Bookmarked If You’re Not Paying for the Product, You Are… Possibly Just Consuming Goodwill for Free by Troy Hunt (Troy Hunt)

What gets me a bit worked up about the “you’re the product” sentiment is that it implies there’s an ulterior motive for any good deed. I’m dependent on a heap of goodwill for every single project I build and none of that makes me feel like “the product”. I use NWebsec for a bunch of my security headers. I use Cloudflare across almost every single project (they provide services to HIBP for free) and that certainly doesn’t make me a product. The footer of this blog mentions the support Ghost Pro provides me – that’s awesome, I love their work! But I don’t feel like a “product”.

Conversely, there are many things we pay for yet we remain “the product” of by the definition referred to in this post. YouTube Premium, for example, is worth every cent but do you think you cease being “the product” once you subscribe versus when you consume the service for free? Can you imagine Google, of all companies, going “yeah, nah, we don’t need to collect any data from paying subscribers, that wouldn’t be cool”. Netflix. Disqus. And pretty much everything else. Paying doesn’t make you not the product any more than not paying makes you the product, it’s just a terrible term used way too loosely and frankly, often feels insulting.

Troy Hunt makes the argument that just because you are not paying for a product, it does not necessarily follow that you yourself are the product. Sometimes, he posits, we are simply consuming goodwill. On the flip side, he points out that paying for products such as YouTube Premium or Netflix does not all of a sudden make you any less of a product.

For me, this reminds me of Austin Kleon’s discussion of the power of an email list:

The model is very simple: They give away great stuff on their sites, they collect emails, and then when they have something remarkable to share or sell, they send an email. You’d be amazed at how well the model works.

Bookmarked You Don’t Need to Burn off Your Fingertips (and Other Biometric Authentication Myths) by Troy Hunt (Troy Hunt)

Let me bullet this succinctly:

  1. Obtaining a usable biometric artefact is much harder than obtaining a password
  2. Creating a usable biometric prosthetic is much harder than using a password
  3. Fooling a biometric verifier is much harder than fooling a verifier you can provide a valid password to
  4. Those with the capability to do the above 3 things are not the ones who are most likely to obtain your biometrically protected things

Use biometrics. It incentivises people to secure more things, it’s resilient to all sorts of risks passwords are not and as an added bonus, it makes your digital life a whole lot easier 🙂

Troy Hunt explains why stealing somebody’s biometric data and turning it into something that fools a verifier is so much more difficult than stealing a password. Hunt also addresses this in his ‘Ask Me Anything’ session at the AusCERT2021 conference.

Liked The Internet of Things is a Complete Mess (and how to Fix it)

This might seem painful right now (and frankly, it is), but it’s also a very exciting time in IoT. It feels like the very early days of the web where everything was a bit of a kludge we hacked together but we made things work and it turned into something amazing. That’s where I think we are now with IoT and as infuriating as it often is, it’s an exciting time to be a part of it and well and truly worth a few lighting problems here and there.

Liked Data Breaches, Class Actions and Ambulance Chasing by Troy Hunt (Troy Hunt)

I’m in no way against penalties being issued to firms that suffer data breaches and outcomes such as the FTC achieved against Equifax seem quite reasonable. This was a case where Equifax didn’t just fall well short of their obligations to secure customer data in the first place, but they did a woeful job of handling the incident after the fact. The “up to $425 million to help people affected by the data breach” settlement seems fair in this case and it was achieved by an independent government agency, not by lawyers looking to cash in.

There will, of course, be many cases that are simply settled out of court and we may never know the result. I dare say this is often the desired outcome of these class actions; strike a deal that’s appealing enough to avoid extensive court time, give those in the breach who joined the action a pro-rata’d slice of the settlement and the law firm keeps a big chunk of coin themselves without ever seeing a courtroom. Each one of those lawyer advertisements earlier on is there for one reason and one reason only: to make money for the firms involved. They’re not charities, this isn’t for good will, it’s simply business.

Liked How I Finally Fixed My Parents Dodgy Wifi With AmpliFi by Troy Hunt (Troy Hunt)

I moved on and extended the network out to my jet ski with their Mesh products, did a ground-up build in my brother’s house (which I remain jealous of) and just last month, released a free course on UniFi commissioned by Ubiquiti. Clearly, I’m a UniFi convert.

But UniFi isn’t for everyone. It’s a “prosumer” product which means it’s great for everyone from technical people installing it in their homes through to professionals building out entire shopping centres or stadiums with the gear. But it’s not great for non-techies; there’s both design and setup involved and frankly, a heap of features they’ll never need. That’s where AmpliFi comes in, Ubiquiti’s consumer line for the home.

Bookmarked Padlocks, Phishing and Privacy; The Value Proposition of a VPN by Troy Hunt

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Troy Hunt explains that even with HTTPS, there is still a case for a VPN: HTTPS encrypts the page you request, but your DNS lookups and the hostname in the TLS handshake (SNI) are still visible to whoever carries your traffic, and a VPN simply changes who that is, from your ISP to a provider you have chosen to trust.

As the old saying goes, privacy isn’t necessarily about having something to hide, it’s also about not having something you want to share; if you’re depressed and going to then you may not wish to share that with other people. If you’re having trouble with alcohol and visit then you may not want to share that either. If you’re pregnant and hopping over to then, again, you may expect to keep that information private (let us not forget the story of how Target managed to “data-mine its way into [a teenage girl’s] womb”). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I’m not a depressed alcoholic teenager who’s expecting…)

Bookmarked We Didn’t Encrypt Your Password, We Hashed It. Here’s What That Means: by Troy Hunt

A password hash is a representation of your password that can’t be reversed, but the original password may still be determined if someone hashes it again and gets the same result.

Troy Hunt discusses the difference between encryption and hashing when it comes to passwords: an encrypted password can be decrypted by anyone holding the key, whereas a hash has no key to recover, so the only way to “get the password back” is to guess candidates, hash each one and compare. That is why a fast, unsalted hash of a common password is still effectively exposed in a breach.
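To make the excerpt concrete, here is a small Python example added to this page (not code from Hunt’s post or from any of his projects) showing what “can’t be reversed, but can be re-hashed” means in practice: a fast unsalted SHA-1 hash is recovered by hashing a constructed wordlist and comparing digests, and two users who chose the same password end up with the same stored hash, whereas a salted, iterated PBKDF2 record defeats both the precomputed lookup and the cross-user match. The wordlist and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample wordlist: the kind of short guess list an attacker
# would run against a leaked set of unsalted hashes.
WORDLIST = ["letmein", "password", "hunter2", "correcthorsebatterystaple"]


def sha1_hex(password: str) -> str:
    """Fast, unsalted hash of the kind the excerpt is talking about."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover a password from an unsalted hash without 'reversing' anything:
    hash every guess and look for one that produces the same digest."""
    for guess in candidates:
        if hmac.compare_digest(sha1_hex(guess), target_hex):
            return guess
    return None


def unsalted_hashes_match(password_a: str, password_b: str) -> bool:
    """With no salt, two users who chose the same password leak that fact:
    their stored hashes are identical, so one crack unlocks both accounts."""
    return sha1_hex(password_a) == sha1_hex(password_b)


# A salted, iterated record: (salt, derived key, iteration count).
SaltedRecord = Tuple[bytes, bytes, int]


def make_salted_record(password: str, iterations: int = 100_000) -> SaltedRecord:
    """Store a password with a random per-user salt and a deliberately slow
    key-derivation function instead of a single fast hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk, iterations


def verify_salted(password: str, record: SaltedRecord) -> bool:
    """Verification re-derives with the stored salt. There is still nothing to
    decrypt, but a precomputed table of hashes is now useless against it."""
    salt, dk, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def salted_hashes_match(password_a: str, password_b: str) -> bool:
    """Same password, different salts: the stored values no longer coincide."""
    return make_salted_record(password_a)[1] == make_salted_record(password_b)[1]


if __name__ == "__main__":
    leaked = sha1_hex("hunter2")                 # what a breach of unsalted SHA-1 exposes
    print("unsalted crack:", crack_unsalted(leaked, WORDLIST))
    print("same password, same unsalted hash:", unsalted_hashes_match("hunter2", "hunter2"))
    rec = make_salted_record("hunter2")
    print("salted verify (correct):", verify_salted("hunter2", rec))
    print("salted verify (wrong):", verify_salted("password", rec))
    print("same password, same salted hash:", salted_hashes_match("hunter2", "hunter2"))
```

The salted record is still just a hash, so a site that stores it genuinely cannot tell you your password; what changes is the attacker’s cost, since every guess must be re-derived per user at the chosen iteration count rather than looked up once for the whole breach.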

Troy Hunt reflects on the discussion of the Australian Government’s development of an app that would allow users to identify and be identified if in contact with the coronavirus. He suggests that privacy is not an absolute.

Bookmarked Sharenting, BYOD and Kids Online: 10 Digital Tips for Modern Day Parents (Troy Hunt)

I was invited into the local ABC Radio studio to comment on this piece and online safety in general so in a very meta way, I took my 7-year old daughter with me and captured this pic which, after discussion with her, I’m sharing online:

Discussion quickly went from sharenting to BYOD at schools to parental controls and all manner of kid-related cyber things. Having just gone through the BYOD process with my 10-year old son at school (and witnessing the confusion and disinformation from parents and teachers alike), now seemed like a good time to outline some fundamentals whilst sitting on a plane heading down to Sydney to do some adult-related cyber things!

For Safer Internet Day, Troy Hunt provides a number of tips when it comes to digital parenting. He argues that everyone needs to find their own balance, but this needs to involve guiding children, managing the administrative duties that come with devices and accounts, and living with the chance that anything shared could be made public. In the end, the message that emanates from Hunt’s piece is the importance of being an active parent.

Digital controls can never replace the role parents play in how the kids use devices; they should be complementary to parenting rather than a substitute for it.

Some other useful pieces on this topic include: