Alright, let me get this off my chest first - I've totally lost it with these bloody Instamics [https://instamic.io/]. I've had heaps of dramas in the past with recordings being lost and the first time I do a 3-person weekly update only 2 of them recorded (mine being the exception). I was left with a zero-byte file on my unit which we tried to recover to no avail. It's not just that; the mobile app is clunky AF (Scott was demonstrating how many times he had to mash a button on his just to get it...

Geez time flies. It's just a tad under 4 years ago that I wrote about teaching kids to code with code.org [https://www.troyhunt.com/kids-and-code-simple-programming-on/] which is an amazing resource for young ones to start learning programming basics. In that post I shared a photo of my then 6-year-old son Ari holding a Lenovo Yoga 900 I gifted him as part of the Insiders program I'm involved in: He got a lot of mileage out of that machine and learned a lot about the basics of both code and us...

We're in Norway! More specifically, Scott Helme and I are in Hafjell [https://www.hafjell.no/en] and recording this after a day on the snow before heading back to Oslo and the NDC Security conference [https://ndc-security.com/] next week. For now though, we're talking about some really screwy global roaming behaviour with telcos, the Danish gov coming onto HIBP, babies in data breaches and the takedown of We Leak Info. We'll do this again together next week from Oslo and then again the followin...

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned [https://haveibeenpwned.com/] for 2020 - Denmark! The Danish Centre for Cyber Security [https://fe-ddis.dk/cfcs/Pages/cfcs.aspx] (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains. As the year progresses, I'll keep onboarding add...

I really should have started the video about 3 minutes earlier. Had I done that, you'd have caught me toppling backwards into the frangipani tree whilst trying to position my chair and camera which frankly, would have made for entertaining viewing. Instead, this week's update is focused primarily on a completely different epic fail, namely Surebet247's handling of a breach impacting their customers. I chose those words carefully as it now seems almost certain the breach was actually of BtoBet an...

This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal w...

I couldn't get 2 days into the new decade without having to deal with ridiculous password criteria from Tik Tok followed by my phone automatically associating with what it thought was my washing machine whilst in a grocery store on the other side of the world (yep, you read that correctly). It somehow seems to just be reflective of how crazy online security is becoming in the modern era. On the plus side, Chrome is making some really positive changes to how it handles cookies so it's not all bad...

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it: If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes. What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes. Last one: what if an attacker di...

Sitting down to do this one today I thought it would be brief, turns out a bit more ended up on the agenda than I expected. The GoGetSSL bit in particular was unfolding as I recorded and to their credit, they later apologised for their "rude messages" [https://twitter.com/gogetssl/status/1210842825992085506] which is a good sign. I still intend to finish writing up the blog post because the issues they've raised need tackling, but as with the Sophos example I also talk about, it's good to see a...

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month [https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/] . For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish perso...