If you’ve ever played Dungeons & Dragons, you probably know that any thief/rogue character automatically knows a language called “Thieves’ Cant.” It’s not really all that well described, and it includes a lot of elements that aren’t technically part of a canting language. Back in the day I played D&D, which hasn’t been for some years now (I moved on to other, more flexible systems), I basically just thought of it as a secret language and left it at that.
But canting languages are really super-cool. The essence of a cant is it’s a means of communication you can use when you’re being observed without the people who are eavesdropping on you knowing what you’re saying.
The canonical go-to example of a canting language is probably Cockney rhyming slang. Take a common, popular two-word expression. Find a word that rhymes with the second word of the expression. Use the first word of the expression in place of that word.
So for example, you might say “mate, I’m in barney, did you bring the bangers?” Barney: Barney Rubble: Trouble. Bangers: Bangers and mash: Cash. “I’m in barney, did you bring the bangers?” means “I’m in trouble, did you bring the cash?”
It’s never been as popular or widely used as pop culture makes it seem, but it’s a cool and interesting example of a cant.
I quite like the idea of canting languages. They’re a way of concealing meaning in an open and hostile environment; kind of like obfuscated JavaScript on malicious websites, in fact. They’re subject to enormous adaptive pressure because, of course, authorities will learn the cants used by the criminal underworld, so they have to change rapidly, but if they change too rapidly they become unintelligible for the people using them. The idea of a universal cant like in D&D is a bit absurd; they’re really of limited use, and they’ve never been all that common.
For my novel Black Iron, I had tremendous fun researching Victorian-era British slang for a canting language used among street urchins:
“My qab!” Missy said. A grin of delight split her grubby face. She leapt to her feet, hands out imploringly.
“I beg your pardon?” Skarbunket said.
“She means her hat, sir,” Mayferry said.
Missy made an exasperated noise. “It’s what I said! My qab! Give it t’me!”
Mayferry took the hat from Skarbunket and peered into it. “Aye, it’s a rum qab for a brim couch as yourself.” He set the hat on Missy’s head. It fell until it nearly covered her eyes. “Where did you get it?”
“I tole you!” Missy said. “It was my pa’s.”
“That’s a rumple kaddie, lass,” Mayferry said. “Don’t snap me for a bemmer. Where did you really get it?”
Skarbunket and Bristol looked sideways at each other. “Well, well, Mister Mayferry, you never cease to amaze,” Skarbunket said. “What the blazes are you two talking about?”
“Thank you, sir. I told her it’s a very fine hat for a young child, but I know she’s lying about where she got it, sir,” Mayferry said.
Skarbunket held out his hand. “No day in which we learn something is a wasted day. Today we have learned something interesting about Officer Mayferry, I think. Pray continue, Mister Mayferry.”
Missy squinched up her face. “‘Pray continue, Mister Mayferry.’ ’E talks like a jeeve.”
“That’s not a very nice thing to say,” Mayferry said. “He got you back your hat.”
Missy looked from Mayferry to Skarbunket and back again. “Aight, I s’pose ’e’s jayed ’nuff.”
“It’s not nice to rim your friends,” Mayferry said.
“Posies ain’t my friends,” Missy shot back.
“These posies got you your hat back.”
Missy looked doubtful. “Well…”
“That’s what the posies are for, isn’t it? That’s why you came to us. To help you get what was rightfully yours. And you have it back!”
Her grin returned. “My qab!”
“We’re not going to take it away,” Mayferry said. “We just want to know where you got it for real.”
“It’s mine! I tole you already!” She folded her arms defiantly in front of her. “My pa gave it t’me! Now you go away!”
Mayferry spread his hands. “Okay. Tell us about the hackie cove who cleved your qab.”
Missy’s face darkened. “’E didn’t give me a shilling.”
“How did you know where he was when you came to us?”
“I followed him, I did! ’E’s a fox an’ duckie for sure. Went all over like ’e had a shortie waking ’im. I was too duckie for ’im. I waked ’im all the way.” Her small face beamed with pride.
“Translation, if you please, Mister Mayferry?” Skarbunket said.
“She’s saying she followed him. Apparently he went to some trouble not to be followed.”
Canting languages are interesting because they’re a playground for language, intended to obfuscate as well as communicate. One thing cants have in common is that, almost by definition, they’re a direct channel for communication. The meaning is hidden in the way they use language, obfuscating the intended meaning behind words that are used in unusual ways or behind invented words, but they’re still direct communication; as long as the sender and receiver know the meanings of the words as they’re used, the communication is straightforward.
My Talespinner and I have finished the third draft of our far-future, post-Collapse magical realism literary novel, so we’ve set it aside to percolate before we return to the fourth draft. In the meantime, we’ve started a new novel, this one a hyperurbanized retrofuturist court-intrigue gangster noir, set in the fictional city of Bander Lautan, kind of a mashup of Hong Kong and Singapore but in an archology that’s basically completely enclosed from stem to stern, but not, like, in a deliberately planned way; think Singapore’s Interlace reimagined as a sort of hotel/convention center on steroids that just so happens to have a population of eight million souls.
The protagonist, Indah Tam, is a gangster, a member of an all-woman organized crime gang that calls itself Warisan Kita (“our legacy”), divided into clans called kongsi. Her particular clan, Taman Kongsi (Garden Clan; informally, taman wanita, garden of women), is one of five kongsi operating in Bander Lautan. (Why all women? Because men are far too emotional for this life, of course. Men will go to war over something like “honor” or some personal insult, the poor dears. They just don’t understand why that’s bad for business.)
Indah is a “Diplomat,” a euphemistic title meaning her job is primarily concerned with dealing with other kongsi and with law enforcement. This sometimes requires actual diplomacy, but a kongsi’s Diplomat is also the tip of the spear, something like the gangland equivalent of the Culture’s Special Circumstances; she handles everything from skulduggery of various sorts to espionage and counterespionage to dirty tricks to sabotage to assassination. In the world of Warisan Kita, the Diplomat is the knife.
Indah Tam, Diplomat of the Taman Kongsi.
The language of Bander Lautan started as a pidgin, then a creole of Malay, Penang Hokkien, and Indonesian. It has a ton of loanwords from Malay and Hokkien, with a smattering of Singlish (which is itself a creole of Malay, English, Hokkien, Cantonese, Mandarin, and Tamil).
Kitty and I decided early on that the language of Bander Lautan, which we still haven’t named, would be atonal. We flirted briefly with the idea that it would have a gestural component that served the same function as tones in a tonal language, but abandoned it as unworkable. If you can’t see the person you’re talking to, the “tonal” component is lost.
What we did instead is give the Warisan Kita a cant, but the cant is gestural. Subtle gestures modify the words being said, negating them, inverting them, or in some cases changing the meaning entirely. Each kongsi has its own particular library of gestures and what they mean, but regardless of the individual gestures, the idea is the same: to prevent conversations from being understood by eavesdroppers.
The gestures address one of the weaknesses of a traditional cant: if a conversation is recorded, which is highly likely (Bander Lautan is a high-surveillance society), the recordings can’t be decoded even if someone who knows the cant is brought in to listen to the recording, or if law enforcement should happen to crack the code. You need a recording of the spoken words and its accompanying gestures, which is more difficult to do by, say, wearing a wire.
This isn’t technically a canting language, because in a conventional canting language, communication takes place in an overt channel, it’s just that the main communication channel is obfuscated to prevent an eavesdropper from understanding it. As long as the speaker and listener both understand the cant, communication is no different from any spoken language.
With the cants of the Warisan Kita, communication is sidechannel. The gestures modify the meaning of the words being spoken; a listener unaware of the gestural part of the language gets one meaning, an insider who understands the sidechannel gets a completely different meaning.
It’s been a ton of fun to develop this system. To my knowledge, there are no real-world examples of canting languages that work this way.
I am more active on Quora than any other social media site. I’ve been there since 2012, in which time I’ve written over 66,000 answers that have received over 1.3 billion views.
It’s no secret that the site has gone steeply downhill recently, with wave after wave of scammers and, now, ch*ld p*rn profiles growing like a cancer on the site. I recently wrote a very long answer about why that is, and how Quora’s policies and procedures basically rolled out the red carpet for people selling ch*ld p*rn (there are now a number of organized CP rings active on Quora). Quora deleted that answer, so I’m re-posting it, with expansions and addendums, here.
If you read this on Quora before it was deleted, feel free to skip to the end, where I’ve added new material.
Why is Quora allowing itself to become a spam and porn site? There are lots of real porn sites without corrupting what used to be an intelligent debate forum. Also, too much scammer spam. Why aren’t the moderators doing their job?
The moderators aren’t doing their jobs because, and I say this as someone who has interacted with many moderators and high level admins and had many lengthy conversations with them, because they cannot.
I don’t mean they can’t as in they don’t know how to…well, no, that’s not true. Some of them don’t know how to.
Sorry, this answer got really, really, really long. It’s my analysis of the many failure modes of Quora leadership and moderation based on hundreds of interactions with Quora employees, moderators, and administrators, including cofounder and CEO Adam D’Angelo, about tens of thousands of Quora scammers and spammers. It’s also based on multiple security issues and bug reports I have made to Quora, and what happened after, and on being stalked, doxxed, and harassed on quora (and having my father and my wife doxxed and harassed on Quora), and what happened after.
But you asked, so here we go.
*** CAUTION *** CAUTION *** CAUTION ***
This answer is my opinion, based on my experiences with Quora. I do not work for Quora (well, I might as well do, with all the bug reports and reports of scammers I send them, but I’m not paid for it), I have not seen Quora’s back-end code, and I don’t have any insights into Quora’s management beyond my personal interactions with Quora admins. So take this with a grain of salt.
Problem 1: Absent Leadership
Let me start at the top. I’ve met Adam D’Angelo in person twice at Quora-sponsored events. In person, he comes across as an introverted, painfully shy dude with limited or no theory of mind and no real understanding of how social media works. Stick a pin in that, we’ll come back to it in a bit.
These days, he’s an absentee landlord. He’s on the board of directors of OpenAI, and pays very little attention to Quora these days.
And yet, at the same time, I’ve talked to Quora mid-level employees who have expressed frustration that they would love to implement technical solutions to address some of the worst problems they see with scammers and spammers, but they can’t do so without sign-off from upper management, which is pretty much absent. That’s one problem. Quora is, from a leadership perspective, a rudderless ship, adrift without a captain.
Problem 2: No built-in anti abuse defenses
I run a very small Mac troubleshooting forum, and I also run half a dozen blogs. All of those sites have simple anti-abuse measures like flood control, dupe control, and username control. That means I can, for example, ban creation of certain usernames. That means, with the click of a button, I can stop this from happening:
And I can stop this from happening:
Quora can’t.
These are all user profiles that are active on Quora right now. Quora literally lacks the capability to block usernames with certain words or phrases. It was never part of the codebase from the start.
Quora also cannot do dupe control (flagging or blocking when a user posts the same word for word identical content over and over and over) or flood control (flag or block when one user posts 80 times per second, which obviously means a spambot and not a real human being).
In 1997, I ran a forum for a few years that had automated, built-in username filtering, dupe control, and flood control.
In 1997.
This is what I mean when I say that Adam D’Angelo has no understanding of how social media works. He was the CTO of Facebook, and he does not have the slightest clue how people use social media, how people interact with social media, or how people abuse social media.
Problem 3: Buggy code riddled with security holes
In December 2018, hackers penetrated Quora using significant security holes and stole the entire Quora user database. They got everything, including passwords, because Quora stored the user passwords in plain text, not encrypted, on disk.
This is Security 101. You never, ever, ever, ever, ever, ever store passwords in plain text. The way every site, and operating system, stores passwords, and has since 1976, is you store passwords encrypted. When someone types a password, you encrypt it, then compare it to the encrypted password on disk to see if they are the same.
I had a TRS-80 as a kid in the 70s. It let you lock files on floppy disk with a password. It stored the password encrypted on disk so someone with a disk editor couldn’t find it.
Quora did not. Quora, a site with hundreds of millions of users, stored everyone’s password in plain text.
If that makes you deeply worried about Quora’s approach to security, you should be, because…
Problem 4: Quora’s codebase is an insecure mess
Quora has no Chief Security Officer. Quora’s codebase is riddled with security flaws, in part because they insist on writing their own code to do everything rather than using public libraries, and Quora’s developers from the earliest days onward did not know about and did not think about security. (See Problem 3. Nobody stores 100,000,000 users with plain-text passwords. Nobody.)
I have personally reported several security vulnerabilities that were actively being exploited to Quora. I’ve never heard back except for a bland “thank you for your bug report, we will pass it along to our developers.” In at least one of those cases, I saw the vulnerability being explited months after I reported it.
The vulnerabilities I reported all had to do with flaws in the way Quora handles Unicode.
Brief (I hope) technical digression about what that means: “Unicode” is a way to represent text characters. Computers were largely invented in the US and Britain, so they started out being able to understand only the uppercase and lowercase Latin alphabet, numbers, punctuation, and some special contol characters. That was it.
That means that for the first decades of the computer revolution, you could not type
Naïve
or
美丽
or
товарищ
For decades, you typed unaccented Latin characters or you typed nothing. No accented characters like the ï in naïve, no Cyrillic, sure as hell no Chinese.
Unicode was a system developed in the late 80s/early 90s to extend the old way that computers represented text, to allow for everything from accents to foreign-language alphabets to idiographic text to, later, “emoji” like 😮 and ✅.
The problem is that it had to be backward compatible with the old way to represent text or else every single computer program on earth ever written in English text would not work with the new system.
So the answer was a new way to represent text and symbols that still worked with the old system but added onto it to allow support for millions of characters, but that would still show old-fashioned characters right.
As you can imagine, Unicode is massively complex. Massively. Like unbelievably bogglingly complex.
Lots of people have written free open-source libraries for handling, storing, retrieving, and displaying Unicode. Quora refused to use them.
Instead, Quora wrote its own Unicode handling software. The thing about Unicode is that some characters are just represented by one-byte numbers (the uppercase letter A is represented by the number 97, or 61 in computer hexadecimal (base-16) numbers) and some are represented by two bytes (the lowercase a with a grave accent, à, is represented in Unicode as U+00E0), and some characters are represented as a list of instructions (basically “draw this letter and make these marks over it). Each mark is represented by a series of numbers.
That means that some Unicode combinations are illegal, not allowed, they don’t produce anything. These are called “invalid character sequences.” Invalid sequences are supposed to be detected and print as �.
Quora doesn’t do this. Because of bugs in how Quora handles Unicode, some invalid character sequences aren’t detected as being invalid. This is how trolls can create usernames that do not show up on Quora and can’t be clicked. If you see a troll answer where the name of the person who wrote the answer is just a blank, there’s nothing there, the troll is exploiting a flaw in Quora’s home-grown Unicode.
Worse, you can smuggle commands to Quora’s software by packaging the commands inside of invalid Unicode. This is similar to SQL injection but instead of wrapping the command in quote marks or SQL comment strings you wrap the commands in broken Unicode.
I’ve reported two different Unicode injection vulnerabilities to Quora. One of them was still actively being abused months later.
Problem 5: Quora does not take security or abuse seriously, and so Quora has become one of the favorite places for scammers and hackers on the Internet
Right now, Quora is struggling with a massive, staggering influx of people selling child abuse images.
I typically report anywhere from 100 to 300 or more romance scam and child abuse accounts to Quora every single day. I log and track every account I report. Yesterday I reported 164 accounts. 33 of those were offering child abuse images for sale, 23 were offering preteen child abuse images for sale, and 3 were offering toddler child abuse images for sale. I spend about an hour a day doing it and it makes me sick to my stomach but I cannot, I cannot stop doing it. I’ve tried. I just…I cannot see it and not do anything.
There is a site called Black Hat World. It is a site where scammers, spammers, computer virus distributors, ransomware distributors, child abuse sellers, and other scum and vermin get together to talk about ways to make the world a shittier place.
I sometimes read Black Hat World. They talk about Quora a lot on Black Hat World. They exchange tips and techniques for running scams and selling child abuse images on Quora. There are at least four organized child abuse rings operating on Quora right now [edit: five, I’ve found another], in addition to all the various random independent child abusers running on Quora.
Black Hat World loves Quora because of its combination of poor security, weak or nonexistent automated controls, and lax, permissive moderation. There are tutorials on Black Hat World for scammers and spammers wanting to do their thing on Quora. Actual step by step tutorials.
This all started because of this woman:
Well, not directly because of her, it wasn’t her fault.
This is Paige Spiranac.
Ms. Spiranac is a pro golfer and a model. Almost exactly two years ago, a romance scammer arrived on Quora and used stolen photos of Ms. Spiranac to run his romance scams.
I saw the account and reported it to Quora.
Nothing happened.
I reported it again.
Nothing happened.
I reported it a total of eleven times.
Nothing happened.
I emailed Ms. Spiranac’s agent and said, “hey, just so you know, your client’s identity has been stolen and her photo is being used as part of a romance scam operation on a social media site called Quora, here’s the profile that is using her photo.”
The next day I got a very polite email from Octagon Agency, the company representing her at the time, thanking me for my email. The day after that, the scam account was taken down, I assume because Ms. Spiranac sent Quora a legal DMCA takedown order.
But it was too little too late.
The scammer running the account ran to Black Hat World and was like “hey, everyone, there’s this site called Quora that permits romance scammers!” and the floodgates opened.
Now here’s the thing:
Any site that allows romance scammers will get flooded with romance scammers, obviously. But as the concentration of romance scammers rises, pretty soon there are tons of scammers competing for the same pool of lonely, gullible victims.
So the scammers start specializing. A new wave of scammers arrives who try to scam people with very specific tastes. They’ll pretend to be trans women to appeal to trans chasers. They’ll pretend to be BDSM dominants to try to scam thirsty, gullible subbies. They’ll pretend to be foot fetishists to appeal to people with foot fetishes.
If that second wave goes unchecked, then the third wave arrives, people who pretend to be underage children in order to appeal to…well, you know.
If that third wave goes unchecked, the child abuse rings are like “oh my God this site permits romance scammers that pretend to be children, we have free reign” and the fourth wave is people selling child abuse images.
This is exactly what played out on Quora.
It took about eighteen months between that one scammer going to Black Hat World and saying “hey everyone, run your scams on Quora” and the child abusers arriving in force.
There’s a lesson here: If you run a social media site, and if you do not crack down immediately and hard at the first sign of romance scammers, you will, you will attract child abusers. It’s inevitable.
At this point, Quora cannot keep up. Of the four child abuse rings I’ve seen here, each makes on average about 20 new profiles a day. You can tell who they are because they all use the same contact information for purchasing their child abuse images. You can tell they’re using bots because they all use word for word identical profiles, the same usernames, and the same images over and over again.
Remember Point 2: No built-in anti-abuse measures. Quora has no automated way to detect identical profiles, nor to block or flag based on certain usernames or certain strings in the profile descriptions. That means Quora moderators are having to do manual searches.
And they’re bad at it. Say a child abuse ring uses the name “Tina.” (This is an example; to my knowledge, they don’t.) They’ll use a bot to create identical profiles over and over. They might, for example, be
Quora moderation will ban Tina-1209 and Tina-1211 but leave the others, because you have to do a hand search to find the others and it’s tedious.
That leads to two more problems:
Problem 6: Quora’s back end tools are badly broken
I’ll give you an example:
On my own Quora space, I will often write about the child abuse profiles I report to Quora. These posts often get deleted by Quora moderation.
If Quora would delete child abuse profiles as aggressively as it deletes Spaces posts about child abuse on Quora, we wouldn’t be here, but moving on:
When Quora moderation deletes a post in a Space, when I appeal, there’s a little dance I have to do.
Quora will usually send an answer that says “We cannot undelete this content because a Spaces admin deleted it.”
Then I send back “no, you deleted it, look at this” with a screenshot that clearly says Quora deleted the post.
Then I get an answer that says “we’re so sorry, our back-end administration tool shows that you deleted the post, it’s a bug in our moderation tools, we will undelete it” and they fix it.
I’ve done this over. And over. And over. And over.
They know there’s a bug in their moderation software, one that wrongly displays to Quora moderators that a Spaces post that was deleted by Quora was actually deleted by a Space admin.
You have to keep reminding them about this bug over and over because different employees handle the appeals and each employee doesn’t know about the bug so you have to tell them “look closer, there’s a bug in your software” and they’re like “Oh! Look at that, you’re right!”
They have never fixed the bug.
They have never trained their staff that the bug exists.
Every time, you’re starting from scratch because this poor training means Quora has no institutional memory of the flaws and bugs in their own site administration software.
This same sloppy, shoddy approach to their back-end tooling exists at every level of the Quora stack from top to bottom.
For example, a few days ago I went through another little dance with Quora moderation. I had an answer deleted for spam. Then I appealed, and it was undeleted. Minutes later, it was deleted again.
10:36: I got an email saying they’d looked at the answer and decided it wasn’t spam. 10:38: They undeleted it. 11:03: They deleted it again.
I appealed again and it was undeleted again. This morning, it was deleted again.
Quora’s tools have no provision for a human moderator saying “Quora moderation bot, we’ve looked at this answer, it’s fine.”
That costs Quora money, because every time this happens, a Quora moderator has to stop what he’s doing, check the answer again, and undelete it again.
There are a ton of other, more subtle flaws, too.
After Quora deletes a child abuse profile, they sometimes delete the profile description, which usually contains an address to buy child abuse images, and sometimes they do not; the profile will stay deleted by the profile description advertising child abuse images for sale, and the address to buy them, will remain.
I asked a Quora admin about this. I got a replay telling me it was a problem in their moderation tool and they’re “aware of it and working on it.”
What’s worse is that they never delete the profile Credentials, so the child abuse rings have learned to put the ads for child abuse images inside the credentials, where they remain visible even if the profile is banned.
I wrote a rather angry email to Quora admins about this and here’s what I got back:
Here’s the thing:
This is wrong. This is not correct. You do not have to visit the deleted profile by a direct link to see this. The screenshot above is not a direct link to the profile. A deleted profile’s credentials remain visible in countless places through Quora, including in other users’ Followers and Following lists.
Quora’s own admins and moderators DO NOT KNOW HOW QUORA OPERATES.
I don’t believe this Quora employee was trying to lie to me. I believe this Quora employee honestly, seriously doesn’t understand how Quora’s software works.
Problem 7: Quora’s moderators are incurious and not proactive, probably because they’re overworked and underpaid
Say you report a profile like Keanu-Reeves-359 for impersonation.
Quora admins will delete it. What they will not do is say “oh, if there’s a fake Keanu Reeves #359, I wonder if there is a fake Keanu Reeves #358. And a fake Keanu Reeves #357. And a fake Keanu Reeves #356.”
Nope. They will delete Keanu Reeves #359 and move on.
This is especially bad with the child abuse profiles.
If you report two profiles, one a child abuse profile that is using the name Tina-1208 and another, created a few milliseconds later and identical to it called Tina-1209, they won’t go “huh, a bot is making child abuse profiles one right after the other like a machine gun. I better look at Tina-1207 and Tina-1210, too.”
Nope.
They also don’t stop and ask themselves what profile names mean if they aren’t in English.
I reported this troll profile 7 times. The first time I reported it, it was banned a few hours later. I reported it six more times after it was banned because, well, see for yourself:
Quora policy forbids hate speech in usernames. When a profile whose username contains hate speech is banned, Quora is supposed to delete the username as well.
Which they usually do. If the username is English.
Six more times I reported this profile, explaining what the username means in English. Six more times they did nothing.
Why did I keep reporting it after it was banned?
Finally, finally, after seven reports, finally, after I emailed my Quora contact directly with a screenshot of the user profile AND a screenshot of Google Translate, finally Quora removed the username:
Quora is totally fine with a username “We Must Exterminate the Jews”…as long as it is not in English.
These problems, broken tools and incurious admins, arise from the next problem:
Problem 8: Quora has no money for, or apparently interest in, paying moderators, hiring developers, or fixing the toolchain
Quora started out with no revenue model. When Quora was first founded, it was pitched to investors as a site that would collect and distill human knowledge and make it searchable.
In 2019, it had a valuation of $2 billion.
Then ChatGPT came along and overnight iQuora lost three-quarters of its valuation, from $2 billion to $500 million, because investors were like “why would someone ask Quora if they can ask ChatGPT?”
That’s why Adam D’Angelo pivoted to AI and why he now sits on the board of OpenAI. It’s why Quora is a rudderless ship.
In 2021 or thereabouts, Quora started to run out of money. With the advent of LLMs, the venture capitalists didn’t see the value in Quora anymore. Its valuation collapsed by 75%. The VCs closed the money spigots and Quora was left to sink or swim on its own.
Quora responded by…
…firing the moderation team.
Adam is pitching an AI moderation bot for sale to other social media sites.
This AI moderation bot cannot look at usernames and ban based on users calling themselves Keanu Reeves or Elon Musk.
This AI moderation bot cannot say “this Telegram username is associated with a seller of child abuse images so I will flag or delete posts where this Telegram username appears.”
This AI moderation bot cannot automatically spot and ban profiles called “Fuck All N—-rs.”
Quora keeps trying to train their AI moderation bot to spot things like fake Keanu Reeves profiles or child abuse profiles using LLMs or whatever because once you’ve scaled to hundreds of millions of people and billions of posts, it becomes difficult to add basic features like flood control or username filtering after the fact.
They could do it, but it would be expensive, so they’re left trying to fine-tune their recipe for chicken cordon bleu while the entire kitchen burns down around them.
I’ve had so many conversations about the romance scam problem and the child abuse problem with everyone from frontline Quora employees to high-level Quora admins and I 100% believe that nobody, nobody at Quora, nobody understands the scale of the problem, nor how hard it is to get rid of these people once they’ve established a presence.
I actually have more to say, there are at least three more points in my head I could make including a significant worldview issue on the part of Mr. D’Angelo, but I’ve already spent hours on this answer and it’s way, way longer than a Quora answer should be.
If you’ve read this far, congratulations! Welcome to my world. As a user who genuinely loves Quora, it’s disheartening and kind of sickening.
I do love Quora. Quora’s been good to me. I’ve met so many people who have become personal friends in the real world outside Quora. I’ve met a lover and co-author here.
But it’s getting harder and harder to stay. I reported a string of profiles selling child abuse images of toddlers—toddlers!—yesterday and it made me want to throw up. When I was done I had to leave the house and go to a coffee shop to get the stain out of my head. It’s wearing me down and I still can’t stop, because if I’m not reporting these, who is?
tl;dr: Quora was founded by someone who doesn’t understand computer security or social media. Quora has never, ever been proactive about preventing abuse. As a result, Quora never implemented the most basic front-line security or anti-abuse measures, measures that were available in free open-source software in 1997, and now lacks the resources to address the problem.
Quora’s own employees also don’t understand Quora itself, their own software, or the scale of the problem in front of them.
I’ve saved this post. In the event Quora deletes it, which I put at about a 50/50 chance, I will make it available on my blog.
So that’s the Quora answer.
After I posted this, it was deleted by Quora admins, then undeleted, then deleted, then undeleted, then deleted again. As I type this right now, it’s still deleted, but I’ve filed another appeal so it will be interesting to see if it gets undeleted again.
Whilst it was available, several folks asked if I would expand on the part where I said I have more points to make, so here they are:
Problem 9: Quora’s algorithm is broken
Like most social media sites, every Quora user sees a different feed. There’s too much content to show anyone the firehose directly, so the Quora algorithm listens to your interactions to learn what content you want to see. For example, if you downvote content, Quora tries to show you less of that kind of content. If you upvote content, Quora interprets that to mean you would like to see more like that. The more you interact, the more Quora tunes your feed.
Trouble is, Quora sometimes gets its wires crossed.
Quora interprets downvoting and muting as negative signals, and commenting and upvoting as positive signals. But bizarrely, it interprets using the Report feature to report users or content as a positive signal.
If you report lots of romance scammers, you start to see more and more romance scammers. If you report spammers, you see more spammers.
Even worse, Quora sends customized “digests” in your email. I get a digest full of stuff that Quora thinks I might like to see in email every day. Usually it’s full of answers on topics like science or linguistics or computers or math.
Lately it’s been full of romance scammers.
I want you to take a step back and let the magnitude of that sink in. Quora sends out romance scam content in emailed digests. Today’s digest included nine pieces of content. Three of them were romance scam posts.
Problem 10: Quora is remarkably tolerant of sexual abuse
Amazon AWS is one of the largest Web hosts and storage engines on the planet. A staggering amount of content, including Quora itself, runs on AWS.
Whatever you may think of Amazon (and there’s plenty to dislike about Amazon), Amazon is fanatical about dealing with ch*ld p*rn. Amazon despises child abuse.
Amazon donates a tremendous amount of money, millions a year, to support the National Center for Missing and Exploited Children (NCMEC).
Amazon maintains an internal team, separate from their normal abuse team, to deal solely with reports of child sexual abuse on their networks.
Amazon, as a matter of policy, logs and tracks every single child abuse report it receives. This information, again as a matter of policy, is forwarded to Amazon contacts within the FBI, and to NCMEC.
Amazon maintains a database of child abusers, and hashes of child abuse images, which it makes available to law enforcement.
Amazon does not fuck around when it comes to child abuse. They have an ultra-strict policy, and they will strike down with great vengeance and furious anger anyone who uses their network for child sexual abuse. Hosting CP on Amazon is like calling down a targeted missile strike on your own location.
Quora, which is hosted on Amazon AWS…does not.
If you create a profile, or five profiles, or a hundred and fifty profiles, on Quora offering child sex abuse materials for sale, Quora will (well, I say will, Quora might) ban your account. It will not do anything beyond that.
The sellers of child abuse materials on Quora know that they need fear no repercussions beyond having their accounts banned…and maybe not even that. They operate brazenly and boldly on Quora, even posting profiles that literally say “CP for sale here, all ages available!”, because they know nothing will happen to them.
Why the pizza emoji? The slice of pizza emoji has become something of a universal signifier of those selling child abuse images. CP: Cheese Pizza. CP: Ch*ld P*rn. Get it?
How did Quora get here? What systemic failures led Quora to be the Internet’s hotspot for romance scammers and ch*ld p*rnographers?
Problem 11: Ayn Rand
Adam D’Angelo, Quora’s cofounder and absentee CEO, is the kind of Big-L Libertarian who mainlines Ayn Rand directly into his veins.
He’s one of those techbro Libertarians who believes, I mean really truly believes, that the solution to bad speech is more speech, as if more speech is a magic wand that somehow magically erases bad actors, scammers, spammers and ch*ld p*rnographers.
His fundamental worldview is one where acting against any speech, even “we have pictures of toddelers being raped and would you like to buy them?”, is anethema.
I believe this is why Quora has no built-in mechanisms to prevent any Tom , Dick, and Harry from creating an account called “Elon Musk” and putting up posts offering free Bitcoin if you just deposit money into an account to, you know, pay for “fees.” It’s why you can create an account called Keanu Reeves or Sandra Bullock and the system will just let you do it, because hey, we wouldn’t want to risk the real Keanu Reeves making an account and running into some kind of barrier, right? It’s why there are thousands of fake Keanu Reeves and thousands of fake Elon Musks and so on, and why Quora’s moderation, what’s left of it, is purely reactive and not proactive.
The problem is, we’ve seen over and over and over again that this approach does not work. It’s empirically not true. But it’s a religious idea among a certain kind of techbro; they want it to be true, so they treat it as Revealed Gospel, never to be questioned.
After not releasing any new books in 2025, I have two advance review books available for 2026. Both these books come out midyear this year, and I’d love to find folks interested in reviewing them.
The first one, The Temperance Engine, is…um. I’m…um. I’m not sure what it is, and I co-wrote it.
It’s kind of an erotica novel (there’s a lot of sex in it). It’s kind of a historical satire. It’s kind of science fiction, sort of. It has elements of steampunk, maybe? It’s sort of a coming-of-age story, I guess, maybe.
The story is set in modern-day Buffalo, New York, and 1870s London. Odd-numbered chapters follow a group of college friends when one of them inherits a house from a relative he didn’t know he had. They find a diary and a hidden mad science lab in a boarded-up section of the basement. The even-numbered chapters, told through the diary they find, follows a London doctor in 1869 obsessed with finding a cure for the mental illness of furor uterinus, also known as “nymphomania,” and details his efforts to build an apparatus that would cure this dread condition.
The college students decide to replicate some of his experiments, for reasons of their own, and in the process discover some things about their own desires they didn’t previously know.
One rather clever person on social media describes it as “steamypunk,” which I suppose is as good a term for it as any.
The second book, Spectres, is much more straightforward; it’s an anthology of supernatural erotica, but with a new spin (no stereotypical vampire porn or ghost porn here!). It contains thirteen stories ranging from short fiction to full novellas, including stories about heartless gods, an archaeologist possessed by the spirit of a long-gone Hittite priestess, alien invasion, a very special hotel that’s visited once a year by a pair of Assyrian lovers, and more.
I have ePubs and a limited number of paperback ARCs available. If either of these books sounds like your jam, let me know!
I just sent a very long email to a contact I have at Quora admin, with a cc to Quora’s legal team and the founder/CEO’s personal email address.
I suppose I should have known it was coming. In January od 2023, almost exactly two years ago, I saw my first romance scam account on Quora. It used a photo of golfer and model Paige Spiranac to try to separate lonely men from their money. I reported the profile to Quora moderation 11 times, without any result, so finally, on January 22, 2023, I emailed Ms. Spiranac’s agent. I received a polite reply on January 23, and the bogus profile was banned on January 25, so I assume Ms. Spiranac’s team sent a DMCA takedown.
Too little, too late. The message came through loud and clear: “Quora has weak moderation that is tolerant of romance scammers.”
The floodgates opened. Today, Quora is the Internet’s Ground Zero for romance scammers; there are tens of tousands of fake profiles. I report every one I encounter. A few months back, Quora admins asked me to stop reporting them one at a time, so now I note the profile URLs and report them all in one go at the end of the day, typically 200-300 a day.
Universal law of social media:
Every site that doesn’t take action against romance scammers inevitably becomes a ch*ld p*rn site.
It happens in stages.
First, a romance scammer discovers a site. He (almost all romance scammers are “he”) sets up a profile. It doesn’t get banned. He tells his buddies, who also set up scam profiles. Word spreads.
Pretty soon, there’s a huge number of romance scammers, all fighting for the same pool of lonely, gullible marks.
They start “sniping:” one scammer will start commenting on other scammers’ profiles, trying to cut in on marks who respond to scam posts. They start angling for niche marks rather than shotgunning a general approach: some will pretend to be trans women, some will pretend to be heavy women to try to attract “chubby chaser” marks; some will pretend to be BDSM dommes, looking for kinky marks.
Then come the ones using stolen photos of underage children.
If those profiles remain without getting banned immediately, that sends a signal to the ch*ld p*rn community: This site is tolerant of exploitation of minors.
That’s when they move in: people offering CP/CSAM images for sale. They use all kinds of euphemisms: “cheese pizza” (CP), “hot yummy pizza images.”
At first, these are individual low-level sellers. If these accounts remain without being banned, then the organized CP rings move in.
That’s the background.
This morning, I set a lengthy email to my contact in Quora administration. I sent a cc to Quora’s legal team and to Quora’s CEO.
In the past few weeks, the number of profiles openly advertising CP for sale has skyrocketed. Yesterday, I found three organized CP rings operating scores of profiles on Quora.
I call these CP rings the “Evelyn ring,” the “Mornay Ivan” ring, and the “Purple Knott” ring, because of the profile names and the Telegram addresses they use. Out of respect to the victims whose images are being exploited, I’ve pixelated and blacked out the images of the victims; the CP profiles don’t.
The “Evelyn” ring:
The “Mornay Ivan” ring:
The “Purple Knott” ring, which seems to specialize in child bestiality:
Every day I report these. Every day Quora bans most (not all) the accounts I report. Every day there are more. Even though these rings create identical profiles with identical content.
Being stalked on Quora didn’t put me off the site. Getting death threats on Quora didn’t put me off the site. Being doxxed on Quora didn’t put me off the site. Having my content plagiarized didn’t put me off the site. This? This might put me off the site.
I have an intellectual property attorney, the wonderful Leonard Duboff of the Duboff Law Group, who I recommend without hesitation to anyone in need of an IP attorney; he’s awesome.
When I first received a demand email from Copytrack, I knew instantly it was a scam; they were complaining about an image that I licensed from Depositphotos, with whom I have a subscription. I informed them I was represented by counsel, gave them my lawyer’s contact information, told them I would not be acknowledging any additional complaints that did not come through my attorney from a lawyer who was a member of the Oregon Bar Association and licensed to practice law in the state of Oregon, and assumed that would be the end of the matter.
David Attenborough voice: “That was not, in fact, the end of the matter.”
Copytrack continued to bombard me with fake copyright claims, in violation of Oregon RPC 4.2, which forbids opposing counsel from contacting anyone represented by an attorney.
Copytrack is clearly, egregiously, grossly, and repeatedly in violation of Oregon RPC 4.2, so I have shifted track.
I sent them a notification that as they were in violation of RPC 4.2, for each individual email they sent me, I would invoice them the sum of $1,800 US.
They emailed me again. I sent them an invoice for $1,800.
This morning, I woke to an email from a Copytrack lawyer telling me he didn’t think they should have to pay me in order to contact me.
I reminded him once again that I am represented by counsel, that by contacting me directly he was in violation of Oregon RPC 4.2, and…
…sent him another invoice for an additional $1,800.
For the record, I’m not joking. It is absolutely my intent to collect on these invoices, using all available avenues to the full extent of the law. If these fuckers think they can scam people out of money with fraudulent copyright requests, I intend to give them a nose full of bees.
Computer history buffs will recognize it immediately. It came to market just before Steve Jobs returned to Apple, and was built around multiple PowerPC processors. It ran an operating system called BeOS, which was neither Windows nor macOS compatible, but was totally its own thing—a vaguely sorta Unix-flavored thing that also was not Unix and could not run Unix software.
The BeBox was unveiled with a splash at MacWorld Boston in 1996. I was there when it was announced, on a stage in the exhibit hall, with snazzy music and lights and a general dog and pony show. Be wanted to sell hardware but also license BeOS, so they showed off the computer, and BeOS running on Mac clones, which were still a thing back then.
I remember it quite clearly, because I made the presenter a bit angry.
After the presentation, he opened the floor to questions. So I, being the smartass I am and also a bit annoyed at the predictability of the crash and burn that was to come, raised my hand and said “How long until you realize there’s no room in the personal computer market for a new hardware platform between Wintel and Apple, stop selling hardware and pivot to a software-only company, and then go out of business?”
I got some laughs and some grumbling from the audience, and an angry scowl from the presenter.
Computer history buffs know how the story ended, of course.
In 1997, Be Inc. announced that it was wrapping up production of the BeBox computer, and would henceforth be a software-only company, licensing BeOS to others. They sold a few licenses to Power Computing and tried to get Apple to buy BeOS to use as the basis for the next-generation macOS. Apple passed, instead buying NeXT and using its operating system, NeXTSTEP, as the core of their operating system, which they called OS X.
In 2000, Be stopped trying to compete as a desktop operating system and pivoted to BeIA, an embedded version of BeOS for Internet appliances and embedded systems. In 2001, Palm Inc. bought Be Inc. to use BeIA for its PalmOS devices. In 2003, Palm Inc. spun off its PalmOS group as a different company, PalmSource. In 2004, PalmSource announced PalmOS Cobalt, built atop BeIA, which was built atop BeOS.
It went nowhere, so in December 2004, PalmSource abandoned PalmOS Cobalt and bought a Chinese Linux firm, building yet another Palm operating system atop Linux that also went nowhere.
PalmSource, which is now kind of still in existence under the name Access Systems Americas, still owns BeOS to this day. BeOS is no longer available, but the open source community is working, slowly, on Haiku, an operating system that looks like BeOS and will run all seven or so BeOS applications ever written, because…well, I honestly don’t know why they’re doing it.
I spend a certain amount of my time each week tracking down spammers, scammers, and phishers. I use a lot of tools for this: Spamcop, wget, other things. One of the tools I occasionally use is the suite of site reputation sites all over the internet, sites that can tell you how long a particular domain has been in use, whether it’s blacklisted anywhere, the site’s overall reputation score.
Occasionally, because I’m curious, when I find myself looking up a site’s reputation score, I’ll look at my own sites’ scores, just because.
So it was that I looked up xeromag.com on one of these sites, when lo and behold:
Just for the record:
No part of xeromag.com uses AI generated text. It’s all written by me, most of it years (or decades!) before LLMs and genAI were even a thing. I first set up Xeromag on January 4, 1997, a time long before ChatGPT was a gleam in Sam Altman’s eye.
In fact, Xeromag has been scraped by genAI bots, which probably explains why AI checkers think it’s AI generated; AI LLMs were trained on what I wrote on Xeromag.
And on my books as well; I’ve been informed by lawyers for the class-action suit against Anthropic that several of my books were fed into the devouring maw of Anthropic’s LLM, as a result of which I’m apparently due thousands of dollars in settlement money if and when the courts approve the settlement.
There’s something deeply offensive about pouring decades of effort into writing, only to have your writing lifted to train AI models, then be accused of using genAI because, well, the AI models produce output that looks like yours, on account of, you know, being trained on your words.
(In fact, most LLMs know me by name; as an experiment, I went to Gemini and asked it to explain fluorine chemistry in the style of Franklin Veaux, which it did, though rather more, I think, in the style of a high school student who read some of my stuff once and tried to mimic it.)
By way of comparison, here’s the real deal:
So, to be clear:
I wrote this blog, every word of it, without the use, direct or indirect, of genAI.
I wrote all my sites, every word of them, without the use, direct or indirect, of genAI (as a trip to the Wayback Machine will show; much of the content on all my sites predates ChatGPT and its ilk).
I am, as one might gather, getting a little sick of people and, now, machines telling the world I am something I’m not.
I have added “Not by AI” tags to my blog and I’m in the process of adding them to my other sites as well.
My mom died just over two years ago. She and my dad were together for most of their lives; they married young, right out of uni, and stayed together until she died.
Since then, my dad’s tried to get back in the dating game. He fell prey to a romance scammer, so I’ve spent quite a bit of time and effort over the last year trying to teach him how to spot romance scam accounts.
About the same time, Quora, a site I am on frequently, became buried in an absolute tsunami of romance scammers. A combination of lax moderation, poor site design, and weak defenses against spam makes Quora pretty much Ground Zero on the Internet for romance scammers; you’ll find more of them on Quora than you will even on dating sites.
This is fairly typical of a romance scammer account on Quora. There are tens of thousands of these accounts; this particular one is using a stolen photo of porn performer Violet Starr. Romance scammers often use stolen photos of celebrities, porn stars, OnlyFans models, and Instagram models in their fake profiles.
I spend about half an hour to an hour a day reporting romance scam accounts on Quora, typically between 150 and 200 a day. On a light day, I’ll only report 100 or so; on heavy days, I’ve reported 300 scam accounts in a single day.
I know it’s a bit like holding back the tide with a broom, but Quora’s been good to me; I’ve met many friends and even a lover and co-author on Quora, so I try to do what I can to make it a better place than I found it.
I am planning to write an essay about how to spot romance scammers.
This is not that essay.
Instead, I want to share an observation I’ve made. I think romance scam accounts are painfully obvious, and easy to spot; they all basically have the same shape, the same feel. You can even oftentimes spot what country the romance scammer is in by the way they mangle English, because nearly all romance scammers do not speak English as a first language.
For example, “Hello dear” and “Kindly let’s” are tipoffs to scammers in India. In fact, Indian scammers loooove the word “kindly” and use it everywhere. Forgetting to use first person pronouns is something you usually only see in Nigerian scammers who speak Yoruba as a native language. “I need urgently” often means Myanmar. Leaving out indefinite articles is typical of scammers who speak Russian natively.
Specific phrases also give scammers away. “Do the needful:” unique to India. “Angry against” instead of “angry at:” Myanmar. “Please quickly:” India again. Using “at” in place of “have:” Nigeria.
Nigerian scammers confuse A and E in English words, so will say “massage me” instead of “message me.” “Looking for serious relation” instead of “””looking for a serious relationship” pops up over and over in scammer profiles.
Some folks claim the poor English is deliberate, to put off people who are smart enough to catch the scam and therefore represent a waste of effort. I think that’s true in phishing emails but I don’t think it’s true of romance scammers; I think romance scammers are genuinely doing the best they can with limited English.
Yet despite how obvious they are, people still fall for them.
Not only that, there are men I call “concentrators,” men who seem uniquely susceptible to romance scammers. You’ll see a guy who follows 800 other profiles on social media, and 780 of them are clearly romance scammers. Everyone they interact with, every post they comment on, is clearly a romance scammer.
I call these people “concentrators,” because their social media connection map concentrates romance scammers extremely efficiently.
I’ve spent a lot, I mean a lot, of time over the past year thinking about that. Why are romance scammers so effective when they’re so obvious? What causes a concentrator to follow hundreds of romance scam accounts? Clearly, despite how obvious they are, their pitch is precisely tuned to a specific type of psychology. What is it?
I’ve now looked at thousands of romance scam accounts, and I recently had an insight:
Romance scammers don’t behave like women. They behave like thirsty, desperate, sexually frustrated men.
This is, I believe, absolutely key to their success. It’s the realization that makes everything else obvious.
Consider:
A genuine woman does not post photos of herself scantily clad with her private contact information and complaints about how much she needs a man. Even OnlyFans performers don’t do this.
This is the behavior of a sexually frustrated man with few social skills, someone who lacks the empathy or experience to understand why woman don’t do this. Women don’t behave this way because, of course, it’s an invitation to get flooded with rape threats, dick pics, commentary on their bodies, slut-shaming, and religious diatribes.
I mean, even women who don’t behave this way get slammed with this sort of garbage. My wife has shared with me some of the comments and DMs she gets from horny men, and brother, let me just say, there’s a reason a lot of men struggle for female companionship.1
Romance scammers behave the way incel men wish that women would behave.
That’s the secret.
There is, I think, a certain kind of man who struggles to get outside his own head, who has difficulty understanding the perspectives or experiences of others, who re-creates the entire world in his own image.2
That’s the target of romance scammers, who have learned through trial and error that the way to target such men is to hold up a mirror in front of them, dressed in the drag of an OnlyFans performer.
We do not see the world as it is, we see the world as we are. Lonely men respond to reflections of their own loneliness.
[1] You’re in her DMs. I’m getting screenshots of her DMs with messages like “check out this loser, have you ever seen anyone with such terrible social skills?” We are not the same.
[2] There are woman who do this as well, of course, but I think that female romance scam victims aren’t among them, there’s something else going on.
Somehow, against all odds, we survived the dumpster fire of 2025, so we can now welcome the endless possibilities of 2026.
I’m feeling surprisingly optimistic about 2026. Despite all signs to the contrary, I think it has the potential to be a good year. I’ve got more than a few irons in the fire bookwise, with two books coming out this year and a third almost finished, the extended polyfamily is planning a trip to Reykjavik near the end of the year, and several large-scale maker projects are finally nearing completion.
I was born in 1966, so 2026 is a bit of a milestone. In honor of so many decades on this spinning ball in the vast frozen empty void, I plan over the next year to blog about this strange and relentlessly eccentric life I’ve lived so far: adventures, relationships, mistakes I’ve made, things I’ve learned along the way, as a way to reflect on the road that led me here.
It hasn’t always been a smooth ride, but I’ve arrived in a place where I am deeply, deeply happy in all of my relationships, and I am profoundly grateful to have these moments in the sun. (I’ve spent about thirteen and a half billion years, give or take, not existing, and a handful of decades existing. Existing is better.)
Here’s to warm wishes to all of you out there for a happy, prosperous, safe, and joyous 2026, despite the odds.
