“Have I been pwned?”: a force for good or evil?

A new website called “Have I been pwned?” will tell you if your email address was involved in an account-data theft, or hacking, of a website.

While that may sound great, the problem is that _any_ email address can be entered in the search field; it doesn’t have to belong to you. And that makes this “feature” of the website very interesting for people who like sticking their noses in other people’s business.

For example, entering the email address of any person I know enables me to see whether their LinkedIn account was compromised. But the information that their LinkedIn account was compromised is not what interests me. It is the fact that I now know that they are on LinkedIn.

And that is a problem. Admittedly, being on LinkedIn is not something most people would want to keep a secret. But what about having your email address linked to an account on e.g. YouPorn, Naughty America, Fling or Ashley Madison?

Of course, if you really want to find this information, then it is possible to do so. But it would certainly be a lot harder without a search engine like “Have I been pwned?”. Additionally, compromised websites will nearly always email their users to inform them of the breach, urging them to change their passwords. Consequently, what would be the point of looking up your own address on “Have I been pwned?” if the compromised website has already informed you of the breach?

So is “Have I been pwned?” really a useful tool for security conscious internet users? Doubtful. Is it a time-saving search tool for amateur black hats and nosy people? Probably.

I don’t doubt that the website was created with the best intentions, but it still seems a bit… odd. And while there is an “opt-out” option, perhaps it would have been nicer to make it an “opt-in” version instead.

[UPDATE (d.d. 20170628)]

Today I noticed that the “Have I been pwned?” website now requires email verification before including sensitive websites in the search results. That’s much better. ;-)

Collar stays: a great way to recycle your expired debit- or creditcard

The collars on some of my shirts require collar stays to support them. Without the added rigidity conferred by the collar stays, the shape of the collar typically assumes a wide range of visually displeasing configurations. Thus, wearing a shirt without collar stays almost inevitably results in a fashion no-no.

But shirts must also be washed, even fancy ones that require collar stays. At some point, someone will inquire why your shirt smells as if it was previously owned by a particularly sweaty colonial, has cracked yellow stains under the armpits and moldy coffee stains on the front. And you will not be able to talk yourself out of that situation by saying “Ah yes, but observe how nice my shirt collar looks, thanks to these fancy collar stays I’m using”. Trust me.

However, before washing a shirt, the collar stays must be removed or else they may detach from the collar and vanish in the laundry machine. Unfortunately, I regularly forget to remove them and I have lost a few collar stays this way. Not many, but still more than I would like.

Then, one day, I open my mailbox and find a letter from my bank. It’s a new creditcard. Having no further use for the old creditcard, I began playfully flexing it in my hand. Then it struck me that the card’s rigidity seemed quite similar to that of my plastic collar stays. So, using one of my collar stays as a template, I tried cutting a new pair of collar stays out of the old credit card using a pair of scissors.

It worked.

The original collar stay above and the fancy new credit card derived collar stay below.

The original collar stay above and the fancy new credit card derived collar stay below.