Disqus Demonstrates How to Do Breach Disclosure Right (troyhunt.com)
176 points by Artemis2 99 days ago | 53 comments

> They provided details - the passwords were salted SHA1 hashes which is not a pretty story to tell in this day and age, but they told it truthfully regardless

The leak is from 2012, which might explain SHA1 usage. It should still have been something better, even for that time, but still.

Anyway, I think it's pretty hilarious that we're now patting companies on the back after leaking 17.5 million user details. Not that Disqus' disclosure wasn't textbook. Just that it's now so normal for companies to leak things all over the place that we actually have Best Practices for what to do when (not if ;-) that happens.

Personally, I don't register with my real name and email anymore, anywhere. It's a bit of a pain in the ass sometimes, but worth it.
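An added example, not from the thread or from Disqus, of what "something better" than salted SHA1 looks like in practice: verifying a legacy salted-SHA1 row and transparently re-hashing it with PBKDF2-HMAC-SHA256 at the next successful login. The record layout, the iteration count and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune so one hash costs ~100 ms on your hardware


def legacy_sha1_record(password: str, salt: bytes) -> dict:
    """Constructed stand-in for a 2012-era row: one fast SHA1 over salt+password, no stretching."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return {"alg": "sha1", "salt": salt.hex(), "hash": digest}


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Slow, salted, iterated hash: each guess costs the attacker PBKDF2_ITERATIONS rounds."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS, "salt": salt.hex(), "hash": digest}


def _compute(record: dict, password: str) -> str:
    # Recompute the stored hash for a candidate password under the record's own algorithm.
    salt = bytes.fromhex(record["salt"])
    if record["alg"] == "sha1":
        return hashlib.sha1(salt + password.encode()).hexdigest()
    if record["alg"] == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iter"]).hex()
    raise ValueError("unknown algorithm " + record["alg"])


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Return (ok, record_to_store).

    On a correct password against a legacy SHA1 row the returned record is a fresh
    PBKDF2 one, so the fast hash can be dropped from the database without forcing
    a reset. Wrong passwords leave the stored record untouched.
    """
    ok = hmac.compare_digest(_compute(record, password), record["hash"])  # constant-time
    if ok and record["alg"] == "sha1":
        return True, pbkdf2_record(password)
    return ok, record
```

Rows that never see a successful login keep their SHA1 hash, so an upgrade-on-login scheme still needs a deadline after which remaining legacy rows are force-reset.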

As someone else said, it’s “when” not “if” when it comes to security. You could have the best defences possible, but all it takes is a vulnerability in something public facing, like a zero day (looking at you Equifax and Struts), and you’re instantly at risk.

Plus, this is ignoring the easiest option... just spear phish the employees, won’t be long before you get a catch or two.

Breaches are inevitable, it’s all about spotting them early and minimising their impact. Oh and strong hashes help :)

I don't agree. With proper design a zero day in a web-facing framework should not automatically expose a full database of sensitive user information to the internet.

In the land of infosec, it's always "when" something happens, not "if". You do your damnedest to shore up defenses but a breach is inevitable.

While we're on the subject, is there an alternative to Disqus that doesn't load three terabytes of stuff and have all the social-engagey functionality? I just want something that does comments.

Yes, I built Hosted Comments ( https://www.hostedcomments.com/ ) for the reason you mentioned as well as privacy concerns with ads and tracking scripts. Demo here: https://www.ploggingdev.com/2017/08/building-a-disqus-altern...

But the catch is that I don't have a free plan (yet) since I can't make any money off of users on the free plan. If you're interested though you are welcome to sign up and use the comments system for free. I can offer a few fellow HNers free access as a thank you to this community. If you decide to use the comments system, just send me an email to let me know so that I can mark the account as being on the free plan.

I'd love to see a $2 plan for blogs just starting out with <20k views. Right now 90% of the views I get are my own and I haven't gotten any comments on Disqus yet.

Thanks for the feedback, it's something I'll have to think about. If there is enough demand for a lower tier, I'll add it.

Have a look here, another embedded comments alternative. I'm looking to charge $2, + it's open source. Scroll down to the bottom, https://www.kajmagnus.blog/new-embedded-comments/

(The underlying discussion platform: https://www.effectivediscussions.org/ )

It has some cool features that people at HN might like: https://www.effectivediscussions.org/-32/how-hacker-news-can... (but I haven't ported all that to embedded-comments yet)

I really love how the embedded comments look, but I'm a bit concerned by your other sites. I want my content to be at the forefront, not the commenting system. Is that going to be an issue if I use your system, or are the extra features configurable?

Also, is there any possibility I could use my own users with your site? I don't want to have to make people sign up with another provider just to post comments.

EDIT: Your onboarding is really poor. I tried to create an account and it gave me some odd comments about an email "I specified in the config", and I have no idea what to do now. It seems I have half-created an account where my email is already used but I don't have a password to log in with. Neither can I reset my password or find documentation on how to embed comments.

EDIT 2: It looks like all the permalinks in your embedded comments point to the forum site? That's not something I want for my content, hmm.

Thanks, that was helpful feedback/info :-)

1) I'd like the blog post & content to be at the forefront too. What extra features do you have in mind that you would want to disable/configure? Were you referring to the sidebar with the most-recent-comments list maybe?

2) Use your own users: In the future, I would want to support that. Hmm. How would it work? Maybe your website could send a message to the iframe that "the current user is logged in, with username @Someone, real name Some-One, and (optionally) email@example.com?" — Or it could set some name-and-email cookie.

3) Onboarding: Ok really good to know that it's really poor. The email in the config — I should probably rephrase that, then, or maybe auto-pre-fill the email. It's the email one typed on the very first page, when one also picked a website name...

...What has happened is that you've specified which email the admin is going to have ... and later on you need to create the admin account. Maybe I could merge these steps into one. (They make more sense as 2 steps, when installing on a stand-alone server oneself — then, one first specifies the admin's email in a text config file.)

4) Permalinks are supposed to link back to the blog. However, for the blog to be able to scroll down & focus on the linked comment, I need to implement some message passing between the JavaScript code running directly in the blog, and the iframe with embedded comments (so the main frame gets to know how far down to scroll). I haven't done that yet, and was thinking that for now maybe it makes more sense to link to the comments over at *.ed.community (where scrolling works, no iframe).

If you got the impression that all this isn't super ready yet, then yes that's correct, it isn't. Hopefully a beta version at the end of October. One can use everything already but ... might be a bit frustrating sometimes right now. I'm about to deploy a new server, this weekend I would think, with instructions about how one configures embedded comments.

Thanks for your reply! Please feel free to email me if you want to talk about this more (email is in profile). To reply to your points:

1) I mainly noticed the permalink leading to the "forum" domain instead of the page the user is currently on (like Disqus does).

2) The easiest way would be for me to receive an API key from you beforehand, and send you the user's email if you need that (e.g. to email them), or just a random-looking user ID, along with HMAC((email/id, timestamp), API key). This way you can replay the HMAC and prove that I know the API key I'm authenticating this user with. The timestamp is there to prevent replay attacks later on (e.g. to expire the signature after X minutes).

3) Ah, I got confused because I closed the page at some point and came back, and was getting some errors I don't remember now but that were confusing me at the time. When I realized I can just continue the flow, it worked, but yes, I would have liked it to be a bit more straightforward. I tried to log in with Twitter but you wanted write permissions, so I didn't.

4) Hmm, the way Disqus does it is by linking to https://<theblog>.com/<post>#commentid and then using JS to scroll to the element pointed to by the hash. I don't think message passing is required?

In any case, your system was the most visually pleasing and easy to compose with of the five I've tried, so I'd be quite eager to implement it in a side-project I'm working on now. It's at a very early stage, but I'd be glad to give you feedback and pay for the product down the line (although I don't anticipate the project ever making any money or having many users, so I probably won't be able to pay much).
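The signed-login handoff sketched in point 2 above, as an added example that is not part of the thread or of either commenter's project: the blog signs (id, email, timestamp) with the shared API key, and the comments host recomputes the HMAC and enforces an expiry window. The field names, the 5-minute window and the placeholder key are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Shared secret the comments host hands to the blog out of band (constructed placeholder).
API_KEY = b"constructed-placeholder-api-key"
MAX_AGE_SECONDS = 300  # assumed: a signed login is only honoured for 5 minutes


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so both sides MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_login(user_id: str, email: Optional[str], api_key: bytes, now: Optional[int] = None) -> dict:
    """Blog side: assert who the current user is, bound to the moment of signing."""
    payload = {"id": user_id, "email": email, "ts": int(now if now is not None else time.time())}
    tag = hmac.new(api_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "hmac": tag}


def verify_login(message: dict, api_key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Comments host side: reject anything not signed by the key, then anything too old."""
    payload = message.get("payload")
    tag = message.get("hmac", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(api_key, _canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong tag cannot be narrowed down via timing.
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    ts = payload.get("ts")
    current = int(now if now is not None else time.time())
    if not isinstance(ts, int) or abs(current - ts) > MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

The timestamp only bounds how long a captured message stays valid; if a login must be single-use within that window, the host also has to remember the tags it has already consumed.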

Ok, email sent :-) (& permalinks fixed, now they point to the blog ... but I haven't yet deployed the changes.)

It looks like you are mostly targeting big customers (200k pageviews/month is already way beyond most private websites). I am skeptical whether that's the right demographic for such a service. The larger the website the less likely they use some turn-key solution. I would expect a much larger demand from small blogs.

>But the catch is that I don't have a free plan (yet) since I can't make any money off of users on the free plan

Free plans are there to provide marketing and free publicity, not direct income ;)

Just my two cents, obviously I haven't done any detailed market research.

Though I should have done this before starting development, I need to figure out the positioning of this product. Like you suggested, maybe I should be talking to smaller bloggers to start with.

Based on the initial feedback, there's serious demand for a free tier and people don't need much convincing to switch so I think it makes sense to have one for non-commercial personal blogs and websites. Once I have at least a few paying customers I plan to rollout the free tier with a focus on tech blogs. The idea is to avoid a situation where I'm supporting free tier users and footing non-trivial server bills without having any revenue.

There is always demand for a free tier, after all it's free. Don't listen to this feedback, freemium is a marketing tool that requires a lot of capital for scaling and additional support, nothing available when bootstrapping. 2 USD / month is hard too, because you will lose most of it to transaction costs. Maybe a yearly or one time fee for up to x comments? The free version could be a trial of sorts, the first 50 comments free.

What would your longer-term plan be for the free tier? If it doesn't eventually turn into revenue, it doesn't make sense to support. And Disqus seems to think the only way to monetize the free piece is through lots of tracking and ads.

I want to limit the number of free tier users to ensure that the cost of servers+support of free tier users is a small fraction of revenue. Since the backend does not do much beyond just serving comments and reordering the comments tree, it's pretty lean.

> If it doesn't eventually turn into revenue, it doesn't make sense to support.

I'll have to consider it a marketing expense.

I'd like to third the other children to your post. I'm working on a (free) side-project that is probably never going to see more than a few hundred users per month, so I can't really pay more than hosting just for comments, but I might be able to swing $2 for it.

Thanks for the suggestion! I definitely think there is a need for a fast, private and good commenting system.

EDIT: By the way, my username is "stavros" on your site. Also, your form says "site URL" but then complains about an invalid domain because I included the "https" part, which was a bit confusing.

> Also, your form says "site URL" but then complains about an invalid domain because I included the "https" part, which was a bit confusing.

I separated the URL scheme and domain name in the "Add website" form. I'm planning to update it to have a single URL field and handle the various cases: with and without URL scheme, figuring out whether a website supports https etc. I left it out of the initial version but I'll update the form to make it user friendly.

Isso is a pretty minimal self-hosted alternative https://github.com/posativ/isso

Isso is a lightweight, open source comment service, written in Python:


I'm developing an alternative, me too, here's a blog post incl. demo if you scroll down to the bottom: https://www.kajmagnus.blog/new-embedded-comments/ — the min.js.gz loaded on page load, is 150 kb.

Social-engagey? There's Gmail, Facebook, Twitter login, + email & password alternatively.

(The underlying discussion platform: (it's almost beta status) https://www.effectivediscussions.org/ — there's $2 embedded-comments hosting, + it's open source.)

There are several self-hosted alternatives, for example my own toy-project:


https://news.ycombinator.com/item?id=15428189 (yesterday)

>foxhop: I was wondering if you would entertain the idea of switching out Disqus comments for Remarkbox, a service that I'm trying to launch [...] https://www.remarkbox.com

"Less than a day earlier, they had absolutely no idea what was coming yet they managed to pull all this together in record time."

How is he sure that they had no knowledge?

What if they knew but were just waiting for someone with a blog or a Twitter account to make the "discovery"?

In any event, none of this would have happened if email addresses had not been collected.

There is no need to collect email addresses in order to allow internet users to post comments. Requiring email addresses serves no benefit to the user. It is just more gratuitous data collection. Data which eventually becomes the subject of yet another "data breach blog" entry.

> It serves no benefit to the user.

Persistent identity -> password-protected account -> email for recovery.

I certainly wish more places would make email addresses optional, but there is value in collecting them.

Why do I care about any of that? I just want to leave a comment on some random blog and maybe read a couple of replies. I have backed out of commenting numerous times because of this nonsense.

If you personally don't care, then it provides no value to you. That's fine. In that case you can hope that the blog allows anonymous commenting, which the blog author may or may not want to provide for various reasons.

And I would hope disqus offers them that choice. But even if it doesn't, there are many users who are not you and whose commenting patterns are not yours, and email collection still adds value for them.

I imagine very few users care about having a Disqus account. It's not a feature intended to make the user's experience a better one.

You're making two separate claims, and both of them are very different to the one I originally answered. I'm not really interested in going further with this.

I'm not. I said "I" as in "a user".

Spam reduction. They often require email authentication and this makes it more difficult to submit spam.

In a previous discussion here on HN, there were several folks who claimed that they were (or should have been) affected that did not receive a notification from Disqus but did receive a notification from HIBP.

According to their statement[0], they have 17.5 million emails to get out. Unless they routinely send several times that volume daily, they'll have to batch the notifications over the next few days or the entire thing will get blackholed.

[0] https://blog.disqus.com/security-alert-user-info-breach

> We are currently in process of emailing all of the impacted users directly. Getting all 17.5 million emails out will take us a few days, but we wanted to get this disclosure post out as soon as possible. Additionally we've posted links to this disclosure in our publisher admin panel, user homepages, and on disqus.com.

Their entire business is sending out emails to notify you when someone has replied to your comment.

I have two accounts, both infected according to Troy's site, but zero emails. Just double checked.

One account is the owner of several sites that use Disqus too! And a few bigger ones.

Would their reaction be so swift and competent if it wasn't Troy but someone with no name?

That level and timeline of response tells you a great number of things, regardless of the source:

1) they had a plan for breaches (it would be hard to cover all the ground without one)

2) they had technical controls/capability to respond (mass password reset)

3) they had clear and direct accountability all the way up to the CEO

Other than not having detected the breach, and using not-the-best (but not entirely the worst either) password storage, I don't know what else you could ask for.

> The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced.

Not everything is rosy. They didn't notice unauthorized access for 5 years.

Is this correct though? I had the email from Troy saying my email was in the breach but I haven't heard anything at all from Disqus...

Yes it is. Here's the official Disqus statement: https://blog.disqus.com/security-alert-user-info-breach

According to it:

> As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.

They even give a shoutout to Troy right at the end of that article.

Thanks for the link. This reply to a comment on that page gives the information I'm missing:

> "We are currently in process of emailing all of the impacted users directly. Getting all 17.5 million emails out will take us a few days, but we wanted to get this disclosure post out as soon as possible. Additionally we've posted links to this disclosure in our publisher admin panel, user homepages, and on disqus.com."

Hey, it's kind of appropriate that you find what you're looking for in the comments section on an article from the commenting platform itself. :)

I got an email, despite never having set up an account. I was able to reset my password and delete the account though. Before I did that I looked through the profile and settings, and it was completely blank aside from my email address.

I'm assuming one of the many people who use my gmail address by mistake tried to sign up with it.

This is the primary reason why I switched to using Fastmail with a custom domain. Sick and tired of other people using my email address for stuff, or worse, their friends regularly emailing me to organize get-togethers.

That won't help, I've had a "custom" domain since 1999. I still have people sign up to random services using my email address.

Try having a common name at gmail and you'll realize that in fact you are wrong, whatever problem you have at your own domain is peanuts in comparison to that nightmare.

Haha, I guess I'm also not publishing my email address anywhere as much as I can? I imagine that eventually the "secret" will get out, but at least I'll no longer have random generators using my email address? Don't rain on my parade, man, it's been quite peaceful over the last half year! :P

With FastMail, you can create unlimited (I think) aliases, so I've started creating one per service I use. I think this is a reasonable approach, though a bit of a pain.

I only give my personal alias out to close friends and family.

Perhaps it is coincidental, but disclosing the results at 4pm EST on a Friday afternoon helps "bury the bad news".

This ensures it falls outside the news cycle for most journalists and gets the minimum of coverage.

I have my mail in the breach, yet I don't have an account.

Perhaps I've deleted my account after 2012, but don't remember it.

Will be interesting to see if I receive email from them, despite not being a user anymore.
