It's fairly surprising to see that approach from pretty large brands/companies. Some Indian ISPs are kinda notorious in that they'll just link to huge image files on third-party sites and just let their 300 million customers hammer the poor site into the ground. I guess it saves them bandwidth, but they also run a huge risk of pissing someone off and having that asset replaced by something nasty. When people use this kind of hard-linking/hot-linking of resources I don't think they do it to save money or to be evil, I think it's mostly gross incompetence.
We had an issue where our product images would just be ruthlessly scraped; if there had been some rate-limiting in place we'd most likely just have allowed it or not noticed. Normally I just pointed the poor scraper to a multi-gigabyte file or a funny and unrelated image; if you want to download the same image of a beaver 25.000 times, go ahead.
But I've also seen amateurish search engines just pound a site to the point where it was easier to just deny all traffic coming from their crawler than to try to reach out and figure something out. Say what you will about Google and Bing, their crawlers are well written and well behaved.
I'm not defending the practice by any stretch of the imagination (it's wrong to hotlink, simple as) but I can remember in the heady halcyon days of the early internet (back when Windows 95 had yet to become a thing) hotlinking was done out of pure ignorance about the impact it had on the hosting site and most doing it knew no better nor of the impact it had on the hot-linked servers' resources.
Given that Eternal September remains a thing to this day, I wonder if that remains the case?
As for Google Bot being well behaved - I'm glad to hear that this has changed because at the turn of the century (which is the last time I dipped my toe into self hosting) it certainly wasn't well behaved in the slightest and it would ruthlessly crawl away, happily ignoring any robots.txt limitations applied.
The ISPs can pretty easily set up a cache for things that are popular. There was a time when I worked for an ISP consultancy, where Netflix would literally give ISPs a prebuilt cache server, iirc for free, and that was a win-win for everyone. I shouldn't be surprised that some shitty ISP thinks it's easier to hard link, but making a cache isn't that hard.
Yeah, if it were someone as important as an ISP doing it, you could easily be very petty and change it to an image that read "<isp> officially endorses <toxic political view>" (say, the statehood of Taiwan)
Oh I love stories like this - great retort! It reminds me of that time that some app (or apps) was hammering an image of a butterfly from Wikimedia because it was part of some sample code that was never removed. I couldn't find the story but it was a fun but upsetting source of abuse from unknowing devs.
Edit: It was a picture of a flower. I replied with some links.
Hah, back in the flash days I did a similar thing. I ran a website, one of those one-page deals where the whole point of the site was a single button that played a sound. I too had a problem with people hotlinking my flash app, so I used the same trick to redirect it to a different applet that played loud horrific screams!
In the days of P2P file sharing I used to share files with file names and metadata indicating they were rare Metallica live recordings of Metallica songs and other metal band's songs.... but instead https://www.youtube.com/watch?v=hwK_WOXjfc0
Honestly, I know that it's far too late to change now, but I think the ability of a web-page to silently request resources from other domains has proven to be a complete misfeature overall. What's it given us? Tracking cookies, spy-pixels, cross-site-scripting-attacks, hard-link-bandwidth-stealing, SSL mixed-content warnings, etc.
Yes, I know it's also given us CDNs and Single Sign-On, but there are ways to implement SSO as a more active action without that, and I'm not convinced that CDNs are worth the cost we paid.
hahah yeah years ago when i ran my web server in my home, some images got hotlinked to on forums.. welp, some pretty simple redirects based on referrer probably resulted in some pretty confused forum-goers. :)
The users of these apps probably don't even understand what it means to hotlink someone else's resources, and, rather than simply remove the resources, you replaced them with an overtly offensive message. I'm not saying you weren't within your rights to do that, but you can't at this point high-horse and complain about the abusive emails you got as a reaction.
Well that's not quite what happened, is it? It was never "popular". I got my stuff abused and retaliated in a benign, schoolboy fashion for laughs.
Though if I shall own any blame it's for being naive and inexperienced in the days before we all needed rate limiting against corporate bots.
As it goes, the whole shebang got archived on Wayback/Internet Archive so all the goodies remain up there for people to enjoy and I stopped needing to run a box and deal with misuse. God bless the Internet Archive I guess.
The issue was hotlinking directly to resources, which has been a no-no on the web since day one. The fault is entirely on the side of the bad actors who misused a free resource and in so doing ruined it.
If you offer a zap sound for a game, maybe 3 devs download it; if they use it in their games, 30,000 people might download it. It's pretty obvious one is the intended use and one is not.
Ah, I had a similar idea. There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog. It was flooding my access logs with 404s because I don't rock wordpress. Irksome stuff.
My basic security measures for a simple WordPress site are to rename wp-admin to something else, rename the admin account to something else, and change the SSH port to something else. That already confuses 99% of login attempts / lazy bots.
> There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog
There are moments I'm about to deploy something similar and by now what's stopping me are laziness and other higher priorities. I'm staring at these aggravating items in server log and maybe someday.
These attempts are almost entirely automated, so almost nobody will see it. But if you want to help, tarpitting any IP which requests that page will slow down the scanner with minimum resource usage on your side.
Nice. I'd probably have settled for something simple like <form action="http://127.1/wp-login.php">. These days, you could serve a JS bitcoin miner instead.
I formerly worked for a small RealEstate aggregation/publication software company with large market adoption, and a well-known competitor started deep linking to the images within our custom-written resizing image cache server, and continued to do so after several polite requests to stop. Image traffic is the bulk of network traffic for RealEstate data, and their stolen traffic was very significant, cutting into our own available bandwidth and costs.
We slyly added referrer-based logic which would, with 1/20 probability, serve the Goatse.cx image instead.
Needless to say, within 48hrs we never received another deep link request from that competitor.
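The referrer-based serving logic described in this comment (and the referrer redirects mentioned earlier in the thread) can be written as a plain request handler. The following is an added example and not code from any poster: it assumes a canonical host of `example.com`, uses a constructed in-memory stand-in for the image store and constructed request objects, and answers off-site requests with a plain-text notice rather than an image. It also handles the case a naive referrer check trips over, requests that carry no Referer header at all.

```javascript
// Added example: Referer-based hotlink handling for an image endpoint, written as pure
// functions so it can be exercised without starting a server. Assumptions: the site that
// owns the assets is example.com; ASSETS is a constructed stand-in for the real store.

const CANONICAL_HOST = 'example.com';
const ALLOWED_REFERER_HOSTS = new Set([CANONICAL_HOST, 'www.' + CANONICAL_HOST]);

// Constructed sample asset table: path -> content type and body.
const ASSETS = new Map([
  ['/images/listing-123.jpg', { contentType: 'image/jpeg', body: '<constructed jpeg bytes>' }],
]);

// Per-host counter of denied requests, so the operator can see who is hammering the
// assets (one competitor or a thousand forum posts) before deciding how to escalate.
const hotlinkCounts = new Map();

// Hostname named by a Referer header, lower-cased; null when the header is absent or
// is not a parseable absolute URL.
function refererHost(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// 'allow' for own hosts and for requests carrying no Referer at all: direct navigation,
// browser privacy settings and a strict Referrer-Policy on the referring page all strip
// it, so denying those would break legitimate visitors. Anything else is 'deny'.
function refererDecision(referer) {
  if (!referer) return 'allow';
  const host = refererHost(referer);
  if (host === null) return 'deny'; // present but malformed: treat as off-site
  return ALLOWED_REFERER_HOSTS.has(host) ? 'allow' : 'deny';
}

// Builds a response descriptor {status, headers, body} for a request {path, headers}.
// Header names are lower-case, as Node's http module presents them.
function handleAssetRequest(req) {
  const asset = ASSETS.get(req.path);
  if (!asset) {
    return { status: 404, headers: { 'content-type': 'text/plain' }, body: 'not found' };
  }
  const referer = req.headers.referer;
  if (refererDecision(referer) === 'allow') {
    // Vary on Referer so a shared cache never hands the notice to an on-site visitor,
    // nor the real image to a hotlinking page.
    return {
      status: 200,
      headers: { 'content-type': asset.contentType, 'vary': 'Referer' },
      body: asset.body,
    };
  }
  const host = refererHost(referer) || '(unparseable)';
  hotlinkCounts.set(host, (hotlinkCounts.get(host) || 0) + 1);
  return {
    status: 403,
    headers: { 'content-type': 'text/plain; charset=utf-8', 'vary': 'Referer', 'cache-control': 'no-store' },
    body: 'This asset is only served on https://' + CANONICAL_HOST + '/. ' +
      'The page you are viewing embeds it without permission; visit the original site directly.',
  };
}
```

Referer is trivially forged or omitted by a server-side scraper or proxy, so this only stops browsers fetching the asset on behalf of another page (the situation in the comment), not copies proxied through another host. The same decision can be expressed in nginx with the `valid_referers` directive, which also has a `blocked`/`none` vocabulary for the missing-header case.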
I don't know why I checked but uhh yup. It's working. There are at least 6 sites on the first page of Google results that now render goatse. Thankfully, the first link is the original one for me.
Came here to say the same thing. Unless you're one of today's "lucky 10,000"[0] who haven't ever encountered goatse before, there's no need to verify this :D
I've managed to never see goatse so far. Not because I'm new or innocent, but because I've learned my lessons. I don't think the 10,000 really applies to this situation. It's certainly not something that everybody needs to see at some point in their lives (or so I've been led to believe).
This is a different twist on that xkcd - if you haven't seen goatse before, consider yourself truly lucky, and enjoy not experiencing this particular cognitohazard.
I run three word games, this stuff happens for all of them. It sucks but I would never do what they did, it's abusive to the people who just googled your game and ended up on the wrong site.
I've had teachers and students reach out to me to say they play my game in class every day together. And parents who play with their kids every day, and adults who text their results to each other every day.
It sucks if they end up doing it on an ad-ridden site when I built an experience that asks nothing of them. But it would suck even more to goatse them.
Devil's advocate: OP's approach is a form of inoculation against the ad-powered Internet. The experience may not be pleasant, but it drives the right message, and quite memorably so.
100%, and not just as devil's advocate. Let the punishment fit the crime.
My sympathies are entirely on the side of the game's author. It's just an obscene image -- the "collateral damage" in this case is perfectly acceptable and imo fair because it damages the brands of the illegal hosters.
I don't have a problem with OP's approach and I think he should be free to put whatever he wants on the content-stealing sites, but he didn't have to make it sexual.
A very annoying, loud, visually busy animation would've sufficed. Baby shark at maximum volume, or a continuous fart sound, or maybe just a high pitched beep would also sufficiently scare away people.
By showing porn in a place that he knows minors and other protected groups will visit, they violate decency laws in a whole bunch of countries. They probably wouldn't if this was accidental (i.e. they sold their domain to a third party that turned it into a porn site) but in this case they admit this was very much intentional.
Yeah this is actually basically what YouTube does when you embed a video and their settings don't allow embedding for that particular video. "Video unavailable - Watch on YouTube"
It is not this developer's job to parent someone's kids. It is a parent's responsibility to make sure their child only gets access to the appropriate websites when they are young.
You could, however, easily block the game and render a message directing users to your actual site if you detect they are using the site in an iframe. What legitimate reason can there be for that?
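The check suggested here, rendering a message that points users to the real site when the page is loaded inside someone else's iframe, is a few lines of client-side JavaScript. The following is an added example, not code from any poster: it assumes a canonical host of `example.com` and a page whose body holds the game, and it goes one step further than the comment by also catching the proxied or cached copies mentioned elsewhere in the thread, where the page is served from another hostname rather than framed. The functions take a window-like object so the decision can be tested outside a browser; the fake windows used for testing are constructed.

```javascript
// Added example: detect that a page is framed by, or re-served from, a site other than
// its own, and swap the game for a plain notice linking to the canonical site.
// Assumption: the canonical host is example.com. Functions take a window-like object
// so the decision can be unit-tested with constructed stand-ins.

const CANONICAL_HOST = 'example.com';

// True when this window is not the top-level browsing context. Comparing the references
// is permitted even when the parent is cross-origin; the try/catch only guards runtimes
// that throw on the access, which is treated as "framed" as well.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// True when the page is served from its own hostname (with or without www). A proxy or
// cached copy on another host ships this same script to the visitor's browser, where
// location.hostname is the copy's host, so the check catches that case too.
function isOnCanonicalHost(location, canonicalHost) {
  const host = String(location.hostname || '').toLowerCase();
  return host === canonicalHost || host === 'www.' + canonicalHost;
}

// 'ok' when the page is where its author put it; otherwise the reason it is not.
function placementStatus(win, canonicalHost) {
  if (isFramed(win)) return 'framed';
  if (!isOnCanonicalHost(win.location, canonicalHost)) return 'mirrored';
  return 'ok';
}

// Escape the characters that matter when interpolating text into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Notice shown instead of the game; target="_top" makes the link escape an iframe.
function noticeHtml(canonicalHost, status) {
  const url = 'https://' + canonicalHost + '/';
  const reason = status === 'framed'
    ? 'This site has embedded the game inside its own page.'
    : 'This site is serving a copy of the game.';
  return '<p>' + escapeHtml(reason) + ' To play the original, visit ' +
    '<a href="' + escapeHtml(url) + '" target="_top">' + escapeHtml(url) + '</a> directly.</p>';
}

// Replaces the page body with the notice when the placement is wrong; returns the
// status so callers (and tests) can see what was decided. On a real deployment, also
// send Content-Security-Policy: frame-ancestors 'self' from the server for the iframe
// case; the client-side check is the one that survives proxying, though a proxy that
// rewrites scripts can strip it, so treat it as a speed bump rather than a wall.
function guardPlacement(win, canonicalHost) {
  const status = placementStatus(win, canonicalHost);
  if (status !== 'ok') {
    win.document.body.innerHTML = noticeHtml(canonicalHost, status);
  }
  return status;
}

// Runs automatically in a browser; no-op under Node so the functions can be tested.
if (typeof window !== 'undefined') {
  guardPlacement(window, CANONICAL_HOST);
}
```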
I've had the same with my word game. People will report a bug and then I find out they are on some ad-ridden copycat.
For my app it's reached multiple levels. One of the app thieves has embedded another app thief.
https://imgur.com/a/0qW0y1r
The most frustrating thing for me is fucking Google. Their search results are so bad these days I can't get my game to the top even though thousands play it every day and link to it on social media. I'm at the top of Bing, DDG, Kagi. These sites run links to each other and Google's dumb algo loves it.
Usually they don't use iFrame but proxy the whole request. Since using CloudFlare as my CDN a few of the app thieves have been defeated.
Yeah, my experience is also that they're mostly proxies and iframes are a minority. Some serve a cached version of the site (since like most of these, my sites are static - they do update to get the updated answer lists though, since I manually set the puzzles a bit in advance.)
Some of the sites that host their own cached copy even go out of the way to remove the credits and contact info from the page.
Definitely feels like a "report this website to google" button would be fantastic, if there was a way to automate/simplify such a thing for 1-3 clicks.
Life is a meaningless crawl towards the heat death of the universe. Childish behavior is the most appropriate attitude one can have towards most things.
I am absolutely not a lawyer, but I wouldn't do something like this for fear of falling afoul of anti-obscenity laws.
For instance, the UK has a cyberflashing law which allots a two year custodial sentence for sending a graphic image (by any means) with intent to cause distress.
Yup, copyright law is a civil matter (you as copyright holder have to pursue it), obscenity / pornography is something else (the government will go after you).
I’m not a lawyer, but there are all kinds of extremely broad computer crime statutes on the books. No prosecutor would bring this case. This would flagrantly violate the spirit of the law, which was intended to stop unsolicited dick pics and other forms of targeted harassment. It would certainly not merit extradition to the UK, or the UAE for that matter.
It’s not worth worrying about such extreme what-if cases. If the Feds were so determined to destroy an innocent person in a kangaroo court, there’s easier ways of doing so. They could plant CSAM on the server. They could coerce an informant to accuse you of SA (like they did to Assange).
Realistically, the worst sanction this dev could reasonably expect, is to have their domain taken down. That’s what happened to the OG .cx domain, after all…
And I'm sure the British courts will rule in the author's favour when the lawsuit is filed, but that doesn't make flashing other users legal.
Then again, I doubt someone is going to file a police report, especially when the URL of the page would bring the reports to an entirely different web page in the first place.
Third party site asks user's browser to request an image from the author. User requests an image from the author. Author says "sure thing", distributes an image of goatse to the user.
And, especially in the context where the same result could have been achieved as easily without resorting to law-breaking, how does that constitute a license to break other laws?
Why not just "out" them and provide a link to the original domain?
"To play Sqword, please visit <domain> directly. You are currently visiting a site that has put ads around the original game without the game creator's consent."
By replacing it with goatse, a number of people will think, "I wanted to play Sqword but now it's pornographic" and never play again.
Not only this, but I imagine some of the less tech savvy end users (kids, grandparents) would be the ones who found the game from one of these parasitic sites inundated with ads. The goatse image doesn’t help those users. They probably won’t realize what that’s about and then just stop playing altogether.
Eventually the bandwidth was getting hammered by a huge number of leechers seemingly from some apps that had simply hard-linked to the resources.
After replacing said resources [0] they soon ceased but not without a slew of abusive and entitled emails demanding I restore the SFX.
Oh fun times!
[0] https://fukpig.bandcamp.com/track/all-of-you-are-cunts-and-i...
What an entitled bunch
- https://phabricator.wikimedia.org/T273741
- https://news.ycombinator.com/item?id=26072025
So many downloads.
I'm downright shocked that this wasn't Rick Astley.
Or so he says, it may have been mostly copycats after a time.
So I threw up a little 'surprise' for the ahem penetration testers ahem, if you feel brave: https://www.thran.uk/wp-login.php
[0] - https://xkcd.com/1053/
edit: folks the xkcd lucky 10k reference was a joke, settle down
e.g. NSFW https://goatkcd.com/1053/
I'd guess the author is pretty young.
Definitely childish though.
I'd guess you're pretty old.
That's not to say that Goatse wasn't the correct option in this case.
He's the one specifically replacing one thing with another under some circumstance. Not the person embedding it or the one hosting the image.
As there is no cyberflashing on the source website when you go to verify, that's how it ought to be, dunno UK law.
https://joshcsimmons.com/post/eJyVlD2PgzAMhvf8Cm8HlcD76dSlf8...
Created using
>Yesterday one of my collaborators googled "sqword" and to his surprise, there were tons of first-page results that weren't the sqword.com domain.