[1] https://twitter.com/donk_enby/status/1347939939120533506 [2] https://twitter.com/donk_enby/status/1346565749977051136
Tolerance is a peace treaty: https://extranewsfeed.com/tolerance-is-not-a-moral-precept-1...
Nowadays, liberal isn't "how you act" or "what your values are", it's an identity. People identify as liberal: kind, right and "definitely not nazis". If you disagree with them, then you must be evil, right?
I've given up trying to explore contentious issues online. It's impossible to take a different view on a hot topic without getting blocked and reported. You don't even have to take a polar opposite view or get snarky. Sometimes you only have to ask a valid question (now known as a dog-whistle). It doesn't matter if you've got science or logic to back it up.
Someone said it on HN yesterday - the old words are failing us. I no longer recognise this thing that they call "liberal" today. I see it as "woke" - a cult, with dogma, heresies and grand inquisitors.
Which is not surprising, given how the term free speech is getting twisted these days. It seems the term is now used more often to whine about others who don't want to disseminate a faction's lies (without comment!) than to actually argue for the free exchange of ideas in good faith.
People shouldn't be fooled and take this notion of 'free-speech' that is being advocated by these platforms at face value. They're not about genuine free exchange, they're funded by and organised by very well networked organisations who use them to further extremist political causes.
Whereas the Kochs want to be in charge of government, the Mercers want to eliminate government.
Can you please explain how they use that to "ensure ideological conformity in their posts"?
What do ideological conformity tools look like to you?
Am I missing something? What are you referring to exactly? The mod tools screenshot doesn't support that assertion.
For clarity I don't support changing 230.
It both:
a. pays popular users
b. Puts warnings on political issues, like statements that Biden's crime bill contributed to mass incarceration [0]
[0] https://twitter.com/ben_awareness/status/1339293381625864195
There appears to be quite a difference between what Instagram does and what Parler does. The two do not appear to be comparable.
https://twitter.com/johnfpfaff/status/1128369019164200960?la...
I assume that point was an extension of OP's comment of: "that they use to ensure ideological conformity in their posts."
For those interested, here is a link to the USA Today article from the screenshot evaluating whether "the crime bill brought mass incarceration to Black Americans": https://www.usatoday.com/story/news/factcheck/2020/07/03/fac...
> Stephen Ross Johnson, of Knoxville, Tennessee, a board member of the National Association of Criminal Defense Lawyers and past president of the Tennessee Association of Criminal Defense Lawyers, told USA TODAY that it is "over simplistic" to say the 1994 crime bill led to mass incarceration.
> Asked if the bill caused or largely contributed to it, Johnson says: “The bottom line answer to that is no. Was it a link in the chain? Yes. Is it the beginning of the chain? No.”
> Johnson argues that the roots of mass incarceration can be found in the late 1960s and early 1970s, with legislation that created, among other things, the RICO statute, which broadened the scope of federal law as the war on drugs began to take shape.
I'd say I agree with the points in the article over the non-contextual, anonymous, blanket statement that the crime bill brought ("caused") mass incarceration of Black Americans.
Source?
The general tendency these days, fed by narratives from interested parties like the media, is to mash all right leaners (pretty much anyone supporting the conservative ideas and opposing the Democrats) as clueless, racist, redneck, neo-Nazis (a bit of hyperbole here, but you see what I mean). Once you think that way (that "they're all nut jobs"), pretty much anything from leaking their user info to shutting them down to throwing them in jail would seem OK. Please, please don't fall into the trap and accept the "all right is nuts" narrative and decide for yourself.
There are traditional conservatives: god, guns, limited government. Mitch McConnell, David French, Mitt Romney, Charlotte Lawson. I fundamentally have different values from these people, but their perspectives are useful, enlightening, and reading their viewpoints causes me to better defend my own, or even occasionally change. They are staunch defenders of individual rights and traditional liberty.
There are libertarians on the right. Rand Paul, Spike Cohen, Justin Amash. These people I share a surprising number of values with, but fundamentally disagree with on the conclusion. Due to an inherent argumentativeness, it's hard to get a good faith debate, but I acknowledge their opinions that the government uses its power poorly, that both political parties are primarily concerned with remaining in power, and so on.
And then there's the group who wear t-shirts with "Camp Auschwitz 2021", "6 million wasn't enough". Signs that say "Q Sent Me". Hats with "Make America Great Again". These people are absolutely racist neo-nazis. These people are pretending to believe that Italians stole the election. There's no true belief here, no fundamentally held tenet other than "my side is better". This is not a small group - a YouGov poll puts it at 18% of Republicans. And this is Parler's user base, self-selected. The reasonable ones are still on Twitter.
And a social media company paying the users that create the most content? Dastardly!
References:
- https://medium.com/swlh/youtube-algorithm-rigged-breadtube-e...
- https://theindustryobserver.thebrag.com/spotify-joe-rogan/
EDIT:
Wow: So many down-votes in less than a minute, without any comment.
Interesting opinion from Glenn Greenwald:
"Do you know how many of the people arrested in connection with the Capitol invasion were active users of Parler?
Zero.
The planning was largely done on Facebook. This is all a bullshit pretext for silencing competitors on ideological grounds: just the start."
Sounds like Parler, fearing that their OTP provider might go down, decided to fail-open, i.e. if the dependency throws an exception, presume there's something wrong with the dependency and that the code provided is acceptable. It never occurred to them that the dependency could be down permanently, or that malicious actors[0] would be able to realize it and exploit it so quickly.
Lesson learned: do not fail open where security matters, where authentication matters. Failing closed prevents new users/customers from signing up, but it protects your existing users/customers.
[0]From a security standpoint, these are malicious actors. I would also probably buy said malicious actors a beer if I met them, accompanied by a high five.
Edit: this is a hypothesis of course. Maybe the bug was somewhere else in the system: it could be in Twilio's provided integration library where the fail-open occurred.
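The fail-open hypothesis above, as an added example that is not Parler's or Twilio's code: `OtpProvider` is a constructed stand-in for a hosted verification API (not the Twilio SDK), and the two `verify_*` functions show the buggy pattern beside the fail-closed one, which also counts provider errors so an outage is alerted on instead of silently letting everyone through.

```python
# Added example: fail-open vs fail-closed handling of an OTP provider outage.
# OtpProvider is a constructed stand-in for any third-party verification
# service (assumption); it is not a real SDK and the phone/code values are made up.
import hmac
import logging
from dataclasses import dataclass, field
from enum import Enum

log = logging.getLogger("otp")


class ProviderUnavailable(Exception):
    """Raised when the provider cannot answer (outage, suspended account,
    network error). It says nothing about whether the submitted code is valid."""


@dataclass
class OtpProvider:
    """Constructed stand-in for a hosted OTP service."""
    available: bool = True
    issued: dict = field(default_factory=dict)  # phone -> code currently valid

    def check(self, phone: str, code: str) -> bool:
        if not self.available:
            raise ProviderUnavailable("verification service unavailable")
        expected = self.issued.get(phone)
        # Constant-time compare so right and wrong codes take the same time.
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())


class Outcome(Enum):
    VERIFIED = "verified"
    REJECTED = "rejected"              # provider answered: the code is wrong
    PROVIDER_ERROR = "provider_error"  # provider did not answer at all


@dataclass
class Metrics:
    counts: dict = field(default_factory=dict)

    def inc(self, name: str) -> None:
        self.counts[name] = self.counts.get(name, 0) + 1


def verify_fail_open(provider: OtpProvider, phone: str, code: str) -> bool:
    """The hypothesised bug: a dependency exception is treated as 'code accepted'.
    While the provider is down or the account is suspended, every attempt succeeds."""
    try:
        return provider.check(phone, code)
    except ProviderUnavailable:
        return True  # the defect: an error is not a successful verification


def verify_fail_closed(provider: OtpProvider, phone: str, code: str,
                       metrics: Metrics) -> Outcome:
    """Safe variant: a provider error is its own outcome, never conflated with
    success, and it is counted so that an outage shows up in monitoring."""
    try:
        ok = provider.check(phone, code)
    except ProviderUnavailable as exc:
        metrics.inc("otp.provider_error")
        log.error("OTP provider unavailable, rejecting verification: %s", exc)
        return Outcome.PROVIDER_ERROR
    if ok:
        metrics.inc("otp.verified")
        return Outcome.VERIFIED
    metrics.inc("otp.rejected")
    return Outcome.REJECTED


def login_allowed(outcome: Outcome) -> bool:
    """Only an explicit VERIFIED answer from the provider opens the door."""
    return outcome is Outcome.VERIFIED


def demo() -> dict:
    """Runs both variants against a healthy and a suspended provider (constructed data)."""
    metrics = Metrics()
    phone, good, bad = "+15550000001", "482913", "000000"
    healthy = OtpProvider(available=True, issued={phone: good})
    suspended = OtpProvider(available=False, issued={phone: good})
    return {
        "healthy_right_code_open": verify_fail_open(healthy, phone, good),
        "healthy_wrong_code_open": verify_fail_open(healthy, phone, bad),
        "suspended_open": verify_fail_open(suspended, phone, bad),  # anyone gets in
        "healthy_wrong_code_closed": login_allowed(verify_fail_closed(healthy, phone, bad, metrics)),
        "suspended_closed": login_allowed(verify_fail_closed(suspended, phone, bad, metrics)),
        "provider_errors_seen": metrics.counts.get("otp.provider_error", 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```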
I'd assume that Parler's engineers' motivations had more to do with politics than providing a secure platform for protecting dissidents under duress.
(Or, if we look at the history of a recent major war, the mediocre engineers working for the other side thought they were the good guys.)
Fairly sure we could replace algorithm and data structure whiteboard interviews with security interviews and we'd all be better off
If one is to look at the LinkedIn for the tech leadership of Parler it would not be a stretch to say that they are way outside of their depth technologically speaking.
In that context, and with folks with no regard for consequences in charge, an emergency decision to allow everything seems plausible.
You would, would you? Thousands of individuals who by and large wanted to try out a competitor to Facebook ended up getting their personal details downloaded and leaked (and we're talking about very sensitive details here), and you're going to buy a beer for the criminals who did this? I assume before you turn them in to the authorities for their 10-20 year sentences?
That is a very, very generous take. And if that's all users were doing then their data being breached is regrettable but not world ending.
Example: In production, a load balancer or other proxy handles authentication and passes a signed JWT to the application but running locally the application will take a JWT directly and signature verification is disabled. In this case, the application has multiple checks in place to make sure it's running locally and in production environments it has network policies to only allow traffic from the authentication infrastructure.
I've had flaky dependencies. I've thought "maybe fail open is okay in this one case". You're growth hacking your company and you don't want to be held back because a dependency can't handle your scale. And hey, if a few fraudulent accounts get in, we'll just clean them up later. Cost benefit analysis here, right?
But the road to hell is paved with trying to improve user experience.
Everything has/should have a "break window" escape, and yes, that's a security weakness, but I don't see many alternatives to that.
>With this type of access, newly minted users were able to get behind the login box API used for content delivery. That allowed them to see which users had moderator rights and this in turn allowed them to reset passwords of existing users with simple “forgot password” function. Since Twilio no longer authenticated emails, hackers were able to access admin accounts with ease.
So these 'security researchers' are random hackers that illegally gained access to accounts and servers, are actively doxxing people, and this behaviour's now being praised?
Apart from being illegal, I seem to recall severe backlash against several instances of doxxing in the past, which is exactly what these people have done.
I wonder if people would still be cheering this on if 70TB worth of twitter information had been leaked instead.
Let alone the creation of a coordinated, decentralized network of machines to exploit the attack and maximize data extraction.
"Security Researchers"
The doublespeak is getting maddening.
Also, it's hard to tell from the article, but it seems like there's phone numbers and IDs involved as well.
How does that change things? The article calls them security researchers. In the title! Isn't that an example of something that HN is tacitly acknowledging to be true by leaving the title alone?
[0] trial by ordeal
Not really. If they had sent it to a journalistic organisation à la the Panama Papers, where e.g. curious peoples' government IDs could be stripped and criminal activity highlighted, that would have been different.
I think there's a real argument that this data is in the public interest.
> Do you know how many of the people arrested in connection with the Capitol invasion were active users of Parler?
> Zero.
> The planning was largely done on Facebook.
[0] https://twitter.com/ggreenwald/status/1348619731734028293?s=...
edit: bad formatting
Edit: I suppose not.
If I were sitting on a dataset like this, I'd probably try to share it with the authorities like the FBI and selected journalists who I feel would behave responsibly.
If I were twitter user @donk_enby I would be very worried about an imminent visit by law enforcement.
On the other hand if an actual researcher leaks data they're still a researcher; they might be a bad person, but that's orthogonal.
I would disagree. To me at least, the difference between researcher and hacker is what you do with the knowledge you have.
I still think it's wrong to leak the data.
Many of these people use twitter and gmail too - does that justify a leak from those services? If not, why not?
There were and are legal means for law enforcement to access that data if they need to.
People minimizing this attack and not treating it like a legitimate 9/11 scale crisis for the US are not considering the propaganda win this is for extremist groups domestically and autocratic regimes internationally. Could this be a slippery slope? Sure, but it's not as slippery as the other side of the slope which goes right off a cliff.
There is still plenty of time/space to have debates about how to move forward from here with moderation and privacy on social networks, but for now we are in the middle of an insurrection that needs to be put down.
Also, should another attack take place, couldn't platforms knowingly providing services to the capitol attackers find themselves liable for providing material support for terrorists? If I were managing risk at AWS that would definitely be a major concern.
My POV, if we wouldn't have a problem doing it to ISIS after an attack on our Capitol, then we shouldn't have a problem doing the same to QAnon and these "patriots".
I created a Parler account myself for curiosity's sake. The platform had basically no moderation, and was rife with open calls to violence. It was absolutely serving as a recruitment & coordination site for domestic terrorism.
Even if the platform had terrible and dangerous content on it, we should avoid assuming that everybody on it supported that content, and we shouldn't celebrate their personal information being leaked.
People are forgetting that if they're ok with this sort of behavior now, it'll be difficult for them to argue against or prevent the same behavior when their opposites are in control.
Will happen? Try has happened. Partisan hacking has been a thing for a decade. Remember the DNC emails? Remember weev?
>People are forgetting that if they're ok with this sort of behavior now
What does it matter if I'm okay with it? Nobody consulted me before breaking into Parler. In fact, they didn't take my opinion into account at all. Sure, grey-hats are somewhat motivated by public opinion, but even Mitch McConnell gave a floor speech on Wednesday angry enough to incite a few keyboard taps.
>it'll be difficult for them to argue against or prevent the same behavior
Because American politics consistently punishes hypocrisy, right?
I'd argue the opposite: As the rank rhetorical hypocrisy on BLM-related protests vs. Trump protests shows, the marketplace of ideas has broken down and all that really matters is power. We're only a couple steps away from tech/media being able to dictate that we've always been at war with Eastasia, with a horde of willing partisans being eager to punish any sort of dissent on the matter. Being hypocritical is unimportant if you have the ability to mess with the lives of those who are too vocal in pointing out whatever hypocrisy. Most people are perfectly rational in not being willing to risk cancellation by speaking up.
Please tell me how rooting out seditionists is a bad thing.
You can pretend that people are being persecuted for being a Republican but 30 seconds of fact checking will disprove that. In fact the only ones calling for violence against Republicans are those very same white supremacists and domestic terrorists because it seems that anyone that doesn't align with Donald Trump is somehow not a conservative. Mike Pence isn't a Republican? Really? I can't think of a politician much further right, and somehow he's no longer acceptable.
If your political belief system is "whatever Trump thinks this week" then maybe it's time to re-evaluate what you really stand for.
Right???
Honestly, the speculative and proactive accusations of hypocrisy are getting really tiresome. I wish people would stop.
The real crime here is that Parler was collecting sensitive information above and beyond what most social providers were asking for and still made shoddy security decisions.
and what do you think they are?
This was also a bad thing to do, since, presumably - some of it was intended to be private or hidden.
It will be interesting to see what the results of the content are. There have been many arguments implying that parler was "pretty normal". We can now empirically find out.
As others have noted, this is also a lesson in design and code priorities.
They sacked the capitol and cheered it on (yes, almost exclusively as far as the people on Parler are concerned).
They are indeed the bad guys.
I doubt anyone on HN would take seriously any other service turning over evidence of a crime to authorities because it's 'private messages'. We might not like that it is their policy but we damn well would know it is their policy and not use services where it is technically possible to plan crimes?
https://www.ipsos.com/en/american-reaction-pro-trump-mob-ass...
What surprises me the most is that with these complex and not obvious questions (at least to me) people without any shadow of a doubt are certain that it is right for big tech to censor Trump, shut down Parler and take political sides like it happened.
Maybe Trump is bad but at least I want to see his stupidity or his wrongdoing rather than other people chewing the news and feeding me like I'm an infant.
To me these questions require philosophical debates and dialogue (even with myself) to understand if it is right for a company to impose their political worldview on their clients - I don't feel it is right.
But if others take these positions very easily, to me that is an indication that they got these ideas from somebody else rather than thought them through.
The memory of all the pathological mob-like violence that occurred during the BLM movement, which occurred worldwide, should still be fresh in all of our memories. If only the actors who incited that violence were held to this same standard.
Hate speech is not protected. Plotting and committing treason against the United States government is not protected.
Say unimaginably hateful shit, see how fast it takes to get punched in the mouth. Simple as that.
Parler's members are the rejects that couldn't survive on mainstream platforms due to their poor conduct. That userbase just planned and executed an attempt at insurrection against the US government.
The market overwhelmingly has agreed that Parler violated ethical standards egregiously enough that severing business ties is appropriate.
I fail to see the importance of these people's privacy in the wake of recent events. I also fail to have sympathy for people who trusted this hacked-together Twitter clone with their personal information.
Leaking this information sends a clear message: Extremism and violence are intolerable, and every possible means is at our disposal to fight back against it. That includes exposing violent extremists to the light of day.
(($0.15/GB * 10) + ($0.11/GB * 40) + ($0.09/GB * 20)) * 1000 => $7,700
https://aws.amazon.com/blogs/aws/aws-data-transfer-prices-re...
Even the Chase Bank hack had an astronomical amount of data that didn't appear to set off any alarms.
7.7k is not really a noticeable increase, and any alarms that did trigger would likely have been attributed to increased user growth and platform load.
That is if someone was even seeing a billing alarm alerting with every other issue that was going on.
It's easy not to care since Parler is the "bad guy" here, but I do think that Internet infrastructure companies need to give a reasonable heads-up before pulling the rug under business customers.
Whereas AWS can plausibly claim that they don't want to host illegal content, what can Twilio say for themselves here? From Twilio's perspective, providing Twilio's core product to Parler isn't any different than serving them to other platforms. They have no responsibility or liability. The lack of moderation on Parler is irrelevant when Twilio isn't involved with moving that data.
For a SaaS platform to abruptly cut up a contract, immediately breaking the authentication mechanism for the site on the other end of the contract, which directly results in a serious data breach for thousands of users (the majority of which have done nothing wrong), because your employees and leadership don't like their politics, doesn't sound like something that a publicly traded company should engage in.
edit: especially once it became obvious that AWS was going to bring the site down just a few hours later. They had a clear route to make their ideological stand and cause no damage by merely waiting 12 hours more.
The issue is that a “reasonable” heads up here is literally years long for some of these products, especially AWS. It’s hard for these companies to show bad clients the door in a way that isn’t disruptive.
So realistically, does that mean like 10 devs running a social network with 5-10 million users?
I imagine it's pretty crazy there right now after getting booted off AWS, Google just banned you off the Play Store, so can't use them, I assume they can't use Microsoft because they'll ban them there as well, it would be cool to see if they are able to get things up and running again. (I've never used Parler but I assume it's just like a simple Facebook type webpage/apps)
Not defending, just observing. It's interesting from a business/development perspective when it comes to rapid scale and team size.
I would guess that they spend quite a bit of resources on content moderation tools development as this is the bespoke part of their business.
Imagine what they'd be called if this was Reddit, Twitter or a non-conservative site they'd hacked.
It's supported through their api.
EDIT: accidentally wrote DMCA
Edit: I should add, it would be under the CFAA.
Edit #2: I could be wrong, it looks like they used Parler's APIs, and didn't bypass any auth. I really shouldn't have even called this a hack, it's more just archiving. But weev went to jail for the same thing, so I'd say there's a chance of prosecution, would come down to a court case. If I was the person who did this, I would never step foot in America, just to be safe.
There are other laws this would likely fall under. Laws against hacking are generally "access in excess of authorization," where "authorization" is legal permission, not system permission.
Allegedly Parler didn't scrub exif data from any media, including all of their "verification" materials including Drivers Licenses and Passports.
I'm not in favor of vigilante justice. I hope some of these people do get sued under the CFAA. If all they wanted to do was archive public posts, there are ways to do that that don't involve programmatically creating fake accounts.
> U.S. Capitol last week [..]
I thought "huh, never heard that before" - checked the source [1] and it's essentially some people working at DRFLab speculating that it _may_ have been the case. So not off to a great start.
The links appear down to me, but if I remember correctly these were a series of links to Parler - which the website is now down due to AWS. So the "leaks" can no longer be downloaded. I also believe that the links were essentially all just public material from what I could find...
[1] https://www.atlanticcouncil.org/content-series/fastthinking/...
Apple told Parler to moderate their extremist content, and Parler refused. At that point, if Apple left Parler on the App Store, Apple would be complicit. Same story played out for all the services.
And guess what, treason by definition is infectious. Giving aid to an enemy of the United States. So Apple at that point would be opening themselves to a huge legal liability if they kept the app available. Nothing has been proven in court but big tech is naturally risk averse.
If Parler had agreed to moderate extreme content, even if they had done so dragging their feet, they would still be alive.
You're cheering on a criminal committing a crime. You're cheering on the suppression of an entire political party, while calling them extremists, fascists, terrorists, and every other -ist that you feel vaguely fits the bill.
Yes, a few of them marched on the capitol. Yes, that was awful. No, you're not going to stop the underlying feeling by simply wishing it away, or taking more and more byzantine measures to suppress their ability to associate with one another.
Whether we can believe that the FBI, etc, will deal with this appropriately is another matter.
Republicans are way more than that alt-right fringe. They have a respectable history and many good political stances.
Can anyone make sense of this? In all the "forgot password" functions I've seen, you click "forgot password" and they email you a link to reset the password. How does "Twilio won't send our emails any more" lead to the "forgot password" function allowing account takeovers? I'd have expected it to just make "forgot password" no longer work because nobody can get a reset link any more. I can't figure out how you could configure things for this to lead to a security flaw this bad - other than "write all emails that fail to send somewhere public" which I can't imagine anyone doing. I can't imagine Twilio writing rejected emails from a closed down account somewhere public either. How does Twilio shutting down the account mean password reset links leak?
https://twitter.com/donk_enby/status/1347939939120533506
>This is not an ad network. This is a system where their most "influential" users can get paid to post organic-looking sponsored content. Their CEO talks about it…
The logic doesn't even make sense. Twilio goes down for them and then they just allow anyone access to user accounts.
Twilio shut down the account and Parler decided to pass all verification attempts instead.
Edit: this Reddit post appears to be inaccurate. More details here: https://news.ycombinator.com/item?id=25725268
https://donk.sh/06d639b2-0252-4b1e-883b-f275eff7e792
Picked a URL from one of the files - eg.:
https://parler.com/post/c86aa37121374606aa63439ff15362aa
And put that into archive.is - eg.:
https://web.archive.org/web/20210110213100/https://parler.co...
All just seems to be Parler "tweets"; not particularly interesting.
Maybe there is a deleted post somewhere and that could be interesting but since it is not marked and there are millions of URLs it is kind of useless.
There is an inappropriate use of the word "researcher" in the title. More appropriately this should read "...scraped via IDOR vulnerability."
Not that I don't think they didn't have a pretty good database of this already.
But this still is the aspect of this that I find more worrisome. Russia, China and whomever else might be interested could weaponize this to great effect.
I don't give a damn about Parler or USA politics.
The troubling thing here is how the security underpinnings of an entire platform like Parler can be screwed over by a third-party SaaS provider.
The fact that the platform contained some "bad actors" is only a distraction. This is the real issue, or one of them.
News flash: Twilio doesn't control who gets in, just instead of returning ack/nack, they simply were unavailable.
The onus of what to do in this case is entirely on Parler who foolishly decided to default to fail-open (presumably because Twilio being down might impact their bottom line or adoption).
If that's a "real issue" then blame the ones who implemented this service for Parler.
Even the Hunter Biden story went through the NY Post.
This doesn't feel like a responsible, good-faith effort to save the republic. It feels like an attack on one's political enemies.
Using the euphemism "security researcher" in this case doesn't help. Perhaps underhanded tactics are needed to prevent evidence destruction, but call them what they are. Don't pretend they are curious academics or a corporation hardening their systems.
Seems to me like that's exactly what the rest of the country has been doing this whole time. For years everyone went along with the fringe right and placated them. The mainstream media covered Trump closely. Talked to his supporters to try to understand them. The more mainstream Republicans have backed up all the things Trump has done and said until now. Facebook got tons of flak the last 4 years for not silencing them sooner. Now it has escalated to dangerous levels of inciting violence that actually came to pass, which has led to a stronger response. But you're arguing for continuing to go along with them? Why should we expect that continuing down the path we've been on for years would reverse the trend of them getting more and more extreme?
This seems far worse - so of course we can expect criminal prosecution of these "researchers"?
If these guys are security researchers, then Julian Assange is the best security researcher in the world.
This all looks like normal politics to me.
This hack made the "front page" of news sites here in Norway, and I've never heard of the thing.
I guess it's only fitting that I just got my own lawn...
... but that's probably one of the lessons here: unless we demand accountability, we generally have no idea of what practices services we rely upon are using. How many systems we use daily do any kind of formal audits?
I'm surprised it also didn't require a social security number and credit card as well. /s
On the other hand, lock down your shit hard. Can't blame them for scraping it all down if it's just hanging out in the open like that
Depending on what the user posted, they might be embarrassed, lose their jobs, or end up in court.
We can have a reasonable discussion about the ethics of hacking a site like parler, but not if the starting point is "this is the equivalent of violent mobs literally murdering innocent people".
https://www.washingtontimes.com/news/2021/jan/10/social-medi...
https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_par...
"Trump storming the US Capitol on January 6, 2021"
While as we know very well, chicken shit (and/or delusional?) as he is, Trump himself did no such thing.
This is the data they wanted...
Did security researchers leak the messages, videos and posts? Or did they access them (i.e. Parler leaked them to the researchers)? Seems the headline is misleading.
Like, I get it, personal information shouldn't be leaked and I feel bad for those users who weren't a part of the extremism and are getting potentially doxxed for it.
At the same time, anytime this happens to a larger corporation don't we absolutely SHIT on them for the substandard security procedures? And whatever happened with Parler is looking more and more like amateur hour here, nothing sophisticated to get the data.
Just because it's some "underdog" suddenly it's okay?
How did they accumulate so much content so fast? 70TB seems insanely huge for a pretty new company, isn't it only like 5 months old?
"Do you know how many of the people arrested in connection with the Capitol invasion were active users of Parler?
Zero.
The planning was largely done on Facebook. This is all a bullshit pretext for silencing competitors on ideological grounds: just the start."
The security researchers were wrong to make this information publicly available but the fact that Parler actually put their users at risk like this with such a disturbingly glaring security flaw is absolutely infuriating and outrageous. I'm speaking as a believer in civil rights and user protection. Call it growth hacking or try to overlook this as a sympathetic mistake if you wish but this was a disgustingly reckless decision for any competent technical team to make and it deserves profound censure.
That being said, doing the Lord's work. Expose this cancer so it can be removed.
This is a political purge.
And HN is cheering?
Patriot Act 2.0 in 3... 2... 1....
What’s extra funny is I recognize the names cheering — and on other days, they’d talk about how the Patriot Act is wrong.
But these are bad hombres, you see?
It's highly unlikely Twilio's API responds with something like {"authenticated": true} when you haven't paid your bill or they suspend you.