167 comments

[ 1.9 ms ] story [ 243 ms ] thread
The description of the hack is not accurate. Okta is the service that disclosed the endpoints used.
Okta is a large, enterprise identity provider. I doubt in the case of a right-wing site existing they'd give out access to that provider on purpose? Did they mess up? I can't find any details about it yet.
I won't speculate on their intent, but by publicly commenting on disabling the account it looks like it opened the door for the hackers, again, if any of this is true.

It's entirely possible that Parler stored all of their data in S3, with metadata documents, and someone managed to find some creds in the app to list the object storage. These practices and this kind of vulnerability are both common.

It just a scare tactic to discourage the use of Parler. It's so poorly written that it sounds like a kid.
Not that they need much to discourage Parler, lol.
I mean, to scare off the existing users of Parler, but, I guess, shutting the whole thing down by the Big Tech Cartel was more efficient. I just don't get how people get away with abusing an undocumented API to fetch and publish PII - something that's illegal. Remember how people did the same with with T-Mobile and got into a huge trouble? Until we keep having these double standards, there always will be polarization and tensions! And how is this mess good for America and the world?!
If you're not signed up as a foster/adoptive parent, now is a good time if you want to have an impact. There are going to be a lot of kids flooding into the system from families that felt emboldened to become domestic terrorists by the President and those he surrounds himself with.
Probably a bigger effect is all the people who lost their jobs to covid. Domestic abuse always follows a large spike in unemployment
Certainly not disregarding that either, however it is also likely compounded by people that think COVID-19 is a ploy by liberals to fraudulently steal an election.
Cope harder loser.
Obviously you can't post like this or https://news.ycombinator.com/item?id=25710342 to HN, regardless of how wrong someone is or you feel they are. We ban accounts that do this.

I'm not going to ban you right now, because although you've broken the site guidelines in the past, it looks like you've mostly posted good comments. But if you don't start following them, we'll have to ban you next time. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the spirit of this site to heart, we'd be grateful.

Unfortunately there was also a massive dip in reports because of schools not being in session.
I can't think of a more effective way to spark a civil war than threatening to take people's children from them.
Well many of them will hopefully have family that is able to take the role, but sometimes the consequences of a failed insurrection aren't well thought out.
I thought the implication was that they'd be dead or in prison.
I can: Actually doing it, and selling them. Claiming they are not human, they deserve it, they are property, they are unequal, they are unworthy of compassion, then outlawing people's liberty to prevent it. And do it based on skin pigment.
I'm not sure why this comment is relevant. No one in the US (or the West more generally) is doing that or planning on doing it.
I though that's what folks on Parlor were doing but I couldn't download the app to see for myself ;-). My comment was an atttempt to highlight to the huge gap between threatening rhetoric and moral atrocities in sparking natonwide infighting.
"Twilio put out at midnight last night. In that Press Release, Twilio accidentally revealed which services Parler was using. Turns out it was all of the security authentications that were used to register a user. This allowed anyone to create a user, and not have to verify an email address, and immediately have a logged-on account.

Well, because of that access, it gave them access to the behind the login box API that is used to deliver content -- ALL CONTENT (parleys, video, images, user profiles, user information, etc) --. But what it also did was revealed which USERS had "Administration" rights, "Moderation" rights.

Well, then what happened, those user accounts that had Administration rights to the entire platform... The hackers, internet warriors, call it what you will, was able to use the forgot password link to change the password. Why? Because Twilio was no longer authenticating emails. This meant, they'd get directly to the reset password screen of that Administration user."

I'm not from the US, but as an outsider, this leaves a really bad taste with how Twilio handled the situation AS A BUSINESS.

> Because Twilio was no longer authenticating emails.

Can someone explain what does this mean?

Trying to make sense of it, I believe that means Parler was delegating their email verification and 2fa checks to Twillio. And somehow, without access to Twillio's API, they defaulted to not do any check at all? I'm not sure what to do of this, that doesn't sound that realistic but who knows.
That, or Twillio was reporting authenticated emails, without actually authenticating them?

It seems to involve some skipped auth steps on someones part though, not just a fail-safe/fail-dead mixup. It's not clear.

Maybe Parler was deciding based on HTTP status codes returned from the Twilio API, or the presence of some expected "error" field in the response (if it's not there, consider it ok), and one side screwed up the handling of an unexpected case? Pure speculation.

Instead of having "if explicitly ok, proceed", they maybe had "unless it's an explicit negative response in an expected format (or a connectivity issue, timeout, etc.), proceed"?

Which would be a pretty dumb thing to do, but I've seen worse.

> they defaulted to not do any check at all?

That would be a very unsafe default.

They wanted more users to register - they were urging users to invite friends and family - so they may have changed the safe default to the unsafe one thinking on verifying later without realizing the full consequences of what they did.
Maybe it was more complex: Create new acct 1 using valid email. Request users by username and see privilege. Find likely phone # and likely email for user : arroganttechfounder1 (admin). Create new acct 2 using likely phone number (fail, account exists). Change (add) new acct 1 phone # to match likely phone number (normally, the twilio validation step here would prevent duplicate phone numbers for multiple accounts?). Request pw reset for phone number (pw reset key saved to both accts?), no sms sent. Request pw reset for email (new acct 1) and logic sees non-expired key from previous request, emails you same key. Modify url to reset pw for arroganttechfounder1 using phone # and key.
> And somehow, without access to Twillio's API, they defaulted to not do any check at all?

I guess you could imagine user accounts being created with `authenticated=null`, and then having `authenticated=False|True` set in the in the success handler for some Twillio API call. Having null as the default would allow you to see in the database where authentication emails hadn't been sent out, so you could resend them.

And then I guess you could imagine a developer checking authentication by looking for cases where `!authenticated`, rather than `authenticated == True`. Granted I don't think this hack is real, but if it were then that's probably how it would play out.

Nope it was totally realistic.

I tried to create an account on Parler last night to check which services were turned off by AWS. I entered dummy data into their form. The POST to their auth service timed out...but the auth flow took you to the success page anyway?

I would hold off judging Twilio based on a random anonymous reddit post's account
Hijacking top comment.

Here's the data: https://donk.sh/06d639b2-0252-4b1e-883b-f275eff7e792/

#noflylist is trending on Twitter. Guess a lot of jobs will soon be available in Silicon Valley.

That is just a list of parler public urls.
The URL lists were used to distribute archiving of media content. 70TB of text, image, video, and metadata content was downloaded in a few hours with essentially a volunteer botnet.

The team at archive.org is importing the full archive right now.

I don't know about that's Only that the FBI is creating their nofly lists based on it.
Just a disclaimer, in case anyone has forgotten about the great ion cannon from back in the day:

If any of these Twitter or Reddit posts are true then I would talk to a lawyer before participating.

Participating in what?
BTW, where is that Press Release? Can't find it on the Twilio website.
Did Twilio actually make this alleged press release? There is nothing like that on https://www.twilio.com/press/releases
I have the same question about the press release. Where was it posted and what was its content?

I know that not all press statements are going to be on the website.

You said it nicely. At the end of the day, we all look after ourselves the most, and one cannot avoid thinking what if this happened to our company?

Twilio as a B2B doesn't gain a lot from being a "woke" company and following the trend of lynching Parler, on the contrary this can and will scream how Twilio can put your whole platform down overnight..

I wonder when are we going to see a legal discussion if / when internet access is going to become a basic human right? Just like electricity became ubiquitous, I expect internet access (email, payment processing, etc) to also become a right.

>> I wonder when are we going to see a legal discussion if / when internet access is going to become a basic human right? Just like electricity became ubiquitous, I expect internet access (email, payment processing, etc) to also become a right.

Is electricity a right?

In a way, yes (even in the US). You still have to pay for it, but there is a litany of rules and procedures they must follow before they can cut you off. Kind of like the foreclosure process.

They can't cut a customer's power over his politics--especially paying customers!

Electricity is a public utility, not a right. A public utility is a regulated entity that must supply anyone in their region who follows the rules -- and, in general, if you break the rules but then fix your behavior, they must allow you service again. The existence of a public utility does not forbid a private competitor, but the scale advantage of a public utility is generally overwhelming unless you have specialized needs.

It is reasonable to suggest that Internet bandwidth should be a public utility.

It would be useful to clarify what "follow the rules" here means, in the USA (for us non-USA audiences). It probably varies in different countries, but in most cases doesn't it simply refer to fair usage? Make your payments in time and don't put excessive strain on the grid by powering your inter-dimensional portal. Does ideology or clandestine activity matter in how you use electricity? Of course, a court order could force the utility company to cut you off, but can the utility company simply cut you off based on their or society's _opinion_ of your activities?

If you consider an internet connection a public utility, which we should, then that would be ostracism. In terms of companies being able to successfully run their businesses, are we at the point where a "cloud provider" should be considered part of a country's infrastructure?

I can agree with the point being made about an internet connection, but Parler was still able to buy some servers and self-host. Unless there's an argument here to consider cloud providers a de-facto component of a nation's tech infrastructure. Seeing as we have no proper public regulation of the sector and no public player providing the service, I'm not sure how far that argument would go. It's still an interesting question to ponder on, I guess.

ISPs, CDNs, domain registrars, DNS, etc. have all cut off services to sites that they consider in violation of their user agreements (which mostly boil down to you've become a liability for us). If you've annoyed enough people, you can pretty much get booted off the Internet--especially if you need enough infrastructure, data, authentication, etc. that you can't easily just force people into a game of whack-a-mole.
iirc a county in california recently switched off some youtubers' electric because they were hosting big get togethers despite social distancing rules. which seems to go a bit beyond fair usage. not sure if it was 100% legally sound, but they probably had to be at least reasonably confident in the move, since they could reasonably expect PR
> this leaves a really bad taste with how Twilio handled the situation AS A BUSINESS.

I wouldn't blame Twilio. It's entirely Parler's fault they allowed an unvalidated account to successfully register and log in.

Of course, it's also entirely the intruder's fault they exploited the wide open security hole.

Agreed. It’s a bit of column A and column B. Twilio shouldn’t have disclosed the services that Parler were using. Parler should not have allowed unverified users to log in ESPECIALLY if they’re dealing with PII. (Verified Parlers submitted photos of their licenses.)

Either way, this feels like something that will end in a lawsuit.

I doubt Parler will survive long enough.
I have no idea about what twilio did, as this is all completely unrelated to any work I've ever done, so that leads me to wonder about contingencies like this in general.

From the perspective of any company using a service like twilio (i.e., not just Parler and this specific set of events), would there not be some sort of failsafe in case something just like this were to happen? Or would this kind of thing be so nearly inconceivable that you wouldn't protect against it?

There's two ways to react if an API you're using for authentication type stuff is down:

* Fail and essentially have downtime on the features using the API

* Succeed and essentially have no authentication for that time but no downtime

Parler took the second approach. Platforms that value security would take the first approach.

The description doesn't really make any sense. Did everything just fail open? I would assume that if your SMS/Email service stopped working then it would just be that nobody could login or sign up.
> Did everything just fail open?

That seems to be the consensus.

Tagging onto the top comment here. I work at Twilio and this is our official statement on the enforcement of our AUP with Parler.

---

With regards to reports of cyber security issues Parler experienced and have been attributed to Twilio, our security team investigated the claims and found no evidence indicating their security issues were related to Twilio or our products. Per our Website [0], Twilio has not issued any press releases pertaining to or referencing Parler.

Furthermore, Parler was using Twilio to send out identity verification codes for new downloads or password resets. Once a user was verified, security protocols were independently handled by Parler and did not involve Twilio or its products. On Friday, January 8th, we sent Parler a letter informing them they were in violation of our Acceptable Use Policy [1] and notifying them that we would suspend their account if they did not make efforts to remediate multiple calls for violence on their platform. Shortly after receiving our letter, Parler informed us they had already turned off their integration with Twilio.

Any cyber security issues experienced by Parler were completely unrelated to Twilio or any of its products.

[0] https://www.twilio.com/press/releases

[1] https://www.twilio.com/legal/aup

I find it hard to believe this timing is a coincidence...
Nobody is claiming that it's a coincidence.

They're claiming that the "we're not providing services to Parler any more" public statements of Twilio unintentionally provided the information necessary to perform the hacks.

How would disabling Twilio disable authentication entirely? From what I see it is used to send SMS and maybe Email as well. So I could understand that it would prevent login, registration and password reset if that service is offline, but it shouldn't allow any of these without authentication.

Unless the software skipped authentication entirely when this service was unavailable, which I find hard to imagine. But that seems to be what is claimed right now.

It appears Okta also banned them, they must have default succeeded instead of default fail, maybe an interaction between the two?:

https://twitter.com/okta/status/1348191370528256002?s=20

That would be extremely careless, and I find it very hard to believe that this happened.

An unlikely, but more plausible option to me would be that after removal of the Parler account, someone else was able to register the same account and gain access that way. But that doesn't fit the description all that well, and I'd also expect that this would not work at all if the authentication service is not very careless.

Parler's infrastructure was extremely carelessly built in lots of ways, so it doesn't shock me.
Maybe another explanation is that they quickly hacked around the lack of these services just to get things working again? I can imagine them quickly making a bunch of ill-advised code changes just to get their platform working.
They make a request to twilio and their logic checks for a failure response instead of looking for a success response. They are not getting back a different failure response and this causes the requests to be incorrectly be marked as success.

For example here is how something like that might break:

    /auth 
    -> returns {"success": true} and 200 on success
    -> normally returns {"success": false, "error": "BLAHLBAH"} and 200 on failure
developer checks if response["error"] is null to check if it was successful or not

after your account is disabled /auth starts returning empty json: {} with a 500 error code

oops. now all the requests are incorrectly marked as success. i know this happens because i've seen similar things happen in real life.

the error could also be more obvious and the code just fails open. someone has a try/catch and returns true either because of an accidental mistake or because they don't want users to be locked out when the provider is down.

> the error could also be more obvious and the code just fails open. someone has a try/catch and returns true either because of an accidental mistake or because they don't want users to be locked out when the provider is down.

Failing open would be a catastrophic mistake either way. "The auth provider is down, just let everyone in!"

Wait. So how did it work exactly? Why would you get to reset password after clicking "I forgot password?"

I thought password reset flow is initiated from the email link not from "Forgot password" link and just paused till email link is clicked.

Oh come on, it was a honeypot from the beginning.

Everybody in the last few days was talking about Parler -- they got more exposure than ever in their life. The takedown from AWS was announced a few days before, so more users could register. Parler was running a "Verified Parler citizen" (wat?) campaign, to gather more personal data. And now, hackers conveniently exposed everything. Hackers are unpredictable, you know.

I am not defending the Parler audience; the honeypot was elegant, but is it ethical?

I signed up to explore the site yesterday. Was curious from hearing in the news and it required an account to view. There was no verification process whatsoever. I popped in a fake email and then got immediate access. So not sure what this "Verified Parler citizen" thing refers to ...
To get verified you had to post a scan of your driving license or another document, which was then stored in Parler's database. After all that happened (and even before 6/1 it was clear that Parler was being closely watched by a lot of three letter agencies), it was clearly a honeypot.
"Verified Parler Citizen" is basically a red badge to prove that you weren't a bot account. I think there were other benefits but I can't recall off the top of my head.

As a privacy-conscious person, the thought of uploading the front and back of a driver's license + selfie, or passport just to get an "I'm not a bot" badge is ridiculous.

Prior to Okta and Twilio revoking their accounts you needed to provide SMS authorization to create an account (you give them a number, they send you a code, etc.). It seems likely after their API access to Okta/Twilio was revoked their services weren't written to catch and handle the new exception these API calls were probably raising...

Based on this twitter thread from Nov 2020 they may not have been hiring the best developers: https://twitter.com/davetroy/status/1327253991936454663

It was funded by the Mercers so probably wasn’t a honey pot as they have interest in its business model as a primary cause.

It may have ended up as one intentionally anyway.

(comment deleted)
Yeah, sure buddy. Financed by the Mercers[1], are you kidding me.

[1] https://edition.cnn.com/2020/11/15/media/rebekah-mercer-parl...

So what? The operation could have been approved only in the last few weeks or so. It is this "account verification" thing that convinced me. Even Facebook does not encourage you to upload a driving license, ffs.
So what? Anything could be. Maybe this site is a honeypot! Maybe not.

Just always cherry-picking the interpretation you happen like to be true does not lead to the truth, it leads to conspiracy phantasms.

The verification, according to their ToS, was only required if the user wanted to take part in their monetization program. Their ToS states that US law requires them to gather certain PII for auditing purposes. A regular user didn't need to submit anything but an email address.
Not exactly. They were promoting verification on their front page, as a measure to "fight bots". Verified accounts were displaying a "not a bot" badge.
This post seems fake. There was a group of people archiving the public content of parler using this docker container https://github.com/ArchiveTeam/parler-grab and archiving it here https://tracker.archiveteam.org/parler/.

I can't validate anything else in this twitter post. The administrator accounts part all seems fake, unless anyone has found the rest of the content or has a better source?

Previous discussion deeming its fake here https://news.ycombinator.com/item?id=25725268

The reddit post describing the hack mentioned creating "MILLIONS" of fake admin accounts: https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_par...
This directly references the public archive team effort, not evidence of a the hack. The comment and “story” that is circulating seems like it’s just taking the public archive team effort and adding some sort of falsehoods around a hack where they were also pulling data via admin functionality. I can’t find any other information about the admin hack apart from this potentially false story.
Check out my comment, below the top-comment in this post.
Your post just links to the list of public Parler posts that were scraped from the website. Not evidence of a hack.
This was my take on reading the wild "2nd hand story" in that reddit post.

Almost none of it makes any sense; instead it seems like people just crawled parler's public API and saved the responses into a big archive ("the leak"). The only "exploit" I see could be that parler uses incrementing IDs for posts/content allowing easy enumeration crawling.

(comment deleted)
I don't know why but what's happening to Parler doesn't feel right at all...
While it does feel reactionary (if that's the right word) that the services are only now revoking doing business with Parler, they are within their rights to stop the contract one-sidedly. I'm actually fairly sure that in the contract they don't even have to state a reason, but don't quote me on that.

Something something free market.

that would be cool if they also implemented the same policy towards other violent/inciteful players and terror organizations
They should, and many do. Once you start peddling in calls to violence against people, no just ideas, then you should lose access to your platform and well deserve to be investigated.

Being complacent with these things gets people killed. You can have free speech all you want but are also responsible for what you say.

Free speech doesn't mean you get a free pass without consequences.

except their efforts are largely focused and selective

switch to arabic language and you will see things that could be easily identified as violent propaganda,yet they stay up because FB censorship system is not interested in enforcing rules in that sector

from what i hear its pretty much the same for India

(comment deleted)
> While it does feel reactionary (if that's the right word) that the services are only now revoking doing business with Parler, they are within their rights to stop the contract one-sidedly. I'm actually fairly sure that in the contract they don't even have to state a reason, but don't quote me on that.

Yeah most of these services are doing that to avoid being associated with Parler and these Trump movements. But it has an anti-democratic feel to it.

Yep, there are no good choices here. Parler is an organizing venue for Trump supporters attempting to overturn a democratic election and/or storm the capitol, which also has a rather anti-democratic feel to it, no? So you can think of it as a trolley problem with "democracy" strapped to both sets of tracks. Since democracy will be a casualty, to one extent or another, in both the "do nothing" and "do something" options, the service providers must ask themselves: which scenario will hurt democracy worse?
> the service providers must ask themselves: which scenario will hurt democracy worse?

As I mentioned above, what they are likely asking themselves is pragmatic instead of moral, i.e. "which option exposes us as a company to the most legal problems? What hurts profits?"

That explains why service providers changed their thinking so suddenly and dramatically after, you know, a whole lot of serious crimes against the state happened on the 6th, and the evidence trail runs through those service providers.

> the service providers must ask themselves: which scenario will hurt democracy worse

Adendum: why _must_ they ask themselves that? Do you think Facebook ever has acted in that way? Do you think that Fox News does?

It would be nice, but recognise that none of these are entities dedicated to maximising democracy. They have been behaving otherwise for decades. They won't spontaneously change of their own accord.

https://www.nytimes.com/2018/11/06/technology/myanmar-facebo...

You think that, democratically speaking, the majority of Americans are in favor of Parler conducting business? You think there should have been a vote or something?

Amazon, Apple, etc don't work democratically though so it doesn't matter.

We just had elections, see how that went.
I agree. As much as I feel it should be taken down, this has all the makings of a (corporate) lynch mob.
(comment deleted)
I guess you dont get the irony of using 'Lynch Mob' figuratively, because Parler was de-platformed for helping organize literal Lynch Mobs
No, I was aware of that. It was why I used the term.

It’s not the same at all, but it still leaves a bad taste in my mouth.

Legal action against the platform would have been fine.

No judge would take the case though. Not from an ideological stand, but from a technical one. Amazon (presumably) has a contract that says they can nullify the contract if you do things that violate certain conditions.

Say it was Amazon suing Parler here. Amazon says that Parler is doing stuff Amazon doesn't like. Parler says tough cookies, we're still gonna do that stuff. So Amazon brings Parler to court. The Judge asks what Amazon wants to do about this. Amazon says it wants to kick Parler off. The Judge says 'Yes, the contract between you two says you can do that. Why the hell are you wasting my time? Read your own contract, what are you, a buncha pre-laws?' Parler is then kicked off.

Bad taste or not, Amazon (it appears) is well within it's rights to dissolve the contract with Parler (which I have not seen).

I believe GP is referring to government legal action against Parler for "helping" organize lynch mobs. Extralegal retribution from oligopolistic service providers is of course also allowed by law, that just doesn't make it fine.
Tech companies are shutting the Trump movement down because of public pressure. Its no different from any other boycott in that sense. Capitol Hill riot was the classic "free speech but not free from consequences" moment. Association with conservatives is now a financial liability.
> Association with conservatives is now a financial liability.

Considering they make up an enormous percentage of the population, I'm not sure that's a sound strategic move.

(comment deleted)
The left loves to defund/demonitize firearms content, the right nudity and lgbt content and both love deplatforming their opponents one moment and then get outraged if their stuff is removed the next. You see it with net neutrality, cda230, demonitization, forum moderation etc.

It seems people just don't care about consistency anymore, it's just whatever is convenient in the moment.

You're talking about authoritarians on both sides. There are still libertarians on both sides (and even independent) who care more about civil liberties like freedom of speech (the ideal, not just the first amendment).
This! It frustrates me so much that so many people constantly just talk about left and right while completely ignoring the Y-axis of the political spectrum! To me, both parties are firmly in authoritarian land, and no amount of calling it "both sides-ism" will change that fact.

Another frustrating thing is seeing people take a position and just label everything one or the other side, while there are a huge swath of voters and non-voters who don't identify with either party.

(sidenote: Right now, I am liking the Movement for a Peoples Party.)

It frustrates me that people mistake the political compass meme for a thing that actually exists.

It's more complex than "left" vs. "right" and authoritarian vs. libertarian. Compressing politics down to literally two dimensions is a disservice to any political discussion.

What better way is there to condense the political "spectrum" into an easily digestable product? Of course it's not perfect by any stretch, but the multi-axis charts are much more useful than the line-chart of left right most people tend to talk about. It's certainly much more than just a "meme" that doesn't exist.

From The Decision Lab: "A single-axis model conflates liberal and conservative ideologies with right-wing and left-wing stances, excluding the nuances that can exist in someone’s political ideals. Single-axis models like the right/left-wing divide have been criticized for being too simple and reductionist, and it has been suggested that the right/left divide only captures economic issues but that it need not be reflective of one’s social political identity.2 Instead of having to have left-wing mean liberal and right-wing mean conservative, the political compass proposes that we are better off measuring political ideologies on two separate axes: a right/left economic axis and an authoritarian/libertarian axis.3 With such a model, it would be possible for someone to be right-wing and libertarian, or left-wing and authoritarian; none of the views are made mutually exclusive with another. The political compass proposes this alternative model because research has suggested that one’s economic views do not always align with their overall political identity, and therefore, the model would allow people to more accurately understand where they stand in relation to other views, which could mean a less polarized political landscape." [1]

https://thedecisionlab.com/reference-guides/test/political-c...

At least we can agree that a two dimensional spectrum is infinitely better than a one dimensional spectrum. Especially when terms such as "left" and "right" are incredibly vaguely defined and differ greatly based on who you're talking to.
It's true but feels like a loosing battle for principled moderates/libertarians these days. Everyone loves to critique and tear down what we have for real or perceived injustices but few are willing to the context and compromises that led to them or propose realizable, incremental solutions.
If any competitors pop up, they can just get AWS or VISA to pull the plug. We're now officially living in a totalitarian state and Silicon Valley is the secret police.
I would draw a distinction between "Conservatives" and a small subgroup within the right that is actively fomenting a violent insurrection.
I think that's what's happening is that the big tech cos have had conversations with their lawyers along the lines of "it's one thing to host talk of insurrection from Bob in Knoxville when it looks like cosplay fantasising, but it's another to host it after they killed an on duty police officer while storming the Capitol building with intent to kill senators". The provider's potential liability in planning high crimes will tend to focus minds in a way way that "hosting deplorable speech" did not.

I'm not suggesting that the deplorable speech was mere harmless fantasising, as it seldom is, on a long-enough timeline. Just that this justification is manifestly no longer tenable.

This reminds me of the fascist movement in 1930s Britain. They became socially unacceptable when they started to use violence.
Parler was set up by spivs and cranks to encourage fools and fascists to gather and destroy civil society. Now that same civil society has rejected them. Don't feel too bad.
Parler is a single issue site funded by the Mercer family, the same family that funded Cambridge Analytica who helped Trump rise to presidency.

It's sole purpose is to be a staging area for right wing extremists and politicians who support things like violent coup attempts in D.C.

I didn't cry about Amaq being removed every time it popped up and I won't be crying about this. If you feel so strongly about it look up the reasons why Amazon and others dropped them. Look at the posts the Parler mods refused to remove.

If there is one lesson to be learned from these last few weeks it is that you can not rely on any external service if you do anything which goes against the dominant political narrative. I have never been on Parler's site so I can not check the veracity of their supposed implied or direct support for seditious acts but that does not seem to matter anyway, it is enough to stand accused to be considered a witch and burned at the stake.

Build your own is the device, keep your equipment on your own premises, make sure not to have single points of failure - that implies you need to have a backup access provider just in case your internet connection gets cancelled. Don't rely on electronic payment processors, you can use them but make sure to have a backup. Don't rely on a single bank, have multiple accounts, preferably in more than one country.

It is a sad thing that it has to come to this but I think we'll eventually end up with politicised service institutions which cater to "progressives", others which cater to "conservatives". They won't state this directly but it will be known that a conservative builder is better of at this bank and that insurance company, he'll prefer to buy this coffee and that brand of razor, etc. A shame, really, the more divided society becomes, the harder it will be to find a common cause when such is needed, e.g. in case of a national emergency like an epidemic.

It has nothing to do with "the dominant political narrative", and it has everything to do with violent rhetoric on their platform that they refuse to moderate. This violent rhetoric is against the Terms of Service for the external services that they rely on, hence the termination of those relationships.
There's going against the dominant political narrative, and there's organizing and committing federal crimes like breaking and entering into congress.

You have freedom of speech and the government cannot arrest you from saying things on the internet. However, organizing a raid on the government will get you in trouble, and never forget that nobody is obligated to give you a platform.

Except for lol the fact that this isn’t the first time they block and erase pages and people they have been doing it for years without any kind of organization or real life reasons for it stop licking the boots of technocrats is pathetic.
You have freedom of speech and the government cannot arrest you from saying things on the internet. However, organizing a raid on the government will get you in trouble, and never forget that nobody is obligated to give you a platform.

This sums the whole thing up pretty neatly.

> if you do anything which goes against the dominant political narrative

I'm so tired of this. The reason people are getting banned from these platforms and services isn't because of just run of the mill political views. They're getting banned because they are hosting content calling for the violent overthrow of the US government. Apple didn't ban Parler from the app store for their attitude towards capital gains tax, they banned them because they found

> direct threats of violence and calls to incite lawless action

The reason people are being banned now isn't some sudden decision by publicly traded companies to try and endorse a left wing agenda. It's because there's been a massive uptick in the number of people advocating violence as a means of advancing their political agenda.

People keep acting as if these actions are being taken in the context of the 2008 election where everyone was pretty much civil and there was no real question of violence. In that context, yes, it's an outrage that liberties are being crushed. But that's not the context of today. Today we have people openly talking about murdering democratic (and somewhat bizarrely, insufficiently local republican) politicians, and credible evidence they plan to carry out those attacks.

The issue isn't that those people are being censored, the issue is they exist in the first place.

America is going off the deep end. Who would have believed 10 years ago that members of Congress would dispute the outcome of the elections?

What was once extreme and crazy is now the new normal.

> direct threats of violence and calls to incite lawless action

And we see that every single day on Facebook and Twitter. Its against their terms of service, just like its against Parler's.

As a single entity, I don't really give a shit about Parler. What I do give a shit about is treating everyone fairly. If Parler goes because it has a shitton of users and can't swiftly police all content, then Facebook needs to go because they have a child pornography problem.

Listen to this podcast if you want to learn just how widespread the issue is: https://samharris.org/podcasts/213-worst-epidemic/

I don't see how you can make the argument that child pornography is the same systemic risk as allowing people to openly plan to overthrow your democracy.

If child pornography is happening on your site, the FBI can come along and crack down, arrest those involved, and of course you're keeping logs to help them. If I plan a revolution on your site, the FBI are coming - not for me, for you. Once I'm in charge sure as shit you're not going to have the freedom to overthrow me the way I overhtrew you.

> just like its against Parler's.

Amazon and others asked Parler to remove content, they didn't. So they were removed from the service. If you want to lie or make up a defense for Parler please at least try a narrative that isn't false.

> the dominant political narrative

Funny, I thought the dominant political narrative was that terrorism is bad.

AWS gives 5Gbps connectivity to instances, according to https://docs.aws.amazon.com/whitepapers/latest/ec2-networkin...

So, if the sum total of Parler was 70 Terabytes, as claimed... the transfer time would be 38 hours, if it was hosted on one instance... but it obviously wasn't. It was more likely only a matter of minutes.

This shows a new type of cloud hosting vulnerability. Your entire corporations infrastructure could be mirrored faster than you could notice.

An interesting bit is how easily broken the website was without key components. There's a worthwhile case study here (if any of this is true) that I would suspect concludes in divesting from SaaS and IaaS.
> This shows a new type of cloud hosting vulnerability. Your entire corporations infrastructure could be mirrored faster than you could notice.

This is actually fucking terrifying.

Additional interesting scenarios:

- Nation states that manage to infiltrate a few spies into Amazon or Google could "just" copy the backups of the database without anyone being the wiser.

- My favourite mission ever from the "Shadowrun" games: Step 1 was a mission to alter the backups of some main database (stored at some 3rd party) to include additional admin credentials. Step 2 was to "clumsily" attack the main target and not-quite-hack the main system so that they would restore from backup just to be sure, thereby importing the actual backdoor.

The problem with this is that in the case of Google/FB/etc the database to be copied is so large as to make this task functionally impossible. Even if you happened to have a half a petabyte of storage available somewhere you would lack the bandwidth to exfiltrate. The problem with Parler is that it was living on a shared cloud so it was easy for someone to spin up copies and use intra-DC copy mechanisms (or even simple volume mirroring) and the data was also small enough to be within reach for anyone who was curious -- it would cost you less than $5K to copy and then export the entire Parler corpus in less than an afternoon.
> This shows a new type of cloud hosting vulnerability. Your entire corporations infrastructure could be mirrored faster than you could notice.

and YOU are paying for the bandwidth too :-)

"There's no such thing as a free security incident"
Upload into many clouds is free. You could set up a bunch of instances on Azure to download data to a data store and shutdown when finished, unless I’m missing something.
They mean that the corporation is paying for the people downloading 70 terabytes from them.
Ahh, I misunderstood.
Moving 70 TB off quickly of AWS with anything less than EC2 resources costing hundred bucks an hour sounds infeasible
Spot instances, though.
The explanation is a jumbled mess, but I think there are two key parts here:

1. Somebody reverse engineered the iOS app, which allowed them to access Parler's API and enumerate all of the content on the app

2. The Twilio shutdown affected SMS verification for new account registration, meaning people were now able to programmatically create many new user accounts which they could combine with #1 to scrape all the data without being rate limited

I don't believe they were actually rate limiting per account regardless. The "hacker" Set later in the day on Twitter that there was a misunderstanding that the account creation script was related at all to the data scraping. Just that it was actually possible, but unnecessary because they didn't rate limit per account.
I wonder if Twitter will be nuking any info from their site, with their policy against posting hacked information and whatnot.
Seems to be another faked "hack" of Parler. Does Twilio even have a user management component? Why is the explanation of the hack a jumbled mess?

I'll believe it when after private convos are leaked.

> "The things that they are saying on here are vile and disgusting and should be removed from the internet"

> "Let's archive everything that was ever posted on there are share it with the public"

If I am understanding this correctly, Parler devs left the app as MVP. They never rebuilt it with security and privacy in mind.
Can we get some better sources? This seems like an awful lot of hearsay, and there have been several comments from HN readers in this thread[0] and another[1] indicating that there is no public evidence to support these claims. Given that the author is alleging this is a crowdsourced effort, such evidence should be trivial to locate, but none has surfaced.

[0]: https://news.ycombinator.com/item?id=25727332

[1]: https://news.ycombinator.com/item?id=25725268

For those coming to the comments later, it was bullshit. No one from that group was claiming admin accounts were able to be created. Just that you could easily create regular accounts with a script because email verification wasn't required anymore. That original reddit explanation was mostly bullshit.

That so called technical person that knew much more than the poster apparently was misinformed.

Very shoddy development. It sounds that if there was ever a Twilio outage, the same vulnerability could have played out. Not hard to know how Twilio is used either, especially as employees come and go. This was a disaster waiting to happen either way.
More terror ops against conservatives.
Your security is only as good as your unpopularity. Karma.
In the midst of all this, one thing always bite any site when some break-up happens:

>Also, a lot of posts were deleted by Parler members after the riots on the 6th. Turned out... Parler didn't actually delete anything.. just set a bit as deleted.

The perils of soft/logical delete instead of hard/real deletion.