Innovative-Academi : 2
  706. Bumble-ABC : 2
  707. A-Little-Culture : 2
  708. Noam-Masorti-Summe : 2
  709. YWCO : 2
  710. Keytana : 2
  711. CHUSY-2013-2014 : 2
  712. Wise-Young-Builder : 2
  713. Real-Life : 2
  714. 33rd-FICE-CONGRESS : 2
  715. Ramah2015Summer : 2
  716. OPEFBASECamp201 : 2
  717. FZYTour2015 : 2
  718. SportScienceFunS : 2
  719. Artomatic : 2
  720. yj_yearcourse : 2
  721. ramah_summer_semin : 2
  722. SplashBartow : 2
  723. l3x2012 : 2
  724. Rye PTA : 2
  725. israelchallenge : 2
  726. ienachshon : 2
  727. ramahhighschool : 2
  728. FortClarkston : 2
  729. UnitedSecurityTr : 2
  730. FZYKeytana2016 : 2
  731. SanFranciscoRecr : 2
  732. GrinnellCollege : 2
  733. HighroadConsultin : 2
  734. CertifiedSiteSaf : 2
  735. ChristsChurchof : 2
  736. AWSGolfOuting : 2
  737. JYCostaRicaAlumni : 1
  738. OURLADYMOTHER : 1
  739. ALASKA-NEW-MEDIA : 1
  740. ALASKATECHNICAL : 1
  741. COURTIER-INSPECT : 1
  742. N-DEPTH-RESP : 1
  743. Camp-Nyoda : 1
  744. L3X-2014 : 1
  745. COURT-SENTINEL : 1
  746. Central-Union-AS : 1
  747. Young-Judaea-Famil : 1
  748. Legacy-Soccer-Acad : 1
  749. Camp-Kee-Tov-2015 : 1
  750. SportScience-Fun-S : 1
  751. Stone-Mountain-Adv : 1
  752. newtoninspires20 : 1
  753. Stratford-Camp : 1
  754. AC-Flight-Lacros : 1
  755. ramahyouth : 1
  756. PBC-Individual-Reg : 1
  757. Camp-Liberty : 1
  758. The-Center-For-Wil : 1
  759. StemTree : 1
  760. Thinking-Outside-T : 1
  761. McCallum-Theatre : 1
  762. Ramah-2016-Summer : 1
  763. FPX-Conference : 1
  764. Einsteins-Workshop : 1
  765. Noahs-Ark-Zoo-and : 1
  766. Mr-D-Math : 1
  767. Western-Society-fo : 1
  768. Refreshing-Lives : 1
  769. River-City-FC : 1
  770. FZY-Hadracha-Plus : 1
  771. Palmetto-Engineeri : 1
  772. North-Georgia-Home : 1
  773. McCallum-Theatre-T : 1
  774. SLBC-2016 : 1
  775. Strongwater-Swim : 1
  776. Young-Coders-Acade : 1
  777. Hanegev-2015-2016 : 1
  778. CHUSY-2015-2016 : 1
  779. You-Give-It-We-Gr : 1
  780. Acts-World-Relief : 1
  781. Mindful-Leadership : 1
  782. Automic-University : 1
  783. Mabee-Gerrer-Museu : 1
  784. Child-Care-Council : 1
  785. FZYCamp2015 : 1
  786. CampGanIsrael- : 1
  787. USYMembership : 1
  788. WildfishTheatre : 1
  789. USYUploads : 1
  790. InternationalUSY : 1
  791. AmericanDanceIns : 1
  792. SewickleyAcademy : 1
  793. MuscoloMeatAcade : 1
  794. CRUSY2014-2015 : 1
  795. ECRUSY2015-2016 : 1
  796. OPEFBASECampFie : 1
  797. FortClarkton : 1
  798. CyliaHarrietFoun : 1
  799. JacobusConsulting : 1
  800. McCallumTheatreD : 1
  801. KidzNPlay : 1
  802. WestMetroFireRe : 1
  803. LifeSafetyDivisi : 1
  804. Ktantanim2015-201 : 1
  805. JDECRegistration : 1
  806. WMtrainingcenter : 1
  807. McCallumTheatres : 1
  808. TeamworksDogTrai : 1
  809. SouthwestVermont : 1
  810. MemphisTheologica : 1
  811. E-Rive : 1
  812. yj_summer : 1
  813. ie_rimon : 1
  814. israel_challenge : 1
  815. JH History Makers : 1
  816. LCFOilers : 1
  817. ICCA Conferences : 1
  818. Innovative Academi : 1
  819. yj_shalem : 1
  820. SWUSY Staff : 1
  821. L3X 2013 : 1
  822. shevettapuach2012 : 1
  823. College-Hockey-Exp : 1
  824. Student-Education : 1
  825. OPEF-Day-Camp-2013 : 1
  826. tigermma : 1
  827. Camp-Jano-India : 1
  828. Maccabi-games : 1
  829. Florida-Flyers : 1
  830. shevettapuach2014 : 1
  831. Artisul : 1
  832. DanceMissionYout : 1
  833. AWSDetroitChrist : 1
  834. WaynefleteInc : 1
  835. InternationalGlov : 1
  836. JacksonSportsAca : 1
  837. CATESOL2016Annua : 1
  838. AFA : 1
  839. Curtissandbox : 1
  840. CampRamahIsrael : 1
  841. CumberlandCounty : 1
  842. FZYWUJSSpring20 : 1
  843. FZYAmirim2016 : 1
  844. CampLiberty2016 : 1
  845. PilgrimCamp : 1
  846. Armed2Defend : 1
  847. HopeBasketballCa : 1
  848. WBRTR-Runners : 1
  849. WorldWarBrick : 1
  850. DistrictSummitRe : 1
  851. FreedomSchoolPar : 1
  852. LutheranChurchof : 1
  853. PanforkBaptistEn : 1
  854. CATESOL2016North : 1
  855. SantaClaraUniver : 1
  856. GalileanRetreat : 1
  857. Spokane-AVIDIns : 1
  858. TitanRobotics : 1
  859. KingdomWorkers : 1
  860. ArmedServicesYMC : 1
  861. CIS-HPCS : 1
  862. CaliforniaWorkfor : 1
  863. SkySummerCamp : 1
  864. CIS-CTS : 1
  865. TheBlackEconomic : 1
  866. Sportstyme-Welli : 1
  867. Sportstyme-Winte : 1
  868. CHUSY2016201 : 1
  869. CRUSY2016201 : 1
  870. Emtza2016201 : 1
  871. WUSY20162017 : 1
  872. VSSDance : 1
  873. EPAHagesher2016 : 1
  874. HanefeshNERUSY2 : 1
  875. HaNegev2016-201 : 1
  876. NewFrontier2016 : 1
  877. Pinwheel2016 : 1
  878. Seaboard2016 : 1
  879. Tzafon2016-2017 : 1
  880. WildfishTheatreJ : 1
  881. ProLevelTraining : 1
  882. MinnesotaMusicEd : 1
  883. FarWest2016 : 1
  884. GlobalWritersIns : 1
  885. KidsIntheGame : 1
  886. JumpStart : 1
  887. YoungJudaeaAlumn : 1
  888. KidVenture-Aftersc : 1
  889. SEFOF : 1
  890. McCallumTheatreT : 1
  891. MtCarmelMusicF : 1
  892. AWSDetroit : 1
  893. StoneMountainAdv : 1
  894. CampArrahWanna : 1
  895. CampSonburst : 1
  896. FrestaValley : 1
  897. KieslingAssociate : 1
  898. 2016-2017WinterB : 1
  899. Medinformatix : 1

Update 3 (a day and a half after initial post):

I've had further communication with both BlueSnap and Regpack since writing this post and the source of the data has now been identified as originating from Regpack. Let me share a statement from them here:

Further to the article Troy Hunt published both Regpack and BlueSnap have looked into the presented data loss. Reviewing the post by Troy Hunt assisted our engineers in reaching this conclusion: 

Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss. This was identified by our teams going back and reviewing some of the log files as indicated in the blog discussion post.  We have changed our approach to handling this data and are confident that this one-time mistake will not occur again.

To reiterate our security stance:

  1. The source of the data loss was a procedural human error.
  2. Neither Regpack nor BlueSnap had our systems breached. This has been confirmed by independent forensic experts retained by each company after the initial data loss. As a further security measure, Regpack has rebuilt all servers and run full security scans on the new servers.
  3. Both Regpack and BlueSnap have conducted thorough reviews of the environments and found that all systems are secure.
  4. Regpack and BlueSnap have updated all internal security procedures and processes to ensure that no data can leave internal environments. This will prevent the loss we saw in this case.

Regpack is notifying vendors whose customers were potentially affected so they can make the appropriate communications.

Obviously they now have various processes to go through including reaching out to impacted customers who will in turn need to contact their customers (the ones who made the purchases) and notify them of the data exposure. I've just updated HIBP to reflect the source of the data as being Regpack and adjusted the description accordingly.

If you run a website that uses Regpack services then you should hear from them directly. If you believe that your personal information was exposed then you should hear from the site you provided it to (yes, I know they didn't lose the data but that's the chain of relationships here).

Thank you to everyone who commented and provided input on this post, I'm glad the source has now been identified and steps can be taken to protect those who were exposed.

Here's how broken today's web will feel in Chrome's secure-by-default future

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting in browser warnings:

That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right.

But here's the really interesting bit - that's just the beginning because Google has a plan:

a long-term plan to mark all HTTP sites as non-secure

I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to "Mark non-secure origins as non-secure":

And then we'll do just that - flag them as non-secure. Now let's go browsing!

It's first thing in the morning, so we'll kick off with a bit of international news:

Ok, browser warning there so not that trustworthy. Tell you what - Jony Ive put me in an Apple trance during the keynote last week so let's go and check out the new shiny there:

Huh, warning there too, it could even be a fake Tim Cook since it's loaded over HTTP so better move on. I get accused of being a Microsoft apologist sometimes so we'll try them next:

Shit. Now I honestly expected them to load over HTTP and show a warning but since they redirect to HTTPS by default everything looks cool. This makes a different point though - this is what the new normal will be when the non-secure exodus kicks in. But you already know what a site loaded over HTTPS looks like anyway, let's go for a fly instead:

Dammit! Ok, big warning symbol there so that's no good. I'm sick of flying anyway, let's find a nice car:

Alright, that's it, definitely not buying a Ferrari via the browser now! But at least the warning symbol is red...

Maybe we'll set our sights a little lower and do some eBay shopping:

Right, not so good. At least our banks will be good, right? I mean they're the ones with the bank grade security:

It's one of the biggest banks in the country! Let's go bigger - let's grab one of the biggest in the world:

This is really disheartening, I'm gonna go straight to the Prime Minister and make my feelings known:

Well that's surprising, our government seemed to be so good at getting tech right too...

Not to worry, I reckon we can go even higher still, let's hit up the UN:

Huh. Is it possibly just that these sites don't know how to implement HTTPS? Let's go see if we can find some good guidance on that:

Alrighty then. Tell you what - let's go back to the site where I first read about Chrome's upcoming change last week:

This is obviously intended to be a bit tongue in cheek but here's the point: we are a very, very long way away from a "secure by default" web. Going HTTPS can be easy but it can also be a non-trivial exercise for the likes of Stack Overflow. We should all be going HTTPS only at the earliest opportunity, but the chances of seeing browsers do what they're doing in the screens above in 2017 are near zero and frankly, at this rate even 2018 is hard to see happening. What the January change does is move the needle just that little bit further around so that more sites use more SSL and better prepare the web for the inevitable transition described here.

And just for the sake of completeness, to save comments on things I've already covered: we're struggling to get traction with SSL because it's still a premium service, and no, Let's Encrypt is not a panacea to all our woes (as much as I love the idea); for many cases, CloudFlare will be an easier and more effective proposition.

I'm now offering sponsorship of this blog

I have a love-hate relationship with ads, whether they be on my blog or anywhere else for that matter. I get that they're a necessity for many news outlets to keep providing the free information that we all want, but I also can't stand the way advertising has descended into the sleazy, risky, slow and all-round negative experience it so frequently is today.

I've had ads on this blog for years and they've been provided by Developer Media who specialise in serving technology-centric ads of relevance to my audience. Over the years I've seen a lot of ads for products ranging from cloud services to security appliances. Occasionally, I've also seen ads for things like consumer headphones because unsold ad space ends up being resold to plug more generic products. I was seeing headphones because I was Googling for headphones so yes, there's the whole tracking thing too. A while back, people on iOS were complaining of redirections to the App Store in an attempt to have them download Clash of Clans because occasionally ad networks do screwy things like that too.

Ad networks can do screwy things with your traffic because whilst you think you might just be looking at an image on a page, you're not. For example, this Azure ad was adorning my blog at the time of writing:

Now I don't have a problem with the contents of the ad, but here's how it's embedded in the page:

Only the first highlighted div is the code I actually added to my blog template. When the Azure ad loads into my blog, you're not downloading a hyper-linked image, rather you're downloading an iframe with scripts from adsafeprotected.com which then has another iframe with stuff from atdmt.com (I don't even know who they are) and it all gets rendered into the browser. Sometimes. Other times people run ad blockers (particularly an audience like mine) and they see nothing, which I totally get. So we've got lots of extra stuff being loaded from places I don't control and many people block it outright anyway.

By now, many of you are probably thinking "has he really only just worked this out?!". No, but the problem is money: ads pay. A huge amount of time goes into writing my posts and a return on the effort is always welcome, particularly in my life as an independent where I have to carefully figure out how to prioritise my time. But whilst they pay, they also don't pay much and you need huge volumes of traffic to make much of an impact on cash flow. All of this together brings me to the point of the post: I'm offering sponsorship of this blog in place of the ads you see here at the time of writing.

It was Graham Cluley who got me thinking about this and his approach is as follows:

The sponsor is merely a row in the page banner. No iframes, no scripts, no trackers and no unknown third parties. Further to that, no ad blockers keeping it out of sight which is probably just fine by those running them because they're not being subjected to any of the nasty things I just mentioned anyway. I also love that Graham publishes a really clear sponsorship page which outlines everything nice and transparently. I had a good chat to Graham and I really like the way he's done this, especially as he's obviously been successful with it having already sold out space into 2017. Smart guy, Graham.

So to move things forward, I've now created a sponsorship page which gives a more formal definition of what I'm offering, but in short, it looks like this:

Or this on the smaller screens:

Plus it appears up top of the RSS feed which surfaces the message in both RSS readers and other consumers of the feed such as the email subscriptions via IFTTT:

One of the other reasons I really like this approach is that it gives me a connection directly through to the organisation who wants the exposure. Traditional ads never did that; there was no talking to the companies and building relationships, it was just an "arm's length" thing where the ad suddenly appeared one day. Obviously this also allows me to be selective about who appears there and brands that align with my view of the world are great, but you won't be seeing CUJO promoted on this site any time soon.

Of course all this only makes sense if brands get exposure out of it. I've shared stats on that sponsorship page, but I'll give you a quick overview here too as I often get asked about traffic. Here's my previous month according to CloudFlare:

I see about 1.2 page views per visitor so call it an even 1M impressions per month. Obviously traffic is always going to fluctuate and this period includes my Dropbox hack story getting a heap of international press, but then again there's always something hitting the headlines. Typically, traffic is in the 20k unique visitors each day range as the last week shows:

Predictably, that traffic is quite US-centric; here's the top 5 geo locations over the last year based on percentage of overall traffic:

  1. United States: 35%
  2. United Kingdom: 13%
  3. Australia: 5%
  4. Germany: 5%
  5. Canada: 4%

India is next and then it tails off from there. I'm happy to provide more demographic breakdown for anyone who wants it too. I'm a bit wary of getting too infatuated with traffic numbers over small windows as it tends to go up and down (I still haven't come close to matching the post-Ashley Madison traffic), but the structure and distribution of the audience tends to remain pretty constant.

So that's it folks, that's the model I'd like to move towards. I'll kick that in as soon as the first sponsor arrives and hopefully I can replicate Graham's success and keep it free of those traditional ads. I'm still working out how to correctly price it and I'm sure that's something that will evolve over time depending on how the interest goes. Obviously I'd love support on this and it will really help me put more effort into blogging so if there's a company you think you should be seeing at the top of this page, give them a nudge. I'm available via my contact page for any enquiries and until then, here's a traditional ad (unless you block it, which I wouldn't blame you for):

Azure Functions in practice

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward, which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one every 1.5 seconds and then returning HTTP 429 in excess of that, the rate limit meant there was no longer any point in hammering away at the service.

However, just because there's no point in it doesn't mean that people aren't going to do it anyway as my traffic stats last weekend would attest to:

That's as measured by CloudFlare and you can see that they passed 97% of the requests on to my site. However, in that 24-hour period where 45 million requests were served, the error rate according to New Relic was 0.0011%. It was only that high because someone also came along and decided to throw an automated scanning tool at it so as far as I'm concerned, downtime was effectively zero. In fact, it is zero as my weekly New Relic report from Monday shows (note that "views" doesn't include API hits, which is where all the traffic was being directed to):

That was unchanged from the week before which also had zero downtime and I achieved that because I just spent money on scale to keep it fast for everyone. But that's not really fair now, is it? I mean that I should be paying out of my own pocket just to serve 45-something-million HTTP "Too Many Requests" responses to someone who's getting absolutely zero value out of them anyway. Let's fix that!

I started routing traffic through CloudFlare at the time of the blog post I mentioned in the opening paragraph. This was particularly useful when the traffic went from API abuse to all out attempted DDoS and I'll write more about how I handled that in the future (I'd like to wait until things settle down first). One of the great things about having CloudFlare in front of the site is that it opens up options of how to handle traffic upstream of your server, or origin as it's often referred to. For example, you can block an IP address outright. And they have an API to do it. And whilst there's a heap of IP addresses being abusive (refer back to that post), I can programmatically identify them.

Normally I'd stand up a WebJob to do this and I've written at length about my love of these. I love that they run in your existing website therefore don't cost any more, I love that they deploy along with the site and I love their resiliency. But they do draw resources from the infrastructure they run on and the hot thing these days is "serverless" which is like, on servers, but you kinda don't know it. One of the key tenets of a serverless architecture is that when it's provisioned in the way Microsoft has done it here, you just never even think about scaling underlying resources or what sort of load you're generating on the environment, it's just an endless stream of constant service that you consume at will. Of course you pay for that too in a pay-per-execution billing model (more on that later), but now it's just a money discussion and not a scaling one.

Azure's interpretation of serverless code is their Functions feature which is still in preview at the time of writing, but this is a perfect use case as it's something non-critical to the actual function of the site so a good place to dip a toe in the water. The value proposition of Azure Functions is that they're very small units of code that can be quickly written and deployed then triggered by events. So let's do this: let's use an Azure Function to take abusive IP addresses and submit them to CloudFlare to be blocked. That oughta do it!

My web app is already deciding when an IP is being abusive (and there's parameters around that I won't go into here) and then dropping it into an Azure storage queue. If that's an unfamiliar paradigm to you then check out Get started with Azure Queue storage using .NET first because I just want to focus on functions here. So that's the prerequisite: messages in a queue with each one containing a single IP address.

The Azure Function kicks off by creating a new one in the portal with some pretty basic details:

We're given some quick start options:

But let's instead just select "New Function" and start there:

It's going to be a queue trigger that I write in C# so we'll grab that option:

Now we'll name the function and specify the queue name it's going to watch:

This is the queue name my web application is already dropping abusive IP addresses into that resides in an existing storage account. This screen also allows you to choose the storage account (not in the screen cap), but only if it's not a "classic" storage account. However, there's an easy workaround for that if you're not already using the newer storage incarnation.

With the function now created, we have ourselves an empty stub:

And that's it! Well, it's something, it's code that's now running and will be invoked when an item appears in the queue. That item is then available via the "myQueueItem" parameter. In my case, it's just an IP address but it could easily be a JSON serialised object containing a lot more data. The point is that I've now got something I can code against so let's look at what's involved in blocking that IP at CloudFlare.

CloudFlare has got a great API that lets you do pretty much everything you can via the web interface in the browser. The API I'm particularly interested in though is the create access rule one on the firewall which looks like this (screen cap of their docs, not my API key!):

All I need to do now is wrangle up an HttpClient and send off the request. Here's the entire code:

The app settings are configurable via the portal just as you would with app settings in a website:

The "ZoneId" here is a unique ID for the CloudFlare asset I'm controlling (there's a zone subscription API you can retrieve that from) and the X-Auth-Key is on your CloudFlare account page. I also elected to use the "js_challenge" approach rather than actually block the traffic outright so that if a genuine user comes by and inadvertently sets off the trigger (or is on a shared IP that someone else is abusing), they'll just get an interstitial page rather than be completely blocked from the service.

You might also notice the rule notes use a prefix convention of "rate-limit-abuse-" followed by the present time in sortable format. I wanted to be able to look at CloudFlare and know when the rule was created, not just so that I can eyeball them in the portal, but because I'm going to use that information to manage them a bit later on.

And that's it - all you do now is save the code in the browser interface:

It compiles and runs immediately, returning output to the log beneath the code:

It's automatically picked up a number of items already in the queue and processed them, including IP address 195.211.239.18 (yet another Russian one). Output looks solid, there's a few successes there and they're all taking well under 100ms too. Let's now check the CloudFlare interface:

Perfect! The first IP address you see in that image is the one from the function output in the previous screen. In fact, on that screen you may notice the same IPs appearing a couple of times. This is down to the nature of the conditions in HIBP that flag the IP as being abusive and then queue it for processing, but the great thing about the CloudFlare API is that it's idempotent so it doesn't matter if you keep submitting the same thing to it over and over again.

Of course the real proof in all this is what it does to my traffic:

Now this I like! That's precisely the outcome I was hoping for and it's absolutely smashed the traffic back down to purely organic users and those playing by the rules with the API. As I watched it run after initially rolling it out, I'd see occasional spikes:

These correlate with a new IP address suddenly hammering the service before being identified as abusive, getting thrown into the queue, picked up by the function and pushed over to CloudFlare to be blocked. The poor thing never stands a chance - it has a longevity measured in seconds from the time it starts abusing to being blocked outright.

Now this is blocking which is awesome, but when it's so easy to create code to manage firewall rules this way, we can get even smarter about things. Let's go and create a second function:

This one is a timer trigger and I'm going to configure it like this:

The title should be self-explanatory - I'm going to remove "old" blocked IPs. My theory is that sooner or later, a blocked IP gets the message and moves on. Particularly when you're talking about botnet behaviour, these are quite possibly legitimate infected machines whose owners I still want to have unfettered access to the service. Alternatively, if it's just an IP that's inadvertently tripped the trigger then I don't want it being permanently blocked from making API calls, which is what a JavaScript challenge effectively does. And finally, that CloudFlare firewall rule list is going to get unwieldy if I don't regularly prune it so this seems like a good move all round.

The schedule you see in the image above is a cron expression and that pattern means the function will run every minute. That's fine for testing, but for production purposes checking for old IPs that can be unblocked is fine on an hourly basis.

Anyway, onto code:

The only difference between the structure of this code and the previous function is the TimerInfo passed to the run function. It's very simple stuff (in fact I've over-simplified it and not made it particularly resilient), but that's kinda the point with functions too - they can be extremely lightweight and serve a very singular purpose within a self-contained construct.
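Here is an added example, not Troy's own code, showing how both functions described above (the queue-triggered one that submits an abusive IP as a "js_challenge" access rule, and the timer-triggered one that prunes "rate-limit-abuse-" rules by the timestamp in their notes) could be written in the C# script style of the 2016 Azure Functions preview. The post gives the ZoneId and X-Auth-Key app settings, the js_challenge mode, the note prefix and the sortable time format; everything else is an assumption: the CloudFlare v4 endpoint path and JSON field names (`result`, `id`, `notes`) as documented by CloudFlare, an X-Auth-Email header fed from an assumed "AuthEmail" app setting, a 24-hour retention before a rule is removed, and the grouping of both functions into one class (in the portal each would live in its own run.csx).

```csharp
// Added example, not the post's own code. Both function bodies are written in
// the C# script style of the 2016 Azure Functions preview (one static Run per
// run.csx); they are grouped in one class here only so the file compiles as a
// single unit. Assumptions beyond the post: the CloudFlare v4 endpoint path
// and JSON field names (from CloudFlare's docs), the X-Auth-Email header and
// its "AuthEmail" app setting, and a 24-hour retention for challenge rules.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;        // TimerInfo
using Microsoft.Azure.WebJobs.Host;   // TraceWriter
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class AbuseRules
{
    // Rules created by this code carry this prefix so the pruner never touches
    // rules that were added by hand in the CloudFlare portal.
    const string NotePrefix = "rate-limit-abuse-";
    static readonly TimeSpan MaxAge = TimeSpan.FromHours(24);   // assumed retention
    static readonly HttpClient Http = new HttpClient();

    // Firewall access rules endpoint for the zone named in the ZoneId app setting.
    static string RulesUrl()
    {
        var zone = Environment.GetEnvironmentVariable("ZoneId");
        return "https://api.cloudflare.com/client/v4/zones/" + zone + "/firewall/access_rules/rules";
    }

    // Builds a request carrying the account credentials read from app settings.
    static HttpRequestMessage Request(HttpMethod method, string url, string body = null)
    {
        var req = new HttpRequestMessage(method, url);
        req.Headers.Add("X-Auth-Email", Environment.GetEnvironmentVariable("AuthEmail"));
        req.Headers.Add("X-Auth-Key", Environment.GetEnvironmentVariable("X-Auth-Key"));
        if (body != null) req.Content = new StringContent(body, Encoding.UTF8, "application/json");
        return req;
    }

    // The note records the creation time in sortable ("s") format,
    // e.g. rate-limit-abuse-2016-09-26T10:15:30, so it can be parsed back later.
    public static string BuildNote(DateTime utcNow)
    {
        return NotePrefix + utcNow.ToString("s", CultureInfo.InvariantCulture);
    }

    // JSON body for a js_challenge rule: the IP gets an interstitial, not a hard block.
    public static string BuildRuleBody(string ip, DateTime utcNow)
    {
        return JsonConvert.SerializeObject(new
        {
            mode = "js_challenge",
            configuration = new { target = "ip", value = ip },
            notes = BuildNote(utcNow)
        });
    }

    // From a rule listing, pick the ids of our own rules created more than maxAge ago.
    public static List<string> SelectExpiredRuleIds(string listJson, DateTime utcNow, TimeSpan maxAge)
    {
        var expired = new List<string>();
        foreach (var rule in JObject.Parse(listJson)["result"])
        {
            var notes = (string)rule["notes"] ?? "";
            if (!notes.StartsWith(NotePrefix)) continue;
            var stamp = notes.Substring(NotePrefix.Length);
            DateTime created;
            if (!DateTime.TryParseExact(stamp, "s", CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out created))
                continue;   // malformed note: leave the rule alone rather than guess
            if (utcNow - created > maxAge) expired.Add((string)rule["id"]);
        }
        return expired;
    }

    // Queue trigger: each message is one abusive IP address queued by the web app.
    // Re-submitting the same IP is harmless because the API call is idempotent.
    public static async Task Run(string myQueueItem, TraceWriter log)
    {
        var ip = myQueueItem.Trim();
        var resp = await Http.SendAsync(Request(HttpMethod.Post, RulesUrl(), BuildRuleBody(ip, DateTime.UtcNow)));
        log.Info("Challenge rule for " + ip + ": HTTP " + (int)resp.StatusCode);
    }

    // Timer trigger: list the first page of rules (100 per the post) and delete
    // the ones this code created more than MaxAge ago.
    public static async Task RunPrune(TimerInfo myTimer, TraceWriter log)
    {
        var list = await Http.SendAsync(Request(HttpMethod.Get, RulesUrl()));
        var json = await list.Content.ReadAsStringAsync();
        foreach (var id in SelectExpiredRuleIds(json, DateTime.UtcNow, MaxAge))
        {
            var del = await Http.SendAsync(Request(HttpMethod.Delete, RulesUrl() + "/" + id));
            log.Info("Removed rule " + id + ": HTTP " + (int)del.StatusCode);
        }
    }
}
```

The two pure helpers, BuildRuleBody and SelectExpiredRuleIds, hold all the decision logic and take the clock as a parameter, so they can be unit tested without the portal or network; only Run and RunPrune touch HttpClient. Pruning is keyed on the note prefix deliberately: a rule whose note does not parse is skipped rather than deleted, so a hand-written rule in the same zone is never removed by the timer.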

When it runs, I'm seeing output like this:

When there are no IPs to remove, it's just a single GET request to CloudFlare which returns 100 rules (you can page through them if you have more) and the whole thing is executing in about 100ms. If there's a firewall rule to remove, then there's going to be a second call and a fraction more time. Frankly, that barely matters other than for the pricing, but I'll come back to that a bit later.

Checking in a half day after rolling this out, here's how things look from the CloudFlare side now:

In other words, as of Monday morning, 99% of the traffic had come off my origin and you can see where the uncached requests dive dramatically as I implemented this late on Sunday night. Actually, the web server was just sitting there doing, well, basically nothing:

After implementing this, rather than whoever was abusing the system finally getting the message and moving on, they went at it even harder:

But it doesn't matter, not one little bit, because my system didn't have to deal with 67 million requests, rather a "mere" 560k. They can issue a billion requests in a day for all I care and so long as CloudFlare blocks it, we're all good. This all makes me very happy :)

Now this is all great, but how much? You don't get stuff like this for free, right? Let's give the Azure pricing calculator a go and plug in what we know. Functions pricing works by looking at how long the code takes to execute and how many times it runs which is a very nice incarnation of commoditised cloud pricing - you're paying for what you use. Let's assume I see 50 nasty IP addresses a day so there's 50 function executions, then I check hourly for old IPs so there's another 24 which is 74 a day or 2,294 a month. They'll normally take 100ms to run, sometimes a bit longer but that doesn't matter as far as the calculator is concerned as it only works in round seconds. Anyway, it all looks like this:

Yeah, free. In fact, if it was used 1,000 times more it'd still only cost me $0.40 a month because of the free grant in the pricing structure:

Pricing includes a permanent free grant of 1 million executions and 400,000 GB-s execution time per month.

I like free, free is good. So now I've got the free Azure Functions orchestrating firewall rules on the free CloudFlare service which is taking traffic off my origin and dramatically reducing the cost of the web infrastructure I was paying for which is not free!

It's early days for this implementation as it is for my foray into Azure Functions. I love how lightweight they are and how easy it was to throw this all together - it took me longer to write this blog than it did to implement the feature! In fact, until doing this I'd never actually built anything on the Azure Functions service so to go from zero to something so useful in such a short time and for zero monthly cost makes me enormously happy. Only thing now is I'm left wondering how much other stuff I should be migrating over! Oh - and why I keep getting hit with requests that are returning absolutely useless responses 4 days after rolling this out, that remains a bit of a mystery...


Something new: Weekly update 1

I've had this idea in mind for a while to start capturing some video on a weekly basis about things that are topical and interesting but that I'm probably just not going to get around to blogging in detail. Writing is massively time consuming, plus I reckon there's a bit more candour that comes across in video.

As I say in the intro, see if you like it. If it's good, let me know. If it's not, well, you probably should also let me know or at least tell me how to improve it. I'm about to head back to Europe for a few weeks so it'll be interesting to see if it makes any sense doing it while I'm away (and indeed if I can even manage to), so the feedback will be awesome.

See how this goes:

References

  1. The Yahoo story on the BBC (yeah, I had a haircut between that one this morning and the one above)
  2. The Regpack data breach (but remember - don't call it a breach!)
  3. Using Azure Functions and the CloudFlare API to deal with massive traffic (67 million requests in 24 hours and only 1% of them hitting my origin)
  4. Upcoming Europe travel and where I'll be when (I've got a lot of travel coming...)

7 years of blogging and a lifetime later...

Sponsored by: Help Net Security - Trusted source for daily information security news and analysis

Exactly 7 years ago today, I wrote my first blog post titled Why online identities are smart career moves. That's a pretty self-explanatory title and I wrote it while gainfully employed in a job I'd been in for 8 years at the time, but it's worth a quick read as it sets the scene for this post. I may have had a steady job, but I knew I wouldn't always be there...

I won't go into all the background here, if you want the details of what led to my eventual departure from big corporate then have a read of How I optimised my life to make my job redundant. What I thought I'd do here instead is talk just a little bit about how much life has changed. In part this is because reflection is important; sometimes we forge ahead so quickly, we forget where we've come from. But I also wanted to prompt other people who may be where I was 7 years ago to think about what they can do today so that they might have some of the same choices in the future.

When you're reading this, keep in mind that all of this started from that first blog post. That was the initial foray into a public profile, into independence and ultimately into an entirely different way of life for both myself and my family. A massive journey that started with one little blog post. Read on.

I used to commute through traffic every day

Now I sometimes just jet ski to somewhere peaceful and work there on my own terms.

I needed to be "visible" by being in the office, because apparently that's important

Now I'm more accessible to more people than I ever could have imagined, communicating with dozens or even hundreds of others every day, even if just within 140 chars.

My success was measured by annual performance reviews performed by a single person

Now I know I've done good work when tens or hundreds of thousands of people a day read what I write or use what I build.

My pay was assessed against industry benchmarks within organisational constraints and indexed against the profitability of a company making erection drugs

Now I'm paid based on what people think I'm worth. There are no brackets, no caps and nothing to index against, the only constraint is how valuable I can make the things I do.

Expenses were scrutinised and purchases had to be carefully explained and justified

Now I spend money on things that make sense. If it helps me become more productive and better at what I do and there's an obvious ROI, I just buy it. Fast PC, good software, smart services; if it helps me be successful, I don't need to justify it to anyone but myself.

Budgets were meant to be exhausted before the end of the year so they wouldn't be cut in the next year

Now if I spend less money than I planned, I'm happy :)

"Career progression" meant I had to do less of what I really loved

I've thrown out the traditional career metrics I don't care about. Seniority? Who cares. Corner office? I live on a beach. Undercover car space on site? I park the jet ski under the house. But more importantly, I no longer do performance reviews or fill out forms or deal with people I don't want to, I'm actually doing what I love which is working with technology rather than just talking about it.

I went to lots of meetings where people politely agreed with me

Now I'm always interacting with smart people and they tell me how I can be better. They understand what I do. Some of them call me a dickhead because they can - HR isn't going to pull them up!

I used to look at what I'd achieved for the day and it would be emails, phone calls and various activities that helped other people deliver

Now I create things that people actually use whether that be Have I been pwned, Pluralsight courses, blog posts or face to face training. I'm producing really useful stuff and that feels awesome.

I worked in a windowless office in the middle of a building because my seniority didn't grant me natural light

Now I'm writing this next to my pool because independence has granted me the ability to choose where I work.

I'd use my annual leave to attend conferences

Now there's no more annual leave, instead I take time out when I want to and it may not be as much time as I should take out, but I get to decide, not someone else.

The job dictated when I saw my family

Now I choose - with them - how and when I spend time with them. I can take the kids to school and pick them up whenever I want. I can play tennis with my son before school. I can go to the beach with my daughter in the middle of the day. It's entirely my decision.

I longed for much, much more than I had

For the last year, life has finally been where I've wanted it to be since, well, a lot longer than 7 years. This post is not intended to be a self-ingratiating ego booster, rather a moment of reflection that where I am now began with that one blog post 7 years ago. I didn't know how it would go and I had many reasons not to do it, including our first child being born just a couple of weeks later. But I did it and I took years to find my "fit" and then years again to make it genuinely successful.

If any of this resonates with you, get started on whatever your "small step" is and you might find it eventually leads to truly awesome things.

New Pluralsight Course: Deconstructing the Hack

Sponsored by: Help Net Security - Trusted source for daily information security news and analysis

I was on another whirlwind trip back in July, this time to a bunch of spots in the US which included Chicago where Pluralsight has one of their offices. The last time I was there I'd recorded a "Play by Play" course which is video recorded rather than a screen cast like so many of my others. It meant someone else (in this case, Gary Eimerman who's part of the Pluralsight team) and I actually sitting in front of the camera talking about security, as well as recording snippets of screens to illustrate the discussion. I really loved the format of that course as it's very candid and feels like an organic discussion rather than a carefully rehearsed presentation.

So anyway, that recent trip coincided with the very end of the mammoth ethical hacking series we'd done over the previous 18 months so it seemed like a perfect time to do something a little more casual and easily consumable whilst continuing the ethical hacking theme. I'm now really happy to be able to share Play by Play: Ethical Hacking - Deconstructing the Hack:

The theme of the course was to take a number of security events that illustrated various attacks I'd covered in the ethical hacking series and talk through some of the mechanics. Deconstruct them, if you like. These are real world security events so this is far from hypothetical, it's things that have actually happened. Here's what we cover:

  1. SQL Injection: TalkTalk
  2. Session Hijacking: Valve
  3. Evading IDS, Firewalls, and Honeypots: Ashley Madison and Sony Pictures
  4. Hacking Web Servers: Drupal
  5. Distributed Denial of Services (DDoS): Nissan

These gave us a good opportunity to talk about the real world impact of the risks and the early feedback on the course has been enormously positive after launching a couple of days ago. This is now my 24th Pluralsight course and I'm very happy to share it here: Play by Play: Ethical Hacking - Deconstructing the Hack is now live!

Incidentally, I've got two more Play by Play courses already recorded and awaiting publication (one totally unrelated to security) plus I've just wrapped up recording another more traditional course which I hope to get fully edited during my next European tour that kicks off in a few days.

Weekly update 2

Sponsored by: Help Net Security - Trusted source for daily information security news and analysis

So much to my surprise (honestly, I really didn't expect it), the weekly update I did last week was actually quite popular. People seem to like the short, casual form and it sounds like they're happy either sitting down and watching it or just listening to it in the background. Actually, the most common piece of feedback I received was that they wanted it in podcast form as well so I'm working on getting that out too.

I'll be travelling in Europe for the next 3 weeks but I'm going to keep this weekly update happening, maybe I'll even find some cool locations to do it from. Thanks for the support folks, please keep suggestions and comments coming!

References

  1. 7 years of blogging and a lifetime later... (best professional move I ever made, without a doubt)
  2. New Pluralsight Course: Deconstructing the Hack (my 24th Pluralsight course and it's a very easy-watching play by play)
  3. iPadpalooza conference (talking to teachers about security is a great way of influencing an all new audience)
  4. i-Dressup leaking millions of plain text passwords (and nobody seems to want to know about it...)
  5. InfoArmor report on data breach trading and Yahoo (very interesting reading, plus they call "bullshit" on Yahoo's state-sponsored claims)
  6. Help me spec out a replacement home network using Ubiquiti bits (this gist has got everything I'm planning, input welcome!)
  7. Workshop: Hack Yourself First: How to go on the Cyber-Offence: 13-14 Oct, London (United Kingdom) (only a couple of weeks away and still tickets available)

Here's how I deal with managed platform outages

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

The other day, my blog went down:

Now clearly I don't like my blog going down but hey, this is technology and sometimes it fails us. But I host my blog on Ghost Pro which means that when it goes down, I do this:

Wait - aren't I meant to be running around fixing things?! Well no, that's the responsibility of the platform provider and whilst I'd obviously prefer the blog was up and running, it's not my responsibility. So I had a swim while others dealt with the problem.

Now I knew how to handle this emergency because I'd had practice in the past. It was down a few months earlier too:

Clearly I had to do something about this, so I headed off to deal with the problem:

By no means do I want to suggest Ghost Pro has any inherent reliability problems though, I've seen outages in my SQL Azure database that sits behind Have I been pwned (HIBP) too:

On that occasion, some more action was required:

So I went tubing with the kids.

This is clearly all a bit tongue in cheek, but here's the point: by using managed platforms like Ghost Pro and Azure's PaaS (platform as a service) offerings, outages are other people's problems. That doesn't mean they won't happen (clearly), but when these services go down I know that the best people in the business are dealing with the outage and doing a better job of it than I could self-managing the thing. That's almost certainly the case for you too: you might be the world's greatest sys admin but when you're managing your blog on a VPS somewhere and then you go to sleep, you're going to have problems.

All of this is why I'm such a big proponent of pushing everything as far as possible to the right on this chart:

HIBP runs primarily on PaaS. I load the application into Azure's App Service (effectively just a website) and the data into their managed SQL offering. I do actually use some IaaS (infrastructure as a service) as well for data breach processing but only because I need more ability to run things on the OS.

This blog, on the other hand, runs on Ghost Pro which is SaaS (software as a service). The service they provide is the Ghost blogging platform where they manage everything for me:

The downtime and recovery line is a perfect illustration of what I'm talking about above and I cover this in more detail in the launch post for this new blog earlier this year. Of course this doesn't guarantee you no outages, as the tweets above clearly demonstrate, but what it does is ensure that someone else is looking after it all for me. Even though I've had a couple of outages this year, if you add them all up and look at the availability of either HIBP or this blog, you're going to be looking at 99.9x% availability which, for these classes of site, I'm quite happy with.

Another great illustration of why you want to "push to the right" on that earlier diagram is the piece I wrote on vBulletin in August. Here we have troves and troves of self-managed bulletin board systems that never get maintained, fall out of date patch-wise and get pwned left, right and centre. There are few better illustrations of why you want to task someone else with managing your things than this.

By all means, self-manage your things, but while you're putting out the fires I'm going to be doing something else productive, like lying in the pool :)

Weekly update 3 (Edinburgh edition)

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

Given this thing seems to have some traction and people are enjoying them, I'm going to keep these weekly update videos going. As I mentioned last week though, I'm now travelling so that makes this one a little bit different.

I was in Edinburgh yesterday when I recorded this (I'm now in Glasgow), and I actually reckon it turned out kinda neat. Bit shorter (it's not as easy doing this standing around in the wind and the crowds), but hopefully still enjoyable:

References

  1. Why I particularly like managed platforms during outages (warning: multiple photos of my legs)
  2. News getting worse and worse for Yahoo (still no sign of the half a billion records that were taken either)
  3. Free Pluralsight webinar on half a dozen of the big hacks this year (Nissan LEAF, Philippines Election Commission, Lifeboat Minecraft site, Dropbox, Regpack, Yahoo)
  4. Free Varonis course on insider threats - "The Enemy Within" (if nothing else, watch it for Bob the guy who outsourced his job to China)
  5. Sponsored by Sucuri this week, big thanks to them! (it's actually mid-December I'm now sponsored through to!)

Handling Chinese data breaches in Have I been pwned

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

China is an immensely fascinating place for many reasons. It's geographically bigger than the US, it has almost double the population of Europe and it's had the world's largest economy for the majority of the last two thousand years.

On the technology front, there are more internet users than the US, Brazil, Japan, Russia and Indonesia combined (which make up 5 of the top 7 most connected countries), yet there's still only about half the population online. When that half does connect, it's usually not to the services that you and I use (assuming you form part of my predominantly Western cultured audience demographic). We use Google, they use Baidu. We use Twitter, they use Sina. We use YouTube, they use Youku Tudou.

It's not just different websites either, there are some fundamental differences in the way they browse the web, starting with the PCs they use. Windows XP still has over 20% of the operating system market share, this at a time when Australian usage is getting close to sub 1% (I've written before about the drivers keeping it alive in China). When folks in China get online, there's a bunch of places they won't be going due to the Great Firewall of China. Everyday sites we take for granted elsewhere are largely inaccessible within China: Google, Facebook, YouTube, Twitter, Instagram. The list is extensive and whilst many people use VPNs, they're regularly blocked or are unreliable.

The point of all this is that China is a very different place to so much of the rest of the world, including neighbouring Asian countries. Yet one thing that's not different is that like everywhere else, data breaches are a serious ongoing problem. In fact in some ways it's worse in China due to their massive size combined with a very different social tolerance for privacy. In my experience travelling there frequently for work and having had many Chinese colleagues I worked closely with, there's just not the same outrage we'd have here knowing that others have access to our personal data. I want to be careful how I put this and caveat it with "my personal experiences", but where we'd be very unhappy with, say, government monitoring of our personal communications, they accept it as a more normal part of life.

When I see alleged Chinese data breaches, it's enormously hard for me to do the same level of due diligence as I'd normally do when I verify these incidents. This is due to a combination of language barrier (there's Google translate, but that only takes you so far), breach origin (site domain names often don't match the name of the service) and a general lack of understanding about how some of the sites implicated in these breaches are used by the local population. I've certainly tried the usual means I wrote about in the above link including reaching out to Have I been pwned (HIBP) subscribers impacted in those breaches and asking for their support in verification. I've had really mixed results from them, for example when providing one subscriber with his data from an incident this week:

Those are sadly legitimate. The IP resolves to my internet provider

And someone else in the same incident who didn't believe they ever had an account on the site:

After triggering "forgot password" I got the email in my spam

Then there was an earlier alleged breach which resulted in feedback from HIBP subscribers such as this:

I have now looked at these sites and have never knowingly used them

Yet she then went on to say:

The word next to my email address is one I used to use as a password

This particular incident had many other subscribers respond in similar ways:

I have never used [redacted] or been to China, so my data being listed as part of a Chinese breach does not make sense. However, I was in Malaysia in 2009, where I would have used those credentials to access various hotel internet services.

Time and time again, Chinese data breaches would pop up and I'd verify them enough to establish that there's some merit to them, but I just haven't been certain enough to put them into HIBP with the same degree of confidence as, say, Dropbox or LinkedIn or any of the others where I've been as close to certain as I can be. As a result, I've been sitting on a lot of large Chinese data breaches that I know have a significant portion of legitimate user information in them. So here's how I'm going to handle them:

Back in July, I introduced the concept of unverified breaches which are incidents that have enough legitimacy to take seriously, but not enough to represent them in the same class as the likes of Dropbox et al I just mentioned. This is pretty much where I'm at with these Chinese incidents so that's how I'm going to handle them - as unverified breaches.

Starting today, I'm going to start feeding some of these big breaches into HIBP. Some of them are millions of records, some of them are tens of millions. One of them is hundreds of millions and as I've outlined above, whilst it's hard to be emphatic about their legitimacy, they're legit enough to warrant inclusion.

Should you care about the quality of your neighbours on a SAN certificate?

Sponsored by: Help Net Security - Trusted source for daily information security news and analysis

We've all had bad neighbours before. Perhaps they were noisy, maybe the kids ran riot or they could have been just continually snaring all the visitor parking spots in your apartment building (bastards). But last week, someone popped up with another bad neighbour story which was quite different to usual...

Fellow MVP Paul Cunningham runs a blog over at paulcunningham.me and for the most part, it looks like any other ordinary blog:

Now being a forward-thinking bloke, Paul has elected to serve his blog over HTTPS and, as I've advocated many times in the past, he chose to go with Cloudflare to do it. It would have been a 5-minute job for Paul: create the site on Cloudflare, update his name servers, job done. And then Paul looked at the certificate on his site.

Now I'm always pretty open and direct about these things and since we're all adults here (probably), I'm just going to give it to you as it is. Here's what Paul saw when he looked at the cert:

I'm going to avoid listing all the sites in that list here as frankly, I have no idea what it would do to my SEO, but if you're genuinely curious I've dropped them into a Gist. These are "Subject Alternative Names" on what we know as a SAN certificate. The value proposition of a SAN cert is that you can fit multiple different names on the one certificate, which gives you some economies of scale in terms of creating, purchasing and loading them. For a service like Cloudflare that offers SSL for free, this makes sense as they can combine up to 50 different host names on the one cert. Problem is, you never know who you're going to end up next to. In my case, I've got reasonable company on this blog, at least compared to Paul:

Cloudflare kindly keeps multiple different sites under the same account together on the same cert, so the ones I've highlighted here are all mine. There are many others that aren't, but I don't have quite the same, uh, "bedfellows" as Paul does. (Incidentally, this can also serve as an oracle for identifying other assets potentially owned by the same Cloudflare account holder.)

Getting back to Paul, does it really matter? Yes, his neighbours are porn sites and I get that may not be a real professional look, but does it actually have any tangible impact on him? The certs are managed by Cloudflare so there should be no vector available for one of those sites to hijack your traffic, so what's the problem?
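To make the two points above concrete (many names on one cert, and no cross-site vector from merely sharing it), here is an added example that is not from the original post or from Cloudflare. It builds the DER value of a subjectAltName extension from a list of names, parses it back, lists the "neighbours" that are not yours, and applies the hostname matching rule a browser uses (exact match, or a wildcard covering exactly one label). The encoder and decoder are a minimal hand-rolled walker using only the standard library, and every host name is constructed for illustration (the `.test` TLD is reserved and never resolves).

```python
"""Added example: encode/decode an X.509 subjectAltName (SAN) list and check
which host names it covers. Standard library only; all names are constructed."""

# GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String
TAG_SEQUENCE = 0x30
TAG_DNS_NAME = 0x82


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int):
    """Return (length, index of the first content byte)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def encode_san(dns_names):
    """Build the DER GeneralNames value that a SAN extension carries."""
    body = b"".join(
        bytes([TAG_DNS_NAME]) + _encode_length(len(n)) + n.encode("ascii")
        for n in dns_names
    )
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def decode_san(der: bytes):
    """Walk the GeneralNames sequence and collect the dNSName entries."""
    if der[0] != TAG_SEQUENCE:
        raise ValueError("SAN value must start with a SEQUENCE")
    total, pos = _decode_length(der, 1)
    end = pos + total
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _decode_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == TAG_DNS_NAME:
            names.append(value.decode("ascii"))
        # other GeneralName choices (IP address, rfc822Name, URI) are skipped
    return names


def hostname_matches(hostname: str, san_names) -> bool:
    """Browser-style check: exact match, or a left-most wildcard that covers
    exactly one label (so *.example.test never covers example.test itself)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.test"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False


def neighbours(san_names, my_names):
    """Every SAN entry on the shared certificate that is not one of mine."""
    mine = {n.lower() for n in my_names}
    return [n for n in san_names if n.lower() not in mine]


# Constructed stand-in for a shared CDN certificate's SAN list (not real sites).
SHARED_SAN = encode_san([
    "*.shared-edge.test", "shared-edge.test",
    "myblog.test", "*.myblog.test",
    "neighbour-one.test", "*.neighbour-one.test",
    "neighbour-two.test", "*.neighbour-two.test",
])

if __name__ == "__main__":
    names = decode_san(SHARED_SAN)
    print("SAN entries:", names)
    print("neighbours:", neighbours(names, ["myblog.test", "*.myblog.test"]))
    print("www.myblog.test covered:", hostname_matches("www.myblog.test", names))
    print("deep.www.myblog.test covered:", hostname_matches("deep.www.myblog.test", names))
```

The matching rule is the part worth noticing: a client only ever asks "does the name I connected to appear on this certificate?", so the other entries on the list are irrelevant to that check. What actually protects the traffic is that the private key behind the shared cert stays with the CDN, which is why a neighbour's presence on the list gives them no path to your visitors.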

The closest I could get to a viable answer was "perception". People might look at Paul's site (or at least his cert) and pass some sort of moral judgement due to the other alternate names on the certificate. But frankly, if you're drilling down into the cert and looking at SAN entries, you've probably got a bit of an idea about what you're doing and would know that the other names are of no real consequence. Besides, if association with other sites is the measure by which a domain name is judged, you could easily do a reverse lookup and find all sorts of other sites sharing actual hosting space (or at least sharing the IP address), which is arguably a closer association than the mere presence of a name on a SAN cert.

Be that all as it may, Paul (or others with a SAN containing some undesirable neighbours) can always just buy their way out of the whole conundrum by paying Cloudflare a monthly fee:

Paul ultimately elected to fall back to serving traffic directly from his "naked" site (no Cloudflare in front of it), but I honestly don't think this is too much of an issue either way. I just found it an interesting - if not amusing - example of how you can be inadvertently associated with sites of a very different nature to your own.

Weekly update 4 (London edition)

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

Another week in another faraway place. Since the last update in Edinburgh I've spent a couple of days in Glasgow, a couple of days in the middle of that in Speyside, a couple of days in Copenhagen then a few nights in London. That's put me a day behind when I would have liked to have published this post but hey, not bad all things considered, I reckon, especially given the spot I found to record it:

References

  1. You might end up on a SAN cert with "unexpected" neighbours (yes, there's a lot of porn on Paul's cert but no, it really doesn't have any practical impact beyond perception)
  2. Modern Business Solutions is (allegedly) the source of a 58 million record breach (that's a lot of data and there's 34k HIBP subscribers in there too, but they won't know how MBS got their data)
  3. No, you won't go to jail for using HTTPS on your blog (the perfect headline for people who like to get hysterical about nothing)
  4. Planning out January workshops (I'm still in the midst of this European trip, but I'm already planning the next one, yell out if you'd like me to run a private event early next year)

Here's how I handle online abuse

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

I originally wrote this post earlier on in the year. I honestly can't remember what the abuse was that led to it and frankly, that's probably for the best as it's allowed me to re-read this and ensure it comes across as general advice rather than a knee-jerk reaction to a specific unpleasant experience. Whilst the simple process of writing it helped me get the episode off my chest at the time, I've decided to post it now because I think it's important, both for others who encounter nasty behaviour online and for myself when I next do.

Unfortunately, if you spend enough time online and especially if you’re public enough, this is something you’re going to have to deal with sooner or later. Here’s how I handle it.

Abuse

I’m writing this outside the context of any recent events for reasons that will become clearer as you read on, but after the last abuse incident I thought I’d finally jot some things down. Mostly this serves as a reference point – something I may direct people to in the future – but I also write many of my blog posts as a way of forcing me to think clearly about a topic and articulate it in a cohesive fashion.

It may not be something that many of you would have expected, but I’ve often found myself at the receiving end of online abuse. As time goes by and I get more exposure or profile or whatever you want to call it that puts me in front of more people, I get more vitriol from online antagonists. Let me explain what I mean by that, the types of abuse I get and how I’ve elected to handle these incidents.

What I think constitutes abuse

Let me clear this up first because I appreciate there’s a degree of subjectivity to all this. The sorts of online abuse I get ranges from minor name-calling to slurs about my competence or professionalism to serious threats related to my personal life (I’ve come close to contacting the police in the past). I’m not going to detail what any of these actually were here as I simply don’t want to give the trolls the airtime (more on that later), but I do want to describe some of the broader behaviours.

What I don’t consider abuse is vehement disagreement with my points of view, finding factual faults with things I’ve written or said that are incorrect or any other sort of constructive argument that I may not agree with, but is aired without malice or spite. It’s the stuff that’s said first and foremost to insult or cause harm that I put in the abuse bucket. This is particularly true when it’s done from behind the veil of anonymity.

Very frequently, this is aired publicly via Twitter, in blog comments on troyhunt.com or via other online channels. Only very occasionally does it come via private means and it has never come verbally either face to face or via the phone. At times where I have actually engaged with the other party and offered to talk to them, the opportunity has never been taken up.

I should also be very clear that this is nothing like the abuse you hear of some people copping online; repeated threats to safety or family, prolonged “campaigns” of torment, racial or sexual abuse – all of that is a world apart from what I’m describing here. What I cop is merely nasty vitriol in comparison. In fact, very often it’s the sort of thing I’m teaching my six-year-old is just inappropriate, nasty behaviour and I’m teaching him this because it’s the sort of thing you expect from kids, not grown adults.

Let me explain some of the grievances that have come up multiple times before and I’m going to address them here once and for all.

I’m “profiting from security”

The very first blog post I wrote was in 2009. The first dollar of any significance I recall making out of security was when my first Pluralsight course went live four years later. There may have been some other inconsequential amounts but what I can say for sure is that until Pluralsight kicked in, 90% plus of my income came from working my arse off in a very corporatey role at Pfizer.

One thing that many people don’t realise is that almost every time I talk at an event – including when I travel to the other side of the world to do it – I don’t earn a cent (there are a small handful of rare exceptions). Actually, I make negative money because a huge amount of time goes into not just the travel, but the preparation as well. Between conferences, podcasts and interviews, I’ve done hundreds of talks and almost never made a cent directly from them. These events are about meeting people and increasing my exposure, not just in terms of me putting my name out there, but me getting exposed to other really smart people. My experience has been that the best way to ultimately be personally successful in this area is to do as much as you can for free!

In more recent years, the work I’ve done has begun to pay well, almost entirely off the back of Pluralsight and the workshops I run. It pays well because it’s in demand; there’s a dearth of good security content targeted at developers and evidently the approach I take to explaining it is popular, something I make no apologies for. Which actually brings me to my next point: who my content is for.

I’m not explaining things “the right way”

Let me give you a perfect example of this: I’ve often seen disparaging comments about the use of the Wifi Pineapple to demonstrate security concepts. I’ll see comments about how it’s trivial or a “script kiddy” tool or how real men build their own devices and so on and so forth. What a lot of people seem to miss – and this predominantly comes from security professionals – is who I’m talking to.

The material I create, whether that be on blogs or at talks or in workshops, is very heavily biased towards software developers. Not only is that my background, but I believe that’s where I can make the most difference to security; at the point where software is being written. In a case like the risks the Pineapple demonstrates, the vast majority of developers are unaware of how easily traffic can be hijacked or the risks behind practices such as loading login forms over HTTP. My goal is to make these concepts easily consumable to them and the most impactful possible way I’ve found to do that is by showing how you can order a $100 device off the web, pull it out of the box and 5 minutes later be hijacking traffic. That resonates more with that audience than rolling your own MitM tools ever will.

I fully appreciate that the way I’m explaining security to developers is not the way some security professionals would like to consume it themselves; it’s not meant to be and the very fact that developers often get exposed to security in ways they have trouble consuming goes a long way to explaining why so many of them have such a poor grasp on it. In fact, that’s the very reason I started getting involved in security many years ago – because of the friction I saw between developers and security teams.

There are people who understand many of the concepts I talk about at a greater depth than I do. Some of them are specialists in various niches, others have simply been focusing on specific things for longer. What I’ve found my strength to be is in explaining concepts in a way that’s consumable by the people I speak to. I hope that makes sense and whilst not everyone will agree with the way I present some of these concepts, they can at least appreciate why I put them forward in that fashion.

“Tall poppy syndrome”

This is a term we hear a lot in Australia and whilst there might be different descriptions for it overseas, it generally means the same thing:

The tall poppy syndrome is a pejorative term primarily used in the United Kingdom, Australia, New Zealand, and other Anglosphere nations to describe a social phenomenon in which people of genuine merit are resented, attacked, cut down, or criticised because their talents or achievements elevate them above or distinguish them from their peers. This is similar to begrudgery, the resentment or envy of the success of a peer.

In other words, people being pissed because you’ve done well. I remember learning this term as a kid when you’d see someone getting cranky because someone else has just driven past in a nice car. I’m not sure if tall poppy syndrome is actually jealousy or just the view that someone else shouldn’t be successful in what they’re doing, but frequently this seems to be the undertone of abusive messages I receive.

Sometimes, the underlying resentment when a positive event occurs is particularly raw. I’ve seen cases where I’ve announced something or had some level of success or positive coverage and amongst the outpouring of absolutely awesome feedback, is one lone dissenting voice. Not a subtle disagreement, but outright vitriol. It’s happened enough times in the past to be something I now expect, yet it never ceases to amaze me just how opposite that voice is to all the other ones.

Abuse like this doesn’t have to be cogent or well-articulated and indeed the position of “I don’t like you because you’ve achieved some level of success” is neither of these things. Yet somehow, antagonists taking this position seem to find time to commit to explaining how little attention others should be paying!

I’m a Microsoft / Lenovo / [anything else] shill

I’m certainly not alone in copping flak for affiliations and I can understand the assumption of me being incentivised to say positive things about companies that give me things, but there’s a fundamental misunderstanding of the order in which these things occur. I’m a Microsoft Regional Director and MVP because I spent years writing about their technologies while receiving nothing from them. I’m a Lenovo Insider because I spent decades buying their gear and sharing my experiences publicly before they gave me a thing.

The irony of some of the abuse I get (and certainly some people do get very angry about my affiliations), is that I’ll be reading about how I’m a Microsoft fanboy whilst using my iPhone (I don’t want a Windows phone) or am beholden to Lenovo while reading that on the W540 I bought with my own hard-earned cash a couple of years ago. Independence and trustworthiness are massively important to me, to the point where I push back on anything which has even an inkling of a chance of not being consistent with that. If it’s not something that’s an accurate reflection of my own independent views, I outright refuse and that’s the end of it. It’s that simple.

Funnily enough, I’ve often copped flak (I’ll stop short of calling these incidents “abuse”) about my ongoing promotion of tools like Freedome VPN and 1Password. I’ve never received a cent from either of them and I’ve bought every single version of their respective products at retail prices out of my own wallet! I have no financial incentive, yet I influence people to purchase them simply because they’re very good!

I recently spoke to someone in another position of influence with a similar affiliation to another large tech company and was very surprised at the pressure they had to not be seen with competitors’ equipment. That’s never the case with Microsoft or Lenovo and frankly, we’re all that much better off that the opinions of those of us involved in their programs genuinely are independent, regardless of what those who like to hurl insults from the sidelines may think.

Actions I take when receiving abuse

I’ve changed my approach over the years as I’ve gone through various nasty experiences. Earlier on, I’d be tempted to confront antagonisers and challenge their negative perceptions – reason with them, if you like. Other times I’ve allowed followers to argue with them via channels such as Twitter and blog comments, sometimes I’ve even RT’d their ridiculous comments purely to invite a torrent of defensive comments. These days, I’m trying to be much more passive.

One common thing among these individuals is that they want a fight. They’re out there to argue and debate and do whatever they can to piss you off and consume your time. I now mute them at the first sign of the behaviours I described above. Twitter is easy because there’s literally a mute feature and for anyone else who finds themselves in the same position, I highly recommend this. It’s different to “blocking” them in that they can still see my timeline and as far as they know, I just haven’t seen their message or I’m ignoring it – the joy of muting is that they don’t know. Blocking is more “passive aggressive” and it’s implicit engagement; IMHO, simply ignoring them from the outset is less confrontational. If it’s comments on other blogs or social sites, I self-mute or in other words, I simply don’t go back to that discussion. I make a conscious decision that doing so would be counterproductive and I simply tune out and go do something constructive.

Comments on my own blog are different, simply because that’s my place and like others who run a blog, I get to decide what stays and what goes. After a nasty incident some years back, I created a page titled Comments on troyhunt.com which I link to just next to the comments section on each blog post. The bottom line is that if someone is abusive then I’ll delete the comment and likely ban them. I’ve already clarified what I mean by abuse and in blog comments it’s often insults or cheap shots without even an attempt to add something constructive to the discussion. I don’t have any moderation before a comment goes live because I want people to come to my blog and discuss the content there, but when the goal of the comment is purely to antagonise without adding value to the content then that’s it – it’s gone.

When I look back at how I’ve handled previous incidents of online abuse, there are times where I wish I hadn’t engaged. Perhaps the person was literally having the worst day of their life or had gone through a few too many glasses of the merlot or maybe they were just proverbially kicking the dog. There were occasions where my engaging with them didn’t work out well for either of us; for me because I wasted time debating with them when I could have been doing useful things, for them in various other ways which they likely now regret.

By pure coincidence, after writing this but before publishing, I read this about Robert Scoble:

Nasty comment about Robert Scoble

This is just nasty. I’d stop short of calling it abusive, but it’s the sort of behaviour that makes the guy look like a dick. No qualification of what it is about Robert he doesn’t like, nothing constructive or insightful, just a nasty comment that many people would find hurtful. That’s not out of the ordinary, but it’s Robert’s response that really resonated:

Robert Scoble responding like a pro - and a gentleman

And this is precisely the point: there will be whingers who for no apparent reason just want to rant. No matter how well-regarded you become at what you do (or perhaps because of it), this stupid behaviour will appear and you can’t help but feel a little bit sorry for the individual who resorts to it. I’m secure enough that I can happily ignore it and I’m not going to devote emotional energy to them which could be used to actually do good things.

Also, read both the cranky guy’s comments and Robert’s response – you actually come away from that with a greater respect for Scoble despite the original negative comment. In fact, for the vast majority of us, cranky guy has caused precisely the opposite effect to what he set out to achieve; he looks like a dick and his target comes out looking level-headed and having earned a new degree of respect from a bunch of people, myself included.

Here’s a question to ask yourself if you recognise your own behaviour in any of this: would you willingly approach me face to face at a conference and say the same thing? Would you look me in the eye and repeat the abuse with the same conviction as you do – often anonymously – from behind the keyboard? If the answer is “no” then think about how invested you really are in your views and if perhaps it’s something you shouldn't be saying in the first place.

Often these individuals are just exercising bravado that deserts them once they’re away from either anonymity or the perceived invisibility that being on the other end of an internet connection gives them. Their better judgement and common decency is put aside in ways it simply wouldn’t be were they not behind those veneers. But whilst they’re behind the “protection” of an IP address and feeling as though they have no accountability, there’s very little point in debating things; rational conversation is the last thing they’re interested in.

It’s literally a small fraction of 1% of people I interact with who decide to behave in this way and that’s likely representative of most people at the receiving end of this sort of behaviour. So for me – and this is my advice to others as well – the right approach is this: unless it becomes an issue you simply can’t avoid confronting, do your utmost to ignore it and move on. Angry or antagonistic people like an audience; better you don’t give them one and they go elsewhere to find it.

The best defence: go and do awesome things!

There will always be cranky people who just want to get under your skin. We’ve no doubt all had that in the school yard before and many of us have had it in the workplace too. Online is a different story though and one of the best possible things you can do is drown out the negative noise with positive things.

I can’t recall who I heard originally say it, but I distinctly recall a quote very similar to this:

You can’t remove all negative things about you from the internet, the best thing you can do is to flood the web with positive things

And that’s precisely what I intend to keep doing. In fact the abuse is motivation to go out and do great things that people love and want to share positive feedback about; more talks, more courses, more support for data breach victims via Have I been pwned – all of this makes the 99.x% of people I interact with on the web happy and that remaining fraction of a percent will simply need to accept that their abuse is being drowned out to the point where very often, I simply never even know it’s occurred.

Weekly update 5 (A380 edition)

Sponsored by: Barkly - Make security something your users actually care about. Download the IT Pro's Guide to Raising Security Awareness.

I'm on a plane! More importantly though, I'm on a plane home. I've had a massive few weeks and I'm now just hours away from getting home and seeing my family which makes me enormously happy. I thought I'd record this in-flight from London to Dubai for something different (although unsurprisingly, sound quality suffers) and I've just published it from the lounge here in the UAE (where my VPN is blocked...)

I've still done a heap since the last update though, packing out the time with travel, another workshop and a couple of conferences. Here's what I've been up to:

References

  1. Risky Business talks to Mustafa Al-Bassam (this is Tflow of LulzSec infamy - waylaid kid turned good)
  2. Reddit talk about how useful HIBP is (and people suddenly realise how far their data has been spread)
  3. I get some pretty nasty abuse online sometimes... (Troy McMooeyMcBaaBalls: woof OFF TROY. YOU'RE JUST A quack WHO THINKS HE KNOWS ABOUT SECURITY. STOP RIPPING OFF PEOPLES CONTENT AND woof OFF. NO ONE WANTS TO SEE YOUR USELESS FACE AT CONFERENCES. STAY THE woof AT HOME AND ROT. Grrrrr.)
  4. Sucuri is sponsoring this week's blog (give them a click, they're helping keep this an ad-free zone!)

Here's everything that goes into a massive international speaking trip

Sponsored by: Barkly - Make security something your users actually care about. Download the IT Pro's Guide to Raising Security Awareness.

International travel can look pretty glamorous from the outside and certainly it has its moments. But what many people don't tend to see (and indeed what's less interesting to share in 140 char tweets), is just how arduous it can be. So instead of just showing the good bits, I thought I'd jot down a bit more about just how much stuff I fit into one of these trips, my fifth (and last) big international one for 2016. If you think it's all fun and games or if you're just curious about what on earth it is I do, read on and do keep reading too because whilst it'll all start out looking nice, it'll inevitably have some very hard and probably very dark moments.

Here it is, all the good bits and all the bad bits captured candidly as they happen:

Day 1, Sunday October 2: Leaving home

A car picks me up from home just after 9am. Good time of day because I get to spend the morning with the family and don't have to start out at a crazy hour. One of the neat things about flying on Qantas business class tickets is a pickup and drop-off service which makes quite a difference. (Last year I wrote about how I justify more expensive seats and as you'll see, I maximise the space to do productive things.) It also means that right from the outset, I can actually get some work done:

I get most of a new data breach loaded into Have I been pwned (HIBP) which is pretty good use of the time. I try and max out every spare moment of travel I get and an hour here with internet connectivity is pretty useful.

I take carry-on luggage only as it saves a heap of time at check-ins and baggage claims, not to mention all the walking I know I'll do with full kit in tow. I travel as light as possible, but "light" is a relative word:

And yes, everything in there I need either as a primary piece of equipment or as a backup. With all that and a carry-on bag for clothes, I can go from the car to sitting in the domestic lounge in 5 minutes tops. Domestic? Yeah, I have to fly from Brisbane to Sydney first so totally the wrong direction, but flights from Brisbane to Europe either weren't available on that day or were ridiculously expensive so here we are. I wrap the data load up in the lounge and jump on a domestic flight, flying back over home as I go:

It's a one-and-a-bit hour flight so I can't do much by the time I have some lunch too, but I get more done on another HIBP breach:

Get to Sydney and it's a bus to the international terminal then customs then another lounge. It's the last bit of wifi I'll get for a long time.

Onto the big plane and it's A380 all the way which is nice. First class is also nice, but let me explain - I fly business class because it means I can work, sleep and make way more productive use of the time - there's a clear ROI for me. Lots of business class travel gives me lots of points... points I can't do anything with. Seriously, I've even stopped trying because I've never been able to use Qantas frequent flyer points to book a business trip where I need to leave and arrive on specific days with a few months' notice at most. I've even tried to book the whole family to Vancouver and back on economy (which is just fine for a family holiday), and that's enormously restrictive too. Flexible on days a year in advance? Maybe, even some domestic flights I can use them on but other than that the only thing I've been able to do with the points is spend them on upgrades and even then, I'm accumulating them faster than I can spend them. I'll return from this trip with more than I left with courtesy of what I'll still earn from the business ticket.

On the way to Dubai I get a bunch of coding done for a feature someone was after for HIBP plus get through a module and a half of editing for my next Pluralsight course. I always try and record a course before travelling as editing is a really good use of flight time (no internet, I'm bored anyway and editing is tedious). I take both my Lenovo P50 (I can't begin to tell you how much I love this machine!) and my Lenovo Yoga 900 because I've never been able to get enough power from plane sockets to charge them so I burn through the battery on one then roll over to the other:

I'm really careful on international trips to plan sleep: I figure out when I need to sleep to ensure I can acclimatise immediately at the other end. I take it easy on the alcohol and have herbal tea and a lot of fruit. I get about 8 hours of restless sleep which frankly, is pretty good.

Day 2, Monday October 3: Dubai to London

I get to Dubai after midnight and attempt to fire up Freedome VPN:

Oh yeah, the whole we're-blocking-vpns-so-you-can't-use-voip thing. It was fine when I went through only a few months earlier, but now it's no VPN for me. That means there's no way I'm RDP'ing into any important services or connecting via SSMS to HIBP (and yes, they have encrypted transport layers anyway but they're way too valuable to risk). There are various other ways around this, but with only an hour on the ground there's not much point.

The shorter Dubai to London leg gives me enough time to edit another Pluralsight module so that's almost half of the 6-module course now done. I get another 2 and a half hours sleep then breeze through customs and baggage claim (another benefit of business travel with fast track tickets and only carry-on luggage). This is the ROI I speak of in paying for better seats: I've arrived rested and having been pretty productive, neither of which I can do with my 6'5" frame in small seats.

Jump in a waiting car then struggle through London traffic as a strange orb normally foreign to the UK rises above the horizon:

I'm at the hotel by 9am and they let me check in early. I shower, then head straight out for the day. I've planned a massive walk and some stops to meet people because frankly, it's the best way of acclimatising quickly. Full on work starts the next day so the last thing I'm going to do is sleep at the wrong time for the new environment. Plus, it gives me a chance to head to Hamleys and buy my son something for his birthday, an event which I'll miss on this trip. I walk through the store with him on Facetime video and let him choose something that'll actually fit in my baggage (IMHO, a damn cool idea because Hamleys is awesome!)

Drone now in hand, I go for a walk to Hyde Park:

Then meet up with a company I've been talking to about various bits and pieces, have a coffee and a tour then some lunch. More walking, then coffee in the arvo with some Twitter contacts:

This is actually really cool doing impromptu stuff like this and meeting new people, something I really recommend if you're travelling somewhere new and have downtime. I'd been talking online with the Twitterers who came along and I've never had a bad experience catching up IRL with people like this.

By the time it's all done, I've had a good walk:

I eat at a normal time, go to bed just a little bit earlier than usual then sleep for 10 hours and get up at a normal time. This is invaluable - body clock is good! Anything remotely glamorous about travel ends tomorrow.

Day 3, Tuesday October 4: London workshop day 1

I'm up just after 6am for the first 2-day workshop of the trip (I'll do 5 in total). It's a repeat customer who I'd previously seen at another location in Jan and they liked it enough to run it again in London for other team members (I actually had to bring the whole trip forward a couple of days for this).

It's another rare sunny day in London:

And from here on in, it's pretty much business as usual which means a non-stop 8 hours of talking and running through the workshop:

I go for some beers with the attendees later on, get room service back at the hotel and then crash about 20:30.

Day 4, Wednesday October 5: London workshop day 2 and flying to Edinburgh

I'm starting a half hour early as I need to battle London commuters to get to the airport for a 20:00 flight. Frankly, this is about the most stressful part of these trips - rushing from one event to another where I have to make a flight or the next thing gets jeopardised. I've not slept great either - fine until about midnight but then tossed and turned for another 6 hours.

Workshop runs fine though, clearly those at the event are having fun:

As much as we have a bunch of fun in these workshops, I'm really glad to see people getting practical knowledge they can use in productive ways afterwards. I put a lot of effort into striking the right balance between engagement, entertainment and education.

We wrap up and it's tube then the Heathrow Airport Express train then security then lounge. It's about as easy as it can be (carry-on bags folks - that's the secret!), and I use train time to catch up on emails. Lounge time is to invoice the customer and again, work through email backlogs - there's no downtime. I'm extra conscious on these trips that if I start to fall behind, it's really hard to get back on top of things.

It's a short flight but it's 20:00 by the time I get on it and I'm fading. I don't want to sleep though as that starts to mess with the body clock and I'm still acclimatising. I watch some Breaking Bad on the iPad (re-watch it, that is) and stay awake. I get a tram from the airport then walk down unfamiliar dark streets on my own while towing my luggage and watching Google maps:

This phase of travel - the one where I've had a really long day then flown somewhere and tried to get myself to a hotel late in the day - is the most mentally taxing. It's just lonely and it's as far removed as possible from my family and home in the sun. By the time I get to the hotel and into my room it's 22:30. I'm seriously tired.

Day 5, Thursday October 6: Edinburgh talk then driving to Glasgow

I wake on my own at about 06:30 after an awesome sleep and feel really good. I need to rehearse the talk I'm going to deliver that day (all my talks get rehearsed multiple times), so breakfast is quick as is the daily family chat. By the time I do all that plus check out plus get to the event it's 10:00 where I have a press commitment. And then another one. And then another one. And with a bit of socialising as well it's already time to set up for my talk, which ends up going perfectly to plan:

Per the earlier link, these only go to plan because I plan meticulously. I do some more press afterwards (seems to be a lot of these folks at the event) and then take a bit of a break. I try really hard to get out and about as well during these intense times; I have to get away from things sometimes and just step outside. And wow - outside was awesome:

But this is a perfect example of what I meant in the opening of this post: that's an epically cool shot that looks great in a tweet, but it doesn't show how damn tired I was by then nor how absolutely non-stop the preceding three days had been. This was snapped during one short break before heading back to the conference. But before I did that, I also record my 3rd weekly update video, my first away from home:

I get just enough time to edit and upload the video after my walk then it's a conference dinner. There's always people that want to talk and believe it or not (and trust me, I'm still getting used to this), people that want selfies with me:

I keep it early because there's then a 1 hour drive to Glasgow (although fortunately done by my gracious host), check in to the 3rd hotel of the trip already and then a 22:30-ish bed. Long day but hey, at least I got some exercise!

Day 6, Friday October 7: Glasgow workshop day 1

Crap sleep. Tossing and turning from midnight to 05:30 when I eventually got up and I'm not sure why, but it means starting a bit behind the 8 ball today. At least being up early means time to catch up on a bunch of things. It's another private workshop today and I walk the 20 minutes to the office and get there by 8am.

This is a Friday / Monday workshop and I need to make an early departure on Monday to catch a flight so we've crammed more into this session. That means 08:30 to 17:30 and everyone's brains are pretty much mush by the end of it, mine included. So, we get beers:

It's great having social interaction like this; you have a lot of banter that wouldn't normally happen in the more formal office environment and it's fantastic for building lasting relationships. I'm also always conscious that it's very easy to have a few too many beers and really set back my sleep and overall health in a pretty intense work period so I'm out of there by about 9.

Day 7, Saturday October 8: Down day in Speyside

The organiser of the workshop is taking me up to Speyside for the weekend so think picturesque Scottish scenery and whisky. Normally I'd be either flying somewhere or amusing myself on a weekend during a trip like this so it's quite unusual. We head off on a 3-hour drive and I start to see how Scotland is pretty cool:

Highways are boring though so I write a blog post about Chinese data breaches and get some more data loaded into HIBP. Without wanting to make it seem like I never tune out, when I come on a trip like this I'm considering it work from the moment I leave home to the moment I get back so whilst I definitely have some downtime later on, I'm not passing up this opportunity to do something productive.

Speaking of downtime, we find a cosy spot later:

Also, I learn that trolling Scottish people is like shooting fish in a barrel :)

Day 8, Sunday October 9: Heading back to Glasgow

My son is having his 7th birthday party today. It's hard being away at times like this, particularly seeing video of my entire family celebrating whilst I'm on the other side of the world. That's the nature of travel though and it's very hard to work it around personal events like birthdays.

I go for a walk to console myself:

Then it's back to Glasgow again which means more hours of highway and some time to work away on the laptop. Connectivity is a bit dodgy on my tethered iPhone so I'm crunching through tens of millions of records locally within SQL Server running on the Lenovo P50. Every time someone tells you "oh, you don't need a powerful laptop, you just spin up a VM in the cloud", remember that there's nothing like being able to run queries on the metal using a Xeon processor and 64GB of RAM sitting on your lap without any need for an internet connection. I get a lot of stuff done on that trip :)

I get back to Glasgow around lunch, check back into the same hotel I left the day before then go for a wander. I've lost my only toothbrush and the one pair of jeans I brought have got a hole in them so both those are on the cards for replacement (the joys of travelling light). These are the sorts of things someone like my wife would never screw up but somewhere within my compartmentalised mind I've put them in the "not really critical" box where all the things I can easily fix on the fly go. I do get to see some nice sights though:

I get back and do a few hours of work, including parsing some more data breaches for HIBP and editing some Pluralsight. I've had a 14km walk today so I reckon it's ok to pop open a bottle of the home brew my host gave me (which was sensational!) and splurge on a burger:

I crash out early again because the coming week has the busiest schedule of the entire trip.

Day 9, Monday October 10: Glasgow workshop day 2 and flying to Copenhagen

It all starts to get a bit "Groundhog Day" here - same routine over and over again. Get up, hotel breakfast, walk to an office somewhere and do my security thing. It all goes totally fine with this one finishing a bit early so I'm off at 15:30 and being driven back to the airport in Edinburgh. I'm flying Ryanair this time and people have set the bar of expectation very low but right up until getting onto the plane, nothing has gone other than perfectly smoothly:

And then I get to my seat... which is actually fine! Ok, it's not first class Qantas but it's right up the front on an aisle so even my long legs have plenty of room. I even wrap up a bit of cloud scaling after loading the Chinese NetEase data into HIBP:

I hit Copenhagen and get met at the airport by the workshop organiser and taken to the hotel. This is now the 6th time I've checked into a hotel already and it's only day 9. Fortunately, it is awesome:

There's a big lounge room, awesome bedroom, massive bathroom and big stone bath, then there's the rooftop; day bed, spa and a view over Copenhagen. I'm torn because on the one hand this is clearly awesome, yet on the other hand I'm there on my own without my wife, and there's going to be a very small number of hours where I'm actually awake in the place. Again, all this stuff can look epic in photos but the truth is frequently very different to the mental picture people form.

Day 10, Tuesday October 11: Copenhagen workshop day 1 and .NET user group

It's the halfway point of the trip. It's also my son's birthday. And I'm not there. I have a good chat to him on Facetime, but it's hard being so far away:

I spent most of my teenage years living overseas away from everyone but my immediate family. Dad was a pilot which meant not just the half decade on the other side of the world as a family, but him frequently being away on birthdays or at Xmas or other times families traditionally spend together. But you make it work in other ways and I suspect that's shaped my tolerance for not always being with my family when I'd like to be. Other people would never be happy doing that and I totally get why.

I head up to my rooftop, first lamenting never getting to hop in the spa then snapping off a quick pic:

I head to breakfast to catch up on some backlog. It really is an awesome hotel; very Nordic yet somehow warm and cosy so I'm writing this by candlelight in the dark Danish morning:

More than anything though, I just appreciate having quiet time where I can do my own thing, even if it's fleeting. I'm met at the hotel and then it's off to the workshop. Same deal as usual, same old spiel and fortunately, the same levels of enthusiasm from everyone. The day goes flawlessly and it's always great to see feedback like this:

I'm starting to feel run down though. Just a bit tired, a bit congested and feeling like I need some downtime. But that's not happening tonight, instead I'm doing a presentation to the local .NET user group:

The talk is the same one as I've just done in Edinburgh so at least preparation was simple. It's a user group in an auditorium within a university and it's a lot more casual than a formal talk you've got a limited time for so I embellish a bit. It goes for about an hour and then I spend another hour answering questions from the audience:

That goes great and I head back to the hotel with a few folks from the event when there's a suggestion of a local craft beer place. I'm tired, but I want to feel like I get to see at least a little bit of Copenhagen and spend some social time with people so two of us head out. The beer is rather sensational :)

Back at the hotel, I'm walking to the lift and the barman suggests I should really try some wine from a bottle he's just opened. I hesitate, then notice a sign which makes a lot of sense:

I don't know that I've ever just sat at a bar and talked to a bartender before, but he was a lovely bloke and we talked a lot about travel. Zero cyber-talk or what I was doing there and that was just fine as it was nice to tune out for a bit. I still got to bed around 22:30 which was ok and I got a great sleep in my awesome room.

Day 11, Wednesday October 12: Copenhagen workshop day 2 and flying back to London

First things first - check this out:

This was such an awesome little gift, particularly from the home of LEGO! Little things like that really make your day so I'm happy. The hotel also gives me a bunch of organic shampoos and things in a goody bag as they're a very alternative sort of setup here. Unfortunately, large bottles of liquids don't mix with carry-on baggage so the workshop organiser's wife has done quite well out of my stay.

The workshop runs fine and I leave 30 happy participants:

Train to the airport, breeze through security and definitely feeling tired by now. Fortunately, Copenhagen has an awesome airport with lots of good healthy food which was just what I needed:

When I checked in earlier I upgraded my ticket for a small fee (seems quite cheap if you do it late when there's spare seats), so I got to relax with a heap of room and eat a meal once I was on the plane. But that was the end of luxurious experiences for a while...

I train it into London from the airport via the Heathrow Express which is pretty awesome then wait at a lonely tube stop in Paddington:

This is the part of travel that starts to get depressing; late nights, tired from the day and strange - or no - faces. I don't think this train has been cleaned since the great depression either:

By the time I get out of the tube it's after 22:00. Problem is, I can't find the hotel. It was on the map and I'm in the right location, but all I find is a door in a nondescript wall. But there's an intercom so I buzz and am let in. I walk up a narrow, steep staircase into a tiny reception area and realise that yes, I'm in the right place. The receptionist explains that my room is downstairs... in the cafe. She leads me down and back out the front door then along a few meters to another locked door which is indeed a cafe. We walk past all the tables and chairs, past the kitchen and through a "private" door. I'm in room "C" which I suspect they named after "cramped". Or "cooped up". Possibly "can't believe this is the room", who knows.

I definitely don't expect a standard like I'd just come from in Copenhagen, but I was pretty unimpressed. There was no desk to work from, no window (there's a blind with frosted glass behind it), no phone and definitely no room service and as I later discover, no iron for the shirt I need to wear the next night.

I'm seriously missing home by now and frankly, I'm a bit over it all.

Day 12, Thursday October 13: London workshop day 1 and Pluralsight dinner

At least the room was quiet, other than the random buzzing that went off in the wall several times during the night, including at 05:30 which ended my sleep for good. I walk crookedly through the bathroom door, not due to the lack of sleep but because I'd hit my head on the low frame otherwise. Shower and grab an old fraying towel then have a quick chat to the family (they're beginning to feel less envious of my "glamorous" travel now).

Now here's the other problem: this workshop only has 6 people in it. There are various factors contributing to this which are all totally upstream of me and out of my control, but I'd normally have 5 times the number of people and unfortunately in this case, I'm paid based on profit share. Almost every other training event I do is a flat rate (those attached to conferences are the exception), which means that at least financially, attendance numbers have no impact on me. But this one will really bite and I'm as frustrated about the low turnout as I am about not using my time as efficiently as I could have.

But more importantly than that, 6 people have paid to come and see me talk for two days and above all else, they've gotta love this workshop. I still need to deliver the best possible experience to them and if there's one thing I never sacrifice on with work, it's quality.

Moving on, at least the coffee in the cafe-thoroughfare-to-my-bedroom is good and the workshop facilities are literally over the road. All 6 people show up too and despite the circumstances, I'm happy with how it's all gone. A couple of the attendees weren't very strong in terms of web programming ability (we do a bit of HTML and JS), so I pair people up which works really well. I must think about this more for the future; I first paired people in the US a few months ago during a private workshop where there were 50 people and I wanted to keep the number of machines down so I could spend more time with people. For all the same reasons pair programming works well, pairing in the workshop makes a lot of sense; collective problem-solving, learning from each other and the exercises run a lot faster too.

We finished at 17:00 and I'm chairing a dinner put on by Pluralsight at 18:00 for some CISOs and other security bods they have relationships with in London. I brought one shirt with me for this event but I can't iron it because, well, let's not get into all the things this hotel room doesn't have again. I walk 20 minutes to the event which fortunately, is in a nice spot:

Seeing friends from the company is really nice after the way I'd been feeling since arriving in London. It's always awesome seeing Pluralsight folks across the world whether they be staff or authors like me; there's a great comradery and for an event like this where I'm turning up to face enterprise customers, there's a sense of really being wanted. In fairness, workshops feel the same way too, but this is a welcome change from something that's rapidly becoming repetitive.

I finish up dinner and snap a pic of the hotel as I arrive "home", lit up in all its glory:

I enter through the locked cafe door hidden behind the stall in the foreground and enter the deserted cafe:

The door at the end of the hall leads to several rooms and I squeeze into mine, tired and a bit fed up. One week from now and I'll be on the plane home then shortly after, sitting in the sun in a place I love. I need to remember why I'm doing this, and having the life I have back home is a big part of it.

Day 13, Friday October 14: London workshop day 2

I wake to a message from my wife saying my son has hurt himself. There's a photo of his chin with a big split in it and blood everywhere. I call her but they're in the hospital and he's just about to get stitches so she can't talk. I check my email while I'm waiting for her and see a thread of problems relating to maintenance issues with the house that could have been pretty serious. It's made things really hard on my wife and now she's got an injured kid as well. This is the part of being away that really sucks and any remaining gloss that was on the idea of international travel is well and truly gone.

But these are all minor road bumps in the grander scheme of things and as much as they can distract you in the short term, you can't let them cause you to lose focus. Kids get hurt, stuff in the house breaks and so long as everything is fixable, let's move on and work on the things we can actually influence.

Back to day 2 of the workshop and it goes like clockwork. I do find myself embellishing a bit more as I do more of these and there's more news and other related stories to talk about. I'm spending a lot of time talking about Cloudflare in the HTTPS module I run not just because they do some very cool stuff in this space, but because their model raises many other interesting angles on the topic. For example, sites not protecting traffic back to their origin and being MitM'd (the Pirate Bay kerfuffle with Airtel in India is a great example), how we need to tackle the price and logistical barriers to going secure by default and who you should and should not trust to handle your traffic depending on your class of site (I question the logic of TPB using Cloudflare). I also talk a lot about defending against attacks by dynamically implementing firewall rules in Cloudflare when abuse is observed. If I'm honest, I'm a bit proud of myself with how well this model is working and people love seeing all the mechanics underneath the implementation. I'm happy to show and discuss things in a private setting like that which I tend to keep out of the public eye too and it's very well-received, but it does tend to eat into my schedule.

We wrap up and I head back to my hotel (just one more night...) then work on some HIBP features for a bit. Anywhere else and I'd be tempted to just order room service and chill out, but obviously, that can't happen here. Instead, I head out for a walk:

I grab some BBQ and wander around. It's pretty down near Tower Bridge and it was a good idea to get out regardless of the desire to escape the hotel. It also gave me a great spot to head back to the following morning; I haven't recorded my weekly update video and I really would like to keep them up. I've just gotta spend one more night in that hotel first...

Day 14, Saturday October 15: Leaving London and heading to Zurich

I'm up just after 06:00. I don't have to be, my flight isn't until midday, but the sooner I'm up then the sooner I'm out and I can focus on new things rather than lamenting the last couple of days. I head out with suitcase in tow and walk back to Tower Bridge (did I mention the importance of carry-on luggage already?). I'm there around sunrise and it looks sensational:

Now I know I post a lot of awesome Aussie sunrises, sunsets, sunny beaches and so on and so forth and I admit, I do enjoy the reactions to them (particularly from my UK friends), but surely this buys me back some kudos with the Brits, right?! It really is gorgeous and it makes an awesome backdrop for my fourth weekly update:

It's also a good spot to Facetime with the family so they get to see a bit of it. I think back to my teenage years overseas just before the internet and with no way of communicating with family short of very expensive phone calls or faxes (yes, faxes). Every time I'm away and I can actually look at my kids I think back to that and remember how fortunate we are to have the tech now, even though one of the kids looks a little banged up :)

Off to Heathrow, and I love this:

So simple, but just enormously effective. I find the first class British Airways lounge (a perk of having a ridiculous amount of travel on Qantas and partners) which is a pretty bloody welcome change of style from the last few nights. The flight itself has me right down the back but for less than 2 hours, I really don't care, I just zone out and watch some TV on the Yoga 900 (it's an awesome screen for this sort of thing, much bigger than the iPad and folds open like a tablet so you can use it on take-off and landing).

Into Zurich, train it to the city and definitely find myself in the right place:

The hotel is close... and it's fine. It's certainly not Copenhagen levels of fine, but it's a proper hotel and whilst it's a small room, I've got a desk and all the usual facilities you'd expect. I catch up on a few emails and other bits and pieces then head out for a walk. Zurich is nice:

I sit by the water for a bit and chill, but what I like even more than the visuals is the audio - there's a cacophony of very nice cars in this place! Ferraris, AMG Mercedes and a heap of high performance BMWs. Music to the ears!

I grab some dinner, but it's another lonely affair:

It's also expensive - spaghetti and a glass of wine is over $50 Australian which is kinda nuts. I walk back to the hotel before 19:00 and see two separate incidents of drunk English tourists getting into fisticuffs within 60 seconds of each other, both spilling claret on the cobbled Swiss streets. Nothing like a cultured European holiday...

I manage to rack up 15km of walking for the day which I'm happy with, but I should smash that tomorrow when I have a whole day off all to myself, the only one of the trip without having to be anywhere or travel to another location. Now that's luxury!

Day 15, Sunday October 16: Epic Zurich walking tour

Pro tip: if you want to sleep in, don't leave your alarm on. So yeah, up at 06:30 but it'd be highly unusual for me to sleep longer anyway so I'm not too upset. I spend a few hours attending to the usual electronic things, most of it while sitting in the hotel restaurant enjoying coffee and breakfast.

I head out just after 10:00 with a fog hanging over Zurich. I've got nothing more than a vague idea of where to go, but I head off and snap pics of anything interesting along the way:

It's going to be a big day distance wise, but it's also a day off and I want time to chill which means finding some nice sunny spots and just enjoying the place. I've got the Yoga 900 in my backpack too should I want to actually do something productive so I find a nice little spot to jot down some ideas:

And I did genuinely use that walking time to work on ideas too. I've had something in mind for HIBP for some time which I just haven't been able to properly position, but I reckon I've got it right now. I write it all down for later sanity checking and also manage to drag out an old blog post I've wanted to get out for a while and prepare this (I post Here's how I handle online abuse the following day). As much as I want to "tune out", I also like enjoying these quiet times to do the things I never seem to get around to while feeling rushed.

I eat in a nice little spot in the sun by the water then head back towards town to catch up with "someone from the internet". As with London, this is always a really nice way to meet local people and also as with London, it's a very positive experience and really adds to the trip. He takes me to a great local spot with a pretty epic view:

I head off for more walking, passing a pub with some rather tasty looking beers. I walk past... damn, they did look pretty tasty. Really tasty and I have had a lot of exercise today...

By the time I'm all done, I've covered over 25km which I reckon is a pretty good effort:

I've grabbed a salad along the way and a combination of lack of forethought and a relatively spartan hotel means eating it with my fingers. Such is my "exotic" jet-setting life.

Day 16, Monday October 17: Zurich workshop day 1

Back to work and the usual "breakfast with emails" routine. I'm met at the hotel at 08:00 and we wander out into the dark, misty Swiss morning. Train, setup at the office and then it's business as usual:

And it is usual - there's about 30 people in the room and we kick off the 5th and last workshop of the trip in tried and trusted fashion. Everything about the day went to routine which is just fine, but I find myself continually having to remember whether I've shown certain things already or made particular jokes or said other things which could easily have been said in a totally different workshop. Or this one. I'm not sure because I'm going through the same routine over and over again.

That night - cheese:

A bunch of people take me out for dinner very close to the hotel (big tip from me - having events close to the hotel is awesome as I get to chill for a bit first), which is just a great night out. It's one of the most enjoyable evenings of the trip, just nice people and relaxed conversation.

They also had a much healthier gender diversity than most places. Still far from where we'd all like the industry to be, but well above par and it does make a positive impact on the views and perspectives that are shared not just at dinner, but throughout the workshop itself too.

Day 17, Tuesday October 18: Zurich workshop day 2 and train to Luzern

We're starting an hour earlier so I can get out earlier and head to the next event. I'm up at 05:45 and in the office setting up before 08:00:

Everything goes to plan, but by midday I'm tired. Really tired. I didn't have a late night or a lot to drink, but I'm conscious of how hard I've been pushing it for the last 2 and a half weeks. I don't feel so much run down or unwell, more that I'd just like to lie on my couch and watch movies for the afternoon. Clearly that's not going to happen but I'm now pretty actively counting down the days and hours until I go home. In my mind, I've gotta get through until the end of tomorrow night when I'll be in London again, talk there then I'm done. I've still gotta get to Luzern later in the day and speak at an event there tomorrow, but that doesn't help my mind trick of convincing myself that I'm almost done!

Regardless, I power through the day with some help from a couple of strong espressos (don't make a habit of this folks, it's not good for you in the long run), and get out a couple of minutes before planned close at 16:00. Brisk walk to the train station and the 16:04 back to the city is approaching. I try to buy a ticket from the machine but the train is here so... I figure I'll talk myself out of it if a conductor turns up: "Crikey, I needed a bloom'n ticket? How many dollarydoos is that?". But no conductor so a free 11-minute ride is all mine.

Back at Zurich station, I catch up with Scott Helme. You may remember Scott from such episodes as "let's hack his car and turn on the heater while he's freezing his arse off in England and I'm chilling by the pool":

I'm conscious by now that I don't even know if I'm going to Luzern or Lucern. Or is it Luzerne? I'm literally at the point where I'm just following TripIt instructions and not worrying about the details. As such, I'm happy just to follow someone who's a bit clearer of mind.

It's nice catching up with a friend and being able to cut through the small talk. It's a one hour trip but it absolutely flies and we're off before we know it. We have a quick walk through what turns out to be a very picturesque little spot:

Check into the hotel, up to the room... and it stinks. It's really smoky and I honestly walk out and back in 3 times just to make sure I'm not imagining it and it isn't some weird Swiss air freshener or something. Nope, it genuinely stinks and while I'm here, what's with all the smoking in Europe? It's par for the course in a developing nation like China or Indonesia, but it always surprises me when I'm back in an otherwise very developed part of the world and people are puffing away, especially when you're sitting outdoors in a nice cafe and it's wafting over from the table next to you.

Anyway, unhappy reception phone call, back downstairs, new room. I have literally 5 minutes (maybe 6) before I need to meet up with Scott and head out for the Swiss Cyber Storm conference dinner.

It's a casual dinner for the event with lots of unfamiliar faces. Many events I go to are frequented by the same folks, both speakers and delegates, but it's all new here. Still, there were a bunch of really nice folks there:

And as with other stops along the way, there was the selfie:

Wandering home, I get a bit of a sense of just how pretty it is here:

Day 18, Wednesday October 19: Swiss Cyber Storm talk and flying back to London (again)

I've had a crap sleep. Really crap. Couldn't fall asleep in the first place so ended up popping the first sleeping tablet I'd had since arriving then woke up at 03:00 and tossed and turned until 05:00. I get up anyway as I'm meeting Scott for a 06:00 breakfast so we can head out and see a bit of Luzern before the event.

It's dark on our sightseeing tour, but it's also pretty awesome:

However, whilst walking around I talk to my wife. Son's stitches can't come out because he's having a reaction to the tape on his chin so the stitches have to stay in for a bit plus he's got conjunctivitis so now needs to be off school for the remainder of the week which means she's looking after him. It causes other complications as well, not least of which is her having to battle the traffic during the Gold Coast 600 which causes major delays around our house and she'll need to deal with it again tomorrow when the doc tries to take the little guy's stitches out again.

By the time I get to the conference centre where I'm speaking, it's finally getting light but I'm heading into a windowless auditorium. I get everything set up - on the stage, video perfect, audio perfect and the lot tested back to back over and over again. Everything is set to be perfect...

Then I get called on stage late. Then the video doesn't work. I'm standing in front of hundreds of people and only half my screen is visible. I'm mucking around with resolution and trying to make it all good whilst also trying to get the attention of the AV guys. There's nothing I can do but wait, so I'm making small talk with a darkened room of people that's more corporatey than my usual audience. Eventually though, it comes good and the show goes on:

It's quite a different audience to usual and I don't sense quite the same levels of engagement, but it might also be a more demure Swiss social norm. Regardless, from the feedback I do get (especially verbally afterwards), people are happy:

I get a chance to see John Matherly talk and for those who don't know him, John is the creator of Shodan, the search engine for the internet of things. Shodan often features in data breach and other related security stories as people discover all sorts of connected things that should never be there (MongoDBs with no authentication, for example). Scott and I catch up later with John and have a good chat; it's genuinely interesting work he's doing. The gears in Scott's head are obviously turning as he thinks of possibilities and this is one of the great things about events like this: exposure to other really smart people during casual conversation that gets you thinking about things in ways you never have before.

I'm out mid-afternoon, pick up bag, train station, airport, hang around for a couple of hours (finally get some more Pluralsight edited), on the plane and into London City Airport (so much better than battling Heathrow):

I grab a cab for the short ride to the hotel (I'm totally not up for working out trains by now), and then - for reasons beyond all logic - have a taxi driver that decides he can't take a credit card. FFS - you pick someone up from an international airport and then you can't take a payment with plastic?! It's such a minor thing in the grand scheme of life but the continued logistics of travel are really weighing on me. The hotel pays and bills me then I collapse into the tenth bed I've slept in since leaving home.

Then I realise that I really should run through this talk and get my timing down. It's a 15-minute version of the one I did in Edinburgh, Copenhagen and Lucerne which means a lot less slides and a very different pace. It's late, I'm tired, I've been going all day but I've just gotta do this one last thing...

Day 19, Thursday October 20: WIRED Security event and flying home

Up just after 5 but hey, it's the last day! I want to run through the talk again, catch the family, grab breakfast then get to the event by 07:45 where I'm having a breakfast catch-up with a bunch of people. Unfortunately, the laptop hasn't been on the charger (thank you dodgy international power supply adaptor), and I'm not sure when I'll get to add juice before tonight when I'll really need the power on the plane. But it's just one of those things that I need to put aside so that I can focus on the important issues of the day.

I get a drawing from my daughter while having breakfast:

It's been extremely hard being away, but I'm at a point now where I've made the mental switch to "I'm about to go home" so it doesn't pull at the heartstrings like it would have a few days ago.

I take a short 10-minute walk, leaving the last hotel of the journey and enjoying the last of the glorious British weather as I go:

I arrive at the event which is very slickly organised. Very well-dressed people here too, making even my best t-shirt look a bit casual. It's the financial district of London so I guess it's to be expected and frankly, by this stage of the journey, it doesn't bother me in the least.

So, the event turns out to be awesome. Not just very well-run, but a cast of really top-notch speakers with genuinely interesting things to share. People like Jamie Woodruff who had a great talk on social engineering (not theory, stuff he'd actually done), Moty Cristal who talked about negotiating ransoms demanded by adversaries who'd breached companies (the guy is an Israeli hostage negotiator - he's seen things!) and Mikko Hypponen who I've spent a bit of time with in the past and really admire as a speaker.

Then there was Mustafa Al-Bassam, a quietly spoken bloke probably better known for the things he did as a member of the hacktivist group "LulzSec" a few years back than the positive things he's doing today. I had a chat with Mustafa after his talk and more than ever it struck me how so many smart kids find themselves at an infosec crossroad. He was only 16 when he and his cohorts were wreaking havoc and by any reasonable measure, deserved some serious repercussions as a result of their actions. Where the US in particular is throwing the book at people under the CFAA (listen to Lauri Love for a great example), Mustafa has faced penalties and moved on to become a smart, articulate and positive influence on infosec (he's presently undertaking a doctorate).

I do more interviews and then finally, there's my last formal commitment for the trip:

It goes flawlessly and there's a massive relief from having now made it all the way through with no mishaps. WIRED runs a really slick event and they have a full story on my talk published within a couple of hours, including a snippet of video from the talk:

I spend time talking to a heap of different people afterwards which frankly, is the real value proposition of these events. People. Connections. Discussions which would never happen online, at least not in the natural, organic way they do at face to face events. Plus, selfies:

This event has been absolutely spectacular; run with precision, fantastic talks, engaging conversation with delegates - I'm happy - this is the perfect ending to the trip. Come 18:15, it's time to play everything back in reverse from when I first arrived in London 2 and a half weeks ago, starting with the car:

The traffic is atrocious. It's going to take about an hour and a half to get to the airport but right now, I couldn't care less. I'm comfy and I'm not having to think. There's been a bomb in a tube station (or at least "a suspicious package") which has caused chaos that seems to be flowing over onto the road. The driver also seems to be having trouble seeing more than a couple of car lengths in front so he's on and off the gas like a crazy man.

Main thing is though that I'm at the airport with heaps of time to spare, fly through the check in and all the security bits and hit the lounge. There's massive relief to finally be done, but I'm ridiculously tired too. Take-off is about 22:30 and I'd normally be in bed by then at the best of times, let alone after the early start, long day and yeah, all the other stuff. I struggle to stay awake on the plane but I want to stay up long enough to eat. I sneak in one last weekly update video first though:

I kill a bit of time waiting for dinner, attempting to read some news via the in-flight wifi. Thing about wifi on these Emirates flights though is that there's barely enough of it to even send a tweet:

By the time I get to sleep, it's 01:something back in London. I think. Who knows, any sense of time is about to be thrown out the window anyway.

Day 20, Friday October 21: Landing in Dubai and leaving for Brisbane

I don't know how much sleep I got on the near 7-hour flight, but when I was woken up a couple of hours before landing for breakfast I was in total sleep-deprived zombie mode. I honestly can't remember ever having woken up this tired before. It takes me a good 5 minutes just to be able to sit up and focus my eyes let alone actually feel like eating anything.

I'm into Dubai just after 08:00. The wifi is frequently pretty awful in the airport plus per my tweet on the way over, there's no VPN allowed. I want to get the weekly update video I mention above loaded so I chance it relying "merely" on YouTube and Ghost's SSL (which is there for precisely such occasions when you don't trust the connection anyway...)

I've got a couple of hours in the airport before the next flight which means catching up on things again. The easterly journey home is always tedious because of the two short nights you endure; it breaks your sleep and I find it much harder to recover. I read a good piece recently which explains the science behind why this direction is worse and whilst they talk about the longer circadian rhythms being the root cause (and I'm sure that's a part of it), the more disrupted sleep pattern is what really gets me.

Regardless, I get a bunch more Pluralsight editing done once I'm back on the plane until I'm having trouble staying awake again. By this time, it's starting to get dark and in an attempt to acclimatise myself to the changing time zones, I try to sleep. I'll take a melatonin tablet about an hour before attempting to sleep for the next few days which is meant to be a more natural alternative to full on sleeping tablets and helps get you back into a normal sleeping cycle (at least in theory). Probably a combination of that and how massively tired I was to begin with helps and I get maybe 6 hours.

Day 21, Saturday October 22: Arriving in Brisbane and then finally home

I awake with a start and I kid you not, I was having a dream about security. In fact, it was about someone breaching my own physical security at home and stealing digital content which is pretty much a nightmare in my books. But oddly, the dream was clear enough that it focused on very specific things I've been meaning to do for some time and I reckon if I'm now having nightmares about them, I probably should get onto that.

I get back into Pluralsight and almost manage to finish editing the entire course before touching down. I'm literally editing the last clip of the course (there are 30 in total), so I'm pretty happy that I've managed to fill all available "down time" with something productive.

As when I left home, Qantas provides a pickup service so I'm out quick and in a waiting car on the way home. Particularly after being away for so long, fast-tracking it home is awesome. It also gives me a chance to have my scheduled monthly meeting with my Pluralsight editor. I'm conscious this seems like I might be overdoing it to jump straight off a tiring flight into a meeting, but it's a commitment I like to keep and the timing is perfect given this latest course is as good as done. While I'm talking, my wife tweets me:

I've said it before in How I optimised my life to make my job redundant, but the support of your partner is critical for this sort of thing. I've seen the stress it can put on a relationship when your goals and expectations aren't aligned and it can be enormously destructive. I do what I do with the full support of a loving wife and we make decisions about travel like this together.

And then I'm home, far away from lonely airports and strange places, unfamiliar beds and cloudy skies. After seeing my family, the first thing I want to do is one of the simplest: sit down in the peace and quiet and have a good coffee:

Post mortem

Let me point out something that I already knew, yet it became all the more apparent in reading back through this: notice how I've only tweeted photos of awesome things but amongst these are private moments that were sometimes really pretty unpleasant. We all do this - share the positive things on social media - but I really want people to understand just how tough going it was in amongst all this.

I've stayed in 10 hotels and taken 10 flights consuming 54 hours of flight time (that's not including all the waiting time and transiting before airports). I've missed my son's birthday, not been there when he's been injured and left my wife to deal with the lot for 3 weeks. And here's another thing that came as a surprise to many people when I wrote about online abuse last week: I didn't get paid a cent for any of the conferences or user group talks. Yes, people pay to attend conferences and no, tech speakers rarely receive anything. In fact, if you look at the comments there you'll see that some don't even get their expenses paid.

There's one other important thing I elected not to record as I went because I didn't know if she'd want it shared publicly, but given she's blogged and tweeted it I can share it here:

Kylie has had to deal with chronic back pain since Jan when, coincidentally, I was also away in the UK. For the fifth long trip this year, she's had to balance the pain with not just all the household duties every family deals with, but do it solo and whilst in pain. We still made the decisions for me to travel when I did with this in mind and looking back we wouldn't have made the decisions we did any differently, but her condition certainly added to the emotional strain on both of us and definitely added to the physical strain on her as well. I'm finalising this blog post two days after arriving home and I'm very happy (and massively relieved) to say that the operation she had this morning went perfectly. I'm now looking after the kids for the rest of the week while she recovers in hospital so there's definitely no lying around to get over the jet lag (I've been up since 03:00 this morning).

Having said everything about how tough it was being away, on the flip side of it all I've done well from the commercial workshops and that affords me more choices now that I'm back home. That'll mean regularly taking the kids to school and day-care, being there every time they play tennis and having lunch with Kylie each day. I suspect that many people would not willingly trade places with me given the family sacrifices involved, but this is a balance we have consciously decided is the right one for us.

I've now got a few months to do what I normally do from home which will mean more Pluralsight, working on HIBP, some local events and workshops and spending time writing about what I genuinely enjoy on this blog (I've a number of more technical pieces already in the works). Plus of course just generally looking after both Kylie during her recovery and myself whilst trying to get back into a more sustainable, healthy lifestyle, although I did actually manage to lose a kilogram whilst away despite the Swiss fondue (put it down to all that walking)!

I hope this has been an interesting read, I'm sure there will be those who both love and hate it for various reasons. If nothing else though, it's candid and honest and I hope it gives the reader some insight into what goes on behind the shiny travel tweets.
