Cloudflare drops KiwiFarms 🥝 TikTok Denies Breach 🌊 Metaverse Laws 👩‍⚖️
What comes next? Cloudflare drops KiwiFarms 🥝 TikTok Denies Breach 🌊 Metaverse laws 👩‍⚖️ DevOps Rant
Check out my review of the project management app Teamwork.
🧔Personal News
I've been told my life would make a funny YouTube series. I guess it's worth sharing!
Last week was the back-to-school grind! I can't believe the influx of e-mails we are getting. I have three children in elementary school and somehow the staff sends us three copies of everything. What frustrates me the most is that we have a mobile app! Why am I not receiving the comms from transportation, child care services, teachers, school directors, school boards, finances, and the ministry of education in the freaking app? At least covid restrictions are behind us. These were so mesmerizing I flinched each time I got new decision trees.
🔦This week's spotlight: Cloudflare drops services to trans hate website KiwiFarms
Cloudflare is one of the biggest network and cybersecurity services providers in the world. However, it appears Cloudflare lacks flair for its content moderation practices.
Clara Sorrenti, known as trans Twitch streamer Keffals, launched the #DropKiwiFarms campaign after suffering 6 months of targeted online harassment by users of hate speech cesspool Kiwi Farms. The Washington Post reports Kiwi Farms being possibly responsible for up to three suicides after organized harassment campaigns against LGBTQ people. Observers, such as NBC's Ben Collins, believe the echo chamber effect would have eventually led to a mass shooting.
Cloudflare responded to public pressure on September 3rd by dropping its services to the hate forum. The blog post by Cloudflare's CEO labelled the decision "dangerous", which drew criticism. Many observers felt Cloudflare was too soft with the online hate group because it hid behind "free speech" rhetoric.
Cloudflare sees itself as a telecommunications provider which should only provide the internet's "piping" and be completely content-agnostic. The network giant's position contrasts its service with social media, which cannot operate without "reading" user content. The controversy is part of the wider debate about big tech's moral obligation towards harmful online content.
I can't help but feel that the core problem of the endeavour lies with law enforcement. If Kiwi Farms were an Islamist propaganda machine, I believe there would have been helicopters at the administrator's doorsteps. The USA possesses the necessary legal and law enforcement infrastructure to crack down on hate and domestic terrorist groups. The one thing remaining is the perception of the enemy. We have been trained to equate "terrorism" with "evil foreigners", but that's not the case anymore.
In a perfect world, Cloudflare should not have to intervene against what seems like violent and criminal activity. Our accepted judiciary process should be making that call. Cloudflare would get hit by a subpoena so hard they'd turn to rain. However, for now, online radicalization spreads much faster than law enforcement can absorb. Should we expect more out of law enforcement? Yes! Yet, in the meantime, companies have to bear the moral duty of dealing these blows to such organizations.
🥑Legal Jam
👩‍⚖️Privacy and Tax Laws in the Metaverses
Last week, two excellent essays addressed challenges with current laws about decentralized metaverses. IAPP explores how a metaverse avatar constitutes personal information. As long as the avatar can be linked to a person, its contents shall be protected by privacy laws. I question this interpretation. When the public key is the only element that a metaverse operator can link to an individual, can we really pretend it is PII? Is your game's high score really personal information?
The article glosses over the technological limits of decentralized metaverses: in a distributed computing model, inter-jurisdiction data transfers are near-impossible to control. If a Russian player lends their computing power to join a blockchain, then they will gather a copy of the blockchain. How can the data be deleted? How can you enforce the right to be forgotten when every transaction is immutable?
Ethereum developers should also follow Cloudflare's KiwiFarms controversy. Are blockchain operators responsible only for the "piping" of the blockchains, or will they be expected to moderate its contents?
Governments built privacy laws with centralization by large corporations in mind. Web3's decentralization ideology will clash with such laws. Data controllers and data processors, for example, lose all meaning. I am still on the fence about whether we privacy enthusiasts are looking for a solution to a non-problem. Maybe I lack the vision to foresee abuses. As of now, making data subject requests about in-metaverse games looks a bit ridiculous: can your "metaverse Minecraft home" really be associated with a real-life address?
In the same vein, Coin Telegraph looks at the tax implications of metaverses. Tax authorities must define the various types of transactions that happen in metaverses. If you play a game to earn tokens, is it: a. gambling b. labour or c. purchase of securities? The same questions apply to the discovery of a rare item in a game. In centralized games, the transaction from "real" money to "virtual" currencies remained akin to any other commercial purchase. It is the interoperability of the tokens that poses a problem. Taxing only the conversions from the tokens to "real" money misses a large breadth of possible taxable transactions. One could easily imagine somebody benefitting from social welfare operating a thriving business in a metaverse. Proficient Minecraft players nowadays are expected to earn a reputation. If their play leads to earning "tangible" assets such as pizza, gas or electricity, then I think everybody agrees it corresponds to some type of revenue. But what about trades of purely digital goods? The devil is in the details, and there will be plenty.
⌚Worker Productivity Apps Track Your Idle Time to Not Pay You
Here at ppfosec, I strive to build nuanced opinions and acknowledge tradeoffs to complex problems. That said: Fuck Workplace Productivity Tracking. A chilling report from the New York Times describes how American companies deployed spyware on their employees' machines to log any "idle time" and take random screenshots to ensure employees working from home are indeed sitting behind a computer. The practice is already widespread in lower-income areas (and prisons) and technology now enables the same maltreatment of white-collar workers. I always feel baffled by the labour practices going on in the USA. Now that the practice has hit the privileged class, one can hope better laws are ahead to protect individuals.
As I explained in my Teamwork App Review, Charles Darwin spent less than four hours a day in his office and almost three walking outside. One cannot constrain creativity and original research: such tasks keep happening in our minds; they don't follow clocks and shifts. Computers will never fully master creativity, innovation, empathy, and originality. Leave these tasks to trained humans and trust their expertise. The rest can be automated: that's a better investment than spyware.
🗣️Social media Chronicles
🕰️TikTok Denies Data Breach Claims
Hacktivist group Against The West claims it breached TikTok. The militant clan posted on darknet forums content that was allegedly stolen from an Alibaba cloud instance left wide open. TikTok representatives denied the allegations. Troy Hunt, creator of popular breach notification website HaveIBeenPwned, could not validate that the data came from TikTok servers. Other researchers suggested the data could have come from a data scraping company. The owner of the darknet forum, the infamous pompompurin from the ShitExpress story, later banned Against The West for falsely attributing the breach to TikTok. He ain't takin' no shit!
The popular video-sharing app seems on top of the world right now. A security breach would cause a devastating blow to TikTok's partnerships.
🙅‍♂️Google Blocks Truth Social from Play Store
Google denies access to the Donald Trump-backed app due to its incapacity to demonstrate adequate content moderation practices. The right-wing-friendly social media relies on an AI moderation system named Hive, but Google was unsatisfied with the input from human moderators. Truth Social responded with the usual "big tech censorship" rhetoric. TechCrunch reports the presence of posts "promoting the hanging of public officials" on the app, which is still listed in Apple's App Store.
Blocking Truth Social from the Play Store appears to me a much more straightforward decision than Cloudflare's issues with KiwiFarms. An app store provides a clear service to users: it implies curated content based on quality and security criteria. You can install apps from anywhere on Android! Consumers reap a more tangible benefit from Google's content moderation policies than from Cloudflare's network speed.
😘Twitter's failed OnlyFans Imitation
In another example of the difficulty of moderating content on user-generated websites, The Verge reveals Twitter gave up on launching an adult-driven subscription service due to its inability to remove potential child sexual abuse content. The Verge's article rightfully focuses on questions around Twitter's lack of investment in content moderation. However, what catches my attention is how "old" social media like Twitter and Facebook let other platforms lead the way. Listen to the Simon Sinek Apple vs Microsoft talk: successful companies like Apple are obsessed with their purpose; laggards are obsessed with their competition.
🎮Facebook Shutting Down Its Gaming App and Shopping Feature
Speaking of imitating competition and drifting away from your core purpose: Facebook will shut down its games app and shopping feature and replace them with "Super", a Twitch imitation. If you don't know why this will fail you have not been reading enough ppfosec.
😸Snapchat joining the has-been clan?
Snap announced a massive layoff of 20% of its staff. Divisions that will be hit hardest are AR hardware (told you people don't want to wear stupid stuff on their head) and games (sense a trend?). To complete the fall from grace, it announced a dual camera feature that is totally-we-swear-not-similar-to BeReal.
🎯Quick Hits
🚮Dating App Uses GPT-3 to Spam the Spammers
When I created my Instagram earlier this year, it took about three days for a busty woman to follow my profile and compliment me on my picture. It took me 3 seconds to block the spammer. Dating app Filter Off took matters into its own hands. The video-dating site flagged potential spam accounts. Instead of deleting them, Filter Off sent them to an account full of spammers and its homemade bots. These bots used GPT-3 language generating software to exchange endlessly with the spammers. You can read some excerpts on FilterOff's blog. Lucky for me, GPT-3's encoding does not enable it to make puns.
🚕Hackers Cause a Traffic Jam in Moscow
A bunch of pranksters ordered dozens of taxis to Moscow's downtown from the Yandex Taxi app. The ensuing confusion resulted in viral tweets. Can we really call this hacking? I think so! The individuals did exploit a design flaw of the app! Please, don't try this at home.
Pllllleeeeeaaaassssseeeee
🐶This week's rant: How to Make DevOps Work?
I spent a good portion of my first internship in cybersecurity supporting a large IT operations department in the financial sector. I created service accounts with minimal permissions, maintained firewall configurations, designed workstation and server baselines, piloted access removal initiatives, and was a "level 3 support" for helpdesk security matters (hint: it's always DNS). Ops people are generally not the fondest of "least privilege" and "access restrictions", so it was a good time to build character.
I wanted to move to development matters because ops felt like "in a vacuum". OK, we are maintaining these servers, WHY? I needed to see the business side of it and enjoyed everything I did with software development projects.
Fast forward to now: I have been coming full circle back to my early ops days. Ops followed ITIL, which is my favourite framework. I learned to love standardization and "menial" janitorial tasks, just like you love a clean bathroom every Saturday morning.
I bring this story up because my experience taught me that dev and ops have different mindsets. And just like putting cheese and tomato together doesn't make a pizza, smashing dev and ops together doesn't make DevOps. This idea comes from a provocative short essay by Lane Wagner: Devops: An Idea so Good, No One Admits They Don’t Do It. Wagner identifies common pitfalls of organizations that recognize DevOps's theoretical "superiority" but lack the courage to commit to the principles.
Based on my experience and bouncing off Wagner's essay, I'll give you some tips on DevOps.
Don't Do Like Agile
I dislike Agile because the software development framework has constantly been applied to activities that would have been better served by ITIL-driven principles. Agile works for creative endeavours. ITIL works for services. I don't see how I would go about in a payroll department filling user stories with a straight face.
Organizations took the fun marketing elements off scrum (the daily ceremonies, the boards) and said: we're agile! That's not agile. That's agile theatre. Agile came to mean "fast", whereas the idea was always about experimenting.
The idea behind DevOps is: you build it, you own it. Any appropriation that removes ownership from the equation is DevOps theatre. Wagner cites as failing examples organizations that merely rely on changing job titles and shuffling chairs on the Titanic org charts.
Don't require devs to do ops stuff and vice versa
Development requires creativity. Ops requires rigour. That's not to say software development lacks discipline. Developers thrive on exploration. Ops will obsess over the little things. Separation of tasks is inevitable. Some individuals will gravitate towards infrastructure, others towards data analysis. DevOps welcomes multi-disciplinary teams. Telling a dev team to patch operating systems, or an ops person to code a singleton, will not work.
It's about the process
The coolest DevOps practice I have seen is the "no bug sprint". What blew my mind is that the team who ran the "no bug sprint" also had "feature is documented" as a condition for done. Essentially: any incident, vulnerability, support ticket, etc. was a "bug" and the sprint was successful only when all these fixes were delivered and documented.
DevSecOps is a Pleonasm When You Have DevOps
It may be my ops background talking over its head here! A fully functional "traditional" ops team needs SecOps baked in. Ditto in the dev world. You can't have quality software if you don't have secure software. Yes, DevOps needs security tooling (more than ever). Should DevOps have a full-time security generalist doing pentests before every release, running SAST/DAST, fixing vulnerabilities, responding to incidents, applying secure configurations, planning disaster recovery, testing backups, applying security groups, and rotating secrets? I don't think there are enough of these in the world. I see SAST and DAST as a natural extension of the software testing process. Applying the latest software patches and managing backups have always been "pure ops" tasks. ITIL has all the incident response playbooks you need to handle security incidents. Cloud deployments made data at rest encryption a checkmark. We are not that far away from not needing those annoying security specialists!
Don't worry about us, we'll make ourselves useful elsewhere.