Blink and you could have missed it, but a viral sensation for a few weeks this summer was One Million Checkboxes, a web page with as you might expect, a million checkboxes. The cool thing about it was that it was interactive, so if you checked a box on your web browser, everyone else seeing that box also saw it being checked. You could do pixel art with it, and have some fun. While maintaining it, its author [eieio] noticed something weird, a URL was appearing in the raw pixel data. Had he been hacked? Investigation revealed something rather more awesome.
The display of checkboxes was responsive rather than fixed-width, on purpose to stop people leaving objectionable content. Any pixel arrangement would only appear as you made it to someone viewing with exactly the same width of checkboxes. But still, the boxes represented a binary bitfield, so of course people saw it and had fun hacking. The URLs appeared because they were ASCII encoded in the binary, and were left on purpose as a message to the developer inviting him to a forum.
On it he found a disparate group of teen hackers who’d formed a community having fun turning the game into their own version of a Pixelflut. If you’ve not seen the game previously, imagine a screen on which all pixels are individually addressable over the internet. Place it in a hackerspace or in the bar at a hacker camp, and of course the coders present indulge in a bit of competitive pixel-spamming to create a colorful and anarchic collaborative artwork. In this case as well as artwork they’d encoded the forum link in several ways, and had grown a thriving underground community of younger hackers honing their craft. As [eieio] did, we think this is excellent, and if any of the checkbox pixelflutters are reading this, we salute you!
Before he eventually took the site down he removed the rate limit for a while to let them really go to town, and predictably, they never gave up on the opportunity, and didn’t let him down.
Some people would call the activity discussed here antisocial, but in particular we agree with the final point in the piece. Young hackers like this don’t need admonishment, they need encouragement, and he’s done exactly the right thing. If you want to read more about Pixelflut meanwhile, we’ve been there before.
Pixelflut server plugins for smart TVs and popular STBs would be very handy.
I love it! How creatively playfully subversive users can get in ways you never thought of. The first (and only) time I designed an underwater robotics contest for MIT students, I assumed everyone would build a vehicle using propellers to move their waterproof vehicle in 3D. But one contestant proudly announced he was building a 2D, tracked robot that would crawl along the bottom (look ma, no propellers). But, but, but… (see jaw drop)… I had already published the rules. He hadn’t done anything illegal. So I had to let him compete.
While I never did any botting on the site itself (although I did of course still play manually), I was one of the 60 people to find the Discord server.
Normally, of course, I don’t join random Discord servers that have been obviously botted (that’s a very good way to get your Discord account stolen), but in this case it was obviously different because it wasn’t intended to be spammed to everybody like a typical scam would be. You had to be examining the data in the right way to even know it was there – and the server name, “checking boxes”, also made clear that it was an OMCB-specific thing.
Thank you for writing this article! I love seeing new takes on this.