#securitybug
uncleasad · 3 months ago
Text
On zero-days, shades of grey, and digital mobs
This week has been a month, hasn’t it?
I hope you are all holding up as best as you can and have safe spaces and support systems to lean back on.
Over the course of this week, I’ve had a front-row seat to witness digital mobs come after people and rip apart two extremely different online communities, and it’s disheartening to witness how quickly everything snowballed into hellfire, whether it was deserved or not.
I wish that in online spaces there were a way for a concerned party to contact a trusted third party that the victim/concerned party and the accused both felt would be fair and have that party mediate between them, instead of resorting to direct confrontation and call-outs.
Everyone is at their worst in this initial stage—angry, defensive, scared, embarrassed, ashamed, hurt—and fight-or-flight takes over. The person who believes themselves to be a victim is fighting mad, and the person who has been accused—whether they truly screwed up, made an innocent mistake, or it was all a misunderstanding—either wants to run and hide in their shame, or they stand their ground, also fighting mad. No good can come from a situation like this. Even less good can come from it if it all takes place in public, in front of everyone, and mobs start to form, piling on one or the other.
Mob justice is not justice.
No one will want to admit they were wrong, screwed up, made a mistake, if they know a mob is coming after them. If our goal is to have a good and just community, where people can learn from their mistakes, errors, and other screwups, become better people, and strengthen the community in the end, mobs are not the answer. (Few things, especially online, should be something that someone can’t come back from.) Mobs are the unleashing of anger at anyone and everyone in their path. They’ve burned down the town before anyone can hear other sides to the story, much less establish an objective truth. (I know; I’ve been part of one. I felt completely justified.)
We want to see everything in binary, in clean, clear black and white. The truth is, the world and most situations fall in shades of grey. Some things are fuzzy, and others we should evaluate on a sliding scale…did they know that X was wrong or hurtful? Was it intentional? Have they done Y repeatedly? (I don’t know if that person knew it was wrong. I do know they had done it to dozens of fics. I don’t know if they’ve done it again after being told it was wrong. It was 100% presenting unchanged works of others as theirs, out and out theft.* But because no one ever talked to the person or an intermediary, all we know is the account was…deleted? closed? put in time out? We don’t even know that, just that their page and the fics no longer loaded after a couple of days of reporting the stolen fics. But we got our blood and pound of flesh, so…)
If we could slow things down, we have a better chance of learning all the relevant information. If we keep things outside of the public eye initially, we have a better chance of a just and peaceful resolution that keeps our communities together, helps people learn and grow and become better contributors to society/the community. (Again, this outcome might not be possible in all cases. It also might not be a just result in all cases; some cases may call for more severe consequences, such as removal from the community.)
I know some of you are out there shouting “But what about accountability!? If everything’s kept quiet, no one knows/N is gonna do it again.” I have a process for that, too. Let’s switch gears in our analogies for a moment.
In software (and occasionally hardware) security, the usual process for reporting a security bug goes like this:
1. You report the security bug to the vendor via their security bug submission procedure (e.g., you email securitybugs AT tumblr.com [dunno if that is real] and tell them you’ve discovered a bug that lets you see someone else’s Inbox, and how to cause it).
2. The vendor acknowledges your report and you might go back and forth about how to trigger the bug, or, in some cases, whether it really is a security bug (our example bug really is, if it were real!), or how serious/easily exploitable it is, which is a proxy for how quickly it needs to be fixed.
3. The vendor fixes the bug.
4. The vendor ships the fix to everyone (in our example, updates the tumblr website or tumblr app, depending on where the bug was).
5. The vendor announces there was a bug and they’ve fixed it, and thanks the reporter.
This is called responsible disclosure. It works great, and everyone is happy (except the bad actors who were using the bug to access other people’s inboxes!).
The opposite of responsible disclosure is known as a zero-day (or 0-day). That’s when a security bug is announced without a fix available. This happens in 3 cases:
1. When the bug is so serious that everyone needs to know NOW so they stop using the piece of software (or delete their information from the software, or whatever) to secure their information/lives.
2. After working with the vendor for some period of time following the established process, the bug reporter feels the vendor is taking too long to fix the problem or doesn’t feel the vendor is taking the bug as seriously as the reporter believes they should.
3. The person who found the bug doesn’t believe in responsible disclosure (sadly, there are some security researchers in that camp).
(A Zero-Day, and especially Case 3, is basically unleashing a digital mob.)
Back to our online community situations.
In an ideal case, after the intervention of the trusted third party, both the victim/concerned party and the accused release statements. If the accused did indeed do P, their statement should be an apology, what they have learned, and so forth, and the victim probably will acknowledge the apology and note that the two parties have talked and they consider the matter settled, no need for mobs—but also forgiveness is not forced. If things were a misunderstanding, both parties might explain their sides, note they’ve talked it out and consider the matter settled, no need for mobs. Obviously, this varies by case—it’s not all black and white, one size fits all. As an alternative, the trusted third party might also make a report of the facts as best they can tell and the evidence presented.
To ensure things don’t get swept under the rug when a mediated solution is not possible, there are 2 failsafe options. First, our Case 2 from the Zero-Day; after a week or two—remember, we’re trying to slow things down and calm everyone down to allow for better understanding and reflection—the victim/concerned party can then publicly announce the situation and the failed mediation, and/or ask the trusted third party to make a report, perhaps including a transcript of the back-and-forth.
I feel like our online communities would be a lot healthier if we were able to inject just a little bit of real-world processes…a little bit of humanity, of deliberation, of mediation. Everything online is so toxic, and it doesn’t have to be.
I know this is a pipe dream, but maybe by putting it out there, it can do some good somewhere, in some community. After all, if we don’t have hope, what do we have left?
* All theft and plagiarism is wrong, full stop. But the degree of my anger depends on factors such as the extent, intent, and taking responsibility—and not doing it again. And, of course, are you an individual, a fan…or a scummy fic-hoovering AI company?
thehackernewz · 3 years ago
Text
Patching of Firewall Causing the Flaw in Web Security
To throw some light on the most threatening news of the cyber world era, which is a highly vulnerable threat in which the patching of the firewall is thus making the flaws in the real-time web security, making it quiet for hackers.
ct3ch · 6 years ago
Text
Twitter bug exposed private tweets of some Android users for five years
A bug that has plagued Twitter since 2014 exposed the tweets of some Android users that were intended to be private. Twitter first disclosed the issue on its Help Center today after apparently fixing the issue on January 14th. The bug didn’t affect people using Twitter on iOS or desktop.
According to Twitter, the problem occurred when people using the Twitter for Android app attempted to…
hacknews · 5 years ago
Photo
NSO Group Disclose Facebook’s Secret Attempt To Buy Their Pegasus Spyware #appleremovesonavo #cybersecurity #cybersecurity #facebook #facebookfiledlawsuit #facebookremovedonavoprotect #flaw #glitch #hackwhatsapp #lawsuit #nsogroup #onavo #onavoprotect #onavoremovedfromandroid #pegasus #phonetrackingwhatsapp #securitybug #securityflaw #spyonwhatsapp #spyware #stealwhatsapp #vulnerability #whatsapp #whatsappandroid #whatsappios #whatsappmessenger #whatsappsecurity #whatsapptracking #whatsappuser #whatsappusers #whatsappvulnerability #hacking #hacker #cybersecurity #hack #ethicalhacking #hacknews
dietechwelt-blog · 8 years ago
Photo
#Apple #Forscher #Für #Gegensatz #Genug #Microsoft #Nicht #SecurityBugs #Zahlung #ReviewsAndNews
Unlike Microsoft, Apple Is Not Paying Researchers Enough for Security Bugs
Microsoft’s bug-bounty programs have flourished over the last few years, with the company paying thousands of dollars to security researchers who discover and report vulnerabilities in its top products, such as Windows and the Edge browser. But compared to Microsoft, Apple seems...
Read More on http://dietech-welt.com/im-gegensatz-zu-microsoft-apple-ist-nicht-die-zahlung-forscher-genug-fuer-die-security-bugs-2/
e-commerce-magento · 8 years ago
Text
RT @SchumacherFM: Oops ... #magento2 #securitybug #rce in current release https://t.co/JPMqnk8QVy
— Cyrill Schumacher (@SchumacherFM) April 13, 2017
from Twitter https://twitter.com/fbeardev
ecscyber-blog · 9 years ago
Link
Researchers discover why we ignore PC security warnings http://lnk.al/2rjC
dietechwelt-blog · 8 years ago
Photo
#Apple #Forscher #Für #Gegensatz #Genug #Microsoft #Nicht #SecurityBugs #Zahlung #ReviewsAndNews
Unlike Microsoft, Apple Is Not Paying Researchers Enough for Security Bugs
Microsoft’s bug-bounty programs have flourished over the last few years, with the company paying thousands of dollars to security researchers who discover and report vulnerabilities in its top products, such as Windows and the Edge browser. But compared to Microsoft, Apple...
Read More on http://dietech-welt.com/im-gegensatz-zu-microsoft-apple-ist-nicht-die-zahlung-forscher-genug-fuer-die-security-bugs/
ecscyber-blog · 9 years ago
Link
bug http://lnk.al/1owz