Comment by bri3d

4 months ago

The referenced write-up based on the Persona front end code is here:

https://vmfunc.re/blog/persona

I definitely recommend reading this primary source before drawing conclusions about the code as most of the secondary reporting is quite low quality.

Note also there's a direct response from Persona's security team here[1], and a lot of back and forth from Rick on Twitter[2].

[1]: https://withpersona.com/blog/post-incident-review-source-map...

[2]: https://x.com/Persona_IDV/status/2025048195773198385?s=20

  • > About the name: The subdomain was called onyx, a reference to the Pokémon Onix (a Pokémon made of multiple boulders, fitting for a multi-node architecture). It was an informal codename chosen by the engineer. It had no connection whatsoever to Fivecast ONYX, an unrelated 3rd party commercial product previously used by ICE. We understand this coincidence caused confusion, and we address it further below.

I read it and, maybe it’s because I’ve spent too much time in fintech, I don’t share most of the concerns.

The differences in proclaimed data retention periods are concerning, though. The rest is par for the course for KYC/AML.

  • I agree; I didn't want to editorialize too much as I think the writeup stands on its own.

    My takeaway was that in this case, even an author with a clear and extreme bias against this sort of thing could find only unfortunately-common bad practices rather than deeply nefarious intent. Of course, this is just the front-end code, but this just looks like a KYC platform to me. Most of the secondary reports on this write-up seem to completely ignore section 0x13 and jump to the specific conclusions the author does not draw.

    The fact that we've created a system where Discord need and want a KYC platform is a different and quite strange thing, but the KYC platform itself just looks like what it says on the tin.

  • Tell me more before I doom about this too much.

    • Any time you interact with the financial services industry in a meaningful way, they are doing almost exactly all of these checks on you. It is mandated by law, and they're overseen by FINTRAC in Canada and FinCEN in the US.

      When you applied for a bank account for your freelancing business (or startup idea), some people googled you, looked for PEPs (politically exposed persons) in your family, stored photos of your IDs and probably even printed them off, and sent everything in a nice package to some "risk" department. Who knows how that department is handling your data.

      The only difference is that Persona is trying to put a front-end on it and selling the process as a SaaS. Look up "KYC/KYB saas" and you'll find hundreds of businesses doing this (including, of course, Persona).

      edit: I want to emphasize that this isn't restricted to just business banking. Poor wording on my part. Lots of industries are legally mandated to conduct KYC/IDV. Notaries do it in home sales, your stock brokerage is doing it, employers in regulated industries do it to everyone on payroll. The list is very long. Unfortunately...

      The government should take on responsibility for KYC imo, instead of letting 100 vendors come up with their own solutions. But that would probably have some nasty externalities.

Good article but the web site gave me eye and ear cancer.

Please make it actually readable and don't steal my audio!

  • [flagged]

    • There is more than “unique web design” that causes reading issues with that article. For one, the lowercase, as well as the arcane keywords and organization. Not to mention the autoplay music. I have communicated this to the author and they shrugged it off.

    • Reading mode doesn't work on Safari for me... I get a paragraph and sod all else.

      So respectfully, do not make assumptions. And if you want someone to read the content, don't surround it with shite.

damn. why did the website steal my audio?

  • Some of the most interesting authors in tech on the internet have just absolute awful websites. Blinking animations everywhere, weird sounds, "cute" little javascript animations like it's 1999 again.

    • the last time the website was submitted, over half the comments talked about website design instead of the actual content. we can probably skip doing it again.

      different people have different tastes. people complain about boring websites, people complain about websites with animations or colors. the only guarantee is that the conversation isn't interesting.

      if you are on the side that doesn't like music, animations, whatever, i recommend a combination of noscript and using reader mode.