Something Weird is Happening on Facebook
October 24, 2021 7:29 AM

Don’t take candy from strangers and don’t feed your personal information to bots. If you spend any time on Facebook you’ve probably noticed a blizzard of question memes coming from clickbait accounts. You’ve likely either commented on them yourself or seen comments from close friends. Many of these posts look like they’re probing for answers to security/verification questions, but the ugly reality is that your passwords are nearly worthless. Chances are your passwords are already circulating on the dark web, sold in batches of millions for as little as a few thousand dollars. Unless you hold the password to something wildly valuable, like major corporate or government assets, nobody cares except kids playing around.
posted by mecran01 (51 comments total) 19 users marked this as a favorite
 
These types of posts have become a cancer on the gaming subreddits. "What's your favorite classic game?" The number of people who just answer away, not realizing they're building giant data-sets, just kind of disappoints me.
posted by deadaluspark at 7:53 AM on October 24, 2021 [1 favorite]


I've started to use my password manager to generate random strings for security questions. Let's see someone guess "qj21@Qkf!Paj" for the name of my childhood pet.

The above is a keysmash, not actually something I use.
posted by SansPoint at 8:02 AM on October 24, 2021 [25 favorites]




That’s… a really weird coincidence. Because we named our first dog qj21@Qkf!Paj.

Got a lot of funny looks calling his name at the park that time he ran away.
posted by caution live frogs at 8:19 AM on October 24, 2021 [34 favorites]


Without telling me your age, what was your Social Security number in the year you were born?
posted by delfin at 8:22 AM on October 24, 2021 [35 favorites]


Hey there, fellow Metafilter users! What’s your favorite Dilbert comic?
posted by snofoam at 8:22 AM on October 24, 2021 [27 favorites]


These things clog gaming Twitter too. They’ve become just noise as everyone goes to bat for the big overrated stuff time and again. Yes, yes, Final Fantasy VII and all that, but who’s going to cheer for Aero the Acro-bat or Plok?
posted by Servo5678 at 8:26 AM on October 24, 2021 [1 favorite]


I'm fairly certain it's bots trying to harvest your birthday information with the "what was your favorite video game that came out when you were twelve?" posts.

Or the "what is your fantasy Tolkien name?" with two charts of 12 and 31 options for you to put together. People replying "lol, my name is Burly Ent" don't realize they're also announcing their birthday to the data harvesters and then retweeting it for their followers to reply to.
posted by AlSweigart at 8:27 AM on October 24, 2021 [12 favorites]


You see a ton of this with actual humans in social media and YouTube too, not even necessarily because anyone cares about the answers but simply because people are a lot more likely to comment if they're answering a question.
posted by Foosnark at 8:49 AM on October 24, 2021 [8 favorites]


I think these are just designed to generate engagement for a page. For some reason the Facebook algorithm likes them, and for some reason people love commenting on them.
posted by BungaDunga at 8:52 AM on October 24, 2021 [6 favorites]


On tumblr it's astrology posts. "Reblog and put in the tags your sun sign, moon sign and rising sign!" which tells them the day, month, and year of your birth.

Or there's a list of days, then a list of months and each one has a short phrase. By combining them, you get your porn star name or which final girl you'd be in a slasher movie or what kind of character you'd be in a fantasy novel.

I used to feel too much paranoia to do these but recently I've realized it doesn't matter. It doesn't matter if the bots know my birthday. It is already in my bio on goodreads. LOL.
posted by subdee at 8:54 AM on October 24, 2021 [5 favorites]


I think what used to make me scoff about this kind of stuff was the idea that there's anything useful a Cambridge Analytica type could learn about me that isn't already out there. But that's not really the point. Maybe they haven't figured out how a very granular portrait of me would allow them to do something, but it's reallllly creepy that they are collecting it anyway and I don't want to help them.
posted by emjaybee at 8:55 AM on October 24, 2021 [6 favorites]


One reason why I don't think these are being used to build up datasets is that they're public. It's not a competitive advantage if your competitors have access to the exact same data! These are just pushing people's buttons to get them to engage, and someone found a shortcut. I think that's all it is- engagement is directly valuable to pages because it juices their metrics and maybe gives them an advantage in the algorithm on their other posts.
posted by BungaDunga at 8:56 AM on October 24, 2021 [16 favorites]


(that said, because they're public, anyone else with a scraper can come along and see what they want to make of it. So both theories could be true, I just don't think the people running the pages and designing the posts are actually doing the scraping)
posted by BungaDunga at 8:58 AM on October 24, 2021 [1 favorite]


BungaDunga, just what I was sitting down to say. The Algorithm loves you if you get engagement. These generate enormous amounts of engagement, and with relatively little crazy negativity that other engagement generation gets. Pages do it deliberately for wuffie, pages do it accidentally and it gets out of hand.
posted by wotsac at 8:58 AM on October 24, 2021 [2 favorites]


The things I still don't trust are the uquizzes that come out around (US) election time and ask questions designed to determine your political affiliation. Like it's a "What character from HxH are you?" quiz and the questions are:

Which is more important, freedom or safety?

How likely are you to trust strangers?

How important is being generous to you?

Which for the record, these are real questions from a real "What character from HxH are you?" quiz that I really saw posted in the run up to the 2020 presidential election.

https://subdee.tumblr.com/post/616185410075361280/subdee-actually-ill-go-ahead-and-say-it-i

I think these are way worse and more malicious than the birthday posts.
posted by subdee at 9:00 AM on October 24, 2021 [11 favorites]


(Other examples of the genre: how do you do a math problem in your head, and deliberately ambiguous math-like riddles.)
posted by wotsac at 9:00 AM on October 24, 2021


I never answer these because they're basic A.F.

Turns out my snobbery was actually an instinctive distrust of data harvesters.
posted by signal at 9:18 AM on October 24, 2021 [21 favorites]


Signal-password-guess.exe

SnobsRule1971!
DataHarvestersSuck1971!
Instinctive1971!
posted by lalochezia at 9:37 AM on October 24, 2021 [3 favorites]


Chances are your passwords are already circulating on the dark web, sold in batches of millions for as little as a few thousand dollars. Unless you hold the password to something wildly valuable, like major corporate or government assets, nobody cares except kids playing around.

That's ... just not true and I'm sort of grossed out that this post is laced with references to "mommies" as a signifier of trivial or mundane -- the polar opposite of the very important things the writer is considering. It's in line with a sort of security or paranoia machismo I dealt with among security bloggers when I was paying their invoices, and in the software industry among security devs who enjoy the status that comes from being security-adjacent somehow. There's this recurring need to belittle or discount people ... to tell them "the hackers don't care about you" or "don't worry ... state actors aren't coming for your gmail." Noted in passing is all.

And maybe my pull quote is true from a consumer protection point of view? Where your conception of the target is "Joe Grudd, drone enthusiast and Hearthstone player" or "Marty Flort, cat fancier and gardener" and their password to a cat fancy board or the DJI support community isn't doing anyone any good.

But it's not true from a "cat fanciers also work in large enterprises with major corporate assets" point of view, where Joe or Marty down in accounting or marketing may be eight hops away from the assets, but they're still one hop closer than when you started looking to piece together the collection of lateral and incremental upward hops you need to get close enough to the asset you're after. If you're really lucky, Marty is the CFO or Joe is an Anaplan architect with extensive privileges, and it's awesome that Facebook was the Rosetta stone that connected where they work and their title there with all the other metadata out there. Suddenly it might mean something that you have this cat fancy forum password tied to this email address with this Facebook account where the user has helpfully told you "Anaplan architect at SpumCo" that is also tied to this email address. If nothing else, you've got more material for a spearphish than you had going in. Suddenly your condescending little "they don't care about you and your trivial little concerns" is a liability.

Anyhow, I know none of this is the real point of this article. Just found the tone, examples, and blithe assumptions on the way to the (condescending, not particularly original) "real threat" irritating.
posted by mph at 9:40 AM on October 24, 2021 [31 favorites]




If it's true (as per OP) that these pages do very little overt marketing, I wonder if they might be one half of an ad-targeting setup. Like if you want to target people for whom grandparenting is a significant part of their identity, "people who will respond to a 'What do your grandchildren call you?' post" could be a pretty good proxy, and there wouldn't need to be any customer-visible connection between the page and the ads.

Or for some types of questions you might filter by only people who gave a particular type of answer (or who engaged with such an answer from someone else). All pretty easy to set up, and probably a lot more trustworthy than whatever FB's built-in targeting offers.

Either way, you'll be able to filter out the great majority of fake and bot accounts, and you can be confident you'll be (mostly) engaging with real people who are at least potentially interested in your sales pitch.
posted by Not A Thing at 10:02 AM on October 24, 2021 [4 favorites]


Also signing on to mph's point. When people say "it's all out there anyway" it's true those facts exist in public, but it's about being gathered into specific datasets as a specific person. That particular certainty that you are *that* Mary Sue Blogs wasn't really there until you added a birthday (for example). Plus these are the people assembling their own data to try and match you to other datasets, or who won't pay to match you with an existing one.

On that note, I've just realized I need to start engaging with these using the wrong answers.
posted by cult_url_bias at 10:10 AM on October 24, 2021 [9 favorites]


The above is a keysmash, not actually something I use.

Based on the dataset I just looked at of your historical keysmashing you have some weakness in the third finger on your left hand that leads to some very predictable non-randomness so now you definitely cannot keysmash any future passwords without knowing they are at least an order of magnitude weaker than you'd assume.
posted by srboisvert at 10:32 AM on October 24, 2021 [10 favorites]


the ugly reality is that your passwords are nearly worthless. Chances are your passwords are already circulating on the dark web, sold in batches of millions for as little as a few thousand dollars.

Anybody can believe those things about my passwords if it pleases them. I don't have to care.

I've started to use my password manager to generate random strings for security questions. Let's see someone guess "qj21@Qkf!Paj" for the name of my childhood pet.

For people who use competent password management software (which should be everybody, and if it isn't you, stop making excuses and just start) there's never a need to recover a password and "security" questions are a pure pain in the arse that can only ever make online accounts less secure, not more so.

Australia's MyGov single-sign-on portal for government services is particularly annoying: it wants me to answer a security question every time I log in. This is wish-it-was-two-factor authentication and the fact that it's still being used in 2021, by IT infrastructure that my taxes helped pay for, is infuriating.

My standard workaround depends on whether the site allows me to create my own questions (MyGov does, and it won't allow the answers to be the same). If so, I set them to "Second password with 'a' appended?", "Second password with 'b' appended?" and "Second password with 'c' appended?" (there are usually three, for some reason) and have KeePassXC's auto-type enter my username, then my password, then prefill the security answer box with cwulx.cfpgm.zmhdo.dvrli.hvpia. and wait for me to finish it with the letter specified in the question.

For sites that insist on having me pick questions from a preset list, I do much the same thing but use the last word of the question as the thing that makes the answers different. So all that anybody can learn by scraping an exfiltrated credentials database that a site operator has been stupid enough to keep in plaintext is that according to this site, my first car was a bswru lylqk bkeba vmoqn ngqrc car, the name of my favourite childhood pet was bswru lylqk bkeba vmoqn ngqrc pet, and my first job was bswru lylqk bkeba vmoqn ngqrc job.

Fuck "security" questions. They're a pointless hoop-jumping exercise and ought to be treated as such.
posted by flabdablet at 10:37 AM on October 24, 2021 [18 favorites]
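The scheme flabdablet describes, as an added Python example (not the commenter's code and not a KeePassXC feature): a random "second password" stands in for the one the password manager would hold, answers are derived either by appending a letter (custom questions) or the question's last word (preset questions), and the preset path rejects two questions that would yield identical answers, since a site that forbids duplicate answers would refuse the second one. All strings are constructed.

```python
import secrets
import string

def make_second_password(groups: int = 5, width: int = 5) -> str:
    """Random lowercase letter groups, the same shape as the quoted
    'bswru lylqk bkeba vmoqn ngqrc'. Stored in the password manager and
    never used as the login password itself."""
    alphabet = string.ascii_lowercase
    return " ".join(
        "".join(secrets.choice(alphabet) for _ in range(width))
        for _ in range(groups)
    )

def custom_question_answers(second_password: str, count: int = 3) -> dict:
    """Site lets you write your own questions: ask for the second password
    with a distinct letter appended, so every answer differs."""
    return {
        f"Second password with '{letter}' appended?": second_password + letter
        for letter in string.ascii_lowercase[:count]
    }

def _last_word(question: str) -> str:
    # Strip punctuation and case so "first car?" and "First car." agree.
    words = [w.strip(string.punctuation).lower() for w in question.split()]
    words = [w for w in words if w]
    return words[-1] if words else ""

def preset_question_answers(second_password: str, questions: list) -> dict:
    """Site forces preset questions: the last word of each question is the
    discriminator. Two questions ending in the same word would collide, so
    refuse them instead of silently producing a duplicate answer."""
    answers, seen = {}, {}
    for q in questions:
        tag = _last_word(q)
        if tag in seen:
            raise ValueError(f"{q!r} and {seen[tag]!r} both end in {tag!r}")
        seen[tag] = q
        answers[q] = f"{second_password} {tag}"
    return answers

def all_distinct(answers: dict) -> bool:
    """True when no two questions share an answer."""
    return len(set(answers.values())) == len(answers)

if __name__ == "__main__":
    sp = make_second_password()
    for q, a in preset_question_answers(
        sp, ["What was your first car?", "What was your first job?"]
    ).items():
        print(f"{q} -> {a}")
```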


what is the defense system father

https://twitter.com/OmarNajam/status/935626720408768512
posted by user92371 at 10:52 AM on October 24, 2021 [2 favorites]


What’s your favorite Dilbert comic?

The one where they're in the office and the boss says something clueless, the woman is angry, and the bald guy avoids work. Although the one where the dog comes up with a plan for a callous money-grab is a close second.
posted by Greg_Ace at 10:58 AM on October 24, 2021 [13 favorites]


Ooh ooh ooh, and the one where the artist tries to anonymously convince an online discussion site of what a genius the guy who draws 'Dilbert' is.
posted by Greg_Ace at 11:22 AM on October 24, 2021 [25 favorites]


What’s your favorite Dilbert comic?

If someone replies with "mauve database", they're a target on so many different levels.
posted by sukeban at 11:40 AM on October 24, 2021 [3 favorites]


I wouldn't be surprised by data harvesting being the goal of the Facebook stuff -- isn't that what Cambridge Analytica was doing? But as far as Reddit goes, those sorts of posts are more about building up easy karma for accounts which can in turn be sold to spammers and other influence peddlers.
posted by Rhaomi at 11:47 AM on October 24, 2021 [4 favorites]


Just found the tone, examples, and blithe assumptions on the way to the (condescending, not particularly original) "real threat" irritating.

I think what they were clumsily trying to get at is that the articles/posts that alarmingly claim that those memes are being used to compromise accounts are the razorblade in Halloween candy stories of infosec. I'm deeply involved with fighting credential validation and stuffing attacks at substantial scale (including the types of accounts the article claims don't matter) and I've not seen credible evidence that anyone is using Facebook memes to get KBA answers at any scale.

You are correct that targeted attacks may use OSINT including checking out social media for pretexts for social engineering or passwords to guess, but I've never seen any evidence that anyone is intentionally setting up these memes to do so or that it's happening in anything other than targeted attacks on very specific targets.
posted by Candleman at 12:04 PM on October 24, 2021 [7 favorites]


You can't even win the game by not playing.
posted by Oyéah at 2:02 PM on October 24, 2021


caution live frogs: "That’s… a really weird coincidence. Because we named our first dog qj21@Qkf!Paj.

Got a lot of funny looks calling his name at the park that time he ran away."

I got around that with my first dog by insisting the @ and the ! were silent.
posted by chavenet at 2:09 PM on October 24, 2021 [1 favorite]


Because we named our first dog qj21@Qkf!Paj

Cool name; my dog's only named '"; DROP TABLE answers; --".
posted by acb at 2:10 PM on October 24, 2021 [6 favorites]


On multiple accounts in my feed in the past few weeks, I’ve seen some variation of “tag your favourite band/musician in this thread and see if they respond”. Not sure if that is some kind of bot-driven harvester but the sameness of the post asking a question that could be someone’s password hint strikes me as weird.
posted by dr_dank at 5:42 PM on October 24, 2021


I cancelled my Facebook account during the last Presidential election when they would not stop folks posting false information. I do not miss it. I started spending time on Clubhouse. I can listen to conversations on topics I am interested in and participate if I want to. You must be invited to Clubhouse. If anyone here needs an invite let me know. If you agree to these guidelines you will be welcome on Clubhouse.
posted by duseattle at 5:58 PM on October 24, 2021


Clubhouse is not precisely a haven of civility, fwiw: Doctors Are Being Forced Off Clubhouse by Anti-Vax Harassment
posted by BungaDunga at 7:01 PM on October 24, 2021 [2 favorites]


Anyway, remember when extremely weird kids YouTube videos were being churned out and people had various theories on it, but it turned out it was just that that sort of glurge worked to keep kids watching? Even the titles are similar ("Something Weird Is Happening on Facebook" vs "Something is wrong on the internet").

There's something off about these posts and I think it's just a milder version of the offness of those kids YouTube videos.
posted by BungaDunga at 7:09 PM on October 24, 2021 [4 favorites]


My inclination is that yes, these pages and accounts are harvesting data. The weird similarities between posts, the kind of information that appears to be sought, and other linking factors described in TFA do seem to indicate that. We know that it's possible with the machine learning and data analysis tools that have already had their proof-of-concept time on Facebook and other social networks. What I think we're wrong about is the purpose of the harvesting. The reason we're sitting around here going "Well, yes, but why would you use this data? How would you use it?" is that it is, essentially, useless. The data gathered from responses to these kinds of spammy posts would be so full of noise and the kind of poor language skills demonstrated by average social media users that any product would be hopelessly compromised or so vast in scope that it would take far more work than it's worth to interpret.

The user data isn't the grift, though. Or it's not the whole grift: the datasets may be useless, but they're still a saleable product. Consider this:
  1. Data harvester uses FB post engagement to harvest data nominally containing age, location, and preference information from 1.4M user comments on a post.
  2. Data harvester bundles this data set and advertises it on a forum for wannabe grifters as '1.4M FB USER INFO.zip' or some such.
  3. Inexperienced/unscrupulous/stupid proto-grifters purchase and download. Some might complain about the quality of the data, but what are they going to do? Get their bitcoin back?
  4. Rinse & repeat.
We know that this kind of scam goes on with passwords, credit card numbers and other leaked or stolen data - old datasets are still sold as new and functional to people who don't know any better. People will take advantage of the relative lack of data verification that occurs in low-level/amateur criminal enterprise (how many fake Metallica mp3s did Napster host?). It's still bad, because otherwise clueless social media users are potentially giving away personally identifying information or material for social engineering attacks, but the data is minimally useful for any large-scale scam.
posted by prismatic7 at 10:55 PM on October 24, 2021 [2 favorites]


Yeah, I kinda saw them like the white vans with the guys selling speakers. A pure by-product of capitalism.
posted by From Bklyn at 4:07 AM on October 25, 2021 [1 favorite]


What was your favorite MetaFilter politics mega-post?
posted by MtDewd at 5:31 AM on October 25, 2021 [4 favorites]


As always there's a relevant xkcd.
posted by flabdablet at 6:57 AM on October 25, 2021 [4 favorites]


On that note, I've just realized I need to start engaging with these using the wrong answers.

(oops - I misread that - I thought you meant engaging with people... As to your suggestion, I have noticed a few FaceBook friends who have started slowly borking their profiles... changing their name to be slightly misspelled, changing their gender, location and work information to be incorrect, etc...)

I have been (whenever FB tells me a 'friend' replies to one of these comments) - for the last several years, mostly extended in-law family members, the responses have been:
"I have nothing to hide/steal"
"It's all out there anyways / I am an open-book"
"Oh you worry too much, these are just silly things to waste time and entertain me"
"You are wrong / Don't be obnoxious/paranoid"
"You are such a nerd/geek"
posted by rozcakj at 8:21 AM on October 25, 2021 [1 favorite]


Anyhow, I know none of this is the real point of this article. Just found the tone, examples, and blithe assumptions on the way to the (condescending, not particularly original) "real threat" irritating.

My opinion is that this info is good for political hacking, not IP SEC hacking, which happens at the corporate level due to systemic weakness, not due to lost passwords for individuals, even if that guy happens to be the CFO.

Political hacking in that if they build a complete profile they can identify people they can target to sway voting via targeted twitter and facebook ads.
posted by The_Vegetables at 8:54 AM on October 25, 2021 [1 favorite]


Politics and product sales by the way, not just politics.
posted by The_Vegetables at 8:56 AM on October 25, 2021


This is from my FB account October 25th, 2010.

Me: I decided the Greeks were way ahead and speaking of a future more grim than they could accurately describe. This smart phone, this is Pandora's box! But hey, I got that little "hope" deceptor with a fly swatter. Just give it to me straight.

Me: See what I mean y'all Google Play just offered me a free breast exam, I just have to take a picture with my phone! How 'bout that?

Me: After the exam, Google Play offered me a digital martini and a date with the love of my life, whose identity was calculated from the contents of my bank account, my personal debt to income ratio, the car I drive, and the last five songs I listened to, on any web media. They sent a picture, my love is holding a sign, just off the 201, at Sugarhouse. He owns a pit bull, and has obviously bruxed away most of his teeth. He used to spend his afternoons in the Marriott Library. They closed the whole floor after that.
posted by Oyéah at 9:46 AM on October 25, 2021


Just have to note it here: I just got one that was literally: what type of password-person are you?
posted by mumimor at 10:19 PM on October 25, 2021


In my view, the most valuable extract of these "surveys" is the networks. You can have your Facebook profile locked down to the point where "only you" can see who's on your friends list. But with these easily-answered questions, the people who fall into the "answer trap" can quickly become aggregated into networks of friends who probably share similar demographic info.
It's my opinion that the 5,600 or however many data-points of every eligible voter from Cambridge Analytica have already been dispersed. What might be more valuable for the price, at this time, could be who those people are connected to. And these posts easily skip past the FB Privacy facade once Alice shares it with Bob who shares it with Charlie who shares it with D'arcy, etc etc etc
posted by onehalfjunco at 11:17 PM on October 25, 2021 [1 favorite]


Here's an example of one of these question posts that I saw the other day: "My least favorite smell is ______". It was a jpegged screenshot of a text post, so it was obviously recycled from elsewhere. I think it was posted by a mom-themed page.

It had thousands of comments.

I struggle to think of a reason why anyone would post such a thing for datamining purposes. Does anyone do psychometric analysis on bad smells? Probably not. The parsimonious explanation to me is that these posts work. They get engagement. And then Facebook (for some reason) puts these posts in my feed when my friends comment on them, which helps them spread through sets of friends who each see their friends engaging with it without anyone having to actively share the post.

My guess is that sometime recently, Facebook started showing "Your friend commented on this page's post" a lot more, which meant that these sorts of bait posts that encourage commenting (rather than "liking" or reposting) started working really well for pages, so they all started copying each other.
posted by BungaDunga at 9:53 AM on October 27, 2021


Does anyone do psychometric analysis on bad smells? Probably not.
There's been a fair amount of study on disgust as being politically indicative, but I think the simple answer of "it juices engagement" is probably most true, agreed.
posted by CrystalDave at 9:57 AM on October 27, 2021


Ryan Broderick tracked down the owner of one of these pages: "Facebook flipped a switch, favoring comments and reactions over shares, and suddenly a food blogger from Utah became the largest publisher in the country, if not the world."
posted by BungaDunga at 12:30 PM on November 22, 2021

