Parler data is being downloaded – This is huge!

Blogtrepreneur / Flickr

My friend who lurks Reddit posts messaged me in the middle of the night with this absolute bombshell. I work in tech and someone on the internet has managed to crack into Parler and begin downloading all of their content. They were able to do this because Twilio severed their ties to Parler. For those who are not tech savvy, Twilio helps keep track of a website’s users and passwords. It makes it so you can build your website faster rather than worry about boilerplate stuff like logging in and password recovery, etc. Well, since Twilio announced they were severing ties, hackers were able to create administrator accounts which gave them full privileges inside Parler. This means all the videos, posts, and other media people uploaded are available and currently being downloaded…including driver’s license photos.

You see, Parler billed itself as the far-right alternative to Twitter and Facebook. It’s the brainchild of the mega Trump donors: the Mercers. On Parler you can upload your driver’s license to prove you’re a citizen so you know you’re talking to real people and not random bots. It also has a nice nationalist ring to it. Also, they were going to keep your data secure, unlike the evil anti-free speech big tech.

And unlike Big Tech, they are AMATEURS with security.

There is also a security principle called “fail-open vs fail-closed” which you can read about here. I’m a developer, not a security expert, but as a developer, I understand this concept because when I write code I need to keep it in mind. When Twilio said “Hey, we’re not supporting your authentication anymore Parler because you aid and abet terrorism” that means that when you try to go to Parler and log in, there is nothing checking your password to see if you’re you. If I were the programmer, when you try to log in, and Twilio isn’t available for whatever reason, you would get an error saying “Hey, uh, I dunno what happened but Twilio isn’t responding. Get out.” I would close access to my system after this error. It’s logical because the maxim “unauthenticated users do not get permissions” would apply.

Parler didn’t.
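The fail-open versus fail-closed distinction described above, as an added example that is not code from Parler, Twilio or the author of this post. `FakeProvider` and its `verify` method are hypothetical stand-ins for an external verification service, and the usernames and passwords are constructed test values.

```python
import enum
import hmac


class AuthProviderUnavailable(Exception):
    """The external identity service did not answer."""


class Decision(enum.Enum):
    ALLOW = "allow"
    DENY = "deny"
    DENY_PROVIDER_DOWN = "deny_provider_down"


class FakeProvider:
    """Hypothetical stand-in for a hosted verification service (test fixture only)."""

    def __init__(self, users, online=True):
        self.users, self.online = users, online

    def verify(self, username, password):
        if not self.online:
            raise AuthProviderUnavailable("no response from provider")
        expected = self.users.get(username)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


def login_fail_open(provider, username, password):
    """Anti-pattern: 'could not check' is treated as 'checked and passed'."""
    try:
        ok = provider.verify(username, password)
    except AuthProviderUnavailable:
        ok = True  # the flaw: an outage grants access
    return Decision.ALLOW if ok else Decision.DENY


def login_fail_closed(provider, username, password):
    """Start from deny; only an explicit True from the provider grants access."""
    decision = Decision.DENY
    try:
        if provider.verify(username, password) is True:
            decision = Decision.ALLOW
    except AuthProviderUnavailable:
        decision = Decision.DENY_PROVIDER_DOWN  # surface the outage, still no session
    except Exception:
        decision = Decision.DENY  # unexpected errors are also a denial
    return decision
```

The fail-closed handler returns a distinct outcome for the outage so it can be logged and alerted on, while the caller still gets no session.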

So that leaves the door WIDE OPEN. It was easy to create an administrator password, if not thousands of them to cover your tracks, and then you get access to the whole store. Another thing which also appalls me is that there is a lot of PIFI (personal information) data that a would-be hacker has access to…and it doesn’t seem to be encrypted. See, when you build security you need to have fail-safes if in fact they do succeed in hacking you. I mean, 10-foot wall, 11-foot ladder applies in tech. If you break into my database, and you’re scrounging around for people’s social security numbers, then A) I’m not going to so easily label them as that and more importantly B) I’m going to encrypt them. This is “at rest” encryption, meaning when it is sitting in my database it is in encrypted form. So that column labeled “General_ID” (which may or may not be their SS #) will have a bunch of gobbledygook and it’ll take you a long time to figure out how to decrypt it. Have fun.
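The at-rest column encryption described above, as an added example that is not from the original post. It assumes the third-party `cryptography` package and uses its Fernet construction as the cipher, which is a choice made for this example. The table layout, usernames and ID number are constructed.

```python
import sqlite3

from cryptography.fernet import Fernet, InvalidToken


def open_db():
    # In-memory database with a neutrally named column, as in the text.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, general_id BLOB)")
    return db


def store_id(db, fernet, username, id_number):
    # Encrypt in the application before the value ever reaches the database.
    token = fernet.encrypt(id_number.encode())
    db.execute("INSERT INTO users VALUES (?, ?)", (username, token))


def raw_column(db, username):
    """What a copy of the database alone contains for this user."""
    row = db.execute(
        "SELECT general_id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]


def read_id(db, fernet, username):
    """Return the plaintext, or None when the key does not match the stored token."""
    try:
        return fernet.decrypt(raw_column(db, username)).decode()
    except InvalidToken:
        return None


def demo():
    # Assumption: in a real deployment the key lives in a secret store or KMS,
    # never in the same database as the ciphertext.
    key = Fernet.generate_key()
    db = open_db()
    store_id(db, Fernet(key), "alice", "123-45-6789")  # constructed sample value
    other_key = Fernet(Fernet.generate_key())
    return {
        "plaintext_in_db": b"123-45-6789" in raw_column(db, "alice"),
        "with_key": read_id(db, Fernet(key), "alice"),
        "without_key": read_id(db, other_key, "alice"),
    }
```

The protection holds only as long as the key is stored and access-controlled separately from the database it protects.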

So I don’t think Parler encrypted their PIFI data or their image data with respect to licenses, or stored it in a secure image bucket. I mean, this is one horrific security architecture failure after another. The bigger thing, however, is the fact that now all your neighbors’ violent posts about insurrection are being archived and associated with their identification. You cannot hide behind the anonymity of a username since the database keeps track of which user posts what. I mean for law enforcement this is huge, but for anyone tracking the far right this data would be a veritable gold mine.

Conservatives like to pretend liberals are bad at executing things, but then we get gems like this.

Monday, Jan 11, 2021 · 6:19:23 AM PST · sujigu

Also, in case you’re wondering, there’s a design choice between deleting data and having it go away forever, and deleting data but in reality you’re just “deactivating” it and it still sits on your servers. Parler chose the latter, so everything, I mean EVERYTHING, is up for grabs.

Monday, Jan 11, 2021 · 6:31:03 AM PST · sujigu…

Been researching for independent verification and it is seeming more and more legit.

Tuesday, Jan 12, 2021 · 7:10:03 AM PST · sujigu

Correction from source on Twitter.

This content was created by a Daily Kos Community member.

4 Comments on "Parler data is being downloaded – This is huge!"

What a bunch of idiots

Marie Tobias
I’m awaiting “3 8TB Drive sets” to arrive at the FBI, Justice Dept., Homeland Security, and the State Dept. When you hire Billy-Bob (because Billy-Bob’s a good’ol boy) to build your Social Media Platform… and the only thing he knows is WordPress (not a criticism on WordPress), you get what you deserve. 5 will get you 10, the Root User on their site was named “Admin”. Yeah, this is monumental stupid. In related news, Amazon just told Parler to suck gas… kicking Parler off their AWS web service. So now they need to move to a new, Neo-Nazi friendly Web…

I would not want my name on Parler or any other extremist media. Just imagine the FBI rolling through looking for threat messages.


😂😂😂😂😂😂😱 You reap what you sow!