WTF is Parler doing?

I told myself after my last post that I wouldn’t do much politics, and that’s because I don’t want to be a political commentary blog, that’s no fun compared to tech, and I often end up talking about people I don’t agree with politically before being subsequently associated with them. This seemed easy, there was the Solarwinds hack, I was working on some VFIO/virtualization stuff–

*angry growl*

*deep breath*

Ok. Fine. I will do another political piece on ONE condition. I do NOT want to associate myself with the people in the Capital Hill riot, Parler, its founders, the current US White House administration, or anyone else I mention in this piece. I am looking at this from a technical standpoint to learn what is happening.

Parler, a “town-hall”-like social media service that was quickly used as a dump of right-wing political content has come under fire recently due to concerns over its role in the Capital Hill riots. Parler was a fairly standard looking closed social media network created by a startup currently burning investor capital until they get enough users to sell their data. One of the quirks, however, is that anyone can become verified by submitting a photo ID (or other government-issued ID) and running it through a third party service. Another note is that Parler was used during the riots by people in the Capitol building sharing photos of what they were doing, often without masks (which, even if you don’t believe in covid, would help keep your identity a secret as you commit felonies!) and using their personal smartphone with both GPS and LTE signal triangulation turned on. Some people, after the riots, wanted to delete these images from the internet as to protect themselves, and as such also deleted the posts on Parler. I hope you have more thumb-tacks because I could to all day.

As people start to identify Parler as a massive source of data for all these people, the network security teams start digging. This was accelerated by the AWS announcement that they were going to remove them from their platform within a few days. As this happens, the datahoarders get to work…

Some people even say they heard something so jolly, so merry, so extremely loud, they though it was Santa coming for second Christmas.

But it wasn’t. It was coming from the datahoarders.

They were laughing as they picked apart Parler’s infrastructure piece by piece by just looking at it too hard.

You have the Poorly implemented caching system that caused people to appear to be logged in as someone else, you have the probable misuse of their identity verification service due to not wanting to pay for a subscription, you had the issue caused by their database choice that was not accounted for, and, just for laughs, the CTO, or as he might call himself, a blockchain engineer.

Cringeworthy boss, not being willing to pay for identity verification, and the fact that they were backed by The people who also backed Cambridge Analytica, all of this sounds like debating over parking tickets after convicting a serial killer in court when you see their app.

  • They did not delete posts, instead opting to send the posts in feeds with a “Deleted bit,” only hiding them visually.
    • I’m going to hope it is obvious why this is stupid, but if it isn’t then let me say this. Even if you wanted to not delete their posts on the backend, running the message check in the database would be so astonishingly cheap that it is industry standard while being practically never discussed. Even Snapchat does (or did, anyway) this, since deleting a record was more expensive than just not sending it, but note the words I used, not sending something is not the same as not showing it to the user.
    • I would’ve seen this back when I was 10 and programming my first website.
  • They did not scrub EXIF data
    • This may sound like technical jargon to the uninitiated, but this means that you can locate every single photo within a 5-meter radius of where it was taken unless the user explicitly turned it off in their camera settings or scrubbed the photo themselves.
    • This is step #1 for handling people’s private photos on public social media.
    • This means that every single person who posted a photo on Parler during the Capitol Hill riots and then deleted the post not only did not delete the photo but probably left their location information in the photo allowing anyone with the most basic technical knowledge to find exactly where they were.
  • Everyone who noticed what was going on in the app could’ve seen ahead of time that AWS might get mad at them soon and kick them off, but they did NOT have ANY of their own servers.
    • Let me repeat, they had content that was easily going to piss off big tech, but they did not have a backup plan.
    • I, an individual who makes no money from my websites, self host them to keep them safe and secure as well as giving me freedom from tech giants (not that I condone any of the content in question when it comes to the AWS platform removal)
    • Now their website is down, not even a placeholder website. It is completely unavailable

Let’s verify this because we don’t trust anyone but ourselves. For transparency, I did remove the DNSSEC information to keep this brief, if you don’t understand this post then you may want to read my last post.

;dig any @ | grep -i -e dnskey -e rrsig -v
<trim>		299	IN	A		299	IN	NS		299	IN	NS	ns4.epik.		3599	IN	SOA 2021011109 10800 3600 604800 3600		299	IN	MX	0		299	IN	TXT	"v=spf1 -all"		299	IN	CAA	1 issue ""		299	IN	CAA	1 issue ""
;; Query time: 1579 msec
;; WHEN: Thu Jan 14 01:46:14 EST 2021
;; MSG SIZE  rcvd: 1287

Alright, this looks pretty odd, why is their A record going to (in IPv4 speak, this basically means nowhere) instead of something like a placeholder? Anyway, normal CAA records (unusual to see 2, but totally within spec) but their DNS service seems familiar…

Oh god dammit

Well, here we go again.

Now that we both know who epik is from a nutshell, let’s take a magnifying glass to their DNS setup. Remember, they run DNS as a professional service (DNSSEC trimmed as always, please use DNSSEC in your services, I just dont want to fill up my blog with base64 encoded crypto.)

$for d in {1..7}; do echo NS$d; dig +short any @ ns${d}|grep -e NSEC -e RRSIG -v -e 5305;done

I’m sorry, what?

So, let me get this straight, you have SEVEN DNS SERVERS set up in your DNS records, but you just dont use them? Who thought of this? Why do your re-use IP addresses and why is NS1 the only domain with 2 addresses? Why do you reuse the same AWS IP address 4 times? Do you think AWS is very happy with you reselling their services to someone who was already banned from their platforms?

Last time, I left it here, and although I don’t want to drill too much deeper into this right now, I want to remind you, Parler had millions of dollars to spend and ended up with the greatest non-example wrapped in a bow for college professors teaching new kids for the next decade. They had millions of dollars, but never considered a backup hosting provider. They had millions of dollars, but could not do the work of child. Even now, as they’re put on the spot, they don’t go and buy some servers to spin up and self-host, they went to Epik.

Although I cannot conclude anything solely from 2 observations, what I can say is that anyone using Epik is definitely a red flag, and if I was designing a secure network environment, they’d be the first think I would block. I can’t speak for the people behind Epik either, but if they are reading this, I strongly suggest you look at who you are serving and decide where your ethics and morals lie. Free speech is good, threats, rioting, and misinformation are not.

I truly hope that if we ever need a civilian lead coup to evade a fascist government, someone smarter than a child who cannot watch Jurassic Park in theaters alone is calling the shots.

Leave a Reply