<html><head></head><body><div class="ydp2a38606eyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
        <div dir="ltr" data-setdir="false">Am I the only person who stops and wonders why a website wants my ID?</div><div dir="ltr" data-setdir="false">If it's my bank, it wants me to verify my identity, and I am sure the website really is my bank. Well OK. Otherwise, maybe I don't want to pull out my DL.<br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Did you hear about the guy on the news saying that Trump should pardon him because the riot was Trump's idea?</div><div><br></div>
        
        </div><div id="ydp34e31dc8yahoo_quoted_1784110128" class="ydp34e31dc8yahoo_quoted">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>
                    On Saturday, January 16, 2021, 03:06:23 PM PST, Deirdre Saoirse Moen <deirdre@deirdre.net> wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div id="ydp34e31dc8yiv2341504060"><div>So you may have heard the alt-nut site Parler is offline. This isn’t related to it being offline per se, but it IS related to their security issues.<div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920</a></div><div class="ydp34e31dc8yiv2341504060"><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">1. They were hosted on (self-hosted) WordPress, which is written in PHP.</div><div class="ydp34e31dc8yiv2341504060">2. There are a billion zillion WordPress plugins, many of them with security issues.</div><div class="ydp34e31dc8yiv2341504060">3. Some of Parler’s indeed had major security issues.</div></div><div class="ydp34e31dc8yiv2341504060">4. Some of Parler’s security holes were intentional (e.g., asking for proof, in photo form, of social security card and/or driver’s license in order to become verified).</div><div class="ydp34e31dc8yiv2341504060">5. Once people uploaded videos (with metadata like lat/long), did Parler offload them to another site so the original video couldn’t easily be retrieved? 
Why no, they did not.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">So, when some of the security failsafes were removed (their 2FA provider having removed them), they failed open rather than closed, meaning people had MORE access than they should.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">I’ve been following @donk_enby on Twitter, who was aiming people at saving site archives for OSINT (open source intelligence) purposes.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">What’s just batshit (or, as @questauthority says, flederscheisse): They. Saved. The. Unprocessed. Videos. That. Were. 
Uploaded.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">With the metadata intact.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Which…people were able to download because of them having failed open. Some of that metadata includes things like: lat/long.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Which gives us this map of the 6th of what was uploaded during the insurrection:</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://twitter.com/markk116/status/1349466940658634755" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://twitter.com/markk116/status/1349466940658634755</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Which is arguably a worse failure than *keeping* the photos with people’s driver’s licenses, 
etc.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">I mean, if you still wanted to keep all that stuff for legal reasons, the right way to do it is to move that hunk o’ data to a separate server and keep track of the URL the processed version is at (for the videos), and not make the private data readily available when your site fails.</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Oh, and gosh, a lot of those videos were uploaded from military bases and police stations, surprise, surprise, surprise:</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Also, if you haven’t heard *why* Parler is offline, here’s a rather horrifying sample of the stuff Amazon asked them to remove (and they dragged their feet):</div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060"><a href="https://twitter.com/benedictevans/status/1350429324739031041" class="ydp34e31dc8yiv2341504060" rel="nofollow" target="_blank">https://twitter.com/benedictevans/status/1350429324739031041</a></div><div class="ydp34e31dc8yiv2341504060"><br class="ydp34e31dc8yiv2341504060"></div><div class="ydp34e31dc8yiv2341504060">Deirdre</div></div></div>_______________________________________________<br>conspire mailing list<br><a href="mailto:conspire@linuxmafia.com" rel="nofollow" target="_blank">conspire@linuxmafia.com</a><br><a 
href="http://linuxmafia.com/mailman/listinfo/conspire" rel="nofollow" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br></div>
            </div>
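One concrete mitigation for point 5 and the "right way to do it" paragraph in the quoted message, as an added example that is not code from either email: strip the Exif block (where a JPEG's GPS lat/long lives) from an upload before it is stored, and flag whether the original carried a GPS IFD so the intake log records it. It is shown for JPEG because its Exif layout is small enough to parse with only the Python standard library; the same principle (process, strip, store only the processed copy) applies to video containers. Function names and the sample file are my own constructions.

```python
import struct
# Added example, not code from either message: drop Exif (where JPEG GPS lat/long lives) before storage.
SOI, EOI, APP1, SOS = b"\xff\xd8", b"\xff\xd9", 0xE1, 0xDA
EXIF_HEADER, GPS_IFD_TAG = b"Exif\x00\x00", 0x8825  # 0x8825 = IFD0 pointer to the GPS sub-IFD

def _segments(data):
    """Yield (marker, start, end) for each header segment after SOI, up to SOS."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # scan data follows: keep everything from here on
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_gps_ifd(exif_payload):
    """True if IFD0 of an Exif APP1 payload (header already checked) has tag 0x8825."""
    tiff = exif_payload[len(EXIF_HEADER):]
    e = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte order
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value/offset
        if struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] == GPS_IFD_TAG:
            return True
    return False

def sanitize_upload(data):
    """Return (clean_jpeg, had_gps): the JPEG with every Exif APP1 segment removed."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    out, had_gps = bytearray(SOI), False
    for marker, start, end in _segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            had_gps = had_gps or has_gps_ifd(payload)
            continue  # drop the whole Exif block, GPS included
        out += data[start:end]
    return bytes(out), had_gps

def constructed_sample():
    """Constructed minimal JPEG: an Exif APP1 whose IFD0 holds only a GPS IFD pointer."""
    ifd0 = struct.pack(">HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + b"\0\0\0\0"
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + b"\0\0\0\0\0\0"
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HEADER + tiff
    return SOI + app1 + b"\xff\xda\x00\x02" + EOI
```

Run `sanitize_upload` on the upload before anything is written to disk; the returned `had_gps` flag is the signal to record, not the coordinates themselves.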
        </div></body></html>