security research, software archaeology, geek of all trades
394 stories
·
7 followers

softlyfiercely: pervocracy: dysgraphicprogrammer: pervocracy: How to hack any hospital...

1 Share

softlyfiercely:

pervocracy:

dysgraphicprogrammer:

pervocracy:

How to hack any hospital computer

-Use the password taped to the monitor

How to hack any hospital computer (L337 version for advanced security systems)

-Use the password taped to the back of the monitor

As a computer guy: This is what happens when you have too much security. It reaches a tipping point and then suddenly you have none.

Security at the cost of convenience comes at the cost of security.  

This is true of so many things in healthcare.  Example: our software is designed to automatically alert the doctor if a patient’s vital signs are critically out of range.  If someone has a blood pressure of 200/130, the doc gets a pop-up box that they have to acknowledge before doing anything else.  It makes sense, in our setting.

But then some mega-genius upstairs realized something: the system was only alerting for critical vital signs, but not for all vital signs that could possibly be bad.  Like, yeah, 200/130 is potentially life-threatening, but 130/90 is above ideal and can have negative effects on health.  Should the doctors be allowed to just ignore something that could negatively affect a patient’s health?  Heavens no!

So now the system generates a pop-up for any vital signs that are even slightly abnormal.  A pressure of 120/80 (once considered textbook normal, now considered slightly high) will create the pop-up.  We have increased our vigilance!

Well, no, what we’ve actually done is train doctors to click through a constant bombardment of pop-ups without looking.  We’ve destroyed their vigilance and made it much easier for them to accidentally skim past life-threatening vital signs.

But you can’t tell that to management, because you’d have to confess that you are a flawed human with limited attention resources.  They’d tell you “well, all the other doctors take every abnormal vital sign seriously, it sounds like you’re being negligent.”  And if you’re smart, you back down before you start telling the big boss all about your habit of ignoring critical safety alerts.

The end result is exactly the same as if we had no alerts at all, except with more annoying clicking.

this here is an absolutely fascinating overview of how and why this happens

Read the whole story
zwol
2 days ago
reply
Pittsburgh, PA
Share this story
Delete

Welcome to Voldemorting, the Ultimate SEO Dis

1 Comment
Welcome to Voldemorting, the Ultimate SEO Dis:

I’m now Wired’s Resident Linguist, writing a new column about internet language! 

My first column is about “birdsite”, “Cheeto” and other creative ways of hiding words in plain sight online. Excerpt: 

“I’m so tired of all the bad news on birdsite.”
“Yeah, there’s just too much about The Cheeto.”

Cheeto and birdsite might not be common vocabulary, but the phrases are strangely interpretable. It’s easy to jump from Cheeto to Donald Trump or from birdsite to Twitter. Even more understandable is the attitude that comes along for the ride: Somehow it’s clear that someone who uses ornate synonyms isn’t happy about either entity.

But how is it that we’re so quick to figure out the hidden meanings of these words? And what does it mean for communication in the internet age that we’re increasingly drawn to elaborate synonyms?

A recent paper by researcher Emily van der Nagel puts a name to this phenomenon of hiding a word in plain sight. She calls it Voldemorting. Van der Nagel traces Voldemorting back to the Harry Potter books, where most characters are too afraid of Voldemort to say the word directly, instead replacing his name with euphemisms like You Know Who and He Who Must Not Be Named. This practice starts as a superstition, but by the final book there’s a deeper purpose: The word Voldemort is revealed as a way of locating the resistance: “Using his name breaks protective enchantments, it causes some kind of magical disturbance.”

Read the whole thing

Read the whole story
zwol
5 days ago
reply
This comes up a bunch in my research: Voldemorting is also a great way to evade keyword censorship.
Pittsburgh, PA
Share this story
Delete

The interesting ideas in Datasette

3 Shares

Datasette (previously) is my open source tool for exploring and publishing structures data. There are a lot of ideas embedded in Datasette. I realized that I haven’t put many of them into writing.

Publishing read-only data
Bundling the data with the code
SQLite as the underlying data engine
Far-future cache expiration
Publishing as a core feature
License and source metadata
Facet everything
Respect for CSV
SQL as an API language
Optimistic query execution with time limits
Keyset pagination
Interactive demos based on the unit tests
Documentation unit tests

Publishing read-only data

Datasette provides a read-only API to your data. It makes no attempt to deal with writes. Avoiding writes entirely is fundamental to a plethora of interesting properties, many of which are expanded on further below. In brief:

  • Hosting web applications with no read/wrote persistence requirements is incredibly cheap in 2018 - often free (both ZEIT Now and a Heroku have generous free tiers). This is a big deal: even having to pay a few dollars a month is enough to dicentivise sharing data, since now you have to figure out who will pay and ensure the payments don’t expire in the future.
  • Being read-only makes it trivial to scale: just add more instances, each with their own copy of the data. All of the hard problems in scaling web applications that relate to writable data stores can be skipped entirely.
  • Since the database file is opened using SQLite’s immutable mode, we can accept arbitrary SQL queries with no risk of them corrupting the data.

Any time your data changes, you need to publish a brand new copy of the whole database. With the right hosting this is easy: deploy a brand new copy of your data and application in parallel to your existing live deployment, then switch over incoming HTTP traffic to your API at the load balancer level. Heroku and Zeit Now both support this strategy out of the box.

Bundling the data with the code

Since the data is read-only and is encapsulated in a single binary SQLite database file, we can bundle the data as part of the app. This means we can trivially create and publish Docker images that provide both the data and the API and UI for accessing it. We can also publish to any hosting provider that will allow us to run a Python application, without also needing to provision a mutable database.

The datasette package command takes one or more SQLite databases and bundles them together with the Datasette application in a single Docker image, ready to be deployed anywhere that can run Docker containers.

SQLite as the underlying data engine

Datasette encourages people to use SQLite as a standard format for publishing data.

Relational database are great: once you know how to use them, you can represent any data you can imagine using a carefully designed schema.

What about data that’s too unstructured to fit a relational schema? SQLite includes excellent support for JSON data - so if you can’t shape your data to fit a table schema you can instead store it as text blobs of JSON - and use SQLite’s JSON functions to filter by or extract specific fields.

What about binary data? Even that’s covered: SQLite will happily store binary blobs. My datasette-render-images plugin (live demo here) is one example of a tool that works with binary image data stored in SQLite blobs.

What if my data is too big? Datasette is not a “big data” tool, but if your definition of big data is something that won’t fit in RAM that threshold is growing all the time (2TB of RAM on a single AWS instance now costs less than $4/hour).

I’ve personally had great results from multiple GB SQLite databases and Datasette. The theoretical maximum size of a single SQLite database is around 140TB.

SQLite also has built-in support for surprisingly good full-text search, and thanks to being extensible via modules has excellent geospatial functionality in the form of the SpatiaLite extension. Datasette benefits enormously from this wider ecosystem.

The reason most developers avoid SQLite for production web applications is that it doesn’t deal brilliantly with large volumes of concurrent writes. Since Datasette is read-only we can entirely ignore this limitation.

Far-future cache expiration

Since the data in a Datasette instance never changes, why not cache calls to it forever?

Datasette sends a far future HTTP cache expiry header with every API response. This means that browsers will only ever fetch data the first time a specific URL is accessed, and if you host Datasette behind a CDN such as Fastly or Cloudflare each unique API call will hit Datasette just once and then be cached essentially forever by the CDN.

This means it’s safe to deploy a JavaScript app using an inexpensively hosted Datasette-backed API to the front page of even a high traffic site - the CDN will easily take the load.

Zeit added Cloudflare to every deployment (even their free tier) back in July, so if you are hosted there you get this CDN benefit for free.

What if you re-publish an updated copy of your data? Datasette has that covered too. You may have noticed that every Datasette database gets a hashed suffix automatically when it is deployed:

https://fivethirtyeight.datasettes.com/fivethirtyeight-c9e67c4

This suffix is based on the SHA256 hash of the entire database file contents - so any change to the data will result in new URLs. If you query a previous suffix Datasette will notice and redirect you to the new one.

If you know you’ll be changing your data, you can build your application against the non-suffixed URL. This will not be cached and will always 302 redirect to the correct version (and these redirects are extremely fast).

https://fivethirtyeight.datasettes.com/fivethirtyeight/alcohol-consumption%2Fdrinks.json

The redirect sends an HTTP/2 push header such that if you are running behind a CDN that understands push (such as Cloudflare) your browser won’t have to make two requests to follow the redirect. You can use the Chrome DevTools to see this in action:

Chrome DevTools showing a redirect initiated by an HTTP/2 push

And finally, if you need to opt out of HTTP caching for some reason you can disable it on a per-request basis by including ?_ttl=0 in the URL query string. - for example, if you want to return a random member of the Avengers it doesn’t make sense to cache the response:

https://fivethirtyeight.datasettes.com/fivethirtyeight?sql=select+*+from+[avengers%2Favengers]+order+by+random()+limit+1&_ttl=0

Publishing as a core feature

Datasette aims to reduce the friction for publishing interesting data online as much as possible.

To this end, Datasette includes a “publish” subcommand:

# deploy to Heroku
datasette publish heroku mydatabase.db
# Or deploy to Zeit Now
datasette publish now mydatabase.db

These commands take one or more SQLite databases, upload them to a hosting provider, configure a Datasette instance to serve them and return the public URL of the newly deployed application.

Out of the box, Datasette can publish to either Heroku or to Zeit Now. The publish_subcommand plugin hook means other providers can be supported by writing plugins.

License and source metadata

Datasette believes that data should be accompanied by source information and a license, whenever possible. The metadata.json file that can be bundled with your data supports these. You can also provide source and license information when you run datasette publish:

datasette publish fivethirtyeight.db \
    --source="FiveThirtyEight" \
    --source_url="https://github.com/fivethirtyeight/data" \
    --license="CC BY 4.0" \
    --license_url="https://creativecommons.org/licenses/by/4.0/"

When you use these options Datasette will create the corresponding metadata.json file for you as part of the deployment.

Facet everything

I really love faceted search: it’s the first tool I turn to whenever I want to start understanding a collection of data. I’ve built faceted search engines on top of Solr, Elasticsearch and PostgreSQL and many of my favourite tools (like Splunk and Datadog) have it as a core feature.

Datasette automatically attempts to calculate facets against every table. You can read more about the Datasette Facets feature here - as a huge faceted search fan it’s one of my all-time favourite features of the project. Now I can add SQLite to the list of technologies I’ve used to build faceted search!

Respect for CSV

CSV is by far the most common format for sharing and publishing data online. Almost every useful data tool has the ability to export to it, and it remains the lingua franca of spreadsheet import and export.

It has many flaws: it can’t easily represent nested data structures, escaping rules for values containing commas are inconsistently implemented and it doesn’t have a standard way of representing character encoding.

Datasette aims to promote SQLite as a much better default format for publishing data. I would much rather download a .db file full of pre-structured data than download a .csv and then have to re-structure it as a separate piece of work.

But interacting well with the enormous CSV ecosystem is essential. Datasette has deep CSV export functionality: any data you can see, you can export - including the results of arbitrary SQL queries. If your query can be paginated Datasette can stream down every page in a single CSV file for you.

Datasette’s sister-tool csvs-to-sqlite handles the other side of the equation: importing data from CSV into SQLite tables. And the Datasette Publish web application allows users to upload their CSVs and have them deployed directly to their own fresh Datasette instance - no command line required.

SQL as an API language

A lot of people these days are excited about GraphQL, because it allows API clients to request exactly the data they need, including traversing into related objects in a single query.

Guess what? SQL has been able to do that since the 1970s!

There are a number of reasons most APIs don’t allow people to pass them arbitrary SQL queries:

  • Security: we don’t want people messing up our data
  • Performance: what if someone sends an accidental (or deliberate) expensive query that exhausts our resources?
  • Hiding implementation details: if people write SQL against our API we can never change the structure of our database tables

Datasette has answers to all three.

On security: the data is read-only, using SQLite’s immutable mode. You can’t damage it with a query - INSERT and UPDATEs will simply throw harmless errors.

On performance: SQLite has a mechanism for canceling queries that take longer than a certain threshold. Datasette sets this to one second by default, though you can alter that configuration if you need to (I often bump it up to ten seconds when exploring multi-GB data on my laptop).

On hidden implementation details: since we are publishing static data rather than maintaining an evolving API, we can mostly ignore this issue. If you are really worried about it you can take advantage of canned queries and SQL view definitions to expose a carefully selected forward-compatible view into your data.

Optimistic query execution with time limits

I mentioned Datasette’s SQL time limits above. These aren’t just there to avoid malicious queries: the idea of “optimistic SQL evaluation” is baked into some of Datasette’s core features.

Consider suggested facets - where Datasette inspects any table you view and tries to suggest columns that are worth faceting against.

The way this works is Datasette loops over every column in the table and runs a query to see if there are less than 20 unique values for that column. On a large table this could take a prohibitive amount of time, so Datasette sets an aggressive timeout on those queries: just 50ms. If the query fails to run in that time it is silently dropped and the column is not listed as a suggested facet.

Datasette’s JSON API provides a mechanism for JavaScript applications to use that same pattern. If you add ?_timelimit=20 to any Datasette API call, the underlying query will only get 20ms to run. If it goes over you’ll get a very fast error response from the API. This means you can design your own features that attempt to optimistically run expensive queries without damaging the performance of your app.

Keyset pagination

SQL pagination using OFFSET/LIMIT has a fatal flaw: if you request page number 300 at 20 per page the underlying SQL engine needs to calculate and sort all 6,000 preceding rows before it can return the 20 you have requested.

This does not scale at all well.

Keyset pagination (often known by other names, including cursor-based pagination) is a far more efficient way to paginate through data. It works against ordered data. Each page is returned with a token representing the last record you saw, then when you request the next page the engine merely has to filter for records that are greater than that tokenized value and scan through the next 20 of them.

(Actually, it scans through 21. By requesting one more record than you intend to display you can detect if another page of results exists - if you ask for 21 but get back 20 or less you know you are on the last page.)

Datasette’s table view includes a sophisticated implementation of keyset pagination.

Datasette defaults to sorting by primary key (or SQLite rowid). This is perfect for efficient pagination: running a select against the primary key column for values greater than X is one of the fastest range scan queries any database can support. This allows users to paginate as deep as they like without paying the offset/limit performance penalty.

This is also how the “export all rows as CSV” option works: when you select that option, Datasette opens a stream to your browser and internally starts keyset-pagination over the entire table. This keeps resource usage in check even while streaming back millions of rows.

Here’s where Datasette gets fancy: it handles keyset pagination for any other sort order as well. If you sort by any column and click “next” you’ll be requesting the next set of rows after the last value you saw. And this even works for columns containing duplicate values: If you sort by such a column, Datasette actually sorts by that column combined with the primary key. The “next” pagination token it generates encodes both the sorted value and the primary key, allowing it to correctly serve you the next page when you click the link.

Try clicking “next” on this page to see keyset pagination against a sorted column in action.

Interactive demos based on the unit tests

I love interactive demos. I decided it would be useful if every single release of Datasette had a permanent interactive demo illustrating its features.

Thanks to Zeit Now, this was pretty easy to set up. I’ve actually taken it a step further: every successful push to master on GitHub is also deployed to a permanent URL.

Some examples:

The database that is used for this demo is the exact same database that is created by Datasette’s unit test fixtures. The unit tests are already designed to exercise every feature, so reusing them for a live demo makes a lot of sense.

You can view this test database on your own machine by checking out the full Datasette repository from GitHub and running the following:

python tests/fixtures.py fixtures.db metadata.json
datasette fixtures.db -m metadata.json

Here’s the code in the Datasette Travis CI configuration that deploys a live demo for every commit and every released tag.

Documentation unit tests

I wrote about the Documentation unit tests pattern back in July.

Datasette’s unit tests include some assertions that ensure that every plugin hook, configuration setting and underlying view class is mentioned in the documentation. A commit or pull request that adds or modifies these without also updating the documentation (or at least ensuring there is a corresponding heading in the docs) will fail its tests.

Learning more

Datasette’s documentation is in pretty good shape now, and the changelog provides a detailed overview of new features that I’ve added to the project. I presented Datasette at the PyBay conference in August and I’ve published my annotated slides from that talk. I was interviewed about Datasette for the Changelog podcast in May and my notes from that conversation include some of my favourite demos.

Datasette now has an official Twitter account - you can follow @datasetteproj there for updates about the project.

Read the whole story
zwol
10 days ago
reply
Pittsburgh, PA
acdha
10 days ago
reply
Washington, DC
Share this story
Delete

Transcript Lingthusiasm Episode 24: Making books and tools speak Chatino - Interview with Hilaria Cruz

1 Share

lingthusiasm:

This is a transcript for Lingthusiasm Episode 24: Making books and tools speak Chatino - Interview with Hilaria Cruz. It’s been lightly edited for readability. Listen to the episode here or wherever you get your podcasts. Links to studies mentioned and further reading can be found on the Episode 24 show notes page.

[Music]

Lauren: Hi Lingthusiasts, Lauren here. Before we get to Gretchen’s great interview with Hilaria Cruz today, I have two exciting pieces of news to share with you. The first is that we have a date for our Melbourne live show. We’ll be at the State Library of Victoria on Friday the 16th of November. Also, very excited to share with you that we are doing a live show in Sydney as well. We’ll be at GiantDwarf on Monday the 12th of November. For more details and links to tickets, go lingthusiasm.com/show. Our patrons will get a couple of free tickets. We’re looking forward to meeting them and all of you as well. We’re also super excited to be able to share with you some new Lingthusiasm merchandise that we’ve been working on, which was another Patreon goal of ours. We are very excited to bring you the space babies and space pigeon from Episode 1 of the show in full and glorious animated colour on a range of merchandise, available through our site. You can see the images, find out more about the illustrations, and our wonderful illustrator, Lucy Maddox, by visiting lingthusiasm.com/merch. And now, over to Gretchen.

[Music]

Gretchen: Welcome to Lingthusiasm, a podcast that’s enthusiastic about linguistics. I’m Gretchen McCulloch, and I’m here with Dr. Hilaria Cruz, who is a Neukom Fellow at Dartmouth College and just starting as an assistant professor in linguistics at the University of Louisville, and is a native speaker of Chatino who works with Chatino as well. Welcome, Hilaria.

Hilaria: Well, thank you. Hello, everyone!

Gretchen: Thank you so much for being here!

Hilaria: You are welcome.

Gretchen: I’m here because you invited me down for a workshop at Dartmouth, and so I’m going to talk about that as well. But first, let’s start with: How did you get into linguistics?

Hilaria: As a native speaker of Chatino, I grew up in a community where we all spoke Chatino, and then it came time for us to go to school, and then my father says, “Well, I would like you to get an education.” So my father then says, “We’re going to go to this other town named Juquila so you guys can go to school.” We came to Juquila and, at a time in the 1970s, the Mexican government wanted indigenous children to study, so they developed these, like, boarding schools – well, it was like a boarding house where indigenous children that came from the outskirts of the Spanish-speaking towns had room and board while they went to public school. So my family came to this, what is called “the houses” there, and I was sent to elementary school not knowing a word of Spanish. It was complete immersion.

Keep reading

Read the whole story
zwol
16 days ago
reply
Pittsburgh, PA
Share this story
Delete

The truth about false rape accusations — Quartz

1 Comment and 5 Shares

False rape accusations loom large in the cultural imagination. We don’t forget the big ones: The widely-read 2014 Rolling Stone article, later retracted, about a brutal gang rape at the University of Virginia; the 2006 accusations against innocent members of the Duke University lacrosse team. These cases are readily cited by defense attorneys and Republican lawmakers and anyone else who wants a reason to discuss the dangers of false allegations. What if a woman has consensual sex, and then regrets it the next day? What if a woman gets dumped by her boyfriend and decides to accuse him of rape as revenge? What if she’s just doing it for attention? Are false accusations reaching epidemic levels in today’s hard-drinking hookup culture, where the lines of consent have been blurred? Critics argue that reports of rape should be treated with more caution, since men’s lives are so often ruined by women’s malicious lies.

But my research—including academic studies, journalistic accounts, and cases recorded in the US National Registry of Exonerations—suggests that every part of this narrative is wrong. What’s more, it’s wrong in ways that help real rapists escape justice, while perversely making it more likely that we will miss the signs of false reports.

Innocent men rarely face rape charges

Let’s start with the idea that false rape accusations ruin lives, and are therefore a universal risk to men. Generally, feminists dismiss this idea by arguing that false accusations are rare—only between 2% and 10% of all reports are estimated to be false. What’s equally important to know, however, is that false rape accusations almost never have serious consequences.

It’s exceedingly rare for a false rape allegation to end in prison time.

This may be hard to believe, especially considering that rape is a felony, punishable with years of prison. However—to start with this worst-case scenario—it’s exceedingly rare for a false rape allegation to end in prison time. According to the National Registry of Exonerations, since records began in 1989, in the US there are only 52 cases where men convicted of sexual assault were exonerated because it turned out they were falsely accused. By way of comparison, in the same period, there are 790 cases in which people were exonerated for murder.

Furthermore, in the most detailed study ever conducted of sexual assault reports to police, undertaken for the British Home Office in the early 2000s, out of 216 complaints that were classified as false, only 126 had even gotten to the stage where the accuser lodged a formal complaint. Only 39 complainants named a suspect. Only six cases led to an arrest, and only two led to charges being brought before they were ultimately deemed false. (Here, as elsewhere, it has to be assumed that some unknown percentage of the cases classified as false actually involved real rapes; what they don’t involve is countless innocent men’s lives being ruined.)

So the evidence suggests that even in the rare case where a man is the subject of a false rape complaint, chances are that the charges will be dropped without him ever learning about the allegations. This raises an obvious question: Why would false accusers go through the trouble of making a report to police, only to instantly withdraw it?

The reasons for false reports

In every academic study, one of the most common kinds of false accuser is a teenage girl who tells her parents she was raped to avoid getting in trouble. Unwanted pregnancy is sometimes cited by such girls, but the reason can also be trivial; the phrase “missed curfew” shows up with disturbing frequency in these cases. As a rule, it’s the parents who insist on getting police involved. Two different studies have found that almost half of all false rape complaints are lodged by someone other than the alleged victim, usually a parent.

Another kind of case which evaporates rapidly is that of a person who falsely reports a rape in the hope of getting needed medical care or psychiatric medication; in one study, six of the 55 reports classified as false by a police department in one year fit this description. Like the teens who missed their curfew, these false accusers have no interest in pursuing charges after the lie has served its purpose.

Portrait of a false accuser

Some false accusers do press charges, however, and this brings us to an unpalatable point. Because real rape victims are often mistaken for false accusers, it can be uncomfortable to insinuate anything negative about either group. But these two groups are not at all alike. In fact, rape victims aren’t even a group; they have no unifying traits. They can be young or old, black or white, men or women, gay or straight, rich or poor—anyone at all. Even a 65-year-old man can be a victim of rape.

Almost invariably, adult false accusers who persist in pursuing charges have a previous history of bizarre fabrications or criminal fraud.

When one looks at a series of fabricated sexual assaults, on the other hand, patterns immediately begin to emerge. The most striking of these is that, almost invariably, adult false accusers who persist in pursuing charges have a previous history of bizarre fabrications or criminal fraud. Indeed, they’re often criminals whose family and friends are also criminals; broken people trapped in chaotic lives.

Crystal Mangum, the accuser in the Duke lacrosse case, was the archetypal false accuser. She had previously reported another brutal rape/kidnapping in which no one was ever charged. She had a previous felony conviction, and she ultimately went to prison for an unrelated crime (in her case, murdering her boyfriend). She had trouble keeping her stripping job because the combination of drugs she was on—including both anti-depressants and methadone—made her keep falling asleep at work. Tragically, she seems to have genuinely suffered sexual abuse as a child—another feature that often appears in adult false accusers.

Four motivations

But while false accusers often have similar histories, they have various motives. These can be divided into roughly four categories: personal gain, mental illness, revenge, and the need for an alibi.

Accusers motivated by personal gain are generally the same people who slip on the courthouse steps and sue the city. Sometimes their modus operandi is to claim to be raped on government property; sometimes it’s to claim to have been raped by a government employee. In either case, the resulting suit against the government will typically only be one in a series of fraudulent claims. One such false accuser turned out to have previously filed seven bodily injury insurance claims, including three identical claims against restaurants in which she claimed to have broken a tooth on a rock in her food. Occasionally, however, the gain is not financial, as in the case of a woman who lied about rape because she thought it might help her stay out of prison on a drug charge; or the man, already in prison, who was hoping to be moved into a cell with his boyfriend.

Mentally ill false accusers can be people with severe psychosis who genuinely believe they’ve been raped; one woman claimed to have been sexually assaulted every day for three years by “every gang member in the city.” More commonly, however, they have what is called a factitious disorder: a personality disorder related to (and often accompanied by) Munchausen’s syndrome, which compels them to claim they’ve been assaulted. One such accuser was Sara Ylen, who ultimately accused at least seven different men of rape; in the incident for which she was finally arrested, she appeared at a police station with her face painted in fake bruises that wiped off easily with gauze. Like many such accusers, Ylen also falsely claimed to have a terminal illness, and spent two years in hospice care for cancer, although no doctor had ever diagnosed her with the disease.

These accusers often compulsively change their stories, adding dramatic details without regard either for the account they originally gave or the physical evidence. (Note that more common mental health problems like anxiety, depression, or non-psychotic bipolar disorder are not associated with false rape accusations.)

Revenge is another common catalyst—either as a single motive, or as the reason a particular victim was chosen. Contrary to popular belief, however, relatively few such accusers are seeking revenge for getting dumped or rejected by former lovers. For instance, none of the 52 cases of documented wrongful conviction in the US feature women scorned—although there is one “man scorned”, a remarkably persuasive character who managed to convince his girlfriend to accuse a male roommate who’d rejected his sexual advances.

Other revenge cases include a woman trading sex for drugs who was disappointed in the quantity of drugs; a man who beat his wheelchair-bound girlfriend until she agreed to accuse a man of whom he was jealous; an 18-year-old boy living with an older man who threw the boy out after an argument about the man’s reneging on a promise to buy the boy a car in return for sex; and a woman who accused a man she thought had stolen her husband’s truck while the husband was in prison. There’s also the remarkable case of a woman who accused her gastroenterologist of performing oral sex on her after a colonoscopy, because she was angry at his refusal to act as an expert witness for her in a lawsuit. She then, of course, sued the gastroenterologist too.

Accusers who fabricate rapes as an alibi are mostly the already mentioned teens in trouble with parents, although some are adults, who are typically trying to cover up an infidelity. These are the only accusers who can sometimes seem ordinary, even sympathetic—like the 14-year-old girl with cognitive deficits whose mother found her in a compromising position with a boy, and who took four months to work up the courage to admit the sex was consensual. When charges are brought in these cases, the driving force is often a third party who believes the lie and naturally wants to see the perpetrator punished—and sometimes also to cash in with a lawsuit.

What we know

A final note about who makes false accusations: While popular conceptions of this issue center on female mendacity, clearly many of these stories involve male accusers. Given the fact that men, too, can crave revenge and have personality disorders, this should be obvious. If it’s counter-intuitive, it’s because the issue has consistently been framed as one of gender warfare. But the truth is that false rape accusations aren’t salvos in any political struggle. They’re crimes, mostly perpetrated by the same men and women who commit other categories of crime, and for similar reasons.

False accusers almost never tell stories that could, by any stretch of the imagination, be seen as an innocent misunderstanding.

Neither are false accusations the result of miscommunications taking place in a murky world of casual hook-ups and heavy drinking. False accusers almost never tell stories that could, by any stretch of the imagination, be seen as an innocent misunderstanding. In a study of false rape claims made to the Los Angeles Police Department, 78% involved claims of aggravated rape—assaults involving a gun or knife, gang rapes, and/or attacks resulting in injuries.

Most of all, it should be remembered that a false accuser is a person making up a story to serve some goal. Whether the impetus is personal gain, factitious disorder, the need for an alibi, or revenge, it’s crucial to the accuser that their story be taken seriously. For this reason, it’s radically unlikely—and in practice does not happen—that a false accuser would invent a story where the issue of consent could seem ambiguous.

It’s necessary to add an important caveat: The same kinds of people who are most likely to become false accusers are also frequently targeted by predators. Teenagers, people with severe mental illness, people with criminal records—all are vulnerable to rapists, who often have a very keen sense of which victims are most likely to be mistrusted by authorities. Although the accounts of these complainants need careful scrutiny, police should take them more seriously, not less seriously, than they currently do. The lesson to be drawn here is not that any individual’s story of sexual assault should be discounted; it’s that the vast majority of rape reports can be believed.

When a woman says she’s been brutally raped by seven men at a public party on a bed of broken glass, as the UVA accuser did, and when that woman has a history of strange lies, as the UVA accuser also did, there’s nothing wrong with being skeptical. But if a woman without any history of dramatic falsehoods says she went home with a man and, after they’d kissed a while consensually, he held her down and forced her into sex—in the absence of compelling evidence to the contrary, you can just assume it’s true. This is not because of any political dictum like “Believe women.” It’s because this story looks exactly like tens of thousands of date rapes that happen every year, and nothing at all like a false rape accusation.

Read the whole story
zwol
19 days ago
reply
Pittsburgh, PA
acdha
19 days ago
reply
Washington, DC
Share this story
Delete
1 public comment
fxer
27 days ago
reply
definitely right about the false allegations looming large like UVA, the Lena Dunham case also immediately comes to mind
Bend, Oregon

6/6 Time

5 Comments and 11 Shares
You know how einstein figured out that the speed of light was constant, and everything else had to change for consistency? My theory is like his, except not smart or good.
Read the whole story
zwol
20 days ago
reply
I earnestly want this.
Pittsburgh, PA
Share this story
Delete
4 public comments
Covarr
20 days ago
reply
I don't think this is what the song "Sunrise, Sunset" from Fiddler on the Roof meant.
Moses Lake, WA
HarlandCorbin
20 days ago
reply
Sounds like the time system that was used in the Arabian peninsula. Midnight was when the sun set, you adjusted your clocks to midnight when you saw the sun go down.
asaz989
20 days ago
I think the 6-6 convention was from medieval Europe.
bluegecko
20 days ago
Yep. They're called "variable hours" in Jewish law, and I'm hardly surprised Arabia as a whole used that system. I honestly think Rome did, too, but I forget.
alt_text_at_your_service
20 days ago
reply
You know how einstein figured out that the speed of light was constant, and everything else had to change for consistency? My theory is like his, except not smart or good.
alt_text_bot
20 days ago
reply
You know how einstein figured out that the speed of light was constant, and everything else had to change for consistency? My theory is like his, except not smart or good.
Next Page of Stories