Wednesday, June 28, 2017

Christopher Ambler is a Principal Architect at GoDaddy who writes sleek, performant, low-overhead Java and Scala code. In his copious spare time he can be found playing poker or listening to progressive music not in 4/4 time. He recently relocated to sunny California from Seattle.

The Tiki Bar

Work on the Tiki Bar got a big boost this past weekend, when the roof and much of the internal framing were completed. With the help of a friend, the rafters were cut and installed, roof panels put on, and asphalt felt put down on the roof. The plan is to now cover it with palm fronds for looks. I then got some help from J to install the bar framing and start putting up shelves. We also installed the mounting bracket for the television and a pair of outdoor speakers.

The next work session will see the walls cut and mounted. The idea here is to do them with OSB and then cover that with distressed wood for looks. Once the walls are on I will be able to apply sealer and then put in the electronics, including TV, sound and lights. At that point, even though the bar top itself won't be done, the Tiki Bar will be complete enough that I can start the process of making the video podcasts. The first couple will have the bar in an unfinished state, which should be interesting.

It's nice to make progress! The last five weekends were rained out!

$#!& Happens

The failure at the Oscars demonstrates a good point to remember: $#!& Happens. My take is that after much analysis, we will find that there were duplicate stacks of envelopes on both sides of the stage, and the wrong envelope was given to the presenters (Warren Beatty and Faye Dunaway). Clearly, Mr. Beatty was confused and hoping someone would notice the problem and correct it. Unfortunately, it took a little longer. 

It's interesting to note that there is a protocol for such things, and in an article from 2015, that protocol is outlined. It's also interesting to see that this has, indeed, happened before, albeit not for the "top" award. 

The bottom line is that a mistake was made, it was spotted, it was corrected. It was embarrassing, but what in life isn't? People will be held accountable, apologies will be made, and everyone handled it with as much poise and grace as possible. Nobody died. I say Bravo.

If only every failure in life could go so well.

You're Being Treated Like a Child

My son likes to think he's a lawyer and, unlike many children who simply ask the same question over and over, will often ask the same question multiple times but from different angles. At some point, usually pretty early (I like to think I'm a smart guy), I realize he's doing this, and I shift into giving a response that I've found works well. I can't claim credit for it; I read it on a parenting blog.

In short, when a child persists with the same question, simply respond, "Asked and Answered." It quickly shuts down the repeated questions because you're giving a repeated answer instead of trying to craft a new response to a repeated query.

This past weekend, White House Senior Advisor Stephen Miller was asked, time and again, about claims of rampant voter fraud. It wasn't a case of his being asked the same question multiple times; he was simply asked for any evidence, much less proof, every time he made a new claim. And every time he made a new (and often different) claim and was pressed for evidence, he simply responded

Asked and Answered

As if he were dealing with a petulant child. Or, more accurately, as if he were treating the media like a petulant child.

Because he was.

Welcome to the new Ministry of Propaganda. They seem to be finding their legs.

Your Mother

The .mom registry is now open - thousands of new top level domains, and .mom is one of them.

Your.Mom is available, as it turns out. Of course, it's a premium name and the first year fee is a steep $2,600. Tell you what, if someone wants to drop that coin on the name, I'll do the content and we'll split the revenue. What do you say?

Oh, and I note that Stacys.Mom is also available, but she will cost $1,300. That said, I hear she's got it going on!

Match's Fake Problem

A Little About Me

Before I dive in, let me note that I'm a software architect. I've been designing systems and writing code for almost 30 years (no, I'm not that old, I started in junior high school - if you want to get serious, I've been a professional developer since about 1990). The design of secure systems is something I know more than a little about. I'm not above admitting that in my youth I was what you'd call a hacker. Seen War Games or Hackers? It's not like that, but you get the idea. So when I see systems that have flaws, I tend to geek out on them. When those flaws affect me directly, I geek out even more. This issue has become the fingernails-on-the-chalkboard of my geek cred. I'll own that. Let me also start by saying that I met my girlfriend on Match, so I have no gripe with the idea of online dating or Match's business in general. Indeed, I'm a shareholder. But with that out of the way, I need to blog about a problem the site had when I was active, and appears to still have. And I have to comment on the absolute lack of concern the site's administration seems to have regarding the problem, to the point of appearing to actively ignore it. So... what's got me all frothy?

The Problem

The problem I have is with the vast number of fake accounts and fake activity, and how Match profits from this and thus has no incentive to remedy the situation, even in the face of obvious steps that could be taken. Let's dive in.

When one first signs up at Match, the activity and interactions begin. Presuming you've actually gone to the trouble to create a reasonable profile and fill out the demographics, you will begin to show up in the searches that others do. Once you start looking at other profiles and liking their photos, or stating that you're interested by clicking the checkmark on your "daily matches," you will start to interact with others. Unfortunately, many of these interactions come from fake accounts.

Why fake accounts? Simple: those looking for love are vulnerable. Strike up a conversation with someone and you have a motivated target who is much more likely to fall for whatever pitch you're throwing. This avenue has a much higher success rate for the scammer than simple spam does. So if you're looking to profess love and then ask for money ("I need $500 for a plane ticket to come see you!"), plead hardship ("I'd love to come to the United States but I need $750 for a visa"), or even make a few bucks peddling porn ("I have sexy pictures, but they're on a site that requires you pay $20 to prove you're an adult."), you've got a much higher chance of success on a dating site. Scammers know this, so they make tons of fake accounts and lure people in. It's a thing.

The Analysis and Solution

The source of my angst is that it's dead simple to spot these accounts, both through their content and through their activity, and Match seems to make no effort to remove them short of customer complaints. After this analysis I'll show why this policy is actually a money-maker for them, and also lets them state that they do their best based on complaints, a position that is somewhat disingenuous. So how easy is it to spot these fake accounts? Blindingly so. First, let's take the easy attributes. Given a decent match on these, one could filter out fake accounts on this basis alone (note that I describe fake female profiles, since that's what I see):
  • The age being picked lately is 29. While fake accounts use many ages, this one is picked most often.
  • The profile has one paragraph. It is comprised of a few sentences, typically picked randomly from a list of about 30 as far as I can tell.
  • The profile has one picture.
  • The age range of the men the profile is looking for is typically in the early 30s to 50s. This clearly gets it in the right searches for its purpose.
  • The requirements for the profile's match are never filled in except the height, which is set at the maximum range. I suspect this is because the bots only fill in the first field.
But it gets even easier when you actually pattern match on the written profile. As I pointed out, they're typically just one paragraph. Given that, one could find sentences duplicated across profiles and create candidate filters from that alone. But the real kicker is that all of these fake accounts have the same sentence embedded: a call to email. The email is split up, apparently to avoid a pattern match that doesn't exist (if it did, Match would be using it on the known patterns). In all cases, the emails look like "username g mail com" or some broken variant thereof. A simple regular expression over the known patterns, run on text normalized for case and spacing since the mangling varies, would catch every profile that uses them at the moment it is created. Here's an actual example:
Unfortunately I am unable to read messages on this site so you can emal me at nnak06 a gmal and send me a wink so I know who I'm taking to.
So let's presume for sake of argument that Match decided to get serious and implemented a solution based on my above observations. As a developer, I can tell you that I could code this up in a weekend. That's not hyperbole. And that's not an idle note - Match? I'll come into your San Francisco offices any weekend you like and do it. Free.

So let's imagine that Match did this and the fake account folk got wise. That means they'd have to have humans mixing it up, which is more work than they want to do. But let's further presume that they did. What then? Simple: any account that doesn't fill out all the fields, or at least go through the clicks to choose "decline to answer" with appropriate human-necessary interaction (use the ReCaptcha x/y algorithm, guys), can't send winks or likes until it does. It can do everything else. It can even receive interactions, so in the rare case that it's a real person, that creates more incentive to finish the profile or even pay for a subscription.

One other clear solution would be to throttle notifications. Many times a member will receive an email saying they got a wink or a like, only to find, when clicking through, that the profile no longer exists. Match did, indeed, remove it after the abuse happened. But why wait until after? (I answer this below.) When the account sends a lot of winks and likes (and thus gets reported in a spike of activity), it is removed. So why not just hold those notifications for a short period and trigger a warning when an account goes over a threshold? Watching the activity would clearly distinguish an automated system from a human looking at profiles and liking a lot of them. If this pattern is seen, the account is suspended and flagged for further scrutiny.
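To make the content side of this concrete, here is an added example (not Match's code and not from the original post) that turns the attribute list, the shared-sentence check and the obfuscated-email pattern above into one filter and runs it over three constructed profiles. The record fields (age, photos, seeking, prefs_filled, about), the regular expression and the weights are all assumptions made for illustration:

```python
"""Heuristic fake-profile filter built from the signals listed above.

Added example, not Match's code. Every profile record below is constructed,
and the field names (age, photos, seeking, prefs_filled, about), the regex
and the weights are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample profiles. Profile 1 carries the obfuscated-email sentence
# quoted in the post, profile 2 a "broken variant" of it, profile 3 reads like
# a real member who happens to mention gmail.
PROFILES = [
    {"id": 1, "age": 29, "photos": 1, "seeking": (32, 55), "prefs_filled": {"height"},
     "about": "I love long walks and good wine. Unfortunately I am unable to read "
              "messages on this site so you can emal me at nnak06 a gmal and send me "
              "a wink so I know who I'm taking to."},
    {"id": 2, "age": 29, "photos": 1, "seeking": (30, 52), "prefs_filled": {"height"},
     "about": "I love long walks and good wine. I cant reply here, write me at "
              "sunnyk92 g mail com and wink me."},
    {"id": 3, "age": 41, "photos": 6, "seeking": (38, 50),
     "prefs_filled": {"height", "education", "smoking", "wants_kids"},
     "about": "Engineer, hiker, terrible cook. Looking for someone who laughs at bad "
              "puns and argues about music. Yes, my gmail is in the profile once we match."},
]

# A handle, an optional "at"/"a" connector, then a mangled webmail host:
# "nnak06 a gmal", "sunnyk92 g mail com". Anchoring on the handle-plus-host
# shape rather than on the word "gmail" is what keeps profile 3 clean.
OBFUSCATED_EMAIL = re.compile(
    r"\b(?P<user>[a-z0-9._-]{3,})\s+(?:(?:at|a)\s+)?"
    r"(?P<host>g\s?ma?i?l|gmal|yahoo|hotmail)\b(?:\s*\.?\s*com)?",
    re.IGNORECASE,
)

def normalize_sentences(text):
    """Split free text into lower-cased, punctuation-stripped sentences."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [re.sub(r"[^a-z0-9 ]", "", p.lower()).strip() for p in parts if p.strip()]

def template_sentences(profiles, min_profiles=2):
    """Sentences that recur verbatim across distinct profiles: bot boilerplate."""
    seen = Counter()
    for p in profiles:
        for s in set(normalize_sentences(p["about"])):
            seen[s] += 1
    return {s for s, n in seen.items() if n >= min_profiles}

def score_profile(p, templates):
    """Return (score, reasons). The email pattern alone is decisive; the weak
    attribute signals from the list only add up when several co-occur."""
    strong, weak = [], []
    m = OBFUSCATED_EMAIL.search(p["about"])
    if m:
        strong.append(f"obfuscated email: {m.group('user')} @ {m.group('host')}")
    shared = [s for s in normalize_sentences(p["about"]) if s in templates]
    if shared:
        strong.append(f"{len(shared)} sentence(s) shared with other profiles")
    if p["age"] == 29:
        weak.append("age 29")
    if p["photos"] == 1:
        weak.append("single photo")
    if "\n" not in p["about"].strip():
        weak.append("single paragraph")
    lo, hi = p["seeking"]
    if lo <= 35 and hi >= 45:
        weak.append("broad 30s-to-50s seeking range")
    if p["prefs_filled"] == {"height"}:
        weak.append("only the height preference set")
    score = (10 if m else 0) + 3 * len(shared) + len(weak)
    return score, strong + weak

def flag_fakes(profiles, threshold=5):
    """Map profile id -> reasons for every profile scoring at or above threshold.
    All five weak signals together reach the threshold on their own."""
    templates = template_sentences(profiles)
    flagged = {}
    for p in profiles:
        score, reasons = score_profile(p, templates)
        if score >= threshold:
            flagged[p["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for pid, why in flag_fakes(PROFILES).items():
        print(pid, why)
```

Run as-is it flags profiles 1 and 2 and leaves profile 3 alone. The point of the weighting is that a single weak attribute (being 29, having one photo) never flags anyone by itself, while the obfuscated address is enough on its own; the shared-sentence check needs the whole corpus, so it belongs in a batch job rather than the signup path.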

The Smoking Gun: Top Spot

Another metric is sheer site activity. Match has a feature called "top spot" that artificially places a profile at the top of search results. You pay for this, of course. I was curious when I was using Match last year, so I paid for a couple of tries at it to see how it worked. Sure enough, the views on my profile went way up and, with them, so did the activity from fake accounts.

One benefit of "top spot" is that it shows you who has viewed your profile in an interesting real-time timeline. Whereas you usually see who has viewed you in a grid of accounts, in the case of "top spot" you see a timeline that includes duplicate views. So if someone clicks to view you and then does it again 30 seconds later, you see them twice. Sure enough, fake accounts come up ten, twenty or even thirty times in a span of a few minutes. Clearly it's automated: a script re-pulling the search results every few seconds and opening whatever it finds. When you pay for the top spot you artificially show up at the top, and these scripts pick you up on every pass. If I, as a customer, can see this, Match's code could see it even better. There is simply no way that Match cannot see, from usage metrics, when automated scripts are being used. It's just not possible that they don't know this goes on, and they could prevent it if they chose.
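The notification throttle proposed in the previous section and the repeated-view timeline described here are the same problem: burst detection over an event stream. Here is an added example (not Match's code and not from the original post) that does both with a sliding window, holding notifications from any account that trips a threshold. The event stream is constructed, and the record layout (seconds, actor, action, target) and the thresholds are assumptions:

```python
"""Sliding-window burst detection over winks, likes and profile views.

Added example, not Match's code. The event stream is constructed and the
record layout (seconds, actor, action, target) and thresholds are assumptions.
"""
from collections import defaultdict, deque

# Constructed event stream. "bot7" fires 40 winks in two minutes and re-views
# "me" every four seconds, the way the top-spot timeline shows; "alice"
# browses like a person. Tuples sort by time.
EVENTS = sorted(
    [(t * 3, "bot7", "wink", f"user{t}") for t in range(40)]
    + [(1000 + t * 4, "bot7", "view", "me") for t in range(25)]
    + [(t * 90, "alice", "view", f"user{t}") for t in range(8)]
    + [(300, "alice", "wink", "user3"), (900, "alice", "wink", "user5")]
)

class BurstDetector:
    """Flags an account whose wink/like rate, or repeat-view rate against one
    target, exceeds a threshold inside a sliding window, and holds that
    account's notifications instead of sending them straight out."""

    def __init__(self, window_s=300, max_actions=20, max_repeat_views=5):
        self.window_s = window_s
        self.max_actions = max_actions
        self.max_repeat_views = max_repeat_views
        self.actions = defaultdict(deque)   # actor -> wink/like timestamps
        self.views = defaultdict(deque)     # (actor, target) -> view timestamps
        self.flags = defaultdict(dict)      # actor -> {reason: peak count}

    def _trim(self, dq, now):
        # Drop timestamps that have fallen out of the window.
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def _flag(self, actor, reason, n):
        self.flags[actor][reason] = max(self.flags[actor].get(reason, 0), n)

    def observe(self, ts, actor, action, target):
        """Ingest one event. Returns True if its notification may go out now,
        False if the actor is flagged and the notification should be held."""
        if action in ("wink", "like"):
            dq = self.actions[actor]
            dq.append(ts)
            self._trim(dq, ts)
            if len(dq) > self.max_actions:
                self._flag(actor, f"{action}_burst", len(dq))
        elif action == "view":
            dq = self.views[(actor, target)]
            dq.append(ts)
            self._trim(dq, ts)
            if len(dq) > self.max_repeat_views:
                self._flag(actor, f"repeat_view:{target}", len(dq))
        return actor not in self.flags

def run(events, **thresholds):
    """Replay an event stream; return (flags, notifications delivered per actor)."""
    det = BurstDetector(**thresholds)
    delivered = defaultdict(int)
    for ts, actor, action, target in events:
        if det.observe(ts, actor, action, target) and action != "view":
            delivered[actor] += 1
    return dict(det.flags), dict(delivered)

if __name__ == "__main__":
    flags, delivered = run(EVENTS)
    print("flagged:", flags)
    print("notifications delivered:", delivered)
```

With these thresholds the bot's first 20 winks still produce notifications before the window fills; holding every notification for a short delay before sending would close that gap, at the cost of slightly later mail for real members. A bot that slows itself below the rate threshold slips past this check, which is why it pairs with the content filter rather than replacing it.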

My Plea

Yes, I wrote Match about this. I even went as far as to state, specifically, that I would like my mail sent to senior management and not handled by a customer service representative. Of course that was ignored and I got a canned response, including (apparently to pacify me?) an offer of free subscription time. As you can see, my concern was not addressed at all, but the hand-waving is pretty good:
I appreciate the time you've taken to contact Match about your general concerns with the site. Please be assured, Match does not send members misleading notifications, e-mails or winks professing romantic interest. We have too much respect for our members to ever compromise their trust. I can assure you that we are absolutely interested in pursuing any situation involving those who attempt to use our site in dishonest ways. We have a dedicated team that works diligently to identify and remove these kinds of members. Unfortunately, though, some of them still manage to get a few emails out, which is why we appreciate it so much when you take the time to let us know about the situations you see that we may not have caught. In the future, you're welcome to streamline your reports by using the "Report a Concern" link on the member's profile. This will send your report directly to our security team that can open a case immediately and take the right action. Unfortunately, privacy policies stop us from being able to share with you what actions we take, but this really is the fastest way to ensure that the situation is addressed appropriately. Thank you so much for what you are doing to help us in this area. For more information, feel free to review our Online Dating Safety Tips.
I didn't expect otherwise, frankly. For all the protestations to the contrary, Match doesn't really seem to care or listen to their paying customers.

The Reasons

So why, if this problem is so easy to solve, does it persist? The reason is likely clear - metrics and activity and, ultimately, paying subscribers. These fake accounts still increase the number of members. From a sheer numbers game, Match can say, "Hey, we remove them when we can, so don't worry about it." Indeed, I've gotten this response from them when I've brought it up. The point remains that these fake accounts artificially increase the membership numbers.

But the real heft comes when you realize that these fake accounts are sending winks and likes and even emails. Why is this important if they're clearly fake? Because if you don't pay for Match, the notification you get tells you that "She is interested!" and asks you to subscribe (read: pay) to see who she is. You plunk down your $60 for three months of subscription and find that the love of your life is a fake. You complain. Match sends a canned response saying that they're removing fake accounts as they find them, and hey, check out these other profiles. But the bottom line is that you paid. They have your money and you're now a customer.
The fake accounts generate revenue for Match. It's that simple. They have no incentive to remove them, and thus, they never will.