How To Google Bomb Someone


or, Rick Santorum’s Sticky Situation

Re-Published with permission from the 2600 Hacker Quarterly, Autumn 2016.

I'm writing this just a couple hours after Governor Rick Santorum has announced his bid in the 2016 presidential race. Political commentary aside, many of you may remember a frothy mess he got tossed into during his last presidential run. For those who don't remember or don't know: there was a period of time where you could type "Santorum" into a Google search and the SERPS (Search Engine Results PageS) would return something...erm...Not Safe For Work.

Whether you use Google, Bing (seriously?), DuckDuckGo, or another search engine (Tumblr, Facebook, YouTube, and other websites have built-in search engines), the order of display is not arbitrary. Each search engine has its own super secret algorithm that decides what websites are so good that they deserve to be first, and what sites suck so bad that they’re not even allowed in the top ten pages. Some sites even get “sandboxed”, which usually happens when you get busted trying to game the system. It’s pretty difficult to come back from that ban-hammer.

In this article, we’ll be discussing Google’s methods, hence the term “Google Bomb”, mostly because Google still holds above 68% of the search market share (at the time of writing this).

What Is A Google Bomb?

A Google bomb is when you use techniques to optimize a page, image, video, or other media to appear in the SERPS even if it doesn’t belong there. This act is actually a skill that can be a career, called Search Engine Optimization (SEO), which is what I’ve been doing professionally the last eight or more years of my life. This is generally a skill that takes years to develop as it changes pretty frequently, and so you’ll need to develop the ability to recognize the kind of things that will work, won’t work, and how to utilize new tools and websites in your favor, and adapt quickly. However, once you learn the skill set, it will no doubt benefit anyone who uses the internet and also has something they want other people to see, on the internet. So, I’m going to break it down to the basic principles in this article.

This is pretty dangerous as you could get your website sandboxed or possibly sued for defamation depending on what you do with this knowledge. I recommend you do nothing with it but shelve it away into your mind as amusing information. A lot of these techniques have been considered very bad by the big G (Google, not God or Government) and I do not personally do them (anymore, I’ve gone straight), but they do or have worked at one time.

Doing The Deed

Plan Ahead

Whatever it is that’s being Google Bombed, you need to figure it out ahead of time. For the sake of example, we’ll Google Bomb the search term “The 2600 Hacker Quarterly” with a video of Rick Astley singing our favorite song: Never Gonna Give You Up (I’m not going to actually do this).

Setting Up The Media

Since we’re using a video for this example, the first thing I need to do is make sure the video is properly titled after the term I want it to rank for. The term is “The 2600 Hacker Quarterly” so I changed the name of rickroll_youtuber5468541654ip.mp4 to The-2600-Hacker-Quarterly.mp4. This is called an SEO-Friendly file name. If we were doing an image, it would be The-2600-Hacker-Quarterly.jpg (or whatever file type). Were it a webpage, we would want the URL to be SEO-Friendly, so it would be http://www.examplesite.com/The-2600-Hacker-Quarterly/. What’s important is that the filename has the entire search term in it, with hyphens where the spaces would be, and nothing else.

Uploading To The Web

So we’ve got our 2600 Rick Roll video set up for success. Next is to upload the video to the web so it can be viewed and shared. YouTube is currently the second most popular search engine on the internet (at the time of writing this) so that’s going to be our primary source. Also, they make sharing really easy.

You go to YouTube (or other video website) and upload as normal. You want to make sure the title of the video has the keyphrase in it, but also be something clickable (we want people to want to view and share the video). Feel free to use clickbait. You may hate it, but the fact of the matter is it works. A good example would be “You Won’t Believe What The 2600 Hacker Quarterly Published THIS Time!”. Ideally, you want the keyphrase to be as close to the front of the title as possible, but that’s not the most important thing. What’s more important is that the title reads legibly and makes sense, and is also enticing to the potential reader. Part of the ranking metric in YouTube and Google is how many people view your video, and how long they watch it for. Being that this is a bait-and-switch prank, it’ll probably have a high bounce rate (people hitting the back button after only a few seconds), which is bad, but we’ll use other metrics to help us rank it regardless. Were you working to rank a legitimate video, you presumably wouldn’t have any issues with bounce rate unless your video just absolutely sucks or is not what you advertised.

In the description, you also want to make sure you have the keyphrase close to the beginning, and some more content describing the video. Since we’re doing a bait-and-switch prank, you’ll have to make some stuff up. You don’t want to just cram a bunch of lorem ipsum in there, but you want as much information as possible. Were you doing a legit video, one thing you can do is throw in the content that will be used as closed captioning, too. We don’t have that option here because our video isn’t actually related to our keyphrase, so we’ll have to make up some stuff. Shoot for a minimum 100 words, but the more the better. Make sure it’s keyword-rich, meaning it uses the keyphrase enough that it’s clear what the paragraphs are talking about, but not so much that it seems unnatural.

You’ll also want to add in closed captioning if you’re working on ranking a legit video about a topic. This adds accessibility to those who are not privileged with the ability to hear as well as the rest of us, and accessibility helps a lot in ranking. If you take time to care about other (less privileged) people, turns out you get rewarded for that. Who would have thought being a decent human being would pay off? Anyway, if you were working on ranking an image on a website, you would use the “alt” HTML attribute to put in a description of your image, with the keyphrase, so that blind people will know what the image is.

Then we’ve got tags we can add. You want to type in every single possible tag you can think of. All of them. We’re going to put in our keyphrase first, obviously, every variation of that, and then short and long keywords like “2600” and “the 2600 hacker quarterly magazine digital format”. Anything you can think of that you assume will be searched. Now, if we were doing this professionally, we should do a strong level of keyword research first, but that’s another thing that I don’t have enough room to write about here.

Throwing it in a playlist helps too, if the playlist title is applicable. Better yet, let’s make a new playlist with a similar, but slightly different, keyphrase. Let’s title the new playlist “2600 Hacker Magazine”. That should do the trick.

Hit publish and wait for the embed code.

For an added bonus, repeat these steps on as many public video sharing websites as you can think of. Vimeo is another good one that comes to mind.

[BLACK HAT TIP: I don’t want to get into the difference between black hat SEO and white hat SEO (and grey hat SEO) because that’s an entire article in itself (trust me, I’ve written that article before), but here’s a tip that is most certainly a black hat technique. At the time of writing this, YouTube has been promoting their new live streaming service, which has a flaw in regards to ranking. The trick is that you skip the above SEO techniques about the file name and closed captions and stuff, and instead of uploading your video to YouTube the normal way, you set up a broadcasting software like Wirecast or Open Broadcaster Software, and then play the recorded video as if it were live. Put your key phrase in the title, description, and tags section as normal. For some reason, Google thought it would be great to give these types of videos an overpowering amount of leverage in the SERPs for ranking higher. Not only that, but they tend to stick for months (I’ve got videos I “uploaded” 8 months ago still ranking on the first page of Google).]

Post It Everywhere

We’ve got a link to the video, and the embed code, so the next step is to post it everywhere. Search engines, especially Google, rank things based on how many other websites are talking about it (that’s a very vague explanation and a lot more goes into it, but that’s really the most basic principle). There are different ways this could happen. There are backlinks, which is a link from a website, and there are social signals, which would be a Like on Facebook, an RT on Twitter, or an UpVote on Reddit (among other things such as comments and replies). These backlinks and social signals tell the search algorithm that people around the internet like the thing, whatever it is.

A link to the video is going to help a lot, but what’s even better (and this is unique to Google Bombing videos) is the embed code! You want to use the embed code anywhere you can to get it out there, and preferably on relevant pages. For example, I’ll make a page on my own personal website with an SEO friendly URL like we discussed earlier, embed the video, and below the video have a new, unique, short description of the video. We want it to be unique because duplicate content is bad and will hurt our rankings. It’s worth noting that making 100 pages on the same website and embedding the video on each one is not going to help, and could possibly hurt your rankings. We want variation, so post on lots of different websites. Some social networks, such as Tumblr, allow you to post the embed code.

Speaking of Tumblr, let’s talk about social media websites. Tumblr is my favorite tool for marketing (I wrote a book about this, but I’m not here to promote myself) because it provides both backlinks and social signals, and is a great way to get your content shared around by other users with its quick and easy reblog feature. Other great social media websites to post on: Twitter, Reddit, public Facebook pages, and even public Facebook groups. Use tags/hashtags where appropriate, and anywhere you can, write a new and unique keyword rich description for the video.

IMPORTANT!!! When you’re linking to the video without the embed code, you’ll need the text of the hyperlink (known as “anchor text”) to be your keyphrase, variations of, or variations of the URL itself. It’s important to have variety, but I usually go with the 60/40 rule: 60% of the links will have the anchor text be the main keyphrase, and 40% will be variations of the keyphrase as well as variations of the URL. When I say variations of the URL, here are some examples: http://youtube.com/video, youtube.com/video, http://www.youtube.com/video, www.youtube.com/video.
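Seen from the other side, the 60/40 anchor-text mix described above is a pattern a brand owner or search-quality analyst can look for in an export of inbound links. The following is an added example, not part of the original article; the thresholds, the sample links and the `.example` domains are constructed assumptions, and it says nothing about how any search engine actually scores links.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

STOPWORDS = {"the", "a", "an", "of"}

def _tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def _norm_url(text):
    """Collapse http://www.youtube.com/video, youtube.com/video, ... to one form."""
    text = text.strip().lower()
    parts = urlsplit(text if "://" in text else "//" + text)
    host = parts.netloc[4:] if parts.netloc.startswith("www.") else parts.netloc
    return host + parts.path.rstrip("/")

def classify_anchor(anchor, keyphrase, target_url):
    """Label one inbound link's anchor text: exact, url, variation or other."""
    if _tokens(anchor) == _tokens(keyphrase):
        return "exact"
    if " " not in anchor.strip() and _norm_url(anchor) == _norm_url(target_url):
        return "url"
    key = set(_tokens(keyphrase)) - STOPWORDS
    if key and len(key & set(_tokens(anchor))) / len(key) >= 0.5:
        return "variation"
    return "other"

def anchor_profile(links, keyphrase, target_url):
    """links: list of (linking_domain, anchor_text). Returns the share per label."""
    counts = Counter(classify_anchor(a, keyphrase, target_url) for _, a in links)
    total = max(len(links), 1)
    return {k: counts[k] / total for k in ("exact", "url", "variation", "other")}

def looks_manipulated(links, keyphrase, target_url, exact_max=0.4, generic_min=0.2):
    """Heuristic (assumed thresholds): many exact-match anchors, few generic ones."""
    share = anchor_profile(links, keyphrase, target_url)
    return len(links) >= 10 and share["exact"] >= exact_max and share["other"] < generic_min

KEYPHRASE = "The 2600 Hacker Quarterly"
TARGET = "http://www.youtube.com/video"   # placeholder URL form used in the article

# Constructed sample: the 60/40 mix the article describes.
BOMBED = [(f"site{i}.example", KEYPHRASE) for i in range(6)] + [
    ("blog1.example", "2600 Hacker Magazine"),
    ("blog2.example", "the 2600 hacker quarterly magazine digital format"),
    ("forum1.example", "http://youtube.com/video"),
    ("forum2.example", "www.youtube.com/video"),
]
# Constructed sample: an organic-looking profile dominated by generic anchors.
ORGANIC = [(f"reader{i}.example", t) for i, t in enumerate([
    "this video", "here", "watch", "great clip", "source", "link",
    "youtube.com/video", "via YouTube", "The 2600 Hacker Quarterly", "video",
])]

if __name__ == "__main__":
    for name, links in (("bombed", BOMBED), ("organic", ORGANIC)):
        print(name, anchor_profile(links, KEYPHRASE, TARGET),
              looks_manipulated(links, KEYPHRASE, TARGET))
```

A real inbound-link export would replace the two constructed lists; the classifier treats the four URL spellings listed above as the same anchor.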

While you’re linking this around the web, let’s close up by hitting some forums. Throw a link to your video in your forum signature (public forums preferable as private forums are rarely indexed by search engines) and go about using the forum as usual. The link will automatically and naturally be spread. You can also do something similar by commenting on articles/blog posts throughout the web. Usually when you comment on a website, such as a WordPress or Blogger built website, the comments section asks for your Name, Email, and Site. In the Site text box, you would put a link to the video.

[BLACK HAT TIP: There is also “black hat” software that creates backlinks and social signals for you, but this software is mostly expensive for various reasons. Thankfully, there are a few websites out there where you can hire people for very cheap, say, five dollars, and they already own the software and would be thrilled to help you build up links and social signals. Not only that, but you can also hire people to write out all those unique video descriptions you need. Hiring a writer is not a black hat technique, but it seemed to fit in this paragraph since we’re already talking about hiring people to do stuff for us.]

And...that’s it. Now we wait for the rankings to come. If you repeat the steps as much as possible, you’ll rank higher, and possibly faster, but if you do it too much you’ll be seen as spam and lose your rankings. It’s hard to find that balance and it’s going to be different for every keyphrase you try to rank. One technique is to set a goal of links built per day, and then do that consistently until you rank where you want to, and then continue to do it consistently for as long as you want to stay in that spot (or move up higher).

That, my friends, is how you hack search engine results pages.

Is ProtonMail Trustworthy?


Today I was reading an article about a hacker kid who made fake bomb threats and ran a DDoS-for-hire group that attacked ProtonMail servers at least once. They were also ProtonMail users.

The Problem

It turns out ProtonMail, my encrypted mail service of choice (and VPN), colluded w/ government(s) to catch him.

ProtonMail got angry because he was fsking with them, too.

I'm all for them going after anyone who messes w/ them, but I'm not sure how I feel about working with government(s) to do it, especially considering it seems like they handed over some information related to what they knew about him.

So, I sent ProtonMail an email:

Hey there I was just reading an article about how ProtonMail helped catch some hacker that was causing trouble. The article mentioned that ProtonMail said

"Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities. That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law."

I'm concerned about the bit about "crime". I don't plan on committing any crimes, but my concern is not now but the future. What happens if an unjust law is instated in the U.S.A.? With the way things have been going it concerns me that some day something as innocuous as simply attending a protest could become a crime.

How do I know ProtonMail will have my best interests at heart if a government instates unjust laws?

Thanks for your time.

What We Found

Our friend and frequent collaborator J did some digging.

I actually went back through ProtonMail's privacy policy a few times. They straight up say in there if you are EFFing with them, they will take you out. This dude was. They also have a WARRANT CANARY page where they put up what info they can about how they react. There are several cases where they have colluded, others where they haven't. Case-by-case international law crap. Sheesh...

>> ProtonMail transparency report <<

Here were some of his favorite excerpts:

In August 2017, we received a request for assistance from the government of Turkey that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government's human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
In January 2018, we received two requests for assistance from US law enforcement, regarding bomb threats made with ProtonMail. We rendered assistance to Swiss law enforcement working on this case without having yet received a court order, but with the understanding that an approved court was on its way to us. Update: The court order was indeed received soon after we rendered assistance
In March 2018, we received a police request from Austria involving a politician who was accused of sexual harassment. The authorities are trying to identify the person who reported the accusation. Since the person who made the report is likely entitled to certain privacy protections, we have rejected the request even though it was approved by a Swiss court, and have requested that the Geneva prosecutor's office review the facts of the case again and provide Proton legal with additional information.

J also outlined each one for simplicity while we analyze:

  1. [some government] wants info, PM don't like their [history] and said "No." They will go to court if needed.
  2. [some government] wants info, went to Swiss law enforcement first. PM said "Yes." even before a court order was in place.
  3. [some government] wants info, went to Swiss law enforcement first. PM said "No." even though court said to do it.

The ProtonMail Privacy Policy says:

IP Logging: By default, ProtonMail does not keep permanent IP logs. We also don't record your login IP address unless this feature is specifically enabled by the user. However, IP logs are sometimes kept to combat abuse and fraud, and your IP address may be retained if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against ProtonMail infrastructure, brute force attacks, etc).

...and...

The Company is domiciled in Switzerland and all data storage infrastructure is also located solely within Switzerland, and thus governed by the laws and regulations of Switzerland.

At least we know they acted in accordance with their privacy policy. We can't say they caught us by surprise here. It's in the policy. They did not betray anyone, so to speak.

But, something still doesn't feel right.

If you have an account with ProtonMail, they can't see your email content. It's encrypted client-side. However, J pointed out that they could just delete your account.

Like I said in the email, I'm not concerned w/ right now but I am concerned with the possible future. Where is the line drawn? And is it drawn clearly?

J pointed out:

Looking at their warrant canary page, it is super fuzzy!

I mean, what happens if sending encrypted email becomes illegal in the US?

They have _some_ IP logs (although not permanent). Would they give those up?

Like a digital prohibition.

Opinions

These are scary times, which is why I've been working on decentralizing and encrypting everything I can.

I just don't trust where this is all headed, and I would rather have it and not need it than need it and not have it.

I will update if/when I hear back from ProtonMail.

Update:

Here's the canned response I got from ProtonMail:

Please note that all user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.

You can read a more detailed explanation in the following article: https://protonmail.com/blog/switzerland/.

Our Verdict:

For now, ProtonMail is fine as long as you don't fsck with them yourself. If you do, you probably deserve whatever you get.