from Hacker News

Project Svalbard: The Future of Have I Been Pwned

by benmarks on 6/11/19, 6:04 AM with 145 comments

  • by onli on 6/11/19, 9:53 AM

    But we see that so often. The original founder of a thing has a list of requirements he wants met, he wants to stay onboard. But then stuff happens and the buyer uses his control. Think Instagram, Whatsapp, Tumblr(?) - there are a thousand examples.

    I'd hope Troy reconsidered the "just create a business yourself" solution. That could be structured in a way that makes sure the trust Troy earned stays linked to the project. And a bootstrapped company starting from the profitable position I assume HIBP is in now (with the business deals) does not at all have to mean more work for him. He could just offload the work he can't handle anymore to employees.

    An acquisition by anyone not as trustworthy as the current solution/the candidates like Mozilla mentioned here would be a disaster mid- to long-term.

  • by cm2187 on 6/11/19, 8:11 AM

    I cannot say enough in praise of Troy and HIBP. But it is a risky operation.

    I understand HIBP derives its value from grey-ish hats sharing with Troy any leaked dataset they find because they know him or because of his reputation.

    If he leaves, it is not clear to me that his trust and reputation will stay behind with the company running HIBP. The minute HIBP ceases to be the central place for these new datasets to be shared, it ceases to be of any practical use.

  • by GordonS on 6/11/19, 7:40 AM

    I'd love to see a non-profit organisation like Mozilla pick this up, but that's obviously going to mean a lot less money going to Troy.

    OTOH, it's kind of difficult to begrudge Troy gaining financially from HIBP, since he's spent years building it up and has helped increase security awareness for so many people.

  • by w8rbt on 6/11/19, 10:53 AM

    I hope that the SHA1 hashes remain freely available for download. I use them to build a bloom filter for password vetting.

    We should all do away with password complexity rules (except minimum length) and simply test a large, comprehensive exposed-password bloom filter for membership. It's very fast (constant time) and efficient, and if the test returns no, then it's safe for a user to select that password.

    Here's the code: https://github.com/w8rbt/bp

    Also note that this approach satisfies the updated (June 2017) NIST 800-63-3B password vetting guidelines.
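
    Added example (my own code, not w8rbt's bp project linked above): a small Python Bloom filter that loads breached-password SHA-1 hashes in the `HASH:count` layout of the downloadable Pwned Passwords list and vets a candidate password with exactly the policy the comment describes, a minimum-length rule plus a membership test. The sample hash lines are constructed in-code from a few well-known weak passwords and the prevalence counts are made up; a real deployment would stream the full download through `build_filter`.

```python
"""Password vetting against breached-password SHA-1 hashes with a Bloom filter.

Added example, not w8rbt's bp code. Sample data below is constructed: the
hashes are computed in-code from a few well-known weak passwords and the
counts are invented, mimicking the "<SHA1 hex>:<count>" download layout.
"""
import hashlib
import math

# Constructed sample in the "<SHA1 hex>:<count>" layout (counts are made up).
SAMPLE_HASH_LINES = [
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() + f":{n}"
    for p, n in [("password", 1000), ("123456", 2000), ("qwerty", 300),
                 ("letmein", 40), ("iloveyou", 50)]
]


class PasswordBloomFilter:
    """Bloom filter keyed on uppercase SHA-1 hex digests of passwords.

    No false negatives: every hash added is always reported as present, so a
    "not present" answer is definitive. False positives occur at roughly
    target_fp_rate, which only means a never-leaked password is occasionally
    rejected; the error never goes the other way.
    """

    def __init__(self, expected_items: int, target_fp_rate: float = 1e-6):
        # Standard sizing: m bits and k hash functions for n items at rate p.
        self.m = max(8, math.ceil(-expected_items * math.log(target_fp_rate)
                                  / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, sha1_hex: str):
        # Kirsch-Mitzenmacher double hashing: the SHA-1 digest is already
        # uniformly distributed, so two 64-bit slices of it seed k positions.
        digest = bytes.fromhex(sha1_hex)  # raises ValueError on malformed input
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # never a zero step
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add_hash(self, sha1_hex: str) -> None:
        for pos in self._positions(sha1_hex.strip().upper()):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def might_contain_hash(self, sha1_hex: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(sha1_hex.strip().upper()))

    def is_exposed(self, password: str) -> bool:
        """True = reject (possibly leaked); False = definitely not in the corpus."""
        digest_hex = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return self.might_contain_hash(digest_hex)


def build_filter(hash_lines, target_fp_rate: float = 1e-6) -> PasswordBloomFilter:
    """Load "HASH:count" lines into a filter sized for that many entries."""
    lines = [line for line in hash_lines if line.strip()]
    bf = PasswordBloomFilter(expected_items=len(lines), target_fp_rate=target_fp_rate)
    for line in lines:
        sha1_hex, _, _count = line.partition(":")  # count is irrelevant to membership
        bf.add_hash(sha1_hex)
    return bf


def vet_password(bf: PasswordBloomFilter, password: str, min_length: int = 8):
    """The comment's policy: a minimum length plus the exposure test, nothing else."""
    if len(password) < min_length:
        return False, "too short"
    if bf.is_exposed(password):
        return False, "appears in breach corpus (or Bloom false positive)"
    return True, "ok"


if __name__ == "__main__":
    bf = build_filter(SAMPLE_HASH_LINES)
    print(f"filter: {bf.m} bits, {bf.k} hashes, {bf.count} entries")
    for candidate in ["password", "short", "correct horse battery staple x9Q"]:
        print(candidate, "->", vet_password(bf, candidate))
```

The asymmetry is what makes the comment's "if the test returns no, then it's safe" claim hold: a Bloom filter can only err by rejecting a clean password, never by accepting a leaked one, and the false-positive budget is set by `target_fp_rate` at build time. Feeding the filter only the hash column also means the server never has to hold the plaintext corpus, which is why distributing the SHA-1 list (rather than the passwords themselves) is sufficient for this check.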

  • by bookofjoe on 6/11/19, 11:40 AM

    Totally off topic, but still...: Many years ago, the New York Times did a lengthy piece about the Svalbard Seed Repository, referring to it as being located on "the island of Svalbard." It took repeated emails/corrections/tweets by me before they finally corrected the story and noted "Svalbard is not an island, it is an archipelago." All subsequent references in the Times have got it right.

  • by trollied on 6/11/19, 8:17 AM

    I'd like to see Let's Encrypt step up and run this service. Seems like a natural fit.

  • by reallydontask on 6/11/19, 7:12 AM

    It's a shame as this is likely to mean that we end up with a worse service, but completely understandable. Hopefully, I will be proven wrong.

  • by arkitaip on 6/11/19, 7:44 AM

    This is really public utility work and should be treated like it instead of a for-profit project. Many thanks to Troy for his hard work over the years for making the internet a safer place.

  • by vermilingua on 6/11/19, 12:38 PM

    Worth mentioning that the value of HIBP is largely based on trust in Troy Hunt. I think he’s an incredible guy who does incredible work; but he’s also an Australian citizen. Due to our new surveillance laws, he could be forced to backdoor HIBP, or more likely, Pwned Passwords.

    This is possibly a step by Troy to mitigate that risk, and given his position I’m surprised he didn’t mention that at all in this post.

  • by OJFord on 6/11/19, 5:00 PM

    In some ways, wouldn't it be great if the internet had evolved with, analogously to DNS, 'User Name Servers', like a sort of global distributed IAM?

    Leak monitoring would be a service provided by the UNS, not falling to a volunteer, and credential revocation could be automatic and immediate.

    I suppose we sort of have that bolted on with OpenID/OAuth, but that's still 'choose a provider' rather than 'this is the one way', with many servers run by different entities, but one 'system'.

  • by dhruvrrp on 6/11/19, 9:53 AM

    HIBP could be an excellent B2B offering for companies. Imagine someone like Microsoft offering it as an addon to their business clients to improve security practices.

    Or a more independent company offering it as a standalone service, kinda like Mozilla (Monitor) or even something like Symantec (tho they seem to be bleeding money recently).

  • by chaitanya on 6/11/19, 9:02 AM

    Many people here are assuming that Troy Hunt will leave HIBP after selling it. He explicitly mentions that he will remain a part of it:

    > I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

  • by djee on 6/11/19, 1:37 PM

    I guess he's feeling the heat of sites that do more than parsing emails from SPAM lists. These sites include full cracked passwords, HIBP 2.0, see e.g. https://scatteredsecrets.com/.

  • by dreamcompiler on 6/11/19, 3:22 PM

    Brewster Kahle, are you here? This seems like something in your wheelhouse.

  • by nebulous1 on 6/11/19, 9:56 AM

    I missed this verifications.io story and it appears that my personal email address was in the breach. Is there any way of knowing whether or not other data was associated with my listing? DOB, etc.

  • by Calib3r on 6/11/19, 6:29 PM

    It pains me to see how many posters on this thread are not aware of the leakedsource (.ru, .co, etc.) websites that show the exact thing HIBP shows, except with a much higher fidelity.

  • by runjake on 6/11/19, 3:09 PM

    Good luck to Troy. The money would be really good, but hopefully for the rest of us, he doesn't sell to Cisco.

    Or Oracle, or any other mega corps that buy and nerf the usefulness of the product.

  • by dheera on 6/11/19, 6:45 PM

    I came here hoping it was something about Svalbard. I went there a couple years ago in the dead of winter. It's an amazing place.

  • by ComodoHacker on 6/11/19, 7:39 AM

    I wish you luck, Troy! Just don't sell it to some data mining/ad company.

  • by yhoiseth on 6/12/19, 7:53 PM

    Maybe relevant for Stripe? Based on their acquisition of Indie Hackers, it seems like they're adept at this kind of acquisition. And online security contributes to their goal of increasing "the GDP of the internet."

  • by therealdrag0 on 6/11/19, 4:22 PM

    So many people saying the value of HIBP is the trust in Troy Hunt. But surely I'm not the only one that has used the service for years (and shared it with friends) without knowing anything about Troy Hunt...

  • by elamje on 6/11/19, 7:11 AM

    Troy is an awesome guy and I’m really happy that HIBP is outgrowing him to get more support, datasets, and features.

    I hope Have I Been Pwned goes to the right people and they do an even better job at moving it forward! Kudos Troy

  • by twayback on 6/14/19, 12:06 PM

    Guys, what's the fuss about? It's just a stupid database; anyone can make this by scraping hacker spoil dumps available on the internet.

  • by ThinkBeat on 6/11/19, 1:07 PM

    I hope that other companies will still be able to query the database for free. 1Password does it now and I like it.

  • by pbhjpbhj on 6/11/19, 8:09 AM

    tl;dr

    He's realised he's the single point of failure, can't do it all himself, wants to balance work & family. Doesn't want the work/cost of hiring people and making a business.

    So, he's preparing to sell it and there's a wishlist of what he'd like the new owner to do.

    Did I get it all?

  • by ddffre on 6/11/19, 10:05 PM

    His blog is really good, I have enjoyed reading his other posts as well.

  • by jedberg on 6/11/19, 9:26 AM

    TL;DR: Have I Been Pwned is for sale and is being renamed Project Svalbard. Troy is looking for buyers that will keep the service free, and he'll go work with the buyer.

  • by giorgioz on 6/11/19, 11:34 AM

    Wasn't HIBP going to be a B2B SaaS that you hook up at signup to forbid users from signing up with an email/password combination that has already been leaked? I'm a SaaS owner, I would pay for that.

  • by ga-vu on 6/11/19, 10:55 AM

    So why was the owner of LeakedSource arrested and charged, and this guy isn't?

    He did the same thing. Only instead of selling to hackers, he sold our hacked data to companies and governments.

  • by twayback on 6/11/19, 12:19 PM

    How is making money from stolen data legal? My email address is in the database and I never consented to it. Is there no legal repercussion?

  • by brightball on 6/11/19, 1:23 PM

    Best of luck Troy and keep up the good work!

  • by AngeloAnolin on 6/11/19, 4:13 PM

    I understand why Troy is doing this. Security is a big and complex endeavor and having the majority of the stuff done by himself alone is taking a toll.

    One option that Troy could have taken is to spin up a team / small company that would continue this project - with full control and guidance under his direction. That way, the trust that he has built from everyone in the community will be carried forward as the project progresses and matures further.

    This will also allow visibility and transparency knowing that the people who would be working on this project will have access to him and everyone is on board on the direction moving forward.

    Lots of companies / venture capitalists would be willing to support this cause which could provide the financing the project will need to be sustained and grow further.

  • by skc on 6/11/19, 10:26 AM

    He's still a Microsoft employee is he not?

    Wonder if he couldn't just bring it in-house?

  • by parliament32 on 6/11/19, 4:30 PM

    Summary: Troy is bored so he's selling out. Great.

  • by sschueller on 6/11/19, 10:44 AM

    Can we move the project into a blockchain and run it on IPFS?

    EDIT: Serious question, generate hashes out of the leaked logins, store them in a blockchain and provide an interface for lookup via IPFS. Those credentials are considered burned anyway, so storing them forever in a blockchain won't matter.

    Being in a blockchain anyone can access the data and use them for example on a registration page.