<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>greg</title>
    <link>https://flipboard.team/greg/</link>
    <description>CTO @ Flipboard</description>
    <pubDate>Sun, 12 Jul 2026 19:55:12 +0000</pubDate>
    <item>
      <title>Built for AI Discovery: How Flipboard and Surf Help Brands Stay Visible in AI-Driven Answers</title>
      <link>https://flipboard.team/greg/feeding-the-machines-responsibly-how-flipboard-and-surf-help-businesses-get</link>
      <description>&lt;![CDATA[As discovery shifts from search results to AI answers, here&#39;s how we help partners earn AI visibility — credibly, and without compromising on privacy.&#xA;&#xA;A media partner recently put words to a shift we&#39;d been watching for a while. Evaluating a content partner, they said, used to come down to one question: can you help us reach people? Now there&#39;s a second: are you helping our brands show up inside AI-driven discovery experiences — or, as they memorably put it, helping brands &#34;feed the machines&#34;?&#xA;&#xA;It&#39;s the right question, and it&#39;s fast becoming part of how brands evaluate everyone they work with. More and more, people begin with a question to ChatGPT, Perplexity, Gemini, Claude, or Google&#39;s AI Overviews — and the answer names just a handful of sources. The old game was ranking among ten blue links. The new game — call it AI discovery, or AI visibility — is being one of the two-to-seven sources an AI assistant cites when it answers. The bar is higher, and the brands and publishers that prepare now will own that surface as it grows.&#xA;&#xA;Here&#39;s how Flipboard and Surf are built to help — and, just as importantly, how we do it responsibly.&#xA;&#xA;1. We speak the language of AI discovery&#xA;&#xA;Being discoverable by AI isn&#39;t the same as being crawlable by a search engine. AI systems increasingly look for content that&#39;s structured, retrievable, and explicitly described for them — and they&#39;re starting to use new, agent-oriented standards to find it.&#xA;&#xA;Surf already publishes those standards in production:&#xA;&#xA;An llms.txt at surf.social — a machine-readable description of our content and capabilities, written for large language models.&#xA;An agent discovery card (/.well-known/agent-card.json) that advertises what Surf can do to other AI agents, using emerging agent-to-agent protocols.&#xA;A live Model Context Protocol (MCP) server at mcp.surf.social that lets assistants like Claude search our feeds, summarize content, and build feeds as a native tool — through a clean, sanctioned interface rather than scraping.&#xA;&#xA;When an AI assistant goes looking for trustworthy social and news content, our front door is already open and labeled.&#xA;&#xA;2. We make content structured and retrievable&#xA;&#xA;AI systems cite what they can cleanly parse. Surf indexes feeds and posts as Schema.org-structured data and exposes them through natural-language retrieval, so an assistant answering a question can pull our content in a form it understands — a feed is a feed, an author is an author, a post is a post, with all the context attached. That structure is what turns &#34;content that happens to exist on the web&#34; into &#34;content an AI can confidently surface and attribute.&#34;&#xA;&#xA;3. Trust is the differentiator — and it&#39;s enforced, not just stated&#xA;&#xA;As AI assistants get more careful about where their answers come from, the signal they increasingly reward is source trustworthiness. This is where Flipboard&#39;s model is a genuine advantage:&#xA;&#xA;Human editors curate on top of the algorithms. Trained journalists make judgment calls machines can&#39;t.&#xA;A vetted base of trusted publishers — AP, BBC, NPR, ProPublica, Bloomberg and many others — anchors what we surface.&#xA;AI transparency is required, and enforced. Publishers must disclose AI-generated content, and our developer license prohibits using Flipboard content to train AI models without our permission.&#xA;&#xA;&#34;Human-vetted and transparently sourced&#34; isn&#39;t a tagline for us — it&#39;s the architecture. And it&#39;s exactly the signal the next generation of AI discovery is learning to prize.&#xA;&#xA;4. &#34;But what about my posts?&#34; — discovery with consent&#xA;&#xA;Whenever the topic of AI and content comes up, a fair question follows: what about people who don&#39;t want their posts swept into AI experiences? It&#39;s the right question to ask, and our answer is built into how the system works — not bolted on afterward.&#xA;&#xA;Only public content is ever surfaced. Posts marked unlisted, followers-only, or direct are dropped before they reach any discovery or AI surface. If you didn&#39;t post it publicly, an assistant won&#39;t find it through us.&#xA;We respect the visibility settings your platform gives you. Public stays public; private stays private. Your choices on Mastodon and Bluesky — including Bluesky&#39;s &#34;logged-out visibility&#34; setting — travel with your content.&#xA;AI visibility is not training. Being cited live, with a link back, is fundamentally different from being absorbed into a model&#39;s weights. Our developer license forbids using our content to train AI models without permission — so this is about helping people find a post and click through to its source, not about feeding it into a training set.&#xA;Attribution by default. When an assistant reaches our content, it&#39;s pointed back to the original — the author and the post — rather than quietly paraphrasing it away.&#xA;&#xA;The result is a system designed for two audiences at once: brands and publishers who want to be found in AI-driven discovery, and people who simply want their public posts treated with respect and their private ones left alone.&#xA;&#xA;5. We&#39;re building the measurement to prove it&#xA;&#xA;You can&#39;t improve what you can&#39;t see. So we&#39;re standing up measurement of how Flipboard and our partners&#39; content appears and is cited across the major AI assistants — mention frequency, citation rate, position, and share of voice against the competitive set. For marketers, this is the practical payoff: a way to understand how brand and content visibility now extend beyond traditional search into AI-driven discovery experiences — and to manage that visibility with the same rigor they bring to SEO and social today.&#xA;&#xA;How we measure it matters as much as what we measure. The methods we&#39;re adopting are footprint-based: they observe our presence in AI outputs directly and don&#39;t rely on user data. We&#39;re measuring our own footprint in the AI ecosystem — not tracking people.&#xA;&#xA;What this means for partners&#xA;&#xA;Brands and publishers don&#39;t need to navigate this rapidly evolving landscape on their own. By partnering with Flipboard and Surf, their content lands in an environment already engineered for AI discovery — structured, agent-accessible, human-vetted, transparently sourced, and increasingly measurable — with privacy respected by design.&#xA;&#xA;Internally, our own sales teams have started pointing to this work as a clear example of how Flipboard is investing, innovating, and evolving its thinking in the space — because AI discovery is going to be part of every serious media conversation from here on. We&#39;ve been building for it, the right way. If you&#39;re thinking about how your brand shows up in AI-driven discovery, let&#39;s talk.&#xA;&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<p><strong>As discovery shifts from search results to AI answers, here&#39;s how we help partners earn AI visibility — credibly, and without compromising on privacy.</strong></p>

<p>A media partner recently put words to a shift we&#39;d been watching for a while. Evaluating a content partner, they said, used to come down to one question: <em>can you help us reach people?</em> Now there&#39;s a second: <em>are you helping our brands show up inside AI-driven discovery experiences</em> — or, as they memorably put it, helping brands “feed the machines”?</p>

<p>It&#39;s the right question, and it&#39;s fast becoming part of how brands evaluate everyone they work with. More and more, people begin with a question to ChatGPT, Perplexity, Gemini, Claude, or Google&#39;s AI Overviews — and the answer names just a handful of sources. The old game was ranking among ten blue links. The new game — call it <strong>AI discovery</strong>, or <strong>AI visibility</strong> — is being one of the two-to-seven sources an AI assistant cites when it answers. The bar is higher, and the brands and publishers that prepare now will own that surface as it grows.</p>

<p>Here&#39;s how Flipboard and Surf are built to help — and, just as importantly, how we do it responsibly.</p>

<h2 id="1-we-speak-the-language-of-ai-discovery" id="1-we-speak-the-language-of-ai-discovery">1. We speak the language of AI discovery</h2>

<p>Being discoverable by AI isn&#39;t the same as being crawlable by a search engine. AI systems increasingly look for content that&#39;s structured, retrievable, and explicitly described for them — and they&#39;re starting to use new, agent-oriented standards to find it.</p>

<p>Surf already publishes those standards in production:</p>
<ul><li>An <strong><code>llms.txt</code></strong> at surf.social — a machine-readable description of our content and capabilities, written for large language models.</li>
<li>An <strong>agent discovery card</strong> (<code>/.well-known/agent-card.json</code>) that advertises what Surf can do to other AI agents, using emerging agent-to-agent protocols.</li>
<li>A live <strong>Model Context Protocol (MCP) server</strong> at <code>mcp.surf.social</code> that lets assistants like Claude search our feeds, summarize content, and build feeds <em>as a native tool</em> — through a clean, sanctioned interface rather than scraping.</li></ul>

<p>When an AI assistant goes looking for trustworthy social and news content, our front door is already open and labeled.</p>

<h2 id="2-we-make-content-structured-and-retrievable" id="2-we-make-content-structured-and-retrievable">2. We make content structured and retrievable</h2>

<p>AI systems cite what they can cleanly parse. Surf indexes feeds and posts as <strong>Schema.org-structured data</strong> and exposes them through natural-language retrieval, so an assistant answering a question can pull our content in a form it understands — a feed is a feed, an author is an author, a post is a post, with all the context attached. That structure is what turns “content that happens to exist on the web” into “content an AI can confidently surface and attribute.”</p>

<h2 id="3-trust-is-the-differentiator-and-it-s-enforced-not-just-stated" id="3-trust-is-the-differentiator-and-it-s-enforced-not-just-stated">3. Trust is the differentiator — and it&#39;s enforced, not just stated</h2>

<p>As AI assistants get more careful about <em>where</em> their answers come from, the signal they increasingly reward is source trustworthiness. This is where Flipboard&#39;s model is a genuine advantage:</p>
<ul><li><strong>Human editors curate on top of the algorithms.</strong> Trained journalists make judgment calls machines can&#39;t.</li>
<li><strong>A vetted base of trusted publishers</strong> — AP, BBC, NPR, ProPublica, Bloomberg and many others — anchors what we surface.</li>
<li><strong>AI transparency is required, and enforced.</strong> Publishers must disclose AI-generated content, and our developer license prohibits using Flipboard content to train AI models without our permission.</li></ul>

<p>“Human-vetted and transparently sourced” isn&#39;t a tagline for us — it&#39;s the architecture. And it&#39;s exactly the signal the next generation of AI discovery is learning to prize.</p>

<h2 id="4-but-what-about-my-posts-discovery-with-consent" id="4-but-what-about-my-posts-discovery-with-consent">4. “But what about my posts?” — discovery with consent</h2>

<p>Whenever the topic of AI and content comes up, a fair question follows: <em>what about people who don&#39;t want their posts swept into AI experiences?</em> It&#39;s the right question to ask, and our answer is built into how the system works — not bolted on afterward.</p>
<ul><li><strong>Only public content is ever surfaced.</strong> Posts marked unlisted, followers-only, or direct are dropped before they reach any discovery or AI surface. If you didn&#39;t post it publicly, an assistant won&#39;t find it through us.</li>
<li><strong>We respect the visibility settings your platform gives you.</strong> Public stays public; private stays private. Your choices on Mastodon and Bluesky — including Bluesky&#39;s “logged-out visibility” setting — travel with your content.</li>
<li><strong>AI visibility is not training.</strong> Being cited live, with a link back, is fundamentally different from being absorbed into a model&#39;s weights. Our developer license forbids using our content to train AI models without permission — so this is about helping people <em>find</em> a post and click through to its source, not about feeding it into a training set.</li>
<li><strong>Attribution by default.</strong> When an assistant reaches our content, it&#39;s pointed back to the original — the author and the post — rather than quietly paraphrasing it away.</li></ul>

<p>The result is a system designed for two audiences at once: brands and publishers who <em>want</em> to be found in AI-driven discovery, and people who simply want their public posts treated with respect and their private ones left alone.</p>

<h2 id="5-we-re-building-the-measurement-to-prove-it" id="5-we-re-building-the-measurement-to-prove-it">5. We&#39;re building the measurement to prove it</h2>

<p>You can&#39;t improve what you can&#39;t see. So we&#39;re standing up measurement of how Flipboard and our partners&#39; content appears and is cited across the major AI assistants — mention frequency, citation rate, position, and share of voice against the competitive set. For marketers, this is the practical payoff: a way to understand how brand and content visibility now extend beyond traditional search into AI-driven discovery experiences — and to manage that visibility with the same rigor they bring to SEO and social today.</p>

<p>How we measure it matters as much as what we measure. The methods we&#39;re adopting are <strong>footprint-based</strong>: they observe our presence in AI outputs directly and don&#39;t rely on user data. We&#39;re measuring our own footprint in the AI ecosystem — not tracking people.</p>

<h2 id="what-this-means-for-partners" id="what-this-means-for-partners">What this means for partners</h2>

<p>Brands and publishers don&#39;t need to navigate this rapidly evolving landscape on their own. By partnering with Flipboard and Surf, their content lands in an environment already engineered for AI discovery — structured, agent-accessible, human-vetted, transparently sourced, and increasingly measurable — with privacy respected by design.</p>

<p>Internally, our own sales teams have started pointing to this work as a clear example of how Flipboard is investing, innovating, and evolving its thinking in the space — because AI discovery is going to be part of every serious media conversation from here on. We&#39;ve been building for it, the right way. If you&#39;re thinking about how your brand shows up in AI-driven discovery, <a href="mailto:advertising@flipboard.com" rel="nofollow">let&#39;s talk</a>.</p>
]]></content:encoded>
      <guid>https://flipboard.team/greg/feeding-the-machines-responsibly-how-flipboard-and-surf-help-businesses-get</guid>
      <pubDate>Wed, 24 Jun 2026 17:35:41 +0000</pubDate>
    </item>
    <item>
      <title>Bad Actors, Email Addresses .... and the Dot</title>
      <link>https://flipboard.team/greg/bad-actors-email-addresses</link>
      <description>&lt;![CDATA[  “It’s all about being a part of something in the community, socializing with people who share interests and coming together to help improve the world we live in.” – Zach Braff&#xA;&#xA;In any successful network, bad actors will emerge with the simple goal of achieving some result that is in the interests of themselves or those that have hired them.  These bad actors could be code, could be individual users on a VPN coming from a location with no recourse to investigate, or an army of humans clicking on behalf of their country.  The motivations ar3e endless and we are certain to hear lots about mis-information over the next few months with the elections around the corner.. Whole encyclopedia&#39;s could be written on the topic, each attack vector has similarities to other social networks with slight deviations.  Most importantly, it is a cat-n-mouse game ... once you are able to minimize the mechanisms by which someone is abusing your system, they will figure out ways around it. If they cannot and go away, someone else eventually will.  The previous ones will come back in a year to see if you left your guard down.&#xA;&#xA;Check out this output from analysis of new accounts created over the last few days&#xA;Image of bad actors with email addresses using the dot that gmail allows to make many accounts&#xA;&#xA;The second column shows emails such as Cyr.u.s2boyo1@gmail.com and Cy.rus2boyo1@gmail.com .... gmail users can basically add dots to their email address or append a plus sign and more letters/numbers after the email address to create what looks like a unique email address, but one which not actually unique and, in this example, always sends back to the canonical email address cyrus2boyo1@gmail.com.  There are legitimate use cases for doing this out in the real world (for example, I might create a threads account with the email address rockhunters08+threads@gmail.com or maybe your testing team wants to create 100&#39;s of emails to test something but all route to the same account).  Nontheless, each social network has to decide where and when this is allowed and come up with rules to prevent the creation in the first place, if possible, else detect the bad actor before they impose harm on users or your business, and disable them.&#xA;&#xA;In this particular case, the fact that the user is verifying theses accounts, that all of them were created quickly one after the other, and many already have bios that are the same, implies they likely are planning to follow themselves to give large follower numbers (and later, possible, like or reflip flips from each other) with the goal of gaming our recommendations algorithms. Who knows, really.  On Flipboard, this will never work because we, in general, have an allow list approach to recommendations, so unless our editorial staff (a.k.s. carbon based life forms) have reviewed your account or domain of content, it won&#39;t make it into other people&#39;s For You feeds).  This is one of the reasons why we are SLOWLY federating Flipboard accounts: we do not want this gamification to spill over into the fediverse.&#xA;&#xA;There is more analysis we can do if we were not sure if this is a bad actor. For example, on the images below, you can see they already created a magazine and flipped 1 article into it.  That .... pattern ... is something we can write a chapter on and is specific to Flipboard, though I suppose the similarity to other social networks is whatever the write action you can take on that network (.e.g Post).&#xA;&#xA;Image of single magazine created by bad actor&#xA;&#xA;Image of single post by bad actor into magazine&#xA;&#xA;You could then do curl and go to the website of where the article is located and you will get something like the image below&#xA;&#xA;Image website not working with errors&#xA;&#xA;You could take this analysis further and look at who owns the domain, when was it registered, etc... it goes on and on.  For now, it is clear this person is not a legitimate user and deserves to be disabled. We&#39;ll run this check over accounts daily as well as over longer periods of time. I&#39;ve seen cases where a bad actor will create 1 account per email address a day over many months and, worse, do that for many email addresses via a VPN with changing ip addresses.  Always fun.  &#xA;&#xA;In the fediverse, this becomes more complicated because this user could do this same tactic across 10&#39;s of thousands of instances where this kind of analysis is not readily available&#xA;&#xA;Thoughts?  I&#39;d love to know what you think!&#xA;&#xA;#moderation #trust #safety&#xA;&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<blockquote><p><em>“It’s all about being a part of something in the community, socializing with people who share interests and coming together to help improve the world we live in.” – Zach Braff</em></p></blockquote>

<p>In any successful network, bad actors will emerge with the simple goal of achieving some result that is in the interests of themselves or those that have hired them.  These bad actors could be code, could be individual users on a VPN coming from a location with no recourse to investigate, or an army of humans clicking on behalf of their country.  The motivations ar3e endless and we are certain to hear lots about mis-information over the next few months with the elections around the corner.. Whole encyclopedia&#39;s could be written on the topic, each attack vector has similarities to other social networks with slight deviations.  Most importantly, it is a cat-n-mouse game ... once you are able to minimize the mechanisms by which someone is abusing your system, they will figure out ways around it. If they cannot and go away, someone else eventually will.  The previous ones will come back in a year <a href="https://www.npr.org/2022/12/12/1142399312/twitter-trust-and-safety-council-elon-musk" rel="nofollow">to see if you left your guard down</a>.</p>

<p>Check out this output from analysis of new accounts created over the last few days
<img src="https://cdn.flipboard.com/dev_O/flipboard.team/dot1.png" alt="Image of bad actors with email addresses using the dot that gmail allows to make many accounts"></p>

<p>The second column shows emails such as <em>Cyr.u.s2boyo1@gmail.com</em> and <em>Cy.rus2boyo1@gmail.com</em> .... gmail users can basically add dots to their email address or append a plus sign and more letters/numbers after the email address to create what looks like a unique email address, but one which not actually unique and, in this example, always sends back to the <strong>canonical</strong> email address <em>cyrus2boyo1@gmail.com</em>.  There are legitimate use cases for doing this out in the real world (for example, I might create a threads account with the email address <em>rockhunters08+threads@gmail.com</em> or maybe your testing team wants to create 100&#39;s of emails to test something but all route to the same account).  Nontheless, each social network has to decide where and when this is allowed and come up with rules to prevent the creation in the first place, if possible, else detect the bad actor before they impose harm on users or your business, and disable them.</p>

<p>In this particular case, the fact that the user is verifying theses accounts, that all of them were created quickly one after the other, and many already have bios that are the same, implies they likely are planning to follow themselves to give large follower numbers (and later, possible, like or reflip flips from each other) with the goal of gaming our recommendations algorithms. Who knows, really.  On Flipboard, this will never work because we, in general, have an <em>allow list</em> approach to recommendations, so unless our editorial staff (a.k.s. carbon based life forms) have reviewed your account or domain of content, it won&#39;t make it into other people&#39;s For You feeds).  This is one of the reasons why we are SLOWLY federating Flipboard accounts: we do not want this gamification to spill over into the fediverse.</p>

<p>There is more analysis we can do if we were not sure if this is a bad actor. For example, on the images below, you can see they already created a magazine and flipped 1 article into it.  That .... pattern ... is something we can write a chapter on and is specific to Flipboard, though I suppose the similarity to other social networks is whatever the write action you can take on that network (.e.g Post).</p>

<p><img src="https://cdn.flipboard.com/dev_O/flipboard.team/dot2.png" alt="Image of single magazine created by bad actor"></p>

<p><img src="https://cdn.flipboard.com/dev_O/flipboard.team/dot3.png" alt="Image of single post by bad actor into magazine"></p>

<p>You could then do curl and go to the website of where the article is located and you will get something like the image below</p>

<p><img src="https://cdn.flipboard.com/dev_O/flipboard.team/dot4.png" alt="Image website not working with errors"></p>

<p>You could take this analysis further and look at who owns the domain, when was it registered, etc... it goes on and on.  For now, it is clear this person is not a legitimate user and deserves to be disabled. We&#39;ll run this check over accounts daily as well as over longer periods of time. I&#39;ve seen cases where a bad actor will create 1 account per email address a day over many months and, worse, do that for many email addresses via a VPN with changing ip addresses.  Always fun.</p>

<p><strong>In the fediverse, this becomes more complicated because this user could do this same tactic across 10&#39;s of thousands of instances where this kind of analysis is not readily available</strong></p>

<p>Thoughts?  I&#39;d love to know what you think!</p>

<p><a href="/greg/tag:moderation" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">moderation</span></a> <a href="/greg/tag:trust" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">trust</span></a> <a href="/greg/tag:safety" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">safety</span></a></p>
]]></content:encoded>
      <guid>https://flipboard.team/greg/bad-actors-email-addresses</guid>
      <pubDate>Mon, 07 Oct 2024 11:30:38 +0000</pubDate>
    </item>
    <item>
      <title>Impersonating Your Brand</title>
      <link>https://flipboard.team/greg/impersonating-your-brand</link>
      <description>&lt;![CDATA[  Anytime anybody impersonates you, it&#39;s a great compliment. - Robert Wagner&#xA;&#xA;In my role at Flipboard, I wear many hats, one of which is helping to ensure the trust and safety of everyone utilizing our services.  We suspend 100&#39;s of accounts daily in the cat and mouse chase against those trying to game the system for their own benefit at the expense of our users. It is mesmerizing, sometimes, the level that other organizations will go in hiring humans to manually execute on these tasks attempting to circumvent all your checks. I was recently asked to maybe blog about some of this as sharing might help others who are in (or may one day be in) a similar position.  I&#39;ll start with something that is a bit off topic from the typical spammers that we uncovered just the other day: someone impersonating our brand .... because I am actually not 100% sure how we should fully handle it, and would love your thoughts.&#xA;&#xA;The Scam&#xA;&#xA;We received a report over our standard help channels from a non-user that they were cold called by a twitter (a.k.a. X) user claiming to work for Flipboard. They were made some vague promises if they signed up and after saying no ... well .... let&#39;s just say this scammer cussed them out with some not so nice language.&#xA;&#xA;After working with the user (and promising them this was not us) we uncovered this account on X which was doing the impersonation. &#xA;&#xA;image of bad actor screen shot account on X&#xA;&#xA;The Research&#xA;&#xA;Nothing on that account there is legit. Notice the flip.].it url that redirects to some sort of statement on the SHIB token, which seems part of their scam.  Well, when a Flipboard user creates a short url, we keep track of the account that created it.  In this case, a simple lookup uncovered the account used to create the link. Luckily, they had accessed that account the day we were notified of this.  We keep logs for around 14-21 days from key systems in order to help debug problems legit users report.  In this case, I was able to find a log in our [haproxy routers for this account:&#xA;&#xA;./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] user.notice haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 - - ---- 546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|Amazon CloudFront|} &#34;GET /v1/static/config.json?userid=YYYY&amp;ver=4.3.29&amp;device=iphone-17.4.1&amp;model=iPhone11%2C6&amp;lang=zh-Hant-HK HTTP/1.1&#34;&#xA;&#xA;This is a request from their device looking for initial configuration information. There are a few things to notice here:&#xA;the ip address they request originated from is  49.130.131.81&#xA;their language is set to traditional chinese, Hong Kong&#xA;they are using an iphone and a fairly recent version of our software &#xA;&#xA;  NOTE: we utilize this information to ensure the user experience works for the device, language and location of the user and the details above were sanitized&#xA;&#xA;Doing a whois lookup on that ip address and we get confirmation this user is coming from Hong Kong&#xA;&#xA;image whois lookup of ip address originating from Hong Kong&#xA;&#xA;Great, so now what?  I wanted to see if there might be more than 1 user or account on X executing this scam. So, I looked at their 2,245 followers (X only let me search some of them) and quickly found 2 other accounts done in similar fashion: LoisFlipboard and DaisyFlipboard. Continuing down this path, you find more and more ..... &#xA;&#xA;Next, I wanted to see if each of these accounts were separate users or the same, so I looked for additionally references flip[.]it links and sure enough, they all tracked back to the same Flipboard account.&#xA;&#xA;The Actions&#xA;&#xA;So, the next question is, what should we do about this?  It clearly hurts our brand to have someone scamming people in our name, but also, in general, this is just a bad person doing evil things for self gain. We cannot block all the ip addresses they use .... legitimate users use them.  We obviously suspended the account, but they can always easily create a new account on Flipboard.  We do have a way to block a device from accessing our service, but I won&#39;t go into those details. However, this scam is being executed from X itself, not Flipboard.&#xA;&#xA;X does offer a &#34;report this user&#34; and we could do that for each of these accounts for impersonating out brand and keep trying to hunt them all down.  But check this out .... they want you to fill out a form  when you get to this part:&#xA;image of X wanting picture of my drivers license&#xA;&#xA;Would you send up images of government issued id&#39;s and consent to X&#39;s trust and safety team to extract biometric data? Especially after they dissolved their Trust and Safety Council?&#xA;&#xA;We do have a plan, but I am curious ... would you send up personal information like this to X and trust how it is being handled?  Would you try and track down all the accounts on X taking these nefarious actions and, if so, how? Would you just ignore it? What would you do next?  &#xA;&#xA;#moderation #trust #safety&#xA;]]&gt;</description>
      <content:encoded><![CDATA[<blockquote><p><em>Anytime anybody impersonates you, it&#39;s a great compliment. – Robert Wagner</em></p></blockquote>

<p>In my role at Flipboard a similar position.  I&#39;ll start with something that is a bit off topic from the typical spammers that we uncovered just the other day: someone impersonating our brand .... because I am actually not 100% sure how we should fully handle it, and would love your thoughts.</p>

<h2 id="the-scam" id="the-scam">The Scam</h2>

<p>We received a report over our <a href="https://flip.it/help" rel="nofollow">standard help channels</a> from a non-user that they were cold called by a twitter (a.k.a. X) user claiming to work for Flipboard. They were made some vague promises if they signed up and after saying no ... well .... let&#39;s just say this scammer cussed them out with some not so nice language.</p>

<p>After working with the user (and promising them this was not us) we <a href="https://x.com/Titan_ena" rel="nofollow">uncovered this account on X</a> which was doing the impersonation.</p>

<p><img src="https://cdn.flipboard.com/dev_O/flipboard.team/imp1.png" alt="image of bad actor screen shot account on X"></p>

<h2 id="the-research" id="the-research">The Research</h2>

<p>Nothing on that account there is legit. Notice the flip[.].it url that redirects to some sort of statement on the SHIB token, which seems part of their scam.  Well, when a Flipboard user creates a short url, we keep track of the account that created it.  In this case, a simple lookup uncovered the account used to create the link. Luckily, they had accessed that account the day we were notified of this.  We keep logs for around 14-21 days from key systems in order to help debug problems legit users report.  In this case, I was able to find a log in our <a href="https://www.haproxy.org/" rel="nofollow">haproxy routers</a> for this account:</p>

<p><code>./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] &lt;user.notice&gt; haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 - - ---- 546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|Amazon CloudFront|} &#34;GET /v1/static/config.json?userid=YYYY&amp;ver=4.3.29&amp;device=iphone-17.4.1&amp;model=iPhone11%2C6&amp;lang=zh-Hant-HK HTTP/1.1&#34;</code></p>

<p>This is a request from their device looking for initial configuration information. There are a few things to notice here:
– the ip address they request originated from is  <strong>49.130.131.81</strong>
– their language is set to traditional chinese, Hong Kong
– they are using an iphone and a fairly recent version of our software</p>

<blockquote><p>NOTE: we utilize this information to ensure the user experience works for the device, language and location of the user and the details above were sanitized</p></blockquote>

<p>Doing a whois lookup on that ip address and we get confirmation this user is coming from Hong Kong</p>

<p><img src="https://cdn.flipboard.com/dev_O/flipboard.team/imp2.png" alt="image whois lookup of ip address originating from Hong Kong"></p>

<p>Great, so now what?  I wanted to see if there might be more than 1 user or account on X executing this scam. So, I looked at their 2,245 followers (X only let me search some of them) and quickly found 2 other accounts done in similar fashion: <a href="https://x.com/LouisFlipboard" rel="nofollow">LoisFlipboard</a> and <a href="https://x.com/DaisyFlipboard" rel="nofollow">DaisyFlipboard</a>. Continuing down this path, you find more and more .....</p>

<p>Next, I wanted to see if each of these accounts were separate users or the same, so I looked for additionally references flip[.]it links and sure enough, they all tracked back to the same Flipboard account.</p>

<h2 id="the-actions" id="the-actions">The Actions</h2>

<p>So, the next question is, what should we do about this?  It clearly hurts our brand to have someone scamming people in our name, but also, in general, this is just a bad person doing evil things for self gain. We cannot block all the ip addresses they use .... legitimate users use them.  We obviously suspended the account, but they can always easily create a new account on Flipboard.  We do have a way to block a device from accessing our service, but I won&#39;t go into those details. However, this scam is being executed from X itself, not Flipboard.</p>

<p>X does offer a “report this user” and we could do that for each of these accounts for impersonating out brand and keep trying to hunt them all down.  But check this out .... they want you to <a href="https://help.x.com/en/forms/authenticity/impersonation" rel="nofollow">fill out a form</a>  when you get to this part:
<img src="https://cdn.flipboard.com/dev_O/flipboard.team/imp3.png" alt="image of X wanting picture of my drivers license"></p>

<p>Would you send up images of government issued id&#39;s and consent to X&#39;s trust and safety team to extract biometric data? Especially after they <a href="https://www.npr.org/2022/12/12/1142399312/twitter-trust-and-safety-council-elon-musk" rel="nofollow">dissolved their Trust and Safety Council</a>?</p>

<p>We do have a plan, but I am curious ... would you send up personal information like this to X and trust how it is being handled?  Would you try and track down all the accounts on X taking these nefarious actions and, if so, how? Would you just ignore it? What would you do next?</p>

<p><a href="/greg/tag:moderation" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">moderation</span></a> <a href="/greg/tag:trust" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">trust</span></a> <a href="/greg/tag:safety" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">safety</span></a></p>
]]></content:encoded>
      <guid>https://flipboard.team/greg/impersonating-your-brand</guid>
      <pubDate>Wed, 02 Oct 2024 10:07:30 +0000</pubDate>
    </item>
    <item>
      <title>In Support of BridgyFed</title>
      <link>https://flipboard.team/greg/in-support-of-bridgyfed</link>
      <description>&lt;![CDATA[I have not written a blog post, evidently, in 8 years when I documented a bike ride across New York State, which I highly recommend to any road bike enthusiasts. Reach out to me if you want to learn more about that trip.&#xA;&#xA;However, with the looming Bluesky Bridge work, I decided to dust off the Markdown to lend not only my personal support, but as the Mastodon admin of flipboard.social, our full support of BridgyFed. &#xA;&#xA;First off, kudos to Ryan Barrett for his transparency regarding this open source work, one of the principles of the Open Social Web, as well as his thoughtful and mature responses to concerns raised and proposed changes. Brave and thoughtful developers like Ryan everyday are building services we all can choose to be a part of or not, thanks to federation, and we should celebrate those efforts rather than allow the vitriol that has existed on closed networks to permeate this world. &#xA;&#xA;Any software that helps marshal the ability of communities to connect as well as the moderation tooling that allow us as individuals to navigate these communities safely, is a win for federation.&#xA;&#xA;#Mastodon #BlueSky #BridgyFed]]&gt;</description>
      <content:encoded><![CDATA[<p>I have not written a blog post, evidently, in 8 years when I <a href="https://medium.com/@gregoryscallan/empire-state-ride-day-6-6849588b80e" rel="nofollow">documented a bike ride across New York State</a>, which I highly recommend to any road bike enthusiasts. <a href="https://flipboard.social/@greg" rel="nofollow">Reach out to me</a> if you want to learn more about that trip.</p>

<p>However, with the looming <a href="https://snarfed.org/2024-02-12_52106" rel="nofollow">Bluesky Bridge</a> work, I decided to dust off the Markdown to lend not only my personal support, but as the Mastodon admin of <a href="https://flipboard.social" rel="nofollow">flipboard.social</a>, our full support of <a href="https://fed.brid.gy/" rel="nofollow">BridgyFed</a>.</p>

<p>First off, kudos to <a href="https://snarfed.org/" rel="nofollow">Ryan Barrett</a> for his transparency regarding this open source work, one of the principles of the Open Social Web, as well as his thoughtful and mature responses to concerns raised and proposed changes. Brave and thoughtful developers like Ryan everyday are building services we all can choose to be a part of or not, thanks to federation, and we should celebrate those efforts rather than allow the <a href="https://mozilla.social/@Damon/111926147487545361" rel="nofollow">vitriol</a> that has existed on closed networks to permeate this world.</p>

<p>Any software that helps marshal the ability of communities to connect as well as the moderation tooling that allow us as individuals to navigate these communities safely, is a win for federation.</p>

<p><a href="/greg/tag:Mastodon" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">Mastodon</span></a> <a href="/greg/tag:BlueSky" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">BlueSky</span></a> <a href="/greg/tag:BridgyFed" class="hashtag" rel="nofollow"><span>#</span><span class="p-category">BridgyFed</span></a></p>
]]></content:encoded>
      <guid>https://flipboard.team/greg/in-support-of-bridgyfed</guid>
      <pubDate>Wed, 14 Feb 2024 20:45:09 +0000</pubDate>
    </item>
  </channel>
</rss>