Parler’s amateur coding could come back to haunt Capitol Hill rioters

arstechnica.com

75 points by vectorbunny 5 years ago · 51 comments

LarryDarrell 5 years ago

From what I understand, Parler was bankrolled and designed to do exactly what it was ultimately shut down for. That is, be a concentrated anger-machine-echo-chamber. I'm not angry at the public corporations that have dropped Parler. I'm angry at the people that created Parler in the first place. It was basically a poison pill designed to test our feelings about free speech, designed to provoke. Mission accomplished, buttheads.

I think we'll see the angry mob end up at less discoverable, but more robust distributed platforms. Which is a shame, because it means eventually, when I say that you can find me on Mastodon/Scuttlebutt/etc, the average person will say, "Oh, you're on that extremist network?"

The benefit to Facebook/Reddit/Twitter is that while Parler is dominating the discussion, they can start cleaning up their most toxic communities.

  • curlypaul924 5 years ago

    > From what I understand, Parler was bankrolled and designed to do exactly what it was ultimately shutdown for. That is, be a concentrated anger-machine-echo-chamber.

    How is/was Parler different from Facebook in this regard? Facebook makes money on ads, so the longer you stay on their site, the more money they make. One way to get people to stay longer is by encouraging the sorts of posts that get people riled up.

    I'm not accusing Facebook of being complicit in the events of last week, but from personal observation, I see a lot more low-effort, angry posts on Facebook than I do on Twitter or Reddit.

    • LarryDarrell 5 years ago

      Yes, the mechanism is the same.

      However, Facebook has lines that when crossed result in being moderated. Their moderation system is obviously imperfect and a lot of the time they act too late, but it's there.

      Parler was courting all the line-crossers with the promise that there would be no such moderation on their platform. That ended with predictable results.

      • WalterSear 5 years ago

        There was more moderation going on, on Parler, than anywhere else. Users would start out shadow-banned until the moderators approved of their groupthink.

        It wasn't just calculated to bring out the worst: it was actively fostering it.

  • mormegil 5 years ago

    > I think we'll see the angry mob end up at less discoverable, but more robust distributed platforms. Which is a shame, because it means eventually, when I say that you can find me on Mastodon/Scuttlebutt/etc, the average person will say, "Oh, you're on that extremist network?"

    That's always a problem with communities explicitly dedicated to freedom/non-censorship/etc., cf. Scott Alexander's https://slatestarcodex.com/2015/07/22/freedom-on-the-central...

    > There’s an unfortunate corollary to this, which is that if you try to create a libertarian paradise, you will attract three deeply virtuous people with a strong commitment to the principle of universal freedom, plus millions of scoundrels. Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.

  • jjeaff 5 years ago

    >I think we'll see the angry mob go end up at less discoverable, but more robust distributed platforms.

    Not unless those distributed platforms are as easy to sign up for and use as Twitter. I realize that not all the type of people that went to riot at the Capitol are stupid, but the fact that they were there proves that most are intellectually lazy at best. Any extra effort to use a social network will completely block most from participating.

    • LarryDarrell 5 years ago

      I thought that at first, but I realized that I was biased towards the people I personally know who have been fully consumed into the right-wing conspiracyverse (older boomers who never liked computers until the internet was easy).

      Ultimately I think you underestimate many of them. They feel persecuted and righteous and have the ability to follow step-by-step directions.

  • amvalo 5 years ago

    > From what I understand, Parler was bankrolled and designed to do exactly what it was ultimately shutdown for. That is, be a concentrated anger-machine-echo-chamber. I'm not angry at the public corporations that have dropped Parler. I'm angry at the people that created Parler in the first place.

    Where did you get this understanding? Seriously. My understanding was that the founders were mostly anti-trump libertarians.

commandlinefan 5 years ago

> Its public API used no authentication. When users deleted their posts, the site failed to remove the content and instead only added a delete flag to it. Oh, and each post carried a numerical ID that was incremented from the ID of the most recently published one.

There's really nothing wrong with any of that, unless you're specifically coding to defend against content scraping. I mean, the whole point of a "tweet" or whatever they're called in Parler land is to be public and discoverable.

> failure to scrub geolocations from images and videos posted online

Worse, but again, was the site even supposed to be designed with anonymity in mind?

  • whatshisface 5 years ago

    >Worse, but again, was the site even supposed to be designed with anonymity in mind?

    According to reports from several HN users who tried making accounts, Parler requires drivers license photos as a part of the process you have to go through before you can post. Rather than being designed for anonymity, they seem designed to identify all of their users as unequivocally as possible.

    • drew55555 5 years ago

      I had an account and you definitely didn't need a drivers license to post anything. I didn't have a picture or anything on my profile.

    • disabled 5 years ago

      Yeah you never give out your drivers license number as an American (or passport number, for international users), and especially not for some sketchy social media platform. It’s an easy way to get your credit stolen.

      Maybe they let people block out their ID numbers on the license photos, but I doubt that the vast majority of users there would even bother.

      Some governments do have eIDs, that work cross-border, that are designed for both the public and private sector, with emphasis on security (although there are bound to be serious problems). This is the case in many European Union countries, and it will apply at some point to the entire EU: https://ec.europa.eu/digital-single-market/en/policies/trust...

    • Zababa 5 years ago

      From what I understand, the drivers license photo was required to have your account verified, someone was talking about this here https://news.ycombinator.com/item?id=25730344

    • jasonladuke0311 5 years ago

      So it was a honeypot.

    • ashtonkem 5 years ago

      Schadenfreude notwithstanding, why didn’t more users see that as a massive red flag?

      • gambiting 5 years ago

        Because 90% of people or more literally don't care. I bet if Facebook started asking to submit the scan of your credit card + photo ID + birth certificate, a LOT of people would comply. We are creatures of comfort and very rarely logic.

  • jcranmer 5 years ago

    The topper is that it doesn't appear that requesting post #N did any checks for if you are allowed to see it (i.e., it doesn't check if post #N is private or deleted). That means that naïve content scraping will uncover private/deleted posts, which is the really big "oops" that Parler had.

  • pavel_lishin 5 years ago

    > There's really nothing wrong with any of that, unless you're specifically coding to defend against content scraping.

    > Worse, but again, was the site even supposed to be designed with anonymity in mind?

    Yes! Privacy, security and harm/abuse mitigation must be one of the considerations when you're writing a project. This isn't even anonymity, these are basic safeguards one should put in place. Not doing so is like selling a car with no seatbelts, and arguing that there's nothing wrong with that unless you're specifically manufacturing to defend against car crashes.

    This isn't like the argument about how many tests you should have and what kind; this absolutely must be one of the key things to consider when you're creating a project that's going to be used by people to communicate with one another.

  • trianglem 5 years ago

    Was their security even supposed to work? Yes.

  • freewilly1040 5 years ago

    Why is the auto incrementing ID bad? Easier to scrape, I suppose, if the db ID was in the URL

    • mxxx 5 years ago

      If you’re not requiring any level of authorisation to enable someone to read a post (ie, this post has been removed, you can’t see it any more or this is a private post, you must be a friend of its author to see it), then you’re just relying on people not being able to guess its ID and grab it from the API. It’s a poor version of security through obscurity. Could have easily been rectified by using UUIDs instead of sequential integers (which is what I’m _guessing_ they used)

      • frollo 5 years ago

        They used sequential integers, which means it wasn't even security through obscurity. There wasn't any form of security. Not even a Post-it with "please don't hack me".

        With a browser and enough time at hand even my grandfather could have dumped their whole DB.

        • cxr 5 years ago

          If by "dumped their whole DB" you mean "a snapshot of their public pages", then yes. Otherwise, no. This was an ArchiveTeam-affiliated scraping operation that relied on slurping down as much public-facing data as quickly as possible, just like their other efforts.

          > When news of donk_enby's archival efforts broke, several viral tweets, Reddit posts, and Facebook posts claimed that she had captured private information, scans of drivers licenses and IDs, and other highly sensitive information. She said those posts are “not at all” accurate.¶ “Everything we grabbed was publicly available on the web, we just made a permanent public snapshot of it,” donk_enby told me.

          https://www.vice.com/en/article/n7vqew/the-hacker-who-archiv...

          Please stop making bombastic claims that will lead to people finding it easier to believe the kinds of unfounded rumors referenced above.
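Added example, not code from the article, the archive scripts or Parler itself: a toy model in Python of the two read paths commandlinefan, jcranmer and mxxx are arguing about above. The store, handler names and sample posts are all constructed for the example; the only thing taken from the thread is the behaviour the article describes (sequential post IDs, an unauthenticated read, and a delete that only flips a flag). The enumeration loop is what a scraper does against such an endpoint, and the hardened handler is the check a reviewer would ask for.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Post:
    id: str
    author: str
    body: str
    private: bool = False
    deleted: bool = False      # soft delete: the row stays, only this flag flips


class PostStore:
    """Toy backing store (constructed). sequential=True mirrors the incrementing IDs the article describes."""

    def __init__(self, sequential):
        self.sequential = sequential
        self.rows = {}
        self._next = 1

    def create(self, author, body, private=False):
        if self.sequential:
            pid = str(self._next)
            self._next += 1
        else:
            pid = secrets.token_urlsafe(16)   # 128 random bits: cannot be found by counting
        self.rows[pid] = Post(pid, author, body, private)
        return pid

    def delete(self, pid):
        self.rows[pid].deleted = True         # nothing is removed, as the article describes


def vulnerable_get_post(store, pid, requester=None, friends=frozenset()):
    """The read path the thread describes: any ID, any caller, flags returned as ordinary data."""
    return store.rows.get(pid)


def hardened_get_post(store, pid, requester=None, friends=frozenset()):
    """Authorization decided on every read; the ID is a lookup key, not a permission."""
    post = store.rows.get(pid)
    if post is None or post.deleted:
        return None                           # deleted looks exactly like nonexistent: no oracle
    if post.private and requester != post.author and requester not in friends:
        return None
    return post


def enumerate_posts(get_post, store, upto, requester=None):
    """What a scraper does against sequential IDs: walk 1..upto and keep every hit."""
    hits = []
    for n in range(1, upto + 1):
        post = get_post(store, str(n), requester)
        if post is not None:
            hits.append(post)
    return hits


def seed(sequential):
    """Constructed fixture: five posts by alice, the second soft-deleted, the third private."""
    store = PostStore(sequential)
    ids = [store.create("alice", "post %d" % i) for i in range(1, 6)]
    store.delete(ids[1])
    store.rows[ids[2]].private = True
    return store, ids


if __name__ == "__main__":
    store, ids = seed(sequential=True)
    print("vulnerable, sequential:", [p.id for p in enumerate_posts(vulnerable_get_post, store, 10)])
    print("hardened, sequential:  ", [p.id for p in enumerate_posts(hardened_get_post, store, 10)])
    store, ids = seed(sequential=False)
    print("vulnerable, random IDs:", [p.id for p in enumerate_posts(vulnerable_get_post, store, 10000)])
```

Against the sequential store the vulnerable handler hands the scraper all five rows, deleted and private ones included, with the flags attached; the hardened handler returns only the three it should. Switching to random IDs stops the counting loop but, on its own, still serves a deleted post to anyone who kept the link, which is why the deleted/private check in the handler is the actual fix and the UUID is only a mitigation against bulk enumeration.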

  • flunhat 5 years ago

    > Worse, but again, was the site even supposed to be designed with anonymity in mind?

    Given that a common conspiracy theory espoused on Parler is (was) that vaccines contained tracking microchips (?), I imagine Parler users expected at least some anonymity.
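Added example, not code from the article or from any tool discussed in the thread: the "failure to scrub geolocations from images" point worked through in Python on a constructed JPEG. It builds a minimal file whose Exif APP1 segment carries a GPS IFD (the coordinates are made up for the example, not taken from any real upload), reads them back the way a scraper or forensic tool would, and shows the scrub a platform should apply at upload time: dropping the Exif and XMP APP1 segments before the file is stored. The TIFF/IFD layout and marker values are the standard ones; everything else (function names, the sample file) is an assumption of this example.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
SOI, EOI, SOS, APP0, APP1, DQT = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xDB


def jpeg_segments(data):
    """Yield (marker, raw_segment) up to SOS; the SOS segment carries the rest of the file."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):           # entropy-coded data (or the end) follows: stop walking
            yield marker, data[pos:]
            return
        (length,) = struct.unpack_from(">H", data, pos + 2)   # length includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, end, offset):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack_from(end + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(end + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, end, count, value_field):
    (off,) = struct.unpack_from(end + "I", value_field)   # RATIONALs never fit in the 4-byte field
    vals = []
    for i in range(count):
        num, den = struct.unpack_from(end + "II", tiff, off + 8 * i)
        vals.append(num / den if den else 0.0)
    return vals


def _to_decimal(dms, ref):
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    for marker, seg in jpeg_segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        end = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack_from(end + "I", tiff, 4)
        gps_ptr = _read_ifd(tiff, end, ifd0).get(TAG_GPS_IFD)
        if gps_ptr is None:
            return None
        (gps_off,) = struct.unpack_from(end + "I", gps_ptr[2])
        gps = _read_ifd(tiff, end, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _to_decimal(_rationals(tiff, end, gps[GPS_LAT][1], gps[GPS_LAT][2]), gps[GPS_LAT_REF][2][:1].decode())
        lon = _to_decimal(_rationals(tiff, end, gps[GPS_LON][1], gps[GPS_LON][2]), gps[GPS_LON_REF][2][:1].decode())
        return round(lat, 6), round(lon, 6)
    return None


def strip_location_metadata(jpeg):
    """Upload-side scrub: drop Exif and XMP APP1 segments, keep every other segment byte-for-byte."""
    out = [jpeg[:2]]
    for marker, seg in jpeg_segments(jpeg):
        if marker == APP1 and (seg[4:].startswith(EXIF_HEADER) or seg[4:].startswith(XMP_HEADER)):
            continue
        out.append(seg)
    return b"".join(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: JFIF + Exif(GPS) + DQT + a stub SOS/EOI, little-endian TIFF inside."""
    e = "<"
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    def rationals(vals):
        return b"".join(struct.pack(e + "II", int(v), 1) for v in vals)
    # TIFF layout: header 0..8 | IFD0 8..26 | GPS IFD 26..80 | lat rationals 80..104 | lon 104..128
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
           + struct.pack(e + "HHII", GPS_LAT, 5, 3, 80)
           + struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
           + struct.pack(e + "HHII", GPS_LON, 5, 3, 104)
           + struct.pack(e + "I", 0))
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    return (b"\xff\xd8"
            + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(APP1, EXIF_HEADER + tiff)
            + seg(DQT, b"\x00" + b"\x10" * 64)
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00" + b"\xff\xd9")


SAMPLE = build_sample_jpeg((38, 53, 23), "N", (77, 0, 33), "W")   # constructed coordinates for the example
```

extract_gps(SAMPLE) recovers the embedded fix as decimal degrees; after strip_location_metadata the same call returns None and the JFIF, quantisation table and scan data are untouched. A real upload pipeline would also re-encode or strip video containers (MP4 carries location in its own atoms), which this example does not cover.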

partiallypro 5 years ago

I still doubt many rioters used Parler to coordinate. Glenn Greenwald has been investigating this and had as of a few days ago found none of those arrested on the platform. Facebook sat on the "stop the steal" FB groups for ~70 days and had so far not gotten much scrutiny.

vectorbunnyOP 5 years ago

As linked in article, scraping code here:

https://github.com/ArchiveTeam/parler-grab/blob/master/parle...

Ancapistani 5 years ago

If I’m understanding what happened correctly, the archivists here exploited a vulnerability to create numerous administrator accounts on the system, bypassing Parler’s security (as trivial as that was), and used those accounts to access private information from all individuals on the platform.

My question is this: are the people who originally exploited this, created the image, and the users who downloaded it to collect the data going to be subject to federal charges? It seems obvious that they broke the DMCA in using the exploit and the FCAA in collecting and publishing the data acquired.

If so, and the data were obtained through criminal means, is it even admissible in a criminal case?

Full disclosure - I have/had a verified Parler account, dating long before the Capitol stuff. I tend to join pretty much all the new social network stuff to claim my name and so I know what I’m talking about when I discuss it elsewhere. I don’t think I ever posted a “Parley”, and if memory serves the only PMs I sent were asking a friend about LED headlight options for my wife’s vehicle. I’m not concerned about that conversation leaking, but it will amuse me to see if it’s in the collected dataset.

  • dragontamer 5 years ago

    IANAL, but... I expect the hackers to be subject to federal crimes.

    As I discussed elsewhere: opening mail addressed to someone else is a federal crime, because mail has an expectation of privacy. It doesn't matter how easy it is to open an envelope, all that legally matters is the assumed intent.

    If one party clearly wanted a message to be private, it is illegal to open that message.

    ------

    In contrast, a Postcard has no expectation of privacy. And therefore, it is perfectly legal to read a postcard.

    • nwsm 5 years ago

      Were these posts private? I've never been on Parler so I have no idea, but I'm not reading anything that suggests they were direct messages or "private" accounts making the posts.

      • dragontamer 5 years ago

        They were marked "deleted".

        Which means the privacy question is a bit ambiguous. They were public at one point, but at the time they were leaked out, they had a deleted flag and clearly were meant to be private.

        IANAL, but I'd expect it to be illegal to grab data marked "deleted". If you were a few hours earlier and archived them before they were deleted, that probably would be legal.

        • gknoy 5 years ago

          If I walk up to someone's house and say, "Hey can I have a copy of the seventh book in the third drawer of your nightstand" (e.g. `/api/books/03/07`), and you say "Sure here you go", it seems like it should be hard to argue that you have any expectation of privacy (for things that you are giving out freely) -- even if that book was something like your diary. HTTP codes for denying access exist specifically for this reason.

          Of course, the iteration of accounts that Weev was convicted of was nearly exactly this, so we know that this doesn't always hold true, but it really is baffling why.

    • webinvest 5 years ago

      > IANAL, but... I expect the hackers to be subject to federal crimes.

      Only if they’re in the USA based on their IP address or online testimony.

    • inkeddeveloper 5 years ago

      if you're accessing a public api, you're not a hacker.

      • dragontamer 5 years ago

        A lot of web-infrastructure is public API these days. If someone misconfigures their S3 instances and allows the public to access it... accessing internal S3 data (despite being from a public API) is considered hacking IIRC.

        The law doesn't care about how easy or hard it is to perform the hack. All it cares is about intent.

  • nwsm 5 years ago

    > the archivists here exploited a vulnerability to create numerous administrator accounts on the system

    I don't see any suggestion that they had elevated accounts or access. They directly hit parler's public backend server that powers the apps and website, asked it for as many posts as they could, and archived them. The backend did not require authentication to do this, and the posts were identified by auto-incrementing IDs, so it was trivial to scrape essentially all posts from 1 - n.

    If we had GDPR I think individual posters could probably sue the archivists? I'm not sure. Otherwise this is essentially webscraping, which doesn't seem to have been successfully prosecuted much [0].

    [0] https://en.wikipedia.org/wiki/Web_scraping#Legal_issues

  • wmil 5 years ago

    > My question is this: are the people who originally exploited this, created the image, and the users who downloaded it to collect the data going to be subject to federal charges?

    Realistically the FBI won't be eager to file charges to protect a company seen as a Biden opponent.

eutropia 5 years ago

I’m morbidly curious: what was their tech stack?
