Weekly Update 288

Wow, what a day yesterday! I mentioned at the start of this week's update that Charlotte and I jumped on a chopper with our parents to check out our wedding venue, here's the pics and I just added a video to the thread too:

"Well that was amazing; chopper ride to our wedding venue for lunch with our parents. So happy to live here and have access to such a wonderful place. And such a wonderful woman in @charlottelyng 😊 🚁 💍 pic.twitter.com/NEgDxZxNeR" — Troy Hunt (@troyhunt) March 24, 2022

I talked a bunch about Okta today and shortly after, jumped in the car and turned on the latest Risky Business podcast. Have a good listen to Patrick and Adam's...

Welcoming the Italian Government to Have I Been Pwned

For the last 4 years, I've been providing API-level access to national government agencies so that they can search and monitor their government domains on Have I Been Pwned. Today, I'm very happy to welcome the 29th government to join the service, Italy! Via CSIRT-Italia within their National Cybersecurity Agency (ACN), they now have free access to breach data I hope will further empower them to protect their people in the wake of data breaches. I expect to continue onboarding eligible governments and look forward to welcoming many more in the future....

Weekly Update 287

So the plan was to schedule this week's session in advance then right on 17:30 at my end, go live. It mostly worked, I just forgot to press the "go live" button having worked on the (obviously incorrect) assumption that would happen automatically. Lesson learned, session restarted, we'll be all good next week 😊

References:
Asking about IoT'ing the kids' showers led to lots of wrong answers (maybe I'm just scarred now knowing how much work is involved as soon as you touch actual plumbing in a bathroom)
Seeing a psych and getting help is just fine (after recording this vid, I was watching Toto Wolff on Drive to Survive and the enormous amount of pressure on him)
CafePress got slapped...

Setting the Bar for Government Access to Have I Been Pwned

Over the last 4 years, I've onboarded 28 national government CERTs onto Have I Been Pwned (HIBP) and given them free and open access to APIs that enable them to query and monitor their gov domains. This doesn't give them access to any information they can't already access via the free public domain search feature, but it makes their lives easier. Much easier. As interest from govs has grown, it's caused me to ponder: who am I willing to give access to? Who am I unwilling to give access to? Those questions prompted a tweet earlier today: If I was to define metrics for which governments I accepted onto @haveibeenpwned, what should they look like? Human rights? Other? And as...

Weekly Update 286

Somehow this week ended up being all about Russia and Cloudflare. Mostly as 2 completely separate topics, but also a little bit around Cloudflare's ongoing presence in Russia (with a very neutral view on that, TBH). Looking back on this video a few hours later, the thing that strikes me is the discussion around what appears to be a phishing page seeking donations for Ukraine. Just listen to me try to figure this out and as I say in the vid, if I have trouble discerning phish from legit resource, how do people who don't live in this world work it out?! Easy answer - they don't, that's why phishing remains so lucrative.

References:
The idea of Tesla remotely killing cars...

Building Password Purgatory with Cloudflare Pages and Workers

I have lots of little ideas for various pet projects, most of which go nowhere (Have I Been Pwned being the exception), so I'm always looking for the fastest, cheapest way to get up and running. Last month as part of my blog post on How Everything We're Told About Website Identity Assurance is Wrong, I spun up a Cloudflare Pages website for the first time and hosted digicert-secured.com there (the page has a seal on it so you know you can trust it). Instantly, I fell in love with this method of building websites so when I came up with an idea just yesterday, I knew exactly how I wanted to build it. Here's the idea: I've been...

Weekly Update 285

With travel now behind me, I'm back to a stable schedule and doing these on time again. Mind you, I came home to some of the wildest weather I've ever seen here, but it was kinda cool to watch and the kids didn't complain getting days off school. Oh - and I also loaded a bunch of new data breaches this week, the Robinhood one from earlier today being particularly noteworthy with more than 5M unique email addresses. All that and more in this week's update.

References:
The weather here got a bit crazy, check out how much dirt got dumped into the waterways (drone footage courtesy of Heather Downing)
So much water the kids were literally kayaking out of our...

Weekly Update 284

A little late this week as the tail end of travel bites into my time, but it's nice to be home again (albeit amidst a period of record rainfall). I'll get back on a normal schedule next week but for now, here's all the usual stuff in number 284, complete with a super cool "ransomwear" hoodie from this week's sponsor, Varonis 😎

References:
The Messaging Malware Mobile Anti-Abuse Working Group Mary Litynski Award (seeing industry recognition for HIBP is enormously fulfilling)
Hacktivist action against Russia might be well-intentioned, but is fraught with problems (a kid in their bedroom on the other side of the world is a very different story to someone on the ground defending their livelihood)
The documentary I was...

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

I feel the need, the need for speed. Faster, Faster, until the thrill of speed overcomes the fear of death. If you're in control, you're not going fast enough. And so on and so forth. There's a time and a place for going fast, and there's no better place to do that than when querying Have I Been Pwned's Pwned Passwords service. (Ok, a lot less glamorous than the context of the previous statements, but also less likely to have a catastrophic outcome.) In December last year, Pwned Passwords saw not just a fresh batch of 225M new passwords from the NCA, but it also welcomed the ongoing ingestion of new passwords from the FBI. This created a lot of...

Weekly Update 283

A super quick intro this week as I take a bit of time out before a hectic week. It's hotel room quality audio this week, but that's a temporary state before I'm back home next week. I hope you enjoy week 283, so much FUD to debunk on website identity verification...

References:
I took issues - lots of issues - with DigiCert's guidance around how to verify website identity (with the EV cash cow dead, it's desperate times...)
New Zealand is now the 28th government to join HIBP (free and open access to query all data in the service for their gov domains.)
Sponsored by: Varonis. Reduce your ransomware blast radius with the leader in data-first security. Try it free!...