
This JPEG is also a webpage - cocoflunchy
http://lcamtuf.coredump.cx/squirrel/
======
daeken
I abused this concept to compress demo code in PNG files, with great success.
[http://demoseen.com/blog/2011-08-31_Superpacking_JS_Demos.ht...](http://demoseen.com/blog/2011-08-31_Superpacking_JS_Demos.html)

This is, at present, the most efficient way to pack demos on the web; a few
characters of uncompressed bootstrap code, then the rest is deflated.

~~~
aleksanb
My democrew (Ninjadev) has used this technique for multiple WebGL/Javascript
productions over the last few years now.

You can see the final packed .PNG results here: Crankwork Steamfist
[https://stianj.com/crankwork-steamfist/](https://stianj.com/crankwork-
steamfist/), Everything is Fashion
[https://stianj.com/fashion/](https://stianj.com/fashion/), and Inakuwa Oasis
[http://arkt.is/inakuwa-oasis/](http://arkt.is/inakuwa-oasis/).

The tool used for creating both the demos and the packed .PNG is made by us
and available on GitHub here
[https://github.com/ninjadev/nin/](https://github.com/ninjadev/nin/).

~~~
sigvef
Also a Ninjadever. Daeken's blog post was one of the inspirations that led us
to implementing this in our toolchain. p01's Matraka [1] was another. The PNG
trick is pretty common in the js scene nowadays, with packing tools such as
JsExe [2] readily available.

[1]:
[http://www.pouet.net/prod.php?which=59403](http://www.pouet.net/prod.php?which=59403)

[2]:
[http://www.pouet.net/prod.php?which=59298](http://www.pouet.net/prod.php?which=59298)

------
loudmax
You can see this in action for yourself on a unix cli:

    
    
      $ curl -o squirrel.html http://lcamtuf.coredump.cx/squirrel/
      $ file squirrel.html
      squirrel.html: JPEG image data, JFIF standard 1.01, comment: "<html><body><style>body { visibility: hidden; } .n { visibilit"
    

Open the file in a browser and read the page. Then:

    
    
      $ mv squirrel.html squirrel.jpg
    

Open the renamed file in a browser and only the image appears.

I'm not sure what the security implications are. I'm not creative or devious
enough to think of anything offhand, but a lot of attack vectors start off
with this sort of misdirection.

~~~
lisper
> I'm not sure what the security implications are.

You can use this technique to phish signatures. Send someone a document that
reads "X" in format A and "Y" in format B. The victim signs file.A thinking
they are endorsing X but you can plausibly claim that they signed file.B
(because it's the same file) and hence endorsed Y. This is why digital
signature standards need to include meta-data, e.g.:

[https://github.com/Spark-
Innovations/SC4/blob/master/doc/fil...](https://github.com/Spark-
Innovations/SC4/blob/master/doc/file_formats.md)

Scroll down to "bundle files"

~~~
mseebach
> but you can plausibly claim

And anyone else can plausibly claim that you carefully forged a file to get a
victim to sign it -- the signature will be of the whole file, not just a
single view of it.

But that said, you shouldn't sign binary files unless you have a reasonable
understanding of what is in it (or trust the party presenting it to you).

~~~
lisper
> And anyone else can plausibly claim that you carefully forged a file to get
> a victim to sign it

Yes, of course, but by the time someone realizes this the damage may already
have been done.

> you shouldn't sign binary files

There are a lot of things that people shouldn't do that they do nonetheless.

------
kbenson
Prior discussion, years ago, many comments:
[https://news.ycombinator.com/item?id=4209052](https://news.ycombinator.com/item?id=4209052)

~~~
xyclos
which begs the question: where are all the "essential squirrel facts" that
were promised?

~~~
mistersquid
Maybe a product manager realized it didn't make sense to provide "essential
squirrel facts" to a page featuring the image of a chipmunk. :-)

~~~
f-
Author here. Rookie mistake! It's actually a golden-mantled ground squirrel.

[https://en.wikipedia.org/wiki/Golden-
mantled_ground_squirrel](https://en.wikipedia.org/wiki/Golden-
mantled_ground_squirrel)

A chipmunk would have a stripe going across the eye.

(Today, you learned your first squirrel fact!)

~~~
mistersquid
I did learn something new, not just about squirrels but about chipmunks, too.

Thank you.

And here I was impressed merely by the delivery of image data in the HTML
stream. Little did I realize your page is practically an Encyclopedia
Rodentia.

Kudos and hats off.

------
slice-beans
Interestingly, this page is intercepted by my router which then just sends me
a redirect to one of its settings pages. Odd.

~~~
alanh
Well now, that _is_ interesting… deep packet inspection? or just a truly
insane bug?

What router is it?

~~~
slice-beans
Here's the request and response from router:
[http://pastebin.com/e7rxLsGJ](http://pastebin.com/e7rxLsGJ)

The router itself is a BT Internet (UK) branded one. Not sure of the exact
model but I'll try to find out...

~~~
fosk
Besides the model number, can you also tell us the firmware version?

~~~
slice-beans
BT Home Hub 5 (Type A) Software version 4.7.5.1.83.8.204.1.11

But, false alarm anyway, nothing interesting is happening. The firmware had
updated and reset parental control settings on the router. The domain is on
some blacklist apparently so it was redirecting to a page to finalise parental
control preferences.

Sorry it wasn't any more interesting than that.

Edit: the reason it took me a while to figure this out was that the settings
page it was redirecting to was nothing to do with parental controls!

~~~
neom
So how did you figure it out?

~~~
slice-beans
I visited some other black listed sites <.< >.> and discovered the pattern,
then dug around in the router settings to see what had changed. Disabling
parental controls sorted it and I can now see the
squirrel/chipmunk/unidentified rodent.

Lesson learned: just use a VPN.

~~~
Jaruzel
> I visited some other black listed sites <.< >.>

Is that an ASCII representation of what I think it is? (a well known .cx site)

~~~
slice-beans
It was shifty eyes. But good imagination skills +1

------
hardmath123
Some _PoC||GTFO_ PDFs are also valid in other formats—"polyglots". They
usually do PDF+HTML+ZIP, though sometimes they get (even more) creative.

[https://www.alchemistowl.org/pocorgtfo/](https://www.alchemistowl.org/pocorgtfo/)

~~~
Dylan16807
Keep in mind that combining most normal formats with most archive formats is
trivial, because normal formats start at the beginning, and archive formats
have a table of contents at the end. Concatenate both files and you're done.

Combining with PDF is also on the easy end of things, because the PDF header
just has to be somewhere vaguely near the start.

------
danbruc
A testament to one of the worst decisions in computing history - not to fail
displaying a web page with an error message in case it is not a valid HTML
document.

~~~
TazeTSchnitzel
Being flexible about what markup is accepted has meant the web could gain new
features and gracefully degrade, and has made it more fault-tolerant. It's not
at all a failing.

Compare that to JavaScript, which will happily fail if you use new syntax or a
missing function, and thus web pages which rely on JS often show up as just a
full screen of white when something goes wrong, which it frequently does.
That's not to say JS _should_ be as flexible as HTML is here, but it provides
an interesting contrast.

~~~
witty_username
> Compare that to JavaScript, which will happily fail if you use new syntax or
> a missing function, and thus web pages which rely on JS often show up as
> just a full screen of white when something goes wrong, which it frequently
> does.

Isn't that more due to failure to handle exceptions and display errors to
users?

~~~
cbsmith
> Isn't that more due to failure to handle exceptions and display errors to
> users?

You could describe it that way.... or you could describe it as failing to have
reasonable default logic for handling faults & gracefully degrade.

------
imurray
Right-clicking on the image and selecting "View Image" (Firefox), or "Open
image in a new tab" (Chromium), gives the webpage, not the image. I can see
why that happens: the menu items just open a URL and don't force it to be an
image. However, it was a bit disorienting.

~~~
coding123
I did this too, repeatedly, until I was smiling a very big smile.

------
nashashmi
I didn't know what he was talking about until I tried this:

    
    
      data:text/html, <html><img src="http://lcamtuf.coredump.cx/squirrel/"></html>
    

Put that in the url of the browser.

------
SmellyGeekBoy
I'm surprised nobody in this thread has mentioned PICO-8, a "virtual console"
which compresses its "cartridges" in the form of a PNG file. When viewed in a
browser or on a computer the file is displayed as a neat stylised image of a
cartridge with a description, box art etc but when opened in the PICO-8
executable reveals all of the game code, art and music/sound assets in fully
uncompressed editable form. The cartridges can be shared freely on sites that
leave the original file intact without re-compressing. Nifty!

[http://www.lexaloffle.com/pico-8.php](http://www.lexaloffle.com/pico-8.php)

------
amavisca
This site uses the xmp tag (deprecated in HTML 3.2, removed in HTML5) which I
found interesting and had never seen!

[https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/xm...](https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/xmp)

It's similar to the pre tag but doesn't require the escaping. I guess you just
have to make sure you don't have a closing xmp tag :)

~~~
krapp
<xmp> is great when you absolutely, positively, do not want any entities
rendered under any circumstances. It's unfortunate that it's being deprecated,
since it has its uses.

~~~
gioele
> <xmp> is great when you absolutely, positively, do not want any entities
> rendered under any circumstances. It's unfortunate that it's being
> deprecated, since it has its uses.
    
    
      <![CDATA[ here &entities; or <angle|<brackets>> will not interpreted ]]>
    

There is no need for special-casing xmp, when SGML and XML already define
CDATA escapes.

------
tomw1808
> Pretty radical, eh? Send money to: lcamtuf@coredump.cx

How to send money to your email address? Not that I would send you some, but I
wondered how you want to have that money received?

~~~
mrb
1\. Most Gmail users can receive money by email
([https://support.google.com/mail/answer/3141103](https://support.google.com/mail/answer/3141103)
and coredump.cx MX records point to Gmail)

2\. Ask him his Bitcoin address

3\. Paypal to this address

:)

~~~
qz_
Isn't Google Wallet ded?

~~~
smhenderson
No, just pining for the fjords!

But seriously, no, it's alive and kicking...
[https://www.google.com/wallet/](https://www.google.com/wallet/)

Page Info shows the last modification was: Thu 31 Mar 2016 01:02:44 PM EDT

I don't personally use it much but I have an account to pay for my domain name
though them that I use for Google Apps.

------
blahpro
I like this bit: <img src="#" [...]>

------
tarball
Here is a similar experimental project I made, between image and web page :
[http://raphaelbastide.com/guropoli/](http://raphaelbastide.com/guropoli/)

------
aioprisan
So in theory, can analytics platforms be compromised so that JPEG tracking
pixels could turn into full-fledged sites interfering with the parent page at,
say, a bank website? Firing off credentials in the background?

~~~
yathern
No, because if parsed as a JPEG, arbitrary code wont be run. If the jpeg was
somehow parsed as JS, then possibly yes.

~~~
aioprisan
The image reference tag is for an image. As stated previously, if you look at
the JPEG itself, it starts off with a JPEG comment, which embeds the entire
html block, then starts a comment block for the remainder of the JPEG data.
Browsers are very liberal in what they accept, so that initial 20-byte header
is ignored, although you can see it if you inspect the page's elements.

~~~
yathern
Yes, I get that - but if a tracking pixel is downloaded and interpreted as a
jpeg, then it will parse anything in the COM section as a comment, and not
execute anything in it, unless there was some sort of vulnerability in the
JPEG implementation

------
ComodoHacker
>No server-side hacks involved

I doubt this. In request with Accept:"image/png,image/ _;q=0.8,_ /*;q=0.5"
server souldn't respond with something with Content-Type:"text/html"

~~~
eriknstr
mkdir -p ~/tmp/squirrel

cd ~/tmp/squirrel

wget -O index.htm
[http://lcamtuf.coredump.cx/squirrel/](http://lcamtuf.coredump.cx/squirrel/)

firefox index.htm

Alternately, using an actual webserver instead of opening a file://

python3 -m http.server &

firefox [http://127.0.0.1:8000/](http://127.0.0.1:8000/)

Also works.

Note that the actual img tag has src="#" so when you are looking at the file
opened locally, the image is also from local disk, not from his server, so
it's legit.

However, the fact that it needs to be identified as a HTML file by the server
implies to me that the idea others had ITT of abusing image hosting sites
using this trick probably won't work.

------
d33
...how is that possible?

~~~
d33
...this is probably a hint:

00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 01 2c |......JFIF.....,|

00000010 01 2c 00 00 ff fe 03 72 3c 68 74 6d 6c 3e 3c 62 |.,.....r<html><b|

$ file index.html index.html: JPEG image data, JFIF standard 1.01, resolution
(DPI), density 300x300, segment length 16, comment: "<html><body><style>body {
visibility: hidden; } .n { visibilit", baseline, precision 8, 1000x667, frames
3

I wonder what are the security implications of that.

~~~
deathanatos
> _I wonder what are the security implications of that._

At least any terminal escape sequence can be executed if you run `file` on a
JPEG, it seems, since this:

    
    
        curl -s 'http://www.imagemagick.org/image/fuzzy-magick.png' | convert - -set comment "$(printf 'asdf\x1b[1;31mTest?\x1b[0m hmm')" test2.jpg
        file test2.jpg
    

Results in red text on my terminal for me.

(It also results in file writing a 0xff 0xdb to the terminal, which the
terminal turns into the unicode fallback character since it's not valid text…)

~~~
michaelmior
I just get the following so it seems like my version of file has been patched
to handle this case.

    
    
        test2.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, comment: "asdf\033[1;31mTest?\033[0m hmm", baseline, precision 8, 320x85, frames 3

~~~
throwanem
Same here with file(1) version 5.22 from the Debian jessie package repo. I'd
be interested to know in which versions this kind of thing actually works.

~~~
cesarb
My first guess would be "the MacOS one", since from what I have heard, MacOS
tends to have older (sometimes much older) versions of basic system utilities.
I don't have a MacOS machine nearby to check, so this is just a guess.

~~~
kalleboo
Well that and they have BSD rather than GNU versions

------
tambourine_man
Previously, on HN:

[https://news.ycombinator.com/item?id=4209052](https://news.ycombinator.com/item?id=4209052)

------
throwawayReply
I appreciate the technical trickery in this version, but has it not been
possible to do this since at least 1996[1] by having the server serve
different files based on the "Accept" http header?

[1]
[https://www.w3.org/Protocols/HTTP/1.0/spec.html#Accept](https://www.w3.org/Protocols/HTTP/1.0/spec.html#Accept)

~~~
aioprisan
That's for the initial resource itself, not subsequent asset requests. For
instance, an asset request is a separate request on a different domain, such
as one for a customer service analytics tag, which is requested without any
accept resource type request filter.

~~~
throwawayReply
So if the initial request comes with "Accept: text/html" then you serve a
webpage. The request when linked as img comes as "Accept: _/_ " and you serve
an image.

Perhaps caching or other schemes would break this, I'll try to knock up a PoC.

------
EGreg
Can someone explain in simple English how this works?

~~~
alanh
1\. HTML is very forgiving. HTML also provides a comment mechanism <!-- -->
between which anything will be ignored from a browser perspective.

2\. JPEG also allows for comments and other embedded metadata which won't show
up in the displayed image.

3\. Start the file with a JPEG header and metadata section, then switch
between HTML and JPEG using the comment functionality mentioned above

Essentially!

"But wait, why is it shown as an image in one context and as a web page in
another?"

The answer is in the question: Context. If you expect a JPEG you will get a
JPEG, and same for HTML.

------
fsiefken
great hack, could you get javascript working inside a jpeg as well? Or
obfuscate the javascript and decrypt in the browser for steganographic
purposes?

~~~
StavrosK
No, the JPEG header is at the start of the file, unlike the PNG which is at
the bottom.

~~~
fizzbatter
Pardon my ignorance, but what does that matter?

There's an important note in that the HTML is _not_ at the true start of the
JPEG file, it's slightly after. You can even view some of the JPEG format
bytes if you view source of the HTML.

So if the browser ignores some of the JPEG file, why not most of the PNG file?
Perhaps you run the risk of some random byte screwing up the HTML though.. not
sure.

~~~
StavrosK
Oh, you're right. I was thinking of the combined zip/png, and it's the _zip_
file that has the header at the bottom, so my previous comment is completely
wrong. The article seems to be adding the HTML in the EXIF data (thus making
it a completely valid JPEG) and the browser tries to be very accommodating in
what it accepts, thus ignoring the junk data (or what it thinks is junk data)
at the start of the HTML file.

Whether JS would work or not depends on how much the browser tries to recover
from errors there. I would guess not much, but what would you gain from a
combined JS/JPEG file anyway?

------
pdkl95
[https://media.ccc.de/v/31c3_-_5930_-_en_-
_saal_6_-_201412291...](https://media.ccc.de/v/31c3_-_5930_-_en_-
_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini)

Funky File Formats

------
peterburkimsher
Nice trick! I'm interested in encoding other kinds of data in images in order
to share apps/music/etc between mobile devices.

Unfortunately, your HTML gets lost I try to save the picture on my phone.

iPhone > Safari > Save to Camera Roll

Copy off the picture; it's been re-encoded and has no JPG comment field.

Any solutions to this are welcome! The re-encoding makes patterns impossible
to decode as well (they degrade after being shared a couple of times). See
Cemetech's jsTified emulator for an example of a ROM file as a JPG - he uses
B/W and it still requires the file to be synced from a computer, not saved
from the browser.

------
metrognome
You could do the same thing with a .wav file, embedding the HTML after the
data sub-chunk. Adobe Audition uses this method to embed application-specific
metadata for the file (marker and sub-marker locations, for example).

~~~
jschwartzi
WAV is actually a specialization of an old container format called RIFF. RIFF
allows for extensibility by allowing the embedding of arbitrary data.

So this is technically a legitimate use of RIFF because it's designed to
support multi-purpose contents, not just PCM data.

~~~
voltagex_
Aha! This is how Beatport were putting title/artist data in WAVs.

I'm not sure why they did that instead of just sending FLACs, though...

------
tgarma1234
Well this will certainly appeal to Steganography enthusiasts and perverts who
have clumsily been loafing around .onion sites for years and who now finally
have a way to share content in the clear. And of course the NSA, FBI and CIA
are suddenly stuck trying to figure out why this goofy squirrel is so popular
in Yemen.

mv squirrel.html squirrel.jpg sudo apt-get install steghide steghide embed -cf
squirrel.jpg -ef secret.txt mv squirrel.jpg squirrel.html

And voila...

------
tannerc
Curious, how do search engine crawlers interpret this? Would it be the same as
a browser, i.e. the bot would treat the requested img url respectfully?

------
voltagex_
I'm a big fan of Ange Albertini's work with this kind of stuff -
[https://github.com/corkami/](https://github.com/corkami/)

There's a talk called "Funky File Formats" but there's (fittingly) multiple
versions of it so you're best off searching for it.

------
antmldr
Saumil Shah released a framework for producing images using this technique to
deploy browser exploits (but could potentially be used for anything).

Worth a look if you'd like to make your own!
[http://stegosploit.info/](http://stegosploit.info/)

------
pix64
Neat idea. Here is a BMP I just threw together that is also a webpage.

[https://mega.nz/#!49MnjKCJ!7HShAESfmM2R450x4z-zLmtCDotOhsLze...](https://mega.nz/#!49MnjKCJ!7HShAESfmM2R450x4z-zLmtCDotOhsLzemQHcYuTINY)

------
koytch
Along similar lines:
[https://www.alchemistowl.org/pocorgtfo/](https://www.alchemistowl.org/pocorgtfo/)

Some of the PDFs also happen to be valid images, audio files, zip archives,
etc.

------
grimmdude
This is cool. Though the 133kb download size for the html isn't great.

~~~
blahpro
Yeah but the image comes straight out of cache.

~~~
grimmdude
Good point, well on the second load anyway.

------
pjf
[https://www.w3.org/Bugs/Public/show_bug.cgi?id=29771](https://www.w3.org/Bugs/Public/show_bug.cgi?id=29771)

------
OR13
[https://ipfs.pics/QmRcm8yiCYmQ1jDxhUVtsjvps4XjtjSTziVSdQsszu...](https://ipfs.pics/QmRcm8yiCYmQ1jDxhUVtsjvps4XjtjSTziVSdQsszuiRfw)

------
chrischen
This would be a unique way to make downloading images harder.

~~~
MikeTV
Just what I was thinking. It doesn't actually prevent the user from
downloading the image, just makes them _think_ that they failed to download
the image (since it saves with a .htm extension).

The HTML file could be one that admonishes the user for attempting to scrape
the file, all the while the file they wanted is sitting right there. A modern
day Purloined Letter.

~~~
goda90
I just right clicked on the image and saved it in Firefox and it gave me a
.jpg. I was still able to change it into a working .html file by renaming it.
I imagine some systems for downloading would get it messed up, but Firefox at
least treats it as a JPEG when you're interacting with the image tag.

------
rcthompson
I wonder if browsers are smart enough to only download the file once for the
html and then cache it for the embedded image.

~~~
kalleboo
It looks like Safari is at least, and it even de-duplicates it in the Web
Inspector so it only lists a single resource (which gets listed as "type:
image"

~~~
thomasfoster96
Yep, Safari doing the same for me. Although I'm seeing it as an image with
type "text/html", which is odd.

------
haddr
Can I upload such image for instance to facebook and intent to run it as html
(with some JS inside)?

~~~
nickfrostatx
They usually set the content type to that of an image so the browser won't
execute the JS.

They've messed this up in the past, see this legendary bug bounty report [1]

1\. [https://whitton.io/articles/xss-on-facebook-via-png-
content-...](https://whitton.io/articles/xss-on-facebook-via-png-content-
types/)

------
akash0x53
Should i expect the same behavior in Facebook? I didn't get image though.

------
govindpatel
well I just thought that it is some bug in html img tag. But still nice
finding

------
pschastain
No explanation of what's going on?

------
soheil
Can you make it play a video too?

------
hughbetcha
Cette jpg est pas une pipe.

------
ausjke
You can use URI to embed images too, not sure how this is done though, why not
just use URI?

~~~
chriswarbo
Data URIs are useful for embedding resources in a page (e.g. a single HTML
file containing all of its own CSS, JS, images, etc.)

This is different: it's a single file which can be parsed as _either_ a HTML
page _or_ a JPEG. Hence, when a program expects a HTML page (like a browser
loading a Web page), it will be parsed and displayed as a HTML page. When a
program expects a JPEG file (like a browser loading the "src" of an "img"
element) it will be parsed and displayed as a JPEG.

The trick is to use each format's comment syntax to hide the other format. Not
sure if the HTTP headers need to be set differently for each request or not.

~~~
TazeTSchnitzel
I think it may only work if you omit a Content-Type header. Checking Firefox's
Network tab, it looks like the server isn't serving one for that page.

~~~
286c8cb04bda
It's sending the "wrong" one --

    
    
        $ curl -I http://lcamtuf.coredump.cx/squirrel/
        HTTP/1.1 200 OK
        Date: Thu, 11 Aug 2016 05:18:00 GMT
        Server: Apache
        Last-Modified: Mon, 19 Sep 2011 23:31:49 GMT
        Accept-Ranges: bytes
        Content-Length: 135938
        Content-Type: text/html

~~~
TazeTSchnitzel
Oh. Huh. My bad.

I guess browsers only forbid ignoring Content-Type for stuff like JS, then.
For JPEG it's probably not a security concern.

------
caub
anchors are not interpreted as html

------
kessiler
nice trick!

------
pritianka
Reminds me of Pied Piper for some reason :-)

------
gkya
C'mon, don't be so stingy, give him a Ben at least :)

    
    
       _____________________________________________________________________
      |                                                                      |
      |  =================================================================== |
      | |%/^\\%&%&%&%&%&%&%&%&{ Federal Reserve Note }%&%&%&%&%&%&%&%&//^\%| |
      | |/inn\)===============------------------------===============(/inn\| |
      | |\|UU/              { UNITED STATES OF AMERICA }              \|UU/| |
      | |&\-/     ~~~~~~~~   ~~~~~~~~~~=====~~~~~~~~~~~  P8188928246   \-/&| |
      | |%//)     ~~~_~~~~~          // ___ \\                         (\\%| |
      | |&(/  13    /_\             // /_ _\ \\           ~~~~~~~~  13  \)&| |
      | |%\\       // \\           :| |/ ~ \| |:  3.21  /|  /\   /\     //%| |
      | |&\\\     ((iR$)> }:P ebp  || |"- -"| ||        || |||| ||||   ///&| |
      | |%\\))     \\_//      sge  || (|e,e|? ||        || |||| ||||  ((//%| |
      | |&))/       \_/            :| `._^_,' |:        || |||| ||||   \((&| |
      | |%//)                       \\ \\=// //         || |||| ||||   (\\%| |
      | |&//      R265402524K        \\U/_/ //   series ||  \/   \/     \\&| |
      | |%/>  13                     _\\___//_    1932              13  <\%| |
      | |&/^\      Treasurer  ______{Franklin}________   Secretary     /^\&| |
      | |/inn\                ))--------------------((                /inn\| |
      | |)|UU(================/ ONE HUNDERED DOLLARS \================)|UU(| |
      | |{===}%&%&%&%&%&%&%&%&%a%a%a%a%a%a%a%a%a%a%a%a%&%&%&%&%&%&%&%&{===}| |
      | ==================================================================== |
      |______________________________________________________________________|
    

source:
[http://chris.com/ascii/index.php?art=objects/money](http://chris.com/ascii/index.php?art=objects/money)

~~~
sctb
We detached this comment from
[https://news.ycombinator.com/item?id=12262995](https://news.ycombinator.com/item?id=12262995)
and marked it off-topic.

~~~
gkya
Why? I mean as if the parent was on topic... and this is a little joke, jokes
don't kill.

~~~
voltagex_
There's low tolerance for jokes on HackerNews. I'm not entirely sure why, but
it is what it is.

~~~
tomelders
To stop the place becoming like reddit, where all insightful comments are
buried under a torrent of jokes. I've had my fingers burnt a few times and
then sulked for a few days after one of my many hilarious quips was down-voted
into oblivion.

But ultimately I think it's for the greater good.

~~~
gkya
My comment stays at 12 upvotes. Certainly nobody would want jokes to surpass
serious comments, but this is not achieved by killing every single joke. Also,
there's another joke on that thread.

Sth. that one needs to get used to on HN I think... Randomly picking on
arguably off-topic and arguably offending posts proactively. Also, I'm shocked
seeing that the mod here has so low karma and so short history of HN usage.

~~~
tomelders
The system is far from perfect, but I've never got the impression that the
rules are applied malevolently. I wouldn't like the job of moderating
comments, it's really hard and ironically people tend to have a zero tolerance
policy if they feel hard done to by an error in judgement on behalf of the
mods.

------
a1k0n
That's a chipmunk, not a squirrel.

~~~
tikhonj
I'm not an expert on squirrels, but that could be a ground squirrel[1] of some
sort. Some varieties of ground squirrel look a lot like chipmunks.

[1]:
[https://en.wikipedia.org/wiki/Ground_squirrel](https://en.wikipedia.org/wiki/Ground_squirrel)

~~~
brlewis
A quick search for "striped ground squirrel" turned up only one variety, the
thirteen-lined ground squirrel. The animal in the photo has stripes like a
chipmunk.

~~~
gmfawcett
Look for stripes on the face: without them, it's probably a squirrel. Both
ground squirrels and chipmunks have body stripes, so the face is a better
indicator.

[http://naturemappingfoundation.org/natmap/facts/chipmunk_vs_...](http://naturemappingfoundation.org/natmap/facts/chipmunk_vs_squirrel.html)

[http://www.differencebetween.info/difference-between-
squirre...](http://www.differencebetween.info/difference-between-squirrel-and-
chipmunk)

~~~
a1k0n
You're right, there's no stripes on its face. I stand corrected.

Sadly, that was my most upvoted comment in ~9.5 years on this site.

~~~
eridius
Ahh, I was about to unvote you, but now I can't bear to do it. Keep my upvote.

------
webXL
DO NOT run Chrome's Timeline dev tool on this when reloading. Crashed a couple
tabs.

Good edge case for browser tests!

~~~
voltagex_
Works for me, 50.0.2661.94 on Windows 7 x64.

