In 2013, I began to realize that data breaches were becoming ubiquitous. Indeed, such cases had become frequent, and the impact of these leaks on their victims, myself included, was growing. I was writing more and more blog posts on the topic, which seemed to me a fascinating segment of the infosec industry: how
password reuse between Gawker and Twitter led to massive acai berry spam on Twitter, and that
Sony Pictures passwords were really as bad as you would expect from those people, but damn, it was still shocking to see your own password in a leaked database. At the same time,
59% of passwords from the Sony database coincided with passwords from Yahoo mailboxes.
Around that time, the Adobe data breach happened, and that made me
really interested in this segment of the industry, not least because I was in that database. Twice. More importantly, it contained 153 million other people. It was an exceptionally massive leak, even by today's standards. All this together (the frequency of breaches, my analysis of the databases and the scale of Adobe) made me think: I wonder how many people know? Do they understand that their data has gone public? Do they understand
how many times? And, perhaps most importantly, have they changed their password (yes, almost always the only one) on the other services they use? And so the project was born:
Have I Been Pwned (HIBP): a way to check whether your data appears in a variety of leaked databases.
Let me briefly describe the current state of the service. There are almost 8 billion records in the database, almost 3 million people have subscribed to notifications, I have sent people 7 million messages about leaks of their data, another 120 thousand people are monitoring domains, for which they have made 230 thousand searches and I have sent them another 1.1 million notifications. On a normal day the site has 150,000 unique visitors, 10 million on an abnormal day, a couple of million more API hits and 10 million search queries. But now even these figures are being exceeded:
By the way, the service has
commercial subscribers who depend on HIBP. These are very different companies that already use it to inform
their customers. And there are
governments around the world that use HIBP to protect their departments,
law enforcement agencies that use it in their investigations, and all sorts of
other uses that I have never seen and could not even
imagine. And today, every line of code, every configuration and every leaked account is handled by me personally. There is no "HIBP team"; there is one guy who keeps it all afloat.
When I needed an infographic to explain the architecture, I
sat down and did it all myself. I found the source of each breached company's logo myself, cropped it, resized it and optimized it. Every time I disclosed a breach to a company that did not know about it, I had to deal with a whole pile of problems, and I did that too (believe me, this takes a lot of time and turned out to be the main bottleneck and the main obstacle to loading new data). Every media interview, every support request and, frankly, almost everything you could imagine was done by one person in his spare time. These are not just load problems; I became increasingly aware that I was the single point of failure. And that needs to change.
It's time to grow up
That was a long introduction, but I wanted to describe the situation so that it is logical to get to the point: it is time for HIBP to grow up. It's time to move from one guy doing what he can in his spare time to a better-resourced and better-funded structure that can do much more than I could on my own. To better understand why I'm writing this now, let me share a chart from Google Analytics:

The chart shows the 12 months to January 18 of this year, and the spike corresponds to
loading the accounts from Collection #1. It also corresponds to the day I left for Europe for a couple of weeks of "business as usual" conferences, preceded by several days with my 9-year-old son and good friends in a wooden cabin in the middle of the Norwegian snow. I was subjected to an unprecedented bombardment of emails, tweets and phone calls across every imaginable channel because of the
immense attention HIBP was receiving all over the world. And I turned off all the gadgets, sat by a small fireplace and enjoyed drinks and good conversation. At that moment I realized I was very close to burning out. I'm pretty sure I haven't burned out yet, but I also realized that I can see that moment in the not too distant future if I don't make some important changes in my life (I would like to write about this in the future, because there are some rather important lessons here, but for now I want to set the context in terms of timing and tell what happens next). All this happened at the same time as I was travelling the world, speaking at events, running workshops and doing a million other things so that life would go on as usual.
To be completely honest, it has been an extremely busy year. The extra attention HIBP began to receive in January never returned to the 2018 level; it just kept growing and growing. I made various changes to cope with the workload. Perhaps one of the most obvious is the massive decline in my participation in social networks, especially on Twitter:

Until December of last year, I tweeted an average of 1,141 times a month (for some reason the export function did not include May and June 2017 and only half of July, so I dropped those months from the chart). From February to May of this year, the number dropped to 315, that is, since January I have cut back on social networks by 72%. This may seem a frivolous fact, but it is a significant number that is directly related to the effect the attention on HIBP has had on my life. The same goes for the blog post statistics. I religiously published the weekly videos, but I had to cut back on all the other technical posts that I had been so fond of writing over the last decade.
When I returned from that trip, I had occasional conversations with several organizations that I thought might be interested in acquiring HIBP. These were conversations in a comfortable atmosphere with people I knew, so the situation did not cause any stress. This is not the first time I have had such discussions (I have done this several times before, when organizations approached me and asked whether I was interested in selling), but it was the first time since the overhead of running the service went off the charts. There was great genuine enthusiasm, but I quickly realized that when it comes to discussions of this kind, I am a complete novice. Of course, I can process billions of breached records and run online services used by hundreds of millions of people on my own, but this is a completely different game. It was time to call for help.
Svalbard project
Back in April, during a regular conversation with people from KPMG about the usual financial matters (I meet regularly with advisers because
my own financial situation has become more complicated), they offered to introduce me to their M&A department to find a new home for HIBP. This was a comfortable step for me: we have a long-standing relationship, and they understand not only the essence of HIBP but also the other sensitive things I constantly do online. It was an easy decision: I needed help, and they have the right experience and the right expertise.
Meeting these people, it quickly became clear what kind of support I really needed. The main thing I understood is that I had never taken the time to step back and look at what HIBP actually does. This may seem strange, but since the project grew organically over the years and I built it in response to a series of immediate needs, I never found the time to step back and take a holistic look at all of it. Nor did I have the time to see what it could do. I will return to this topic later: there are so many opportunities to do much more, and I really need the support of people who understand business.
One of the first tasks was to come up with a name for the project for sale: apparently, this is how things are done. There were a lot of terribly kitschy options and many others that leaned on infosec buzzwords, and then I had a thought: remember that massive seed store beyond the Arctic Circle? I had seen references to it before, and the idea of a huge repository storing something valuable to help humanity began to really resonate. It turns out that
this place is called Svalbard (the Svalbard Global Seed Vault) and looks like this:

It also turned out that it is located in Norway, and all this began to sound like a fitting name, starting with the obvious analogy of storing a huge number of "units". There is a
cool video, shot several years ago, which says that the capacity of the Seed Vault is about a billion seeds: not as many records as in HIBP, but you get the idea. So there is a name, and it is a bit strange. "Svalbard" is difficult to pronounce for those unfamiliar with the word (although
this video helps), just like ... pwned. And finally, Norway means a great deal to me: almost five years ago, my
first overseas talk took place there. I spoke in front of a packed hall, and as the audience left, each of them dropped a green rating card into the box.
It was a turning point in my career. In January of this year I was again in Norway when HIBP literally went crazy, as you saw in the earlier chart. It was there, in a small log cabin in the middle of the snow, that I realized it was time for HIBP to grow up. And by pure coincidence, today I am again publishing this article from Norway, having arrived at NDC Oslo for the sixth year in a row. As you can see, Svalbard is an appropriate name.
My commitment to the future of HIBP
So what does this mean if another company acquires HIBP? Honestly, I don't know exactly what it will look like, so let me just frankly share my thoughts as of today, and there are some really important points I want to emphasize:
- Searches for users should remain free. The service became so successful because I guaranteed the absence of any barriers for people looking up their data. And I definitely want it to stay that way. That is why this item is number 1.
- I will remain part of HIBP. I intend to be part of the transaction, that is, the company gets me along with the project. The HIBP brand is inextricably linked with mine, and for now I have to stay.
- I want to build many more features properly. There are a lot of things I want to do with HIBP that I simply could not do on my own. This is a project with great potential beyond what has already been achieved, and I intend to realize it.
- I want to reach a much larger audience than now. The audience is already huge, but it is still just a tiny fraction of the users who need to be informed about leaks of their personal data.
- Much more can be done to change consumer behavior. Credential stuffing is a huge problem right now, and it exists only because of password reuse. I want HIBP to play a much bigger role in changing how people manage their accounts.
- Organizations can benefit much more from HIBP. Following on from the previous point, online services can do much better at protecting their customers from this form of attack, and HIBP data can play a significant role (and some organizations are already taking advantage of this).
- There should be more disclosure, and more data. I have already mentioned how burdensome breach disclosure is, and Svalbard makes it possible to fix that. A whole bunch of organizations do not know they were breached, simply because I did not have time to deal with it all.
I have a clear understanding of which specific organizations can help with these points. There is also a second group for which I have tremendous respect, but who are less well equipped to help achieve this. As the process develops, KPMG will help to determine more clearly which organizations fall into the first category. I am sure you can imagine that there are very serious discussions: how HIBP will fit into the company, how they will help me achieve these goals and whether the company is suitable for a service as valuable as HIBP. I have some important personal considerations, including who I am comfortable working with, a flexible schedule and, of course, the financial side. I will be honest: it is equally difficult and exciting.
Before publishing this article, I contacted all the parties that might be relevant to the Svalbard project. I explained my motives and my view of the future of HIBP: that the project should not only become more reliable, but also significantly increase its influence on the situation with massive data leaks. This has already led to some really productive discussions with organizations that could help HIBP have a much more positive impact on the industry. There has been a lot of enthusiasm and support for this process, which is encouraging.
You may ask: why not register a commercial company and simply hire people? Of course, I had the opportunity to fund a company either on my own or through the various venture capitalists who have been knocking on my door for years. But I did not do that, because a commercial company greatly increases my responsibilities, while I needed the opposite. From that day on I could not just leave for a week, and if I tried to disconnect for just one day I would constantly worry about missing something important. Over time, creating a company might allow me to relax, but only after investing a significant amount of time (and money), and that is not what is needed at the moment.
Summary
I am extremely excited about the potential of the Svalbard project. In these early discussions with other organizations, I am already beginning to see the outlines of better management of the entire data breach ecosystem emerge. Imagine a future in which I can receive and process much more data, actively contact the affected organizations, help them through the process of handling the incident, help users like you and me better understand what is happening (and what to do about it) and, ultimately, reduce the damage from such leaks to organizations and users. And it goes much further, because after a breach much more can be done, especially in the fight against attacks like the high-speed automated account takeovers we see these days. I am really pleased with the success of HIBP, but for now this is only the tip of the iceberg.
I am making this decision while I have full control over the process. I am not under any kind of pressure (except a high workload, of course), and I have time for the search for a buyer to proceed as usual and to find the best candidate for the project. And as always with HIBP, I continue to do everything with full transparency, describing this process in detail here. I truly recognize the trust of users, and every day I am reminded of the responsibility that comes with that trust.
HIBP is less than six years old, but it is the culmination of my life's work. I still vividly remember the early 90s, when I first started building software for the Internet and dreamed of creating something big: "Isn't it amazing that I'm sitting here at home writing code that one day could have a real impact on the whole world?" I had a few false starts, and it took a combination of factors to make HIBP what it is today, and that is exactly what I was hoping for. The Svalbard project is the fulfillment of that dream, and I am extremely excited by the opportunities that will emerge as a result.