Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Open Source Security

Security Researcher Troy Hunt is Open Sourcing the Have I Been Pwned Code Base (troyhunt.com) 25

Security researcher Troy Hunt: Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
This discussion has been archived. No new comments can be posted.

Security Researcher Troy Hunt is Open Sourcing the Have I Been Pwned Code Base

Comments Filter:
  • Early leak (Score:4, Funny)

    by Anonymous Coward on Friday August 07, 2020 @09:44AM (#60376867)

    It's just a static page that says "Yes you've been pwned"

    • by grep -v '.*' * ( 780312 ) on Friday August 07, 2020 @01:52PM (#60377801)

      It's just a static page that says "Yes you've been pwned"

      Years ago (20 is a number) our boss was looking to buy a virus scanner product to alert the users if they had a virus. I offered to write it, for free -- to wit:

      Virscan.bat:
      @echo off
      echo off
      %ECHO_ON%

      echo You have a virus!
      :exit

      She was not amused. (Actually she was, but we still bought McAfee.)

      That was back in the days when I collected and stored viruses on floppies ... and I ended up with 2 entire bins of them. I basically treated the company as my own personal virus magnet.

      Of course, I also wrote my own, but for some reason it didn't get much traction:

      Virus.bat:
      @echo off
      echo off
      %ECHO_ON%

      copy virus.bat c:\
      echo c:\virus.bat >> c:\autoexec.bat
      echo Please insert a floppy and hit Enter.
      pause
      copy c:\virus.bat a:\
      echo You have been infected.
      echo Please remove the floppy, hand it to your neighbor, and have them run A:\Virus at their earliest convenience.
      echo Thank you.
      :exit

    • by GoRK ( 10018 )

      Minimum viable feature. Push it

  • The link in the summary is broken

  • by jellomizer ( 103300 ) on Friday August 07, 2020 @09:50AM (#60376895)

    A good Slashdot summary should have enough information for us to determine if we should read it or not. Not leave us hanging with some vague YouTube Thumbnail stater.

    • by deKernel ( 65640 )

      You must be new to /. because we haven't had that for YEARS. These days we get at best poorly worded summaries and typically just plain misleading AND poorly worded.

      • I was going to say how low my User ID is compared to yours. Buy you have a much lower one than I. So yes I am still considered new here.

    • by raymorris ( 2726007 ) on Friday August 07, 2020 @12:16PM (#60377409) Journal

      Here is more information. Right now, the HIBP team is Troy. (Plus thr pwoppw who send him data). If Troy gets hit by a bus, the service goes away. That's not good.

      He has selected someone to head it up, but it would be awfully hard for that one person to suddenly take over. HIPB now has APIs used by popular password managers and I think Firefox, so there is a lot of processing load and there is work to be done to support scaling. It's not just a MySQL database and a PHP script to submit a search, sitting on a server somewhere.

      People submit information to HIPB, including submitting their email addresses to search to see of their passwords have been leaked. We trust Troy isn't harvesting those email addresses for a marketing list or anything like that. There are various elements of "we just have to trust Troy". Seeing the code makes it easier to trust. (Not that he couldn't secretly run a modified code base, but transparency helps).

      It's also just too much work for one guy and he's *starting* to get a little burned out. Not that he's leaving any time soon, but he doesn't want to be the only person who can do any of the work, forever.

      I've been programming in the security space for 20 years, ane constantly studying my craft for those 20 years. I'm qualified to help, I'm willing to help, but HIPB isn't set up to allow me to help.

      For these reasons, he and a couple of trusted helpers are cleaning up his years of code to get it suitable for public release and maintenance.

  • *tips hat* We salute you.

  • The worst kind of click bait! Die! Die! Die!

  • by Octorian ( 14086 ) on Friday August 07, 2020 @12:08PM (#60377363) Homepage

    I hate to say it, but almost all of these sites/systems end up being far more annoying than useful. Why? Almost all the time, their alerts simply are not actionable. At best, they'll tell you that your username/email was included in a breach and often identify the breach itself by some nebulous data cache name that means nothing to you.

    They almost never tell you which site was actually breached, nor do they ever give you any hints as to what password was actually compromised.

    So really, when I show up in one of these alerts, I'm always asking myself:
    - Was this a recent breach, or a redundant alert from something I dealt with months ago?
    - What account do I actually need to update, if any, to be safe from this alert?

    These questions almost never seem to be answered. As someone who uses a password manager and a different random password for every site, there's no way I'm going to proactively hunt down and change every single entry in its DB when I get the "alert of the week."

    (FWIW, I once worked somewhere that somehow had access to a far better version of this data than they'll ever let the public get access to. That data actually did generate alerts that were actionable. I only wish I had a way to get useful alerts like that as a private individual.)

    • I can absolutely relate. I handle HIBP notifications for sveral thousand users, and there is indeed a step ij between getting the notification and taking action.

      The alert should guve the name of the breach. Check this page for the "missing information" you mentioned:

      https://haveibeenpwned.com/Pwn... [haveibeenpwned.com]

      That will tell you which information was leaked, from where.

      • by Octorian ( 14086 )

        The "name of the breach" is always the name of some aggregation of data or some backend service I've never heard of. It is almost never the name of an actual site I recognize or knowingly have an account with. Thus its useless and unactionable information.

    • Might be different for free emails, but we signed our business domain up with HIBP and the alerts tell us exactly the usernames (if the username is an email address) that has shown up in a breach. Once alerted, we can download that list into one of the formats his site offers, and then take any action needed.
      So there is that at least.
      But yeah, outside of that I could understand the frustration.
      • Ah, I think I see what you mean. So, the email you get (at least we get) tells you what breach it is for. But when you request the list of which email addresses were in the breach, you get all the email addresses for your domain that were in ANY breach, which is just extra noise. And there is no way to know if it was the email address itself, or the password that was breached.

        I could see how that is tough if 1) it isn't your own domain and 2) you re-use passwords and stuff.
        Since we don't, this is still ve
      • by Octorian ( 14086 )

        Knowing the username/email involved in a breach is also useless and unactionable information. That's a piece of information that is essentially common to 90% of my accounts.

        Unless I can actually find out the breached password (or a searchable fragment thereof) or the name of the actual site I knowingly have an account with, this information does me absolutely no good.

Trap full -- please empty.

Working...