Beleaguered free-speech app Parler is down for the duration, as you probably know. What you might not know is that an Austrian lover of free speech managed to preserve “99.9%” of the posts from the service—even the deleted ones.
It was a simple matter of scraping more than 50TB of data via HTTP before AWS pulled the plug. I’m sure the site owners and their users are overjoyed that all this free speech has been rescued for posterity. It’ll make a fine record of their grand day out in DC last week.
It turns out that law enforcers are kinda happy, too. In this week’s Security Blogwatch, we learn learnings from lemmings.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 50 in 720.
FBI adores IDORs
What’s the craic, Zack? Mister Whittaker reports—Scraped Parler data is a metadata gold mine:
While the site is gone (for now), millions of posts published to the site … are not. A lone hacker scraped millions of posts, videos and photos published to the site … before the site went offline on Monday, preserving a huge trove of potential evidence for law enforcement investigating [those] who allegedly used the platform to plan and coordinate the breach of the Capitol.
…
@donk_enby scraped the social network and uploaded copies to the Internet Archive. [It] could be a gold mine of evidence for authorities. … Most web services remove metadata when you upload your photos and videos, but Parler apparently didn’t.
…
Many of the posts made calls to “burn down [Washington] D.C.,” while others called for violence and the execution of Vice President Mike Pence.
And Andy Greenberg adds—Basic Bug:
A very basic bug in Parler's architecture nonetheless seems to have made it all too easy to … freely download every message, photo, and video posted to the site, including sensitive geolocation data. … In the days and hours before [its] shutdown, a group of hackers scrambled to download and archive the site … dozens of terabytes of Parler data.
…
Parler lacked the most basic security measures that would have prevented the automated scraping. … It even ordered its posts by number in the site's URLs, so that anyone could have easily, programmatically downloaded the site's millions of posts [a] cardinal security sin … known as an insecure direct object reference [or] IDOR. … Services like Twitter, by contrast, randomize the URLs of posts so they can't be guessed.
Dude. You’re getting it. Dell Cameron spoke with the pseudonymous Ms. Enby: [You’re fired—Ed.]
[She] began with the goal of archiving every post from January 6 … what she called a bevy of “very incriminating” evidence … hoping to create a lasting public record for future researchers to sift through. … The scope of the project quickly broadened, however, as it became increasingly clear that Parler was on borrowed time.
…
Operating on little sleep, [she] began the work of archiving all of Parler’s posts, ultimately capturing around 99.9 percent of its content. … The copious data may also serve as a fertile hunting ground for law enforcement. Federal and local authorities have arrested dozens of suspects in recent days.
Perhaps it’s not only law enforcement who’d be interested in the info. Camel Pilot wants your help to liberate a Nigerian legacy:
My first reaction was: Wow, a list of extremely gullible people would be a marketing dream.
But but but … censorship!!!1! Wheels Of Confusion turns it around:
Parler was in a profit-sharing scheme with paid "influencers" and actively banning left-wing content. All while advertising themselves as the "free speech" platform for people who were banned from Twitter.
…
They knowingly, actively cultivated and created a business model around fueling right-wing extremism that was too militant for other services. And no, being kicked off Amazon isn't censorship anymore than being refused a book deal from the major publishers is.
It turns out that AWS had been “repeatedly” trying to get Parler to do something about the content—or so it claims:
AWS notified Parler repeatedly that its content violated the parties’ agreement, requested removal, and reviewed Parler’s plan to address the problem, only to determine that Parler was both unwilling and unable to do so. AWS suspended Parler’s account as a last resort to prevent further access to such content.
…
This case is about Parler’s demonstrated unwillingness and inability to remove from the servers of … AWS content that threatens the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens. There is no legal basis in AWS’s customer agreements or otherwise to compel AWS to host content of this nature.
…
The facts are unequivocal: If there is any breach, it is Parler’s demonstrated failure and inability to identify and remove such content. AWS was well within its rights to suspend Parler immediately for those failures.
Lest we forget, there’s a human person behind this story. Mata Hari worries for Ms. Enby’s safety:
Parler apparently has many military and ex-military members. … That's not the kind of people I'd openly flout about how I just screwed them.
Oh dear. But Properjob70 thinks it’s not as bad as all that:
Thankfully the young lady who pulled this off is over here in Europe. I suspect she's somewhat safer from vengeful [people] than in the States.
In related news, Joseph Cox notes more metadata malarkey—Another Muslim Prayer App Tracking Users:
The app sends notifications reminding users when to pray, shows them which direction to pray while pointing towards Mecca, and displays nearby mosques to users based on their current location. … Salaat First has more than ten million downloads. … The company collecting the location data, a French firm called Predicio, has previously been linked to a supply chain of data involving a U.S. government contractor that worked with ICE, Customs and Border Protection, and the FBI.
…
The leaked data itself contains precise latitude and longitude of app users, their phone model, operating system, IP address, and a timestamp. The data also includes the user's unique advertising ID [allowing one to] follow that person's movements through time.
…
Senator Ron Wyden [said] in a statement that "Google and Apple took a good first step protecting Americans’ privacy when they banned the data broker X-Mode Social last year. But … Google and Apple need to ban every one of these shady, deceptive data brokers from their app stores."
Meanwhile, ArchieBunker sees the silver lining:
Besides the armed insurrection it was also a super spreader event. Good to know we can do contact tracing on these … people.
The moral of the story?
Protect your object references. And throttle attempts to scrape. And strip metadata. And don’t render deleted objects.
And finally
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Andy Feliciotti (via Unsplash)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
