First time back in a restaurant! Wandering down my local dining area during the week, I was rather excited to see a cafe that wasn't just open, but actually had spare seating. Being limited to only 10 patrons at present, demand is well in excess of supply and all you have to do is leave some contact info in case someone else in the restaurant tests positive at a later date. Fair enough too, yet somehow - still beyond my comprehension - there was a bunch of outrage expressed at the necessity to provide personal information. Talk of data breaches, stalking and government control ensued which all started to get a little "tinfoil hat", to my mind. My (more candid!) thoughts on that and more in this week's update.
I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know:
Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this:
The globally unique identifier beginning with "db8151dd" features heavily on these first lines, hence the name I've given the breach. I've had to give it this name because frankly, I've absolutely no idea where it came from, nor does anyone else I've worked with on this.
My delving into the breach began back in Feb with a tweet:
I'm trying to trace down the origin of a *massive* breach someone sent me. Looks very much like a data aggregator but I can't attribute it. Came from a cloud hosted IP so no clues there. My own data is there, anyone see any clues indicating the source? https://t.co/GHBoWN93Fy
I embedded my own record which you can pore through in more detail on Pastebin:
It's mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn't a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I've interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn't someone I'd expect to see a strong association with and I couldn't see any other similar folks. But it's the next class of data in there which makes this particularly interesting and I'm just going to quote a few snippets here:
Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.
Met at the 6th National Pro Bono Conference in Ottawa in September 2016
Met on 15-17 October 2001 in Vancouver for the Luscar/Obed/Coal Valley arbitration.
It feels like a CRM. These are records of engagement, the likes of which you'd capture in order to later recall who had been met where and what they'd done. It wasn't just simple day-to-day business interaction stuff either, there was also this:
But then there's also a bunch of legal summaries, for example "CASE CLOSING SUMMARY ON USA V. [redacted]" and "10/3/11 detention hrg in court 20 min plus travel split with [redacted]"
But nowhere - absolutely nowhere - was there any indication of where the data had originated from. The closest I could get to that at all was the occurrence of the following comments which appeared over and over again:
This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.
Exported from Microsoft Outlook (Do not delete)
Contact Created By Evercontact
Evercontact did actually reach out and we discussed the breach privately but it got us no closer to a source. I communicated with multiple infosec journalists (one of whose own personal data was also in the breach) and still, we got no closer. Over the last 3 months I kept coming back to this incident time and time again, looking at the data with fresh eyes and each time, coming up empty. And just before you ask, no, cloud providers won't disclose which customer owns an asset but they will reach out to those with unsecured assets.
Today is the end of the road for this breach investigation and I've just loaded all 22,802,117 email addresses into Have I Been Pwned. Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming "yes":
If I have a MASSIVE spam list full of personal data being sold to spammers, should I load it into @haveibeenpwned?
So, mark me down for another data breach of my own personal info. There's nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I'll be writing a blog post like this.
Edit 1: No, I don't load complete and individual records into HIBP, only email addresses. As such, only the presence of an address is searchable, the data associated with the address is not stored nor retrievable.
Edit 2: No, I can't manually trawl through 100M+ records and extract yours out.
I think I'm going to stick with the live weekly update model for the foreseeable future. It makes life so much easier when it comes to editing, rendering and uploading and it means I always have something out on time. So, that's that, other news this week is mostly just bits and pieces here and there and some banter with the audience and that's just fine, it's nice having a quieter week sometimes 😊
I went with the "just record it live" approach again this week and honestly, it's working out much better for me. It's easier to publish (no manual retrieval of audio and video from devices, no editing in Premiere, no waiting for upload) and doing it in my office gets almost the same audio and video quality as the "old" way anyway. Plus, I get to interact with people whilst recording so all in all, I'm pretty happy with this approach. Let me know how you find it and if you have any suggestions for improvement, I'll try and do this earlier in the day next Friday to hit the Aus and US friendly time zones rather than Aus and Europe per the last couple of weeks.
Last week, I got the vid out a day late and by early afternoon today it looked like I was heading the same way. So, for the first time I ended up just live streaming it direct to YouTube. I actually quite liked the interaction, although I picked the quietest time in the day with most of the world asleep and obviously the audio quality wasn't the same as sitting in my office but still, not a bad end result I reckon.
I decided to sit outside on the boat as in just a few hours from now, our restrictions here will begin lifting and we'll actually be able to head out on it for leisure again. I talk a bit about what's changing here, what our numbers look like and, of course, the whole COVIDSafe situation. Our contact tracing app has been really well received here by and large but holy shit, those who don't like it are an angry bunch, just listen to one example I read out. All that and some IoT and networking bits as well in this week's update.
I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:
Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether" gains momentum. I'd willingly run it and I want to explain why because there's also some very valid concerns. Let's begin:
On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:
I've just installed #covidsafe and want to capture my thoughts on the experience and the general principles behind the app here, especially as they relate to privacy and trust in the government. My last thread on this was 11 days ago and is still relevant: https://t.co/YCoA6x3zql
The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:
It's a day late because somehow, even in the current climate, I still find myself with a lot on my plate and the 2am getup yesterday morning didn't leave me feeling much like talking by the time I'd usually record this video. Regardless, I haven't missed a week yet and I wasn't going to start today! No great single stories of significance this week but I thought I'd share some insights into how life is gradually returning to a new kind of normal here. We've fared exceptionally well in Australia and I'm conscious many people watching this are in very different situations, this is merely my experience and what my daily life looks like at present.
Spiders! Ok, not your normal start to a weekly update but yeah, we had a bit of an infestation this week which did take my mind off other current events for a while. Much of what's happened beyond that this week has resulted in various tweet storms; the Zoom credential stuffing situation, the Coronavirus tracking app (holy cow that has some "robust" debate around it) and the (seemingly endless) thread of progress as I build up my Ubiquiti network. All that and more in the vid below.
Somehow this week's update ended up being 55 minutes, largely because of playing with a bunch of the new network gear and unboxing a pretty snazzy looking rack from 4Cabling. I get through with that then sit by the pool for the rest of this week's update. (And yes, I shaved!)
Incidentally, there's some audio clipping occurring after I sit by the pool. I've tweaked the levels a bit at that point to try and compensate, still not quite sure what happened but hopefully it's not too bad.
Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - they're not allowed to touch them! Ready? Here goes: "With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents..."
This sounds ridiculous. It is ridiculous yet somehow, otherwise smart people in my own social networks (and probably yours) lapped it up. Copying and pasting this message achieved absolutely nothing beyond shining a spotlight on those who were prone to falling for hoaxes and disinformation campaigns. I've been following and writing about these for long enough that they're dead obvious to spot these days, for example:
As a general rule of thumb, anything on Facebook expressed in all caps, accompanied by many exclamation points and encouraging other people to do something is outright bullshit https://t.co/DscXPmjNJe
And so it is with posts about the dangers of 5G. I've seen a massive uptick of people sharing information about the emerging cellular standard over the last week or so, enough that it prompted me to ask what's going on via Twitter:
I’ve seen a big uptick in people petitioning 5G rollout recently. These are normal everyday folks - not scientists - what’s driving their fear? Just the social media echo chamber? Or is there any scientific basis for concern whatsoever? pic.twitter.com/q099V3L5Wm
By all means, read through the responses if you want to get a sense of how people responded, but let's avoid the discussion of "does 5G present a danger to our health" and instead talk about how to identify false or misleading information spread by social media. If we spoke about the former, we'd be here all day and others are much more qualified to do it than me. The latter, however, is right up my alley and understanding the hallmarks is valuable well beyond just the current 5G discussion.
So, let's not talk about whether 5G is safe or not, let's instead talk about why opponents of the technology display every single spammy, scammy, hoaxy behaviour imaginable and then you can consider how much you should trust them. I'll break this down into logical headings everyone can easily follow and call out key insights in bold.
It Takes Minutes to Establish (Lack of) Credibility
Let's take a perfect example of disinformation and how easy it is to establish the credibility of what's being shared. I had this pop up a couple of weeks ago:
Just got this from a parent who distributed it to a heap of other parents in a WhatsApp group. It takes 10 seconds to Google this stuff folks, the last thing we need right now is more FUD replicating itself across the web: https://t.co/9qHVtghyUq pic.twitter.com/kBuQz0VIwd
Sounds ridiculous, but also sounds like the sort of thing non-techie people might fall for. I don't personally know the lady who posted it; she's the mum of a kid in my son's class and AFAIK, not a malware analyst (or anything close) and is unlikely to have an informed opinion on the matter. So let's just Google it:
Well that was easy. I replied to the lady's message with a link to the hoax within about 60 seconds yet still, other parents chimed in and thanked her.
No mention of 5G, but clearly a conspiracy theorist. And again, the insight from above - what does it tell you about a topic when you look at those supporting it?
It took several minutes after looking at Jenn's petition to find the information above and also find a complete lack of information on Jenn herself; no scientific papers, no peer-reviewed content or anything else of any kind you'd expect someone mounting scientific arguments to have produced.
You can play the same easy game with every one of the petitions mentioned above. For example, the "Stop the 5G roll out / Turn off 5G Australia" was started by a "Mumma, Photographer, Glamour/Promotional Model" in Bundaberg, a place better known for making rum than producing scientific research:
The "Ban the 5g network in Australia" petition was started by a vegan Instagram star, so far the only person who actually contributes to the wellness industry but a world away from scientists who study the effects of radio waves on the human body.
All of the people above are, of course, entitled to their own opinions, but the question you need to ask yourself is contained within the next insight:
Insight 2: Understand the difference between people who have formed their own opinion versus those who are qualified enough to influence your opinion.
One last example just to drive the point home:
Woody Harrelson shared this yesterday on Instagram.
I enjoyed Zombieland, but not once did I stop and think "here's a guy who looks like he'd know a thing or two about voltage-gated calcium channel activation exacerbating viral replication". Yet here he is, broadcasting it to 2M Instagram followers. Fortunately, he's since deleted the post.
Understand Your Own Susceptibility to Confirmation Bias
Confirmation bias is the tendency to search for, interpret, favour, and recall information in a way that confirms or strengthens one's prior personal beliefs or hypotheses. It is a type of cognitive bias. People display this bias when they gather or remember information selectively, or when they interpret it in a biased way. The effect is stronger for desired outcomes, for emotionally charged issues, and for deeply-entrenched beliefs.
As it relates to the 5G topic, what I'm consistently seeing is people who want to believe that governments or big tech are suppressing the little guy and willingly believe that resources confirming this view are trustworthy. The problem with confirmation bias is that if you search hard enough, you'll always find material that supports your point of view.
There's a sensational documentary about flat earthers (ok, sensationally entertaining!) I watched on Netflix recently called Behind the Curve. If you've not seen it already, take a moment to watch the trailer:
Note the quote at about the one-minute mark:
I want to believe "this", this doesn't mesh with reality so don't change my view, change reality!
It's the antithesis to scientific research; instead of setting out to determine the conclusion in an evidence-based fashion, people set out with the conclusion they want to believe already cemented in their minds then find the evidence they need in order to support that conclusion.
Insight 3: Consider whether you believe a claim because the evidence supports it, or simply because you want to believe it.
We are all susceptible to confirmation bias, and that includes me. There are things I dearly want to believe and when I see a headline that supports my bias, I'm naturally inclined to latch onto it. The question for you when reading about a topic such as 5G is whether you want to believe that it's dangerous, or whether you want to research it properly and will be satisfied with whatever conclusion the evidence draws you to. That's the key differentiation, and that's what most people I see sharing the conspiracy theories simply aren't doing.
Occam's Razor (Usually) Provides the Answer
A (non-tech) mate asked me about 5G the other day. He'd read news of it being linked to Coronavirus, a conspiracy theory that has gained a surprising amount of momentum in recent weeks. (Sidenote: Wired has a piece titled How the 5G coronavirus conspiracy theory tore through the internet which explains the origins of this.) It doesn't take much searching to find precisely the sort of correlation conspiracies he's talking about:
So we had a discussion about how correlation does not imply causation and how tweets such as the one above show absolutely zero evidence of a cause and effect relationship between 5G and Coronavirus. If that all sounds a bit wordy for you, the following tweet illustrates it beautifully:
Is just people confusing correlation with causation. Could explain to these people with basic science why no reason for causation but they likely wouldn't understand. Easier to give examples of random correlation with memes: pic.twitter.com/bremifbegM
So, what's to be done? Do we ban Nicolas Cage movies to prevent drowning? No, because that's a patently ridiculous assertion and we can easily reach that conclusion by applying Occam's Razor:
The simplest solution is most likely the right one.
Applied to 5G and Coronavirus, Occam's Razor would conclude that a densely populated city with 11M people will likely spread a highly contagious virus quite quickly. Also, a large city in China (which is rapidly becoming the tech hub of the world) is likely to be an early adopter of next gen tech. These are both logical, rational and unrelated conclusions.
Insight 4: When faced with alternative theories, consider which one is the simplest and therefore most likely to be true.
Let's apply Occam's Razor to another accusation being made in the 5G debate space: that big tech is censoring discussion on the topic. My mate brought this up in our discussion: "Google shouldn't be censoring free speech by removing YouTube videos, that should be our right". Alrighty then, let's play that thought out - should Google allow extremist videos that incite violence? No, of course not, because that actually has the potential to cause serious harm. How is that related to 5G hoaxes? Convinced of the role 5G plays in the spread of coronavirus, people are literally destroying 5G towers in the UK:
It's just insane, and it's spurred on by batshit crazy videos like this:
One video, removed by the site after the Guardian flagged it, featured a man claiming to be a former executive at a UK mobile network falsely stating that coronavirus tests were actually used to spread the virus, and that the pandemic was created to hide deaths from the mobile technology.
So, applying Occam's Razor, are videos being removed because big tech is trying to silence "the little guy" blowing the whistle on a corrupt industry that is deliberately spreading a deadly virus to cover up 5G radiation deaths, or are they being removed because they incite dickheads to destroy critical infrastructure? There's only one simple answer...
The "Viral" Nature of Hoaxes is a Warning Sign
Let's go back to the Dance of the Pope hoax for a moment, the one that was circulated by a parent in WhatsApp. Literally whilst writing this blog post yesterday, the following came in via Facebook Messenger from a friend of my parents in a totally different social circle:
The last sentence is the warning sign - "Fwd this msg to as many as you can!" - and you see it over and over again in hoaxes and disinformation campaigns. You'll also see it over and over again as it relates to the 5G debate:
It's very likely Helen doesn't have an informed view on the 5G situation and that it's appealing to her confirmation bias (I'm drawing that conclusion based on her other tweets), yet she's appealing to thousands of followers to reinforce her own view of 5G. When Bal watched the video of a former Vodafone employee drawing links between 5G and coronavirus it "connected a lot of dots" for him (which again, is obviously just appealing to his own confirmation bias), and he encouraged others to watch it and draw the same conclusion. This is the viral nature of social media - one person's enthusiasm or endorsement rapidly spreads to others and it's just so easy to replicate a message without giving any thought to the topic nor the consequences that "going viral" can have.
Going back to the Dance of the Pope, I asked the sender of the hoax what made her believe it was real and now that she knows it's a hoax, how she feels about it:
This sentence nails it, both as it relates to the hoax video and much of the 5G debate that's currently raging:
In my case (& I think with many others), when you know that you lack knowledge & experience in this field, & that you don’t know enough to call it ‘most definitely’ a scam, (& that you feel it’s arrogant to make a choice on other people’s behalf) you err on side of caution & post it on
You know you lack knowledge but you post it on anyway. Now here we are with a dancing pope and 5G spreading coronavirus.
Insight 5: Question why you're being encouraged to influence others and if you're sufficiently informed to do so.
The problem with the 5G situation specifically is that if there are valid concerns to be had, they're buried in there somewhere amongst all the crazy. And let's face it, there's a whole spectrum of legitimacy in this discussion, the challenge is sifting through it, discarding the rubbish and focusing on the good stuff. And that's really the point of this post: being able to identify when information is hyperbolic and likely to be either misleading or outright false versus something we genuinely need to take seriously.
If I was to be concerned about 5G (which I'm not) and I wanted to learn more (which at this stage, I don't), I'd go straight to a technology resource I trusted. Many people pointed me at Wired's coverage in December so if you want to learn more, start there. I'd also defer to the likes of the World Health Organisation:
I wouldn't go to Jenn in Parkerville because without evidence to the contrary, I can only assume she has absolutely no idea what she's talking about. I also wouldn't share any information on the topic unless I felt informed enough to influence others. I do feel informed enough to share an opinion on hoaxes and disinformation campaigns, so here we all are.
If I've appealed to your own confirmation bias by highlighting nut jobs talking about 5G conspiracy theories, please share this post with your entire social network.
If you're reading this, chances are you've arrived here from a link I sent you via email. That email would have been a reply to one you originally sent to me that would have sounded something like this:
Hi, I came across your blog on [thing] and I must admit, it was really nicely written. I also have an article on [thing] and I think it would be a great addition to your blog.
No, no it wouldn't and there are all sorts of reasons why not. First among them is that if I was to add a link to your resource, I'd be legitimising the spam email you just sent me. Wait - you think it's not spam? Of course it's spam! Keep reading the definition until you understand then proceed:
Spamming is the use of messaging systems to send an unsolicited message, especially advertising
Alrighty, so it's an unsolicited message (I certainly didn't ask for it) and it's intended to advertise your work. And that's really what you're asking for here - free advertising. You want people reading my content to leave my site and head on over to yours where they'll not only read your content, but (probably) view your ads and drive revenue for you.
Thing is, it's probably not even "your" site anyway because there's a very high likelihood that you're an Oompa Loompa in the "digital marketing" space tasked with spamming people like me (remember, you're only allowed to have gotten down to here if you understand what spam is) in order to drive clicks. It's either clicks alone or clicks and SEO courtesy of establishing more inbound links in an attempt to artificially inflate the popularity of the site.
So here's how I've decided to deal with the problem: every time I receive spam of this nature I'm going to add an item to the list below. It will have the title of the resource you wanted me to link to, except... no link! Just the title. On a popular blog. So now when people search for [thing], they'll hopefully end up here rather than on the spammy article thus penalising you for your behaviour. And just to help my own SEO and awareness of your spammy behaviour, I'll tweet a link to this page with the title of your page each time it happens.
The Ultimate Tor Browser Guide for 2020
The Best VPN for China 2020
How to know if someone is watching you on your camera
5 Ways to Stay Protected from Advanced Phishing Threats
How to Access Windows Remote Desktop Over the Internet
What We Need To Know About Bluetooth Security
The Best Internet Browser for 2020
Two-Factor Authentication: What Is It and Why You Should Use It
14 Ways to Create a Secure Password in 2020 (That you’ll Remember)
Black Hat SEO
Infidelity Statistics (2020) – Do Men Or Women Cheat More?
PayPal Fees: 5 Ways to Avoid This
How to Come Up With a BS-Free Answer to This Question: “What Does Customer Service Mean to You?”
The History and Uses of the Occupational Outlook Handbook
Cybersecurity Career Guide
Best Email Finder Tools to Find Emails Addresses And Phone Number
Sell Bitcoin for Skrill
The Student's Internet Research Guide
A Guide to Public Wifi Security Risks & How to Use it Safely
Incidentally, I think this blog post would be a great addition to your article, would you mind linking to it? kthanksbye!
I actually lost track of what week it was at the start of this video. Did I do the Aussie workshops last week? Or the week before? I know I was at home so... it's just all becoming a blur. But be that as it may, life marches on and this week like every other one before it was full of interesting cyber-things. I find the situation with Zoom in particular quite fascinating, particularly the willingness - even eagerness - that so many seem to have to throw the very tool that's bringing so many people together in a time of need under the security and privacy bus. More on that and a bunch of other things in this week's update.
That last one is particularly apt here as it gets us on-topic with kids watches. Almost a year ago to the day, I wrote about a serious flaw in TicTocTrack watches that made it trivial to track kids, re-position them and even enable strangers to call their watch which would answer with zero interaction from the child. This wasn't the first instance of a tracking device on a kid going wrong, it was just the latest in a long line of them. To their credit, TicTocTrack rectified the flaw (insecure direct object references), communicated with parents and got back to business. Meanwhile, the whole kids-watch-security-train-wreck continued:
In that tweet, I concluded that "the pattern is alarmingly predictable" which foreshadowed what would inevitably be yet more incidents with yet more kids watches to come. TicTocTrack saw things differently:
@tictoctrack has invested heavily in ensuring we remediated any findings from April and are committed to working with industry experts to ensure we are mitigating any risks. https://t.co/I7cfOnzxEX
The linked piece is titled "Cyber Resilience Key For iStaySafe" and is a short read wound up with a link to a PR company's email address. Amongst the reassurances of their investment in security is this paragraph:
In the following months, iStaySafe made significant investments both financially and by allocating staff resources to conduct a comprehensive penetration test of their software platform, mobile applications, sales website, all API’s and entire systems architecture. This investigation was conducted by a 3rd party C.R.E.S.T certified cybersecurity firm based in Brisbane to ensure that iStaySafe and subsidiary TicTocTrack has the best-practice cybersecurity and risk management protocols in place.
This is not at all unusual and it's from the same old "reassure customers of how seriously we take security" playbook. Many organisations assert precisely the same things: penetration tests, code reviews, ticks from certified bodies etc. A really key thing to understand here is that most of this is "point in time"; when the penetration test was conducted, everything was ok (or appropriately remediated). But the next day? Who knows. I don't mean to solely criticise TicTocTrack here, this is pretty standard PR which in my mind, didn't change a thing:
Sure enough, less than 2 months later, someone sent me my entire TicTocTrack record pulled out via a flaw in their system:
Fortunately, that person was Gordon Beeming, a fellow Microsoft Most Valuable Professional who identified the vulnerability, contacted me privately, had the details passed on to TicTocTrack and then the flaw remediated before writing about it publicly a couple of weeks ago:
Now consider the filter in the query string and ponder: "what would happen if there was no filter"? Here's what Gordon wrote:
I thought what happens if I browse directly to that container without any filter, this pulled to my browser every user in their system
And that's how he ended up with every user in the system, including myself.
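As an added example (not TicTocTrack's or Gordon Beeming's code), here is the shape of that bug in Python: a handler whose scope comes only from a client-supplied filter, beside a hardened handler that derives scope from the authenticated session, plus an access-log check a defender could run for the "no filter" pattern. The /api/users endpoint, the filter=id:<n> syntax, the session shape, the log format and the user records are all assumed.

```python
"""Re-creation of the "no filter, every user comes back" bug described above.

Added example, not TicTocTrack's or Gordon Beeming's code. The /api/users
endpoint, the filter=id:<n> syntax, the session shape and the log format are
hypothetical; the records below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample "container" of user records, keyed by user id.
USERS = {
    101: {"id": 101, "email": "parent1@example.test", "child": "Alice"},
    102: {"id": 102, "email": "parent2@example.test", "child": "Bob"},
    103: {"id": 103, "email": "parent3@example.test", "child": "Cara"},
}


@dataclass
class Session:
    """The authenticated caller; user_id comes from server-side session state."""
    user_id: int


def _filter_id(url: str):
    """Return the user id named by ?filter=id:<n>, None if absent, -1 if malformed."""
    wanted = parse_qs(urlparse(url).query).get("filter")
    if wanted is None:
        return None
    try:
        return int(wanted[0].split(":", 1)[1])
    except (IndexError, ValueError):
        return -1


def vulnerable_get_users(url: str, session: Session) -> list:
    """Vulnerable: scope comes only from the client-supplied filter.
    Omit the filter and the whole container is returned; name another id
    and that user's record is returned (insecure direct object reference)."""
    uid = _filter_id(url)
    if uid is None:
        return list(USERS.values())          # every user in the system
    return [u for u in USERS.values() if u["id"] == uid]


def hardened_get_users(url: str, session: Session) -> list:
    """Hardened: scope is derived from the authenticated session. The client
    filter may only narrow within that scope, never widen it."""
    own = USERS.get(session.user_id)
    if own is None:
        return []
    uid = _filter_id(url)
    if uid is None:
        return [own]                          # no filter still means "just me"
    if uid == -1:
        return []                             # malformed filter matches nothing
    if uid != session.user_id:
        raise PermissionError(f"user {session.user_id} may not read record {uid}")
    return [own]


def is_denied(url: str, session: Session) -> bool:
    """True if the hardened handler refuses the request outright."""
    try:
        hardened_get_users(url, session)
    except PermissionError:
        return True
    return False


# Constructed access log lines: "user=<session id> GET <path> records=<n>".
SAMPLE_LOG = [
    "user=101 GET /api/users?filter=id:101 records=1",    # normal use
    "user=101 GET /api/users records=3",                  # the bug: no filter
    "user=101 GET /api/users?filter=id:102 records=1",    # reading someone else
    "user=102 GET /api/devices?filter=id:102 records=1",  # other endpoint, ignored
]


def audit_access_log(lines) -> list:
    """Defender-side check: flag container reads that carry no filter, filter
    for a different user than the session, or returned more than one record.
    Returns (line index, reason) pairs."""
    findings = []
    for i, line in enumerate(lines):
        user_tok, _method, path, rec_tok = line.split()
        sess_id = int(user_tok.split("=", 1)[1])
        records = int(rec_tok.split("=", 1)[1])
        if urlparse(path).path != "/api/users":
            continue
        uid = _filter_id(path)
        if uid is None:
            findings.append((i, "container read without filter"))
        elif uid != sess_id:
            findings.append((i, "filter names another user"))
        if records > 1:
            findings.append((i, f"{records} records returned to one session"))
    return findings


if __name__ == "__main__":
    print("vulnerable, no filter:", len(vulnerable_get_users("/api/users", Session(101))))
    print("hardened, no filter:  ", len(hardened_get_users("/api/users", Session(101))))
    for idx, reason in audit_access_log(SAMPLE_LOG):
        print(f"line {idx}: {reason}")
```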
The point of all this is that despite the best of intentions (and I do believe their intentions are good), per the title of this post those good intentions and reassuring words do not mean that a security incident won't occur. Obviously, they also don't mean that one won't reoccur and any assertion to the contrary puts us back at the same November discussion in the tweets above (and we now know how that worked out).
So, should you not buy a kids tracking watch due to the inherent risks? I'm not saying that any more than I'm saying you shouldn't buy a connected sex toy; by all means, if one of these devices provides value to you and you're conscious of the privacy risks and willing to accept them, then do it. But for me, my own personal risk assessment puts a lot of weight in the old mantra of "you cannot lose what you do not have" so no, I wouldn't buy either.
Further to this, Jeremy Kirk has written about the incident today including comments from TicTocTrack on their decision not to disclose the exposure of their customer database in January this year. That's a bit tangential to the purpose of this blog post so I won't delve into it here, but leave your thoughts on that in the comments below. Here's their statement from the cyber resilience page mentioned earlier, just for context:
iStaySafe will continue to operate in an open, transparent and honest manner
This has been an absolutely flat-out week between running almost 3 hours of our free Cyber-Broken talk with Scott Helme, doing an hour of code with Ari each day (and helping get up to speed with remote schooling) then running our Hack Yourself First workshop on Aussie time zones the last couple of days. But, especially given the current circumstances, I'm pretty happy with the result.
This week's update covers those events plus the onboarding of the USA government onto HIBP, an announcement I was very happy to make this week! Oh - and about the green screen - I don't know whether I'll stick with this for future weekly updates or not, I'm just enjoying the novelty factor for the moment.
Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive notifications when they're impacted in subsequent data breaches.
Over the coming months I expect to continue expanding the scope of government support in HIBP. For now, it's a big welcome to the USA and I'm enormously happy to see HIBP able to support them in this fashion.