(DNA Top 10 in 2014) Censorship 2.0: Shadowy forces controlling online conversations: Page 4 of 4
By A. Asohan April 30, 2015
The puppet army
Having verified how easy it was to use manipulate online conversations, the Thinkst team then set out to explore whether such techniques were actually being used.
“It’s obvious they are – the most obvious recent example was Common Dreams, a website for news and views from the progressive community,” said Haroon.
“They were getting a lot of anti-Semitic comments on their pages, and were in fact in danger of losing their funding because their funders were not comfortable with such comments.
“After a little investigation, they found it was all linked to a college kid – what he did was post these sock puppet comments, then sent email to organisations to say ‘We’re being seriously oppressed here,’ etc.
“As Marco [Slaviero] has shown, you can effectively mute a voice by flagging it enough times, and we see this all the time, with appeals to others to downvote a comment you don’t agree with, which is what the IDF (Israeli Defence Forces) has done,” he added.
Having verified how easy it was to use manipulate online conversations, the Thinkst team then set out to explore whether such techniques were actually being used.
“It’s obvious they are – the most obvious recent example was Common Dreams, a website for news and views from the progressive community,” said Haroon.
“They were getting a lot of anti-Semitic comments on their pages, and were in fact in danger of losing their funding because their funders were not comfortable with such comments.
“After a little investigation, they found it was all linked to a college kid – what he did was post these sock puppet comments, then sent email to organisations to say ‘We’re being seriously oppressed here,’ etc.
“As Marco [Slaviero] has shown, you can effectively mute a voice by flagging it enough times, and we see this all the time, with appeals to others to downvote a comment you don’t agree with, which is what the IDF (Israeli Defence Forces) has done,” he added.
Thanks to leaks by former US National Security Agency (NSA) contractor Edward Snowden, the world now knows that the Joint Threat Research Intelligence Group (JTRIG), a unit of the UK-based Government Communications Headquarters (GCHQ), has been performing such acts.
In 2011, the JTRIG conducted a denial-of-service attack (DoS) on the activist network Anonymous, and its other targets have included the Government of Iran, and the Taliban in Afghanistan.
“Their mandate is to ‘Deny, Disrupt, Degrade, Deceive.’ They’ve been using many of the techniques we have outlined,” said Haroon.
Thinkst then went out to identify these sock puppet armies, using an array of tactics. First, it picked a controversial topic (like the Palestine conflict), then looked into news organisations that cover this topic (like Al Jazeera).
It then used the Disqus API (applications programming interface) to get a list of popular stories; and for each story, used the API to pull user information, then linked users to stories they commented on.
But it was still hard to discern the pattern. So the team decided to focus on the voting metrics. It pulled all the comments for a random story; and for each comment, pulled out information on the non-guest voters. For each voter, Thinkst then retrieved their registration time, then calculated the variation in voter age on each comment.
“What stood out was that accounts had been registered within minutes of each other, and that their usernames and profile names had a regular pattern: Username: <Firstname><Surname>; Profile name: <Firstname><Surname>,” said Slaviero.
“It is a signal, but not completely convincing,” he added. “So we thought, what about email addresses?”
One shouldn’t be able to retrieve a Disqus user’s email address, but Thinkst found an ‘unmask attack’ that returns an email address for a profile name. An unmask attack reveals what should be hidden information. Slaviero said that the attack has been been reported and Disqus has since fixed it, however.
The team found that the suspected puppets had similar email addresses, in the form of <Firstname><Surname>@gmail.com.
“We had our suspicions … so the next step was to enumerate,” he added.
Disqus users get a unique ID (identification) in the form of a counter, and there are unrestricted APIs to query user information which allowed the Thinkst team to look up email addresses for each enumerated user with its unmask attack.
When it had drilled down to 5,000 users, it pulled details on them, then filtered them according to the username, profile name and email address patterns above.
“Disqus lets us map usernames to forums where they’re active, and also lets us map usernames to comments (including private profiles),” said Slaviero.
And the team found accounts with patterned profile names; patterned usernames; patterned emails; had similar registration times; exhibited regular inter-registration delays; showed an alphabetical progression in usernames; were active on the same set of sites; shared duplicate comments across accounts; and which vote for each other’s comments to push them up.
In 2011, the JTRIG conducted a denial-of-service attack (DoS) on the activist network Anonymous, and its other targets have included the Government of Iran, and the Taliban in Afghanistan.
“Their mandate is to ‘Deny, Disrupt, Degrade, Deceive.’ They’ve been using many of the techniques we have outlined,” said Haroon.
Thinkst then went out to identify these sock puppet armies, using an array of tactics. First, it picked a controversial topic (like the Palestine conflict), then looked into news organisations that cover this topic (like Al Jazeera).
It then used the Disqus API (applications programming interface) to get a list of popular stories; and for each story, used the API to pull user information, then linked users to stories they commented on.
But it was still hard to discern the pattern. So the team decided to focus on the voting metrics. It pulled all the comments for a random story; and for each comment, pulled out information on the non-guest voters. For each voter, Thinkst then retrieved their registration time, then calculated the variation in voter age on each comment.
“What stood out was that accounts had been registered within minutes of each other, and that their usernames and profile names had a regular pattern: Username: <Firstname><Surname>; Profile name: <Firstname><Surname>,” said Slaviero.
“It is a signal, but not completely convincing,” he added. “So we thought, what about email addresses?”
One shouldn’t be able to retrieve a Disqus user’s email address, but Thinkst found an ‘unmask attack’ that returns an email address for a profile name. An unmask attack reveals what should be hidden information. Slaviero said that the attack has been been reported and Disqus has since fixed it, however.
The team found that the suspected puppets had similar email addresses, in the form of <Firstname><Surname>@gmail.com.
“We had our suspicions … so the next step was to enumerate,” he added.
Disqus users get a unique ID (identification) in the form of a counter, and there are unrestricted APIs to query user information which allowed the Thinkst team to look up email addresses for each enumerated user with its unmask attack.
When it had drilled down to 5,000 users, it pulled details on them, then filtered them according to the username, profile name and email address patterns above.
“Disqus lets us map usernames to forums where they’re active, and also lets us map usernames to comments (including private profiles),” said Slaviero.
And the team found accounts with patterned profile names; patterned usernames; patterned emails; had similar registration times; exhibited regular inter-registration delays; showed an alphabetical progression in usernames; were active on the same set of sites; shared duplicate comments across accounts; and which vote for each other’s comments to push them up.
These accounts had consistent multi-faceted views: They were generally pro-Palestine and anti-Israel; they wrote “We (USA)” to present themselves as Western; were aginst Syria and US President Barrack Obama, and attempted to project themselves as pro-Islam with derogatory comments against Christianity.
“Who is this sock puppet army? It’s difficult to speculate – it’s a simplistic attack, so we’re not sure if this is because they lack the skills set, or if they were intending to be found,” said Slaviero.
“You could shut down this puppet army, but they’ll just re-register. Disqus is thinking of limiting its API, but we think it’s a bad idea because puppetry is very likely happening in other places, and without the same amount of data, we can’t tell.
“In fact, Disqus’ open data approach is great for identifying these relationships and patterns, and we want to give them a shout-out for it,” he added.
Tools to fight puppets
“We want to be absolutely clear: We saw a super-simplistic attack on Reddit that even the Reddit admins couldn’t identify,” said Haroon (pic).
“With just a few days’ worth of work, we managed to uncover, pretty comprehensively, a botnet army on CNN, Al Jazeera and the Jerusalem Post, and mainly because of good access to data, so it’s actually something we want to encourage.
“In summary, without exception, all user-generated content sites have been fairly easy to game, and fairly trivial to manipulate, so it’s pretty clear this abuse has already been going on in a whole bunch of places.
“What’s important for us is that we’re aware of it, and that we start building tools that can detect and counteract it. Our biggest tool is good access to open data,” he added.
Haroon later told DNA that part of OTF grant includes Thinkst building tools that would allow others to detect such sock puppetry on their sites, and to counteract it. The company is in the process of doing so.
Related Stories:
Net censorship: BBC story on kangkung fiasco blocked?
The kangkung block: Denial seems to be the best defence
Internet censorship: What you allow is what will continue
Internet censorship: You’ve already won, Dr Mahathir
Evidence Act, censorship, control issues and other #facepalms
“Who is this sock puppet army? It’s difficult to speculate – it’s a simplistic attack, so we’re not sure if this is because they lack the skills set, or if they were intending to be found,” said Slaviero.
“You could shut down this puppet army, but they’ll just re-register. Disqus is thinking of limiting its API, but we think it’s a bad idea because puppetry is very likely happening in other places, and without the same amount of data, we can’t tell.
“In fact, Disqus’ open data approach is great for identifying these relationships and patterns, and we want to give them a shout-out for it,” he added.
Tools to fight puppets
“We want to be absolutely clear: We saw a super-simplistic attack on Reddit that even the Reddit admins couldn’t identify,” said Haroon (pic).“With just a few days’ worth of work, we managed to uncover, pretty comprehensively, a botnet army on CNN, Al Jazeera and the Jerusalem Post, and mainly because of good access to data, so it’s actually something we want to encourage.
“In summary, without exception, all user-generated content sites have been fairly easy to game, and fairly trivial to manipulate, so it’s pretty clear this abuse has already been going on in a whole bunch of places.
“What’s important for us is that we’re aware of it, and that we start building tools that can detect and counteract it. Our biggest tool is good access to open data,” he added.
Haroon later told DNA that part of OTF grant includes Thinkst building tools that would allow others to detect such sock puppetry on their sites, and to counteract it. The company is in the process of doing so.
Related Stories:
Net censorship: BBC story on kangkung fiasco blocked?
The kangkung block: Denial seems to be the best defence
Internet censorship: What you allow is what will continue
Internet censorship: You’ve already won, Dr Mahathir
Evidence Act, censorship, control issues and other #facepalms
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.
Pages
- « first
- ‹ previous
- 1
- 2
- 3
- 4
