“Kidding” — coordinated abuse of age‑verification, attestation, and content‑filtering processes (such as malicious postings and file uploads) — is an attack vector that disrupts services, deanonymizes contributors, coerces maintainers, and erodes the public open internet. Here are some examples, attack chains, why copyleft/AGPL can’t practically prevent it, and how OAuth/OIDC centralization enables corporate abuse. Please do share your thoughts and suggestions! My hope is to put a name to this threat.
Examples
- False complaints: mass “underage” reports to a package registry cause automatic delisting.
- Verification flooding: scripted bogus attestations swamp a small forum’s moderation queue, forcing the operator to close signups.
- Malicious uploads/posts: attackers upload age‑restricted or borderline files to trigger automated quarantine or account suspension.
- Mirror takedown: a host suspends a maintainer account after complaints, removing the primary mirror.
- Deanonymization leak: an attestation vendor is breached or subpoenaed, revealing mappings from pseudonymous maintainers to real‑world identities.
Attack scenarios
- Supply‑chain break: coordinated complaints + flagged uploads lead a registry to auto‑delist an AGPL package; downstream CI fails and projects break.
- Solo/operator shutdown: verification flooding and upload abuse cause hosting/payment vendors to suspend a single‑operator forum that can’t afford legal defense.
- Deanonymize‑and‑coerce: attester breach or subpoena links a pseudonymous maintainer to a real identity, enabling harassment, employer pressure, or lawsuits that force self‑censorship.
- Corporate licensing abuse: a company uses false complaints, selective attestation revocation, and targeted uploads to allege licensing/regulatory noncompliance and neutralize rival maintainers.
- Post/upload weaponization: mass posting of flagged content forces stricter verification rules that destroy anonymity and participation.
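The “false complaints” and “verification flooding” scenarios above share one mechanical weakness: an automated pipeline that acts on raw report volume. The following is an added example, not code from the original post or from any registry; it simulates a complaint stream with constructed data and contrasts a naive count-based auto-delist rule with a burst-aware policy that deduplicates reporters, discounts brand-new accounts, detects time-clustered campaigns, and never removes anything without human review. The thresholds (10 reports, one-hour window, 30-day account age) are illustrative assumptions.

```python
"""Added example (not from the original post): how count-based complaint handling is
weaponized, and a burst-aware alternative that only ever queues for human review.
All reports below are constructed; thresholds are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str           # reporting account id
    target: str             # package / post being reported
    ts: int                 # unix time the report was filed
    reporter_age_days: int  # age of the reporting account when it filed


def naive_policy(reports, target, threshold=10):
    """Weak logic: count reports and delist at a fixed threshold. Trivially gamed."""
    return "delist" if sum(r.target == target for r in reports) >= threshold else "none"


def burst_aware_policy(reports, target, threshold=10, window_s=3600,
                       burst_ratio=0.8, min_account_age_days=30):
    """Hardened logic. Returns (decision, detail) where decision is 'none',
    'review' (send to a human queue) or 'suspected_campaign' (hold, do not act).
    Nothing in this function removes or suspends content automatically."""
    rs = sorted((r for r in reports if r.target == target), key=lambda r: r.ts)
    if not rs:
        return "none", {}
    # One vote per reporter: an account re-filing must not multiply its weight.
    unique = {r.reporter: r for r in rs}.values()
    seasoned = [r for r in unique if r.reporter_age_days >= min_account_age_days]
    # Sliding window: the largest number of reports landing within window_s seconds.
    times = [r.ts for r in rs]
    peak, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window_s:
            j += 1
        peak = max(peak, i - j + 1)
    burst = len(times) >= 5 and peak / len(times) >= burst_ratio
    fresh_heavy = len(seasoned) < len(unique) / 2   # mostly throwaway accounts
    detail = {"reports": len(rs), "unique_reporters": len(unique),
              "seasoned_reporters": len(seasoned), "peak_in_window": peak}
    if burst or fresh_heavy:
        return "suspected_campaign", detail
    if len(seasoned) >= threshold:
        return "review", detail
    return "none", detail


def make_campaign(n=40, start=1_700_000_000):
    """Constructed input: n day-old sock accounts filing within ten minutes."""
    return [Report(f"sock{i}", "pkg-a", start + i * 15, reporter_age_days=1)
            for i in range(n)]


def make_organic(n=12, start=1_700_000_000):
    """Constructed input: n long-standing accounts reporting over roughly a month."""
    return [Report(f"user{i}", "pkg-a", start + i * 2 * 86400, reporter_age_days=400)
            for i in range(n)]


if __name__ == "__main__":
    for label, batch in (("campaign", make_campaign()), ("organic", make_organic())):
        print(f"{label:8} naive={naive_policy(batch, 'pkg-a'):6} "
              f"hardened={burst_aware_policy(batch, 'pkg-a')[0]}")
```

The naive rule delists in both cases, which is exactly what a Kidding campaign relies on. The burst-aware rule flags the forty-sock burst as a suspected campaign and holds it, while the twelve organic reports still reach a reviewer; in neither case does software alone take the package offline, which is the due-process property the policy section below asks for.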
How this compares to swatting
- Both weaponize institutional responses (emergency services vs. platform/verification workflows) to impose cost, disruption, and fear.
- Swatting is an immediate physical‑safety attack; Kidding is scalable, automatable, creates persistent attestation/data trails, and produces long‑term structural harms through censorship and market control.
Why copyleft/AGPL can’t stop a Kidding attack in practice
- License rights don’t compel third‑party registries/hosts to serve content; providers can suspend access pending review.
- Procedural takedowns and vendor risk‑avoidance create de‑facto censorship long before any legal victory.
- Deanonymization from attestation chains exposes maintainers AGPL can’t protect.
- Volunteer maintainers are vulnerable to economic and social coercion; legal defense is slow and costly.
- Attacks that exploit the friction between companies that own AGPL projects and the community contributors who maintain them will only increase hostility between the two.
OAuth/OIDC centralization and corporate-level attack mechanics
- Consolidation: dominant identity/attestation providers expand OAuth/OIDC with age/verified claims, concentrating power.
- Abusable levers: selective attestation revocation, targeted rate‑limits/QoS, policy‑driven claim filtering, API/price changes.
- Corporate abuse: throttling or denying attestations to rivals, using attestation logs for profiling/coercion, or forcing proprietary integrations.
Use against self‑hosting, RSS, wikis, and forums
- Single operators are fragile: a site with one admin, one hosting account, and no legal team is easy to force offline.
- RSS/federation breakage: gated content and feed takedowns reduce discovery, syndication, and archival.
- Wikis/forums lose contributors: requiring verified identities reduces anonymous/pseudonymous edits and fragments conversation into gated silos.
- Uploads/posts become attack tools: file uploads can trigger quarantines or suspensions, and mass uploads exhaust moderation.
Example of how Kidding circumvents AGPL
1) Adversary runs coordinated complaints and upload abuse.
2) Registry/host suspends or delists project pending verification/legal review.
3) Mirrors/CI stop fetching artifacts; downstream systems fail.
4) Maintainer is deanonymized or coerced; community mirrors hesitate.
Result: effective censorship and distribution blockade despite AGPL rights.
Policy recommendations
- Small‑actor exemptions: scale obligations so volunteer/FOSS projects aren’t forced into heavy verification.
- Non‑discrimination & interoperability rules for attestation providers.
- Due‑process: require evidence and quick appeals before takedowns of licensed works.
- Antitrust oversight of dominant attesters used to foreclose competition.
- Fund public attestation authorities, mirrors, and legal defense funds for maintainers.
Loss of the public open internet & anonymity conflation
- Gatekeeping and gating transform public, linkable resources into identity‑locked silos, reducing discoverability and remix culture.
- Operators may equate “unverified” with “risky” or “underage,” producing automatic exclusion of anonymous/pseudonymous contributors and shrinking the commons.
- Long term: fewer contributors, fewer mirrors, less auditability — weaker public infrastructure.
There is a lot more to this, including how implementation can be handled responsibly, but I hope this is enough to encourage conversation.