2026-04-07 01:36:44
At least three people warned Quittr, an app that wants to help men stop masturbating, about serious security issues for months, but the creators of the app didn’t fix them until weeks after 404 Media reached out for comment multiple times.
“I emailed the founders and explained the vulnerability. A developer responded, said he was ‘looking into ways to make our security better,’ and asked how I found it. I walked him through it step by step, even explained that the API key being client-sided is normal for Firebase and that they just needed to implement security rules,” an independent researcher who goes by Kaeden, said on her personal blog. “Then nothing. I followed up. No response. I followed up again. Nothing.”
I first wrote about Quittr’s security vulnerability in January after hearing about the app’s security problems from a different independent security researcher. At the time, I did not name the app because Quittr did not fix the issue despite reaching out to the developers about it multiple times. That security researcher found that Quittr had a misconfiguration issue in its use of the mobile development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage where in many instances user data is stored.
That researcher originally contacted Quittr about the issue in September. Quittr’s founder, Alex Slater, acknowledged the issue, thanked the researcher, and said he would fix it in a matter of hours. When the researcher saw the issue still wasn’t fixed months later, they contacted 404 Media. I reached out to Slater and Quittr multiple times. Slater initially denied there was a security vulnerability, but then fixed the issue sometime before March 10. After this, I saw Quittr finally fixed the vulnerability and published another story naming the app.
Slater was also recently profiled in New York Magazine, which detailed the opulent lifestyle the success of Quittr has afforded them, including driving exotic super cars and living in a Miami mansion. Slater shares videos about his lifestyle on his personal YouTube channel as well.
Some of the data the researcher could access included users’ age, how often they said they watched porn, and written confessions about their porn watching habits. Many of the users self-identified as minors, according to the data.
In March, Kaeden provided me with emails showing he contacted Quittr about the same vulnerability on July 3, 2025.
“Your firebase (Database) is misconfigured its possible to read/write to anything, one of the things its possible to do for example is list all users and their info, which is pretty bad for an app of this nature,” Kaeden said in her email to Quitter. Kaeden also told Quittr exactly how to fix the issue and said that a bug bounty “would be highly appreciated” but he never received one.
A Quittr developer who identified as Caio emailed Kaeden asking for more information and thanked her for responsibly disclosing the issue. Kaeden provided that information, but never heard back.
Since publishing my story about Quittr in March, yet another independent security researcher, who asked to remain anonymous, contacted me to say they also notified Quittr about a similar vulnerability in August 2025. Altogether, three different security researchers told Quittr it was jeopardizing sensitive user data before 404 Media reached out to the app for comment about the issue not being fixed.
2026-04-06 23:30:47
Across most of the U.S., if you want to watch porn online, you have to hand over a government ID or submit to a biometric scan to determine you’re over 18 years of age. But people in Wisconsin can keep freely accessing porn sites—and any other website that hosts more than one third adult content—after Governor Tony Evers vetoed the state’s age verification bill on Friday.
A copycat of the dozens of bills that have passed in the U.S. since 2022, Wisconsin’s Assembly Bill 105 would have forced sites with more than one third “material harmful to minors,” defined as “depictions of actual or simulated sexual acts or body parts including pubic areas, genitals, buttocks, and female nipples,” to verify visitors’ ages by “using any commercially reasonable method that uses public or private transactional data gathered about the individual.” This means uploading an ID, showing their face for a biometric scan, uploading their credit card information, or combinations of these.
“I am vetoing this bill in its entirety because I object to this bill's intrusion into the personal privacy of Wisconsin residents,” Evers wrote in a letter to the members of the assembly, dated April 3. “While I agree that we should protect children from harmful material, this bill imposes an intrusive burden on adults who are trying to access constitutionally protected materials.”
Evers wrote that the bill doesn’t prevent platforms from giving collected personal data to third parties, such as the government or data brokers. “This is a violation of personal privacy,” he wrote.
“Additionally, I am concerned about data security and the potential for misuse of personally identifiable information. Identifiable information could be intercepted by or transmitted to a third party and used as the basis for blackmail or identity theft. Further, although the bill includes penalties for a business entity who violates the prohibition on retention of personal information, those penalties cannot undo the harm that may occur to an individual who is the victim of actions like blackmail or identity theft as a result of a bad actor obtaining their identity.”
Last year, after the UK’s Online Safety Act started requiring websites and platforms to verify users’ ages, Discord users’ age verification data—including selfies and identity documents—was exposed in a security breach. The hack was just one instance where users’ personal data has been required by a platform and then exposed to the whole internet: also last year, similar data was exposed by the Tea app, which made users provide selfies and identity documents to prove they’re women.
An earlier version of the bill attempted to ban Wisconsinites from accessing sites using virtual private networks (VPNs); lawmakers are increasingly pushing to restrict VPNs, but so far have faced pushback from citizens and civil liberties groups. Wisconsin state Sen. Van Wanggaard moved to delete that provision in the legislation, and the state assembly agreed to remove the VPN ban in February.
The adult advocacy group Free Speech Coalition wrote following the veto that Director of Public Policy Mike Stabile flew to Madison “to meet with legislators to discuss the legal and technological issues with the bill, including a ban on VPN traffic, and to advocate for device-based verification solutions.”
“Put simply, AB-105 raises significant concerns around privacy, surveillance, and the First Amendment,” the ACLU of Wisconsin wrote in testimony submitted in March. “While the ACLU of Wisconsin is sympathetic to the overarching goal of this legislation, we do not believe an appropriate trade-off is compromising the civil liberties of all Wisconsinites.”
Wisconsin is now one of only a handful of states left that allows access to porn without requiring users jump through invasive age verification hoops. “We can and should work to prevent minors from accessing adult content, but there are better solutions than the one offered by this bill,” Evers wrote in his veto letter. “For example, we can work with tech companies to implement device-based age verification that takes place on a user's phone or computer, which can be a more secure and effective method. Other states have been moving toward device-based solutions, and major tech companies are adopting these options as well.”
2026-04-06 21:53:56
Florida’s Fish and Wildlife Conservation Commission (FWC) police are performing dozens of license plate lookups on Flock cameras for Immigrations and Customs Enforcement (ICE), according to public records that show details of the searches.
The practice highlights how ICE, which does not have a contract with Flock, continues to get access to Flock’s AI-powered license plate scanning cameras through local and state police, and often in ways that are unusual, unexpected, and difficult for the public to track or hold the agency accountable for. In this case, ICE has gained access to Flock data through a law enforcement agency that is nominally supposed to be focused on conservation, protecting endangered species, and investigating boating and maritime issues. 404 Media initially reported on how ICE was getting side-door access to Flock data via local police in May 2025.
That reporting led to a series of reforms and safeguards that are supposed to make it easier for law enforcement agencies that use Flock to opt out of having their surveillance camera data passed to federal agencies; a blog post by Flock called “Does Flock Share Data With ICE?” now states plainly “No. Flock does not work with U.S. Immigration and Customs Enforcement or any other sub-agency of the Department of Homeland Security.” But in practice, the public records show that as of the end of January (the most recent data available) thousands of agencies around the country were sharing their camera data with the Florida Fish and Wildlife Conservation Commission police, which was then regularly performing lookups for ICE.
Flock cameras continually scan the license plate, brand, and color of every vehicle that drives by. Law enforcement can then search the Flock system to see where else a vehicle has travelled. Crucially, Flock maintains a national lookup tool where agencies in one state can search data generated by cameras in another, even if those cameras are on the other side of the country. Law enforcement typically do this without a warrant.
A January Flock network audit for Ball State University, a public university in Indiana that has a contract with Flock, shows that the Florida Fish and Wildlife Conservation Commission police performed 38 different Flock searches for reasons that were listed as “immigration.”
Flock network audits are spreadsheets that have a separate entry for each time a police department’s Flock data is queried by another agency. Each entry contains information about how many different networks and cameras were searched, the time of the search, and the stated “reason” for the search. The searches performed by the Florida Fish and Wildlife Conservation Commission had reasons that ranged from “Immigration (civil/administrative) - I.C.E.” to “Immigration (criminal) - General Criminal Investigation” to “Immigration (criminal) - I.C.E.” The network audit indicated that more than 5,000 different Flock networks were searched in each case, indicating that, as of January, thousands of towns and cities were still sharing data with agencies that ultimately work with ICE despite new safeguards put in place by Flock.
“This highlights when you do mass surveillance, you really can’t control the data,” Jay Stanley, a senior analyst with the American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project, told 404 Media. “I doubt there were many cities that were debating the Florida Fish and Wildlife Services doing searches for ICE when they were talking about whether they should get Flock. It shows these searches can come from really any direction.”
The records in question were obtained from Ball State University by the journalist David Covucci, who covers college sports for his website FOIABall. Covucci shared the documents with 404 Media. The documents showed that, beyond the Florida Fish and Wildlife Conservation Commission police, the Texas Department of Public Safety, Grant County Indiana Sheriff's Office, Lake County Indiana police, Sarasota County Florida police, Brevard County Florida Sheriff's Office, Nebraska State Patrol, Tennessee Highway Patrol, Fort Pierce Florida Police Department, and Mississippi Department of Public Safety had all done immigration-related Flock searches in January. This means that all of these agencies ultimately searched Flock cameras on Ball State’s campus (and thousands of others across the country) for immigration-related purposes.
Police with the Florida Fish and Wildlife Conservation Commission are able to do these lookups for ICE because in August, Florida Gov. Ron DeSantis enrolled nearly 800 of its officers in 287(g), a Department of Homeland Security (DHS) program that gives state and local police certain immigration enforcement powers. DeSantis has essentially turned many state police into an extension of ICE: “Florida is setting the example for states in combating illegal immigration and working with the Trump Administration to restore the rule of law,” DeSantis said in a press release announcing the move. “By allowing our state agents and law enforcement officers to be trained and approved by ICE, Florida will now have more enforcement personnel deputized to assist federal partners. That means deportations can be carried out more efficiently, making our communities safer as illegal aliens are removed.”
The ACLU published a report in February about how the expansion of the 287(g) program has vastly increased the Trump administration’s deportation force. “While in recent months the nation’s attention has rightly focused on the violence and abuse perpetrated by ICE and Border Patrol agents in places like Minneapolis, in Florida and around the country, communities are experiencing another kind of terror: Their own law enforcement agencies, working hand in glove with the Trump administration, are the perpetrators of blatant racial profiling, harassment, and even violence,” the report says.
The report specifically notes that “Florida appears to have devoted more state and local law enforcement resources to immigration enforcement than any other state, resulting in numerous cases of harassment and profiling of U.S. citizens and noncitizens alike, a climate of extreme fear in communities, and reports of serious civil rights violations.”
The ACLU’s Stanley said that the expansion of 287(g) has made a lot of the debates that communities are having about federal access to Flock data feel outdated, because they may fail to grapple with the fact that local police around the country are now doing work on behalf of federal authorities. “A lot of the focus in communities and elsewhere where Flock is controversial have focused on this question of ‘Will the feds be able to access this data?,’” Stanley said. “This is a reminder that the sharp expansion of 287(g) has made that almost moot because a lot of local authorities are working so closely with ICE.”
Flock has in recent months attempted to distance itself from ICE, in part with the “Does Flock Share Data With ICE?” blog post and with numerous media appearances and LinkedIn posts by its executives. Flock has repeatedly leaned on the idea that its customers own and control their data, and that Flock has made numerous changes to comply with several states’ laws that forbid the use of license plate reader data for immigration or abortion enforcement, or which ban the transfer of license plate camera data out of the state altogether.
“As we've shared with your organization many times, all our customers own their data and choose how to use it, provided it complies with local laws and statutes,” a spokesperson for Flock told 404 Media. “In cities and states where cooperating with federal immigration is against the law, we block that from happening within the product itself. In states where cooperation is legal, customers and their local values determine how they choose to enforce the law.”
The Florida Fish and Wildlife Conservation Commission did not respond to multiple requests for comment. A spokesperson for Gov. DeSantis’s office, however, told 404 Media that the Fish and Wildlife Conservation Commission continues to work with ICE. “Please note that it is NOT out of the ordinary for FWC to work alongside ICE as they have a 287 (g) agreement with them-as do all State of Florida law enforcement agencies,” they said.
404 Media, other reporters, and transparency advocates have been reporting on the use of Flock cameras primarily by obtaining network audits through public records requests. But the utility of those network audits is rapidly deteriorating; as we reported earlier this year, Flock has made changes to its network audits that makes each individual entry more vague, and authorities have warned police to be “as vague as permissible” about the reasons why they are using Flock. Many Flock search reasons simply say “investigation” or another blanket term, making it impossible to know why the system was really used. Because of this change, it may become harder to track which agencies are working with ICE, and how often it’s happening.
“I think everybody using Flock knows you can get away with putting something like a generic descriptor that won’t tip off communities to what’s going on,” Stanley said. “This window of visibility is closing, even this very limited flawed, manipulable window of visibility is closing.”
2026-04-04 21:00:42
Welcome back to the Abstract! Here are the studies this week that rolled with it, went out on a limb, gravitationally waved, and spotted relics in our midst.
First, hundreds of prehistoric dice sets shed light on the dawn of gambling. Then: these disembodied arms are horny, the forbidden fruits of supernovae, and baby food for the Milky Way.
As always, for more of my work, check out my book First Contact: The Story of Our Obsession with Aliens or subscribe to my personal newsletter the BeX Files.
Thousands of years before prediction markets, sports betting, and poker nights, Native Americans were playing the odds with dice and other games of chance.
An analysis of nearly 300 ancient artifacts related to gambling—especially two-sided dice known as “binary lots”—has revealed that Native Americans have played games of chance for at least 12,000 years, many millennia before any other known cultures in the world.
“Historians of mathematics frequently identify the invention of dice and games of chance as a crucial early step in humanity’s evolving discovery and understanding of randomness and the probabilistic nature of the universe,” said study author Robert Madden of Colorado State University.
“The findings presented here suggest that some of the earliest steps on this intellectual journey were taken not by complex societies in the Near East and Eastern Europe around 5,500 years ago but rather by Native American hunter-gatherers in western North America in the waning centuries of the Pleistocene, no later than 12,000 years ago,” he continued.
Scholars have marveled at the prevalence of Native American games of chance for more than a century, but Madden is the first to systematically trace their origins. He set out to study prehistoric dice in museum collections at the Smithsonian Institution, the University of Wyoming Archaeological Repository, and the Denver Museum of Nature and Science, which were documented in a landmark compendium called Games of the North American Indians published in 1907 by the ethnographer Stewart Culin.
The most common dice games involved players taking turns throwing sets of binary lots, with a score that was assigned based on a count of the “up”-facing side thrown by each player on their turn. Cumulative scores were tracked with counting sticks; the first to reach a predesignated number were the winners.
Madden identified dice at 57 archaeological sites across 12 states, with the oldest appearing in the territories of western Great Plains cultures. The finds clearly indicate a complex understanding of probability, which played a role not only in social cohesion, but also in cosmologies.
“Numerous ethnographic accounts of Native American traditions depict dice playing as a sacred activity that was inherently pleasing to the gods and celestial powers (who were themselves dice players), with ceremonial and secular dice games being played at festivals and seasonal events,” Madden said.
The study chronicles many fascinating myths and legends about gods playing dice on the surface of Earth and the creation of humans as the outcome of a cosmic dice game. Albert Einstein famously remarked that god “does not throw dice” in response to the probabilistic realm of quantum physics. It would seem these prehistoric cultures were way ahead of the game on this point.
In other news…
Villar, Pablo S., Jiang, Hao et al. “A sensory system for mating in octopus.” Science.
Male octopuses are real suckers for sex, reports a new study about the “hectocotylus,” which is a special arm that serves a dual purpose as both sensory and mating organ.
During copulation, males use the hectocotylus to probe the female’s intricate oviducts in order to deposit sperm, but the mechanisms behind this strategy have been shrouded in tentacled mystery. To get a better handle on the process, scientists coated tubes with different substances and discovered that octopuses only released sperm when sucker cups on the hectocotylus made contact with progesterone, a female hormone produced in the ovaries.
“Whereas nonmating arms are used for chemotactile exploration and predation, the hectocotylus is almost exclusively used for mating and often even protected during hunting,” said researchers co-led by Pablo S. Villar of Harvard University and Hao Jiang of the University of California San Diego.
In a wild twist, the hectocotylus can even work its magic when it is entirely severed from the male’s body, allowing detached arms to autonomously inseminate females! It’s proof that romance is not dead, it’s just occasionally dismembered.
Tong, Hui et al. “Evidence of the pair-instability gap from black-hole masses.” Nature.
You’ve heard of forbidden planets, but what about forbidden black holes? For years, scientists have theorized that black holes with masses between approximately 50 and 130 times the mass of the Sun fall into a “forbidden range” that cannot exist.
The reason is that colossal stars that are 100 to 260 times more massive than the Sun experience a special kind of stellar death known as “pair‑instability supernovae” in which they completely self-destruct, preventing the formation of black holes. Stars that are both bigger and smaller than this range, in contrast, explode in supernovae that do collapse into black holes.
Now, scientists have discovered evidence for this gap using dozens of gravitational waves, which are ripples in spacetime formed by cataclysmic events such as mergers of black holes. In binary black holes—systems where two of these massive objects orbit each other—the smaller objects never fell into this range. Some of the larger black holes had forbidden masses, but that’s likely because they had merged with other black holes in the past, not because they were initially at that mass after the deaths of their progenitor stars.
“We interpret these findings as evidence for a subpopulation of hierarchical mergers: binaries in which the primary component is the product of a previous black-hole merger and thus populates the gap,” said researchers led by Hui Tong of Monash University. “As the number of detections increases, it will be possible to gain new insights into the pair-instability gap.”
From my perspective, all black holes are forbidden, because they are terrifying cosmic death traps. But it’s nice to know that the universe has limits, too.
Last, it’s time to pay respect to our stellar elders. A new study reveals that a weird population of 20 stars orbiting within a few thousand light years of the Sun have basically no metals, the astronomical term for elements that are heavier than hydrogen and helium. Since new generations of stars become more enriched with metals over time, these stars must be extremely ancient relics. So where did they come from?
Scientists think they have the answer: These metal-light Methusalehs are the last remnants of an ancient dwarf galaxy, which the team dubs “Loki.” Despite its powerful Norse namesake, Loki appears to have been swallowed by the Milky Way early on in our galaxy’s 13-billion-year history. While it is common to find very metal-poor (VMP) stars orbiting all around our galaxy’s core, it’s much rarer to find them all the way out here in the galactic exurbs, hidden in the “plane” (the flattened disk of a galaxy).
“This work provides, for the very first time, a dedicated detailed chemical abundance analysis of a sample of VMP stars with orbits close to the Milky Way plane,” said researchers led by Federico Sestito of the University of Hertfordshire. “A plausible scenario, supported by cosmological zoom-in simulations, is the early accretion of a single system.”
It goes without saying that eating a whole galaxy is pretty metal, even if the stars within it are not.
Thanks for reading! See you next week.
2026-04-04 00:55:57
This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss crypto, journalists using AI, and a cool photo of Earth.
JOSEPH: I can’t talk about the story just yet, but recently I had to acquire some cryptocurrency quickly for research purposes. I was not anticipating quite how dramatically the world of cryptocurrency and getting it has changed.
I first became aware of cryptocurrency, or more specifically Bitcoin, when I was an intern at VICE. Someone on my table (they put all the unpaid interns on a medium sized table in the London office) was talking about it. They were pretty deep into it as I recall, and covered it a fair bit. I then was asked to work on a collaborative documentary between VICE, Raw, and the BBC about the Silk Road drug marketplace because I already knew more than most about message encryption. I then had to learn more about Bitcoin.
2026-04-02 23:04:11
Minnesota photojournalist Rob Levine and the Reporters Committee for Freedom of the Press are suing the Federal Aviation Administration over a recently issued restriction that prevents drones from flying within 3,000 feet of Department of Homeland Security buildings and vehicles, an amorphous no-fly zone that encompasses Immigrations and Customs Enforcement agents.
The FAA issued the temporary flight restriction (TFR) in January as ICE agents flooded the streets of Minneapolis. The rule established a no fly zone of 3,000 feet around “Department of Homeland Security facilities and mobile assets,” a restriction that Levine and his lawyers argue is impossible to follow and is aimed at curtailing the First Amendment rights of journalists.
“Because there is no means of verifying in advance whether DHS vehicles—such as unmarked cars driven by Immigration and Customs Enforcement agents—are operating in a given location, the practical consequence is that drone pilots nationwide cannot know whether a flight will expose them to liability,” Levine’s lawyers argued in a court document.
Levine lives in Minneapolis and spent the early days of Operation Metro Surge using his drone to capture footage of protests and ICE agents. Then the TFR hit. “It sent a shiver down my spine,” he told 404 Media. “I’m like ‘Oh my god.’ In a city like Minneapolis at the time with, I don’t know, three or four thousand DHS agents in various stages of uniform or undercoverness or civilian cars that they had switched license plates on? Masquerading as delivery men? They were everywhere here. I immediately grounded myself because there was no way you could know in advance whether or not you were violating that [flight restriction]. And when you’re flying they could drive by and you might not even know it.”
Grayson Clary, a lawyer with Reporters Committee for Freedom of the Press who is representing Levine, told 404 Media that the FAA has previously used flight restrictions in ways that seem designed to prevent newsgathering. “The FAA has a long history of imposing these temporary flight restrictions over newsworthy events in ways that frustrate journalists' ability to cover protests, law enforcement's response to protests, you name it, and this is sort of the newest escalation in that story,” he said.
This new no fly zone is a modification of an old TFR from 2025 that restricted drone pilots from operating within 3,000 feet of Department of Defense and Department of Energy bases.
“When you think about the old restriction, it’s essentially don’t fly within 3,000 feet of an enormous Naval vessel or a Department of Energy convoy that’s ferrying nuclear weapons around,” Clary said. “They just sort of added DHS to the end of that without taking stock of just how much more difficult it is to know whether you’re within 3,000 feet of a DHS ground vehicle as opposed to within 3,000 feet of a destroyer sitting in a Naval base.”
DHS isn’t forthcoming about the number of ICE agents in a given city or where they are operating. They often wear plainclothes, patrol cities in unmarked vehicles, and don’t announce themselves to people in the neighborhoods they patrol. Clary and Levine argued that the secretive nature of DHS has made it impossible for journalists to comply with the FAA’s no fly zone.
The penalties for violating the FAA restriction are severe. “They can take your drone and destroy it. They could shoot it down if they wanted to. They can arrest you and throw you in jail…and they can also make it so you can never fly a drone again,” Levine said. “It seems purely to prevent photo journalism and to chill photo journalists because the rule is so vague they could even charge you after the fact if they determined that you were somewhere and they had been near there.” The FAA has a history of trying to enforce drone restrictions against operators after the fact, based on footage or images posted on YouTube or social media sites.
Clary agreed. “That’s part of what makes this such a First Amendment problem is that it has a real chilling effect. When you don't know where exactly the line is, you're going to play it more carefully to make sure that you don't accidentally cross it,” he said.
Levine has fought the FAA before on this issue and won. In 2016, just as he was first learning how to pilot drones for his photojournalism work, he traveled to North Dakota to cover the anti-oil pipeline protests at Standing Rock. At the time, the FAA had issued a TFR over the area but Levine was able to push the agency into granting him a waiver on First Amendment grounds.
DHS operates its own drones to aid its surveillance efforts. Last year it flew Predator drones above protests in Los Angeles and Minneapolis residents have taken a lot of footage capturing drones flying above homes in Minnesota.