Svalbard - new name for Have I Been Pwned project before sale

Original author: Troy Hunt
In 2013, I began to realize that private data leaks were becoming ubiquitous. Indeed, such cases have become more frequent. And the influence of these leaks on their victims, including me, has increased. Increasingly, I wrote on a blog on this topic, which seemed to be a fascinating segment of the information security industry: how the reuse of passwords on Gawker and Twitter led to massive blueberry spam on Twitter, and that the passwords of Sony Pictures users turned out to be really as bad as possible to expect from these people, but damn it, it is still shocking to see your password in this leaky database. At the same time, 59% of passwords from the Sony database coincided with passwords from Yahoo mailboxes.

Around that time, Adobe was leaking data and it made me really interested in this segment of the industry, not least because I was in that database. Twice. Most importantly, it contained 153 million other people. It was an exceptionally massive leak, even by today's standards. All this together - leak rate, my database analysis and Adobe scale - made me wonder: I wonder how many people know? Do they understand that their data is publicly available? Do they understand how many times? And, perhaps most importantly: have they changed their password (yes, almost always the only one) in other services that they use? And so the Have I Been Pwned (HIBP) project was born: finding your passwords in a lot of leaked bases.

Let me briefly talk about the current affairs of the service. There are almost 8 billion records in the database, almost 3 million people signed up for notifications, I sent people 7 million messages about the leak of their data, another 120 thousand people monitor domains, they made 230 thousand search queries and I sent them another 1.1 million notifications by mail. On a normal day, the site has 150,000 unique visitors, 10 million on an abnormal day, a couple more million API hits and 10 million search queries. But now even these numbers are exceeded:

By the way, the service has commercial subscribers that depend on HIBP. These are a variety of companies that already inform their customers. And there are governments around the world that use HIBP to protect their departments, law enforcement agencies that use it for their investigations, and all sorts of other uses that I have never seen or even imagined. And today, every line of code, every configuration and every leaked account is processed by me personally. There is no “HIBP team,” there is one guy who keeps it all afloat.

When I needed infographics to explain the architecture, I sat down and did everything myself. I myself found the source code of each logo of the hacked company, cut it, resized and optimized. Each time I disclosed information about hacking a company that did not know about it, I had to rake up such a bunch of problems, and I also dealt with it (believe me, it takes a lot of time and turned out to be the main bottleneck and the main obstacle to downloading new data). Every interview in the media, every request for support and, frankly, almost everything you could imagine, was done by only one person in his spare time. This is not just a load problem; I became increasingly aware of the fact that I became the only point of failure. And it needs to be changed.

It's time to grow up

It was a long introduction, but I wanted to describe the situation in order to get to the point logically: it's time for HIBP to grow up. It's time to move from one guy doing what he can, in his spare time, to a more resourced and better funded structure that can do a lot more than I ever could on my own. To better understand why I am writing this now, let me share the image with Google Analytics:

The graph displays 12 months until January 18 of this year, and the surge corresponds to loading the accounts from Collection #1. This also corresponds to the day when I went to Europe for a couple of weeks of “ordinary business” conferences, which were preceded by several days of talking with my 9-year-old son and good friends in a wooden hut in the middle of Norwegian snows. I was bombarded unprecedentedly with emails, tweets, phone calls on every imaginable channel because of the huge attention that HIBP has received around the world. And I turned off all the gadgets, sitting by the small fireplace, enjoying drinks and good conversation. At that moment, I realized that I was very close to burnout. I am quite sure that I have not burned out yet, but also realized that I can see this moment in the not too distant future if I do not make some important changes in my life (I would like to talk about this in the future, because here are some pretty important lessons, but now I want to establish a context in relation to time and tell what will happen next). All this happened at the same time as I traveled the world, spoke at events, conducted seminars and did a million other things so that life went on.

To be completely honest, it was an extremely busy year. The additional attention that HIBP began to receive in January never returned to the level of 2018, it simply continued to grow and grow. I made various changes to adapt to the workload. Perhaps one of the most obvious is the massive decline in participation on social networks, especially on Twitter:

Until December of last year, I tweeted an average of 1,141 times a month (for some reason, the export function did not include May and June 2017 and only half of July, so I omitted these months on the chart). From February to May this year, the number dropped to 315, that is, from January I refused social networks by 72%. This may seem like a frivolous fact, but this is a significant number that is directly related to the impact on my life of attention to HIBP. The same thing if you look at the statistics of blog posts. I religiously published weekly videos, but I had to cut back on all the other technical posts that I loved writing in the last decade.

When I returned from this trip, I had occasional conversations with several organizations that I thought might be interested in buying HIBP. These were conversations in a comfortable atmosphere with acquaintances, so the situation did not cause any stress. This is not the first time I have had such discussions - I have already done this several times when organizations contacted and asked what my interest in the sale was - but this was the first time since the overhead of managing a service went beyond schedules. There was great genuine enthusiasm, but I quickly realized that when it comes to discussions of this kind, here I am a complete layman. Of course, I can process billions of jailbroken entries and run online services alone that are used by hundreds of millions of people, but this is a completely different game.

Svalbard Project

Back in April, during a regular conversation with people from KPMG about some ordinary financial things (I regularly met with consultants, as my own financial condition became more difficult), they suggested talking with their M&A department staff about finding a new home for HIBP. It was convenient for me to do this: we have a long-term relationship, and they understand not only the essence of HIBP, but also other sensitive things that I constantly do online. This was an easy decision: I needed help, and they have the right experience and the right expertise.

Meeting these people, it quickly became clear what kind of support I really needed. The main thing that I realized was that I never took the time to step back and see what HIBP actually does. This may seem strange, but since the project has grown organically over the years, and I built it in response to a combination of urgent needs, I did not find the time to step back and take a holistic look at all this. And I did not have enough time to see what he could do. Later I will return to this topic - how many opportunities to do much more, and I really need the support of people who are versed in business.

One of the first tasks was to come up with the name of the project for sale: apparently, this is how things are done. There were a lot of terribly kitsch options and many others that relied on infosec buzzwords, and then I had the thought: remember this massive seed storage beyond the Arctic Circle? I saw links to it before, and the idea of a huge repository storing something valuable to help humanity began to really resonate. It turns out that this place is called Svalbard (the World Seed Store on Spitsbergen) and looks like this:

It also turned out that it was in Norway, and all this together began to sound like a proper name, starting with the obvious analogy of storing a huge number of “units”. There is a cool video shot a few years ago, which says that the capacity of the World Repository is about a billion seeds - not as many entries as in HIBP, but you understand the idea. So there is a name: it is a little strange. Svalbard is hard to pronounce for those who are not familiar with the word (although this video helps), just like ... pwned. And finally, Norway is of great importance to me: almost five years ago, my first foreign performance took place there. I spoke in front of a crowded room, and when the audience left, each of them threw a green rating card into the box.

This was a turning point in my career. In January of this year, I was again in Norway, when HIBP literally went crazy, as you saw in the previous chart. It was there, in a small log cabin in the middle of the snow, I realized that it was time for HIBP to grow up. And by pure coincidence, today I am publishing this article again from Norway, having come to NDC Oslo for the sixth year in a row. As you can see, Svalbard is a good name.

My commitment to the future of HIBP

So what does it mean if another company acquires HIBP? Honestly, I don’t know exactly how it will look, so let’s just openly share my thoughts for today, and there are some really important points that I want to emphasize:

  1. Search for users should remain free. The service was so successful because I guaranteed the absence of any barriers for people who are looking for their data. And I absolutely want it to stay that way. Therefore, this item goes at number 1.
  2. I will remain part of the HIBP. I intend to become part of the transaction, that is, the company will receive me along with the project. The HIBP brand is inextricably linked with mine, and I must stay now.
  3. I want to competently implement much more functions. There are tons of things that I want to do with HIBP, and just could not do them myself. This is a project with huge potential beyond what has already been achieved, and I intend to do it.
  4. I want to reach a much larger audience than now. Now the audience is huge, but still this is just a tiny bit of users who need to be informed about leaks of their personal data.
  5. Much more can be done to change consumer behavior. Automated account hijacking (credential stuffing) is a huge problem right now, and it only exists because of password reuse. I want HIBP to play a much larger role in changing the way people manage their accounts.
  6. Organizations can benefit much more from HIBP. Following the previous paragraph, user services can protect their customers much better from this form of attack, and data from HIBP can play a significant role (and some organizations already take this opportunity).
  7. There should be more openness - and more data. I have already mentioned how burdensome the responsibility of revealing the fact of hacking, and Svalbard makes it possible to fix it. A whole bunch of organizations do not know that they were hacked, simply because I did not have time to deal with all this.

I have a clear understanding of what specific organizations can help with these points. There is also a second group, to which I have great respect, but who are worse equipped to help achieve this. As the process develops, KPMG will help to more clearly determine which organizations fall into the first category. I am sure you can imagine that there are very serious discussions: how HIBP will fit into the company, how they will help me achieve these goals, and whether this company is suitable for such a valuable service as HIBP. I have some important personal considerations, including who I feel comfortable working with, a free schedule, and, of course, the financial side. To be honest, it’s equally challenging and exciting.

Before publishing this article, I contacted all interested parties that may be relevant to the Svalbard project. I explained my motives and my view on the future of HIBP: that the project should not only become more reliable, but also significantly strengthen its influence on the situation with massive data leaks. This has already led to some really productive discussions with organizations that could help HIBP have a much more positive impact on the industry. There was great enthusiasm and support for this process, which is encouraging.

You may ask, why not register a commercial company and simply not hire people? Of course, I had the opportunity to finance the company either on my own or through various venture capitalists who had knocked on me for many years. But I did not, because a commercial company significantly increases my responsibilities, while I needed the opposite. From this day I couldn’t just leave for a week, and if I tried to disconnect even for a day, I would constantly worry that I would miss something important. Over time, the creation of a company can allow me to relax, but only after investing a significant amount of time (and money), and this is not what is needed at the moment.


I am extremely excited about the potential of the Svalbard project. In these early discussions with other organizations, I am already starting to see how the outlines of better management of the entire ecosystem in the area of data leaks appear. Imagine a future in which I can receive and process much more data, actively contact the affected organizations, help them in the process of resolving the incident, help users like you and me better understand what is happening (and what to do about it) and, ultimately, reduce the harm from such leaks to organizations and users. And this goes much further, because after the leak you can do much more, especially in the fight against attacks like automatic hijacking of accounts at the high speed that we see these days. I am really pleased with the success of HIBP, but so far this is just the tip of the iceberg.

I made this decision when I have full control over the process. I am not under any kind of pressure (except for a high workload, of course), and I have time for the search for the buyer to go their course and find the best candidate for the project. And as always with HIBP, I continue to do everything with complete transparency, describing this process in detail here. I really recognize the trust of users and every day they remind me of the responsibility that comes with this trust.

HIBP is less than six years old, but it is the culmination of the work of my whole life. I still vividly remember the beginning of the 90s, when I first started creating software for the Internet and dreamed of creating something big: “Is it not surprising that I sit here at home and write code that one day can have a real impact on the whole world?” I had several false starts and it took a combination of factors to make HIBP what it is today, and that’s exactly what I was hoping for. The Svalbard project is the realization of this dream, and I am extremely excited about the opportunities that will arise as a result.
