troyhunt.com

My going in position when contacted was that this would be yet another case of someone unfairly misattributing a breach to an organisation based purely on what they believe to be a unique email address or password being used in a way they didn't expect. Plugging the email address in question into HIBP resulted in only a single hit: Unverified breaches are incidents where the data is legitimate (for example, people's real email addresses and passwords), but I haven't been able to confirm the legitimacy of the source. Putting aside the fact that discarding it doesn't actually make it go away (a quick search found this data still being extensively traded), historical breaches can be enormously useful in establishing the origin of subsequent breaches. This incident exemplifies that and without ready access to this data I don't know that BeerAdvocate would have established the breach, notified their customers and given them the opportunity to go and change that same one password they use across all their other accounts...

It also has some cool built-in stuff like the ability to create a new private browsing window in Tor rather than just your classic incognito window that might ditch all your cookies and browsing history but still connect to the internet directly from your own IP address. But the thing that's really caught the attention of the people I've been speaking to is Brave Rewards which is an innovative way of simultaneously eschewing traditional ads whilst still shuffling money towards content creators. It works on the basis of awarding "Basic Attention Tokens" (BAT) based on where people spend their time browsing or choose to donate. I'm continually amazed at people's willingness to give back via that page so adding the ability to take BAT donations via Brave seemed like a really good idea.

It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still a got a week to get those tickets, folks! ) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt transition of their root cert which is right up his alley. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate! )

Following successful number verification, the app fires up and asks for access to location data: Based on what I'd already read in the user manual, my location data can be used to direct me to a child wearing the watch so requesting this seems fine for that feature to function correctly. Give it a couple of hours to charge, boot it up and shortly afterwards it's showing a 3G connection: I give it a little time to sync to the TicTocTrack service then successfully find it in the app: Drilling down on Elle's profile, I get an address and GPS coordinates which are both pretty accurate: To its credit, the watch does a pretty good job of the setup and tracking process once you're past some of the earlier hurdles. I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general; a huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids I don't mean to make that sound trivial either because we're talking about a $549 outlay here which is a hell of a lot to spend on a kid's watch (plus you still need a companion iPhone), but Apple is the sort of organisation that not only puts privacy first, but makes sure they actually pay attention to their security posture too.