Category Archives: Weekly update

Weekly Update 213

This week's update comes on the back of a very long week for me, but it's good to be "out there" speaking at events even if they are just from the comfort of my own home. There are also more adventures in IoT, Chrome's experiment with URL paths in their omnibox and Apple messing around with MAC addresses on my phone and watch. Oh - and I did manage to track down what my favourite Norwegian beer is following a question from the audience:

References

  1. I've ordered some Xiaomi Aqara wireless switches (these are Zigbee based and will trigger various Home Assistant automations)
  2. Watching the reactions to Chrome's omnibox experiment to hide the path has been... entertaining 🤣 (but seriously, there's an interesting discussion to be had around people's ability to interpret URLs and how much value there is in removing this "noise")
  3. In iOS 14 and watchOS 7, Apple is randomising the MAC when connecting to new networks (good for privacy, but it messes up a bunch of things including my nice Ubiquiti icons)
  4. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Weekly Update 212

It's a bit of a mega one this week, running over the 1-hour mark, but there's been an awful lot happen during the last week that I reckon is of interest. There's a decidedly adult theme running across the topics, not by design but by pure coincidence, between the Grindr incident, a query I got regarding erasing one's adult website browsing history and the IoT male chastity device full of security holes and potentially requiring a grinder (not Grindr!) to remove. We live in interesting times...

References

  1. It's NDC Sydney next week! (I won't "be" there this year, but the show is still going on)
  2. I'm super impressed with the quality on the new GoPro HERO9 Black (more of that to come, including some weekly updates outside the office)
  3. Chowbus got pwned (it's a really odd one)
  4. Your browsing habits may be yours forever if you're not anonymising your IP (what are you doing online today that you'd be happy to be public knowledge not just now, but in the future too?)
  5. The IoT chastity lock with the vulnerability which may require an angle grinder to cut it off you (wow 😲)
  6. Grindr had an absolute shocker of a security vulnerability (I do think they've handled it well, at least once the right people actually knew about it)
  7. The Canadian government is now using HIBP to monitor their domains (they're the 11th gov to be onboarded and I'm sure more will follow yet)
  8. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Weekly Update 211

This week there's a lot of connected things: connected shoes, connected garage camera and connected GoPro. And then there's Scott's Grindr account. Awkward. Actually, since recording this weekly update the details of the issue have now been released so I'll talk about that in more detail next week. This week there's all the above and, on a more personal note, my relationship with Charlotte. Enjoy.

References

  1. My shoes are connected! (that's the tweet thread of how to update the firmware in them - yep, updating the firmware in my shoes)
  2. My Ubiquiti G3 Micro is up and integrated with Home Assistant to raise motion events (this is super simple and I'll use it to trigger external lights once more Shellys go in)
  3. Got the new GoPro HERO9 Black to start doing some more weekly videos out of the office (might be some jet ski and wakeboard park opportunities in there too)
  4. Charlotte (not sure what I can say here, just watch the video 😊)
  5. Sponsored by: Tines. 22% of breaches begin with phishing (DBIR 2020). Submit suspicious emails and attachments to Phish.ly for free immediate analysis!

Weekly Update 210

Wow, 4 years already. Regardless of where I've been in the world or the stresses that have been going on in my personal life, every single week without exception there's been a video. This makes 210 of them now, and these days they're live from a much more professional setup in a location that has absolutely no chance of changing for the foreseeable future. Not exactly the way I saw things panning out 4 years ago, but I guess we've all been a bit blindsided on that front. Anyway, on with the show and there's not a lot on the professional front this week due to downtime with the kids over their holidays, but some good audience questions I hope people enjoy. Next week - something I'm very excited about and it has absolutely nothing to do with tech 😊

References

  1. I've done this video every single week for 4 years, no matter where I've been (that's a link to the first one ever - same same but different)
  2. I've been replacing external Ubiquiti access points with in-wall units... and they're awesome! (I'll gradually go through the house and replace all the wall sockets with these)
  3. Was Activision "hacked" or do people just choose bad passwords? (without evidence to the contrary, my money is on the latter)
  4. Sponsored by: Join the Microsoft Reactor community for workshops, panels and events to expand your skillset across a range of technologies and topic areas

Weekly Update 209

More IoT, more cyber and more Q&A so yeah, business as usual this week. More specifically, a lot of this week's update talks about VPNs and where they still make sense with so much HTTPS all over the place these days. As I say in the vid, blog posts like the VPN one I did this week are often done to help me get my thoughts on a topic straight and a lot of things became a lot clearer for me in doing that. The headline figure out of that post IMHO is that only 2.3% of websites are forcing all connections to be secure courtesy of HSTS preload and the fact that browsers still default to the insecure scheme. More on that (and much more) in this week's update.

References

  1. The whisky tasting put on by Hacktive was a pretty neat digital experience (pic there from the event)
  2. There's been what's reported as the first death as a result of ransomware (I find it hard to believe it hasn't happened before, and it'll definitely happen again)
  3. The "3Ps" of VPN value proposition (where do they still make sense in an increasingly "secure by default" web?)
  4. Sponsored by: safepass.me helps you quickly secure your AD passwords and reduce the risk of Credential Stuffing

Weekly Update 208

The highlight of my week was absolutely getting the Shelly 1 units behind a couple of my light switches working as I'd always dreamed. It just opens up so many automation possibilities that I'm really excited about what I might do in the future with them now. When I get the place to a standard I'm happy with, I'll definitely do a good walkthrough and show how it all works. Until then, this week's update has some general infosec stuff but chief amongst that is the Giggle app situation. So many layers on this one, so many layers...

References

  1. Got the Shelly 1 working absolutely perfectly! (this is precisely what I always envisaged)
  2. Don't say your app is "highly secure" while the browser is literally telling everyone it's "Not Secure" (it's now fixed but still, how do you even start out without HTTPS these days?!)
  3. So apparently Michael McIntyre needed some good new material 🤣 (honestly, I couldn't care less if he actually did, that'd be kinda cool)
  4. If you want to go down a rabbit hole, read my short thread on the Giggle security situation then delve into the tweet threads 😲 (security is one thing, debates on AI detecting females and what makes someone one is quite another)
  5. Sponsored by: The biggest return on security investment is getting your time back. Scale your defenses and regain control with Tines Security Automation.

Weekly Update 207

I kicked off a little bit earlier on this one in order to wrap up before the Burning Minds keynote, and it's interesting to see just how much difference that little sliver of sunlight makes to the video quality. Check the very start of the video versus the very end; this is the sunset slipping through the crack in the fully drawn blinds, and it makes a massive difference. In other news, I'm talking about how I prepare my talks and deliver them timed down to the minute (I had 20 seconds spare on this one), the dramas I'm having with the Shelly units and putting another dozen neon lights in the house, how encryption and hashing are fundamentally different and we should stop conflating the terms and finally, a bit in response to an audience question about how to phrase messaging for a customer attempting to use a Pwned Password.

References

  1. I've been really carefully planning the timing of my talks for years now (dug this tweet out as a reminder of how valuable this approach has been)
  2. Thread here on installing the new RGB LED downlights (no, this is not my bedroom!)
  3. Stefán from EVE Online has written a bunch about how to frame messaging when a customer attempts to use a Pwned Password (search through his other posts on the topic too, CCP Games has put a heap of research into this)
  4. Whilst I'm pimping his writing, check out yesterday's post too: Using HaveIBeenPwned, Application Insights and Grafana to detect credential stuffing attacks (this is really neat)
  5. Sponsored by: AppTrana - A Risk Based Managed Cloud WAF that includes Security Assessment of your Site, Instant Managed protection, 24x7 Monitoring & CDN

Weekly Update 206

Since I recorded this morning, I've had an absolute breakthrough - I CAN OPEN MY GARAGE DOOR WITH MY WATCH! I know, I know, it shouldn't be this hard and that's a lot of the point I'm making in this week's video. Having said that, some parts have been hard because I've made simple mistakes, but the nature of the IoT ecosystem as it stands today predisposes you to mistakes because there's so freakin' many moving parts that all need to be aligned. More on that in the video, plus some actual infosec content too! More on all of that next week 😊

References

  1. The BBC is now using Pwned Passwords (hitting the k-anonymity API too, plus wrote a great description of it in the aforementioned link)
  2. Cloudflare is a reverse proxy, not a host, and they make it easy to submit abuse reports (but that doesn't mean you can ask them to kill content purely because you don't like it)
  3. Sponsored by: Credential stuffing is currently the biggest threat to organisations, find out how you can protect your network right now with safepass.me

Weekly Update 205

Between still feeling a little groggy after hitting the water hard on an early wake boarding session and then my camera overheating and shutting down towards the end of the live stream, this wasn't the smoothest of weekly updates, but I still got across everything I needed to. I'm especially excited about those Shelly 1 units for cheaply IoT'ing existing lights and I'm hoping to have some of that up and running next week. Until then, here's episode 205:

References

  1. I got an award! (2020 (ISC)² Global Achievement Awards: Celebrating achievements in cybersecurity)
  2. I'm going to put a bunch of Shelly 1 units behind light switches (this is a really neat way of IoT'ing your house)
  3. New lighting systems in Aus tend to be down lights that fit into 90mm cutouts and plug directly into a mains socket (these are cheap - from ~A$12 - and easy to swap out yourself)
  4. Why oh why oh why do websites keep storing DoB?! (I'm yet to hear a good legitimate reason)
  5. Sponsored by: Edgescan: The award-winning, fullstack, vulnerability management solution. All vulnerabilities expertly verified for false-positive freedom.

Weekly Update 204

It's an extra early one this week and on review, I do look a bit... dishevelled! I run through a whole bunch of things from this week's Twitter timeline and there are some great audience questions this week too, so thanks very much everyone for the engagement. Next week we'll do it at the other end of the day again and I'm sure there'll be a heap of new stuff to cover before then.

References

  1. The feedback on open-sourcing HIBP has been 99.99% positive (that's about as good as you can ever hope for on the internet!)
  2. I reckon 10TB Western Digital Red drives are the sweet spot for storing data at volume these days (not everyone agrees, of course)
  3. Amazing how many people chimed in on the thread re tamper proof screws (also amazing how many people were completely wrong!)
  4. I'm really not finding any good solutions for universal remotes I can program myself (chime in below if you have any great ideas)
  5. Sponsored by: Join the Microsoft Reactor community for workshops, panels and events to expand your skillset across a range of technologies and topic areas