
Show HN: Extension-blocking domains removed by threat from other blacklists - paulgb
https://github.com/paulgb/BarbBlock
======
cyphar
As the author notes, the Streisand effect at work. But more importantly, I am
quite happy that someone actually decided to stand their ground and call the
bluff of future malware distributors (sorry, _advertising companies_). I've
seen the chilling effects the DMCA has had on reasonable discourse in the
YouTube community, but extending it to what people can block in their
browsers is absolute insanity.

~~~
reificator
YouTube's setup, where anyone can claim any video, and the first line of
defense creators have is to plead innocent to the same party making the claim,
is the most user hostile (creator hostile?) thing I've ever seen.

~~~
spaceribs
I've always found it funny that piracy still totally exists on YouTube, but
the pirates just add obfuscation techniques to prevent immediate takedowns.

Then you watch the "Important Videos" playlist
([https://www.youtube.com/playlist?list=PL7XlqX4npddfrdpMCxBnN...](https://www.youtube.com/playlist?list=PL7XlqX4npddfrdpMCxBnNZXg2GFll7t5y))
and half the videos are taken down because the account had too many strikes.
It's really sad.

~~~
_jal
Funny in a terrible sort of way. The legacy copyright industry follows the
same logic as various drug war participants - winning means a loss of leverage
to ask for more power.

~~~
ethbro
Same discrepancy between reality and rhetoric. Stated goal: eliminate all of a
thing for moral reasons. Actual goal: eliminate the easiest majority of a
thing for economic reasons.

------
AdmiralAsshat
I'm a fan of "Code as protest", but it seems like the more practical solution
would be to simply have a separately maintained domain list that could be
easily integrated into the adblockers that already used EasyList.

~~~
paulgb
I'm not sure how that would be done but I'm open to pull requests!

~~~
maxerickson
You just publish a set of rules like
[https://easylist-downloads.adblockplus.org/easylist.txt](https://easylist-downloads.adblockplus.org/easylist.txt)

~~~
paulgb
Does this work for you?
[https://raw.githubusercontent.com/paulgb/BarbBlock/master/Ba...](https://raw.githubusercontent.com/paulgb/BarbBlock/master/BarbBlock.txt)

~~~
contravariant
That should work, you might want to add a link to
"abp:subscribe?location=h||ps://raw.githubusercontent.com/paulgb/BarbBlock/master/BarbBlock.txt&title=BarbBlock"
in your readme to allow people to easily install the list by clicking that
link.

Edit: replaced https with h||ps to prevent it from showing up as a link (which
are apparently cut off if they're too long).

~~~
paulgb
Thanks, will do
([https://github.com/paulgb/BarbBlock/issues/15](https://github.com/paulgb/BarbBlock/issues/15))

------
dweekly
FYI there appears to be a much longer set of domains owned by this company, all
of the same format of nonsensical word pairings.

[https://www.google.com/amp/s/amp.reddit.com/r/uBlockOrigin/c...](https://www.google.com/amp/s/amp.reddit.com/r/uBlockOrigin/comments/6swfvi/ad_domain_taken_down_from_easylist_due_to_dmca/)

~~~
jwilk
Direct link:

[https://www.reddit.com/r/uBlockOrigin/comments/6swfvi/ad_dom...](https://www.reddit.com/r/uBlockOrigin/comments/6swfvi/ad_domain_taken_down_from_easylist_due_to_dmca/)

------
JackC
As a legal fine point: the list I want isn't just "sites which have used DMCA
takedowns to force removal from other blacklists," but more like "sites which
allege that they are legally required to be loaded if embedded in other
sites."

This would include all Admiral-owned domains (including those that haven't
been included in DMCA takedowns yet), and all domains owned by any other
companies that believe there is some legal obligation to load their trackers.
It's an important list to have.

Echoing other comments, this list should be in a standard .txt form so it can
be included by other extensions, so I can pick an extension that does what I
want when it encounters such a site (e.g., decline to visit the page that
embeds the site).

~~~
Retr0spectrum
"sites which allege that they are legally required to be loaded if embedded in
other sites."

In that case, maybe the best technical and legal solution is to block any
sites that _contain_ their domains completely. I.e. boycott anyone who does
business with these people, without "violating" someone's interpretation of
DMCA.

------
0x10101
Next step is to just build a script that parses the DMCA takedown notices
here[1] and automatically builds a block list out of those domains.

[1] [https://github.com/github/dmca](https://github.com/github/dmca)

~~~
chii
you'd have to differentiate between a legitimate DMCA takedown vs a false
claim... maybe some NLP on the work being taken down to see if it falls under
fair use?

~~~
kerkeslager
I don't think this needs to be that complicated. If I'm understanding
correctly, the DMCA takedowns in this case are against pages blocked by
EasyList. You would just have to correlate DMCA takedowns with historical
EasyList filters.
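
One way to do the correlation kerkeslager describes, as an added example that is not part of the thread or of BarbBlock: take an older and a current snapshot of a filter list plus the text of a notice, and keep only the domains that were blocked, have since been removed, and are named in the notice. The snapshots, the notice text and every `.example` domain are constructed for illustration.

```python
import re

# Pure Adblock Plus domain-anchor rule, e.g. "||host.example^" or
# "||host.example^$third-party"; every other rule type is ignored.
DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+\.[a-z]{2,})\^(?:\$.*)?$", re.I)
# Loose pattern for hostname-looking tokens inside notice prose or URLs.
HOSTNAME = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample data (not real EasyList content, not a real notice).
OLD_SNAPSHOT = """! older snapshot of a filter list
||ads-one.example^
||removed-tracker.example^$third-party
||still-listed.example^
example.org##.banner
"""
NEW_SNAPSHOT = """! current snapshot of the same list
||ads-one.example^
||still-listed.example^
"""
NOTICE = """The file at https://git-host.example/filters/list.txt
circumvents our access control by listing removed-tracker.example.
We request removal of that entry."""


def rule_domains(filter_text):
    """Set of domains blocked by ||domain^ rules in a filter list."""
    found = set()
    for line in filter_text.splitlines():
        m = DOMAIN_RULE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def notice_domains(notice_text):
    """Every hostname-looking token mentioned in a takedown notice."""
    return {h.lower() for h in HOSTNAME.findall(notice_text)}


def removed_under_notice(old_list, new_list, notice_text):
    """Domains blocked in the old snapshot, absent from the new one, and
    named in the notice. Other hostnames in the notice (the repository
    host, file names) drop out because they were never filter entries."""
    removed = rule_domains(old_list) - rule_domains(new_list)
    return sorted(removed & notice_domains(notice_text))


if __name__ == "__main__":
    for domain in removed_under_notice(OLD_SNAPSHOT, NEW_SNAPSHOT, NOTICE):
        print(f"||{domain}^")
```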

------
josteink
Firefox also supports webextensions.

Please consider publishing a version at addons.mozilla.org too.

The tool web-ext makes this almost effortless.

[https://github.com/mozilla/web-ext](https://github.com/mozilla/web-ext)

~~~
paulgb
Thanks, I plan to, the main reason I targeted Chrome at first is that I've
heard the review period is in months for Firefox.

~~~
josteink
That's FUD. It's automated and takes minutes at tops.

Edit: in my experience.

~~~
anon1385
As far as I can see it takes over 5 days at least 50% of the time:
[https://discourse.mozilla.org/t/queue-weekly-status-2017-08-...](https://discourse.mozilla.org/t/queue-weekly-status-2017-08-11/17992)

(E: and that's currently; go back a few months and it's nearly 90% taking over
10 days. Possibly well over 10 days.
[https://discourse.mozilla.org/t/queue-weekly-status-2017-05-...](https://discourse.mozilla.org/t/queue-weekly-status-2017-05-12/15564))

~~~
josteink
I'm curious. Does this statistic mix old XUL based add-ons with the new web
extension standard addins?

As far as I can see the new web extensions based approach has much better
tooling with automatic analysis and reviewing.

------
acdjuiamadfn
Can we go one step further and block websites which serve contents from these
domains? This would be a good first step towards eliminating toxic
advertisements.

We'll give up a bit first but may win eventually.

~~~
bitshiffed
I've put together a list of sites using Admiral's services (the domains this
extension blocks) here:
[https://gist.github.com/daumiller/114989e6967eb0d4c54b9ab9ff...](https://gist.github.com/daumiller/114989e6967eb0d4c54b9ab9ffe63bb5).

I do not know how complete it may be. It was interesting putting the list
together to see how most (but not all) of the users appear just as sleazy as
Admiral itself.

(Blocking these sites automatically should be done based on requests pointing
to the original list, rather than this derived one, but it's here for
reference.)

------
loeg
Why not just distribute a list, like easylist, that can be added to existing
extensions like uBlock Origin?

------
snakeanus
I wonder, why is it an extension for a specific browser instead of a blacklist
that can be used in any browser that has a blocker?

------
est
> used DMCA takedowns to force removal from other blacklists

Could a hashed tld blacklist help? Each person downloads a unique hashed tld
blacklist. Browser would calculate tld against list of hashes (or bloomfilters
for what it's worth)

>
> [https://github.com/easylist/easylist/commit/a4d380ad1a3b33a0...](https://github.com/easylist/easylist/commit/a4d380ad1a3b33a0fab679a1a8c5a791321622b3)

In this case, what if a rule says

- domain starts with "functio"

- domain ends with "onalclam.com"

- domain is no longer than 18 bytes.

Instead of cleartext?

~~~
stordoff
As the claim is regarding circumventing access control, I doubt the specific
technical means by which it is blocked is relevant - Admiral's interpretation
of the DMCA considers the outcome (the domain is blocked), not that the list
includes a domain which they own.

~~~
est
How about splitting the blacklist into multiple entities (like Shamir's Secret
Sharing) with absolutely no affiliation with each other.

Each one downloaded cannot block anything.

But if a user combines some of the data, certain websites get blocked.

~~~
zb3
This time I really don't understand why you've been downvoted. Now it feels
like some powerful users know something I don't, but they won't tell

~~~
khedoros1
Because it was a response to a statement that the result matters more than the
implementation details that consisted of achieving the same effect by cleverly
modifying the implementation.

~~~
zb3
Result matters, but who's to attack when it's in fact the user who mixes some
theoretically unrelated things to achieve such result? Sadly I know it
wouldn't work in practice, but that's how I understood that comment

~~~
khedoros1
Three separate services, each hosting segments of a file that have to be put
back together in some way. Either those three sites will have information on
how to rebuild the file (revealing the reason they're hosting it in the first
place), or there'll be a 4th party involved that provides the information. It
starts looking like an organized conspiracy, if a court ends up looking at it.
And that's the answer: The target companies file suit against whatever sites
seem to be involved in the conspiracy.

Either that, or it ends up being so obscure that the target company(ies) never
notice.

------
2ion
Hosting such a project on Github, a US-based company which responds to DMCA
requests, is perhaps not the most sensible choice.

~~~
aaron_m04
Are there any good non-US Git hosting companies?

~~~
gruez
Self hosted gitlab?

~~~
gsich
gitea

------
visarga
What if Samsung issues another bogus DMCA? Would you dare blacklist Samsung?
If the inconvenience level is high enough, almost nobody would use the
blacklist. This only works for small players.

~~~
michaelmrose
It's not the business's primary website that would normally be the target of
blacklists. It's domains serving undesirable content like ads.

For samsung.com to be added to the list first an ad-blocker would have to list
samsung.com THEN Samsung would have to use legal shenanigans to get
samsung.com removed from blacklists THEN it would get added.

It seems pretty unlikely. It's likely in fact that if Samsung had content
worthy of blocking it would be served in a way that would be easy to block
without blocking samsung.com. Example nonsense.samsung.com or
samsung.com/whatever.

------
discreditable
This seems to be a list of other admiral-owned domains:
[https://pgl.yoyo.org/adservers/admiral-domains.txt](https://pgl.yoyo.org/adservers/admiral-domains.txt)

~~~
tofof
As I note in the Github for this project, that list is woefully incomplete.

See my analysis at the Anti-Adblock Killer repo for more detail -
[https://github.com/reek/anti-adblock-killer/pull/2502#issuec...](https://github.com/reek/anti-adblock-killer/pull/2502#issuecomment-277863986)

Admiral has thousands of domains across Google Cloud and AWS hosts.

~~~
ksrm
Presumably they don't all point to unique IP addresses, so would blocking
their IPs be more effective?

------
suresh70
This is one of the many situations where website owners, content creators and
individuals are being intimidated by the use of DMCA takedown notices.
Sometimes there are even fake notices, as in here
([https://www.eff.org/deeplinks/2016/10/samsung-sets-its-reput...](https://www.eff.org/deeplinks/2016/10/samsung-sets-its-reputation-fire-bogus-dmca-takedown-notices?page=174)).
There should be proper checks to avoid misuse of DMCA takedown notices.

------
appleflaxen
the original DMCA take-down was against a uBlock Origin list.

why make an entirely new plugin when you can simply make a new list? As cool
as your idea is, I don't need two browser extensions to manage when the first
one will happily incorporate your list.

~~~
paulgb
To be honest? Because I was on a plane without internet, and I didn't know how
to create a blacklist but I had another extension I'd created to use as
reference :)

I'm not opposed to doing both, once I have an hour to sit down and figure out
what is actually involved. There's an issue to track it here:
[https://github.com/paulgb/BarbBlock/issues/5](https://github.com/paulgb/BarbBlock/issues/5)

~~~
appleflaxen
congratulations on using your flight so productively :) Thanks for filing the
issue! I considered it, but didn't want to be pushy.

~~~
paulgb
Someone has now contributed a list:
[https://raw.githubusercontent.com/paulgb/BarbBlock/master/Ba...](https://raw.githubusercontent.com/paulgb/BarbBlock/master/BarbBlock.txt)

------
ishitatsuyuki
DMCA is targeted at service providers. Unless the code is self hosted, there's
a risk that GitHub can take it down to avoid lawsuits.

~~~
paulgb
Yep, but I can file a counter-takedown. I know the process from past
experience.

~~~
chii
awesome - it would be good to publicize this process, and also to post about
those experiences. Far too many are intimidated into compliance without
knowing their rights.

~~~
notyourday
[https://news.ycombinator.com/item?id=14992858](https://news.ycombinator.com/item?id=14992858)

I'm rather shocked HN is not well versed in this.

------
ajarmst
This seems to beg an important question: are people who use legal means to
remedy their inclusion on a blocklist necessarily doing so for nefarious
reasons? Not everyone who's used a cease-and-desist or the DMCA process is a
bad actor.

This extension isn't necessarily bad---if its purpose is simply to ensure that
DMCA takedowns and cease-and-desist orders are properly supported and enforced
only with good cause, then that seems valuable. If it ends up as a tool that
starts making people who are legitimately trying to protect their livelihood
or interests give up by making their legal remedies unenforceable or too
onerous to undertake, then maybe we need something a little less cavalier.

~~~
mholt
You would only use a DMCA takedown on a blacklist if you want to force your
content to be viewed by others. That is bad acting. DMCA is to protect the
rights of content owners from their content being spread maliciously, not for
it to be blocked from viewing in an individual's private home or device.

~~~
ajarmst
Fair enough. But I was just accepting the OP's conflation of DMCA takedowns
and cease-and-desist orders. The concern remains valid in the latter case (I'm
not sure the DMCA could even legitimately be used in this rather odd, inverted
way, and agree that it's hard to imagine a valid use). My point is that
nothing I do to a blacklist could "force" anyone to view my content---but I
might have a legitimate interest in correcting a blacklist's
mischaracterization or miscategorization of my content.

------
jrwr
Why not just switch to something like md5 for matching some domains that do
this
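
The hashed matching suggested here and in est's earlier comment, as an added example that is not part of the thread or of BarbBlock: the list ships only digests, and the client hashes the requested hostname and each parent domain to look for a match. SHA-256 with a per-user salt is an assumption standing in for md5 and for est's "unique" per-person list; the `.example` names and the salt are constructed.

```python
import hashlib


def digest(salt: bytes, domain: str) -> str:
    """Salted SHA-256 of a lower-cased domain name, hex encoded."""
    return hashlib.sha256(salt + domain.lower().encode("utf-8")).hexdigest()


def build_hashed_list(salt, domains):
    """What a publisher would ship to one user: digests only, no names."""
    return {digest(salt, d) for d in domains}


def parent_domains(hostname):
    """Yield the hostname and each parent domain:
    a.b.example -> a.b.example, b.example.
    The bare TLD is skipped so one entry can never cover a whole TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def is_blocked(hostname, salt, hashed_list):
    """True if the hostname or any parent domain hashes to a list entry."""
    return any(digest(salt, c) in hashed_list for c in parent_domains(hostname))


def recover_entries(salt, hashed_list, candidates):
    """Whoever holds the list and salt can confirm any guessed domain by
    hashing it, so the digests obscure the entries without hiding them."""
    return sorted(c for c in candidates if digest(salt, c) in hashed_list)


if __name__ == "__main__":
    salt = b"user-1234"  # constructed per-user salt
    hashed = build_hashed_list(salt, ["blocked-ads.example"])
    print(is_blocked("cdn.blocked-ads.example", salt, hashed))
    print(recover_entries(salt, hashed, ["news.example", "blocked-ads.example"]))
```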

~~~
Grollicus
The argument is not "they are spreading our trademark" but "they are
circumventing our copy protection" and that would happen regardless of the way
it is technologically done.

This is a huge attack on the way we all consume the web, because in the end it
leads to a society where we are forced to consume ads to participate in the
society.

------
dvfjsdhgfv
Kudos to the author for this. I wonder what the reaction of Admiral will be.

~~~
marksomnian
"Well, s __t. "

~~~
jwilk
I think your comment fell victim to an asterisk eating monster.

~~~
marksomnian
Well, st.

------
tlavoie
Besides web browser extensions, this sort of thing works nicely in firewalls
that support DNSBL (DNS block lists). I've got pfSense running pfBlockerNG,
and it whacks both incoming (known malicious) and outbound requests. As a
result, anyone on my home network gets the same ad-blocking and other
protection, including guests on the Wi-Fi. Nobody has to do anything special,
it Just Works.

------
CodeWriter23
I take it as a good sign a player in the online ad industry is starting to
squirm.

------
rocky1138
A much easier solution is to just add those domains to your hosts file. Then
it'll work across any program or browser you use.
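
Turning an Adblock Plus style list into hosts-file entries, for the hosts-file approach here and the DNS block list setup tlavoie describes above; this is an added example, not code from the thread or from BarbBlock. The sample list and its `.example` names are constructed, and `0.0.0.0` as the sink address is an assumption. A hosts entry matches one exact hostname, while a `||host^` rule also covers subdomains, so the output blocks less than the original rule.

```python
import re

# "||host^" with nothing after it: the only rule shape a hosts file can express.
PURE_HOST = re.compile(r"^\|\|([a-z0-9-]+(?:\.[a-z0-9-]+)+)\^$", re.I)

# Constructed sample list covering the rule shapes that matter here.
SAMPLE_LIST = """[Adblock Plus 2.0]
! Title: constructed sample list
||tracker-one.example^
||Tracker-One.example^
||cdn.tracker-two.example^
||tracker-three.example^$third-party
||site.example/ads/banner.js
@@||allowed.example^
site.example##.ad-box
"""


def abp_to_hosts(filter_text, sink="0.0.0.0"):
    """Translate an Adblock Plus list into hosts-file lines.

    Returns (hosts_lines, skipped). A hosts file maps whole hostnames only,
    so rules with paths, $options, exceptions (@@) or element hiding (##)
    are reported in `skipped` rather than widened into a full-host block.
    """
    hosts, skipped, seen = [], [], set()
    for raw in filter_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("["):
            continue  # blank line, comment, or "[Adblock Plus 2.0]" header
        m = PURE_HOST.match(line)
        if not m:
            skipped.append(line)
            continue
        host = m.group(1).lower()
        if host not in seen:  # drop case-insensitive duplicates
            seen.add(host)
            hosts.append(f"{sink} {host}")
    return hosts, skipped


if __name__ == "__main__":
    lines, skipped = abp_to_hosts(SAMPLE_LIST)
    print("\n".join(lines))
    print(f"# {len(skipped)} rules need a content blocker, not a hosts file")
```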

------
ezoe
They tried to use DMCA to censor non-copyright-able information such as this?
Ridiculous.

------
smegel
Thank you good Sir.

------
jwilk
> This is not my first DMCA-takedown rodeo

What's the story?

~~~
paulgb
tl;dr I found a major ticketing vendor was vulnerable to data interception
because of a faulty HTTPS setup. They issued a DMCA takedown of a private
video I had sent them. I fought it and they threatened to sue but they backed
down after the EFF sent a response on my behalf.

~~~
jlgaddis
Things like this are why I continue to give to the EFF.

------
k__
doesn't stuff like privacy badger generate these lists on the fly locally?

~~~
preinheimer
I'm a privacy badger user and I just checked my list, I don't see this domain
listed.

Privacy badger will only block a domain if it appears that it's tracking you.
Sites linking to this JS, that don't try to send tracking info will not be
blocked.

------
atomical
What is functionalclam?

~~~
lost-theory
It looks like an anti-adblock measure:

[https://github.com/reek/anti-adblock-killer/pull/2502](https://github.com/reek/anti-adblock-killer/pull/2502)

> after the page finished loading. It removed the real page content and
> replaced it with a box asking me to whitelist the site.

The reason why they're using so many domains is to circumvent blacklisting,
and then the DMCA takedowns are another layer of circumvention on top of that.

------
dvl
Not first time, it's stupid how GitHub accepts anything as DMCA request.

~~~
paulgb
Don't blame GitHub, blame the DMCA!

~~~
dvl
I blame both. Even without any copyright violation GitHub takes the DMCA
request.

~~~
WillPostForFood
You have to take the DMCA request or else you lose safe harbor.

~~~
chii
the problem is when the safe-harbour entity doesn't actually try to protect
their content creators, but blindly accepts any takedown. YouTube is
notoriously obedient - to the point where it can threaten content creator's
livelihood (see
[https://www.youtube.com/watch?v=QfgoDDh4kE0](https://www.youtube.com/watch?v=QfgoDDh4kE0)
for a famous one).

~~~
WillPostForFood
Doesn't matter - they have to accept the requests and sort it out later to
retain safe harbor. That's just the way the law was set up. The whole point is
that they claim neutrality - they are the carrier of the information, not
screeners or judges of it. The legal back and forth is between the entity
posting the content and the entity submitting the DMCA takedown. After the
fact, YouTube to GitHub can and should and sometimes do help fight back
against abuse.

------
oelmekki
Wouldn't putting those domains in a blockchain be the proper answer? It could not
be "taken down", then (if it's a solid one, like btc or eth).

~~~
drraid0
That's a stupid idea. What if you ever wanted to start a revocation list, when
a domain is added genuinely by mistake? You'd have to use the same priv key
for signing those as well, at which point you might as well have a single text
file with provenance (aka git)

~~~
oelmekki
Well, maybe that if it sounds stupid to you, you didn't think about it enough
(that's usually the case).

Make an address which creates transactions containing the domains blocked. To
find the list, check the transactions from this address. If an error is made,
then you can just use another address to build the list again without the
domains you want to remove, and make adblocks look for transactions from this
address. The adblockers only reference an address so they have no illegal
content. Domains can't be removed from transactions. Adblockers can use
another address as basis if they agree too.

~~~
jlgaddis
I wonder if there's ever been a better real-world illustration of Maslow's
hammer at work.

~~~
yadenoyad
So is your use of the term "Maslow's hammer". Using the block chain for
maintaining a list of domains that is not subject to the whims of DMCA seems
like a good use of the technology to me.

