dear lj: plz to stop being dicks, kthx

Apr 17, 2010 13:03

Sit down, one and all, and let me tell you a story about something that happened a few months ago on LJ. It is a triumphant tale, full of corporate villains and a scrappy coder resistance that wins the day in the end. It also has a sad ending that is very relevant to your interests, because they're trying to do it again.



There are sites on the internet that will give you money if you refer people to them. For example, "I just bought this great book at amazon.com, and here's the link". Amazon gives you a special number ('affiliate number'), and if you add that number to the end of your links, Amazon knows that it's you who referred the people buying their books and will give you money.

Well, it turned out that LJ wanted money too. Lots and lots of money.

So they came up with a clever plan. They wrote a piece of JavaScript that looked for links to sites that give out money, and *if there was no affiliate number on the end*, modified the link to add LJ's OWN affiliate number. So if I put an innocent link to Amazon on my journal, LJ would see that it had no affiliate number and add their own, so that if anyone bought books after clicking my link, LJ would get a kickback from Amazon.

Or that was how it was supposed to work.

In reality, what happened was that the script stripped off all affiliate numbers and added LJ's own. So even if I wanted to use my number, I couldn't. LJ would steal my money from me by rewriting my links. Now, this is shady and underhanded, but it's not the only thing that the script did.

You see, the company that wrote the script, "Driving Revenues", was not so smart with the code-fu. All the script did to decide whether an affiliate number should be added was check whether the URL *ended in* one of the domain names on its list. The problem with this is that 'sanfranciscobay.com' and 'ebay.com' both end in bay.com, so the script would add a bunch of gobbledygook to the sanfranciscobay.com link as well. This breaks the link. It had no way of distinguishing amazon.com from fucklikeacrazyamazon.com, or target.com from crossbowandtarget.com. And since the script had over three hundred websites on its list of links to mess with, understandably a lot of links got broken. Users were pissed.

LJ immediately realized that they'd fucked up when someone called Amazon about how LJ was stealing their affiliate money, and they took the script out of the next code roll-out, thus deactivating it. So all in all people only lost money for about three days, but imagine how much money you could get if every Amazon link posted to LJ was affiliated with you! A lot, that's how much. And LJ seems to have gotten greedy.

Because they're doing it again. Oh, this time they've actually had someone who can code write the script, so it's not doing the stupid things like redirect anything ending in 'bay.com'. And they fixed the part where it actively strips off the affiliate numbers that users add to their links, so hopefully no one actually loses money this time. But it's still modifying all unaffiliated links to certain websites to add the LJ affiliate number.
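To make the two failure modes above concrete, here is an added example (my own illustration, not code from LiveJournal or from Driving Revenues): a matcher that checks only whether the hostname ends in a listed domain, which is why crossbowandtarget.com gets "affiliated" alongside target.com, next to a matcher that requires the hostname to be the listed domain or a subdomain of it; and a rewriter that either clobbers the poster's own affiliate tag (the first script) or leaves an existing tag alone and only fills in a missing one (the second). The merchant list, the query-parameter names and the "lj-example" tag values are assumptions for illustration, not the real ones.

```javascript
// Added example, not LiveJournal's or Driving Revenues' code. Models the
// suffix-matching bug and the tag-overwriting behaviour described in the
// post. Merchant list, parameter names and tag values are assumptions.

const AFFILIATE_SITES = {
  // registrable domain -> query parameter that carries the affiliate tag,
  // and the tag LJ would insert (all assumed for illustration)
  "amazon.com": { param: "tag",  ljTag: "lj-example-20" },
  "target.com": { param: "afid", ljTag: "lj-example" },
};

// Version 1 matcher: does the hostname *end with* a listed domain?
// "crossbowandtarget.com" ends with "target.com", so it matches. That is
// the bug the post describes.
function naiveMatch(hostname) {
  for (const site of Object.keys(AFFILIATE_SITES)) {
    if (hostname.endsWith(site)) return site;
  }
  return null;
}

// Version 2 matcher: the hostname must be the listed domain itself or a
// subdomain of it, i.e. the match must begin at a dot boundary.
// "www.amazon.com" still matches; "crossbowandtarget.com" no longer does.
function hostMatch(hostname) {
  const h = hostname.toLowerCase();
  for (const site of Object.keys(AFFILIATE_SITES)) {
    if (h === site || h.endsWith("." + site)) return site;
  }
  return null;
}

// Rewrite one link. `matcher` selects the site-matching rule above;
// `overwriteExisting` selects between the first script (which replaced
// whatever tag the poster already had) and the second (which only fills
// in a missing tag). Returns the href unchanged when nothing applies.
function rewriteLink(href, matcher, overwriteExisting) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return href;                    // relative or malformed link: leave it alone
  }
  const site = matcher(u.hostname);
  if (site === null) return href;   // not one of the merchants on the list
  const { param, ljTag } = AFFILIATE_SITES[site];
  if (u.searchParams.has(param) && !overwriteExisting) {
    return href;                    // the poster's own affiliate tag stays
  }
  u.searchParams.set(param, ljTag); // add (or, in version 1, clobber) the tag
  return u.toString();
}

// The two deployments the post describes, as wrappers.
const rewriteV1 = (href) => rewriteLink(href, naiveMatch, true);
const rewriteV2 = (href) => rewriteLink(href, hostMatch, false);

// Constructed sample links, not taken from any real journal entry.
const SAMPLE_LINKS = [
  "https://www.amazon.com/dp/B0001",                  // plain merchant link
  "https://www.amazon.com/dp/B0001?tag=myjournal-20", // poster's own tag
  "https://crossbowandtarget.com/bolts",              // unrelated site
];

if (typeof require !== "undefined" && require.main === module) {
  for (const link of SAMPLE_LINKS) {
    console.log(link);
    console.log("  v1:", rewriteV1(link));
    console.log("  v2:", rewriteV2(link));
  }
}
```

Run it under Node and the unrelated crossbowandtarget.com link comes back with an `afid` parameter bolted on under v1 and untouched under v2, while the link that already carries `tag=myjournal-20` keeps it only under v2. Note that `hostMatch` still relies on the list holding registrable domains; an entry like "co.uk" would make every British site match, so the list itself needs the same care as the matcher.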

The way it does this is an enormous security risk. What the script does is wait until you mouse over a link. Then, it activates and sends information about that URL to a company called outboundlink.me. This outboundlink site parses the URL the script sent it, compares it to a list of sites that LJ is affiliated with, and decides whether or not the URL needs to be modified. If it does need to be modified, then the site adds/adjusts it accordingly and sends the user on to the newly readjusted URL. If it doesn't need to be modified, then it simply bounces the user without doing anything else.

The problem is that this process sends information about every URL you mouse over to an outside company, before you ever click. That means outboundlink.me itself sees what people linked in f-locked or private entries, and so does anyone who can intercept the GET requests the script sends there, which an enterprising script kiddie with some time on his or her hands could pretty easily manage. Depending on the entry and the URL, the link could have other account information associated with it (a query string with a token in it, say), which makes scripts like these perfect backdoors if you really want to screw with someone and you know a little code.

The good news is, there's a partial solution. To get the script to stop showing up on LJ pages when you view them, go to the LJ admin console (bet you didn't even know that existed!) and copy/paste this line into the box:
set opt_exclude_stats 1
Then hit 'execute'. This takes advantage of a loophole: the opt-out LJ added for a previous ad-tracking script also opts you out of the script I've been talking about above. The script will no longer run for you, whether you're looking at your own journal or someone else's, but it will still run for anyone viewing your journal who hasn't set the opt-out for themselves.

All of this is extremely sketchy on LJ's part. It's terrible policy to go modifying your users' content (and altering links is modifying content) without telling them you're doing it, and while trying your best to hide the fact that you're doing it. It's even worse to make that policy, screw it up, take the script down, then go right back to your old tricks. Ugh, LJ, I am disappoint.

In other news, if you're not currently using Firefox with the Adblock Plus and NoScript extensions, may I suggest that now would be a great time to start?

In other, other news, I recently signed up as Antumbral over at Dreamwidth, so that if I ever get so fed up with LJ that I can't take it any more, I won't lose my fic archive.

*dork*, personal
