The state of Privacy & Security in the US

Ockom · 7 min read · Jan 13, 2021

The Threat to our Security & Privacy

Ockom is not politically leaning. In fact, we hire hackers of all genders and of all religious and political views. We care only about their ability to do their job. We want the best. When we engage with a client, we do not care about their religious, political, or social views. Our job is to ensure they implement the best security and privacy practices.

The recent joint cyberattack by Google, Apple, Amazon, and others has fundamentally changed how we must view privacy and security.

In Ockom’s combined 40+ years of experience, we have never seen anything quite like this. The arbitrary removal of an app from app stores such as the Google Play Store and the Apple App Store is virtually unheard of. And when we say arbitrary, we mean arbitrary. The reasons given to Parler by Google, Apple, and Amazon would apply to many other apps. Take Gab, Twitter, Gmail, Facebook, OK, and the many other available social media apps. And yet, the same policies have not been applied. And if they were, certainly their hosting provider would not have stepped in and removed them.

Take for example Tor, which for many years has been a method of making it harder to detect and deter illegal activities. In fact, it is the number one method of conducting such business and facilitating illegal activity. And yet, it can still be downloaded from the Google Play Store and the Apple App Store:

BTW... we love Tor

Many would argue that the “reason” Parler was removed was its supposed support of inciting the Capitol Hill riots and frenzy by not moderating its users’ posts. However, according to the Apple App Store Review Guidelines and the Google Developer Guidelines, the moderation of user-generated content is a requirement upon submission to the app store. This means that Parler had to demonstrate effective controls prior to being approved for publication on the app store. As you see from the letters below, Parler responded with various processes to the allegations that users were posting content inciting violence, and yet the big tech companies said the process wasn’t quite what they were looking for. Entirely arbitrary and subjective.

Never mind that Twitter still hasn’t suspended the Antifa page, which directly incites and gives you instructions for inciting violence:

https://twitter.com/antifaintl

And never mind the numerous groups on Facebook inciting violence, sexual content, and more. When was the last time that the FBI investigated terrorists or violent extremist groups forming on Parler since 2018?

So why do we care and what can I do?

Normally, Ockom is relatively agnostic to political affairs. However, in this case we are less concerned with the politics (though that seems troubling), and more concerned with what this means for security and privacy. We are now having to take certain measures that we would normally suggest to users in anti-privacy countries such as China, Iran, and other Middle Eastern countries. So what has changed and what does Ockom suggest now?

Backups

When we develop disaster recovery plans for companies, we normally assume a certain level of trust in the various providers. Now, our threat model must include service providers completely dropping our clients. We do suggest redundant backups. However, in the modern age of cloud hosting, the backups are done by the hosting provider. If one server goes down, we can spin up a new one and load the snapshot or backup of our site and be up and running in short order.

It is costly to have a portable backup which must be ready to spin up on an entirely different hosting platform, and certainly more costly to maintain your own servers. Especially for high traffic applications such as social networking platforms. However, if your

Domain Redundancy

If your domain registrar drops you due to domain abuse, what do you do? This is a possibility considering recent events, and registrars reserve that right. For example, see Google’s Domain Abuse Policy. One of Ockom’s suggestions has always been a “diverse tech stack”. In this case, it means registering domains with a registrar separate from your hosting service. So if you use Squarespace to host, do not use Squarespace to register your domain.

However, now we suggest that you not only do the aforementioned, but also register some “redundant domain names” as a backup. This way you can at least set up 301 redirects, or spin up entirely new servers on a similar but different domain name. Make sure you have properly signed certificates, otherwise your user-base may think it is a malicious site or somesuch.

Sometimes, it is best to have the various backup domains redirecting to the live domains. This ensures that they get crawled from the get-go, and once they fail over they will still show up. That being said, it is best to notify your userbase if you have their email upon registration. And if not, then notify via other channels. The word will get out.
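A readiness check for the redundancy advice above, as an added example that is not Ockom's own code: for each backup domain it checks that the registrar is separate from the hosting provider, that the domain answers with a 301 to the live domain over HTTPS, and that its certificate covers the backup hostname and is not close to expiry. The domain names, providers, record fields and the 30-day threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MIN_CERT_DAYS = 30  # assumption: flag certificates with less than 30 days left

def cert_covers(hostname, san_names):
    """True if a SAN entry matches hostname (wildcard covers one label only)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in san_names):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def audit_backup(record, live_domain, now):
    """Return the findings for one backup domain; an empty list means ready."""
    findings = []
    if record["registrar"] == record["hosting_provider"]:
        findings.append("registrar and hosting are the same provider")
    if record["status"] != 301:
        findings.append("expected 301, got %d" % record["status"])
    target = urlsplit(record.get("location") or "")
    if target.scheme != "https" or target.hostname != live_domain:
        findings.append("redirect does not point at https://" + live_domain)
    if not cert_covers(record["domain"], record["cert_sans"]):
        findings.append("certificate does not cover " + record["domain"])
    if record["cert_not_after"] - now < timedelta(days=MIN_CERT_DAYS):
        findings.append("certificate expires within %d days" % MIN_CERT_DAYS)
    return findings

# Constructed sample inventory: hypothetical domains, providers and dates.
NOW = datetime(2021, 1, 13, tzinfo=timezone.utc)
INVENTORY = [
    {"domain": "example-backup.net", "registrar": "RegistrarA",
     "hosting_provider": "HostB", "status": 301, "location": "https://example.com/",
     "cert_sans": ["example-backup.net", "*.example-backup.net"],
     "cert_not_after": NOW + timedelta(days=80)},
    {"domain": "example-alt.org", "registrar": "HostB",
     "hosting_provider": "HostB", "status": 302, "location": "http://example.com/",
     "cert_sans": ["example.com"],
     "cert_not_after": NOW + timedelta(days=10)},
]

def audit_all(inventory=INVENTORY, live_domain="example.com", now=NOW):
    return {r["domain"]: audit_backup(r, live_domain, now) for r in inventory}

if __name__ == "__main__":
    print(audit_all())
```

In practice the status, redirect target and certificate fields would be filled from a live request to each backup domain on a schedule; here they are constructed so the check runs offline.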

Binary Redundancy

While this is less applicable for non-mobile apps, it is of great concern for those in the mobile space. What does a user do if both Google and Apple remove you from their app stores? How do end users download your app? Well, if your platform is available online, you’re OK for the time being. An app is simply the mobile-friendly and mobile-specific version (usually).

However, if not, or if it is simply easier for mobile use, then you must provide the .apk or .ipa binary to the general public. This allows them to install it manually, on their own, outside of the app stores. Remember, signing it with a trusted certificate is essential. Ensure that iOS and Android can verify and yadayada. While this presents a risk of reverse engineering, it is still better than nothing. You could also release as a last resort, which also ensures you release updated code first. Bear in mind, this still requires some backend infrastructure in place, so you’ll want to make sure you update APIs and other strings in the app to point to the correct place. You may have to distribute over available channels, but how do mods for games get passed around? ;)

Consider Opensource

At the end of the day, unless your platform costs money, open-sourcing it is a great way to increase visibility and also security. We would now have our clients consider an open-source release as a final resort if censorship or removal happens to them. The best way is to always maintain your code repos with that potential in mind. Think “I might have to open source this one day”, and you will develop and maintain your CI/CD in a better manner. This also forces you to practice good software development, and to be generally more mindful of clean build processes and security practices.

Call to Action

While Ockom supports and uses many Google and Apple services and devices, this shows us that there needs to be a market shift and growth of Linux and open-source devices and platforms. While the “tech giants” own the monopoly, the usage of alternative mobile OSes must become a technological priority. While Parler is the first example of a sanctioned joint cyber attack by very large and very public tech companies, we should not think it is the last. And although this is a very clear example of biased silencing of differing and competing opinion with a political agenda (yes, even we can see that), it goes far beyond that.

This marks the move from a façade of privacy and security, which the US is built on and tech companies proclaim, to an overt political stance and show of power by tech companies. Whether politician-forced or not (yes, we know the connections), tech companies are entrusted by their clients to maintain objectivity and unbiased decision making. Simply to provide their platforms to their userbase and keep people safe from direct harm. Was what happened to Parler what was best for the state of technological privacy, freedom, and security in America? We think not.

So move to open source and diversify that technology portfolio.
