At some point in the past crypto scammers used JSFiddle to host pages with a wallet code and posted links to that on Twitter.
Due to the nature of JSFiddle, anyone can post anything, so wallet codes are ok – we did implement a content filter to shadow-ban these.
I asked Twitter if they could help out and ban twitter accounts that were posting scam tweets that included links to the rouge fiddles.
Twitter just went the easy route and blocked all jsfiddle.net links instead of blocking spammer accounts on their platform.
Tried to contact Twitter many many times, with no reply whatsoever. They most likely have no-explanation-needed-policy, which is why they never replied.
There's nothing that can be done here unless somebody has contact to a higher op at Twitter who has the decision power to help out here.
That is to say, gullible people are found everywhere but I don't think people inclined to fall for fraud are the same as get-rich-quick tech-heads.
More to the point - there is a significant number of people who started learning about computer security precisely because they got some cryptocurrencies. And frankly, if someone wants to really understand the details, it's hard to miss all the frequent warnings and examples of scams, hacks, leaks.
"send me 1,000 isk and i'll send you 2,000 isk back!"
There's the theory that misspellings in a Nigerian email are meant to filter only the truly gullible, but IDK if that is true.
I think the crazier misspellings with wild character substitutions only started after bayesian spam filtering.
Nothing proves the scammers are not using those other alternatives for all you know.
Why is twitter bending over backwards to protect the former crowd?
And "loose" instead of "lose", but that one is just confusing.
rouge -> rogue
loose -> lose
lose -> loose
break -> brake
That isn't fair to those people because not everyone speaks English as a first language, and phones autocorrect a lot of things that should not be corrected.
In contrast, JSFiddle can take something down but that's where it ends unless the scammer used a dedicated IP which is easily traced to them.
JSFiddle is a pretty low tier target that most people won't miss. Github links aren't. Also, I'd imagine Github Pages is more responsive to taking down scamware, it at least requires an account, and has more of an interest in keeping malicious behavior off the platform.
>I think I saw some variant of this. It's one of those "send some ETH and receive 2x more back!" With fake "live" transaction listing and fake testimonials.
> Edit: if memory serves me correctly, the transactions being listed are actually not fake, though the live aspect is. The same transactions always reappear as if they're new if you refresh, and those transactions are the 2x amount that got sent back. It's all just the scammers trying to make the site look legit.
- From the above linked GitHub Issue
This is a huge problem with all the tech giants that needs to be addressed. I don't expect them to be perfect but I expect them to be open to communications on any level.
I also think Twitter is the Twitter today just because of the bots and fake accounts they have, since those accounts were creating so much content and movement on the platform. I know people who spend days reading those fake accounts while they have no idea what's fake and what's real. So maybe, just maybe, they may not want to get rid of all those fake accounts and bots.
And this isn't related at all to the bots and fake accounts (which I think is the bigger problem). But in the context of your argument, this is just non sequitur.
Thus any business decision isn't a problem? Whether it's their prerogative, it's still a problem in tech.
> to ban content deemed unsafe
Like any links? Or even text itself? The only thing that makes JSFiddle "worst" is how easy it is, but even then almost anything else is just as easy. If there's money to be made too, unless you block everything that costs less than the money to be made, what you do won't stop it.
Why not just put that warning over EVERY single link and not block anything? Do a white list instead.
Thus any business decision isn't a problem?
Depends on your definition of "problem"... and thus your definition of who should care:
- legally (government): any business decisions that comply with the law are not a problem
- financially (investors): any decisions that increase profits are not a problem
- morally/ethically (users): any business decisions that you personally are okay with are not a problem.
Each of these has its own correction mechanism: persecution, lack of funding, customer outcry & abandonment.
In other words: there are ways to reverse bad decisions.
The only thing that makes JSFiddle "worst" is how easy it is
As pointed out in other comments, the problem is that anyone can anonymously create a malicious JSFiddle that runs undesired code. You could make a case that any website that similarly allows anonymous code execution should have that warning or be blocked. Most links, however, are better attributable. (Eg, require account creation).
I strongly disagree on that. The fact that you have an account behind it doesn't make it attributable at all. There's nearly no verification on 99% of the internet. Some studies consider that 9 to 15% of Twitter accounts are literally fake. TwitterAudit believes that 40-60% of Twitter accounts are fakes.
They aren't attributable to anyone except a username, which is worthless.
> You could make a case that any website that similarly allows anonymous code execution should have that warning or be blocked.
It was never about code execution but what they call "wallet code", which is what I did in another comment.
> Most links
You can easily register a domain anonymously. Most links are fine, sure; most possible domains aren't, which is my point. Show a warning (which they do on URL shorteners) instead of blocking a domain altogether on ALL links, and use a white list (which would include the MOST used domains) instead.
But if this was about getting people to click more ads, Twitter would be throwing enormous amounts of resources at it.
I mean, let's not pretend that this is an engineering problem.
That's not your point I think, but fake|bots accounts and subs are among the best things we got from twitter/reddit in my opinion.
Aside from the ones designed to be funny from the start, the nonsensical ones also blend perfectly with what we would call 'legit' users and serious posts/communities.
That's to a point where I find it really useful to purposefully inject fake and nonsensical content into the timelines to get some daily critical training, but also an escape hatch for the mind when hitting some of the submissions that we think just can't be real.
It's extremely hard to coach non-technical users into making the right call when presented with a security warning box.
That said, if Twitter can assess whether a posted video contains "sensitive material" (i.e. exposed body parts), they can also assess whether a jsfiddle link (or any link, really) likely contains crypto miners.
And not presenting them with any call at all is guaranteed to keep them non-technical. We have to take the training wheels off at some point.
It's about whether they should trust their users and believe that the latter can take responsibility for their own choices, and figure these things out themselves.
You're just begging the question. Why should they do that?
Enlighten me. I could assume the worst of your intentions as you've done, but I'm honestly interested in why you think it makes sense for Twitter to "trust their users" to "take responsibility for their own choices".
You can already see some of this in things like DRM and adblocking, and of course the various walled gardens.
Mainstream software is all about keeping users blissfully ignorant and consuming.
You're making the user answer a question they (generally) don't know the answer to and don't want to answer anyway.
> You are leaving Steam.
> Never enter your Steam password on an untrusted website. Any login form on an official Steam site will display "Valve Corp." in green with a padlock icon in your browser’s address bar, as shown below:
For anything that looks malicious ("https://anyURL<h1>"):
> Link Blocked!
> This link has been flagged as potentially malicious.
> https://anyURL%3Ch1%3E has been flagged as being potentially malicious. For your safety, Steam will not open this URL in your web browser. The site could contain malicious content or be known for stealing user credentials.
>Twitter is rejecting posts with JSFiddle URL inside.
>If a URL shortener is used the unsafe page warning is displayed
I have my own problems with Twitter, but a social media site with a LOT of non-technical users blocking access to a site specifically designed to run anonymous code in their browser doesn't make me want to break out my pitchfork ...
That seems inherently bad.
I missed the days when it was just Google search results we had to worry about.
I can’t think of any legitimate reason for my cousins who are on Twitter to want to go to JSFiddle. I’m ok with Twitter taking this stance. I’m not ok with many of the other policies.
The bulk of the people I follow on Twitter would have no clue what it was or how to even begin to understand it.
I'm not sure that's a line that Twitter would draw, or is even accurate.
I also suspect that most content on twitter the bulk of twitter users / demographics wouldn't care about...
Doesn't really take much for a code sharing site to demand registration before you share code and to have a report button.
From my perspective it is just bots, "influencers", and propaganda.
I see very little social utility for using the network, especially when compared to the damage it is causing through the spread of misinformation and outright lies.
From my perspective it's the everyday chat of my friends, and interesting security-researchers posting their findings.
It's also a randomly acquired group of people I follow to improve my ability to read the Finnish language.
I wish this was true. I’ve struggled for years to keep my feed about the tech topics I’m interested in. Twitter keeps making that harder and harder.
Now twitter force feeds every viral anti-Trump or political outrage tweet, liked by some random user I followed 4yrs ago, into my main feed.
Their insistence on choosing what content I want to see for me, instead of just the feeds of the people I opted-in to follow, has made it nearly impossible to avoid the cancerous US political and other social issue outrage machine which is what 90% of Twitter’s popular content seems to be.
I had no choice but to abandon Twitter. Unfollowing people who post political stuff was hard enough, unfollowing people who use the like button on political/outrage stuff plus other viral content that surfaces the highest is near impossible.
I hope Twitter makes a ‘retro’ mode where I can just see the actual tweets of only the people I follow in semi-chronological order. With the same option to turn off retweets for certain users, with no "liked" or trending tweets forced in.
I think both of these exist? There's a way to turn off retweets for particular users (it's in the same menu you'd use to mute or block someone) and there's an option to show a plain timeline (uncheck "show the best tweets first").
The plain timeline option doesn't seem to consistently work on the mobile app, but many (most? all?) alternative Twitter clients show you the plain timeline.
Twitter is pretty simple fundamentally. It is just the feed with some notifications for 90% of the UX. I just want a different kind of primary feed that reflects what it used to be about. Even if it's just a tab on the feed. Like how Reddit has "Home", "News", and "Popular" tabs, I just want the home tab.
I have very limited connectivity and spend minimal time online, twitter is time wasted for me.
The whole twitter culture honestly is quite saddening and it's leaking to alternative mediums as well (like mastodon.social has started to suffer from the same problems).
We worked so hard to create an easy and accessible way to micro blog and communicate through text via formatting, proper structures with rss feeds etc and twitter just threw all that out the window in favor of short unformatted, unsorted and algorithmized, toxic "chats".
Ugh, I'm excited to finally see it go the way of the dodo.
That's completely up to you; you need to create your own bubble (for better or worse).
What I find bad is that there's no "circles" concept (both incoming and outgoing). While the "incoming" part is not a problem for me, the "outgoing" part is (example: posting slightly conservative views will cause tech snowflakes among your followers to be upset; I'd like to restrict outgoing tweets to a subset of my followers).
But the particular meaning of snowflake as someone who is too sensitive and easily triggered is newer and more inflammatory.
> I asked Twitter if they they could help out and ban twitter accounts that were posting scam tweets that included links to the rouge fiddles.
So they basically sent a message to Twitter saying "We're knowingly hosting malware and we don't intend to remove it, here are some examples"?
> we did implemented a content filter to shadow-ban these
JSFiddle shadow-bans these scam accounts, and they asked Twitter to do the same, but Twitter bans _all_ JSFiddle URLs instead.
If by shadow ban they mean the link is completely inaccessible to other users then I'll agree that they were doing their part and banning links to their site was excessive.
A shadow ban normally means that you, the creator, can see your content, but nobody else can. So them shadow banning people who post wallet codes is the direct opposite of allowing wallet codes.
Twitter clearly has taken the easy way out here, and instead of addressing the problem and trying to tackle it, just blanket banned JSFiddle with no regard to their users, or to the variety of similar services that provide the exact same functionality. If I was a crypto miner, I would simply copy paste into CodePen and continue on my way.
You can't even link on most of these websites without going through some intermediary URL forwarder.
It's also impossible for either JSFiddle or Twitter to scan the code of each fiddle and determine if it's legitimate or an attack, so this looks like a good measure from Twitter.
What is surprising is how this was even allowed so far and still is in many social networks, as it's such an obvious way to deliver exploits.
There are things they could do though - such as limiting the execution time of a fiddle to a couple of minutes, or limiting the size of the code, or blocking certain calls, and so on. Users are running code that's been saved to the JSFiddle server, so it's not unreasonable to suggest JSFiddle have some responsibility to their visitors. They could make it so the code runs fine if you're the owner or if you've explicitly said it's OK to take up more resources, but defaults to running with these limits if you've just browsed to a Fiddle from a link. They could block common mining scripts (which would only work against 'scriptkiddie' attacks rather than anything sophisticated, but whatever).
There are things the JSFiddle maintainers could do. They don't have to, and in their position I might not do anything either, but the cost of inaction in this case is Twitter blocking links to their site.
You do understand that they banned the malicious accounts and contacted Twitter, right? Them behaving responsibly is what caused this mess, not sure why you're implying they have no responsibility to their visitors...
I do not think so. If I insult another user on Hackernews, how is Ycombinator responsible for that? I don't think platforms should be responsible for what their users do. That is a very slippery slope, leading to the horrendous way YouTube deals with copyright claims, Article 13, and similar censoring tools.
Your example is a difficult one because only the person who the derogatory comment is aimed at can decide whether or not they're insulted. Whether or not something is insulting is up to the person it's aimed at. The same goes for things like negative comments, stupid comments, copyright on a derivative work, etc. Whether those things are actually bad is a matter of opinion, and each party probably takes a different position. Consequently it's a different situation, and not really relevant here.
A better analogy would be if I were to invent a piece of plain text malware and posted it in a Hackernews comment. Would YCombinator or HN have any responsibility to remove it, or should they just let it sit there? I contend that when something is actively harmful the publisher has a duty to protect visitors by removing the content or limiting its impact. (And HN has some awesome moderators who do exactly that in very extreme cases, plus users here can flag things to hide them when there's a consensus, so it's not really like HN is completely free of 'censorship')
Plenty of people take the opposing view that platforms shouldn't get involved. There are two sides to most arguments. I'm slightly on the other side to your position.
"See JSviolin xxxxx"
If anyone gets confused, simply reply "replace violin with synonym starting with f"...
This reminds me of when YouTube banned URLs in comments (I don't think they do anymore), so people started posting pieces of them (like video IDs, the part after watch?v=...) with hints instead: "see video xxxx".
Likewise, I can refer to this page with "see HN 20122583".
The loss of being able to post a link is not good, but in no way does it absolutely stop communication. In fact, it will just cause "euphemisms" to appear, and further exercise human creativity.
I wonder when alternatives to today's big sites will take serious root. It used to happen much more often.
What prevents the scammers to post links to a website containing crypto miners, or any malware ?
About 70 days ago, I accidentally posted an anonymous submission to JSFiddle.
There was no excuse for this other than human error. I was working on development and production at the same time and copied a user's personally identifiable information from an email template that our production env sent out instead of development. The development is all sanitised but the prod contains the user's name, email and an order reference ID and what they ordered.
I submitted a take down request within 10 minutes of submitting at:
Every day for a week I altered the reason. It's still not been taken down.
I've tried the GDPR route, the copyright route.. I didn't get a single response from them and the page was still being hosted on their site despite many many _MANY_ attempts to have it removed.
Update/Edit: Been contacted by JSFiddle directly and appreciate contact in helping resolve above.
You, a software engineering professional, copied a user's name, email and order reference ID, two of which are PII, into an online service... on purpose.
Please just join the fediverse. It's broken too, but if you get banned, at least you can open an alt on another server.
Force Twitter to be irrelevant.
FWIW you can also use an account on i.e. Mastodon to follow twitter users. I suddenly realized because I was following a twitter user through a gateway, probably because someone had boosted a tweet from that account sometime and I had followed based on that.
That should take care of following at least.
Publish (on your) Own Site, Syndicate Elsewhere [ https://indieweb.org/POSSE ]
Publish Elsewhere, Syndicate (to your) Own Site [ https://indieweb.org/PESOS ]
Given your tone, I'm going to guess you're not asking the GP a question in earnest. You should try to think about why they might "give a shit".
Twitter's userbase is its primary feature. Not its shitty UI, not its awful character limit, and none of the stuff mastodon's various UIs are copying. Its userbase.
If you want the fediverse to succeed, you need to understand that. And you need to stop being so accusatory of people who don't use the internet the same way you do, FFS.
(And for the record, I want the fediverse to succeed, but I also use Twitter because userbase)
Edit: "Success" in our current world seems to be defined as the transition Reddit has gone through, where the userbase has exploded, its eaten Facebook's lunch to a fair degree, but the quality of discourse and interaction has dropped like a rock.
I've stopped using Reddit, and such a change would kill my use of the fediverse.
People are upset that others are taking screenshots of their public posts?
If you think about it, it's absurd to expect them not to: Even if the community keeps its member list exactly intact forever, and the members remain at their exact same activity level forever, those very members will change over time. Hell, you will change over time and get to appreciate different qualities of that community.
Same reason my guild's forum feels completely different today than it did 5, 10 years ago.
An analogy would be if HN was suddenly overrun with rude, non-technical people attacking other posters and causing drama, and outnumbering the thoughtful and constructive comments and links we come to the place for.
The "eternal september" is particularly sad if you go back and read the archived posts of early usenet - I would kill to get discussion of that quality on the net today.
Nevertheless, if the usefulness of something depends on it failing, something's wrong.
Mock them all you want, in private. Don't bully people because they take selfies, buy tourist gadgets, or follow people you're too good for.
Plan A: Use Twitter (or other media like it).
Plan B: Change human nature.
I wish you good luck in your endeavour with Plan B, djsumdog! :)
Not everyone has eating the world as a goal. Lance Ulanoff didn't understand this when he declared Mastodon DOA two years ago because he couldn't find William Shatner, and people continue to make the same mistake. I don't want to follow William Shatner or Lance Ulanoff, so they can stay on Twitter with people who do.
If your goal is to have Mastodon "catch on" and have people transition away from Twitter en masse, then yes, you need William Shatner on Mastodon.
Even the main Mastodon project instance is funded by a Patreon. I don't think Eugen would complain if he had a few more users, but growth doesn't seem to be the #1 goal. Only the tech press and its target audience seems to care about how fast Mastodon grows. They are free to start a growth-focused instance.
The instance I'm on has 800+ active users. The numbers on closely related instances are probably similar. That's plenty.
You can't get your Startup Founder porn from here or one of the other umpteen social sites? 60% of all social media seems to be from "successful founders" or "influencers". Hard to imagine anyone finds a dearth of that stuff.
If you do join, choose your instance wisely; beware that many instances block mastodon.social, freespeechextremist.com and similar for being hot messes that have no moderation. The latter instance in particular has a very persistent hellthread spambot problem, where bots sling nudes without content warnings at people constantly.
Technically it doesn't solve the scam problem though:
"I'm definitely the real Elon Musk. No question about it. Click the link in my bio to get 40 ETH, but you need to send me 20 ETH first so that I can verify things."