Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Defacing" Sites Without Intruding?

Posted by Cliff on from the weblinks:the-shell-game-of-the-21st-century dept.

clambert asks: "In putting the finishing touches on a recently launched site, I decided to place one of the many 'Powered By PHP' logos on the bottom of the page. Being tired, I carelessly put in a direct link to the file on the server offering the image. The next evening, I was informed that there was a large, offensive picture on the bottom of every page. Apparently, the webmaster of the remote server thought it would be funny to replace the 900 byte PHP logo with a 121KB 'photo' (I'll spare everyone from the details). This was done without contacting any of our admins first, and was clearly a move to deface our site's presentation. Would bandwidth have been their concern, they wouldn't of increased the size of the image being requested. Although we're not considering it, my question is who would have the upper hand if this were a high profile case brought to court. Intentionally defacing a site's appearance, but without breaking into the any of the site's servers." Publishing content on the web largely boils down to a matter of trust. If you are going to link from your homepage to an image, or another web page, you are trusting the author of the web page (and the administrator of that web server, assuming they aren't one and the same) to keep that content intact. So what should happen when that trust is broken, if anything?

13 of 42 comments (clear)

  1. Slashdot running out of ideas? by Anonymous Coward · · Score: 3

    This is the most preposterous posting in recent memory. And that's saying a lot.

  2. Re:You're kidding, right? by Anonymous Coward · · Score: 5

    Come on; didn't you read the post? He was tired. I can sympathize with him. Once, I went to the store to buy several DVD players. It had been a long day, though, so I accidentally went to the loading dock instead of inside the store, and accidentally walked away with the DVD players without paying for them.

  3. If its on their web site by Zachary+Kessin · · Score: 3

    They have a right to change it, unless you have a contract that says they won't. If you link to an image on someone elses site and they change it then its your problem. If they are doing it to screw you then it might be rude, but it is kind of rude to just link to someone elses images without asking too.

    IANAL.

    --
    Erlang Developer and podcaster
    1. Re:If its on their web site by onepoint · · Score: 4

      I think there is a case about this. It's under the terms of deep linking. Zackary ( post # 3) is correct. Your only secure about the image if you have a contract for that image. Otherwise you will be subject to the other parties mood ( in your case not so good )

      Also you could consider the bigger problem. Bandwidth theft. I'm not sure of the following ( i don't know of any legal cases ) but from what I have learned is: I can not take an image from your server without your permision. Even if the image is free to use ( public domain). I have to copy it from your site to mine. then I can have it on my site.

      ONEPOINT


      --
      if you see me, smile and say hello.
  4. You're a moron who got exactly what you deserved by ptomblin · · Score: 4

    Looking at http://www.php.net/download-logos.php, you can see the text, highlighted in red so that even a moron can't miss it: Do not just include the graphic from our servers on your page! Copy the image to your site.


    Now explain to me again why you feel so hard done by? If it had been my server that was getting spammed by your link, I would have replaced it with the goatse image.

    --

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  5. HA! by waldoj · · Score: 3

    That's great! I've done the same thing to people on several occasions, after they've remotely called quasi-random images off of my sites. A friend of mine had a site using his site's logo as their logo, through the same method. He served them a banner saying "this site blows goats," or something along those lines, for days.

    I'm guessing that, if you look at the terms of use of that "made with PHP" logo, it will stipulate that you can't call it off their site. Odds are, they saw you violating their terms, figured they'd have a little fun and pulled the old switcheroo. I know it sucks for you, but it seems fair to me. Once you start using other folks' bandwidth without their permission, I figure they've got the right to determine what data they're going to serve you.

    -Waldo

  6. Another funny example. by AtariDatacenter · · Score: 3

    There was a well-known eBay dealer of arcade items. I say this person is well known, but well despised is probably a better way of saying it. In order to get a camera icon next to his auctions, he would link to an invalid URL. This invalid URL, in fact, existed on an unregistered domain.

    So what does a community do to an eBay dealer that they don't like? That's right. They registered the domain name, and placed a picture on that URL. It was a suitably blurred image of an ass crack, with some words about getting screwed by the particular seller.

    Well, all but one of that seller's items (and he constantly used that technique on all of his auctions) didn't get bids. Everyone got a good laugh that day. Maybe not the seller. Who knows if he had a case or not, but he wasn't about to pursue it.

  7. You're kidding, right? by Lancer · · Score: 4
    1. You create an image tag pointing to a resource on someone else's server.
    2. The administrator of the other server chooses to save another file with the same name on his server.
    3. You feel that you've been violated?
    I know this is going to come off harsh, but you're a moron! When you point to another resource on the net, you're always putting yourself at risk of what may change on that site. When you compound that error by allowing that resource to appear that it's actually part of your site, it's your own damn fault when you end up with egg on your face.

    Moral of the story? Download the image and put it on your own server - don't expect your laziness to be an excuse.

    Jeesh.

    --
    Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
  8. Hey Slashdot... by Lancer · · Score: 4
    I was too lazy to call the electric company to set up the electric service at my house, so I decided to run an extension cord into the neighbor's house and that seemed to work alright.

    Well, the other day the jerk hooks my extension cord up to some big, mean, nasty transformer and sent 100,000 volts into all of my electronic equipment. He didn't contact me or anything!

    What do you think, fellow /.'ers, will I win the lawsuit?

    --
    Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
  9. I've done this myself on eBay.... by Echo|Fox · · Score: 4

    Once, a long long time ago, I was checking out the stats for my webpage with the Webalizer and was noticing an awful lot of referrals from eBay. Manually parsing my Apache log files I found the auction number and looked it up...

    Imagine my surprise when I found it was some lamer selling burned CD's of encoded anime fansubs. Being friends with people who encode fansubs (freely) I was most put out by the fact that some scumbag was attempting to profit from it. There was only one thing I could do...

    Since the lamer had linked to a (huge) wallpaper image on my site to use as his page background I did the sensible thing: renamed the wallpaper, downloaded the picture of Sting3r (the goatse guy) and stuck it in place of the wallpaper's original filename.

    Needless to say eBay pulled the auction in short order, something they wouldn't have done if I'd simply cried "copyright infringement!"

  10. So you're telling me.... by ZanshinWedge · · Score: 5

    That you were too lazy to copy an 800 byte image to your own server and link to that? Yes, I recognize that such tasks are a huge chore. Hell, it would probably take an hour just to download the image, and another hour reading through documentation and sending emails to support lists to figure out how to move the image to a directory you can link to, and then probably at least half an hour (again, slogging through that documentation) to figure out how to change the image link in your html document. And then there's the cost issue. Hard drives aren't cheap, and 800 bytes is almost two full sectors! Plus you have the inconvenience of having 800 bytes of storage space on your system no longer available for other uses. All around it is just a day long pain in the ass ordeal. But, once you are finally finished the good news is that your site won't be able to be defaced like that anymore.

  11. Use the referrer http header by gd23ka · · Score: 3

    Oh boy, you've been caught red handed and you have the nerve to complain! I double dare you to steal bandwidth from one of my sites, it'll be my pleasure to _really_ humiliate you.

    BTW.. there's a way to automate that kind of behavior, i.e. remind people not to link directly by changing the image, kind of like an anti-theft device: Use the referrer http header field, check whether it's present and if it is and it's not your site then serve whatever you deem should go on their thiefing sites.

  12. Defacement 101 by Ferd+Lamarche · · Score: 3

    There are other ways to deface websites even if you aren't fortunate to have the administrator link to one of your images. For example, if the website has a search feature and lists the "top-10 search queries", just search for "fuck you" or "this website sucks" over and over.

    Websites with open submission queues for stories allow easy defacement by filling them with profanity.

    Open discussion boards like Slashdot but without Slashdot's antitrolling features (the lameness filter) are big targets:

    1. post a long string of M's or W's (or any character) to force the browser to display a horizontal scrollbar and possibly make the discussion hard to follow
    2. if HTML is enabled, or the title or your account name aren't filtered, enter HTML <IMG> tags to link to disgusting images, or if you're really clever, make some JavaScript to do naughty things. Don't forget style sheets! Try <P STYLE="background-image: url(http://goatse.cx/hello.jpg);"> or just obnoxiously large text using <P STYLE="font-size: 250px;">.
    3. Post the same thing over and over.
    4. Post HTML to disrupt the tables containing the comments (like "Last post!! </TD></TR></TABLE>
    5. Obscene ASCII art
    Basically, if the Slashdot lameness filter traps it, make sure your target board doesn't!

    Linking to an image another site is unwise for another reason -- the administrator of the other site can delete the image. If it's not a commonly-found image, you've lost it! But if you copy it locally, you may get into copyright-related trouble. So it's kind of a dilemma. But in your case, you should have definitely copied it locally...