티스토리 뷰
Mark Burnett is putting his database into the public domain to help improve online security, but fears an FBI raid his actions
You know what's cooler than a million passwords? 10m passwords. Although even Facebook-era Sean Parker might raise an eyebrow at said passwords being published online alongside their associated usernames for all to see
That's what security researcher Mark Burnett has done, though - but his intentions are benign. Burnett has built his database of usernames and passwords for the purposes of reseach into how password security can improve
Frequently I get requests from students and security reseachers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world," he wrote in a blog post this week
Burnett has done exactly that, despite fears that he could be arrested for releasing the information. As evidence, he cited the case of journalist Barret Brown, who posted a link in a chatroom to a "data dump" of leaked personal information of private intelligence firm Stratfor in 2012
"Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to," wrote Burnett
In his blog post, Burnett explained that by publishing his own dataset of usernames and passwords, he wants to "further research with the goal of making authentication more secure" rather than harm the security of those internet users
"Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone
Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime
Burnett stressed that he had removed the domain portion from email addresses; mixed data samples from various security breaches over the last 10 years to avoid any single company's data being too obvious; removed keywords that might give away the source of the logins removed credit
card and financial account numbers; stripped out as many entries from government and military sources as he could; and manually reviewed the data to remove any other information that might be linked to an individual
He added that all the data is, or at least was, available to anyone and discoverable via search engines, suggesting that it was thus aleady available to cybercriminals, and also that breached companies have already had plenty of time to reset passwords and warn their employees
"I could have released this data anonymously like everyone else does but why should I have to? I clearly have no criminal intent here," wrote Burnett.
"It is beyond all reason that any researcher, student, or journalist have to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us"
The dataset, made available as an 84.7MB download, appears to have been popular:
Burnett has also been tweeting links to researchers who've been exploring the data, including a Twitter account - @10millioncombos - which is a bot tweeting all the logins from his password dump
He added a further defence against accusations that publishing the data will harm internet users' security rather than improve it. "No, every hack today wasn't because of the passwords I released. Seriously you people are like my father-in-law when I fix his computer"
fix his computer
wasn't because of the passwords I released
rather than improve it
added a further defence against accusation that publishing the data will harm internet users' security
has also been tweeting links to researchers who've been exploring the data
appears to have been popular
instead of trying to find ways to use the laws against us
to be afraid of law enforcement agencies that are supposed to be protecting us
is beyond all reason that any researcher
clearly have no criminal intent here
could have released this data anonymously
breached companies have already had plenty of time to reset passwords and warn their employees
was thus aleady available to cybercriminals
discoverable via search engines
might be linked to an individual
manually reviewed the data to remove any other information that might be linked to an individual
stripped out as many entries from government
might give away the source of the logins removed credit card
from various security breaches over the last 10 years to avoid any single company's data being too obvious
stressed that he had removed the domain portion from email addresses
would consider releasing the actual data to the public a crime
was considered trafficking
simply linking to already released authentication features in a private IRC channel was considered trafficking
combined they become an authentication feature
are afraid to publish username
has been greatly neglected and can provide as much insight as studying passwords alone
rather than harm the security of those internet users
wants to further research with the goal of making authentication more secure
by publishing his own dataset of usernames
even more concerning is that Brown linked to data that was already public
potentially face serious charges
suddenly even linking to data was an execuse to get raided by the FBI
a data dump of leaked personal information of private intelligence firm
cited the case of journalist Barret Brown
despite fears that he could be arrested for releasing the information
provide a clean set of data to share with the world
typically devline to share the passwords
get requests from students
for the purposes of research into how password security can improve
has built his database of usernames
his intentions are benign
might raise an eyebrow at said passwords being published online alongside their associated usernames for all to see
is cooler than a million passwords
to help improve online security, but fears an FBI his actions