Trolls are spoofing commentariat and authors (Update: countermeasures!)

Thanks to the spate of trolls (who are, in fact, members of our rationalist community!) spoofing our users, a few blogs are turning on comment registration. The spoofing owes mostly to their levels of immaturity and the realization that they can type other people’s identities in the comment fields. I strongly advise that, even if your primary hangout is a blog that does not require registration, you should consider registering your username/email address anyway.

If you’ve already registered your account, and you need to edit your profile because the display name or email address is no longer valid, the top bar shows a “Howdy, username” link on the right. Hover over it, then click on Edit My Profile. You should also be able to get to it by clicking here — but that link might change depending on your user access level and future WordPress changes. The top bar should always be right.

I have no intention of turning on comment registration at my blog. I am instead working on making changes on the network (via a plugin or via editing the core of WordPress) to ensure that anonymous users cannot use a username or email address of a registered user. If you want to protect your name here, I strongly advise you register your account.

The registration process can use Facebook, Twitter or WordPress as authentication providers, so you don’t necessarily have to build an account unique to Freethoughtblogs. Our software will rely on those sites’ auth APIs, and won’t ever see your login information. However, if you use these options, I strongly advise that you also log into your profile per the above instructions before making a comment, and set all the options appropriately. Otherwise your display name will show as “sc_{random characters}”, which is dead ugly.

Update: I’ve installed a plugin network-wide that protects login names and email addresses from being spoofed by anonymous users. It doesn’t protect the display name though — if your display name is something different from your login name, this won’t help you much. On blogs where registration is required, people shouldn’t notice a difference. And I’m sure asshats can still spoof people with a fair degree of fidelity to casual outside observers (I can think of two ways myself — there might be more), but this at least gives us an idea of when it’s happening.

Regardless, register your accounts.
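
An added illustration, not the plugin's code and not from the original post: the Python model below shows the check described in the update, where an anonymous comment is held if its name or email address matches a registered login or email, and why a display name that differs from the login slips past it. `IdentityGuard`, `RegisteredUser` and the sample account are hypothetical names constructed for this example; the `protect_display_names` option goes beyond what the post says the plugin does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredUser:
    login: str
    email: str
    display_name: str


def norm(value: str) -> str:
    """Compare identities case-insensitively, ignoring surrounding whitespace."""
    return value.strip().casefold()


class IdentityGuard:
    """Reserved-identity index, built once so each comment costs set lookups."""

    def __init__(self, users, protect_display_names=False):
        self.logins = {norm(u.login) for u in users}
        self.emails = {norm(u.email) for u in users}
        # The plugin described in the post stops at logins and emails;
        # reserving display names as well is this example's own extension.
        self.display_names = (
            {norm(u.display_name) for u in users} if protect_display_names else set()
        )

    def check(self, author, email, logged_in=False):
        """Return the reasons to hold a comment; an empty list means accept."""
        if logged_in:
            return []  # an authenticated user is posting under their own account
        reasons = []
        if norm(author) in self.logins:
            reasons.append("name matches a registered login")
        if norm(email) in self.emails:
            reasons.append("email matches a registered account")
        if norm(author) in self.display_names:
            reasons.append("name matches a registered display name")
        return reasons


# Constructed sample account whose login and display name differ.
USERS = [RegisteredUser("alice_r", "alice@example.org", "Alice R.")]
```

Returning the reasons instead of a bare yes/no lets the site log each held comment, which is the "idea of when it's happening" the update mentions.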

    I hardly ever post here at Lousy Canuck, but I do post at a couple of the other FtB sites.

    This is mostly just a test post.

    I can’t believe all this bullshit. I was on Youtube last night and saw that one of the people I subscribed to favorited a weird anti Jen video that addressed absolutely nothing she ever said. There were tons more in the “related videos” section. What is up with these people? Makes me sick.

    BTW, I went to edit my WordPress profile and everything seemed to be as it was before. I made no changes. Just posting this to see if it works.

    Ooh, /b/ is going to say mean things and make stupid, nasty pictures about us? How…original.

    You know what would be original? Managing to say something completely true, relevant, and nasty, all at the same time. Nobody’s done that yet that I’ve seen.

    I doubt they can manage it either, though.

    Heh. The utter lack of originality is how anyone knows about “double blowjobs”. Same dull idiot or another idiot just as dull left one of those fake comments on my blog today…on a comment thread Jason was subscribed to. Guess what it referred to.

    Damn. As someone else said to me today, “Like a conspiracy theory, but not as well thought out.” Has /b/ always been this laughable, or is this guy letting down the side?

    Welp. This is what an extinction burst looks like. They’ll troll us for a while then get bored and Battletoads some Gamestop instead. Or call up and slut-shame one of their members’ girlfriends since they’re evidently reduced to the level of “personal army” for every individual with a grudge.

    Jason, in regards to the requests for OpenID, here’s an example of what they’re asking for, implemented on another blog site I happened to see just now:
    Upon clicking the grey-O-around-an-orange-I button, a prompt is offered to “Enter the [any] OpenID Url to login with”.
    This happens to be ‘Powered by OneAll Social Login’, but I’ve seen that OI button on plenty of other sites before, probably using a variety of plugins.

    Also, what gets me the most about this is, they had to post instructions on how to spoof people.


    Jesus fuck. These are our enemies.

    Anonymous Atheist / Andrew G: yes, I realize that OpenID is more than the three provided by this plugin. I didn’t realize there were plugins that allow arbitrary URLs though. I will take it to the powers that be — but bear in mind it took a shitload of trolling before I got this plugin installed. There’s a lot of considerations that have to be made with regard to database usage. Adding another SQL query to each comment, for instance, might increase server load by half again. Which would be bad.

    They may be atheists and even skeptical of several things mainstream skeptics are rightly skeptical of, but I don’t really consider the troll hordes to be rationalists, at least in the strict sense in which I use the word.

    They keep failing the tests.

    Jason (18): Thanks, I have subscribed to comments on this thread and will check to see if I can get mail at all.

    F (19): I did check my spam folder, but thanks for the reminder.

    @Jason, seconding the request to allow use of arbitrary OpenID urls. I’m not sure if there’s some WordPress-specific issue that you’re wary of, but in general it should not increase database load to allow arbitrary URLs; you only need to look up email addresses in your own tables after getting a security confirmation from the identity provider, whether the user at your site typed in a URL themselves or some string that got transformed into a URL (the latter being the case for stuff like Google and Yahoo OpenID email logins).

    Kaguya #63

    They may be atheists and even skeptical of several things mainstream skeptics are rightly skeptical of, but I don’t really consider the troll hordes to be rationalists, at least in the strict sense in which I use the word.

    They also claim that we’re the bullies.

    Unless I messed up registration and forgot about it, someone who isn’t me seems to have registered my username (this one, without the space).

    Please can I have it back. I can collect a reset through the email address used on this comment (and every B&W one…).


    Sorry dir igible, no can do. That appears to be a user with comments on the site.

    However, here’s what you can do. Register a different username (modify your usual slightly). Then log in, go to the dashboard per the instructions above, change your name to first name “dir”, last name “igible”, and choose the Display Name that shows the name how you usually display it.

    Jason, unless one has checked the ‘enable toolbar’ field on the profile page, that Howdy, DisplayName won’t show up.

    I looked all over the page to confirm that I was registered, to no avail. I got to the profile by clicking on my display name in the Leave a Reply section.

    This brings back memories. I ran one of the first BBSs in Vancouver in the ’80s (300 bps). At first the software was totally open and trusting and anyone could use any signature and delete any message. That lasted a year. One vandal was all it took. After a steady escalation of passwords and security measures in the following years, we chucked in the towel.

    Some things don’t change.

