tracert h -90 bad.horse
September 25, 2015 2:46 PM

Bad Horse, a domain owned by James Renken, takes a fun ride across the nation using traceroute.
posted by jeather (38 comments total) 16 users marked this as a favorite
 
On OSX: traceroute -m 64 http://bad.horse | sed "s/^....//g" | cut -d " " -f 1 | tr "." " " | xargs say -v Alex & and wait for it with the sound up.
posted by mhoye at 2:51 PM on September 25, 2015 [5 favorites]


on unix (linux at least) you probably need "-m 60" or similar with traceroute (which these days is in /usr/sbin) to get the full trace.
posted by andrewcooke at 2:56 PM on September 25, 2015


Pauls-iMac:newdown paul$ traceroute -m 64 http://bad.horse | sed "s/^....//g" | cut -d " " -f 1 | tr "." " " | xargs say -v Alex &
[1] 87035
Pauls-iMac:newdown paul$ traceroute: unknown host http://bad.horse
Strip out the http:// and it works. Warning: don't have the sound too far up.

o.O
posted by djeo at 3:01 PM on September 25, 2015


this is fine.
posted by boo_radley at 3:21 PM on September 25, 2015 [1 favorite]


On OS X, if you feel sketchy typing in a bunch of punctuation-filled commands at the terminal, most of it is just processing the output in order to feed it to the speech synthesizer. You can get the gist with simply

traceroute bad.horse

which is a little more transparent.
posted by Wolfdog at 3:21 PM on September 25, 2015 [1 favorite]


Not that there's anything wrong with pasting punctuation-filled commands at the terminal though. It was on Twitter! So you can be sure it's safe.
posted by Wolfdog at 3:26 PM on September 25, 2015 [9 favorites]


Coincidentally, North America ran out of IPv4 addresses yesterday.
posted by straw at 3:31 PM on September 25, 2015 [7 favorites]


ELI5 - ? - ....
posted by growabrain at 3:43 PM on September 25, 2015


the "internet" is a bunch of connections between computers. so when you load a web page from a server, the contents of the page are passed, in a series of hops, from one computer to another, until they get to you.

traceroute is a command that shows the computers involved in such a series of hops. in this case, the computer names along the route to the site "bad.horse" contain the lyrics from the song in the youtube link (normally they're just a bunch of boring random names).

i don't know how it's done, but i suspect it's faked in some way (by receiving the messages traceroute uses and "lying" in response) - to do it "for real" you'd need a lot of computers and some odd domain names.
posted by andrewcooke at 3:47 PM on September 25, 2015 [1 favorite]


"And by hammer, I mean my penis."
posted by humboldt32 at 3:59 PM on September 25, 2015 [3 favorites]


Yeah, it's faked; .nation isn't a valid TLD, along with most of the others.

In other .horse related domain news though, http://chakra.horse.

All the cool kids use mtr these days.
posted by fragmede at 4:02 PM on September 25, 2015 [2 favorites]


So this doesn't look fake, at least, the IPs that traceroute travels through are real (and global), and the reverse DNS names are set properly (the reverse DNS name is what shows up in traceroute).
 % nslookup 162.252.205.155
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
155.205.252.162.in-addr.arpa	name = there-s.no.recourse.
As an example from the middle of the traceroute. Of course, these aren't global DNS names; they won't resolve if you try to hit the name rather than the IP.

But it isn't really lying, a machine can set its rDNS record to whatever it wants, even a name that won't resolve. This is actually a pretty fun exploit of that. And who knows, maybe he has a local DNS server and actually has a machine named there-s.no.recourse that will resolve on each of the other machines in his network. Just because it's not a globally-resolvable name (ending in .com or another public TLD) doesn't necessarily imply that the hostname is fake. It just isn't global. In any case traceroute will happily report whatever is set in the rDNS record on the machine it's passing through.

It's more likely that it's a bunch of virtual ethernet devices all on the same box configured to have these rDNS names, though.
posted by unknownmosquito at 4:11 PM on September 25, 2015 [5 favorites]


Although he does have multiple machines purportedly named bad.horse so they're probably not resolvable names, even on the local network. However this is done, it's a great hack.
posted by unknownmosquito at 4:17 PM on September 25, 2015


actually, i'm pretty sure traceroute will deal in IPs, and not names, so the names have to be looked-up to be displayed. so ignore me there. but still, i don't think he'd really have a bunch of machines connected in order (or even VMs - i mean, wouldn't that be more work than doing this in software?). although, on his web page it says he's working on a CDN so who knows?
posted by andrewcooke at 4:21 PM on September 25, 2015


Well, now we know why we've been running out of IPv4 addresses in recent years
posted by surazal at 4:23 PM on September 25, 2015 [1 favorite]


traceroute works by sending a packet to a destination (IP address) with a specified "time to live" value that defines when the packet should give up and be returned, defined as a number of "hops" from the machine running traceroute. It starts the time to live bit at 1 (so you'll see your router as the first hop) and then resends the packet each time increasing the time to live bit by 1 until the destination is reached.

At each hop where the packet dies and is returned, the host returning the packet includes its hostname / reverse DNS name, and that's what's shown by traceroute.

Since this value is only held by the host that is being queried by traceroute, it can be anything, and that's the core trick being exploited here. That and some clever routing, so that the packet always takes the same path, spelling out the lyrics of the song in reported hostnames.
posted by unknownmosquito at 4:29 PM on September 25, 2015 [3 favorites]


The key here seems to be that James Renken controls the "205.252.162.in-addr.arpa." zone (i.e., the DNS zone which controls IP-to-name resolution for 162.252.205.0/24, which is all 162.252.205.x addresses.)

$ dig -x 162.252.205.130 SOA
[...]
;; AUTHORITY SECTION:
205.252.162.in-addr.arpa. 3600 IN SOA a.sn1.us. n.sn1.us. 2015092510 1200 180 1209600 3600

Which is to say that the authoritative nameservers for the "205.252.162.in-addr.arpa." zone are "a.sn1.us" and "n.sn1.us".

$ whois sn1.us
Domain Name: SN1.US
[...]
Registrant Name: James Renken
Registrant Organization: Sandwich.Net, LLC

And James Renken owns the sn1.us domain.

I'm guessing that Sandwich.Net also owns the 162.252.205.0/24 public address space, since the last hop before the fun starts is "sandwichnet.dmarc.lga1.atlanticmetro.net", i.e., the demarcation point between his upstream ISP and his own network. So he can manipulate the network path within his network (policy routing on traceroute packets, I would think) to make it pass through the appropriate IPs, and he has appropriate funny entries in the reverse DNS zone to resolve those IPs.

No fakery here, just some clever manipulation of a public address range and a public reverse DNS zone that he legitimately controls.
posted by McCoy Pauley at 4:33 PM on September 25, 2015 [6 favorites]


he does have multiple machines purportedly named bad.horse
Well, I mean really, who doesn't?
posted by Wolfdog at 4:47 PM on September 25, 2015 [8 favorites]


oh wow. til. thanks.
posted by andrewcooke at 4:49 PM on September 25, 2015


Without getting dragged into a discussion for the semantics of the word 'fake', I'll point out that a DNS lookup for bad.horse points at 162.252.205.157, however there are 7 additional IPs[1] in the trace route that report reverse DNS names of bad.horse. THIS IS NOT SANE.

I also doubt that the other private TLDs[2] (which isn't recommended by the IANA) are being used internally by Mr. Renken.

Anyway, if anyone else would like to set this up, you're looking for a DNS server you can set PTR records in, a netblock you control, and a machine to set up routing tables on.

[1] 162.252.205.130, 162.252.205.131, 162.252.205.132, 162.252.205.133, 162.252.205.143, 162.252.205.144, 162.252.205.145

[2] .nation, .sin, .application, .in, .evaluation, .begin, .crime, .force, .course, and .bad.
posted by fragmede at 5:02 PM on September 25, 2015 [1 favorite]
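
The comments above establish that a PTR name is whatever the holder of the reverse zone publishes, which is why a hostname taken from reverse DNS is normally checked against a forward lookup before it is trusted in logs or access rules. The following is an added example of that forward-confirmed reverse DNS check, not code from the thread or from the operator of bad.horse. The function names and the offline lookup tables are assumptions built from the lookups quoted in the thread, and the PTR entry for 162.252.205.157 is inferred from the comment above.

```python
import ipaddress

# Constructed offline snapshot of the lookups quoted in the thread (not live DNS).
# Reverse zone: published by whoever controls 205.252.162.in-addr.arpa.
PTR = {
    "155.205.252.162.in-addr.arpa.": "there-s.no.recourse.",
    "130.205.252.162.in-addr.arpa.": "bad.horse.",
    "157.205.252.162.in-addr.arpa.": "bad.horse.",  # assumed from the comment above
}
# Forward zone: what the names resolve to when looked up directly.
A = {"bad.horse.": ["162.252.205.157"]}


def reverse_name(ip):
    """Name queried by `dig -x`: octets reversed under in-addr.arpa (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, ptr_lookup=PTR.get, a_lookup=A.get):
    """Forward-confirmed reverse DNS: return (ptr_name, verdict) for one address.

    The lookups are injectable so a real resolver can replace the tables.
    """
    name = ptr_lookup(reverse_name(ip))
    if name is None:
        return None, "no-ptr"
    forward = a_lookup(name) or []
    if not forward:
        # PTR points at a name that does not exist in forward DNS
        return name, "unresolvable"
    wanted = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == wanted for a in forward):
        return name, "confirmed"
    # The name exists, but does not point back at this address
    return name, "mismatch"


def audit(hops):
    """Map each hop address to its verdict; only 'confirmed' names are trustworthy."""
    return {ip: fcrdns(ip) for ip in hops}


if __name__ == "__main__":
    for ip, (name, verdict) in audit(
        ["162.252.205.130", "162.252.205.155", "162.252.205.157", "192.0.2.1"]
    ).items():
        print(f"{ip:16} {name or '-':24} {verdict}")
```
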


Actually, it is totally sane if you use a Round Robin load balancing server, fragmede. My Isilon does this (Isilon = clustered storage). It is tricky and does break some bad habits developed by web programmers over the years, but it is a necessity for distributed systems.
posted by daq at 5:09 PM on September 25, 2015 [2 favorites]


Strip out the http:// and it works

Argh, sorry. Copy/paste error on my part.
posted by mhoye at 5:16 PM on September 25, 2015


A quick google search for .horse domain helpfully reveals that the answer is "eukaryote"
posted by Wolfdog at 6:10 PM on September 25, 2015 [1 favorite]


This is probably the nerdiest thing ever.
posted by ph00dz at 6:35 PM on September 25, 2015


on unix (linux at least) you probably need "-m 60" or similar with traceroute

Yep, traceroute -m 60 bad.horse

I enjoyed the o_o at 48.
posted by Aya Hirano on the Astral Plane at 6:37 PM on September 25, 2015 [1 favorite]


"And by hammer, I mean my penis."

I favorited it, but the actual quote is, "The hammer is my penis." I know this without looking because I've watched Dr. Horrible like 50 times and I'm going to watch it again right now.

Interestingly, Bad Horse was actually created by Ben Edlund, creator of The Tick, and pitched as a villain on Angel. He also wrote the Jaynestown episode of Firefly, and I just saw that he was a writer and exec producer on Supernatural so now I have to watch that, too.

I'm not sure what all the internety stuff up above is all about, but BAD HORSE! YEAH!
posted by Huck500 at 6:51 PM on September 25, 2015 [2 favorites]


Derail: one of the Top 10 Reasons I WANT to See a Sequel to Dr. Horrible is to see an encore from the Bad Horse Chorus.

Double Derail: Wouldn't they have to change the sequel title from "Sing-Along Blog"? Blogs are so-o-o-o 2008. So, "Dr. Horrible's Facebook"? (Would he have problems with the 'real name' policy?) "Dr. Horrible's Twitter"? (Every piece of dialogue under 140 characters?) "Dr. Horrible's Vine"? (every scene under 7 seconds?) "Dr. Horrible's Tumblr"? (now THERE he could make some trouble) "Dr. Horrible's LinkedIn?" (of course the Evil League of Evil would use it for recruiting)
posted by oneswellfoop at 6:51 PM on September 25, 2015 [2 favorites]


Agreed, I've only seen it about 40 times. Obviously not enough.
posted by humboldt32 at 6:56 PM on September 25, 2015 [1 favorite]


This is great, though it's no Walmart.horse... Sigh...
posted by Mr.Encyclopedia at 7:14 PM on September 25, 2015 [1 favorite]


Without getting dragged into a discussion for the semantics of the word 'fake'

Fair enough -- by "no fakery", I meant "no technical subversion of the network protocols involved". As far as "violating the accepted standards of how those protocols are to be used on the public Internet", yeah, that's a different matter entirely.
posted by McCoy Pauley at 7:49 PM on September 25, 2015


bad.horse seems to be down right now?
posted by atoxyl at 7:53 PM on September 25, 2015


A rich six-century tradition of lovingly crafted horse poetry, and this farce is the horse poem that finally breaks out. We're gonna stay filling up notebooks in the stable, thanks though - we'll pass.
posted by passerby at 7:56 PM on September 25, 2015


bad.horse seems to be down right now?
Check status.horse for updates on the situation.
posted by Wolfdog at 8:03 PM on September 25, 2015


Fixed! Sorry about that. The Linux netlink interface code I'm using isn't especially stable.
posted by Parade of Horribles at 8:13 PM on September 25, 2015 [8 favorites]


Anyone else remember Star Wars traceroute (now offline)?
posted by caaaaaam at 9:01 PM on September 25, 2015


finger @bad.horse
[bad.horse]
finger: connect: Connection refused
Lame.
posted by GuyZero at 9:36 PM on September 25, 2015 [5 favorites]


Saw the TLD. Scratched my chin and then did the obvious MetaThing.
Everything went as expected.
posted by drowsy at 6:57 PM on September 26, 2015 [3 favorites]


I found the song captivated me with the title "The Thoroughbred of Sin" in the original. There's something just so delightfully Rocky & Bullwinkle about that phrase.
posted by rum-soaked space hobo at 4:37 AM on September 27, 2015

