greg

CTO @ Flipboard

“It’s all about being a part of something in the community, socializing with people who share interests and coming together to help improve the world we live in.” – Zach Braff

In any successful network, bad actors will emerge with the simple goal of achieving some result that is in the interests of themselves or those that have hired them. These bad actors could be code, could be individual users on a VPN coming from a location with no recourse to investigate, or an army of humans clicking on behalf of their country. The motivations are endless and we are certain to hear lots about mis-information over the next few months with the elections around the corner. Whole encyclopedias could be written on the topic; each attack vector has similarities to other social networks with slight deviations. Most importantly, it is a cat-n-mouse game ... once you are able to minimize the mechanisms by which someone is abusing your system, they will figure out ways around it. If they cannot and go away, someone else eventually will. The previous ones will come back in a year to see if you left your guard down.

Check out this output from analysis of new accounts created over the last few days:

Image of bad actors with email addresses using the dot that gmail allows to make many accounts

The second column shows emails such as Cyr.u.s2boyo1@gmail.com and Cy.rus2boyo1@gmail.com .... gmail users can basically add dots to their email address or append a plus sign and more letters/numbers after the email address to create what looks like a unique email address, but one which is not actually unique and, in this example, always delivers to the canonical email address cyrus2boyo1@gmail.com. There are legitimate use cases for doing this out in the real world (for example, I might create a Threads account with the email address rockhunters08+threads@gmail.com, or maybe your testing team wants to create hundreds of emails to test something but have them all route to the same account). Nonetheless, each social network has to decide where and when this is allowed and come up with rules to prevent the creation in the first place, if possible, else detect the bad actor before they impose harm on users or your business, and disable them.

In this particular case, the fact that the user is verifying these accounts, that all of them were created quickly one after the other, and that many already have identical bios, implies they are likely planning to follow themselves to give large follower numbers (and later, possibly, like or reflip flips from each other) with the goal of gaming our recommendation algorithms. Who knows, really. On Flipboard, this will never work because we, in general, take an allow list approach to recommendations, so unless our editorial staff (a.k.a. carbon based life forms) have reviewed your account or domain of content, it won't make it into other people's For You feeds. This is one of the reasons why we are SLOWLY federating Flipboard accounts: we do not want this gamification to spill over into the fediverse.
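To make the two signals above concrete (dot/plus variants that all deliver to one gmail mailbox, and a burst of verified accounts sharing a bio), here is an added example of the kind of daily check described in this post. It is my own illustration, not Flipboard's actual code: the signup records are constructed sample data, the ten-minute window and the scoring are assumptions, and the plus-suffix handling is applied only to gmail, which is the provider the post discusses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signups (not real account data). The first three emails
# reuse the dot/plus pattern shown in the post; timestamps and bios are invented.
SIGNUPS = [
    {"email": "Cyr.u.s2boyo1@gmail.com",        "created": "2024-09-25T12:40:09", "bio": "Love news", "verified": True},
    {"email": "Cy.rus2boyo1@gmail.com",         "created": "2024-09-25T12:41:30", "bio": "Love news", "verified": True},
    {"email": "cyrus2boyo1+flip@gmail.com",     "created": "2024-09-25T12:43:02", "bio": "Love news", "verified": True},
    {"email": "rockhunters08+threads@gmail.com", "created": "2024-09-20T08:00:00", "bio": "Rocks",     "verified": True},
    {"email": "someone@example.org",            "created": "2024-09-25T12:42:00", "bio": "Love news", "verified": False},
]

# googlemail.com is an alias of gmail.com; both are normalized to gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For gmail: compare case-insensitively, ignore dots in the local part and
    drop anything after a '+'. Other domains are only lower-cased, because
    sub-addressing rules differ per provider.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def cluster_signups(signups, window=timedelta(minutes=10), min_size=2):
    """Group signups by canonical mailbox and flag suspicious clusters.

    A cluster is reported when at least `min_size` accounts share a mailbox.
    Each reported cluster carries three boolean signals from the post
    (created in a burst, identical bios, all verified) and a score that is
    simply how many of those signals fired. Window and scoring are assumptions.
    """
    groups = defaultdict(list)
    for s in signups:
        groups[canonical_email(s["email"])].append(s)

    flagged = {}
    for mailbox, members in groups.items():
        if len(members) < min_size:
            continue
        times = sorted(datetime.fromisoformat(m["created"]) for m in members)
        burst = (times[-1] - times[0]) <= window
        same_bio = len({m["bio"] for m in members}) == 1
        all_verified = all(m["verified"] for m in members)
        flagged[mailbox] = {
            "accounts": len(members),
            "burst": burst,
            "same_bio": same_bio,
            "all_verified": all_verified,
            "score": sum([burst, same_bio, all_verified]),
        }
    return flagged


if __name__ == "__main__":
    for mailbox, info in cluster_signups(SIGNUPS).items():
        print(mailbox, info)
```

Running this over the sample data reports a single cluster, cyrus2boyo1@gmail.com, with three accounts and all three signals set; the legitimate rockhunters08+threads@gmail.com signup is alone in its group and is not reported. A real deployment would run it over the day's signups and over a rolling multi-month window, since the slow one-account-per-day variant described later in the post never forms a burst.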

There is more analysis we can do if we were not sure whether this is a bad actor. For example, in the images below, you can see they already created a magazine and flipped 1 article into it. That .... pattern ... is something we could write a chapter on and is specific to Flipboard, though I suppose the analogue on other social networks is whatever write action you can take on that network (e.g. Post).

Image of single magazine created by bad actor

Image of single post by bad actor into magazine

You could then curl, or browse to, the website where the article is located, and you will get something like the image below:

Image website not working with errors

You could take this analysis further and look at who owns the domain, when was it registered, etc... it goes on and on. For now, it is clear this person is not a legitimate user and deserves to be disabled. We'll run this check over accounts daily as well as over longer periods of time. I've seen cases where a bad actor will create 1 account per email address a day over many months and, worse, do that for many email addresses via a VPN with changing ip addresses. Always fun.

In the fediverse, this becomes more complicated because this user could apply the same tactic across tens of thousands of instances where this kind of analysis is not readily available.

Thoughts? I'd love to know what you think!

#moderation #trust #safety

Anytime anybody impersonates you, it's a great compliment. – Robert Wagner

In my role at Flipboard I am in a similar position. I'll start with something that is a bit off topic from the typical spammers, and which we uncovered just the other day: someone impersonating our brand .... because I am actually not 100% sure how we should fully handle it, and would love your thoughts.

The Scam

We received a report over our standard help channels from a non-user that they were cold called by a twitter (a.k.a. X) user claiming to work for Flipboard. They were made some vague promises if they signed up and after saying no ... well .... let's just say this scammer cussed them out with some not so nice language.

After working with the user (and promising them this was not us) we uncovered this account on X which was doing the impersonation.

image of bad actor screen shot account on X

The Research

Nothing on that account is legit. Notice the flip[.]it url that redirects to some sort of statement on the SHIB token, which seems to be part of their scam. Well, when a Flipboard user creates a short url, we keep track of the account that created it. In this case, a simple lookup uncovered the account used to create the link. Luckily, they had accessed that account the day we were notified of this. We keep logs for around 14-21 days from key systems in order to help debug problems legit users report. In this case, I was able to find a log line in our haproxy routers for this account:

./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] <user.notice> haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 - - ---- 546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|Amazon CloudFront|} "GET /v1/static/config.json?userid=YYYY&ver=4.3.29&device=iphone-17.4.1&model=iPhone11%2C6&lang=zh-Hant-HK HTTP/1.1"

This is a request from their device looking for initial configuration information. There are a few things to notice here:
– the IP address the request originated from is 49.130.131.81
– their language is set to Traditional Chinese, Hong Kong
– they are using an iPhone and a fairly recent version of our software
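Pulling those three facts out of a raw haproxy line by eye works once; when you are chasing an account across days of logs you want it done mechanically. The following is an added example of my own, not Flipboard's tooling: it parses the captured-header block and the request line of an entry shaped like the one quoted above (the sample is constructed from that entry, with the same masked addresses and userid). The field names in the returned dictionary are my choice.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample line modelled on the haproxy entry quoted in the post.
# Masked values (X.X.X.X, Y.Y.Y.Y, YYYY) are kept as in the original.
SAMPLE_LINE = (
    "./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] <user.notice> "
    "haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] "
    "fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 - - ---- "
    "546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|Amazon CloudFront|} "
    '"GET /v1/static/config.json?userid=YYYY&ver=4.3.29&device=iphone-17.4.1'
    '&model=iPhone11%2C6&lang=zh-Hant-HK HTTP/1.1"'
)

# haproxy's accept timestamp, e.g. [25/Sep/2024:12:40:09.912]
TS_RE = re.compile(r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\.\d+)\]")

# The {...} block is haproxy's captured request headers. In this log format it
# holds Host | X-Forwarded-For | Via | (empty), followed by the quoted request.
REQ_RE = re.compile(
    r"\{(?P<host>[^|]*)\|(?P<xff>[^|]*)\|(?P<via>[^|]*)\|\}\s+"
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)


def parse_haproxy_line(line: str):
    """Extract the investigation-relevant fields from one log line.

    Returns None when the line does not match the expected shape, so the caller
    can skip unrelated entries while scanning a whole file.
    """
    m = REQ_RE.search(line)
    if not m:
        return None
    ts = TS_RE.search(line)
    xff = [ip.strip() for ip in m.group("xff").split(",") if ip.strip()]
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query)

    def first(key):
        return query.get(key, [None])[0]

    return {
        "timestamp": ts.group("ts") if ts else None,
        "host": m.group("host"),
        # Leftmost X-Forwarded-For entry: the address the post reads as the origin.
        # Entries a client supplies itself can be forged; treat only the hop
        # appended by your own edge (here the CloudFront layer) as trustworthy.
        "client_ip": xff[0] if xff else None,
        "proxy_chain": xff[1:],
        "via": m.group("via"),
        "method": m.group("method"),
        "path": url.path,
        "userid": first("userid"),
        "app_version": first("ver"),
        "device": first("device"),
        "model": first("model"),   # parse_qs decodes %2C back to a comma
        "lang": first("lang"),
    }


def find_user_requests(lines, userid: str):
    """Filter parsed entries down to one account, the way the post did by hand."""
    for line in lines:
        entry = parse_haproxy_line(line)
        if entry and entry["userid"] == userid:
            yield entry


if __name__ == "__main__":
    for entry in find_user_requests([SAMPLE_LINE], "YYYY"):
        print(entry)
```

Feed it the output of a grep for the account id and you get one dictionary per request, which is enough to tabulate the distinct client addresses, device models and languages an account has used over the retention window and to spot when those change.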

NOTE: we utilize this information to ensure the user experience works for the device, language and location of the user; the details above were sanitized.

Doing a whois lookup on that IP address, we get confirmation that this user is coming from Hong Kong:

image whois lookup of ip address originating from Hong Kong

Great, so now what? I wanted to see if there might be more than 1 user or account on X executing this scam. So, I looked at their 2,245 followers (X only let me search some of them) and quickly found 2 other accounts done in similar fashion: LoisFlipboard and DaisyFlipboard. Continuing down this path, you find more and more .....

Next, I wanted to see if each of these accounts were separate users or the same, so I looked for additional referenced flip[.]it links and, sure enough, they all tracked back to the same Flipboard account.

The Actions

So, the next question is, what should we do about this? It clearly hurts our brand to have someone scamming people in our name, but also, in general, this is just a bad person doing evil things for self gain. We cannot block all the IP addresses they use .... legitimate users use them. We obviously suspended the account, but they can always easily create a new account on Flipboard. We do have a way to block a device from accessing our service, but I won't go into those details. However, this scam is being executed from X itself, not Flipboard.

X does offer a “report this user” option and we could do that for each of these accounts for impersonating our brand and keep trying to hunt them all down. But check this out .... they want you to fill out a form when you get to this part:

image of X wanting picture of my drivers license

Would you send up images of government issued IDs and consent to X's trust and safety team extracting biometric data? Especially after they dissolved their Trust and Safety Council?

We do have a plan, but I am curious ... would you send up personal information like this to X and trust how it is being handled? Would you try and track down all the accounts on X taking these nefarious actions and, if so, how? Would you just ignore it? What would you do next?

#moderation #trust #safety

I have not written a blog post, evidently, in 8 years when I documented a bike ride across New York State, which I highly recommend to any road bike enthusiasts. Reach out to me if you want to learn more about that trip.

However, with the looming Bluesky Bridge work, I decided to dust off the Markdown to lend not only my personal support, but as the Mastodon admin of flipboard.social, our full support of BridgyFed.

First off, kudos to Ryan Barrett for his transparency regarding this open source work, one of the principles of the Open Social Web, as well as his thoughtful and mature responses to concerns raised and proposed changes. Brave and thoughtful developers like Ryan are building, every day, services we all can choose to be a part of or not, thanks to federation, and we should celebrate those efforts rather than allow the vitriol that has existed on closed networks to permeate this world.

Any software that helps marshal the ability of communities to connect, as well as the moderation tooling that allows us as individuals to navigate these communities safely, is a win for federation.

#Mastodon #BlueSky #BridgyFed