Parler is a security disaster in progress.
First off, it’s a great demonstration of why depending on “cloud” providers brings in additional risks; sometimes risks that cannot be governed or mitigated. As you’ve probably heard by now, Amazon Web Services (AWS) has decided that Parler is violating their terms and conditions, and has told them “go host somewhere else.” That’s a problem because all of the other premium hosting platforms will probably also say that there’s no room at Hilbert’s Infinite Hotel, and they’re going to be stuck in the digital limbo that ate 4chan and Stormfront. They are probably toast; stick a fork in them, they’re done.
My take, all along, is that Parler was a skeeve-ball tossed by the Mercers. That’s the Mercers of Cambridge Analytica fame – the company that spectacularly imploded by demonstrating to everyone (especially Facebook) that their terms of service were a mess full of loopholes, and their internal APIs had inadequate controls against data-mining. So, Parler was created because: if you own the social media site, you don’t have to worry about the terms of service because you get to set the terms of service. My suspicions were further triggered when Parler’s sign-up process asks for your social security number, which is an extremely useful index key that Facebook would certainly never share with its advertising partners. This is an example of what I used to call the “kimono strategy” – what’s the best way to look inside someone’s kimono? Be the kimono. I recall a coffee-break conversation at a USENIX in 2000 where Dan Geer and I pondered the wisdom of offering to build social media / file sharing sites for the CIA (just read the terms of service very carefully!) but who wants to have those guys on your board of directors?
Thus, Parler gets to be a demonstration of two problems with cloud computing, simultaneously: 1) by being cloud-deplatformed and 2) by being an example of the kind of cloud service users should steer well clear of. By the way, since we’re on the topic of strategic computing, the White House’s continued reliance on Twitter, which started making noises about filtering Trump’s lies years ago, is one of those “holy shit you’re stupid!” moments. Why they didn’t stand up a filtered comment-board right on whitehouse.gov (where they could control the terms of service) shows how un-technically-savvy the Trumpists are. And these are the guys who made fun of the Obama administration’s initial capacity problems on healthcare.gov. Turning Twitter into critical infrastructure and then failing to control it is “hey, let’s attack Russia on foot without winter gear”-level stupid. In fact, if they had been smart, they would have set it up so anyone could deep-link to postings at a controlled link depth. That way, a zillion zombies could “share” Trumpian wit and wisdom to Twitter and Facebook and the White House could shrug and tell those guys “hey, not our problem.” Hell, they could make vast dollars selling the subscriber info, just like every other social media site. Screw it, go totus porcus and sell MyPillow ad space right on the main page. It would be unstoppable.
Parler also double face-punched itself by depending on Apple’s store and Google’s walled garden software for distribution. Because, “go to Parler.com and download our app (in the form of something that runs in a browser)” was too hard for one of Parler’s Mercer-funded software geniuses to think about. They could have trained their user community to treat them as a special case, but instead they, as Chuck Tingle would say, got “Slammed in the butt by appstore policy!” What strategic genius would think such a thing might happen? Hello, let me introduce myself:
Another problem Parler is unwittingly illustrating is one that most social media sites have, to some degree or another: they can be spidered. I’ve done consulting calls with some organizations that run really big sites (e.g.: Priceline.com) that have data that is extremely interesting to competitors. How do they stop spiders? Well, one way to do it is to hire extremely evil consultants and a few good coders; I’ll have to leave the rest to your imagination beyond one tidbit: once you identify that you’re being queried by a spider, you start giving it information that is subtly wrong. Oh, OK, here’s another: you modulate the dollar/cents combinations served to a suspected scraper, then look for that pattern appearing elsewhere on the internet. And the first rule of mobius-page is you don’t talk about mobius-page, and the second rule is you don’t talk about mobius-page, and the third…
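To make the two tricks above concrete, here is an added example (mine, not code from the post or from any site mentioned in it) of the mechanics: a crude heuristic that flags a session as a spider, a price feed that serves suspected spiders subtly wrong cents values derived from a keyed hash of (client, item), and an attribution routine that, given prices later spotted on some other site, works out which client they were served to. The key, catalogue, thresholds, session logs and client tags are all constructed for illustration.

```python
import hmac
import hashlib

# Constructed example of anti-scraper poisoning and price watermarking.
# Everything below (key, catalogue, thresholds, session logs) is made up.

# Assumed secret used to derive per-client perturbations; in practice it
# lives in a secrets store and gets rotated.
WATERMARK_KEY = b"example-watermark-key-not-for-production"

# Constructed catalogue: item id -> true price in cents.
CATALOGUE = {f"hotel-{n}": 5000 + 137 * n for n in range(1, 41)}

# Assumed heuristic: a session that pulls this many distinct item pages
# without ever fetching a stylesheet or script is treated as a spider.
SPIDER_PAGE_THRESHOLD = 20


def looks_like_spider(requests):
    """Crude spider heuristic over a session's request log.

    `requests` is a list of dicts with a "path" key. Browsers fetch assets
    alongside pages; bulk scrapers usually hit only the data pages.
    """
    item_pages = {r["path"] for r in requests if r["path"].startswith("/item/")}
    fetched_assets = any(r["path"].endswith((".css", ".js", ".png")) for r in requests)
    return len(item_pages) >= SPIDER_PAGE_THRESHOLD and not fetched_assets


def watermark_cents(item_id, true_cents, client_tag):
    """Return a subtly wrong price that fingerprints `client_tag`.

    The offset is 1..9 cents, derived from an HMAC over (client, item), so
    every item carries signal and the same client always sees the same
    wrong value (a spider comparing two fetches sees nothing suspicious).
    """
    mac = hmac.new(WATERMARK_KEY, f"{client_tag}|{item_id}".encode(), hashlib.sha256).digest()
    return true_cents + (mac[0] % 9) + 1


def price_feed(item_ids, client_tag, is_spider):
    """Serve true prices to ordinary clients and watermarked ones to spiders."""
    return {
        item: watermark_cents(item, CATALOGUE[item], client_tag) if is_spider else CATALOGUE[item]
        for item in item_ids
    }


def attribute_leak(observed, candidate_tags, min_matches=3):
    """Given (item -> cents) seen on some other site, name the likely source.

    Each candidate's watermark is recomputed and scored by how many observed
    prices it reproduces. True prices never match (offset is never 0), so a
    leak of untainted data returns None rather than a false accusation.
    """
    scores = {
        tag: sum(
            1
            for item, cents in observed.items()
            if item in CATALOGUE and watermark_cents(item, CATALOGUE[item], tag) == cents
        )
        for tag in candidate_tags
    }
    best = max(scores, key=scores.get)
    return best if scores[best] >= min_matches else None


# Constructed session logs: one bulk scrape, one person clicking around.
SPIDER_SESSION = [{"path": f"/item/hotel-{n}"} for n in range(1, 31)]
HUMAN_SESSION = [{"path": "/item/hotel-3"}, {"path": "/static/site.css"},
                 {"path": "/item/hotel-7"}, {"path": "/static/app.js"}]

if __name__ == "__main__":
    tag = "scraper-A"
    served = price_feed(list(CATALOGUE)[:10], tag, looks_like_spider(SPIDER_SESSION))
    # Later, those ten prices turn up on a competitor's site...
    print(attribute_leak(served, ["scraper-A", "scraper-B", "scraper-C"]))
```

The `is_spider` decision is the hook where the "subtly wrong" data goes; prices are just the easiest field to watermark because a few cents of noise is invisible to the scraper and unambiguous to you. The caveat is the false-positive cost: every session the heuristic misclassifies is a real customer being quoted a wrong price, so the threshold and the size of the perturbation need to be set with that in mind, and the watermark key has to stay secret or the scraper can strip the offsets as easily as you added them.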
Anyone who posts anything on Parler should have been assuming all along that the FBI and a zillion marketing companies had access to everything they were saying. Didn’t they read the warning label? It says “Free speech zone” not “private speech zone.”
Many organizations don’t want to respect the terms of service of a social media site, and simply scrape it for new pages and updates. I don’t have accurate information about this, but one of the clients I discussed this with in 2014 estimated that half of their site traffic was scraper-bots. That was a commerce site, not a social media site. Social media sites are probably 40% scraper-bots and 40% astroturfing sockpuppets. Sites like Parler and Daily Kos are particularly interesting for AI researchers who need training sets representing what a selection of rando internet chimps sound like when typing on a million keyboards. The training sets are useful for creating more, simulated, internet chimps. Oh, joy! Some days I am convinced that if all the humans left the internet, it would just keep yammering on in an endless feedback loop of sockpuppets, spambots, and Sam Harris fans.
Sure enough, when Parler got de-platformed, security researchers (or hackers, what’s the difference?) released complete scrapes of the platform. [cybernews]
Parler, a social network used to plan the storming of the U.S. Capitol last week, has been hit by a massive data scrape. Security researchers collected swaths of user data before the network went dark Monday morning after Amazon, Google, and Apple booted the platform.
The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced the scrape, claims that over a million video URLs, some deleted and private, were taken.
Of course! It’s probably one of many such archives. Heck there’s even some guy out there with an archive of Geocities and Myspace that you can download if you want to see what background image fashions looked like in the 90s.
What’s amazing is that some lunatic fringers didn’t see this coming. I guess they’re self-selected from the bottom of some bell curve or other.
Back in the 90s I taught a class for USENIX on secure communications over open networks. [ranum] I just reviewed my slides and they’re all mostly still applicable except that AOL Instant Messenger is gone. Like Parler. Buh-bye! But the point is: you can use other people’s communication channels to set up your own trust relationships. PGP-over-Parler would have been a terrific way to set up comms for insurgents, just like PGP-over-AOL IM and World of Warcraft chat would have been. As always, the security problem is how you establish and manage trust domains without getting eaten by management costs and complexity. The old tried-and-true system spies use, of cells, controllers, and cut-outs, has been used since at least the time of Elizabeth I if not earlier, because it works.
My main thing is what on Earth useful stuff did right-wingers have to say that made up 70 TB?! That’s a lot of data! I remember when the whole internet would have fit comfortably in that footprint. These guys must be doing some high-bandwidth, foaming-at-the-mouth free speech, indeed!