Mastodon

Weekly update

A 508-post collection

Weekly Update 512: IoT Lockout Fail

"Build a smart home", they said. "It'll make life so much better", they said. Well, life wasn't very bloody good at 23:00 the other night after travelling 33 hours from Paris only to find the IoT doorlock batteries dead and the 9V "jump start" procedure completely failing! Eventually, the locksmith arrived and opened an old-school physical lock on another door in an alarmingly short time. So, lessons: 1. Battery-powered locks suck and will eventually lock you out of your house 2. Don't trust...

Weekly Update 511: Live from my Riad in Marrakech

How's this for a location?! I mean, last week was nice with Scott in Mallorca, but Marrakech is, well, wow 😮 Anyway, about those data breaches... This week I'm talking about the futility of attempting to remove piss from a pool, yet here we are, with various companies wanting to place that message alongside the very data breaches they can do nothing about! As I say in the post, I don't question the good intentions behind setting up a service to try to scrub data from legally operating data brok...

Weekly Update 510: Live From Mallorca with Scott Helme

How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing their transport later security property, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year, I...

Weekly Update 509

I know enough about home cinema audiovisual to know there's a lot I don't know. It's conscious incompetence, if you like, which is different to the unconscious incompetence most people have on the topic. That's not to sound derogatory (it's spelled out that way in the competence model), rather it recognises that this is a super specialised area and as soon as you start scratching the surface, things get very complex and very expensive really fast. But it's also exciting, and what we've got in th...

Weekly Update 508

Light switches. How on earth is it so hard to find decent light switches?! It sounds ridiculous until you actually spend enough time looking for ones that meet two simple criteria: 1. Aren't stateful (switch is up or down, has to be push-button) 2. Looks good Now, I'm conscious that this is also very likely an Australian problem, more so than a European or North American one. We're pretty limited by what we get down here, and because it involves electricity, the switches here have to pass al...

Weekly Update 507

1,000 breaches is one hell of a milestone. It's not just the process of getting data, verifying it, loading it, sending notifications etc, it's all the other stuff that goes into keeping the whole thing afloat. Legal docs. Trademarks. Accounting. Agreements. The most mind-numbingly boring stuff you can imagine happening in the background so that the stuff you see in the foreground can all work. And then there are those "other things" I had to deal with along the way, but more of that in this wee...

Weekly Update 506

I'm finding it quite fascinating to watch the current spate of ShinyHunters breaches and dumps. There's the obvious criminality of it all, but then there's also the response from organisations (or lack thereof, as it relates to disclosure to victims), the appearance and disappearance of victims on their dark web site, the speculation around payments and so on and so forth. And it's seemingly endless - I mentioned DentaQuest during the video, and sure enough, the next day, a 233GB corpus allegedl...

Weekly Update 505

Well, that didn't last long! Recording this on Saturday morning my time, I observed ShinyHunters having gone quiet since the massive haul that would have been the Instructure ransom. It was two weeks almost to the hour since I'd first heard rumour of payment being made, and I posited that groups like this often go quiet after they feel the heat, only to emerge shortly after, the drug that is hacking being too strong to ignore. Anyway, here we now are: 🚨🇺🇸 ShinyHunters Claims 3 New Victims...

Weekly Update 504

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach, and I've seen a raft of commentary around other companies reaching "agreements", which is a much politer way of saying "we paid extortionists a ransom". I'm concerned about the normalisation of ransom payments, and using language that deflects from the criminal nature of it is a big part of that. Instructure's exact words were that...

Weekly Update 503

Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time....