This how-to shows what you can do to keep your on-line trolling under cover. It goes from the low tech to the high tech, and it is written with the corporate user in mind.
Social networking has turned the Internet into a big gab-fest, and corporations want to shape the conversation. In chatrooms and discussion boards, shilling runs rampant. As we have seen a few days ago, this is not without risks. You will be found out eventually, unless you take precautions.
Of course, this article IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. If you get caught, don’t complain to me. You probably should not do what you are about to do anyway. Getting caught is a cardinal sin, and you will roast in hell for it. When it happens, please let us know, and we will gladly cover the story.
First, a few pro tips, straight from my rich experience in the Ministry of Propaganda:
Pro Tip #1: If you can’t afford getting caught, never ever do any trolling, sock puppeteering, or anonymous shilling from your company’s premises. Don’t. Never ever. Even the most sophisticated technical means cannot prevent you from eventually getting caught in flagrante. People talk. Having done it for years undetected does not guarantee that you never will get found out. Companies, don’t try this at home.
Pro Tip #2: Beware of the evil email address. Sites usually want an email address from you for registration. Of course you don’t want to use your private or company email while operating subrosa. You can’t trust Hotmail, Yahoo mail, Gmail, et al either. They won’t rat on you unless the police is after you, however, one doesn’t have to be the NSA to hack into your supposedly anonymous email account. There are countless sites that explain how it’s done, and you probably don’t want to visit them, the risk of catching social digital diseases is high.
Throw-away email accounts provide a minimum of security. They are also in favor with spammers, many blogs have them banned. By using a throw-away email address, you would attract attention anyway. Try to log on with a bogus email address first, you will be amazed how many blogs do NOT send you an automatic email verification link. If they send you one, don’t click on the link from your office.
From buying a gun to getting a prepaid SIM card, the “acquisition phase” is always risky.
Pro Tip #3: One computer per sock puppet. Your web browser, and you need one for trolling, is giving away an awful lot about you. Your marketing department loves it that individual customers can be targeted. So can you, and you will hate it. Most large blogs put a bunch of cookies on your computer to track you. (If you really want to freak out, download the handy Collusion Diagram to your Firefox browser to see who’s tracking you.)
Therefore, unless you are a highly skilled hacker (and even they do make mistakes as the video shows,) it is best to use one dedicated computer per alternate persona, and to use the machine only for that persona, and never from the same IP number as a machine used to send email, or to do business. Of course, needing a special machine per sockpuppet does not scale very effectively, but in the trolling business, you don’t need hundreds of puppets at the same time. A few consistent ones should suit your nefarious purposes. Give them their own machine.
Pro Tip #4: Beware of correlations. If someone vandalizes your Wikipedia page from the assumed anonymity of an IP, you don’t know who the vandal is. If someone sent you or someone else an email from the same IP, you know who it is. It has happened before, and it could happen to you. Beware of the low-tech gumshoe.
If the world’s most notorious hackers can slip up that badly, how badly will rank amateurs fail? Careful, very robust language.
Having covered the bases, now let’s try to cover your tracks, going from the simple to the highly technical. A lot of the techniques necessarily are the same as used by hackers and spies, and they might attract attention to you.
Step 1: Do it from home. This is a very low-tech, but effective approach, even if it may sound counter-intuitive. It would be best to have two internet connections, and to use one exclusively to nurture a trolling persona, whereas the other connection is used by you and the family. As long as you don’t tell anyone, and as long as you don’t slip up, it will be very hard to detect you. Use Whatismyip.com to check on your IP address.
Sure, if you work in Detroit, your IP number shows up as being in the Detroit vicinity, but what does that prove? If you are on ADSL, you usually can change the IP address by resetting the ADSL box. Pull the plug and pop it back in. Use Whatismyip.com again to check whether the IP did change. That trick usually won’t work if you have Internet via cable where you are stuck with the same sticky IP for a long time. In any case, logging in from many different IP addresses would look suspicious. It is better to stay consistent and low key.
Drawback: If you are found out, they know where you live.
Step 2: Use a cell phone. This is a variation on rule 1. Unless the police is after you, you will be reasonably safe shilling from your smartphone. Again, use that cell phone only for one persona, and for nothing else. Use another phone to conduct business, and to call your girlfriends. Mobile phone IPs change a lot. Switch to airplane mode, switch back to on-line. You will get a new IP. Check Whatismyip.com to make sure. Being a mobile phone IP, they don’t raise suspicion when they change.
Drawback: If you are found out, you may get nasty phone calls.
Step 3: Use a proxy. The IP number shows which computer was used to contact a website, but you can hide behind another computer. This is what a proxy does. It is a computer somewhere else. You log into it, and it acts like it is you. Using a proxy, you can work from Detroit, and, as Whatismyip.com will prove, you will show up at the website as coming from Los Angeles, Kiev, Ulan Bator, or wherever the proxy may sit. This is quite efficient in throwing off pursuers.
Drawbacks: Whatismyip.com will tell that you are using a proxy, and anybody else can find out as well. This could cause suspicion. Some sites, for instance Wikipedia, will not let you work through a proxy, due to the high level of abuse.
You need to be able to trust the operator of the proxy, they will know who dials in. If you are a large corporation doing nefarious things, you may not want to put a lot of trust into a nerd in Ulan Bator. The biggest problem with proxies is that they need to be set up in your browser, and it is easy to get confused. If you are not highly careful, you suddenly contact the website straight from your naked office PC. You don’t want to do that. Because proxies are used to hide things, free proxies are often set up by criminals, and by the police.
Step 4: Use a VPN. In layman’s terms, a VPN (Virtual Private Network) is similar to a proxy, except that it cloaks all network traffic from your device. No setup of browser etc. are necessary.
Drawbacks: Similar to proxy. You need to be able to trust the operator. Your IP will show up as belonging to a data center in Ulan Bator, or wherever your VPN has its endpoint. This might raise suspicions.
As imperfect as they may be, steps one through four work reasonably well to throw off all but the most determined pursuers. That’s usually more than enough, because as we learned yesterday, your pursuers are not determined at all. TTAC’s parent company Verticalcope owns and operates some 800 websites with a technical team that says that it is highly competent. It didn’t notice the thousands of comments from GM’s netblock.
The danger inherent to all of the techniques above is sloppiness. Forget to engage Proxy or VPN, and you can be found out. If proxy or VPN break down, you can be found out. Don’t heed the rule of never to use the same machine and the same IP for the true and made-up persona, and you can be found out.
Step 5: Remote Desktop. With simple Remote Desktop, which comes as standard equipment with all but the cheapest version of Windows, you can dial into a remote computer and operate it as if you are sitting in front of it. If Ed Niedermeyer would set up an RDP machine in Portland, OR, I could access it from Tokyo, and all websites, including Wikipedia, and the obsessive charge card processor that doesn’t like it if I use an American credit card from Tokyo, would think that I am in Portland. This is pretty failsafe. If the connection breaks down, it breaks down, and there is no seepage. If someone traces the connection, they find a real live person in a private home.
Drawbacks: I am at the mercy of the people where the RDP box sits. They better don’t get mad at me, or show friends “the computer that is being used by a big multinational.”
Step 6: TOR. Now it gets nerdy and spooky, as in spooks. TOR, as in The Onion Router, is a network of computers through which data bounce like in a huge echo chamber until trackers lose all orientation. This can be quite efficient in masking the whereabouts of the common troll.
Drawbacks: TOR is used other people who want to hide stuff, such as hackers, criminals, and if we believe the NSA, terrorists. This is not the crowd a large automaker usually wants to associate with. Using TOR not only can raise suspicion of website operators, it also can attract attention from the alphabet soup of spooks.
Step 7: IP Rental Services. Wouldn’t it be great if the corporate troll could outsource the dirty and risky business of acquiring private IP numbers for traffic that would look like coming from concerned citizens from all over the country? There is a huge demand for large-scale astroturfing, and there are companies that fulfill the demand.
Aptly named IPrental.com is one such company. On its website, it proudly says that its customers leased “4,276,937 unique IPs since December 4th, 2008.” The offerings are industrial-strength, and at $300 per month for the highest tier are targeted squarely at the corporate customer. The service comes with technology that cleanses your traffic from traceable data.
Drawbacks: The system’s IP numbers change every few seconds or minutes, depending on membership level. This, along with stripped-off user agent and cookies, would be a dead give-away that someone is trying to hide something. Again, this assumes that someone wants to find out.
Step 8: Outsource everything. Web 2.0 consultants, always on the lookout for new lucrative business fields to plow, will happily agree to do large scale astroturfing. Most Washington, DC, based PR agencies have farmed astroturf for decades, and they enthusiastically embrace the new technologies. Instead of trying their necessarily amateurish hands on the game, companies should entrust their agencies with the farming of sod 2.0 . Doing so puts a few layers of plausible deniability between client and agency. With outsourced shilling, you can say with a straight face that “nobody in the PR department would ever do that.” If someone should be found red-handed, it can always be said that they acted on their own, and that they were immediately fired.
Drawbacks: None. It costs a bit more, but it’s worth it.