Parler is a security disaster in progress.
First off, it’s a great demonstration of why depending on “cloud” providers brings in additional risks; sometimes risks that cannot be governed or mitigated. As you’ve probably heard by now, Amazon Web Services (AWS) has decided that Parler’s violating their terms and conditions, and has told them “go host somewhere else.” That’s a problem because all of the other premium hosting platforms will probably also say that there’s no room at Hilbert’s Infinite Hotel, and they’re going to be stuck in the digital limbo that ate 4chan and Stormfront. They are probably toast; stick a fork in them, they’re done.
My take, all along, is that Parler was a skeeve-ball tossed by the Mercers. That’s the Mercers of Cambridge Analytica fame – the company that spectacularly imploded by demonstrating to everyone (especially Facebook) that their terms of service were a mess full of loopholes, and their internal APIs had inadequate controls against data-mining. So, Parler was created because: if you own the social media site, you don’t have to worry about the terms of service because you get to set the terms of service. My suspicions were further triggered when Parler’s sign-up process asks for your social security number, which is an extremely useful index key that Facebook would certainly never share with its advertising partners. This is an example of what I used to call the “kimono strategy” – what’s the best way to look inside someone’s kimono? Be the kimono. I recall a coffee-break conversation at a USENIX in 2000 where Dan Geer and I pondered the wisdom of offering to build social media / file sharing sites for the CIA (just read the terms of service very carefully!) but who wants to have those guys on your board of directors?
Thus, Parler gets to be a demonstration of two problems with cloud computing, simultaneously – one) by being cloud-deplatformed and two) by being an example of the kind of cloud service users should steer well clear of. By the way, since we’re on the topic of strategic computing, the white house’s continued reliance on Twitter, which started making noises about filtering Trump’s lies years ago, is one of those “holy shit you’re stupid!” moments. Why they didn’t stand up a filtered comment-board right on whitehouse.gov (where they could control the terms of service) shows how un-technically-savvy the Trumpists are. And these are the guys who made fun of the Obama administration’s initial capacity problems on healthcare.gov. Turning Twitter into critical infrastructure and then failing to control it is “hey let’s attack Russia on foot without winter gear”-level stupid. In fact, if they had been smart, they would have set it up so anyone could deep-link to controlled-link-depth postings. That way, a zillion zombies could “share” Trumpian wit and wisdom to Twitter and Facebook and the white house could shrug and tell those guys “hey not our problem.” Hell, they could make vast dollars selling the subscriber info, just like every other social media site. Screw it, go totus porcus and sell mypillow ad space right on the main page. It would be unstoppable.
Parler also double face-punched itself by depending on Apple’s store and Google’s walled garden software for distribution. Because, “go to Parler.com and download our app (in the form of something that runs in a browser)” was too hard for one of Parler’s Mercer-funded software geniuses to think about. They could have trained their user community to treat them as a special case, but instead they, as Chuck Tingle would say, got “Slammed in the butt by appstore policy!” What strategic genius would think such a thing might happen? Hello, let me introduce myself:
Another problem Parler is unwittingly illustrating is a problem that most social media sites have, to some degree or another: they can be spidered. I’ve done consulting calls with some organizations that run really big sites (e.g.: Priceline.com) that have data that is extremely interesting to competitors. How do they stop spiders? Well, one way to do it is to hire extremely evil consultants and a few good coders; I’ll have to leave the rest to your imagination beyond one tidbit: once you identify that you’re being queried by a spider, you start giving them information that is subtly wrong. Oh, OK here’s another: you modulate dollar/cents combinations so you can look for that pattern appearing elsewhere on the internet. And, the first rule of mobius-page is you don’t talk about mobius-page and the second rule is you don’t talk about mobius-page and the third…
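One way to implement the "subtly wrong" canary trick from the paragraph above, as an added example that is not the post's own code or any client's: a session already identified as a spider gets prices nudged by a secret, per-session, per-item offset of a few cents, and the same offsets later tell you which session the numbers found elsewhere came from. The five-item catalogue and session ids are constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample catalogue (item id -> true price in cents); not data from any real site.
CATALOGUE = {"SEA-LAX": 18900, "JFK-LHR": 52300, "ORD-MIA": 14100,
             "SFO-NRT": 78800, "BOS-DEN": 21200}
SPREAD = 3  # nudge prices by at most +/- 3 cents, so 7 possible values per item


def _offset(secret: bytes, session_id: str, item: str) -> int:
    """Deterministic per-session, per-item nudge in [-SPREAD, +SPREAD] cents, keyed by a server secret."""
    tag = hmac.new(secret, f"{session_id}|{item}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") % (2 * SPREAD + 1) - SPREAD


def watermarked_prices(secret: bytes, session_id: str, catalogue=CATALOGUE) -> dict:
    """Prices to serve to a session already flagged as a spider: subtly wrong, uniquely patterned."""
    return {item: cents + _offset(secret, session_id, item) for item, cents in catalogue.items()}


def attribute_leak(secret: bytes, sessions, observed: dict, catalogue=CATALOGUE) -> dict:
    """Score each suspected session by how many observed (item, price) pairs equal its watermark.

    The leaking session scores close to len(observed); an unrelated one scores close to
    len(observed) / 7, so the verdict is only trustworthy when many items were observed.
    """
    scores = Counter()
    for sid in sessions:
        wm = watermarked_prices(secret, sid, catalogue)
        scores[sid] = sum(1 for item, cents in observed.items() if wm.get(item) == cents)
    best, hits = scores.most_common(1)[0]
    chance = len(observed) / (2 * SPREAD + 1)
    return {"session": best, "hits": hits, "total": len(observed),
            "expected_by_chance": chance, "confident": hits > 3 * chance}
```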
Anyone who posts anything on Parler should have been assuming all along that the FBI and a zillion marketing companies had access to everything they were saying. Didn’t they read the warning label? It says “Free speech zone” not “private speech zone.”
Many organizations don’t want to respect the terms of service of a social media site, and simply scrape it for new pages and updates. I don’t have accurate information about this but one of the clients I discussed this with in 2014 estimated that half of their site traffic was scraper-bots. That was a commerce site, not a social media site. Social media sites are probably 40% scraper-bots and 40% astroturfing sockpuppets. Sites like Parler and Daily Kos are particularly interesting for AI researchers who need training sets representing what a selection of rando internet chimps sound like when typing on a million keyboards. The training sets are useful for creating more, simulated, internet chimps. Oh, joy! Some days I am convinced that if all the humans left the internet, it would just keep yammering on in an endless feedback loop of sockpuppets, spambots, and Sam Harris fans.
Sure enough, when Parler got de-platformed, security researchers (or hackers, what’s the difference?) released complete scrapes of the platform. [cybernews]
Parler, a social network used to plan the storming of the U.S. Capitol last week, has been hit by a massive data scrape. Security researchers collected swaths of user data before the network went dark Monday morning after Amazon, Google, and Apple booted the platform.
The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced the scrape, claims that over a million video URLs, some deleted and private, were taken.
Of course! It’s probably one of many such archives. Heck there’s even some guy out there with an archive of Geocities and Myspace that you can download if you want to see what background image fashions looked like in the 90s.
What’s amazing is that some lunatic fringers didn’t see this coming. I guess they’re self-selected from the bottom of some bell curve or other.
Back in the 90s I taught a class for USENIX on secure communications over open networks. [ranum] I just reviewed my slides and they’re all mostly still applicable except that AOL instant messenger is gone. Like Parler. Buh-bye! But the point is: you can use other people’s communication channels to set up your own trust relationships. PGP-over-Parler would have been a terrific way to set up comms for insurgents, just like PGP-over-AOL IM and World of Warcraft chat would have been. As always, the security problem is how do you establish and manage trust domains without getting eaten by management costs and complexity. The old tried-and-true system spies use, of cells, controllers, and cut-outs has been used since at least the time of Elizabeth I if not earlier, because it works.
My main thing is what on Earth useful stuff did right-wingers have to say that made up 70 Tb?! That’s a lot of data! I remember when the whole internet would have fit comfortably in that footprint. These guys must be doing some high-bandwidth foaming at the mouth free speech, indeed!
Sunday Afternoon says
I would generalise this – “demonstrates again how uninterested in the job of actually governing the Trumpists are”.
Which prompts a thought – I realize that I’m of the opinion that the Trumpists got as far as they did in taking over the republican party given how uninterested they actually are in governing. My contention is that a large fraction of the population can see themselves in the Trumpist’s obvious laziness and aversion to actual hard work (cf the ludicrous lawsuits regarding the election). Had Trump pulled off a mask and demonstrated even basic competence in governing, I’m convinced he would have lost a lot of this support.
The optimistic take: only an incompetent and/or lazy authoritarian could get this far due to a large fraction of the populace being incompetent and lazy.
The pessimistic take: how the fuck can 70 million Americans be so incompetent and/or lazy? This country is fucked!
Patrick Slattery says
Don’t know if you had seen this, but apparently Parler didn’t strip the EXIF or GPS data from uploaded images/video giving the Feds a gold mine of location data.
https://techcrunch.com/2021/01/11/scraped-parler-data-is-a-metadata-goldmine/
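The server-side mitigation for the metadata problem Patrick points to, as an added example that is not code from the post, the comment, or Parler: walk the JPEG marker segments of an upload and drop the ones that carry only metadata (APP1, which holds Exif including the GPS IFD and XMP; APP13 IPTC; and comments) before the file is stored. The sample file is constructed inside the code and is a segment layout only, not a viewable picture.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# APP1 (Exif/GPS, XMP), APP13 (IPTC) and COM carry only metadata. JFIF (APP0), ICC (APP2)
# and Adobe (APP14) are left alone so the picture still decodes with the right colours.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <2-byte length counting itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed JPEG-shaped sample: JFIF header, an Exif APP1 standing in for a GPS block,
# a comment, then SOS followed by a few dummy scan bytes and EOI.
JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<fake GPS IFD>")
COMMENT = _segment(0xFE, b"constructed sample")
SCAN = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
SAMPLE_JPEG = SOI + JFIF + EXIF + COMMENT + SCAN + EOI

def iter_segments(jpeg: bytes):
    """Yield (marker, offset, byte_length) for every segment up to and including SOS."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = jpeg[i + 1]
        if marker == 0xD9:                               # EOI before any scan data
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn have no length field
            yield marker, i, 2
            i += 2
            continue
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield marker, i, 2 + length
        if marker == 0xDA:                               # entropy-coded data follows SOS
            return
        i += 2 + length

def strip_metadata(jpeg: bytes) -> bytes:
    """Copy the file byte-for-byte, omitting Exif/XMP, IPTC and comment segments."""
    out, end = bytearray(SOI), 2
    for marker, off, n in iter_segments(jpeg):
        end = off + n
        if marker not in METADATA_MARKERS:
            out += jpeg[off:end]
    return bytes(out + jpeg[end:])                       # scan data and EOI copied unchanged

def has_exif(jpeg: bytes) -> bool:
    """True if an APP1 segment with the Exif identifier is present (where the GPS IFD lives)."""
    return any(m == 0xE1 and jpeg[off + 4:off + 10] == b"Exif\x00\x00"
               for m, off, _ in iter_segments(jpeg))
```

Stripping at ingest is the only place this works; once a copy has been served, or scraped, the location data has left the building.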
JM says
Parler had video so 70 Tb doesn’t surprise me. Some of the people kicked from other sites that went to Parler probably uploaded every video they already had and that would ramp it up quickly.
One thing that occurred to me about this situation is that Parler probably could survive if they wanted to. If they cut back the worst of the right wing violence they could find hosting from a 3rd tier no questions asked company. What they can’t do is host that way and make money. The only people who will sell ads to those bottom of the barrel sites are porn and scams, neither of which pay well. Sites hosted that way usually end up asking users for donations occasionally. If their actual primary goal was free speech that would be workable though.
John Morales says
A bit of an aside re the ridiculous storage figure: images/video suck up bandwidth.
Especially when people use high definition formats that would still look good projected on a wall-screen, though mostly they look at them on phones. I know of people that seek out 4K videos on their phones, even.
(Back in the day, I showed some cow-orkers a set of images side by side on their monitors; one set was around 60Kb per image, the other set around 5Mb. Of course, when put to the test, they could not tell which was which and just guessed.)
Holms says
Lots and lots of rant videos would make up a large chunk of that 70TB.
Owlmirror says
Cynically, I’d guess porn.
Even more cynically, I’d guess at least some kiddie porn.
dangerousbeans says
@Owlmirror that’s my guess too. Mostly pirated porn, some illegal porn