โŒ

Normal view

Received before yesterday

Weekly Update 454

2 June 2025 at 05:26

We're two weeks in from the launch of the new HIBP, and I'm still recovering. Like literally still recovering from the cold I had last week and the consequent backlog. A major launch like this isn't just something you fire and forget; instead, it takes weeks of tweaks and refinements to iron out all the little creases, both known and unpredictable. None of them have been significant, fortunately, but the more I look at it, the more I see, and the more we refine. This week, we're diving headfirst into something I'd rather avoid: wacky procurement demands. Stuff like quote generation so that you can have the same stuff as you can find on the pricing page right now, just as a PDF with your name on it 🤦‍♂️ And look, I get it - it's not the people reading this making those demands, and I have trodden in your shoes and felt your pain. Hopefully, sometime this week, we'll automate away both your and my pain, and that'll be a massive step forward for all of us. Stay tuned!

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don't get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. I'm coming to Zurich! (now at the correct date of June 16)
  3. The Fédération Française de Rugby breach turned up (282k people in there, including with their DoBs for some reason 🤷‍♂️)
  4. Sticking with the French theme, their "Free" ISP data popped up too (another 14M people there, also with dates of birth 🤷‍♂️)
  5. And the second coming of Operation Endgame also made its way to HIBP (with support from our friends in LEA 👮)

Weekly Update 453

26 May 2025 at 19:26

Well, the last few weeks of insane hours finally caught up with me 🤒 Not badly, but I evidently burned enough midnight oil to leave the immune system somewhat degraded and just after recording this video, I really didn't feel like doing much at all. Some congestion and sniffles aside, it's really not that bad, but definitely evidence of a very intense period, which thankfully, is now behind us. So, this week, let's talk about that awesome new HIBP website 😊

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don't get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. We launched! (the end of one era, the beginning of another)
  3. Cloudflare's Turnstile is protecting a bunch of features in the new HIBP site from automation (but we do need to work on the rate at which it thinks real people are bots)
  4. I later put out a poll on the rate at which Turnstile was blocking access (when I speculated about 10%, I was pretty close - it's actually 8.7%)

Weekly Update 452

16 May 2025 at 16:12

Funny how excited people can get about something as simple as a sticker. They're always in hot demand and occupy an increasingly large portion of my luggage as we travel around. Charlotte reckoned it would be the same for other merch too, so, while I've been beavering away playing code monkey on the rebranded HIBP website, she built a merch store. Talking about it in this week's video obviously got a bunch of people excited, as a flurry of orders followed. As I said in the video, we put everything up there at cost (ok, so Teespring made us add 1c to each because you couldn't list exactly at cost), so it's just a fun way to enjoy the new HIBP brand more than anything. Enjoy the merch and this week's video; next week we'll have a brand new site live and ready to talk about 😊

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. Malaysia became our 40th government to take up the HIBP service (actually our first gov from Asia, too)
  3. We're going to put a small number of carefully selected partners on breach pages in HIBP (we want companies that can add something genuinely useful to breach victims)
  4. Merch! (what are we missing?)

Weekly Update 451

10 May 2025 at 17:28

The Have I Been Pwned Alpine Grand Tour is upon us! I've often joked that work is always either sitting at my desk at home in isolation or on the other side of the world, and so it is with this trip. As we've done with recent travel to the US and colder parts of Europe, we've booked to travel to places we know have lots of people we're interested in seeing, then we'll fill in the itinerary. Since the blog post last week, we've lined up folks in Liechtenstein, Zurich (which will be a public event I'll announce soon), Bern, Geneva and Lyon. I'm still trying to make contact with the folks at CERT-MC in Monaco, and same with the Italian equivalent in Rome. I've planned a bit more time at the latter and would like to try and line up another event like we'll be doing in Zurich, so if you're over that way and run a user group or similar, I'd love to hear from you.

References

  1. Sponsored by: Join Snyk's May 15th event to discover how to establish a Security Champions program, bridging security and development
  2. If you're interested in a cool panel for putting Home Assistant on the wall somewhere, check out this thread ()
  3. Gambia's national CSIRT is now the 38th gov on HIBP (they're the first African nation to come on board)
  4. And the Isle of Man is the 39th (they're a "self-governing British Crown Dependency", so I've learned something new this week)
  5. Passkeys for normi... normal people! (they can be really simple to set up and use, but that's highly dependent on how the service implements them)
  6. The HIBP Alpine Grand Tour is next month (summer, the Alps, cyber, what more could you want?! 😄)

Weekly Update 450

2 May 2025 at 15:52

Looking back at this week's video, it's the AI discussion that I think about most. More specifically, the view amongst some that any usage of it is bad and every output is "slop". I'm hearing that much more broadly lately, that AI is both "robbing" creators and producing sub-par results. The latter is certainly true in many cases (although it's improving extraordinarily quickly), but the former is just ridiculous when used as a reason not to use AI. After doing this week's video, I saw press of Satya saying that 30% of code in some Microsoft repositories is written by AI; so, are developers in the same boat? Should we go back to writing more code by hand to keep us more employed? Maybe chuck out all the other efficiency tools we use too - IDEs give way to notepad.exe, and so on. It's kinda nuts.

References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. NDC Melbourne has been run and done (that's actually the last event on my calendar at present, at least until things start filling in for Europe next month)
  3. We're progressing well with our new Have I Been Pwned challenge coin (but some of the comments about using AI in the process... 😲)
  4. There is a view amongst some that AI just shouldn't be used for things a human could be paid for (I'm sure a similar discussion was had over and over again during the industrial revolution and, well, every other time tech solved a laborious problem)
  5. This Facebook phish was way too convincing (largely due to the shock and emotion it created on first read)

Weekly Update 449

26 April 2025 at 21:11

Today, I arrived at my PC first thing in the morning to find the UPS dead (battery was cactus) and the PC obviously without power. So, I tracked down a powerboard and some IEC C14 to mains cable adaptors and powered back up. On boot, neither the Bluetooth mouse nor keyboard worked. So, I tracked down a wired version of each, logged on, didn't find anything weird in the Device Manager, then gave it a reboot, which resulted in the machine not getting past the Lenovo splash screen. So, I rebooted and the same thing happened, unplugged the new USB devices, rebooted again and ended up on the Bitlocker key entry screen. So, on my spare PC I went to my Microsoft account, retrieved the correct key for the disk in question, rebooted and ended up on the recovery screen. So, I ran the recovery process and, much to my surprise, got straight back into Windows.

That's what trying to work out the login / log in / log on / sign in thing was like this week; incrementally shaving the yak until things work and make sense!

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. The new Pwned Passwords search is actually too fast! (settle down, usability isn't as simple as "always make everything as fast as possible")
  3. I went down the "login" rabbit hole and emerged with "sign in" (I still feel this was the most logical conclusion to reach)
  4. Keep those great HIBP UX ideas coming! (May 17 is our go-live date for the new UX, and it's going to be amazing!)

Weekly Update 448

21 April 2025 at 19:20

I'm a few days late this week, finally back from a month of (almost) non-stop travel with the last bit being completely devoid of an internet connection 😲 And now, the real hard work kicks in as we count down the next 25 days before launching the full HIBP rebrand. I'm adamant we're going to push this out on the 17th of May, and I reckon it's looking absolutely awesome! Do please feel free to check out what we're doing and chime in on the GitHub repository via the links below. I'm sure there's a lot of untapped potential yet to be unlocked.

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. I'm speaking at NDC Melbourne on Wednesday 30 (lots of data breachy stuff, unsurprisingly)
  3. The LabHost "phishing as a service" platform has been well and truly pwned by our law enforcement friends (they've sent over hundreds of thousands of passwords from the now-defunct service, which are now searchable in HIBP)
  4. Samsung Germany had more than 200k of their customers' records breached via a third party (this was all allegedly caused by an infostealer infecting a Spectos employee)
  5. Each and every interface is being built in the public domain (that's the live preview link, which is just a static site, but you can click through it and get a really good idea of how it will all look)
  6. We're welcoming feedback via the issues log and discussion list on the open source GitHub repo (lots of good stuff has already come in via there)

Weekly Update 438

9 February 2025 at 01:04

I think what's really scratching an itch for me with the home theatre thing is that it's this whole geeky world of stuff that I always knew was out there, but I'd just never really understood. For example, I mentioned waveforming in the video, and I'd never even heard of that let alone understood that there may be science where sound waves are smashed into each other in opposing directions in order to cancel each other out. And I'm sure I've got that completely wrong, but that's what's so fun about this! Anyway, that's all just part of the next adventure, and I hope you enjoy hearing about it and sending over your thoughts because I'm pretty sure there's a gazillion things I don't know yet 🙂

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don't get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. We're going down the home theatre rabbit hole! (check out some of the work these guys have done, just amazing)
  3. We're seriously considering booting resellers off HIBP altogether (0.86% of our customers who come through them are consuming the same amount of support time as the entire remaining 99.14% 😲)

Weekly Update 434

12 January 2025 at 16:59

This week I'm giving a little teaser as to what's coming with stealer logs in HIBP, and in about 24 hours from the time of writing, you'll be able to see the whole thing in action. This has been a huge amount of work trawling through vast volumes of data and trying to make it usable by the masses, but I think what we're launching tomorrow will be awesome. Along with a new feature around these stealer logs, we've also added a huge number of new passwords to Pwned Passwords not previously seen before. Now, for the first time ever, "fuckkangaroos" will be flagged by any websites using the service 😮 More awesome examples coming in tomorrow's blog post, stay tuned!

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don't get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. Publicly asking for a security contact is really not something I want to be doing (it tends to be a last resort after not being able to raise the company via various other channels)
  3. Massive kudos to Synology for making the DiskStation rollover process entirely seamless (little bit of work restoring Plex, but at least there was zero data loss)

Weekly Update 429

7 December 2024 at 22:09

A super quick intro today as I rush off to do the next very Dubai thing: drive a Lambo through the desert to go dirt bike riding before jumping in a Can-Am off-roader and then heading to the kart track for a couple of afternoon sessions. I post lots of pics to my Facebook account, and if none of that is interesting, here's this week's video on more infosec-related topics:

References

  1. Sponsored by: Cyberattacks are guaranteed. Is your recovery? Protect your data in the cloud. Join Rubrik's Cloud Resilience Summit.
  2. The Armenian Government is now the 37th to have free and open access to their domains on HIBP (this gives them API-level domain searches to their gov TLD)
  3. After two and a bit years on sale, we're now giving away "Pwned" the book, for free (go grab it in PDF or EPUB format)

Weekly Update 428

30 November 2024 at 21:19

I wouldn't say this is a list of my favourite breaches from this year, as that's a bit of a disingenuous term, but oh boy were there some memorable ones. So many of the incidents I deal with are relatively benign in terms of either the data they expose or the nature of the service, but some of them this year were absolute zingers. This week, I'm talking about the ones that really stuck out to me for one reason or another; here's the top 5:

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. The Spoutible breach was one of the most bizarre instances of returning unnecessary data via an API I've ever seen (passwords, 2FA secrets and the code used in "magic links" to reset passwords)
  3. It's one thing for spyware to be used for stalking partners against its terms and conditions; it's quite another for pcTattletale to explicitly refer to marital infidelity as a use case for the product (this data breach actually killed the company)
  4. The "Combolists Posted to Telegram" breach was more significant for the stealer logs than it was the combolists aggregated from other sources (that really brought this class of breach into the spotlight for me)
  5. The National Public Data breach was much more significant for the exposure of hundreds of millions of social security numbers than it was for the email addresses that went into HIBP (that's another company that folded as a result of their breach)
  6. The Muah.AI breach exposed a trove of requests by users to create CSAM images (the linked thread is a mind-boggling series of tweets about both the content and the justifications offered for not having controls on the images created)
โŒ