I’m a responsible parent so I use the controls on iOS to limit screen time on the old iPhone my 9-year-old uses. A whitelisted exception is iMessage; he’s worked out he can send someone a YouTube vid then watch it in iMessage to circumvent the control. So proud 😅
I’d like to say a big “thank you” to @realDonaldTrump for providing me with material that’s going to feature in many, many presentations for years to come 🤣
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")?
5 months to the day since @elonmusk took over Twitter. It still works just fine. There are new features. This isn’t the outcome many people were predicting.
It's time for @haveibeenpwned to grow up and go beyond what I can do as one person. This has taken a lot of thought over the course of this year; here's the factors driving it, the path forward and what it means for the future. Here's Project Svalbard:
I do my best with @haveibeenpwned. It takes huge amounts of time and effort and sometimes, is a thankless pursuit. I don’t reply to messages like this, but I’m sharing it to give just a little bit of a sense of the stuff I have to deal with to make it happen.
New breach: Horse Isle had 28k unique email addresses breached in 2020 - twice. Data included IP address, name, gender, purchases and plain text password, including failed password attempts, also in plain text. 77% were already in @haveibeenpwned. More:
This will be a hugely unpopular thing, however...
The premise of attaching a nominal cost to a previously free service in order to combat abuse is exactly what I did with the @haveibeenpwned API keys 4 years ago:
This stopped abuse dead. Not a little…
Starting today, we're testing a new program (Not A Bot) in New Zealand and the Philippines. New, unverified accounts will be required to sign up for a $1 annual subscription to be able to post & interact with other posts. Within this test, existing users are not affected.
This…
One day, I'm going to do a NSFW only conference talk on the weirdest data breaches I've ever processed. The one I just got sent is going to be right up there at the top of the list. HOLY. SHIT.
Call comes in:
“Hi this is Telstra, we need to verify your identity”
“Sure, can you verify your identity first?”
“Uh, we’re Telstra”
“Ah, but that’s not how this is going to work, can you verify my account information”
“But we need to verify you first!”
Yeah, nah, bye!
People have been telling me to do this for ages so here it is - I'm open sourcing the code base for @haveibeenpwned. It's non-trivial, but it's the right thing to do. Here's the story:
I've wanted to do this post for ages & it's finally done - "Here's Why Your Static Website Needs HTTPS". It's a 24 min video showing a bunch of nasty stuff that can happen to *any* site served insecurely from crypto miners to credential phishing to Clippy:
New data breach now loading into @haveibeenpwned that'll push it *well* over 10,000,000,000 records. Wow. Insane, never thought I'd be here doing this with those numbers. It's been a fun little project 🙂
It's been a huge piece of work, but it's done: here's more than half a billion passwords for you to download for free and use to help protect your systems. Or use the online k-Anonymity API developed in conjunction with @Cloudflare. It rocks!
10 years ago today, I started a pet project with a stupid name. Like all my previous projects, I expected it to scratch an itch and then fail miserably. But @haveibeenpwned didn't do that, not by a long shot. A decade later here we are! 🎂
Felt really sad waking up and seeing “RIP Kevin” in my timeline. I doubt there is a more well known name in our industry but if he’s unfamiliar to you (or you haven’t read this book), go and grab “Ghost in the Wires” which is an exceptional read.
Kevin started regularly coming…
I’ve had a lot of people tweeting this at me so let me give you 2 thoughts on it:
1) Making 2FA a premium service sends a bad message
2) Putting a price on the weakest form of 2FA and keeping 2 much better alternatives free is good
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
Every time I come back to Europe, I’m reminded of the absolute batshit insanity that cookie warnings are. Idiotic, poorly thought out, user experience-killing compliance garbage that can’t possibly do anything to improve privacy in any meaningful way whatsoever.
I took the brief tweet thread I did earlier today on the alleged @MinneapolisPD hack and ran the emails and passwords through @haveibeenpwned. It's not a new breach, it's existing data that's falsely attributed and is causing disinformation to spread
Remember when the biggest worry we had about candles was the house burning down because *you* left one on? Get ready for other people to start sparking them up for you remotely with “smart” candles... with real fire!
Alleged breach of 400M+ Twitter accounts. Legitimacy isn’t yet clear, but the aggressive, threatening wording is unmistakable. Of course Twitter will never pay, so let’s see what happens next.
So I just managed to lock out the @haveibeenpwned Twitter account by putting the service's birthday in and falling afoul of minimum age requirements. I'll get it sorted in a jiffy, just a heads up in case anyone notices something is up and wonders what happened.
I'm so sick of those bullshit "your article is really nice, I think your readers would find my article useful, please link to it" spam emails that I've decided to start featuring them all. Well, kinda, here's what I'm going to do:
The company that sent me the pictured fingerprint lock has provided the security quote of the year: “...the lock is invincible to the people who do not have a screwdriver.”
Good one @Visa, absolutely no warning about truncating generated passwords from @1Password. The account gets created but then I can't login until I view the DOM and chop the end off my >32 char password. This doesn't need to be this hard...
I’m very happy to announce that @haveibeenpwned’s Pwned Passwords is now open source under the @dotnetfdn. Now we’ve got some work to do: building an ingestion pipeline for new passwords provided by the @FBI on an ongoing basis. This is super cool 😎
I’m astounded to see people still arguing “my site doesn’t need HTTPS” so I’ll put it simply: either spend a few mins putting it on your site now or continually explaining to your visitors why your site is not “not secure” until you end up doing it anyway. It’s not a negotiation.
It had to happen eventually - I made a mistake in "the cloud" that just cost me over $11k. Ouch! Here's what happened, and what I've done to make sure it never happens again:
Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer's laptop? Feels a little off-brand.. cc @GMFlickinger
I've had a blog post in draft for years that's been a bit of a pet project: "Fundamental Financial Lessons for Technology Professionals". Is this something you'd like to read? What would you like to see in it? I want to finally knock it out over the next few days.
Wow, surprised at how much positive feedback this is garnering so quickly, I'm pretty stoked :) "Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach"
Super proud of Ari for building up a new website by hand-writing every line of HTML and FTP’ing it up to the cloud. Small steps, but every great website began here. The first version of is now live!
Pwned Passwords just passed 4 ***BILLION*** requests a month for the first time 🎉
But here's the really cool bit: following the rollout of @Cloudflare Cache Reserve earlier this month, our cache hit ratio is now up to 99.999% 😲
So, if you made one of the 189M requests we saw…
HSBC: “Customers can enter additional characters on their password and it be accepted as a successful logon. We don’t classify this as a security risk”
Friendly reminder as a fellow parent: never ever ever ever install spyware on your kid's phone. Seriously, do some "offline parenting" and talk to your kids about online risks, *never* resort to deliberately weakening their personal security
I’m a parent with young kids now coming online. I’m also a guy who sees a lot of data breaches and no-way no-how will I ever resort to installing this sort of product on either of my kids’ devices.
My 5 year old daughter came up to my office earlier today: “Daddy, can we do some coding?”. Yes! Absolutely yes! A few mins later and she’s on which is just awesome 😎
Hey, you know what would be cool? If @1Password was to integrate with my newly released Pwned Passwords k-Anonymity model so you could securely check your exposure against the service (it'd have to be opt in, of course). Oh wow - look at this!
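The k-Anonymity model mentioned in the two Pwned Passwords tweets above (the Cloudflare API one and this one) works by hashing the password locally, sending only the first 5 hex characters of the SHA-1 to the range endpoint, and comparing the returned 35-character suffixes on the client, so the full hash never leaves the device. The following is an added illustration of that client-side logic; it is not code from the HIBP code base. The `fake_range_lookup` function stands in for the real HTTPS call to the `/range/{prefix}` endpoint so the example runs offline, and the sample response body and its counts are constructed (only the SHA-1 of the string `password`, `5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8`, is real).

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a /range/{prefix} response body. Each line is
# "<35 hex chars of SHA-1 suffix>:<count>", CRLF-separated. The suffix on the
# first line is the real suffix for "password"; the counts are made up, the
# second line is a constructed near-miss, and the third is a constructed
# padding entry (count 0) of the kind the API emits when padding is requested.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:0\r\n"
)


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Only the prefix used by the sample is populated; anything else returns an
    empty body. A real client would issue the HTTPS request here and send
    nothing but the 5-character prefix.
    """
    return {"5BAA6": SAMPLE_RANGE_5BAA6}.get(prefix.upper(), "")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded password (computed locally)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays on the client."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    Only the prefix is handed to range_lookup; the suffix comparison happens
    here. Padding entries carry a count of 0, so they never register as a hit.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fake_range_lookup)
        verdict = f"seen {n} times" if n else "not in sample"
        print(f"{candidate!r}: prefix {split_hash(sha1_hex(candidate))[0]} sent, {verdict}")
```

The design point is the last function: the server learns a 5-character prefix that matches hundreds of hashes, and the client does the final match, which is what makes an opt-in integration from a password manager privacy-preserving.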
This is a real life honest to god password prompt for our company internet banking account with @jpmorgan.
I really wasn't ready for an IQ test today. JFC.
So here's the hard facts - I'm dipping into my pocket every week to the tune of... $7.40 for you guys to do 54M searches against a repository of half a billion passwords 🙂
Dear Americans, I know you like to do that MM/DD thing, but it confuses the hell out of the rest of the world so how about we all just use letters for the month instead? I have no idea if 2/3/18 is Feb or Mar and the fix is so easy...
(and yes, I always use DD/MMM/YY)
I started writing this post years ago, adding to it as my own personal journey progressed. Today, on New Year's Eve when people are thinking more about goals, I'm very happy to finally share it: "10 Personal Finance Lessons for Technology Professionals":
Artificial inflation of page popularity through the posing of inane questions that in turn artificially inflate the respondents’ sense of intelligence thus gaining massive levels of engagement as otherwise smart people fall for that one simple trick give me the shits 💩