On Sun, Jan 28, 2018 at 04:59:02AM -0500, Thomas Delrue wrote: [ a lot of things I thoroughly agree with, plus he quoted me, so of course I agree with that, too ;) ]
Let me reiterate: Facebook, Twitter, Linkedin, etc. are NOT your friends. They are NOT your allies.

And let me add something that I didn't cover in that snarky essay three and a half years ago: incompetence. It is now painfully obvious to everyone that the technical people running these operations are hilariously incompetent. Facebook has admitted that they have 200M fake profiles, which of course means that the number they know about is higher, and that the additional number they don't know about is even higher. Twitter has been completely overrun by a similar number of bots, and its spokesliars continue to downplay their numbers by several orders of magnitude. And so on.

The people running these operations built them without first figuring out how to run them. They have absolutely no idea how to handle rudimentary operational tasks like abuse reporting and response. As a result, they have been completely overwhelmed by attackers and abusers -- to the point where it's now questionable who, exactly, is in effective control.

[ Before someone says "but they're so big that...", let me respond as politely as I can: unacceptable. Nobody made them get that big. They *chose* to. Thus they also *chose* to deal with the consequences. I am not in the least bit sympathetic toward the ignorant newbies who built things they have no idea how to run, plugged them into OUR Internet, and subsequently allowed them to abuse the heck out of everyone and everything. Scale is not a valid excuse for incompetence and negligence. If they can't run it properly, they should shut it down. RIGHT NOW. ]

And that's the good news. Here's the bad news:

One of the lessons we've learned in the past couple of decades is that abuse is a surface indicator of underlying security issues. Operations which are well-run don't source or sink abuse on a chronic or systemic basis because the people running them make it their business to keep that from happening.
Conversely, operations that are massive long-term abuse factories have put proof on the table that they have serious security problems. We may not know exactly what those are or where they came from, but chronic/systemic abuse is an existence proof.

Which leads me to a pointed question: just how pathetic, exactly, does your security posture have to be in order to provide a home for hundreds of millions of fake profiles and/or bots? I have little doubt that most of these operations have been quite thoroughly pwned by any government's intelligence agency that could stop laughing long enough to bother.

---rsk