---

One of the things I lamented a lot growing up was an inability to find anyone else to do Game Boy link cable games with. I had a few games which would work with the setup, but very few of my friends had Game Boys themselves and when my younger brother received a Game Boy Pocket (I had the black-coloured original), it used a different cable all together, making it impossible for us to play Pokémon together.

My Game Boy was always on its own little island, never to see any real interaction any other device. It wasn’t until I was much older that I would have the ability to hook it up with other Game Boys since I now own a Game Boy Advance (GBA), Game Boy Player, and Super Game Boy 2.

But everything is online now and starting with the handheld’s successor, the Nintendo DS: it’s also wireless. There are a lot of gems for the Game Boy out there which relied on this cable that have since become largely forgotten or at least cannot have the full extent of their capabilities realized.

The GameCube and Game Boy Advance

One of the features of the GameCube was the ability to attach to a GBA via a controller port. This wasn’t meant to output from a handheld to a TV necessarily (such as with the Super Game Boy on the Super Nintendo), but instead to act as an alternate controller or to transfer content between. This same cable also works on Wii consoles with the appropriate controller ports.

My rather beat-up GameCube attached to a Game Boy Advance

One other benefit of this cable is when using the Game Boy Player, you can use the GBA as a controller instead of the awkwardly-shaped one provided with the console. And if you want to go further, you can also attach the cable to another GameCube if you want to make use of the Player on there instead.

As weird as this looks, it’s entirely possible to use your Wii and GameCube this way.

Or you can go all “chaotic evil” and use this configuration, which too works, but not for the purposes of I am discussing here — I just thought it was neat to share! Two friends of mine gave me a SGB2 after returning from Japan and it’s a far better device than the original Super Game Boy.

One of the features of the GBA is the ability to load software on it without having to insert a cartridge. This made the handheld rather powerful as a game loaded on a GameCube could load content on to a handheld without additional copies of software.

This was taken advantage of games such as PacMan Vs., Final Fantasy Crystal Chronicles, and importantly for this article, The Legend of Zelda: Four Swords Adventure. All of these games required the use of a GBA to be attached for multiplayer action and acted a lot like what you’d see in some Wii U games.

However, this required you to have multiple GBA handhelds, the cables themselves (sold separately), and the appropriate copy of the GameCube game.

A ridiculous dream

One of the consequences of the ongoing pandemic is the inability to not only safely play some games in the comfort of our own homes, but to travel to see each other when we have shared interests. I’ve been wanting to play one of the aforementioned games with a few friends, but safety is important.

So on and off I’ve been thinking about just playing these games over the Internet. It was more or less an idle thought in 2020, but then in early 2021, someone released an adapter which allowed you to make use of a Raspberry Pi Pico to allow a desktop computer to interface with a link cable. I quickly ordered one and assembled it.

No. This doesn’t work. Yes. That is my Game Boy from childhood.

There’s now no reason that physically a GameCube couldn’t attach to the Internet if I had at least three of these USB adapters attached to the console with three of those appropriate link cables, and then three other people with GBAs with the same adapters attached to their PCs.

And that is where the problems started: it required everyone to have the hardware. Unfortunately, that wasn’t going to be the only issue.

The adapter itself was intended purely to trade Pokémon, which itself should work even with the latency the Internet creates. It was designed around the idea that it should be fine for pure Game Boy to Game Boy connectivity, which is forgiving due to how the protocol is supposed to work.

Since the link protocol is synchronous and bits are sent and received simultaneously, that means the master device requires the slave to send its response at a rate equal to the clock speed. In non-Game Boy Color mode, the master Game Boy supplies an 8KHz clock (data transfer speed of 1KB/s). This means that there is only a ~120μs window to respond! The Game Boy Color can operate at even higher speeds. No internet connection could possibly satisfy this latency requirement. However, the slave device has no such constraints. It just responds when it receives data!

Unfortunately, it doesn’t appear that this is the case with the GBA. Based on what I am reading in some excellent documentation, the clock rate is even tighter with its tolerances (256 KHz to 2 MHz for the GBA as opposed to the original Game Boy’s 8 KHz). As a result, the hardware is unlikely to accept being a GameCube controller once you are of significant distance, which in the GBA’s case is more than a few metres.

But maybe the hardware being a problem is a non-issue. What if we just scrapped the hardware idea and do this using software instead?

Luck would have it that a few months after the USB adapter was released, the team behind the GameCube (and Wii) emulator, Dolphin announced a new feature: Game Boy Advance netplay.

This was no small feat for the team, but they’re also known for being rather meticulous and talented with their software. It wasn’t fool-proof and was rife with problems as evident from this excerpt from their blog:

These games in particular loved to spam tons of commands, sometimes sending over 200 commands a frame. This exposed a rather serious flaw in the TCP GBA protocol. Namely, they could get tripped up if they received a command while they were still emulating forward to catch up to the point from the previous command.

When I casually brought up in the fall of that year that I wanted to do this, someone linked the above blog piece, which then led to some organization.

Getting a crew together

Eventually my friends, authorblues, tinahacks, Aetyate, and I got together to go over playing this game online. We kept testing brief as we wanted to play the chosen game mostly obscured from us aside from “does it work”.

Once we were assured, we set up a night to play and thus The Legend of Zelda: Four Swords Adventures was being played on Twitch with all four Game Boy Advance displays on stream alongside the GameCube game itself.

You have to go back and forth between the GameCube screen and the Game Boy Advance you’re playing on in order to complete this game in multiplayer. In single player mode, this is not required.

While Aetyate and authorblues are in the eastern United States, tinahacks herself is in Finland. With my being in Vancouver, we effectively had two 4,000 KM (2,500 mi) connections and an 11,000 KM (6,800 mi) one going to my PC, playing a game which originally used a two metre (6 ft) cable itself — these distances are approximations and not based on the actual connections between us.

A single button press would find itself travelling 15,000 KM (9,300 mi) one-way, meaning that we’re approaching at least 3/4ths of the circumference of the whole planet considering the nature of of both TCP and the link cable protocols. The emulator was required to do this in order to keep everything in sync and consequently we had to endure somewhere of a 1/5th of a second delay on our individual inputs just to make it manageable.

But it was possible and we were playing it.

Two people in the eastern United States, one in northern Europe, and myself in Western Canada were about to do something that would have been seen as absurd when the game initially came out

Reducing the latency was something I had considered. I looked at options for acquiring a virtual machine with a GPU located somewhere in eastern North America close to fibre links across the Atlantic to Europe, but the costs for such systems have become quite expensive.

For example, one large cloud computing service was quoting me US$800 for a single month’s use of a machine meeting these requirements. Even with a discount I had available plus US$450 in credits I had with them, it just didn’t seem worth it.

One thing we learnt quick to do was test our controllers by using the battle mode within the game just to make sure that nothing found itself remapped.

This was something another streamer had done in order to host fighting games online and had a great deal of success, but we didn’t feel that the cost was worth it for what we were playing. Four Swords Adventure is an action role playing game and with two streams of this game under our belt, we were feeling that latency would not hinder us too much.

Or so we thought.

When the lag caught up with us

The latency in Four Swords Adventures was largely manageable for us and often was comical. In fact, the latency was the least of our concerns for the most part as we had other issues to deal with.

During one of our streams, tinahacks’ copy of Dolphin suddenly ran into problems and started to spew all sorts of errors on her computer. Fortunately, we were not too far past the last save point so we all opted to just restart Dolphin and carry on.

When the game broke, the stream broke.

On average, I was seeing about 60–80 ms of latency between Aetyate and I, 110–130 ms for authorblues, and unsurprisingly, 180–220 ms for tinahacks.

This is where the whole 1/5th of a second from earlier comes from. We were restricted by the laws of physics to what options we had available.

Dolphin includes an adjustable buffer setting in its netplay feature and we can adjust it based on what feels right. I kept it at ‘20’ the whole time as reducing it any further started to introduce audio choppiness and that is just not good “stream content”. It was fine for the first two streams, but towards the middle of our third night of playing the game, it reared its ugly head.

The game wanted us to walk in-step to get to the other side and failing to do so would result in us having to circle back to where we began on the screen.

Walking into this square without care will lead to you falling into a pit and having to come around back. You can see Aetyate falling into a pit on the bottom-right with myself and authorblues right — tinahacks is presently dashing across on the far right.

Typically if you run across a pit in a Zelda game, you can use your “Pegasus Boots” item to quickly dart across large gaps. However, the game developers placed what appears to be potato-pineapple hybrids in the way so if you were to dash across, you’d collide with them and then fall down the pit.

The game requires you to walk parallel to each other in formation in order to keep the platform balanced and then upon approaching the blocked items, simultaneously pull them off of the ground and then toss them. If you can pull off the second part successfully, then the pit is resolved so all we need to worry about is just getting at least one of us across.

With the current buffer settings, we probably made a dozen and a half if not more attempts. It was starting to look dire as the input latency combined with the latency that a Discord audio call produces made it impossible for us to just get the timing down right. It was beginning to look like this might be the end of this fun experiment until we tried one idea.

Let’s just make the buffer not exist and play the game frame-by-frame.

You absolutely should watch the video in this tweet to understand how everything went because while we were successful, someone decided to be a “bother” once it was known that we made it.

Each frame we progressed was progress in itself and when we made it to the other side, almost all of us managed to remember to pick up the object on the other end — I inadvertently hit my sword button instead (oops).

What proceeded was pure comedy because once one of us successfully got over, another went and attempted to sabotage everything because it was possible to get away with that now and I found myself and that saboteur at the bottom of the pit.

However, this was no longer a problem as now the boots I had put on earlier were now possible as an option across this pit.

At least two of us were on the other side despite someone’s best efforts.

This wasn’t the only obvious latency problem we had to contend with as a prior boss battle during this stream was proving difficult due to a need to time certain actions, but this was the first time we had to adjust the emulation in order to actually make any meaningful progress.

What’s next?

We have a few more streams of this game left with plans for this upcoming Sunday and Tuesday (February 6 and 8, 2022), with the second day being a hopeful completion of what has been a rather fun experience. This will be on authorblues’ Twitch channel.

If you’re interested in watching the past broadcasts, you can view the VODs on Twitch here (I will do my best to update this with the other streams once we are done):

• February 1, 2022 (Part 3)
• January 25, 2022 (Part 2)
• January 20, 2022 (Part 1)

After completing our misadventures, we intend to play Final Fantasy Crystal Chronicles, which is another game I have never played.

This is likely to be after the upcoming Frost Fatales 2022, an all-women speedrunning marathon I contribute my spare time to. I hope you’ll check out as we’re raising money for Malala Fund and lots of talented women will show how fast they can play games!

---

Just a warning: if you are playing Wordle and don’t want any hints, this is not the Medium entry for you. Also, I am not a mathematician or statistician, so everything is just based on my knowledge of cryptanalysis and nothing more.

One other thing to note is that the word list I am working with is not Wordle’s as I intentionally wanted to avoid looking at its source code.

Okay. So I had one remaining question from my last entry on Wordle: what is the most efficient starting word overall?

“Cares” has a word score of 967.4, whereas “audio” gets 288.4 and “ports” has 796.6. The point of the game is to produce an answer in as few steps as possible and while you will knock off a lot of vowels and consonants with those two, you are likely reducing the chances of answering in the fewest attempts.

My choice of word also includes the letter “e”, which is the most common letter used in the English language. On average, you should see that letter appear about 10–13% of the time, with the letter “a” being about 7–9%, and “s” being 6–9%.

You can also order it as “scare” or “races” too if you desire, but I believe that with “s” at the end and putting “r” in the middle, you cover all initial possibilities quite effectively here.

I did not like what I wrote here, but at the time I didn’t really run numbers on outcomes. However, I was working on this because you cannot really automate Wordle without a good starting word.

Methodology

Using the same logic from before, the process to find the winning word was fairly simple.

For each starting word, we then ran through each possible five letter word other than itself. It would run each guess against an implementation of Wordle in my own code with the same hints and correct guesses. Once it got to an answer, it would then record all attempts into a set and then move on to the next word.

The word “bases” was guessed with a starting word of “caves” and made five other guesses before coming to an eventual answer. This obviously would have failed if I used it against Wordle.

Unlike Wordle, there was no guess limit as I wanted to know how many attempts it would take using the methodology I did before where I came up with a list based on efficiency. So the first word based on possibilities made by the hints and correct letter guesses available from the list was the word chosen.

There are flaws with this list sorting as discussed on Twitter, but I wanted to stick to my current methodology, so we’ll proceed forward.

The worst words

Defining the worst word can be achieved one of two ways. We can either look for a group of words or a single word that has the most guess attempts or we can look at them on average.

A minimum of the number of guesses is quite simple: one if you’re lucky, but if the word doesn’t match, then two. Guessing what the largest number of guesses will be took a little bit of magic.

The words that managed to hit a the maximum-seen attempts of 14 were: “agile”, “anile”, “dells”, “duels”, “dulls”, “dully”, “exile”, “gaily”, “guile”, “gulls”, “gully”, “jails”, “jello”, “jells”, “jelly”, “jinns”, “jolly”, “keels”, “kelly”, “lolls”, “lolly”, “lulls”, “nails”, “ninny”, “nulls”, “quell”, “rails”, “rials”, “villa”, “ville”, “villi”, “yella”, “yells”, and “yield”. If you are to notice a pattern here, almost all of them have the letter ‘l’ in them, but this isn’t really the reason why they performed badly.

Word scores are all over the place with these words, which leads me to believe that it is not necessarily indicative of a good start. For example, “quells” is amongst that list and had a score of 307.4, but then “rails” received 768.6. The average score for all of the words was 531.1, so I’m not confident all that much in using that as a metric for a good starting word.

So then what about averages? This gives us a better picture because Wordle limits us to six guesses. I would suggest if a word has a minimum average of 4 or higher that it should not be used at the start.

The worst performing word had an average of 4.26 attempts, which was “jujus”. This was followed by “wheee” at 4.23, and “yukky” at 4.21. There were three tied for 4.2, and they were “vexes”, “sexes”, and “esses”.

The word score “jujus” was 506.6, but interestingly, “sexes” received 888.6.

Is there a guaranteed winner?

The short answer is: no.

All words with this methodology ranged from 8 to 14 maximum attempts. No single word went below 8 attempts, meaning there are starting words which will lead to failure.

There is a silver-lining, the number of words with the smallest maximum is only slightly larger than the number of words with the largest maximum.

There are 1,764 words of which had 12 maximum attempts, 2,085 with 11, 984 with 10, and 411 with 9. However, with 8, there are only 39 words, and all of them might justifiably be the best candidates.

The words that performed the best were “blest”, “deism”, “doest”, “durst”, “feist”, “heist”, “least”, “liest”, “merse”, “midst”, “obese”, “pseud”, “sebum”, “sedan”, “sedge”, “sedgy”, “sedum”, “seize”, “sepia”, “serge”, “serif”, “serum”, “sheaf”, “sheik”, “sherd”, “siege”, “sieve”, “skein”, “skirt”, “slept”, “speck”, “spend”, “sperm”, “steal”, “suede”, “swell”, “swift”, “welsh”, and “wrist”.

“Obese” has a word score of 277.8 and “pseud” is 281.6.

Going back to word scores, we arrive upon something curious: the range of scores is between 277.8 and 526, with the average being 398.4. Perhaps the way to look at the word score is not at whether it is strong at the start, but instead if it eliminates all of the least likely? This would suggest that words such as “obese” or “pseud” could be good starting candidates.

Could we find a most-likely?

This is where I want to deviate: a maximum does not imply that it is the worst choice. And in this case, I am willing to believe this because I did find something amongst all of the words that allows me to suggest that there is either a flaw in my methodology or I am looking at this all wrong.

The words “estop”, “epsom”, and “serum” had an average attempt count of 2.74, 2.77, and 2.79 each respectively. When I looked at their word scores, “estop” had 160.4, “epsom” had 165.8, and “serum” had 418.

I decided to look at all words of which were lower than 2.9, and within the the 54 words, the minimum score was 106.6 and the maximum was 496, with an average of 336.3. I think I know where the word score’s usefulness may lie: it’s better to start with a lower than a higher one.

When I spoke about maximums earlier, “estop” found itself with a maximum of 9 attempts. In fact, “serum”, which had a slightly higher average than “estop” found itself with a maximum of 8 — “epsom” received 9.

But this is still an incorrect approach.

We’re looking at the average and what I’d like to know is what has the highest percentage of wins within the limitations imposed by the game. We have six guesses, so what word is best suited on average to produce an outcome.

With these parameters in mind, we can then use the following methodology: which word is most likely to get a guess correct within those six attempts and then not consider the steps beyond that point since they’re not indicative of what would be considered a success.

Of the 5,756 words tested, one word managed to achieve a win in three moves 69.4% of the time: “verso”. It also achieved a win in two moves 10.8% of the time, four was 13.1%, five was 4.6%, and six was 1.5% — a 99.4% successful starting word.

But this is not the best word even though it is the best word for the quickest win — fortunately we already know the best one to use in order to win.

As mentioned before, “estop” had an average of 2.74 attempts before a win, but importantly it has the highest success rate. It edged out “verso” by achieving a 99.6% win rate with 46% of all attempts being achieved in its first two guesses and then three in 40% — four was 9.4%, five was 3.2%, and six was 0.9%.

With a failure on only 19 words from the word list — compared to 30 for the other word I was testing with — starting with just “estop” should net you a win most of the time.

So in my opinion: “estop” is by far the best word.

From January 30th’s Wordle: “estop” showed that despite failing the first two guesses, the algorithm did it in four tries whereas “verso” had to make an extra guess.

The data

I’m happy to share the data I have made and I welcome you to demonstrate anything you have done with it. However, I must reiterate that I am not a statistician nor do I consider myself adept with mathematics. What I will say that I was out to have fun to solve this challenge and I feel like I have.

I wanted to play this game unconventionally and I think I accomplished that goal. There are some further ideas to achieve a 100% success rate or at least get extremely close to it, but being that I am at 99.6% successful on just this algorithm alone, it does make me think that this little project can be considered “ended”.

---

Recently, a game called Wordle has exploded in popularity with its simple five-letter guessing game. I’ve been playing it for a few weeks but have also been musing over how to automate this all using my knowledge of classical cryptography.

So let’s dive in!

Patterns in the English language

While English is a very complicated language, it is also rather predictable and it is because of this we can play around with statistics. Letter frequency is often spoken about in cryptanalysis and is often a basis for solving cryptographic puzzles I release periodically.

With Wordle, we’re limited to five-letter words, so what I wanted to do is figure out what are the most common letters per position. The use of letter frequency is helpful, but because we’re dealing with restrictions, the base statistics are merely a guide and not a rule.

Using a list of five-letter words, I generated some statistics and came up with some answers for each position. In order, the first position had the most common letter of “s”, the second “a”, the third “a”, the fourth “e”, and the last being “s”. Now obviously, the word “saaes” does not exist in this word list, but we can use this knowledge to build a score for each word.

By going through the list, we can use the counts of each position to its letter within that position and then come up with a score. For example, the word “sores” in a set of the highest word score and has the values of 724, 911, 475, 1228, and 1764. If we create an average of those numbers, we come up with an answer of 1,020.4.

Using these averages to create a score for each, we can then order a list. That is all right? Well, not exactly, because there’s one other hiccup.

Of the 5,756 words I am working with, 38% of them end in the letter “s”. This is not really all that surprising seeing that four-letter words made plural should not be uncommon. However, I don’t want them to be dominant when I go to automate this later on, so I need to fix this.

While maybe not the best way to do this, I sorted the list in to two halves. The first half were words with all unique letters and the second not. In both halves, the order was kept from earlier, so once we finished the first half starting from the highest score to lowest, the same would repeat on the second.

At this point I decided I was done and felt that I had the most “efficient” list.

Where to start

Now that we have this list, we need to know what word to start off with. I’ve seen a lot of people suggest words like “audio” and “ports”, but the one I seem to find works best is “cares”.

“Cares” has a word score of 967.4, whereas “audio” gets 288.4 and “ports” has 796.6. The point of the game is to produce an answer in as few steps as possible and while you will knock off a lot of vowels and consonants with those two, you are likely reducing the chances of answering in the fewest attempts.

My choice of word also includes the letter “e”, which is the most common letter used in the English language. On average, you should see that letter appear about 10–13% of the time, with the letter “a” being about 7–9%, and “s” being 6–9%.

You can also order it as “scare” or “races” too if you desire, but I believe that with “s” at the end and putting “r” in the middle, you cover all initial possibilities quite effectively here.

Writing code to deal with this

Wordle’s rules are very straight forward: you have five letters and six attempts. On each attempt, the game will inform you on whether or not each letter is valid based on colour. If the letter in a position is valid, it’ll give it a background colour of green, if invalid then grey, and if invalid but elsewhere in the word, amber.

With this knowledge, I went and created a Python script to churn through a word list and find words based on inputs I give. I am solely responsible for the starting word, but the script itself will use my inputs and produce an answer based on the first hit in a list of words which matches the patterns.

The script works by dynamically generating a regular expression pattern for words that are not valid and then goes through to confirm that the letters that are suggested to be anywhere in the word are then only included. It then spits out the first word from the list created which itself is based off of the scoring method I wrote earlier.

It’s fairly simple and runs from a command line.

Testing it out

One hiccup is that Wordle only allows one guess per day. Now, while I could just erase my browser session data to test this out, there is fortunately a clone which not only allows for the same five-letter words, but can also be used on words of which are much longer — and my script can be used on words of any length provided there is a word list.

This clone allows you to keep playing to your hearts content so it became my test bed.

Feeding letters to the script to find the word

Even if the first guess is completely incorrect, we can do it in three steps

The positional arguments in the script are simple. You supply a wordlist (“words_efficient_er.txt”), the letters you wish to completely discard (“c”, “a”, “r”, “e”, “s”, “o”, and “l”), the letters you want to find anywhere (“d” and “i”, or just “_” for none), and then for each position you either put “_” as a wildcard, the known letter, or you precede letters in that position with a “.”, so if you want to exclude “r”, you can do “.r”, or if you wanted “h” and “y” to be exempted, you just do “.hy”.

Because we have the list ordered in a way that allows us to find the most likely word based on positional letter placement scores, it’s entirely possible to have an answer in just two guesses if your first guess isn’t correct. This has in fact happened with my attempts.

Two attempts and we have our answer

This is of course not fool-proof and I have had it take six attempts.

It came very close to not winning here

The placement of “V” and starting with “L” demonstrates that the scoring isn’t exactly fool-proof because it doesn’t take into account the prevalence of the word in the English language. I’d argue that “loves” is more common than the preceding two, but maybe in the case of a random word choice it does not matter?

But sometimes it seems like it won’t get it and then it suddenly it has an answer.

“Girls”

I guess what may have happened on the last one is that the scores for the other words being higher gave it precedence, but ultimately it came across “girls”. This is why I am only so confident in the efficiency of the list because there might be a way to do this better, but it is beyond my knowledge of statistics.

Closing

You can grab the script from this gist here and any five-letter list from a Google search should suffice should you wish to try this all out.

---

Back in March, I wrote about harassment on Twitch towards individual streamers via its chat function. Then, a few months ago, I followed up with a small piece on them admitting to using machine learning when they filed a lawsuit against known bot users on their service.

Finally, in late November, Twitch announced this machine learning feature and I have this short review: it’s absolutely useless.

After its launch, there were still new bots

Twitch has been dealing with a persistent and never-ending bot problem for a very long time. With a number of Black, persons of colour, LGBTQ+, and women streamers taking a stand and the media taking notice, the company finally relented and admitted that they were not meeting their end of the bargain.

It should be repeated here: the only reason why Twitch has made any response is not because of streamers making an issue of this but because the media took notice of the streamers and asked Twitch about it.

So now we have them admitting to using machine learning to track ban evasion and we also have them providing tools to verify users through their mobile phones, but even with all of that it appears that they haven’t dealt with the elephant in the room: they still have massive numbers of accounts being registered to engage in harassment.

The thing about these hate raids is that the bots used them often have been known to have a pattern. With the case of the “hoss” bots, we saw them follow a rather consistent pattern. These bots ceased to exist a few months before the new feature, so did it stop similar patterns from emerging?

The short answer is: no.

On December 3rd, just a few days after Twitch made a big deal about machine learning, 472 accounts were registered in a small time frame. Each of these accounts started with the same 12 characters resembling a popular streamer and were then followed with four integers with the first one being a 0 and then the last three varying.

The first account was registered at 18:58:10 UTC and the last account was registered at 20:01:06 UTC. However, the first 27 accounts were all registered within 2.5 minutes with the remaining 445 all being registered every few seconds starting from 19:47:28 UTC.

How did Twitch’s machine learning not capture such a pattern of account registrations when this pattern was repeating itself nearly every two seconds?

Why I know

I lead moderation for two events run by one of Twitch’s largest channels. My day job is running a cyber security team, so I have a keen interest in knowing how to contend with the nonsense that streamers (including myself) face and how to mitigate the inadequacies the service has automatically.

Twitch’s API is absolutely garbage to deal with when it comes to automating moderation and they make it spectacularly worse for trying to do anything useful that also flirts with violating their developer terms of service.

So here’s the reality: want to know who followed you or another account? You have to have to have a web service receiving pushed messages. Want to ban or timeout a user account? You have to use their IRC-esque service and issue the same commands a human would. Want to pull the user profile? You have to use their REST API.

These are the official ways to perform these tasks and the rate limiting around them is abysmal. The REST API by default limits you to 800 queries per minute and the IRC one is just over 200. If you wanted to ban every single account from one of the hate raid lists out there, it would take 16-hours to just get through 200,000 of them — there is one list that is almost 1.4 million accounts, which would take almost five days.

There are unofficial ways but you raise the possibility of finding your account access suspended or a legal threat being sent your way. There’s an undocumented API that every Twitch user interfaces with all the time, but if you perform an action with it from outside of a browser, you’re violating those terms.

Nonetheless I’ve endured and come up with ways to do all of these things in a way that is fast, doesn’t violate their terms of service, and can be flexible. It has sucked and Twitch hasn’t been helpful, but a year later and I know more about their developer tools than any non-Twitch employee should.

So when these bots come up, I often notice that there are patterns. These patterns more often than not remain consistent and are predictable. In fact, some of these patterns are predictable enough that I literally can anticipate the accounts existing in the future and be aware of their existence within the minute they’re registered.

When that example from before was made aware to me, I put the pattern into the prediction engine and look at that, hundreds of accounts. I am certain that the number I reported may be inaccurate because it’s possible that some were already suspended, but what the hell is Twitch doing when they see these reports? Do they not themselves look for patterns?

If my report from March is indicative of anything, the answer is pretty obvious!

And you know what? It’s ridiculous because everything I have been doing has been largely automated and is performing things faster than whatever machine learning feature Twitch has put out.

And that is just one example. The hate raid lists that have been floating around have patterns too. When I examined one particular set, I was able to cover approximately 40% of them with just one single definition (of a sample set of 480,000 bots, 192,000 were covered). A simple regular expression was able to do that and it wasn’t even that complicated or computationally expensive.

Yet here we are with some poorly implemented machine learning nonsense that could have been done with much simpler techniques. Making it worse, this whole security theatre they’ve put on isn’t even addressing the other problems the site faces.

Spam bots are still around

Here’s a line many streamers will know: want to become famous?

The BigFollows spam bots themselves are indicative of Twitch’s machine learning really not working the way it should. The bots which spam the URLs inviting people to buy up followers, subscribers, and “actual” viewers are all tied together and can be tracked.

Recent example of a bot spamming a URL which redirects to the BigFollows service.

The service offers customers followers, viewers, and subscribers at varing prices. Need 200 followers? That’s $2.10 US. 30,000? That’s going to be $100.

BigFollows showing available plans for gaining new followers. For as little as less than one penny per new follower, you can get 30,000 of them.

The subscriber services they provide is very damning however.

For $2, you can get a $5 subscription given to you. For $70, you can get 50 of them. Each subscription can pay out a customer about $2.50 US each if they’ve reached affiliate status.

For $2, you can get a new Twitch subscriber. For $70, you can get 50. When you take into account that a Twitch subscription itself is typically $5, you can easily come to the same conclusion I am here. The problem is, I have already pointed this out and Twitch is aware of these things, but has done nothing.

Based on my research, BigFollows has about 80,000 accounts available to be used for following customers or spamming its services with a sizeable number available to offer subscriptions.

On October 31st of this year, the service registered 11,107 new accounts between 13:43:46 and 15:22:19 UTC. Every 3/4ths of a second, the service was registering new accounts and this is not just a single blip.

I was able to find the same sort of mass account registrations in 2021 on October 19th, August 26th, and August 14th. For the 14th, we can see 3,700 accounts were all registered in a three hour period, so it has only become worse since.

Personally, I do not care about who’s behind the scenes of this service because I can make a professional guess and say it’s likely affiliated with or linked to organized crime.

However, the fact that this service persists on Twitch and is engaging in what cannot be anything other than fraud leaves me wondering what the hell is going on with Amazon’s audit, risk, and legal teams when it comes to Twitch.

Looking at a buyer

A recent user of BigFollows is Twitch user, yonkukaido. Between their account registration in mid-2018 and until just before last month (November 2021), the account had just 489 follows with just one in 2020 and most being in 2018.

However, with zero activity until November, the account gained over 77,000 new follows starting on the 14th. This is of course for an account with what appears to be zero activity leading up to that point and with a Twitter account in their bio that was registered just this month (December 2021) and has no real activity.

Profile of Twitch user, yonkukaido showing 78,200+ followers with links to the person’s Twitter, Instagram, and Facebook.

Twitter account, yoku123414 which is linked from from the previous Twitch example.

Their Instagram and Facebook accounts appear to indicate a man possibly living somewhere in the Middle East. The Instagram profile in particular implies that they’re “a gamer”.

Previous videos by Twitch user, yonkukaido showing streams of Fortnite being played as recent as December 14th, 2021.

When reviewing the video on demand (VOD) streams on the account, the amount of interaction in the saved chat is quite small for someone who has 78,200 followers. Even a streamer with 500 users is going to have a lot more interaction in chat in their hour-long stream than what was shown for this streamer here.

Towards the tail-end of this streamer’s VOD, it shows a grand total of five chat messages in just one and a half hours. With 78,200 legitimate followers, this would be significantly more active.

In reviewing some of these videos, there is little to suggest that they’re even talking on stream. However, evidence shows that they’re streaming from a desktop computer as their are using a Streamlabs progress bar on the bottom, something not possible when using console-based streaming.

Overall, the content they’re streaming and how they interact with their stream plus the lack of progress on their on-screen donation bar should be enough to suggest that their sudden explosion in popularity is falsified.

What is the problem?

Twitch has requirements for becoming an affiliate and also a partner.

To become an affiliate, you require a minimum of 500 minutes of stream time, 7 unique broadcasts, at least 3 average viewers per broadcast, and a minimum of 50 followers all across a block of 30 days.

With partner, it’s 25 hours, 12 different broadcasts, and at least 75 average viewers per stream.

In the case of the Twitch streamer example, they have already achieved affiliate status as their profile permits subscriptions, meaning that they can earn money from streaming on the service. When reviewing the view counts for their streams, it’s apparent that they’re also likely buying up viewers and may have achieved enough to meet partner.

The wildcard in all of this is the subscriber count as unless the streamer divulges that information, it remains unknown. However, we can at least confirm that they’re just an affiliate as Twitch provides a purple checkmark in a user profile for anyone who achieves this status.

The consequences of this manipulation on this user’s part are the same as I wrote back in March: it puts the whole affiliate and partner programs Twitch provides into question.

Twitch’s inaction on this despite knowing about it seems to suggest that it is going to continue regardless of their ineffective machine learning components they keep promoting.

The approach is misplaced and incorrect

Here’s a question: how many Twitch users are going to know what machine learning is?

If you’re me, then yeah, you understand it and you also groan whenever you hear it. But if you’re just someone who plays video games and doesn’t have any knowledge of computing programming, you’re going to see the term “machine learning” and see it as a buzzword.

And that is just it: I don’t see a reason for why Twitch is going on about this because it’s simply all show. The extended moderation tools they’ve put out that allows you to “watch” and “restrict” suspicious users relies on the moderators themselves to engage with them. Twitch barely explains what they do and when I have used them personally, I don’t see their effectiveness especially when dealing with ban evasion.

Twitch needs to investigate further these spam bots, they need to actually do research on these hate raids, and they also need to make meaningful tools that do the basics first.

Give users the ability to ban people from their chats by allowing wildcards (similar to IRC) and make it clear that whatever moderation or reporting decisions are made are given a follow up and an outline of what has actually happened.

Email excerpt showing a report has been sent to Twitch.

To close out, I went and checked my inbox to see how many times I’ve reported accounts to Twitch and in 2021 alone I reported 152 users and of those 38 received a follow up. This meant that for every four reports I would make, only one would get actioned on and unfortunately Twitch doesn’t make it clear who you reported or who was actioned upon.

This excerpt contains as much information as the whole email itself on what has actually occurred.

I report not because I expect Twitch to do anything but because I wanted to know how often they actually bothered to enforce their terms of service.

Twitch hasn’t done better.

---

God. I hated and enjoyed the stories and wrong opinions which came out on October 4th, 2021, as Facebook and all of its associated services effectively “disappeared” from the Internet for a half-day. Some of them were the type I wanted to believe, some of them were outlandish, and some of them came from folks who probably need to learn a bit about Hanlon’s razor.

This is probably my favourite tweet. It would have been pretty funny to have had the new Matrix movie release on the same day as this incident.

A good primer on what actually happened can be read from CloudFlare and Facebook for their part posted a fairly reasonable explanation as well. I won’t dive into these two any further, but I do want to talk about some of the silliness I saw on Twitter, the only working social media outlet that day.

Facebook could not get into their offices as a result of this

Turn-key LDAP systems such as Active Directory are so yesterday.

I want to believe this so bad because it would read as both funny and so many movie scenarios coming to life, but it isn’t true.

Runner up for my favourite tweet.

My last visit to Facebook’s Menlo Park campus (on “1 Hacker Way” no less) was a surreal experience because it was very much high-tech in terms of how you signed in, how you got around, and how people worked. Much has likely changed since my mid-2016 speaking engagement there, but advances in access control and so forth have not fundamentally changed.

The company is in fact married to their ID badges. Everything from ordering food, getting office and computer supplies, booking and using conference rooms, and just opening doors is tied to the ID badge. However, at no point did it ever appear that there were no workarounds.

Many came out to say that they had spoken with people who work at Facebook. It is likely that this messed with many of its internal systems, but the disruption was probably not as severe as many made it out to be.

It is possible this whole incident disrupted physical access, but I don’t think that it lasted anywhere as long as some may suggest. Internal tools were disrupted and it likely affected access control systems, but I imagine they still had physical keys somewhere.

I know that the Bay Area is rife for flaunting local municipal and state code, but nobody running physical security for a company as high-profile as Facebook is going to overlook the need to override the digital controls. It is likely that nobody could fix this remotely (as in working from home) as Facebook was “gone”, but it would be spectacularly unlikely to have completely locked everyone out.

Many large corporations use IoT devices to operate their conference rooms. They’re not new at all and often are synchronized with the internal lighting, telephony, video conferencing, and electronic displays.

The company also doesn’t have a data centre in its Menlo Park offices. In fact, the closest data centre to them is 800 KM north in Bend, Oregon. Additionally, they have multiple data centres, with at least a dozen in the United States, a few in Europe, and one in Asia — this is via unofficial sources I will add. If someone had to do this on site, it was likely at one of these locations.

Lots of data was stolen and a panic button was hit

A now deleted tweet from Twitter user, vx-underground: “At 19:07UTC a RaidForum account under the name ‘CBT’ released 600TB of Facebook data. They are claiming responsibility for the Facebook, Instagram, and WhatsApp outage.”

600 TB is a lot. How much is 600 TB?

From a practical standpoint, let’s look at a 4K movie on Blu-Ray. In this scenario, a movie could be anywhere between 50 and 100 GB in size. On my 940 Mbps Internet connection, it can transfer about 117 MB every second at its maximum capacity. Assuming the maximum size of 100 GB (or 102,400 MB) was being used for the movie, it would take me under 15 minutes to download it via the Internet.

The tweet about data being made available on a “popular hacking-related forum” made its rounds and spread like wildfire without taking into account the absurdity of the claim.

600 TB is 614,400 GB which is 629,145,600 MB. That’s 6,144 of those aforementioned Blu-Ray 4K movies. That means that it would take my connection approximately two months to transfer the data, assuming I could do it at peak and without disruption.

Physically, to store all of that 600 TB on Blu-Ray discs alone would result in the discs alone being just over 7 metres tall. For reference, I am about 1.7 metres in height and as a result those discs would dwarf me.

If we were to use hard drives, the largest capacity on the market today runs at 18 TB, meaning you’d just need 33 of them if redundancy is not important.

At a minimum, you’re looking at about $600 (Canadian dollars) for just one drive, so that comes to just under $11,000 before taxes and recycling fees — maybe you can get a bulk discount. You’d also need somewhere to put those hard drives too, so it will then cost you at least another $10,000 more since you cannot stuff that many into your computer.

And I guess physically speaking, the hard drives would be shorter than the Blu-Ray discs themselves as they’d just be a metre tall all combined.

Since I am not fond of mechanical hard drives, solid state drives run you $1,100 for 8 TB each. We’d need 75 of those (again without redundancy), running you $82,500. Height wise, it wouldn’t be much different than the previous storage medium, but it would be considerably less noisy. You’d still have to add the cost of housing that many drives.

Mirror it on the cloud then? Using Amazon Glacier, you can store data there at $0.004 (US dollars) per GB per month, or $2,460 for the whole 600 TB, assuming you have managed to get it into there. However, making use of the data would then cost you a lot more, as retrieval of the data will likely cost you $0.01 per GB. If you wanted to grab it all after storing it, it could set you back about $6,150, setting aside the costs of storing it locally to begin with.

So no. Someone doesn’t have 600 TB of data for sale — at least not in this situation. If anything, it’s likely that they could have been packaging scraped data and some data floating about that connects Facebook users to their telephone numbers, but even then it doesn’t get close to a single terabyte and I know this first-hand.

Why did I initially use Blu-Ray discs to demonstrate this then? Aside from their storage density, Facebook was reported to have used them to store data long-term as early as 2014. Whether or not it is still the case is uncertain.

To add to this: moving 600 TB out of Facebook’s data centre should hopefully not go without notice despite the amount of data they move typically.

There was a thought popped into my head where someone could walk out with a whole bunch of discs, but I don’t think that can and will happen as 10,000 discs would weigh about 160 KG and would be almost 12 metres if stacked high.

You may as well steal a storage array, which would be needed for all of those hard drives I mentioned.

It was all a “security reset”

I am obscuring this tweet because the person in question has faced enough harassment in their life, but nonetheless, their tweet was so incredibly misinformed that it irritated the hell out of me.

Quoting a tweet by Brian Krebs: “She downloaded tons of company data to use against the company. Any other employee can do the same. My guess is they took it all down to reset their security, cover their tracks and prevent people from whistleblowing.”

The day before, former Facebook Product Manager, Frances Haugen revealed allegations (of which I do believe) of the company amplifying content that would be considered hateful, likely fuelling the fascist fervour surrounding the 2020 American presidential election and the subsequent January 6th failed coup (and let’s not mince words here, it was an attempt) on the U.S. Capitol building.

This is of course incredibly damning for the company as they had continuously denied this in press releases and through its own founder and CEO, Mark Zuckerberg in front of congressional hearings.

Why this person’s tweet is so incorrect is quite simple: why would you go about “resetting security” the day after? Nuking any way for people to get to any of the company’s services does not ease “resetting” in whatever form this persons believes and is also incredibly expensive.

Facebook is a for-profit, service-oriented business and consequently downtime of any significance is going to cause them to incur financial penalties from their customers let alone their own revenue streams. Their business is in providing a functional service and data from its users. Being out of commission for a half-day means a loss of that data and in turn a loss in profit.

So what if Facebook actually did do this? Well, the legal hot water they may presently face over these believable allegations would become significantly worse if it came to light that this downtime was all a ruse to get their “ducks in order” in the event that they were requested to provide information to law enforcement. Digital forensics would be all over this because there would have to be communications between higher ups and everyone required to pull off a such a ridiculous stunt.

To add to this, it likely would result in another whistleblower situation. I would imagine that this would all bubble to the surface much faster than the time between Haugen’s departure from the company in May and her appearance on CBS’s 60 Minutes just this past Sunday. Someone in the chain who would have the ability to do all this would likely make noise.

Assuming it were somehow successful and were to come to light, it would likely be a bigger corporate story than the Enron scandal, which coincidentally occurred almost twenty years ago prior.

This would not be a financial crime of course (maybe a Sarbanes-Oxley violation due to a messing with controls perhaps — I am not a lawyer), but seeing that it would be an blatant attempt to erase evidence and there are already enough within Washington D.C. who have a bone to pick with the company, I don’t think they’d ride this one out with the same ease Microsoft did when they faced anti-trust suits the same year as Enron broke.

Now that we are at the end: it was aliens. That, or sun spots.

So no. I don’t see it at all possible as hitting a “reset switch” here as the ramifications would be enormous. In truth and all likelihood, someone coincidentally committed code that messed up production, which then cascaded to catastrophic collapse of vital systems. It fits in with Hanlon’s razor as mentioned at the start of this piece and there is just no evidence to suggest otherwise.

The one theory I did have is maybe a “white knight” situation, where someone opted to fall on their own sword for some misguided reason, but even then I don’t buy that possibility.