flipboard

Reader

Here are the latest posts from flipboard.

from greg

“It’s all about being a part of something in the community, socializing with people who share interests and coming together to help improve the world we live in.” – Zach Braff

In any successful network, bad actors will emerge with the simple goal of achieving some result that is in the interests of themselves or those that have hired them. These bad actors could be code, could be individual users on a VPN coming from a location with no recourse to investigate, or an army of humans clicking on behalf of their country. The motivations are endless and we are certain to hear lots about misinformation over the next few months with the elections around the corner. Whole encyclopedias could be written on the topic; each attack vector has similarities to other social networks with slight deviations. Most importantly, it is a cat-and-mouse game ... once you are able to minimize the mechanisms by which someone is abusing your system, they will figure out ways around it. If they cannot and go away, someone else eventually will. The previous ones will come back in a year to see if you left your guard down.

Check out this output from analysis of new accounts created over the last few days:

Image of bad actors with email addresses using the dot that Gmail allows to make many accounts

The second column shows emails such as Cyr.u.s2boyo1@gmail.com and Cy.rus2boyo1@gmail.com .... Gmail users can basically add dots to their email address or append a plus sign and more letters/numbers after the email address to create what looks like a unique email address, but one which is not actually unique and, in this example, always sends back to the canonical email address cyrus2boyo1@gmail.com. There are legitimate use cases for doing this out in the real world (for example, I might create a threads account with the email address rockhunters08+threads@gmail.com or maybe your testing team wants to create 100s of emails to test something but all route to the same account). Nonetheless, each social network has to decide where and when this is allowed and come up with rules to prevent the creation in the first place, if possible, else detect the bad actor before they impose harm on users or your business, and disable them.

In this particular case, the fact that the user is verifying these accounts, that all of them were created quickly one after the other, and many already have bios that are the same, implies they likely are planning to follow themselves to give large follower numbers (and later, possibly, like or reflip flips from each other) with the goal of gaming our recommendations algorithms. Who knows, really. On Flipboard, this will never work because we, in general, have an allow list approach to recommendations, so unless our editorial staff (a.k.a. carbon based life forms) have reviewed your account or domain of content, it won't make it into other people's For You feeds. This is one of the reasons why we are SLOWLY federating Flipboard accounts: we do not want this gamification to spill over into the fediverse.
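The signals described above (dot and plus variants of one Gmail mailbox, accounts created in quick succession, identical bios) can be checked mechanically. The sketch below is an added example, not Flipboard's detection code; the function names, record fields and thresholds are assumptions, and only Gmail domains are normalized because other providers may treat dots as significant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Map Gmail dot/plus variants to the one mailbox that receives the mail."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def largest_burst(times, window):
    """Largest number of signups falling inside any single time window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_alias_clusters(signups, min_accounts=3, window=timedelta(hours=1)):
    """Flag mailboxes behind several accounts created in one short burst."""
    by_mailbox = defaultdict(list)
    for row in signups:
        by_mailbox[canonical_email(row["email"])].append(row)
    flagged = {}
    for mailbox, rows in by_mailbox.items():
        burst = largest_burst([r["created"] for r in rows], window)
        if burst >= min_accounts:
            flagged[mailbox] = {
                "accounts": len(rows),
                "burst": burst,
                "identical_bios": len({r["bio"].strip().lower() for r in rows}) == 1,
            }
    return flagged

# Constructed sample: the first two addresses are the ones quoted in the post;
# the times, bios and remaining addresses are made up for illustration.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    {"email": "Cyr.u.s2boyo1@gmail.com", "created": T0, "bio": "News lover"},
    {"email": "Cy.rus2boyo1@gmail.com", "created": T0 + timedelta(minutes=2), "bio": "News lover"},
    {"email": "cyrus2boyo1+x9@gmail.com", "created": T0 + timedelta(minutes=5), "bio": "news lover "},
    {"email": "rockhunters08+threads@gmail.com", "created": T0, "bio": "Rocks"},
    {"email": "a.b@example.org", "created": T0, "bio": "Dots matter here"},
]
```

A single aliased address such as the `+threads` one is not flagged; only several accounts on one mailbox inside the window are. The slow pattern of one account per day needs a much longer window or a plain count per mailbox.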

There is more analysis we can do if we were not sure if this is a bad actor. For example, on the images below, you can see they already created a magazine and flipped 1 article into it. That .... pattern ... is something we can write a chapter on and is specific to Flipboard, though I suppose the similarity to other social networks is whatever the write action you can take on that network (e.g. Post).

Image of single magazine created by bad actor

Image of single post by bad actor into magazine

You could then do curl and go to the website of where the article is located and you will get something like the image below

Image website not working with errors

You could take this analysis further and look at who owns the domain, when was it registered, etc... it goes on and on. For now, it is clear this person is not a legitimate user and deserves to be disabled. We'll run this check over accounts daily as well as over longer periods of time. I've seen cases where a bad actor will create 1 account per email address a day over many months and, worse, do that for many email addresses via a VPN with changing ip addresses. Always fun.

In the fediverse, this becomes more complicated because this user could do this same tactic across tens of thousands of instances where this kind of analysis is not readily available.

Thoughts? I'd love to know what you think!

#moderation #trust #safety

 

from greg

Anytime anybody impersonates you, it's a great compliment. – Robert Wagner

In my role at Flipboard a similar position. I'll start with something that is a bit off topic from the typical spammers that we uncovered just the other day: someone impersonating our brand .... because I am actually not 100% sure how we should fully handle it, and would love your thoughts.

The Scam

We received a report over our standard help channels from a non-user that they were cold called by a twitter (a.k.a. X) user claiming to work for Flipboard. They were made some vague promises if they signed up and after saying no ... well .... let's just say this scammer cussed them out with some not so nice language.

After working with the user (and promising them this was not us) we uncovered this account on X which was doing the impersonation.

image of bad actor screen shot account on X

The Research

Nothing on that account there is legit. Notice the flip[.]it url that redirects to some sort of statement on the SHIB token, which seems part of their scam. Well, when a Flipboard user creates a short url, we keep track of the account that created it. In this case, a simple lookup uncovered the account used to create the link. Luckily, they had accessed that account the day we were notified of this. We keep logs for around 14-21 days from key systems in order to help debug problems legit users report. In this case, I was able to find a log in our haproxy routers for this account:

./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] <user.notice> haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 - - ---- 546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|Amazon CloudFront|} "GET /v1/static/config.json?userid=YYYY&ver=4.3.29&device=iphone-17.4.1&model=iPhone11%2C6&lang=zh-Hant-HK HTTP/1.1"

This is a request from their device looking for initial configuration information. There are a few things to notice here:

- the IP address their request originated from is 49.130.131.81
- their language is set to Traditional Chinese, Hong Kong
- they are using an iPhone and a fairly recent version of our software

NOTE: we utilize this information to ensure the user experience works for the device, language and location of the user and the details above were sanitized
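The fields called out above can be pulled out of such a line programmatically when there are many requests to review. This parser is an added example, not Flipboard's tooling; it assumes the braces hold HAProxy captured request headers in the order Host, X-Forwarded-For, Via, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r"\d+(?:/-?\d+){4} (?P<status>\d{3}) \d+ .*?"   # timers, status, bytes
    r"\{(?P<captured>[^}]*)\} "                     # captured request headers
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

def parse_request(line):
    """Return the investigator-relevant fields of one HAProxy HTTP log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Assumed capture order: Host | X-Forwarded-For | Via | (unused)
    captured = m["captured"].split("|") + ["", ""]
    hops = []
    for hop in captured[1].split(","):
        try:
            hops.append(str(ipaddress.ip_address(hop.strip())))
        except ValueError:
            pass  # skip malformed entries instead of failing on the line
    query = {k: v[0] for k, v in parse_qs(urlsplit(m["uri"]).query).items()}
    return {
        "host": captured[0],
        # X-Forwarded-For grows left to right: reported client first, relays after.
        "client_ip": hops[0] if hops else None,
        "relays": hops[1:],
        "status": int(m["status"]),
        "userid": query.get("userid"),
        "app_version": query.get("ver"),
        "device": query.get("device"),
        "model": query.get("model"),
        "lang": query.get("lang"),
    }

def sightings(lines, userid):
    """All parsed requests in `lines` made on behalf of one account id."""
    parsed = (parse_request(line) for line in lines)
    return [p for p in parsed if p and p["userid"] == userid]

# The sanitized line quoted in the post (X.X.X.X, Y.Y.Y.Y and YYYY are its redactions).
SAMPLE_LINE = (
    r'./12/haproxy-standard:2024-09-25T12:40:09+00:00 [X.X.X.X] <user.notice> '
    r'haproxystandard[3707085]: Y.Y.Y.Y:2600 [25/Sep/2024:12:40:09.912] '
    r'fe-production-https be-production-fly-standard/0443f7ece3c501810 0/0/1/0/1 304 168 '
    r'- - ---- 546/305/0/0/0 0/0 {fbprod.flipboard.com|49.130.131.81, 64.252.103.219|'
    r'Amazon CloudFront|} "GET /v1/static/config.json?userid=YYYY&ver=4.3.29'
    r'&device=iphone-17.4.1&model=iPhone11%2C6&lang=zh-Hant-HK HTTP/1.1"'
)
```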

Doing a whois lookup on that IP address, we get confirmation this user is coming from Hong Kong.

image whois lookup of ip address originating from Hong Kong

Great, so now what? I wanted to see if there might be more than 1 user or account on X executing this scam. So, I looked at their 2,245 followers (X only let me search some of them) and quickly found 2 other accounts done in similar fashion: LoisFlipboard and DaisyFlipboard. Continuing down this path, you find more and more .....

Next, I wanted to see if each of these accounts were separate users or the same, so I looked for additionally referenced flip[.]it links and sure enough, they all tracked back to the same Flipboard account.

The Actions

So, the next question is, what should we do about this? It clearly hurts our brand to have someone scamming people in our name, but also, in general, this is just a bad person doing evil things for self gain. We cannot block all the ip addresses they use .... legitimate users use them. We obviously suspended the account, but they can always easily create a new account on Flipboard. We do have a way to block a device from accessing our service, but I won't go into those details. However, this scam is being executed from X itself, not Flipboard.

X does offer a “report this user” and we could do that for each of these accounts for impersonating our brand and keep trying to hunt them all down. But check this out .... they want you to fill out a form when you get to this part:

image of X wanting picture of my drivers license

Would you send up images of government issued IDs and consent to X's trust and safety team to extract biometric data? Especially after they dissolved their Trust and Safety Council?

We do have a plan, but I am curious ... would you send up personal information like this to X and trust how it is being handled? Would you try and track down all the accounts on X taking these nefarious actions and, if so, how? Would you just ignore it? What would you do next?

#moderation #trust #safety

 

from The Kitchen Sink

If you don't know who you truly are, you'll never know what you really want. – Roy T. Bennett

We often receive questions about what kinds of requests Flipboard makes and when. All requests coming from Flipboard have the string Flipboard somewhere in the User-Agent header, to help identify requests coming from us. Requests can come from a client or a server. Client requests are always made on behalf of a user. Server requests come from backend systems and are made in response to a user action or partner configuration.

Here is a breakdown of the various user agents you may see:

| String | Description | Examples |
| --- | --- | --- |
| Flipboard | Any request made by the Flipboard App on iOS or Android as well as the Briefing app on Samsung phones. | Mozilla/5.0 (Linux; Android 8.0.0; SM-A720F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 Flipboard/4.1.13/4342,4.1.13.4342 |
| FlipboardProxy | Flipboard uses a proxy service to fetch, validate, and prepare certain elements of websites for presentation through the Flipboard Application | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 (FlipboardProxy/1.2; +http://flipboard.com/browserproxy) |
| FlipboardRSS | Any request made from servers for RSS feeds | Mozilla/5.0 (compatible; FlipboardRSS/1.2; +http://flipboard.com/browserproxy) |
| Flipboard ActivityPub | Activity Pub Requests | Flipboard ActivityPub/1.0.0 (+https://flipboard.com) |

Note that after a request for an RSS feed one should expect to see numerous requests from the Proxy for excerpt extraction and image thumbnailing of the RSS items.

Older User Agents

In the past, we have used FlipboardBriefing, Flipboard-Briefing, and FlipboardSeneca but these are being phased out.

Verification

You can verify Flipboard requests by checking for the strings above in the user agent. To cover all user agents, look for Flipboard in the User-Agent header.

Flipboard primarily runs in the AWS cloud in the us-east-1 availability zone, so a request can emerge from any public ip address within that zone as they change often and occur from a large pool of shareable instances. However, if you want to specifically verify the ip addresses we use via reverse DNS lookup, you can get the list of ip addresses to check against here
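On the receiving side, the two checks above (the User-Agent token, then the source address for server-originated requests) can be combined as follows. This is an added example, not code published by Flipboard; the function names are hypothetical, treating the proxy, RSS and ActivityPub agents as server traffic is an assumption drawn from the table, and the address ranges are documentation placeholders standing in for the published list, which is not reproduced on this page.

```python
import ipaddress

# Most specific tokens first: every entry also contains the bare word "Flipboard".
UA_KINDS = [
    ("Flipboard ActivityPub", "activitypub"),
    ("FlipboardProxy", "proxy"),
    ("FlipboardRSS", "rss"),
    ("FlipboardBriefing", "legacy"),
    ("Flipboard-Briefing", "legacy"),
    ("FlipboardSeneca", "legacy"),
    ("Flipboard", "app"),
]
SERVER_KINDS = {"activitypub", "proxy", "rss"}  # assumption based on the table

# Placeholder ranges (RFC 5737 documentation space), NOT Flipboard's real addresses.
PLACEHOLDER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def classify_user_agent(user_agent):
    """Return which Flipboard agent a User-Agent header claims to be, or None."""
    for token, kind in UA_KINDS:
        if token in user_agent:
            return kind
    return None


def assess_request(user_agent, remote_ip, published_ranges=PLACEHOLDER_RANGES):
    """Combine the claimed agent with a source-address check.

    The User-Agent header is set by the sender, so for server-side agents the
    claim is only reported as verified when the source address is in the list.
    """
    kind = classify_user_agent(user_agent)
    if kind is None:
        return "not-flipboard"
    if kind not in SERVER_KINDS:
        return kind  # client traffic arrives from users' own networks
    address = ipaddress.ip_address(remote_ip)
    if any(address in network for network in published_ranges):
        return f"{kind}:verified"
    return f"{kind}:unverified"
```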

Control

For server related requests, we honor robots.txt Disallow and will not crawl your site when this is specified.

Reporting Issues

If you have problems with any requests coming from Flipboard, we are here to help. Whether you would like us to never make requests to your domain (blocking from our side) or reducing the rate of requests or limiting to a specific set of originating ip addresses, reach out to us.

 

from The Kitchen Sink

A lack of transparency results in distrust and a deep sense of insecurity. – Dalai Lama

Today, Flipboard announced the ability for our users to follow anyone in the fediverse. As a company, we are strong supporters of decentralized social media and in particular the role that Activity Pub plays in this space.

Prior to this launch, we created an account called tdf (for the daily fediverse) and followed many users very quickly prior to creating a profile or doing normal user behavior things for an account. This (rightfully) upset many in the fediverse as it was implied this was some sort of bot account out to take nefarious actions on users' personal posts. There was also confusion on the role of this account as compared to the equivalent Mastodon account.

This account was just an early account supporting the features of today's announcement. It's not a bot. It's me. Greg. I did not want to clutter my personal account so I created a new one where my goal was to interact with as many people in the active fediverse as possible so I could learn and help the rest of our Flipboard users find interesting people to follow and interact with in the fediverse. For example, check out our blog post on how to discover people to follow. I've since updated the profile with more details, but wanted to share in a blog post also for those still concerned.

We want Flipboard users to be part of the fediverse

When I follow you, you will see a follow request like any other good natured fediverse account. When I post (and I won't more than a few times a day) and you follow me, hopefully you will see my posts. And we can reply to each other. That's it. A normal account. I check it every day. I've already received over 1000 follows from just a few days of posting independent of the people I followed. This tells me there is some sort of value in what we are doing and as I continue to utilize this account, I hope we can further bring that kind of value to the rest of the fediverse and Flipboard. The same is true for the flipboard.social version of this account.

Transparency

Transparency is important to me and Flipboard, so I will attempt to address many of the reasonable questions people had regarding this account:

1) Why did you follow so many people?

I followed many to find interesting people in the fediverse, to interact, reply, see their posts in this new feature set, and make sure our work did the right things before launching. I could have done this more slowly or more intentionally by reviewing the posts of everyone first. Next time I will.

2) How did you find these people and follow them so fast?

I looked at our flipboard.social instance to find recent users it knew about who had many followers and had posted recently. I then wrote a script that gave my account permission to invoke an API and requested to follow those accounts.

3) Why not just set up a relay instead?

My goal is to post a few times and interact with people. A relay is intended to suck content in for others to discover when there is a public timeline. Flipboard does not offer a public timeline for discovery. Down the road, if we support a direct follow and public timeline, this would work and is something we are looking into per request from our users.

4) What are you doing with all the data (users and posts) that you receive from the fediverse?

We utilize the data only in the product as per the blog post. That data never leaves our premises and is removed as soon as it is no longer utilized and needed. We (and I, personally) care greatly about privacy and security at Flipboard.

5) How is this account different from the same account on flipboard.social?

Both accounts are the same behavior, but meant for different systems. On flipboard.com, I use our actual product to interact with everyone. On flipboard.social, I use a variety of Mastodon supporting apps.

6) Was this worth it?

Absolutely! One of the hardest things about being a good citizen in the fediverse is learning what everyone thinks it means to be a good citizen in the fediverse. And the only way to learn is by interacting with the fediverse. I've had a number of bugs reported to me including ones really really important (like private posts being replied to publicly ... which we fixed immediately) and more esoteric ones like replies seen on the latest Mastodon instances showing a translate option when the reply was in English and the user the reply went to had English as their language.

I want to thank everyone in the fediverse who has helped this be a positive experience and look forward to continued interactions. Reach out to me at tdf or via Greg with questions any time.

#flipboard #fediverse #activitypub #publishing #socialmedia

 

from The Kitchen Sink

The strength of unity and federation are unquestionable. – Rig Veda

You may have heard about Flipboard's recent support of the Activity Pub protocol. How does one find these Flipboard Accounts and Magazines to follow? One approach is to visit our Mastodon instance flipboard.social and search for flipboard.com to find profiles and Magazines to follow.

However, without an actual account on our Mastodon Server, you are limited in the content you can find where you can see individual posts along with profiles.

Another approach is to federate with flipboard.com and then you can receive all the posts from our federated Flipboard Accounts and Magazines via search on your own local instance, receiving all the same results. From Mastodon, this is easy to do from the administrative relays page on your instance.

Click the button to add a new relay and add the url https://flipboard.com/actor/inbox into the edit box and then click Save And Enable.

We check daily for new requests and will review the request for approval. That's it! You can always disable the federation on your side if for some reason you decide to stop or halt receiving posts from flipboard.com.

#flipboard #fediverse #activitypub #publishing #socialmedia

 

from greg

I have not written a blog post, evidently, in 8 years when I documented a bike ride across New York State, which I highly recommend to any road bike enthusiasts. Reach out to me if you want to learn more about that trip.

However, with the looming Bluesky Bridge work, I decided to dust off the Markdown to lend not only my personal support, but as the Mastodon admin of flipboard.social, our full support of BridgyFed.

First off, kudos to Ryan Barrett for his transparency regarding this open source work, one of the principles of the Open Social Web, as well as his thoughtful and mature responses to concerns raised and proposed changes. Brave and thoughtful developers like Ryan every day are building services we all can choose to be a part of or not, thanks to federation, and we should celebrate those efforts rather than allow the vitriol that has existed on closed networks to permeate this world.

Any software that helps marshal the ability of communities to connect, as well as the moderation tooling that allows us as individuals to navigate these communities safely, is a win for federation.

#Mastodon #BlueSky #BridgyFed

 