Hacker News new | past | comments | ask | show | jobs | submit login
Twitter is rejecting posts containing JSFiddle URLs (github.com)
417 points by NikxDa 9 days ago | hide | past | web | favorite | 193 comments

It’s due to crypto scammers using it. From the founder’s post:

At some point in the past crypto scammers used JSFiddle to host pages with a wallet code and posted links to that on Twitter.

Due to the nature of JSFiddle, anyone can post anything, so wallet codes are ok – we did implemented a content filter to shadow-ban these.

I asked Twitter if they they could help out and ban twitter accounts that were posting scam tweets that included links to the rouge fiddles.

Twitter just went the easy route and blocked all jsfiddle.net links instead of blocking spammer accounts on their platform.

Tried to contact Twitter many many times, with no reply whatsoever. They most likely have no-explanation-needed-policy, which is why they never replied.

There's nothing that can be done here unless somebody has contact to a higher op at Twitter who has the decision power to help out here.

I don't understand how posting a "wallet code" is dangerous. Is it mining coins while you are browsing the code? Then it just a minor annoyance. Also, browsers should block cryptominers when they are in the background tab.

I don’t think it’s mining code, I think it’s wallet addresses posted by scammers. Here’s an example of the scam I think this is intended to curb: https://s3.amazonaws.com/aws-website-staticfiles-25g9k/elon_...

I don't understand how someone could be tech-savvy enough to know about ETH and actually own some, while at the same time falling for such scams.

I would wager most of the people dealing in crypto currencies are actually precisely the kind of people that would fall for pretty much anything. I don't think it's a stretch to say that the fact that they deal in crypto currencies is actually a pretty good indication that they would.

I think you're conflating categories. Here's what I think: https://i.imgur.com/d4ocNXa.png

That is to say, gullible people are found everywhere but I don't think people inclined to fall for fraud are the same as get-rich-quick tech-heads.

Responding by a Venn diagram, love it.

More to the point - there is a significant number of people who started learning about computer security precisely because they got some cryptocurrencies. And frankly, if someone wants to really understand the details, it's hard to miss all the frequent warnings and examples of scams, hacks, leaks.


The people speaking at events as experts on crypto mostly don’t know what they are doing.

Avoiding scams requires being people-savvy. Tech-savvy is unrelated.

I saw one of those fake Elon Musk posts in my stream and my first thought was "Wow! Is Elon pushing shady blockchain money things now?" It wasn't until a few seconds later that I realized there was no blue-check and it wasn't him....

Almost all people who know about bitcoin and ETH are looking for that cheap buck.

It is a numbers game. It is basically free and if you get 1 in a million than hey that's money. Same with Nigerian email spam I suppose.

These are probably the people who jumped on the hype train and bought at the previous peak.

holy shit Jita scammers have come out into the real world now.

"send me 1,000 isk and i'll send you 2,000 isk back!"

Oldest scam in the book. o7

o7 same thought occured to me m8. Fly safe!

Eh, at least it's not CODE

ok sent.

Paul is your Resume template open sourced anywhere , I like that time-line style?

I visited that page. I didn't check but I don't think any of my satoshis were stolen. Don't see what's dangerous there.

The page itself is not the scam. It's a page showing tweets where somebody is scamming people on Twitter, pretending to be Elon Musk giving out ETH.

Blocking cryptominers or other script isn't possible because of JavaScript's nature as Turing-complete language, much less with new shiny WebWorkers/PWAs. It's also not just a minor annoyance when miners, trackers, and all kinds of other nefarious or just plain garbage scripts drain your batteries and consume power/bandwidth for no other reason than browser vendors being busy to develop webapp platforms and world domination schemes rather than declarative and privacy-focussed content consumption/authoring ... browsers.

You can detect crypto miners pretty easily by their behavior.

I think Digital Ocean shared your view, until recently, when false positives caused them to shutdown a customer business, and a broken support procedure caused them to keep it down. Search HN archives for Digital Ocean from the last week or two and you should be able to find that story.

I don't know the terminology well, but further down in the discussion, it looks like it was some kind of scam rather than "just" mining.

Couldn't you do the same thing with github.io, S3 Websites, Netlify, the list goes on? Why would they single out JSFiddle among numerous services where one can upload arbitrary code?

The laziness of scammers never ceases to amaze.

There's the theory that misspellings in a Nigerian email are meant to filter only the truly gullible, but IDK if that is true.

> There's the theory that misspellings in a Nigerian email are meant to filter only the truly gullible, but IDK if that is true.

I think the crazier misspellings with wild character substitutions only started after bayesian spam filtering.

in this case is laziness another word for efficiency?

lazyness of the people trying to stop those scams should amaze you.

Nothing proves the scammers are not using those other alternatives for all you know.

So: the amount of people who own crypto and lose it in a free-money-just-give-me-money-first scam > legit developers who want to share code.

Why is twitter bending over backwards to protect the former crowd?

On a complete tangent, I think "rogue" might be the most misspelled word for those that otherwise have good spelling. It's still jarring every time I see it, decade after decade.

And "loose" instead of "lose", but that one is just confusing.

I see "break" ALL THE TIME where "brake" should be used.

    rouge -> rogue
    loose -> lose
    lose  -> loose
    break -> brake
And many more that I can't recall at the moment... In my youth I spent an absolutely obscene amount of energy correcting these people, bit now I just automatically lower the veracity of what they're saying each time I see some literacy problem.

That isn't fair to those people because not everyone speaks English as a first language, and phones autocorrect a lot of things that should not be corrected.

Some of these are actually mistakes native speakers are prone to make, since they didn't learn the language from text first.

"lead -> led" (past tense of the verb "to lead") is also a pretty common one for native speakers.

on the other hand, if nobody had corrected my use of "loose" I wouldn't know it.

I legitimately thought we were talking about reddish colored fiddles for a moment.

"Tounge" really grinds my gears, I don't know why.

The take away here is to never do anything nice for Twitter because they won't reciprocate and won't even return your emails.

Crypto scammers can simply switch to GitHub Pages. Can Twitter ban github links?

There's a fairly big difference: JSFiddle is completely anonymous but GitHub Pages and similar services require accounts and at least in the case of GitHub they have a functional abuse team.

In contrast, JSFiddle can take something down but that's where it ends unless the scammer used a dedicated IP which is easily traced to them.

And even then, scammers can always switch to custom domains. It seems futile to block arbitrary code execution unless they only allow whitelisted domains.

Why not ? They did it for JSFiddle. They own the platform, so technically they do what they want.

The backlash from banning GitHub links would be magnitudes larger than JSFiddle.


Please don't post unsubstantive comments or shallow dismissals here.


The low-effort snark is unnecessary and weakens the conversation. At least make it witty.

JSFiddle is a pretty low tier target that most people won't miss. Github links aren't. Also, I'd imagine Github Pages is more responsive to taking down scamware, it at least requires an account, and has more of an interested in keeping malicious behavior off the platform.

What demographic does twitter like to hire? Probably people who use github a lot, huh?

What is "a wallet code"?

I assume they mean a mining script - so that the person running the jsfiddle would be mining cryptocurrencies, and the proceeds would go to the scammers wallet address.

If that is true, Twitter should also block every newspaper out there. Their bloated websites max out my CPU too.

Get uMatrix and block scripts.

I am thinking code that would leverage browser extension wallets like Metamask and access the wallet of the user and steal the crypto.

It should just be an address, the scam would be to try convince you to send money there.

>> By wallet code you mean a crypto mining script yes?

>I think I saw some variant of this. It's one of those "send some ETH and receive 2x more back!" With fake "live" transaction listing and fake testimonials.

> Edit: if memory serves me correct, the transactions being listed are actually not fake, though the live aspect is. Same transaction always reappear as if they're new if you refresh, and those transactions is the 2x amount that got send back. It's all just the scammers trying to make the site look legit.

- From the above linked GitHub Issue

What's next? Banning QR codes containing wallet address?

Banning all links whatsoever because any web page can contain a miner, a malware or just offensive material.

Videos and images can contain offensive material and twitter is full of them.

Twitter is full of offensive anything.

It is pretty remarkable that no matter who you are, Twitter will find a way to piss you off.

> Twitter just went the easy route and blocked all jsfiddle.net links instead of blocking spammer accounts on their platform.

This is a huge problem with all the tech giants that needs to be addressed. I don't expect them to be perfect but I expect them to be open to communications on any level.

I also think Twitter is the Twitter today just because of the bots and fake accounts they have since those accounts were creating so much content and movement on the platform. I know people whose spending days by reading those fake accounts while they have no idea what's fake and what's real. So maybe -just may be- they may not want to get rid of all those fake accounts and bots.

I just don't agree with this sentiment. I don't work for twitter or any social media company, but it strikes me as their prerogative to ban content deemed unsafe if they don't have the means or wherewithal to properly police the content. From an engineering standpoint, how exactly do you propose to scan fiddles for objectionable content. With an image link, you could throw a neural net at it and at least tag it as nsfw (or scan a few images in a linked page).

And this isn't related at all to the bots and fake accounts (which I think is the bigger problem). But in the context of your argument, this is just non sequitur.

> their prerogative

Thus any business decision isn't a problem? Whether it's their prerogative, it still a problem in tech.

> to ban content deemed unsafe

Like any links? Or even text itself? The only thing that makes JSFiddle "worst" is how easy it is, but even then almost anything else is just as easy. If there's money to be made too, unless you block everything that cost less than the money to be made, what you do won't stop it.

Why not just put that warning over EVERY single links and not block anything? Do a white list instead.

> their prerogative

Thus any business decision isn't a problem?

Depends on your definition of "problem"... and thus your definition of who should care:

- legally (government): any business devising that comply with law are not a problem

- financially (investors): any decisions that increase profits are not a problem

- morally/ethically (users): any business decisions that you personally are okay with are not a problem.

Each of these has its own correction mechanism: persecution, lack of funding, customer outcry & abandonment.

In other words: there are ways to reverse bad decisions.

The only thing that makes JSFiddle "worst" is how easy it is

As pointed out in other comments, the problem is that anyone can anonymously create a malicious JSFiddle that runs undesired code. You could make a car that any website that similarly allows anonymous code execution should have that warning or be blocked. Most links, however, are better attributable. (Eg, require account creation).

> Most links, however, are better attributable.

I strongly disagree on that. The fact that you have an account behind it doesn't make it attributable at all. There's nearly no verification on 99% of the internet. Some studies consider that 9 to 15% of Twitter accounts are litteraly fake [1]. TwitterAudit believe that 40-60% of Twitter accounts are fakes.

They aren't attributable to anyone except a username, which is worthless.

> You could make a car that any website that similarly allows anonymous code execution should have that warning or be blocked.

It was never about code execution but what they call "wallet code" which is what I did in another comment [2].

> Most links

You can easily register a domain anonymously. Most links are fine sure, most possible domains, aren't, which is my point. Show a warning (which they do on URL Shortener) instead of blocking a domain altogether on ALL links and use a white list (which would include MOST used domains) instead.

[1] https://aaai.org/ocs/index.php/ICWSM/ICWSM17/paper/view/1558...

[2] https://news.ycombinator.com/item?id=20124667

Ok, but they’re not blocking CodePen etc. And furthermore, you don’t even need a JSFiddle/CodePen whatever, you can run it on any website that you can edit code on! Is github.io next to be blocked? How about any unrecognized website? That JSFiddle has been targeted by this action is absurdity.

It is a problem. YouTube throwing off content makers. Facebook banning campaigns. playstore banning Dev accounts. iOS store banning apps. Google search removing search results. Twitter banning people. In a lot these cases the businesses and people behind these are victim without ever doing something wrong. Bad or no communication is something they have to deal with. Yes, in a lot of cases there is a justified reason. But the good should not suffer from the bad. And that is what's happening right now. Same with this Twitter link ban.

>> From an engineering standpoint, how exactly do you propose to scan fiddles for objectionable content.

But if this was about getting people to click more ads, Twitter would be throwing enormous amounts of resources at it.

I mean, let's not pretend that this is an engineering problem.

Engineering and cost to me are intricately intertwined, so yes it is an engineering problem. If they could solve it without affecting the bottom line (or even better improving the bottom line), I'm sure they would.

> I know people whose spending days by reading those fake accounts while they have no idea what's fake and what's real

That's not your point I think, but fake|bots accounts and subs are among the best things we got from twitter/reddit in my opinion.

Aside from the ones designed to be funny from the start, the nonsensical ones also blend perfectly with what we would call 'legit' users and serious posts/communities.

That's to a point where I find it really useful to purposefully inject fake and non sensical content in the timelines to get some daily critical training, but also an escape hatch for the mind when hitting some of the submissions that we think just can't be real.

You're right, I was aiming the spammers by fake/bot accounts. Not the ones that are useful or fun.

It doesn't even look like it's blocked, you just get a interstitial page warning. I think this was their best route. Shouldn't be up to tech companies to build logic for each site that can't get a handle on their users content. Twitter can barely do it themselves

What I find strange how this is presented as an either-or option between banning and not banning. You can also have an intermediate warning page. YouTube does this to any third-party website for example. Something like "Warning: JSFiddle has been abused by spammers to run crypto mining scripts. We recommend that you that you do not continue to this JSFiddle page unless you trust the source of the link" should work just fine, no?

Twitter doesn't exactly target the kind of demographic that understands what "to run crypto mining scripts" even means, let alone how to assess whether they "trust the source". I mean, it was retweeted by someone I follow and it has a funny picture of Trump with a dancing turd emoji on his head, what's there not to trust?

It's extremely hard to coach non-technical users into making the right call when presented with a security warning box.

That said, if Twitter can assess whether a posted video contains "sensitive material" (i.e. exposed body parts), they can also assess whether a jsfiddle link (or any link, really) likely contains crypto miners.

> It's extremely hard to coach non-technical users into making the right call when presented with a security warning box.

And not presenting them with any call at all is guaranteed to keep them non-technical. We have to take the training wheels off at some point.

And it's Twitter's job to train them?

It's not about whether it's Twitter's job to "train" them, a warning page before continuing a link is hardly that.

It's about whether they should trust their users and believe that the latter can take responsibility for their own choices, and figure these things out themselves.

> It's about whether they should trust their users and believe that the latter can take responsibility for their own choices, and figure these things out themselves.

You're just begging the question. Why should they do that?

Not really, this is turning into the equivalent of a six year old replying with "why?" to every answer, except you're adults pretending to be oblivious.

You're free not to reply, but I'm not sure why you're calling me childish to ask for an actual reason you think it makes sense for Twitter to do all these things you're asking them to do.

Enlighten me. I could assume the worst of your intentions as you've done, but I'm honestly interested in why you think it makes sense for Twitter to "trust their users" to "take responsibility for their own choices".

The companies don't want that, because they are afraid of losing control over their "users" as the latter become more technologically literate and realise there are better alternatives.

You can already see some of this in things like DRM and adblocking, and of course the various walled gardens.

Mainstream software is all about keeping users blissfully ignorant and consuming.

There's a UX problem with this:

You're making the user answer a question they (generally) don't know the answer to and don't want to answer anyway.

I do agree that there is a UX problem and that it matters a lot how this is presented, bu I'm not sure if I agree that it's a real problem here. The question is basically "do you know if you can trust this source?", which means it should "round down" to no.

Steam does this:

> Notice:

> You are leaving Steam.

> Never enter your Steam password on an untrusted website. Any login form on an official Steam site will display "Valve Corp." in green with a padlock icon in your browser’s address bar, as shown below:


For anything that looks malicious ("https://anyURL<h1>"):

> Link Blocked!

> This link has been flagged as potentially malicious.

> https://anyURL%3Ch1%3E has been flagged as being potentially malicious. For your safety, Steam will not open this URL in your web browser. The site could contain malicious content or be known for stealing user credentials.

> Never enter your Steam password on an untrusted website. Any login form on an official Steam site will display "Valve Corp." in green with a padlock icon in your browser’s address bar, as shown below:


This isn't even true anymore, though. Chrome doesn't display TLS as green, and I believe EV certs are on the way out. (Because anyone can register a company called "Valve Corp." and be issued an EV certificate.)

This is inside of steam's browser

They could use the same warning for fake news websites or for anything they deem worth warning or are ordered to. Could be interesting at least.

[Edit: whoops, misread the issue. Sorry!]

Thanks for clarifying that you misread, but please keep the text or at least enough contextual information so we know what the replies to you are talking about. Which link did you edit out? Because I missed it.

Per the text, the screenshot you are seeing is what happens when someone links to a jsfiddle using a url shortner but posts linking directly to jsfiddle are rejected.

>Twitter is rejecting posts with JSFiddle URL inside.

>If a URL shortener is used the unsafe page warning is displayed[1]

I think that screenshot was from a link posted with a URL shortener. Weird that it makes a difference.

How many people are actually linking to valid JSFiddle links from Twitter? This might have just been a math decision (X% malware > x% good links).

I have my own problems with Twitter, but a social media site with a LOT of non-technical users blocking access to a site specifically designed to run anonymous code in their browser doesn't make me want to break out my pitchfork ...

I think the math would then lead to only big sites being "good enough" to pass the twitter test as to who gets a whole domain filtered or not, and if you're running a site that someone does a bad thing on ... so much for anyone linking to you anymore on Twitter.

That seems inherently bad.

Twitter et al have already decided to become the self-anointed gatekeepers of what’s okay to post on the internet.

I missed the days when it was just Google search results we had to worry about.

Agreed. I just think this isn’t an example, or at least not an example of the worst of it.

I can’t think of any legitimate reason for my cousins who are on Twitter would want to go to JSFiddle. I’m ok with Twitter taking this stance. I’m not ok with many of the other policies.

That’s not entirely my point. The whole point of JSFiddle (which I love) is at odds with the bulk of the demographic of Twitter. If your content sharing site inadvertently has malware you can remove it, JSFiddle will always be risky.

The bulk of the people I follow on Twitter would have no clue what it was or how to even begin to understand it.

>The whole point of JSFiddle (which I love) is at odds with the bulk of the demographic of Twitter.

I'm not sure that's a line that Twitter would draw, or is even accurate.

I also suspect that most content on twitter the bulk of twitter users / demographics wouldn't care about...

This is all true, I guess I just come down to supporting twitter’s calculus on this one.

It shouldn't be twitters job to clean up after jsfiddle, who don't seem to put any effort whatsoever into mitigating malicious code beings shared on their site.

Doesn't really take much for a code sharing site to demand registration before you share code and to have a report button.

At what point is the tech community going to abandon twitter?

From my perspective it is just bots, "influencers", and propaganda.

I see very little social utility for using the network, especially when compared to the damage it is causing through the spread of misinformation and outright lies.

From your perspective it is just bots, "influencers", and propaganda.

From my perspective it's the everyday chat of my friends, and interesting security-researchers posting their findings.

It's also a randomly acquired group of people I follow to improve my ability to read the Finnish language.

> From my perspective it's the everyday chat of my friends, and interesting security-researchers posting their findings.

I wish this was true. I’ve struggled for years to keep my feed about the tech topics I’m interested in. Twitter keeps making that harder and harder.

Now twitter force feeds every viral anti-Trump or political outrage tweet, liked by some random user I followed 4yrs ago, into my main feed.

Their insistence on choosing what content I want to see for me, instead of just the feeds of the people I opted-in to follow, has made it nearly impossible to avoid the cancerous US political and other social issue outrage machine which is what 90% of Twitter’s popular content seems to be.

I had no choice but to abandon Twitter. Unfollowing people who post political stuff was hard enough, unfollowing people who use the like button on political/outrage stuff plus other viral content that surfaces the highest is near impossible.

I hope Twitter makes a ‘retro’ mode where I can just see the actual tweets of only the people I follow in semi-chronological order. With the same option to turn off retweets for certain users, with no "liked" or trending tweets forced in.

> I hope Twitter makes a ‘retro’ mode where I can just see the actual tweets of only the people I follow in semi-chronological order. With the option to turn off retweets for certain users.

I think both of these exist? There's a way to turn off retweets for particular users (it's in the same menu you'd use to mute or block someone) and there's an option to show a plain timeline (uncheck "show the best tweets first").

The plain timeline option doesn't seem to consistently work on the mobile app, but many (most? all?) alternative Twitter clients show you the plain timeline.

Yes I'm sure there's some workaround way to do it either through custom lists or using Tweetdeck (or some other app) but I've tried those and unless it's the primary feed with full native mobile support the UX is awful and Twitter still finds ways to force content on you.

Twitter is pretty simple fundamentally. It is just the feed with some notifications for 90% of the UX. I just want a different kind of primary feed that reflects what it used to be about. Even it's just a tab on the feed. Like how Reddit has "Home", "News", and "Popular" tabs, I just want the home tab.

Just sounds like way more effort than is worthwhile to curate that information and filter out the garbage.

I have very limited connectivity and spend minimal time online, twitter is time wasted for me.

Speak for yourself I guess. I get a lot of quality content from following engineers and projects - big and small - on twitter.

I think you're preaching to the wrong platform here. HN is one of few corporate tech forums out there and twitter is a very corporate medium.

Whole twitter culture honestly is quite saddening and it's leaking to alternative mediums as well (like mastodon.social has started to suffer from same problems).

We worked so hard to create easy and accessible way to micro blog and communicate through text via formatting, proper structures with rss feeds etc and twitter just threw all that through the window in favor of short unformated, unsorted and algorithmitized, toxic "chats".

Ugh, I'm excited to finally see it go the way of the dodo.

You're right about this being the wrong forum. However I used to work in corporate tech and even then I found it to be an inefficient time sink.

Those are only things that get media attention, Twitter is much more than bots and propaganda.

Try unfollowing the bots, influencers, and propaganda pushers.

it is easier to just stop using twitter.

> From my perspective it is just bots, "influencers", and propaganda.

That's completely up to you; you need to create your own bubble (for better or worse).

What I find bad is that there's no "circles" concept (both incoming and outgoing). While the "incoming" part is not a problem for me, the "outgoing" part is (example: posting slightly conservative views will cause tech snowflakes among your followers to be upset; I'd like to restrict outgoing tweets to a subset of my followers).

Avoiding deliberately inflammatory alt-right language like "snowflake" would probably go a long way in getting people to engage in good faith with you, for whatever that's worth.

That phrase has a long history of use way before alt-right was even a thing. I've never heard of it being co-opted by any particular group. Other than in extreme cases, that's just not how words work. Just because one group uses a word doesn't mean it's taken out of the lexicon for everyone else. In fact, I think you are giving a group unneeded power by suddenly categorizing certain words as their language that should only be used by them.

Prior use of the word snowflake just means somebody who thinks they're uniquely special. Just like everybody else. And I'd say you can continue using it in that sense.

But the particular meaning of snowflake as someone who is too sensitive and easily triggered is newer and more inflammatory.

Most words have a history of use before their current use. Führer was just German for "leader," but it still has some very specific connotations nowadays. In this particular case, the word snowflake, when used in a context similar to how that poster used it, is very strongly associated with far-right "political correctness" grievances these days.

> Due to the nature of JSFiddle, anyone can post anything, so wallet codes are ok – we did implemented a content filter to shadow-ban these.

> I asked Twitter if they they could help out and ban twitter accounts that were posting scam tweets that included links to the rouge fiddles.

So they basically sent a message to Twitter saying "We're knowingly hosting malware and we don't intend to remove it, here are some examples"?

Twitter was being used to disseminate malware and addressed it in a way that hurt another platform without fixing their own. JSFiddle took a reasonable approach that did not affect Twitter and left their product offering intact while punishing bad actors. Twitter slapped a “JSFiddle bad” band-aid on the problem that does nothing to address the problem of Twitter being used to spread malicious content. Instead of using their size to do more Twitter uses it to do less.

I don’t think this was mining malware, I think it was just the wallet address. Twitter has been (badly) playing a cat-and-mouse game with a Cryptocurrency version of a classic 419 scam (i.e. send me money so I can send you back more). Twitter has been fighting it by flagging tweets that post wallet IDs, so the scammers have been finding other ways to obfuscate the wallet IDs, like this.

Did you read the actual block quote?

> we did implemented a content filter to shadow-ban these

JSFiddle shadow-ban these scam accounts, and they asked Twitter to do the same but Twitter bans _all_ JSFiddle URLs instead.

I may be misinterpreting them but from the "wallet codes are ok" part it sounded like they weren't banning them.

If by shadow ban they mean the link is completely inaccessible to other users then I'll agree that they were doing their part and banning links to their site was excessive.

"Due to the nature of JSFiddle, anyone can post anything", therefore "wallet codes are ok" since "anyone can post anything".

A shadow ban normally means that you, the creator, can see your content, but nobody else can. So them shadow banning people who post wallet codes is the direct opposite of allowing wallet codes.

This reminds me of how Russia banned Reddit because of one post of some dude describing how to grow shrooms at home.

Twitter is crazy. Recently I tried to change my gmail account to a more secure encryted email on my Twitter account but they never let me confirm that email to my account. It always remained pending even though I clicked confirmation links several times. When I went ahead and reverted the email to original gmail account, everything was done seamlessly within seconds. I've had many similar problems with Twitter for years. The Spam Accounts, getting locked for apparently following 'too many' people in a short period of time, clicking confirmation links multiple times, etc and now this.

Out of curiosity, I went onto Twitter and tried to post a link with one of the similar sites as JSFiddle. It seems that CodePen URLs are still allowed. This seems very strange to me, as unless I'm missing something, CodePen has the same inherent faults as JSFiddle.

Twitter clearly has taken the easy way out here, and instead of addressing the problem and tried to tackle it, just blanket banned JSFiddle with no regard to their users, or to the variety of similar services that provide the exact same functionality. If I was a crypto miner, I would simply copy paste into CodePen and continue on my way.

Any website can have a miner, outside of some safe content only sites. It may as well be, that in some distant future, users of social sites will be able to link only to other pre-approved major social sites.

You can't even link on most of these websites without going through some intermediary URL forwarder.

Given the nature of the product, there is no way for the maintainers of Js fiddle to prevent it from being used to run arbitrary code, because that is what it's meant to do.

It's also impossible for both jsfiddle or twitter to scan the code of each fiddle and determine if it's legitimate or an attack, so this looks like a good measure from Twitter.

What is surprising is how this was even allowed so far and still is in many social networks, as its such an obvious way to deliver exploits.

Given the nature of the product, there is no way for the maintainers of Js fiddle to prevent it from being used to run arbitrary code, because that is what it's meant to do.

There are things they could do though - such as limiting the execution time of a fiddle to a couple of minutes, or limiting the size of the code, or blocking certain calls, and so on. Users are running code that's been saved to the JSFiddle server, so it's not unreasonable to suggest JSFiddle have some responsibility to their visitors. They could make it so the code runs fine if you're the owner or if you've explicitly said it's OK to take up more resources, but defaults to running with these limits if you've just browsed to a Fiddle from a link. They could block common mining scripts (which would only work against 'scriptkiddie' attacks rather than anything sophisticated, but whatever).

There are things the JSFiddle maintainers could do. They don't have to, and in their position I might not do anything either, but the cost of inaction in this case is Twitter blocking links to their site.

>it's not unreasonable to suggest JSFiddle have some responsibility to their visitors

You do understand that they banned the malicious accounts and contacted Twitter, right? Them behaving responsibly is what caused this mess, not sure why you're implying they have no responsibility to their visitors...

> Users are running code that's been saved to the JSFiddle server, so it's not unreasonable to suggest JSFiddle have some responsibility to their visitors.

I do not think so. If I insult another user on Hackernews, how is Ycombinator resposinble for that? I don‘t think platforms should be responsible for what their users do. That is a very slippery slope, leading to the horrendous way YouTube deals with copyright claims, Article 13, and similar censoring tools.

If I insult another user on Hackernews, how is Ycombinator resposinble for that?

Your example is a difficult one because only the person who the derogatory comment is aimed at can decide whether or not they're insulted. Whether or not something is insulting is up to the person it's aimed at. The same goes for things like negative comments, stupid comments, copyright on a derivate work, etc. Whether those things are actually bad is a matter of opinion, and each party probably takes a different position. Consequently it's different situation, and not really relevant here.

A better analogy would be if I were to invent a piece of plain text malware and posted it in a Hackernews comment. Would YCombinator or HN have any responsibility to remove it, or should they just let it sit there? I contend that when something is actively harmful the publisher has a duty to protect visitors by removing the content or limiting it's impact. (And HN has some awesome moderators who do exactly that in very extreme cases, plus users here can flag things to hide them when there's a consensus, so it's not really like HN is completely free of 'censorship')

Plenty of people take the opposing view that platforms shouldn't get involved. There are two sides to most arguments. I'm slightly on the other side to your position.

Should Twitter also ban links to Amazon S3 or any other cloud storage? It can also be used to host arbitrary JavaScript.

By the nature of the product JsFiddle also can't do anything more than what any website set up by an attacker could do. The only thing making JsFiddle unique is that it is lower friction. Any attacker could also set up a github pages link, or use any free webhoster, or rent webspace for $5/year under a false name.

Couldn't any link point to anything that runs arbitrary code? Does it matter if it's on jsfiddle or xyz.com?

It makes sense to ban a website that is 100% mining, but blanket-banning jsfiddle is like banning the whole internet because there might be a crypto miner on any website. Probably 99% of jsfiddle links are not miners.

Then Twitter should ban all links externally, because other websites can run arbitrary code.

The difference is that those sites don't let anonymous users run arbitrary code on their servers, unlike Jsfiddle.

A reminder that you don't need to technically link in order to refer to a link, nor even mention the site directly:

"See JSviolin xxxxx"

If anyone gets confused, simply reply "replace violin with synonym starting with f"...

This reminds me of when YouTube banned URLs in comments (I don't think they do anymore), so people started posting pieces of them (like video IDs, the part after watch?v=...) with hints instead: "see video xxxx".

Likewise, I can refer to this page with "see HN 20122583".

The loss of being able to post a link is not good, but in no way does it absolutely stop communication. In fact, it will just cause "euphemisms" to appear, and further exercise human creativity.

That workaround reminds me of phpBB Forums that blocked URLs, so users would spell them like "hxxp://www..."

Speaking of removing links... in Overwatch there is a character called D.va. The Overwatch League twitch chat removes all links, meaning that if you mention her, other users see it as "" instead of "d.va". It's amazing.

I think these euphemisms are healthy. better than posting the entire link. Similar to the @ and # handles.

I find messages like this frustrating. Facebook will show a generic 'this action could not be completed at this time' page, which is very vague and attempts to deflect their decision onto a nonexistent technical problem.

> They most likely have no-explanation-needed-policy

I wonder when alternatives to today's big sites will take serious root. It used to happen much more often.

I don't understand the difference with any other website.

What prevents the scammers to post links to a website containing crypto miners, or any malware ?

It doesn't stop scammers in their tracks, it just makes it harder. With dedicated scam websites, there is an actual cost to procuring new site addresses to evade domain blacklists, and they can't piggyback off jsfiddle's domain credibility.

This is a little offtopic, although I suppose there's a tangential link to JSFiddle getting no response from Twitter.. I too have failed in getting a response from JSFiddle..

About 70 days ago, I accidentally posted an anonymous submission to JSFiddle.

There was no excuse for this other than human error. I was working on development and production at the same time and copied a users personally identifiable from an email template that our production env sent out instead of development. The development is all sanitised but the prod contains the user's name, email and an order reference ID and what they ordered.

I submitted a take down request within 10 minutes of submitting at:


Every day for a week I altered the reason. It's still not been taken down.

I've tried the GDPR route, the copyright route.. I didn't get a single response from them and the page was still being hosted on their site despite many many _MANY_ attempts to have it removed.

Update/Edit: Been contacted by JSFiddle directly and appreciate contact in helping resolve above.

So, let me get this right...

You, a software engineering professional copied a user'name, email and order reference ID, two of which are PII into an online service... on purpose.

Yes, and they admitted error and the issue they're describing is that it was very difficult to rectify the error.

I feel it's actually pretty fair. Not perfect, but keeps users safe

There are tons of other websites you can host a crypto script. If Twitter really wants to keep users safe, they should implement a mandatory warning (I've seen this being referred as a "cushioning" page) instead of having a questionable blacklist.

Except they will now use github pages; and if they block all github pages (github.io) they will use codepen or repl.it or tumblr (custom templates), and so on until thousands of page are blocked.

Sounds somewhat like a "Win" to me. Twitter will die in doing so, I don't see anything getting lost there anymore.

So is Net Neutrality. Ensures that random sites (new sites) doesn't distract you.

JSFiddle is big. They tried. They voiced concerns. They asked foe help. They got a ban with no explanation.

Please just join the fediverse. It's broken too, but if you get banned, at least you can open an alt on another server.

Force Twitter to be irrelevant.

The problem is: I have yet to find a person in the fediverse that interests me. I like to read tweets from accomplished people. Successful startup founders for example. Is there anybody out there? Any links to people of significance in the fediverse?

Drew DeWalt is there and a number of others, especially the creators of the fediverse like Eugene and others ;-)

FWIW you can also use an account on i.e. Mastodon to follow twitter users. I suddenly realized because I was following a twitter users through a gateway, probably because someone had boosted a tweet from that account sometime and I had followed based on that.

That should take care of following at least.

I didn't realize this was a feature, and I haven't been able to find any information on how to follow Twitter users in this way. How do you go about doing it? If I can follow select Twitter users on Mastodon, that would really incentivize me to use it further.

This isn't an official feature. People run bots to syndicate tweets. Some people use crossposters.

Mind sharing more information on this? I have a Mastodon account but never even noticed this.

Maybe the real problem is people of "significance" have no simple way of duplicating their posts there? Many seem to desire the biggest audience possible.

The indie web folks have thought about this. Relevant reading:

Publish (on your) Own Site, Syndicate Elsewhere [ https://indieweb.org/POSSE ]

Publish Elsewhere, Syndicate (to your) Own Site [ https://indieweb.org/PESOS ]


> why do you give a shit?

Given your tone, I'm going to guess you're not asking the GP a question in earnest. You should try to think about why they might "give a shit".

Twitter's userbase is its primary feature. Not its shitty UI, not its awful character limit, and none of the stuff mastodon's various UIs are copying. Its userbase.

If you want the fediverse to succeed, you need to understand that. And you need to stop being so accusatory of people who don't use the internet the same way you do, FFS.

(And for the record, I want the fediverse to succeed, but I also use Twitter because userbase)

I don't want the fediverse to "succeed", frankly its the only space for us LGBTQ+ to not be harassed, reply guyed, and screen-capped online that isn't a corporate hellhole.

Edit: "Success" in our current world seems to be defined as the transition Reddit has gone through, where the userbase has exploded, its eaten Facebook's lunch to a fair degree, but the quality of discourse and interaction has dropped like a rock.

I've stopped using Reddit, and such a change would kill my use of the fediverse.

> screen-capped

People are upset that others are taking screenshots of their public posts?

That’s the eternal September. Almost all online communities ultimately either die out or become overflowed by the masses.

I don't understand why that's not okay, though. I get people get attached to communities they're a part of, but just like people, they change and/or die.

If you think about it, it's absurd to expect them not to: Even if the community keeps its member list exactly intact forever, and the members remain at their exact same activity level forever, those very members will change over time. Hell, you will change over time and get to appreciate different qualities of that community.

Same reason my guild's forum feels completely different today than it did 5, 10 years ago.

The problem isn't change per se, but change for the negative brought on by mainstream exposure leading to an influx of new members who don't learn the ettiquette of the community before joining in.

An analogy would be if HN was suddenly overrun with rude, non-technical people attacking other posters and causing drama, and outnumbering the thoughtful and constructive comments and links we come to the place for.

The "eternal september" is particularly sad if you go back and read the archived posts of early usenet - I would kill to get discussion of that quality on the net today.

You can ban people, from instances that you disagree with, from replying/following people on your instance if you like. You can also completely isolate your instance or only federate with a whitelisted cluster of instances.

The person I'm replying to clearly does.

Nethertheless, if the usefulness of something depends on it failing, something's wrong.

The person your replying to explicitly states that you should follow random people off main (the federated timeline) and have a sense of wanderlust rather than following a handful of #thoughtfluencers.

Please see earlier reply: stop being so accusatory of people who don't use the internet (or live their life) the same way you do.

Mock them all you want, in private. Don't bully people because they take selfies, buy tourist gadgets, or follow people you're too good for.

> Why do you give a shit? Why do people have to be famous to be relevant? Follow random people.

Plan A: Use Twitter (or other media like it).

Plan B: Change human nature.

I wish you good luck in your endeavour with Plan B, djsumdog! :)

Because the whole point is that I get insights from people I admire, man. I want to listen to John Carmack, not some random fool. _I'm_ some random fool and if I wanted those opinions I can cook them up myself.

If you want influencers, Mastodon isn't for you. The fediverse is for humans, not celebrities.

Unfortunately, a lot of people do. In order to obtain the critical mass you need for a functioning social network, you need content that a lot of people will want to look at. In this case, that means influencers.

I don't know what your basis is for this assertion, but it's not true in the case of Mastodon. It functions just fine. I don't need some random checkmark bearer on there to enjoy my little corner of the fediverse. The instance I'm on covers its costs with a Patreon. That's true of most I interact with. There is no need for massive scale. Only ad-supported centralized services require that to function.

Not everyone has eating the world as a goal. Lance Ulanoff didn't understand this when he declared Mastodon DOA two years ago because he couldn't find William Shatner, and people continue to make the same mistake. I don't want to follow William Shatner or Lance Ulanoff, so they can stay on Twitter with people who do.

That's for you.

If your goal is to have Mastodon "catch on" and have people transition away from Twitter en masse, then yes, you need William Shatner on Mastodon.

Okay. That's not my goal. I don't who has that as a goal. Is it your goal? Maybe you should talk to Shatner about Mastodon. He's fairly responsive on Twitter.

Even the main Mastodon project instance is funded by a Patreon. I don't think Eugen would complain if he had a few more users, but growth doesn't seem to be the #1 goal. Only the tech press and its target audience seems to care about how fast Mastodon grows. They are free to start a growth-focused instance.

The instance I'm on has 800+ active users. The numbers on closely related instances are probably similar. That's plenty.

>I like to read tweets from accomplished people. Successful startup founders for example.

You can't get your Startup Founder porn from here or one of the other umpteen social sites? 60% of all social media seems to be from "successful founders" or "influencers". Hard to imagine anyone finds a dearth of that stuff.

Avoid the fediverse please, the point is to have a more humane environment, not follow #thoughtfluencers.

If you do join choose your instance wisely, beware that many instances block mastodon.social, freespeechextremist.com and similar for being hot messes that have no moderation. The latter instance in particular has a very persistent hellthread spambot problem, where bots sling nudes without content warnings at people constantly.

Or just host your own instance where you yourself decide what you want to see or not see, and what you want to write or not to write.

>Please just join the fediverse.

What would you recommend to start with? Joining the fediverse is like picking a javascript framework; There are a myriad of instances connected to a multitude of networks which are implementing a bunch of protocols. See https://fediverse.party/

https://mastodon.social an obvious choice as the majority of fediverse is there (so for example hashtags return the most relevant posts).

All links should be blocked IMHO. If you have something to say (in 280 characters) say it. If you have more to say, I'll find it on your blog.

How will you show me where your blog is?

I was going to make a joke, but actually a good answer to this is that users could just direct people to checkout their blog linked in their bio. This is assuming the person you are responding to didn't mean block all URLs from the site; just from tweets.

Technically it doesn't solve the scam problem though:

"I'm definitely the real Elon Musk. No question about it. Click the link in my bio to get 40 ETH, but you need to send me 20 ETH first so that I can verify things."

It's in your bio

How is "go to my bio for a link" better than just providing the link?

Avoids the slippery slope of those links. I say ban them.

What if I want to link to somebody else's blog? Or a hacker news comment?

It troubles me that something as well known as JSFiddle can't get a response from Github. I understand they can't reply to every question from Johnny Developer but JSFiddle must have thousands of users.

They didn't get a response from Twitter. Github isn't really part of this.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact