This is the transcript of the interview with Troy Hunt. You can find the full interview, video, audio and infographic here.
Vladimir: Hi everyone, my name is Vladimir Pecanac and I’m an author and the founder of the Code Maze blog. My guest today is a Microsoft Regional Director and Most Valuable Professional for developer security, a family guy and a prolific author on Pluralsight. He also blogs a lot and attends conferences all over the world and still finds the time to have a personal life and play tennis with his children (Troy laughing). It is my great pleasure and honor to talk to the one and only Troy Hunt. So Troy, welcome, nice to have you with me today.
Troy: Thanks Vladimir, we should tell people I had to, I didn’t realize, I don’t know I had something in my calendar and I knew we are gonna talk and I forgot that it was gonna be recorded. So I had to come home from a tennis court and I am still like sweaty and puffing and tired. So we’ll see if I make any sense.
Vladimir: Yeah, I’m sorry about that. I should have mentioned that we’ll be recording.
Troy: No, no, no it’s ok. We’ll manage.
Vladimir: (Vladimir laughing) So, have I missed something in that elaborate intro? Do you have something more to add? Maybe …
Troy: Did you mention the “Have I Been Pwned”?
Vladimir: I don’t think I have. Maybe you should.
Troy: Ah, oh right. Alright, right so yes all of the things that you’ve said and the creator of “Have I Been Pwned” another breach verification service, which has become surprisingly popular. So (Troy laughing) that is that as well.
Vladimir: So “Have I been pwned” was your pet project, to say it like that and then grew up to be something entirely else. So what do people do when they get to “Have I Been Pwned”? How do they use it?
Troy: Well they go to haveibeenpwned.com and they enter their email address and then it comes back and it tells them all the websites that they have been breached in and then they cry for a little bit (both laughing) and then they figure out, hopefully, they figure out that is actually very important to have unique credentials on every website. So, what I’m really trying to drive people towards is using a password manager. So, “Have I Been Pwned” is sort of interesting for knowing where you have data exposed, but the real impact I hope it makes is that people improve their online hygiene, their security hygiene and honestly the best way to do that and really the two best possible things that people can do after finding themselves is to get a password manager. I’ve used “1password” for years, the program “1password”. I don’t just use a single password (Troy laughing), so I use the program called “1password” and turn on two-factor for multistep verification, or whatever they like to call it on every service. And if we can get just more people doing those two really simple things, we’d make a really big difference to online security.
Vladimir: Yeah, so you’re trying to raise awareness in people’s minds of where they put their passwords to and that even the biggest websites like Dropbox and LinkedIn can get hacked at some time?
Troy: You’re right and to be honest it’s almost a bit contradictory to sort of say “Be aware of where you put your passwords” and then say “Yeah, but even the biggest services get hacked!” you know, because some people might say well if the site doesn’t look trustworthy, then maybe I shouldn’t use it. But if it’s LinkedIn, you know or MySpace or Dropbox. Some of these are some of the biggest web assets in the world. You can’t reliably make a decision about how the site is going to protect your credentials, just based on how familiar you are with it. So we always have to sort of work with this assumption of, we’re using services which may one day be breached and we as normal everyday consumers of these services need to be resilient to that.
Vladimir: Yeah, I completely agree. I’ve been guilty of using my passwords all over the place and when I got a bit more aware of the consequences of that I started using different passwords. And it’s pretty strange that people are using passwords like admin1234 or something like that. I heard that there is even a list with billions of passwords circling around lately, so …
Troy: Yeah look, we’ve seen a few of these lists. There was a lot of news in December about a list of 1.2 billion usernames and passwords. What that was, was someone consolidating their credentials from many different breaches and consolidating it all into one single collection of email addresses and passwords. And really the reason why that was newsworthy and the reason why it is worrying is because there’s a lot of usernames and passwords in there which will work on many different systems. So, because of password reuse we see people logging into other people’s say Gmail accounts or their bank account or something totally unrelated to where they originally had their password exposed, but because it’s the same password, well it works in other places.
Vladimir: Yeah, that’s a pretty tough problem for most people. So (Troy agreeing), I think your website will help raise awareness about that. And I’ve even found one of my emails from MySpace and I don’t even recall registering for MySpace ever, because I haven’t used it. (laughing shamefully) So …
Troy: Well this is also the problem, right. Like we have been online for many many years and there are so many places where you need to create accounts, even to do simple things that there’s no way you’re going to remember all the places and ultimately that the reality that we all have to face, is that our data has been exposed many times over. Many times we don’t even know about, that “Have I been pwned” doesn’t even know about, because the site owners don’t know about it (Vladimir agrees). And it could have been a service that you’ve signed up to ten years ago and something you might have used once. So, it’s you know we have a very, very long trail of digital footprints.
Vladimir: Yeah, okay. So that’s about that. We won’t go any further. I think it’s pretty clear that people should care about their passwords a lot more. And let’s go on. One thing I think we haven’t mentioned… You live in Australia, yeah?
Troy: Oh, yeah (Troy laughing).
Vladimir: I forgot to mention that, but your accent is giving away your location in the world.
Troy: (Troy laughing) Yeah, it does give it away. And for anyone who thinks my accent is British, no no it’s not.
Vladimir: No, it’s similar, but you can tell (Troy disagrees amused). So, how do you cope with living upside down most of the time?
Troy: I cope very well with it (Troy laughing).
Vladimir: Do you use some glue to put on your shoes or something? I don’t know how…
Troy: There’re actually conspiracy theories out there that think Australia does not exist and that it’s all made up (Vladimir laughing). But no, look, it’s real. You know I spend a lot of time traveling as well. So I spend a lot of the year overseas and I get to, sort of, see other ways of living. I’ve lived overseas a lot myself as well. So it’s, you know, I guess I have a perspective where I can look at Australia in the context of the rest of the world and it really is such a unique place here. That, yeah, everyone who comes here loves it and it’s just a very, very nice place to come home to each time.
Vladimir: I’ve heard a lot of pretty nasty creatures live in Australia. Is that true or …?
Troy: Yes. (grimly)
Vladimir: Yes?! (both laughing) Everything that lives in Australia tries to kill you, pretty much.
Troy: It’s like you got to be rational about it, right. So you know, where we live and what are the things here that kill us? So we live on the water where we have sharks. We know we have sharks because we’ve caught sharks before. We’ve literally been fishing and caught sharks, but they’re not big sharks and you know like maybe a meter and something long. Well, you’re very unlikely to be killed by them. But it’s a little bit like anything where you sort of do your risk assessment. So I wouldn’t be swimming in murky water at dusk or during the night. Like the people that get taken by sharks, it’s like you’re swimming at 2 a.m. in a canal.
Vladimir: (Laughing) You’ve asked for it, so you got it.
Troy: Yeah, it’s the same every time someone gets taken by a crocodile in Australia, it’s often a tourist and they went swimming next to the sign that says don’t swim with the crocodiles (Vladimir laughing) So what do you expect. You’re gonna be eaten by a crocodile.
Vladimir: (Laughing) You’ve asked for it.
Troy: It’s funny that they call it, yeah this is like Darwin theory, right. Like the theory of evolution. The weakest and the stupidest will get eaten. And a lot of our crocodiles are actually in a place in Australia called Darwin. So you know, there might be something there.
Vladimir: (Laughing) That’s pretty ironic. I like it. So you live on the Golden Coast?
Troy: On the Gold Coast. So we live in an area of Australia, if anyone looks at a map of Australia we’re sort of on the very far eastern corner. Just above the far eastern corner, Australia looks a little bit like a diamond on the eastern side. And the Gold Coast is the 6th largest city in the country. We have about 600,000 people here. We’ve got everything you could possibly want in a city, in terms of schools for our kids and health care and all sorts of things, but it’s also a very, very lifestyle-orientated place. So there’s lots of outdoor activity. Most people are here because they just really want to live in this place. They’re not here because they have to be, like Sydney or Melbourne. And if anyone’s curious about the Gold Coast, just go to Google Images and google “Gold Coast Australia” and you’ll know.
Vladimir: Yeah, I’ve seen some videos of you riding your jet ski on the Gold Coast. It looks wonderful.
Troy: Yeah, sounds about right. (laughs amused)
Vladimir: Okay, so you seem to be a very busy man. You travel a lot and you produce a lot of content and do a lot a traveling and conferences, but you’re also a family guy. How do you manage those two? How do you balance that? Do you have any problems balancing it?
Troy: Well I think, maybe the first thing to mention is if anyone’s interested in sort of how I do that, there’s a talk that I’ve done called “Hack Your Career”. And if you go to YouTube and search for Troy Hunt “Hack Your Career” I talk in a bit more detail there. I guess to sort of answer it more specifically here, probably the most important thing with this is, that because I’ve got a wife and two kids this only works because she supports what I do. And if I’m gonna travel overseas, for example, we’ll talk about it and go “Hey, you know, does this make sense? Should I go overseas now? Are you gonna be alright with the kids? Is it going to work?” So we have a shared vision, if you like, in terms of the way I work and what we find is that sometimes that can make things very hard. So I’ve been away for, say, four weeks at a time before, which I’m trying not to do anymore, but I mean that’s a very long period and then she has to look after two kids on her own. But the balance, if you like, is, you know, we’ve just said, “Okay, I’ve been out playing tennis with my son. I mean it’s nearly 4:30 in the afternoon here. Most people would be at work in their shirt and, you know, doing work things and I’m just doing whatever I want.” But the offset is that I’ll probably be working very late tonight and I normally start at 5 or 6 o’clock in the morning as well. So I am happy with that balance and I’m happy with the uncertainty that sort of independent life gives me, but that also doesn’t work for everyone. I’m really conscious of that.
Vladimir: Yeah, I asked that because I find it to be the most difficult aspect for me, at least for now, while I have a full-time job and I write a blog and do interviews and all kinds of stuff and still have to attend to my wife. It’s so difficult to balance all that. She does support me and she understands that I need to invest some time in all those activities, but it’s still hard to achieve all that. So kudos to you for balancing all that.
Troy: Yeah, look, thanks for that and just a full perspective as well and maybe to make you feel a little bit better about it too. I started blogging in 2009 and this was when I first started investing my personal time in this pursuit and it took years of blogging on evenings and weekends and then doing conferences and talks and everything in spare time and often holidays, before I made any money whatsoever out of it or before I had any sense that it might actually be something that I could make a career out of. So it took a very long time of sacrifices before things started happening and it’s like I’m really, really conscious of that every day, even now. It’s because it’s still recent history now. It doesn’t seem that long ago to look back. It’s only sort of 8 or 9 years.
Vladimir: You need to have that motivation and understanding that you need to sacrifice some things to get something else in the future. So that’s also the hard part. You need to believe in yourself and to be patient enough to get to that part when things start rolling down.
Troy: Well I think also you got to enjoy the journey. (Vladimir agrees) You know if someone was sort of saying “I’m only doing this so that one day I could make more money out of it“. You don’t want to go like years being miserable and certainly, I did not, you know. Like I went years like not necessarily expecting this to turn into what it is today, but enjoying what I was doing …
Vladimir: Yeah, you started because you like to do it.
Troy: Yeah exactly. And look if you’re not enjoying it, you might as well just go back and working on …
Vladimir: Yeah, it won’t succeed if you don’t enjoy it. At least it’s what I think. Because it requires a lot of sacrifices and you need to be motivated and how are you going to be motivated if you don’t like what you do?
Troy: Well you know, your passion will sort of show through in what you do, too. And if it is something that you genuinely love and you’re enthusiastic about, then that will be obvious as you do what you do. And if you don’t, well you know it’s gonna be hard.
Vladimir: Yeah, yeah my thoughts exactly. So I have one question for you. It might be a rumor, it might not, but I’ve heard that you teach people to do something called “squirrel injection”. Is that right?
Troy: Yeah! (Laughing)
Vladimir: (Laughing) Is that right? Are you a veterinarian, also?
Troy: Oh man. How much time have we got to explain this? So I’ve been doing a talk. I think I first did this talk, I mustered up, a year and a half ago. A lot of the talks that I do at conferences; look, they’re security talks but they’re stories as well, right. So that they’re not just the mechanics of security. I like to sort of take people on a bit of a journey and make it something that they enjoy watching. Like I want people to come to my talks and learn stuff, but to have fun too. So I try and draw a lot of sort of examples from the real world. I try and bring a lot of interesting insights into information security when I talk about it. And one of the things that I wanted to demonstrate to people is that SQL injection is a very, very easily exploitable vulnerability. And when I was preparing for this talk I was looking at YouTube videos, because I wanted to see some of the YouTube videos that children were making about hacking. And when I say children, we’re talking often sort of 15, 16, 17 years old …
Vladimir: Yeah, teenagers.
Troy: Legally children, but really still kids. And there are tools out there that make attacks like SQL injection in particular, really really simple. And I found this video of this kid and it was just perfect for what I wanted to demonstrate because the kid was very unsure of himself. He spoke in a not very confident sort of way. He used terms which were very strange. Like obviously he didn’t actually understand what they mean. He had trouble sort of finding the right words and one of the things that he said, several times in the talk is, instead of saying SQL or “sequel”, he called it squirrel.
Vladimir: (Laughing) I laughed my ass off. It was hilarious.
Troy: This is like, it’s just the most perfect thing to show in a talk, because everyone’s laughing at it, right. Saying this is hilarious. But there’s a deeper message here, which is that this kid is doing something highly illegal which is really, really damaging to the organization and someone built the code in this application that a kid, who doesn’t even know how to pronounce SQL, can come along and exploit and suck your data out of, you know. Like that to me is that, that’s just a really, really significant thing. So yeah, there was a bit of fun in that talk and every time the kid said squirrel I put a picture of a squirrel up on the screen …
Vladimir: (Laughing) Yeah, that squirrel jumped out of there. That was hilarious. You’ve had a few of those talks that are really memorable and I remember them to this day. I don’t have much of a visual memory but those talks really resonated with me and I liked them a lot.
Troy: Awesome. I’m really glad to hear that. Look, I mean if anyone wants any more talks that were done before and wants to see them; if you go to troyhunt.com/recorded-talks there’s how many now? Well, there are 38 talks that have been recorded and are listed there at the moment. So heaps of stuff including “squirrel injection”.
Vladimir: Yeah, you can watch for days. (Troy laughing) There’s, there was one hilarious one. I think you tried, not tried but you did some SQL injection with your son when he was 4.
Troy: Hmmm, yeah. I’ve actually used him a couple of times. I used him initially when he was 3 to demonstrate SQL injection. Squirrel injection!
Vladimir: Three years old?!
Troy: Yeah, yeah, because if you can hold a mouse you can do SQL injection. And like, again, the point of this was to show that all I really needed to get him to do was copy and paste. Because using automated tools it’s as simple as taking a URL, usually with a query string parameter, and pasting it into one of these tools and just hitting the button and it goes. As he’s gotten a little bit older I’ve actually used him in some conference talks. So I’ll be on the stage and I’ll do my talk and then I’ll sort of say “Look, you know, let me show you how simple SQL injection is”. So I would get my son up on the stage. I got him to do it a couple of times last year in Oslo and also in Sydney for the NDC conferences. He comes up on stage and he’s like, he’s 7 years old. Like he’s still a little kid. So he stands up on a chair and he has a hoodie, so he puts his hoodie on (Vladimir laughing), cause he’s gotta do that before he starts hacking. And everyone thinks it’s hilarious and I get really good marks for the talk because there’s a kid.
Vladimir: That time he did it independently, you didn’t help him or anything. He had a script and did it from the start to the end.
Troy: We rehearsed it a few times because he’s old enough now to actually know how to copy and paste on his own.
Vladimir: So besides attending conferences, you do a lot of Pluralsight and you have how many video courses right now?
Vladimir: Yeah, play by plays are pretty useful in my opinion. I’ve watched a few of those on Pluralsight and I learned a lot there. There’s one I think, about TDD or something like that, it’s really really nice to see someone’s thought process when doing something like that especially if he’s experienced, you learn a tremendous amount.
Troy: That’s cool. I’m very glad to hear that. It’s always nice to actually hear from people that watch the courses, because for us as authors, most of the time we’re sitting at home on our own with no humans around and it gets really boring and repetitive. So it’s actually really nice to hear that.
Vladimir: Yeah, you live in your head and don’t know if it’s really useful or not and … Yeah, yeah feedback is really important. I love feedback. Every comment I get I read it and think about it and respond to it because I think that’s the way you learn and that’s the most important part of sharing knowledge.
Troy: Yeah, absolutely.
Vladimir: So, how much time you still have? Do we have time for some more questions or…
Troy: Yeah, I’m okay. I can keep going.
Vladimir: Okay. So I saw you recently attended a meeting with American Congress. So, how’s that been for you? Have you been nervous, maybe?
Troy: You know, I wasn’t nervous. I don’t get nervous anymore and I know that there are some speakers who are very experienced and they say they still get nervous, but it doesn’t happen for me anymore and I think if anything I get a bit excited. Insofar I actually really enjoyed doing these things and maybe the excitement sort of overcomes the nerves. But for Congress you know, I was there at the end of November testifying on how data breaches are impacting our ability to do knowledge-based authentication. So yeah, if your bank calls you up and says or let’s say you call your bank and you need to verify who you are and your bank says, ok well just tell us your date of birth and then we’ll know that you are who you say you are. Except, your date of birth has been leaked in all these data breaches. Yeah, so you can’t reliably use that piece of knowledge-based authentication. And the Congress thing was very interesting because it was my first trip to Washington DC I was seeing all of these things that I’d only seen in the movies before.
Vladimir: Yeah, I can imagine.
Troy: Yeah, like all the memorials and stuff like that. You know, I’ve seen the White House I’ve only seen that in movies, like being blown up and stuff like that. You know maybe like “Independence Day” or something. And yeah, when I went into Congress that the really interesting thing there was that it’s obviously a very formal environment. So on the one hand, there’s a lot of structure to it, but on the other hand, I was speaking to people who were sort of the staffers, who were organizing everything and they were very very normal, down-to-earth people. Very lovely people. And what I sort of really really worked on for my testimony, for my written testimony and then my… So you had to sort of submit a written testimony, which I think was sort of a few thousand words and then a verbal testimony which is a five and a talk and then you got questions from congressmen and congresswomen and what I really had to work on was to try and explain things in ways that non-technical people could understand, but also give enough information such that they can then give my testimony to staffers, so that they can go away and do something useful with it. So you know, don’t make it detailed, but give enough detail they can use. And it’s like that was fun. I kind of like figuring out how to communicate in a way that works across those demographics.
Vladimir: Yeah, and while you’re at it. I watched some of your videos at Pluralsight and they seem pretty down-to-earth and simple. Do you intentionally make them that way? Do you think it resonates better with people or it comes naturally to you? Because when I’m writing my blog I’m trying to dumb down things as much as I can because I think that most important thing is that more people understand it and not to get technical and complicated and to sound more authoritative or something like that.
Troy: Well yeah, there are a few things there. So in terms of Pluralsight, the vast majority of the demographic of people who watch the courses want introductory content and we know this empirically. So we know from the numbers, from the evidence, that if you write something for an intermediate audience, the number of people that watch it is going to be significantly less and if you write something for an advanced audience it’s going to be significantly less again. And Pluralsight is a royalty-based model, so when you sit there and you’re deciding “What do I do with my time? What is the highest and best use of my time?” If it’s anything not targeting beginners, it’s basically a waste of time, financially. And I want to caveat it there because it’s going to be very useful for some people, but if your purpose is there to make money out of it, then that’s not gonna be a good return. So yeah, that’s why the vast majority of my content is very entry level. In fact, just coincidentally, I’ve got some stats up in front of me at the moment and my most popular course in terms of, that the return on the effort, is one called “Web Security and the OWASP Top 10: The Big Picture”. And this is just slides. This is targeted at managers or people who might watch it over lunch or people with not any technical depth whatsoever. And there’s about 32,000 hours’ worth of that that have been viewed.
Vladimir: Oh my God. That’s so much.
Troy: Yeah well, you know, that is very important in terms of the monetary return. So the effort, it has to have a return. Now in terms of my blog, you’ll see that there’s a really broad range there, you know. So if I think about some of the recent things I’ve written, I’ve gone into a lot of detail on content security policies, SRI, HSTS and that goes down to as much detail as anyone would need to actually implement it.
Vladimir: Yeah, that’s much deeper than some courses you’ve done.
Troy: Correct. And then you have a look at other blog posts and they might be very high level. Some of them might not even be technical. I’m writing one at the moment, that I hope to publish today, about how real-life examples are not very good analogies for digital equivalents. So you know, when someone says: Well, taking data off the server is like walking into someone’s and stealing something. No, it’s not, it’s a terrible example. So I’m writing about that, but it’s not technical.
Vladimir: Yeah, yeah, yeah … And it’s a pretty way to explain to people that they shouldn’t rely on real-life examples. Like there was one with exchanging cards and data breaches, but if you exchange data either party gets both their data and the data they acquired from the second party. So it’s not like exchanging cards where you give a card and get another one in return.
Troy: Well look, I understand why people are doing it. It’s because they’re trying to explain things in relatable terms, but the problem is that very often in an attempt to do that they actually conflate the issues and they make it more confusing. And my sort of conclusion and what I’ve actually done is I’ve taken a lot of tweets that I got over last few days, in response to another blog post and I’ve tried to use them to demonstrate that look we just can’t explain the technology with these IRL equivalents and these in real life equivalents. And in fact, in this particular case, you can explain the technology perfectly, well just by talking about the technology.
Vladimir: Yeah. So, you must be careful when choosing examples to explain …
Troy: Yeah. I think so. I think we can adequately explain things with just the technical terms.
Vladimir: Yeah, okay. That’s fair enough. So you have done a lot in your career and have many titles and accomplishments. What are you most proud of? Is there something you would like to tell us?
Troy: I think to date it would have to be “Have I been pwned” because this was … It’s funny when I think back about it because I was about to say this was something I never really gave a lot of thought to, you know. I just created it on a whim. I had some downtime when I was in my old job. I was in the Philippines for a little while and I had nothing to do so sat in the hotel room and I started building this. But there’s a part of me as well where I’ve always had this sense and if I think back even to sort of .com era and I’m thinking 1997-98 where I was building little things and marveling how even then, and that was before, cloud is out today as well … So I was marveling how you could just sort of sit on your own and create something that the world could use and could actually turn out to be really valuable one day. And I’ve always wanted to do something like that. And I didn’t necessarily think that “Have I been pwned” would be that thing, but now when I look back at it; it has become something that’s actually really valuable and really useful. And I still find it just amazing that I can just sit at home and do this. It’s just one guy, right.
Vladimir: That’s amazing and you talked about having millions of requests someday, some days when you go live on some media. That’s unimaginable.
Troy: Yeah, yeah well. I mean it’s even more than that because it’s not requests, it’s unique users.
Vladimir: Unique users per day?!
Troy: This is millions of unique users. In fact, I’m just gonna look back on my…
Vladimir: There was some 68 million or something like that you’ve mentioned one time.
Troy: Yeah look, sometimes things do just go really nuts in terms of scale. You know, when I look at requests I had one day last month, this was on the 30th of March, and I had 49 million requests on that day. Now that’s not users, that was only 7,900 users. (Troy laughing)
Vladimir: (Laughing) They liked it.
Troy: I know. This is the thing though, this is still just like the one guy sitting at home building some stuff. I’m still running it on very, very cheap infrastructure as well. And you’ve got nearly a million people in a day and the normal day now is somewhere between 100,000 and 200,000 visitors.
Vladimir: Yeah, that’s crazy. I can’t even imagine how that would be. So let’s wrap this up and let’s tell people where they can find you and maybe recommend some Pluralsight videos where they can start if they want to go into security a bit deeper.
Troy: Sure. So look, I mean obviously the most logical place to start is troyhunt.com. That’s got a lot of stuff on it. You’ll find me on Twitter as well @troyhunt. That’s got a lot of stuff. I use Twitter quite a lot. If you start there, those two places like lead to everything else, you know. Like that’s the center of the universe of Troy.
Vladimir: Yeah, so that’s the best place to start.
Vladimir: Okay Troy. It was a pleasure talking to you. I would like to do this again sometime if you find the time. I was surprised you had time for this interview too.
Troy: I’ll make time. Look it’s fun to do these things and you know, it gives me a break from just sort of sitting there blogging or playing tennis.
Vladimir: Yeah, thank you for that and thank you for the wonderful interview.
Troy: My pleasure.
Vladimir: We’ll talk again sometime.
Troy: Good on you!
Vladimir: Cheers. Bye.