
Twitter is rejecting posts containing JSFiddle URLs - NikxDa
https://github.com/jsfiddle/jsfiddle-issues/issues/1417
======
vermontdevil
It’s due to crypto scammers using it. From the founder’s post:

 _At some point in the past crypto scammers used JSFiddle to host pages with a
wallet code and posted links to that on Twitter.

Due to the nature of JSFiddle, anyone can post anything, so wallet codes are
ok – we did implement a content filter to shadow-ban these.

I asked Twitter if they could help out and ban twitter accounts that were
posting scam tweets that included links to the rogue fiddles.

Twitter just went the easy route and blocked all jsfiddle.net links instead of
blocking spammer accounts on their platform.

Tried to contact Twitter many many times, with no reply whatsoever. They most
likely have no-explanation-needed-policy, which is why they never replied.

There's nothing that can be done here unless somebody has contact to a higher
op at Twitter who has the decision power to help out here._

~~~
codedokode
I don't understand how posting a "wallet code" is dangerous. Is it mining
coins while you are browsing the code? Then it's just a minor annoyance. Also,
browsers should block cryptominers when they are in the background tab.

~~~
paulgb
I don’t think it’s mining code, I think it’s wallet addresses posted by
scammers. Here’s an example of the scam I think this is intended to curb:
[https://s3.amazonaws.com/aws-website-staticfiles-25g9k/elon_...](https://s3.amazonaws.com/aws-website-staticfiles-25g9k/elon_musk_eth_scam.html)

~~~
MasterScrat
I don't understand how someone could be tech-savvy enough to know about ETH
and actually own some, while at the same time falling for such scams.

~~~
59nadir
I would wager most of the people dealing in crypto currencies are actually
precisely the kind of people that would fall for pretty much anything. I don't
think it's a stretch to say that the fact that they deal in crypto currencies
is actually a pretty good indication that they would.

~~~
libria
I think you're conflating categories. Here's what I think:
[https://i.imgur.com/d4ocNXa.png](https://i.imgur.com/d4ocNXa.png)

That is to say, gullible people are found everywhere but I don't think people
inclined to fall for fraud are the same as get-rich-quick tech-heads.

~~~
trickstra
Responding by a Venn diagram, love it.

More to the point - there is a significant number of people who started
learning about computer security precisely because they got some
cryptocurrencies. And frankly, if someone wants to really understand the
details, it's hard to miss all the frequent warnings and examples of scams,
hacks, leaks.

------
Timucin
> Twitter just went the easy route and blocked all jsfiddle.net links instead
> of blocking spammer accounts on their platform.

This is a huge problem with all the tech giants that needs to be addressed. I
don't expect them to be perfect but I expect them to be open to communications
on any level.

I also think Twitter is the Twitter today just because of the bots and fake
accounts they have since those accounts were creating so much content and
movement on the platform. I know people who are spending days reading those
fake accounts while they have no idea what's fake and what's real. So maybe
-just maybe- they may not want to get rid of all those fake accounts and
bots.

~~~
banachtarski
I just don't agree with this sentiment. I don't work for twitter or any social
media company, but it strikes me as their prerogative to ban content deemed
unsafe if they don't have the means or wherewithal to properly police the
content. From an engineering standpoint, how exactly do you propose to scan
fiddles for objectionable content? With an image link, you could throw a
neural net at it and at least tag it as nsfw (or scan a few images in a linked
page).

And this isn't related at all to the bots and fake accounts (which I think is
the bigger problem). But in the context of your argument, this is just non
sequitur.

~~~
dwild
> their prerogative

Thus any business decision isn't a problem? Whether it's their prerogative, it's
still a problem in tech.

> to ban content deemed unsafe

Like any links? Or even text itself? The only thing that makes JSFiddle
"worst" is how easy it is, but even then almost anything else is just as easy.
If there's money to be made too, unless you block everything that cost less
than the money to be made, what you do won't stop it.

Why not just put that warning over EVERY single link and not block anything?
Do a white list instead.

~~~
Beldin
_> their prerogative

Thus any business decision isn't a problem?_

Depends on your definition of "problem"... and thus your definition of who
should care:

- legally (government): any business decisions that comply with the law are not
a problem

- financially (investors): any decisions that increase profits are not a
problem

- morally/ethically (users): any business decisions that you personally are
okay with are not a problem.

Each of these has its own correction mechanism: persecution, lack of funding,
customer outcry & abandonment.

In other words: there are ways to reverse bad decisions.

 _The only thing that makes JSFiddle "worst" is how easy it is_

As pointed out in other comments, the problem is that anyone can anonymously
create a malicious JSFiddle that runs undesired code. You could make a case
that any website that similarly allows anonymous code execution should have
that warning or be blocked. Most links, however, are better attributable. (Eg,
require account creation).

~~~
dwild
> Most links, however, are better attributable.

I strongly disagree on that. The fact that you have an account behind it
doesn't make it attributable at all. There's nearly no verification on 99% of
the internet. Some studies consider that 9 to 15% of Twitter accounts are
literally fake [1]. TwitterAudit believes that 40-60% of Twitter accounts are
fakes.

They aren't attributable to anyone except a username, which is worthless.

> You could make a case that any website that similarly allows anonymous code
> execution should have that warning or be blocked.

It was never about code execution but what they call "wallet code" which is
what I did in another comment [2].

> Most links

You can easily register a domain anonymously. Most links are fine sure, most
possible domains, aren't, which is my point. Show a warning (which they do on
URL Shortener) instead of blocking a domain altogether on ALL links and use a
white list (which would include MOST used domains) instead.

[1]
[https://aaai.org/ocs/index.php/ICWSM/ICWSM17/paper/view/1558...](https://aaai.org/ocs/index.php/ICWSM/ICWSM17/paper/view/15587)

[2]
[https://news.ycombinator.com/item?id=20124667](https://news.ycombinator.com/item?id=20124667)

------
vanderZwan
What I find strange is how this is presented as an either-or option between
banning and not banning. You can also have an intermediate warning page.
YouTube does this to any third-party website for example. Something like
_"Warning: JSFiddle has been abused by spammers to run crypto mining scripts. We
recommend that you do not continue to this JSFiddle page unless you
trust the source of the link"_ should work just fine, no?

~~~
luu
[Edit: whoops, misread the issue. Sorry!]

~~~
vanderZwan
Thanks for clarifying that you misread, but please keep the text or at least
enough contextual information so we know what the replies to you are talking
about. Which link did you edit out? Because I missed it.

------
Ensorceled
How many people are actually linking to valid JSFiddle links from Twitter?
This might have just been a math decision (X% malware > x% good links).

I have my own problems with Twitter, but a social media site with a LOT of
non-technical users blocking access to a site specifically designed to run
anonymous code in their browser doesn't make me want to break out my pitchfork
...

~~~
duxup
I think the math would then lead to only big sites being "good enough" to pass
the twitter test as to who gets a whole domain filtered or not, and if you're
running a site that someone does a bad thing on ... so much for anyone linking
to you anymore on Twitter.

That seems inherently bad.

~~~
dmix
Twitter et al have already decided to become the self-anointed gatekeepers of
what’s okay to post on the internet.

I missed the days when it was just Google search results we had to worry
about.

~~~
Ensorceled
Agreed. I just think this isn’t an example, or at least not an example of the
worst of it.

I can’t think of any legitimate reason my cousins who are on Twitter would
want to go to JSFiddle. I’m ok with Twitter taking this stance. I’m not ok
with many of the other policies.

------
diveanon
At what point is the tech community going to abandon twitter?

From my perspective it is just bots, "influencers", and propaganda.

I see very little social utility for using the network, especially when
compared to the damage it is causing through the spread of misinformation and
outright lies.

~~~
_pmf_
> From my perspective it is just bots, "influencers", and propaganda.

That's completely up to you; you need to create your own bubble (for better or
worse).

What I find bad is that there's no "circles" concept (both incoming and
outgoing). While the "incoming" part is not a problem for me, the "outgoing"
part is (example: posting slightly conservative views will cause tech
snowflakes among your followers to be upset; I'd like to restrict outgoing
tweets to a subset of my followers).

~~~
sfkdjf9j3j
Avoiding deliberately inflammatory alt-right language like "snowflake" would
probably go a long way in getting people to engage in good faith with you, for
whatever that's worth.

~~~
gmanley
That phrase has a long history of use way before alt-right was even a thing.
I've never heard of it being co-opted by any particular group. Other than in
extreme cases, that's just not how words work. Just because one group uses a
word doesn't mean it's taken out of the lexicon for everyone else. In fact, I
think you are giving a group unneeded power by suddenly categorizing certain
words as their language that should only be used by them.

~~~
tedunangst
Prior use of the word snowflake just means somebody who thinks they're
uniquely special. Just like everybody else. And I'd say you can continue using
it in that sense.

But the particular meaning of snowflake as someone who is too sensitive and
easily triggered is newer and more inflammatory.

------
tveita
> Due to the nature of JSFiddle, anyone can post anything, so wallet codes are
> ok – we did implement a content filter to shadow-ban these.

> I asked Twitter if they could help out and ban twitter accounts that
> were posting scam tweets that included links to the rogue fiddles.

So they basically sent a message to Twitter saying "We're knowingly hosting
malware and we don't intend to remove it, here are some examples"?

~~~
a012
Did you read the actual block quote?

> we did implement a content filter to shadow-ban these

JSFiddle shadow-bans these scam accounts, and they asked Twitter to do the same
but Twitter bans _all_ JSFiddle URLs instead.

~~~
tveita
I may be misinterpreting them but from the "wallet codes are ok" part it
sounded like they weren't banning them.

If by shadow ban they mean the link is completely inaccessible to other users
then I'll agree that they were doing their part and banning links to their
site was excessive.

~~~
Ravengenocide
"Due to the nature of JSFiddle, anyone can post anything", therefore "wallet
codes are ok" since "anyone can post anything".

A shadow ban normally means that you, the creator, can see your content, but
nobody else can. So them shadow banning people who post wallet codes is the
direct opposite of allowing wallet codes.

------
blauditore
This reminds me of how Russia banned Reddit because of one post of some dude
describing how to grow shrooms at home.

------
polymath_potato
Twitter is crazy. Recently I tried to change my gmail account to a more secure
encrypted email on my Twitter account but they never let me confirm that email
to my account. It always remained pending even though I clicked confirmation
links several times. When I went ahead and reverted the email to original
gmail account, everything was done seamlessly within seconds. I've had many
similar problems with Twitter for years. The Spam Accounts, getting locked for
apparently following 'too many' people in a short period of time, clicking
confirmation links multiple times, etc and now this.

------
aquova
Out of curiosity, I went onto Twitter and tried to post a link with one of the
similar sites as JSFiddle. It seems that CodePen URLs are still allowed. This
seems very strange to me, as unless I'm missing something, CodePen has the
same inherent faults as JSFiddle.

Twitter clearly has taken the easy way out here, and instead of addressing the
problem and trying to tackle it, just blanket banned JSFiddle with no regard to
their users, or to the variety of similar services that provide the exact same
functionality. If I was a crypto miner, I would simply copy paste into CodePen
and continue on my way.

~~~
megous
Any website can have a miner, outside of some safe content only sites. It may
as well be, that in some distant future, users of social sites will be able to
link only to other pre-approved major social sites.

You can't even link on most of these websites without going through some
intermediary URL forwarder.

------
vfc1
Given the nature of the product, there is no way for the maintainers of
JSFiddle to prevent it from being used to run arbitrary code, because that is
what it's meant to do.

It's also impossible for either jsfiddle or twitter to scan the code of each
fiddle and determine if it's legitimate or an attack, so this looks like a
good measure from Twitter.

What is surprising is how this was even allowed so far and still is in many
social networks, as it's such an obvious way to deliver exploits.

~~~
onion2k
_Given the nature of the product, there is no way for the maintainers of
JSFiddle to prevent it from being used to run arbitrary code, because that is
what it's meant to do._

There are things they could do though - such as limiting the execution time of
a fiddle to a couple of minutes, or limiting the size of the code, or blocking
certain calls, and so on. Users are running code that's been saved to the
JSFiddle server, so it's not unreasonable to suggest JSFiddle have _some_
responsibility to their visitors. They could make it so the code runs fine if
you're the owner or if you've explicitly said it's OK to take up more
resources, but defaults to running with these limits if you've just browsed to
a Fiddle from a link. They could block common mining scripts (which would only
work against 'scriptkiddie' attacks rather than anything sophisticated, but
whatever).

There _are_ things the JSFiddle maintainers could do. They don't have to, and
in their position I might not do anything either, but the cost of inaction in
this case is Twitter blocking links to their site.

~~~
Hendrikto
> Users are running code that's been saved to the JSFiddle server, so it's not
> unreasonable to suggest JSFiddle have some responsibility to their visitors.

I do not think so. If I insult another user on Hackernews, how is Ycombinator
responsible for that? I don’t think platforms should be responsible for what
their users do. That is a very slippery slope, leading to the horrendous way
YouTube deals with copyright claims, Article 13, and similar censoring tools.

~~~
onion2k
_If I insult another user on Hackernews, how is Ycombinator responsible for
that?_

Your example is a difficult one because only the person who the derogatory
comment is aimed at can decide whether or not they're insulted. Whether or not
something is insulting is up to the person it's aimed at. The same goes for
things like negative comments, stupid comments, copyright on a derivative work,
etc. Whether those things are _actually_ bad is a matter of opinion, and each
party probably takes a different position. Consequently it's a different
situation, and not really relevant here.

A better analogy would be if I were to invent a piece of plain text malware
and posted it in a Hackernews comment. Would YCombinator or HN have any
responsibility to remove it, or should they just let it sit there? I contend
that when something is actively harmful the publisher has a duty to protect
visitors by removing the content or limiting its impact. (And HN has some
awesome moderators who do exactly that in very extreme cases, plus users here
can flag things to hide them when there's a consensus, so it's not really like
HN is completely free of 'censorship')

Plenty of people take the opposing view that platforms shouldn't get involved.
There are two sides to most arguments. I'm slightly on the other side to your
position.

------
userbinator
A reminder that you don't need to technically link in order to refer to a
link, nor even mention the site directly:

"See JSviolin xxxxx"

If anyone gets confused, simply reply "replace violin with synonym starting
with f"...

This reminds me of when YouTube banned URLs in comments (I don't think they do
anymore), so people started posting pieces of them (like video IDs, the part
after watch?v=...) with hints instead: "see video xxxx".

Likewise, I can refer to this page with "see HN 20122583".

The loss of being able to post a link is not good, but in no way does it
absolutely stop communication. In fact, it will just cause "euphemisms" to
appear, and further exercise human creativity.

~~~
rchaud
That workaround reminds me of phpBB Forums that blocked URLs, so users would
spell them like "hxxp://www..."

~~~
jrockway
Speaking of removing links... in Overwatch there is a character called D.va.
The Overwatch League twitch chat removes all links, meaning that if you
mention her, other users see it as " __ __" instead of "d.va". It's amazing.

------
code_duck
I find messages like this frustrating. Facebook will show a generic 'this
action could not be completed at this time' page, which is very vague and
attempts to deflect their decision onto a nonexistent technical problem.

------
yahwhatev
> They most likely have no-explanation-needed-policy

I wonder when alternatives to today's big sites will take serious root. It
used to happen much more often.

------
elcomet
I don't understand the difference with any other website.

What prevents the scammers from posting links to a website containing crypto
miners, or any malware?

~~~
themacguffinman
It doesn't stop scammers in their tracks, it just makes it harder. With
dedicated scam websites, there is an actual cost to procuring new site
addresses to evade domain blacklists, and they can't piggyback off jsfiddle's
domain credibility.

------
chrisacky
This is a little offtopic, although I suppose there's a tangential link to
JSFiddle getting no response from Twitter.. I too have failed in getting a
response from JSFiddle..

About 70 days ago, I accidentally posted an anonymous submission to JSFiddle.

There was no excuse for this other than human error. I was working on
development and production at the same time and copied a user's personally
identifiable information from an email template that our production env sent out instead
of development. The development is all sanitised but the prod contains the
user's name, email and an order reference ID and what they ordered.

I submitted a take down request within 10 minutes of submitting at:

[https://airtable.com/shrm1ACZfg5PsTaUa](https://airtable.com/shrm1ACZfg5PsTaUa)

Every day for a week I altered the reason. It's still not been taken down.

I've tried the GDPR route, the copyright route.. I didn't get a single
response from them and the page was still being hosted on their site despite
many many _MANY_ attempts to have it removed.

Update/Edit: Been contacted by JSFiddle directly and appreciate contact in
helping resolve above.

~~~
WrtCdEvrydy
So, let me get this right...

You, a software engineering professional, copied a user's name, email and order
reference ID, two of which are PII, into an online service... on purpose.

~~~
code_duck
Yes, and they admitted error and the issue they're describing is that it was
very difficult to rectify the error.

------
ecares
I feel it's actually pretty fair. Not perfect, but keeps users safe

~~~
mattigames
Except they will now use github pages; and if they block all github pages
(github.io) they will use codepen or repl.it or tumblr (custom templates), and
so on until thousands of pages are blocked.

~~~
martin_a
Sounds somewhat like a "Win" to me. Twitter will die in doing so, I don't see
anything getting lost there anymore.

------
djsumdog
JSFiddle is big. They tried. They voiced concerns. They asked for help. They
got a ban with no explanation.

Please just join the fediverse. It's broken too, but if you get banned, at
least you can open an alt on another server.

Force Twitter to be irrelevant.

~~~
FreeHugs
The problem is: I have yet to find a person in the fediverse that interests
me. I like to read tweets from accomplished people. Successful startup
founders for example. Is there anybody out there? Any links to people of
significance in the fediverse?

~~~
reitanqild
Drew DeWalt is there and a number of others, especially the creators of the
fediverse like Eugene and others ;-)

FWIW you can also use an account on i.e. Mastodon to follow twitter users. I
suddenly realized because I was following a twitter user through a gateway,
probably because someone had boosted a tweet from that account sometime and I
had followed based on that.

That should take care of following at least.

~~~
aquova
I didn't realize this was a feature, and I haven't been able to find any
information on how to follow Twitter users in this way. How do you go about
doing it? If I can follow select Twitter users on Mastodon, that would really
incentivize me to use it further.

~~~
Kye
This isn't an official feature. People run bots to syndicate tweets. Some
people use crossposters.

------
intrasight
All links should be blocked IMHO. If you have something to say (in 280
characters) say it. If you have more to say, I'll find it on your blog.

~~~
celeritascelery
How will you show me where your blog is?

~~~
intrasight
It's in your bio

~~~
Retra
How is "go to my bio for a link" better than just providing the link?

~~~
intrasight
Avoids the slippery slope of those links. I say ban them.

------
andybak
It troubles me that something as well known as JSFiddle can't get a response
from Github. I understand they can't reply to every question from Johnny
Developer but JSFiddle must have thousands of users.

~~~
akuji1993
They didn't get a response from Twitter. Github isn't really part of this.

