undefined | Better HN

0 pointseli6y ago0 comments

The bad guys have access to it either way. That's the whole point: this is data that already leaked.

0 comments

As discussed elsewhere in this thread, there are real benefits provided to bad guys by allowing them to look up this information about anybody in a central location.

ReverseCold6y ago

There are plenty of other similar services that you can find that cheaply do the same thing AND provide you with the leaked hashes/emails.

HIBP doing the same thing with less friction for people who are trying to learn about security is probably fine in comparison.

eliOP6y ago

This just feels like another iteration of the Full Disclosure debate.

zaroth6y ago

I’ve never heard Full Disclosure concepts applied to serving stolen PII in an API.

The reason is that the purpose of full disclosure is to shame the vendor into ensuring the patch is made, and to warn the user base that the attack is possible, while disclosing a flaw in a commercial product.

In this case, we are not effectively doing either naming or shaming by publishing actual email addresses, rather than just user counts and the type of hashing that was performed.

And at the same time the information being “bartered” is private user information and not merely identifying a flaw in a commercial product.

I fail to see how an API into the HIBP database can be justified under the concept of full-disclosure. Particularly when the service could have been implemented as an email report to the queried email address.

1 more reply

jtbayly6y ago

Interesting. Good point. I'll have to think about that.

sneak6y ago

It feels that way, but there is definitely a different utility value in “searchable by the whole world” and “leaked in obscure formats in small nonpublic forums”.

Troy has absolutely added value here, although 100% of the data is all “public” from having been leaked already.

Searching over data that was publicly available some time in the past (but isn’t now) is also a value, sort of like time-shifting of the publicness of the data...

j / k navigate · click thread line to collapse

0 comments

jtbayly6y ago

As discussed elsewhere in this thread, there are real benefits provided to bad guys by allowing them to look up this information about anybody in a central location.

ReverseCold6y ago

There are plenty of other similar services that you can find that cheaply do the same thing AND provide you with the leaked hashes/emails.

HIBP doing the same thing with less friction for people who are trying to learn about security is probably fine in comparison.

eliOP6y ago

This just feels like another iteration of the Full Disclosure debate.

zaroth6y ago

I’ve never heard Full Disclosure concepts applied to serving stolen PII in an API.

In this case, we are not effectively doing either naming or shaming by publishing actual email addresses, rather than just user counts and the type of hashing that was performed.

And at the same time the information being “bartered” is private user information and not merely identifying a flaw in a commercial product.

1 more reply

jtbayly6y ago

Interesting. Good point. I'll have to think about that.

sneak6y ago

It feels that way, but there is definitely a different utility value in “searchable by the whole world” and “leaked in obscure formats in small nonpublic forums”.

Troy has absolutely added value here, although 100% of the data is all “public” from having been leaked already.

Searching over data that was publicly available some time in the past (but isn’t now) is also a value, sort of like time-shifting of the publicness of the data...

j / k navigate · click thread line to collapse