A couple of quick observations on l'affaire Indian XCheck and The Wire's last update.
1) Nothing on this page is something that can be verified by me or any other reader. We would need the actual email to do so.
2) The @fb.com/@meta.com argument is the weakest defense by Facebook. Clearly, the company's O365/ProofPoint instance is set up to receive emails for either domain and various employees are sending from different domains. This argument is pretty much useless either way.
3) The Wire's DKIM verification video proves nothing. It would be trivial to fake the verification by dkimverify, as all you would need is a script in your path that prints "signature ok". There are more complicated ways to fake this as well.
What the video does show is that if the email is not legitimate then the person who made the video is in on the hoax. The Wire piece implies (but does not specify) that their own tech employee made the video.
4) @matthew_d_green noticed that the DKIM verification details in the header shown by The Wire do not match what he has received from fb.com senders in the past. I have the same result. This is not strong evidence, but should be noted.
5) The experts who verified The Wire's process are not named. If they did so without access to the raw email, then they should not have confirmed its veracity. Watching somebody else's desktop is not good enough, for the reasons stated above.
6) The emails from the experts were originally timestamped in 2021 in the screenshots posted by The Wire. They silently changed their post to update them to 2022.
You can still see the 2021 screenshot in this thread:
If this was a local time problem, then that should only affect a thick client, and it wouldn't give you the exact time and date minus one year. It is unclear what kind of mail client these screenshots purport to come from, but there is no good explanation for the year mismatch.
7) The most interesting part is the instagram.workplace.com login. I have never heard of this domain being used and it does not show up in recently leaked documents.
The domain resolves, but so does any subdomain of workplace.com (to the same CNAME). I expect this wildcard is meant to reduce DNS propagation latency when new customers set up their subdomains.
This person is seen using fbinternal.com to log in, which is an actual Meta domain. Once they do so, the user's News Feed is blank, meaning there is little to no traffic on this Workplace instance.
The notes section has been populated in the last three hours, according to the timestamps, and none of the notes were created by anybody but the logged in user (who has the IG logo as their headshot) and have been shared with no other users.
So, there are two possibilities. First...
- Meta is lying.
- The email is legit and the DKIM discrepancies have an innocent explanation
- There is an innocent explanation for The Wire's screenshots of expert emails having the wrong date initially
- XCheck allows certain individuals to take down content from outside of Meta and this wasn't in the Haugen docs
- Andy Stone writes very incriminating corporate emails with an English syntax that does not seem right for somebody from New Hampshire
- There is a secret Workplace instance at Meta that has never shown up in a leaked document or that has been seen by any former employees, and it is only available over VPN (unlike other Meta corp web interfaces)
- That Workplace instance is used to store highly incriminating writeups of the secret XCheck reports
- It's used for pretty much nothing else, hence the blank newsfeed
- There is a good reason for those reports being written only by the current user in the last 3hrs
or... The Wire is wrong
- The DKIM verification video was faked (which is trivial)
- Somebody created a free trial Workplace instance, filled it with notes (only the titles) and proxied instagram.workplace.com to it
The question would be whether The Wire is in on it or tricked.
If The Wire is wrong, then Meta has all the evidence they need. While you could create a whole fake Workplace, the easier move is to just create a free trial instance, meaning those fake notes are sitting in Meta's databases along with the metadata of whoever created them.
I think, at this point, it's on Meta to write up a detailed response with whatever technical evidence they have. This will not go away just by ignoring it.
If The Wire is wrong, then this does not disprove the overall concern over the relationship between the BJP and Meta. I have long said that the biggest organizational weakness at Meta is the unification of platform policy and government relations.
So there will still need to be vigilance and criticism of Meta's approach to India as we approach a critical election for the future of the world's largest democracy. But we might need other journalists to be at the forefront of that.
A PS on source protection, as this is the reason given for not having a 3rd party verify the email.
The problem is that, if they exist, this source is totally burned. Only a handful of people could have been on such an email and screen recording will be a dead giveaway.
Two other good observations I missed:
From fellow ex-FB security engineer and current SIO CTO
As Pranesh says, there is no accidental way you could have this day/date mismatch. At a minimum, these emails are mockups or have been edited and The Wire is lying about the cause being a bad local time in Tails OS. (This also doesn't look like Tails)
Yikes.
I feel really bad for the rest of the folks at The Wire who will suffer for this. When they wake up in a couple of hours they need to ask some hard questions.
And... scene.
Shoshana deserves a lot of credit for being one of the first (and few) US tech journalists to have an opinion here, and sticking with it despite withering criticism.
If you want a verbal recap of this adventure, as well as a discussion of the real risk of platforms being manipulated in India, @evelyndouek and I had a deep discussion yesterday. This was before the retraction, but everything else we say stands.
law.stanford.edu/podcasts/mcs-weekly-update-down-to-the-wire-v-meta-in-india/?sf171773073=1
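
Point 4 of the thread compares the DKIM details of the disputed header with mail received earlier from the same sender. The sketch below is an added example, not part of the original thread: it parses DKIM-Signature values and reports configuration tags whose values never appear in a baseline. The headers, `example.com` and the selectors are constructed placeholders.

```python
import re

CONFIG_TAGS = ("v", "a", "c", "d", "s", "h")  # signing setup, not per-message data

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs (RFC 6376)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def profile(value):
    """Reduce a signature to the tags that reflect the sender's configuration."""
    tags = parse_dkim_tags(value)
    prof = {t: tags.get(t, "").lower() for t in CONFIG_TAGS}
    prof["h"] = tuple(f.strip() for f in prof["h"].split(":") if f.strip())
    return prof

def compare_to_baseline(disputed, baseline):
    """Return {tag: (disputed value, values seen in baseline)} for unseen values."""
    known = [profile(h) for h in baseline]
    diffs = {}
    for tag, val in profile(disputed).items():
        seen = {p[tag] for p in known}
        if val not in seen:
            diffs[tag] = (val, seen)
    return diffs

# Constructed sample data: example.com and the selectors are placeholders.
BASELINE = [
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2022;\r\n"
    "\th=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2022;\r\n"
    "\th=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER; b=PLACEHOLDER",
]
DISPUTED = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=default;\r\n"
            "\th=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for tag, (got, seen) in compare_to_baseline(DISPUTED, BASELINE).items():
        print(f"{tag}: disputed={got!r} baseline={sorted(seen)!r}")
```

A mismatch here only says where to look more closely; the comparison works on header text alone and does not check the signature against the raw message.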