Troy Hunt (of Have I been Pwned fame) has been a vocal proponent of cloud-first services for awhile. Last December, that strategy came back to bite him:
It all started with my monthly Azure bill for December which was way over what it would normally be. It only took a moment to find the problem…
He goes on to tell the tale in excruciating detail. Be careful out there, cloud natives.
Troy Hunt on just how easy it is to fool us humans with sneaky URLs that look like our most common and trusted domains, why a bunch of proposed solutions to this problem fall short, and what he believes are some actual solutions we can put in practice today.
Troy Hunt:
Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
It’s not open source yet, but it will be and Troy lays out his thinking and the process in this excellent write-up. Since HIBP’s data is both sensitive and the entire point of the software, there will be special consideration taken with it:
I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There’s no way to sugar coat this so I’ll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that’s ultimately ended up in my possession.
Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That’s non-trivial. Doable, but non-trivial.
