[conspire] Something hilarious happened in Internet Security…
paulz at ieee.org
Sat Jan 16 20:19:05 PST 2021
Am I the only person who stops and wonders why a website wants my ID? If it's my bank, it wants me to verify my identity, and I am sure the website really is my bank, well, OK. Otherwise, maybe I don't want to pull out my DL.
Did you hear about the guy on the news saying that Trump should pardon him because the riot was Trump's idea?
On Saturday, January 16, 2021, 03:06:23 PM PST, Deirdre Saoirse Moen <deirdre at deirdre.net> wrote:
So you may have heard the alt-nut site Parler is offline. This isn’t related to it being offline per se, but it IS related to their security issues.
https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920
1. They were hosted on (self-hosted) WordPress, which is written in PHP.
2. There are a billion zillion WordPress plugins, many of them with security issues.
3. Some of Parler’s indeed had major security issues.
4. Some of Parler’s security holes were intentional (e.g., asking for proof, in photo form, of social security card and/or driver’s license in order to become verified).
5. Once people uploaded videos (with metadata like lat/long), did Parler offload them to another site so the original video couldn’t easily be retrieved? Why no, they did not.
So, when some of the security failsafes were removed (their 2FA provider having removed them), they failed open rather than closed, meaning people had MORE access than they should.
https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3
I’ve been following @donk_enby on Twitter, who was aiming people at saving site archives for OSINT (open source intelligence) purposes.
What’s just batshit (or, as @questauthority says, flederscheisse): They. Saved. The. Unprocessed. Videos. That. Were. Uploaded.
With the metadata intact.
https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/
Which…people were able to download because of them having failed open. Some of that metadata includes things like: lat/long.
https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next
Which gives us this map of the 6th of what was uploaded during the insurrection:
https://twitter.com/markk116/status/1349466940658634755
Which is arguably a worse failure than *keeping* the photos with people’s driver’s licenses, etc.
I mean, if you still wanted to keep all that stuff for legal reasons, the right way to do it is to move that hunk o’ data to a separate server and keep track of the URL the processed version is at (for the videos), and not make the private data readily available when your site fails.
Oh, and gosh, a lot of those videos were uploaded from military bases and police stations, surprise, surprise, surprise:
https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897
Also, if you haven’t heard *why* Parler is offline, here’s a rather horrifying sample of the stuff Amazon asked them to remove (and they dragged their feet):
https://twitter.com/benedictevans/status/1350429324739031041
Deirdre

_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire
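Added example, not part of the thread and not Parler's or WordPress's code: what "metadata intact" means at the byte level, and the ingest-time step the message above says was missing. The JPEG is constructed inside the script (an Exif APP1 segment carrying only a GPS sub-IFD, placeholder scan data, and sample coordinates picked for the example; none of this is data from the leak). gps_coordinates() pulls the lat/long out the way an OSINT script would, and strip_exif() drops the Exif segment before the file is stored, so the copy that is servable never carries location. Video containers keep location in their own metadata atoms rather than Exif, but the principle is the same: strip or separate before the upload becomes retrievable.

```python
"""Locate and strip Exif GPS metadata in a JPEG using only the standard library.
The sample JPEG built below is constructed for this example (not data from the
thread): a minimal Exif APP1 whose IFD0 points at a GPS sub-IFD, then a
placeholder SOS segment. Real files carry more segments; the walk is the same."""
import struct

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
GPS_IFD_TAG = 0x8825                 # IFD0 entry holding the GPS IFD offset
ASCII, LONG, RATIONAL = 2, 4, 5      # TIFF field types used here
NO_PAYLOAD = {0xD8, EOI, 0x01} | set(range(0xD0, 0xD8))  # markers w/o length

def _segments(jpeg):
    """Yield (marker, payload, raw) per header segment; SOS is yielded together
    with everything after it so entropy-coded scan data is never re-parsed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, jpeg[pos + 2:], jpeg[pos:]
            return
        if marker in NO_PAYLOAD:
            yield marker, b"", jpeg[pos:pos + 2]
            if marker == EOI:
                return
            pos += 2
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts itself
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _ifd(tiff, order, offset):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff, order, n, field):
    """RATIONALs never fit the 4-byte field, so the field holds their offset."""
    off = struct.unpack(order + "I", field)[0]
    raw = struct.unpack(order + "II" * n, tiff[off:off + 8 * n])
    return [raw[2 * i] / raw[2 * i + 1] for i in range(n)]

def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS IFD."""
    for marker, payload, _ in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                   # TIFF header follows "Exif\0\0"
        order = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
        entry = _ifd(tiff, order, ifd0).get(GPS_IFD_TAG)
        if entry is None:
            return None
        gps = _ifd(tiff, order, struct.unpack(order + "I", entry[2])[0])
        if not all(tag in gps for tag in (1, 2, 3, 4)):   # *Ref and DMS tags
            return None
        coords = []
        for ref_tag, dms_tag in ((1, 2), (3, 4)):
            ref = gps[ref_tag][2][:1].decode("ascii")    # "N"/"S" or "E"/"W"
            d, m, s = _rationals(tiff, order, gps[dms_tag][1], gps[dms_tag][2])
            deg = d + m / 60 + s / 3600
            coords.append(-deg if ref in "SW" else deg)
        return tuple(coords)
    return None

def strip_exif(jpeg):
    """Rebuild the file without any Exif APP1 segment; scan data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in _segments(jpeg):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            continue
        out += raw
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI, Exif APP1 (IFD0 -> GPS IFD), fake SOS, EOI."""
    def rat(dms):                            # each DMS value stored as num/100
        return b"".join(struct.pack(">II", int(v * 100), 100) for v in dms)
    gps_off = 8 + 2 + 12 + 4                 # after TIFF header + 1-entry IFD0
    lat_off = gps_off + 2 + 4 * 12 + 4       # after the 4-entry GPS IFD
    lon_off = lat_off + 24
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">HHHII", 1, GPS_IFD_TAG, LONG, 1, gps_off) + b"\0\0\0\0"
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", 1, ASCII, 2) + lat_ref.encode() + b"\0\0\0"
    tiff += struct.pack(">HHII", 2, RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI", 3, ASCII, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack(">HHII", 4, RATIONAL, 3, lon_off)
    tiff += b"\0\0\0\0" + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x11\x22"  # placeholder
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2)
            + app1 + scan + b"\xff\xd9")
```

Stripping on ingest only fixes what is inside the media file; it does nothing about the access-control failure the thread describes. Keeping the original (if legal hold requires it) on separate storage that the public site cannot reach, and serving only the stripped copy, is the other half.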