Weekly Update 170

Monday: 40C and lapping up the Gold Coast sunshine. Wednesday: -8C and lapping up... Juicy IPA! I'm back in Oslo and catching up with the locals, including running a roundtable discussion for CSOs at Microsoft, visiting the Norwegian National Cyber Security Centre (recently onboarded to HIBP) and chatting with Forbrukerrådet, the Norwegian Consumer Council. Plus, there's an all-new blog post on the long-overdue update to Scott Helme's and my little Why No HTTPS? project. References: Forbrukerrådet does some excellent work identifying risks to consumers (link to their findings from a couple of years ago around kids' tracking watches). Still why no HTTPS? There's still a heap of websites that need to lift their HTTPS game (see if you can lean...

Still Why No HTTPS?

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default. We called it Why No HTTPS? and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means of highlighting security gaps and serving as a "list of shame". I've had many organisations reach out and ask to be removed once they'd done their TLS things properly, so clearly the site is driving the right behaviour. Today, we're happy to share the first update since November last year. The Web is More Secure More...

Weekly Update 169

I recorded this right before heading out for my final conference talk of the year at YOW! Melbourne, where I was due to do the closing keynote of the event. That's now done, questions answered and beers drunk, and I left the event feeling great. One of the things I get the most pleasure out of at conferences is hanging around talking to people, so a big thanks to everyone who made the time today to stay back on a Friday evening and cap a very busy year of conferences off in this fashion. I'm going to leave that intro here, push this week's update, then do it all again (hopefully also on time!) a week from now. References: Why No...

Generated Passwords, UX and Security Absolutism

Last month, Disney launched their new streaming service Disney+; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney: Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames...

Weekly Update 168

I'm presently on the YOW! conference tour, which means doing the same keynote three times over in Sydney, Brisbane and Melbourne. It's my first time back at YOW! since 2015 and it's always a nice way to wrap up the year, especially the Brisbane leg I'm on at the moment in my home state. That's kept me busy, but it's some tweets last week that have kept me entertained, so I'm talking about those as well as some reflections on what is now 6 years of running HIBP. Next update I'll try and push out a little earlier to align with YOW! in Melbourne and hopefully give myself a bit more downtime come the weekend. References: It's not just Let's Encrypt...

Weekly Update 167

It's summer! Yes, I know it's back to front for many of you, but Dec 1 means it's sunnier than ever here. Regardless, this week I've been at DDD in Brisbane, written about my 10 year old son Ari and me running kids' coding clubs in Oslo (cold) and London (rainy) next month, and the Swiss gov being on-boarded onto HIBP. Plus there's this week's sponsor IVPN and how tracking ain't tracking (that may be a bit of an old Aussieism). Next week I'll come to you from the YOW! conference somewhere else within the country. References: I'll be keynoting at YOW! Sydney, Brisbane and Melbourne over the coming couple of weeks (happy to be back there after a few years' hiatus)...

Welcoming the Swiss Government to Have I Been Pwned

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches, I'm very pleased to welcome Switzerland as the 7th national government onto Have I Been Pwned! They'll join the other govs in Europe and Australia and have complete free and direct API access to all the breached addresses appearing on their government domains. I expect to keep on-boarding further...

Teach Your Kids to Code with Ari in Oslo and London

When I first started writing code a few decades ago, it was a rather bland affair involving a basic text editor and physical books for reference. I didn't have an opportunity to create anything usable by others until years later and perhaps most importantly in the context of this blog post, I didn't have anyone in my family able to teach me about coding. For many kids today, that last point is still just as relevant as it was in the 80's and 90's with one major caveat - it doesn't have to be. Teaching your kids to code is easier today than ever before with zero experience required. Since my kids have been around 6 years old, I've been...

Weekly Update 166

Kangaroos! I've been trying to line these guys up for weeks to no avail but finally, they've delivered. Speaking of delivering, I actually got 3 blog posts out this week which I've not done for a while, the most significant of which relates to "data enrichment" companies (also often referred to as "data aggregators"). I have a fundamental issue with the very premise of how these firms operate and I'm getting a little sick of finding my own data in there. Have a listen and see what you think, but certainly the overwhelming feedback I've been hearing from people is that my views are pretty consistent with everyone else's on this. Problem is, I see absolutely nothing on the horizon...

Data Enrichment, People Data Labs and Another 622M Email Addresses

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017, Exactis who had 132M records breached last year and the Apollo data breach which exposed 126M accounts, one of which was my own. When Vinny Troia recently reached out after he and Bob Diachenko sent me a massive set of data allegedly originating from PDL, I...