Journal Articles

CVu Journal Vol 29, #1 - March 2017


Title: Troy Hunt: An Interview

Author: Martin Moene

Date: Thu, 02 March 2017 18:31:53 +00:00

Summary: Emyr Williams continues the series of interviews with people from the world of programming.

Body: 

Troy Hunt is based in Gold Coast, and is a Microsoft Regional Director as well as an MVP (Microsoft Valued Professional) in the field of developer security, and has become a world class security consultant. He has travelled the globe giving training lectures on security for software engineers. As well as being a Pluralsight author, he is also the man behind the website haveibeenpwned.com, where a user can enter their e-mail address and check if they have an account on a site that’s been compromised. His blog can be found at www.troyhunt.com.

How did you get into computer programming? Was it a sudden interest? Or was it a slow process?

I had a curiosity as a young teenager but frankly, I preferred to be outdoors doing something active. It wasn’t until I turned 14 and we moved from Australia to the Netherlands (which is often not very conducive to outdoor activities!) that I began showing more interest in computing.

What was the first program you ever wrote? And what language was it written in?

It would have been something in BASIC but I honestly can’t remember what. Most of my code exposure then was hacking around games and other subversive activities.

What would you say is the best piece of advice you’ve been given as a programmer?

I can’t think of one piece of advice specifically, but a friend I worked with many years ago pushed me into blogging and that then opened up many opportunities that leveraged my coding experience and led to where I am today.

How did you get into the field of software security? Was this part of your day job when you worked at Pfizer? Or did it occur naturally?

I worked as a software architect at Pfizer responsible for how we delivered solutions across Asia Pacific and whilst security was also a component of that, it wasn’t the sole focus of the role. But what the role did do was expose me to many seriously bad security practices; Pfizer outsourced everything to vendors in low cost markets and had a very strong focus on price, so you can imagine some of the security transgressions that led to!

I see from your blog that some folks send you details of breaches, such as data dumps etc? But do you carry out tests yourself on websites or web services? And if so, how do you do that within the bounds of staying legal? Do you poke and prod at online systems looking for holes and attack vectors?

I make a real point of doing data breach verification in a very transparent way; I expect that people may be watching and I’m exceptionally cautious to ensure I remain ethical the entire time. I look for publicly observable patterns of vulnerable coding, things like missing HTTPS, email address enumeration risks, improperly configured servers, risky patterns with cookies etc. I try and answer the question “does this look like the sort of site that would be vulnerable to attack?”. I also reach out to HIBP subscribers in the alleged data breach and simply ask them – “Did you use that service and is this your data”. That’s a very reliable means of verification.

Having read your blog for some time now, I get the impression you’re insanely busy. How do you maintain the balance between work and family life?

We all trade off work and families. Many people don’t like to think about it that way, but we put a price on our families every day we go to work even in very traditional jobs. The balance my wife and I strike is that I travel a lot and work long hours at home too, but I have heaps of flexibility. I’m often taking the kids to school, I always watch them at tennis, my wife and I often go out for lunch and of course we enjoy the rewards of a successful career too. It wouldn’t work for many other people, but it’s a balance that works well for us.

What would be an average work day for you?

Who knows! If I’m at home, getting up by 5am and sitting outside near the water with a coffee doing emails and catching up on everything that’s happened overnight for an hour or 2. After that I’m often having meetings about upcoming events or courses, writing new blog material, working on HIBP and doing any number of other things. When I’m travelling, it’s non-stop going between hotels, airports, conferences and workshops. That’s a really intense period that often takes me weeks to unwind from once I’m home.

If you were to start your career again now, what would you do differently? Or if you could go back to when you started programming what would you say to yourself?

It’s a different world now to when I was starting out. My first year at uni was the first time I saw the internet, so I never really had the advantage of all the online resources we have today. If I’d had them, I would have done a heap of learning online through resources like Pluralsight and built up an online identity much earlier. That’s been the most valuable thing for me in later years and what I wish I had done earlier.

What would you say is one of the most important books you’ve read as a developer?

HTML for dummies. Seriously, I still have the book I bought in ’95 and used that to start building web apps. It’s such a trivial thing by today’s standards, but that’s what helped get me started in a time where information was sparse.

What would you describe as the biggest “ah ha” moments, or surprises you’ve come across when you’re chasing down a bug?

I’m continually surprised at how on earth some code ever worked to begin with! We all do this – look back at the things we wrote with wonderment – and I do the same thing on a regular basis.

Do you have any regrets? Such as having followed a different technical route or something like that?

I’m really happy with my life at present so it’s hard to have regrets as all the things I’ve done have led me to where I am now. Perhaps the biggest would be not starting down the online identity path earlier. I wish I’d been able to fast track the path to my current life but even then, other environmental factors may not have made that happen any earlier. I spend very little time regretting things, I’m usually looking forward to the next thing.

Do you mentor other developers? Or did you ever have a mentor when you started programming?

I’m not overly fond of the premise of mentoring as some sort of discrete process. I prefer the idea of having many people you talk to, draw inspiration from and give advice to. Of course I’ve had those relationships more with some people than others. My suggestion to people is to surround yourself (either physically or virtually) with people you respect and aspire to be like; that’s certainly had a very positive impact on me.

Finally, what advice would you give to someone who is looking to start a career as a programmer?

Build stuff. More than anything, experience counts massively towards your future potential. Go and learn from resources like Pluralsight then start a project or contribute to open source projects or do something that actually produces an end product. As someone who’s interviewed a lot of people before, I care very little about what school they went to or the grades they got and I care massively about what they’re actually able to do.
