Once, out of the kindness of my foolish heart, I ran a server with a
lot of great sound effects for all and sundry to download.<p>Eventually the bandwidth was getting hammered by a huge number of
leechers seemingly from some apps that had simply hard-linked to the
resources.<p>After replacing said resources [0] they soon ceased but not without a
slew of abusive and entitled emails demanding I restore the SFX.<p>Oh fun times!<p>[0] <a href="https://fukpig.bandcamp.com/track/all-of-you-are-cunts-and-i-hope-you-fucking-die" rel="nofollow noreferrer">https://fukpig.bandcamp.com/track/all-of-you-are-cunts-and-i...</a>
Ah, I had a similar idea. There were too many bots or vulnerability scanners hitting /wp-admin.php on my blog. It was flooding my access logs with 404s because I don't rock wordpress. Irksome stuff.<p>So I threw up a little 'surprise' for the <i>ahem</i> penetration testers <i>ahem</i>, if you feel brave: <a href="https://www.thran.uk/wp-login.php" rel="nofollow noreferrer">https://www.thran.uk/wp-login.php</a>
I formerly worked for a small RealEstate aggregation/publication software company with large market adoption, and a well-known competitor started deep linking to the images within our custom-written resizing image cache server, and continued to do so after several polite requests to stop. Image traffic is the bulk of network traffic for RealEstate data, and their stollen traffic was very significant, cutting into our own available bandwidth and costs.<p>We slyly added referrer-based logic which would, with 1/20 probability, serve the Goatse.cx image instead.<p>Needless to say, within 48hrs we never received another deep link request from that competitor.
I don't know why I checked but uhh yup. It's working. There are at least 6 sites on the first page of Google results that now render goatse. Thankfully, the first link is the original one for me.
I run three word games, this stuff happens for all of them. It sucks but I would never do what they did, it's abusive to the people who just googled your game and ended up on the wrong site.<p>I've had teachers and students reach out to me to say they play my game in class every day together. And parents who play with their kids every day, and adult who text their results to each other every day.<p>It sucks if they end up doing it on an ad-ridden site when I built an experience that asks nothing of them. But it would suck even more to goatse them.
I am absolutely not a lawyer, but I wouldn't do something like this for fear of falling afoul of anti-obscenity laws.<p>For instance, the UK has a cyberflashing law which allots a two year custodial sentence for sending a graphic image (by any means) with intent to cause distress.
Why not just "out" them and provide a link to the original domain?<p>"To play Sqword, please visit <domain> directly. You are currently visiting a site that has put ads around the original game without the game creator's consent."<p>By replacing it with goatse, a number of people will think, "I wanted to play Sqword but now it's pornographic" and never play again.
Alternatively, you could just make it so that people are taken to sqword.com instead: <a href="https://stackoverflow.com/questions/580669/redirect-parent-window-from-an-iframe-action" rel="nofollow noreferrer">https://stackoverflow.com/questions/580669/redirect-parent-w...</a>
It’s really pathetic that Google is happy to profit off of these theft sites. They will never fix their search results because they are the ones selling the ads on behalf of the scammers. Break up the monopoly.
This is hilarious, but I think the most mature thing to do would have been to detect if the site is inside an iframe and if so add a polite link saying "click here to go to sqword.com and play this game ad free".
In 2003 or so, I was really amused by the ORLY owl memes, so I collected them and stuck them in a public directory on my webserver. I have no idea how it was found, but at some point my open directory got indexed by google.<p>I found out because my host emailed me saying I had hit my bandwidth quota for the month... 2 days into said month. So digging through logs I found the biggest offenders, there were forums where people linked just about every image I had.<p>A little htaccess magic later, any request that came from a non-allowist referer was instead served a rather crude message I quickly put together in MS paint.<p>No one contacted me about it, but it was amusing watching these threads where people were getting upset when they thought they were going to see funny owl pics.
I had a similar problem with freeloaders, though my project was a backend service that didn't have a UI.<p>My solution (safe for work, not harmful): <a href="https://wordstream.freeloader.wtf/" rel="nofollow noreferrer">https://wordstream.freeloader.wtf/</a>
Just to play devil's advocate here:<p>* The people you're hurting with the goatse image are mostly not the people wrapping your game in an iframe, but rather the people playing games on the game aggregator sites. Probably includes many teenagers and children.<p>* The game aggregator sites are bringing your game to a wider audience. For gamers who don't know the name of a specific game they want to play, it's nice to be able to browse through a directory of games. The game aggregator sites aren't competing with you in terms of Google search results, they're adding your game to their collection and sharing their collection with everyone. Yes, they're supported by advertising, but I'd argue game aggregator sites are still generating a ton of consumer surplus. (For example, many users are blocking ads.)<p>If you still want to hurt the game aggregator sites for some reason, just include a message on the game loading screen that says "play without ads at sqword.com". Easy.
Back in the early 2000s my secondary DNS server was getting slammed with MX requests from some spammer. I set up a BIND view for just that requesting IP that returned the IP of the FBI mail server for every MX request. I then contacted the spammer’s ISP and told them what I had done. I’ve never seen an ISP take their customer down so quickly.
Kind of reminds me of the guy who owned graphics.com who would get requests from people who wrote //graphics/foo.gif instead of /graphics/foo.gif (Netscape and/or IE would, in those days, transform graphics into graphics.com when it couldn’t find the domain graphics). He set it up so that he would serve up an image informing the consumer that they had a malformed link and would get angry emails from webmasters (remember that term?) claiming he had hacked their sites.
Just keep in mind some kids might be playing these games. So while it might be satisfying to stick it to the sites that are stealing your code, you might traumatize a child.
I had a dream once, in about 2000 or so, that I was touring a "smart home" that featured display panels on the walls, cabinet faces, etc. that could be reconfigured to display whatever you wish: flowers in the spring, foliage in the fall... a complete change of décor at the touch of a button.<p>While I was touring it, the smart home was hacked. And suddenly... goatse. In every room, on every surface, that same gaping orifice.<p>I woke up sure of one thing: Smart homes... not even once.
This just jogged my memory of a fun site from ca. 2006 that did something similar - stealing bandwidth from fake bank and lottery scam sites:<p><a href="http://web.archive.org/web/20060113021154/http://aa419.org/vampire/ladvampire.php" rel="nofollow noreferrer">http://web.archive.org/web/20060113021154/http://aa419.org/v...</a> (SFW)
Very much NSFW lol<p><a href="https://wordlewebsite.com/sqword" rel="nofollow noreferrer">https://wordlewebsite.com/sqword</a>
Another fun thing to do would be showing an infinite "loading..." indicator and fetch as many resources as possible from the parasitic website in a tight loop with a cachebreaker. That should inflate their bandwidth costs quite a bit.
I'm not sure everyone who sees the graphic image might fully understand what's going on. They might just think there's something wrong with sqword, not the site that's stealing it, and repelling potential players as a result.
This is pretty funny and reminded me of the first website I had ever made (probably sometime around 6th grade, back when <marquee> was cool). I’d found that most of the flash games I enjoyed had either embed codes or could just be embedded manually using an iframe. So I made a library of my favorite embedded games in a small folder of HTML files, which I FTP’d onto some server I had access to for some reason. If this goatse alternative to CSP had been used I am sure I would have gotten in a lot of trouble, which is funny to think about today.
Somebody is doing something similar to my Chrome extension. They stole the (minified) code, slapped their own logo on top of it and started selling it. I filed a DMCA takedown request at Google and they removed the extension. Then the guy reuploaded the extension again with a slightly different UI. But I can still see that the underlying code is all mine!
I did a similar thing almost 20 years ago. The Swedish National Pensioners' Organisation was hotlinking an image from my server. I can't really remember exactly what it was, but it was something harmless, like a picture of a cat. Teenage me thought it was super fun to change this image to something more explicit.
Can you still break out of iframes (like <a href="https://stackoverflow.com/a/25871549" rel="nofollow noreferrer">https://stackoverflow.com/a/25871549</a>) and make the parent page redirect or do newer browsers prevent stuff like that?
I wonder if there is a way to host known (ideally known-but-disabled) malware, and get the parent frame site on browser blocklists, without getting the sqword domain blocked?<p>Probably not, but that would be even better than a goatse troll.. actually hit them where it hurts; their ad revenue.
There is a similar kind of anti-scraping technique, where you serve fake data that looks very realistic, but a part of it is modified in some way that renders it useless.<p>Of course the challenge there is good bot detection to not accidentally serve fake data to a legitimate user.
This method primarily attacks innocent people. If someone is playing the author's game on another website then they likely don't know what the official website is. He has hurt his own players more than the people trying to make money off of his work.
And here I thought goatse was just for trolling and arp- and IP-spoofing <a href="http://" rel="nofollow noreferrer">http://</a> on unprotected Wi-Fi.<p>PS: NSFW in case the casual observer never encountered the horror that was goatse.cx:<p>NSFW <a href="https://web.archive.org/web/20010518002205/http://www.goatse.cx/" rel="nofollow noreferrer">https://web.archive.org/web/20010518002205/http://www.goatse...</a> NSFW
What is going on with that URL? Does it encode the entire post?<p>...Yes, it does. What an odd decision. I'd link to the page where he explains it, but it also has a half-page URL.
> the early 2000s internet shock image Goatse<p>The images of Kirk Johnson’s feat of butthole stretching started circulating in 1997.<p><a href="https://www.gawker.com/finding-goatse-the-mystery-man-behind-the-most-disturb-5899787" rel="nofollow noreferrer">https://www.gawker.com/finding-goatse-the-mystery-man-behind...</a>
When I lived in Melbourne, I found someone's car with GOATSE as the personalised licence plate and of course took a photo. This was only about 10 years ago. I've got the photo still. It was a fantastic rude word filter reach-around against the registration office, so to speak.
It’s a bit of a stretch to use the term “theft” in the headline (and “steal” in the image) to describe this situation, no?<p>Neither unauthorized hotlinking nor iframe embedding are “theft” or “steal”ing.
On my book it's fair, but I suspect in some countries it may lead to legal complications. So I recommend not to replicate the approach before making sure it won't backfire.
What is with the crazy URL to this blog post? I was going to share it with some friends, but then I copy/pasted the link and I'm not sharing that monster with anyone.
So someone who plays the game and who doesn't know it's embedded in an iframe and the site is actually stealing the game is shown a shock image?<p>In my opinion that's wrong.
The world we live in: people somehow feel more comfortable posting shock/traumatic images than regular consensual porn.<p>This is one of the few parts of internet culture I hope to see the end of. We can be edgy and offensive <i>without</i> traumatizing each other.
> The mature and responsible thing to do would have been...<p>You were triggered, and so you lashed out with an attack aimed at bystanders.<p>"mature and responsible" have nothing to do with it. The word is: immoral.
No comment on how instead of retaliating against the thieving website, he's retaliating against the –probably unknowing– users that just happened on those websites through Google?<p>(Some among whom are probably children)
> This made me angrier than it should have - not because Sqword is a cash cow - we don't run ads on the site and don't make money from it, it's just for fun, but because it was a passion project with friends, something pure and intentionally free to play WITHOUT ads.<p>If the site is for fun and doesn't make money, then how is what these aggregators are doing considered "theft"? Theft of credit for making the app, I guess? I dunno--I'm surprised the article OP is so bent out of shape if it's just a fun throwaway project. I wouldn't care but maybe that's just me.