Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
The Courts Government News

"Defacing" Sites Without Intruding? 42

Posted by Cliff from the weblinks:the-shell-game-of-the-21st-century dept.
clambert asks: "In putting the finishing touches on a recently launched site, I decided to place one of the many 'Powered By PHP' logos on the bottom of the page. Being tired, I carelessly put in a direct link to the file on the server offering the image. The next evening, I was informed that there was a large, offensive picture on the bottom of every page. Apparently, the webmaster of the remote server thought it would be funny to replace the 900 byte PHP logo with a 121KB 'photo' (I'll spare everyone from the details). This was done without contacting any of our admins first, and was clearly a move to deface our site's presentation. Would bandwidth have been their concern, they wouldn't of increased the size of the image being requested. Although we're not considering it, my question is who would have the upper hand if this were a high profile case brought to court. Intentionally defacing a site's appearance, but without breaking into the any of the site's servers." Publishing content on the web largely boils down to a matter of trust. If you are going to link from your homepage to an image, or another web page, you are trusting the author of the web page (and the administrator of that web server, assuming they aren't one and the same) to keep that content intact. So what should happen when that trust is broken, if anything?
This discussion has been archived. No new comments can be posted.

"Defacing" Sites Without Intruding? More

"Defacing" Sites Without Intruding?

Comments Filter:

  • What "trust"? (Score:2)

    by Anonymous Coward
    The way I look at it, unless the admin of the remote site you're linking to has *specifically* given you permission to link to their copy of the image, it's fair game to do whatever they please.

    This is akin to taking out an ad in the phone book for a resturant that you like (without permission or affiliation with said establishment), and a week later it's closed up shop and a beastaility pr0n bookstore has gone up in its place. Sad, unfortunate, and deceiving perhaps, but nothing illegal. After all, its THIER image that you were telling client browsers to load, and from my understanding it was without their permission.

    Just be glad they haven't come after you for using their bandwidth illegally, and learn from your mistakes.

  • Slashdot running out of ideas? (Score:3)

    by Anonymous Coward on Thursday June 28, 2001 @06:55AM (#123005)
    This is the most preposterous posting in recent memory. And that's saying a lot.

  • Re:You're kidding, right? (Score:5)

    by Anonymous Coward on Thursday June 28, 2001 @07:16AM (#123006)
    Come on; didn't you read the post? He was tired. I can sympathize with him. Once, I went to the store to buy several DVD players. It had been a long day, though, so I accidentally went to the loading dock instead of inside the store, and accidentally walked away with the DVD players without paying for them.
  • Or is this just a really poorly-thought-out troll?

    --

  • They have a right to change it, unless you have a contract that says they won't. If you link to an image on someone elses site and they change it then its your problem. If they are doing it to screw you then it might be rude, but it is kind of rude to just link to someone elses images without asking too.

    IANAL.
  • Do you guys even read the questions?

    Of course they read the questions. That's how they reject the questions I ask, which could really benefit from the combined knowledge of several thousand geeky people, and only accept questions that are laughable, like this one, or that could be answered by 30 seconds of googling.

    --
  • Looking at http://www.php.net/download-logos.php, you can see the text, highlighted in red so that even a moron can't miss it: Do not just include the graphic from our servers on your page! Copy the image to your site.


    Now explain to me again why you feel so hard done by? If it had been my server that was getting spammed by your link, I would have replaced it with the goatse image.

    --
  • Not only is the above post about smart tags not off-topic, it should have been modded up as both funny and insightful.

  • HA! (Score:3)

    by waldoj ( 8229 ) <waldo@@@jaquith...org> on Thursday June 28, 2001 @07:02AM (#123012) Homepage Journal
    That's great! I've done the same thing to people on several occasions, after they've remotely called quasi-random images off of my sites. A friend of mine had a site using his site's logo as their logo, through the same method. He served them a banner saying "this site blows goats," or something along those lines, for days.

    I'm guessing that, if you look at the terms of use of that "made with PHP" logo, it will stipulate that you can't call it off their site. Odds are, they saw you violating their terms, figured they'd have a little fun and pulled the old switcheroo. I know it sucks for you, but it seems fair to me. Once you start using other folks' bandwidth without their permission, I figure they've got the right to determine what data they're going to serve you.

    -Waldo
  • Was it an 'official' php logo, that you were given permission to link to, or just off some guys site?

    Can you demonstrate that the guy who ran the site did this specifically to deface your website? How do you know he wasn't defacing his OWN site, and yours just got defaced inadvertently?
  • Criminals physically robbing homes who were shot by the owner have actually won civil cases for the pain and suffering of the gunshot received while commiting a crime. (Which is why you should shoot to kill.)

    Good in theory, but if you killed some jerk that broke into your house you would probably be sued by the morons family instead.

  • Another funny example. (Score:3)

    by AtariDatacenter ( 31657 ) on Thursday June 28, 2001 @09:47AM (#123015)
    There was a well-known eBay dealer of arcade items. I say this person is well known, but well despised is probably a better way of saying it. In order to get a camera icon next to his auctions, he would link to an invalid URL. This invalid URL, in fact, existed on an unregistered domain.

    So what does a community do to an eBay dealer that they don't like? That's right. They registered the domain name, and placed a picture on that URL. It was a suitably blurred image of an ass crack, with some words about getting screwed by the particular seller.

    Well, all but one of that seller's items (and he constantly used that technique on all of his auctions) didn't get bids. Everyone got a good laugh that day. Maybe not the seller. Who knows if he had a case or not, but he wasn't about to pursue it.
  • You implied it was an accidental link, but the fact of the matter is, thats not YOUR image. Sure, you could copy it to your page and then it WOULD be your image, but as long as that image was hosted on someone else's site, it is theirs to do so as they please. If they want to change some random image on their site to a porno image, well, thats their business. If it causes you a problem, you shouldn't have been stealing it anyways.

    Of course, its not really a bandwidth drain on them, of course not. Its just a puny 900 bytes. Why would anyone care? Of course, if you weren't the ONLY one doing it, it might add up after a while. The owner did something that made it clear what his position on the issue was. Sure, he could have just changed the name or something benign like that, but instead he felt like making a point.

    He did not deface YOUR webpage. He changed HIS. The fact that you were lifing images off his site realtime and he decided to change one of those images to inflict you is besides the point.

    -Restil
  • Once he pulls the plug, the theft stops. What he does after that is a poorly considered act of vengence.

    Well put. What if, instead, he merely unplugs all of his own equipment from his own sockets, and then plugs the big, mean, nasty transformer into another one of his own outlets and sends the spike through his own wiring. Without unplugging my extension cord. That seems like a closer parallel to the case we're discussing anyway.

    Ain't this fun? ;)

  • You're kidding, right? (Score:4)

    by Lancer ( 32120 ) on Thursday June 28, 2001 @07:06AM (#123018) Homepage
    1. You create an image tag pointing to a resource on someone else's server.
    2. The administrator of the other server chooses to save another file with the same name on his server.
    3. You feel that you've been violated?
    I know this is going to come off harsh, but you're a moron! When you point to another resource on the net, you're always putting yourself at risk of what may change on that site. When you compound that error by allowing that resource to appear that it's actually part of your site, it's your own damn fault when you end up with egg on your face.

    Moral of the story? Download the image and put it on your own server - don't expect your laziness to be an excuse.

    Jeesh.

  • Hey Slashdot... (Score:4)

    by Lancer ( 32120 ) on Thursday June 28, 2001 @12:11PM (#123019) Homepage
    I was too lazy to call the electric company to set up the electric service at my house, so I decided to run an extension cord into the neighbor's house and that seemed to work alright.

    Well, the other day the jerk hooks my extension cord up to some big, mean, nasty transformer and sent 100,000 volts into all of my electronic equipment. He didn't contact me or anything!

    What do you think, fellow /.'ers, will I win the lawsuit?

  • Okay so this was only 900 bytes of his bandwidth everytime someone loaded your page. However if everyone who displayed a powered by php logo did this the traffic could potentially flood his webserver just to serve some stupid 900 byte image. So he took actions that would most certainly gain your attention so you would correct the problem. LEARN from YOUR mistake and don't do it again. Download the image and put it on your site. I can't believe you would even consider legal action. btw I think Ask Slashdot should be killed off after this post. Do you guys even read the questions?
  • microsoft windows xp with smart pages enabled.

  • One of the big free hosting site(i think it was xoom.com) did exactly what you are suggesting, lot of people started to use them just for image hosting, that cost them money for bandwidth, but they didnt get any revenues for ad views. So when the http refer was not from there domain name, you got there logo, instead of the image you wanted.
  • Doesn't this kind of behavior risk breaking the HTTP standard?

    A lot of sites do things like this:

    1) incoming request for .mp3 file?
    2) serve a page instead
    3) displays lots of ads
    4) provide a link to self
    5) referr tag is self?
    6) serve content

    Having obvious binary data be replaced by webpages, or worse, having them effectively be changed from static to dynamic content, makes sites a horrible mess for multimedia search engines and the like. This is the same sort of behavior as making pages only linked through javascript, so smaller browsers, search engines, or browsers that haveed javascript disabled aren't able to get to those pages.

    Of course, one guy did that on purpose, because he paid for his bandwidth and his page got popular; he wanted to have as few hits as possible...
  • What do you think, fellow /.'ers, will I win the lawsuit?

    I agree with your sentiment, and realize you're joking, but in the hypothetical example you pose, you would probably win. Sure, you've stolen from him, but that doesn't give him the right to damage your equipment. He could file criminal charges for the theft and might even be able to make you pay his entire electric bill. You could still sue him in civil court for damaging your stuff (maybe even press charges as well.) Once he pulls the plug, the theft stops. What he does after that is a poorly considered act of vengence.

    Criminals physically robbing homes who were shot by the owner have actually won civil cases for the pain and suffering of the gunshot received while commiting a crime. (Which is why you should shoot to kill.)
  • I agree, that is a closer analogy. Assuming he was smart enough to explain that he was seeing an unexplained energy drain and figured he'd find the cause with 10,000 volts (follow the boom.)

    Ain't this fun? ;)

    I guess once we've bit into this flamebait of an "Ask Slashdot", might as well run with it.
  • When did humor become offtopic? "Oh, he mentioned Microsoft, he must be away from the center of the thread." Yeah, and just because I say that *nix is more stable than Windows, I'm bashing MS. Sheesh.

    Louis Wu

    "Never, ever, EVER trust a telepath. I'm going to have that tattooed on my eyelids."

  • Once, a long long time ago, I was checking out the stats for my webpage with the Webalizer [mrunix.net] and was noticing an awful lot of referrals from eBay. Manually parsing my Apache log files I found the auction number and looked it up...

    Imagine my surprise when I found it was some lamer selling burned CD's of encoded anime fansubs. Being friends with people who encode fansubs (freely) I was most put out by the fact that some scumbag was attempting to profit from it. There was only one thing I could do...

    Since the lamer had linked to a (huge) wallpaper image on my site to use as his page background I did the sensible thing: renamed the wallpaper, downloaded the picture of Sting3r (the goatse guy) and stuck it in place of the wallpaper's original filename.

    Needless to say eBay pulled the auction in short order, something they wouldn't have done if I'd simply cried "copyright infringement!"
  • What comes next? Ask slashdot from VA Linux management complaining that the lights are being turned off for non-payment?

    If you are going to steal someone's content, at least copy the goddamn image.

  • So you're telling me.... (Score:5)

    by ZanshinWedge ( 193324 ) on Thursday June 28, 2001 @11:54AM (#123029)
    That you were too lazy to copy an 800 byte image to your own server and link to that? Yes, I recognize that such tasks are a huge chore. Hell, it would probably take an hour just to download the image, and another hour reading through documentation and sending emails to support lists to figure out how to move the image to a directory you can link to, and then probably at least half an hour (again, slogging through that documentation) to figure out how to change the image link in your html document. And then there's the cost issue. Hard drives aren't cheap, and 800 bytes is almost two full sectors! Plus you have the inconvenience of having 800 bytes of storage space on your system no longer available for other uses. All around it is just a day long pain in the ass ordeal. But, once you are finally finished the good news is that your site won't be able to be defaced like that anymore.
  • It's their website, and they can do whatever the fuck they want to with it, whether or not this defaces your website by association. Even if that was their intent, so what? Its their site, and whether or not they've given u permission to linkt to their site, they can change it however they want. As a site developer, its your job to make sure that you link to sites that represent you and your site desireably, and eliminate those links if they cease doing so. Stop your whining.

    Besides, you don't have the right "not to be defamed/defaced/insulted/accused/". There is, however, the right to free speach. This means that I can say right here, that your site is pornographic, innappropriate, or illegal, irrelevant of whether or not it is true. If the right to free speach only applies in so far as YOU or some other person thinks people are speaking the truth, it doesn't mean shit.
  • You already know the first one...

    1) Shoot

    ...but you forgot

    2) Shovel
    3) Shut up

    ---
    nuclear presidential echelon assassination encryption virulent strain
  • I do the same thing on my site [jraxis.com] when people embed my images in their pages. They get this image [jraxis.com]* instead, once I find out. :) Once my web host upgrades Apache, I can also play around with checking referrers to do this globally instead of manually finding out and renaming the image file.

    * Warning: Don't click that unless you know what you're doing; you probably know what's there already anyway.

  • I do both [slashdot.org] when I find out people are using my images.
  • Unless it was a site that said "here, link to these images" I don't think you have much to complain about.
  • it still seems a bit ridiculous that he would replace the file with pornographical content rather than just slapping a "STOP STEALING MY CONTENT" image or something similar.

    I don't know about that. I think that's a damned amusing way to handle the situation. I mean, which would get your attention faster:

    1. A image that says "STOP STEALING MY CONTENT"
    2. A image so lewd that your users start emailing you and letting you know that there is some weird porn on the page you're serving up.

    I think the porn was a great solution. ;-)

  • >figured he'd find the cause with 10,000 volts (follow the boom.)

    Follow the boom? more like smell the smoke

    ONEPOINT

  • Re:If its on their web site (Score:4)

    by onepoint ( 301486 ) on Thursday June 28, 2001 @08:38AM (#123037) Homepage Journal
    I think there is a case about this. It's under the terms of deep linking. Zackary ( post # 3) is correct. Your only secure about the image if you have a contract for that image. Otherwise you will be subject to the other parties mood ( in your case not so good )

    Also you could consider the bigger problem. Bandwidth theft. I'm not sure of the following ( i don't know of any legal cases ) but from what I have learned is: I can not take an image from your server without your permision. Even if the image is free to use ( public domain). I have to copy it from your site to mine. then I can have it on my site.

    ONEPOINT


  • I said: if (defined referrer_header && referrer_header not =~ /.+http:\/\/www.mysite.com\/.+/i) { image = "goatsex.jpg" } else { image = "logo.jpg" } So if your proxy or firewall strips out the referrer header you still get logo.jpg and not goatsex.jpg. This only subtracts slightly from the overall punitive effect because most firewalls and proxies do not strip out the referrer header and a large percentage of surfers on the net don't use them anyway. Major free web space providers (tm) like fortunecity do this so that they're not abused as image repositories for other websites. User pages that rely on stealing other people's bandwidth get fucked up so bad that they're unuseable and that's a good thing.

  • Use the referrer http header (Score:3)

    by gd23ka ( 324741 ) on Thursday June 28, 2001 @12:33PM (#123039) Homepage
    Oh boy, you've been caught red handed and you have the nerve to complain! I double dare you to steal bandwidth from one of my sites, it'll be my pleasure to _really_ humiliate you.

    BTW.. there's a way to automate that kind of behavior, i.e. remind people not to link directly by changing the image, kind of like an anti-theft device: Use the referrer http header field, check whether it's present and if it is and it's not your site then serve whatever you deem should go on their thiefing sites.
  • Criminals physically robbing homes who were shot by the owner have actually won civil cases for the pain and suffering of the gunshot received while commiting a crime. (Which is why you should shoot to kill.)

    If you kill someone for breaking into your home, you will find yourself in front of a judge explaining how you knew the intruder was trying to rob you. Killing someone to protect yourself is an affirmative defense. The burden of proof is on the defendend.

    It is entirely possible that the intruder was there to report an accident, call an ambulance, or thought they were walking into their friend's new house, but were really just lost.

  • make some JavaScript to do naughty things.

    Make a javascript that opens a window of itself! while(true) { window.open("evilscript.html") } muhuhahaha! No one would ever go to their site again! They would also call M$ for tech support.

    D/\ Gooberguy
  • ...moderate a story as flamebait? (Up, that is.) 'Cause this story sure fits the bill. Cliff must have decided to have some fun with this moron.
  • It was a great solution in respects to convincing the offending webmaster not to link to his material rather than asking permission and save the file locally for use on his web presence.

    It was no a great solution in respects to the defacement of the person(s) web site whom decided to link to the image. While it seems a bit harsh, I agree that it was a great way to convince the webmaster to discontinue the links to the image's location. However, I just don't see it as a reasonable way for someone to convince another developer to stop linking to their images.

  • Well, the administrator of the web site, to which you have linked to, is in charge on this subject. It is his file to modify, wether or not anyone has linked to it. So, a possible remedy for this situation would have been to simply save the file and load/link it from your server/hosting account.

    Either way, it is entirely the administrator's call on how to modify his/her files. While this case makes it very apparent that the admin didn't appreciate people using his bandwidth, it still seems a bit ridiculous that he would replace the file with pornographical content rather than just slapping a "STOP STEALING MY CONTENT" image or something similar. After all, 900 bytes wouldn't exactly crush his bandwidth (assuming the network is on broadband connectivity), unless multiple developers were linking to it.

    Now, if this defacement had been something similar to the defacement of the NASA site (article [macworld.com]), then you would have a case.

    Well, in conclusion: I suggest that anyone linking to web site files (namely images) save them onto hard disk and upload them to their own hosting account or server. There's no legitimacy in using someone else's bandwidth. Of course, make sure the administrator gives you explicit rights to use the image in the event it is copyrighted.

  • Defacement 101 (Score:3)

    by Ferd Lamarche ( 463454 ) on Thursday June 28, 2001 @06:29PM (#123045) Homepage

    There are other ways to deface websites even if you aren't fortunate to have the administrator link to one of your images. For example, if the website has a search feature and lists the "top-10 search queries", just search for "fuck you" or "this website sucks" over and over.

    Websites with open submission queues for stories allow easy defacement by filling them with profanity.

    Open discussion boards like Slashdot but without Slashdot's antitrolling features (the lameness filter) are big targets:

    1. post a long string of M's or W's (or any character) to force the browser to display a horizontal scrollbar and possibly make the discussion hard to follow
    2. if HTML is enabled, or the title or your account name aren't filtered, enter HTML <IMG> tags to link to disgusting images, or if you're really clever, make some JavaScript to do naughty things. Don't forget style sheets! Try <P STYLE="background-image: url(http://goatse.cx/hello.jpg);"> or just obnoxiously large text using <P STYLE="font-size: 250px;">.
    3. Post the same thing over and over [slashdot.org].
    4. Post HTML to disrupt the tables containing the comments (like "Last post!! </TD></TR></TABLE>
    5. Obscene ASCII art
    Basically, if the Slashdot lameness filter traps it, make sure your target board doesn't!

    Linking to an image another site is unwise for another reason -- the administrator of the other site can delete the image. If it's not a commonly-found image, you've lost it! But if you copy it locally, you may get into copyright-related trouble. So it's kind of a dilemma. But in your case, you should have definitely copied it locally...

Slashdot Top Deals

To do nothing is to be nothing.

Close