On Sun, Jan 28, 2018 at 04:59:02AM -0500, Thomas Delrue wrote:

[ a lot of things I thoroughly agree with, plus he quoted me, so of course
I agree with that, too ;) ]

Let me reiterate: Facebook, Twitter, Linkedin, etc. are NOT your friends.
They are NOT your allies.

And let me add something that I didn't cover in that snarky essay
three and a half years ago: incompetence.  It is now painfully obvious
to everyone that the technical people running these operations are
hilariously incompetent.  Facebook has admitted that they have 200M fake
profiles, which of course means that the number they know about is higher,
and that the additional number they don't know about is even higher.
Twitter has been completely overrun by a similar number of bots, and
its spokesliars continue to downplay their numbers by several orders
of magnitude.  And so on.

The people running these operations built them without first figuring out
how to run them.  They have absolutely no idea how to handle rudimentary
operational tasks like abuse reporting and response.  As a result, they
have been completely overwhelmed by attackers and abusers -- to the
point where it's now questionable who, exactly, is in effective control.

[ Before someone says "but they're so big that...", let me respond
as politely as I can: unacceptable.  Nobody made them get that big.  They
*chose* to.  Thus they also *chose* to deal with the consequences.  I am
not in the least bit sympathetic toward the ignorant newbies who built
things they have no idea how to run, plugged them into OUR Internet, and
subsequently allowed them to abuse the heck out of everyone and everything.
Scale is not a valid excuse for incompetence and negligence.  If they can't
run it properly, they should shut it down.  RIGHT NOW. ]

And that's the good news.  Here's the bad news:

One of the lessons we've learned in the past couple of decades is that
abuse is a surface indicator of underlying security issues.  Operations
which are well-run don't source or sink abuse on a chronic or systemic
basis because the people running them make it their businesss to keep
that from happening.  Conversely, operations that are massive long-term
abuse factories have put proof on the table that they have serious
security problems.  We may not know exactly what those are or where
they came from, but chronic/systemic abuse is an existence proof.

Which leads me to a pointed question: just how pathetic, exactly, does
your security posture have to be in order to provide a home for hundreds
of millions of fake profiles and/or bots?

I have little doubt that most of these operations have been quite
thoroughly pwned by any government's intelligence agency that could stop
laughing long enough to bother.

---rsk
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing the moderator at 
zakwh...@stanford.edu.

Reply via email to