Wednesday, January 13, 2021

When is a "Hack" not a hack? How about fraud and negligence?

So... Was the "parler hack" a crime?

Was it even a HACK?

Well...There was almost certainly a crime comitted.... several in fact... but probably not what you might think... or by who you might think.

Because of the comprehensive incompetence and fundamental errors in architecture, design, development, and implementation of the Parler site, services, applications and infrastructure; technically, a very strong argument can be made, that none of the actions the people who accessed (or possibly compromised) the Parler data took in doing so, were actually illegal under U.S. federal law, and the laws of most states.

Effectively, there was no private or confidential data access, because none of the data was actually private or confidential, regardless of whether it was intended to be or legally required to be... the site admins allowed elevated privileged access to be created by unprivileged users, and allowed privileged users to query and retrieve all data within the control of the organization, without properly validated authorization or authentication  

Everything else those accessing the data did, was just scripting those authorized queries to run over and over until they had all the data.

That's not technically illegal, so long as they didnt eliberately circumvent or compromise a policy, wiith a deliberate technical control mechanism enforcing that policy, using an unlawful method. 

...And by any reasonable interpretation of federal law and definitions, and at least most state laws and definitions, the individuals accessing that data didn't so so... Because they didn't have to, because the site devs and admins didn't program or implement any ACTUAL privacy or security controls into the site or the database.... Anyone who knew how to do it, could have done it for themselves, at any time, without bypassing or circumventing anything, or using any outside tools etc... 

The researcher who discovered the data exposure, made her own privileged account, because the site devs and admins didn't implement account controls that would prevent any authenticated user from doing so if they knew how... and privileged accounts were never verified or properly authenticated, and had permissions to do everything else.

...At that point, I don't believe any actual access restriction ornother relevant policy enforcement control, or privacy control, was actually compromised or circumvented by unlawful means... Or for that matter, at all. 

Now... that wasn't the developers or administrators or owners INTENT... but you don't commit a crime for circumventing INTENT.

Its not even a crime to violate policies and terms of service... usually... maybe... depending on many details and variables.

It actually IS a crime to create a new account to circumvent policy, after you have been banned... at that point you are using a technical means to circumvent enforcement of your authorization removal and ban... Even though any user could do so, for any reason, and there isn't anything special about doing so, because you know that you have been banned and are no authorized, an are using technical means... making a new account... to circumvent a technical control... the blocking of your old account... and are accessing such systems without authorization through such circumvention. 

That is explicitly a federal crime "Knowingly unlawfully or improperly accessing a computer system or communications network, without proper authorization".

 If you use such circumvention to do more than a trivial amount of damage, or to intimidate or harass people or commit other crimes, its a fedral felony, under the telecommunications act (originally passed all the way back in 1934 but revised MANY times since) as modified by the computer fraud and abuse act, the USA patriot act, and other related acts and sections etc... etc...

But if a site admin/dev writes a policy that says "users won't use their accounts to gain more access and privileges than they are explicitly granted by admins' that policy won't actually have any force, and violating it won't be a crime... 

at least until you get caught the first time, and kicked, and then log in or make a new account, and try it again, at which case you are knowingly circumventing policy and controls via technical means. 

Even if it was clearly not intended for users to give themselves admin privileges, and gain access to other users daya... even if there's policies that say so explicitly... its not a crime, if the user can do it, without using technical means to circumvent technical controls enforcing those policies.

In this case, they never actually properly implemented such controls. Users were able to make privileged accounts and access other users data, without any technical circumvention... they just had to know job to do so. Nothing else would have stopped them. 

...That means it was almost certainly not a crime... But like I said, there is maybe a little wiggle room for charging something here... 

Oh... But here's the really fun twist...

The Parler site owners, admins, devs etc... ?

They had legal and regulatory requirements under various state, national, and international laws and regulations, to properly and effectively control, secure, and protect, the personally identifiable, private, secure, or confidential or higher data, of its users, employees, partners, and other corresponding entities.

They also had a lawful duty of care, to implement security and privacy controls, at least to the minimum prevailing industry standards of compliance, and generally accepted minimum proper practices, and minimum best practices, for operational protection of personally identifiable, private, or confidential or higher information. 

...In fact, they had state, federal, and international legal and regulatory requirements; as persons of responsibility for the care and protection of the security and privacy of such data; to legally certify, under penalty of perjury, and civil and criminal liability...

... on at least an annual basis (and possibly as often as every 30 days)...

... that they were in fact meeting such minimum standards and practices with policies,, processes, and technical controls, that were in fact effective in doing so.

...When, in fact, they did not have such policies processes and technical controls, that were in place and effective... Or at all...

Which means everyone who signed those certifications, was committing state, federal, and international fraud, breech of trust, and failure of duty of care (and by the by, violation of their own published and stated policies, and the public statements of their persons of responsibility, which extends the fraud, and may also be interpreted as breech of contract or breech of promise, depending on the exact data, the type or individual or organization, their relationship to the organization and the exact laws of the jurisdiction in question)

That...essentially automatically... makes what they did both tortuous civil negligence, and gross criminal negligence.

I say this as someone who does this for a living, advises clients on it professionally, has co-authored many briefs and provided support for many motions, and testified in both depositions and trials; both as an investigator, and as an expert witness on this subject.

All that said... I mean... you always have to take two major factors into account:

1. MOST jurisdictions that I know of, would probably agree with what I wrote above, most of the time, presuming what we now believe we know, holds true... But not necessarily all.

 Some states and other jurisdictions have different legal standards and definitions, under their own  laws and regulations, that could see these various individuals actions in accessing Parlers data,  interpreted by prosecutors and judges, as rising to criminal behavior... Or conversely could interpret the site owners, admins etc... as neither criminally or civilly liable, or that insufficient actual harms had resulted from those otherwise negligent actions such that they would meet thresholds for criminal or civil liability.


2. On any given day, given any particular set of facts, circumstances, and laws, any judge can decide almost any possible way, accounted for under the law... 

...and maybe some not contemplated by the law... 

Or may even simply act flatly outside the law; either because they believe the law is itself in error or improperly interpreted or applied, and that the courts should or must address this defect or defects...

...Or that regardless of any potential legal defect existing or not, that their actions outside the boundaries of the law are in the interest of justice... 

...Or sometimes they just think its the morally or ethically correct thing to do, regardless of the law... That they SHOULD or MUST take such action, regardless of the law, even if they are later reversed, because to do otherwise would be absurd,, obscene, or would tend to shock the conscience (and yes, all of those unusual words and usages are quotes from famous rulings where judges did exactly those things, for those reasons).

A Little Ramble about Liquor

I suppose I'm "lucky" as far as that whole "manly vs. Girly drinks" thing goes...

...Well... Firstly in that I really couldn't give the slightest bit of a damn what other people think about what I drink, or whether its "girly" or not. 

Here's a hint... If you are so concerned about whether other people think you're "a real man" or not... you aren't. 

That aside though... My actual preferences, and what I really enjoy, are on what would generally be considered the "manly" side of things, and I generally don't care for things that would be stereotypically girly.

...Mostly because I like sharper, spicier, more sour, more bitter, more savory, more earthy etc.... flavors, and I generally dislike sweeter and milder or mellower flavors. Though I love "creamy" and "rich" stuff... which I suppose some consider more "girly". 

My favorite alcoholic beverages are weissbiers, and brown, red, or amber ales; dry and sharp or full and buttery hard ciders; unoaked or lightly oaked dry whites or unoaked to moderately oaked (moderate body fruity or spicy, and not too astringent or too sweet) reds; and quality sipping spirits.

Of those, my default choices are hard cider, brown ale, a solid red wine to go with red meat,  and a high proof sipping whiskey.... and MAYBE, on occasion, a dry or sour cocktail or other mixed alcoholic drink

...All of those are pretty much considered "manly" by default...

 My preferred spirits are cask strength or overproof... Meaning they're all over the standard 70-90 proof of most spirits (legally, in the U.S., 80 proof is considered the default standard proof), generally ranging from around 100 proof (50% alcohol) up to 150+ proof (75% alcohol)... Though I'd say the majority of my favorites fall between 110 and 140 proof.

...And by most peoples judgement, that level of alcohol in a spirit, kinda "wins" the "manly vs. girly" test automatically. 

Just generally I don't like drinks that are particularly sweet...Hell, I don't even like my DESSERTS to be particularly sweet. 

As such, most standard proof rums, whiskeys (particularly bourbons, sourmash whiskeys, corn whiskeys, etc...), and tequilas are far sweeter than I like... Even some "dry" gins, are far too sweet for my taste (and almost all Dutch or French style gin/genniver/genevre is). Makers Mark and Jack Daniel's taste like alcoholic brown sugar syrup to me (and in fact my preferred use for either is in making caramels, ice cream, whipped cream, and other sweet sauces and confections). 

Oh... and the caloric content of those spirits bears out my perceptions of sweetness by the by. Bar syrup/bartenders syrup/cocktail syrup (a simple syrup made of sugar boiled in water, with or without some minor additions or modifications, or infused flavors) has appx. 75 to appx. 100  calories per fluid ounce (depending on the exact sugars you used, in the exact proportions you used, and the exact process you used... mostly how long you boiled it for and what temperature, dissolved solids {brix} and specific gravity you boiled it to). Makers Mark has appx. 70  calories per fluid ounce (100% from sugars), which is fairly typical of bourbons (and whiskies in general tend to run between 60 calories and 80 calories per ounce, again all from sugars). In fact, most standard proof brown liquors, distilled from a relatively sugary mash (any kind of molasses or corn based spirit for example), will be very close to a sugar syrup in calories and total sugars. 

All that said, even the driest of neutral spirits, at 80 proof, is going to have something like 52-55 calories per ounce, simply because of the calories in ethanol. 52 is just about the minimum possible calories per ounce, in a spirit that is 40% ethanol.

Pure ethanol itself has about 200 calories per ounce... about 7 calories per gram. Which is actually more than pure glucose, at about 4 calories per gram. Meaning the higher the proof, the more calories a given amount of alcohol is likely to have... But not necessarily more sweetness. 

...But its still a big difference between a very dry neutral vodka or gin at 52-55 calories per ounce, and the as much as 80 calories per ounce you can get in some of the sweeter corn whiskies for example, or the absolutely ridiculous sweetness of many rums, at anywhere from 100 to 140 calories per ounce (more than most liqueurs that have added sugar), at 80 proof.  Ever calorie an 80 proof spirit has over 52, is a calorie from either sugar, or from sugar alcohols formed alongside the ethanol in the mashing and distilling process... and as it happens many sugar alcohols actually taste sweeter than pure glucose. 

Also one should note that a lot of overproof spirits are fortified with extra sugar in their mash, so they can use special varieties of fast eating fast metabolizing yeast that will produce more alcohol in the initial fermentation, and survive longer in a higher alcohol concentration (most yeast will only survive to between 8% and 12% alcohol in the brew, but some varieties can survive to over 20%).  Yes, the yeast eat more sugar to make more alcohol, but its not an even balance, and you need to add more sugar than the yeasts can convert, to ensure they fully expend themselves making as much alcohol as possible. This results in a final mash with more sugar, and more sugar in the final spirit... as well as more of the natural digestible sugar alcohols that  go along with all ethanol production and distillation. 

-----A long but hopefully interesting aside-----

...All of the above actually reminds me of the few very sweet, and particularly very few explicitly sweetened with added sugars... alcoholic spirits I like.

As it happens, I have been makjng my own cordials and liqueurs, since several years before it was legal for me to buy the main ingredient thereof; having been taught both to enjoy them, and to make them, by a friend in the SCA who made many different kinds himself, and who always brought large supplies of them to society events (he also taught me brewing, mead and winemaking, and a fair bit of what I know about distilling).

Most often I make my own apple pie (and sometimes other types as well...Lemon, coffee, coconut, cinnamon, and vanilla bean are favorites for example. All share in being, strongly flavored, strongly sweetened and STRONGLY alcoholic) from my own secret recipes of sweeteners, spices, and flavorings, and from... lets say, available high proof spirits...

...By that I mean the best quality highest proof spirits I can get, that have either a truly neutral flavor profile, or a complimentary basic flavor profile, to my desired end products flavor profile... If I can actually get some of the true, I'll happily use that and prefer it to other options... but it's kind of hard to come by. Meaning that mostly I use something like Gosling Black Seal Overproof Bermuda Black rum, at 151 proof, or similar, and with a quite nice basic flavor profile of its own (its not harsh at all, in fact its quite smooth and pleasant. It's actually my favorite relatively low cost rum, even for standard rum drinks).

By preference I generally WON'T use Everclear (or its sister product goldengrain) even though its supposed to be 190 proof or 95% ethanol. Though I CAN use it, I generally don't because it doesn't make sense to do so... Because it is entirely unaged and unfiltered (more on that later), everclear has more of the nasty volatile aromatics, congeners, and fusil oils (all natural byproducts of distilling, that aging and filtering tend to reduce or eliminate in more expensive spirits). Thus, everclear ends up having unpleasant harsh flavors and odors that I have to compensate for, by dilute it more, having to use more stronger flavors and sweeteners, and cooking off more of the volatile and more of the alcohol with them, so it ends up not being the 190-ish proof it starts off at anyway. 

In fact, because of those factors,, by the time I'm done compensating and correcting the flaws in the base spirit, it ends up weaker than starting with an actual good tasting overproof liquor at 150ish to 180ish proof.

The same is true to a lesser extent for "lab grade", "medical grade" or "food grade pure" ethanol, which varies from 95% pure, to 99.75% pure, and is sold for making tinctures, extracts, infusions, flavor concentrates etc... in theory it should all be very close to truly neutral.and very close to 100% pure ethanol... But in the real world theres always a small percentage of undesirable elements mix in... and those tend to very WILDLY, from brand to brand or even lot to lot, based on the exact recipe they use, the process they use, even the equipment they use to distil and process the spirit. 

Because Everclear, other ultra high proof liquors (theres a 196 proof liquor on sale that calls itself high proof vodka for example, and several 180 proof rums and vodkas), "neutral grain spirit", and "XXX grade pure ethanol" are all.... to my knowledge, completely "unaged", and in distilled spirit terms "unfiltered" and  "unblended"...

--- Another not quite as long but still long aside about some spirit terminology ---

"Unaged" doesn't necessarily mean exactly what it sounds like. One batch of "unaged" spirit from one brand, may have been distilled, bottled, and delivered to you within a few days or a few weeks. Another brand may have spent weeks or months in "blending" and "mellowing" tanks... even a year or two... And then may have spent years sitting in bottles in "resting" or even ridding racks, in an aging warehouse or laagering cave somewhere... and it may be anywhere from 2 to 12 years old by the time its actually sold to you.... But in the world of spiritous liquors, none of that counts as actual "aging". 

In industry terms, aging requires the spirit be exposed to a slightly porous and permeable environment where solvents in the spirit can interact with soluble elements (almost always wood, or woody plant matter, of some kind in some state, but also may include paper or other textiles, and various minerals), and to a lesser extent the atmosphere and environment around the aging vessel, where volatile vapors can expand and contract, with some escaping and some entering... and with sufficient gas/vapor exchange flow to have some oxygen exchange, and some oxidation, but NOT so much as to have significant undesirable modes of oxidation occurring. 

Ideally this aging should occur in a vessel which allows for all of those basic factors, and which when exposed to air and ethanol and the other elements of the spirit, will absorb or modify or allow to evaporate on their own, harsh or unpleasant or unbalanced components of mouth feel,  aroma, and flavor; while also imparting the solvents and other elements of the spirit, with some of the essential aroma and flavor compounds from within the material of the vessel itself, or from other elements placed into the spirit... Again almost always wood, or pieces of woody plant matter, but it also may include those other elements listed above. 

"Unfiltered" spirits aren't... they ARE actually filtered, for particulates and contaminants that would make the base spirit not meet quality grading standards. But in distilling parlance, "unfiltered" actually means they ARE filtered (as noted above) but they're NOT "filtered" through the thick stacks of paper, charcoal, charred wood, various other textiles,, minerals, and relatively recently engineered polymers  (some componets of which may be soluble, some ion exchanging, some hydrophilic or hydrophobic, some oleophilic or oleophobic, some none of the above), and "botanicals" (distillers speak for any plant product used, in whole or minimally processed form, to infuse or filter a spirit in a manner which may notably alter the flavor and aroma of that spirit (and not always in ways you might expect). Usually its aromatic herbs and spices, fruits or bits of fruits including pith, pit, rind or skin, zest,  nuts, seeds, and dried leaves or bark; but it can be any plant matter really).

These "filter" elements are generally used in the distilling trade to "blend" (see below), "mellow" (reduce volatility, harshness, undesirable top notes of  pungency and astringency, and other potentially unpleasant, undesirable, poorly integrated, or poorly  balanced, and non-,complementary components; of aroma, mouth feel, and flavor overtones, undertones,, and highlights) and "sweeten" the spirit (which actually means removing or masking undesirable bitterness, undesirable basal astringency, excessive "earthy" or "grassy" or vegetal flavors, metallic flavors, "chemical" alkalai or basic flavors, and other unpleasant flavor components;, and improving the balance and integration of desirable and complementary flavor components.. It doesn't mean actually adding sweet flavors).

Similarly, "unblended" spirits ARE almost always actually blended as well, in terms of being combined from multiple batches, or even multiple different distilleries... But only for ease, convenience, and consistency in manufacturing, and to aid in improving quality control.  In distilling industry parlance "blended" means the distillers deliberately took several different batches of spirits from different distillation runs, different stills, different recipes, or even entirely different distilleries; that all taste and smell anywhere from slightly to entirely different from one another; and then blended fhem together in various and variable proportions to each other, and with water; in order to end up with a final bottled spirit that has a specific and consistent alcohol percentage, and a specific, consistent, and pleasant, aroma, flavor, and mouthfeel; matching the specific desired characteristics nd properties of the spirit they want to bottle. 

---- end aside on terminology for liquor -----

... As I was saying... Very strong overproof "unaged"  "unblended", and "unfiltered" spirits, can end up being so harsh, with such a high percentage of the nastier volatile aromatics (still a very low percent, but high enough to make it unpleasant), that you don't see much of the benefit of the higher alcohol percentage, because you have to boil off a lot of those volatile and that ethanol from the spirit, and mask the off flavors with dilution, sweetening, etc... 

That said, such "xxx grade" ethanol can sometimes be had quite cheaply in some states (I recently saw 99.97% pure "medical and food grade" ethanol selling for $40 a gallon, shipped, before quantity discount. That's compared to the $20-$40 per LITER you may see other high proof spirits sell for)  because it doesn't have to go through the standard liquor distribution channels, and may not have the extra state and local alcohol taxes tacked on...

Some batches of such high proof or high purity spirits, from some manufacturers and bottlers, may have very few actual flaws requiring specific correction, and may only have the basic issues caused by lack of aging and filtering to deal with. At prices like $40 per gallon, it may actually be worth buying some for use in more strongly flavored more heavily sweetened liqueurs, and taking the time to cook the harsh volatiles out longer, while infusing your flavorings longer and hotter, masking the remaining flaws in the base spirit.

Also, if the base spirit is mostly free of major flaws and defects as above, at prices like $40 a gallon, it very well may be worth experimenting with filtering and aging the spirit for yourself at home, and with doing infused spirits (rather than flavored and sweetened liqueurs). I have actually done so myself, and the results can be quite good... Sometimes, some batches may even be good enough to drink neat (especially strong infusions, and particularly when served ice cold from the freezer, or in strong punches, or strong grogs or toddies) or with some water and ice. Most of the batches I made were quite suitable for use in cocktails, and certainly more than good enough for use in cordials and liqueurs.

...And now I want to make some apple pie again...

----- End of long and hopefully interesting extended aside -----

My preferred mixed drinks are mostly dry, sour, or both... with the exception of some sweeter drinks that are sweet because of fresh fruit juice or fresh fruit... when the sweetness isn't the point, it's just a side effect of the fruit goodness (I LOVE pineapple based drinks, if they're not made overly sweet... which unfortunately they often are). 

If I just want alcohol for the sake of drinking, not to specifically enjoy a fine spirit... That's what double tall vodka tonic, double lime, is for... IF its unsweetened tonic, or I know and like the brand of tonic they're using. If not, then I sub soda water, because again, most tonic is sickeningly sweet (particularly because they usually sweeten it with saccharine). 

Or, being a native New Englander, I love cranberry juice (if they have REAL cranberry juice, not "cranberry juice cocktail" thats usually 3/4 apple or white grape juice, and again way too sweet), and I love dry and sour cranberry juice based cocktails. 

...But I don't go for that "test of manhood" level of bitterness, sourness, peat, smoke, whatever... A Lagavullin is nice every once in a while, or a Stone or Dogfish head IPA... but I don't think it's necessary to drink something overpowering and unbalanced, just for the sake of it. 

Some think that overproof spirits are like that... But to me they actually taste BETTER than regular spirits. Spicier, sharper, crisper...with an almost mint like refreshing bite, and a shorter, cleaner finish. Less sweetness or oiliness laying on the pallet after you sip.

...And cocktails that would be FAR too sweet made with a standard proof bourbon or rum (which might as well be a full measure of sugar syrup each shot), are suddenly refreshingly dry with an ovenproof spirit instead. 

...So yeah... do what you like, drink what you like and enjoy, and who the hell giives a half a  damn what anyone else thinks about it.