> This blog is now STATELESS. The entire post is contained in the URL that you are visiting now. All my "blog" is now is a hard-coded main page that contains links to posts I claim authorship of. Of course the entire post is contained in each of these links.
> Anything can be generated here. You could even host your own blog that uses my website as a renderer if you really wanted to. It supports markdown.
> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.
>Posts of unknown authorship have a disclaimer at the top of the page.
Problem is, the posts can contain <script> elements. So it's easy to just write a little JavaScript that removes the disclaimer at the top. See this hastily-made, immature example of mine:
The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines.
But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.
I've just added some defensive programming to the site. Sorry to say. Appreciate that you hacked it with your image onerror, pretty clever.
TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.
Watch out: virus/scam/spam sites can detect sites like yours and write tons of redirects, link them somewhere, and use your site's good reputation to get their scams on the home page. This is also a huge problem for redirect services.
If the wrong person publishes the wrong link, you can get your domain banned from Google and tons of other sites as a "security risk", which can spread to your email (if you use @joshcsimmons.com).
It's fine if you don't care about blacklists of course, but this kind of abuse can easily sneak up on you.
The only thing I can think of is if they want to share controversial posts while having the ability to deny that they wrote it (as long as they don’t actually create a link to it from their own site).
It’s not a good use case IMO, but that is all I can think of lol
So if the author fix a small typo in the post, they break all the links to it. The blog is not "stateless", it’s just that its state is stored in the homepage. Having all posts on that page with anchor links would achieve the same thing with shorter links that don’t depend on the content.
Huh, cool. I think it's a pretty terrible idea, but I'm glad people are still doing fun/creative things with websites. Keeping the spirit of the early web alive. haha :)
> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.
for sure, there's awareness and then there's disregard of any basic web security.
the second they start hosting any application/backend/cookie-enabled thing on this domain name, anyone could inject a script via their /post/ gzip-base64 scheme, and do bad things...?
I don't think html sanitization would go against the principle of this idea. just... at the very least strip the tags! :-)
Very clever. For those wondering, this won't gunzip since it's compressed using zlib. you must do a chain like this: URL Decode -> Base64 Decode -> Zlib Inflate.
Isn't it the anti-anti-showing-buttholes-to-children community? Nobody wants to force you to show buttholes to children, but you should feel free to if desired
After tubgirl I vowed to never click on links people said I shouldn't. I've never seen goatse because of this rule. (I have been rickrolled a lot, but that's fine.)
I both find this hole thread interesting & entertaining, and I have yet to see the goatse image despite knowing about it since 2005 or so. I saw too many things as a child that are indelibly etched into my awareness and I practice filtering now so to minimize distractions.
However, context matters quite a bit! If someone Rick-rolled me with this I hope I'd have a good humor about it.
And there's always therapy, via whatever medium works.
Consider: what is it exactly that makes parents want to stop their children from bearing witness to swearing?
I can't imagine that it's that they think children can be be damaged in some way by knowing how to curse.
I imagine it's more that children will think these words are fun new toys and will constantly repeat them, enjoying how much of a reaction they provoke. And that the parent 1. will feel sad that the child now has this verbal crutch that they may end up leaning into in the future in place of learning how to speak eloquently; and 2. will feel ashamed when others in the community see the child swearing, and assume that it's a behavior that the parent inculcated into them by swearing constantly in front of them, rather than a behavior the parent tried their best to prevent — but which the child inevitably picked up somewhere outside the home.
There's probably something analogous here, right? Being exposed to "graphic imagery" is not really damaging per se. Rather, seeing such things just shifts a child's potential repertoire of behaviors/responses slightly (think: being desensitized enough to such imagery to find it funny to use to troll others in a school computer lab), in a way that might be assumed by others to have been a direct consequence of the parent's actions (e.g. by having sex / watching porn in front of their children.) Such behaviors by the child will reflect badly on the parent's parenting, even if they were actually purely the result of the child's self-motivated idle curiosity.
In short, these things — a child swearing, a child sending pictures of gross buttholes to other children — are conflationary triggers for community shaming of the parents: they cause behaviors in children that could well have been caused by bad parenting, and so tar the parents with the brush of being bad parents, whether or not the parent is actually bad.
Parents don't tend to like being shamed by the community for bad parenting, when they don't believe themselves to be bad parents; so they treat any such "conflationary triggers" for that shaming, as taboos, things to avoid their children witnessing, even if those things aren't "damaging."
You feel fine, but you don’t know what effect it can have on others.
This is a selection bias. By definition, all the survivors of the most atrocious things can say "I went through XYZ and I’m still alive". That doesn’t make this XYZ something you would recommend to anyone.
If seeing a mans butthole causes you serious psychological trauma, you probably have bigger problems to worry about than seeing a mans butthole.
Everyone has a butthole. Do kids never look in the mirror? Do kids never explore bodies? We spent 100k years or more looking at each other in the nude and somehow our species didn't all go insane.
What's the selection bias here? Is the claim that there's some huge population so emotionally scarred from seeing a shock image that they permanently left the internet? Or died?
Imagine you were distributing my work without permission and in retaliation I emailed you gross-out sexually explicit imagery. That would both be a crime and be unethical by current standards.
OP is not emailing people, but it is the same thing: revenge using explicit imagery. Except not only might the people behind the sites see the image but their visitors which probably include minors will too.
I can't answer to the law, which besides will vary - and I reject the implication that a puerile prank is immoral. But that aside, taking it on as if there was any moral dimension, moral clarity is straightforward here:
The parasite has to answer for the material it shows its visitors.
If a butcher delivers outdated meat to nowhere, knowing his van will be hijacked, how can he possibly be blamed when the hijackers sell it to their customers?
> If a butcher delivers outdated meat to nowhere, knowing his van will be hijacked, how can he possibly be blamed when the hijackers sell it to their customers?
An obvious corrolary to this is the prohibition on booby traps.
I am not sure that actually, the intermediate site is even technically sending the image.
As I understand it, the iframe is set up such that the users browser loads your site inside the frame and the intermediate site outside of the frame. If you serve a file then you are serving it directly to the browser. The intermediate site never sees it?
They could've also embraced it, see it as marketing, and replace it with a direct link to their website instead. Youtube doesn't care about people embedding their videos, they can make money regardless.
I don't know why I checked but uhh yup. It's working. There are at least 6 sites on the first page of Google results that now render goatse. Thankfully, the first link is the original one for me.
Came here to say the same thing. Unless you're one of today's "lucky 10,000"[0] who haven't ever encountered goatse before, there's no need to verify this :D
Cringeworthy? This is one of the more oft-linked XKCDs, I think because it makes a valid observation: everyone has a few things that "everyone knows" that they've randomly missed, and it's more fun to enjoy the discovery than to ridicule them for something that happens to all of us randomly.
This is a different twist on that xkcd - if you haven't seen goatse before, consider yourself truly lucky, and enjoy not experiencing this particular cognitohazard.
I've managed to never see goatse so far. Not because I'm new or innocent, but because I've learned my lessons. I don't think the 10,000 really applies to this situation. It's certainly not something that everybody needs to see at some point in their lives (or so I've been lead to believe).
In college my friend came over for a LAN party and when he went to the bathroom I quietly set his background to Goatse… I got quite the chuckle at 3am when he went to shut down his computer after a long night of gaming. Ah to be young again.
I think it doesn't appear at all if you have enhanced tracking protection turned on.
And the normal game shows up in the iframe if you have looked at the real game before, and have data in your localStorage. I assume to not arouse suspicion from people ripping off the game.
I disabled tracking protection, and deleted localstorage on the real site. Then it showed up.
That is so funny - I was just asking myself that same thing. Why did I just intentionally goatse myself? I knew what would be there and did it anyways…:)
which leads to the following error: "Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document."
This is hilarious, but I think the most mature thing to do would have been to detect if the site is inside an iframe and if so add a polite link saying "click here to go to sqword.com and play this game ad free".
In a roundabout way, it likely would halt users unable to find the real domain from accessing the thieves' websites again. That narrows down the search for the real domain by one!
I get the sense that that isn't really his goal. He makes clear it's just a fun passion project, and this sounds like an equally fun (to him) way of retaliating against those taking advantage of it.
He mentioned that he found the imposters when a coworker happened across them on a search result page. Does Google apply penalties to the imposter sites’ search rankings when they serve shock content rather than what was being searched for?
It seems like that might reduce real users’ confusion as they try to find the real “sqword” puzzle.
On the other hand, they probably will get an influx of HN users now. If they had used a tamer approach, I doubt this post would have the amount of points it has now.
Ah, I had a similar idea. There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog. It was flooding my access logs with 404s because I don't rock wordpress. Irksome stuff.
These attempts are almost entirely automated, so almost nobody will see it. But if you want to help, tarpitting any IP which requests that page will slow down the scanner with minimum resource usage on your side.
> There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog
There are moments I'm about to deploy something similar and by now what's stopping me are laziness and other higher priorities. I'm staring at these aggravating items in server log and maybe someday.
My basic security measures for a simple wordpress site is to rename wp-admin to something else, rename the admin account to something else, and change the ssh port to something else. That already confuses 99% of login attempts / lazy bots.
Nice. I'd probably have settled for something simple like <form action="http://127.1/wp-login.php">. These days, you could serve a JS bitcoin miner instead.
In the days of P2P file sharing I used to share files with file names and metadata indicating they were rare Metallica live recordings of Metallica songs and other metal band's songs.... but instead https://www.youtube.com/watch?v=hwK_WOXjfc0
Hah, back in the flash days I did a similar thing. I ran a website, one of those one-page deals where the whole point of the site was a single button that played a sound. I too had a problem with people hotlinking my flash app, so I used the same trick to redirect it to a different applet that played loud horrific screams!
Oh I love stories like this - great retort! It reminds me of that time that some app (or apps) was hammering an image of a butterfly from Wikimedia because it was part of some sample code that was never removed. I couldn't find the story but it was a fun but upsetting source of abuse from unknowing devs.
Edit: It was a picture of a flower. I replied with some links.
hahah yeah years ago when i ran my web server in my home, some images got hotlinked to on forums.. welp, some pretty simple redirects based on referrer probably resulted in some pretty confused forum-goers. :)
The users of these apps probably don't even understand what it means to hotlink someone else's resources, and, rather than simply remove the resources, you replaced them with an overtly offensive message. I'm not saying you weren't within your rights to do that, but you can't at this point high-horse and complain about the abusive emails you got as a reaction.
The issue was hotlinking directly to resources, which has been a no-no on the web since day one. The fault is entirely on the side of the bad actors who misused a free resource and in so doing ruined it.
Well that's not quite what happened is it? It was never "popular". I
got my stuff abused and retaliated in a benign, schoolboy fashion for
laughs.
Though if shall own any blame it's for being naive and inexperienced
in the days before we all needed rate limiting against corporate bots.
As it goes, the whole shebang got archived on Wayback/Internet
Archive so all the goodies remain up there for people to enjoy and I
stopped needing to run a box and deal with misuse. God bless the
Internet Archive I guess.
If you offer a zap sound for a game maybe 3 devs download it if they use it on their games 30,000 people might download it. Its pretty obvious one is the intended use and one is not.
It's fairly surprising to see that approach from pretty large brands/companies. Some Indian ISPs are kinda notorious in that they'll just link to huge image files on third-party sites and just let their 300 million customers hammer the poor site into the ground. I guess it saves them bandwidth, but they also run a huge risk of pissing someone off and have that asset replaced by something nasty. When people use this kind of hard-linking/hot-linking of resource I don't think they do it to save money or to be evil, I think it mostly gross incompetence.
We had an issue where our product images would just be ruthlessly scraped, if there had been some rate-limiting in place we'd most likely just have allowed it or not noticed. Normally I just pointed the poor scraper to a multi-gigabyte file or funny and unrelated image, if you want to download the same image of a beaver 25.000 times go ahead.
But I also seen amateurishly search engines just pound a site to the point where it was easier to just deny all traffic coming from their crawler, as compared to try to reach out and figure something out. Say what you will about Google and Bing, their crawlers are well written and well behaved.
The isps can pretty easily set up a cache for things that are popular. There was a time when I worked for an ISP consultancy, where Netflix would literally give ISPs a prebuilt cache server iirc for free, and that was a win win for everyone. I shouldn’t be surprised that some shitty isp thinks it’s easier to hard link, but making a cache isn’t that hard.
A couple of years ago, the main submarine link connecting my country to the internet was damaged, and internet basically slowed to a crawl for a day. Could barely open anything.
But Netflix was running at full HD with no problem. So they must have had local cache's with the ISPs.
this is how CDNs make their money. They replicate popular content close to the users. They generally do that WITHOUT giving anyone hardware, but by renting hardware in smaller areas, and setting up their own data centers in popular areas.
source: I used to work at Akamai (it was a while ago). The myriad things they do with their edge servers is pretty amazing, but for simple CDN stuff, most of the time clients aren't shipping hardware to isps. That being said, if Netflix can convince an isp to pay its electricity and hardware maintenance costs for a popular isp's customers that's going to pay for itself very quickly. So, i can see why Netflix offers this. It's just not normal AFAIK.
I'm not defending the practice by any stretch of the imagination (it's wrong to hotlink, simple as) but I can remember in the heady halcyon days of the early internet (back when Windows 95 had yet to become a thing) hotlinking was done out of pure ignorance about the impact it had on the hosting site and most doing it knew no better nor of the impact it had on the hot-linked servers' resources.
Given that Eternal September remains a thing to this day, I wonder if that remains the case?
As for Google Bot being well behaved - I'm glad to hear that this has changed because at the turn of the century (which is the last time I dipped my toe in to self hosting) it certainly wasn't well behaved in the slightest and it would ruthlessly crawl away, happily ignoring any robots.txt limitations applied.
Yeah, if it were someone as important as an ISP doing it, you could easily be very petty and change it to an image that read "<isp> officially endorses <toxic political view>" (say, the statehood of Taiwan)
Honestly, I know that it's far too late to change now, but I think the ability of a web-page to silently request resources from other domains has proven to be a complete misfeature overall. What's it given us? Tracking cookies, spy-pixels, cross-site-scripting-attacks, hard-link-bandwidth-stealing, SSL mixed-content warnings, etc.
Yes, I know it's also given us CDNs and Single Sign-On, but there are ways to implement SSO as a more active action without that, and I'm not convinced that CDNs are worth the cost we paid.
Nah, this technique has been used to "pwn" other sites ever since dynamic web serving has been around. So very nearly from the beginning. Traditionally by looking at the referer header.
I run three word games, this stuff happens for all of them. It sucks but I would never do what they did, it's abusive to the people who just googled your game and ended up on the wrong site.
I've had teachers and students reach out to me to say they play my game in class every day together. And parents who play with their kids every day, and adult who text their results to each other every day.
It sucks if they end up doing it on an ad-ridden site when I built an experience that asks nothing of them. But it would suck even more to goatse them.
Yeah this is actually basically what YouTube does when you embed a video and their settings don't allow embedding for that particular video. "Video unavailable - Watch on YouTube"
Yeah I think basically the reason is they want to show you the various ads before/after/during the video and they won't work in the embed view (just guessing)
It is not this developer's job to parent someone's kids. It is a parent's responsibility to make sure their child only gets access to the appropriate websites when they are young.
Counterpoint: it takes a village. You're naive if you think parents have and can keep full oversight / control over their offspring's internet usage. You can have their devices and your at home internet locked tight, but then they go to a library, they go to a friend's place, they go to school where they get a laptop or tablet and school internet access, or a friend's hotspot.
You can't protect your kids from the internet, you can only warn and educate them. I'm not saying to give them unlimited access from the get go, of course not. But I'm just saying you can't stop them either.
Look, RJ Reynolds was perfectly within their rights to market cigarettes to young children, and shops were within their rights to sell to young children. It’s not their job to parent children.
And if I want to open up a strip club across the street from the neighborhood public school, why should I be prevented by zoning laws? It’s not my responsibility to parent someone else's kids.
So before clicking on a word game in their browser, all parents should know about the business relationship, or lack thereof, between the underlying content provider and the website running in the top-level browser frame?
I want to emphasise, again, that we're talking about clicking on a word game here.
Life is a meaningless crawl towards the heat death of the universe. Childish behavior is the most appropriate attitude one can have towards most things.
I found a link on HN a while ago that shows you just that, it's a randomizer (like the old StumbleUpon) that sends you to random "old internet" webpages: https://wiby.me/surprise/
It sent me to a 1998 page about phrenology, the 'science' of determining someone's mental traits based on indentations in their skull: https://www.phrenology.org/index.html
I totally agree with you, and there are definitely more whimsical ways to go about it than goatse. Even if I personally can find whimsy in getting randomly goatse'd I'm not gonna say that someone who finds it really disturbing deserves what's coming to them just because they are insufficiently chill.
If you were on forums in the aughts, it was unavoidable. I think every very online millennial knows what Goatse is. The youngest millennial is 27. Which begs the question: is Goatse what spreads Zoomers and millennials apart?
You could, however, easily block the game and render a message directing users to your actual site if you detect they are using the site in an iframe. What legitimate reason can there be for that?
Devil's advocate: OPs approach is a form of inoculation against the ad-powered Internet. The experience may not be pleasant, but drives the right message and quite memorably so.
100%, and not just as devil's advocate. Let the punishment fit the crime.
My sympathies are entirely on the side of the game's author. It's just an obscene image -- the "collateral damage" in this case is perfectly acceptable and imo fair because it damages the brands of the illegal hosters.
Goatse is a right of passage and when my chuldren will inevitably stumble upon it one day I will be there to talk to them about it if they feel a need to. At the end of the day it's just a man stretching out his anus in bad lighting.
I'm a little sympathetic to the author because I don't consider viewing the image all that damaging, but I'm not a fan of the general principle of hurting innocent bystanders in order to cause second-order pain to a third party.
I think you'd probably agree that, say, overwriting every file on the end user's computer with a text file complaining about how the iframe-wielding website steals content would be an unacceptable thing for the author to do. But the only difference would be the degree of suffering inflicted on the innocent bystander.
The difference is that I rate the amount of "hurt" to the viewers as essentially zero in this case, and I think the concern is misplaced pearl-clutching.
Also the phrase "you think this image is acceptable to show to young kids" subtly alters my position in a disingenuous and (I think) intentional way. My position is not that you should "show young kids goatse" but that "a young kid seeing a flash of goatse isn't really a big deal". They might laugh, they might be a little grossed out, they might be curious why someone would do something so strange. I think the idea that they would be "harmed" or "traumatized" is pure adult projection.
Some apparent dichotomies are false, but "viewing/not viewing an image" is the real deal. (Do you want to make the case that a small exposure time represents a genuine midpoint between these extremes, to justify treating "a flash" of goatse as a special case, distinct from "viewing" it? If so, then right now I disagree, but would be interested in hearing your reasons why.)
I think there is a genuine change in meaning, coming from your use of the word "should":
>My position is not that you should "show young kids goatse
I don't have a problem with OP's approach and I think he should be free to put whatever he wants on the content-stealing sites, but he didn't have to make it sexual.
A very annoying, loud, visually busy animation would've sufficed. Baby shark at maximum volume, or a continuous fart sound, or maybe just a high pitched beep would also sufficiently scare away people.
By showing porn in a place that he knows minors and other protected groups will visit, they violate decency laws in a whole bunch of countries. They probably wouldn't if this was accidental (i.e. they sold their domain to a third party that turned it into a porn site) but in this case they admit this was very much intentional.
OOP took a series of deliberate actions for the image file to show up. I'd be very surprised if any reasonable court wouldn't put the blame on them.
They may have had a defence if this hotlink prevention was already there from the beginning, but this post explicitly admits that this was added intentionally in response, and that there were plenty of other options that could've been taken.
When it comes to many laws, intent matters a lot. You can make technical arguments about the nature of all networking all you want ("technically HTTP is a request/response system so if I just requested the server to delete all customer data I didn't hack it the system just foolishly accepted my request") but the real world doesn't really care about CORS and iframe policies as it does about not being exposed to some guys erect penis and stretched out anus.
Definitely feels like a "report this website to google" button would be fantastic, if there was a way to automate/simplify such a thing for 1-3 clicks.
Its not copyright infringement to cause users to request the site and render in an iframe its closer to plugging yourself into someone else's electrical line
I've had the same with my word game. People will report a bug and then I find out they are on some ad-ridden copycat.
For my app it's reached multiple levels. One of the app thieves has embeded another app thief.
https://imgur.com/a/0qW0y1r
The most frustrating thing for me is fucking Google. Their search results are so bad these days I can't get my game to the top even though thousands play it every day and link to it on social media. I'm at the top of Bing, DDG, Kagi. These sites run links to each other and Google's dumb algo loves it.
Usually they don't use iFrame but proxy the whole request. Since using CloudFlare as my CDN a few of the app thieves have been defeated.
Yeah, my experience is also that they're mostly proxies and iframes are a minority. Some serve a cached version of the site (since like most of these, my sites are static - they do update to get the updated answer lists though, since I manually set the puzzles a bit in advance.)
Some of the sites that host their own cached copy even go out of the way to remove the credits and contact info from the page.
Just keep in mind some kids might be playing these games. So while it might be satisfying to stick it to the sites that are stealing your code, you might traumatize a child.
Kids are exposed to all sorts of things when they go to school, church, public playgrounds, or any other situation where groups are lightly supervised. I probably learned the word “fuck” in the fourth grade but my parents still haven’t heard me say it. Equating a shocking image with harm strikes me as naive at best.
>"won't someone think of the children!?!?!" is a meme for a reason.
Indeed, and it is well-represented here. In fact, I assumed we'd see some of it here and went looking for it. I was not disappointed. It means plenty of people missed the point entirely.
This method primarily attacks innocent people. If someone is playing the author's game on another website then they likely don't know what the official website is. He has hurt his own players more than the people trying to make money off of his work.
I'm not sure everyone who sees the graphic image might fully understand what's going on. They might just think there's something wrong with sqword, not the site that's stealing it, and repelling potential players as a result.
463 comments
[ 2.7 ms ] story [ 345 ms ] threadhttps://joshcsimmons.com/post/eJyVlD2PgzAMhvf8Cm8HlcD76dSlf8...
Created using
>Yesterday one of my collaborators googled "sqword" and to his surprise, there were tons of first-page results that weren't the sqword.com domain.
I'm not saying you're wrong. You're right, but at least it's for an interesting reason.
https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...
> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.
https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...
(His permalinks are horrible, lol)
Problem is, the posts can contain <script> elements. So it's easy to just write a little JavaScript that removes the disclaimer at the top. See this hastily-made, immature example of mine:
https://joshcsimmons.com/post/H4sIABO8LmUC/3VT0W7aQBB85yu2QV...
As it stands, this really isn't the most secure system. Something much more malicious could be injected into this!
Either way, considering the submission we’re commenting on, the author of the blog may appreciate your humour.
https://joshcsimmons.com/post/H4sICIi6LmUAA3RtcC5odG1sADWMMQ...
https://joshcsimmons.com/post/H4sIAA6yLmUA/wVAwQnFIAxd5ZGL7c...
The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines.
But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.
TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.
Can't promise I won't circumvent it when I've got some time...
If the wrong person publishes the wrong link, you can get your domain banned from Google and tons of other sites as a "security risk", which can spread to your email (if you use @joshcsimmons.com).
It's fine if you don't care about blacklists of course, but this kind of abuse can easily sneak up on you.
EDIT: understand you are not the OP btw, just wondering out loud.
It’s not a good use case IMO, but that is all I can think of lol
Doesn't need to release tools... gzip, base64 and uri encode uh huh.
https://joshcsimmons.com/post/eNpTVlaoKC5WSEnNzefisilOLsosKL...
(this just injects a <script> alert but.... that's bad)
just tried contacting the author via linkedin (since I don't see an email address on their site)
@joshcsimmons are you around?
> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.
https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...
the second they start hosting any application/backend/cookie-enabled thing on this domain name, anyone could inject a script via their /post/ gzip-base64 scheme, and do bad things...?
I don't think html sanitization would go against the principle of this idea. just... at the very least strip the tags! :-)
Since the website is vulnerable to XSS, you could inject a script that removes the disclaimer.
https://joshcsimmons.com/post/eNqzKU4uyiwosUvJTy7NTc0r0UtPLX...
base64 generates slashes, so the site (and I) run encodeURIComponent in the devtools on the resulting base64 to make sure it's completely url-safe.
---
the poc "payload" is
eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D
which uri-component-decodes to:
eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc/PLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg=
which un-base64+gzip's to (using the site I posted above):
"Hey come check out this amazing magic eye". Boom!
I see what you did there.
I can't imagine that it's that they think children can be be damaged in some way by knowing how to curse.
I imagine it's more that children will think these words are fun new toys and will constantly repeat them, enjoying how much of a reaction they provoke. And that the parent 1. will feel sad that the child now has this verbal crutch that they may end up leaning into in the future in place of learning how to speak eloquently; and 2. will feel ashamed when others in the community see the child swearing, and assume that it's a behavior that the parent inculcated into them by swearing constantly in front of them, rather than a behavior the parent tried their best to prevent — but which the child inevitably picked up somewhere outside the home.
There's probably something analogous here, right? Being exposed to "graphic imagery" is not really damaging per se. Rather, seeing such things just shifts a child's potential repertoire of behaviors/responses slightly (think: being desensitized enough to such imagery to find it funny to use to troll others in a school computer lab), in a way that might be assumed by others to have been a direct consequence of the parent's actions (e.g. by having sex / watching porn in front of their children.) Such behaviors by the child will reflect badly on the parent's parenting, even if they were actually purely the result of the child's self-motivated idle curiosity.
In short, these things — a child swearing, a child sending pictures of gross buttholes to other children — are conflationary triggers for community shaming of the parents: they cause behaviors in children that could well have been caused by bad parenting, and so tar the parents with the brush of being bad parents, whether or not the parent is actually bad.
Parents don't tend to like being shamed by the community for bad parenting, when they don't believe themselves to be bad parents; so they treat any such "conflationary triggers" for that shaming, as taboos, things to avoid their children witnessing, even if those things aren't "damaging."
This is a selection bias. By definition, all the survivors of the most atrocious things can say "I went through XYZ and I’m still alive". That doesn’t make this XYZ something you would recommend to anyone.
Everyone has a butthole. Do kids never look in the mirror? Do kids never explore bodies? We spent 100k years or more looking at each other in the nude and somehow our species didn't all go insane.
Nakedness probably doesn't hurt anyone.
OP knows that
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
https://wordlewebsite.com/sqword
OP is not emailing people, but it is the same thing: revenge using explicit imagery. Except not only might the people behind the sites see the image but their visitors which probably include minors will too.
If you email them explicit imagery and they automatically forward it, that's on them.
Not a crime, but a little crass in a funny way.
The parasite has to answer for the material it shows its visitors.
If a butcher delivers outdated meat to nowhere, knowing his van will be hijacked, how can he possibly be blamed when the hijackers sell it to their customers?
Edited to correct can (van!)
An obvious corrolary to this is the prohibition on booby traps.
As I understand it, the iframe is set up such that the users browser loads your site inside the frame and the intermediate site outside of the frame. If you serve a file then you are serving it directly to the browser. The intermediate site never sees it?
[0] - https://xkcd.com/1053/
edit: folks the xkcd lucky 10k reference was a joke, settle down
I've never understood that attitude.
That's not a large improvement.
But it was kind of a rickroll situation... yeah it sucks
Wasn’t it more like 3 hours to setup and get the network functioning, and hour of gaming?
Or goto a hosted one
https://www.flickr.com/photos/mrneutron/albums/1568481/
e.g. NSFW https://goatkcd.com/1053/
If you don't know what that is, you might not want to search it.
https://en.wikipedia.org/wiki/Lucky_Pierre
And the normal game shows up in the iframe if you have looked at the real game before, and have data in your localStorage. I assume to not arouse suspicion from people ripping off the game.
I disabled tracking protection, and deleted localstorage on the real site. Then it showed up.
https://wordlewebsite.com/sqword
@joshcsimmons it seems like sqword is reading local storage on this line:
this.localStorage = n.localStorage || globalThis.localStorage,
which leads to the following error: "Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document."
you should do it in a try/catch.
But I guess it can happen on the original site if the user turns off cookies entirely.
His approach is much awesomer than the nature thing.
It seems like that might reduce real users’ confusion as they try to find the real “sqword” puzzle.
For example, use
To get gistfile1.txt shown in the page.So I threw up a little 'surprise' for the ahem penetration testers ahem, if you feel brave: https://www.thran.uk/wp-login.php
There are moments I'm about to deploy something similar and by now what's stopping me are laziness and other higher priorities. I'm staring at these aggravating items in server log and maybe someday.
Eventually the bandwidth was getting hammered by a huge number of leechers seemingly from some apps that had simply hard-linked to the resources.
After replacing said resources [0] they soon ceased but not without a slew of abusive and entitled emails demanding I restore the SFX.
Oh fun times!
[0] https://fukpig.bandcamp.com/track/all-of-you-are-cunts-and-i...
What an entitled bunch
So many downloads.
I'm downright shocked that this wasn't Rick Astley.
Or so he says, it may have been mostly copycats after a time.
Edit: It was a picture of a flower. I replied with some links.
- https://phabricator.wikimedia.org/T273741
- https://news.ycombinator.com/item?id=26072025
Though if shall own any blame it's for being naive and inexperienced in the days before we all needed rate limiting against corporate bots.
As it goes, the whole shebang got archived on Wayback/Internet Archive so all the goodies remain up there for people to enjoy and I stopped needing to run a box and deal with misuse. God bless the Internet Archive I guess.
It's fairly surprising to see that approach from pretty large brands/companies. Some Indian ISPs are kinda notorious in that they'll just link to huge image files on third-party sites and just let their 300 million customers hammer the poor site into the ground. I guess it saves them bandwidth, but they also run a huge risk of pissing someone off and have that asset replaced by something nasty. When people use this kind of hard-linking/hot-linking of resource I don't think they do it to save money or to be evil, I think it mostly gross incompetence.
We had an issue where our product images would just be ruthlessly scraped, if there had been some rate-limiting in place we'd most likely just have allowed it or not noticed. Normally I just pointed the poor scraper to a multi-gigabyte file or funny and unrelated image, if you want to download the same image of a beaver 25.000 times go ahead.
But I also seen amateurishly search engines just pound a site to the point where it was easier to just deny all traffic coming from their crawler, as compared to try to reach out and figure something out. Say what you will about Google and Bing, their crawlers are well written and well behaved.
But Netflix was running at full HD with no problem. So they must have had local cache's with the ISPs.
[0]: https://time.com/2866004/verizon-netflix/
source: I used to work at Akamai (it was a while ago). The myriad things they do with their edge servers is pretty amazing, but for simple CDN stuff, most of the time clients aren't shipping hardware to isps. That being said, if Netflix can convince an isp to pay its electricity and hardware maintenance costs for a popular isp's customers that's going to pay for itself very quickly. So, i can see why Netflix offers this. It's just not normal AFAIK.
And it's much harder now to have a caching server because everything is HTTPS, so you have to coordinate with both ends to make it work.
Given that Eternal September remains a thing to this day, I wonder if that remains the case?
As for Google Bot being well behaved - I'm glad to hear that this has changed because at the turn of the century (which is the last time I dipped my toe in to self hosting) it certainly wasn't well behaved in the slightest and it would ruthlessly crawl away, happily ignoring any robots.txt limitations applied.
Yes, I know it's also given us CDNs and Single Sign-On, but there are ways to implement SSO as a more active action without that, and I'm not convinced that CDNs are worth the cost we paid.
LOL
I've had teachers and students reach out to me to say they play my game in class every day together. And parents who play with their kids every day, and adult who text their results to each other every day.
It sucks if they end up doing it on an ad-ridden site when I built an experience that asks nothing of them. But it would suck even more to goatse them.
You can't protect your kids from the internet, you can only warn and educate them. I'm not saying to give them unlimited access from the get go, of course not. But I'm just saying you can't stop them either.
Look, RJ Reynolds was perfectly within their rights to market cigarettes to young children, and shops were within their rights to sell to young children. It’s not their job to parent children.
And if I want to open up a strip club across the street from the neighborhood public school, why should I be prevented by zoning laws? It’s not my responsibility to parent someone else's kids.
I want to emphasise, again, that we're talking about clicking on a word game here.
I'd guess the author is pretty young.
Definitely childish though.
It’s bad for their image and so for any business they may work on now or in the future.
It's very crude, but satire often is and is one effective way of driving change in society around us.
It sent me to a 1998 page about phrenology, the 'science' of determining someone's mental traits based on indentations in their skull: https://www.phrenology.org/index.html
I happen to run a directory of 'escapist/artistic' websites, if a second instance of self-promotion is permissible: https://wmw.thran.uk
I'd guess you're pretty old.
My sympathies are entirely on the side of the game's author. It's just an obscene image -- the "collateral damage" in this case is perfectly acceptable and imo fair because it damages the brands of the illegal hosters.
However as a gay nerd I'm not really interested in having children, so I'll just have to leave it up to the village.
I think you'd probably agree that, say, overwriting every file on the end user's computer with a text file complaining about how the iframe-wielding website steals content would be an unacceptable thing for the author to do. But the only difference would be the degree of suffering inflicted on the innocent bystander.
If you think this image is acceptable to show to young kids, are there any images you think are unacceptable to show them?
Also the phrase "you think this image is acceptable to show to young kids" subtly alters my position in a disingenuous and (I think) intentional way. My position is not that you should "show young kids goatse" but that "a young kid seeing a flash of goatse isn't really a big deal". They might laugh, they might be a little grossed out, they might be curious why someone would do something so strange. I think the idea that they would be "harmed" or "traumatized" is pure adult projection.
I think there is a genuine change in meaning, coming from your use of the word "should":
>My position is not that you should "show young kids goatse
But that's not a word I used (or intended).
ETA: Agree on images of violence.
A very annoying, loud, visually busy animation would've sufficed. Baby shark at maximum volume, or a continuous fart sound, or maybe just a high pitched beep would also sufficiently scare away people.
By showing porn in a place that he knows minors and other protected groups will visit, they violate decency laws in a whole bunch of countries. They probably wouldn't if this was accidental (i.e. they sold their domain to a third party that turned it into a porn site) but in this case they admit this was very much intentional.
For example a woman breast-feeding or a man peeing on a tree on the side of the road.
They may have had a defence if this hotlink prevention was already there from the beginning, but this post explicitly admits that this was added intentionally in response, and that there were plenty of other options that could've been taken.
When it comes to many laws, intent matters a lot. You can make technical arguments about the nature of all networking all you want ("technically HTTP is a request/response system so if I just requested the server to delete all customer data I didn't hack it the system just foolishly accepted my request") but the real world doesn't really care about CORS and iframe policies as it does about not being exposed to some guys erect penis and stretched out anus.
The most frustrating thing for me is fucking Google. Their search results are so bad these days I can't get my game to the top even though thousands play it every day and link to it on social media. I'm at the top of Bing, DDG, Kagi. These sites run links to each other and Google's dumb algo loves it. Usually they don't use iFrame but proxy the whole request. Since using CloudFlare as my CDN a few of the app thieves have been defeated.
Some of the sites that host their own cached copy even go out of the way to remove the credits and contact info from the page.
OP you should follow this up by reporting all the said websites to google.
Indeed, and it is well-represented here. In fact, I assumed we'd see some of it here and went looking for it. I was not disappointed. It means plenty of people missed the point entirely.
Those children over there… sending each other lemonparty (oh wait that was us)
Nah the kids now are watching cartel and Ukraine videos while going “bruh on god based uhuhuh”