463 comments

[ 2.7 ms ] story [ 345 ms ] thread
Rest assured that the article linked here does not include any images, goatse or otherwise.
Luckily it's not rendered in an iFrame!
This site allows anyone to inject content, you don't need an iframe.

https://joshcsimmons.com/post/eJyVlD2PgzAMhvf8Cm8HlcD76dSlf8...

Created using

    wget "https://gist.githubusercontent.com/snipe/5512408/raw/db9f4051eeb1079de436ec5ae9ba9aff2a99549c/gistfile1.txt"
    python3
    >>> base64.b64encode(zlib.compress(b"<pre>" + open('gistfile1.txt', 'rb').read())).replace(b'/',b'%2F')
But there are instructions in the article:

>Yesterday one of my collaborators googled "sqword" and to his surprise, there were tons of first-page results that weren't the sqword.com domain.

(comment deleted)
Your website has the worst permalinks ever.
Agreed. Went to share the link and it was such a wall of text I deleted it.
Did the same thing. I guess it's fine if he doesn't want anybody to share his website, but in that case ... Why have a website
Apparently the post data is encoded in the URL.

I'm not saying you're wrong. You're right, but at least it's for an interesting reason.

> This blog is now STATELESS. The entire post is contained in the URL that you are visiting now. All my "blog" is now is a hard-coded main page that contains links to posts I claim authorship of. Of course the entire post is contained in each of these links.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

doesn't this mean I could embed salacious material into a link and fool people into thinking the person who owned this website wrote it?
(comment deleted)
(comment deleted)
> Anything can be generated here. You could even host your own blog that uses my website as a renderer if you really wanted to. It supports markdown.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

(His permalinks are horrible, lol)

>Posts of unknown authorship have a disclaimer at the top of the page.

Problem is, the posts can contain <script> elements. So it's easy to just write a little JavaScript that removes the disclaimer at the top. See this hastily-made, immature example of mine:

https://joshcsimmons.com/post/H4sIABO8LmUC/3VT0W7aQBB85yu2QV...

As it stands, this really isn't the most secure system. Something much more malicious could be injected into this!

I was halfway expecting goatse
Shouldn’t it be “shat”?

Either way, considering the submission we’re commenting on, the author of the blog may appreciate your humour.

This gave me a pretty good laugh. I have some sanitization and guards set up now. TBH I never really expected anyone to visit my blog.
Yep, Josh has given everyone (apparent) write access to his site.
Awesome - and the first time I've actually had someone "post" on my site.
You're welcome. :D

The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines.

But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.

I've just added some defensive programming to the site. Sorry to say. Appreciate that you hacked it with your image onerror, pretty clever.

TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.

lol :) nice fix

Can't promise I won't circumvent it when I've got some time...

Watch out: virus/scam/spam sites can detect sites like yours and write tons of redirects, link them somewhere, and use your site's good reputation to get their scams on the home page. This is also a huge problem for redirect services.

If the wrong person publishes the wrong link, you can get your domain banned from Google and tons of other sites as a "security risk", which can spread to your email (if you use @joshcsimmons.com).

It's fine if you don't care about blacklists of course, but this kind of abuse can easily sneak up on you.

If you're going to do that, you should at least generate shortened URLs as well.
But then it’s not stateless anymore.
It's not stateless at all because of the main page, so this is more of a weird anti-optimization.
I don't understand how this helps ownership of content? What situation is this trying to avoid? You already "own" your URL if you own your domain?

EDIT: understand you are not the OP btw, just wondering out loud.

The only thing I can think of is if they want to share controversial posts while having the ability to deny that they wrote it (as long as they don’t actually create a link to it from their own site).

It’s not a good use case IMO, but that is all I can think of lol

Tranlsation: This guy is insufferable
(comment deleted)
So if the author fix a small typo in the post, they break all the links to it. The blog is not "stateless", it’s just that its state is stored in the homepage. Having all posts on that page with anchor links would achieve the same thing with shorter links that don’t depend on the content.
It won’t break any existing links. It just means that existing links will still have the typo.
Huh, cool. I think it's a pretty terrible idea, but I'm glad people are still doing fun/creative things with websites. Keeping the spirit of the early web alive. haha :)
But how does it know whether it should print the pretext?
oh no -- it's actually vulnerable to xss...!!!

https://joshcsimmons.com/post/eNpTVlaoKC5WSEnNzefisilOLsosKL...

(this just injects a <script> alert but.... that's bad)

just tried contacting the author via linkedin (since I don't see an email address on their site)

@joshcsimmons are you around?

The author is aware.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

for sure, there's awareness and then there's disregard of any basic web security.

the second they start hosting any application/backend/cookie-enabled thing on this domain name, anyone could inject a script via their /post/ gzip-base64 scheme, and do bad things...?

I don't think html sanitization would go against the principle of this idea. just... at the very least strip the tags! :-)

> The author is aware.

Since the website is vulnerable to XSS, you could inject a script that removes the disclaimer.

Very clever. For those wondering, this won't gunzip since it's compressed using zlib. you must do a chain like this: URL Decode -> Base64 Decode -> Zlib Inflate.
right on! I used https://bugdays.com/gzip-base64 to go back and forth.

base64 generates slashes, so the site (and I) run encodeURIComponent in the devtools on the resulting base64 to make sure it's completely url-safe.

---

the poc "payload" is

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D

which uri-component-decodes to:

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc/PLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg=

which un-base64+gzip's to (using the site I posted above):

  <script>document.getElementsByClassName('light')[0].remove()</script>

  # this is bad
Hah this is clever. Mixed feelings on patching this but I patched it for now.
s/removes the disclaimer/exploits a browser 0-day/
There are much less weird links you can give someone if you have 0-day. I don't think that's a problem worth worrying about for the author.
It’s a problem worth worrying about for users who maintain whitelists of domains they allow JavaScript from.
Similar idea to itty.bitty.site, smolsite.zip, or parameter.page
This is reckless and irresponsible. Think of the children. They don’t deserve to see such a picture
I saw it the first time as a kid. My friends and I tried to trick each other to see it too. I'm fine. We're fine.
That's right, this is a pro-showing-buttholes-to-children community.
Strictly speaking it's anti-not-showing-buttholes-to-children community but that's a distinction to debate at the next Libertarian conference.
Isn't it the anti-anti-showing-buttholes-to-children community? Nobody wants to force you to show buttholes to children, but you should feel free to if desired
Goatse, like Michelangelo's David, should be an exception to normal rules of censorship, due to its status as part of our shared cultural heritage. /s
Just wait until you see what my friends can do with one cup.
Didn’t Andres Serrano do a version of it?
You can't unsee it. You know exactly what it looks like. It etches into long-term memory like a scar that never fades.
Haha yes. We even found a magic eye/autostereogram of goatse once. Was pretty epic.

"Hey come check out this amazing magic eye". Boom!

That’s half the fun. The other half is what the OP did.
Does it though? Maybe we should run a survey asking various questions (which side is the ring? etc) and see if collective memory is actually correct.
After tubgirl I vowed to never click on links people said I shouldn't. I've never seen goatse because of this rule. (I have been rickrolled a lot, but that's fine.)
It's a butthole. It's not some traumatic thing.
It's a picture of "a butthole" in the same way that a picture of a shotgun wound to the gut is "a stomach."
I both find this hole thread interesting & entertaining, and I have yet to see the goatse image despite knowing about it since 2005 or so. I saw too many things as a child that are indelibly etched into my awareness and I practice filtering now so to minimize distractions. However, context matters quite a bit! If someone Rick-rolled me with this I hope I'd have a good humor about it. And there's always therapy, via whatever medium works.
> hole thread

I see what you did there.

Consider: what is it exactly that makes parents want to stop their children from bearing witness to swearing?

I can't imagine that it's that they think children can be be damaged in some way by knowing how to curse.

I imagine it's more that children will think these words are fun new toys and will constantly repeat them, enjoying how much of a reaction they provoke. And that the parent 1. will feel sad that the child now has this verbal crutch that they may end up leaning into in the future in place of learning how to speak eloquently; and 2. will feel ashamed when others in the community see the child swearing, and assume that it's a behavior that the parent inculcated into them by swearing constantly in front of them, rather than a behavior the parent tried their best to prevent — but which the child inevitably picked up somewhere outside the home.

There's probably something analogous here, right? Being exposed to "graphic imagery" is not really damaging per se. Rather, seeing such things just shifts a child's potential repertoire of behaviors/responses slightly (think: being desensitized enough to such imagery to find it funny to use to troll others in a school computer lab), in a way that might be assumed by others to have been a direct consequence of the parent's actions (e.g. by having sex / watching porn in front of their children.) Such behaviors by the child will reflect badly on the parent's parenting, even if they were actually purely the result of the child's self-motivated idle curiosity.

In short, these things — a child swearing, a child sending pictures of gross buttholes to other children — are conflationary triggers for community shaming of the parents: they cause behaviors in children that could well have been caused by bad parenting, and so tar the parents with the brush of being bad parents, whether or not the parent is actually bad.

Parents don't tend to like being shamed by the community for bad parenting, when they don't believe themselves to be bad parents; so they treat any such "conflationary triggers" for that shaming, as taboos, things to avoid their children witnessing, even if those things aren't "damaging."

You feel fine, but you don’t know what effect it can have on others.

This is a selection bias. By definition, all the survivors of the most atrocious things can say "I went through XYZ and I’m still alive". That doesn’t make this XYZ something you would recommend to anyone.

If seeing a mans butthole causes you serious psychological trauma, you probably have bigger problems to worry about than seeing a mans butthole.

Everyone has a butthole. Do kids never look in the mirror? Do kids never explore bodies? We spent 100k years or more looking at each other in the nude and somehow our species didn't all go insane.

Nakedness probably doesn't hurt anyone.

Everyone has a butthole but most people's buttholes don't look like that guy's butthole. I hope.
That’s not simple nakedness, otherwise the HN discussion on this entry would have been much less heated.
Presuming every conceivable avenue for surprise will lead to trauma, what's left for anyone to enjoy?
None. You must be a perfect model of boring corporate mediocrity, or else you're harming the children.
Selection bias of one data point versus no data at all.
What's the selection bias here? Is the claim that there's some huge population so emotionally scarred from seeing a shock image that they permanently left the internet? Or died?
(comment deleted)
My bad; it’s a survivor bias, not a selection bias.
Wide open insight into our human nature.
I'd be worried about the risk of a misfire. Like if someone had a weird browser plug in or something.
Ah, like the good old days when people "hot-linked" your images and you would replace them :)
When the internet was still fun and creative.
There’s an HTTP header you can add that prevents a page being in an iframe, but go off, king.
(comment deleted)
Yup. The article mentions it was an “explicit” decision to use this approach instead. Seems much more effective than CSP headers.
> The mature and responsible thing to do would have been to add a content security policy to the page

OP knows that

They explicitly mention that in the famous article, but concede that they are not mature enough for that.
(comment deleted)
maybe OP tried it's exploit in internet explorer 5.0, but I doubt it'll work in any recent (read: less than 5 years old) browser.
Oh it works. Just Google sqword if you don’t believe.
Modern browsers will straight up tell the server the resource is being loaded from an iframe via Sec-Fetch-Dest.
I would argue showing nonconsentual explicit imagery is worse than iframing someomes app. Just show a non nsfw troll meme or block it outright.
How would you argue that, exactly?
Imagine you were distributing my work without permission and in retaliation I emailed you gross-out sexually explicit imagery. That would both be a crime and be unethical by current standards.

OP is not emailing people, but it is the same thing: revenge using explicit imagery. Except not only might the people behind the sites see the image but their visitors which probably include minors will too.

Better example is if someone is automatically forwarding your email newsletter and claiming it as their own.

If you email them explicit imagery and they automatically forward it, that's on them.

Not a crime, but a little crass in a funny way.

Additionally, the image is I presume, used without permission from the creator.
Kirk is an exhibitionist, he wouldn't mind.
The parasitic website is displaying the image. No iframe, no image.
Both legally and morally, intent matters far more than these technical details.
I can't answer to the law, which besides will vary - and I reject the implication that a puerile prank is immoral. But that aside, taking it on as if there was any moral dimension, moral clarity is straightforward here:

The parasite has to answer for the material it shows its visitors.

If a butcher delivers outdated meat to nowhere, knowing his van will be hijacked, how can he possibly be blamed when the hijackers sell it to their customers?

Edited to correct can (van!)

But he can. He is clearly attempting to poison someone.
Yeah, it is for similar reasons that you (legally) shouldn't set booby traps against burglars.
> If a butcher delivers outdated meat to nowhere, knowing his van will be hijacked, how can he possibly be blamed when the hijackers sell it to their customers?

An obvious corrolary to this is the prohibition on booby traps.

I am not sure that actually, the intermediate site is even technically sending the image.

As I understand it, the iframe is set up such that the users browser loads your site inside the frame and the intermediate site outside of the frame. If you serve a file then you are serving it directly to the browser. The intermediate site never sees it?

They could've also embraced it, see it as marketing, and replace it with a direct link to their website instead. Youtube doesn't care about people embedding their videos, they can make money regardless.
I would argue what toning down everything and protecting everyone from any harm is the way to the safe new world.
I don't know why I checked but uhh yup. It's working. There are at least 6 sites on the first page of Google results that now render goatse. Thankfully, the first link is the original one for me.
Came here to say the same thing. Unless you're one of today's "lucky 10,000"[0] who haven't ever encountered goatse before, there's no need to verify this :D

[0] - https://xkcd.com/1053/

edit: folks the xkcd lucky 10k reference was a joke, settle down

I'm opening myself up to criticism by saying this, but this is unusually cringeworthy even for XKCD
Did you read the xkcd? It's not about goatse
goatse isn't cringeworthy
I mean, the subject's face probably did resemble a cringe.
Cringeworthy? This is one of the more oft-linked XKCDs, I think because it makes a valid observation: everyone has a few things that "everyone knows" that they've randomly missed, and it's more fun to enjoy the discovery than to ridicule them for something that happens to all of us randomly.
the observation is sound, it's the presentation that irks me
You’re not the only one. It’s an XKCD comic made for LinkedIn and it annoys me every time it’s referenced.
I guess you're one of those people who thinks that any sincere emotional expression is cringe?

I've never understood that attitude.

you guessed wrongly
That's what you're doing, though.
it's the "any" that makes it wrong. I reserve the right to pick and choose what expressions I find cringeworthy
So you only sometimes find things cringey just because they're sincere?

That's not a large improvement.

This is a different twist on that xkcd - if you haven't seen goatse before, consider yourself truly lucky, and enjoy not experiencing this particular cognitohazard.
I've managed to never see goatse so far. Not because I'm new or innocent, but because I've learned my lessons. I don't think the 10,000 really applies to this situation. It's certainly not something that everybody needs to see at some point in their lives (or so I've been lead to believe).
I didn't want to see it

But it was kind of a rickroll situation... yeah it sucks

In college my friend came over for a LAN party and when he went to the bathroom I quietly set his background to Goatse… I got quite the chuckle at 3am when he went to shut down his computer after a long night of gaming. Ah to be young again.
> after a long night of gaming.

Wasn’t it more like 3 hours to setup and get the network functioning, and hour of gaming?

That was part of the fun at lan parties.

Or goto a hosted one

Anyone who was a freshmen in college circa y2k saw it about 4000 times. It was one of the first images to which I became desensitized.
Yeah it checks out. Good thing I'm on slow internet.
Doesn't work in Firefox.
It does. (NSFW evidently) hxxps://thepasswordgame.io/sqword
I think it doesn't appear at all if you have enhanced tracking protection turned on.

And the normal game shows up in the iframe if you have looked at the real game before, and have data in your localStorage. I assume to not arouse suspicion from people ripping off the game.

I disabled tracking protection, and deleted localstorage on the real site. Then it showed up.

Curiosity kills the cat. Can confirm.
I hadn't been goatsed in a very long time. Don't know why I intentionally broke that streak
That is so funny - I was just asking myself that same thing. Why did I just intentionally goatse myself? I knew what would be there and did it anyways…:)
At least 12 different domains from the top Kagi results. My poor eyes...
It did improve my blocklist however
it doesn't work in an incognito window (first thing I tried) but does in a regular window.

@joshcsimmons it seems like sqword is reading local storage on this line:

this.localStorage = n.localStorage || globalThis.localStorage,

which leads to the following error: "Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document."

you should do it in a try/catch.

I'll note that this is a side effect of incognito blocking third party cookies, and I wouldn't bother changing it for that purpose.

But I guess it can happen on the original site if the user turns off cookies entirely.

I saw it and i can confirm that this is true! ^^
This is hilarious, but I think the most mature thing to do would have been to detect if the site is inside an iframe and if so add a polite link saying "click here to go to sqword.com and play this game ad free".
The author said he’s not mature.

His approach is much awesomer than the nature thing.

His approach is "funny" if you want, but it doesn’t help real users finding the real domain.
In a roundabout way, it likely would halt users unable to find the real domain from accessing the thieves' websites again. That narrows down the search for the real domain by one!
I get the sense that that isn't really his goal. He makes clear it's just a fun passion project, and this sounds like an equally fun (to him) way of retaliating against those taking advantage of it.
He mentioned that he found the imposters when a coworker happened across them on a search result page. Does Google apply penalties to the imposter sites’ search rankings when they serve shock content rather than what was being searched for?

It seems like that might reduce real users’ confusion as they try to find the real “sqword” puzzle.

I don’t think it’s meant to help users. I think it’s meant to punish iframers.
On the other hand, they probably will get an influx of HN users now. If they had used a tamer approach, I doubt this post would have the amount of points it has now.
The WWW does not limit one into taking either the high or low road. Both at the same time!
Is the whole goatse.jpg b64-encoded in that URL?
No, just the blog post itself. But you could put a goatse jpg there and it would get hosted.

For example, use

    base64.b64encode(zlib.compress(b"<pre>" + open('gistfile1.txt', 'rb').read())).replace(b'/',b'%2F')
To get gistfile1.txt shown in the page.
Ah, I had a similar idea. There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog. It was flooding my access logs with 404s because I don't rock wordpress. Irksome stuff.

So I threw up a little 'surprise' for the ahem penetration testers ahem, if you feel brave: https://www.thran.uk/wp-login.php

This is absolutely amazing. More people should do this.
These attempts are almost entirely automated, so almost nobody will see it. But if you want to help, tarpitting any IP which requests that page will slow down the scanner with minimum resource usage on your side.
yeah, a quick failtoban rule is (as a server operator) every bit as satisfying.
does it respond with 42.zip upon submitting admin-admin?
I'm working on maximising flow control of the payload.
That will make for a lot of sewage.
42.gzip served directly as a response with Content-Encoding: gzip would be funnier :D
How about a JS fork bomb, on rotation with 42.zip?
omg! That scared the shit out of me!
This is fabulous and I intend to steal your idea.
> There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog

There are moments I'm about to deploy something similar and by now what's stopping me are laziness and other higher priorities. I'm staring at these aggravating items in server log and maybe someday.

if you filter out requests that don't have a host defined that clears up pretty much all of those requests
Risky click of the day. No regrets.
This made me nostalgic of the old ytmnd days
Even in the source as a comment :)
if you watch this at work, mute your speakers to avoid any furrowed brows.
My basic security measures for a simple wordpress site is to rename wp-admin to something else, rename the admin account to something else, and change the ssh port to something else. That already confuses 99% of login attempts / lazy bots.
Omg! One random comment that did not only made my day, but my WEEK :-P
(comment deleted)
Nice. I'd probably have settled for something simple like <form action="http://127.1/wp-login.php">. These days, you could serve a JS bitcoin miner instead.
Once, out of the kindness of my foolish heart, I ran a server with a lot of great sound effects for all and sundry to download.

Eventually the bandwidth was getting hammered by a huge number of leechers seemingly from some apps that had simply hard-linked to the resources.

After replacing said resources [0] they soon ceased but not without a slew of abusive and entitled emails demanding I restore the SFX.

Oh fun times!

[0] https://fukpig.bandcamp.com/track/all-of-you-are-cunts-and-i...

You're selflessly trying to get people to appreciate new music styles and get in touch with their anger and they respond with contempt.

What an entitled bunch

In the days of P2P file sharing I used to share files with file names and metadata indicating they were rare Metallica live recordings of Metallica songs and other metal band's songs.... but instead https://www.youtube.com/watch?v=hwK_WOXjfc0

So many downloads.

Hopefully you've since grown up a bit and discovered some hobbies that don't involve being a dick to annoy strangers?
You are stealing from musicians so I think you are the dick and you are annoying me, a stranger!
If you’re pirating music I would hope you could enjoy a good joke…
This is part of how Soulja Boy became famous initially, by uploading his song "Crank That" with the metadata from various top-40 tracks of the time.

Or so he says, it may have been mostly copycats after a time.

Hah, back in the flash days I did a similar thing. I ran a website, one of those one-page deals where the whole point of the site was a single button that played a sound. I too had a problem with people hotlinking my flash app, so I used the same trick to redirect it to a different applet that played loud horrific screams!
Oh I love stories like this - great retort! It reminds me of that time that some app (or apps) was hammering an image of a butterfly from Wikimedia because it was part of some sample code that was never removed. I couldn't find the story but it was a fun but upsetting source of abuse from unknowing devs.

Edit: It was a picture of a flower. I replied with some links.

hahah yeah years ago when i ran my web server in my home, some images got hotlinked to on forums.. welp, some pretty simple redirects based on referrer probably resulted in some pretty confused forum-goers. :)
The users of these apps probably don't even understand what it means to hotlink someone else's resources, and, rather than simply remove the resources, you replaced them with an overtly offensive message. I'm not saying you weren't within your rights to do that, but you can't at this point high-horse and complain about the abusive emails you got as a reaction.
I was under the impression the emails came from the app developers. Surely it's reasonable to complain about their entitled demands, unconditionally?
I don't think its possible to create a website without understanding linking.
"I ran a server for free sound effects for all and when it got popular I fucked over my users" lolwut.
You know that is not in the spirit of the website. They were taken advantage of.
Old mate probably doesn't know, as a lot of people have been conditioned that if its online it's free.
The issue was hotlinking directly to resources, which has been a no-no on the web since day one. The fault is entirely on the side of the bad actors who misused a free resource and in so doing ruined it.
Should've cached the responses!
Well that's not quite what happened is it? It was never "popular". I got my stuff abused and retaliated in a benign, schoolboy fashion for laughs.

Though if shall own any blame it's for being naive and inexperienced in the days before we all needed rate limiting against corporate bots.

As it goes, the whole shebang got archived on Wayback/Internet Archive so all the goodies remain up there for people to enjoy and I stopped needing to run a box and deal with misuse. God bless the Internet Archive I guess.

If you offer a zap sound for a game maybe 3 devs download it if they use it on their games 30,000 people might download it. Its pretty obvious one is the intended use and one is not.
> simply hard-linked to the resources

It's fairly surprising to see that approach from pretty large brands/companies. Some Indian ISPs are kinda notorious in that they'll just link to huge image files on third-party sites and just let their 300 million customers hammer the poor site into the ground. I guess it saves them bandwidth, but they also run a huge risk of pissing someone off and have that asset replaced by something nasty. When people use this kind of hard-linking/hot-linking of resource I don't think they do it to save money or to be evil, I think it mostly gross incompetence.

We had an issue where our product images would just be ruthlessly scraped, if there had been some rate-limiting in place we'd most likely just have allowed it or not noticed. Normally I just pointed the poor scraper to a multi-gigabyte file or funny and unrelated image, if you want to download the same image of a beaver 25.000 times go ahead.

But I also seen amateurishly search engines just pound a site to the point where it was easier to just deny all traffic coming from their crawler, as compared to try to reach out and figure something out. Say what you will about Google and Bing, their crawlers are well written and well behaved.

The isps can pretty easily set up a cache for things that are popular. There was a time when I worked for an ISP consultancy, where Netflix would literally give ISPs a prebuilt cache server iirc for free, and that was a win win for everyone. I shouldn’t be surprised that some shitty isp thinks it’s easier to hard link, but making a cache isn’t that hard.
A couple of years ago, the main submarine link connecting my country to the internet was damaged, and internet basically slowed to a crawl for a day. Could barely open anything.

But Netflix was running at full HD with no problem. So they must have had local cache's with the ISPs.

this is how CDNs make their money. They replicate popular content close to the users. They generally do that WITHOUT giving anyone hardware, but by renting hardware in smaller areas, and setting up their own data centers in popular areas.

source: I used to work at Akamai (it was a while ago). The myriad things they do with their edge servers is pretty amazing, but for simple CDN stuff, most of the time clients aren't shipping hardware to isps. That being said, if Netflix can convince an isp to pay its electricity and hardware maintenance costs for a popular isp's customers that's going to pay for itself very quickly. So, i can see why Netflix offers this. It's just not normal AFAIK.

I think they're referring to the famous Wikimedia flower - https://phabricator.wikimedia.org/T273741

And it's much harder now to have a caching server because everything is HTTPS, so you have to coordinate with both ends to make it work.

I'm not defending the practice by any stretch of the imagination (it's wrong to hotlink, simple as) but I can remember in the heady halcyon days of the early internet (back when Windows 95 had yet to become a thing) hotlinking was done out of pure ignorance about the impact it had on the hosting site and most doing it knew no better nor of the impact it had on the hot-linked servers' resources.

Given that Eternal September remains a thing to this day, I wonder if that remains the case?

As for Google Bot being well behaved - I'm glad to hear that this has changed because at the turn of the century (which is the last time I dipped my toe in to self hosting) it certainly wasn't well behaved in the slightest and it would ruthlessly crawl away, happily ignoring any robots.txt limitations applied.

Yeah, if it were someone as important as an ISP doing it, you could easily be very petty and change it to an image that read "<isp> officially endorses <toxic political view>" (say, the statehood of Taiwan)
Hey, this is a proper banger!
Honestly, I know that it's far too late to change now, but I think the ability of a web-page to silently request resources from other domains has proven to be a complete misfeature overall. What's it given us? Tracking cookies, spy-pixels, cross-site-scripting-attacks, hard-link-bandwidth-stealing, SSL mixed-content warnings, etc.

Yes, I know it's also given us CDNs and Single Sign-On, but there are ways to implement SSO as a more active action without that, and I'm not convinced that CDNs are worth the cost we paid.

I was browsing the source of Cookie Clicker and noticed that it blocks sounds from soundjay.com (which third-party mods used) for similar reasons.
> "One day instead of looking into an iFrame, you might be looking at an entirely different kind of portal."

LOL

What if some elementary school used sqword inside an iframe? :(
I agree. This is a really gross and wreckless way of dealing with the situation.
I saw my first goatse in elementary school. Just continuing the tradition.
i don't want to relive the shock the first time i wondered into goatse
This is perhaps the most novel usage of a supply chain attack I've yet seen.
Nah, this technique has been used to "pwn" other sites ever since dynamic web serving has been around. So very nearly from the beginning. Traditionally by looking at the referer header.
I run three word games, this stuff happens for all of them. It sucks but I would never do what they did, it's abusive to the people who just googled your game and ended up on the wrong site.

I've had teachers and students reach out to me to say they play my game in class every day together. And parents who play with their kids every day, and adult who text their results to each other every day.

It sucks if they end up doing it on an ad-ridden site when I built an experience that asks nothing of them. But it would suck even more to goatse them.

agreed - it for sure would have been easier/cleaner/safer to just show a message that said "please play the official game on whatever.com"
Yeah this is actually basically what YouTube does when you embed a video and their settings don't allow embedding for that particular video. "Video unavailable - Watch on YouTube"
Thank you. I've been wondering why that feature exists for years now.
Yeah I think basically the reason is they want to show you the various ads before/after/during the video and they won't work in the embed view (just guessing)
It is not this developer's job to parent someone's kids. It is a parent's responsibility to make sure their child only gets access to the appropriate websites when they are young.
Counterpoint: it takes a village. You're naive if you think parents have and can keep full oversight / control over their offspring's internet usage. You can have their devices and your at home internet locked tight, but then they go to a library, they go to a friend's place, they go to school where they get a laptop or tablet and school internet access, or a friend's hotspot.

You can't protect your kids from the internet, you can only warn and educate them. I'm not saying to give them unlimited access from the get go, of course not. But I'm just saying you can't stop them either.

Exactly!

Look, RJ Reynolds was perfectly within their rights to market cigarettes to young children, and shops were within their rights to sell to young children. It’s not their job to parent children.

And if I want to open up a strip club across the street from the neighborhood public school, why should I be prevented by zoning laws? It’s not my responsibility to parent someone else's kids.

So before clicking on a word game in their browser, all parents should know about the business relationship, or lack thereof, between the underlying content provider and the website running in the top-level browser frame?

I want to emphasise, again, that we're talking about clicking on a word game here.

+1 - this is a childish move and bad business imo.

I'd guess the author is pretty young.

It can't be bad "business" because they aren't making the game for money.

Definitely childish though.

> It can't be bad "business" because they aren't making the game for money.

It’s bad for their image and so for any business they may work on now or in the future.

Why would you want to do business with someone who prefers your content being used and monetized without your consent?
I don't think it's childish.

It's very crude, but satire often is and is one effective way of driving change in society around us.

OP is merely gripping onto the Old Internet
On the other hand, visitors to the freebooting websites will see other things being gripped
Life is a meaningless crawl towards the heat death of the universe. Childish behavior is the most appropriate attitude one can have towards most things.
I wish there was still more of a genuine whimsical side to the Internet or even businesses. The attention economy isn't the same.
I feel like there used to be. Was 1990s and early '00s Internet really the peak?
(comment deleted)
I found a link on HN a while ago that shows you just that, it's a randomizer (like the old StumbleUpon) that sends you to random "old internet" webpages: https://wiby.me/surprise/

It sent me to a 1998 page about phrenology, the 'science' of determining someone's mental traits based on indentations in their skull: https://www.phrenology.org/index.html

I totally agree with you, and there are definitely more whimsical ways to go about it than goatse. Even if I personally can find whimsy in getting randomly goatse'd I'm not gonna say that someone who finds it really disturbing deserves what's coming to them just because they are insufficiently chill.
Anyone today familiar with goatse is likely to be well into their thirties at least.
If you were on forums in the aughts, it was unavoidable. I think every very online millennial knows what Goatse is. The youngest millennial is 27. Which begs the question: is Goatse what spreads Zoomers and millennials apart?
yes, everything done on the Internet must be deadly serious and professional AT ALL TIMES.

I'd guess you're pretty old.

Or very young. Young people never experienced what the Internet was like before the corporations destroyed it.
You could, however, easily block the game and render a message directing users to your actual site if you detect they are using the site in an iframe. What legitimate reason can there be for that?
I think my strict privacy settings on Firefox are preventing the goatse, perhaps it needs a cookie or something
Devil's advocate: OPs approach is a form of inoculation against the ad-powered Internet. The experience may not be pleasant, but drives the right message and quite memorably so.
(comment deleted)
100%, and not just as devil's advocate. Let the punishment fit the crime.

My sympathies are entirely on the side of the game's author. It's just an obscene image -- the "collateral damage" in this case is perfectly acceptable and imo fair because it damages the brands of the illegal hosters.

You’ll feel different about collateral damage when you have children of your own.
Goatse is a right of passage and when my chuldren will inevitably stumble upon it one day I will be there to talk to them about it if they feel a need to. At the end of the day it's just a man stretching out his anus in bad lighting.
Yeah, I wouldn't allow my children unfettered access to the Internet and I certainly wouldn't be using an iPhone or tablet as a babysitter.

However as a gay nerd I'm not really interested in having children, so I'll just have to leave it up to the village.

I'm a little sympathetic to the author because I don't consider viewing the image all that damaging, but I'm not a fan of the general principle of hurting innocent bystanders in order to cause second-order pain to a third party.

I think you'd probably agree that, say, overwriting every file on the end user's computer with a text file complaining about how the iframe-wielding website steals content would be an unacceptable thing for the author to do. But the only difference would be the degree of suffering inflicted on the innocent bystander.

The difference is that I rate the amount of "hurt" to the viewers as essentially zero in this case, and I think the concern is misplaced pearl-clutching.
Agree for adults. Don't agree for young kids.

If you think this image is acceptable to show to young kids, are there any images you think are unacceptable to show them?

Images of violence.

Also the phrase "you think this image is acceptable to show to young kids" subtly alters my position in a disingenuous and (I think) intentional way. My position is not that you should "show young kids goatse" but that "a young kid seeing a flash of goatse isn't really a big deal". They might laugh, they might be a little grossed out, they might be curious why someone would do something so strange. I think the idea that they would be "harmed" or "traumatized" is pure adult projection.

Some apparent dichotomies are false, but "viewing/not viewing an image" is the real deal. (Do you want to make the case that a small exposure time represents a genuine midpoint between these extremes, to justify treating "a flash" of goatse as a special case, distinct from "viewing" it? If so, then right now I disagree, but would be interested in hearing your reasons why.)

I think there is a genuine change in meaning, coming from your use of the word "should":

>My position is not that you should "show young kids goatse

But that's not a word I used (or intended).

ETA: Agree on images of violence.

I don't have a problem with OP's approach and I think he should be free to put whatever he wants on the content-stealing sites, but he didn't have to make it sexual.

A very annoying, loud, visually busy animation would've sufficed. Baby shark at maximum volume, or a continuous fart sound, or maybe just a high pitched beep would also sufficiently scare away people.

By showing porn in a place that he knows minors and other protected groups will visit, they violate decency laws in a whole bunch of countries. They probably wouldn't if this was accidental (i.e. they sold their domain to a third party that turned it into a porn site) but in this case they admit this was very much intentional.

The fact that you think it is sexual says more about you than them.
If I intentionally expose myself publicly but it’s not sexually arousing for the recipient, does that mean it’s not sexual assault?
Correct.

For example a woman breast-feeding or a man peeing on a tree on the side of the road.

Who is showing porn here? OP or the company they would probably quite like to get shut down due to local censorship laws?
OOP took a series of deliberate actions for the image file to show up. I'd be very surprised if any reasonable court wouldn't put the blame on them.

They may have had a defence if this hotlink prevention was already there from the beginning, but this post explicitly admits that this was added intentionally in response, and that there were plenty of other options that could've been taken.

When it comes to many laws, intent matters a lot. You can make technical arguments about the nature of all networking all you want ("technically HTTP is a request/response system so if I just requested the server to delete all customer data I didn't hack it the system just foolishly accepted my request") but the real world doesn't really care about CORS and iframe policies as it does about not being exposed to some guys erect penis and stretched out anus.

The abuser here is Google.
Definitely feels like a "report this website to google" button would be fantastic, if there was a way to automate/simplify such a thing for 1-3 clicks.
I hate to say the word, and especially because HN hates it, but this is effectively what DMCA notices are.
Its not copyright infringement to cause users to request the site and render in an iframe its closer to plugging yourself into someone else's electrical line
Google taking down a result from their site doesn't stop theft on a third-party's site.
Just to say, thanks for xordle. And for not serving obscenity on it.
I've had the same with my word game. People will report a bug and then I find out they are on some ad-ridden copycat. For my app it's reached multiple levels. One of the app thieves has embeded another app thief. https://imgur.com/a/0qW0y1r

The most frustrating thing for me is fucking Google. Their search results are so bad these days I can't get my game to the top even though thousands play it every day and link to it on social media. I'm at the top of Bing, DDG, Kagi. These sites run links to each other and Google's dumb algo loves it. Usually they don't use iFrame but proxy the whole request. Since using CloudFlare as my CDN a few of the app thieves have been defeated.

Yeah, my experience is also that they're mostly proxies and iframes are a minority. Some serve a cached version of the site (since like most of these, my sites are static - they do update to get the updated answer lists though, since I manually set the puzzles a bit in advance.)

Some of the sites that host their own cached copy even go out of the way to remove the credits and contact info from the page.

Never thought is say it but uhm... the world needs more goatse apparently

OP you should follow this up by reporting all the said websites to google.

Google won’t fix this, they actively profit from the theft sites because Google is the one selling the ads on those pages. Break them up.
Google may or may not be the ad network on the ripoff pages. If the pages are really that shady I'm gonna err on the side of not.
As I mentioned elsewhere in this thread, filing DMCA notices with Google does take care of it.
Just keep in mind some kids might be playing these games. So while it might be satisfying to stick it to the sites that are stealing your code, you might traumatize a child.
"won't someone think of the children!?!?!" is a meme for a reason.
But it's usually used ironically in situations where there is obviously no actual harm to children present. This is not one of those situations.
Kids are exposed to all sorts of things when they go to school, church, public playgrounds, or any other situation where groups are lightly supervised. I probably learned the word “fuck” in the fourth grade but my parents still haven’t heard me say it. Equating a shocking image with harm strikes me as naive at best.
>"won't someone think of the children!?!?!" is a meme for a reason.

Indeed, and it is well-represented here. In fact, I assumed we'd see some of it here and went looking for it. I was not disappointed. It means plenty of people missed the point entirely.

No one is traumatized by seeing goatse. It is a right of passage for children to become true internet denizens, in fact.
Woof. What an alternate universe you occupy.
What alternate universe? I saw goatse as a child and turned out fine.
Won’t somebody please think of the children!!!?

Those children over there… sending each other lemonparty (oh wait that was us)

Nah the kids now are watching cartel and Ukraine videos while going “bruh on god based uhuhuh”

This method primarily attacks innocent people. If someone is playing the author's game on another website then they likely don't know what the official website is. He has hurt his own players more than the people trying to make money off of his work.
I'm not sure everyone who sees the graphic image might fully understand what's going on. They might just think there's something wrong with sqword, not the site that's stealing it, and repelling potential players as a result.