2024: The Year of Infinite Infosec Fail

First up in today’s game of “who fed it and who ate it:” Artificial Intelligence.

AI is everywhere. AI chatbots! AI image generators! And now, AI code assistants that help developers write computer programs!

Only here’s the thing: AI doesn’t know anything. A lot of folks think these AI systems are, like, some sort of huge database of facts or something. They aren’t. They’re closer to supercharged versions of the autocomplete on your phone.

Which means if you ask an AI chatbot or code generator a question, it does the same thing autocomplete does: fills in syntactically correct words that are likely to come after the words you typed. There is no intelligence. There is no storehouse of facts it looks up.

That’s why AI is prone to “hallucinations”—completely imaginary false statements that the AI systems invent because the words it uses are somehow associated with the words you typed.

AI Fembot says: The Golden Gate Bridge was transported for the second time across Egypt in October of 2016. (Image: Xu Haiwei)

So, code generation.

AI code generation is uniformly terrible. If you’re asking for anything more than a simple shell script, what you get likely won’t even compile. But oh, it gets worse. So, so much worse.

AI code generators do not understand code. They merely produce output that resembles the text they were trained on. And sometimes, they hallucinate entire libraries or software packages that do not exist.

Which is perfectly understandable once you get how AI LLMs work.

What’s particularly interesting, though, is that malware writers can write malware, give it the same name as the packages AI code generators make up out of thin air, and devs will download and install them just because an AI chatbot told them to.
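One defensive guard against exactly this, as an added example that is not code from the post: check every requirement name against a snapshot of packages you already trust before anything is installed, so a name an assistant invented (or a one-letter miss of a real one) gets a human look first. The snapshot, the sample requirements text and the helper names are all constructed for the example.

```python
"""Guard against installing package names an AI assistant may have made up.

Added example, not the post's code. Rather than querying PyPI live, it compares
requirement names with a snapshot of packages you already trust (constructed
inline below); anything absent from that snapshot is held for human review.
"""
import re
from typing import Dict, Optional, Set

# Constructed stand-in for a registry snapshot or internal allow-list.
KNOWN_PACKAGES: Set[str] = {
    "requests", "numpy", "pyyaml", "cryptography", "python-dateutil",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names such as 'requets'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement_name(line: str) -> Optional[str]:
    """Return the bare project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):      # blank, comment or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def check_requirements(text: str, known: Set[str] = KNOWN_PACKAGES) -> Dict[str, str]:
    """Classify each requirement as 'known', 'lookalike' or 'unknown'."""
    known_norm = {normalize(k) for k in known}
    verdicts: Dict[str, str] = {}
    for line in text.splitlines():
        name = parse_requirement_name(line)
        if name is None:
            continue
        n = normalize(name)
        if n in known_norm:
            verdicts[name] = "known"
        elif any(edit_distance(n, k) <= 2 for k in known_norm):
            verdicts[name] = "lookalike"   # typo of a real name: possible typosquat
        else:
            verdicts[name] = "unknown"     # never seen: possibly hallucinated
    return verdicts


def safe_to_install(text: str, known: Set[str] = KNOWN_PACKAGES) -> bool:
    """True only when every requirement resolves to a trusted package."""
    return all(v == "known" for v in check_requirements(text, known).values())


if __name__ == "__main__":
    # Constructed requirements file: two real names, one typo, one invented name.
    SAMPLE = "requests>=2.31\nPyYAML\nrequets\n# pinned by the assistant:\nsuper-fast-json-parser==1.0\n"
    for pkg, verdict in check_requirements(SAMPLE).items():
        print(f"{pkg:28} {verdict}")
    print("safe to install:", safe_to_install(SAMPLE))
```

In practice the snapshot would be a dated export of your private index or a vetted allow-list, so that "unknown" is a gate, not a guess.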

Bet you didn’t have that on your “Reasons 2024 Will Suck” bingo card.

And speaking of things that suck:

I woke this morning to a message from Eunice that a popular, trusted developer had inserted malicious code in an obscure Linux library he maintains, code that would allow him to log in and access any Linux system that his library is installed on.

In February, then again in March, the developer released updates to a library called “XZ Utils.” The update contained weird, obfuscated code—instructions that were deliberately written in a manner to conceal what they did—but because he was a trusted dev, people were just like 🤷‍♂️. “We don’t know what this code he added does, but he seems an okay guy. Let’s roll this into Linux.”
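One reviewer-side check that would have forced a closer look at "weird, obfuscated code" before it was rolled in, as an added example that is not code from the post or from the XZ Utils project: scan a build script for long, high-entropy tokens of the kind encoded payloads produce and refuse to call the change "clean" until a human has read them. The sample script excerpt and its opaque blob are constructed.

```python
"""Flag opaque, possibly obfuscated content in a build script before merging it.

Added example, not the post's code. A reviewer-side heuristic: long tokens with
high Shannon entropy (typical of packed or encoded payloads) are reported with
their line numbers so they cannot be waved through on the author's reputation.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Long runs of base64-ish characters; ordinary identifiers rarely reach 24 chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_tokens(text: str, min_entropy: float = 4.0) -> List[Tuple[int, str, float]]:
    """Return (line_no, token, entropy) for tokens that look like encoded blobs.

    Low-entropy long tokens (padding, repeated characters) are deliberately
    ignored: length alone is not evidence of obfuscation.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            e = shannon_entropy(tok)
            if e >= min_entropy:
                hits.append((line_no, tok, round(e, 2)))
    return hits


def review_verdict(text: str) -> str:
    """'needs-manual-review' if any opaque blob is present, else 'clean'."""
    return "needs-manual-review" if suspicious_tokens(text) else "clean"


if __name__ == "__main__":
    # Constructed build-script excerpt: normal lines plus one opaque blob.
    SAMPLE = (
        "#!/bin/sh\n"
        "./configure --prefix=/usr/local\n"
        'extra_src="Q7xZ2pLm9VbN4kRt8WsY3jHc6FdG1aE5"\n'
        "make -j4 && make install\n"
    )
    for line_no, tok, e in suspicious_tokens(SAMPLE):
        print(f"line {line_no}: {tok} (entropy {e} bits)")
    print("verdict:", review_verdict(SAMPLE))
```

The threshold is a tunable heuristic, not a verdict: it catches blobs, not clever logic, so it complements rather than replaces reading the diff.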

He seems a decent fellow. We don’t know what this code does, but what’s the harm? (Image: Zanyar Ibrahim)

Fortunately it was spotted quickly, before it ended up widely used, so only a handful of bleeding-edge Linux distros were affected, but still:

What the actual, literal fuck, people??!

“This library contains obfuscated code whose purpose has been deliberately concealed. What’s the worst that can happen?”

Jesus. And it’s only March.

Developers should never be allowed near anything important ever.

Beware Bowdlerization of Google Docs

Image: David Pennington

I write novels almost exclusively in Google Docs.

It’s an aggressively mediocre word processor with two killer features: you have access to it wherever and from whatever device you have Internet access, and it is hands-down the absolute best thing out there for collaborative writing. Nearly all my books are co-written with other people. Google Docs makes this effortless; in fact, many’s the time I’ve been working with Eunice or my Talespinner as both of us type in the same Docs file at the same time.

Even when we aren’t writing at the same time, Google Docs makes it easy for us to leave notes to each other within the same document. It’s no exaggeration to say Docs is probably the best thing to happen to collaborative writing since the invention of the fountain pen.

So you can imagine when I opened my Messenger app a couple days ago and found a message from my co-author Eunice linking to a story by a writer who’d lost access to Google Docs and her manuscript because they contained sexually explicit content.

I’ve spent the last couple of days poring over the Google Terms of Service, and what I found is…worrisome.

Many of the novels I write contain sex. Some of them contain a lot of sex; the Passionate Pantheon series Eunice and I write, a far-future post-scarcity science fiction series where residents of the City worship AI gods through highly ritualized group sex, is a vehicle for us to explore sexual ethics, philosophy, and society in a setting where attitudes toward sex and violence are pretty much exactly the opposite of what they are here in the real world. And these books have tons of sex, some of it so kinky the kinks don’t even have names—we looked.

Naturally, the notion that Google can terminate your Google account and delete your manuscripts in progress for (consensual adult) sexual content is a little alarming.

The issue seems to be Google’s March 2024 anti-spam update.

What does spam have to do with sex and Google? Glad you asked.

More and more often, I am seeing spam that directs to Google properties: Google Sites and Google Docs, mostly. The spammers link to a Google page, which has a link that goes on to the spam site.

Why? Because it keeps the spam emails from being filtered by anti-spam filters (Google links aren’t flagged as spam) and helps prevent the spammers from having their sites shut down.

Sex spammers especially seem to be flocking to Google:

If you click on the link, you’re taken to a Google Site (as in this example) or a Google Doc that then contains a link to the spam site. The Google page includes a little circle-I icon that, if you click on it, brings up the option to report the Google Site or Google Doc for abuse.

If you hit the Report Abuse link, one of the options is “Sexually Explicit.”

So. It seems Google doesn’t permit sexually explicit content. But is that actually part of the Google Terms of Service? Well, kinda.

Here’s the relevant part of the Google Terms of Service:

This…isn’t actually terribly clear. It forbids distributing sexually explicit material, though it doesn’t ban creating sexually explicit material, nor does it say what constitutes “distributing.”

So.

What follows is a completely unofficial speculation about what might be happening and what you might be able to do about it. I claim no insider knowledge of Google’s policies; this is simply informal noodling about the situation.

There are several ways to share a Google Doc. You can invite specific people to see it, and give them different levels of access (read only, comment, propose changes, edit, and so on). You can set it up so that anyone who has the URL can read the document, but can’t make any changes. The way you share it affects what people who view it will see.

If you invite specific people to be able to see and/or comment on the document, they will not see the little information bubble that gives them the option to report the site to Google’s abuse team.

If you set the document up so that anyone with the link can see it, which is what spammers do, then anyone who views the document will see the option to report the document for abuse.
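A quick way to find out which of your own docs fall into the second, riskier bucket, as an added example that is not code from the post: sort each doc by its sharing entries into "named people only" versus "anyone with the link" (or fully public) and list the link-sharing entries you would revoke. The records below are constructed samples shaped like Drive API v3 permission entries (`id`, `type`, `role`, `allowFileDiscovery`); fetching them live and calling `permissions.delete` is assumed to be done by the caller.

```python
"""Audit which Google Docs are open to 'anyone with the link'.

Added example, not the post's code. It works over permission records shaped
like the Drive API v3 `permissions` resource (fields `id`, `type`, `role`,
`allowFileDiscovery`), constructed inline here instead of fetched live, and
sorts docs into those only named people can open and those any link-holder
(and therefore any stranger with a 'report abuse' button) can open.
"""
from typing import Dict, List, Tuple

# Constructed sample permission listings for three docs.
SAMPLE_FILES: Dict[str, List[dict]] = {
    "Manuscript draft": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "author@example.com"},
        {"id": "p2", "type": "user", "role": "writer", "emailAddress": "coauthor@example.com"},
    ],
    "Beta-reader copy": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "author@example.com"},
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ],
    "Press kit": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "author@example.com"},
        {"id": "anyone", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
    ],
}


def classify(permissions: List[dict]) -> str:
    """Exposure class of one doc, from most to least exposed."""
    anyone = [p for p in permissions if p.get("type") == "anyone"]
    if any(p.get("allowFileDiscovery") for p in anyone):
        return "public-on-web"          # searchable, not just reachable by link
    if anyone:
        return "anyone-with-link"       # the mode spammers (and many authors) use
    if any(p.get("type") in ("domain", "group") for p in permissions):
        return "domain-or-group"
    return "named-people-only"          # invited readers only: no report bubble


def audit(files: Dict[str, List[dict]]) -> Dict[str, str]:
    """Map each doc name to its exposure class."""
    return {name: classify(perms) for name, perms in files.items()}


def remediation_plan(files: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """(doc, permission id) pairs to revoke so only invited people keep access.

    Each pair is what you would hand to permissions.delete; making that call
    is left to the caller (assumption: Drive API credentials for the account).
    """
    return [
        (name, p["id"])
        for name, perms in files.items()
        for p in perms
        if p.get("type") == "anyone"
    ]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FILES).items():
        print(f"{name:20} {verdict}")
    print("revoke:", remediation_plan(SAMPLE_FILES))
```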

I think—and let me emphasize again this is not based on insider knowledge of anything happening at Google—I think what’s happening is that authors who share Google docs with beta readers may be sharing it by setting the document up so that everyone who has the link can see the doc, and people are reporting the doc.

Why? Unknown. Maybe they’re undermining an author they personally don’t like. Maybe they’re just busybodies.

Point is, Google is a big company, with billions of files and docs on Google Sites and Google Docs and so forth, and they’re not generally proactive about deleting content that violates their terms. They’re reactive—they take action when someone calls attention specifically to a doc or file or page.

So it would seem that they consider sharing a read-only link to be “distribution,” and authors who “distribute” sexual content this way are prone to getting their stuff deleted.

If that’s true, what does it mean?

First of all, it suggests that sharing docs with sexual content to beta readers or reviewers is very dangerous. One person clicking that “report abuse” link may be all it takes to lose access to your Google Docs.

So if you’re sharing content with beta readers, especially beta readers you haven’t individually vetted, don’t do it by sharing a publicly-accessible link to any Google content. Create a Word file and share that, or host the copy you share on your own site…basically anything else.

But it also suggests that in the future, should they want to, Google can decide to be less reactive about enforcing their terms and simply search for sexual words or phrases. It would be trivial for them to do so. Their current terms forbid “distributing” sexual content, but of course they decide what distributing means, and they can change that whenever they feel.

The second thing it means is back up your Google content!

You can download from a Google doc to a Word file easily; it’s in the File menu in Docs.

Back up early. Back up often. (I’ve long had a policy of downloading Google Docs after every major change, because Google has been known to accidentally lose files, but this recent development has me doing so even more aggressively).

I plan to continue using Google Docs to write manuscripts. Thankfully, I don’t share the docs to dog+world, so I’m not likely at risk of having a malicious rando report me.

But I will continue to keep local copies of everything, and I’m in search of a replacement for Google if things should go pear-shaped.

Anyone out there who knows of any good collaborative writing tools, please shout out in the comments!

The Lads from Cyprus: Now on Quora!

Back in March 2016, eight years and one day ago, I published an analysis of a spam ring advertising phony pay-for-play scam “dating sites.” This particular group was responsible for about 90% of the “Hot Lady Wants to F*ck You” spam in circulation. The spam contained links to hacked sites that the spammers placed malicious redirectors on, that would redirect to other sites that redirected to other sites that redirected to a site that would promise sex and ask you a bunch of questions about what you were looking for, then take you to the actual scam site.

I called these guys “the Lads from Cyprus” because invariably the scam dating sites were registered to a shell company organized in Cyprus.

Times have changed, and the Lads from Cyprus have changed with them. While they still do send spam emails, I rarely see them any more—perhaps six or eight times a year, where I used to see them multiple times per day.

Instead, they’ve moved on…to Quora.

The Quora Connection

I spend most of my time on Quora these days. A few years back, I started noticing a certain type of profile, a large number of them with consistent behavior: a profile pic of a hot woman in a kind of blandly generic Instagram pose, answering questions at an enormous rate (sometimes once a minute or more), with the answers all being a sentence or so that might or might not be related to the question, but that always included a photo of a scantily-dressed woman.

The profiles look like this:

The links (“Latest Nude Videos and Pics,” “Hookup [sic] with me now”) all lead to domains that are registered on Namesilo, usually with ultra-cheap TLDs like “.life,” that—rather amazingly—are still using the exact same templates I saw in 2016.

Go with what works, eh?

Anyway, these sites ask you a bunch of questions, tell you you’re about to see nude photos, then redirect you to a scam dating site—in this case, one called onlylocalmeets.com—where you will immediately see a direct message request the moment you connect, though of course you’ll need to pay if you want to receive it.

It’s actually kind of amazing to me that they’re still running the same scams essentially unchanged, using the same templates they used eight years ago. They’ve clearly got this down to an art—the redirection sites even do some spiffy geolocation and collect as much information from your browser fingerprint as they can before sending you off to the scam site.

There are at least hundreds, possibly thousands, of these fake profiles on Quora, all of which use stolen photos of Instagram models, and all of which link back, through various intermediaries, to the same scam dating site.

I started recording the scam profiles in a Notes file. I deliberately didn’t go out searching for them; instead, I just browsed Quora as I normally do, and made a note whenever I encountered one of these scam profiles (and if I was in the mood, did a reverse image search to see whose photos were stolen for that profile).

There are…a lot of them.

Based on what I’ve seen, I’d say probably 800 on the low end and 1,500 on the high end.

One of them even used stolen Instagram photos of pro golfer and model Paige Spiranac. When I reverse image searched the photos, I looked up the email address of her agent (who was easy to find) and sent an email saying “hey, just so you know, your client’s photos are being used in a catfishing scam, here’s the link.” The profile was banned a few days later, so maybe she or her agent filed a DMCA takedown request.

I find it interesting that this organized spam gang is still at it, still running the same scam they’ve been running for at least ten years, but always looking for new ways to find fresh crops of victims.

I also find it interesting that it works. These scam profiles quickly end up with thousands, sometimes tens of thousands, of followers.

And finally, if you’ve ever wondered what it’s like to be a woman online, just look at the comments to the spam posts, which range from the drearily predictable:

To the completely unhinged:

(And what is it with these people not knowing the difference between “your” and “you’re”? You can be a completely deranged psycho who abuses women online or you can spell, but not, it seems, both.)

To the…well, I don’t know what the fuck this is. I’ve deliberately cropped off this fellow’s username.

Jesus, I do not understand why any woman would ever voluntarily go online.

On the one hand, it’s kinda hard to feel sorry for some of these blokes, who will no doubt be fleeced of all their money. That particular combination of toxic entitlement toward access to women’s bodies and aggressive stupidity makes it really hard to sympathize with the folks being ripped off here.

On the other, any scam is wrong, regardless of the victims it targets.

To terse or not to terse

I woke this morning thinking about work emails.

I emailed my lawyer and my therapist this morning.

When I write a work-related email to a client or a vendor or some professional I’m contracting for services, I tend to take a lesson from my experiences when I owned a computer consulting firm back in Tampa. Back then, I strongly, strongly preferred clients who sent me terse emails that got straight to the point in the first two sentences to meandering emails that took three paragraphs to get to the point, because the time I spent reading an email was time I wasn’t making money.

So for example, I really appreciated a client who sent me an email saying something like “We’re adding three new workstations to our network, but the network switch is out of ports, so we’d like you to come in and see about installing a larger switch and maybe get costs to upgrade to a faster network.” One sentence, spells out exactly what they need, boom, done.

I worked for a time as a print liaison for a small company that developed training manuals for businesses; they hired me to act as the go-between with printers and shipping companies, primarily, because at the time I already had a working relationship with most of the printers in the area.

I cc’d the business owner on all my emails with print shops and shipping companies. I remember a phone conversation with her one day where she complained about the brevity of my emails—she believed, strongly, that the emails should be longer, with introductory paragraphs like “we really appreciate the work you did for us on the last print job and we’re looking forward to working with you again.” Where I would send a print shop an RFQ that might be two, maybe three paragraphs long, she preferred emails that were eight or ten.

I did it her way, of course, because she was the client, but since I happened to be thinking about it, I’m curious. For those of you who communicate by email for professional or work-related reasons, what are your preferences?

The dumbification of social justice

This is an essay about cultural appropriation, except that it’s not really an essay about cultural appropriation.

This is actually about the way genuine, complex problems in complex societies get reduced to nattering virtue-signaling nonsense that become used as blunt instruments to ensure conformity and serve as tribalistic us-vs-them markers, in a process of ensuckitude that substitutes sloganeering for genuine thought, bleating of approved bumper-sticker platitudes for engagement, and tribalism for solutions.

Buckle up, Dorothy, ’cause Kansas is going bye-bye.

Let’s look at cultural appropriation

Odds are probably pretty good you’ve heard of cultural appropriation. Odds are also pretty good you have strong feelings about it, and that your strong feelings map closely to whether you self-identify as liberal or conservative, but can you actually offer a cogent description of what it is?

Cultural appropriation is a great proxy for the general dumbification of social justice and the generalized ensuckitude of real social discourse, because, oh my God, the prevailing culture-wars conversation around it is So. Fucking. Dumb.

This is how social justice dumbification in general works:

Step 1: Distort and water down the meaning of “cultural appropriation” until you use it for nothing more than “wearing vaguely ‘ethnic’ clothing” or “styling your hair in an unconventional way.” (To be fair, those who understand cultural appropriation is a real thing sometimes do this step for you.)

Step 2: Ignore and/or disregard actual instances of genuine cultural appropriation.

Step 3: Pretend your diluted, absurdist definition of “cultural appropriation” is the only definition there is; refuse to discuss, or even acknowledge, any other meaning.

Look, I get it. There are folks who make me roll my eyes so hard I can see my own brain stem when they talk about “cultural appropriation.”

Probably the greatest example of an absurd self-own was the Internet goon squad that accused a woman of “cultural appropriation” for wearing Japanese clothing when she was Japanese.

All the cringe. ALLLLLL the cringe.

So yeah, I get it. Stupid gonna stupid, man.

And it ain’t just cultural appropriation. Remember when James Cameron’s movie Avatar 2 came out? Some Native people complained that the movie peddled Native tropes for entertainment without actually recognizing Native history of defending biodiversity.

A lot, and I mean a lot, of white urban liberals jumped onto Twitter (yes, I’m totally deadnaming the name of Elongated Muskrat’s social media platform) to crow about how they were boycotting the movie and dish on people who saw it.

Some folks I know personally, folks I once used to respect and even admire, did this. And you know what was especially pathetic about it? They had no intention of seeing the movie in the first place, oh no. They took to social media to crow about how righteous they were for not watching a movie they never intended to watch, because it made them better people than the ones who did watch it…

…and yet, did they actually materially improve the lives of even one single Native person anywhere? Even one? Even a little bit?

Nope.

See, I might respect someone who went onto social media to say “hey, this movie might be problematic, and here’s why, so I took the $30 I was gonna spend on tickets and popcorn and a gigantic tub of Coke, and I donated it instead to this charity that helps Native populations, and here’s the URL where you can donate too,” but did they?

Nah, bruh, because it was never about the Native people.

It was virtue signaling and bullying. It was “Look at me! Look at me! I’m better than you! Hey, everyone, look at me!” It helped nobody, because it wasn’t intended to. It was about preening and primping, about vanity disguised as social justice.

In love with my own virtue. Image: olly

I didn’t watch Avatar 2, but I didn’t crow about it on social media either, because I never intended to see it in the first place.

Not watching a movie you never intended to watch is not a virtue, and that’s really what this is all about.

But I digress. Let’s get back to cultural appropriation.

“Cultural appropriation” in the academic sense does not mean “woman who kinda looks maybe white on Twitter wearing a yukata that self-righteous white craft-beer liberal dumbfucks think is a kimono.”

Cultural appropriation is when a white businessman sees a Navajo pattern, thinks it’s pretty, and commissions a sweatshop in China to make millions of knockoffs that he gets rich from without, you know, contributing to the people who created it, or even bothering to learn anything about it at all.

And that’s not nonsense. It’s a real thing that happens, just like turning other people’s brutal oppression under colonialism into entertainment whilst you eat overpriced popcorn is a thing that really happens.

But bullying a Japanese woman on social media because she looks “too white” to be wearing the clothes you don’t think she should wear doesn’t actually strike a blow against cultural appropriation, does it?

The difference between social justice and bombastic bullying

Liberals tend to whine about conservatives who mock and deride “social justice warriors,” but if I’m to be perfectly honest, a lot of that is our own fault. We liberals are easy targets, because we have a habit of taking our own values and reducing them to bumper sticker platitudes that we use to bully others without, you know, actually doing anything to solve the problems we claim to care about so much.

I would like to propose a test to help separate genuine concern with social justice from the general enshittification of morality into empty tribalism and bullying. Don’t worry, it’s a simple test, one that can be applied in less time than it takes to drink a single soy-milk latte. Just ask yourself these questions:

  1. At the end of your social justice venture, can you point to any person whose life or situation is now a bit better for your actions, in any way, however small?
  2. Was your social justice venture invited by the people you, a rich white person, claim to be speaking on behalf of?
  3. Is your social media venture targeted at the people who are responsible for the injustice you see, rather than bullying people for not doing what you want them to do?

If you can’t answer “yes” to all three of those questions, maybe you aren’t as virtuous as you like to pretend you are.