A typical nose, the sticky-out bit of the face part (photo by lightwavemedia)
I have, as many who know me can attest, a rudimentary, almost vestigial sense of smell. I’ve always been this way. I can detect really strong smells, like bleach, but for the most part I’m all but nose-blind.
So it came to pass last Friday that I headed home from Lenscrafters, where I’d just picked up a new pair of glasses to cope with the more ordinary sort of blindness. This being Portland, and March, Portland did what it does in March and started to rain.
This isn’t new. I’ve lived in Florida for decades, where it rains all the time, and now live in Portland, where it rains all the time but not as hard. However, on this particular day, something most peculiar happened.
Midway home, rain started falling. That’s not the unusual bit. The unusual bit was the smell. The heavens opened up and for a few brief, glorious hours, I could smell…everything.
Imagine you’re born blind. Imagine that you go to a nightclub one day, and whilst you’re there dancing to the beat of music, abruptly and without warning, you can see. But not just see, like, vague colors and shapes, but something like this…
Everything had a smell. The storm drain I stepped over had a smell. The cars driving by had a smell. People! People have a smell, my God! Who knew? A dude walked past me eating gummy bears and I could smell them! Half the thing I smelled I couldn’t identify, nor figure out where the smell was coming from.
Like our hypothetical blind person granted sight in the middle of a goth club dance floor, I was a bit overwhelmed. You have to understand, in my five-plus decades of life I’ve never experienced anything remotely like this.
It lasted for five hours or so after I got home (it took half that much time to figure out the cloud of scent that seemed to follow me around everywhere was my laundry detergent, which I’d always assumed was unscented), then slowly faded. I woke on Saturday back in my normal state of nearly complete nose-blindness.
The whole thing was weird and freaky and I do not understand it, like, at all. (According to the Internet, a particularly acute sense of smell is called “hyperosmia,” and can be caused by a brain tumor, because we learn from reading Dr. Google that everything is caused by a tumor.)
For one brief, shining moment, an entire sense I’ve never had before opened up, then closed again. Which is a little sad. It’s one thing to live your life without having a particular sense; it’s quite another to have it and then lose it.
I am more active on Quora than any other social media site. I’ve been there since 2012, in which time I’ve written over 66,000 answers that have received over 1.3 billion views.
It’s no secret that the site has gone steeply downhill recently, with wave after wave of scammers and, now, ch*ld p*rn profiles growing like a cancer on the site. I recently wrote a very long answer about why that is, and how Quora’s policies and procedures basically rolled out the red carpet for people selling ch*ld p*rn (there are now a number of organized CP rings active on Quora). Quora deleted that answer, so I’m re-posting it, with expansions and addendums, here.
If you read this on Quora before it was deleted, feel free to skip to the end, where I’ve added new material.
Why is Quora allowing itself to become a spam and porn site? There are lots of real porn sites without corrupting what used to be an intelligent debate forum. Also, too much scammer spam. Why aren’t the moderators doing their job?
The moderators aren’t doing their jobs because, and I say this as someone who has interacted with many moderators and high level admins and had many lengthy conversations with them, because they cannot.
I don’t mean they can’t as in they don’t know how to…well, no, that’s not true. Some of them don’t know how to.
Sorry, this answer got really, really, really long. It’s my analysis of the many failure modes of Quora leadership and moderation based on hundreds of interactions with Quora employees, moderators, and administrators, including cofounder and CEO Adam D’Angelo, about tens of thousands of Quora scammers and spammers. It’s also based on multiple security issues and bug reports I have made to Quora, and what happened after, and on being stalked, doxxed, and harassed on quora (and having my father and my wife doxxed and harassed on Quora), and what happened after.
But you asked, so here we go.
*** CAUTION *** CAUTION *** CAUTION ***
This answer is my opinion, based on my experiences with Quora. I do not work for Quora (well, I might as well do, with all the bug reports and reports of scammers I send them, but I’m not paid for it), I have not seen Quora’s back-end code, and I don’t have any insights into Quora’s management beyond my personal interactions with Quora admins. So take this with a grain of salt.
Problem 1: Absent Leadership
Let me start at the top. I’ve met Adam D’Angelo in person twice at Quora-sponsored events. In person, he comes across as an introverted, painfully shy dude with limited or no theory of mind and no real understanding of how social media works. Stick a pin in that, we’ll come back to it in a bit.
These days, he’s an absentee landlord. He’s on the board of directors of OpenAI, and pays very little attention to Quora these days.
And yet, at the same time, I’ve talked to Quora mid-level employees who have expressed frustration that they would love to implement technical solutions to address some of the worst problems they see with scammers and spammers, but they can’t do so without sign-off from upper management, which is pretty much absent. That’s one problem. Quora is, from a leadership perspective, a rudderless ship, adrift without a captain.
Problem 2: No built-in anti abuse defenses
I run a very small Mac troubleshooting forum, and I also run half a dozen blogs. All of those sites have simple anti-abuse measures like flood control, dupe control, and username control. That means I can, for example, ban creation of certain usernames. That means, with the click of a button, I can stop this from happening:
And I can stop this from happening:
Quora can’t.
These are all user profiles that are active on Quora right now. Quora literally lacks the capability to block usernames with certain words or phrases. It was never part of the codebase from the start.
Quora also cannot do dupe control (flagging or blocking when a user posts the same word for word identical content over and over and over) or flood control (flag or block when one user posts 80 times per second, which obviously means a spambot and not a real human being).
In 1997, I ran a forum for a few years that had automated, built-in username filtering, dupe control, and flood control.
In 1997.
This is what I mean when I say that Adam D’Angelo has no understanding of how social media works. He was the CTO of Facebook, and he does not have the slightest clue how people use social media, how people interact with social media, or how people abuse social media.
Problem 3: Buggy code riddled with security holes
In December 2018, hackers penetrated Quora using significant security holes and stole the entire Quora user database. They got everything, including passwords, because Quora stored the user passwords in plain text, not encrypted, on disk.
This is Security 101. You never, ever, ever, ever, ever, ever store passwords in plain text. The way every site, and operating system, stores passwords, and has since 1976, is you store passwords encrypted. When someone types a password, you encrypt it, then compare it to the encrypted password on disk to see if they are the same.
I had a TRS-80 as a kid in the 70s. It let you lock files on floppy disk with a password. It stored the password encrypted on disk so someone with a disk editor couldn’t find it.
Quora did not. Quora, a site with hundreds of millions of users, stored everyone’s password in plain text.
If that makes you deeply worried about Quora’s approach to security, you should be, because…
Problem 4: Quora’s codebase is an insecure mess
Quora has no Chief Security Officer. Quora’s codebase is riddled with security flaws, in part because they insist on writing their own code to do everything rather than using public libraries, and Quora’s developers from the earliest days onward did not know about and did not think about security. (See Problem 3. Nobody stores 100,000,000 users with plain-text passwords. Nobody.)
I have personally reported several security vulnerabilities that were actively being exploited to Quora. I’ve never heard back except for a bland “thank you for your bug report, we will pass it along to our developers.” In at least one of those cases, I saw the vulnerability being explited months after I reported it.
The vulnerabilities I reported all had to do with flaws in the way Quora handles Unicode.
Brief (I hope) technical digression about what that means: “Unicode” is a way to represent text characters. Computers were largely invented in the US and Britain, so they started out being able to understand only the uppercase and lowercase Latin alphabet, numbers, punctuation, and some special contol characters. That was it.
That means that for the first decades of the computer revolution, you could not type
Naïve
or
美丽
or
товарищ
For decades, you typed unaccented Latin characters or you typed nothing. No accented characters like the ï in naïve, no Cyrillic, sure as hell no Chinese.
Unicode was a system developed in the late 80s/early 90s to extend the old way that computers represented text, to allow for everything from accents to foreign-language alphabets to idiographic text to, later, “emoji” like 😮 and ✅.
The problem is that it had to be backward compatible with the old way to represent text or else every single computer program on earth ever written in English text would not work with the new system.
So the answer was a new way to represent text and symbols that still worked with the old system but added onto it to allow support for millions of characters, but that would still show old-fashioned characters right.
As you can imagine, Unicode is massively complex. Massively. Like unbelievably bogglingly complex.
Lots of people have written free open-source libraries for handling, storing, retrieving, and displaying Unicode. Quora refused to use them.
Instead, Quora wrote its own Unicode handling software. The thing about Unicode is that some characters are just represented by one-byte numbers (the uppercase letter A is represented by the number 97, or 61 in computer hexadecimal (base-16) numbers) and some are represented by two bytes (the lowercase a with a grave accent, à, is represented in Unicode as U+00E0), and some characters are represented as a list of instructions (basically “draw this letter and make these marks over it). Each mark is represented by a series of numbers.
That means that some Unicode combinations are illegal, not allowed, they don’t produce anything. These are called “invalid character sequences.” Invalid sequences are supposed to be detected and print as �.
Quora doesn’t do this. Because of bugs in how Quora handles Unicode, some invalid character sequences aren’t detected as being invalid. This is how trolls can create usernames that do not show up on Quora and can’t be clicked. If you see a troll answer where the name of the person who wrote the answer is just a blank, there’s nothing there, the troll is exploiting a flaw in Quora’s home-grown Unicode.
Worse, you can smuggle commands to Quora’s software by packaging the commands inside of invalid Unicode. This is similar to SQL injection but instead of wrapping the command in quote marks or SQL comment strings you wrap the commands in broken Unicode.
I’ve reported two different Unicode injection vulnerabilities to Quora. One of them was still actively being abused months later.
Problem 5: Quora does not take security or abuse seriously, and so Quora has become one of the favorite places for scammers and hackers on the Internet
Right now, Quora is struggling with a massive, staggering influx of people selling child abuse images.
I typically report anywhere from 100 to 300 or more romance scam and child abuse accounts to Quora every single day. I log and track every account I report. Yesterday I reported 164 accounts. 33 of those were offering child abuse images for sale, 23 were offering preteen child abuse images for sale, and 3 were offering toddler child abuse images for sale. I spend about an hour a day doing it and it makes me sick to my stomach but I cannot, I cannot stop doing it. I’ve tried. I just…I cannot see it and not do anything.
There is a site called Black Hat World. It is a site where scammers, spammers, computer virus distributors, ransomware distributors, child abuse sellers, and other scum and vermin get together to talk about ways to make the world a shittier place.
I sometimes read Black Hat World. They talk about Quora a lot on Black Hat World. They exchange tips and techniques for running scams and selling child abuse images on Quora. There are at least four organized child abuse rings operating on Quora right now [edit: five, I’ve found another], in addition to all the various random independent child abusers running on Quora.
Black Hat World loves Quora because of its combination of poor security, weak or nonexistent automated controls, and lax, permissive moderation. There are tutorials on Black Hat World for scammers and spammers wanting to do their thing on Quora. Actual step by step tutorials.
This all started because of this woman:
Well, not directly because of her, it wasn’t her fault.
This is Paige Spiranac.
Ms. Spiranac is a pro golfer and a model. Almost exactly two years ago, a romance scammer arrived on Quora and used stolen photos of Ms. Spiranac to run his romance scams.
I saw the account and reported it to Quora.
Nothing happened.
I reported it again.
Nothing happened.
I reported it a total of eleven times.
Nothing happened.
I emailed Ms. Spiranac’s agent and said, “hey, just so you know, your client’s identity has been stolen and her photo is being used as part of a romance scam operation on a social media site called Quora, here’s the profile that is using her photo.”
The next day I got a very polite email from Octagon Agency, the company representing her at the time, thanking me for my email. The day after that, the scam account was taken down, I assume because Ms. Spiranac sent Quora a legal DMCA takedown order.
But it was too little too late.
The scammer running the account ran to Black Hat World and was like “hey, everyone, there’s this site called Quora that permits romance scammers!” and the floodgates opened.
Now here’s the thing:
Any site that allows romance scammers will get flooded with romance scammers, obviously. But as the concentration of romance scammers rises, pretty soon there are tons of scammers competing for the same pool of lonely, gullible victims.
So the scammers start specializing. A new wave of scammers arrives who try to scam people with very specific tastes. They’ll pretend to be trans women to appeal to trans chasers. They’ll pretend to be BDSM dominants to try to scam thirsty, gullible subbies. They’ll pretend to be foot fetishists to appeal to people with foot fetishes.
If that second wave goes unchecked, then the third wave arrives, people who pretend to be underage children in order to appeal to…well, you know.
If that third wave goes unchecked, the child abuse rings are like “oh my God this site permits romance scammers that pretend to be children, we have free reign” and the fourth wave is people selling child abuse images.
This is exactly what played out on Quora.
It took about eighteen months between that one scammer going to Black Hat World and saying “hey everyone, run your scams on Quora” and the child abusers arriving in force.
There’s a lesson here: If you run a social media site, and if you do not crack down immediately and hard at the first sign of romance scammers, you will, you will attract child abusers. It’s inevitable.
At this point, Quora cannot keep up. Of the four child abuse rings I’ve seen here, each makes on average about 20 new profiles a day. You can tell who they are because they all use the same contact information for purchasing their child abuse images. You can tell they’re using bots because they all use word for word identical profiles, the same usernames, and the same images over and over again.
Remember Point 2: No built-in anti-abuse measures. Quora has no automated way to detect identical profiles, nor to block or flag based on certain usernames or certain strings in the profile descriptions. That means Quora moderators are having to do manual searches.
And they’re bad at it. Say a child abuse ring uses the name “Tina.” (This is an example; to my knowledge, they don’t.) They’ll use a bot to create identical profiles over and over. They might, for example, be
Quora moderation will ban Tina-1209 and Tina-1211 but leave the others, because you have to do a hand search to find the others and it’s tedious.
That leads to two more problems:
Problem 6: Quora’s back end tools are badly broken
I’ll give you an example:
On my own Quora space, I will often write about the child abuse profiles I report to Quora. These posts often get deleted by Quora moderation.
If Quora would delete child abuse profiles as aggressively as it deletes Spaces posts about child abuse on Quora, we wouldn’t be here, but moving on:
When Quora moderation deletes a post in a Space, when I appeal, there’s a little dance I have to do.
Quora will usually send an answer that says “We cannot undelete this content because a Spaces admin deleted it.”
Then I send back “no, you deleted it, look at this” with a screenshot that clearly says Quora deleted the post.
Then I get an answer that says “we’re so sorry, our back-end administration tool shows that you deleted the post, it’s a bug in our moderation tools, we will undelete it” and they fix it.
I’ve done this over. And over. And over. And over.
They know there’s a bug in their moderation software, one that wrongly displays to Quora moderators that a Spaces post that was deleted by Quora was actually deleted by a Space admin.
You have to keep reminding them about this bug over and over because different employees handle the appeals and each employee doesn’t know about the bug so you have to tell them “look closer, there’s a bug in your software” and they’re like “Oh! Look at that, you’re right!”
They have never fixed the bug.
They have never trained their staff that the bug exists.
Every time, you’re starting from scratch because this poor training means Quora has no institutional memory of the flaws and bugs in their own site administration software.
This same sloppy, shoddy approach to their back-end tooling exists at every level of the Quora stack from top to bottom.
For example, a few days ago I went through another little dance with Quora moderation. I had an answer deleted for spam. Then I appealed, and it was undeleted. Minutes later, it was deleted again.
10:36: I got an email saying they’d looked at the answer and decided it wasn’t spam. 10:38: They undeleted it. 11:03: They deleted it again.
I appealed again and it was undeleted again. This morning, it was deleted again.
Quora’s tools have no provision for a human moderator saying “Quora moderation bot, we’ve looked at this answer, it’s fine.”
That costs Quora money, because every time this happens, a Quora moderator has to stop what he’s doing, check the answer again, and undelete it again.
There are a ton of other, more subtle flaws, too.
After Quora deletes a child abuse profile, they sometimes delete the profile description, which usually contains an address to buy child abuse images, and sometimes they do not; the profile will stay deleted by the profile description advertising child abuse images for sale, and the address to buy them, will remain.
I asked a Quora admin about this. I got a replay telling me it was a problem in their moderation tool and they’re “aware of it and working on it.”
What’s worse is that they never delete the profile Credentials, so the child abuse rings have learned to put the ads for child abuse images inside the credentials, where they remain visible even if the profile is banned.
I wrote a rather angry email to Quora admins about this and here’s what I got back:
Here’s the thing:
This is wrong. This is not correct. You do not have to visit the deleted profile by a direct link to see this. The screenshot above is not a direct link to the profile. A deleted profile’s credentials remain visible in countless places through Quora, including in other users’ Followers and Following lists.
Quora’s own admins and moderators DO NOT KNOW HOW QUORA OPERATES.
I don’t believe this Quora employee was trying to lie to me. I believe this Quora employee honestly, seriously doesn’t understand how Quora’s software works.
Problem 7: Quora’s moderators are incurious and not proactive, probably because they’re overworked and underpaid
Say you report a profile like Keanu-Reeves-359 for impersonation.
Quora admins will delete it. What they will not do is say “oh, if there’s a fake Keanu Reeves #359, I wonder if there is a fake Keanu Reeves #358. And a fake Keanu Reeves #357. And a fake Keanu Reeves #356.”
Nope. They will delete Keanu Reeves #359 and move on.
This is especially bad with the child abuse profiles.
If you report two profiles, one a child abuse profile that is using the name Tina-1208 and another, created a few milliseconds later and identical to it called Tina-1209, they won’t go “huh, a bot is making child abuse profiles one right after the other like a machine gun. I better look at Tina-1207 and Tina-1210, too.”
Nope.
They also don’t stop and ask themselves what profile names mean if they aren’t in English.
I reported this troll profile 7 times. The first time I reported it, it was banned a few hours later. I reported it six more times after it was banned because, well, see for yourself:
Quora policy forbids hate speech in usernames. When a profile whose username contains hate speech is banned, Quora is supposed to delete the username as well.
Which they usually do. If the username is English.
Six more times I reported this profile, explaining what the username means in English. Six more times they did nothing.
Why did I keep reporting it after it was banned?
Finally, finally, after seven reports, finally, after I emailed my Quora contact directly with a screenshot of the user profile AND a screenshot of Google Translate, finally Quora removed the username:
Quora is totally fine with a username “We Must Exterminate the Jews”…as long as it is not in English.
These problems, broken tools and incurious admins, arise from the next problem:
Problem 8: Quora has no money for, or apparently interest in, paying moderators, hiring developers, or fixing the toolchain
Quora started out with no revenue model. When Quora was first founded, it was pitched to investors as a site that would collect and distill human knowledge and make it searchable.
In 2019, it had a valuation of $2 billion.
Then ChatGPT came along and overnight iQuora lost three-quarters of its valuation, from $2 billion to $500 million, because investors were like “why would someone ask Quora if they can ask ChatGPT?”
That’s why Adam D’Angelo pivoted to AI and why he now sits on the board of OpenAI. It’s why Quora is a rudderless ship.
In 2021 or thereabouts, Quora started to run out of money. With the advent of LLMs, the venture capitalists didn’t see the value in Quora anymore. Its valuation collapsed by 75%. The VCs closed the money spigots and Quora was left to sink or swim on its own.
Quora responded by…
…firing the moderation team.
Adam is pitching an AI moderation bot for sale to other social media sites.
This AI moderation bot cannot look at usernames and ban based on users calling themselves Keanu Reeves or Elon Musk.
This AI moderation bot cannot say “this Telegram username is associated with a seller of child abuse images so I will flag or delete posts where this Telegram username appears.”
This AI moderation bot cannot automatically spot and ban profiles called “Fuck All N—-rs.”
Quora keeps trying to train their AI moderation bot to spot things like fake Keanu Reeves profiles or child abuse profiles using LLMs or whatever because once you’ve scaled to hundreds of millions of people and billions of posts, it becomes difficult to add basic features like flood control or username filtering after the fact.
They could do it, but it would be expensive, so they’re left trying to fine-tune their recipe for chicken cordon bleu while the entire kitchen burns down around them.
I’ve had so many conversations about the romance scam problem and the child abuse problem with everyone from frontline Quora employees to high-level Quora admins and I 100% believe that nobody, nobody at Quora, nobody understands the scale of the problem, nor how hard it is to get rid of these people once they’ve established a presence.
I actually have more to say, there are at least three more points in my head I could make including a significant worldview issue on the part of Mr. D’Angelo, but I’ve already spent hours on this answer and it’s way, way longer than a Quora answer should be.
If you’ve read this far, congratulations! Welcome to my world. As a user who genuinely loves Quora, it’s disheartening and kind of sickening.
I do love Quora. Quora’s been good to me. I’ve met so many people who have become personal friends in the real world outside Quora. I’ve met a lover and co-author here.
But it’s getting harder and harder to stay. I reported a string of profiles selling child abuse images of toddlers—toddlers!—yesterday and it made me want to throw up. When I was done I had to leave the house and go to a coffee shop to get the stain out of my head. It’s wearing me down and I still can’t stop, because if I’m not reporting these, who is?
tl;dr: Quora was founded by someone who doesn’t understand computer security or social media. Quora has never, ever been proactive about preventing abuse. As a result, Quora never implemented the most basic front-line security or anti-abuse measures, measures that were available in free open-source software in 1997, and now lacks the resources to address the problem.
Quora’s own employees also don’t understand Quora itself, their own software, or the scale of the problem in front of them.
I’ve saved this post. In the event Quora deletes it, which I put at about a 50/50 chance, I will make it available on my blog.
So that’s the Quora answer.
After I posted this, it was deleted by Quora admins, then undeleted, then deleted, then undeleted, then deleted again. As I type this right now, it’s still deleted, but I’ve filed another appeal so it will be interesting to see if it gets undeleted again.
Whilst it was available, several folks asked if I would expand on the part where I said I have more points to make, so here they are:
Problem 9: Quora’s algorithm is broken
Like most social media sites, every Quora user sees a different feed. There’s too much content to show anyone the firehose directly, so the Quora algorithm listens to your interactions to learn what content you want to see. For example, if you downvote content, Quora tries to show you less of that kind of content. If you upvote content, Quora interprets that to mean you would like to see more like that. The more you interact, the more Quora tunes your feed.
Trouble is, Quora sometimes gets its wires crossed.
Quora interprets downvoting and muting as negative signals, and commenting and upvoting as positive signals. But bizarrely, it interprets using the Report feature to report users or content as a positive signal.
If you report lots of romance scammers, you start to see more and more romance scammers. If you report spammers, you see more spammers.
Even worse, Quora sends customized “digests” in your email. I get a digest full of stuff that Quora thinks I might like to see in email every day. Usually it’s full of answers on topics like science or linguistics or computers or math.
Lately it’s been full of romance scammers.
I want you to take a step back and let the magnitude of that sink in. Quora sends out romance scam content in emailed digests. Today’s digest included nine pieces of content. Three of them were romance scam posts.
Problem 10: Quora is remarkably tolerant of sexual abuse
Amazon AWS is one of the largest Web hosts and storage engines on the planet. A staggering amount of content, including Quora itself, runs on AWS.
Whatever you may think of Amazon (and there’s plenty to dislike about Amazon), Amazon is fanatical about dealing with ch*ld p*rn. Amazon despises child abuse.
Amazon donates a tremendous amount of money, millions a year, to support the National Center for Missing and Exploited Children (NCMEC).
Amazon maintains an internal team, separate from their normal abuse team, to deal solely with reports of child sexual abuse on their networks.
Amazon, as a matter of policy, logs and tracks every single child abuse report it receives. This information, again as a matter of policy, is forwarded to Amazon contacts within the FBI, and to NCMEC.
Amazon maintains a database of child abusers, and hashes of child abuse images, which it makes available to law enforcement.
Amazon does not fuck around when it comes to child abuse. They have an ultra-strict policy, and they will strike down with great vengeance and furious anger anyone who uses their network for child sexual abuse. Hosting CP on Amazon is like calling down a targeted missile strike on your own location.
Quora, which is hosted on Amazon AWS…does not.
If you create a profile, or five profiles, or a hundred and fifty profiles, on Quora offering child sex abuse materials for sale, Quora will (well, I say will, Quora might) ban your account. It will not do anything beyond that.
The sellers of child abuse materials on Quora know that they need fear no repercussions beyond having their accounts banned…and maybe not even that. They operate brazenly and boldly on Quora, even posting profiles that literally say “CP for sale here, all ages available!”, because they know nothing will happen to them.
Why the pizza emoji? The slice of pizza emoji has become something of a universal signifier of those selling child abuse images. CP: Cheese Pizza. CP: Ch*ld P*rn. Get it?
How did Quora get here? What systemic failures led Quora to be the Internet’s hotspot for romance scammers and ch*ld p*rnographers?
Problem 11: Ayn Rand
Adam D’Angelo, Quora’s cofounder and absentee CEO, is the kind of Big-L Libertarian who mainlines Ayn Rand directly into his veins.
He’s one of those techbro Libertarians who believes, I mean really truly believes, that the solution to bad speech is more speech, as if more speech is a magic wand that somehow magically erases bad actors, scammers, spammers and ch*ld p*rnographers.
His fundamental worldview is one where acting against any speech, even “we have pictures of toddelers being raped and would you like to buy them?”, is anethema.
I believe this is why Quora has no built-in mechanisms to prevent any Tom , Dick, and Harry from creating an account called “Elon Musk” and putting up posts offering free Bitcoin if you just deposit money into an account to, you know, pay for “fees.” It’s why you can create an account called Keanu Reeves or Sandra Bullock and the system will just let you do it, because hey, we wouldn’t want to risk the real Keanu Reeves making an account and running into some kind of barrier, right? It’s why there are thousands of fake Keanu Reeves and thousands of fake Elon Musks and so on, and why Quora’s moderation, what’s left of it, is purely reactive and not proactive.
The problem is, we’ve seen over and over and over again that this approach does not work. It’s empirically not true. But it’s a religious idea among a certain kind of techbro; they want it to be true, so they treat it as Revealed Gospel, never to be questioned.
I spend a certain amount of my time each week tracking down spammers, scammers, and phishers. I use a lot of tools for this: Spamcop, wget, other things. One of the tools I occasionally use is the suite of site reputation sites all over the internet, sites that can tell you how long a particular domain has been in use, whether it’s blacklisted anywhere, the site’s overall reputation score.
Occasionally, because I’m curious, when I find myself looking up a site’s reputation score, I’ll look at my own sites’ scores, just because.
So it was that I looked up xeromag.com on one of these sites, when lo and behold:
Just for the record:
No part of xeromag.com uses AI generated text. It’s all written by me, most of it years (or decades!) before LLMs and genAI were even a thing. I first set up Xeromag on January 4, 1997, a time long before ChatGPT was a gleam in Sam Altman’s eye.
In fact, Xeromag has been scraped by genAI bots, which probably explains why AI checkers think it’s AI generated; AI LLMs were trained on what I wrote on Xeromag.
And on my books as well; I’ve been informed by lawyers for the class-action suit against Anthropic that several of my books were fed into the devouring maw of Anthropic’s LLM, as a result of which I’m apparently due thousands of dollars in settlement money if and when the courts approve the settlement.
There’s something deeply offensive about pouring decades of effort into writing, only to have your writing lifted to train AI models, then be accused of using genAI because, well, the AI models produce output that looks like yours, on account of, you know, being trained on your words.
(In fact, most LLMs know me by name; as an experiment, I went to Gemini and asked it to explain fluorine chemistry in the style of Franklin Veaux, which it did, though rather more, I think, in the style of a high school student who read some of my stuff once and tried to mimic it.)
By way of comparison, here’s the real deal:
So, to be clear:
I wrote this blog, every word of it, without the use, direct or indirect, of genAI.
I wrote all my sites, every word of them, without the use, direct or indirect, of genAI (as a trip to the Wayback Machine will show; much of the content on all my sites predates ChatGPT and its ilk).
I am, as one might gather, getting a little sick of people and, now, machines telling the world I am something I’m not.
I have added “Not by AI” tags to my blog and I’m in the process of adding them to my other sites as well.
A few years back, I dropped a kettle of boiling water on my foot. The burns sent me to the ER, where I was given a shot of morphine, and then to the burn clinic, where I was prescribed oxycodone. (I have pictures of the burn. They’re not pretty.)
The morphine was awful. I could feel it coming on, like an unpleasant prickly hot surge that passed over my body in a wave. It was a bit like…it’s hard to describe, but imagine being cocooned in a malfunctioning electric blanket that keeps shocking you—a sense of flushed warmth accompanied by extremely unpleasant little zaps like touching a badly grounded electrical appliance with an intermittent short.
Then came the vomiting: vigorous, profuse, and enthusiastic, as if my body, not content with throwing up in a more pedestrian fashion, had decided to twist the spacetime continuum to expel food I hadn’t even eaten yet.
What didn’t happen was pain relief. At all. I was still in exactly as much agony as I was before the shot (and believe me, boiling water burns are awful, the only pain I’ve ever experienced worse than kidney stones).
The oxycodone? Same deal. Spectacularly, implausibly vigorous vomiting, fuckall pain relief.
Finally, in desperation, I tried a cannabis edible, and lo, it was as if a chorus of angels did sing, saying, “let this man’s pain be erased.” It also made me high, which was unpleasant, but every silver lining has a cloud around it, amirite?
Quite a bit of systematic experimentation later, I learned that the sweet spot for pain management for me is 2.5mg of THC and 2.5mg of CBD. That dosage is effective at pain management without leaving me incapable of functioning or unpleasantly high.
I’m probably unusual in that regard. I can definitely feel 1mg of THC. 2.5mg leaves me a little high, but it’s tolerable. 5mg of THC leaves me high AF and not in a good way. 10mg of THC, the one time I tried it, left me curled up on my side hallucinating vigorously.
I use it when ibuprofen doesn’t work, which isn’t very often. This:
is about a three-year supply for me; I cut the gummies into quarters and take a quarter if nothing else works.
I was able to try cannabis edibles thanks to a senator named Mitch McConnell, known to his friends as “that sour old turtle-faced motherfucker,” who in 2018 introduced legislation into an appropriations bill legalizing hemp.
Senator McConnell in an undated Senate photo
Fast forward to 2025, when a senator named Mitch McConnell, known to his friends as “that sour old turtle-faced motherfucker,” has introduced language into an appropriations bill that would ban hemp products across the board.
Now, we’ve all known for many years that Old Turtle-Face has no integrity, shame, scruples, or backbone. This is not new.
What’s new is that his motivations, usually as transparent as the film wrap over a styrofoam tray of ground meat at a discount supermarket, are completely opaque.
When he first said yay to hemp, before his about-face flip-flop, he raved on and on about how it would help Kentucky farmers…farmers he’s now shot, stabbed, and tossed under a bus.
My take on that is someone with a financial interest in cannabis farming offered him a lot of money, then somehow the deal soured.
My Talespinner disagrees. She deals with chronic pain and, like me, has found cannabis a godsend for pain management…only to have it yanked away, leaving few options between, you know, addictive opioids and over-the-counter pain relievers. Her take: it’s intentional, calculated cruelty. Turtleface gets off on it.
And the thing is, either of those two explanations—political crony corruption or deliberate, calculated cruelty—fits. They’re both within Senator Turtledick’s wheelhouse. They both fit his pattern of observed behavior; the man has never met corruption he doesn’t embrace or pointless sadism he doesn’t indulge. He’s basically a walking encyclopedia of the worst impulses of humanity, a case study in unscrupulous, dishonorable barbarism.
So what say you? Is it merely greed, or is he letting slip is inner spite?
I don’t know when it happened. I know when I noticed it. I was using the Facebook app on my phone while I was in Florida working on getting a solar battery setup in my wife’s RV.
“Huh, what’s this?” I thought as I looked through the posts on my profile. “There are a bunch of buttons beneath each post, asking followup questions.” So I clicked one.
Dear God.
So you know how ChatGPT will spout the most absolutely flat-out bonkers bullshit in this weird, bland, “corporate email meets the Institute of Official Cheer” voice? Like asserting with confidence that Walter Mondale graduated from Princeton University (he didn’t), or inventing hyperlinks to imaginary reviews of a Honda motorcycle that doesn’t exist?
Meta, in its ongoing effort to cram LLMs into every orifice of the great throbbing pustulent Facebook experience, is wedging LLM chatbots, often with the aid of a crowbar, onto the bottom of Facebook posts (but only, at least so far, in the app; I don’t see this on the browser).
And the things it imagines are sometimes…weird.
I was called for jury duty a couple of weeks ago. The waiting room featured a stash of complimentary fidget spinners (yes, seriously). Something Facebook’s AI insisted wasn’t the case.
It got way weirder, though, when I posted that the first drft of my first novel with my talespinner was done:
AI invented a question that it couldn’t answer, then answered it with nonsense. “I don’t know who Kitty Bound is, so let me ramble about unrelated authors who go by ‘Kitty.’” And the thing is, the question buttons are invented by the AI.
It doesn’t know who Kitty Bound is (understandably, this is the first novel we’re attempting to get published together), but it will cheerfully say “click here to learn more about Kitty Bound” and then say “Kitty Bound’s work isn’t well-represented in search results, so ima go Hal 9000 with ADHD and tell you things about completely unrelated people.”
Would you like to know how to make an omelet? Yes? Well, I can’t tell you how to make an omelet, but here’s a paragraph about maintaining gas-powered wood chippers.
And the thing is, Facebook is the shining example of AI success.
Facebook is one of the very few companies doing more than forklifting venture capital dollars into a furnace by the pallet. The proponents of AI say it’s going to change the world, and they’re right…just not with hallucination engines designed to pass the Turing test. (I used to think the Chinese room critique of AI was nonsense; now I’m not so sure. I might write an essay about that at some point, check this space.)
AI is making crazy money for Facebook, but not in chatbots. They’re using AI engines to drive ad placement, consumer segments, and demographic analysis of their ads, and it works. About two or three years ago, Facebook suddenly started showing me ads that I’ve never seen before, for products I’ve never shown any interest in as far as I know…and I, get this, started buying from Facebook ads.
AI, in the right context, works.
But that sort of AI isn’t sexy. It doesn’t get column inches in newspapers. Chatbots do…but for all the wrong reasons.
My Talespinner and I may have invented the genre of hyperurbanized retrofuturist court-intrigue gangster noir. Do a search for that phrase and you’ll get three results, of which (checks notes) three are by us. Chatbots can be forgiven for not knowing what that is, but hot damn, it doesn’t stop them from spouting confident-seeming nonsense about what it is. This is some classic Chinese room shit.
And don’t get me started on whatever this fresh bucket o’ slop is:
If that’s not silly enough, try this:
Want even sillier? How about this:
“I was cranky because I had to drive overnight.” AI: “Why was I cranky? You were cranky because you had to drive overnight.”
This would be silly if it weren’t for the fact that GenAI is almost unbelievably expensive, needing a trip through the entire neural network for each token generated. The server farms that ooze this pap are warmed by furnaces that burn hundred-dollar bills.
It’s not worth $2,7700,000,000,000 to tell people “why were you cranky when driving overnight made you cranky? Because you get cranky when you drive overnight.”
On top of the economic cost, there’s a social cost as well. Scammers, spammers, fraud artists, conmen, and political adversaries use LLMs to refine and hone their message for maximum emotional manipulation. Political activists use GenAI to create deepfakes. We as a society do not have a cognitive immune system that can deal with this, and I think it will be generations before we do.
But hey, in that brief moment before they go bankrupt, 498 people will be paper billionaires.
I’ve now been in Florida for over a month and a half, helping joreth get her new (to her) RV set up and situated…a project that involved gutting the entire inside, adding 600 watts of solar to the roof, and replacing the house batteries with a very large lithium battery bank.
As we’ve run bto and fro between Winter Haven and Orlando, mainly along I-4, a wretched hive of scum and poor civil engineering, I noticed a very peculiar thing:
Florida has given up on the idea of advancing your station through hard work.
Drive across Florida on Interstate 4. Drive around in downtown Winter Haven, Orlando, or Lakeland. Notice anything peculiar?
I’m talking, of course, about billboards. But not just any billboards. Florida is, to an extent I’ve not seen in any other state, littered with billboards…for accident lawyers. Billboards as far as the eye can see, all advertising how much money you can make if you are in an accident.
Billboard after billboard after billboard, all for accident attorneys. On the stretch of I-4 we’ve been driving regularly, most of the billboards—54%, by my count—are advertising accident attorneys.
They’re everywhere. It’s absolutely uncanny.
I took these photos from inside a moving car, so I know the quality isn’t the greatest, but they just go on and on. We would drive down stretches of road where every single billboard for miles advertised accident attorneys, one after another after another.
Florida has long been legendary for the staggering numbers of terrible drivers on the roads, the result of snowbirds coming down from all over the country without being accustomed to the rain, a olice force focused on making money over protecting public safety, and lax licensing laws.
But I think there’s another part of it as well:
In Florida, there’s a cultural attitude that says getting in a car accident that you can blame on someone else is like winning the lottery.
They even have lawyers who specialize in going after semi owner/operators and trucking companies.
And, of course, language is no barrier to your payday.
But the absolute freakiest thing?
Remember when I said that getting in a car wreck is like winning the lottery? I meant that literally, not figuratively.
Accident lawyers put up shiny happy billboards with shiny happy accident victims wearing shiny happy smiles under headlines trumpeting how much money they made.
(There’s something so very very Florida about this little scene: an “I won $500,000 in an injury lawsuit, isn’t that awesome?” billboard over a strip mall with a pawn and gun shop, an acupuncturist, a martial arts center, an MMA arena, and a weird Evangelical church, all sharing a roof.)
The way these billboards are designed, they’re exactly like state lottery billboards.
“Dude! You got hit by a car and smashed into rubble? Awesome! Cha-CHING!!!”
Every time you pull into traffic in Florida, you’re sharing the road with people who sincerely hope you hit them because that’s the way you get ahead in this world.
It’s really deeply creepy…and perversely, it incentivizes the exact opposite of driving defensively. Coming up to a light and it looks like someone might be about to run the red? Gun it! Get in that intersection and hope he slams into you. Then maybe you’ll be one of the shiny happy people with a big payday, baby!
I sleep in a loft bed, to make more room for my computers and one of my 3D printers, which I keep under the bed.
I needed a new floor lamp, and because I’m lazy, I wanted something I could turn on and off remotely without climbing out of bed. So I found a floor lamp on Amazon that advertised remote control capability.
Imagine my surprise when I opened the box and found no remote, just a QR code to download a smartphone app.
Buckle up, because this story is about to take a turn that would make William Gibson cringe.
My first hint something was wrong came when the app forced me to create an account on the manufacturer’s server before I could pair pair with the lamp.
But hey, I wanted to see how deep the rabbit hole went, so I made an account. The answer is “pretty deep.”
Once you pair over Bluetooth, the next thing you do is download your WiFi password to the lamp. You also must enable location services, so the lamp knows your location. (The software won’t work if you don’t.)
Once the lamp knows your location, you have a choice to make. It asks if you’d rather use the microphone in your phone, or the one built into the lamp.
Yes, you read that right. The lamp connects to your WiFi and your phone, knows where you are, and has a built in microphone.
Once you’ve made that particular Hobson’s choice, the app asks you to upload a selfie, so it can—get this—run facial recognition and AI expression analysis.
Why? So it can suggest a lighting scheme based on your mood.
The Terms of Service allow the manufacturer to store your face and do both facial recognition and AI analysis.
I uploaded a photo of a cat rather than my selfie.
You’re then connected to a community of other lamp users, so you can exchange lighting patterns and such…because, of course, it is a truth universally acknowledged that a person in possession of a floor lamp must be in want of a way to exchange lighting suggestions with complete strangers.
Here’s the light it suggested based on AI analysis of a cat.
The lamp was originally slated to arrive from Amazon on Monday, but when Monday came I got an email telling me that delivery was delayed and it would arrive on Tuesday.
Were I of a paranoid bent, I might believe that the delay allowed a government three-letter agency to intercept the shipment so they could do a supply chain attack, rerouting the lamp’s connection to the host servers (which is a really weird thing to say, if you think about it) through them as well.
George Orwell believed in a future where the government constantly watched the citizens, recording every detail of their lives. George Orwell didn’t know about outsourcing.
It all started when I accidentally clicked on Facebook Marketplace.
I was trying to click on my notifications. On the iOS app, the Marketplace button is next to the Notifications button, and, well…
As God is my witness, I do not know why Facebook Marketplace thought I would be interested in a gigantic human-sized pod. I mean, it was absolutely 100% right, but how did it know?
And so it came to pass that I, after much back and forth with the seller (who owns a clinic that was moving, and didn’t have space for it any more) and some absolutely heroic efforts from my friend Stan to move the damn thing, came into possession of a Bod Pod, a medical scanner originally, I gather, designed to calculate body mass.
Of course, when I saw that listing on Facebook on that fateful day, my mind immediately, as it is wont to do, went to images of the alien eggs from the Alien movies.
What if, thought I, I could cover this Bod Pod in silicone, making an alien egg large enough for a person? And what if, I continued as my brain inevitably rode this train to the last station, I could make a whole bunch of gigantic silicone tentacles—say, just for the sake of argument, nine and a hald feet long or so—that might explode from the pod, dripping with slime, trying to drag a Helpless Victim™ into the egg-thing? And what if, I continued on, having at this point reached the last station, crashed through the wall, and sailed on into the Beyond Space where anything is possible, I did a photo shoot, in which this poor Helpless Victim™ was molested by tentacles from this giant alien pod?
Now, of course, getting from pod to giant alien egg with tentacles is a Project, one I have only just barely embarked upon.
The first step to a pod with tentacles is, of course, the pod. The second step is the tentacles, and so it was, Gentle Reader, that I set about designing a Giant Tentacle in a 3D modeling program.
From this Giant Tentacle, I created a mold that could be printed in 15-inch segments, which is the maximum print size on my 3D printer, with an overall length of over 9 feet.
Of course, I didn’t really quite imagine how long a 9-foot mold is, so it turned out that once the mold was complete—something that took days of printing—I didn’t have enough space for it without rearranging furniture.
Seriously, nine-feet-plus of mold is more mold than you think it is.
It’s also a lot harder to cast silicone in an open-face mold this size than I expected it to be. Like, a lot harder. In this much space, silicone doesn’t behave the way you’d expect it to. It’s kind of like lava—it doesn’t flow to fill the entire mold. (It doesn’t help that my vacuum chamber also isn’t big enough to degas this much silicone all at once, either.)
So I had to make the pour in a bunch of steps, which created all sorts of weird problems. I’d planned to have the suckers lighter than the rest, with bands of color through the tentacles. That…didn’t work. The coloring pigment actually migrated up through the silicone, something it doesn’t do in a smaller mold.
The mold is just a liiiiitle teensy bit more than half the diameter of the tentacle, so it just barely starts to pinch inward at the top. This is so that I could cast half the tentacle, remove it from the mold, fill it with silicone again, then put the half I’d already cast on top, and that slight bit of pinch would grab the bit I’d already cast.
The result worked out pretty well, though it uses a lot of silicone—I made two tentacles, and together they’re about $100 worth of body-safe platinum-cure silicone alone, not including the cost of printing the mold.
When I flew to Springfield to see my Talespinner, I brought the tentacles (of course), which caused some degree of consternation at TSA (of course). We trialled the tentacles as a means of violation of Helpless Victims™, at which they excelled, but we (by which I mean she and her other lover, as I looked on) also gave them a try as an impact toy, at which they also excelled.
In fact, this may be the thuddiest impact toy ever conceived by man, more thuddy even than the Dread Koosh Flogger, a flogger made (as the name suggests) from Koosh balls.
I’m considering making an impact tentacle toy that’s basically a short length of this tentacle with a handle on the end.
When I returned from Springfield, armed with more information to allow the Great Tentacle Pod Project to move forward, I unpacked my suitcase and tossed the tentacles over the pod, lacking a better place to put them (and nine-foot tentacles are both heavier and take up more storage space than you may realize).
It struck me yesterday that visitors to my home, upon walking into my living room and seeing this, might be subject to some discomfiture.
First up in today’s game of “who fed it and who ate it:” Artificial Intelligence.
AI is everywhere. AI chatbots! AI image generators! And now, AI code assistants, that help developers write computer programs!
Only here’s the thing: AI doesn’t know anything. A lot of folks think these AI systems are, like, some sort of huge database of facts or something. They aren’t. They’re closer to supercharged versions of the autocomplete on your phone.
Which means if you ask an AI chatbot or code generator a question, it does the same thing autocomplete does: fills in syntactically correct words that are likely to come after the words you typed. There is no intelligence. There is no storehouse of facts it looks up.
That’s why AI is prone to “hallucinations”—completely imaginary false statements that the AI systems invent because the words it uses are somehow associated with the words you typed.
AI Fembot says: The Golden Gate Bridge was transported for the second time across Egypt in October of 2016. (Image: Xu Haiwei)
So, code generation.
AI code generation is uniformly terrible. If you’re asking for anything more than a simple shell script, what you get likely won’t even compile. But oh, it gets worse. So, so much worse.
AI code generators do not understand code. They merely produce output that resembles the text they were trained on. And sometimes, they hallucinate entire libraries or software packages that do not exist.
Which is perfectly understandable once you get how AI LLMs work.
In February, then again in March, the developer released updates to a library called “XZ Utils.” The update contained weird, obfuscated code—instructions that were deliberately written in a manner to conceal what they did—but because he was a trusted dev, people were just like 🤷♂️. “We don’t know what this code he added does, but he seems an okay guy. Let’s roll this into Linux.”
He seems a decent fellow. We don’t know what this code does, but what’s the harm? (Image: Zanyar Ibrahim)
Fortunately it was spotted quickly, befure it ended up widely used, so only a handful of bleeding-edge Linux distros were affected, but still:
What the actual, literal fuck, people??!
“This library contains obfuscated code whose purpose has been deliberately concealed. What’s the worst that can happen?”
Jesus. And it’s only March.
Developers should never be allowed near anything important ever.
Back in March 2016, eight years and one day ago, I published an analysis of a spam ring advertising phony pay-for-play scam “dating sites.” This particular group was responsible for about 90% of the “Hot Lady Wants to F*ck You” spam in circulation. The spam contained links to hacked sites that the spammers placed malicious redirectors on, that would redirect to other sites that redirected to other sites that redirected to a site that would promise sex and ask you a bunch of questions about what you were looking for, then take you to the actual scam site.
I called these guys “the Lads from Cyprus” because invariably the scam dating sites were registered to a shell company organized in Cyprus.
Times have changed, and the Lads from Cyprus have changed with them. While they still do send spam emails, I rarely see them any more—perhaps six or eight times a year, where I used to see them multiple times per day.
Instead, they’ve moved on…to Quora.
The Quora Connection
I spend most of my time on Quora these days. A few years back, I started noticing a certain type of profile: large number of profiles with consistent behavior: a profile pic of a hot woman in a kind of blandly generic Instagram pose, answering questions at an enormous rate (sometimes once a minute or more), with the answers all being a sentence or so that might or might not be related to the question, but that always included a photo of a scantily-dressed woman.
The profiles look like this:
The links (“Latest Nude Videos and Pics,” “Hookup [sic] with me now”) all lead to domains that are registered on Namesilo, usually with ultra-cheap TLDs like “.life,” that—rather amazingly—are still using the exact same templates I saw in 2016.
Go with what works, eh?
Anyway, these sites ask you a bunch of questions, tell you you’re about to see nude photos, then redirect you to a scam dating site—in this case, one called onlylocalmeets.com”—where you will immediately see a direct message request the moment you connect, though of course you’ll need to pay if you want to receive it.
It’s actually kind of amazing to me that they’re still running the same scams essentially unchanged, using the same templates they used eight years ago. They’ve clearly got this down to an art—the redirection sites even do some spiffy geolocation and collect as much information from your browser fingerprint as they can before sending oyu off to the scam site.
There are at least hundreds, possibly thousands, of these fake profiles on Quora, all of which use stolen photos of Instagram models, and all of which link back, through various intermediaries, to the same scam dating site.
I started recording the scam profiles in a Notes file. I deliberately didn’t go out searching for them; instead, I just browsed Quora as I normally do, and made a note whenever I encountered one of these scam profiles (and if I was in the mood, did a reverse image search to see whose photos were stolen for that profile).
There are…a lot of them.
Based on what I’ve seen, I’d say probably 800 on the low end and 1,500 on the high end.
One of them even used stolen Instagram photos of pro golfer and model Paige Spiranac. When I reverse image searched the photos, I looked up the email address of her agent (who was easy to find) and sent an email saying “hey, just so you know, your client’s photos are being used in a catfishing scam, here’s the link.” The profile was banned a few days later, so maybe she or her agent filed a DMCA takedown request.
I find it interesting that this organized spam gang is still at it, still running the same scam they’ve been running for at least ten years, but always looking for new ways to find fresh crops of victims.
I also find it interesting that it works. These scam profiles quickly end up with thousands, sometimes tens of thousands, of followers.
And finally, if you’ve ever wondered what it’s like to be a woman online, just look at the comments to the spam posts, which range from the drearily predictable:
To the completely unhinged:
(And what is it with these people not knowing the difference between “your” and “you’re”? You can be a completely deranged psycho who abuses women online or you can spell, but not, it seems, both.)
To the…well, I don’t know what the fuck this is. I’ve deliberately cropped off this fellow’s username.
Jesus, I do not understand why any woman would ever voluntarily go online.
On the one hand, it’s kinda hard to feel sorry for some of these blokes, who will no doubt be fleeced of all their money. That particular combination of toxic entitlement toward access to women’s bodies and aggressive stupidity makes it really hard to sympathize with the folks being ripped off here.
On the other, any scam is wrong, regardless of the victims it targets.
