Attacker Has Techdirt Reclassified As Phishing Site, Proving Masnick’s Impossibility Law Once Again
from the oh-hey,-that's-us dept
Here on Techdirt, we write a lot about content moderation and even did a whole big series of content moderation case studies. However, here’s an interesting one that involves Techdirt itself from a couple weeks ago. It’s also a perfect example of Masnick’s Impossibility Theorem in action and a reminder of how the never-ending flood of spam and scams provides cover for bad actors to sneak through abusive reports.
This case should also be a giant red flag to policymakers working on content moderation laws. If your policy assumes everyone reporting content has pure motives, it’s not just naive, it’s negligent. Bad actors will exploit any system that gives them power to take down content, full stop.
Here’s what happened:
We were off on the Friday after Thanksgiving, and I went for a nice hike away from the internet. After getting home that evening, I saw an email saying that when the sender had tried to visit Techdirt, they received a warning from Cloudflare that the site had been designated a “phishing” site.

I logged into our Cloudflare account and found that we had been blocked for phishing.

I did have the ability to request a review:

But, this all seemed pretty damn silly. Then I remembered that a couple days earlier, I had received a very odd email from another security provider, Palo Alto Networks, telling me that it had rejected my request to reclassify Techdirt as a phishing site. Somewhat hilariously, it said that the “previous” category was “computer and internet info” and that I had requested it be reclassified as phishing (I had not…) and instead they had “reclassified” it back to computer-and-internet info.

It seemed fairly obvious that some jackass was going around to security companies trying to get Techdirt reclassified as a phishing site. It didn’t work with Palo Alto Networks, but somehow it did with Cloudflare. It’s unclear if it was tried anywhere else, and how well it worked if it was tried elsewhere.
Thankfully, Cloudflare was quick to respond and to fix the issue. On top of that, the company was completely open and apologetic about how this happened. There was no hiding the ball at all. In fact, Cloudflare’s CEO Matthew Prince noted to me that this kind of thing might be worth writing about, given that it was a different kind of attack (though one he admitted the company never should have fallen for).
So how did this happen? According to Cloudflare, their trust & safety team were trying to go through a backlog of phishing reports and bulk processed them without realizing there was a bogus one (for Techdirt!) in the middle.
I understand that some people in my shoes would be pretty mad about this. However, I’ve spent enough time with trust & safety folks to know that this kind of shit happens all the time. And it kind of has to. The vast, vast majority of trust & safety work is processing just obvious bad stuff: spam and scams. If you’re dealing with hundreds or thousands of those at once, it’s totally possible for a legitimate one to slip through the cracks. If a company actually hand-reviewed every single possible report, then the backlog would grow larger and larger, leaving actual spam and scam sites online.
This is the impossible bind that trust & safety teams find themselves in. Trust & safety teams obviously feel compelled to remove actual spam and scams relatively quickly to protect users. But going too quickly sometimes means making some mistakes.
We were just caught in the crossfire on this one. That’s not to say that this kind of nonsense would work for anyone else. Cloudflare tries to review such reports, but sometimes mistakes happen. I mean, we get the same thing (on a smaller scale) with our spam filter here at Techdirt. If we get 2000 spam comments a day (which happens most days) and one false positive gets caught, we might not spot it. We actually have a separate system that tries to catch those mistakes and shunt them to a separate queue, so I think we still find the vast majority of falsely flagged comments, but I’m sure we miss some.
This is always going to be a challenge for trust & safety teams, and not something that some new regulation can realistically help with. If the law mandated a human review, you’d get problematic results with that too. Backlogs would grow. And even with a human, there’s no guarantee they’d have spotted this bogus request, since they’d probably be rapidly reading through hundreds of other similar reports, without the time or the capacity to go check each site carefully.
Cloudflare told me that the message they received was obvious bullshit. Someone sent them a report about Techdirt, saying “There is malware that they spread to their visitors.” The problem was just that, in this case, no human read it. We just got bulk processed with a bunch of other reports, most of which I’m sure were really about sites pushing malware or phishing.
Yes, it may be mildly annoying that visitors were warned away from Techdirt for a few hours. But to me, it’s even more fascinating to see someone trying this attack vector and having it work, if only briefly.
It’s a reminder that bad actors will try basically anything to try to find weaknesses in a system. So many of the laws around content moderation around the globe, such as the DSA, often seem to assume that basically everyone is an honest broker and well-meaning when it comes to moderation decisions. But, as we see here, that assumption can help allow bad actors to wreak havoc.
As they consider new content moderation laws, policymakers need to start from the premise that some people will abuse any system that lets them take down content. Laws that assume good faith are doomed. There are inherent tradeoffs in any approach, and even with the best system, mistakes are inevitable. The DMCA teaches us that any system that enables content removal will be abused. Policymakers must factor that in from the start, and yet they almost never acknowledge this.
Anyway, I appreciate Cloudflare’s quick response, apology, and willingness to be quite open about how this happened. And thanks for giving us another interesting content moderation case study at the same time.
Filed Under: content moderation, malicious actors, masnick's impossibility theorem, phishing
Companies: cloudflare, techdirt


Comments on “Attacker Has Techdirt Reclassified As Phishing Site, Proving Masnick’s Impossibility Law Once Again”
This comment has been flagged by the community.
Speaking of bad actors, is Jesse Singal gonna be banned from Bluesky or not?
Re:
Speaking of bad actors, will you stop acting like your pet issue justifies spamming unrelated comments?
Re:
Probably not. It’s run by libertarians. The main selling point is that there’s no algorithm shoving far-right bullshit in your face, and you can actually block them without having them shoved in your face anyway.
This comment has been flagged by the community.
Re: Re:
Singal is blatantly violating Bluesky’s ToS by going around looking for ways to evade blocks so he can spy on trans people on Bluesky and brigade against them. Bluesky banned LibsOfTikTok, why can’t they ban this dirtbag? This is one case where content moderation at scale is actually pretty fucking easy. But I guess you’re right, Bluesky is run by technolibertarians and thinks that people blocking him will be enough to stem the harassment that he wants to cause, even though it actually won’t.
All the staff at Bluesky being radio-silent about Singal is really damning.
Re: Re: Re:
Take it up with them numbnuts.
Re: Re: Re:2
You mean like I did with the Bluesky Board Member who wrote this article?
Re: Re: Re:3
No, what you did here was shit up a comment thread on an unrelated website. Take it up with their moderation people, you fucking tool.
Re: Re: Re:4
“Unrelated” is doing a lot of heavy lifting here.
Re: Re: Re:5
No, not at all. If your cheating spouse works at a coffeeshop, you don’t bring up adultery when ordering your grande latte.
Re: Re: Re:6
I do if I’m ordering my latte from people who wrote the whitepaper for my wife’s cheating.
Re: Re: Re:7
That seems rude.
Re: Re: Re:7
In this analogy, your wife’s cheating is Singal’s behavior. Mike didn’t write a whitepaper for Singal’s behavior.
Re: Re: Re:2
This is one of those rare instances where I agree with the troll and not the Techdirt commentariat. By not giving Jesse Singal the same treatment that Chaya Raichik and Laura Loomer got when they made BlueSky accounts, and the way Trust and Safety defended their inaction put their trans users (such as myself) at risk and showed they don’t care about us.
Re: Re: Re:3
I agree that Singal’s behavior is abhorrent and the issue should be addressed by the appropriate people. I just think spamming comments about it on multiple articles that aren’t the platform where it’s occurring is obnoxious and not the best way to seek redress. Not every Techdirt reader is on Bluesky or has heard of Singal. Not every comment section should be fair game for off-topic comments. We have to deal with disingenuous, spammy trolls already, so having well-intentioned trolls that just add to the noise isn’t productive.
Re: Re: Re:4
They should go complain somewhere we can ignore them.
Re: Re: Re:3
It’s always fun when the TD rank-and-file wave their privilege in our faces.
Re: Re: Re:
If your post being posted elsewhere bothers you, sounds like you don’t stand behind what you are saying.
If you aren’t willing to own it, don’t post it.
Re: Re: Re:2
Reading comprehension, che… Oh, wait. No.
Re: Re: Re:
You say “spy” like it’s not a publicly scrapeable API. Have you not heard of clearsky?
I don’t know if the idea that this is how the trolls spend their holidays is fucking hilarious or deeply sad.
Re:
Two things can be true.
Re:
You say that as if it can not be both?
Re:
One country in the world had a holiday on that day. 194 didn’t.
Hah, Koby finally managed to pull it!
Jokes aside, I like how Cloudflare responded. This should be the standard procedure.
This comment has been flagged by the community.
Re:
Naaa, I would never do that to you comrades.
In any case, if the number of reports exceeds the capacity for human review, and at least SOME bulk processing is inevitable, then there needs to be a priority system. Established sites ought to be immune to takedown until human review occurs. For example, a website in good standing, which has been around for 27 years, called techdirt.com enjoys immunity. While another site which was established only 5 days ago, with 50 spam reports, called totallylegaldrugs-usashipping.af qualifies for bulk processing.
Re:
OH COME ON!
Like k-dawg is smart enough to pull that off…
You mean that it could happen that few of these 2000 daily posts of Matthew M Bennet are false positives?
I hate to get off-topic here, but the next actual article on the site (the one about ShotSpotter) is the third or fourth article this week where commenting is unavailable because something in the HTML prevents the comment box from even showing up. Might wanna look into that, yo.
Re:
I had noticed that as well, but had thought “surely someone’s sent them a feedback note or something about it”. … alternately, “they look at comments to the articles regularly, don’t they?”
Perhaps I was wrong on both counts?
Re:
If I’m not mistaken the <iframe> tag is closed incorrectly — it’s self-closed (<iframe />), which you’d think would work for iframes, but it doesn’t; it has to be <iframe></iframe>.
Re:
It’s present for me. I would comment, but a “I was here and can comment” comment sounds like it would be spam.
You might try disabling javascript (also it’s good hygiene). Though I would be interested to know if it’s already been fixed (and thus I never looked at it at the right time).
Re: Re: still borken
So it is, but that breaks things like preview and flag. They worked on the old platform, so I presume it is possible for them to work, but somehow the upgrade broke them.
I presume that the techs have been furiously trying to find the code from the old platform so they can see what they broke. I also presume that swine can fly so as to reduce delivery costs on bacon.
Re:
In my case it’s the cookie notification (bottom bar). It tells me to click “Got it”, but doesn’t go away.
Re: Re: yeah, that too
Yes, that is another bug. How hard is it to make the “got it” button send something to either remember or set a cookie? It is not as though this is a new problem.
It is also not as though the warning with failed “got it” button is a useful feature.
There's nothing "impossible" about this UNLESS you're a mere novice
And that’s much of the problem: that people on these T&S teams are mere novices, because the companies that employ them are far too cheap to hire seasoned, experienced professionals with decades of experience in networks, systems, attacks, abuse, etc.
And that in turn is why they fail to use well-known tactics to reduce the scale of the problem to a manageable scope. Here’s one of them:
Suppose that you receive a report from Joe Cool that site XYZ presents issues. You investigate. You reach conclusions. You resolve the report. And it turns out that Joe Cool was right. So one of the things you do is note that Joe Cool has filed (1) report and that it was (1) accurate report.
Meanwhile, Joe Scumbag has filed three reports, and you figure out — after investigation — that all three are nonsense. You resolve those reports, and you note that Joe Scumbag has filed (3) reports and that these were (3) bogus reports.
See where this is going? You accumulate knowledge about reporters, and you use that to prioritize your investigations. Done correctly, over time this means that you’ll do more effective work more quickly, and that will reduce the volume of reports you receive — because you will have solved a substantial number of problems before other reporters notice them.
This is easily done using standard open-source tools that have been around for decades. It’s not the only such technique — there are many others. But what all of them have in common is that they leverage careful work (done in the past) to reduce the volume of work (that needs to be done in the future). This is baseline competence in the field 101, and anyone who isn’t doing all this stuff has no business working in this area.
Re: Great comment
And yes, there are so many tools you can use to score and vet these reports, that you should use. I’m sympathetic to mistakes – and good on Cloudflare for resolving it quickly – but I hope they also examined closely what tells were on this report and what they can teach their tools to look for, with agency and power to get those changes to their tools.
Putting smart people in your Trust & Safety instead of trying to make it cheap and commoditized is the better way. And those people aren’t always (only) engineers, sometimes they’re people trained in sociology, history, journalism, etc.
The other thing I want to say is, I can’t see how regulation is a workable answer and even as a practitioner, I don’t know how you’d regulate it in a way that gives people the flexibility to use their expertise and knowledge to adapt to whatever the bad actors are doing next, while simultaneously forcing ethics on the stupid. Every attempt at rulemaking I’ve seen only seems to inadvertently hand the bad actors more tools. I’d love to meet or hear from someone who has figured that out.
Re: Re: Masnick's Impossibility Theorem at work
As long as you realize that the cost of human intervention does not scale the same way profit (or acceptable costs) do. Thus, there will always be automation. Automation can always be gamed. Humans can be gamed as well, just not quite as easily as automation.
Note, for example, how difficult it is to get Youtube or Facebook to respond with a human. Scaling.
And in some cases, the appeals mechanism breaks as well: example. IE “You aren’t able to get online? Go to our web page and …”
Re:
It works to a degree, but, really, hosters shouldn’t be taking sites down without evidence anyway. Like, open up the provided URL and ask “does anything here look like phishing?”; for most actual phishing site, that’d take literally two seconds.
One might also note that the site’s been hosted for years, with a lot of traffic and no confirmed phishing, and use that for reputation.
As for reporter reputations, what tends to happen there is that people will “farm karma”. Create a reporting account, have a bot mine for phishing from an existing email account, and (legitimately) report all of it. Then “turn bad” or just sell the account. One can also hack old accounts, especially abandoned ones.
There’s also the possibility that most reports come from “new” reporters (really, how often are you gonna report stuff to Cloudflare?), in which case reputation doesn’t mean much.
Re: Re:
I’m no moderator, but I understand the time and resources behind building trusted identities enough to understand how the above solution would weed out most low-investment trolls. For one, takedowns rarely rely on just one reporter.
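The reporter track-record idea from the thread above, combined with the site-standing priority suggested in an earlier comment, as an added Python example (not code from Techdirt, Cloudflare or any commenter). All thresholds, field names and sample data are assumptions constructed for illustration; site standing is checked before reporter score so that the "karma farming" weakness raised in the replies cannot push an established site through bulk processing.

```python
from dataclasses import dataclass

# All thresholds are assumptions for this example, not values from any provider.
ESTABLISHED_AGE_DAYS = 365   # older, clean domains always get a human look
MIN_HISTORY = 3              # resolved reports needed before a score is trusted
BULK_SCORE = 0.8             # reporter score at or above this allows bulk action
LOW_SCORE = 0.25             # reporter score at or below this is deprioritized
CORROBORATION = 10           # distinct reporters that justify bulk on a young domain

@dataclass
class Reporter:
    accurate: int = 0        # reports confirmed after investigation
    bogus: int = 0           # reports found to be nonsense

    @property
    def resolved(self) -> int:
        return self.accurate + self.bogus

    def score(self) -> float:
        # Laplace smoothing: an unknown reporter scores 0.5, and a single
        # accurate report is not enough to reach a perfect score.
        return (self.accurate + 1) / (self.resolved + 2)

    def record(self, was_accurate: bool) -> None:
        if was_accurate:
            self.accurate += 1
        else:
            self.bogus += 1

@dataclass
class Report:
    reporter_id: str
    domain: str
    domain_age_days: int
    confirmed_abuse: int     # past confirmed abuse findings for this domain
    distinct_reporters: int  # how many different accounts reported the domain

def triage(report: Report, reporters: dict) -> str:
    """Return 'human_review', 'bulk' or 'low_priority' for one report."""
    rep = reporters.setdefault(report.reporter_id, Reporter())
    # Site standing is checked first, so a farmed or hijacked high-score
    # account cannot push an established, clean site through bulk processing.
    if report.domain_age_days >= ESTABLISHED_AGE_DAYS and report.confirmed_abuse == 0:
        return "human_review"
    trusted_history = rep.resolved >= MIN_HISTORY
    if trusted_history and rep.score() <= LOW_SCORE:
        return "low_priority"
    if (trusted_history and rep.score() >= BULK_SCORE) or \
            report.distinct_reporters >= CORROBORATION:
        return "bulk"
    return "human_review"    # new reporters carry no signal either way

if __name__ == "__main__":
    # Constructed sample data.
    reporters = {"joe_cool": Reporter(9, 0), "joe_scumbag": Reporter(0, 3)}
    for r in (Report("joe_cool", "old-site.example", 9855, 0, 1),
              Report("joe_cool", "new-site.example", 5, 0, 1),
              Report("joe_scumbag", "new-site.example", 5, 0, 1),
              Report("first_timer", "new-site.example", 5, 0, 50)):
        print(r.reporter_id, r.domain, triage(r, reporters))
```

After each investigation, calling `record()` on the reporter feeds the outcome back into later triage decisions.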
I guess this is part of the content creator's job along with creating content, not just moderators.
If you 100% rely on moderators to protect you from false takedown accusation, you are surely mistaken. Therefore content creators are the last line of defense against false takedown accusation.
Re:
WTF are you talking about?
Re: Re:
The joy of being unburdened
Re: Re: Re:
Unburdened by reason for sure.
Re:
lolwut?
This could be legit if their backlog is old enough. Remember way back when this site had ads? There were some which would forcibly redirect the browser to malware sites.
The DMCA does acknowledge this. It just made some fatal mistakes in actually enforcing it, but you can very clearly see the elements that are supposed to be there. The counterclaim process, the perjury, etc. They don’t always get it right, and it gets overshadowed a lot, but “almost never” is massively hyperbolic.
Eh, I mean, I would say Cloudflare is in fact doing it well. It’s just not doing it perfect. And that’s fine. If anything, it’s a counterexample- it’s doing just fine, despite the massive flood of bullshit. The occasional fuck up, especially one responded to promptly, is perfectly fine. If other companies ran moderation this tightly, it’d be much less of an issue. They don’t.
For all the times and past
Who remembers the old Forums on the net..
Filled with Tons of this and that and the other things.
Being a Forum monitor was interesting.
I wonder thru FB, and pointed out the Fake Adverts and FB, decided NOT to Disco them. All those sites trying to Sell Gold/silver/Rare coins, and NOT one of them had a real Address. And a few were the same locations as others, Just Copy paste. You could tell very quickly by the Styles of the pages.
Interesting part was Tracking thru Whois. And finding 1 company fronting for Most of the sites trying to Fake advert on FB.
The ones that get me, are those that REQUIRE you to Give your Info before you can see their page. Esp. When I can go somewhere else and see the page with no problems.
Re: best part on this site
is Upsetting Someone, and waiting to see how they react.
Not it.
You’ll never get my login information!