This came a couple of days after their post about an "alleged data breach" which is full of pretty bizarre statements: news.gab.com/2021/02/26/all…
For example, because they couldn't find any public discussion about the breach they assumed that @WIRED reporters were "essentially assisting the hacker in his efforts to smear our business". There are *always* discussions held in private about a breach before it's made public.
"It is standard practice for passwords to be hashed. If the alleged breach has taken place as described, your passwords have not been revealed." This is misleading and ignores the simplicity of hash cracking. If your password is "maga2020!" (or similar), it has been revealed.
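To show why "the passwords were hashed" is not reassurance for anyone using a password like "maga2020!", here is an added example (not code from the thread, from Gab, or from DDoSecrets) that runs a small dictionary-plus-mangling attack against a constructed dump. The hashing scheme (salted PBKDF2-SHA256 at a deliberately low iteration count) and every record, email address and wordlist entry are assumptions made for the demo; the thread does not say what Gab actually used. A slower hash raises the per-guess cost but does not save a password built from a common word plus a year and an exclamation mark, while a random, manager-generated one is never reached.

```python
import hashlib
import hmac
import secrets

# Assumed hashing scheme for the demo: salted PBKDF2-SHA256. The iteration
# count is kept low so the example runs in well under a second; real sites
# should use far more (or bcrypt/scrypt/Argon2), which slows each guess but
# does not rescue a guessable password.
ITERATIONS = 1_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash one password candidate with the record's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(email: str, password: str) -> dict:
    """Build a constructed 'breach dump' row: email, per-user salt, hash."""
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample dump. Three accounts use the kind of password the thread
# warns about; the fourth uses a random password-manager string.
DUMP = [
    _make_record("alice@example.com", "maga2020!"),
    _make_record("bob@example.com", "Patriot2016"),
    _make_record("carol@example.com", "freedom!"),
    _make_record("dana@example.com", "t9q@" + secrets.token_urlsafe(20)),
]

# Tiny constructed wordlist; a real attacker uses millions of entries plus
# rules harvested from earlier breaches.
WORDLIST = ["maga", "trump", "patriot", "freedom", "gab", "password", "liberty"]
YEARS = [str(y) for y in range(2015, 2022)]
# Mangling rules: bare word, word+year, word+"!", word+year+"!", word+digits.
SUFFIXES = [""] + YEARS + ["!"] + [y + "!" for y in YEARS] + ["1", "123"]


def candidates(words):
    """Yield each unique candidate produced by case variants x suffix rules."""
    seen = set()
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for suf in SUFFIXES:
                cand = base + suf
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(records, words):
    """Return {email: password} for every record whose hash matches a candidate.

    Salts differ per user, so each candidate must be re-hashed per record;
    that is the only cost a salt adds, and it is linear in the wordlist size.
    """
    cands = list(candidates(words))
    found = {}
    for rec in records:
        for pw in cands:
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                found[rec["email"]] = pw
                break
    return found


if __name__ == "__main__":
    for email, pw in crack(DUMP, WORDLIST).items():
        print(f"{email}: {pw}")
    uncracked = [r["email"] for r in DUMP if r["email"] not in crack(DUMP, WORDLIST)]
    print("not recovered:", uncracked)
```

With this wordlist and rule set the attack tries a few hundred candidates per user and recovers the three weak passwords; "dana@example.com" stays uncracked because a random string is not in any candidate space an attacker can enumerate, which is the property the random password mentioned later in the thread relies on.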
"It is entirely possible for a user of the site to be unidentifiable based on the information they provide at login." You log in with your email address. This (almost always) identifies you; it's literally how people communicate with *you*!
"In our subscriber records we do not collect health or financial information; we do not collect dates of birth; we do not collect [blah blah]." When you've just had your neo-Nazi hate speech associated with your email address leaked, DoB is the least of your worries!
"Every major tech company – from Facebook to Twitter – has been the target of multiple and continued data breaches." AFAIK, neither of these companies has ever had its entire DB dumped in the style @getongab appears to have, nor would that be an excuse if they had.
Then there's the @WIRED piece from @a_greenberg, a top-notch journo I've got a lot of respect for based on previous pieces he's written and many discussions I've had with him personally: wired.com/story/gab-hack…
DDoSecrets has a @getongab page saying: "Due to these concerns, along with presence of passwords and other PII, this dataset is currently only being offered to journalists and researchers." I'd love to get this into @haveibeenpwned, if anyone knows anyone there, ping them for me.
And lastly, @getongab's atrociously unprofessional and derogatory references to @beka_valentine are matched only by her grace and humour in response
Just one more thing: my random @getongab password stored in @1Password begins with "t9q@" (created an account when I was doing commentary on them and Parler). If someone has my password hash, they're welcome to publicly share it and I'll verify then share the original password.
Looking into the (alleged) @getongab data breach, many records don't have an email address or a password hash (mine has the former, but not the latter). But for verification, don't those dates and times look... similar? Coincidence? Or real breach? (Aus time in @1Password)
It does appear that @getongab is no longer denying there was a breach, although I'm yet to see a formal disclosure notice (and yes, I know that's not the most noteworthy thing about the embedded tweet below...)
Next prediction whilst I’m on a bit of a roll: if Gab becomes the platform the existing violent content on Parler migrates to (and arguably there’s a lot of that there already), the odds of it remaining easily accessible to the masses will be short
Just signed up to Gab to take a look around, took several minutes for each page to load during registration so looks like they're getting absolutely hammered right now
And they're down. Also just realised they're behind Cloudflare who've previously terminated services such as Daily Stormer and 8chan. Life gets real hard when that protection is removed regardless of how much of the origin services you have complete control over.
I give it 50:50 odds that by the time I wake up tomorrow, Amazon has either pulled the pin on Parler “Google-style” or given them a similar ultimatum to Apple. Given what we’ve seen today (and what I saw spending some time on the platform), it wouldn’t surprise me in the least.
Ok, so it was about 6 hours *after* I woke up, but I was pretty close 🙂
Politics aside, this creates a really interesting engineering challenge; Parler has had sudden and rapid growth and one would assume have huge infrastructure needs and volumes of data. How do you move that over in less than 30 hours? And to where that would accept them?
Had an email recently which boiled down to a guy being into porn sites about a decade ago: "all I ever did at these sites was create accounts, with fake emails that I opened and discarded the same day"
Turns out that whilst the email addresses were fake, the passwords weren't: "I was stupid enough to use the same password for my real life accounts and for these shady accounts (it's generic, but my whole family knows it's my pw)."
Then another penny drops for the guy: these sites often store IP addresses, not just of the last login but the one used at registration as well. So now he's stressed that even with fake email addresses, someone could correlate both his password and IP and de-cloak his porn habit.