Have I Been Pwned goes open source, bags help from FBI

The creator of the Have I Been Pwned (HIBP) website, which alerts you if it turns out your credentials have been swiped and leaked from an account database, has open sourced the project's internals. Troy Hunt set up HIBP in 2013, and the dot-com is now said to be getting a billion requests a month. Last year, the man Down …

  1. Anonymous Coward
    Anonymous Coward

    forget the FBI

    I want the NSA to dump their collected password database into HIBP...

    1. RuffianXion
      Big Brother

      Re: forget the FBI

      Isn't that just 'all of them'?

    2. Dan 55 Silver badge
      Black Helicopters

      Re: forget the FBI

      Wouldn't there be more chance of the opposite happening?

    3. Anonymous Coward
      Anonymous Coward

      Re: forget the FBI

      All those web sites that use the Google CAPTCHA system to "protect" login pages, has anyone ever thoroughly reviewed the code to check that Google are not keystroke-sniffing what the user enters into the login fields, and then exfiltrating the data for other Eyes to use...?

  2. 0laf Silver badge
    Pint

    Beers

    I know Troy has been working with UK security people as well.

    The site is a very useful resource and a significant help just by flagging the staggering number of compromised accounts to senior managers.

    At least someone is working and trying to help.

    Beers for that man.

    1. Dan 55 Silver badge

      Re: Beers

      It's nice to be warned but when your name, DOB, address, or something like NI or social security number is out there, what can you do at that point? It's not like you can easily change them.

      There needs to be real consequences for the directors of companies involved in data leaks, it's the only way.

      1. ThatOne Silver badge
        Devil

        Re: Beers

        > real consequences for the directors of companies involved in data leaks

        There are millions in lobbying dollars making sure this won't happen anytime soon.

        Selling people's personal information is an emerging market which has everybody salivating, since it doesn't require any big investments; so everybody will try to make sure nothing stands in the way of making a quick buck selling whatever PI they happen to collect in their core business. Free enterprise, man! It never has been that easy to "monetize" masses of people since slavery was made illegal!

  3. ThatOne Silver badge
    Paris Hilton

    Half-Double Rowhammer

    > industry partners to work together to develop lasting solutions

    Or just leave it as it is, covered by a software Band-Aid; it's not like customers can go elsewhere...

    Or am I wrong? Genuine question, have all those bugs been fixed in recent CPUs (and by "fixed" I mean in a better way than by simply deactivating the offending parts of the CPU and slow it down)?

    (Yes I know this is about RAM, but I shove it in the same "hardware bugs" category as Spectre & Company.)

    1. Blazde Silver badge

      Re: Half-Double Rowhammer

      Pretty much. There have been a couple of iterations of hardware fixes now for Intel & AMD. If you want either software to not have to care about security compartmentalisation, or increased security without any performance impact at all, you're going to be waiting forever because those things aren't desirable/possible.

      I don't see how RowHammer/etc will ever be 'fully' fixed because it's essentially probabilistic and the surest ways to mitigate it significantly increase latency, power consumption, or silicon area in ways fundamentally linked to the physical laws of the universe. It could perhaps become the purest example of a security/cost/performance trade-off. The other dimension potentially worth trading against is uptime, because if hardware detects it might have been successfully Hammered the last line of defence is to halt execution rather than cede control to the attacker. Hard decisions.

      1. Claptrap314 Silver badge

        Re: Half-Double Rowhammer

        Not entirely. Standard ECC can fix one-bit flips & detect two. For the last two decades. Two-bit-fix ECC (& detect 3&4) would only be marginally more expensive, and would be strongly resistant to this class of attacks.

        But I was a validator, not a designer, so I don't have specifics.
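A worked illustration of the "fix one, detect two" behaviour mentioned in the comment above, added here as an example; it is not code from the thread, from HIBP, or from any memory vendor. It implements an extended Hamming SECDED code with check bits at power-of-two positions and an overall parity bit (the layout assumed here; real controllers use their own), so 64 data bits become the familiar 72-bit codeword. The sample word and the flipped positions are constructed for the demo. It also shows what the comment's concern about Rowhammer boils down to: three flips in the same word can be silently "corrected" into the wrong value.

```python
"""Extended Hamming SECDED: single-error correction, double-error detection.

Added example, not code from the page. Assumed layout: check bits at
power-of-two positions 1..total, overall parity at index 0. For 64 data
bits this gives r = 7 check bits + 1 parity = 72-bit codeword.
"""


def _num_check_bits(n_data):
    # Smallest r with 2**r >= n_data + r + 1 (r = 7 for 64 data bits).
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r


def int_to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def bits_to_int(bits):
    return sum(b << i for i, b in enumerate(bits))


def encode(data_bits):
    """Return codeword list: index 0 = overall parity, 1..total = Hamming positions."""
    n = len(data_bits)
    r = _num_check_bits(n)
    total = n + r
    code = [0] * (total + 1)
    data = iter(data_bits)
    for pos in range(1, total + 1):
        if pos & (pos - 1):          # not a power of two: a data position
            code[pos] = next(data)
    for i in range(r):
        p = 1 << i                   # check bit p covers every position with bit i set
        code[p] = sum(code[pos] for pos in range(p + 1, total + 1) if pos & p) & 1
    code[0] = sum(code[1:]) & 1      # overall parity: tells one flip apart from two
    return code


def decode(code, n_data):
    """Return (data_bits, status) with status in {"ok", "corrected", "uncorrectable"}."""
    r = _num_check_bits(n_data)
    total = n_data + r
    code = list(code)
    syndrome = 0                     # XOR of the positions of flipped bits
    for i in range(r):
        p = 1 << i
        if sum(code[pos] for pos in range(1, total + 1) if pos & p) & 1:
            syndrome |= p
    overall_ok = (sum(code) & 1) == 0

    if syndrome == 0 and overall_ok:
        status = "ok"
    elif not overall_ok and syndrome <= total:
        # Odd number of flips observed: assume exactly one and repair it.
        # Syndrome 0 here means the overall parity bit itself flipped.
        code[syndrome] ^= 1
        status = "corrected"
    else:
        # Non-zero syndrome with even overall parity: two flips, detectable only.
        status = "uncorrectable"
    data = [code[pos] for pos in range(1, total + 1) if pos & (pos - 1)]
    return data, status


def flip(code, positions):
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


def demo(word=0xDEADBEEF_CAFEF00D):
    """Constructed scenario: one, two and three flips in one 72-bit word.

    Returns {label: (status, data_matches_original)}.
    """
    data = int_to_bits(word, 64)
    cw = encode(data)                # 72 bits
    cases = {"clean": [], "one": [3], "two": [3, 10], "three": [3, 5, 6]}
    results = {}
    for label, positions in cases.items():
        got, status = decode(flip(cw, positions), 64)
        results[label] = (status, bits_to_int(got) == word)
    return results


if __name__ == "__main__":
    for label, (status, ok) in demo().items():
        print(f"{label:5s}: {status:13s} data intact={ok}")
```

The "three" case is the uncomfortable one: positions 3, 5 and 6 XOR to zero, so the syndrome is clean, the overall parity is odd, and the decoder happily "corrects" the parity bit and reports success while three data bits are wrong. That is why a SECDED report of "corrected" is not the same as "the data is right" once an attacker can flip several bits in one word.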

Biting the hand that feeds IT © 1998–2021