https://vmfunc.re/blog/persona
I definitely recommend reading this primary source before drawing conclusions about the code as most of the secondary reporting is quite low quality.
@dang can this get a second chance?
(This is a joke in case that wasn't clear)
if you expand the scope to a handful of adjacent figures, the catastrophe is truly amazing
I think the whole "after its code was found tied to U.S. surveillance efforts" part is new and wasn't known before, so feels important to have in the title too. Although most of us probably assumed it was true before too.
New and also should be the big story.
"Butcher cuts ties with supplier when steaks found to be human meat" shouldnt be a story about changing suppliers ...
>Persona performs 269 distinct verification checks, including screening for “adverse media”
im sure everyone assumed this, but its good to know it.
>And the information was openly available. “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,”
it is kind of scary how often these types of situations are only found out because of wild incompetence. you have to imagine that most similar situations dont suffer from the same incompetence (and thus arent known)
>“At Discord, protecting the privacy and security of our users is a top priority.
please, i wish companies would just stop saying this obvious lie. you know that you dont care. we know that you dont care.
>It’s dystopian that we want people to facedox themselves to everyone to be real online.
.... says the ceo of the company that you have to send your face ("facedox", if you will) to
No, they’re outsourcing the verification to an external company. Just not this one.
Side note: The verification is only if you want to remove content filters, join adult-themed servers and a couple other features. If you only want to chat with your friends and use voice then no verification is required.
This was undermined by the fact they were also trialling a switch to Persona (the vendor in the story), which did not uphold that guarantee. It was horrific optics to be reassuring people that it was ok because you didn’t save data but also be trialling a switch to a vendor which did save data, which I guess is a lot of the reason this vendor switch was cancelled. (Though it does call into question discord’s judgment that they thought this was a good idea).
Anyway, Persona was also breached which is how the government links were discovered and also probably a part of this decision. This is not to be confused with the breach in November of 5CA, _another_ vendor they used in the initial UK and Australia roll outs. The fact that two vendors were breached in four months is a good example of why this is a bad idea
Ah yes, we only store it for 7 days. During those 7 days, we pass it to Persona, and who knows how long they keep it!
> "Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation"
So now it's not "immediately" but 7 days? I don't know how anyone can trust any statement from these guys.
If a tech company says something to you, and they don't give you the means to verify it on your own, they are lying to you. Do not trust anything they say, ever.
Yes, I'm making (another) argument in favour of IRC. IRC has optional client-server encryption, and you can set channel modes to only allow encrypted clients access. So that way you at least prevent eavesdropping.
We decided to just meet up in person twice a month and play board games instead.