I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)
This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)
Both sides look like they have been bullied in the past and not found their way out of reproducing the pattern yet.
Context matters. Which is why also different rules apply, and laws exist to guard these rules. DDoS is not an acceptable response in any jurisdiction, no matter what triggered them. We’re not in the Middle Ages, even if some behave like we are. Violence does not justify violence. Unjust action does not justify unjust responses.
The blog has a lot of more posts on random topics. Why do you imply that the owner of the bloh is part of a harassment campaign and "only" that is the reason for this years old blog to exist?
There are only two posts about archive.today on the blog, and one of them only exists because archive.today started DDoSing them. I fail to see how you could consider the entire blog to be a "harassment campaign", especially considering that the original blog post isn't even negative, it ends with a compliment towards archive.today's creator.
But it's not? This was published between the two posts about archive.today: https://gyrovague.com/2025/02/23/anatomy-of-a-boarding-pass-...
Writing about being ddos'd seems eminently reasonable. So if you elide that, you are talking about a single article in four years.
It's genuinely nothing.
What is the purpose of the DDoS JS in the archive website then? Not DDoS?
Easy stuff, no?
Neither of those is an attack.
That's not how the judicative system works.
Doxing? Yes.
It's clear that the person running archive.today does not actively publicize their identity.
> As far as I read the tone of the post is full of admiration
Exactly like an unhinged fan stalking a celebrity.
Thinking about it, I think we might need better platform rules, maybe even regulations on this. There seems to be pretty much no line of defense, which might explain the rather desperate DoS. If you take anonymity as a right, discussion like ours here on HN are dangerous as well, as they easily make otherwise difficult to find knowledge easily visible. So while a single fan page might go unnoticed, in case of doxing amplification is also a problem. Just my spontaneous thought.
Edit: one afterthought. The story about hacking together a response to the GDPR takedown request quoting press rights and freedom of speech using an LLM shows actually the deeper problem. Actually rights come with obligations (at least ethical ones). At least in Europe press standards are typically rather aware of doxing risks. While actually celebraties also successfully use legal defenses, i still think the defenses for activist are weak balancing interest here (at least if you made something of public interest)
Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
It's not surprising that the owner of archive.today does not like being exposed, archiving is a risky business.
So public services should DDoS is your argument?
> Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
I scrolled pretty far through the blog and didn't find anything of that sort. Just a bunch of travel stuff. Now I'm curious what sort of "harassment" you hallucinated in the sites that were previously targeted by archive.today's DDoS attacks.
That's a pretty small sin in my book. To be written off as wildly unsuccessful but entirely justified self defense.
DDoSing gyrovague.com is silly, not evil.
The content on gyrovague.com which targets archive.today is evil, plain and simple.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
Wow, I had no idea. Thanks.
It allows website owners and third parties to tamper with archived content.
Look here, for example: https://web.archive.org/web/20140701040026/http://echo.msk.r...
Archive.today is by far the best option available.
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer miss-use/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today or the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
I think you're missing that circumventing paywalls is unlawful in most parts of the world.
And a necessity if you want to archive the content correctly, also necessary if you want the archives to be publicly available.
Not really, no. It's not unlikely to result in the service ceasing to exist.
As an individual, keeping their identity private is the only way to prevent oppression.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.