Home again! Another NDC is down and I talk a little about how the talks were rated and about PubConf [https://pubconf.io/] (make sure you get to one of these one day!) I've got another couple of weeks at home before any more travel and I'll talk more about the next things as they draw closer. This week, I'm on my new iPhone (which is very similar to my old iPhone), I'm talking about Uber getting fined, Cloudflare introducing some very cool new things, Firefox Monitor launching on top of the HIB...

I have a love-hate relationship with ad blockers. On the one hand, I despise the obnoxious ads that are forced down our throats at what seems like every turn. On the other hand, I appreciate the need for publishers to earn a living so that I can consume their hard-earned work for free. Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters...

It's another day-late weekly update courtesy of another hectic week. Scott and I were at NDC Sydney doing a bunch of talks and other events and I just simply didn't get time to push this out until sitting at the airport waiting for the plan home. This week's update is a little different as we did it at SSW's [https://www.ssw.com.au] recording setup in front of a live audience. Better video, better audio and some questions asked in the process too. Other than that, it's business as usual: more k...

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave w...

We're on a boat! This week, Scott Helme is back in town so I'm treating him to a rare sight for the Englishman - sunshine ☀️ We're also talking about my .NET Conf talk, Chrome's visual changes (and rolling back some of them), the FreshMenu data breach, getting better at filtering CSP reports, the effectiveness of public shaming, the kayo.moe credential stuffing list and lastly, Scott talks about his blog post on protecting sites from modified JavaScript (now linked to in the references below)....

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned [https://haveibeenpwned.com] (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe [https://kayo.moe/] is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which a...

Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post), is when another group of folks pop up and accuse the outraged group of doing a bit o...

It's been a week of travel for me with API Days in Melbourne on Tuesday, Fortinet Fast & Secure in Sydney on Wednesday then the Varonis webinar yesterday (recorded, I'll share once it's online). Be that as it may, I did manage to pump out a long-awaited blog post on the total cost of running Pwned Passwords in HIBP and its... 2.6c per day ? This week there's also a few random things ranging from online authenticity (the human kind), changes in Chrome 69 (there's some major visual security indic...

As time has gone by, one of the things I've enjoyed the most in running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst at the same time, running it on a shoestring? I keep finding new ways of optimising cost and the two most significant contributions to that since launching almost 5 years ago have come via serverless technology provided by 2 of my favourite tech companies: Cloudflare and Microsoft. By way of (v...

A few little bits and pieces this week ranging from a new web cam (primarily to do Windows Hello auth), teaching my 8-year-old son HTML, progress with Firefox and HIBP, some really ridiculous comments from Namecheap re SSL (or TLS or HTTPS) and a full set of Pwned Passwords as NTLM hashes. I didn't mention it when I recorded, but there's already a bunch of sample code on how to dump your AD hashes and compare them to the Pwned Passwords list in the comments on that blog post. Also, just in case...