
But we see that so often. The original founder of a thing has a list of requirements he wants met, he wants to stay onboard. But then stuff happens and the buyer uses his control. Think Instagram, Whatsapp, Tumblr(?) - there are a thousand examples.

I'd hope Troy reconsidered the "just create a business yourself" solution. That could be structured in a way that makes sure the trust Troy earned stays linked to the project. And a bootstrapped company starting from the profitable position I assume HIBP is in now (with the business deals) does not at all have to mean more work for him. He could just offload the work he can't handle anymore to employees.

An acquisition by anyone not as trustworthy as the current solution/the candidates like Mozilla mentioned here would be a disaster mid to long term.




This isn't by any means a belittlement of Troy Hunt, but here are some things to consider:

What makes Troy Hunt any more trustworthy? Do you think he can't make a mistake? What if his operation suddenly can't handle something because of X reason? What if he's breached himself or any of the services he's using break down or, worse, provide invalid data or incorrect data? What if user Y searches his site, finds out they aren't vulnerable due to a missed data dump or a data dump that hasn't been loaded yet, then all of a sudden gets compromised? Who's to say his employees won't screw something up?

Troy is right. He can't efficiently do this anymore. From the architecture I've seen, all he's doing is monitoring a Twitter feed for new data. What if that Twitter feed gets compromised and he just ends up uploading passwords? If he's dealing with millions of records, there is no way he could "manually verify" if every record was safe to upload, yet he claims he does manually verify them without much elaboration of the process...

Imagine allowing legitimate companies to upload their breaches to the site or maybe other security companies could upload data. It could be so much more accurate. Plus the extra hardware could handle the load and help verify the data being uploaded much better than the current operation.


I'm afraid I agree with basically nothing you've written here!

I trust Troy Hunt more than I trust OP's examples of Facebook and Verizon. I also trust his competence more than I trust theirs. Who's to say that anybody won't make any of the mistakes you mention? FWIW I would doubt he would sell to either of these companies, but it's undeniable that you give up control when you sell and people have made incorrect judgments before.

Nobody is suggesting he continue alone, rather that, if he feels that they're the only two options, he take some venture capital instead of selling the business.

The main reason not to do this is the one that he's given: it may not be the best thing for him personally, and the venture capital plan may be particularly negative for him. I think this reasoning has a lot of merit.


Your argument is self-contradictory because you seem to make an exclusion for Troy's fallibility by pointing to my same argument about the fallibility of others. There's no reason other than you think Troy is some superhuman.

Troy has basically said nothing about his manual verification process and he says it's the worst part of the architecture. There seems to be no mechanism for removing your email from the list once it's added, so he'll just keep adding/merging data I guess until it starts giving false positives. He doesn't have the infrastructure to make this scale into a reasonable utility. Even if he did hire employees, he's now delegating responsibility which will introduce new potential judgement holes into the process.

Simply put, it's too big for him. And it has nothing to do with trust. Venture capital is a crap excuse because now there's a profit motive for the service, for something that should arguably be non-profit. Venture capital has a track record of producing several high-profile companies that make no profit for years and are compromised in themselves.

The best thing he could do is pass it to Mozilla or some other tech non-profit. It would be even better if it was a government service.

Remember, the founder of Facebook still runs the company. It got big, and look what happened.


The argument was not self-contradictory. I did not say that Troy was infallible, I specifically said that anybody, not just Troy, could make the mistakes you listed. That was to demonstrate the fallacy in your argument that he should give up HIBP because he might make mistakes.

Contrary to what you say, Troy has detailed his verification process. There also is an opt-out form on the site which will allow you to remove your email from the current dumps and future ones.

Troy is talking about somebody acquiring HIBP. This implies he is not necessarily looking to give it away for free. There are already paid aspects of HIBP.

I would have no issue with it going to Mozilla.

I can't tell if you're joking by suggesting he give it to a government or by comparing him to Zuck.

I guess we're at least agreed on Mozilla, who he is already talking to.


I looked at his architecture diagram and his complaints about it. He specifically cites his manual verification process as being a problem and does not go into detail on how it's done. How do we know dumpmon is legit? That the file is a legitimate compromised file? Whether the file contains adequate data and is adequately scrubbed? Why isn't HIBP open source?

And what I was trying to argue is that we shouldn't put so much faith in one man. Whatever he does, it will more than likely not be feasible for him to control it all himself. Especially with the legal ramifications of storing private data.

And I don't know why you think it's a joke to trust the government with something like this. We trust them with a lot more dangerous things. Considering it's the only entity that can compel a business to do something, it could actually work out if there was ever a law requiring breaches to be reported.


> FWIW I would doubt he would sell to either of these companies

He might not, but 6 months later the company he sells to might. Or if public, it could be taken over with little choice in the matter.

As you say, control is gone once he sells.


But until that point, you might have a good enough product: One that has momentum and requires effort to corrupt, that users are aware of and have expectations about, and that presents value that people otherwise might not have known is possible. Control being lost doesn't necessitate that all the value & impact is lost with it.


I understand Troy, especially his fear of a burnout. That's no joke. I think there are several interesting companies, besides Mozilla. I could see F-Secure making an offer. HIBP ticks a lot of boxes when it comes to business security, password reuse being a big issue there. Mikko and his team have a proven track record and are well connected in the grey-hat area. Plus, they are in Finland, near to Norway :)


If F-Secure is in Finland, doesn't that mean they would have to delete user data on demand, undermining the service in doing so?


Undermine the service for whom? The person who asked to have their data removed, or the company who is interested in data about a specific person? If the answer is the latter then I think it's fair that the person can ask to have their information removed. I think that Troy understands this distinction too and I also hope that HIBP remains that way.


I wonder if you just have passwords and don't link them to usernames, then that wouldn't be "your data" because it can't be connected back to you?


>I could see F-Secure making an offer

I'd be surprised if F-Secure made another acquisition so soon.


For context, I've sold a business, been a full time entrepreneur for about 16 years, got it wrong many times and am currently the founder/CEO of a biz with a team of around 40 people, strong cashflow and we continue to grow and innovate - and we're founder controlled.

I met with Troy briefly for coffee about 8 to 12 months ago and we chatted a bit about this. I sensed his aversion to growing the biz back then. Seemed like he'd made up his mind. This post from him reinforces that. Even so I feel compelled to post a few thoughts.

Troy is an implementer. I was too. I was a dev guy who started as an ops guy. I really really wanted to build a business and for over a decade I tried to do it myself by writing my own code, doing my own ops, doing my own marketing and so on. It was very very hard, and after many failures and almost financially ruining me, I got to a place where I have an amazing biz and amazing team and I've turned myself into an exec who is no longer doing the day to day implementation, but is leading and coordinating.

This transition is very hard to make for folks like most of the people here - including myself. You have the sense that it's all on you. I need to repeat that in caps because that's how it feels. IT'S ALL ON YOU. I think this deep sense of accountability is what makes great devs and great ops people very good at what they do. But it also is perhaps what leads to burnout.

For an entrepreneur, it really is all on you. That work isn't going to do itself. And so that sense is even more visceral when you're a one man show. Now imagine you're running at the scale of HIBP. Pretty hardcore.

When I made the transition to being a leader and once I had a team behind me, the feeling was a bit like I'd imagine one might feel getting over a traumatic experience. It took a while. I felt like I could breathe again. I never wanted to go back to that place, if I have to be perfectly honest. It's a rough gig.

I think the trouble here is that Troy thinks that scaling HIBP is going to be more of the same. More of everything being on him, more work, more implementation, more accountability, more more more!!!

It doesn't work that way and I'm going to use my own path to growing a team (and regaining my sanity) to describe how it actually does (and can) work.

If one were to not sell HIBP and not raise money, but instead grow it into a business oneself, it might work thusly:

1. Immediately work on developing strong cashflow for HIBP. Unfortunately this step is going to take some implementing from Troy. However, with good planning, you can probably hire some help and perhaps even do so in exchange for equity/options if you hire a good lawyer and can structure a cost effective deal. This stage is critical and I'd encourage Troy to get as much advice from other seasoned entrepreneurs as possible. Not folks who have raised VC, but who have actually created cashflow out of thin air. It's a dark art, but many of us know how to do exactly that.

2. Once you launch, it will take a while for the full revenue potential of the business to reveal itself. Cashflow takes a while to kick in and you will take a while to optimize it. e.g. many simply won't know that HIBP now has a paid option. That will take months, perhaps longer. So keep working and wait it out. I've seen this in every single successful cash generating biz I've created. At first it's a trickle, then a stream, then a river, then a wonderful fun and exciting deluge.

3. Once you can demonstrate that the biz is clearly going to grow into something with strong cashflow, you can start making your first hires. I would suggest hiring dev first. At this point you are going to have to do something very difficult. Step back from the coal face and trust your first employee. This was huge for me but thanks to Harvard Biz Review etc. writing about this founder dilemma over and over, I was primed and I wasn't going to be the baker that can't get out of the kitchen. So I 100% delegated the job to an amazing person who remains with our team to this day. Once I could hire for ops, I did the same. Rinse, repeat. Grow the team.

4. As your expenditures increase, you will need to be very good at managing cashflow. That is because at some point growth will pause. When that happens, if you don't realize that you will run out of money in X months, it will sneak up on you and you will lose the business. It happens every week around the world. Execs take their eye off the cashflow for a few months and byeeeee. Not everyone has the appetite for finance. Some are mildly or even severely allergic. I'm on that spectrum and thankfully my co-founder has a passion for it and happens to be very good at it. This has literally saved our asses and we too went through that growth pause. So if you are allergic, find someone who isn't. This is critical.

Once you do the above, if you build a team you can trust and you are very good at stepping back, finding and motivating talented people and carefully guiding the direction of the biz, things can get weird. You'll see a lot of executives talking about burnout, about how they work 20 hour days and the pressures of being a leader etc. But in your case you'll find that you have more free time and more mental bandwidth to shape the direction of the biz. You'll wake up one morning not sure what to do because you won't have a job anymore. You will have fired yourself from dev, ops, customer service, finance, HR, marketing, blogging and everything else. You'll go "oh shit, what am I supposed to do?"

The answer to this question is really fun: Whatever you and the business want to do. And guess what? You have a CEO who is the company founder and has a ton of energy and bandwidth to continue innovating.

That's pretty much the end of this post. I want to add a few more notes:

Delegating is hard for several reasons: If you're a dev and you have to delegate dev, you need to realize there are developers out there that are better than you and you will need to learn to trust them. You also need to understand that you're firing yourself from a job you are passionate about - a job you have loved and gotten very good at for many years. This is tough.

To scale a biz, you need to continue to delegate, even the things you love doing. Troy loves blogging and he writes epic tomes. But this too will need to be delegated if he wants to run at maximum effectiveness. I know. I did this. It was very hard. But I now have about 5+ writers in our organization and it's freed me up to launch a video podcast which I am already beginning to delegate to a certain extent.

VC is certainly an option, but know that each round you raise will also raise the bar on what success means. Right now you own the biz and success means a team that frees you up and cashflow that pays everyone better than market rate salaries. After the first round, a $20MM exit will be the definition of success. After a B and then C round north of $100MM will become success. And so it goes.

I'd also like to note that HIBP has built an incredible brand and growth. This is very hard to do. As Naval put it in a conversation I had with him not too long ago, it's lightning in a bottle, and I truly think that HIBP is a great example of lightning in a bottle. This won't happen again in Troy's lifetime. And what he has right now makes it very easy to: recruit, hire, retain, get help from other entrepreneurs, find customers, convince them to sign up, convince them to pay, get them to continue to pay, etc. The list of benefits is long. This kind of biz and brand is very hard to create. Troy's personal reputation is sterling and he's one hell of a nice guy. He is young, smart, healthy, well spoken. Seriously, you don't see this very often and it won't happen again, so choose your path wisely if you're reading this Troy.

And finally - and this is really why I'm writing this as a reply to onli's post - I agree with their sentiment. Have no illusions that once you sell, you 'exit' in a very real sense. You are no longer the owner of the business. You are an employee. I'll also add that M&A folks are VERY good at selling the dream. I was recently at a certain multi-billion dollar company's offices; they were trying to buy us. Their offices are based on Lake Washington up here in the Pacific Northwest. The M&A guy actually suggested that once we join their team we can ride to work in our boat. But in his defense, that's his job. Sell the dream. However, in this case I know the reality because I've been here before. Monday morning after you sell your company you will commute to work in a car, sit in a cubicle or office if you're lucky and you will do what you're told to do by the new owners of your business.

You will stare through those bars longing to roam the great plains once again as a free and wild creature in control of your own destiny. Or as Bodhizafa said in the final scene of the original Point Break: You know I can't handle a cage, man!


HIBP shouldn't be for profit because it's harvesting personal data and it should be used as a mechanism for people to be aware of serious breaches. There's a lot of legal entanglement possible with this, with HIPAA being an example of what can happen. It's probably a more difficult path, but in my opinion, HIBP should be a tax-funded service because it's largely a public good product.


Fantastic post. This is exactly how it goes, especially with a bootstrapped company. Detachment and delegation are everything.


Excellent, excellent post. I do hope Troy reads it.


Hear, hear. I hope Troy, and others in similar shoes, will read this and consider it carefully.



