Episode Transcript
0:00
What other beer was I going
0:03
to drink, honestly, when I came
0:05
to Ireland? It was about the
0:07
only option. If you're listening to
0:09
this later on, I have a
0:11
tall, frosty, cold Guinness, which is
0:13
about exactly what you'd
0:15
expect from Ireland, isn't it?
0:17
That was lovely. It tastes different
0:20
here as well. We got to
0:22
Ireland yesterday. So a very long
0:24
trip for such a short distance.
0:26
There's definitely here. Yeah, Stefan's happy
0:29
because I'm doing this at a
0:31
normal time of day. But yeah,
0:33
so I didn't tell you this,
0:35
Stefan, but we, um, winner, I did
0:38
the thing in Iceland the other day,
0:40
we were meant to get up and
0:42
get a, what was it, a 7:30
0:44
a.m. flight from Iceland, actually, before
0:46
that, we're meant to go to
0:49
the blue lagoon in Iceland, but
0:51
then Stefan had a, um, a
0:53
volcano, and that didn't work. Why
0:55
can I say, oh there's my
0:58
live chat there. Yeah, so Stefan,
1:00
we'll blame Stefan, Stefan, had a
1:02
volcano, so we couldn't go to
1:05
the blue lagoon because there was
1:07
lava. Apparently that's bad for going
1:09
to the blue lagoon. So I
1:11
had to have an extra night
1:13
in Reykjavik, had one of the
1:16
best meals we had in a
1:18
long time. I didn't tell you about
1:20
this too, either, Stefan. I know you
1:22
saw it on my Facebook. And I
1:24
just put it on, I don't think
1:26
I post anything to Facebook that isn't
1:29
public, because you got to work on
1:31
the assumption that one day it will
1:33
be anyway. So anyway, some pictures like
1:35
that. So I went out, had a
1:37
really good night, found a really cool
1:39
bar with really cool live music, that's
1:41
on Facebook. And yeah, had to go
1:43
home to get up at 4am, to get
1:46
a 7:30am flight, to leave Reykjavik
1:48
and come to Dublin. And after the really
1:50
nice night we'd had... It was not fun
1:52
getting up at 4am, but we did it.
1:54
And then as we were in the car on the way
1:56
to the airport, Icelandair decided to tell
1:59
us that the flight... was two and a
2:01
half hours late which they knew before we
2:03
left the hotel because it was coming from
2:05
Chicago so that was a bit sucky so
2:07
we sat around in the airport for a
2:09
very long time and then we got to
2:12
Ireland and then we drove nearly three hours
2:14
as well to get to where were we
2:16
I don't know I just sort of literally
2:18
follow Waze from place to place. First trip
2:20
to Ireland, stayed at a pretty cool
2:22
place last night, had some Guinness, because of
2:25
course it's the first thing I'm going to
2:27
do in Ireland, having a Guinness. And
2:29
then today we drove three and
2:31
a half hours. Now, honestly, I
2:34
don't know where I am. If I go, where's
2:36
my location here on the map?
2:38
We drove to Kerry. We need
2:41
Limerick, actually. There you go. Near
2:43
Limerick. So, if you're like me
2:45
and you have no idea where
2:48
anything is in Iceland, Ireland, not
2:50
Iceland. And you need a map.
2:52
It's towards the bottom left. According
2:54
to Google Maps at the moment.
2:57
So it has been a little
2:59
bit of sightseeing today. It's
3:01
like cool today, like a half
3:04
work day. So we are, where are we now?
3:06
Just after 4 p.m. Which again, it's
3:08
kind of weird because it is at
3:10
a time, but never normally do it
3:12
from home. Services love getting these
3:15
notifications late. Yeah, you know,
3:17
the flight thing. Like getting a
3:19
notification that your flight is canceled
3:21
when you're actually in the, actually
3:23
at the airport. You know, the saving grace
3:25
was, it was a direct flight. And there
3:28
is nothing worse than when you're on a
3:30
flight and you realize your connecting flight is
3:32
going to be canceled or you're going to
3:34
be late or something like that. And then
3:37
you're trying to figure out how do I
3:39
join all the dots with, which is basically
3:41
what happened to us with Brisbane when we
3:43
came over to London Heathrow and Heathrow shut
3:46
the other day. You get to the airport
3:48
and then you're like, if I can't get
3:50
to my meetings on Monday and... Anyway, it
3:52
is an absolute pain in the ass. So,
3:55
yeah, fortunately, fortunately, it
3:57
wasn't too bad. Two and a half
3:59
hours. Anyway, Ireland, it's
4:01
nice here. If I'm honest, it feels a
4:03
lot like the UK. Probably for obvious
4:06
reasons. It's very close. We drive on
4:08
the same side of the road, which
4:10
is a lot like home, which is
4:12
kind of handy. I'll be in Dublin
4:14
on Tuesday, Wednesday, Thursday, next week doing
4:17
some work things as we don't have
4:19
a public event at the moment. I
4:21
do have some stickers left. If anyone
4:23
at the very last minute
4:26
can make a public event
4:28
happen in Dublin, that's fantastic.
4:30
Since I did this video last, we
4:32
did have a great public event in
4:34
Reykjavik. So Monday morning we did an
4:36
event at Make There. It was awesome. We
4:38
had a whole stadium full of people.
4:40
We gave out loads and loads of
4:43
stickers and 3D printed logos. Loads of
4:45
good logos. Loads of good Q&A. It
4:47
was just fun. I think you'd agree, man.
4:49
It was fun. Seven says I assume the
4:51
legend is true. And the Guinness and
4:53
Ireland is actually even better than elsewhere.
4:55
Yeah, and I was just before you
4:58
came on. It looks darker, the
5:00
same colour as this black wooden thing
5:02
behind me. I was actually thinking
5:04
last night when I had one, I
5:06
wonder if the alcohol percentage is the
5:09
same or a little bit more, I
5:11
know that's one of the things that
5:13
gets tweaked around the world because then
5:15
they've got different liquor licensing laws and
5:18
rates and things in different places. But
5:20
no, this is lovely, I'm very happy with
5:22
this. Hmm. Soft Tortilla, who's happy
5:24
to be here. I don't need to
5:27
self-ingratiatingly. You have that much Guinness. Self-ingratiating,
5:30
read all that out. Anyway, so, back
5:32
to business. As you may remember from
5:35
last week, I had an unfortunate
5:37
phishing-related incident,
5:39
and I'm going to talk about
5:41
the phishing-related stuff more in a
5:43
moment, because a few other things
5:45
have come out since then. But
5:47
one of the things that came
5:49
out as a result of the
5:51
phishing-related incident was to have a
5:54
new sponsor on board, which is
5:56
Malwarebytes. Malwarebytes Browser
5:58
Guard in particular, because it
6:00
helps not end up like I
6:02
ended up the other day. One
6:04
of the great strengths of Browser
6:06
Guard is blocking phishing attacks. Blocking
6:08
phishing, blocking ad scams and trackers and
6:11
safer browsing for all. Now, one of
6:13
the, I guess, the joys of blocking
6:15
a lot of the sort of stuff
6:17
that Browser Guard blocks. I was just
6:20
reading through their website before I
6:22
started this. I was waiting for
6:24
my Guinness. And it's all the
6:26
sorts of stuff that any of
6:28
you have been running ad blockers
6:30
or Pi-holes or things of
6:32
that for a while. The amount
6:35
of rubbish that gets added into
6:37
your browser session, that's not just
6:39
tracking, potentially phishing, but even speed.
6:41
And it's really wild if you go
6:43
somewhere and don't run your ad blocker.
6:45
And you see how different it looks.
6:47
I know when we left Australia the
6:49
other day, Shah, I was like, you
6:52
see how many ads we get when
6:54
we're over here? everything gets blocked. So
6:56
go and check out Malwarebytes
6:58
and Browser Guard. Their timing
7:00
is impeccable with this phishing-related incident
7:02
the other day. So big thanks
7:05
to them and doing it you
7:07
know that it can just be
7:09
the smallest little thing that you
7:11
fall for that results in a
7:13
phish that can have the biggest
7:15
impact. That's probably a nice segue
7:17
into this topic. I love it
7:20
when a sponsor lines up really
7:22
well with content. Let's talk a
7:24
little bit more about my Mailchimp
7:26
incident. Scott's there, hey Scott.
7:28
Those of you who may recall, Scott was
7:30
there, just after it happened, he
7:32
saw the look on my face.
7:34
I fell for a Mailchimp phish. I
7:37
had not only my credentials phished
7:39
because I copied and pasted them
7:41
into a browser window because I
7:43
thought it was just a different
7:45
URL to authenticate to the legitimate
7:47
Mailchimp service, but I had my...
7:49
One-time password also phished because
7:52
I copied and pasted that
7:54
Now I talked about that at length
7:56
last week if it's all news
7:58
Go and watch it We're now, when
8:00
was it Scott, it's Tuesday morning,
8:03
wasn't it? So we're now like
8:05
10 days since I got phished.
8:07
And I've learned a few different
8:09
things. So one is that that
8:11
Mailchimp phishing campaign went to
8:13
many different parties. Which is
8:15
one of the interesting things.
8:18
I have had direct conversation
8:20
with a couple of those parties.
8:22
One of those parties. who I won't
8:24
know, won't name, but they have
8:26
sent disclosure notices, but if someone
8:28
disclosed the nature of the discussion
8:31
I had with them, did get
8:33
phished for a substantially larger number
8:35
of unique email addresses than mine,
8:37
which is not surprising because mine
8:39
is just a little personal blog
8:41
and there are genuine businesses out
8:43
there building products. Now what
8:45
was interesting with that phish, and I'm
8:48
yet to reply to Mailchimp, but if
8:50
you're listening to this, the email was
8:52
coming. In that incident,
8:54
and also in the other incident
8:56
where someone received the phish but
8:59
didn't fall for it, so the three
9:01
different cases I know of,
9:03
successful one of my own successful
9:05
case, every one of those, there's
9:07
an email address that the phisher
9:09
person probably shouldn't have had. And
9:12
what I mean by that is
9:14
it wasn't an obvious one, it
9:16
wasn't something where they... had a
9:18
high likelihood of knowing it to
9:20
begin with, number one. Number two,
9:23
it was also effectively just the
9:25
one email that went bam, straight
9:27
to that person. And number three,
9:30
it wasn't someone else at the
9:32
organization that received the same phishing
9:34
emails. And I have a
9:36
mounting probability, or I think there's
9:38
a mounting probability, that
9:40
Mailchimp themselves got their
9:42
list taken from somewhere.
9:44
I have asked that question directly before I had
9:47
this additional information and they seem to think
9:49
that was not the case outside of the
9:51
known incident from a few years ago. If
9:53
you're listening to this and you have received
9:55
a Mailchimp phish, whether you fell for
9:57
it or not, I would really really like
9:59
to know. Now further
10:01
to that and I haven't shared
10:03
this yet, but there's been
10:06
some interesting research here
10:08
I want to Touch on
10:10
because this This does relate
10:12
to what we're talking about
10:14
Where are we here? I
10:16
saw on the news There's
10:18
an alleged database of SendGrid
10:20
available, 850,000 customers, which
10:22
would also be me wouldn't
10:24
that be freaking ironic? I
10:26
get fished My data gets leaks
10:29
I got... let's say
10:31
allegedly got phished, definitely
10:33
got phished, allegedly, because I
10:35
think that email address of the
10:37
time somewhere on the Mailchimp side
10:40
of things successfully got phished, my
10:42
data got leaked. I of course
10:44
I know exactly what data was
10:46
got leaked so I what was
10:48
got leaked with that much Guinness
10:50
in. I know exactly what data
10:52
was leaked, so I put it in
10:54
HIBP. And then to make it
10:57
perhaps even more ironic. Now
10:59
we've got SendGrid allegedly breached
11:01
and allegedly for sale, whether
11:04
or not they were breached or not, we'll
11:06
have to see. And holy crap,
11:08
I've just actually clicked on
11:10
that tweet. The number of
11:12
fields that are in here,
11:14
allegedly. Route domain, location on
11:16
site, technology spend, sales revenue,
11:18
social, SCU, company, vertical. I
11:20
am two lines out of,
11:23
I reckon about 40 lines,
11:25
into reading the fields, and
11:27
they just go on. It's
11:29
a field called HCPS. It's
11:31
a field called third-party facades.
11:33
A field called HMLL Lang
11:35
Valour, it just goes on
11:37
and on and on and on. This
11:40
is from Dark Web Informer
11:42
on X. This data is for sale.
11:45
Apparently, 850,000 customers, for $2,000
11:47
which sounds cheap with this
11:49
amount of data. Now the
11:51
irony bit of it is
11:53
if this is legitimate then I'm
11:55
in there because we use SendGrid
11:57
for Have I Been Pwned. So
12:00
that would suck if I'm in there again.
12:02
Do they say passwords are in
12:04
there because that's always a bit
12:06
of a bit of a giveaway.
12:09
Has this been like scraped or
12:11
exported? I doubt scraped or I
12:13
think anywhere would expose that, but
12:15
has it been exported from a
12:17
web admin which would not typically
12:20
export passwords? Is that possible?
12:22
I don't know. Anyway, so back on
12:24
topic. This was written up. I'm
12:26
going to get my names right here.
12:28
Where is the story here? Here
12:31
we go from Silent Push.
12:33
So I have had a bit
12:35
of a chat with Silent
12:37
Push offline. They wrote a
12:39
write-up attributing the
12:41
phishing campaign to Scattered
12:44
Spider, which is a,
12:46
I guess, a well-organized group
12:48
with some runs on the
12:50
board, including me. I saw that write
12:53
up last week. I've put that
12:55
in one of the updates. on
12:57
the blog post, this update has
12:59
come through literally just overnight, our
13:02
time, and this also links in
13:04
the mail chimp, sorry, the send
13:06
grid situation as well. And effectively,
13:09
what's the, we need a little TL;DR,
13:11
the top guys, key findings. So
13:13
Silent Push threat analysts are sharing
13:15
our discoveries related to a
13:17
cryptocurrency and bulk email provider
13:20
phishing campaign, targeting enterprise
13:22
organizations and VIP individuals. I
13:24
guess, outside the cryptocurrency industry.
13:26
Along with the supply chain,
13:28
it's not really the thing
13:30
you wanted to be associated
13:32
with. I was important enough
13:34
to get phished. I still
13:36
don't think it was, anyway,
13:38
the only thing was targeted.
13:41
It goes on, targeted crypto
13:43
companies include coinbase and ledger, and
13:45
targeted CRM and bulk email providers
13:47
include Mailchimp, SendGrid, HubSpot,
13:49
Mailgun, and Zoho. I've got
13:51
a Mailgun account somewhere too.
13:54
I probably shouldn't say that
13:56
I'll get phished again. So
13:58
they are referring to this, is this
14:00
initiative, yes, initiative campaign
14:02
as PoisonSeed. We're
14:05
classifying PoisonSeed distinctly
14:07
from two loosely aligned
14:09
threat actors Scattered Spider
14:11
and CryptoChameleon. This feels like it
14:13
should be the title of a
14:16
song, CryptoChameleon. Both of which
14:18
are associated with The Com, which
14:20
is a particularly... unpleasant collective of
14:22
folks who've done some really really
14:25
kind of nasty stuff if
14:27
you read up about it. I
14:29
haven't read this story yet because
14:31
I got it just as we were
14:33
driving today. What is actually in
14:36
here? It's a detailed write-up. The
14:38
first one is a very detailed
14:40
write-up too. A little bit of
14:42
stuff in here about me and Mailchimp
14:44
which is fine. We're all here to
14:47
learn from my misfortune. Have
14:49
a read of this. I'm going to...
14:51
Absorb this in-depth over
14:53
Guinness later. Well, there's
14:55
a lot of detail here. I guess
14:57
my feeling is that most of
14:59
this seems to ultimately
15:02
lead to crypto-related spam. And
15:04
most of it is
15:06
not particularly sophisticated
15:09
albeit well executed.
15:11
When I think about the
15:13
incident against me, I feel
15:15
like that's a fair summary.
15:17
It's a phishing page. It's
15:20
not particularly complex to make
15:22
a phishing page. It wasn't
15:24
exactly sophisticated. It was, as
15:26
I've said before, just the
15:28
right level of urgency without
15:30
alarmism, which would have set off
15:33
my alarms, thinking that this was a
15:35
weird one. So I feel like they
15:37
just, they just handed to them. They
15:39
just did a really, really good job
15:42
of this phishing campaign. So since then,
15:44
I've had many discussions with organizations in
15:46
very positive ways. including ironically the NCSC
15:49
who I was meeting the day before
15:51
where we were talking about passkeys
15:53
and then I got phished for the
15:56
passkeys and we continued that chat
15:58
a little bit later. I think earlier
16:00
this week, and I was like, hey, you
16:03
know how we're looking for a good example
16:05
of demonstrating the value of passkeys? Well,
16:07
I just wanted to help, it wasn't
16:09
deliberate, but we now have really
16:11
good material. So one of the
16:13
things I am on a little
16:16
bit of a rampage with now
16:18
is having non-phishable second-factor authentication. And
16:20
I've always known this was valuable.
16:22
It's obviously much more personal now.
16:25
And really we're talking about either
16:27
passkeys or physical U2F keys.
16:29
Having OTPs generated by an authenticator
16:31
app or an SMS are very
16:34
phishable and very very trivially circumvented
16:36
as a security control. I
16:38
have been writing this blog post which
16:40
I had thought I might have done
16:42
before today, which is passkeys for
16:44
normal people. It is taking longer
16:47
than expected, partly because of travel,
16:49
but partly because... It is very
16:51
hard to write something for normal
16:53
people without it seeming like a
16:56
complete clutch. And I'll give you
16:58
a good example. So I start out
17:00
by saying, ironically, literally minutes
17:03
before I got phished, I was looking
17:05
at a WhatsApp message from WhatsApp themselves,
17:07
encouraging me to turn on passkeys.
17:09
And I'd already planned to write this
17:12
blog post. I was talking about it
17:14
literally the day before at the NCSC.
17:16
I'll park this. I'll write it when
17:19
I have time. So when I
17:21
started writing, I said, okay, let's
17:23
do the WhatsApp thing. Pretty trivial.
17:25
Not entirely clear to me where
17:28
I'll actually use it for
17:30
authentication because WhatsApp normally sends
17:32
you an SMS or you
17:34
pair another existing authenticated device.
17:36
And I thought, well, let's
17:38
do something that most people
17:40
understand. And I was looking at passkeys.directory.
17:42
It's provided by 1Password.
17:44
Obviously, we've got a
17:46
long-standing relationship with them. We are also
17:49
discussing about how we can do more
17:51
stuff with passkeys as well, and
17:53
particularly push their usefulness. And I'm looking
17:55
at passkeys.directory, and I'll fire it
17:57
up on the iPad just so we can talk.
18:00
through this together. It's a very
18:02
very nicely built little website, shows
18:04
all these websites that support passkeys,
18:06
as well as another tab
18:08
which says vote for passkey
18:10
support. So it's all these websites
18:12
that don't support passkeys but
18:14
people would like to have them.
18:17
This is going to be a really
18:19
good source of data for me to
18:21
do whynopasskeys.com. Because I
18:23
want to take that list of sites
18:25
that don't have it, split them by
18:28
country, rank them. And then we'll put
18:30
a little bit of heat on
18:32
these organizations on a per country
18:34
basis to say, why don't you
18:36
have passkeys yet? Anywho. So
18:38
I'm looking through the list of who
18:40
has passkeys. And the obvious big
18:43
one out there that most people will
18:45
recognize and understand that isn't
18:48
either a smaller entity or
18:50
something that's very sort
18:52
of tech-centric is LinkedIn.
18:54
So I will add to my blog
18:56
post, the next bit here will be
18:58
LinkedIn. So let's talk about how
19:00
to turn on passkeys in LinkedIn.
19:03
And I go through and I'm
19:05
screen capping it all and I've
19:07
turned on the passkey. I
19:09
said, all right, this is good,
19:12
this looks really good. Now
19:14
how do I replace the
19:16
soft authenticator OTPs with the
19:19
passkeys as a second
19:21
factor? Now here's the answer.
19:23
You can use a passkey
19:25
to sign in and solely a
19:27
passkey. Or you can use a
19:29
password to sign in. And if you use
19:31
a password, of course you need a
19:33
second factor because, well we know why,
19:36
if you choose a second factor
19:38
you can choose from either
19:40
soft authenticator or SMS. So
19:42
it just blows my mind because
19:44
I've done all the plumbing and all
19:47
the mechanics to implement passkeys,
19:49
but purely as a usability feature
19:51
to sign in and not as
19:54
a security feature, which means. You
19:56
still have to have a password. You
19:58
still have to have... a soft authenticator
20:01
or an SMS OTP, so
20:03
you can have a downgrade attack. If
20:05
someone can convince you to enter
20:07
those weak credentials, credentials being the
20:10
email address, the password and the
20:12
OTP, if someone can convince you
20:14
to enter them into a phishing
20:16
page, then they're in your LinkedIn.
20:18
That would have been frankly so much
20:20
worse for me if someone was
20:23
into my LinkedIn because I've got
20:25
so many messages with people. There
20:27
are messages in there about... Business deals
20:29
we've done, or data breaches that have
20:32
been disclosed, or meetings that I've had
20:34
with people in person, it would be
20:36
a nightmare. So I'm having to write
20:39
this up and go, you know, here's
20:41
how to turn it on. By the
20:43
way, it actually won't do anything for
20:46
you, on LinkedIn, other than
20:48
make your life easier to authenticate.
20:50
And one of the things that
20:52
1Password does with passkeys.directory,
20:54
is if you have a look,
20:56
they've got three columns there, name,
20:58
name, name, and then supported and
21:00
then category. So for example
21:03
under Adobe what's supported
21:05
sign-in and as you keep flicking
21:07
down it's like sign-in, sign-in, sign-in,
21:09
sign-in and sign-in and one
21:11
in about probably 20 different sites
21:14
that implement passkeys supports
21:16
it for MFA. Now it's not
21:18
immediately clear to me if all
21:20
of these ones where it's supported
21:22
for sign-in you can actually get rid
21:25
of the password altogether altogether.
21:27
Which would be fine? There's a
21:29
problem. We'll come back to it. But
21:31
it would be fine. It would be much
21:34
better, in my view, than having a
21:36
username and a password and an
21:38
OTP as a second factor. So
21:40
it's fascinating, as you try and explain
21:43
passkeys to normal people, how
21:45
we not only have to explain
21:47
the mechanics of what it is,
21:49
and I think I've effectively referred to
21:51
it as a digital file which is
21:54
stored and synced and synced. You know,
21:56
like all the cryptography stuff in the
21:58
FIDO bits and everything is... is
22:00
not what normal people, normal
22:02
people, normal people, would
22:05
actually use, or what normal
22:07
people need to understand. So
22:09
that's part of the problem. Then
22:12
of course part of the problem
22:14
is a little bit like passwords,
22:16
in fact I've explained it like
22:18
passwords, so do you know how
22:20
when you go to a website?
22:23
Different websites have different password complexity
22:25
criteria, where sometimes it needs to
22:27
be six characters, sometimes it's got
22:29
to be eight, sometimes it's got to
22:31
be an upper case. Well, the way that
22:33
you implement a passkey is very similar, because
22:36
sometimes it's in the security settings, sometimes in
22:38
the profile settings. Sometimes you have to prove
22:40
control of your email address first. Sometimes you
22:42
have to enter your password first. The
22:45
experience is always different. And it
22:47
is extraordinarily hard to create a
22:49
compelling... story for normal people that
22:52
they can absorb and action. Which
22:54
is kind of wild. Geez just
22:56
looking through this list the
22:58
number of... What's really? Especially
23:00
interesting is to look at
23:02
the tab About the sites that
23:04
don't support it. Now what I
23:07
like about the way 1Password's
23:09
done this is you can vote.
23:11
Now you don't have to authenticate
23:13
or anything either Which does make
23:15
me wonder if anyone's been
23:18
gaming? That number one service,
23:20
which doesn't support passkeys,
23:22
and is the highest voted one,
23:24
is Steam. But Netflix is
23:27
after that. So here's the...
23:29
Actually, it's quite funny. Number
23:32
one, remember, this is the one
23:34
1Password list of services that
23:36
do not support passkeys.
23:39
Number one is Steam. Number
23:41
two is Netflix. Number two
23:43
is Disney. It's
23:46
more of an optics
23:48
thing, you know. There
23:50
are many other mitigating
23:53
security controls
23:56
around 1Password.
23:58
Yeah, for example,
24:00
you need to have the secret key.
24:02
The secret key goes beyond just the
24:05
email address and the password and the
24:07
second factor. But yeah, maybe the optics
24:09
guys, like maybe adding, because you can
24:11
do 2FA with your 1Password account, you
24:13
can do 2FA with an OTP, we
24:15
know the problem with that, so maybe
24:17
adding passkey support would be good. Interestingly,
24:19
after that, Signal, Instagram, Reddit, ChatGPT,
24:21
Proton Mail, Proton Mail, sounds
24:23
like an obvious one, because
24:25
they're so privacy-centric, because they're
24:27
so privacy-centric. So, there's loads
24:30
and loads and loads of things in
24:32
here that we'd like to see better
24:34
support for passkeys. And I think
24:36
the way we've got to look at
24:38
this is this is a very early
24:40
time using what, by all accounts,
24:42
is the successor to the
24:45
password. And I have no problem
24:47
with using your passkey for
24:49
authentication. But because of such an early
24:52
time, we're missing continuity,
24:54
we're missing consistency, and
24:56
we're missing... that I guess
24:58
that the heart of
25:00
what makes it so
25:03
important being a non-phishable
25:05
second factor which is
25:07
not having the phishing
25:09
phishable second factor
25:11
still there so I don't know
25:14
what do you keep doing so
25:16
if we go it's a good
25:18
time to be in the
25:20
industry let's look at the
25:23
comments. Um, Richard's here. There, Richard.
25:25
Yeah you didn't see Richard at
25:27
Summit. You must do that. You
25:30
know Soft Tortilla says I love
25:32
using Google's advanced protection to protect
25:34
all my devices with passkeys.
25:36
I wrote a blog post several
25:39
years ago about two-factor and
25:41
also just I mentioned something
25:43
before I want to come back to. When
25:46
I was tweeting some of
25:48
this stuff or talking about, or whatever we
25:50
call the different social things now. At one
25:52
point in time, I was talking about passkeys
25:54
and 1Password and someone sort of
25:56
said, well if you save your passkey
25:58
in 1Password, it's no longer 2FA, because
26:00
everything is on the one device. And
26:02
if you know how to unlock the
26:04
device, well then that's just something you
26:07
know. Or if you know the credentials
26:09
to restore it from 1Password's
26:11
cloud. And I think there is
26:13
noise that we get lost
26:15
in, which is the semantic
26:17
definition of the technology. We
26:19
keep saying two-FA, MFA, two-step,
26:21
two-step, multi-step. Let's stop
26:24
worrying about these things. A lot of
26:26
people have argued for a long time,
26:28
well, if your Authenticator app is on
26:30
your mobile device, then it's not 2FA.
26:33
It really needs to be a separate
26:35
thing because if you can restore it
26:37
from somewhere else, then you don't necessarily
26:39
have to have the device. Therefore, it's
26:41
not proper 2FA. So, okay, I understand
26:44
what you mean, but... It sounds like a
26:46
very academic argument. Let's talk about what
26:48
that means in practice. It means that
26:51
if someone can, for example, restore from
26:53
your iCloud account, then you've got a
26:55
massive problem. And so long as they
26:57
can then, in the case of 1Password,
27:00
have your master password and get
27:02
into the keychain. So what's the
27:04
risk and the controls that are around that?
27:06
Different story. So I just think we get
27:09
a little bit too caught up in, is
27:11
this genuinely MFA or not? or
27:14
2FA, or multi-step. Ah, it's definitely
27:16
multi-step, let's agree on that. I
27:18
must see other comments here. Stefan
27:21
says, 1Password has passkey
27:23
support, but it's in preview. Okay,
27:26
well then at least that signals
27:28
what's coming, right? Phil Rossman is
27:30
in West Virginia. On my way
27:33
to Amsterdam tomorrow. Love what you
27:35
do, Troy. Thanks, man. Amsterdam's cool
27:37
too. Really, really, really good fun.
27:39
I lived in the Netherlands for
27:41
two years. I enjoy it. Cool
27:43
people. Find a windmill, get a
27:45
beer, relax. Scott says, do we
27:48
have any concern about the
27:50
scenario where passkeys aren't
27:52
supported by the client? And I've
27:54
thought about this as well. This
27:56
is where it gets super super
27:58
messy because very... very often, let's
28:01
say the client is a TV, and
28:03
it's some, let's just say it
28:05
is a smart TV, and you've
28:07
turned on passkeys for Netflix,
28:09
and then, well, Netflix is one of
28:11
the highest requested ones for passkeys,
28:14
you've turned on passkeys,
28:16
but then the client on the
28:18
TV doesn't support it. there are
28:20
implementations where a QR code can
28:22
be shown and then you use
28:24
a device that does have the
28:26
passkey synced to scan the
28:28
QR code. Now try explaining that
28:30
to the normies, right? Like now, now
28:33
it's a really, I said it
28:35
again didn't know, try explaining that
28:37
to the normal people because now
28:39
it gets really really hard to
28:41
throw in yet another spanner into
28:44
the works about explaining why you
28:46
need passkeys. Let's
28:48
imagine Netflix starts supporting it. And
28:51
there are so many account takeover
28:53
attacks on Netflix, it's nuts. Going
28:55
to X and search for Netflix
28:57
hacked. I've done this in public
28:59
talks before because it's just really
29:01
fun to see the responses. And
29:04
when I say fun, it's sad. But what's fun
29:06
about it is that when you search
29:08
for Netflix, just do it. I haven't
29:10
done this for quite a while.
29:12
Let's go to X now. Netflix
29:15
hacked. So many of the results
29:17
have been around things like, help,
29:19
someone hacked my Netflix and
29:22
now everything's in Portuguese. What
29:24
else is on here? There's
29:27
actually some stuff about
29:29
people being hacked on Netflix,
29:31
which does conflate the results.
29:33
Here you go, this person
29:36
here. In Ireland, only a few
29:38
days ago, someone hacked my Netflix
29:40
account. And I keep losing access
29:42
to it. Now do you think someone
29:44
hacked Netflix? Or do you think
29:46
Joan has a dog with the same name
29:49
as someone else's and was born
29:51
in the same year? What are
29:53
the chances? It's happened five times in
29:55
10 days. Now I wanted
29:57
to complain. Netflix had no
29:59
complaint procedure. They just say
30:02
they'll escalate as feedback. Maybe
30:04
get a password manager
30:06
but don't install passkeys because
30:08
you can't use passkeys on
30:11
Netflix and even if you could
30:13
maybe your TV wouldn't
30:15
support it. Joan is a normal
30:17
person which makes it very
30:20
hard to explain all this.
30:22
Hmm. Oh there's just so much stuff
30:24
on here. All right so yes that
30:26
is that is a problem. What
30:29
else we got here? Scott says,
30:32
we've had pretty good support across
30:34
mainstream browsers since early 2024, but
30:36
we know that people suck at
30:38
updating stuff. Yeah, at least mainstream
30:41
browsers these days will auto update.
30:43
Remember the days when you
30:45
had to manually update your browser
30:47
and particularly those of us working
30:49
in any sort of web development
30:51
and you had to go and
30:53
test everything. Oh my God, I'm
30:56
glad that's a memory already.
30:58
Now I've just got to
31:00
point out passkeys.dev slash
31:02
device-support. What's on
31:04
passkeys.dev? Who runs that? I
31:06
have seen this the other day. Okay,
31:08
so yeah, good run down
31:11
here on passkeys.dev about
31:13
the device support from
31:15
different devices for
31:17
passkeys, and most things
31:19
just eyeballing it. I've got
31:21
green ticks for certainly all
31:23
the basic capabilities,
31:25
which is good. passkeys.dev:
31:28
Hello, passkeys. Goodbye,
31:30
passwords. Get started. Passkeys
31:33
are: intuitive! I mean a lot
31:35
of this is good.
31:37
They're automatically unique, they're
31:39
breach resistant, they're phishing
31:42
resistant, I love this
31:44
but intuitive. Creating and
31:47
using passkeys is as
31:49
simple as consenting to save
31:51
and use them. No having to
31:54
create a password. Unless you're
31:56
creating a passkey on
31:58
LinkedIn. I will spend more
32:00
time reading this. I often tend to
32:03
just like start writing based on what
32:05
I know and then I research and
32:07
then I rewrite some stuff and I
32:09
fill in the gaps. Scott says TV
32:11
example is fair and I agree they
32:14
should find alternative solution but what about
32:16
corporate devices but corporate devices in terms
32:18
of like corporate laptops or corporate
32:20
mobile devices I mean we've got
32:22
support across all of those. So
32:24
at least in a corporate environment
32:27
I often said this when some of
32:29
you know you're as Scott and I
32:31
do, you do a workshop or an
32:33
internal talk or something and someone will
32:35
go, you know, what about password managers
32:38
for our, encouraging our password managers or
32:40
our employees to use password managers
32:42
or what about rolling out
32:44
security keys? And so, well, you own
32:46
their assets, so really it's up to
32:49
you. What's a little bit different as
32:51
if you're, let's say you are LinkedIn
32:53
and you have normal everyday consumers, you've
32:56
got to be cautious not to create...
32:58
barriers to entry that might keep your
33:00
customers out. But if you're a
33:02
corporate and you mandate the use
33:04
of passkeys or universal two-factor
33:06
keys or whatever OATH method you
33:08
want, then so long as you
33:10
provide the equipment for everybody, which
33:13
of course may have a cost, then
33:15
they just have to do what you
33:17
say, which is advantageous. Scott says
33:19
corporate, things that aren't updated regularly
33:21
properly. Yeah, or they're different
33:23
problems. But I think for
33:25
the most part, the corporate
33:27
stuff where we would apply
33:30
passwords is going to be
33:32
my passkeys is going
33:34
to be mobile devices and
33:36
operating systems and PCs and
33:38
I guess it depends on how far
33:40
back you go doesn't it in terms
33:42
of whether they support. Scott says
33:45
I just know 2FA
34:47
lookouts are a huge support burden
34:49
on Report URI and passkeys,
34:51
so I think when he
34:53
said lookouts, I mean that
33:56
does say lockouts. I have another
33:58
Guinness Troy. So Scott
34:00
knows, after spending all these
34:02
decades looking at a PC, my
34:05
eyes are not great at the
34:07
moment. And passkeys scare me
34:09
as a more complex thing and
34:11
therefore a heavier burden. Yeah, that's
34:13
part of the problem because on
34:15
Report URI, 2FA is supported, 2FA
34:18
can be done with an
34:20
OTP authenticator app. The irony,
34:22
which Scott and I have discussed many
34:24
times before, the irony of
34:26
this model is people go to
34:28
Report URI, they create an account,
34:31
and then they set up two-factor,
34:33
multi-factor, multi-factor, multi-factor, whatever we want
34:35
to call it, with a soft
34:38
token, on the basis of telling
34:40
Scott, hey look, if someone comes
34:42
back later on, they have the
34:45
right email address and the right
34:47
password, but they don't have the
34:50
token, don't have the token, don't
34:52
let them in. And then they
34:54
lose their token, because they've got
34:57
just going on. Now we have
34:59
to fall back to manual human
35:01
support tickets and verification, which
35:03
then burdens Scott. So everyone
35:06
says passkey support on things
35:08
like TV? Can it display a QR code?
35:10
Did you leave the room while we were
35:13
talking about this? We just had
35:15
this discussion. You can then scan
35:18
with the device. Yep. That's
35:20
exactly what I said. I agree
35:22
with you, Stephen. Good stuff, mate.
35:24
All right. I miss you
35:26
guys. Let's move on to something
35:29
else. Also related
35:31
to Stefan. So we spent
35:33
a lot of time in Iceland
35:35
earlier this week with Stefan.
35:38
Also with Ingeber. So Ingeber
35:40
is a guy in Iceland
35:42
who is doing the web
35:44
front end for the Have I
35:46
Been Pwned UX rebuild.
35:48
If everyone would like to see
35:51
how this is going, if you
35:53
go to... preview.haveibeenpwned.com,
35:55
you will see a static
35:57
HTML website which is the new brand.
35:59
And all in Bootstrap with a very
36:02
nice visual style, I think. It is
36:04
all static. There is a little bit
36:06
of JavaScript to make things feel
36:08
like they're a bit dynamic, but
36:10
nothing is posting to the server,
36:13
pulling back from server. So Ingeber
36:15
has been doing this front end.
36:17
And one of the big things
36:19
that Stefan and Charlotte and I
36:21
did, particularly over Tuesday, wasn't it,
36:23
mate, is we went through and
36:25
listed every single screen that we
36:28
want to migrate over from the
36:30
old site to the new site and
36:32
we have put them all in as
36:34
issues. So if you go to github.com,
36:36
forward slash haveibeenpwned, forward
36:38
slash ux-rebuild, you will see
36:40
an issue for every single screen that
36:42
needs to be built. What you won't
36:44
see is we've created a
36:46
project under that organizational account
36:48
on GitHub to prioritize
36:51
everything, give the work to
36:53
Ingeber. But a couple of things sort
36:55
of dawned on us while we were there
36:57
in terms of how we can make this
36:59
better and a lot of this centers around
37:02
the concept of a dashboard. So Have I
37:04
Been Pwned as we know it at the moment:
37:06
You go to the front page, you put in
37:08
an email address, you do the search and you
37:10
get results. And then there are
37:12
places where you need to be
37:15
effectively authenticated first. I say effectively
37:17
because we do magic links, which
37:19
are not actually magic, they're just
37:21
unique links that get sent by
37:24
our email, you click on the
37:26
link and then you're logged in. We
37:28
do that when you want to purchase
37:31
or manage an API key, we also
37:33
do that when you want to do
37:35
domain searches or purchase a subscription for
37:37
that, and then we also do that
37:40
when you want to sign up for
37:42
notifications, and then we piggy back off
37:44
the notifications thing in order to do
37:47
searches for sensitive email address. And we're
37:49
going to roll all that stuff up
37:51
into a concept called Dashboard.
37:54
So everybody will have a
37:56
personal dashboard. And you'll see
37:58
that already in the UI. Actually,
38:01
because I'm not lying here, that
38:03
isn't that one. Yep, top right
38:05
is a big button says dashboard.
38:07
And then when you go into
38:09
your dashboard, I think Ingeber is
38:11
probably even link that in. Verify
38:13
your identity. You'll verify
38:15
your control email address and
38:17
then you'll have a couple of brand
38:19
new pages. Now one of them is
38:22
going to be a personal dashboard summary.
38:24
Now I think we put this in
38:26
here somewhere: dashboard page, API documentation, that's
38:28
in his summer in the list. But
38:30
the idea of this is to try
38:33
and give people a summary for them
38:35
that covers the sensitive data breaches,
38:37
covers the stealer logs, covers things
38:39
that we may add later on,
38:41
which are specific to the individual
38:43
that require identity verification first. So
38:45
you'll be able to whack your
38:47
email address in there, go to
38:49
that page, see that, and then
38:51
we'll be able to do things
38:54
like some aggregated rollups. How many times
38:56
have you had your email address
38:58
exposed? How many times is
39:00
your password been exposed? Your date
39:02
of birth. Let's build a picture
39:04
of what that exposure looks like.
39:07
Now we're building all of this
39:09
in the public domain. She'll
39:11
see the other. She's like, what
39:13
if another company sees that and
39:15
they steal the idea and they do
39:17
it? And we were kind of like, well...
39:19
That's good, because we think it's
39:21
a good idea. Maybe other people
39:24
can then do the same thing.
39:26
Also, once we make it live,
39:28
anyway, people can do it. So,
39:30
we are targeting, at the moment,
39:32
what do we say, Stefan, May
39:34
17, I think to go live, which
39:36
is a weekend. So, we've got
39:39
about five, six weeks, to go
39:41
before we want to have this
39:43
live. There will be the personal
39:45
dashboard page. We will also have
39:47
a personal search page which will
39:49
show you things like sensitive data
39:52
breaches. It will show you if
39:54
you have chosen the opt-out mechanism
39:56
which hides your results publicly but
39:58
still keeps on having... Just a
40:00
bunch of other stuff that we're
40:02
building in the public domain
40:04
because we really want feedback
40:06
from people. And we have had
40:09
lots of good feedback, we've had
40:11
some really good issues raised,
40:13
and they're little things which
40:15
just perfectly tap into the OCD
40:18
side of my brain. And I'll
40:20
give you a good example of
40:22
this. If you go to preview.haveibeenpwned.com.
40:25
And you'll see there's a
40:27
search box just like on the front
40:29
page. And that says email
40:31
address and the search box is
40:33
quite wide and the check button
40:35
is inside the search box. Now
40:38
both the check button and the
40:40
search box have a radius on
40:43
the corners. They've got rounded corners,
40:45
which looks lovely. And someone must
40:47
have just like super zoomed in
40:50
and said, because the radius
40:52
of the check button is the same
40:54
as the surrounding box, yet there's padding
40:57
on it, and it sits inside, it
40:59
looks weird and you need to make
41:01
the radius of the corners on the
41:03
check button tighter than the radius on
41:06
the surrounding box. I was like, holy shit
41:08
he's right. Like we had screwed that up
41:10
and I know that that's a minor
41:12
thing but we've had other feedback around
41:14
things like a lack of contrast on
41:17
some icons which is really important because
41:19
that's going to be the sort of
41:21
thing that there are some people
41:23
who might have for example visual impairments
41:25
that will pick that up where the
41:27
rest of us won't. So we really
41:29
want that we really want more
41:32
feedback on How should these features
41:34
work? You know if we're going
41:36
to have a dedicated like personal
41:39
overview dashboard page? What else should
41:41
we put on there? Like there's
41:43
probably other stuff that we can
41:45
now do that we've just never
41:47
thought of before And I'd really
41:50
like to see that All right, look
41:52
at these comments Steve and I
41:54
bought some YubiKeys two years ago
41:56
But honestly don't understand when they
41:58
really should get used because everyone still
42:01
uses passwords or forces me to
42:03
use my phone when it's low. Well,
42:05
I actually just reminded me, I
42:07
was going to say earlier on
42:09
someone mentioned Google Advanced Protection. So
42:12
I wrote this blog post about the
42:14
sort of the hierarchy of 2FA.
42:16
I feel it was early COVID time,
42:18
so maybe five years ago. And I
42:21
wrote specifically about Google Advanced Protection
42:23
because it's a really really solid implementation
42:25
where you can use physical U2F
42:27
keys as the second factor exclusively. So
42:29
if you turn on all of
42:31
the Google Advanced Protection knobs you
42:33
will have to be able to
42:36
authenticate yourself with the username password
42:38
security key and I feel there
42:40
are one or two other checks
42:42
and probably things that aren't immediately
42:44
obvious to us there as well. But
42:46
where we're ultimately going to end
42:48
up is... no 2FA, phishable
42:51
OTPs, passkeys, physical tokens. Yeah,
42:53
these four sort of different options.
42:55
We know I don't want the first
42:57
one because that's crap, that's no
42:59
2FA. We know the problem
43:02
with the second one, that's Troy
43:04
getting his Mailchimp list pwned. So,
43:06
passkeys and physical keys, where
43:08
are we left? And this is
43:10
probably going to be a good
43:12
blog post in and of itself.
43:14
But to me, the answer can
43:17
be answered in or rather... The
43:19
question can be looked at in
43:21
two different ways. One is the
43:23
prevalence with which the second factor
43:25
gets requested. If you are being
43:27
asked for something every day and
43:29
you need to go and find
43:31
a physical key, there's a high
43:33
usability barrier. The other is the value of
43:36
the asset being protected. Now, I'll
43:38
give you an example. If it
43:40
was something that every single day
43:42
I got challenged on and it
43:44
would be bad to get it owned,
43:46
but it would not be financially destructive
43:49
or otherwise catastrophic, I might use a
43:51
passkey. The risk being that if someone,
43:53
for example, can get into my
43:55
1Password and they can get the synced
43:58
passkey, then they can get in. If it was...
44:00
crypto and its actual money, then
44:02
I'd probably rather have the physical
44:04
security key, because that's also something
44:06
that I rarely go into. It's
44:08
rare that I have to authenticate
44:10
to my crypto wallet or, wallet
44:12
provider, of choice. So when I
44:15
do that, I don't mind a bit
44:17
of extra inconvenience, especially given the
44:19
impact of it financially if someone
44:21
else gets into the account. So
44:23
I think that's a pretty good
44:26
example of where you might look
44:28
at these two strongest forms of
44:30
authentication we have and sometimes use
44:33
one and sometimes use the other.
44:35
All right, what else is here in the
44:37
comments? Soft or Tia, I really
44:39
don't want to start authenticating
44:42
via some dangerous things device
44:44
implanted in my hand. I'm told
44:46
this is off the mark. This is
44:48
the mark of the beast. Now Scott
44:51
does everything implanted in his hand. Where
44:53
are you actually using
44:55
that these days Scott? Because Scott
44:57
got a little chip in his
45:00
hand. I haven't been seeing you.
45:02
When I see you buying coffee
45:04
with that or be impressed.
45:06
It'll be like, remember very
45:09
early on, remember very early on
45:11
if you paid with your watch.
45:13
And people at the shop are
45:15
like, wow, that's cool. I
45:17
haven't seen that people. And
45:19
now it's just like, yeah, who
45:21
cares? There's no actual
45:24
functionality there. Yes, exactly
45:26
what I just said. I said
45:28
that. We'll play it back later.
45:30
All the functionality you see on
45:32
the previous site is just emulated
45:34
for demo purposes. I did realize,
45:36
Stefan, so some of that functionality,
45:39
like what, so today, Ingeber implemented
45:41
the FAQ stuff, so what we've
45:43
done on the FAQs page, and
45:45
everyone will see this live now,
45:47
because I merged that change earlier
45:50
today, is all the FAQs collapse. And
45:52
we were looking at it the other
45:54
day and someone had raised an issue
45:56
saying because all the FAQs collapse you
45:58
can't Ctrl-F and find it on
46:01
the page because they're effectively now in hidden
46:03
divs. So Ingeber's put a little search box
46:05
across the top and then you can type
46:07
in the text and as you type in
46:10
the text it just expands anything that matches
46:12
which is a pretty neat way of doing
46:14
it. I still think you can probably bind
46:16
Ctrl-F to maybe focusing on the box as
46:18
well. Focusing on the box maybe pre-filling it
46:20
when you do the find. Can you do
46:23
that? I don't know. Any who, that's done
46:25
client side, but he's been putting the
46:27
client's side in inline script in the
46:29
source code, does that? The client's side,
46:31
he's been putting the JavaScript in inline
46:34
script in the source code. So we
46:36
need to, because we're not going to
46:38
allow unsafe-inline in our CSP,
46:40
we need to now get him to
46:42
put all that in separate JavaScript files
46:45
and just embed them in the page,
46:47
which I added that issue earlier today.
46:49
So we'll be able to sort that
46:51
out. Stephen says, and if people don't
46:54
understand, they're easy to manipulate
46:56
by scammers. This is part
46:58
of the problem. Like, because
47:01
the current landscape for
47:03
passkeys is now so complex,
47:05
later on, when people come to
47:07
use them, are they going to
47:10
be more at risk of
47:12
manipulation because they can have
47:14
concepts thrown at them, which
47:16
seem very, very unusual. I'll
47:18
rephrase that. Concepts thrown at them
47:20
that they don't understand which could
47:22
be to their disadvantage. Now you
47:24
could argue that if you do
47:26
passkeys properly, then that can't really
47:29
happen anyway because you can't phish the
47:31
passkey. But could you potentially phish
47:33
recovery information? How do you recover?
47:35
Let's say you legitimately you lose your
47:38
passkey. And again this is going
47:40
to be up to every single site
47:42
to decide how they implement it. You've
47:44
legitimately lost your passkey. You need
47:46
to get back into the service. You've
47:49
gone to some phishing page,
47:51
the phishing page effectively emulates
47:53
the recovery process. And are we
47:55
then back to square one? But
48:00
yeah, I think that's a very, very
48:02
valid point, David. We create other
48:04
risks. And the fascinating thing about
48:06
this is we're having a discussion
48:09
about the human side of security.
48:11
And there's all of this, like
48:13
you have FIDO Alliance this, and
48:15
you twift that, and it's cryptographically
48:18
signed and transmitted over security. Like
48:20
all of that is wonderful. But
48:22
then you have the meat bags. I
48:24
tell you, if you didn't like normie, you're
48:27
not going to like meatbag. But that's
48:29
all of us, right? Every single one
48:31
of us has then got to make
48:34
human decisions about our security.
48:36
And that's very easy to
48:38
break compared to breaking the
48:40
cryptographic implementations of
48:42
the things we just spoke about. Wayne:
48:45
is the dashboard page built out? Some
48:47
stuff is. So Wayne, one of the
48:49
data, and I'm going to double check
48:52
it here, one of the dashboard pages
48:54
that is built out for a large
48:56
part is the domain search page. There
48:58
are changes I think we want to
49:00
make. You'll see that raised in the
49:03
issues log. But if you go
49:05
domain search, you'll see verify new
49:07
domain. You'll see a nice little
49:09
modal and the verify options there.
49:11
If you click on Verify Now, after
49:14
you put something that passes validation
49:16
into the domain name, you will
49:18
see the one thing that has
49:20
had some of the best feedback
49:22
we've had so far, which is a
49:24
little animating icon of the new
49:27
Have I Been Pwned logo. And people,
49:29
honestly, people love that. We
49:31
have so much nice feedback about that.
49:33
What we want to do with the
49:35
domain search page, and again, you'll
49:37
see this in public issues, is...
49:39
simplify the page that lists your
49:41
domains a little bit and then
49:44
when you click on a domain rather
49:46
than just running the search straight
49:48
away give a little bit of
49:50
a summary explain some of the
49:52
high-level numbers and then allow people
49:54
to run a search that just
49:56
returns results to the browser or
49:58
JSON or Excel and probably also
50:00
add some filtering because we've
50:02
got subscribers out there
50:04
using domain search that have
50:06
got domains with hundreds of
50:08
thousands of results in them. So
50:10
I think what we need to do
50:13
is some sort of default to the
50:15
effect of by default only show me breaches
50:17
from the last 12 months or
50:19
something to that effect. So anyway
50:21
have a look at that and incidentally
50:24
anyone can chime in
50:26
on these ideas. So if you read through
50:28
there and you go... I've got a better
50:30
idea or I don't like that idea. Leave
50:32
a comment. Or make a pull request
50:35
and grab the code. Have a
50:37
play with it. Bitcoin Dev Japan
50:39
says one issue we ran into
50:41
was a weak password user had
50:43
someone hack their account and set
50:46
up passkey login and disable password
50:48
login. It was difficult to handle.
50:50
We froze our account just to
50:53
be sure. Yeah, well I mean
50:55
that's that is a problem isn't
50:57
it. You
51:01
could argue it's the same thing. You could
51:03
argue it's the same thing if someone can
51:05
log in and change the password. Now, does
51:07
a change password require a second validation
51:10
step, which is sending an email address
51:12
and you've got to confirm there? But
51:14
if you can get access to someone's
51:16
account, there are multiple different ways, with
51:18
or without a pass key, where you
51:20
can then denial of service them, back
51:22
into the account. So yeah, you're right,
51:24
that's a problem. And
51:26
as Bitcoin Dev Japan has gone on
51:29
to say, so the hacker had the
51:31
pass key. Cybersecurity is hard. It is.
51:33
That's why it's a good industry to
51:35
be. There's lots of challenges to be
51:37
solved. Stephen says it's the xkcd
51:39
comic. Super-encrypted laptop versus drug him
51:41
and use this wrench to get
51:43
the person's password. People are
51:45
always the weak point. So the comic
51:48
Stephen's talking about is that old
51:50
xkcd classic which must be
51:52
like 10 years ago or something
51:54
where... It's effectively comparing the difficulty
51:56
of the technical controls to get
51:58
someone's password versus... Let's just hit
52:01
the person over the head with
52:03
this wrench until they tell us
52:05
the password. There are probably some
52:08
parts of the world where that's how
52:10
they get passwords out of
52:12
people. Scott's found it there,
52:14
thanks mate. Rob says one
52:16
option is only breaches since
52:18
I last visited, when you're in
52:20
domain search. Then we have to
52:22
track when they last visited.
52:25
My inclination, thinking about
52:27
this totally on the
52:29
fly after most of a
52:31
Guinness is give them options
52:33
to say just show me
52:36
from the last breach because
52:38
very often people come there
52:41
every time they get to know
52:43
this so just show me the
52:45
last breach, show me the last
52:47
year, show me everything; the last
52:50
one might time out
52:52
depending on how big your domain
52:54
is The Osinam network
52:57
says tracking client side is
52:59
also an option if you're
53:01
referring to tracking Since the last
53:03
breach client side. Well, then we
53:05
effectively come back to needing to
53:07
either set a cookie on the
53:09
individual or Flag their record such
53:11
that if they when they come
53:13
back in later on we can
53:15
say this is when you're last
53:17
here. I still think those three
53:20
options possibly just defaulting to Show
53:22
me just the last breach is
53:24
probably the most logical thing And then
53:26
Stefan we've got to figure out, given
53:28
that we cache domain searches at
53:31
Cloudflare, we then need to pass those
53:33
parameters to the worker and get the
53:35
worker to filter at that point because
53:37
one thing we want to do now
53:40
compared to before, we moved as much
53:42
as we could over into Azure Functions
53:44
because we wanted it to be serverless,
53:46
which runs on servers, so it would
53:49
scale as best as possible, which means
53:51
at the moment, you do a search for
53:53
a domain and it's hitting an API which
53:55
binds to the functions,
53:57
and it's literally an
53:59
Azure Function emitting, like, inline HTML,
54:01
it's dirty, I feel dirty for having
54:04
done it. But it gave us great
54:06
scalability. And what we want to do
54:08
now is effectively just have a static
54:11
HTML, a near static HTML page, and
54:13
then we'll AJAX in client side, just
54:15
call the API endpoint, we'll return JSON,
54:17
and then we can at the cloud
54:20
for the level we can filter that
54:22
JSON down to whatever it needs to
54:24
be. So, we'll solve that; that's not a
54:27
hard problem, that one. All
54:30
right, folks, I think that's, that
54:32
actually is about it. So, hmm.
54:34
On that note, we're at, we
54:36
are now at 5 p.m., which
54:38
is officially beer o'clock
54:40
in Ireland. So I'm going
54:42
to wrap this up. We
54:44
are heading back to Australia
54:46
on Thursday next week. I'll
54:48
do this video from Australia.
54:52
on Saturday. I think it's Saturday. So
54:54
yeah, I'll be back home for then.
54:56
I'll be back home for a very
54:58
short period, but I will be home
55:00
in time to do this. So hopefully
55:02
I can go the next week without
55:04
getting more phished. I just said more
55:06
because I read Stephen's passage says Troy
55:08
needs more Guinness. Or something to that
55:10
effect. It's a really really nice spot
55:12
here. I'll try and get some photos
55:14
and post them. Probably learn my Facebook
55:16
later on. Thanks for joining folks.