There must be large swaths of people that have either been careful or have specific emails that they use for certain purposes that haven't been pwned.
The question is, what should happen if I haven't been pwned? Should I not be able to purchase the thing, or would I face some annoying captcha?
I like Troy Hunt, but this idea penalizes people with good habits, and that is just something I can't support.
> Applying "Pwned or Bot" to your own risk assessment is dead simple with the HIBP API and hopefully, this approach will help more people do precisely what HIBP is there for in the first place: to help "do good things after bad things happen".
Original comment:
No, it doesn't penalize them (at least not his idea, implementations might), it simply fast tracks pwned emails and doesn't apply the normal bot checks that would otherwise apply to everyone.
This new approach seeks to extend this feature to the entire internet. What could possibly go wrong?
Back when I had a Facebook account I recall it suddenly up and demanding I scan my driver's license one day or I couldn't log in again... on the same and only machine I had actually used Facebook on.
> so they can verify that you didn't photoshop a fake government ID.
Huh. How?
Still active, and I've sold a handful of things with it.
So they admit that new generations are not interested in FB or Twitter and they will die with the boomer generation? If not then this logic makes little sense :)
Is it a black-and-white, silver-bullet, one-call-destroys-'em-all solution? Not even close. But, like he states in his article, from a "defence in depth" standpoint it's another strong signal.
Are you a bad guy just because you have a weirdo email (which I do)? No.
Are you a bad guy just because you use tor? No.
Are you a bad guy just because you're trying to make a purchase during an extreme surge? No.
Are you PROBABLY a bad guy given a weirdo email, you're on Tor, and you're trying to buy during a surge in purchases? I would say yes. I might not ban you outright, but you're going to jump through a lot more hoops than someone with an ancient email and a residential IP address.
I understand this kind of reasoning.
At the same time I see a potential to snowball. This will encourage people to move away from weird addresses. Which will make it an even more effective filter and will justify stricter measures. So more people will move away. Etc.
I use a self hosted VPN (digiOcean); but under duress, I'd be a jerk to me. tbh; most sites are, lol. I've given up youtube and google because I am reCaptcha'd to death...
To your actual point, I don't think it would be a deal killer per se in implementation. Weirdo@Weirdo.com isn't blocked because they show up in Troy's list of known emails.
Fakebook@Weirdo.com is suspicious in this model because it has not been seen before.
1. Periodically set up a legitimate-looking service, possibly proxying real services.
2. Wait a year or two for your fake service to permeate throughout the www and for search engines to index it.
3. Mix your bot email addresses with legitimate, previously pwned addresses.
4. Proclaim "woe is me, for thyself hath been pwned".
You can set up this process so that you can inject a couple 100k bot email addresses periodically every couple of months.
This is an incredibly shortsighted idea with the potential to hurt a lot of innocent people.
Same way some people just set up businesses with random names in tax-shelter territories and sell the company 10 years later to add a sense of legitimacy.
Plus, this might incentivize hackers to defeat the system by logging into and using email accounts pwned in these breaches.
This already happens at a large scale anyway.
There are hundreds, if not thousands, of "account shops" and sellers online selling hacked accounts for all sorts of services. Everything from Spotify to Twitter to news sites.
They ingest new breaches (or use automated tools to go hack sites and dump databases), and automatically test the leaked credentials against loads of shit using tools like OpenBullet or SentryMBA.
Those tools even integrate rotating proxies, captcha solvers, etc.
There are a few good talks on this, credential spraying and account shops.
I’ve started converting all my heritage details for already registered accounts.
Takes less than 2 minutes to create one with my paid mail provider.
On 2 occasions, I knew a system was compromised before an announcement because suddenly I was getting spam to the specific email address.
I’ve started using iCloud Hide My Email which generates a random email that forwards to my account email. This assumption is going to cause issues.
> (…) or even using a masked email address service such as the one 1Password provides through Fastmail. Absence of an email address in HIBP is not evidence of possible fraud, that's merely one possible explanation.
This depends on the lack of use of good tools like FF's relay to anonymize accounts. I mean, HIBP is great, but Troy is self-consciously not interested in handling subaddressing, which would improve his service and its (mis)use in detecting "humanness".
I don't think Troy is not interested in handling subaddressing in the general sense, I think he just dismisses it as "not worth the time" given current statistics.
If it is worth the time and you were writing one of these "Pwned or Bot" "email credit score" detectors, it is easy: you could easily strip +whatever before an @ and check if that exists as well. (Check both!)
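One way to do the "check both" lookup described in the comment above, as an added example that is not code from the comment, the article or HIBP itself; the breach set is constructed in memory and stands in for a real HIBP breached-account API lookup (which needs an API key and a network call):

```python
"""Check a possibly subaddressed email against a breach lookup, trying both
the address as given and its base form with the "+tag" stripped.

KNOWN_PWNED is a constructed in-memory set, NOT real HIBP data; swap in a
real HIBP breached-account lookup where it is used below.
"""
from typing import Optional

# Constructed sample of "seen in a breach" addresses (hypothetical).
KNOWN_PWNED = {
    "alice@example.com",
    "bob+shop@example.com",
    "carol@example.net",
}


def split_subaddress(email: str) -> tuple[str, Optional[str]]:
    """Return (base_address, tag): 'bob+shop@example.com' -> ('bob@example.com', 'shop').

    Only the local part (before the last '@') is inspected, and only the first
    '+' splits it, matching common plus-addressing conventions. Catch-all
    subaddressing (anything@example.com) is not recoverable from the address
    alone, so it is deliberately not handled here.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {email!r}")
    base_local, plus, tag = local.partition("+")
    return f"{base_local}@{domain}".lower(), (tag if plus else None)


def pwned_forms(email: str, lookup=KNOWN_PWNED) -> dict:
    """Check the address as given AND its '+'-stripped base form, reporting
    which of the two (if either) appears in the breach lookup."""
    given = email.strip().lower()
    base, tag = split_subaddress(given)
    result = {
        "given": given,
        "base": base,
        "tag": tag,
        "given_pwned": given in lookup,
        "base_pwned": base in lookup,
    }
    # Either hit is a "seen before" signal; absence of both is NOT evidence of a
    # bot, since masked/relay addresses and careful users never appear either.
    result["seen_in_breach"] = result["given_pwned"] or result["base_pwned"]
    return result
```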
> which would improve his service
It's not actually his service he's talking about in this particular article. He doesn't run an explicit "Pwned or Bot" "email credit score" service. He's pointing out it is an interesting use of the HIBP API and also to do it right it needs some sort of value add/scoring system, which he hints at ways to do that but does not provide one (and especially not as a service).
HIBP itself doesn't support subaddressing as a feature, but that's on purpose for a different reason: many of the people that use subaddressing, especially consistent users, use HIBP to narrow down specific account threats and it is useful to them today that HIBP tracks all of their subaddresses independently.
Without an idea of the percentage of emails that are still in the original owners' hands, this risks a high false negative rate.
This reminds me of Utility Monsters[0]. From Wikipedia:
> the utility monster, receives much more utility from each unit of a resource that it consumes than anyone else does. For instance, eating a cookie might bring only one unit of pleasure to an ordinary person but could bring 100 units of pleasure to a utility monster.
I'm a utility monster, and shops and convenience stores either love or hate us (since the monster consumer derives a skewed amount of utility from certain items). Some stores deliberately up their prices on certain items if they see utility monsters taking advantage, other times, they let the price remain stagnant, in full knowledge the utility monster brings them good business.
Compromised data: Email addresses, Geographic locations, Names, Professional skills, Usernames, Years of professional experience
Should we be using whether an email is pwned as input to anti-abuse systems to give them higher confidence?
It reminds me a bit of when the % of emails that were #spam vs ham crossed 50% many years ago.
That “extremely rare” is about plus-addressing. My experience is that catch-all subaddressing (e.g. *@chrismorgan.info in my case) is considerably more popular, only rare rather than extremely rare.
Who’s got the high score in here?
If people were content to get the product at a fair price, scalpers wouldn't be a problem in the first place. The whole reason scalpers are considered a problem is that people want the product at a cheaper than fair price, and scalpers prevent that by buying up any inventory that is being sold for below the market rate.
Basically, if companies employed the strategy you suggest, then they'd effectively become the scalpers in the eyes of people who consider scalping a problem, with all the PR issues associated with that.
That's not to say it's necessarily a bad idea though. Once you accept the fact that scalpers exist, it makes sense for companies to capture those profits themselves rather than let scalpers just have them for free.
All these methods of trying to recognize government ID pictures etc. just seem very inefficient and not accurate enough for widespread use.
Unfortunately, not many governments are well-run to manage such solutions.
And even if bank accounts were free, getting a bank account means accepting the terms and conditions written by the bank. Not to mention the laws and regulations regarding banking, which include sending your bank details to the US government, even if you are a European using a European bank.
Is it true that Nike actually wants to cut the snipers out? It seems like they're selling the shoes either way, possibly faster this way, and the resellers are doing free promotion for their shoes in order to resell them.
Did you know that, at least in my country, nearly everybody is behind CGNAT, so hundreds if not thousands of households have exactly the same external IP address, and this rotates very often. So you constantly have the same IP address, which hosts tons of torrents with porn or movies (nobody cares about torrents in my country), etc.
I guess I cannot effectively object to my email being included in data leaks…
Sounds like a self fulfilling prophecy, if they use these rules to authorize transactions.
Wanting an RNG / ping based system is not in everyone's interests. Plenty of people want to be able to just buy a product whenever they feel like it and not have to spam refresh at a specific time for a chance to get a product. Resellers offer this convenience and clearly people are willing to pay for it.
It's either some consumers get a good deal while others get nothing, or all consumers pay a fair price and get it.
This isn't even getting to the higher resale price if resellers are blocked because there is less competition between resellers.