I tip my hat
Mr Hunt has done the world a great service in a responsible way. I wish him the best and hope that his efforts will be bolstered by a company or partners that will bring the same respect to his creation that he brought to the public.
Troy Hunt, inventor and operator of the popular security website Have I Been Pwned (HIBP), is putting the service up for sale. Hunt, a Microsoft Regional Director and MVP for security, created the site in 2013 after Adobe leaked 153 million usernames and weakly encrypted passwords. Users can enter an email address and discover …
Seems like he is done with the altruism and is looking to cash in. Instead of expanding it as an open source project, he will sell the 8Bn records to the highest bidder. Care to guess whether it will be someone looking to keep the functionality and impartiality intact, or just gobble and exploit the juicy dataset?
I'm sure that he pays fees for hosting out of his wallet
Yup. People can contribute (via PayPal or Bitcoin); there's a Donate page on the site that explains things. I set up a small monthly donation myself. But even if donations are covering the hosting costs, which I doubt, there's a lot of work involved in running HIBP.
Ahhhh, the entitled brigade are here I see. It's attitudes like this that actually stop people running projects and make them close them up completely. He's spent his own money and his own time building and maintaining this. Sure he could make it open-source, but then it pretty much already is: most of the code behind it is in his blog if you want to look at it, and the datasets are out there for anyone who wants to find them. Then he'd have more people to coordinate and lose all control from the off.
If it went open source then a limited number of people would still need to be responsible for loading the data in; you don't want that data loaded up into GitHub before it's processed and the passwords removed.
It doesn't sound like he's after a "highest bidder" sale anyway. It all sounds like he's responsibly trying to secure a viable future for the project. As it stands, if he were to be hit by a bus then the whole project would be abandoned - he's simply trying to find an organisation that can take care of it. Getting that organisation to put their hand in their pocket is a good way of filtering down to those who are serious.
Agreed, definitely the highest bidder.
I mean he claimed to be an honest trader, but this is K.P.M.G. we are talking about, renowned for fawning headlines like these ones:
2015 Corruption in FIFA? Its Auditors Saw None
https://www.nytimes.com/2015/06/06/sports/soccer/as-fifa-scandal-grows-focus-turns-to-its-auditors.html
2016 KPMG Switzerland resigns as Fifa auditor
https://www.ft.com/content/a872af30-316e-11e6-bda0-04585c31b153
2017 US KPMG Fires 6 Over Ethics Breach on Audit Warnings
https://www.nytimes.com/2017/04/12/business/dealbook/kpmg-public-company-accounting-oversight-board.html
2018 Seven UK KPMG partners leave after inappropriate behaviour
https://www.ft.com/content/50a716c2-fcac-11e8-ac00-57a2a826423e
2019 Aiding 'organized crime': India alleges 22 audit violations by Deloitte, KPMG arm in fraud case
https://www.reuters.com/article/us-india-il-fs-deloitte-kpmg/aiding-organized-crime-india-alleges-22-audit-violations-by-deloitte-kpmg-arm-in-fraud-case-idUSKCN1TE1X4
2019 KPMG 'severely reprimanded' for audit failings at Co-op Bank
https://www.theguardian.com/business/2019/may/08/kpmg-severely-reprimanded-for-audit-failings-at-co-op-bank
Yeah, what could possibly go wrong with selling user data to such a globally respected audit service?
I suspect it's labelled as an acquisition rather than a sale for a reason.
You also can't really have responsible disclosure with a wholly open source project... because it's open.
What he needs is an established business already comfortable operating in this space willing to take on a service that may have fairly low commercial profitability.
Dear Mr Krotos
I am writing to you on behalf of the police. We had been going to tell you that when we arrested Mr Big, he had your name, email, address and photo in a little black book under the title 'People to assassinate next week'. Clearly as the book contained personal information we had no choice but to return it to its owner. At that point we had no evidence left, so we released Mr Big. Obviously we aren't actually going to send you this letter, because we securely deleted your email and contact details. Still - sleep tight!
[Name redacted because it's obviously personal]
Interesting point. Legally I don't know where this business would sit - there's no agreement with data subjects or data controllers to hold the information. Then again it could be argued that it's in the public arena already and hence is no longer "private", even if it's about private individuals and he wasn't the source of the breach/leak etc.
I think you'd be hard pressed to find any Information Commissioner or equivalent keen to go after him as frankly he's doing a public service.
"it could be argued that it's in the public arena already and hence is no longer "private""
Yes, when it comes to the breach datasets. However, people who actively use his service are supplying information that may or may not be in any of those datasets. That would be the sensitive information.
Kudos to Mr. Hunt. I understand burnout all too well, and I am deeply appreciative of his work with HIBP.
I'm nervous about this announcement, though. HIBP operates with very sensitive data and has earned a great deal of trust. Any new owner must have an impeccable reputation and there are very few companies that have that. I'll wait and see who buys it before making any decisions about continuing to use it.
HIBP operates with very sensitive data
How so?
The breach datasets are all published before HIBP gets them, by definition.
Usernames that people submit are not sensitive, by Kerckhoffs's principle. There's no need for HIBP to keep them after performing the search, so there's no GDPR issue even if they're not in the datasets.
No one needs to submit plaintext passwords to HIBP - you can submit hashes.
While I wouldn't want HIBP taken over by a malicious actor, it's not high on my list of things to worry about. It's not nearly as sensitive as, say, most of the Alexa 100 sites, in terms of actual relative risk.
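The hash-only lookup the post above refers to is HIBP's Pwned Passwords range API, which takes only the first five hex characters of a password's SHA-1 and returns every matching suffix with a breach count. The client below is an added example, not HIBP's or the commenter's code; the range URL and the "SUFFIX:COUNT" line format are the real API's, while the sample response and its counts are constructed so the check runs offline.

```python
from __future__ import annotations
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (real ones carry hundreds of lines).
# One "SUFFIX:COUNT" per line; the middle suffix is the tail of SHA-1("password"),
# and its count is made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix goes over the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    matches: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            matches[suffix] = int(count)
    return matches


def fetch_range_online(prefix: str) -> str:
    """Live lookup: only the 5-char prefix is ever sent to the API."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "hibp-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """How often the password appears in the corpus (0 = not found).
    The password and its full hash never leave this function."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed sample; drop the second argument for a live query.
    print(pwned_count("password", lambda _prefix: SAMPLE_RANGE_RESPONSE))
```

The same suffix comparison is what a signup form should do server-side, so that a breached password is rejected without the plaintext or full hash ever leaving the application.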
"other strategies like multi-factor authentication, but take-up is weak as data from services like Microsoft's Office 365 demonstrates."
That effect isn't very hard to understand. All of the MFA implementations I've seen so far are much less convenient than passwords and/or require information disclosure to unsavory companies.
All of the MFA implementations I've seen so far are much less convenient than passwords and/or require information disclosure to unsavory companies.
All security is a trade-off with convenience. (Wouldn't it be more convenient if you just had your user name, with no password to remember?)
From a convenience/handing over data perspective, I've used:
- Mobile app notification: minimal inconvenience, who knows about data (though not an inherent issue)
- Phone call: slightly more inconvenient than an app for most, but you need to hand over your telephone number.
- SMS OTP: probably slightly more inconvenient than a phone call in most cases; again, you need to hand over your number.
- TOTP/HOTP and similar (RSA SecurID springs to mind): like SMS OTP except no data.
The only other option I'm aware of (am I missing any?), and one that looks very interesting to me, is U2F. This keeps the "no data" aspect of TOTP etc., while reducing inconvenience to be similar to a mobile app. From a security perspective, it also allows a lot of potential weaknesses affecting the above to be avoided.
"All security is a trade-off with convenience."
Indeed so. When you're talking about why MFA hasn't been adopted widely by the average user, convenience is probably near, or at, the top of the list of reasons.
I think you covered all the options in your list. Of those, U2F is the most acceptable to me -- but I think that the requirement to buy and carry a U2F device, however cheap it is, puts off a lot of ordinary users.
There's also password-less login, where an email is sent to the registered address. Similar to a password reset (same security level, i.e. not much) but the resulting link is a one-time, short-term login. I've used it for a site with low security requirements where about 50% of logins were password resets; this went to zero. Example for WordPress: https://www.cozmoslabs.com/add-ons/passwordless-login/
With so many big companies talking about their Corporate and Social Responsibility efforts - and then doing things like planting trees or helping in homeless shelters - perhaps one of them could step up and provide both people and resources to support this effort.
This work has been phenomenal, and has certainly earned him a place in Internet history. Like the Wayback Machine, it would be sad to see it go... or get corrupted from its current highly trusted and reputable state.
As thankful as I am for this service, I wonder if it has had any noticeable effect on shoddy company practices and software SNAFUs.
Microsoft are still hosting phishing pages on their Forms service, they're still facilitating spam, like, not even trying to stop it, and the icing on the cake, try using their incarnation of 2FA with PowerShell.
This is one shitty company in a sea of shitty companies, Faecesbook, Frugle, CrApple, the list is long
Yes I know this is about database breaches; shitty security and shitty humans with their lack of foresight go hand in hand, the apple rarely falls far from the tree.
Should add here, the onus is on the end-user to create ever more complex random unique passwords.
The onus should be on the reckless 'for profit' companies to not spill people's personal details all over the internet. If their marketing budgets were as high as their security budgets...
A rude awakening is not far away
"The onus should be on the reckless 'for profit' companies to not spill people's personal details all over the internet."
I agree (although it's not just for profit companies that fall down on this.)
But we should also keep in mind that breaches will continue to happen even if every company handles their security very well. There is no such thing as perfect security, after all. If something can be accessed legitimately, it can be accessed illegitimately. The only question is how much time and effort is required to do it.
I fully understand how he feels. On an incomparably smaller scale I have been running, almost entirely single-handedly, a non-profit project for 13 years and, frankly, with a ZERO rate for volunteers willing to give a helping hand (with thousands offering a "great job mate!" free pat on the back). No matter how optimistic or resilient you are, this ratio just steadily erodes your faith in, well, human nature in general. It's a matter of when, not if, you say: ok, fuck this and fuck you all.
"No matter how optimistic or resilient you are, this ratio just steadily erodes your faith in, well, human nature in general."
This isn't a universal truth. I run a couple of services alone and for free and have done so for at least a decade. I've stopped running services before because of burnout -- but I have never been bothered by the ratio you're talking about, and it has certainly not eroded my faith in anything.
Full respect to Troy for all the effort he has put in. Reading his own blog post (https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/), he is looking for the right people to take over.
From the current people working with HIBP, I reckon either Cloudflare or Mozilla would be the best homes for the service, and both have the scale to support it.