Utopia Talk / Politics / Parler got pwned
Mon Jan 11 03:37:14
Sounds bad: when twilio pulled Auth services, it created a bug allowing people to create and escalate permissions of users at will; and extract data, including deleted content which wasn't actually deleted.

I'm kinda torn by this.

On the one hand private responsibility etc. On the other hand imagine this were some kind of commercial service.

Sure, the primary responsibility rests with parler. Some seriously poor error handling and architecture practices for a service operating at that scale (turns out cloning Twitter like UI is easier than thinking through the backend).

Where do these large infrastructure service providers' responsibilities and liabilities to end users start and begin?

The Children
Mon Jan 11 07:44:31
funny they waz prolly laughin so hard with huawei and tiktok in da past...

now they got removed. fuckin OWNED so hard. Completely rekted like a drunk redneck tryin 2 pick a fight with a 280 pound bouncer...

haha motherfuckers, this is why u dunt wanna go down that rabbithole coz once u use that slippery slope, others can do it right back 2 ya. and when karma pays u a visit, the ownage is often 10x as hard.

fuckin rekted. Lmao.

How it started
nationolololol security huawei

how it ended
gettin banned by the big bois.
Mon Jan 11 16:13:41
> turns out cloning Twitter like UI is easier than thinking through the backend

Not that I'm above schadenfreude, but shit happens. Twitter has thousands of highly paid engineers who should know better and they had a shared password account to let internal users take over verified accounts. Everything - including IT threat models - has built-in assumptions, explicit and implicit. Some assumptions are proven invalid with time, especially the ones you didn't realize you had.

If you're in a Spy v Spy mood, think of it like walking down a busy street and you have to try to enumerate all the possible ways you might die and mitigate them all. Sure, you look both ways before you cross the street, but are you doing everything you can to fully mitigate the chances that you'll be abducted by a hit squad in a van? Doubtful! The thought has probably never seriously occurred to most people. The only limit on ways you can get got is the breadth of the human ingenuity though. The only way to prevent being killed is to stop them all; one method works and you're still just as dead. For most people, walking down the street is safe solely by virtue of the lack of other people actively trying to kill us. Spend enough time trying to avoid walking under fire escapes, avoid routes that are amenable to van abduction, and not going down boulevards where you could be shot from a grassy knoll and you'll never manage to go buy your groceries though.

A more professional solution would have failed safe in the event of a breach or outage. Look at any professional software though and you'll find infinite opportunities for more professional solutions as the developers' uncountable implicit assumptions are invalidated though. It sounds like "Twilio might cut us off" is not a failure mode that even entered their imagination.
Mon Jan 11 16:29:27
Should Parler have been reasonably obligated to maintain contingency plans in the event that the Big Tech cartel arbitrarily decided to go nuclear and colluded with each other to completely destroy the site over the space of a weekend? I would say no.

Twilio should be sued for everything it owns for making the breach possible though. Hopefully the proceeds will suffice to pay for the infrastructure needed to bring Parler back online.
Mon Jan 11 17:14:35
would anyone object to a social media platform exclusively made up of ISIS, al Qaeda and other islamic extremists being taken off of Google play and the app store?
Mon Jan 11 17:36:30
Should I have contingency plans to avoid Saudi hit squads? Not a good use of my time.

Should Salman Rushdie? Yeah, probably so. "Our thing is that we use the proprietary infrastructure provided by all those companies that won't host your content to host your content" is a tenuous spot to try to build a business.
Wrath of Orion
Mon Jan 11 18:07:51
Mon Jan 11 18:22:43
"exclusively made up"

1. Comparing everyone right of Biden to ISIS is retarded. Undoubtedly you have idiotic conspiracy theorists and various far-right actors. However...
2. The make-up is entirely a creation of the colluding big tech actors, and its users. There has been a mass exodus, many of them fairly moderate, tired of the increasing censorship and fact-checking and intentionally vague rules.

When you spend months screaming for complainers to find their own platform, then you heckle them for finding it, then you cheer as massive mega-corps collude to destroy that platform, many might begin to think that you were being disingenuous all along.

But since you mentioned Islamists...several of them are still on Twitter.
Mon Jan 11 18:39:35
rather than "exclusively", I should have used the word "largely" or "mostly".

1. that's not what I am doing. however, proud boys, qanon, groypers, etc.. ARE like islamist extremists and should be treated as such.

2. right, don't see what the issue is with this.

"But since you mentioned Islamists...several of them are still on Twitter."

I am not aware of any major islamic extremists on twitter but if they are there twitter should kick them out.
Mon Jan 11 19:37:34
Props to Chuck for using my favorite word "Schadenfreude".
Mon Jan 11 22:06:27
Lol @ y2a
Mon Jan 11 22:14:28
"am not aware of any major islamic extremists on twitter but if they are there twitter should kick them out."

Well, the Ayatollah for starters is still on Twitter. He is the leader of a legally designated terrorist state, in addition to having ties to/being part of other terrorist organizations such as Hezbollah.

He has also called for increased violence on Twitter when referring to a military assault on Al Asad air base that "was not enough" (Jan 8th 2020), amongst other questionable posts.

Twitter is fully aware of him as they have flagged and removed several posts even recently.
Mon Jan 11 22:16:22
i imagine they have the same problem as with the clown wrt his position as a government leader.
Mon Jan 11 22:35:38
y2a, Which I will agree, makes things hairy. It clearly demonstrates IMO that this was a political matter rather than behavioral.
Tue Jan 12 00:39:03

Vicarious liability for their customers' actions is precisely why they pulled their services though.

Bit of a devil's fork you are pursuing there.
Tue Jan 12 00:44:16
Convenient, then, that you're the one that has historically argued that platforms be liable for the words of their users.

There is, of course, a difference between expecting limited moderation (which Parler has already caved to) and expecting a platform to hire an inordinate staff or deploy advanced trawlers to catch everyone possible.
Tue Jan 12 02:43:55
"Should Parler have been reasonably obligated to maintain contingency plans in the event that the Big Tech cartel arbitrarily decided to go nuclear and colluded with each other to completely destroy the site over the space of a weekend? I would say no."

I wouldn't really call it arbitrary when the majority of the user base is in a conspiracy frenzy to overthrow the government of a super power nation with thousands of nukes that also will likely fine the shit out of any domestic company hosting said content in the case of escalating sedition in addition to the risk of becoming a truly hostile digital intelligence target of said super power.

Just so many reasons beyond "lol Trump cult" for big business to shun and ban extremists when they reach a point of systemic risk of ruining the system that is making the big business possible in the first place.
Tue Jan 12 02:59:14

Cast your eyes back to the first post muppet.

For clarity:

1. Sites like Twitter and Parler are responsible for what they publish. They are like newspapers. I will accept that they can limit their liability provided they can identify individuals using their services; or do not curate.

2. Equally, as private companies, they can close what they do and do not publish.

3. The freedom and liability for these services go hand in hand.

4. Infrastructure services underpinning them, particularly Amazon, I feel are more complicated. This is less like, e.g. a cab firm not willing to take your fare, and more like not being allowed to use the roads.

5. However, if you want end users to be able to directly sue Amazon, Twilio etc. for the impact of their provision of services to the service the end user uses, this implies that you could also sue Amazon for the impact a dependent service has on a third party.

6. I think infra companies have a much better claim to being like the postman than Twitter; but the quid pro quo is they should also have limited discretion to refuse services. Particularly the largest platforms that increasingly look like a stock exchange.

7. Rugian's desire that infra have liability to third party end users via dependent services but also have no liability to third party end users for criminal behaviour by other end users is just incoherent nonsense.

Tue Jan 12 03:01:50
And in this particular instance, when the FBI is notifying parler that it's hosting terrorist content and being used to plan attacks, I think Amazon probably ought to have the right to take them down.

But that's almost a regulatory action. There should be a cleaner process that fails gracefully.

Tue Jan 12 03:05:34
Interestingly, Twilio have released a statement saying they notified Parler it was breaching fair use, and then Parler wrote back saying they were discontinuing use and they (Parler) cut the integration.

So it's all on parler.
Tue Jan 12 07:17:29

Morons used sequential numbers to generate the post URL, and let public API pull content. Also did not delete content, instead just added a flag in the API that made the front end hide deleted posts.

So it's all on parler here.

This is (a) reason why you don't use ints as a database key.

Tue Jan 12 08:55:16
Yikes. Relying on code running on the client machine (i.e. trivially corruptible by malicious users) to enforce soft deletion doesn't really fall under the "infinite implicit assumptions that can ruin you" umbrella. That's out and out unprofessional.

Auto-incrementing primary key has valid use cases though. It shouldn't matter if people can guess URLs, because the API should have proper security even if someone does guess the URL. They leak some information so if you're trying to keep the number of clients you have secret (or, say, numbering infantry divisions), you shouldn't expose their true IDs.

In general though, not everything has to have a UUID to be secure.
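An added illustration in Python (not from this thread and not Parler's code; every class and function name here is made up) of the two points in the posts above: a "deleted" flag that the API hands to the front end to hide, beside a store where the server decides visibility, and a scraper walking sequential ids against each. The ids are plain auto-incrementing integers in both stores; only the API check differs.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Post:
    id: int
    author: str
    body: str
    deleted: bool = False      # soft-delete flag; the row stays for audit/undo


class LeakyPostStore:
    """Hypothetical flawed design: an open endpoint that returns every row
    and sends the 'deleted' flag to the client for the front end to act on."""

    def __init__(self):
        self._rows = {}
        self._next_id = itertools.count(1)   # sequential integer ids

    def create(self, author, body):
        post = Post(next(self._next_id), author, body)
        self._rows[post.id] = post
        return post.id

    def delete(self, post_id):
        self._rows[post_id].deleted = True   # nothing is actually removed

    def api_get(self, post_id, caller=None):
        # No authentication and no visibility check: hiding is left to the client.
        post = self._rows.get(post_id)
        if post is None:
            return None
        return {"id": post.id, "author": post.author,
                "body": post.body, "deleted": post.deleted}


class HardenedPostStore(LeakyPostStore):
    """Same table, same integer ids; the server decides what a caller may see."""

    def api_get(self, post_id, caller=None):
        if caller is None:
            return None                      # unauthenticated requests get nothing
        post = self._rows.get(post_id)
        if post is None or post.deleted:
            return None                      # deleted rows are invisible to everyone
        return {"id": post.id, "author": post.author, "body": post.body}


def scrape(store, max_id, caller=None):
    """Walk ids 1..max_id the way a scraper would; return whatever was readable."""
    found = []
    for post_id in range(1, max_id + 1):
        row = store.api_get(post_id, caller)
        if row is not None:
            found.append(row)
    return found


def demo():
    """Constructed data: three posts, the second one soft-deleted, in each store."""
    results = {}
    for name, cls in (("leaky", LeakyPostStore), ("hardened", HardenedPostStore)):
        store = cls()
        store.create("alice", "first")
        second = store.create("bob", "second")
        store.create("carol", "third")
        store.delete(second)
        results[name] = {
            "anonymous": len(scrape(store, 10)),
            "logged_in": len(scrape(store, 10, caller="alice")),
            "deleted_leaked": any(r.get("deleted") for r in scrape(store, 10)),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

With the leaky store an anonymous walk over ids 1 to 10 reads all three rows, deleted one included; with the hardened store the same walk reads nothing unauthenticated and two rows logged in. Guessable ids are not the defect; the missing server-side check is.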
Tue Jan 12 09:03:46
Of course, we say this on UP where every single coffee house wifi snooper knows your password :-)
Tue Jan 12 09:05:09
Who uses public Wifi in 2020?
Tue Jan 12 09:05:21
2021 even...
Tue Jan 12 09:35:30
Who drinks coffee? Brown shit stirred in a cup that costs $6, prepared by some tatted up SJW.

No thank you.
large member
Tue Jan 12 09:50:44
My wife barely ever tatters up in SJW merc.
Tue Jan 12 09:54:40
I definitely do enjoy coffee. Mostly at home and at work, but if I'm going to order a non-alcoholic drink, chances are it will be coffee.
Tue Jan 12 10:12:24

There are a lot of reasons not to in these cases - implicit here social media service - e.g. int types hit scalability issues.

Tue Jan 12 10:14:00
Sure, but that's a separate matter.
Tue Jan 12 10:15:11
Obviously it depends on what you are doing. Putting GUIDs in a lookup table would be stupid, for example.
Tue Jan 12 10:16:38
I drink coffee almost daily. Who the fuck doesn't like coffee? I even like coffee flavored ice cream.

Almost anything coffee and chocolate together is good.
Tue Jan 12 10:26:26

Hence why I said "(a) reason". Implied was in *this* context.
Tue Jan 12 10:30:41
Put it this way, if you were building a Twitter clone, would you be using an incrementing integer as your DB key here?

It makes it very easy to scrape your site, and it probably means you are using an int type (I know you don't have to, but that's what I'd guess here), so you will hit a problem requiring a workaround.
Tue Jan 12 20:27:35
Wed Jan 13 02:40:06
Speaking of coffee, I bought an automated espresso machine as one part of my wife's 30th birthday present. I actually feel sorry for myself that I went so long without great tasting hassle free coffee. No more instant coffee, or waiting for water to cool down and pressing down a plunger. NO MORE I say.
Wed Jan 13 06:05:59
I've been looking at Amazon's response to Parlers request for injunction.

It is very funny. Parler is a bit of a car crash.
Wed Jan 13 08:09:43
"I bought an automated espresso machine as one part of my wife's 30th birthday present. I actually feel sorry for myself that I went so long without great tasting hassle free coffee. No more instant coffee, or waiting for water to cool down and pressing down a plunger. NO MORE I say."

what machine did you get? I have the same issue, I am using a moka pot, but every time I visit someone with a coffee machine, their coffee sure tastes better and they don't have to go through the whole process, like I do.
Wed Jan 13 08:19:23
"tired of the... fact checking"

I think that says it all.
Wed Jan 13 10:25:55
> Put it this way, if you were building a Twitter clone, would you be using an incrementing integer as your dB key here?

It would depend on the usage context. I wouldn't fault someone who did as incompetent.

Asking "Is this web scale?" regarding integer PKs is putting the cart light-years before the horse.

Assuming it is a 64-bit int, the only scaling issue is "my app has blown up so much that I can no longer handle DB writes with a single replica."

A single Postgres database can handle sustained load of 32k transactions per second. Every engineering decision has a cost. Solving the problem of "how will I scale to handle more than 32k writes per second though?" is not worthwhile when you have 0 writes/day.

This is a "lucky to have" problem and certainly doesn't justify "never use auto-incrementing PKs" across the board.

As an example, look at Twitter itself. Twitter was written in Ruby on Rails initially. Twitter itself had terrible growing pains. If I were leading a team on a speculative project that could go nowhere, I wouldn't want them to pre-emptively solve all "problems of success" in case the project succeeded, because that's a great way to spend your time on unimportant work and ensure the project fails.

> It makes it very easy to scrape your site

The API shouldn't rely on hard to guess URLs to mitigate this. Requests against the API should be authenticated and clients like scrapers who are making an inordinate number of requests should be throttled or blocked.

Twitter is again an example here, with their `HTTP 420 - Enhance Your Calm` API responses. There are open source projects which you can just drop into your project to achieve this, for example: http://www.django-rest-framework.org/api-guide/throttling/
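An added Python example (not from this thread, and not django-rest-framework's or Twitter's implementation) of the throttling the post above describes: a per-client sliding-window limiter run over a constructed request log in which a scraper walks sequential post ids quickly while a normal user browses slowly. The class and function names are hypothetical; the throttled status used is 429 Too Many Requests, the standard code, rather than Twitter's old 420.

```python
from collections import deque


class SlidingWindowThrottle:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = float(window)
        self._history = {}          # key -> deque of recent request timestamps

    def check(self, key, now):
        """Return (allowed, retry_after_seconds); record the request if allowed."""
        recent = self._history.setdefault(key, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()        # forget requests that fell out of the window
        if len(recent) >= self.limit:
            # Oldest request in the window decides when a slot frees up again
            return False, round(self.window - (now - recent[0]), 3)
        recent.append(now)
        return True, 0.0


# Constructed request log: (timestamp_seconds, client_key, path).
# "scraper" hits /posts/1.. every 100 ms, then returns after the window;
# "alice" makes three requests at a human pace.
REQUESTS = sorted(
    [(i * 0.1, "scraper", f"/posts/{i + 1}") for i in range(20)]
    + [(10.5, "scraper", "/posts/21")]
    + [(0.0, "alice", "/posts/3"), (5.0, "alice", "/posts/4"), (9.0, "alice", "/posts/5")]
)


def serve(requests, limit=5, window=10):
    """Run the log through the throttle; return per-client status counts and the
    largest Retry-After value that client was told to wait."""
    throttle = SlidingWindowThrottle(limit, window)
    report = {}
    for ts, key, _path in requests:
        allowed, retry_after = throttle.check(key, ts)
        entry = report.setdefault(key, {"200": 0, "429": 0, "max_retry_after": 0.0})
        if allowed:
            entry["200"] += 1
        else:
            entry["429"] += 1
            entry["max_retry_after"] = max(entry["max_retry_after"], retry_after)
    return report


if __name__ == "__main__":
    for client, stats in serve(REQUESTS).items():
        print(client, stats)
```

With a limit of 5 requests per 10 seconds the scraper gets its first five ids and is refused the next fifteen, each refusal carrying a Retry-After derived from the oldest request still in the window; its request at 10.5 s is served again once the window has emptied, while the slow user is never touched. In a real service the key would be the authenticated account or API token rather than a free-form string, so an unauthenticated scraper cannot dodge the limit by not identifying itself.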
Wed Jan 13 12:42:32
Chuck, nobody is actually saying "never use incrementing integer pk under any circumstance", the use case is web scale social media service which is fairly specific.

Yes, you wouldn't try and solve everything at once, but this one is well known and fairly low cost to avoid.

Particularly if you aren't actually deleting posts.

Wed Jan 20 16:55:25
Good news, Rugian. Parler is coming back.

Parler Is Coming Back—With Some Russian Help

Parler was kicked offline because of its role in the Capitol insurrection, but now it's back thanks to a Kremlin-linked company.

DDoS-Guard, a Russian company that offers websites protection and hosting services, has an interesting client list, including the Russian Ministry of Defense, the FSB (the Kremlin’s secret service), multiple cybercrime forums and phishing sites — and the official website of Hamas, the Palestinian group labeled a terrorist organization by the U.S. government.

Thu Jan 21 14:18:43
Now they are going to investigate Parler’s Russian ties:

House Oversight Committee chairwoman requests FBI probe of Parler, including its role in Capitol siege

Rep. Maloney says she’s planning to launch an investigation into the conservative site’s policies, ownership and alleged Russia ties

The chairwoman of the House Oversight and Reform Committee on Thursday asked the FBI to conduct a “robust examination” of the alleged role in the Jan. 6 Capitol siege of Parler, the now-disabled social media site that bristled with violent chatter before and after rioters stormed the Capitol in a rampage that left five people dead.

Rep. Carolyn B. Maloney (D-N.Y.), the chairwoman, said the request is a step toward opening a formal committee investigation into sites that may encourage violence, including Parler. It became prominent last year as a freewheeling alternative to Twitter, gaining popularity in particular among conservatives.

She said the committee will begin its own formal investigation of Parler and similar sites, and that it was a “top priority” for her to learn answers to a range of questions about Parler, including its alleged ties to Russia, as documented in news reports. Her letter to FBI Director Christopher A. Wray Thursday singled out Parler’s use of a Russian-owned Web services company, DDoS-Guard, that also has Russian government clients and may leave Parler vulnerable to data requests by Russian agencies.

“I am going to get to the bottom of who owns and funds social media platforms like Parler that condone and create violence,” Maloney said in an interview with The Washington Post.
