“Cloud computing 101” – lessons from Parler, Amazon and the alt-right. Plus a lesson on cyber (in)security.


PLUS : Parler’s data was not “hacked”. The truth was far simpler: Parler lacked the most basic security measures that would have prevented the automated scraping of the site’s data. 

BY:

Eric De Grasse
Chief Technology Officer

13 January 2021 (Paris, France) – There’s a lot of confusion about what it means when Parler was kicked off Amazon Web Services, a subsidiary of Amazon providing on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. It’s known as AWS in the industry.

So here’s a quick summary to explain it to folks who aren’t deep in the technical weeds (a mash-up of my thoughts, aided by a few cloud computing mavens of mine):

You use an app (in this case, Parler). There’s a web site you can use, and apps you can download onto your phone via Apple and Google. Those three versions of the app all talk to servers (large computers) behind the scenes.

In the Olden Days, getting those servers took months. Then you had to sign deals with companies to host those servers. They take massive amounts of power, they run hot so air conditioning is a big deal, and they need an enormous amount of bandwidth.

What became AWS first surfaced in 2004 and officially launched in 2006. In the last reported year (2019) AWS generated revenues of $35 billion.

The idea behind it was that instead of needing tens of thousands of dollars to get those servers built up, and spending months on it, you could simply rent these servers by the hour. A credit card and a few clicks of a mouse later and you were basically able to spin up huge numbers of these servers.

Obviously, it’s not just random social media apps. It’s what powers Netflix, it’s what Capital One and a hundred credit card companies use, etc.

NOTE: although Netflix does use AWS in some aspects, it also has its own proprietary hardware in colocation (“colo”) data centres, mostly for caching purposes. These are a type of data centre where equipment, space, and bandwidth are rented to retail customers. Netflix owns its own CDN (Content Delivery Network) to deliver the actual videos, as doing that from AWS would be prohibitively expensive. AWS is what powers Netflix’s metadata and account info.

Now, getting booted off of AWS is virtually unheard of. When people leave intentionally, the planning takes months and execution can take years. It’s a lot harder than you think, for a few reasons.

NOTE: I’ll leave out the Parler lawsuit against AWS and the AWS “Terms of Service” because later this week there will be some very good analysis posted by several legal media sites. Basically, though, in AWS’s contract terms you’ll find (and I am paraphrasing) “We reserve the right to boot you off for convenience” and “We reserve the right to boot you off immediately for cause”. To be clear: all of the cloud companies have basically the same “Acceptable Use Policy”. For those of you interested, Amazon filed its response to Parler’s motion for a temporary restraining order. It’s short and looks like a “take no prisoners” approach, at least based on the first paragraph. Click here.

Amazon’s lawyers are phenomenal, and Amazon has deep pockets. I’ve been in IT since the 1990s and got into cloud computing almost at the start (the term was coined in 1996 in a Compaq presentation although it was originally linked to the concept of distributed computing). I have had the opportunity to work with Amazon lawyers numerous times through the AWS Partner Network which is a global community of partners who leverage AWS to build solutions and services for customers. The caliber of the Amazon legal team is off-the-charts. Tech savvy, legal savvy, business savvy.

It takes time to move all of that data (there’s a reason downloads take a while), but that’s just the beginning. AWS doesn’t just sell “big empty computers.” They offer higher level services. Preconfigured databases, automatic video streaming, etc. These services aren’t really directly compatible with other companies’ offerings. Making what you built on AWS’s systems work elsewhere is super challenging.

Parler claims they didn’t use these higher level services. Taking that as true, there are still problems. The way AWS’s services work – how you create them, how long that creation process takes, how you get data onto them – mean they behave differently in AWS’s world than elsewhere in the cloud world.

A lot of assumptions about how the servers behave are “baked in” to how Parler (and any AWS-hosted application) is built. A lot of companies don’t realize those assumptions are there until they try to move. That’s why migrations take months or years. Parler had 30 hours.

A lot of folks in the cloud computing world make noises about this, about why “deploying on multiple clouds at once” is imperative. I have disagreed with this notion and still do – it takes a lot of work and time that could be used to make the product better.

But if you’re going to get booted off of basically every cloud provider out there because you can’t follow their very, very, very permissive rules it’s no longer optional.


As we all know, Rebekah Mercer started and funded Parler. She is the American heiress and Republican political donor who is the director of the Mercer Family Foundation – that mega-rich family.

But I think Parler was more a vanity project for Rebekah. It was formed and launched in September 2018 after 1 month of “planning”. It was all marketing 💬 💬 chat. No tech savvy. Its systems allowed a massive data take-down of all its members’ data (see details below). Obviously they built Parler on a shoestring budget, otherwise they wouldn’t be using AWS or any other Big Tech providers. If Parler was truly intended to compete with the big boys, then it would have been resourced. Parler should have built their own. As my business partner, Greg Bufithis, noted in a blog post yesterday, “the people running Parler are technology idiots”. The sentence I wish he had left in: I feel like if you asked the Parler CEO what the 1930s Nazis got the most wrong, his response would be “having good graphic design.”

Look at the approach the far-right social media site Gab took. Gab is the other major American alt-tech social networking service known for its far-right and extremist userbase. Gab runs its own servers, email system and messaging service, and the entire infrastructure took 2 years to create. That is the way it is done. Or Pornhub, which also self-hosts. Although the chans are something of a mystery to me. There are a number of those, plus adult entertainment sites, on AWS and others, but you won’t see their logos on the AWS sales pages.

Parler’s response has been … well, ludicrous. “We’re going to build our own hyperscale cloud provider like Amazon, Google, and Microsoft!” Notice how all three of those companies had existing businesses that weren’t cloud computing first? Figure on $20 billion for your first wave hyperscale cloud. Rebekah, are you fed up yet?

And the rejoinder to all those “Amazon took Parler down because they don’t like us!” takes? AWS continues to host the “publication” (The National Enquirer) that threatened to leak Jeff Bezos’s dick pics. Let that sink in. 

I do get the concern that this might reflect poorly on AWS, and on the cloud in general, for future companies deciding whether to use them. I get the PR of why they did it and am glad we are stopping violence. But if AWS can effectively put a company out of business in 24 hours, that makes you want on-prem workflows. Yes? Ah, no. I would be less likely to use AWS to host, y’know, Stormfront. AWS’s generic terms are quite clear about when they’re allowed to do this. Netflix is NOT losing sleep tonight.

Will Parler come back? The conventional wisdom is “never”. But in today’s world, “never” is a bad term. I mean, thank God the U.S. had that intricate system of institutional checks and balances and constitutional safeguards so that a demagogue could “never” …. ah. Let me get back to you on that.

Rebekah was why Parler got up the first time. But VCs certainly won’t invest in this. Ad revenue isn’t anywhere near where it would have to be to support it. The “commerce dynamics” behind web sites are not really my area. But I do know that the talent and resources it takes to host this equate to a burning pile of cash. So there is a wider implication from all of this … the Amazon take-down, being booted off the Apple and Google app stores, etc. … and that is that the world of alt-tech isn’t just looking for alternative platforms, but for hosting, payments and app stores. The big question now is – does the alt-right actually have access to the capital and tech talent to make that happen?

The most disturbing part? Parler’s CEO Matze has family connections to Russia (his wife is Russian, and he lived in Russia for a while), so we should assume he is getting offers of hosting there. If he hosts Parler there, it then becomes open to NSA surveillance. If he accepts material support from Russia in support of sedition here, it could be seen as treason. Hmm. Additionally, according to one of our military intelligence sources, any material relationship with Russian interests would require registration under FARA § 951. And all this in the context of having dead, banned apps, with only a web UX for distribution. With users leaving in droves, and funds draining rapidly.

Other bad-actor hosts like the Jim Watkins/VanWaTech group are likely also offering to help. They are enabled by a company called CNSERVERS in Vancouver, WA. Guess what “CN” stands for? You guessed it: China. Their infrastructure is sometimes backed by assets in Russia/China.

So, like Cambridge Analytica (another Rebekah investment), given the almost near zero possibility of survival, I assess that all involved will likely terminate this kamikaze mission, take the data they harvested, use it for future ops, share it with the Russian government in trade for something, and move on to a new venture.


Parler has given us so much!! No, Parler was not hacked. A viral and now-deleted Reddit post that on Sunday claimed Parler had been hacked, and that users’ private messages and other personal info had been harvested for public leaking, is basically not true.

Said post was written by someone who claimed to have heard from a friend with “technical” skills who explained how Parler had been broken into, and the prose used a garbled mix of IT terms, from Twilio APIs being abused to magic SETI-like Docker containers. It had a whole “my uncle works for Nintendo” vibe to it. The post, for instance, referenced a Twilio press release that “accidentally” spilled the beans on Parler’s security, but no such press release exists.

Based on what appears to be an account from the lead hacktivist archiving Parler’s public contents, all that’s going on is common-or-garden scraping of publicly available posts – or what was available until AWS pulled the plug on Parler’s hosting on Sunday night. The process of scraping the site was containerized, and a Dockerfile shared, for anyone who wanted to grab a copy of the 70TB-odd of hosted data for themselves.

It was discovered that it’s trivial to enumerate public posts, videos, and images shared on Parler, allowing them to be downloaded en masse. That’s it. There was no collection of Parler users’ private messages, credit card details, or government-issued photo IDs. (Netizens can submit their IDs to Parler to verify their identities and gain so-called Parler citizen status.) Much of the leaked private information was shared with law enforcement, who shared it with airlines to establish “No-Fly” lists for those who stormed the Capitol last week, and to arrest them as they landed back home.
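Mass enumeration of this kind leaves an unmistakable footprint in a site’s own access logs: one client walking post IDs in strict sequence, far faster than any reader. The following detector is an added example written for this post, not Parler’s or anyone else’s code; the log lines, the `/v1/post?id=` URL shape and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format; the IPs are
# documentation ranges and the URL path is an assumed, made-up API shape.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:22:01:00 +0000] "GET /v1/post?id=1001 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2021:22:01:00 +0000] "GET /v1/post?id=1002 HTTP/1.1" 200 498
203.0.113.5 - - [10/Jan/2021:22:01:01 +0000] "GET /v1/post?id=1003 HTTP/1.1" 200 533
203.0.113.5 - - [10/Jan/2021:22:01:01 +0000] "GET /v1/post?id=1004 HTTP/1.1" 200 501
203.0.113.5 - - [10/Jan/2021:22:01:02 +0000] "GET /v1/post?id=1005 HTTP/1.1" 200 520
198.51.100.7 - - [10/Jan/2021:22:01:03 +0000] "GET /v1/post?id=88213 HTTP/1.1" 200 640
198.51.100.7 - - [10/Jan/2021:22:05:41 +0000] "GET /v1/post?id=4417 HTTP/1.1" 200 610
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /v1/post\?id=(\d+) ')

def parse(log_text):
    """Yield (client_ip, timestamp, post_id) for every post fetch in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, int(m.group(3))

def longest_consecutive_run(events, max_window_s):
    """Length of the longest run of ids that increase by exactly 1 on each
    request, with the whole run fitting inside max_window_s seconds."""
    best, start = 1, 0
    for i in range(1, len(events)):
        if events[i][1] != events[i - 1][1] + 1:
            start = i                      # sequence broken: new run starts here
            continue
        if (events[i][0] - events[start][0]).total_seconds() > max_window_s:
            start = i                      # too slow to be automated: restart
            continue
        best = max(best, i - start + 1)
    return best

def find_enumerators(log_text, min_run=4, max_window_s=60):
    """Map client IP -> run length for clients that walked >= min_run
    consecutive post ids within max_window_s seconds (a scraper signature)."""
    by_client = defaultdict(list)
    for ip, ts, pid in parse(log_text):
        by_client[ip].append((ts, pid))
    flagged = {}
    for ip, events in by_client.items():
        run = longest_consecutive_run(sorted(events), max_window_s)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

The real fix is upstream of detection: non-guessable post identifiers and per-client rate limits make the sequential walk impossible rather than merely visible.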

In a statement on Monday, Twilio said it had told Parler on Friday it was withdrawing its multi-factor authentication services from the social network due to a breach of its terms and conditions. Parler had, we’re told, preemptively stopped using Twilio’s APIs before that plug was pulled.

As for the now-scraped pictures and videos posted publicly by Parler users: well, if they uploaded files with identifying metadata and geographic coordinates embedded, more fool them. It appears Parler did not strip this information from uploaded files.
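Stripping that metadata at upload time is a few dozen lines of work. The pure-Python JPEG filter below is an added example for this post (not Parler’s code): it walks the file’s marker segments and drops the APP1 segments that carry Exif (camera, timestamps, GPS IFD) and XMP, leaving image data untouched. The sample file is a constructed minimal JPEG-like byte string, not a real photo.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"

def _jpeg_segments(data):
    """Yield (marker, raw_segment) for each segment up to the SOS header, then
    (None, tail) for the entropy-coded scan data through EOI. Assumes no
    fill bytes between markers, which is true of files most encoders emit."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        segment = data[pos:pos + 2 + length]
        if marker == 0xDA:                    # SOS: rest of file is scan data
            yield marker, segment
            yield None, data[pos + 2 + length:]
            return
        yield marker, segment
        pos += 2 + length

def _is_metadata(marker, segment):
    payload = segment[4:]
    return marker == 0xE1 and (payload.startswith(EXIF_HEADER)
                               or payload.startswith(XMP_HEADER))

def has_metadata(data):
    return any(_is_metadata(m, s) for m, s in _jpeg_segments(data))

def strip_metadata(data):
    """Return the JPEG with Exif/XMP APP1 segments removed; everything else,
    including JFIF, quantization tables and the scan data, is kept byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, segment in _jpeg_segments(data):
        if not _is_metadata(marker, segment):
            out += segment
    return bytes(out)

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, APP0/JFIF, APP1/Exif (GPS placeholder), DQT, SOS, scan, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08" + b"GPS-IFD-PLACEHOLDER")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\xff\xd9")
```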

For a very detailed article on the scraping tech involved, here is a great piece in Wired magazine. Click here.

And some Parler users don’t believe they’ve been hacked. They are blaming Amazon instead. Click here.
