I'd hope Troy reconsidered the "just create a business yourself" solution. That could be structured in a way that makes sure the trust Troy earned stays linked to the project. And a bootstrapped company starting from the profitable position I assume HIBP is in now (with the business deals) does not at all have to mean more work for him. He could just offload the work he can't handle anymore to employees.
An acquisition to anyone not as trustworthy as the current solution/the candidates like Mozilla mentioned here would be a disaster mid to longterm.
What makes Troy Hunt any more trustworthy? Do you think he can't make a mistake? What if his operation suddenly can't handle something because of X reason? What if he's breached himself or any of the services he's using break down or worse, provide invalid data or incorrect data? What if user Y searches his site, finds out they aren't vulnerable due to a missed data dump or data dump that isn't been loaded yet, then all of sudden gets compromised? Who's to say his employees won't screw something up.
Troy is right. He can't efficiently do this anymore. From the architecture I've seen, all he's doing is monitoring a twitter feed for new data. What if that twitter feed gets compromised and he just ends up uploading password? If he's dealing with millions of records, there is no way he could "manually verify" if every record was safe to upload, yet he claims he does manually verify them without much elaboration of the process...
Imagine allowing legitimate companies to upload their breaches to the site or maybe other security companies could upload data. It could be so much more accurate. Plus the extra hardware could handle the load and help verify the data being uploaded much better than the current operation.
I trust Troy Hunt more than I trust OP's examples of Facebook and Verizon. I also trust his competence more than I trust theirs. Whose to say that anybody won't make any of the mistakes you mention. FWIW I would doubt he would sell to either of these companies, but it's undeniable that you give up control when you sell and people have made incorrect judgments before.
Nobody is suggesting he continue alone, rather that, if he feels that they're the only two options, he take some venture capital instead of selling the business.
The main reason not to do this is the one that he's given: it may not be the best thing for him personally, and the venture capital plan may be particularly negative for him. I think this reasoning has a lot of merit.
I met with Troy briefly for coffee about 8 to 12 months ago and we chatted a bit about this. I sensed his aversion to growing the biz back then. Seemed like he'd made up his mind. This post from him reinforces that. Even so I feel compelled to post a few thoughts.
Troy is an implementer. I was too. I was a dev guy who started as an ops guy. I really really wanted to build a business and for over a decade I tried to do it myself by writing my own code, doing my own ops, doing my own marketing and so on. It was very very hard, and after many failures and almost financially ruining me, I got to a place where I have an amazing biz and amazing team and I've turned myself into an exec who is no longer doing the day to day implementation, but is leading and coordinating.
This transition is very hard to make for folks like most of the people here - including myself. You have the sense that it's all on you. I need to repeat that in caps because that's how it feels. IT'S ALL ON YOU. I think this deep sense of accountability is what makes great devs and great ops people very good at what they do. But it also is perhaps what leads to burnout.
For an entrepreneur, it really is all on you. That work isn't going to do itself. And so that sense is even more visceral when you're a one man show. Now imagine you're running at the scale of HIBP. Pretty hardcore.
When I made the transition to being a leader and once I had a team behind me, the feeling was a bit like I'd imagine one might feel getting over a traumatic experience. It took a while. I felt like I could breathe again. I never wanted to go back to that place, if I have to be perfectly honest. It's a rough gig.
I think the trouble here is that Troy thinks that scaling HIBP is going to be more of the same. More of everything being on him, more work, more implementation, more accountability, more more more!!!
It doesn't work that way and I'm going to use my own path to growing a team (and regaining my sanity) to describe how it actually does (and can) work.
If one were to not sell HIBP and not raise money but instead grow it yourself into a business, it might work thusly:
1. Immediately work on developing strong cashflow for HIBP. Unfortunately this step is going to take some implementing from Troy. However, with good planning, you can probably hire some help and perhaps even do so in exchange for equity/options if you hire a good lawyer and can structure a cost effective deal. This stage is critical and I'd encourage Troy to get as much advice from other seasoned entrepreneurs as possible. Not folks who have raised VC, but who have actually created cashflow out of thin air. It's a dark art, but many of us know how to do exactly that.
2. Once you launch, it will take a while for the full revenue potential of the business to reveal itself. Cashflow takes a while to kick in and you will take a while to optimize it. e.g. many simply won't know that HIBP now has a paid option. That will take months, perhaps longer. So keep working and wait it out. I've seen this in every single successful cash generating biz I've created. At first it's a trickle, then a stream, then a river, then a wonderful fun and exciting deluge.
3. Once you can demonstrate that the biz is clearly going to grow into something with strong cashflow, you can start making your first hires. I would suggest hiring dev first. At this point you are going to have to do something very difficult. Step back from the coal face and trust your first employee. This was huge for me but thanks to Harvard Biz Review etc writing about this founder dilemma over and over, I was primed and I wasn't going to be the baker that can't get out of the kitchen. So I 100% delegated the job to an amazing person who remains with our team to this day. Once I could hire for ops, did the same. Rinse, repeat. Grow the team.
4. As your expenditures increase, you will need to be very good at managing cashflow. That is because at some point growth will pause. When that happens, if you don't realize that you will run out of money in X months, it will sneak up on you and you will lose the business. It happens every week around the world. Execs take their eye off the cashflow for a few months and byeeeee. Not everyone has the appetite for finance. Some are mildly or even severely allergic. I'm on that spectrum and thankfully my co-founder has a passion for it and happens to be very good at it. This has literally saved our asses and we too went through that growth pause. So if you are allergic, find someone who isn't. This is critical.
Once you do the above, if you build a team you can trust and you are very good at stepping back, finding and motivating talented people and carefully guiding the direction of the biz, things can get weird. You'll see a lot of executives talking about burnout, about how they work 20 hour days and the pressures of being a leader etc. But in your case you'll find that you have more free time and more mental bandwidth to shape the direction of the biz. You'll wake up one morning not sure what to do because you won't have a job anymore. You will have fired yourself from dev, ops, customer service, finance, HR, marketing, blogging and everything else. You'll go "oh shit, what am I supposed to do?"
The answer to this question is really fun: Whatever you and the business want to do. And guess what? You have a CEO who is the company founder and has a ton of energy and bandwidth to continue innovating.
That's pretty much the end of this post. I want to add a few more notes:
Delegating is hard for several reasons: If you're a dev and you have to delegate dev, you need to realize there are developers out there that are better than you and you will need to learn to trust them. You also need to understand that you're firing yourself from a job you are passionate about - a job you have loved and gotten very good at for many years. This is tough.
To scale a biz, you need to continue to delegate, even the things you love doing. Troy loves blogging and he writes epic tomes. But this too will need to be delegated if he wants to run at maximum effectiveness. I know. I did this. It was very hard. But I now have about 5+ writers in our organization and it's freed me up to launch a video podcast which I am already beginning to delegate to a certain extent.
VC is certainly an option, but know that each round you raise will also raise the bar on what success means. Right now you own the biz and success means a team that frees you up and cashflow that pays everyone better than market rate salaries. After the first round, a $20MM exit will be the definition of success. After a B and then C round north of $100MM will become success. And so it goes.
I'd also like to note that HIBP has built an incredible brand and growth. This is very hard to do. As Naval put it in a conversation I had with him not too long ago, it's lightning in a bottle, and I truly think that HIBP is a great example of lightning in a bottle. This won't happen again in Troy's lifetime. And what he has right now makes it very easy to: recruit, hire, retain, get help from other entrepreneurs, find customers, convince them to sign up, convince them to pay, get them to continue to pay, etc. The list of benefits is long. This kind of biz and brand is very hard to create. Troy's personal reputation is sterling and he's one hell of a nice guy. He is young, smart, healthy, well spoken. Seriously, you don't see this very often and it won't happen again, so choose your path wisely if you're reading this Troy.
And finally - and this is really why I'm writing this as a reply to onli's post - because I agree with their sentiment. Have no illusions that once you sell, you 'exit' in a very real sense. You are no longer the owner of the business. You are an employee. I'll also add that M&A folks are VERY good at selling the dream. I was recently at a certain multi-billion dollar company's offices who were trying to buy us. Their offices are based on Lake Washington up here in the Pacific Northwest. The M&A guy actually suggested that once we join their team we can ride to work in our boat. But in his defense, that's his job. Sell the dream. However, in this case I know the reality because I've been here before. Monday morning after you sell your company you will commute to work in a car, sit in a cubicle or office if you're lucky and you will do what you're told to do by the new owners of your business.
You will stare through those bars longing to roam the great plains once again as a free and wild creature in control of your own destiny. Or as Bodhizafa said in the final scene of the original Point Break: You know I can't handle a cage man!
OTOH, it's kind of difficult to begrudge Troy gaining financially from HIBP, since he's spent years building it up and has helped increase security awareness for so many people.
It makes sense to tie it into the Firefox Account password manager too. Mozilla could leverage Troy's close connections with industry to have Firefox as the recommended secure & open-source option for enterprise clients.
Something that hasn't been touched on as much is the limitations that come with contracts for large commercial companies. Side projects are often expressly forbidden. Yes, Google with give you 20% time to work on your own ideas, but you can't then upload it to your personal website and call it your own - it becomes company property and may never see the light of day. I imagine that Mozilla are more open-minded in that respect. They also have plenty of experience with remote teams, which would work well for his family/travel tradeoffs.
Please, Mozilla - if this opportunity is offered to you, take it.
https://www.translatetheweb.com/?from=&to=en&a=https://t3n.d...
Though just realised, they're not that upfront about giving HIBP credit - If I were Troy this would peeve me a bit.
Maybe an organisation not involved in advertising at any level.
But I, personally, would now trust Mozilla with this, were there to take ownership.
"Troy Approved!"
Mozilla is a good group, they've had missteps but I find them trustworthy and the combination would be pretty trustworthy IMO.
Since Troy will still be involved, hopefully he can steer things in a direction that benefits everyone - or at least warn the public otherwise.
Another weird thought is that it's the sort of "baseline infrastructure" that should be "governmental" to the internet. Unfortunately the closest I can think to an existing model for that is ICANN and that may not be something to emulate.
I understand HIBP derives its value from grey-ish hats sharing with Troy any leaked dataset they find because they know him or because of his reputation.
If he leaves, it is not clear to me that his trust and reputation will stay behind with the company running HIBP. The minute HIBP ceases to be the central place for these new datasets to be shared, it ceases to be of any practical use.
He's made it pretty clear in the blog post that he intends to stay on and has acknowledged that his reputation plays an important part in making HIBP what it is.
Its quite interesting putting in various peoples email addresses to see what sites they are linked to. Maybe once he has made some money out of it, a GDPR claim and financial settlement can be made as he's made no steps to control the data privacy of Europeans.
Leak monitoring would be a service provided by the UNS, not falling to a volunteer, and credential revocation could be automatic and immediate.
I suppose we sort of have that bolted on with OpenID/OAuth, but that's still 'choose a provider' rather than 'this is the one way', with many servers run by different entities, but one 'system'.
1) most people don't want their information public and searchable to that extent
2) most orgs _want_ to silo you in or otherwise control your account
3) the org using x500 still needs to have their own permissions separate from the central directory, which is the harder part of auth[nz], so just rolling your own authn is often easier.
I think you're absolutely right in particular with #2.
But if it had come originally, alongside DNS, 'everything has an address, everyone has an identity', it might've been an unquestionable fact of the internet.
Orgs can't silo you in to their alternate net where they have a more desirable domain name, because it's just not practical or user friendly.
I just think it might have been so for user identity.
We should all do away with password complexity rules (except minimum length) and simply test a large, comprehensive exposed password bloom filter for membership. It's very fast (constant time) and efficient and if the test returns no, then it's safe for a user to select that password.
Here's the code: https://github.com/w8rbt/bp
Also note that this approach satisfies the updated (June 2017) NIST 800-63-3B password vetting guidelines.
He did the same thing. Only instead of selling to hackers, he sold our hacked data to companies and governments.
It's legal to sell armor piercing bullets, but marketing them as "cop killers" will not fly.
Wonder if he couldn't just bring it in-house?
https://www.troyhunt.com/microsoft-regional-director/ - "I’m not going to work for Microsoft and despite the title of “Microsoft Regional Director”, I’m no more an employee than what I was (and still am) an MVP"
IIRC aren't there actually privacy concerns regarding Proton? That may just be FUD.
Plus, I doubt they would maintain the level of transparency we've come to expect from HIBP. They don't seem very... transparent.
This is possibly a step by Troy to mitigate that risk, and given his position I’m surprised he didn’t mention that at all in this post.
It's not a repository or method of communications.
> I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.
But for his own well-being over time he needs to delegate and divest himself as the single bus factor for HIBP. But that does not have to happen instantly and can be gradual without affecting the value of HIBP (in money and usefulness for us).
Whoever purchases HIBP also knows this. And as with most acquisitions, they eventually oust the founders. But for it to be successful it is after a long time when it has properly matured into an organisation.
EDIT: Serious question, generate hashes out of the leaked logins, store them in a blockchain and provide an interface for lookup via IPFS. Those credentials are considered burned anyway so storing them for ever in a blockchain won't matter.
Being in a blockchain anyone can access the data and use them for example on a registration page.
Especially if privatized.
Blockchain is Very overrated, but it could be useful in keeping data "safe" where the temptation would exist to index or obscure results. Especially where data collection and censoring / disclosure has value to certain markets, i.e. Timed/rated or delayed disclosure, sic.
IDK, it's not impossible, but it's not my wheelhouse either.
I don't see any reuse or value to old databases and hashes being public, so it's missing that purpose to exist or be used/shared. Like a lot of blockchain is. It's not enough to exist, it has to be shared and kept alive. I suppose.
Still, If you look at the way AV and user security is handled, there are potential vectors to prevent or anticipate, especially if the process of disclosure is censored or segregated.
Perhaps also if they proactively lean towards purges or spontaneous negative actions, in order to obscure their intent or actual content / behavior.
HIBP relies on disclosure, and if it were woven into a typical service structure, there would be a temptation to "alleviate" the workload for customers, offering to "feed the beast" with positive results and competitive, defensive tactics against 3rd parties offering a similar product.
Which could segment the disclosure process, so that you would have multiple options, much the way that AV and Malware is handled.
And now you have the same failures as AV and Malware being segmented domains.
The probability of a corporation being incentivized to airbrush a 3rd party listing in a semi-corporate "index" or offering "alternatives" to anxious, very large corporations to disclosure or remediation. Especially if they deal with financial or legal data, or specific disclosure requirements.
And have problems with timely disclosure, or any disclosure.
Imagine if a clearing house for disclosure existed as a Symantec or Kaspersky "Subscription", with tiers of access and disclosure prevention for corporate members, wrapped up in a daily routine app, such as a 2FA/Password manager.
So that a disclosure would be made silently by the subscription service, without disclosing details, or the level of breach, etc. The accounts or corporations breached, would just have their entire client accounts auto-reset and the updated password would be applied to your password manager within a batch process without the user(s), the press, the security agencies, or the hacker(s) being notified.
That, instead of revealing the time period, the hashes of usernames & passwords, or the name of the user, or their IDs, it would just be rotated on a regular basis, and invisibly managed.
Its a concept with some value, ie "paranoid" security features as a service, to prevent or anticipate disaster, sic. But handled via a handshake type batch process of cycling password management.
But this also has potential for occlusion and obfuscation, especially in examples where the breach would be a crime, or need to be disclosed to federal/state/police agencies, etc.
Thankfully, most security policy would prevent this kind of amorphous takeover, but for small businesses and large businesses, having access security taken away and handled by 3rd parties, for convenience, is inevitable.
Or a more independent company offering it as a standalone service, kinda like Mozilla (Monitor) or even something like Symantec (tho they seem to be bleeding money recently)
I went in the dead of winter, so might be a little different from what you might experience in summer. https://www.facebook.com/dheera/media_set?set=a.101010917929...
Note, my comment is not about Troy. Security-wise, I think the trust he carries is well-deserved.
He's realised he's the single point of failure, can't do it all himself, wants to balance work & family. Doesn't want the work/cost of hiring people and making a business.
So, he's preparing to sell it and there's a wishlist of what he'd like the new owner to do.
Did I get it all?
Or Oracle, or any other mega corps that buy and nerf the usefulness of the product.
I hope Have I Been Pwned goes to the right people and they do an even better job at moving it forward! Kudos Troy
One option that Troy could have done is to spin up a team / small company that would continue this project - with full control and guidance under his direction. That way, the trust that he has built from everyone at the community will be carried forward as the project progresses and matures further.
This will also allow visibility and transparency knowing that the people who would be working on this project will have access to him and everyone is on board on the direction moving forward.
Lots of companies / venture capitalists would be willing to support this cause which could provide the financing the project will need to be sustained and grow further.
