Login
Somewhere in the next few hours from publishing this post, I'll finally push the HIBP domain search changes live. I've been speaking about it a lot in these videos over recent weeks so many of you have already know what it entails, but it's the tip of the iceberg you've seen publicly. This is the culmination of 7 months of work to get this model right with a ridiculous amount of background effort having gone into it. Case in point: read my pain from last night about converting thousands of words of lawyer speak T&Cs from Microsoft Word to HTML. As if preparing these wasn't painful enough, trying to make them simply play nice on a web page has been a nightmare! (I settled for dumping stuff in a <pre> tag for now and will invest the time in doing it right later on.)
I hope you enjoy this week's video, I'll talk much more about the domain search bits in the next video, hopefully following a successful launch!
IoT, breaches and largely business as usual so I'll skip that in the intro to this post and jump straight to the end: the impending HIBP domain search changes. As I say in the vid, I really value people's feedback on this so if nothing else, please skip through to 48:15, listen to that section and let me know what you think. By the time I do next week's vid my hope is that all the coding work is done and I'm a couple of days out from shipping it, so now is your time to provide input if you think there's something I'm missing that really should be in there π
Sad news to wake up to today. Kevin was a friend and as I say in this week's video, probably the most well-known identity in infosec ever, and for good reason. He made a difference, and I have fun memories with him π
Felt really sad waking up and seeing βRIP Kevinβ in my timeline. I doubt there is a more well known name in our industry but if heβs unfamiliar to you (or you havenβt read this book), go and grab βGhost in the Wiresβ which is an exceptional read.
β Troy Hunt (@troyhunt) July 20, 2023
Kevin started regularly coming⦠pic.twitter.com/w1UMm7mGa8
In other news, I share a lot more on the upcoming domain search changes in this week's video and I've gotta say, I'm feeling pretty good about them. I spent most of the day after recording this writing code and drafting the blog post and I'm pretty damn happy with each right now. I'll keep sharing more info via these updates to the extent that by the time everything launches in a couple of weeks, you'll know it all anyway if you're paying attention here π
Today was a bit back-to-back having just wrapped up the British Airways Magecart attack webinar with Scott. That was actually a great session with loads of engagement and it's been recorded to so look out for that one soon if you missed it. Anyway, I filled this week's update with a bunch of random things from the week. I especially enjoyed discussing the HIBP domain search progress and as I say in the video, talking through it with other people really helps crystalise things so I think I'll keep doing that as the dev work continues. Stay tuned for more on that next week, see you then π
Alrighty, "The Social Media". Without adding too much here as I think it's adequately covered in the video, since last week we've had another change at Twitter that has gotten some people cranky (rate limits) and another social media platform to jump onto (Threads). I do wonder how impactful the 1k tweet view limit per day is for most people (I have no idea how many I usually see, I just know I've never hit the limit yet), and as I say in the video, I find it increasingly hard to tell when community outrage is evidence-based versus "because Elon". Strange times, for now I'll just keep a foot in each camp and then who knows how the whole thing will play out in the future.
I'm in Thailand! It's spectacular here, and even more so since recording this video and getting out of Bangkok and into the sorts of natural beauty you see in all the videos. Speaking of which, rather than writing more here (whilst metres away from the most amazing scenery), I'm going to push the publish button on this week's video and go enjoy it. Seeya! π
This feels like a week of minor frustrations with little real world consequence but they just bugged the hell out of me. Couldn't record in my office due to a weird ground loop problem, my Home Assistant instance was unexpectedly rebooting, the Yale IoT door locks had near unprecedentedly bad UX... and then I saw Miele's IoT π Other than that, everything is fine π
Domain searches in HIBP - that's the story this week - and I'm grateful for all the feedback I've received. I've had a few messages in particular since this live stream where people gave me some really excellent feedback to the point where I've now got a much clearer plan in head as to what this will look like. I need to keep writing code, revising the draft blog post to announce it then sometime in hopefully about a month, push it all live. What I'm zero'ing in on now is a free tier that covers most domains, a very low entry fee for almost every personal or small business case you can think of and then a few tiers above that to cover the rest. Do keep that feedback coming, it's all read, it's all taken onboard and I'm responding to absolutely everyone that sends it to me. If you're one of those people, thank you π
I spent most of this week's update on the tweaking I went through with Azure's API Management service and then using Cloudflare to stop a whole bunch of requests that really didn't need to go all the way to the origin (or at least all the way to the API gateway sitting in front of the origin Azure Function instance). I'm still blown away by how cool this is - tweak the firewall via a web UI to inspect traffic and respond differently based on a combination of headers and response codes and bam! A massive reduction in unnecessary traffic follows. That's so cool, I love cloud π
And so ends a long period of back-to-back weeks of conferences and talks. It's funny how these things seem to cluster together at times and whilst the last 6 or 8 weeks (I honestly lose track!) have been chaotic, I've now got a few weeks of much less pressure which will give me time to finally push out some HIBP stuff that's been in the wings for ages. I've just got to get through this weekend first, stay tuned for pics on social for that, it's going to be pretty epic π
This week's update is dominated by my experience with "Lena", the scammer from Gumtree who tried to fleece my wife of $800. There's a blow-by-blow rundown of how it all happened in this video and it's fascinating to think that these things can actually be successful given all the red flags. But they are, and in Australia alone innocent victims are stung to the tune of more than 3 billion dollars every year by fraudsters which is a staggering number. Understanding how these scams work and sharing that knowledge broadly with the less technical of those around us is part of how to combat this, so please share the tweet thread generously... and enjoy the entertainment π
I feel like the .zip TLD debate is one of those cases where it's very easy for the purest security view to overwhelm the practical human reality. I'm yet to see a single good argument that is likely to have real world consequences as far as phishing goes and whilst I understand the sentiment surrounding the confusion new TLDs with common file types, all "the sky is falling" commentary I've seen is speculative at best. But hey, there's no rolling it back now, we can start judging by what actually happens with the TLD rather than sitting around creating misuse hypotheses.
A late one this week as I cover from the non-stop conferencing that was the Azure user group in Perth, followed by the Cyber West keynote, then the social drinks that night, the flight back home straight into the AusCERT gala dinner, the panel on data governance that morning then wrapping up with the speed debate Friday arvo. I think that's all... Anyway, better later than never and nothing too serious in this week's update. Personally, I'm finding the house works the most fun to talk about so I'm going to hit the publish button on this post now then go back to drafting the blog series on everything we've done π
It's a bit of a mixed bag this week with a very light-hearted look at the death of the browser padlock icon (which has been replaced by an icon that looks like a sex act), and a much more serious discussion about divorce. It took a long time to write and be ready to publish that blog post, many years in fact, but I'm so glad I did. You don't have to scroll far through the responses to the launch tweet or the comments on the blog itself to get a sense of how it's impacted people, and as I said in the very opening of the post, this sort of openness tends to be really well received. Wherever you are in your own stage of life, I hope you enjoying reading that post and share it generously with those for whom it might just make a real difference.
I stand by my expression in the image above. It's a perfectly accurate representation of how I looked after receiving the CityJerks breach, clicking on the link to the website then seeing what it actually was π³ Fortunately, the published email address on their site did go through to someone at TruckerSucker (π³π³) so they're aware of the breach and that it's circulating broadly via a public hacking website. That segment is last up in this week's video and I do give fair warning just in case you're not in the best environment to be watching that part of the update. Viewer discretion advised!
I feel like a significant portion of this week's video went to discussing "the Coinbase breach that wasn't a Coinbase breach". There are various services out there that are used by the likes of password managers to alert their customers to new breaches (including HIBP in 1Password) and whoever Dashlane is using frankly, royally cocked up the attribution. What was a garden variety list of email addresses someone had just chucked the "Coinbase" name on had absolutely nothing to do with a breach of the crypto company. It's frustrating to watch, and I suspect that will come through when you watch the video too. See what you think.
A bit late this week as I've prioritised time out with the family doing as many New Zealand adventure things as we can. And we've seriously maxed out the time, as you can see via the FB link below. But that hasn't stopped a couple of new data breaches flowing into HIBP nor me having some pretty direct thoughts on the premise that the vast bulk of IT pros are being told not to report data breaches. I hope you enjoy this impromptu vid from a faraway location at an odd time, I'll be back to normal again next week.
Next time I post a poll about something as simple as "when is next Friday", I don't expect I'll get as much interest. Of course "next time" will be whatever poll follows the last one, not the poll that falls after that one! But more seriously, I cannot think of a better example of ambiguous language that's open to interpretation and so easily avoided (hello MM-DD people!)
Also, Genesis Market and Operation Cookie Monster. This is just amazing stuff and a testament to a coalition of law enforcement agencies across the globe that have now made well over 100 arrests. Off the back of the NCA's DDoS market honeypot, the BreachForums admin arrest and the takedown of RaidForums before that, if you're playing in this space you'd have to be looking over your shoulder by now. Interesting times in cyber(crime) space.
Most of this week's video went on talking about the UniFi Dream Wall. What a unit! I mean it's big, but then it wraps a lot of stuff up in the one device too. If you watch this and have thoughts on how I can integrate it into the new garage such that it doesn't clash with the dark theme, I'd love to hear about it. I'll share more once I set it up in the coming weeks but for now, enjoy this week's video π
I'm excited about coming to Prague. One more country to check off the list, apparently a beautiful city and perhaps what I'm most stoked about, it's the home of Prusa 3D. Writing this as I wrangle prints out of my trusty MK3S+, I'm going to do my best to catch up with folks there and see some of the super cool stuff they're doing. Other than that, this week is full of the usual; data breaches, IoT and a cold πΊ
Why can't I audio right? It's my 339th video and I still make mistakes π But it came good and we got a decent show out of it with lots of interesting engagement even though doing this a lot later in the day than usual. I found the discussion around IoT door locks especially interesting as it's a real nexus of security, usability and a bit of critical thinking about real world risks. That term "security absolutism" that came up in the comments is gold, I hope you enjoy watching this episode.
I'm going lead this post with where I finished the video because it brought the biggest smile to Charlotte's and my faces this week:
This. Is. Amazing π pic.twitter.com/wOl4kpK841
β Troy Hunt (@troyhunt) March 3, 2023
When I talked about the McLaren in this week's video, Frits made the comment "the smile on your face says it all", which absolutely nailed it. But more than that, it brings a smile to the face of everyone who sees it (I suspect the colour helps), we're just loving seeing the excitement expressed by kids and adults alike. It's so much fun π
Less fun is dealing with Eye4Fraud. 24 hours on from recording this video, there's still zero visible progress and I lament that this one is just going to slip beneath the radar. If you're in the breach, do push for answers, it really shouldn't be this hard. All that and more in this week's video, enjoy!
Guns! You know, the things you kinda want to keep pretty well protected and out of the hands of nefarious parties, like the kinds of folks that following their data breach could match firearms to an individual at an address on a phone number of a gender and specific age. But don't worry, no financial information was compromised! π€¦ββοΈ
All that and more in the 337th addition of my weekly update, enjoy!
Hey, it's double-Troy! I'm playing with the Insta360 Link cam, a gimbal-based model that can follow you around the room. It's tiny and pretty awesome for what it is, I'm doing some back-to-back with that and my usual Sony a6400 this week. A little note on that: during the live stream someone suggested there was some lag from that camera (very minor, they suggested), but others couldn't see it. I've just been watching a bit of the video while writing up this post and I reckon they're right. Try the 3:02 mark, for example, where on Insta360 Link I have my finger up but on the Sony a6400, I don't:
It's very minor, but it's just enough to notice. Anyway, see what you think, all that a much more in weekly update 336:
No cyber. It's literally a "cyber-free" week, as least far as the term relates to security things. Instead, I'm unboxing an armful of Insta360 goodies and lamenting the state of IoT whilst putting even more IoT things into our massive garage renovation. I'm enjoying it though. Honestly. I think...
Did I really need to get a connected BBQ? No more than I needed to connect most of the other things in the house which is to say "a bit useful but not entirely necessary". But it's a fascinating process when looked at through the lens of how accessible the technology is to your average person given it's embedded in a consumer-orientated product. In short - it's painful - but listen to this week's update to hear precisely why. Plus, there's a heap of new data breach and some really, really good news about the NTLM hashes now being available in Pwned Passwords. Enjoy π
Getting everything out nice and early today so we can get out there in hit the wake park in the balmy "well over 30C" weather (the radio is talking about "severe heatwave weather" as I write this). But hey, we're surrounded by water and a beer delivery is due today so no crisis π There's also a heap more data breach news and I'll be putting that connected BBQ to use for the first time today, stay tuned for epic pics on all of the above over the coming hours!
Breaches all over the place today! Well, this past week, and there's some debate as to whether one of them is a breach, a scrape or if the term just doesn't matter anyway. Plus, we've been kitchen shopping, I'm helping friends out with connected doorbells and other random but somehow related things this week. Enjoy π
Well and truly back into the swing of things in the new year, I think what I've found most satisfying this week is to sit down and pump out a decent blog post on something technical. It's an itch I just haven't had enough time to scratch properly in recent times and I really hope Pwned or Bot makes up for that. I love that it's generating discussion (both for and against) and that it's causing people to stop and think about how we establish the legitimacy of identities in an increasingly bot-centric world. I hope you enjoy this week's update and all the conversation surrounding it.
Big week! So big, in fact, that I rushed into this week's update less prepared and made it a very casual one, which is just fine π It's mostly password books and kitchen equipment this week, both topics which had far more engagement than I expected but made them all the more interesting. Next week I'll get back into the pattern of switching between last thing Friday and first thing Friday so it'll be my morning again on the 20th, see you then!
Strap yourself in, this is a big one! Big video, big breach (scrape?), and a big audience today. The Twitter incident consumed a heap of my time before, during and after this live stream, but then I go and get a sudden itch to do stuff like the number plate capturing and, well, there goes even more hours I don't have. But hey, I love what I do and I have no regrets, I hope you enjoy watching this week's vid π
Oh - one more thing: today I set up an official Mastodon account for HIBP. If you've got a footprint in the fediverse, please go and give the account a follow. There are a bunch of others out there that definitely aren't run by me, it's only this one, it only follows me personally and it has a verified website of haveibeenpwned.com so should be easy to find even if you don't follow the link above.
We made it! That's 2022 done and dusted, and what a year it was, both professionally and personally. It feels great to get to the end of the year with all the proverbial ducks lined up, some massive achievements now behind us (not least of which was the wedding), and a clean slate coming into 2023 to do amazing things. I'm super excited about next year and can't wait to share a whole bunch of new stuff over the coming 52 Fridays. For now though, here's the last of it from a pretty crazy year, enjoy π
It's my last weekly update on the road for a while! As enjoyable as travel is, I'm looking forward to getting back to a normal routine and really starting to smash out some of the goals I have for the coming year. For now though, I've published this a couple of days after recording, and a day after an awesome hot, beachside Christmas. Hope yours has been amazing too, see you from home next week π
Despite having both my tripod and mic in the wrong suitcase in the wrong place, Scott and I still pulled together a weekly vid from the Norwegian mountains. Much of this week is a combination of our travels here, responses to my tweets around cookie warnings and reactions to Elon's various decisions (and undecisions) on Twitter. Plus, there's the CoinTracker and Gemini breaches which appear to have stemmed from the SendGrid breach, the connection to that incident having been made by CoinTracker just after we had a friendly exchange about the description in HIBP π
I'll leave you with some epic pics we snapped a few hours after this video, what a sight to behold, especially whilst sitting in the hot tub with good friends and cold beer π
π€― pic.twitter.com/Q5hYc0tGHd
β Troy Hunt (@troyhunt) December 17, 2022
For the first time in I don't know how long, I couldn't do this live. Turns out both cell and wifi in Lapland are, with the benefit of hindsight, exactly what you'd expect from a remote location in the Arctic circle. The rest of the place was pretty amazing though, and a good deal of this week's content has gone to that. Plus, there's the whole "Australia becoming the world's most cyber-secure country" goal which deserves discussion. Oh - and the tweet with that pic I discuss - I'll just leave that one here π
Sometimes, life feels like a fairytale. This is now my favourite photo ever β€οΈ pic.twitter.com/lspKwVVSly
β Troy Hunt (@troyhunt) December 9, 2022
We're in Copenhagen! Scott and family joined us in Oslo for round 2 of wedding celebrations this week before jumping on the ferry to Copenhagen and seeing the sights here. There's lots of cyber things in this week's vid relating to HIBP's birthday, Medibank and financial penalties for breaches, but I'm just going to leave you with one of the most amazing moments of my life captured in pics:
π³π΄ β€οΈ π°ββοΈ π€΅ pic.twitter.com/pPY49DArIF
β Troy Hunt (@troyhunt) December 2, 2022
Finally, after nearly 3 long years, I'm back in Norway! We're here at last, leaving our sunny paradise for a winter wonderland. It's almost surreal given how much has happened in that time, not just the pandemic but returning to Oslo with Charlotte as my Norwegian wife is super cool π Other things this week are not so different, namely people complaining on Twitter (albeit also complaining about Twitter). As I find myself continually caveating, YMMV but it does feel like events are being overly dramatised by some at present. Time will tell, but I think we'll all still be using the platform to complain about things just as effectively in a year from now as we are today π
It's very strange to have gone 1,051 days without spending more than a few hours apart, but here we are... very temporarily:
Only 15,501km away π’ And only 4 days until I head back to Oslo π pic.twitter.com/PDn1Syplig
β Troy Hunt (@troyhunt) November 20, 2022
Which means that right now, I'm throwing myself into a gazillion other things to keep me busy including how schools advise parents to manage devices, wrapping gup that HTML signature, asking probing questions about paying ransoms and, unbelievably, fighting off the most ridiculous claim of HIBP having been P'd. That last one especially, FFS, just listen...
What a week to pick to be in Canberra. Planned well before things got cyber-crazy in Australia, I spent a few days catching up with folks in our capital and talking to the Australia Federal Police for scam awareness week. That it coincided with the dumping of Medibank customer health records made it an especially interesting time to talk with police, politicians and industry leaders. A bit of a bizarre, whirlwind week if I'm honest, but full of very positive encounters even though it coincided with such a demanding time for many of us in this industry down here.
FreshRSS 