Wednesday, September 11, 2013

I forked oolon's repo and stored it on a dongle...

As a software professional, I was interested to learn that the source code for The Block Bot is open source and freely available for anyone to look at and copy. I downloaded it and looked over it, but I haven't had time to examine it in detail, nor can I say for sure that the code on GitHub is the same as the code running on oolon's server. However, I would like to make a couple of points.

Firstly, my understanding is that there is a list of people with admin privileges, including oolon, Aratina Cage and an unknown number of other people, who can add Twitter users to the list. One of the ways they can do this is by sending a tweet to the block bot, specifying the person to be blacklisted and the level the person is to be added to. In addition, if the hashtag "spam" is included in the tweet, the target is not only added to the block-list but is also reported to Twitter as a spammer.

So while it's not the case that anyone blocked is also automatically reported for spam (as has been erroneously stated on some web pages), that capability exists and is open to abuse. Personally I think Twitter screwed up by adding the "report spam" functionality to the API and allowing bots to use it. A captcha should be required to report spam, at a minimum, to reduce abuse of this feature.

Oolon claims that just getting blocked will not in itself lead to your account being suspended. Of course he can't state that as a definite fact unless he's privy to the internal workings of Twitter, but even if he's technically correct, I think he's being disingenuous. What you have to understand is that Twitter's procedure for suspending accounts is highly automated and based on heuristics which Twitter keeps tweaking. Meanwhile, other people are busy reverse-engineering the system and figuring out how to game it to get people they don't like suspended. Do a Google search for "twitter gulag" and "reply trap", and you will get an idea of the type of games that go on.

One tactic I've seen very often is that someone is added to the block bot and then some atheism-plus person - quite often oolon himself, or his sidekick Aratina Cage - will start bombarding the blockee with tweets, and encourage other block bot users to do the same. This happened recently with @tkmlac being dogpiled out of the blue by A. Cage and cronies. This looks a lot like classic "reply trap" behavior - the point being to provoke the target into replying. If you have been blocked but send more than a certain number of tweets to the people who have blocked you, it triggers a Twitter heuristic and you get suspended.

While we can't prove the block bot is being used with malicious intent, based on the observed pattern of behavior this seems quite likely. The bot certainly lends itself to such underhanded activities and automates them to a degree. In a way it's ingenious what oolon has done - he's succeeded in getting hundreds of people to give him control over their Twitter accounts, to do with as he pleases. He can not only block on other people's behalf, he can post or delete their tweets, or basically do anything he likes.

Here again oolon is exploiting a shortcoming of the Twitter API. Not to get too technical, but when you authorize an app to access your Twitter account, you have to give it a certain level of privileges. Some apps can post tweets on your behalf, others can't, depending on how much privilege you authorize. The problem is that the set of possible privileges is way too coarse-grained - it's pretty much all or nothing. Ideally (if I were running the block bot and wanted to use it in good faith) there should be a privilege level that specifically allowed an app to block on your behalf but do nothing else, and the block bot would only need to request this level of access.
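To make the over-privilege argument concrete, here is a small model of delegated-app permissions I've added for illustration; it is not code from The Block Bot or from Twitter's API. The scope names, action names and the hypothetical block-only scope are all constructed: the point is to compute what extra actions a block-only app ends up able to perform when the smallest scope that covers "block" also covers posting and deleting.

```python
"""Model of delegated-app scopes, showing why a coarse read/write split
over-privileges an app that only needs to block.  Constructed example:
scope and action names are illustrative, not Twitter's real API."""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Optional, Set

Model = Dict[str, FrozenSet[str]]

# Coarse model: "write" unlocks every account-changing action at once.
COARSE_MODEL: Model = {
    "read": frozenset({"read_timeline"}),
    "write": frozenset({"read_timeline", "post_tweet", "delete_tweet",
                        "block_user", "report_spam"}),
}

# Hypothetical finer model that adds a dedicated block-only scope.
FINE_MODEL: Model = dict(COARSE_MODEL, block=frozenset({"block_user"}))


def actions_enabled(granted: Iterable[str], model: Model) -> Set[str]:
    """Every action the granted scopes let the app perform."""
    enabled: Set[str] = set()
    for scope in granted:
        enabled |= model[scope]
    return enabled


def is_permitted(granted: Iterable[str], action: str, model: Model) -> bool:
    """Authorization check an app server would run before acting on a token."""
    return action in actions_enabled(granted, model)


def minimal_grant(needed: Set[str], model: Model) -> Optional[Set[str]]:
    """Smallest grant (fewest unlocked actions) that still covers `needed`.
    Brute force over scope subsets; models here are tiny."""
    best: Optional[Set[str]] = None
    best_size = 0
    for r in range(1, len(model) + 1):
        for combo in combinations(sorted(model), r):
            enabled = actions_enabled(combo, model)
            if needed <= enabled and (best is None or len(enabled) < best_size):
                best, best_size = set(combo), len(enabled)
    return best


def excess_capability(needed: Set[str], model: Model) -> Set[str]:
    """Actions the app could perform beyond what it needs under its minimal grant."""
    grant = minimal_grant(needed, model)
    return set() if grant is None else actions_enabled(grant, model) - needed
```

Under COARSE_MODEL a block-only app must take "write" and so also gains post_tweet, delete_tweet and report_spam; under FINE_MODEL the excess is empty.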

So to sum up, there are worrying indications that the bot is being used in ways other than advertised, and people who sign up for it are giving away much more control of their account than probably most of them realize. This is why I would never use it nor encourage anyone else to use it, quite apart from the problem of letting someone else (whose agenda may not be the same as yours) control what you can and can't see on Twitter.

1 comment:

  1. Look forward to you pulling it apart. Another propeller head had a brief look and said it was full of dumbness. Discussion -

    http://i.imgur.com/wQ6D0om.jpg

    The consensus was that yes, ool0n actually is as dull-witted as he sounds. No doubt he is shameless enough to show up and comment here. His life consists of little more than trawling the whole web for any mention.
