Downloading Pwned Passwords Hashes with the HIBP Downloader

Just before Christmas, the promise to launch a fully open source Pwned Passwords fed with a firehose of fresh data from the FBI and NCA finally came true. We pushed out the code, published the blog post, dusted ourselves off and that was that. Kind of - there was just one thing remaining... The k-anonymity API is lovely and that's not just me saying that, that's people voting with their feet: That's already 58% by volume from my December blog post, only 5 months ago to the day. It's also just a rounding error off a 100% cache hit ratio too 😎 But the bit that remained was the promise I made in that last blog post: Lastly, as of right...

Weekly Update 295

A short one this week as the previous 7 days disappeared with AusCERT and other commitments. Geez it was nice to not only be back at an event, but out there socialising and attending all the related things that tend to go along with it. I'll leave you with this tweet which was a bit of a highlight for me, having Ari alongside me at the event and watching his enthusiasm being part of the industry I love 😊 At #AusCERT with Ari for “take your son to work” day 🙂 I’m up next on stream 2 at 14:45 talking about Pwned Passwords, the FBI, the NCA and giving the whole thing over to the community, come say hi! https:...

Weekly Update 294

It's back to business as usual with more data breaches, more poor handling of them and more IoT pain. I think on all those fronts there's a part of me that just likes the challenge and the opportunity to fix a broken thing. Or maybe I'm just a sucker for punishment, I don't know, but either way it's kept me entertained and given me plenty of new material for this week's video 😊 ReferencesThe book is almost ready to launch! (I've totally rewritten the intro, tweaked a bunch of the stories and added more - hopefully only a month off go-live)My fallback position for the IoT not working is literally climbing over the wall (I'm going to solve - and...

Weekly Update 293

Didn't get a lot done this week, unless you count scuba diving, snorkelling, spear fishing and laying around on tropical sand cays 😎 This week is predominantly about the time we just spent up on the Great Barrier Reef which has very little relevance to infosec, IoT, 3D printing and the other usual topics. But as I refer to in the guitar lessons blog post referenced below, I share what I do pretty transparently and organically and this week, that's what I want to talk about. So, either enjoy it or skip it until next week when I'll back to business as usual 😊 ReferencesI followed Lars' guidance and installed the physical mailbox sensor (so far, I'm unhappy with it, more next...

Weekly Update 292

Well that was an unusual ending. Both my mouse and keyboard decided to drop off right at the end of this week's video and without any control whatsoever, there was no way to end the live stream! Wired devices from kids borrowed, I eventually got back control and later discovered that all things Bluetooth had suddenly decided to die without any warning whatsoever. I certainly wasn't updating drivers mid-live stream or anything like that so... 🤷‍♂️ Anyway, other than that it's business as usual this week, enjoy! ReferencesThe shots I'm getting with the new drone are amazing! (it's crazy how much tech is jammed into this little thing)I'm disappointed that Mailchimp has stopped offering a discount for users with 2FA...

Breach Disclosure Blow-by-Blow: Here's Why It's so Hard

For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, in fact, I thought I'd record the process end-to-end and share it publicly to help demonstrate just how painful the process is. I'd filed the (alleged) Avvo breach away in the "too hard" basket a long time ago and it was only...

Weekly Update 291

Bit of a long one this week, just due to a bunch of stuff all coinciding at the same time. The drone is obviously the coolest one and it was interesting to hear other people's experiences with theirs. This is just super cool tech and I can't remember the last time I looked at a consumer product and thought "wow, I didn't know they could do that!" Check that out and a whole heap more in this week's video below 👇 ReferencesAs travel gradually resumes, there are more events you can now catch me at (stay tuned for one in Tasmania in July too)It was 7 years ago today I left a 14 year career at Pfizer... (...and never once...

Welcoming the North Macedonian Government to Have I Been Pwned

In my ongoing bid to make more useful information on data breaches available to impacted national governments, today I'm very happy to welcome the 32nd national CERT to Have I Been Pwned, the Republic of North Macedonia! They now join their counterparts across the globe in having free API-level access to monitor and query their government domains. I look forward to welcoming more governments in the future and building out additional support to assist them in the wake of further data breaches....

Weekly Update 290

I hope scheduling these in advance is working well for everyone, the analytics certainly suggest a much higher viewership so I'm going to keep scheduling these and refining the whole thing further. Other than that, it's same-same this week with the usual array of breaches, tech and life down under. Enjoy 😊 ReferencesI keep forgetting to talk about upcoming events (that's a list of what's coming  in 2022, I'll try to remember to discuss it next week given I'm off to Sydney the week after for the Akamai event)Indonesian real estate site Travelio was breached (this dates back to last year, but the data is now in HIBP)Lots of crickets chirping over at Avvo (this is becoming a textbook...

Welcoming the Serbian Government to Have I Been Pwned

Supporting national governments has been a major cornerstone of Have I Been Pwned for the last 4 years. Today, I'm very happy to welcome the 31st government on board, Serbia! The National CERT and the Gov-CERT of the Republic of Serbia now has free and complete access to query their government domains via API. Visibility into the exposure of government departments in data breaches remains a valuable service I'm glad to see continuing to be taken up by national CERTs....