
Hackers Are So Fed Up with Twitter Bots They’re Hunting Them Down Themselves - CrankyBear
https://theintercept.com/2018/03/16/twitter-bot-detector-software/
======
lorenzhs
I got fed up with Twitter's lack of enthusiasm in blocking these accounts so I
whipped up a quick proof of concept a while ago. The amount of trivial-to-detect
cryptocurrency scams in replies to popular accounts was so high that I
put together a hacky PoC:
[https://gist.github.com/lorenzhs/864353c202112a38de17ed054f31e67c](https://gist.github.com/lorenzhs/864353c202112a38de17ed054f31e67c)
-- the scammers' messages have changed now, the messages no longer match that
particular filter, but it worked for _weeks_ without Twitter doing anything.

~~~
bigiain
I got fed up with Twitter's lack of enthusiasm in blocking all sorts of
shitposts that I stopped using it. I've been significantly less angry ever
since...

~~~
zeth___
Honest question: what's the point of twitter?

~~~
jsemrau
I tried to make Twitter work for me by only following people I am genuinely
interested in. (Founders, CEOs, etc.) but even after that I am not engaged.

~~~
duxup
Same, my feed was still filled with inane posts no matter how much I tried to
mess with it.

I just gave up.

~~~
VectorLock
Embrace the banality.

~~~
duxup
[https://www.youtube.com/watch?v=Xd2OmVTKkbY](https://www.youtube.com/watch?v=Xd2OmVTKkbY)

------
downandout
The profile of fake porn accounts the guy in the first part of the story
developed is that they "liked more tweets than they retweeted, had fewer than
1,000 followers, and directed readers to click the link in their bios."

If those are the only criteria he's using, many legitimate accounts will be
falsely accused.

~~~
jeffwass
I’m a total Twitter n00b.

But are we really supposed to retweet more than we like? I was treating
retweets as a stronger version of ‘like’, in a sense. Assuming too much
retweeting will clog my followers’ feeds, and make them more likely to mute or
unfollow me.

So yeah, I like far more than I retweet. I also have well less than 1000
followers, being a n00b.

I DO have a link in my profile, but don’t actively request people visit. But
figure they eventually might (I do much tweeting within the aspiring author
community, mentioning my WIP, or Work In Progress, so figure potentially-
interested parties could click. But no, not actively marketing, yet...)

~~~
cookiecaper
> Assuming too much retweeting will clog my followers’ feeds, and make them
> more likely to mute or unfollow me.

If there's one thing I've learned about social media, it's that this totally
considerate, natural thought pattern is anathema to the platform vendors.

In the real world, you expect a high Signal-to-Noise ratio, and want to reward
people who speak less often because their words become more
weighty/significant. Social platforms work on the exact inverse of this
principle! They reward high Noise-to-Signal accounts because that keeps the
psychological engagement hooks going. The platforms _actively punish_ accounts
that aren't continuously, repetitively pushing those buttons. If you ever
wonder why the spammiest crap floats to the top, this is why.

We're all just flashing bulbs in the social media slot machine. If we're not
frantically flashing, blinking, or otherwise making it difficult for the
consumer-gambler to look away, we're not serving the platform's purpose, and
we'll be replaced with a bulb that does.

------
aphextron
This whole problem could be solved by opening account verification up to
everyone. Twitter would be amazing if every profile were guaranteed to be a
verified human being with government issued ID. Leave it open to those who
want to stay anonymous, but give users the option to filter those people out.

~~~
retox
I refuse to create accounts on sites that require even a phone number, let
alone government ID. It will eventually get lost and things like passports
being faked can land you in prison or watchlists if someone like Israel
decides to steal your identity while committing an extra-legal assassination.

~~~
scottmf
Perfectly sane reason for not signing up with Twitter.

~~~
JonasJSchreiber
I want to downvote the person you replied to and upvote your comment. HN
apparently doesn't work like that so I'll stick with a single upvote :)

~~~
jonny_eh
Once you get enough karma you can downvote comments.

~~~
qu4z-2
But the delay is specifically so you can internalise the fact that downvoting
here is a stronger claim than on, say, reddit.

------
jtokoph
Forgive me, as I don't use twitter much, but what is the problem with twitter
bots? If I don't follow them, aren't they essentially invisible to me?

I guess they might pollute search results? Is there something else I'm
missing?

~~~
TheSmiddy
If you follow any billionaires and read their comments they are full of crypto
scams.

Things like @elommusk replying to @elonmusk saying "to celebrate this awesome
news I'm going to hand out some free bitcoins!, just send 0.1BTC to <address>
and i'll return 1BTC!" then 100 replies from other accounts saying "thanks
Elon, you're the greatest!"

~~~
always_good
And if you check the address, you can often see thousands of dollars scammed.

Not as lucrative as it seemed to be the first time I noticed them a month ago
where a Coinbase tweet had a spam response with an address that made 80k USD
in <1 hour, but it's still clearly lucrative.

This is going to force Twitter to finally do something about all the bots
since they'll have to deploy countermeasures that generalize across pretty
much all bots.

It's clear that Twitter has held a Laissez-faire or blind-eye philosophy
towards bots, but it's hard to keep procrastinating once you can trivially
verify that your platform is a lucrative tool for scammers.

Not to mention, the top N responses to every high profile tweet are now these
scammers and it makes their platform look absolutely uncontrolled.

~~~
21
> And if you check the address, you can often see thousands of dollars
> scammed.

Just like the fake "Thanks!" replies, I'm sure there are fake actual
transactions, meaning the scammer sends bitcoin to itself to make it look
legit. The fact that they pay transactions fees doesn't really change much.

So it's very hard to know how much of those thousands of dollars were actually
scammed.

~~~
russdill
They don't bother, it's not worth trying to target people who actually check
things. The scam tweet usually links to what amounts to a phishing page for
crypto transaction tracking sites. It looks very real.

------
obblekk
This is an interesting approach. Maybe Twitter shouldn't solve the fake
accounts problem directly, maybe they should come up with an evaluation
criteria and then create a market for identifying fake accounts.

If their evaluation criteria is good, they could get away with 0 cost to build
the best possible system (motivated by competition on a market).

~~~
johnc1231
I think Twitter's biggest problem with fake accounts is not that they are hard
to identify, but that if they do identify them and shut them down, it'll hurt
their "number of active users" stats

~~~
CM30
I suspect their big problem is more that their site is too big for the
moderation staff they have at the moment. Identifying bots is easy for people
sure, but it's hard to automate with AI and hiring people to proactively hunt
out and shut down bots is expensive.

Of course, the fact doing it too well hurts the stats doesn't help either.

~~~
heylook
> it's hard to automate with AI

I disagree. At least it shouldn't be that hard for a company with Twitter's
level of engineering and data science sophistication, and yes, I do realize
that most of their best technical talent is long gone.

------
kzrdude
> (“jakten” means “hunt” in Norwegian)

I don't mind the confusion, it's just a fact that we can use knowledge of
Norwegian to understand Swedish.

Fun fact, same word as yacht, which is borrowed from Dutch jacht with the same
meaning as Swedish and Norwegian jakt.

~~~
gerdesj
Is it just a coincidence that jakten means both hunt and yacht in Norge? (I
think I unpicked that chain correctly)

Also, now I come to think about it, it is a bit embarrassing that we (en)
pronounce yacht as "yot". I look forward to reading a future man page
describing yacht as an archaic form of the correct usage. The man page for the
ls command used to describe colour as an archaic term for the "modern" form -
color!

~~~
yorwba
Wiktionary says that yacht stems from the Dutch word for a hunting ship (one
you use to pursue other ships), so various Germanic languages having similar
or identical pronunciations for the words for yacht and hunt is no
coincidence.

[https://en.m.wiktionary.org/wiki/yacht#English](https://en.m.wiktionary.org/wiki/yacht#English)

------
staticelf
I tried to start a twitter account, a few minutes later I got blocked:
[https://imgur.com/suSH1Qn](https://imgur.com/suSH1Qn)

I didn't tweet anything, just followed some people I found interesting.

I don't want to verify my phone number. Fuck you twitter.

~~~
nasredin
I haven't been able to create a Twitter account for over a year now. Home IP.

(Not giving Twitter my phone number)

I think it's deliberate b/c bots seem to be exempt from this phone number
requirement.

~~~
staticelf
Yeah exactly, is registering an account really automated behavior? It's so
obvious they just want my phone number and they are never getting it.

Twitter is dying anyway, at least that is the feeling I have about the
website.

------
extweep
In the early days of twitter, Trust&Safety was considered the second-lowest
team on the totem pole of engineering career advancement possibilities (sorry
Internal Tools aka Developer Productivity).

I'm sure that's changed recently, but IMO a lot of the trouble that
Twitter/FB/Reddit have had with bots has to do with trying to get good
engineers rationally interested in being part of T&S organizations.

Now T&S is sexy, but there's got to be lag time effectively changing the
leadership and team structures of these large, established teams.

------
jordan801
Isn't this self defeating? As everyone has pointed out, it's not hard to
detect a bot. So, why can't Twitter just do it? Maybe their review and
moderation team is just too backed up. In that case, instead of helping the
twitter team, these detection bots, are probably making it worse. Reviews and
considerations have to be more thorough, since most of the reports are from
automated systems. Systems, they probably have already engineered.

I built a chrome plugin that filtered out Facebook posts by a set of keywords.
It took less than an hour. Maybe these "hackers" should do it for Twitter. It
would reduce the load on the moderators, while making these bots far less
effective. Then, reach out to the Twitter team, and see if there's a way to go
about this, that isn't destructive.

~~~
Bartweiss
> _it's not hard to detect a bot. So, why can't Twitter just do it?_

Presumably a significant part of that is that Twitter cares more about false
positives than random third parties do; they're going to get some vicious
criticism if they start flagging/closing real accounts as bots. They might
also worry more about false negatives, because as soon as they act on bots
they'll be accused of bias and only targeting certain positions. (That
accusation will hit regardless, but presumably they'd like it to not be
_true_.)

It's easy to whip up a tool that gets lots of true positives, but much harder
to get a success rate good enough to use.

------
dang
A related discussion from a couple days ago is
[https://news.ycombinator.com/item?id=16599802](https://news.ycombinator.com/item?id=16599802).

------
fabianhjr
I just hope something similar to a follow graph/follow range comes up as a
solution. It gives _way_ more control to individuals to limit the reach of bad
actors.

For example: [https://ssbc.github.io/scuttlebutt-protocol-guide/#follow-graph](https://ssbc.github.io/scuttlebutt-protocol-guide/#follow-graph)

------
Aissen
As I told @fs0c131y (cited in the article), they're very easy to find. My bot
found many of them without even looking:
[https://anisse.astier.eu/what-do-you-find-when-you-search-twitter-for-hashes.html](https://anisse.astier.eu/what-do-you-find-when-you-search-twitter-for-hashes.html)

------
tracker1
I frankly don't use twitter much anyway... I mostly post things that I like,
and in the end use my own account to re-find stuff I posted later... it's a
bad bookmark manager is how I use it, but at least then other people might
find it useful too.

------
nkg
Hey I run a bot and people love it. It adds value and regularly triggers
conversation. All bots are not about porn and mixtapes!

~~~
dmix
This whole bot thing is turning into a classic hysteria.

I really hope it doesn't end up harming a bunch of the 'good guys' like most
of the quickly assembled shoddy 'solutions' most public hysterias generate,
rather than stopping the legit 'bad guys'.

There have been countless examples of well-intentioned but heavy-handed
intervention being a net-negative for society [1].

There could very well be some really interesting legitimately useful bots that
will get swept up in this. Or platform limitations added which cripple the
utility of all bots...with some an unmeasurable potential loss via future bots
which were never created as a result. ....Meanwhile the 'bad guys' find a
hundred loopholes to keep operating.

The key is keeping this to a case-by-case enforcement...whether at an
individual or specific use-case based level. Not some overarching limitation
or stigmatization of bots (across all social media).

[1] See: the drug war, 1970s NYC/Toronto rent control laws resulting in a far
_lower_ supply of affordable housing and more dilapidated tenements, anti-oil
pipeline activism resulting in more environmental harm via rail and truck
transit, pro-poverty housing regulation creating isolated urban ghettos, wage
laws reducing total long-term net income for all low-income workers than it
gains employed workers in the short term, etc, etc.

------
goerz
I'm not sure I understand the point. So they identify bots. Then what? How can
one get rid of these accounts?

~~~
lokedhs
They report them. And then nothing happens because it's in the interest of
Twitter's business to not do anything about it.

To be fair, I'm sure some will be blocked but the problem with Twitter bots is
that the only way to get rid of the problem is to ignore false positives. That
will fix the issue but replace it with a different problem, as it clearly
won't make for happy users.

I've been using Mastodon quite heavily recently and the "ban first" approach
is taken by many instances. They can do that since the network is
decentralised. Twitter, on the other hand can't do the same thing.

------
nsaaass
Hypocritical news from twitter.

------
tuespetre
LOUD NOISES

What’s with the all-caps title? Did they spit it out from the server using
ToUpperCase instead of using CSS text-transform?

~~~
dang
No, it's that some article titles use all-caps typography and then HN users
copy it.

We're going to write a bit of software to convert these, or at least ask
submitters to revise them. In the meantime we've edited the title above.

~~~
reificator
It's frustrating that the site markup is (almost) correct[1], because IMO the
browser is in the wrong here. I think it makes more sense for the browser to
copy the text as it is in the markup, because all-caps is a stylistic choice
not a content choice.

I can see the argument the other way around, where the text the user selects
should be the text they copy, and that makes sense. But I maintain that the
same article with different stylesheets should produce the same text content
on the page for the user to copy.

[1]: The markup is in something approaching title case, except that words like
`with` are also capitalized. Then the element is using `text-transform:
uppercase`.

~~~
smsm42
> I can see the argument the other way around, where the text the user selects
> should be the text they copy

This is almost never the case for headers and such. New York Times or CNN have
fancy logos/headlines, but we don't want to reproduce them each time we refer
to the company or specific article - we just want the content. text-transform
is a great way to achieve presentation need (bold headlines) without messing
up content. Copying - excepting cases of visual copying, e.g. screenshot -
should always have an option of content-only copying.

------
orbitingpluto
The obvious answer is to restrict some API usage, specifically posting, to
verified accounts.

This obviously conflicts with Twitter's incentive to maximize their profit and
brand. So the next obvious solutions are token measures.

edit: And apparently to downvote anyone who calls them out.

------
thinkloop
> finding these accounts is pretty easy, he used advanced google search and
> google reverse image search

All Twitter has to do is develop the most intelligent software ever created
and make sure it keeps inching towards generalized AI over time.

~~~
chrisweekly
FWIW I read gp as "_use_ Google", not "_be_ Google".

~~~
thinkloop
That's why the piece is cute, it presents some personal fiddling as a possible
solution. Twitter can't simply use a competitor's technology at scale, and if
they did they would be opening a massive risk vector to their core business.
The only takeaway is that Twitter has to replicate the most intelligent "ai"
in the world.

------
carlchenet
A real hacker move would be to just leave Twitter and go to Mastodon
[https://joinmastodon.org](https://joinmastodon.org)

~~~
westurner
Are you suggesting that Mastodon has a better system for identifying
harassment, spam, and spam accounts? Or that, given that they're mostly
friendly early adopters, they haven't yet encountered the problem?

~~~
r3bl
It seems to me like you don't understand the crucial difference between
Twitter and Mastodon.

There's no such thing as Mastodon, a singular social network. Mastodon is a
series of instances that talk to each other. A sysadmin running the instance
can do whatever he pleases in his instance, including closing the
registration, banning entire instances from communicating with his instance,
and enforcing whichever rules he wants to enforce.

Mastodon doesn't deal with such issues at all. It's sysadmins running Mastodon
instances that are supposed to deal with such issues.

It's more like reddit, where mods of subreddits have nearly complete authority
over their own space on the social network, than it is like Twitter, in which
a single entity is in charge.

~~~
philipwhiuk
You mean like how we defederate email servers that have lots of spammers but
also lots of legitimate users.

Oh wait no we don't.

