And then there was the biggest data breach to go into HIBP ever! I wrote that sentence from home just after publishing all the data, then I got on a plane...
Holy cow that's a lot of emails! Hundreds upon hundreds of emails came in whilst on the way to Dubai, more than I'll ever be able to respond to. Plus, I'm actually trying to have some downtime with my son on this trip particularly over the next few days so a bunch of stuff is going to have to go unanswered or at best, delayed. Mind you, a heap of them were asking questions already addressed in the blog post, but that's just the nature of the internet.
What I will say is that if you're interested in more details on this incident, do read the comments. It'll give you a sense of the way this sort of thing impacts everyday people, and it'll also give you a sense of the sort of comments I have to deal with after these incidents...
Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper.
Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)
In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.)
The unique email addresses totalled 772,904,991. This is the headline you're seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It's after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of "cleanliness". This number makes it the single largest breach ever to be loaded into HIBP.
There are 21,222,975 unique passwords. As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements. Regardless of best efforts, the end result is not perfect nor does it need to be. It'll be 99.x% perfect though and that x% has very little bearing on the practical use of this data. And yes, they're all now in Pwned Passwords, more on that soon.
That's the numbers, let's move onto where the data has actually come from.
Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image:
As you can see at the top left of the image, the root folder is called "Collection #1" hence the name I've given this breach. The expanded folders and file listing give you a bit of a sense of the nature of the data (I'll come back to the word "combo" later), and as you can see, it's (allegedly) from many different sources. The post on the forum referenced "a collection of 2000+ dehashed databases and Combos stored by topic" and provided a directory listing of 2,890 of the files which I've reproduced here. This gives you a sense of the origins of the data but again, I need to stress "allegedly". I've written before about what's involved in verifying data breaches and it's often a non-trivial exercise. Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all.
However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I've personally seen and verified), but per the quoted sentence above, the data contains "dehashed" passwords which have been cracked and converted back to plain text. (There's an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 is as good as useless.) In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see.
So that's where the data has come from, let me talk about how to assess your own personal exposure.
Checking Email Addresses and Passwords in HIBP
There'll be a significant number of people that'll land here after receiving a notification from HIBP; about 2.2M people presently use the free notification service and 768k of them are in this breach. Many others, over the years to come, will check their address on the site and land on this blog post when clicking in the breach description for more information. These people all know they were in Collection #1 and if they've read this far, hopefully they have a sense of what it is and why they're in there. If you've come here via another channel, checking your email address on HIBP is as simple as going to the site, entering it in then looking at the results (scrolling further down lists the specific data breaches the address was found in):
But what many people will want to know is what password was exposed. HIBP never stores passwords next to email addresses and there are many very good reasons for this. That link explains it in more detail but in short, it poses too big a risk for individuals, too big a risk for me personally and frankly, can't be done without taking the sorts of shortcuts that nobody should be taking with passwords in the first place! But there is another way and that's by using Pwned Passwords.
This is a password search feature I built into HIBP about 18 months ago. The original intention of it was to provide a data set to people building systems so that they could refer to a list of known breached passwords in order to stop people from using them again (or at least advise them of the risk). This provided a means of implementing guidance from government and industry bodies alike, but it also provided individuals with a repository they could check their own passwords against. If you're inclined to lose your mind over that last statement, read about the k-anonymity implementation then continue below.
Here's how it works: let's do a search for the word "P@ssw0rd" which incidentally, meets most password strength criteria (upper case, lower case, number and 8 characters long):
Obviously, any password that's been seen over 51k times is terrible and you'd be ill-advised to use it anywhere. When I searched for that password, the data was anonymised first and HIBP never received the actual value of it. Yes, I'm still conscious of the messaging when suggesting to people that they enter their password on another site but in the broader scheme of things, if someone is actually using the same one all over the place (as the vast majority of people still do), then the wakeup call this provides is worth it.
As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.
Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about. If you have a bunch of passwords and manually checking them all would be painful, give this a go:
This is 1Password's Watchtower feature and it can take all your stored passwords and check them against Pwned Passwords in one go. The same anonymity model is used (neither 1Password nor HIBP ever see your actual password) and it enables bulk checking all in one go. I'm conscious that many people reading this won't be using a password manager of any kind in the first place and that's an absolutely pivotal part of how to deal with this incident so I'll come back to that a little later. Apparently, this feature along with integrated HIBP searches and notifications when new breaches pop up is one of the most-loved features of 1Password which is pretty cool! For some background on that, without me knowing in advance, they launched an early version of this only a day after I released V2 with the anonymity model (incidentally, that was a key motivator for later partnering with them):
For those using Pwned Passwords in their own systems (EVE Online, GitHub, Okta et al), the API is now returning the new data set and all cache has now been flushed (you should see a very recent "last-modified" response header). All the downloadable files have also been revised up to version 4 and are available on the Pwned Passwords page via download courtesy of Cloudflare or via torrents. They're in both SHA1 and NTLM formats with each ordered both alphabetically by hash and by prevalence (most common passwords first).
Why Load This Into HIBP?
Every single time I come across a data set that's not clearly a breach of a single, easily identifiable service, I ask the question - should this go into HIBP? There are a number of factors that influence that decision and one of them is uniqueness; is this a sufficiently new set of data with a large volume of records I haven't seen before? In determining that, I take a slice of the email addresses and run them against HIBP to see how many of them had been seen before. Here's what it looked like after a few hundred thousand checks:
In other words, there's somewhere in the order of 140M email addresses in this breach that HIBP has never seen before.
The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum. In terms of the risk this presents, more people with the data obviously increases the likelihood that it'll be used for malicious purposes.
Then there's the passwords themselves and of the 21M+ unique ones, about half of them weren't already in Pwned Passwords. Keeping in mind how this service is predominantly used, that's a significant number that I want to make sure are available to the organisations that rely on this data to help steer their customers away from using higher-risk passwords.
And finally, every time I've asked the question "should I load data I can't emphatically identify the source of?", the response has always been overwhelmingly "yes":
People will receive notifications or browse to the site and find themselves there and it will be one more little reminder about how our personal data is misused. If - like me - you're in that list, people who are intent on breaking into your online accounts are circulating it between themselves and looking to take advantage of any shortcuts you may be taking with your online security. My hope is that for many, this will be the prompt they need to make an important change to their online security posture. And if you find yourself in this data and don't feel there's any value in knowing about it, ignore it. For everyone else, let's move on and establish the risk this presents then talk about fixes.
What's the Risk If My Data Is in There?
I referred to the word "combos" earlier on and simply put, this is just a combination of usernames (usually email addresses) and passwords. In this case, it's almost 2.7 billion of them compiled into lists which can be used for credential stuffing:
Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem.
By pure coincidence, just last week I wrote about credential stuffing attacks and how they led many people to believe that Spotify had suffered a data breach. In that post, I embedded a short video that shows how easily these attacks are automated and I want to include it again here:
Within the first 20 seconds, the author of the video has chosen a combo list just like the one three quarters of a billion people are in via this Collection #1 breach. Another 20 seconds and the software is testing those accounts against Spotify and reporting back with email addresses and passwords that can log on to accounts there. That's how easy it is and also how indiscriminate it is; it's not personal, you're just on the list! (For people wanting to go deeper, check out Shape Security's video on credential stuffing.)
To be clear too, this is not just a Spotify problem. Automated tools exist to leverage these combo lists against all sorts of other online services including ones you shop at, socialise at and bank at. If you found your password in Pwned Passwords and you're using that same one anywhere else, you want to change each and every one of those locations to something completely unique, which brings us to password managers.
Get a Password Manager
You have too many passwords to remember, you know they're not meant to be predictable and you also know they're not meant to be reused across different services. If you're in this breach and not already using a dedicated password manager, the best thing you can do right now is go out and get one. I did that many years ago now and wrote about how the only secure password is the one you can't remember. A password manager provides you with a secure vault for all your secrets to be stored in (not just passwords, I store things like credit card and banking info in mine too), and its sole purpose is to focus on keeping them safe and secure.
A password manager is also a rare exception to the rule that adding security means making your life harder. For example, logging on to a mobile app is dead easy:
I chose the password manager 1Password all those years ago and have stuck with it ever since. As I mentioned earlier, they partnered with HIBP to help drive people interested in personal security towards better personal security practices and obviously there's some neat integration with the data in HIBP too (there's also a dedicated page explaining why I chose them).
If a digital password manager is too big a leap to take, go old school and get an analogue one (AKA, a notebook). Seriously, the lesson I'm trying to drive home here is that the real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible. It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web. Just think about it - you go from your "threat actors" (people wanting to get their hands on your accounts) being anyone with an internet connection and the ability to download a broadly circulating list like Collection #1, to people who can break into your house - and they want your TV, not your notebook!
Because an incident of this size will inevitably result in a heap of questions, I'm going to list the ones I suspect I'll get here then add to it as others come up. It'll help me handle the volume of queries I expect to get and will hopefully make things a little clearer for everyone.
Q. Can you send me the password for my account? I know I touched on it above but it's always the single biggest request I get so I'm repeating it here. No, I can't send you your password but I can give you a facility to search for it via Pwned Passwords.
Q. How long ago were these sites breached? It varies. The first site on the list I shared was 000webhost who was breached in 2015, but there's also a file in there which suggests 2008. These are lots of different incidents from lots of different time frames.
Q. I'm responsible for managing a website, how do I defend against credential stuffing attacks? The fast, easy, free approach is using the Pwned Passwords list to block known vulnerable passwords (read about how other large orgs have used this service). There are services out there with more sophisticated commercial approaches, for example Shape Security's Blackfish (no affiliation with myself or HIBP).
Q. How can I check if people in my organisation are using passwords in this breach? The entire Pwned Passwords corpus is also published as NTLM hashes. When I originally released these in August last year, I referenced code samples that will help you check this list against the passwords of accounts in an Active Directory environment.
Q. I'm using a unique password on each site already, how do I know which one to change? You've got 2 options if you want to check your existing passwords against this list: The first is to use 1Password's Watchtower feature described above. If you're using another password manager already, it's easy to migrate over (you can get a free 1Password trial). The second is to check all your existing passwords directly against the k-anonymity API. It'll require some coding, but it's straightforward and fully documented.
Q. Is there a list of which sites are included in this breach? I've reproduced a list that was published to the hacking forum I mentioned and that contains 2,890 file names. This is not necessarily complete (nor can I easily verify it), but it may help some people understand the origin of their data a little better.
Q. Will you publish the data in collections #2 through #5? Until this blog post went out, I wasn't even aware there were subsequent collections. I do have those now and I need to make a call on what to do with them after investigating them further.
Q. Where can I download the source data from? Given the data contains a huge volume of personal information that can be used to access other people's accounts, I'm not going to direct people to it. I'd also ask that people don't do that in the comments section.
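For the Pwned Passwords search described earlier and the two FAQ answers about blocking known breached passwords and checking existing ones against the k-anonymity API, here is an added example (not code from the original post or from HIBP). It hashes each password locally with SHA-1 and sends only the first five hex characters to the range endpoint; the `FakeRangeServer` stub, its count of 51000 and the sample passwords are constructed so the block runs offline.

```python
import hashlib
import urllib.request

# Range endpoint of the Pwned Passwords API: it accepts only the first five
# hex characters of a SHA-1 hash and returns every known suffix for them.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix):
    """Live lookup; the only value that leaves the machine is `prefix`."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-passwords-example"},  # assumed name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch=fetch_range, cache=None):
    """Times the password appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    cache = {} if cache is None else cache
    if prefix not in cache:
        cache[prefix] = parse_range(fetch(prefix))
    # The match happens here, client side: the service never learns which
    # of the returned suffixes (if any) we were interested in.
    return cache[prefix].get(suffix, 0)


def audit(passwords, fetch=fetch_range):
    """Bulk check: maps each label (e.g. site name) to its breach count."""
    cache = {}
    return {label: pwned_count(pw, fetch, cache) for label, pw in passwords.items()}


def acceptable_for_signup(password, fetch=fetch_range, max_seen=0):
    """Server-side policy hook: reject passwords seen more than max_seen times."""
    return pwned_count(password, fetch) <= max_seen


class FakeRangeServer:
    """Constructed offline stand-in for the range endpoint (sample data only)."""

    def __init__(self, breached):
        self.seen = []  # every value a client sent us
        self._lines = {}
        for pw, count in breached.items():
            digest = sha1_hex(pw)
            self._lines.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def __call__(self, prefix):
        self.seen.append(prefix)
        decoy = "0" * 35 + ":3"  # unrelated suffix sharing the prefix
        return "\r\n".join(self._lines.get(prefix, []) + [decoy])


if __name__ == "__main__":
    server = FakeRangeServer({"P@ssw0rd": 51000})  # constructed count
    vault = {"forum": "P@ssw0rd", "bank": "Xk7#constructed-unique-value"}
    for label, seen in audit(vault, fetch=server).items():
        print(f"{label}: {'CHANGE IT' if seen else 'not found'} ({seen})")
    print("values sent to the service:", server.seen)
```

Drop the `fetch=server` argument to query the live endpoint instead of the stub.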
Comments Are Now Closed
After several hundred comments in a very short period of time, I'm closing this post for further contributions. Moderating them has consumed a significant amount of time that I've mostly dealt with whilst flying from Australia to Europe. I now need to focus on a short period of downtime followed by a couple of weeks of conference talks. Thank you all for your engagement, I'll talk more about this post in the next weekly update video I'll post on Friday 25.
Well, it's one more sunny weekly update then snow time again so I've gone particularly beachy today. I'm also particularly breachy, talking about a massive combo list I'm presently pondering for inclusion in HIBP. These lists are frequently used for account takeover attacks against the likes of Spotify which is the subject of this week's blog post. Plus, I'm talking a bit about a bunch of Ubiquiti bits I'll be installing soon to fix the problem seen below:
Oh - and I did end up heading out on the water with Kevin Mitnick, albeit on the boat. I think it's alright. Maybe...
Time and time again, I get emails and DMs from people that effectively boil down to this:
Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach
Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are accompanied by other personal information such as passwords. When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me.
Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week:
Let's imagine you're the first person on the list; you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to. Clearly a Spotify breach, right?
No, and the passwords are the very first thing that starts to give it all away. Just looking at them, they're obviously terrible, but plugging the first one into Pwned Passwords gives you a sense of just how terrible it is:
They may not all be that bad (the next one in the list has only been seen twice), but the point is that it's a password that's clearly been seen before and were I to dig back into the source data, there's a good chance it's been seen in a breach alongside that email address too. Then there's the fact that the password is in plain text and I don't know precisely how Spotify store their passwords, but it'd be a very safe bet that by now it's a decent modern-day hashing algorithm. If they had a breach then yes, hashes may be cracked, but that's not what's happening here.
We're simply seeing the successful result of credential stuffing attacks. Regular readers will appreciate the mechanics of this already but all those who I point here for whom this is new, this attack simply takes exposed credentials from a data breach and tries them on another site. The attack is simple but effective due to the prevalence of password reuse. If you were using the same password on LinkedIn when they had their data breach as you are on Spotify today and someone grabbed that password from the breach and tried it on Spotify, you can see the problem. That's it, job done, they're into your account.
Spotify "breaches" like this are enormously common. I just went and looked at the pastes HIBP has collected since the clock ticked over to 2019 and found 20 of them already:
Digging further, I found over a thousand pastes with "Spotify" in the title. These are often removed by Pastebin pretty quickly but looking through some that remain, it's precisely the same pattern as the earlier example. I grabbed a random email address out of one of them and checked it on HIBP:
The same address appears over and over in pastes and each time, the same password appears alongside it. Picking one from the list above that hasn't yet been removed shows a page full of examples like this (with a password Pwned Passwords has seen 4 times before):
This one is interesting for a couple of reasons and the first is the use of the term "combo". I've written about combo lists before and they're essentially combinations of email addresses and passwords used to test against services in credential stuffing attacks. Thousands. Millions. Billions of them, in some cases. The second interesting observation in that image is the "Spotify Cracker" reference. The first Google result for the term shows a popular cracking forum with the following image (password seen 447 times in Pwned Passwords):
This is a tool for breaking into Spotify accounts. I wouldn't normally link through to content of that type, but context is important. For people wondering why they're getting alerts from HIBP because their Spotify account is in a paste somewhere, have a flick through some of those pages. 61 of them at the time of writing, each with 20 posts thanking the OP for their work in order to get access to the tool. So what does it do? Have a quick watch of this:
It's a slightly different piece of software based on what's visible, but the objective is the same and the premise is simple: download the tool, pass in the combo list then let it run. Credentials from the list are then tested against Spotify (yes, security friends, there's a very good question to be asked here as to why this is still possible...) and results appear on the screen.
Now, this isn't to say that someone who finds their Spotify account on one of these lists shouldn't worry because it wasn't a breach per se. Instead, they need to look inwardly and adjust their own security practices instead. Get a password manager (8 years on and I still use 1Password every day), create strong and unique passwords on every account and enable 2-factor authentication where available. Well, except that there's still no 2FA support on Spotify so just enable it on every other service that supports it (and most big ones do these days).
And why would someone "hack" (I use the term loosely because they literally logged in with the correct username and password) Spotify accounts? The obvious answer is that they have a monetary value, but I also posit that it's very often just curiosity driving this behaviour. Take a look at a video such as this SQL injection tutorial; I've used it in talks before to illustrate the randomness of attacks as well as the sophistication of those behind many of them. Is the person in this video an evil cyber hacker hell-bent on causing chaos, or just a curious kid whose moral compass is yet to be properly calibrated? That may not make Spotify users feel any better about the end result, but it's important context for this post.
In doing a bit of searching for this piece I found heaps of results for "spotify data breach" that led to discussions highlighting what I've covered above. For example, this one from August on the Spotify community site where the original post begins with:
Someone had access to my pasword [sic] (which is totally unbreakable and diferent [sic] from the one i use in other accounts)
I don't know what their password was, but I do know that I've had dozens of discussions with people making precisely the same claims only to discover "their" password is in Pwned Passwords a few hundred times! Or they entered it into a phishing site somewhere. If we apply Occam's Razor to this (the simplest solution is the most likely one), the password was compromised. I want to illustrate this point via the following Tweet:
For ref, here are the details on my 1Password entry for Pinterest. Definitely the strong, unique one I showed in my tweet. pic.twitter.com/d3sSR8PCu1
This is Scott Helme, a world-renowned security researcher who understands these concepts as well as anyone I can imagine. This tweet is part of a broader discussion where his Pinterest account was logged into by an unknown party and per the image above, Scott was convinced his password was both strong and unique. A couple of hours later, Scott's view is, well, somewhat "different":
Just goes to show, it's sometimes easy to miss these things! I'm now wondering how many other old accounts I have lurking around out there... 🤔 5/5
I spoke to Scott about this incident again whilst writing this post and we both reflected on just how easy it is to have issues like this, even if you're convinced your security is spot on. It's precedents like this which cause me to pause and question every strongly made claim of personal security prowess in the wake of examples such as the Spotify community one above.
Reading through that thread only reinforces the view that this was a simple account takeover issue and not a sophisticated hack. For example, this comment:
It's such a shame to see Spotify blaming its users for getting hacked instead of fixing the problem. Got my playlists deleted and the hacker created a playlist called "Get Hacked".
Imagine you're a hacker - a real one with the capabilities to break into a company with hundreds of millions of users and worth billions of dollars - what are you going to do? Are you just going to mess with people's playlists "for the lulz"? No, at the very least you're going to cash in on their public bug bounty or if you're really the malicious type, you're going to monetise their users in a much more surreptitious fashion.
Scroll down a little further and someone is referencing HIBP as "proof" of a hack. Here's what happened to the guy's account:
I got a notification from haveibeenpwned.com and did nothing about it until some random kept playing weird music on a device I did not recognize while I was trying to listen on my normal device. It was annoying, I kept getting pulled out of my song because we started battling for control of what device and what song the audio was to be heard on. I started playing really loud and obnoxious noise music for the hacker while I changed my password.
Now again, let's apply Occam's Razor: is this an elite hacker who's discovered some previously unknown zero-day vulnerability, or someone who's exploited the victim's password and then simply has a different taste in music?
The community thread references a paste titled "Más de 300 cuentas premium de Spotify" ("More than 300 Spotify premium accounts") which has since been deleted from Pastebin (and HIBP doesn't save the contents beyond just the email addresses). But 4 days earlier there was a paste titled "Más de 50 cuentas premium de spotify" which still stands today and its content lines up very closely with the others discussed above; it's simply the output of another automated tool exploiting weak credentials.
I'll end on one final point because if I don't, it'll come through in the comments anyway: online security is a shared responsibility. Some people are quick to play the "victim blaming" card when I write about incidents that can be traced back to weak security practices. Clearly, that's not causing me to sugar-coat the root cause of these incidents but that said (and I touched on this earlier), this is prevalent enough that Spotify also needs to look internally at why this is still occurring. Their job is to stop this form of attack at the platform level and our job as users of the service is to protect our accounts via some basic security practices.
So no, Spotify wasn't hacked, they just allowed malicious parties to log in with other people's poor passwords.
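On the platform's side of that shared responsibility, credential stuffing leaves a recognisable shape in authentication logs: one source trying many different accounts, mostly failing, with the occasional success. The following is an added example (not from the original post or from Spotify); the log format, sample lines and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Return sorted (timestamp, ip, user, succeeded) tuples; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"].lower(), m["result"] == "ok"))
    return sorted(events)


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                    min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    Brute force hammers one account with many passwords; stuffing tries
    one known password against each of many accounts, so the signal is
    the number of distinct usernames per source, not attempts per user.
    Thresholds are illustrative assumptions, not recommended values.
    """
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Once a source is flagged, every account it managed to log
                # in to is a candidate for forced reset and session revocation.
                findings[ip] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return findings


# Constructed sample log (documentation IP ranges, example.com addresses).
SAMPLE_LOG = [
    # One source, eight accounts in 35 seconds, a single success.
    f"2019-01-10T03:14:{i * 5:02d}Z login ip=203.0.113.7 "
    f"user=user{i}@example.com result={'ok' if i == 5 else 'fail'}"
    for i in range(8)
] + [
    # A person mistyping their own password, then getting it right.
    "2019-01-10T03:15:00Z login ip=198.51.100.20 user=alice@example.com result=fail",
    "2019-01-10T03:15:09Z login ip=198.51.100.20 user=alice@example.com result=fail",
    "2019-01-10T03:15:30Z login ip=198.51.100.20 user=alice@example.com result=ok",
    "this line is malformed and is ignored",
] + [
    # An office NAT: many users behind one address, all succeeding.
    f"2019-01-10T09:00:{i * 7:02d}Z login ip=198.51.100.50 "
    f"user=staff{i}@example.com result=ok"
    for i in range(5)
]

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```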
And then it was 2019. Funny how quickly it gets away from you, someone just posted on my 2018 retrospective blog post this week and asked why I didn't include my congressional testimony and if I'm honest, it took me a bit to think about why as well (it was in 2017). But we're here now so it's back to business as usual blog wise.
This week is dominated by the personal finance lessons blog post. This has gotten massive traction this week and has been read by tens of thousands of people. But perhaps what surprises me most is that out of all the feedback I've had, there's only been one negative comment. O-n-e. Frankly, I'm not even sure he actually absorbed the content as the comment was very specifically addressed in the post, but that forms one little part of everything I cover in this week's update. I also touch on the aforementioned 2018 retrospective which I've been doing these last few years as a little reminder of what I've been up to.
This is (probably?) the longest weekly update I've done so far and I do hope it helps add a bit more personality and context to that finance blog post. Do please continue to share feedback and ask questions, I've really enjoyed seeing people get motivated by it.
I started doing these retrospectives 3 years ago in my first year of independence. I reckon they're a good thing for everyone to do if not in written form then at least mentally to look back on your achievements of the year. They're a great way of reflecting on success (and indeed, on failures) and they also help explain why we all feel so damn tired by the end of the year!
Here's my 2018 highlights, starting with travel:
"Oh yeah, I'm totally gonna travel less this year" - me every single year
In reality, my travel ended up looking like this:
That's the same number as last year, 4 more days and another 8,000km. On the other hand, it's 12 less cities and 1 less country and the main reason for that is I've been trying to cram less into trips. I've also been travelling with family far more so whilst those 140 days equate to 38% of my year, there were 14 days in Hawaii, 10 days at the Aussie snow, 11 days in Texas and 17 days in Canada where I wasn't flying solo. That's 52 days where it wasn't just a lonely slog so I'm pretty happy about that.
I actually got a bit of a surprise when I pulled the list of my most popular blog posts for 2018:
The surprise was that after the home page, the most popular page hit on my site was the one about Online Spambot, a post I published in August 2017. I guess it's maintained its traction due to it being referenced in the HIBP description and there being a huge number of people finding themselves pwned. In fact, I'm sure that's why the next 3 blog posts are up there too because they're all from similar incidents (number 6 in that list was also from 2017).
If I'm honest though, my favourite post of the year was the one I published earlier this week on New Year's Eve - 10 Personal Finance Lessons for Technology Professionals. I love this post. I love the reaction it's had. I love that based on so much of the positive feedback I've had it might actually improve people's lives in a way I don't think any previous post has before. Who knows, maybe this is something I'll even write more about in 2019 if there's an appetite.
The sponsorship model continued strongly too. It's been resoundingly well-received by both browsers to the site and the sponsors themselves and I've already booked 2019 out until August.
Geez, where to start... Probably with my 2018 events page which lists everything I did of a public nature. What it doesn't do is list all the private events which pretty dramatically increases that list. Of the ones I can talk about, they included:
How safe is your #password?! I hope you tuned into #NETUG tonight to find out from security expert @troyhunt!! A huge thank you to Troy for presenting for us tonight. If you missed out, never fear, I’m sure SSW TV will post the video in the coming week! pic.twitter.com/jtHlTyJ9l6
Troy Hunt @troyhunt speaking at his best, he shows that not all hackers come with hoodies and green command line screens, and how security is taken so lightly at even the bigger enterprises. #APIdaysAU pic.twitter.com/19lb65Xhkm
#Sibos Big Issue Debate @troyhunt at Hacker: I have an objection to the thought that increasing security makes things harder. There are technologies that achieve both objectives. We need to help people understand that the technologies are there and use them effectively. pic.twitter.com/XaYneE72fJ
The positive stories are the ones you don't see here; the ones that are no longer on the list. Sites like the ABC in Australia, the Daily Mail in the UK and Roblox in the US. They're the largest sites in their respective countries to drop off the list and there have been many, many more in the same boat. I've actually had developers from many organisations reach out requesting that the list be refreshed just so their site drops off. Shaming works in powerful ways 🙂
HTTPS is Easy
I didn't want to just shame organisations doing the wrong thing, I also wanted to help everyone get better at HTTPS. After all, HTTPS is easy, so I built HTTPS Is Easy:
This became a great 4-part reference series with 5-minute videos which live up to the title. I'm enormously happy with how it was received, and frankly a bit overwhelmed that the community stepped up and translated it into 19 different languages including: Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Indonesian, Italian, Norwegian, Persian, Polish, Portuguese, Russian, Slovenian, Spanish and Swedish. That's pretty awesome!
Have I Been Pwned
Geez, where to start on this one... In point form:
Added 76 new data breaches
Which encompassed 829,391,906 additional records
Signed up 445,720 new subscribers
Sent 1,224,377 breach notification emails to them
And sent another 239,277 notifications to those monitoring domains
And probably 100 other things that should be in a retrospective but just flew by in a blur! But there was another aspect of HIBP which really took off in 2018 and it deserves its own heading:
When I launched version 2 in Feb, this service really started to get traction. The k-anonymity model courtesy of Cloudflare was the real killer feature and a special mention goes to Junade Ali on that:
If you don't know the back-story on those lava lamps, this is a fun vid that's only a few minutes long:
Back to Pwned Passwords, the premise of checking to see if a password has been previously breached before allowing someone to use it has gained a lot of traction. I've seen dozens of use cases first hand (and there's probably hundreds I'll never know about), with EVE Online being the first big one:
Here is the message we display to our users during login if we find their password in the @haveibeenpwned list. We try to explain calmly what is wrong and how to fix it. Provide links and guidance. pic.twitter.com/9rc8svI0yS
Okta built an absolutely awesome browser extension:
Why I like @Okta's Passprotect plugin: if sites use outdated password complexity rules and tell people that "P@ssword1" is a good password, the plugin still warns the password is unsafe. It uses @troyhunt's pwned passwords and the k-anonymity model to securely check the password pic.twitter.com/wBFWMzrtra
Of those who do consume the k-anonymity API, I'm usually serving up somewhere between 4 and 6 million requests a day:
There were a couple of cache flushes in there but just to give you a sense of how well optimised the service is to serve content directly from Cloudflare's edge nodes and not hit the origin server, here's the last week:
That's a 99% cache hit ratio 😎
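The range lookup behind the k-anonymity model mentioned above, as an added example that is not code from this post or from HIBP: the client sends only the first 5 hex characters of the password's SHA-1 hash and matches the rest locally, which is also why responses cache so well (there are only 16^5 possible prefixes). `RangeServer`, the sample corpus and `check_new_password` are hypothetical names for this sketch; the `SUFFIX:COUNT` response layout follows the public range API and is not described on this page.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client

# Constructed sample data: (password, number of times seen in breaches).
CONSTRUCTED_BREACH_CORPUS = [("P@ssword1", 1234), ("letmein", 999), ("qwerty123", 42)]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range lookup uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Offline stand-in for the range endpoint (hypothetical). It only ever sees a prefix."""

    def __init__(self, corpus, decoys_per_bucket=3):
        self.seen_queries = []            # everything the server learns from clients
        self._buckets = defaultdict(dict)  # prefix -> {suffix: count}
        for password, count in corpus:
            digest = sha1_hex(password)
            bucket = self._buckets[digest[:PREFIX_LEN]]
            bucket[digest[PREFIX_LEN:]] = count
            # Constructed decoy suffixes so each bucket holds several candidates,
            # which is what hides the one the client actually cares about.
            for i in range(decoys_per_bucket):
                decoy = sha1_hex(f"decoy-{password}-{i}")[PREFIX_LEN:]
                bucket.setdefault(decoy, 1)

    def range(self, prefix: str) -> str:
        prefix = prefix.upper()
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789ABCDEF"):
            raise ValueError("prefix must be exactly 5 hex characters")
        self.seen_queries.append(prefix)
        bucket = self._buckets.get(prefix, {})
        return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def pwned_count(password: str, query_range) -> int:
    """Return the breach count for `password`; only the 5-character prefix is sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in query_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # the suffix is not in the bucket: not a known breached password


def check_new_password(password: str, query_range, max_count: int = 0):
    """Accept or reject a password at signup or password change.

    Returns (accepted, reason). `max_count` is the highest breach count tolerated.
    """
    try:
        count = pwned_count(password, query_range)
    except Exception:
        # Design choice in this example: fail open, so an outage of the lookup
        # does not lock users out. Log it and rely on the other controls.
        return True, "lookup_unavailable"
    if count > max_count:
        return False, f"seen {count} times in breaches"
    return True, "not_found"


if __name__ == "__main__":
    server = RangeServer(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ("P@ssword1", "constructed-unbreached-passphrase-7f3k"):
        print(candidate, check_new_password(candidate, server.range))
    print("server saw only:", server.seen_queries)
```
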
Scott wrote a year in review piece this week so I'll defer to his overview for that but in short: heaps of new reporting types, a wizard that makes creating CSPs way easier, the launch of Report URI JS, heaps of both free subscriber and commercial customer growth and we're also pushing a few reports through these days too:
But the highlight - without a doubt in my mind - is covered in this next section:
What. A. Year! In fact, what a couple of weeks and it all began with AusCERT's Award for Information Security Excellence, presented in my home town:
I'm 2 weeks to the day out from heading back to Europe so the whole show starts again very soon. In many ways, 2019 will be more of the same but in other ways, there's a bunch of new things on the horizon. I've already committed to events in 3 new places I've never been before in the first half of the year so that'll be cool.
Beyond that, I honestly don't know. I have a view about 6 months out around travel commitments but the nature of this industry and indeed the role I play today is that I have absolutely no idea what will pop up overnight, let alone further along into 2019. But that's ok, it keeps things entertaining 🙂
Patience. Frugality. Sacrifice. When you boil it down, what do those three things have in common? Those are choices. Money is not peace of mind. Money’s not happiness. Money is, at its essence, that measure of a man’s choices.
This is part of the opening monologue of the Ozark series and when I first heard it, I immediately stopped the show and dropped it into this blog post. It's a post that has been many years coming, one I started drafting about 5 years ago. One I kept dropping little bits and pieces into as the years went by but never finished because the time just wasn't right. It was only after reflecting on the responses to the following tweet that I decided to sit down and finally wrap up this post:
This is a measure of my choices. Of my wife's choices. Of a couple of decades of choices. The car itself is only one small part of that measure, but it was the enthusiasm that tweet was met with by many who expressed a desire to do the same one day that prompted me to finish the post. It's also the negativity expressed by a small few that I should choose to spend our money in this way that prompted me to finish it; those that feel success itself or its manifestation into physical goods is somehow taboo. The latter group won't get anything useful from this post, but it was never meant for them. It was always meant for those who wanted the measure of their own choices to look more like the one above.
So here it is - 10 Personal Financial Lessons for Technology Professionals.
Intro: This Industry Rocks!
I want to start here because this post is very specifically targeted at people working in the same industry as I do. There'll be many things which I hope are useful to those outside of that, but frankly, those of us in tech have a massive advantage when it comes to our ability to be financially successful. I don't just mean at the crazy rich end of the scale (4 of the world's top 10 richest people did it in tech - Bezos, Gates, Zuckerberg and Ellison), but at all levels of our profession. In fact, those guys are all pretty good examples of the ability to build amazing things from the ground up and I'm sure that many of you reading this have sat down and started building something with the same enthusiasm as, say, Zuckerberg did with Facebook in 2004. Of course, success at that level is exceptionally rare, but my point is that in this industry more than any other I can think of, we can create amazing things from very humble beginnings.
But of more relevance to most of us are the opportunities this industry affords the masses. It's one you can get involved in at almost any age (I started both my kids coding at 6 years old), it provides endless opportunities to learn for very little or even free (the vast majority of my own programming education has come via free online resources) and it transcends borders and socioeconomic barriers like few others (think of the opportunities it grants people in emerging markets). It's also up there with the highest paying industries around. I think we all know that innately but it's worth putting into raw numbers; I pulled a report from July put together by Australia's largest employment marketplace (SEEK) which has some great stats. For example, the ICT industry (Information, Communication, Technology) was the 5th highest paying with an average salary of $104,874 (dollars are Aussie, take off about 30% for USD). Number 1 is "Mining, Resources & Energy" which had a local boom here but is now rapidly declining (down 14% on the previous year). Take mining out of the picture and the top industry ("Consulting & Strategy"), pays only 5% more than tech. Look the other way down the list and the next highest industry is "Legal", a whole $9k a year behind. Banking is below that. Medical even lower.
Then there's this:
Today, the Information & Communication Technology (ICT) industry dominates, with salaries from six roles within the industry featuring in the top 20.
The highest salary SEEK has on the books is for architects (the tech kind, not the construction industry kind) at $138k. The third highest is tech industry management roles at $132k. Of course, actual numbers will differ in other parts of the world and indeed across other reports, plus there are many roles in the industry that will pay much less than those (especially during our earlier years). The point is that the tech industry provides people with near unparalleled earning potential across one's career. And it gives them the ability to do so much younger in life than many others do and with much less formal education; I care much more about skills than degrees in tech people, but my doctor / lawyer / pilot better have a heap of formal qualifications from many years of study behind them!
This is a cornerstone of what I'm going to write in this post: technology professionals have a much greater ability to earn more than most other industries and to do so at a young age. Being smart with that money early on gives them an opportunity to leverage it into even greater things again. Keep that in mind because I'll come back to it in lesson 2 but firstly, let's just be clear about why all this is important.
Lesson 1: Money Buys Choices
Let me be crystal clear about this in the very first lesson: money is not about owning a Ferrari and living in a mansion. It's not about expensive jewellery and designer clothes. No, money is about choices. It's about having choices such that you can decide to spend it on what's important to you. That may mean helping out family members, donating to local charities or retiring early so that you can spend more time with your partner and kids. And yes, if it's important to you, it may also mean spending it on luxury items and that's fine because that's your choice! It's a choice you get to make with money as opposed to one that is forced upon you without it.
Let me share some examples of what I mean from my own personal experiences and I hope they cover a broad enough spectrum to resonate with everyone in one way or another. Just over 2 years ago, my wife (Kylie) had spinal surgery. You can read her experiences in that post but in a nutshell, it wasn't much fun and it followed many months of pain due to disc degeneration. The choice that money gave us was to focus on her treatment and recovery without stressing about her needing to work. We said to each other many times "how on earth would we have dealt with this if she still had a full-time job?" and invariably the answer is always that we couldn't have: the job would have gone.
Kylie wasn't working when her back went because we chose not to. She left a very successful corporate role in late 2014 and very shortly after, my own corporate job was made redundant. We never really consciously decided that she shouldn't go back to work, but a series of events including her being fed up with corporate life and us deciding to move interstate meant that she never did (although she's continued consulting on an ad hoc basis). Money gave us that choice. It was a choice that meant one or both of us is always there for the kids in the morning, always waiting to pick them up after school and always there for every tennis match, friend's birthday party or other random kid thing that seems to happen on a near daily basis. Being able to make those choices has enabled us to spend more time together as a family. It's quite literally bought us family time in many different ways, particularly in recent years.
Which leads me to the "but money can't buy happiness" position so many people have repeated over the years. Bull. Shit. Anyone who has ever said that simply doesn't know where to shop. Putting aside the intangible things money buys such as those already covered above, money spent on physical items can bring people a huge amount of pleasure. I'm not a fashion guy (pick almost any talk I've done and you'll see it's jeans and t-shirts all the way), but I totally understand how presenting well can bring a lot of joy to people. Obviously I am a car guy and vehicles such as the one at the beginning of this post and the Nissan GT-R I bought back in 2013 have brought me enormous pleasure. I smile every time I drive either and the latter in particular has resulted in so many immensely enjoyable interactions with people; kids taking pictures, adults wanting to chat and without exception, positive responses from everyone who sees it. Now mind you, some of the most fun times I've had have been in previous cars a fraction of the price so I'm by no means trying to imply a direct correlation between cost and happiness, the point I'm making is simply that tangible items that cost money can bring a huge amount of happiness, but only if you have the choice to obtain them.
I'm very conscious of the fact that for some people, signs of wealth lead to resentment. There was some of that in response to the Mercedes tweet earlier on and in Australia, we'd refer to that as tall poppy syndrome. (I'm still at a loss as to why anyone would take the time to explicitly tell you how displeased they are with your happiness; some people just lose their minds when they're behind a keyboard.) I also touched on this when I first did my Hack Your Career talk in Norway last year where they refer to it as Janteloven (video embedded at the point where I describe it):
For the purposes of this first lesson, I don't care whether someone feels this way or not but regardless of your position, the one thing you should take away from this is that money enables you to choose what's important to you, whatever that may be. That's the mindset you need to take as you progress through this post.
Lesson 2: The Money You Earn Young is the Most Valuable Money You'll Ever Earn
Let's start with a graph and it's one you may have seen before, or at least some interpretation of the same sort of data:
This is Vanguard's 2018 Index Chart and you can either drill down into it and pore over the details or just take one simple truth away from a glance at it: investments grow over time. I know, revolutionary, right? Now to be fair, some investments tank and others skyrocket but what's more important than the minutiae is the overall market forces that enable money to multiply over time. We're looking at 30 years here and $10k invested back in 1988 would be worth almost $59k today invested at cash rates (6.1%), nearly $85k if put into international shares or over $206k if invested in US shares (and that includes the GFC period). There's also CPI at work which makes that $10k worth less today than it was 3 decades ago, but that's tracked at 2.8% per annum which is a damn sight less than a balanced portfolio earns.
An often-heard saying illustrates the value of starting early and allowing time to amplify investments:
It's not timing the market, it's time in the market.
In reality, it's both and buying anything at a low-point is obviously going to net you more dollars than buying at the peak. But the point of all this is that starting young enormously amplifies earning potential and to bring this back around to the tech industry again, those of us in this space have a much better chance than most to earn well at a young age. Let me put some personal context around this:
Almost 9 years ago I wrote a post on a real estate forum looking for feedback and inspiration. We'd bought a lot of property by that time and it became the foundation on which so much of what we've done since has been built. This is the first time I've mixed these two worlds - my background with real estate and my public blogging life as most readers will know it - but it's important context. Do read that post as it goes a long way to explaining why I'm writing this post and indeed, why I have the financial options I do today.
Kylie and I started investing while we were young. We began purchasing real estate in 2003 in our mid-20s and we poured every cent we could save into it. Some purchases were better than others, of course, but the constant theme across all of them was that we knew that good investments made young would pay off big time in the long term. It also created a forced savings plan for us; money in real estate is not "liquid" so you can't readily draw it out of a savings account on a whim and loans need to be paid on time each month or banks start getting cranky. (Incidentally, this is also a strength of home ownership as it's effectively a forced savings plan.) We maximised our borrowing potential, took advantage of every available tax concession and relentlessly pursued more property as soon as we had the savings to put down another deposit. We took risks, but they were calculated and made at a time where we had 2 incomes and no dependants. Everything gets harder when there's kids; more expenses, less time and often, less income if one partner decides to stay at home or work less.
By no means am I saying "go out and put all your money into property", it might be that you start putting a very small amount of money into a share portfolio or managed funds early on, the point is that time amplifies money (at the very least, everyone should understand how compound interest works). That was the single best financial decision we ever made and it happened well before my life as people know it today; there was no Pluralsight, no workshops, no speaking events or Have I Been Pwned or blog sponsorship - nothing. Yet today, that property portfolio is a significant portion of our wealth because even though we weren't earning much money then by comparison, it amplified over and over again.
I want to touch on 2 more things on this because I know they'll come up if I don't mention them. Firstly, if you've passed the age that you might consider "young", the same logic of time amplifying dollars still applies. Obviously, you have less time and there are other considerations such as retirement funds (and associated tax implications), the point is that the earlier you begin on this journey, the better. And secondly, no, this wasn't done with financial support from parents. No deposits were handed out, no financial guarantees were made on our behalf, every single cent had to be earned, saved and then invested. But there was some help we got that moved everything along, and that was with financial literacy.
Lesson 3: Invest in Financial Literacy
I regret many things about my own education at school and university. I regret that I had to learn French in high school. I regret that I had to do chemistry as part of the computer science degree I started and never finished. But most of all, I regret that I was never taught financial literacy. I never learned the importance of the things I've already written in this blog post nor how the share market or property market work or even something as simple as the impact of compound interest on a credit card, something that's at crisis level for many people here in Australia at the moment. These things, to my mind, are essential life lessons and I do hope things have moved on a bit in the education system since then.
But we did have encouragement from our parents when it came to imparting financial advice. The two most notable things that come to mind were my father regularly repeating lesson 1 above (money gives you choices), and Kylie's father helping us understand how the property market works (he worked in the industry). But that was a tiny portion of the education with the vast bulk of it made up of reading books and magazines, going to seminars, hanging out on forums and frankly, also learning by making mistakes. We lost money on shares. We missed opportunities that would have yielded amazing results. We had property deals fall over. We got a lot of stuff wrong, but we got a lot more stuff right.
Part of developing financial literacy is that the more you learn about money, the more conflicting advice you'll get. Last week I tweeted about drafting up this post and I had a number of people contact me with their own tips. One person emailed me with many that aligned with mine, but he also said "only buy properties that you feel you could live in, they are homes as well as investments". I would never want to live in any of our properties we bought as investments. When you buy an investment - any investment - you should be ruthlessly focused on the numbers; what it's yielding, what the growth opportunities are, the tax advantages etc. When you buy a home to live in, you're buying with the heart because a home is a very emotional purchase. That's not to say you can't buy a home that's also a good investment, but you have different priorities and the perfect home for you to live in is almost certainly not the perfect asset for you to invest in. I don't want to live in any of our properties, but they're in high growth areas with good accessibility to public transport and low vacancy rates. Now, that doesn't make me right and him wrong, it's merely an illustration that there are many different views out there and the challenge for you is to understand the reasoning behind them and work out what actually makes sense for you. That knowledge is an investment you have to make.
Financial literacy is a fundamental skill which we all need but few of us genuinely invest in. There are a heap of resources available where you can learn for free and whilst there's frankly a lot of crap out there (there are way too many dodgy characters trying to sell investment opportunities!), it all contributes to the melting pot of information you can absorb. I'm conscious that for most people, developing financial literacy probably seems like a difficult thing that requires a time commitment. And I agree. I found it hard and I found a huge amount of my time being spent on it, but I do believe that we, fellow geeks, have some advantages here.
Those of us in the tech industry are used to seeking out information online. Crikey, I still use Google every time I need to write text to a file in C#! We're also used to engaging with others online in order to learn, we've been doing it on Stack Overflow for years and we can do it on any number of investment forums, debt support communities or other resources designed to help educate in the same way as the tech ones we're so dependent on. I made 414 posts on the property forum I referenced earlier, more than all my questions and answers on Stack Overflow combined.
If you're not sure where to start on this, there's one area of financial literacy that is absolutely essential to understand, and that's tax.
Lesson 4: Learn the Tax System
There's a very famous clip of Kerry Packer (for many years, Australia's richest person), who was questioned about his tax practices in court back in '91. This is worth a quick watch (it's 2 minutes):
The key sentence being the last one in that clip:
Now, of course I am minimising my tax and if anybody in this country doesn't minimise their tax, they want their heads read because as a government, I can tell you you're not spending it that well that we should be donating extra.
Regardless of what you may think of the tax practices of billionaires, it's hard to argue with that statement (it's also hard not to chuckle just a little!). Tax is bloody complicated stuff yet it's something we all need to deal with in one way or another. It also consumes a significant chunk of your income and that only increases as you earn more and spend more. Understanding how your local tax system works is an absolutely essential part of that financial literacy I was just writing about.
For example, in Australia we have pretty attractive negative gearing tax laws for real estate and I'll steal the definition off Wikipedia to explain precisely what that means:
Negative gearing is a form of financial leverage whereby an investor borrows money to acquire an income-producing investment and the gross income generated by the investment (at least in the short term) is less than the cost of owning and managing the investment, including depreciation and interest charged on the loan (but excluding capital repayments).
What this has meant for us is the ability to buy property and claim deductions for non-cash expenses (that is they're not actually coming out of your pocket) thus reducing our taxable income and ultimately increasing our take-home pay. For example, buildings, fittings and fixtures all "depreciate", that is their value decreases over time. Think about curtains - they wear out and need to be replaced and the Australian tax system affords you the ability to claim that depreciation before you actually need to spend the dollars. Your country may well have different laws, but the point is that tax constructs exist to help you legally reduce the amount payable. (Side note: there's been calls for years to abolish negative gearing in Australia in this fashion and there were indeed pretty significant changes made in the 80's... then rolled back.)
Retirement funds are another great example. In Australia, our "superannuation" scheme (think 401k in the US) makes it very attractive to contribute extra cash at a low tax rate. Only up to a threshold, that is, and even that changes based on your age but again, there are constructs designed by the government to help everyone maximise the effectiveness of the dollars they earn by minimising the amount of tax payable on them.
Tax is also where professional help is really important. Unless you're on a very low income that's just a simple wage from an employer, in my experience the ROI of professional guidance means it makes sense to get a good accountant early. Especially once there's more money involved, a very small percentage difference made by a taxation professional easily covers their cost (you may well find that's an allowable deduction too). Over time, our accountancy needs changed from a basic accountant we saw once a year to a larger scale firm we call on regularly. Your needs may well change too as you move through different phases of life, but get someone you can trust and get them early.
Optimising your tax position is free money. Free legal money and there are many, many ways to do it. In this industry, there's everything from income-producing equipment to conferences to charitable donations to an organisation like Let's Encrypt that can reduce your tax bill (obviously get expert advice on this if you're not sure). Sometimes, it's even just as simple as deferring tax that's payable so that you have access to the money for longer and can reap the benefits of the interest it earns. Pay your taxes, but don't donate extra.
Lesson 5: Know Good Debt from Bad Debt
The word "debt" immediately has negative connotations for a lot of people. Many of those people have a bunch of "bad" debt and little or no "good" debt. The latter term might sound paradoxical, but I'll get back to that. Let's start with the bad stuff.
Bad debt is the kind you have on a credit card. It's almost always accrued on a depreciating asset (for example, a new TV) and it's very often at a high interest rate. A credit card in Australia right now can easily run you around 20% per annum which means that not only are purchases going to cost way more than the sticker price (assuming the card isn't paid off each month), but the value of the purchase is also heading south leaving you with negative equity (you owe more than the thing is worth). Because credit cards have such a high rate on them, the single best investment you can make right now is almost certainly to pay off any debt you have on a card as fast as possible. Think back to that Vanguard chart - the highest yielding shares they had there (the US ones) were growing at 10.6% and paying off a credit card can effectively earn you double that. (Side note: that last sentence isn't entirely accurate as income earned on investments is usually subject to tax whereas paying off consumer debt will often have no tax obligations at all. Or if we go even deeper down the rabbit hole, those US shares at 10.6% include capital gains and that's something you may only pay tax on when you sell. So in other words, both the points made in this side note make the investment value of paying off credit card debt even more important than investing in other asset classes.)
Payday loans are another prime example where you have fast, easy access to cash but pay an astronomically high interest rate for the privilege. For example, via Nimble, one of Australia's most prominent short-term lenders:
What does that look like in actual dollar terms? Let's imagine you need a couple of thousand for 12 weeks:
I highlighted the most important part in red because for some reason it was very small and a bit hard to read... In other words, for a loan that's less than a few months long you pay back an additional 32% over what you actually borrowed in the first place. This, in effect, makes whatever it is you bought with that money 32% more expensive and yes, I know that many people are under financial duress and may not have other options, the point is to understand what the actual impact of this debt really is. Remember also that compound interest works on debt too, not just savings. The longer you run with debt, the more you pay. (Side note: I watched a really interesting Netflix documentary on short term loans recently as part of their Dirty Money series - check out the Payday episode.)
Good debt is an investment. All our property purchases, for example, have loans not only because we simply couldn't have afforded to pay cash at the time, but because debt can give you leverage. Rather than paying, say, $250k in cash, you'd put down, say, a 10% deposit and pay perhaps 5% per annum in interest. You then have cash flow from the asset (rent paid by tenants) and as mentioned earlier, there may also be non-cash deductions that give you taxation benefits. You also have expenses, primarily loan repayments but also maintenance, council rates, insurance and possibly strata and property management fees. I don't want to go down that rabbit hole here (we're getting back to the importance of financial literacy again), but the point is that debt can be used to build wealth in an accelerated fashion. (Incidentally, the same approach can be used in shares and managed funds, this is not just the domain of real estate.) Borrowing for education can also be good debt. Kylie and I both had student loans via HECS in Australia which we had to pay off as we began earning money. This was an investment in our future and the return on the investment was an education.
This isn't to say that "good" debt is always a smart idea and in some cases, it can amplify losses dramatically. Some of the properties we bought were only several years old and were being sold for 30%+ less than the original owners had paid. Developers often entice buyers by offering "honeymoon" interest rates and rental guarantees that make the cash flow position look very positive to the unsophisticated investor. However, once those expired and the penny dropped that the properties were no longer financially sustainable (interest rates went up, rent went down), they became distressed sales and the unfortunate purchasers learned that the market valued the properties at a very different mark to what the developers were selling them for. Suddenly, the 5% deposit they paid to get access to real estate has created negative equity 6 times more than that.
Conversely, what we might traditionally consider "bad" debt can be good and I'll give you an example of that. This whole post kicked off with me talking about a car and as much as I love them, let me be really clear about this: fancy cars are one of the worst possible things you can ever spend your money on! They're functionally equivalent to models that are a fraction of the price, they depreciate very rapidly and they have a bunch of acquisition costs that disappear into thin air the moment you buy them (stamp duty, for example). But those are principles I understand very well so I make purchases with full consciousness of the financial impact. The point re bad debt potentially being good is that whilst a car is a depreciating asset, we've had cars in the past where the manufacturer's interest rate was far more attractive than the interest we could earn on the money elsewhere which would make paying cash a sub-optimal use of the money. You need to be careful that an attractive interest rate isn't just capitalised into the purchase cost of the vehicle (and I've definitely seen that before), but the point is that debt can be used in a variety of constructive ways and some of them may be unexpected.
Over and over again, we come back to financial literacy and a big part of that is understanding not just how to use debt efficiently, but how to manage the risk it creates. I reckon as technical folks we tend to be more analytical than your average person and one of the best things you can do for your financial wellbeing is to chuck everything into spreadsheets. This debt situation, for example, can be really multifaceted so if you're looking at taking out a loan, put everything into Excel and analyse the bejesus out of it; cash flow impact, capital gain / loss, opportunity cost (what else you could do with the deposit and repayments), etc, etc. I've had many occasions in the past where I've literally sat down and written all my analysis in C# because I understood the code better than the finances! But by doing that, you learn, and that's a great way of working on financial literacy. (Side note: services like Mint are also a great way of tracking your financial position.)
Lesson 6: Diversify Earning Potential and Risk
This one starts to get to the heart of where money comes from and how to protect it. Specifically to this industry, we have much better potential than most to both earn it and keep it - let me explain.
Traditional incomes generally boil down to trading time for money from a single source (your employer). It certainly did for me for many years and in my case, it meant going into Pfizer each day, doing my architecty thing and receiving a monthly pay check. As we've already established further up, a software architect in this industry can do quite well but this traditional means of working does create risk and I saw that manifest itself through many rounds of redundancies over the 14 years I was there. I'd see the stress people went through as their roles were cut and they were out of a job and there were 2 main reasons for that:
Their job was their sole source of income and if it went, so did their cash flow (in some cases, it was the sole source of income between both them and their partner who may be a stay at home parent)
They were worried about their ability to get another job which, again, would also have a pretty significant cash flow impact
We went through that stress ourselves; about 7 years ago Kylie's job was made redundant. She was 6 months pregnant (seriously, who does that to a pregnant woman about to go on maternity leave?!) and it was entirely unexpected and left us with a very uncertain future. Fortunately, we had my income to cover us and we'd obviously planned in advance for the maternity leave, but it still rocked us.
So let's drill down on this "diversify earning potential" concept and the first point I want to make on that is about your own personal marketability. My very first blog post ever was Why online identities are smart career moves and a cornerstone of that post was that you never know when you might be looking for another job. Making yourself marketable isn't something you can do well at the drop of a hat, it can take significant effort and it's something you need to plan for in advance. You might not necessarily think of that as a personal finance tip, but it can have a fundamental impact on your ability to earn money.
One of the suggestions I received when tweeting about this post last week was this:
How to get rich and not get pwned! Yes please. Maybe some advice about investing in your own learning and pet projects would be nice.
Here's a perfect example that illustrates my point: when I first interviewed for the Pfizer job in 2001, I showed a pet project I'd built. It was a classic ASP and Access Database (stop laughing) project that managed photos I'd taken. It was very basic, but it gave me something to show that demonstrated work in the field. I clearly remember showing my boss's boss the work and him being impressed by it, despite its simplicity. This was a personal project done on my own time as part of my own education and it played an important part in landing me the job I had for the next 14 years. That's the job that contributed significantly to the investment portfolio!
Pet projects, open source contributions, robust Stack Overflow profiles, local user group engagements and a raft of other things you can do in your spare time all contribute to marketability and in turn, diversify your earning potential. (Incidentally, the talk I referenced earlier on Hack Your Career covers all of this in more detail.) This is one of the great advantages we have in this industry in that it's so easy to expand our professional repertoire in our spare time. I'll give you an example of the antithesis of that: One of the people I saw forced into redundancy at Pfizer was in a senior role they'd been in for a very long time (I'm going to be a little vague here in case they read this) and frankly, they really had very little (any?) industry experience outside of that. They were proficient at their job but they really didn't have skills that were transferable across the industry and when the redundancy finally came, they were out of work. Permanently. They ended up re-skilling in another industry in what was quite a stressful time for them.
Moving on, another great attribute of tech is the ability to diversify income sources. Now, I'm conscious there are cases where the employer may prohibit some of these things (even on personal time) but as an example, I did a lot of small independent website projects whilst in my corporate role. Nights, weekends, holidays were often spent building brochureware websites or other little pieces of work that could earn income. Independent income which would contribute to our financial wellbeing. That money then went into the property portfolio and grew further so think about the leverage that provided: the extra money earned was nice in and of itself, but that was then used to borrow money (so it was leverage) which bought appreciating assets. Those nights, weekends and holidays ultimately became very valuable.
In 2012, I started creating what many people came to know me by: Pluralsight courses. Again, something that could be done independently without conflict with my day job. There are many, many little opportunities like this which can actually contribute to both the points made in these last 2 paras, namely diversifying your experience and actually generating income. Today, no more than about 20% of our income comes from any one source which is enormously important in terms of diversification. It means that, for example, if Pluralsight goes down the toilet then yes, I'd be very upset by that but no, it wouldn't be a life-changing event.
Which brings us to risk. Risk is reduced when you have more choices and it's reduced again when you have more sources of income. Drawing it back to investment strategies, you'd never proverbially put all your eggs in one basket by, say, putting all your cash into one stock. Using all your savings to buy that one magic bean, so to speak. When we bought real estate, we bought at a level that would enable us to diversify; I'd rather have 2 small apartments in different suburbs than 1 house because it gives you insurance against everything from tenant vacancies to repairs that need to be made to something extreme like the place burning down. And you definitely don't want all your exposure in one asset class either; property, shares, cash and all sorts of other investment vehicles enable you to spread risk. Try a Google search for life savings lost in investment scheme and you'll understand why this is so important.
Invest in diversifying your earning potential and your assets such that it reduces your risk.
Lesson 7: Prepare for Luck
When I started drafting this blog post all those years ago, one of the things I immediately thought of was this book:
Malcolm Gladwell is a sensational author and his previous books The Tipping Point and particularly Blink are absolute must reads. But what I particularly liked about Outliers is how he systematically broke down the factors that contributed to the success of very noteworthy people such as Bill Gates, The Beatles and even elite athletes. On that final point, let me draw an extract from Wikipedia that illustrates one of the success factors Gladwell identified:
The book begins with the observation that a disproportionate number of elite Canadian hockey players are born in the earlier months of the calendar year. The reason behind this is that since youth hockey leagues determine eligibility by calendar year, children born on January 1 play in the same league as those born on December 31 in the same year. Because children born earlier in the year are statistically larger and more physically mature than their younger competitors, and they are often identified as better athletes, this leads to extra coaching and a higher likelihood of being selected for elite hockey leagues.
There are 2 ways of thinking about this as it relates to success factors and the first is that elite hockey players are exceptionally talented. Regardless of the other opportunities that were granted to them, you simply can't play at that level unless you're at the absolute top of your game. The second is the real insight in this piece and it's that the older kids have a natural advantage due to those extra months of growth. An unfair advantage, some would argue, but an advantage all the same. But it wasn't all luck either - there's plenty of kids born in January that can't compete with much younger players because they simply don't have the natural talent or the family support or the dedication to train or whatever else it may be. Being successful at that level requires both luck and talent.
Bill Gates is worth a mention as it ties in nicely with the tech-centric theme of this post. Yes, he's obviously a super smart bloke, but it was his (very fortunate) access to computers courtesy of his mother's job that amplified that talent and enabled him to build Microsoft. And this is really the point I'm getting at in this lesson: we all come across fortuitous situations - "luck", if you will - and you need to be prepared to take advantage of those opportunities. Those situations may be anything from a sudden job opportunity to a chance investment, both of which often require preparedness to take advantage of. For example, do you have a presentable resume and references for that chance job? Do you have up to date tax returns and financial statements for the investment? Are you able to leverage the skills and the assets that you have - that we all have - to be able to take advantage of these opportunities when they arise? I certainly haven't always and I lament the ones I missed because I simply wasn't prepared.
I vehemently dislike seeing successful people referred to as "lucky" or "fortunate" without further context. Not because they're inherently wrong words to use, but because they imply people achieved that success by chance. It must also be disheartening for others who don't believe they're as lucky or as fortunate themselves which is why I love this quote:
I am a great believer in luck. The harder I work, the more of it I seem to have.
There's debate about who originally said it but it doesn't particularly matter as the sentiment rings true regardless. What I hope people take away from it is an acknowledgement that hard work and preparation amplify the luck that we all come across from time to time.
One more thing on the whole "luck" piece because it will come through in comments if I don't address it: Just as the older hockey players benefited from the month they were born in, I've benefited from factors I was born into. My gender. My ethnicity. The country I was born in. Even the countries I've lived in; I spent the last few years of high school in Singapore which was an absolute tech mega centre compared to most of the rest of the world in the early to mid-90's when I was there. A chance meeting at the local windsurfing club with a guy working for a satellite systems engineering company in '92 got me my first part time job in technology. These are factors I had no control over, but I amplified that good fortune by working my butt off when I was given the chance. Whatever your circumstances, the premise that opportunities will present themselves over time and that being prepared to leverage them is important is still an absolutely essential lesson.
Lesson 8: Put a Price on Your Time - and Your Family
I stopped playing video games probably about a decade ago. Half Life 2 was my game of choice at the time and I could easily blow a few hours fragging everything that moved. Whilst it certainly wasn't at an addiction level, it was still enough time spent that eventually it dawned on me that it simply wasn't a good way to invest my hours. Now I want to be clear about something here too: investments aren't always of a monetary nature, they can be investments in your health or your mental state or your family and as it stands today, I spend more time playing tennis each week than I did fragging. But the return on that investment is so much greater for my mental state and my health than what HL2 ever was.
To the point about putting a price on your time, I realised holistically I was much better off focusing on our investments and my own personal development than I was spending the time gaming. As time has gone by, I've become more and more conscious of what the value of my time is. Sometimes it's a clear monetary value; I charge companies to run security workshops which is a direct exchange of time and money. Other times it's much less tangible but it feels like it's moving things along in the direction I want them to go. This blog post is a perfect example of that insofar as it will make me zero dollars directly but I feel like it's the right thing to do because it has the potential to improve life for others. Understanding the value of time (and particularly how it changes over the years) has also helped me decide where to spend money to buy back hours; a house cleaner a couple of times a week, someone to wash the cars, business class airfares.
Then there's putting a price on your family. People hate it when I use this term - "what do you mean I should put a price on my family, my family is priceless!" - and they continue to hold that position as they head off to the office each day. The reality is that we all trade time with our families to partake in activities that enable us to actually support them, but most people don't favour thinking about it in those terms. It doesn't have quite the same ring to it, but perhaps a more accurate title would be "consider how much family time you're willing to sacrifice for your prosperity and how long you're willing to wait for that investment to pay off". If you don't have a family to consider, put it in terms of other personal activities you're willing to trade; I traded gaming, others might trade social activities or a holiday or some other form of sacrifice that results in them working towards their own prosperity.
What I mean by putting a price on your family is that you should work out when it makes sense to prioritise spending time with them and when it makes sense to invest time to focus on other things. For many people, there’s no desire to commit anything more than 40 hours a week to earning a living and that’s just fine, so long as the lifestyle that gives them is consistent with the one they want and they're not left unfulfilled as a result. What drives me nuts is when you see people wistfully longing for certain financial or lifestyle goals yet being unwilling to make the sacrifices to get there (more on that in the next lesson).
My balance has changed over time. In the earlier years of my career when I was mostly on hourly contracts, it would be 11-hour days most of the time because surprise, surprise, that pays a lot more than 8-hour days (and remember, that went into leveraged assets that then grew in value over many years). It was fine when it was before kids too and Kylie was either studying or building her own career with similar hours, we both just knuckled down and got on with it. It’s always going to be harder with kids, particularly because higher workloads are inevitably passed onto your spouse if you’re the one doing the extra career things. What I'm finding now is that because we made those sacrifices before kids were around, we're enjoying the pay-off while they're still young.
If nothing else, at least consciously make choices about where time is spent and one of the best things that'll help you do that is to have a goal.
Lesson 9: Have a Goal
The best way I can explain this is to share a speech by Arnold Schwarzenegger. Invest 12 minutes listening to this:
Don't waste your minutes. Work your arse off. You have 24 hours in a day, you sleep 6 of them, maybe you burn 12 with work and travel so now you have 6 hours left. You eat / schmooze a little, but you see how much time is left.
If you don't have a vision of where you're going, if you don't have a goal where you go, you drift around and you never end up anywhere.
A goal keeps you focused. A goal drives you to invest time in working towards something. A goal makes you relish the pain required to achieve it. Schwarzenegger talks about the physical pain of reaching his goals, but also about improving knowledge by investing time which aligns with what you've read here. Now, clearly he took a very extreme approach to reaching his goal because it was an extreme goal. I'm not saying everyone should go out and spend every spare moment figuring out how to maximise their dollars, but what I am saying is that you need to know why you're doing this - what you're working towards - and depending on how lofty that goal is, it may indeed take a significant amount of effort over a long period of time.
In this industry, we work with goals the whole time and we've all worked with tools that help enable us to hit them. We have backlog items that need to be completed and they can just as well be things like getting your insurances in order, assessing your retirement strategy (yes, even when you're young) or setting a learning objective. We deliver work units in sprints and when you have a long-term goal, there's going to be many individual sprints within it. Kylie and I continually have retrospectives; what's working, what's not, what do we need to do differently. And if we really want to draw out the agile analogies, nothing requires adaptive planning like your financial future does because there are so many environmental factors that change; your job, your family structure, interest rates and any number of other things that require a course correction. We, tech friends, understand this. This is what we do day in and day out and you can extend that to your personal financial prosperity.
Inevitably, we all have multiple goals and they'll change over time too; for many years whilst I was living in Sydney and working for Pfizer, my goal was to gain independence and move back to the Gold Coast where my family was. In 2015, we did that:
So, I made new goals. I've certainly had others too and they haven't always been this long-term or life-changing. For example, I've had goals for certain cars I've wanted and in some cases, it's taken many years to achieve them. In other cases, I'm yet to achieve them but they're still there on the horizon, driving me forward and giving me direction.
Goals can be very personal; perhaps your goal is to retire young. Maybe it's to support your extended family. It might even be to give as much as you can to charity (Gates is a perfect example of that) and all of those are just fine, but have a goal because without that... you drift.
Lesson 10: Financial Prosperity is a Partnership
I wanted to finish on this point because it's absolutely pivotal to making all the previous ones actually work. If you're in a partnership with someone (wife, boyfriend, whatever), perhaps the most valuable advice I can give is that you must approach financial prosperity as a partnership with a shared vision. If you're not aligned - if you have fundamentally different objectives - you won't be able to give your goals the focus they deserve.
I think back to friends I've seen in the past struggle with this. For example, one partner becomes resentful of the amount the other is spending on personal indulgences. Or they resent the family sacrifices the other is making. Or one is satisfied with a subsistence living whilst the other dreams of millions. Lack of alignment not only makes achieving financial objectives difficult, it can drive a wedge right through the middle of a relationship and I'm sure we've all seen many fail simply because the couple don't see eye to eye on fundamental issues.
I'll give you a few examples of what I mean and the first one that came to mind (for some strange reason) was when Kylie and I were planning a family. Like most couples, there comes a time where that's on the cards and for us we started talking seriously about it in 2008. As we began planning, we literally went to a quiet spot in a local restaurant with a laptop and drew up a spreadsheet of what having a baby would mean. We did this together and planned everything from loss of income due to maternity leave, government parental benefits, the taxation implications of both and even medical expenses and the maintenance cost of a child. I'm sure we didn't get that all spot on (the last one in particular), but the point is that we made a financial decision together (and having a kid is a very big financial commitment) with as many of the facts as possible in front of us.
That partnership extends to everything from the investments we make to the travel I do to the insurances we have (NB: things like income protection and life insurance are another one of those financial literacy things). This isn't just to ensure alignment, it's also a great sanity check. If you're in a relationship, you'll probably find there are aspects of this whole financial prosperity thing that each of you does better than the other; I'm "big picture" and number orientated, Kylie is detail-focused and frankly, much more patient than me! Explaining things to each other has a way of ensuring you stay on track.
But perhaps even more importantly than all of that, relationships are meant to be a partnership. A journey you take together. Hopefully a very long journey that requires planning and there are few more fundamental relationship issues than how you view money.
If you're working in tech, you're working in one of the most well-paid industries with the greatest growth potential and career prospects out there. Your financial potential almost certainly exceeds that of almost everyone else around you. You're already winning just by being here and my hope is that whilst the first tweet in this post might have provided motivation, the post itself helps provide inspiration.
Nice wheels, mate. Motivation No. 946,624 to start hacking my career this year. :)
Keep up the good work, you've earned it all and then some.
Feel free to ask questions in the comments section below and I'll answer what I can. Also - and I trust this was obvious already - do treat this post as a reflection of my own views and experiences and get professional advice where necessary.
I'm home! And it's a nice hot Christmas! And I've got a new car! And that's where the discussion kinda started heading south this week. As I say in the video, the reaction to my tweet about it was actually overwhelmingly positive, but there was this unhealthy undercurrent of negativity which was really disappointing to see. Several other non-related events following that demonstrated similar online aggressiveness and I don't know if it was a case of too much eggnog or simply people having more downtime to be dicks online, but it was a really odd spate of bad behaviour.
Be that as it may, I hope there's some useful content in this one but I do appreciate the car bit in particular may not be relevant to a lot of people. In case you want to skip it, that bit starts at about the 3-minute mark and goes until the 28-minute mark. For those that do watch it, I hope you enjoy something a little bit different this week whether you agree with my choice or not 🙂
It's a new car! (that's the tweet with the pics and all the likes, but if you dig far enough, you'll see a negative undercurrent too)
This week I'm talking about my new (free!) Pluralsight course, yet more data breaches, some really wacky Spotify attitudes towards passwords, a cool new Report URI feature we're looking for beta testers on and introducing an all new sponsor - strongDM. That's it from Canada, it's off to a hot Aussie Christmas now and the next few days will come from sunny home 😎
I'm in Whistler! And as I say at the start of this video, I did seriously consider having a week off these videos, but I found a comfy spot by the fire and a cold beer and all was good in the world again. This week has some updates on my Canada travels, a couple of data breaches I loaded during the week, new HIBP stickers and some really screwy password practices at HSBC. I'll still be here in Whistler next week so will pump out one more snowy update before heading home for a hot Christmas.
I'm on countdown to take-off for the next 2 and a bit weeks so I'm going to keep this intro really short because it's sitting between me and a relaxing cold one (as soon as the bags are ready). Heaps of services got pwned, Australia has a screwy set of circumstances (and reactions) around a cyber bill and HIBP had a 5th birthday celebration which resulted in stickers and a really fun live AMA video. That's it for now - next week's update comes from the snow!
So today is Have I Been Pwned's (HIBP's) 5th birthday. I started this project out of equal parts community service and curiosity and then somehow, over the last 5 years it's grown into something massive; hundreds of thousands of unique sessions a day, millions of subscribers, working with governments around the world and even fronting up to testify in Congress. I'd love to say I had the foresight to see all this coming but I didn't. Not one bit of it. I just did the things I thought made sense at the time and that was that.
As the 5th birthday approached, I asked people what I should do. There were many good suggestions but chief among those which were actually feasible (and frankly, that I liked the idea of!) was to make stickers. So I did:
The sticker is 5.97" x 1" (the olden day equivalent of 15.16cm x 2.54cm) with nice rounded corners. I just bought 1,000 of them off Sticker Mule with free shipping all the way down here to Australia and I'll be handing them out on my travels around the world. Apparently this link will get you $10 off your order and give me a $10 credit too so that I can put it towards buying more HIBP stickers and handing them out to more people.
If you'd like to order stickers, you can do it yourself directly via the Sticker Mule website (again, that's a referral link in both our best interests!) Sticker Mule doesn't have a way for me to share the exact approved artwork, but I had a better idea anyway; there's now a public GitHub repo on my account called hibp-stickers. You can simply grab the artwork from there (use the .ai Illustrator file in the "Wide Logo" folder) then create a new custom order of rounded corner stickers with a custom size matching the dimensions I mentioned earlier. Order as few or as many as you like, upload the Illustrator file, wait for them to come back to you with a proof (took a couple of hours for me) and it's job done.
I've got 2 requests for this and the first is to simply share generously. Print out a bunch and hand them out at conferences or during security talks or wherever else you like, just enjoy them and socialise them. The second request is that if you're the creative type and can do a better job of a sticker than me (highly likely), make a pull request on that GitHub repo and I'll happily accept any good ones and socialise them accordingly (feel free to drop in a readme crediting yourself too). I'd love to see what people do with these so tweet out a pic and mention me and I'll share your good work.
Along with the stickers, I'm also going to be running a live-streamed AMA at 19:00 my time tonight which will be 09:00 Tuesday morning for London, 04:00 on the US east coast and 01:00 on the west coast (so yeah... sorry US friends!) If I've set all this up right, it should magically start playing in the window below. If I haven't, keep an eye on my Twitter account and I'll communicate whatever other plans I make there.
Thank you everyone who's been a part of this journey from the supporters to the contributors to the pwned. In a week where we've just had news of both the Marriott / Starwood and Quora breaches, clearly the need for HIBP is greater than ever and I look forward to continuing to run it well into the future.
I'm pushing this out a day late so firstly, apologies for the break in what's otherwise a pretty steady cadence. But having said that, as I say at the start of this video I've really been struggling with work / life balance lately. As such, I recorded this Thursday evening then spent most of Friday on the jet ski with my son. We balanced out a lot of work on this trip 😎
But check out the scenery! Just stunning. Saw hundreds of turtles, dugongs, mantas and star fish. Just an amazing place. pic.twitter.com/kgWBhK8nrD
Getting back to business as usual, I was in Sydney for a day trip during the week, I'm off to Canada in a week from today, example.com forgot to renew their cert, there was a massive new breach to go into HIBP and York City Council seriously screwed up their handling of a very ethical security report. Oh - and the massive Marriott / Starwood breach only came to light Saturday morning my time so it didn't get a mention this week, I'll see if there's anything worth covering off next week. For now, here's this week's update and I'll come to you once more next week before heading off to waaay colder times:
It's a no-blog week, but that doesn't mean any less is happening! This week, I've finally wrapped up the Lego Bugatti, got myself into the new iPad, connected my washing machine (I know, I know, I didn't plan it this way!) and then isolated it on a separate IoT network. What a time we live in... Oh - and speaking of times we live in, our data is getting thrown around the place like never before thanks to data aggregators and their constant breaches and frankly, I'm a bit fed up with it. All that and more in this week's update.
Bit of a change of scenery this week; I've gone to the other end of the house whilst invasive palm tree roots are water blasted out from beneath my office window as part of our garden renos. But hey, that's a nice place to be on a day like this 😎
Other than the location, it's business as usual. There's been some interesting discussion on biometrics this morning, I'm appealing to developers of extensions and add-ons to whitelist themselves when a CSP is present and I'm talking about Google's U2F implementation. That last one in particular has had a heap of traction so appears to have struck a bit of a chord. Checking out Google Analytics, it looks like it made it to the front page of Hacker News and whilst I always take those comments with a grain of salt, it's nice to see it getting air time.