Well mystery solved. I did a bit of sleuthing and noticed they have a scratch card at the bottom of the page. I had written a scratchpad plugin so I did a quick search for "wScratchPad" and sure enough it's there. They copied my sample code from http://wscratchpad.websanova.com, div's css and all and, you can even see the same `id` and `class` names.
Parent comment should be at the top of this submission. The response from MLB about "our CI creating randomly generated GA codes" is kind of ridiculous, when the truth is someone there did an excessive cut and paste from someone else's JS.
He did not release the Analytics code as part of the plugin, it was only placed on his demo site. MLB.com copied code from the demo site instead of downloading the plugin itself.
There is a comment on my blog from a developer from MLB.com for anyone who is interested:
"Hi -
Engineer from mlb.com here. It appears this goes a bit deeper down the rabbit hole than meets the eye. Apparently there’s some code laying around in our tests run by a CI setup that randomly generates a tracking code to mock third party scripts (Google analytics, ad tracking, etc) instead of using our actual IDs as to not mess with our marketing guys’ numbers (we run a LOT of tests on CI).
The strange thing is that your IDs aren’t being pulled from your site, but have randomly been generated the same way many, many times and then been shipped out to our production server by mistake.
We can’t figure out why this is happening, but are looking into the build system and how it caches data. Luckily I read HN or we might have never caught this!"
cough bullshit cough, The statically probability that you would generate an actual AND proper tracking code that also just happens to be used by a site that shares all you code is less than can be described. Your team got caught outsourcing jobs to code copy/paste firms.
"Wow, what a coincidence... we just happened to randomly generate a google analytics ID that was the exact same as the one used on a scratchpad plugin that we copied the code from..."
I don't see any reason for the guy to lie. He could just have not responded, or quietly changed the code, but he came to the blog and posted a publicly viewable comment about it ... maybe his diagnosis is wrong and something different is happening, but I'm very willing to believe it was an honest mistake given the circumstances.
I don't think he's lying, but I do think he's mistaken. They probably do generate random codes, but this was not one of them. It looks/smells like a copy/paste.
That aside, though, why not just create a different Google Analytics account and use that one consistently for testing?
This is exactly the reason they responded. By changing the code quietly, they would implicate themselves. An official PR statement like this is obligatory.
What is more probable, that they a lying, or that the random generator generated not a single code that matched, which is very(!) improbable by itself, but two codes that belong to the same account, generated at the same iteration.
This is not an official PR statement, it's an engineer responding at 11 PM (MLB is based on the east coast) with the information he/she had available. I don't think there's an intent to decieve here, just a mistaken guess of the probabilities involved. Hanlon's razor applies.
The thing that most inclines me to believe it is that, by my reading of the article (which admittedly might be reading to much into it), only a subset of MLB pages are using the ID. Hard to imagine why that would be the case if someone was simply copying code wholesale from the "victim" site.
One day Microsoft (msn.com) to be exact hotlinked a small gif from one of my servers. Support did not respond at all to my inquiries to please have it removed (the msn.com homepage had a lot more traffic than I was used to dealing with) so I replaced the gif on my server with the "netscape now" button.
I once hired an offshore developer on ODesk who stole my code and resold it. I discovered he was doing this because he left my analytics code in. Same deal; I woke up one day to analytics showing traffic on a domain I didn't own, so I went to look and it was basically a mirror of my site.
Happened (or rather still happens) to me too. My game X-Type[1] was stolen by a Chinese company called Leiyoo[2], who tout themselves as pioneers of HTML5 gaming.
They copied everything[3], including my tracking code, but at least changed the name to "Thunder Fighter"[4]. I receive about 20k visits per day from their domain. All my efforts trying to contact them amounted to nothing.
Btw.: is there a way to ignore certain domains in GA? This pollutes all my stats and I have no way to turn it off, other than getting a new tracking code.
Note that this doesn't apply retrospectively to your data, so it will only apply to data collected after you make a change. You might want to create an advanced segment which filters out these domains, or only includes the ones that you want.
I had the same thing happen. I had a contractor working for me for about a year who, when we decided to not renew his contract, took all of the code that I'd been building for the past 6 years and offered a nice little side business to clients in his area.
I found out because he kept emailing me with support related questions whenever he'd run into issues with it.
Nothing. I left soon after myself and had no interest in moving forward with the product or codebase. Didn't figure it was worth my time to challenge him about it.
He didn't get any support from me though and, if I got to know him well enough in that year, I'd say he didn't get much further with it. Google brings up nada so I'm probably right.
I contacted ODesk explaining what happened with all the evidence. By the next day the guy I had hired was contacting me saying that ODesk suspended his account indefinitely.
He continued contacting me for about a year saying that he could no longer feed his family after "what I did". It was kind of a nightmare, but I think ODesk had pretty swift judgement because that's the kind of press they don't want. I also talked to the company that was using my code. They explained that they had hired him on ODesk and had no idea. They wanted nothing to do with the stolen code, and were very apologetic for their accidental involvement.
I'm not convinced the greater good was served in this case.
edit as I'm being downvoted rapidly. All I'm saying is that oDesk typically connect a westerner with a developer in somewhere like India who thinks that being paid $3/hour is fantastic, and who's other options for a job are basically hard manual labour.
Obviously I don't know the details of this situation which is why I just said I wasn't convinced.
It seems very plausible to me that the worker really was unable to feed his family after having his account terminated, and it seems like a bit more lenience on the part of oDesk would be more reasonable.
In the western world, if you steal code you expect to get fired. I totally understand that and that's why I just said it wasn't clear-cut to me that the right thing happened here. It might be, but I'm not sure. In the western world if you get fired you have a lot more options.
Maybe situations that involve basically exploiting workers in other countries need a bit more sensitivity. I don't know. Maybe not.
I'd appreciate a discussion instead of just downvoting.
The OP did not hire this developer who stole his work. The OP did not exploit this developer. The OP is not responsible for the personal situation of this developer.
The developer stole code without understanding it, happened to be in India, and then attempted to play for sympathy by saying he couldn't feed his family - there are a lot of tech jobs in India, and the vast majority are not on odesk, if he is any good, he could easily feed his family, and furthermore, the fault was his, the offence was his, and then he has the gall to complain to the person he stole code from, who did not even punish him or pursue him, but simply reported what he did. Workers in India with an education have a lot of options which are nothing to do with manual labour, it's a vast and increasingly rich society.
The person reporting a crime is neither responsible for the original crime, nor for the punishment decided on by a third party (odesk in this case), nor for the situation of the criminal, and the dev ejected from odesk should have thought about the consequences of breaching their terms.
He was bound to get caught when being so sloppy, it was just a question of time, and he could have fared far worse (been sued by a client for example). Hopefully this experience will make him question his methods and pursue his career but without carelessly copying work.
Hmm, you ever been to India? Alot of developers there are forced into development by their families and don't get paid much while taking care of not only their immediate family but their retired father and his family. Granted what he did was wrong, I do understand this developer's plight. 10K people per square mile is alot of competition where good work is.
Yes I have. There are plenty of middle class people and most technically educated developers are among them. There are also a lot of tech companies hiring.
I apologize for implying you didn't understand the culture by asking if you have been there, I didn't mean that in any way.
In any case, alot of my family are middle class and can't find decent jobs. The competition is very high and programmers are a dime a dozen. Technically educated doesn't mean they enjoy it. Most consider it a job to get by. Some find it to be a passion. The ones who see it as a paycheck are far more likely to rip a site off and the culture is such that it doesn't seem wrong. "Someone else's problem."
I guess now it's his problem... ripping someone off and then complaining about being called on it is pretty silly in my opinion, regardless of what your motivations are for working, particularly in a competitive environment such as the one you describe.
I was going to down vote but decided to reply instead. The problem is that although it's possible he couldn't feed his family after having his account terminated there is no way to know. I've worked with and for a lot of people on sites like oDesk and unfortunately discovered there are a lot of assholes in the world. I've had 'westerners' rip me off just as much as low paid workers. So although it's possible this guy was now broke it's also possible he was just an asshole.
>> Maybe situations that involve basically exploiting workers in other countries need a bit more sensitivity.
I disagree that he was being exploited. Yes, he was being paid a lot less than someone in the US but the cost of living where he is is probably much, much lower. And like you say he has a nice job as a computer programmer. He's obviously a smart guy. He can create another account, or use a different site.
I think everyone deserves a chance, and thanks to the internet this developer got the chance to work for a paying customer in a country with a higher pay rate and higher standard of living. Then he stole and got caught.
There are a lot of people living in poor conditions in the world, and a programmer in any country is near the middle-to-upper end of the spectrum. His situation is unfortunate, but he messed up.
On a similar note: my current lab-mate lives in a pretty bad apartment in Boston right now. It is habitable and up to code, but run down and occasionally the heat goes out... He provided me some prospective by telling me about the one-room, dirt-floor house he grew up in where his parents raised 11 children while working as subsistence farmers in Nepal. That makes luke-warm water and 5Mbps internet seem much fancier.
I pray that some day everyone can live the life of a poor to middle class American, but we are not there yet. I also don't think that being fired is an excessive punishment for fraud/theft at work. I would feel much differently if the story ended with hime being jailed or abused by the police, but the whole point of Odesk is to give everyone a chance and I feel that he got one.
LOL, keep telling yourself that. Having a 'lower cost of living' doesn't excuse paying a software developer a much lower rate than the rest of the world.
Why? It's like that with all jobs, it's how the market works. Not to mention the fact that he works online and can accept jobs all over the world - in other words he can charge what he wants.
At the higher wage you seem to want me to pay, I can hire a more qualified developer, so now I won't pay the original developer at all. Exploitation eliminated FTW!
These "workers" that are being "exploited" are just copying and pasting code, in this situation. In this case, the code doesn't even work properly, since it's calling someone else's analytics callback. No work has gone into this, just willingness to steal code.
That's called cheating the customer...fuck these guys. Even if they need the money.
I admire your certainty. Maybe it is as simple as that and I'm overthinking it.
I can't quite express the difficulty I'm having in a comment so I'll try to write it up some time.
I can't argue it yet, but my intuitive feeling is that it's socially irresponsible to create this economy for them and then pull the plug like this. The bigger picture, I think, is that OP got his code stolen which sucks, but the contractor (or one like him) may have to sell a kidney or go back to working 18 hour shifts in the factory with toxic fumes now. That doesn't seem proportionate.
The market your talking about (software-mediated freelance development) only works if the participants trust each other. If Odesk allowed the Indian programmer to steal IP, that creates a precedent, our at least a perception, that theft is OK. This perception discourages western customers from using the system.
This shrinks the market, reducing demand for programmers in India. Now MANY Indian programmers can't find work, even ones who were honest and efficient.
I think this effect is very important to keep in mind if you're concerned about the morality of the situation. The thief is hurting his fellow Indian programmers just as much as his western customer.
I watched a dilemma like this unfold first hand when my landlord had his bike stolen by an illegal immigrant. He didn't want a drunk stealing the bike off of his porch, but he didn't want him to get in so much trouble that he got deported either.
I believe the point is some of us have aspirations for a society that minimizes the number of people in terrible situations. The idea being that some of us feel many of these terrible choices are as much the result of circumstance as otherwise.
Particularly for someone like me who doesn't believe in immigration control at all, deportation (or even subjecting someone to the horrible abuses of ICE without actual deportation occurring) constitutes a cruel and unusual punishment for a crime that should be punished by a fine or a few days in jail.
If I knew a drunken bicycle thief-citizen would be imprisoned for years, I wouldn't report them, either.
>It seems very plausible to me that the worker really was unable to feed his family after having his account terminated
Why? Does ODesk have zero competition? He could switch over to one of them and probably already did. If it is somewhere like India then there is a thriving non virtual market for software developers. Why couldn't he get a job at one of the big body shops? It certainly isn't ODesk or the salt mines. If it really is ODesk or the salt mines, why take the risk?
>All I'm saying is that oDesk typically connect a westerner with a developer in somewhere like India who thinks that being paid $3/hour is fantastic, and who's other options for a job are basically hard manual labour.
While thier might be some anecdotal evidence where this is true it's mostly just you being prejudice.
I had a friend who had this happen to her -- some SEO spammer picked up the complete text of her blog and posted it under a bunch of different domains, full of hidden links.
It was reasonably easy to deal with, though; all you need to do is figure out where the sites are hosted, and then submit a DMCA complaint to the host's abuse address indicating they're hosting illegally copied copyrighted material. Legitimate hosts will take stuff like that down pretty quick.
There's two things the DMCA requires that they'll look for in your complaint before they'll take action, though, so make sure you include them:
1) The statement "I swear under penalty of perjury" that you hold the copyright for the material, or that you are representing the person who does; and
2) A list of filenames that contain the infringing content.
(If the host won't take action, you can file the complaint at whichever registrar the domain was registered through, too.)
For anyone else experiencing this problem what you can do is simply setup a filter in Google Analytics to only allow your domain to add traffic to your google analytics profile.
Inside google analytics goto filter,
create new filter,
select custom filter,
select include filter,
Enter hostname in the filter field,
enter your websitename\.com in the filter pattern box,
Apply this filter to your profiles for websitename.com and you should be good to go
That's most of the way there, but if there's sufficient amount of combined traffic, ad hoc reports will start populating from sampled data instead of showing exact results. This might prevent getting any meaningful data about e.g. how A/B test is performing when filtered to a specific segment.
oniTony not sure what you mean exactly since this would just filter traffic to your own domain. This only works moving forward and usually is setup when a profile is created. Filters will not work retroactively with Google Analytics.
Would be happy to discuss if you could clarify your statement regarding A/B testing.
I went back to the Analytics Admin panel to double check, and it indeed looks like filters are applied to specific views. The tracking code collects data at the property level.
> If the number of visits/sessions to the property in the given date range exceeds 250K visits/sessions, GA will employ a sampling algorithm...
> It is important to note that session sampling occurs at the property level, not the view level.
So it sounds like reports will sample 250K from total traffic first, and apply the view filter after. This has the potential to be left with reports generated on too small of a sample.
I wrote an example for graduate students in the US to create a webpage and directed them to look at my webpage for an example template. Now they all copy my analytics tracking code, and I have like tens of student websites that I'm tracking me. It annoys me. I think we should have some sort of two-way authentication or atleast a way to "mute" certain domains or only whitelist certain domains in the reporting side of GA. Perhaps it exists?
Actually it's so you can track multiple domain with one code. I do this with subdomains so that I can see all my traffic as well as by individual subdomain.
You can set-up a hostname filter in the admin section of GA. Best to do this in a separate view so that you can still access unfiltered data if you ever need to do so
Back in 2003 Sony Pictures hotlinked some javascript code I had created for handling Flash->javascript communication. Back then all I could think of was using it to float a dancing robot over their content. These days I guess you can get away with a lot more.
Well it's not THAT much of a spike, at least not so far. Although the number has increased significantly since the screen shot. Right now I'm just curious to see how long it will take them to notice.
One morning, we woke up to see Google Analytics sending us data from an external site. When we opened that link, it turned out to be a clone of our website.
They had crawled the entire site (which was designed by our partners) and replaced the logos and text. The GA code was still there.
Hilarious. You probably aren't seeing a huge traffic spike because it's a microsite that hasn't been launched yet. It also appears to be outsourced or in some sort of BETA since the script management is atrocious. Run a Chrome audit - it's only a landing page and still makes 37 different JS file requests & 13 different CSS file requests, none of which are minified. Granted many "professional" sites ignore client-side asset performance but regardless, 120+ HTTP requests for a landing page is laughable.
Edit: Might be same shop as mlb.com, they don't appear to care about asset performance either.
Doesn't Google Analytics cost money after a certain amount of hits per day/month? If that is the case and the gap was hit, would MLB.com be liable to pay the fees?
Google limit tracking to 10 million recorded events per month. Funny thing is almost know-one knows this of the analysts/developers/marketeers I work with and take GA as gospel. If you have a site with large tracking requirements you should look at paying or manually adjusting your sampling rates (if you have consistent traffic) otherwise results will be skewed to the earlier part of the month.
This is common knowledge for the marketers/analysts that I work with.
Have you ever run GA on a high traffic site or app?
Google gives you warnings. They're small at first, but when you're really hammering them and aren't paying for premium there are big red warnings about your data is getting heavily sampled. We have a relationship with Google, so they also personally reached out to us to ask us to fix the issue before they shut us off. I work at $BIGCORP so going through the procurement process is a lengthy process.
And then you can do nothing about it because MLB.com has outsourced their site and they stole your analytics codes. I guess you could change them, but still the question is: are companies that outsource to shady firms liable for copyright/damages that will result from said decision.
The Paid version is called Google Analytics Premium and requires a contract in place between the client and Google or a reseller. You won't get a bill out of the blue just for being over limit.
People usually steals my designs. Well, I stole better but that's another story.
I once had my site's design stolen complete with my CSS, Javascript errors, the Analytic and the Adsense Code. I think I have the screenshots somewhere on Flickr.
The irony was that, mine was powered by a WordPress theme that I designed and was available as a free download.
Meta comment: This thread has seemed to attract more nonsense comments -- many are almost entirely whited-out -- than usual. Why? Whatever happened to the endorsement idea?
I've had this issue too with some of my old, Open Source jQuery plugins and even keeping the scripts separated (into the document head and at the end of the body) and commented didn't seem to work. Developers looking for the cheap and easy copy and paste I guess don't recognize the difference. Fortunately GA supports simple filtering to mitigate it.
I've created an open source project and forgot to remove my tracking code too. The only thing was, I was hosting my own analytics with piwik, so the tracking code came from my domain. Although I marked the code with comments lots of people still left it there.
If I was a bad guy this would be an easy and subtle XSS attack vector
I have seen something similar, when three companies stolen award-winning design of digital agency I used to work for. They just copied whole code (including comments in javascript) and changed logos/texts but they haven't change our ga code.
Reviewing the comments made regarding this and other "Stackoverflow is down" kinda threads I start to wonder... are there so many so-called developers that just copy-paste 9-5?
Nope. GA is based on UA numbers (UA-12345 etc). You can reuse a number across multiple domains, so that you can (for example) aggregate a network of sites.
Interesting, I was serious. Sure the OA says, "Too bad they didn’t copy my adsense codes, that would have been a nicer surprise." which makes sense since Analytics and Ad inserts are completely different but if you can get someone to do that you are "golden." (not really though since everytime your adsense revenue changes suddenly you get put on fraud watch) And of course to do that you have to have your styling JS go down and re-write things in the ad fetching JS. Not impossible I suppose but well beyond my js-foo.
Well actually it's two sets of codes I use which is custom script I put together to track two ids since I have a lot of subdomains. Not how Google gives it to you, which leads me to believe it was copy and pasted. Still not sure how that could happen though.
If it is a typo in the ID number, thats understandable. But the social tracking id seems to be wrong too and that also points to the authors id. Can't be wrong twice and have both mistakes point to the same person
Sergei knew about the potential for a problem with crc32 so they went with crcgoogol instead. Clearly the 1 in 10^42 eventuality happened, improbable as it seemed.
Everyone should want analytics. Better numbers can mean less work, or more focused work. You can prioritize improvement of features people use the most, drop ones that nobody cares about, or decide you're in a good place to spend less time on features and more time working off technical debt.
No way. I absolutely want to know how my users are interacting with my sites and site speed is definitely one of the analytic numbers that I look at whenever new builds go out. We test this stuff of course, but dealing with prod loads and usage patterns (how do you know what they are without analytics?) is not something that it is feasible for us to do.
I guess they copied a little too much.