Privacy

A 7-post collection

These Cookie Warning Shenanigans Have Got to Stop

This will be short, ranty and to the point: these warnings are getting ridiculous: I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

I’m not sure if this makes it better or worse... “Cookie walls don't comply with GDPR, says Dutch DPA”: https://t.co/p0koRdGrDB — Troy Hunt (@troyhunt) March 8, 2019

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on...

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

When I launched Pwned Passwords in August, I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popular, although that was just the beginning... I launched V2 in February and pumped the number of passwords up to just over half a billion. The big difference, however, was the introduction of the k-Anonymity model developed by Cloudflare (special hat-tip to Junade...

Strawberrynet's privacy insanity

A little while back, I wrote about Website enumeration insanity and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page, plug in anyone's email address and they'll happily tell you if they'd signed up for a bit of swinger sex action. (Or at least whether their address is on the site; someone else could have entered it into the registration form. Honestly...) Now all that's bad, but as I pointed...

Going dark: online privacy and anonymity for normal people

Last week we got news of the Rosebutt data breach. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret. It doesn't matter if you don't agree with the lifestyle choice of those on the site and certainly I myself am not one to look around the house at everyday items and think "I wonder if that could...". That's entirely beside the point though, which is that a bunch of consenting adults now have their identities in the hands of an untold number of people who are willingly sharing the data around the web. But it didn't have to be...

Have I been pwned, opting out, VTech and general privacy things

It’s now going on two and a half years since I launched Have I been pwned (HIBP) and I’m continually amazed by how much has happened in that time. It started out with a “mere” 152M breached records and has now more than doubled in volume, I’ve added an API, notifications, domain searches, pastes and a heap of other things both visible to the public and behind the scenes. It’s also gone from a hobby project which I thought only a few curious technology people would visit to a site that’s seen over a million visitors in a single day in the wake of the Ashley Madison breach...

Disassembling the privacy implications of LinkedIn Intro

Update: 17 Feb 2014: Sanity has prevailed and the service has now been pulled. LinkedIn Intro has already become known by many names: A dream for attackers, A nightmare for email security and privacy and A spectacularly bad idea to mention but a few. Harsh words. The general consensus of people I’ve spoken to is that it’s fundamentally stupid and about the worst thing you could consider doing with your privacy. It looks like this: You probably didn’t know this, but apparently you want a third party to access your email, pull some data out of it, manipulate the contents then send it on for you. That’s every email you send. Oh...

Find my car, find your car, find everybody’s car; the Westfield’s iPhone app privacy smorgasbord

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public.

Intended use

Let’s begin with how the app looks to the end user. This all starts out life as the Westfield malls app in the iTunes app store...