from Hacker News

A Gov.uk site dedicated to porn?

by asadhaider on 11/25/21, 5:12 PM with 88 comments

  • by bongoman37 on 11/25/21, 5:53 PM

    It seems to have been taken offline now. Here's the archive[1] link for uh.. research. Obviously, NSFW.

    [1]: https://web.archive.org/web/20211125154944/http://charts.dft...

  • by benbristow on 11/25/21, 6:54 PM

    Since the site is down - https://archive.ph/tCgnL
  • by notatoad on 11/25/21, 5:31 PM

    Wow.

    I thought this was going to be about some sneaky exploit where they'd manage to get a gov.uk to forward links to porn or something. But no, it's really a whole subdomain just taken over by some sketchy porn site.

    I'm wondering if the porn site operators even know it's happening? Seems the most likely thing is the DfT had a site at that URL, hosted on AWS. And then they shut it down without removing the DNS record and Amazon assigned that IP to somebody else.

  • by nneonneo on 11/25/21, 5:44 PM

    The site in question is charts.dft.gov.uk (VERY NSFW). It resolves to the CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com, which is quite clearly hosting a porn site of some kind.

    I suppose there's a few possible explanations here: (1) the original site was hosted on S3, and at some point the bucket was dropped and someone else picked it up, (2) it was originally hosted on S3 and the bucket got hacked, (3) someone with access to the DNS has decided to go rogue and point it at a somewhat-legit-looking but fake domain. If there are historical DNS records floating around it might help to narrow down what happened here.

  • by Firefishy on 11/25/21, 8:05 PM

    Sub-domain takeover attack. The sub-domain was CNAME'ed to a S3 bucket and the S3 bucket had likely been deleted. The porn purveyor, re-created a new S3 bucket with pr0n.

    A scanner that would have caught the vulnerability: https://tech.ovoenergy.com/how-we-prevented-subdomain-takeov...

    Or a grey hat scanner for finding sub-domains vulnerable to takeover: https://github.com/m4ll0k/takeover

  • by qeternity on 11/25/21, 5:36 PM

    > This site is hosted on a Raspberry Pi 4B in the author's living room (behind the couch).

    Holding up quite well despite HN frontpage. I love what a bit of caching can do.

    EDIT: appears I jinxed it. I get the allure of hosting something in your home, but these days when you can get a decent VPS for $10/yr it doesn’t really make sense.

  • by tentacleuno on 11/25/21, 5:37 PM

    > Visit [redacted], and you’ll be redirected to a subdomain for EU exit hauliers - except the site isn’t there. Instead it’s a WordPress login page. There’s no username field and we feel confident that a brute force attack would be super effective!

    > Elsewhere we have the Department for Transport careers page, which sort of does what it says. Clicking on the ‘see all vacancies’ button will redirect you to the civil service jobs site. This isn’t weird in itself, what is weird is that it uses t.co - Twitter’s redirection and domain obscuring tool to do it. Don’t ask us why, we have no idea why they would do this.

    This sounds like someone inexperienced with the system is somehow managing it. How can you use a t.co link for... this? I'm surprised this edit got past anyone.

    EDIT: Redacted the link just to be on the safe side. It's in the article if anyone's curious.

  • by necovek on 11/25/21, 6:01 PM

    December 2018 snapshot refers to Department of Transport: https://web.archive.org/web/20181227091013/http://charts.dft....

    The CNAME of charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com still works, but the reverse DNS of that IP is simply s3-website-eu-west-1.amazonaws.com: I am not sure how does one gain control of an s3-website subdomain when "abandoned" (bucket name only?), but someone did.

    So the scenario someone described below is pretty likely: DoT drops it, and drops AWS use of the name, but leaves the DNS record in. I wouldn't attribute this to anyone in the DoT.

    It would still require intentional action to do so, though, so I wonder if anyone has any clue how do people find out about spurious, unused S3 subdomains that still have DNS pointing at them? Scan the entire internet for domains pointing to s3-website, and check AWS API to see if it's available? Or did someone run into this by accident and decided to poke fun at it while earning some cash along the way?

  • by arpa on 11/25/21, 5:35 PM

    A great read in a tongue-in-cheek british style, a welcome change of pace for mind and eyes!
  • by rbanffy on 11/25/21, 7:01 PM

    > Best of British Porn? Not Quite

    That's not a very fair assessment. The same way as it's difficult to find British dishes better than, say, minced beef and onion pie, it's challenging to find authentically British porn that's better than this govermnent office provides its people. We should commend the Tory government for its dedication.

  • by belval on 11/25/21, 5:22 PM

    The title should be changed to reflect that the article is actually about .gov.uk domain being used for non-governmental websites.
  • by dddavid on 11/25/21, 7:49 PM

    Both my own site (on a Pi behind the couch) and the gov site were subjected to the hug of death. I've moved thecrow.uk onto a VPS for now and it's back up. Hurray!
  • by iso1631 on 11/25/21, 7:13 PM

    British Government Porn? That the one where we all get screwed by Rishi in the budget?
  • by osrec on 11/25/21, 6:28 PM

    Looks like someone forgot to delete a DNS entry after decommissioning a server. Bad on behalf of gov.uk, however you'd think AWS would at least auto-delete the CNAME (charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com) after the server was released, so that it points to nothing...
  • by Terry_Roll on 11/25/21, 7:57 PM

    I don't know if this is laziness and ineptitude on the govt's part or not. You see the design team for UK gov websites have been getting a lot of attention and praise for their efforts, the most recent being here just ten days ago on the subject of check boxes: https://news.ycombinator.com/item?id=29238968 .

    Now anyone with a rudimentary handle of the English language would probably have noticed the misspelling of carcasses on the blogpost https://designnotes.blog.gov.uk/2021/11/15/letting-users-tic... and Yorwba highlighted this on 17 November 2021 as seen in the comments. The team duly acknowledge this as seen with the updated image here https://designnotes.blog.gov.uk/wp-content/uploads/sites/53/... and the original misspelling can still be seen here https://designnotes.blog.gov.uk/wp-content/uploads/sites/53/...

    Anyway, it would seem their commenting system will not allow links to be posted to them or they choose to ignore links or didn't understand the comment posted when comments like "https://www.bing.com/search?q=plural+of+carcass" come through to them which is metadata for the type of filtering being employed on their comments section.

    I think its worth looking at their design principles which can be seen here https://www.gov.uk/guidance/government-design-principles "#1 Start with user needs Service design starts with identifying user needs. If you don’t know what the user needs are, you won’t build the right thing. Do research, analyse data, talk to users. Don’t make assumptions. Have empathy for users, and remember that what they ask for isn’t always what they need."

    It would seem Grant Shapps Secretary of State for Transport is perhaps actually meeting the public's needs or maybe its what he thinks of the public. Are we solitary handy manipulators of parts of the body?

  • by globalise83 on 11/25/21, 6:20 PM

    Hope Hacker News didn't set fire to the couch!
  • by mlaretallack on 11/25/21, 5:38 PM

    I am now taking bets on how long it will last.

    'This site is hosted on a Raspberry Pi 4B in the author's living room (behind the couch)'

  • by necovek on 11/25/21, 6:05 PM

    Btw, it would have been hilarious if the site owner had set up LetsEncrypt SSL certificate for the charts.dft.gov.uk domain :)
  • by max1cc on 11/25/21, 6:11 PM

  • by adav on 11/26/21, 9:12 AM

    I’m only disappointed that the squatting site didn’t conform to GDS’s GOV.UK Design System.
  • by user5994461 on 11/25/21, 10:17 PM

    For reference, it's 5 hours later now and it's still online.
  • by globular-toast on 11/25/21, 10:05 PM

    How was this discovered and do we know how long it was in this state?
  • by 2-718-281-828 on 11/25/21, 6:59 PM

    american of course, russian always, japanese, chinese and thai - sure why not, heck, even danish or swedish ... but british or english - no way - not even once
  • by aj7 on 11/25/21, 6:11 PM

    Hacker News crashed the website.