A nice cup of rabies

Rantings with occasional art.

As I mentioned elsewhere... This was a really reallllllllly stupid thing to do. Inserting an obfuscated blob of javascript from a third party into every page on a high profile website? We're *lucky* it wasn't a password or credit card scraper.

I would hope that LJ deobfuscated the code before plugging it in. It was the work of maybe an hour once I decided to just sit down and do it; there's not that much code involved. And they did host it on LJ, rather than pulling it off of outboundlink/drivingrevenue's servers where it could be modified at any time in the future.

I've been doing my best to construct narratives for this incident that are only due to bureaucratic complexity and inertia, rather than malign intent. *grin* Mostly I've just been trying to figure out what's going on at a technical level rather than a social/financial one!

I imagine it goes something like this:

Manager: Hello, tech people, our marketing department has made a deal with this Driving Revenue company. We need you to work with them so we can make affiliate money off of as many pages of our site as possible.
Driving Revenue's Contract: Put this JS code on your site. Please do not be peeking behind the curtains of our code, thanks, this is our intellectual property.
Tech people: ...okay then.

Yeah, I was imagining much the same story. Except maybe with it ending like this:

Tech: Hmm, this looks like a fake ID number. Should this get changed into a real one? *leaves a comment in the source*
Manager: I have a new pet project that must be implemented yesterday!
Tech: *forgets about the drivingrevenue ID question while putting out the manager's latest fire*

Entering (sans quotes) "set opt_exclude_stats 1" from should effectively opt you out.

Only for my eyes. As presently implemented, LJ will still be inserting this stuff into the pages it serves up for other people to see - it doesn't care if the author of the page opted out, only the person looking.

Ach, scheisse. Bastards.

I assume you've seen the response on kylecassidy's LJ. Occam's stupidity / malice explanation, as usual - but it's still a fuckup, and it's one more thing pushing me to look for tools to break the social trap of network effects.

I had not, though I'd seen the stuff she's working from.

I've been trying to attribute this to stupidity rather than malice as I dug into the technical details of what's going on, but I can't help but feel like "let's stick an affiliate ID on every unaffiliated e-commerce link we can find, and not tell any of our users about this" is a bit malicious. Even if it was being done with code that didn't have false positives on what it affected, and being done by altering the links when the page was served from LJ, rather than with this sneaky obfuscated JS that tries its best to hide its link-twiddling.

(Deleted comment)
*checks source* Ain't gone yet, hack away!

If you look at the source of dRev.js now, it just says:

/* this code is removed until we can get it off all our pages */

Just here to let you know that I'm linking to you on this issue and directing other people here, because you seem to be really on top of things.

If you want a Dreamwidth invite code, just say the word.

I had more important things to do today, but lounging in bed with the laptop chasing this was a compelling way to goof off. *grin*

And thanks! If I leap to DW (and LJ's handling of this so far is not helping) I'll probably just be buying a year of paid time off the bat; I've been a paid user for LJ for most of my time here and can certainly afford to do the same for a site I'm supporting for Not Being What LJ Is Turning Into.

Just so you know, DW's payments are currently down because of trolls in the system:

That means right now only check or money order can be accepted. However, they're making good progress on implementing a system that's not vulnerable to the same attacks.

In any case, if you decide to make a leap and have any questions/concerns about crossposting, importing, setting up, layout CSS/styles, things that sucked and could be made better, or anything like that, feel free to bug me about it! I do a lot of DW volunteer work, so I can usually answer or find out what's going on.
