Weekly Update 306

I didn't intend for a bunch of this week's vid to be COVID related, but between the breach of an anti-vaxxer website and the (unrelated) social comments directed at our state premier following some pretty simple advice, well, it just kinda turned out that way. But there's more on other breaches too, in particular the alleged Paytm one and the actual Customer.io one. I'm really looking forward to next week's update, here's a little teaser of what you can expect to hear about then 🤣

References

I've updated the Paytm data breach to be flagged as "fabricated" (full thread on the reasons why, it's a tricky one)
Anti-vax dating site that let people advertise ‘mRNA FREE’ semen left all its user...

Weekly Update 305

I broke Yoda's stick! 3D printing woes, and somehow I managed to get through the explanation without reverting to a chorus of My Stick by a Bad Lip Reading (and now you've got that song stuck in your head). Loads of data breaches this week and whilst "legacy", still managed to demonstrate how bad some practices remain today (hi Shadi.com 👋). Never a dull moment in data breach land, more from there next week 😊

References

The Yoda 3D print looks amazing (just don't touch his stick)
News flash - social media platform collects lots of data! (seriously, the TikTok hyperbole got a bit too much this week)
What if... some free stuff is actually free? (you're not always "the product" and...

If You're Not Paying for the Product, You Are... Possibly Just Consuming Goodwill for Free

How many times have you heard the old adage about how nothing in life is free:

If you're not paying for the product, you are the product

Facebook. LinkedIn. TikTok. But this isn't an internet age thing, the origins go back way further, originally being used to describe TV viewers being served ads. Sure, TV was "free" in that you don't pay to watch it (screwy UK TV licenses aside), but running a television network ain't cheap so it was (and still is) supported by advertisers paying to put their message in front of viewers. A portion of those viewers then go out and buy the goods and services they've been pitched, hence becoming the "product" of TV. But what I...

Weekly Update 304

It's very much a last-minute agenda this week as I catch up on the inevitable post-travel backlog and pretty much just pick stuff from my tweet timeline over the week 😊 But hey, there's some good stuff in there and I still managed to knock out almost an hour worth of content!

References

La Poste Mobile got themselves ransom'd and their data dumped (and they're still offline)
Mangatoon are very clearly covering up their breach (which is now hard to do given it's in HIBP and received plenty of press)
The "Seconds" app is my secret presenting sauce! (any workout app that can run a sequence of timed intervals will do it)
I'm totally loving Apple's AirTags to track all my things!...

Weekly Update 303

And we're finally done with this trip. 26 days, 14 different accommodations, 5,146km of driving through 4 states and the last 4 weekly vids all done on the road. Travel is great, but right now going home is even better 😊 Next week's vid will be back in my comfy office with good lighting, video, audio and better planning. Until then, here's a (late) weekly update 303:

References

If you're going to scrape someone else's content, don't embed the images directly off their site! (referrer header based Rickrolls 😎)
The Shanghai police data breach is massive... (if it turns out to be legitimate)
SHA-1 is fine and k-anonymity isn't PII (and frankly, if an organisation doesn't understand these simple facts, they've got...

MVP Award 12

11 years now, wow 😲 It's actually 11 and a bit because it was April Fool's Day in 2011 that my first MVP award came through. At the time, I referred to myself as "The Accidental MVP" as I'd no expectation of an award, it just came from me being me. It's the same again today, and the last year has been full of just doing the stuff I love; loads of talks (which, like the one above at AusCERT, are actually starting to happen in front of real live humans again), live streams every week, blog posts and perhaps my favourite thing of all, open sourcing Pwned Passwords and standing up an ingestion pipeline for the FBI. Cool 😎 But it...

Welcoming the Polish Government to Have I Been Pwned

Continuing the rollout of Have I Been Pwned (HIBP) to national governments around the world, today I'm very happy to welcome Poland to the service! The Polish CSIRT GOV is now the 34th onboard the service and has free and open access to APIs allowing them to query their government domains. Seeing the ongoing uptake of governments using HIBP to do useful things in the wake of data breaches is enormously fulfilling and I look forward to welcoming many more national CSIRTs in the future....

Weekly Update 302

In a complete departure from the norm, this week's video is the much-requested "cultural differences" one with Charlotte. No tech (other than my occasional plug for the virtues of JavaScript), but lots of experiences from both of us living and working in different parts of the world. Most of it is what Charlotte has learned being thrown into the deep end of Aussieness (without the option of even getting out of the country until very recently), which I thought made for some pretty funny viewing 🤣 We almost got through the entire content I had planned... then my phone went into battery saving mode and killed the mic so apologies for that last little bit of missing content. But hey, it...

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and a handful of other paying subscribers. It works beautifully; it's ridiculously fast, efficient and above all, anonymous. Yet from time to time, I get messages along the lines of this:

"Why are you using SHA-1? It's insecure and deprecated."

Or alternatively:

"Our [insert title of person who fills out paperwork but has no technical understanding here] says that k-anonymity involves sending you PII."

Both these positions make no sense whatsoever when you...
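The Pwned Passwords range search the excerpt refers to, as an added example that is not code from the original post or from HIBP itself. It hashes the password with SHA-1, keeps only the first five hex characters of the digest as the query (the real endpoint has the shape https://api.pwnedpasswords.com/range/{prefix}), and matches the remaining 35 characters locally against the returned SUFFIX:COUNT lines. The range response in the block is constructed for the example: the first suffix is the genuine remainder of SHA-1("password"), the other suffixes and every count are made up, and fake_fetch_range stands in for the HTTP call. SHA-1 is a lookup key here rather than a security primitive, and the only thing that ever leaves the client is 20 bits of the hash.

```python
import hashlib
from typing import Callable

# Constructed sample range response for prefix "5BAA6" (the first five hex chars of
# SHA-1("password")). The real API returns a plain-text body of "SUFFIX:COUNT" lines
# for https://api.pwnedpasswords.com/range/5BAA6; this body is made up for the example.
# Only the first suffix is real (the remainder of SHA-1("password")); the other
# suffixes and every count are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8B2C1A9F3E7D5B0A4C8F2E6D1B3A:2
"""

# Stand-in for the HTTP call: a tiny fake "server" that knows exactly one range.
FAKE_SERVER = {"5BAA6": SAMPLE_RANGE_RESPONSE}


def fake_fetch_range(prefix: str) -> str:
    """Return the range body for a prefix (empty body if the fake server has none)."""
    return FAKE_SERVER.get(prefix.upper(), "")


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 if not found).

    The prefix is the only value handed to fetch_range; the suffix never leaves this
    function, so the remote side sees 20 bits of the hash and never the password.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, fake_fetch_range))
```

To run it against the live service, replace fake_fetch_range with a function that GETs the range URL for the prefix and returns the response body; the matching logic stays on the client and is unchanged.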

Weekly Update 301

First up, I'm really sorry about the audio quality on this one. It's the exact same setup I used last week (and carefully tested first) but it's obviously just super sensitive to the wind. If you look at the trees in the background you can see they're barely moving, but inevitably that was enough to really mess with the audio quality. I do actually have a windsock for the mic, but it's in a drawer at home so for the remainder of this trip it'll be indoor recording only. Speaking of which, because there was a lot of enthusiasm for Charlotte and I to do one together on the cultural differences we've both experienced living in different parts of the...