Twitter’s Birdwatch is Fundamentally Flawed

Earlier this week, Twitter announced an initiative to combat misinformation on their platform that they call Birdwatch.

How Birdwatch works: Volunteers sign up (assuming they meet all the requirements) and can add notes to fill in context on misleading tweets. Other users can rate these contextual tweets as helpful or not helpful. All of these “notes” and ratings of notes are completely transparent.

Credit: the Birdwatch website
Credit: the Birdwatch website

At its face, Birdwatch is an attempt to scale up the existing fact-checking capability used during the 2020 U.S. Elections while also crowdsourcing this decision-making.

I will give Twitter credit for two things, and only two things, before I get into the problems with their design.

1. They’re distributing the power to fact-check bad tweets to their users rather than hoarding it for themselves.
2. They correctly emphasized transparency as a goal for this tool.

But it’s not all sunshine and rainbows.

The Fatal Flaw of Birdwatch’s Design

There’s an old essay titled The Six Dumbest Ideas in Computer Security, that immediately identifies two problems with Birdwatch’s design. They also happen to be the first two items on the essay’s list!

1. Default Permit
2. Enumerating Badness

This is best illustrated by way of example.

Let’s assume there are two pathological liars hellbent on spreading misinformation on Twitter. They each tweet unsubstantiated claims about some facet of government or civil service. Birdwatch users catch only one of them, and correctly fact-check their tweet.

What happens to the other liar?

What happens if Birdwatch users can only identify one out of ten liars? One out of a hundred? One out of a thousand?! Et cetera.

(Art by Khia.)

To be clear: The biggest flaw in their product design is simply that their “notes” and “fact-checks” are negative indicators on known-bad tweets.

This will create a dark pattern: If a tweet slips past the Birdwatch users’ radars, it won’t be fact-checked. In turn, users won’t realize it’s misinformation. A popular term for the resulting conduct is coordinated inauthentic behavior.

This already happens to YouTube.

https://youtu.be/1PGm8LslEb4

Hell, this is already happening to Twitter:

https://www.youtube.com/watch?v=V-1RhQ1uuQ4

How To Fix Birdwatch

I wrote an entire essay on Defeating Coordinated Inauthentic Behavior at Scale in 2019. I highly recommend anyone at Twitter interested in actually solving the misinformation problem to give that a careful consideration.

(Art by Swizz.)

But in a nutshell, the most important fix is to change the state machine underlying Birdwatch from:

• No notes -> trustworthy
• Notes -> misinformation

…to something subtly different:

• No notes -> unvetted / be cautious
• Notes ->
  
  • Negative notes -> misinformation
  • Positive notes -> verified by experts

  
  

This effectively creates a traffic light signal for users: Tweets start as yellow (exercise caution, which is the default) and may become green (affirmed by notes) or red (experts disagree).

What Would This Change Accomplish?

Malicious actors that accomplish Birdwatch evasion will only manage to encompass their message in caution tape. (Metaphorically speaking, anyway.)

If their goal is to spread misinformation while convincing the recipients of their message that they’re speaking the truth, they’ll have to get a green light–which is ideally more expensive to accomplish.

Bonus Round

I would also recommend some kind of “this smells fishy” button to signal Birdwatch contributors that this tweet needs fact-checking. Users might self-select into filter bubbles that Birdwatch users are totally absent from, and in turn come across things that are completely unvetted and possibly ambiguous.

While I have your attention, here’s a quality of life suggestion, on the house:

Being able to link claims together (e.g. reposted images with a false claim, n.b. like how the minions memes on Facebook) to deduplicate their claims about reality would save a lot of unnecessary headache.

(Anyone who has used Stack Overflow will appreciate the utility of being able to say “this is a duplicate of $otherThing”.)

What If These Fundamental Flaws Remain Unfixed?

Although Birdwatch will probably meet the immediate goal of scaling up the fact-checking efforts beyond what Twitter can provide (and satisfy the public relations requirements of tangibly doing something to combat this problem), propagandists and conspiracy theorists will simply become incentivized to evade Birdwatch contributors’ detection while spreading their lies.

As I said above, coordinated inauthentic behavior is already happening. This isn’t some abstract threat that only academics care about.

To the aid of the malicious, most users will confuse tweets that evaded detection with tweets that didn’t warrant correction. This might even lead to users trusting misinformation more than they would before Birdwatch. This would be a total self-own for the entire Birdwatch project.

#bullshit #computerSecurity #enumeratingBadness #misinformation #SocialMedia #Technology #Twitter

You’ve probably heard the rumors by now. It’s cropped up in Michigan, Kentucky, Nebraska, North Dakota, Wisconsin, and even Australia.

The rumor is: Parents around the country are expressing “concerns” over schools allegedly permitting students that identify as cats use litter boxes in public schools.

You can hear this idea being parroted by Nebraska State Senator Bruce Bostelman, without an ounce of irony or self-awareness:

https://twitter.com/jonnykip21/status/1508485363177861124

Of course, it doesn’t matter how often or how thoroughly these allegations are debunked (and, make no mistake, they are debunked), that doesn’t stop people from spreading this false and damnable rumor on Facebook Groups like “Protect Nebraska Children”.

As a member of the furry community who also strongly opposes misinformation on the Internet, I feel it’s necessary and appropriate for me to expose the dark truths about this litter box story once and for all.

Who and What Are Furries?

https://www.youtube.com/watch?v=JPSQVRJuDTs

Furries are members of the Furry Fandom, an art-centric participatory online community (with real-world conventions and events) consisting of people who enjoy anthropomorphic characters.

Characters like this!
(Art: LvJ)

For one reason or another, furries are also a predominantly LGBTQIA+ community. If you took a large random sample of people, you’d expect at least 90% to be heterosexual and cisgender. This shouldn’t surprise anyone. But if you took a random sample of furries, that figure is now only 20%.

For this reason, furry hate was often used as a dog-whistle for homophobia in forums where overt homophobia was not permitted.

https://twitter.com/spacetwinks/status/728349066178998274

If you’d like to learn more about the furry fandom, I highly recommend the appropriately named 2020 documentary The Fandom by Ash Coyote.

https://www.youtube.com/watch?v=iv0QaTW3kEY

Are Furries in K-12 Public Schools?

Overwhelmingly, no. The average age of the furry fandom varies from survey to survey, but 26 years old seems like a good estimate for the median age for survey participants (as of 2020).

Source: FurScience, 2020 survey results

Interestingly, the median age of furries was only 20 in the year 2011, which suggests that the furry fandom is consistently getting older.

That isn’t to say that there aren’t any furries under the age of 18. We just don’t have any data on them today.

Second, due to ethical restrictions, the IARP is unable to study minors (as parental consent would be required, something we cannot reasonably expect to obtain if a person has not “come out” to their family as a furry).

Furscience

This is the only scientific data we have, and it’s not perfect, but you can actually extrapolate a reasonable heuristic for the magnitude of underage furs based on the change in adult median age over time.

Since the adults of the furry fandom are consistently getting older (median 20 in 2011, median 26 in 2020, which is a 6 year increase over 9 years), the proportion of people under 18 was likely at most 33% of the total furry population in a given year during this interval.

This upper limit assumes most underage furries continue to be furries in adulthood, a negligible mortality rate, and people are discovering the fandom younger than 18.

If a lot of furries discover the fandom after they turn 18, then 33% is probably unreasonably high.

If this proportion still holds true, then the median age for furries is still squarely in the realm of young adulthood, not childhood.

Do Furries Identify as Animals?

No, furries do not identify as animals in the way that these very dumb rumors would imply.

People that identify as a non-human animal are called therians (or more broadly, otherkin). Most furries are not therians, but some are.

Do Furries That Identify as Cats Use Litter Boxes?

No, this is a damned lie with no basis in reality. Even Snopes debunked it.

If you’re interested in the origins of this dumb rumor, Dogpatch Press has a deep dive into the history of it going all the way back to the 1990’s.

The Dark Truth About These Rumors

If it’s not true, why are Facebook Groups and GOP politicians spreading lies about furries and public school students all of the sudden?

Unfortunately, the answer is transphobia.

https://twitter.com/KandissTaylor/status/1506603753008472064

There is an emerging generational culture war about transgender people.

To many older Americans, the idea that a person could be anything other than male or female seems absurd, and the notion that anyone could change their gender is uncomfortable (but science is consistently on trans people’s sides here).

Most younger people don’t carry the same prejudices as their parents’ and grandparents’ generations.

This litter box rumor is both a dog whistle for generalized queerphobia (as the majority of furry hate always has been) and a weak satire of non-binary gender identities. “If they can decide they’re neither male or female, what’s stopping them from identifying as a cat?” is the premise of this bigoted reasoning.

Before gay marriage was legal in America, there were a lot of online arguments put forth by evangelical Christians and Republicans that, “If you make gay marriage legal, soon you’ll have people wanting to marry their pets and we’ll have to legalize bestiality.”

Which, yes, is a very dumb slippery slope fallacy, but the current furry panic certainly echoes their same delusional beliefs about alternative lifestyles.

In short, the entire premise of the “furry litter-box in public schools” rumor is to bully nonbinary and/or transgender students through a dog-whistle, so they can evade being cancelled for overt bigotry.

These people are showing their whole ass when they spread these lies.

https://twitter.com/SoatokDhole/status/1506931766837321731

Also, it’s interesting that the people spreading these lies are Republicans, who claim to want to “protect children”, but are also in favor of child marriage.

What Can We Do About These Lies?

Your mission, should you choose to accept it, is to identify anyone in your life who believes these rumors (especially if they’re sharing lies from Facebook Groups that peddle misinformation), and then link them to this blog post.

I don’t expect it to persuade everyone, but it can save you the effort of having to argue further with them. Just copy+paste the URL and move on with your day, knowing you did your part to tell them, “You’re wrong, shut the fuck up.”

Where Did This Hoax Originate?

Allegedly, this entire hoax about “furries being permitted to use litter boxes in public schools” was started as a prank by a user named Tracing Woodgrains, a contributor to the anti-trans podcast Blocked and Reported, hosted by Jesse Singal and Katie Herzog (alternative mirror).

(Art: LvJ)

So—what does it take to persuade Libs of TikTok to tilt at windmills, to spread a moral panic over a falsehood? How can hoaxers break past her fact-checking, with nary a red flag to be seen?

A nonexistent man passed on a false tip on the basis of paper-thin evidence, then squirmed away at any attempts to nail down the concrete before finishing things off with a broken link to a Facebook group that did not exist.

— How I Convinced Libs of TikTok to Publish a False Story

So there you have it. This entire thing is not only unbelievable, but fabricated for the sake of trolls’ amusement.

https://soatok.blog/2022/04/06/the-dark-truth-about-the-furry-protocol/

#demographics #falsehoods #furries #furry #FurryFandom #lies #litterBoxRumor #misinformation #Politics #rumors #Society

Dhole Moments

2020-04-24 02:43:25

My recent post about the alleged source code leaks affecting Team Fortress 2 and Counter-Strike: Global Offensive made the rounds on Twitter and made someone very mad, so I got hate DMs.
No more Angry Whoppers for you, mister!
…Look, I only said I got hate DMs, not that I got interesting or particularly effective hate DMs! Weak troll is weak, I know.

A lot of people online claim they “hate furries”, but almost none of them quite understand how prolific our community is, let alone how important we are to the Internet. As Stormi the Folf puts it…

I guarantee you the internet would collapse in a most horrific manner if all the furries in the world got Thano's snapped.

They *run* the internet in more ways than most people realize

— 🦊Stormi the Folf🐺 🔜FWA (@StormiFolf) April 23, 2020

Stormi is the Potato of Knowledge and Floof
What Stormi’s alluding to is true, and that’s a tale best told by an outsider to our community.

Telecommunications as a whole, which also encompasses The Internet, is in a constant state of failure and just in time fixes and functionally all modern communication would collapse if about 50 people, most of which are furries, decided to turn their pager off for a day. https://t.co/k1UqOv5kpd

— Ẑ͚͔͍̻̤̟ä̶̼̗̟͔́̿̾̓n̬͙̫̿͑͊̈̚d̡̰̭̞͖̟̖̟ͬ̚ê̺͖̂ͩ̀̉ͣrͪ̓ (@mmsword) November 28, 2019

Their follow-up tweet that elaborates on furry involvement is here.
So I’d like take the time to explain why nobody should ever underestimate the ingenuity or positivity of the furry community.

The Furry Fandom Has Saved Lives

https://www.youtube.com/embed/3h9sO17CV9A?feature=oembed
This is just one of many anecdotes. You can find many more here.
Although the furry fandom is widely misunderstood, it’s difficult to overstate how many lives have been saved and enriched by our community.

I wanted to share this touching moment. @Reo_Grayfox was telling me his story, and said those lines while staring straight into his fursuit's eyes. Hearing personal stories like this makes you appreciate the vastly diverse reasons why the furry fandom is essential to so many. pic.twitter.com/fD09Wmv6mf

— Joaquín Baldwin (@joabaldwin) January 22, 2018

Furries Provide Much-Needed Comfort to Others

In 2016, refugees from the civil war in Syria ended up in a hotel in Canada. This would have been an utterly remarkable fact if it wasn’t the same hotel and weekend as the local furry convention, Vancoufur.

The kids loved it.

This isn’t an isolated incident either. Our community is well-known for kindness and generosity in spades.

https://charcoalthings.tumblr.com/post/132996328881/i-will-defend-furries-to-my-grave

https://wakor.tumblr.com/post/126072529744/ok-you-know-what

What’s there to hate?

The Furry Fandom is Collectively Pretty Bad-Ass

Art by RueMaw.
No, not like that.

The fandom is bad-ass in as many ways as the fandom is incredibly diverse.
Image source and backstory of this meme: Dogpatch Press

90s furries built the Internet pic.twitter.com/Gicxme2HkT

— SwiftOnSecurity (@SwiftOnSecurity) April 30, 2019

SwiftOnSecurity knows the truth about more than just corn.

So one of my friends said furries pretty much run the US nuclear response communication networks. Just in case you're worried about Trump.

— SwiftOnSecurity (@SwiftOnSecurity) November 12, 2016

Seriously.

Some of the Most Talented People You’ll Ever Meet Are Furries

eSports Champions:

https://www.youtube.com/embed/TWhrECl6zOY?feature=oembed

Musicians:

https://open.spotify.com/embed/album/4NlXsjKmcWegIfQEI0JzHK?utm_source=oembed

Artists and costume makers: I could literally link to hundreds of artists here. Follow me on Twitter; I retweet a lot of cute stuff.

Pretty much everything you could aspire to be that isn’t also terrible, if you look hard enough, you’ll find furries in the leaderboards having a fun time with it all.

The only reason to hate furries is thinly-veiled homophobia, because only about 25% of furries are heterosexual.

Why So Curious?

If I’ve made you curious about our community, and now you want to learn more about us, I’ve got you.

https://www.youtube.com/embed/K2XeOxWW2oY?feature=oembed

Psychology Today: What’s the Deal with Furries?

Furry Fandom Documentary When?

https://www.youtube.com/embed/cF9DQQsUcs0?feature=oembed

Ash Coyote is releasing a documentary about our subculture soon, titled The Fandom. You can find out more about it on her YouTube channel.

https://soatok.blog/2020/04/23/never-underestimate-the-furry-fandom/

#furries #furry #FurryFandom #hateMail #positivity #Society

There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.

1. The Team Fortress 2 Source Code has been leaked.
2. Hackers discovered a Remote Code Execution exploit.

The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)

The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.

Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.

I will explain.
Professor Dreamseeker is in the house. Twitch Emote by Swizz.

Why Source Code Leaks Don’t Matter for Security

You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.

How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.

But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.

How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.

Why are you making that sound trivial?
Because it is trivial!

If you don’t believe me, choose a random game from your Steam library.

Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
Me, following these steps to locate the No Man’s Sky binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.

Other platforms and their respective tools:

• Java games (.jar files): Luyten
• .NET games: ILSpy
• Android apps: dex2jar then Luyten (as per Java)

If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.

Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Decompiled code from No Man’s Sky’s NMS.exe file on Windows.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.

Every Information Security Expert Knows This

Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.

There’s a derisive term for this belief: Security Through Obscurity.

The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.

In Conclusion

Remote Code Execution is bad.

The Source Code being public? Yawn.
Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.

With the Source leaks happening today, I think everyone is missing the most important part: how much does Valve swear? I tallied up instances of these words in the leak*:

"fuck": 116
"shit": 63
"damn": 109

*There was some non-Valve stuff in the leak; I didn't count it

— @tj (@tjhorner) April 22, 2020

Well damn if that doesn’t capture my interest.
Now this is the kind of story that makes Twitter worthwhile!

Is the RCE Exploit Even Real?

Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.

— CS2 (@CounterStrike) April 22, 2020

Fake news and old news are strange (yet strangely common) bedfellows.

https://soatok.blog/2020/04/22/source-code-leak-is-effectively-meaningless-to-endpoint-security/

#commonSense #informationSecurity #infosec #misinformation #reverseEngineering #security #securityThroughObscurity #sourceCode

Dhole Moments

2020-04-22 22:13:34

There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.

1. The Team Fortress 2 Source Code has been leaked.
2. Hackers discovered a Remote Code Execution exploit.

The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)

The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.

Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.

I will explain.
Professor Dreamseeker is in the house. Twitch Emote by Swizz.

Why Source Code Leaks Don’t Matter for Security

You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.

How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.

But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.

How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.

Why are you making that sound trivial?
Because it is trivial!

If you don’t believe me, choose a random game from your Steam library.

Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
Me, following these steps to locate the No Man’s Sky binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.

Other platforms and their respective tools:

• Java games (.jar files): Luyten
• .NET games: ILSpy
• Android apps: dex2jar then Luyten (as per Java)

If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.

Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Decompiled code from No Man’s Sky’s NMS.exe file on Windows.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.

Every Information Security Expert Knows This

Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.

There’s a derisive term for this belief: Security Through Obscurity.

The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.

In Conclusion

Remote Code Execution is bad.

The Source Code being public? Yawn.
Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.

With the Source leaks happening today, I think everyone is missing the most important part: how much does Valve swear? I tallied up instances of these words in the leak*:

"fuck": 116
"shit": 63
"damn": 109

*There was some non-Valve stuff in the leak; I didn't count it

— @tj (@tjhorner) April 22, 2020

Well damn if that doesn’t capture my interest.
Now this is the kind of story that makes Twitter worthwhile!

Is the RCE Exploit Even Real?

Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.

— CS2 (@CounterStrike) April 22, 2020

Fake news and old news are strange (yet strangely common) bedfellows.

https://soatok.blog/2020/04/22/source-code-leak-is-effectively-meaningless-to-endpoint-security/

#commonSense #informationSecurity #infosec #misinformation #reverseEngineering #security #securityThroughObscurity #sourceCode