Parler Finds a Reprieve in Russia—but Not a Solution

The far-right platform still hasn’t found a US-based home. Where it lands could have serious consequences for its users’ privacy.

In the wake of the Capitol riots two weeks ago, a number of large tech companies pulled support for Parler, a Twitter-like social network that Donald Trump’s supporters have increasingly favored since its launch in 2018. Apple and Google removed the Parler app from their digital stores, and Amazon Web Services cut the platform’s hosting services. After more than a week offline, the site is now partially back up, in the form of a landing page that promises a full return. To get even this far, Parler has hired DDoS-Guard, a Russian digital infrastructure company, to defend it against the endless barrage of attacks that virtually all sites face online—particularly those as controversial as Parler.

DDoS-Guard told WIRED it is only providing defense against denial-of-service attacks, not hosting Parler’s site. But even that level of support requires access to all the traffic that flows through Parler, so that it can “scrub” out malicious traffic aimed at overwhelming the site. Given the Russian government’s active efforts to isolate the country’s internet and gain access to all data, Parler could expose its users to Russian surveillance if the site someday does relaunch in full with DDoS-Guard.

“Now seems like the right time to remind you all—both lovers and haters—why we started this platform,” Parler’s homepage currently proclaims. “We believe privacy is paramount and free speech essential … We will resolve any challenge before us and plan to welcome all of you back soon.”

Parler’s chief operating officer, Jeffrey Wernick, told The New York Times on Tuesday that the social network would prefer US-based providers and is working to find them. The platform registered its domain through Seattle-based Epik.
But while Parler has been shunned by the US tech industry’s biggest names, it purports to have more than 12 million users, making the platform too big for most small hosts. So its domestic options are sparse. By embracing DDoS-Guard, even as a stopgap, Parler joins a growing list of far-right sites like 8kun (formerly 8chan) and the Daily Stormer that US infrastructure companies have knocked offline, only to see companies in countries with limited internet freedom—like DDoS-Guard—enable their reemergence.

“At this time, does not violate either our Acceptable Use Policy or the current US law to the best of our knowledge,” DDoS-Guard said in a statement to WIRED. “DDoS-Guard responsibly keeps customer data without disclosing it to third parties. Moreover, the provider stores only information required for the service and explicitly provided by the customers.”

But Russia has passed laws that compel tech companies to comply with government requests, and it has deployed physical network infrastructure to monitor everything from web user IP addresses and communications to location data. Employing Russian infrastructure services could expose a site's users to the country's surveillance schemes, says Alp Toker, director of the nonpartisan connectivity tracking group NetBlocks. Most posts on Parler are meant to be public, but the platform also offered a direct messaging feature and numerous types of “verified” accounts, including red badges for anyone who uploads an image of their government identification card. All of this information, as well as granular user activity data and user IP addresses, would potentially be exposed to the Kremlin if Parler returns with those same features while routing its data through Russian servers.

Regardless of where Parler ultimately lands, it seems likely to find a home somewhere. The internet's decentralized design helps ensure connectivity, but it also makes it difficult to keep people or platforms from being silenced.
Even repressive governments in countries like Iran and China have struggled with the logistics of fully controlling a regional internet.

“It seems an unsolvable dilemma,” Toker says. “If you’re a victim of violent speech, then there is nothing more reasonable than getting it taken down. But on the other hand, pulling down technical infrastructure to limit speech isn’t part of the great internet freedom vision everyone set out with.”

Researchers emphasize that the potential privacy and security risks Parler users may face in the future echo discussions about where the line is for, say, an individual using a Chinese-owned platform like TikTok. But where TikTok's mainstream popularity has exploded in the US, shunned platforms like Parler that have sought alternative hosting and DDoS protections have largely been bastions of right-wing extremist content. As a result, driving Parler into the arms of Russian infrastructure companies poses particular risks, given the Kremlin's existing efforts to target the far right in the US and Europe with disinformation. Carte blanche access to additional data on these types of users would be particularly valuable to Russia.

“It makes sense to demand that social media platforms have clearly stated rules and enforce them transparently with due process,” says Evan Greer, deputy director of the digital rights group Fight for the Future. “But when you start pushing for moderation to occur at the infrastructure level, like demanding that Apple and Google ban apps from their app stores or CDNs make content-based decisions, it raises a lot of concerns.”

Parler may not end up contracting with DDoS-Guard long term. But wherever the platform lands will have consequences—for Parler's own users, for geopolitics, and for other sites that may find themselves in similar situations in the future.

A Site Published Every Face From Parler's Capitol Riot Videos

Faces of the Riot used open source software to detect, extract, and deduplicate every face from the 827 videos taken from the insurrection on January 6.

When hackers exploited a bug in Parler to download all of the right-wing social media platform's contents last week, they were surprised to find that many of the pictures and videos contained geolocation metadata revealing exactly how many of the site's users had taken part in the invasion of the US Capitol building just days before. But the videos uploaded to Parler also contain an equally sensitive bounty of data sitting in plain sight: thousands of images of unmasked faces, many of whom participated in the Capitol riot. Now one website has done the work of cataloging and publishing every one of those faces in a single, easy-to-browse lineup.

Late last week, a website called Faces of the Riot appeared online, showing nothing but a vast grid of more than 6,000 images of faces, each one tagged only with a string of characters associated with the Parler video in which it appeared. The site's creator tells WIRED that he used simple open source machine learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building on January 6, the day when radicalized Trump supporters stormed the building in a riot that resulted in five people's deaths.

The creator of Faces of the Riot says his goal is to allow anyone to easily sort through the faces pulled from those videos to identify someone they may know or recognize who took part in the mob, or even to reference the collected faces against FBI wanted posters and send a tip to law enforcement if they spot someone. "Everybody who is participating in this violence, what really amounts to an insurrection, should be held accountable," says the site's creator, who asked for anonymity to avoid retaliation.
"It's entirely possible that a lot of people who were on this website now will face real-life consequences for their actions."

Aside from the clear privacy concerns it raises, Faces of the Riot's indiscriminate posting of faces doesn't distinguish between lawbreakers—who trampled barriers, broke into the Capitol building, and trespassed in legislative chambers—and people who merely attended the protests outside. An upgrade to the site today adds hyperlinks from faces to the video source, so that visitors can click on any face and see what the person was filmed doing on Parler. The Faces of the Riot creator, who says he's a college student in the "greater DC area," intends that added feature to help contextualize every face's inclusion on the site and differentiate between bystanders, peaceful protesters, and violent insurrectionists. He concedes that he and a cocreator are still working to scrub "non-rioter" faces, including those of police and press who were present. A message at the top of the site also warns against vigilante investigations, instead suggesting users report those they recognize to the FBI, with a link to an FBI tip page.

"If you go on the website and you see someone you know, you might learn something about a relative," he says. "Or you might be like, oh, I know this person, and then further that information to the authorities."

Despite its disclaimers and limitations, Faces of the Riot represents the serious privacy dangers of pervasive facial recognition technology, says Evan Greer, the campaign director for digital civil liberties nonprofit Fight for the Future.
"Whether it's used by an individual or by the government, this technology has profound implications for human rights and freedom of expression," says Greer, whose organization has fought for a legislative ban on facial recognition technologies. "I think it would be an enormous mistake if we come out of this moment by glorifying or lionizing a technology that, broadly speaking, disproportionately harms communities of color, low-income communities, immigrant communities, Muslim communities, activists ... the very same people that the faces on this website stormed the Capitol for the purpose of silencing and disenfranchising."

The site's developer counters that Faces of the Riot leans not on facial recognition but facial detection. While he did use the open source machine learning tool TensorFlow and the facial recognition software Dlib to analyze the Parler videos, he says he used that software only to detect and "cluster" faces from the 11 hours of video of the Capitol riot; Dlib allowed him to deduplicate the 200,000 images of faces extracted from video frames to around 6,000 unique faces. (He concedes that there are nonetheless some duplicates and images of faces on protest signs included too. Even the number "45" on some signs was in some cases identified as a human face.) He emphasizes also that there's no search tool on the site, and it doesn't attempt to link faces with names or other identifying details. Nor is there any feature for uploading an image and matching it with images in the site's collection, which he says could lead to dangerous misidentifications. "There's a very hard no on allowing a user to take a photo from a wanted poster and search for it," the site's creator says. "That’s never going to happen."

The roughly 42 gigabytes of Parler videos that Faces of the Riot analyzed were downloaded prior to Amazon's decision early last week to cut off Parler's web hosting, leaving the site largely offline since.
Racing against that takedown, hacktivists took advantage of a security flaw in Parler that allowed them to download and archive every post from the service, which bills itself as an uncensored "free speech" alternative to Twitter or Facebook. Faces of the Riot obtained Parler's salvaged videos after they were made available online by Kyle McDonald, a media artist who obtained them from a third party he declined to identify. The Faces of the Riot site's creator initially saw the data as a chance to experiment with machine learning tools, but quickly saw the potential for a more public project. "After about 10 minutes I thought, this is actually a workable idea and I can do something that will help people," he says. Faces of the Riot is the first website he's ever created.

McDonald has previously both criticized the power of facial recognition technology and himself implemented facial recognition projects like ICEspy, a tool he launched in 2018 for identifying agents of the Immigration and Customs Enforcement agency. He tells WIRED he also analyzed the leaked Parler videos with facial recognition tools to see if he could identify individuals, but could only ID two, both of whom had already been named by media. He sees Faces of the Riot as "playing it really safe" compared even to his own facial recognition experiments, given that it doesn't seek to link faces with named identities. "And I think it's a good call because I don't think that we need to legitimize this technology any more than it already is and has been falsely legitimized," McDonald says.

But McDonald also points out that Faces of the Riot demonstrates just how accessible facial recognition technologies have become. "It shows how this tool that has been restricted only to people who have the most education, the most power, the most privilege is now in this more democratized state," McDonald says.

The Faces of the Riot site's creator sees it as more than an art project or demonstration.
Despite the safeguards he put in place to limit its ability to automatically identify people, he still hopes that the effort will have real, tangible results—if only indirectly through reports to law enforcement. "It's just felt like people got away with a lot of bad stuff for the last four years," he says. "This is an opportunity to start trying to put that to an end."

The SolarWinds Hackers Used Tactics Other Groups Will Copy

The supply chain threat was just the beginning.

One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this wasn't the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.

The SolarWinds hackers used their access in many cases to infiltrate their victims' Microsoft 365 email services and Microsoft Azure Cloud infrastructure—both treasure troves of potentially sensitive and valuable data. The challenge of preventing these types of intrusions into Microsoft 365 and Azure is that they don't depend on specific vulnerabilities that can simply be patched. Instead hackers use an initial attack that positions them to manipulate Microsoft 365 and Azure in a way that appears legitimate. In this case, to great effect.

"Now there are other actors that will obviously adopt these techniques, because they go after what works," says Matthew McWhirt, a director at Mandiant FireEye, which first identified the Russian campaign at the beginning of December.

In the recent barrage, hackers compromised a SolarWinds product, Orion, and distributed tainted updates that gave the attackers a foothold on the network of every SolarWinds customer who downloaded the malicious patch. From there, the attackers could use their newfound privileges on victim systems to take control of certificates and keys used to generate system authentication tokens, known as SAML tokens, for Microsoft 365 and Azure.
Organizations manage this authentication infrastructure locally, rather than in the cloud, through a Microsoft component called Active Directory Federation Services. Once an attacker has the network privileges to manipulate this authentication scheme, they can generate legitimate tokens to access any of the organization's Microsoft 365 and Azure accounts, no passwords or multifactor authentication required. From there, the attackers can also create new accounts, and grant themselves the high privileges needed to roam freely without raising red flags.

“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”

The National Security Agency also detailed the techniques in a December report. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML tokens could be forged, granting access to numerous resources.”

Microsoft has since expanded its monitoring tools in Azure Sentinel. And Mandiant is also releasing a tool that makes it easier for groups to assess whether someone has been monkeying with their authentication token generation for Azure and Microsoft 365, like surfacing information on new certificates and accounts. Now that the techniques have been exposed very publicly, more organizations may be on the lookout for such malicious activity. But SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as some researchers have warned for years.
In 2017, Shaked Reiner, a researcher at the corporate defense firm CyberArk, published findings about the technique, dubbed GoldenSAML. He even built a proof of concept tool that security practitioners could use to test whether their clients were susceptible to potential SAML token manipulation. Reiner suspects that attackers haven't used GoldenSAML techniques more often in the past few years simply because it requires such a high level of access to pull off. Still, he says he has always viewed increased deployment as inevitable, given the technique's efficacy. It also builds on another well-known Microsoft Active Directory attack from 2014 called Golden Ticket.

“We did feel validated when we saw that this technique had been used by the SolarWinds attackers, but we weren’t really surprised,” Reiner says. “Even though it’s a difficult technique to perform, it still gives attackers a lot of crucial advantages that they need. Because the SolarWinds attackers used it so successfully I'm sure that other attackers will note this and use it more and more from now on.”

Along with Microsoft and others, Mandiant and CyberArk are now working to help their clients take precautions to catch Golden SAML-type attacks sooner or respond more quickly if they find that such a hack is already underway. In a report published on Tuesday, Mandiant details how organizations can check whether these tactics have been used against them, and set up controls to make it harder for attackers to use them undetected in the future.

“Previously we have seen other actors use these methods in pockets, but never to the scale of UNC2452,” the group that perpetrated the SolarWinds attack, says Mandiant's McWhirt.
“So what we wanted to do is put together a sort of concise playbook for how organizations investigate and remediate this and harden against it.”

For starters, organizations must make sure their “identity provider services,” like the server that holds token signing certificates, are configured correctly and that network managers have adequate visibility into what those systems are doing and being asked to do. It's also critical to lock down access for authentication systems so that not too many user accounts have privileges to interact with and modify them. Finally, it's important to monitor how tokens are actually used to catch anomalous activity. For example, you might watch for tokens that were issued months or years ago, but only sprang to life and started being used to authenticate activity a few weeks ago. Reiner also points out that attackers' efforts to cover their tracks can be a tell for organizations with strong monitoring; if you see a token being widely used, but can't locate the logs from when the token was issued, it could be a sign of malicious activity.

“As more organizations transfer more and more of their systems to the cloud, SAML is the de facto authentication mechanism being used in those environments,” CyberArk's Reiner says. “So it's really natural to have this attack vector. Organizations need to be ready, because this is not really a vulnerability—this is an inherent part of the protocol. So you're still going to have this issue in the future.”
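The three monitoring signals described above (tokens that went dormant after issuance, tokens in use with no issuance log, and tokens signed by an unexpected certificate) can be checked by correlating identity-provider issuance records with cloud sign-in records. The script below is an added example, not Mandiant's, CyberArk's or Microsoft's tooling; the record layout, field names and the sample events are constructed for illustration and stand in for AD FS token-issuance events and Microsoft 365 or Azure sign-in events keyed by SAML assertion ID.

```python
"""Golden SAML detection by correlating token issuance with token use.

Added example with a constructed log format. Each token is keyed by its
assertion ID; issuance records come from the identity provider (AD FS),
usage records from the cloud side. Signals reported:
  dormant      - issued long ago, first used only recently
  no_issuance  - used, but the identity provider never logged issuing it
  unknown_cert - issued under a signing certificate not in the allowlist
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
ISSUANCE_LOG = [
    {"token_id": "_a1", "issued_at": "2020-11-20T08:00:00", "user": "alice", "cert": "THUMB-KNOWN-1"},
    {"token_id": "_b2", "issued_at": "2020-06-01T09:15:00", "user": "bob", "cert": "THUMB-KNOWN-1"},
    {"token_id": "_d4", "issued_at": "2020-12-13T00:59:00", "user": "carol", "cert": "THUMB-ROGUE-9"},
]
USAGE_LOG = [
    {"token_id": "_a1", "used_at": "2020-11-20T08:00:30", "resource": "m365"},
    {"token_id": "_b2", "used_at": "2020-12-12T02:10:00", "resource": "azure"},
    {"token_id": "_b2", "used_at": "2020-12-12T02:11:00", "resource": "m365"},
    {"token_id": "_c3", "used_at": "2020-12-13T01:00:00", "resource": "azure"},
    {"token_id": "_d4", "used_at": "2020-12-13T01:00:05", "resource": "azure"},
]
# Thumbprints of the signing certificates the organisation knows it issued.
KNOWN_SIGNING_CERTS = {"THUMB-KNOWN-1"}


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_tokens(issuance, usage, known_certs, max_idle_days=30):
    """Return {token_id: (signal, detail)} for every token matching a signal."""
    issued = {rec["token_id"]: rec for rec in issuance}
    # Earliest observed use per token, so a long gap before first use stands out.
    first_use = {}
    for rec in usage:
        tid, when = rec["token_id"], _ts(rec["used_at"])
        if tid not in first_use or when < first_use[tid]:
            first_use[tid] = when
    findings = {}
    for tid, first in first_use.items():
        rec = issued.get(tid)
        if rec is None:
            findings[tid] = ("no_issuance", "token in use but never logged as issued")
        elif rec["cert"] not in known_certs:
            findings[tid] = ("unknown_cert", f"signed by {rec['cert']}")
        else:
            idle = first - _ts(rec["issued_at"])
            if idle > timedelta(days=max_idle_days):
                findings[tid] = ("dormant", f"first used {idle.days} days after issuance")
    return findings


if __name__ == "__main__":
    hits = find_suspicious_tokens(ISSUANCE_LOG, USAGE_LOG, KNOWN_SIGNING_CERTS)
    for tid, (signal, detail) in sorted(hits.items()):
        print(f"{tid}: {signal} ({detail})")
```

In the sample data, `_a1` is clean, `_b2` is dormant, `_c3` has no issuance record, and `_d4` was signed by a certificate outside the allowlist; the idle threshold is a parameter because real SAML assertions are normally valid for minutes to hours, so any gap of days is already anomalous.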