Our holiday advice: don’t leave your stuff unattended. (image via kalebdf)
The Breakdown: Rachel shares a holiday tale about the first time she encountered the downside of the “wisdom of the crowd.” Luckily, the same Internet that brought the attackers to her door also gave her a window on what they were thinking and doing.
The holidays: so much to do, so many memories. For me, one of the things I find myself reminiscing about at this time of year is my first professional run-in with the trolls. Today the cautionary tales of social media mishaps are reported, analyzed, and reanalyzed almost as they happen. But in 2001 – almost a decade ago – we were so much more innocent about the possibilities. I learned my lessons the hard way, but I’m glad I learned them when the playground was a lot less crowded, and a lot less rough than it is today. Here’s what happened.
In 2001 I was the manager of the developers and producers at a website for a national entertainment publication. Our editors decided to put up a write-in poll for Entertainer of the Year, right before Thanksgiving. We had never done a write-in a poll before. A write-in poll, where people can type in whatever answer they want. There was no login required to submit an answer to this poll, but we were assured that the “robot protection” features of the in-house polling system were in good standing. Nonetheless, I was very wary of having this go live right before a four-day weekend, and I strongly advised against it. But the editors were determined to get it posted so that they would have a good set of responses by the end of the month, in time to do a follow-up poll of just the finalists by mid-December.
I checked in on the poll over the weekend, and it was immediately evident that it was being hit by robots. A script was voting for Janet Jackson hundreds of times a minute. Most of these duplicate votes were detected and removed, but many of them still got through. Similar efforts were weighting the tallies for Joss Whedon, Christina Aguilera, and others.
In the early hours of the poll’s victimization, the names showing up in the top 10 were still well-known, mainstream entertainers. But it wasn’t long before several online communities started to mobilize, most notably Fark.com and SomethingAwful.com, and things started to shift. On the discussion boards they conspired to elect their favorite geek-hero personalities, and people posted scripts that others could run locally to rapidly submit votes. The readers of Something Awful backed the site’s founder, Rich “Lowtax” Kyanka, as well as several of its other contributors. Fark readers mostly backed their patron saint, Wil Wheaton.
On Friday at 6pm, the only names most people would recognize in the top 10 were Wil Wheaton and Joss Whedon, and you’d kind of have to be a real entertainment nerd even to recognize those two. Kyanka had over 200,000 votes, almost twice as many as the person in second place (who was also someone you’ve never heard of), with a pretty steep drop-off after that. By 5pm on Sunday, Kyanka had 561,895 votes. Believe me, this poll was not getting that much legitimate traffic on Thanksgiving weekend.
On Monday we came in and the IT folks scrubbed the results, but the discussion on the various communities ramped up, and they renewed their robot activity with even more vigor. Luckily, these discussions were happening in such localized places on the web that I could actually follow along with them in real time– a fact which seemed to baffle the people who were publicly discussing their attempts to rig the vote.
When their votes stopped being counted (either because their IP had been identified as a source of robot votes, or because they and others were running scripts that were overloading the system, essentially causing a partial denial of service), the tenor of discussion on the boards became paranoid and indignant. They seemed to think we were somehow identifying them and singling them out to ignore their votes. They started saying things like “Why do they even bother having an open vote if they are just going to fix the results?” and “We should all email them to complain about the rigging (I did).”
I couldn’t tell if comments like these were outright hypocritical or just naïve. On the same boards, people were not only sharing code for various voting scripts, they were also posting information about how to use IP spoofers. And still they acted like it was terribly unjust that we would “rig” our poll to deflect their attempts to hijack it. At the same time, they made fun of us when we failed to deflect the attempts. We were being portrayed both as ignorant chumps who deserved to be messed with because we should have known better and as evil media bullies who were tricking the innocent public into being interested in something that was really just a thin marketing ploy for the entertainment industry.
Eventually I started to feel frustrated with these people who seemed to think that they were performing some kind of righteous social action by messing with a meaningless entertainment poll. That’s when I did something that I really shouldn’t have done. I sent the trolls a message.
At around 5:30 Monday evening, after a full day of trying to fight this thing as it played out in public, we changed the results page so that it no longer showed the running tally. It said something along the lines of “Thanks for voting. Come back later to find out the results.” In a brief show of very poor judgment, I hid the following comment in the HTML of the new “results-less” results page:
You run a bunch of scripts that vote hundreds of times a minute for some geek with a superiority complex, and then you complain because *we* rigged the poll by dropping those votes?
The only way to see this was to look at the source code of the page, something that most normal people would never think to do. Around midnight someone noticed it. In their discussion board, they posted a message that said, “I looked at the source code of the “Thanks for voting” page… Think the guy is bitter?”
The next day my boss came to see me and asked if I had put some comment in the code. He asked me to take it out, it was only aggravating things. To his credit, he was probably really pissed, but he didn’t yell at me, he just seemed exhausted. What I didn’t know at the time is that members of another community who had been thwarted in their attempts to mess with the poll – a community that shall remain nameless – had become so irate that many of them had emailed my boss death threats. Security and the legal department had gotten involved, and I imagine it must have been pretty nerve-wracking for him.
So, I took the comment out and by that afternoon the communities started posting about that, too. “Hmm… now that comment is gone… I wonder if they get paid for reading Fark at work?” (Of course I was! They were publicly discussing how they were sabotaging our poll!) Luckily the whole game was starting to lose steam, and it didn’t go anywhere. But I realized later that baiting the trolls like this can be really dangerous, and the backlash could easily have been much worse.
If the same thing happened today, I suspect that their response would have been more aggressive, swift, and distributed. Having that visibility on the unfolding drama taught me to expect the unexpected when it comes to inviting user participation online. And while it’s true that some people will mess with things just because they can, there are others that feel they have a moral imperative to shine a light on the gaps in your security. Don’t let this scare you off from incorporating audience contributions, but make sure you’re aware of where the weaknesses are. You may not be able to anticipate everything that the Internet-abusing segment of the public might throw at you, but you can be prepared to react and adapt.