Twitter widens its view of bad actors to fight election fiddlers

Twitter has announced more changes to its rules to try to make it harder for people to use its platform to spread politically charged disinformation and thereby erode democratic processes.

In an update on its “elections integrity work” yesterday, the company flagged several new changes to the Twitter Rules which it said are intended to provide “clearer guidance” on behaviors it’s cracking down on.

In the problem area of “spam and fake accounts”, Twitter says it’s responding to feedback that, to date, it’s been too conservative in how it thinks about spammers on its platform, and only taking account of “common spam tactics like selling fake goods”. So it’s expanding its net to try to catch more types of “inauthentic activity” — by taking into account more factors when determining whether an account is fake.

“As platform manipulation tactics continue to evolve, we are updating and expanding our rules to better reflect how we identify fake accounts, and what types of inauthentic activity violate our guidelines,” Twitter writes. “We now may remove fake accounts engaged in a variety of emergent, malicious behaviors.”

Some of the factors it says it will now also take into account when making a ‘spammer or not’ judgement are:

  • Use of stock or stolen avatar photos
  • Use of stolen or copied profile bios
  • Use of intentionally misleading profile information, including profile location

Kremlin-backed online disinformation agents have been known to use stolen photos for avatars and also to claim accounts are US-based, despite the spambots being operated out of Russia. So it’s pretty clear why Twitter is cracking down on fake profile pics and location claims.

Less clear: Why it took so long for Twitter’s spam detection systems to be able to take account of these suspicious signals. But, well, progress is still progress.

(Intentionally satirical ‘Twitter fakes’ (aka parody accounts) should not be caught in this net, as Twitter has had a longstanding policy of requiring parody and fan accounts to be directly labeled as such in their Twitter bios.)

Pulling the threads of spambots

In another major-sounding policy change, the company says it’s targeting what it dubs “attributed activity” — so that when/if it “reliably” identifies an entity behind a rule-breaking account it can apply the same penalty actions against any additional accounts associated with that entity, regardless of whether the accounts themselves were breaking its rules or not.

This is potentially a very important change, given that spambot operators often create accounts long before they make active malicious use of them, leaving these spammer-in-waiting accounts entirely dormant, or doing something totally innocuous, sometimes for years before they get deployed for an active spam or disinformation operation.

So if Twitter is able to link an active disinformation campaign with spambots lurking in wait to carry out the next operation, it could successfully disrupt the long-term planning of election fiddlers. Which would be great news.

Albeit, the devil will be in the detail of how Twitter enforces this new policy — such as how high a bar it’s setting itself with the word “reliably”.

Obviously there’s a risk that, if defined too loosely, Twitter could shut innocent newbs off its platform by incorrectly connecting them to a previously identified bad actor. Which it clearly won’t want to do.

The hope is that behind the scenes Twitter has got better at spotting patterns of behavior it can reliably associate with spammers — and will thus be able to put this new policy to good use.

There’s certainly good external research being done in this area. For example, recent work by Duo Security has yielded an open source methodology for identifying account automation on Twitter.

The team also dug into botnet architectures — and was able to spot a cryptocurrency scam botnet which Twitter had previously been recommending other users follow. So, hopefully, the company has been taking close note of such research, and better botnet analysis underpins this policy change.

There’s also more on this front: “We are expanding our enforcement approach to include accounts that deliberately mimic or are intended to replace accounts we have previously suspended for violating our rules,” Twitter also writes.

This additional element is also notable. It essentially means Twitter has given itself a policy allowing it to act against entire malicious ideologies — i.e. against groups of people trying to spread the same sort of disinformation, not just a single identified bad actor connected to a number of accounts.

Take the example of Alex Jones, the fake news peddler behind InfoWars, whom Twitter finally banned permanently last month: the new policy suggests any attempt by Jones’ followers to create ‘in the style of’ copycat InfoWars accounts on its platform — i.e. to try to return Jones’ disinformation to Twitter indirectly — would, or at least could, face the same enforcement action already meted out to Jones’ own accounts.

Though Twitter does have a reputation for inconsistently applying its own policies. So it remains to be seen how it will, in fact, act.

And how enthusiastic it will be about slapping down disinformation ideologies — given its longstanding position as a free speech champion, and in the face of criticism that it is ‘censoring’ certain viewpoints.

Hacked materials

Another change being announced by Twitter now is a clampdown on the distribution of hacked materials via its platform.

Leaking hacked emails of political officials at key moments during an election cycle has been a key tactic for democracy fiddlers in recent years — such as the leak of emails sent by top officials in the Democratic National Committee during the 2016 US presidential election.

Or the last-minute email leak in France during the presidential election last year.

Twitter notes that its rules already prohibit the distribution of hacked material which contains “private information or trade secrets, or could put people in harm’s way” — but says it’s now expanding “the criteria for when we will take action on accounts which claim responsibility for a hack, which includes threats and public incentives to hack specific people and accounts”.

So it seems, generally, to be broadening its policy to cover a wider support ecosystem around election hackers — or hacking more generally.

Twitter’s platform does frequently host hackers — who use anonymous Twitter accounts to crow about their hacks and/or direct attack threats at other users…

Presumably Twitter will be shutting that kind of hacker activity down in future.

Though it’s unclear what the new policy might mean for a hacktivist group like Anonymous (which is very active on Twitter).

Twitter’s new policy might also have repercussions for Wikileaks — which was directly involved in the spreading of the DNC leaked emails, for example, yet nonetheless has not previously been penalized by Twitter. (And thus remains on its platform so far.)

One also wonders how Twitter might respond to a future tweet from, say, US president Trump encouraging the hacking of a political opponent….

Safe to say, this policy could get pretty murky and tricky for Twitter.

“Commentary about a hack or hacked materials, such as news articles discussing a hack, are generally not considered a violation of this policy,” it also writes, giving itself a bit of wiggle room on how it will apply (or not apply) the policy.

Daily spam decline

In the same blog post, Twitter gives an update on detection and enforcement actions related to its stated mission of improving “conversational health” and information integrity on its platform — including reiterating the action it took against Iran-based disinformation accounts in August.

It also notes that, in the same month, it removed ~50 accounts that had been misrepresenting themselves as members of various state Republican parties and using Twitter to share “media regarding elections and political issues with misleading or incorrect party affiliation information”.

“We continue to partner closely with the RNC, DNC, and state election institutions to improve how we handle these issues,” it adds. 

On the automated detections front — where Twitter announced a fresh squeeze just three months ago — it reports that in the first half of September it challenged an average of 9.4 million accounts per week. (Though it does not specify how many of those challenges turned out to be bona fide spammers, or at least went unchallenged).

It also reports a continued decline in the average number of spam-related reports from users — down from an average of ~17,000 daily in May, to ~16,000 daily in September.

This summer it introduced a new registration process for developers requesting access to its APIs — intended to prevent the registration of what it describes as “spammy and low quality apps”.

Now it says it’s suspending, on average, ~30,000 applications per month as a result of efforts “to make it more difficult for these kinds of apps to operate in the first place”.

Elsewhere, Twitter also says it’s working on new proprietary systems to identify and remove “ban evaders at speed and scale”, as part of ongoing efforts to improve “proactive enforcements against common policy violations”.

In the blog, the company flags a number of product changes it has made this year too, including a recent change it announced two weeks ago which brings back the chronological timeline (via a setting users can toggle) — and which it now says it has rolled out.

“We recently updated the timeline personalization setting to allow people to select a strictly reverse-chronological experience, without recommended content and recaps. This ensures you have more control of how you experience what’s happening on our service,” it writes, saying this is also intended to help people “stay informed”.

Though, given that the chronological timeline is still not the default on Twitter — with algorithmically surfaced ‘interesting tweets’ being what gets most actively pushed at users — it seems unlikely this change will have a major impact on mitigating disinformation campaigns.

Letting those in the know (that they can change the setting) stay better informed is not how election fiddling will be defeated.

US midterm focus

Twitter also says it’s continuing to roll out new features to show more context around accounts — giving the example of the launch of election labels earlier this year, as a beta for candidates in the 2018 U.S. midterm elections. Though it’s clearly got lots of work to do on that front — given all the other elections continuously taking place in the rest of the world.

With an eye on the security of the US midterms as a first focus, Twitter says it will send election candidates a message prompt to ensure they have two-factor authentication enabled on their account to boost security.

“We are offering electoral institutions increased support via an elections-specific support portal, which is designed to ensure we receive and review critical feedback about emerging issues as quickly as possible. We will continue to expand this program ahead of the elections and will provide information about the feedback we receive in the near future,” it adds, again showing that its initial candidate support efforts are US-focused.

On the civic engagement front, Twitter says it is also actively encouraging US-based users to vote and to register to vote, as well as aiming to increase access to relevant voter registration info.

“As part of our civic engagement efforts, we are building conversation around the hashtag #BeAVoter with a custom emoji, sending U.S.-based users a prompt in their home timeline with information on how to register to vote, and drawing attention to these conversations and resources through the top US trend,” it writes. “This trend is being promoted by @TwitterGov, which will create even more access to voter registration information, including election reminders and an absentee ballot FAQ.”

5 takeaways on the state of AI from Disrupt SF

The promise of artificial intelligence is immense, but the roadmap to achieving those goals still remains unclear. Onstage at TechCrunch Disrupt SF, some of AI’s leading minds shared their thoughts on current competition in the market, how to ensure algorithms don’t perpetuate racism and the future of human-machine interaction.

Here are five takeaways on the state of AI from Disrupt SF 2018:

1. U.S. companies will face many obstacles if they look to China for AI expansion

Sinovation Ventures CEO Kai-Fu Lee (Photo: TechCrunch/Devin Coldewey)

The meteoric rise in China’s focus on AI has been well-documented and has become impossible to ignore. With mega companies like Alibaba and Tencent pouring hundreds of millions of dollars into home-grown businesses, American companies are finding less and less room to navigate and expand in China. AI investor and Sinovation Ventures CEO Kai-Fu Lee described China as living in a “parallel universe” to the U.S. when it comes to AI development.

“We should think of it as electricity,” explained Lee, who led Google’s entrance into China. “Thomas Edison and the AI deep learning inventors – who were American – they invented this stuff and then they generously shared it. Now, China, as the largest marketplace with the largest amount of data, is really using AI to find every way to add value to traditional businesses, to internet, to all kinds of spaces.”

“The Chinese entrepreneurial ecosystem is huge so today the most valuable AI companies in computer vision, speech recognition, drones are all Chinese companies.”

2. Bias in AI is a new face on an old problem

SAN FRANCISCO, CA – SEPTEMBER 07: (L-R) UC Berkeley Professor Ken Goldberg, Google AI Research Scientist Timnit Gebru, UCOT Founder and CEO Chris Ategeka, and moderator Devin Coldewey speak onstage during Day 3 of TechCrunch Disrupt SF 2018 at Moscone Center on September 7, 2018 in San Francisco, California. (Photo by Kimberly White/Getty Images for TechCrunch)

AI promises to increase human productivity and efficiency by taking the grunt work out of many processes. But the data used to train many AI systems often falls victim to the same biases of humans and, if unchecked, can further marginalize communities caught up in systemic issues like income disparity and racism.

“People in lower socio-economic statuses are under more surveillance and go through algorithms more,” said Google AI’s Timnit Gebru. “So if they apply for a job that’s lower status they are likely to go through automated tools. We’re right now in a stage where these algorithms are being used in different places and we’re not even checking if they’re breaking existing laws like the Equal Opportunity Act.”

A potential solution to prevent the spread of toxic algorithms was outlined by UC Berkeley’s Ken Goldberg who cited the concept of ensemble theory, which involves multiple algorithms with various classifiers working together to produce a single result.
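
For readers who want to see the mechanics, here is a minimal sketch of the ensemble idea Goldberg describes — several different classifiers vote and the combined answer is used, rather than relying on any single model. It uses scikit-learn; the synthetic data and the particular models chosen are illustrative assumptions, not anything Goldberg specified.

```python
# Ensemble sketch: three different classifiers vote on each prediction.
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier, VotingClassifier
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split
from sklearn.naive_bayes import GaussianNB

# Toy data standing in for a real decision problem.
X, y = make_classification(n_samples=1000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)

ensemble = VotingClassifier(
    estimators=[
        ("logreg", LogisticRegression(max_iter=1000)),
        ("forest", RandomForestClassifier(n_estimators=100, random_state=0)),
        ("nb", GaussianNB()),
    ],
    voting="soft",  # average predicted probabilities rather than taking hard votes
)
ensemble.fit(X_train, y_train)
print("held-out accuracy:", ensemble.score(X_test, y_test))
```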

But how do we know if the solution to inadequate tech is more tech? Goldberg says this is where having individuals from multiple backgrounds, both in and outside the world of AI, is vital to developing just algorithms. “It’s very relevant to think about both machine intelligence and human intelligence,” explained Goldberg. “Having people with different viewpoints is extremely valuable and I think that’s starting to be recognized by people in business… it’s not because of PR, it’s actually because it will give you better decisions if you get people with different cognitive, diverse viewpoints.”

3. The future of autonomous travel will rely on humans and machines working together

Uber CEO Dara Khosrowshahi (Photo: TechCrunch/Devin Coldewey)

Transportation companies often paint a flowery picture of the near future where mobility will become so automated that human intervention will be detrimental to the process.

That’s not the case, according to Uber CEO Dara Khosrowshahi. In an era that’s racing to put humans on the sidelines, Khosrowshahi says humans and machines working hand-in-hand is the real thing.

“People and computers actually work better than each of them work on a stand-alone basis and we are having the capability of bringing in autonomous technology, third-party technology, Lime, our own product all together to create a hybrid,” said Khosrowshahi.

Khosrowshahi ultimately envisions the future of Uber being made up of engineers monitoring routes that present the least amount of danger for riders and selecting optimal autonomous routes for passengers. The combination of these two systems will be vital in the maturation of autonomous travel, while also keeping passengers safe in the process.

4. There’s no agreed definition of what makes an algorithm “fair”

SAN FRANCISCO, CA – SEPTEMBER 07: Human Rights Data Analysis Group Lead Statistician Kristian Lum speaks onstage during Day 3 of TechCrunch Disrupt SF 2018 at Moscone Center on September 7, 2018 in San Francisco, California. (Photo by Kimberly White/Getty Images for TechCrunch)

Last July ProPublica released a report highlighting how machine learning can falsely develop its own biases. The investigation examined an AI system used in Fort Lauderdale, Fla., that falsely flagged black defendants as future criminals at twice the rate of white defendants. These landmark findings set off a wave of conversation about the ingredients needed to build fair algorithms.

One year later AI experts still don’t have the recipe fully developed, but many agree that a contextual approach — combining mathematics with an understanding of the human subjects an algorithm affects — is the best path forward.

“Unfortunately there is not a universally agreed upon definition of what fairness looks like,” said Kristian Lum, lead statistician at the Human Rights Data Analysis Group. “How you slice and dice the data can determine whether you ultimately decide the algorithm is unfair.”

Lum goes on to explain that research in the past few years has revolved around exploring the mathematical definition of fairness, but this approach is often incompatible with the moral outlook on AI.

“What makes an algorithm fair is highly contextually dependent, and it’s going to depend so much on the training data that’s going into it,” said Lum. “You’re going to have to understand a lot about the problem, you’re going to have to understand a lot about the data, and even when that happens there will still be disagreements on the mathematical definitions of fairness.”

5. AI and Zero Trust are a “marriage made in heaven” and will be key in the evolution of cybersecurity

SAN FRANCISCO, CA – SEPTEMBER 06: (L-R) Duo VP of Security Mike Hanley, Okta Executive Director of Cybersecurity Marc Rogers, and moderator Mike Butcher speak onstage during Day 2 of TechCrunch Disrupt SF 2018 at Moscone Center on September 6, 2018 in San Francisco, California. (Photo by Kimberly White/Getty Images for TechCrunch)

If previous elections have taught us anything it’s that security systems are in dire need of improvement to protect personal data, financial assets and the foundation of democracy itself. Facebook’s ex-chief security officer Alex Stamos shared a grim outlook on the current state of politics and cybersecurity at Disrupt SF, stating the security infrastructure for the upcoming midterm elections isn’t much better than it was in 2016.

So how effective will AI be in improving these systems? Marc Rogers of Okta and Mike Hanley of Duo Security believe the combination of AI and a security model called Zero Trust — which cuts off all users from accessing a system until they can prove themselves — is the key to developing security systems that actively fight off breaches without the assistance of humans.

“AI and Zero Trust are a marriage made in heaven because the whole idea behind Zero Trust is you design policies that sit inside your network,” said Rogers. “AI is great at doing human decisions much faster than a human ever can and I have great hope that as Zero Trust evolves, we’re going to see AI baked into the new Zero Trust platforms.”
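
To make the “marriage” a little more concrete, here is a hedged sketch of how a Zero Trust-style policy check might combine explicit rules with a model-derived risk score. The rules, threshold and scoring heuristic are illustrative assumptions — not how Okta, Duo or any particular vendor implements it.

```python
# Zero Trust sketch: nothing is trusted by default; every request is re-checked
# against explicit policy plus a risk score (a stand-in for a trained model).
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user_id: str
    mfa_passed: bool
    device_managed: bool
    geo_velocity_kmh: float      # speed implied by consecutive login locations
    failed_logins_last_hour: int

def risk_score(req: AccessRequest) -> float:
    """Stand-in for an anomaly model: returns 0.0 (benign) to 1.0 (risky)."""
    score = 0.0
    if req.geo_velocity_kmh > 900:             # "impossible travel" heuristic
        score += 0.6
    score += min(req.failed_logins_last_hour, 5) * 0.08
    return min(score, 1.0)

def allow(req: AccessRequest, risk_threshold: float = 0.5) -> bool:
    # Every check must pass on every request; nothing is grandfathered in.
    if not (req.mfa_passed and req.device_managed):
        return False
    return risk_score(req) < risk_threshold

print(allow(AccessRequest("alice", True, True, 40.0, 0)))       # True
print(allow(AccessRequest("mallory", True, False, 1200.0, 4)))  # False
```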

By handing much of the heavy lifting to machines, cybersecurity professionals will also have the opportunity to solve another pressing issue: being able to staff qualified security experts to manage these systems.

“There’s also a substantial labor shortage of qualified security professionals that can actually do the work needed to be done,” said Hanley. “That creates a tremendous opportunity for security vendors to figure out what are those jobs that need to be done, and there are many unsolved challenges in that space. Policy engines are one of the more interesting ones.”

DiDi’s Fengmin Gong and Duo’s Mike Hanley to talk future of security at Disrupt

Cyber security has never gone away as a hot topic in the technology sphere and in 2018 it remains an enormous issue. As the next 3 billion or so of the planet’s people come online, it’s never been more important to secure their safety, their privacy and the security of their personal data. At the same time, we are already in the process of building the infrastructure of the future. The smart cities and the autonomous cars to come will all have to be secure from cyber attack, whether from private or state actors.

It’s therefore fitting that TechCrunch Disrupt will feature the work of two of the key players in this space.

Machine learning can help companies better protect their networks, but it also provides attackers with new tools. DiDi Labs Security VP Fengmin Gong and Mike Hanley of Duo are both at the forefront of this sector. On stage at Disrupt they will discuss how their companies use these new technologies to keep hackers at bay and how others can do the same to keep their systems secure.

Hanley leads all security research, development and operations functions at Duo. Prior to Duo, he was a senior member of the technical staff at CERT/CC, working on applied R&D programs for the US Department of Defense and the Intelligence Community.

Hanley recently pointed out that it’s a myth that most hackers are using sophisticated tactics to access data.

It’s his view that the vast majority of cyber security attacks start with phishing – where people respond to fraudulent emails and reveal their own personal information.

The problem, he thinks, is that the security industry has been slow to offer simple, efficient solutions to protect companies’ and individuals’ digital information. He thinks the industry is too focused “on complexity and not necessarily effectiveness” and that “complexity really does breed insecurity.”

He’ll be joined on stage by Fengmin Gong of DiDi Labs, part of the Chinese ride-hailing startup.

Gong is a well-respected cybersecurity technologist with more than 30 years of industry experience. As head of DiDi Labs, Dr. Gong currently drives R&D innovation and strategy for safety, security and user experience on DiDi platforms, and works on developing the next generation of security tools.

Gong has held chief scientist and R&D VP roles in a variety of large security corporations, including McAfee and Symantec JV, and served as chief security content strategy officer for FireEye, where he led the development and management of the company’s security initiatives. He is also a serial entrepreneur, having founded several leading security companies, including Palo Alto Networks and Cyphort Inc., and is an angel investor in more than half a dozen startups.

DiDi was recently given the go-ahead to start testing self-driving cars in California, as it looks to catch up with its Silicon Valley rivals’ earlier start in autonomous systems.

Check out the full agenda here. Tickets are still available even though the show is less than two weeks away. Grab one here.

Duo Security researchers’ Twitter ‘bot or not’ study unearths crypto botnet

A team of researchers at Duo Security has unearthed a sophisticated botnet operating on Twitter — and being used to spread a cryptocurrency scam.

The botnet was discovered during the course of a wider research project to create and publish a methodology for identifying Twitter account automation — to help support further research into bots and how they operate.

The team used Twitter’s API and some standard data enrichment techniques to create a large data set of 88 million public Twitter accounts, comprising more than half a billion tweets. (Although they say they focused on the last 200 tweets per account for the study.)

They then used classic machine learning methods to train a bot classifier, and later applied other tried and tested data science techniques to map and analyze the structure of botnets they’d uncovered.
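
As a rough illustration of that general recipe — derive simple per-account features from an account’s recent tweets, then train an off-the-shelf classifier on accounts already labeled bot or human — here is a minimal sketch using scikit-learn. The feature choices and the toy labeled data are assumptions for illustration only; they are not Duo’s actual feature set or data.

```python
import statistics
from sklearn.ensemble import RandomForestClassifier

def account_features(tweets, followers, following):
    """tweets: list of dicts with 'text' and 'timestamp' (unix seconds)."""
    gaps = [abs(a["timestamp"] - b["timestamp"]) for a, b in zip(tweets, tweets[1:])]
    return [
        len(tweets),
        statistics.pstdev(gaps) if gaps else 0.0,                         # highly regular posting looks automated
        sum("http" in t["text"] for t in tweets) / max(len(tweets), 1),   # share of tweets containing links
        followers / max(following, 1),                                    # follower/following ratio
    ]

# Tiny made-up labeled set standing in for real annotated accounts (1 = bot, 0 = human).
labeled_accounts = [
    {"tweets": [{"text": "win free coins http://scam", "timestamp": 1000 + 60 * i} for i in range(50)],
     "followers": 3, "following": 2000, "is_bot": 1},
    {"tweets": [{"text": "lovely walk in the park today", "timestamp": 1000 + 5321 * i} for i in range(12)],
     "followers": 310, "following": 280, "is_bot": 0},
]

X = [account_features(a["tweets"], a["followers"], a["following"]) for a in labeled_accounts]
y = [a["is_bot"] for a in labeled_accounts]

clf = RandomForestClassifier(n_estimators=200, random_state=0)
clf.fit(X, y)
print(clf.predict([account_features(labeled_accounts[0]["tweets"], 3, 2000)]))  # -> [1]
```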

They’re open sourcing their documentation and data collection system in the hopes that other researchers will pick up the baton and run with it — such as, say, to do a follow up study focused on trying to ID good vs bad automation.

Their focus for their own classifier was on pure-play bots, rather than hybrid accounts which intentionally blend automation with some human interactions to make bots even harder to spot.

They also did not look at sentiment for this study — but were rather focused on addressing the core question of whether a Twitter account is automated or not.

They say it’s likely a few ‘cyborg’ hybrids crept into their data-set, such as customer service Twitter accounts which operate with a mix of automation and staff attention. But, again, they weren’t concerned specifically with attempting to identify the (even more slippery) bot-human-agent hybrids — such as those, for example, involved in state-backed efforts to fence political disinformation.

The study led them into some interesting analysis of botnet architectures — and their paper includes a case study on the cryptocurrency scam botnet they unearthed (which they say was comprised of at least 15,000 bots “but likely much more”), and which attempts to syphon money from unsuspecting users via malicious “giveaway” links…

‘Attempts’ being the correct tense because, despite reporting the findings of their research to Twitter, they say this crypto scam botnet is still functioning on its platform — by imitating otherwise legitimate Twitter accounts, including news organizations (such as the below example), and on a much smaller scale, hijacking verified accounts…

They even found Twitter recommending users follow other spam bots in the botnet under the “Who to follow” section in the sidebar. Ouch.

A Twitter spokeswoman would not answer our specific questions about its own experience and understanding of bots and botnets on its platform, so it’s not clear why it hasn’t been able to totally vanquish this crypto botnet yet. Although in a statement responding to the research, the company suggests this sort of spammy automation may be automatically detected and hidden by its anti-spam countermeasures (which would not be reflected in the data the Duo researchers had access to via the Twitter API).

Twitter said:

We are aware of this form of manipulation and are proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.

Twitter’s spokeswoman also made the (obvious) point that not all bots and automation are bad — pointing to a recent company blog post which reiterates this, with the company highlighting the “delightful and fun experiences” served up by certain bots, such as Pentametron, a veteran automated creation which finds rhyming pairs of tweets written in (accidental) iambic pentameter.

Certainly no one in their right mind would complain about a bot that offers automated homage to Shakespeare’s preferred meter. Just as no one in their right mind would fail to complain about the ongoing scourge of cryptocurrency scams on Twitter…

One thing is crystal clear: The tricky business of answering the ‘bot or not’ question is important — and increasingly so, given the weaponization of online disinformation. It may become a quest so politicized and imperative that platforms end up needing to display a ‘bot score’ alongside every account (Twitter’s spokeswoman did not respond when we asked if it might consider doing this).

While there are existing research methodologies and techniques for trying to determine Twitter automation, the team at Duo Security say they often felt frustrated by a lack of supporting data around them — and that that was one of their impetuses for carrying out the research.

“In some cases there was an incomplete story,” says data scientist Olabode Anise. “Where they didn’t really show how they got their data that they said that they used. And they maybe started with the conclusion — or most of the research talked about the conclusion and we wanted to give people the ability to take on this research themselves. So that’s why we’re open sourcing all of our methods and the tools. So that people can start from point ‘A’: First gathering the data; training a model; and then finding bots on Twitter’s platform locally.”

“We didn’t do anything fancy or investigative techniques,” he adds. “We were really outlining how we could do this at scale, because we really think we’ve built one of the largest data sets associated with public Twitter accounts.”

Anise says their classifier model was trained on data that formed part of a 2016 piece of research by researchers at the University of Southern California, along with some data from the crypto botnet they uncovered during their own digging in the data set of public tweets they created (because, as he puts it, it’s “a hallmark of automation” — so it turns out cryptocurrency scams are good for something).

In terms of determining the classifier’s accuracy, Anise says the “hard part” is the ongoing lack of data on how many bots are on Twitter’s platform.

You’d imagine (or, well, hope) Twitter knows — or can at least estimate that. But, either way, Twitter isn’t making that data-point public. Which means it’s difficult for researchers to verify the accuracy of their ‘bot or not’ models against public tweet data. Instead they have to cross-check classifiers against (smaller) data sets of labeled bot accounts. Ergo, accurately determining accuracy is another (bot-spotting related) problem.

Anise says their best model was ~98% “in terms of identifying different types of accounts correctly” when measured via a cross-check (i.e. so not checking against the full 88M data set because, as he puts it, “we don’t have a foolproof way of knowing if these accounts are bots or not”).
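
In other words, with no ground truth for the full 88 million accounts, accuracy can only be estimated by cross-validating against the smaller labeled set — something like the following sketch, where the synthetic data is just a placeholder for labeled bot/human accounts and the model choice is illustrative.

```python
# Cross-check sketch: estimate classifier accuracy on the labeled subset only.
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import cross_val_score

X, y = make_classification(n_samples=2000, n_features=10, random_state=1)  # stand-in for labeled accounts
scores = cross_val_score(RandomForestClassifier(random_state=1), X, y, cv=5)
print("estimated accuracy: %.3f +/- %.3f" % (scores.mean(), scores.std()))
```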

Still, the team sounds confident that their approach — using what they dub as “practical data science techniques” — can bear fruit to create a classifier that’s effective at finding Twitter bots.

“Basically we showed — and this was what we were really trying to get across — is that some simple machine learning approaches that people who maybe watched a machine learning tutorial could follow and help identify bots successfully,” he adds.

One more small wrinkle: Bots that the model was trained on weren’t all forms of automation on Twitter’s platform. So he concedes that may also impact its accuracy. (Aka: “The model that you build is only going to be as good as the data that you have.” And, well, once again, the people with the best Twitter data all work at Twitter… )

The crypto botnet case study the team have included in their research paper is not just there for attracting attention: It’s intended to demonstrate how, using the tools and techniques they describe, other researchers can also progress from finding initial bots to pulling on threads, discovering and unraveling an entire botnet.

So they’ve put together a sort of ‘how to guide’ for Twitter botnet hunting.

The crypto botnet they analyze for the study, using social network mapping, is described in the paper as having a “unique three-tiered hierarchical structure”.

“Traditionally when Twitter botnets are found they typically follow a very flat structure where every bot in the botnet has the same job. They’re all going to spread a certain type of tweet or a certain type of spam. Usually you don’t see much co-ordination and segmentation in terms of the jobs that they have to do,” explains principal security engineer Jordan Wright.

“This botnet was unique because whenever we started mapping out the social connections between different bots — figuring out who did they follow and who follows them — we were able to enumerate a really clear structure showing bots that are connected in one particular way and an entire other cluster that were connected in a separate way.

“This is important because we see how the bot owners are changing their tactics in terms of how they were organizing these bots over time.”

They also discovered the spam tweets being published by the botnet were each being boosted by other bots in the botnet to amplify the overall spread of the cryptocurrency scam — Wright describes this as a process of “artificial inflation”, and says it works by the botnet owner making new bots whose sole job is to like or, later on, retweet the scammy tweets.

“The goal is to give them an artificial popularity so that if I’m the victim and I’m scrolling through Twitter and I come across these tweets I’m more likely to think that they’re legitimate based on how often they’ve been retweeted or how many times they’ve been liked,” he adds.

“Mapping out these connections between likes, as well as the social network we have already gathered, really gives us a multi-layered botnet — that’s pretty unique, pretty sophisticated and very much organized, where each bot had one, and really only one, job to do to try to help support the larger goal. That was unique to this botnet.”
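
For researchers wanting to try something similar, a minimal sketch of that mapping step might look like the following: build a directed graph of who follows and who amplifies whom, then look for hub accounts and for accounts whose only job is boosting others. The graph library (networkx) and the edge data here are illustrative assumptions, not the Duo team’s actual tooling.

```python
# Botnet-structure sketch: map bot-to-bot relations as a directed graph.
import networkx as nx

g = nx.DiGraph()
# (source, target, kind): "follows" edges from the social graph, "amplifies"
# edges from likes/retweets of the scam tweets -- all placeholder data.
edges = [
    ("bot_a1", "hub_1", "follows"), ("bot_a2", "hub_1", "follows"),
    ("bot_b1", "hub_2", "follows"), ("bot_b2", "hub_2", "follows"),
    ("amp_1", "bot_a1", "amplifies"), ("amp_2", "bot_a2", "amplifies"),
]
for src, dst, kind in edges:
    g.add_edge(src, dst, kind=kind)

# Accounts that many bots point at are candidate "hub" tiers in the hierarchy.
hubs = sorted(g.nodes, key=lambda n: g.in_degree(n), reverse=True)[:3]
print("likely hub accounts:", hubs)

# Accounts whose only outgoing edges are "amplifies" correspond to the
# "artificial inflation" layer Wright describes.
amplifiers = [n for n in g.nodes
              if g.out_degree(n) > 0 and g.in_degree(n) == 0
              and all(d["kind"] == "amplifies" for _, _, d in g.out_edges(n, data=True))]
print("amplification-only accounts:", amplifiers)
```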

Twitter has been making a bunch of changes recently intended to crack down on inauthentic platform activity which spammers have exploited to try to lend more authenticity and authority to their scams.

Clearly, though, there’s more work for Twitter to do.

“There are very practical reasons why we would consider it sophisticated,” adds Wright of the crypto botnet the team have turned into a case study. “It’s ongoing, it’s evolving and it’s changed its structure over time. And the structure that it has is hierarchical and organized.”

Anise and Wright will be presenting their Twitter botnet research on Wednesday, August 8 at the Black Hat conference.

Heads-up: 2FA provider Duo Security to be acquired by Cisco (ugh)

Both companies insist nothing will change, but this former Cisco customer has doubts.

Artist's impression of how this deal feels from this author's chair. (credit: Getty Images / Gary Hanna / Lee Hutchinson)

US-based two-factor authentication provider Duo Security announced this morning that it is in talks to be acquired by networking giant Cisco. According to Duo’s press release, Duo will become a “business unit” under Cisco’s Security Business Group, and current Duo CEO Dug Song will become the unit’s general manager.

Ars is a happy Duo customer, and we use the product extensively to apply 2FA to a variety of our internal services; beyond that, several Ars staffers (myself included) use Duo’s free tier to wrap 2FA around our own personal stuff, like Linux PAM authentication and Mac/Windows logins. Duo’s flexibility and ease of use has been a huge driver of success for the company, which says it has about 12,000 customers.

But the worry here is that Cisco is going to murder the golden goose—and, as a former Cisco customer, I’m struggling to feel anything but dread about all the ways in which this acquisition might kill everything that’s good about Duo.

Cisco is buying Duo Security for $2.35B in cash

Cisco today announced its intent to buy Ann Arbor, MI-based security firm, Duo Security. Under the terms of the agreement, Cisco is paying $2.35 billion in cash and assumed equity awards for Duo.

Duo Security was founded in 2010 by Dug Song and Jonathan Oberheide and went on to raise $121.M through several rounds of funding. The company has 700 employees with offices throughout the United States and in London, though the company has remained headquartered in Ann Arbor, MI.

Co-founder and CEO Dug Song will continue leading Duo as its General Manager and will join Cisco’s Networking and Security business led by EVP and GM David Goeckeler. There’s no word if Duo will continue to operate out of Ann Arbor if the deal closes.

The acquisition feels like a good fit for Cisco. Duo’s security apparatus lets employees use their own device for adaptive authentication. Instead of issuing key fobs with security codes, Duo’s solution works securely with any device. And within Cisco’s environment, the technology should feel like a natural fit for CTOs looking for secure two-factor authentication.

“Our partnership is the product of the rapid evolution of the IT landscape alongside a modernizing workforce, which has completely changed how organizations must think about security,” said Dug Song, Duo Security’s co-founder and chief executive officer. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network. By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity to drive change at a massive scale, and reshape the industry.”

Over the last few years, Cisco has made several key acquisitions: OpenDNS, Sourcefire, Cloudlock, and now Duo. This latest deal is expected to close in the first quarter of Cisco’s fiscal year 2019.


Duo Security’s Dug Song On Company Priorities | Disrupt NY 2017