(DNA Top 10 in 2014) Censorship 2.0: Shadowy forces controlling online conversations: Page 3 of 4

Read all about it
 
In this era of information and misinformation overload, news sites are regaining some of their cachet as credible sources of information. Because content is controlled by the editorial teams – comprising professional journalists, at least for the most part – the actual stories cannot be influenced.
 
“But there are sections on the front page that you can control – most news sites have a panel that lists the most-read or most popular articles,” said Azhar.
 
“The question then was, can we influence this panel? Can we get articles on it or keep articles off it?” he added.
 
Thinkst went into South Africa’s popular Mail & Guardian site, which has a panel that features recent articles with the most page views.
 
“Now, pageviews we can control, and we did it here to spell out ‘HITB’,” said Azhar.
Then the Thinkst team looked at The Wall Street Journal’s ‘Popular Now’ panel, which was harder to game because those rankings use a combination of metrics: Page views (30%), Facebook and Twitter (20% each), email shares (20%) and comments (10%).
 
“Pageviews? We know how to do that. Twitter? We still had our sock puppet accounts,” said Azhar. “By combining them, we got to control 50% [of the factors].”
 
For Twitter, the team just made sure their tweets were not identical:
Thinkst also looked into the New York Times (NYT), whose default panel was ‘Most Emailed.’ To do so, it needed accounts with the NYT, but those were easy to create – as at HITBSecConf, the team had created 30,000 accounts with the newspaper, Thinkst claimed.
 
“What’s interesting to note is that the New York Times spends millions on its news-gathering apparatus,” said Haroon.
 
“Based on quick calculations on how much machine time we were spending on Amazon Web Services, the cost to register 30,000 accounts was about 12 cents; the cost to share 30,000 stories was about 18 cents.
 
“To trivially manipulate the NYT front page? That was priceless,” he said.
 
“So again, it was a relatively simple attack, but we managed to do what we had set out to do: We can influence what people are most likely to see, even on these news sites. Even if we don’t own them, we can own them,” added Haroon.
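The WSJ ‘Popular Now’ formula quoted above is worth working through from the panel owner’s side. The following is an added example, not code from Thinkst or from this article: it ranks stories with the 30/20/20/20/10 weights and flags any story whose score is carried almost entirely by the two signals the talk showed could be driven from outside (pageviews and Twitter). Normalising each metric against its site-wide maximum, the 0.85 threshold and the sample stories are assumptions.

```python
# Added example, not code from Thinkst or the article. It applies the WSJ
# 'Popular Now' weights quoted in the article and flags stories whose score is
# carried almost entirely by the two externally drivable signals (pageviews and
# Twitter). Normalising each metric by its site-wide maximum and the 0.85
# threshold are assumptions, not the WSJ's published method.
WEIGHTS = {"pageviews": 0.30, "facebook": 0.20, "twitter": 0.20,
           "email": 0.20, "comments": 0.10}
EXTERNALLY_DRIVEN = {"pageviews", "twitter"}

# Constructed sample: three ordinary stories and one whose pageviews and tweets
# are inflated while email shares and comments stay near zero.
SAMPLE_STORIES = {
    "budget-vote": {"pageviews": 200_000, "facebook": 9_000, "twitter": 4_000, "email": 1_500, "comments": 600},
    "stadium-deal": {"pageviews": 150_000, "facebook": 4_000, "twitter": 3_000, "email": 3_000, "comments": 400},
    "school-report": {"pageviews": 120_000, "facebook": 3_000, "twitter": 2_500, "email": 1_200, "comments": 1_200},
    "boosted": {"pageviews": 400_000, "facebook": 50, "twitter": 12_000, "email": 10, "comments": 3},
}

def normalise(stories):
    """Scale every metric to [0, 1] against the largest value seen on the site."""
    maxes = {m: max(s[m] for s in stories.values()) or 1 for m in WEIGHTS}
    return {n: {m: s[m] / maxes[m] for m in WEIGHTS} for n, s in stories.items()}

def popularity_score(norm):
    """Weighted sum, i.e. the panel's ranking score for one story."""
    return sum(WEIGHTS[m] * norm[m] for m in WEIGHTS)

def externally_driven_share(norm):
    """Fraction of the score contributed by pageviews and Twitter alone."""
    score = popularity_score(norm)
    return 0.0 if score == 0 else sum(WEIGHTS[m] * norm[m] for m in EXTERNALLY_DRIVEN) / score

def rank_with_flags(stories, threshold=0.85):
    """Return (name, score, flagged) in panel order; flagged marks a lopsided signal mix."""
    norm = normalise(stories)
    order = sorted(stories, key=lambda n: popularity_score(norm[n]), reverse=True)
    return [(n, popularity_score(norm[n]), externally_driven_share(norm[n]) >= threshold)
            for n in order]

if __name__ == "__main__":
    for name, score, flagged in rank_with_flags(SAMPLE_STORIES):
        print(f"{name:14} {score:.3f} {'FLAG' if flagged else ''}")
```

The inflated story still reaches the panel on the strength of the 50% it controls, which is the talk’s point; the share check is what lets an editor see that its mix of signals looks nothing like the organic stories around it.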
 
Discussing Disqus
Disqus is one of the most popular comments systems today, used in forums, blogs and news portals like CNN, Al Jazeera, Bloomberg, The Next Web, The Daily Telegraph and even Digital News Asia (DNA).
 
“To put it into context, Disqus has about 20 million comments a month, and says it has about 150 million users and about a billion pageviews a month,” said Thinkst lead researcher Marco Slaviero (pic above).
 
“They really are a big player in this space. They’ve really made it easy for users to upvote or downvote comments, rank them, and have a lot of slick tools for admins to moderate their pages.
 
“User profiles are visible across sites and your comments are gathered in your Disqus profile page, so you’re really establishing an online presence,” he added.
 
In the Web 2.0 and UGC era, a news story is not the entire story. Conversations and comments add value.
 
“The stories that these [news] organisations put out aren’t the entire narrative. If you come back to the notion of user-generated content, part of the page does not come from the editors of these sites, it comes from users of the site,” said Slaviero.
 
Just how much of the narrative comes from readers? Thinkst screen-captured an actual CNN page, flipped it on its side and separated the actual news story from the comments, which shows an approximate 30:70 split.
The team then coded a short Bash script for Disqus that allowed it to register 100 accounts, and do mass posting and voting. (Bash is a command-line ‘shell’ for Unix-like operating systems that lets users script sequences of commands.)
 
“There are very few defences in Disqus. We pretty much got complete control of Disqus forums with a one-line Bash script,” said Slaviero.
 
“We could actually manipulate opinion on a bunch of news stories,” he added, then showed a video of how Thinkst upvoted comments that the team had planted on real-world events, and downvoted comments they ‘didn’t like’ – essentially taking over a CNN comments section.
 
“Disqus has some defence against sock puppetry, but it’s hopelessly inadequate,” said Slaviero.
 
For instance, user registration isn’t limited by IP address; email verification isn’t a requirement; and while guest voting is IP-limited, open proxy lists can bypass this trivially.
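The gaps listed above (registrations not limited per IP, email verification optional) are exactly the signals a comment-platform operator can use to catch this kind of voting after the fact. The following is an added example, not the Bash script from the talk or any Disqus code: it replays a constructed vote log and flags a run of same-direction votes on one comment when the voting accounts share a registration IP, were created in one short burst, or are mostly unverified. The log lines, time windows and thresholds are all constructed assumptions.

```python
# Added example, not the Bash script from the talk and not Disqus code. It
# replays a constructed vote log against the gaps named in the article
# (registrations not limited per IP, email verification optional) and flags a
# run of same-direction votes on one comment when the voting accounts share a
# registration IP, were created in one short burst, or are mostly unverified.
# Windows and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# account -> (registered_at, registration_ip, email_verified); constructed sample
ACCOUNTS = {
    "u1": ("2014-10-16T09:00:00", "203.0.113.5", False),
    "u2": ("2014-10-16T09:00:20", "203.0.113.5", False),
    "u3": ("2014-10-16T09:00:41", "203.0.113.5", False),
    "u4": ("2014-10-16T09:01:02", "203.0.113.5", False),
    "alice": ("2013-02-01T12:00:00", "198.51.100.7", True),
    "bob": ("2013-05-10T08:30:00", "198.51.100.9", True),
    "carol": ("2014-01-15T19:45:00", "192.0.2.22", True),
}
# (timestamp, account, comment_id, direction); +1 upvote, -1 downvote; constructed
VOTES = [
    ("2014-10-16T09:05:00", "u1", "c42", 1), ("2014-10-16T09:05:03", "u2", "c42", 1),
    ("2014-10-16T09:05:07", "u3", "c42", 1), ("2014-10-16T09:05:10", "u4", "c42", 1),
    ("2014-10-16T09:05:15", "u1", "c17", -1), ("2014-10-16T09:05:18", "u2", "c17", -1),
    ("2014-10-16T09:05:22", "u3", "c17", -1),
    ("2014-10-16T10:00:00", "alice", "c17", 1), ("2014-10-16T10:20:00", "bob", "c17", 1),
    ("2014-10-16T11:00:00", "carol", "c17", 1),
]

def suspicious_votes(accounts, votes, window=timedelta(minutes=10), min_votes=3,
                     reg_burst=timedelta(minutes=5)):
    """Map (comment_id, direction) -> sorted reasons for each flagged vote run."""
    runs = defaultdict(list)
    for ts, acct, cid, direction in votes:
        runs[(cid, direction)].append((datetime.fromisoformat(ts), acct))
    findings = {}
    for key, events in runs.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            voters = [a for t, a in events[i:] if t - start <= window]
            if len(voters) < min_votes:
                continue
            ips = [accounts[a][1] for a in voters]
            created = sorted(datetime.fromisoformat(accounts[a][0]) for a in voters)
            reasons = set()
            if max(ips.count(ip) for ip in set(ips)) >= min_votes:
                reasons.add("shared registration IP")
            if created[-1] - created[0] <= reg_burst:
                reasons.add("accounts created in one burst")
            if sum(not accounts[a][2] for a in voters) >= min_votes:
                reasons.add("unverified emails")
            if reasons:
                findings[key] = sorted(reasons)
                break
    return findings
```

On the sample log the four-account upvote run on c42 and the downvote run on c17 trip all three checks, while the three organic, verified upvotes on c17 spread over an hour do not.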
 
The Thinkst team then tried the LiveFyre comments system, and the same techniques worked.
 
“The one difference is that by default, LiveFyre orders comments according to the newest rather than by votes, so it’s actually even easier – you don’t need to vote, just keep posting the same comment,” said Slaviero, playing another video to demonstrate.
 
“To remove a comment from the page, you can just keep flagging it as inappropriate and it will disappear until the admin has looked into it,” he added.
 
More worrying, his colleague Azhar then showed how an actual user’s LiveFyre token can be obtained while he or she is logged into LiveFyre, and then used to impersonate that user on other sites and post comments on his or her behalf.
 
“We get to see your history, we get to vote for you, and we can do this with multiple accounts,” said Haroon. “Effectively, we get to do sock puppetry using real accounts.”
 