Recent posts

My breakup with LastPass

It might seem obvious that any LastPass user should want to migrate away from the service given the recent data breach they've had, but it's not that simple, especially when you're fully invested in the service. To put that into context, I've been a user for about eight years, fully paid up with an annual plan that I share across the family; we're all pretty heavy users and I had over 500 passwords stored in the service. The service works well. A few autofill niggles aside, it's a user-friendly way to manage all the many passwords we need to generate these days and it takes a lot of the heavy lifting away. They also offer a multi-factor authentication OTP service which synchronises all the tokens, so that when you lose your phone it's not the end of the world: you just resync your new device and you're back up and running. All that sounds too good to be true and, unfortunately, it is. Putting all your eggs in one basket is never a good id

Smart home equipment

My home is relatively smart in that I run a Home Assistant server with quite a few integrations covering lighting, motion sensors, door/window sensors, CCTV, temperature/humidity, energy and heating, so I figured I'd list out my tech choices and any good/bad points that I've found while using them. My tech choices are now pretty stable after a few iterations over a few different types, which means I have time to write a blog about it rather than play with Home Assistant all the time!

Home Assistant

This is the brains of the operation. It sits in the garage running on an old Shuttle PC with a DeConz Conbee II Zigbee stick in the back and is exposed to the internet so that the associated Android phone app can communicate with it at all times. That's pretty useful as I have a bunch of geo-based automations hooked in, but it means that I have to be on top of my security model. Home Assistant has been rock solid for many years now. It's consumed A LOT of time in configuration and maintenance b

Site hosting update

What's this site all about then?! This site has been around since 2016 in one form or another and tends to get heavily modified with little warning! I created this site for two reasons:

as a place to put down my thoughts about the things that interest me, such as technology, techno, aviation and travel, amongst others;

as a testing site for some of the new and interesting security-related features that are available on the internet.

That second point means that this site was hosted in an AWS S3 bucket, served via CloudFront (with Lambda@Edge injecting Content Security Policy headers) and is IPv6-enabled. In previous incarnations, it was self-hosted on an EC2 instance just to get the CSP headers to work, but Lambda@Edge smashed that one out of the park! However, I recently migrated away from that AWS tech stack to blogger.com just for simplicity. I wasn't updating the site very often, so I figured I'd migrate to a blog site for a while and see how that goes. For now, it's

Threat modelling this website

My previous post looked at producing a C4 model for my (simple) website. This post takes that a step further and looks at how we can use C4 modelling to elicit security and privacy threats using two frameworks:

STRIDE. Most people know STRIDE; it's derived from the Microsoft security threat modelling process from the early 2000s and stands for Spoofing, Tampering, Repudiation, Information leakage, Denial of service and Elevation of privilege.

LINDDUN. This is not so widely known, but I first came across it in one of the Application Security Podcasts on Privacy Threat Modelling. "LINDDUN was created in 2010 as a collaboration between the DistriNet and COSIC research groups of KU Leuven, Belgium". It is a framework, not unlike STRIDE, which stands for Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness and Non-compliance.

However, both STRIDE and LINDDUN base themselves around classical threat modelling techniques which, in my opinion

C4 modelling this website

This site has been around for a few years now and has changed significantly, mainly from an infrastructure perspective, over that time. That is possible because the site gets very few hits, so I can use it to test features and experiment without worrying about outages. In a work context, I very much promote the use of C4 modelling as a consistent and clear means of expressing a system architecture. C4 modelling struck a chord with me when I first came across it, as it takes the best bits from UML and structured systems engineering, which is my background, but allows them to be used in a more agile (with a small 'a') software development context. Consistency is also key; on a daily basis I review a handful of threat models which have historically been drawn using any drawing method (logical, physical, software-based, high level, low level, etc.) and tooling that you can imagine. Such a lack of consistency brings with it a time burden; it takes time to understand how each of the varying

BBC Application Security (AppSec) Blog

Here's a review of the work that I did during 2019 whilst working for the BBC, under the heading Application Security (AppSec): BBC: Application Security