
Last Measure Shock Site: An Internet "Prank" with an Exploit Inside

Posted by Aaron Weber on April 11, 2007 07:25 PM

Over the last few weeks, prominent blogger Kathy Sierra has been making headlines after receiving a series of increasingly violent threats on her blog and other websites. Internet pundits gathered together to try to promote civility online. Tim O'Reilly and others have proposed a blogger code of conduct.

It's an extreme example of an issue the Web has long struggled with -- how to deal with trolls: people who derive a special joy in annoying, offending, disrupting, and threatening other people online. One (non-violent) kind of trolling is called crapflooding -- joining a blog or forum to provoke controversy or just crowd out conversation by posting nonsense. The sheer volume of comments can sometimes overwhelm servers.

In other words, they're jerks.

SiteAdvisor's take on shock sites

SiteAdvisor flags trolls as "red," not for obnoxious behavior, but for noxious coding. In a favorite tactic, trolls trick people into visiting shock sites, web pages designed to horrify. For example, someone might join a technical discussion to say "I've found a relevant whitepaper on the topic over here..." and then link to the shock site instead. The best-known is "goatse" which prominently features a man's distended anus. Links to the goatse page were so common in Slashdot discussions that the site owners had to develop a series of countermeasures aimed at making it more obvious where links were headed. They were only somewhat effective.

Perhaps the most ambitious shock site yet was produced in 2005 by the trolling group GNAA. Called "Last Measure," it combines JavaScript, Java, and Flash exploits to open hundreds or thousands of browser windows which move around the screen. Each window displays a randomly selected medical or sexual anomaly from around the world, and a dozen or so embedded media players scream "Hey everybody! I'm looking at gay porno!" If you've accidentally clicked on it at work, and happen to have speakers on, expect everyone to come see just what you've done. Then be prepared to try to undo some damage: it's probably gotten into your registry. On some systems, Last Measure will also attempt to start email and IRC clients. Even on our relatively secure Windows XP test machine, with popup-blocking turned on, we had to reboot to get rid of the page.

Want to see what it looks like? Here's a video. We've clipped the porn out, but left in the unsettling medical photos and screaming.

Taking the Last Measure to MySpace

Mirrors of the Last Measure code have cropped up on a few sites around the web, including this one, flagged as red by SiteAdvisor. Message-board pranksters have been playing the same games with it as usual: we spotted a MySpace group where all the links are switched to Last Measure sites (click here if you really want to see it). They achieved this not through some secret hack, but with relatively simple HTML: MySpace lets users post linked images in messages. GNAA posted a message with a transparent image set to cover the entire page, and linked that image to Last Measure.

[Image: myspace_nimp.png] Images on this MySpace forum redirect to a Last Measure mirror site

Note in particular the "u=" argument on the linked URL. It allows the GNAA member "timecop" to take credit for everyone who clicks through to Last Measure from this page.
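One way a forum's moderation pipeline could catch the linked-image overlay described above, and record the "u=" style credit argument on the outbound link, is to scan each posted message for anchors that wrap a page-covering image. This is an added example, not SiteAdvisor's, MySpace's or GNAA's code. It assumes a message format that permits only `<a>` and `<img>` tags, a page-cover threshold of 2000 pixels (an assumption), and constructed sample messages using placeholder hosts and values.

```python
"""Moderation check for user-posted HTML: flag linked images that cover the page.

Added example (not the blog's, MySpace's or GNAA's code). Assumes a forum that
accepts a limited HTML subset (<a> and <img>) in messages, as the post above
describes, and runs this check before a message is displayed. The sample
messages at the bottom are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed threshold: a declared width or height of at least this many pixels,
# or of 100%, is treated as covering the page.
COVER_PX = 2000


def _dimension_covers(value):
    """True for '100%' (or more) or a pixel value of at least COVER_PX."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith('%'):
        return float(v[:-1] or 0) >= 100
    m = re.match(r'(\d+(?:\.\d+)?)(px)?$', v)
    return bool(m) and float(m.group(1)) >= COVER_PX


def _style_dict(style):
    """Split an inline style attribute into a {property: value} dict."""
    out = {}
    for decl in (style or '').split(';'):
        if ':' in decl:
            k, v = decl.split(':', 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


class OverlayLinkScanner(HTMLParser):
    """Collects <img> tags inside <a> tags that look like full-page overlays."""

    def __init__(self):
        super().__init__()
        self._open_link = None   # href of the <a> we are currently inside
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a':
            self._open_link = a.get('href')
        elif tag == 'img' and self._open_link:
            style = _style_dict(a.get('style'))
            covers = (
                style.get('position') in ('absolute', 'fixed')
                or style.get('opacity') == '0'
                or _dimension_covers(a.get('width') or style.get('width'))
                or _dimension_covers(a.get('height') or style.get('height'))
            )
            if covers:
                parts = urlsplit(self._open_link)
                # Record the destination host and query arguments (e.g. "u=")
                # so moderators can see who is being credited for the clicks.
                self.findings.append({
                    'href': self._open_link,
                    'host': parts.hostname,
                    'query': {k: v[0] for k, v in parse_qs(parts.query).items()},
                })

    def handle_endtag(self, tag):
        if tag == 'a':
            self._open_link = None


def scan_message(html):
    """Return a list of overlay-link findings for one posted message."""
    parser = OverlayLinkScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: an ordinary linked photo, and a transparent image
# stretched over the whole page that links out with a credit argument.
BENIGN_MESSAGE = (
    '<p>Look at this!</p>'
    '<a href="http://example.invalid/photo"><img src="cat.jpg" width="200" height="150"></a>'
)
OVERLAY_MESSAGE = (
    '<a href="http://mirror.example.invalid/?u=placeholder">'
    '<img src="clear.gif" style="position:absolute;top:0;left:0;width:100%;height:100%">'
    '</a>'
)

if __name__ == '__main__':
    for label, msg in (('benign', BENIGN_MESSAGE), ('overlay', OVERLAY_MESSAGE)):
        print(label, scan_message(msg))
```

A message with any finding would be held for review rather than rejected outright, since a large image inside a link is occasionally legitimate; the recorded host lets the moderator compare it against a list such as SiteAdvisor's red-flagged sites.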

What's the motivation of the Last Measure gang? It's hard to tell. There might be a financial angle: if the registry changes create security holes, GNAA members could come back later and install adware or spyware, or simply sell the addresses of compromised systems to third party attackers. On the other hand, they could be doing it because they enjoy ruining it for everyone else. Taking credit in the URL argument seems to point to some kind of a contest between timecop and other GNAA members over who can trick more people into visiting the shock sites.

Whatever the motivation, the losers in this battle are clear -- forums and blogs that become unusable and the consumers, often kids, who are exposed to hateful content. SiteAdvisor will continue to flag these kinds of sites red.

Comments

"Posted by Aaron Weber on April 11, 2007 07:25 PM"

And no one at MySpace has yet taken notice and removed that forum post with the clear gif overlay or the troll's MySpace account.

/cute
