Don't use this for anything you view as important. I just checked and there is no collision detection for usernames. You can sign up for an account using any name and your account will seemingly just replace the previously created account. That is a big enough and obvious enough flaw that it also makes me wonder if this is just a phishing expedition or a way to mine email addresses.
I just fixed it. It was a change I did last night to fix a save bug. My apologies about that, it wasn't a good bug, but hopefully it's the last security-related one. Probably goes without saying, but this is definitely a beta project. I'm doing a lot of other things to protect against this kind of attack (filename scrubbing, bcrypt passwords), so I'm pretty red in the face about how dumb this one was.
If you find any other bad bugs, please let me know (@kyledrake on Twitter) instead of, you know, trashing other people's work. I'm finding the duplicate sites right now and taking care of it. Thanks, and again my apologies.
This is not an email phishing expedition. I don't even require you to enter your email address to make a site.
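The "filename scrubbing" mentioned in the reply above is the check a static-file host needs on every upload: reduce the client-supplied name to one safe path component and then confirm the resolved path is still inside the user's site directory. The following is an added example in the project's language, not code from the NeoCities repository; the allowed-extension list, the 100-character limit and the /sites/<user> layout are assumptions made for the example.

```ruby
# Extensions a static host is willing to store. Constructed list for this example;
# the real site's policy may differ.
ALLOWED_EXT = %w[.html .htm .css .js .txt .png .jpg .jpeg .gif .svg .ico].freeze

# Reduce an uploaded filename to a single, safe path component, or return nil.
def scrub_filename(raw)
  # Treat backslashes as separators too, then keep only the last component.
  name = File.basename(raw.to_s.gsub('\\', '/'))
  # Whitelist characters; anything else (spaces, "ğ", quotes, NUL) becomes "_".
  name = name.gsub(/[^A-Za-z0-9._-]/, '_')
  # No leading dots: no dotfiles and no way to end up with "." or "..".
  name = name.sub(/\A\.+/, '')
  return nil if name.empty? || name.length > 100
  return nil unless ALLOWED_EXT.include?(File.extname(name).downcase)
  name
end

# Resolve the final on-disk path for an upload and refuse anything that would
# land outside site_root (assumed layout: one directory per user).
def upload_path(site_root, raw_name)
  safe = scrub_filename(raw_name)
  return nil if safe.nil?
  root = File.expand_path(site_root)
  path = File.expand_path(safe, root)
  # Belt and braces: even after scrubbing, require the root as a proper prefix.
  return nil unless path.start_with?(root + File::SEPARATOR)
  path
end

# Constructed inputs showing what each rule catches.
def demo_uploads
  root = '/sites/alice'
  {
    'index.html'            => upload_path(root, 'index.html'),
    '..\\..\\index.html'    => upload_path(root, '..\\..\\index.html'),
    '../../etc/passwd'      => upload_path(root, '../../etc/passwd'),
    '.htaccess'             => upload_path(root, '.htaccess'),
    'my page.html'          => upload_path(root, 'my page.html'),
    'shell.php'             => upload_path(root, 'shell.php'),
  }
end
```

The two-step shape matters: scrubbing produces a name that cannot contain a separator, and the prefix check guards against any later change to the scrubber that accidentally lets one through.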
You are right, I should have reached out to you directly with this issue. I took the easy route and didn't put in any effort to track you down, for that I am sorry. However, I take exception to you categorizing my post as "trashing other people's work."
I feel that I also have a responsibility to publicize such a glaring security hole in your site. This is the number 1 link on HN at the moment. Thousands of people are going to be signing up. I think they have the right to know that a bug like this exists. Like I said in my initial post, a bug this big seemed to be a sign of bigger problems. I had suspicions the site was malicious and at that point my priority was to point out those suspicions to the HN community.
Here, I'll do one better: If anyone is concerned about the nature/security of the site, here is the source code to NeoCities, ready for anyone to do a full security audit: https://github.com/kyledrake/neocities-web
I can't believe what I just witnessed. Something expressing a valid concern in a somewhat uncivilized manner, the developer answering in a nice way, the original poster apologizing and the developer linking to the source code to quench other similar concerns. WHAT HAS THE INTERNET COME TO?
Hey, I'll try to hunt this down for you but just to give you a heads up, the server gives me a 500 internal server error when I use characters like "ğ" or "ü".
Great response. The bug's existence alone made me question the project's intent and viability. Even though I probably won't read your code, just making the source available mitigated my biggest concerns.
I think it's a pure joy to read the Ruby source. Although Ruby is not fast, it's got some of the simplest, most elegant frameworks out there. Sinatra is not much more than a router config file with some logic. Sequel is the simplest database ORM and migration tool around. And Slim makes very readable templates. All frameworks perfect for the first minimum viable product. If this site takes off, I would perhaps pay someone to rewrite some bottlenecks of it in Java.
I don't mean to pick on this project in particular. In fact, this project as a whole is quite possibly the cleanest Ruby code I've ever seen.
That being said, Ruby's syntax makes me want to gouge my eyes out. There are equal signs, unquoted regular expressions, exclamation points, absolute value bars, and at signs all over the above code. You can't even sort-of follow what this code is doing without searching through the manual every third character. Ruby syntax is worse than C++ and almost as bad as Perl.
Someone tried to explain Ruby syntax to me last week [2], and I'm not sure if I understood it more, or less, as a result, because my conclusion was that Ruby's syntax is so bad, the language shouldn't even be able to exist! I.e., there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible!
I fail to see how using equal signs for assignment (or for defining assignment methods) is a problem with syntax, rather than an enhancement to clarity.
> unquoted regular expressions
What's wrong with that? Regexes are a different type than strings. Why should they look like strings?
> exclamation points
...again, so, what?
> absolute value bars
vertical bars used to set off block argument lists aren't absolute value bars. (Neither are vertical bars used for logical-or.)
> at signs
Again, so?
> You can't even sort-of follow what this code is doing without searching through the manual every third character.
Yes, I can, and not just "sort-of follow" it.
> Ruby syntax is worse than C++ and almost as bad as Perl.
There's no accounting for taste, I suppose.
> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible
As Ruby does exist, and is parsed, this is clearly not the case. That said, Ruby's syntax is not optimized for machine parsing; it's designed to be Ruby-developer-friendly rather than Ruby-parser-developer-friendly.
If you want something optimized for the developer of the language's parser, look to Lisp.
using System;
using System.Linq;

// Parse tags string.
// Example:
//   "tag1, tag2"          => {"tag1", "tag2"}
//   "tag1, very long tag" => {"tag1", "very long"}
string[] NewTags(string tags_string)
{
    // Allow only letters, numbers, spaces and commas (the separator) in the input.
    tags_string = new string(tags_string
        .Where(c => char.IsLetter(c) || char.IsNumber(c) || c == ' ' || c == ',')
        .ToArray());
    // Separate multiple tags with commas, trim each one and drop empty tags.
    string[] tags = tags_string.Split(',')
        .Select(s => s.Trim())
        .Where(s => s.Length > 0)
        .ToArray();
    // Two words per tag maximum (extra words in a tag are removed).
    for (int i = 0; i < tags.Length; i++)
    {
        string[] wordsInTag = tags[i].Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (wordsInTag.Length > 2)
        {
            tags[i] = wordsInTag[0] + " " + wordsInTag[1];
        }
    }
    return tags;
}
> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible
Keep in mind that while your protest does sound intuitive - e.g. that Ruby can be syntactically ambiguous, ergo it is unparseable, it turns out that that doesn't stop us from writing a parser. We can parse most things even if we can't parse the "general case." When we DO encounter something unparseable, the compiler can a) guess or b) fail, hopefully with a message that will help us investigate and rectify the failure.
You point out that Perl's syntax may be worse than Ruby's, and I assume that implies that it is more syntactically ambiguous, ergo, writing a parser should also be impossible for Perl. It turns out that Perl is provably unparseable in the general case - in fact, it's been done rather rigorously: http://www.jeffreykegler.com/Home/perl-and-undecidability
Regardless of Perl's general unparseability, we have compilers for Perl and even large projects manage to compile to what appear to be functional executables. The same is true for Ruby.
I wrote this comment mostly as a reminder that while something may appear to be insoluble, we may be able to solve for sufficient cases that we don't care about the rest, particularly if we have an oracle to fix the number of cases that we can't solve. (In this case, the oracle is the developer.)
Ruby's syntax is beautiful once you've realized two things:
1. How blocks work, and how their minimalist syntax is beautiful. You see absolute value bars but believe me, getting used to that barebones function syntax is a gift. (No other programming language that I know of has an absolute value operator with vertical bars so it is not as hard as you think.)
2. Every time you see a dot, do NOT think attribute access. Think message sending a la Smalltalk.
Suddenly then, things like the tags.collect! line become pretty for encapsulating a callback on one line unlike the ugly function() {} crud of JavaScript, and things like defining a newtags= method become sensible, because everything including traditional attribute getting and setting reduces to message passing.
What's difficult about that function? It's terse, but very understandable.
Oh, the inability to parse Ruby shouldn't be held against it. It has (at the least) a context-sensitive grammar. So do lots of languages, including HTML and Perl.
Not being able to parse it doesn't really mean what you think it means. It just means that in order to figure out what it does programmatically, you have to evaluate it. Its unparseability makes certain things impossible, like writing a perfect syntax highlighter. Also makes building certain tools you'd normally see in an IDE difficult.
I don't know if this works for everyone, (and I hate to appeal to magic), but I'm pretty sure it was http://mislav.uniqpath.com/poignant-guide/book/chapter-3.htm... that gave me a visceral understanding of Ruby's syntax. For example, the slashes surrounding the Regexp are like pins that you stick the Regexp onto the paper with, and it lights up if the pattern matches. The at signs stand for "ATtribute". Exclamation/question marks have meanings analogous to their natural language counterparts. And the vertical bars form a little chute that the block variables slide down into the block through. It's really fun.
This is in the same league as arguing against Esperanto in favor of Interlingua. You'll never get anywhere with people with the "so what?" or "no, it's just you" mindset, as in their capacity they're not able (or willing?) to entertain perspectives beyond their own.
That said, I do really enjoy reading this code. It's indeed very, very clean!
I don't think it's a smart idea to publish the source code to your site (especially while on the front page of Hacker News) until you've spent a significant amount of money on auditing the security internally to the point that others are comfortable with a public release.
Now it looks like something happened, and you've got no site, and thousands of people trying to access it!
That wasn't directed at you, it was a general comment. I was referring to the person(s) that defaced other people's sites. Sorry if it came off any other way. :)
I read the "trashing other people's work" comment as referencing smashing someone's site by registering an account over theirs, not publishing the bug on hacker news.
Responsible security disclosure would say you've got a responsibility to make the bug known. Making it public should only happen after you've made the creator aware.
I can understand why the developer viewed you as 'trashing' his work, you claimed it as a phishing expedition. That'd make the best of us upset. I see you've sorted it out between you which is great, and I hope others look at this exchange and get some good takeaway from it.
> I feel that I also have a responsibility to publicize such a glaring security hole in your site.
It's static web site hosting; exactly what "security holes" could we be talking about? Not theoretical holes that you could technically exploit on the 45th blue moon of the century, but things that might actually happen.
I'd just like to point out that when he said "trashing other people's work," he was likely referring to people overwriting others' pages, not your comment.
Back then, this wasn't called collision detection, but proper database design. I cannot even begin to fathom how you can inadvertently introduce this by fixing a save bug.
Proper database design does not mean the problem couldn't happen. Consider this scenario. The database has a unique constraint on the name but the code ignores the result and overwrites the directory anyways. It wouldn't cause this exact problem but it is similar.
Funny enough, that is exactly how I found the problem. I created a www account (I am almost ashamed to say that was my first instinct, try to break the system before you decide the system is worthy of your use). I ended up logging out and I couldn't log back in with the same password. In hindsight, someone must have created another www account after I did and before I tried to login again. I then tried creating another www account and it worked. I then logged out and tried registering with a different username twice just in case www was a special case. The same thing happened, the second account just replaced the first account.
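The two comments above describe the shape of the bug precisely: a unique constraint only helps if the signup code fails when the constraint fires, and the site directory on disk is a second resource that can be clobbered independently of the database row. Below is an added example in the project's language, not code from the NeoCities repository. It uses an in-memory table with a simulated UNIQUE index and a real temporary directory; PBKDF2 from the standard library stands in for the bcrypt hashing the site uses. The first flow ("unsafe") reproduces the reported symptom (second signup takes over the login and the files); the second flow claims the name first and creates the directory with a call that refuses to overwrite.

```ruby
require 'fileutils'
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Constructed stand-in for a users table with a UNIQUE index on username.
class UniqueViolation < StandardError; end

class UserTable
  def initialize
    @rows = {}
    @lock = Mutex.new
  end

  # INSERT semantics: a duplicate key raises; it never silently replaces.
  def insert(username, password_hash)
    @lock.synchronize do
      raise UniqueViolation, "username taken: #{username}" if @rows.key?(username)
      @rows[username] = password_hash
    end
  end

  # "Save" semantics: whatever is there gets replaced. This is the bug shape.
  def upsert(username, password_hash)
    @lock.synchronize { @rows[username] = password_hash }
  end

  def delete(username)
    @lock.synchronize { @rows.delete(username) }
  end

  def password_hash(username)
    @rows[username]
  end
end

# PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt in this example.
def hash_password(password, salt = SecureRandom.hex(16))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50_000, 32, 'sha256')
  "#{salt}$#{key.unpack1('H*')}"
end

def password_matches?(stored, password)
  return false if stored.nil?
  salt = stored.split('$', 2).first
  candidate = hash_password(password, salt)
  return false unless stored.bytesize == candidate.bytesize
  # Constant-time comparison of two equal-length hex strings.
  stored.bytes.zip(candidate.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Reproduces the reported behaviour: mkdir_p does not care that the directory
# exists, the page is overwritten, and the row is saved with replace semantics.
def create_site_unsafe(table, root, username, password)
  dir = File.join(root, username)
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, 'index.html'), "<h1>#{username}</h1>")
  table.upsert(username, hash_password(password))
  :created
end

# Hardened flow: claim the name in the table first (the unique index decides),
# then create the directory with Dir.mkdir, which raises if it already exists.
# Either failure means :taken and leaves the existing owner untouched.
def create_site(table, root, username, password)
  table.insert(username, hash_password(password))
  dir = File.join(root, username)
  begin
    Dir.mkdir(dir)
  rescue Errno::EEXIST
    table.delete(username) # roll back the row; those files belong to someone else
    return :taken
  end
  File.write(File.join(dir, 'index.html'), "<h1>#{username}</h1>")
  :created
rescue UniqueViolation
  :taken
end

def login_ok?(table, username, password)
  password_matches?(table.password_hash(username), password)
end

# Runs both flows under a temporary site root and returns what each one did.
def demo
  Dir.mktmpdir do |root|
    table = UserTable.new
    create_site_unsafe(table, root, 'www', 'first-password')
    create_site_unsafe(table, root, 'www', 'second-password') # takes over the account
    unsafe = [login_ok?(table, 'www', 'first-password'),      # false: original owner locked out
              login_ok?(table, 'www', 'second-password')]     # true
    safe = [create_site(table, root, 'alice', 'first-password'),  # :created
            create_site(table, root, 'alice', 'second-password'), # :taken
            login_ok?(table, 'alice', 'first-password'),          # true
            login_ok?(table, 'alice', 'second-password')]         # false
    { unsafe: unsafe, safe: safe }
  end
end
```

The ordering in create_site is deliberate: the database row is the lock, so it is claimed before any file is written, and a filesystem collision rolls the row back rather than proceeding. With a real ORM the equivalent is inserting inside a transaction and treating the unique-violation exception as "name taken", never as something to rescue and continue past.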
Don't use this for anything you view as important. Hosting that doesn't use a domain name that you control means that when the donation bucket is empty and the service goes under, your traffic and pagerank and brand is now lost forever.
Check out my all-new website showing some oldskool JScripting skillz at http://cd.neocities.org/. You can trick your friends by directing them there.
P.S.: Just checked and it actually works with Internet Exploder 6.0 in an M$ Windoze 98 VM, which I had running in VMWare Player 5.0.2 with my PC's physical DVD drive connected. Should work as long as your Win9x or pre-SP2 XP has WMP 7 installed.
PEOPLE. This is clearly not intended as a business. Stop asking about the "business model." It strikes me as just being a cool side project that enables people to make websites. That's it.
As someone who has a 1gb/s flat rate at home, I have thought about doing something similar. It really isn't that expensive to have a bit of network and a server that gives out static content.
We were talking about the expenses of running the service, and not the legal space around hosting user generated content.
The legal questions are interesting, though they highly depend on the country and on political tendencies from one year to the next. In theory, I could run this kind of service in Sweden and only remove content on the order of a judge. In theory. In practice, there might not be any difference between hosting user-generated content and simply having a website up hosted in one's own name.
HN is supposed to be (partly) about the joy of building stuff, and yet this entire thread is all about people pointing out flaws, missing features and minor annoyances instead of saying, "Good job!".
Give the guy a break and a chance to get the project off the ground.
I wonder whether this 'negativity' is really negativity, or just well-meant criticism, testing and validating the idea, maybe even playing advocate of the devil. From what I've seen in the past years, the HN community is unlikely to produce a page with tons of similar 'Nice job!' postings.
Well the top post about a security flaw and the creator's superb response was what I was looking for to confirm some kind of semi-legitimacy before I post a link to facebook.
Haha, wow. It's like going to a civil war reenactment where everyone adheres strictly to period customs and vernacular.
Unfortunately they forgot center tags and to capitalize all of their HTML. I was going to say it's missing a table-based layout, but then I recalled that the height of geocities' popularity was earlier than I remember seeing table-based layouts everywhere.
It's really not very assuring when they state on the front page that they "hope" they can get enough money each month so they can pay the server bills.
The site will very easily pay for itself with donations. It's not that expensive to serve static HTML, especially when you are using Nginx and sendfile.
That wasn't really my point. It doesn't inspire confidence when the host says "hey! put your stuff here! I'm not sure that I can pay the bills each month but I sure hope we can. Oh--and I have no idea how this will scale."
It's all understandable. But even if it's free and even if my content is stupid, I'd still feel a little uncomfortable because of how much doubt the owner expresses over the viability of the service.
I have a lot of experience scaling web applications, I've been doing this for over 14 years. I should probably highlight that somewhere.
I've already gotten enough donations today to run the server as-is for 8 months! I also found a sweet deal with a reliable dedicated provider via a tip that will cost substantially less than my initial estimates.
There definitely needs to be some polish to the initial site, I think. We have been talking about making something similar to Twitter Bootstrap that's designed for HTML newcomers, so that even really basic sites have a base-level good look to them. We're also talking about a WYSIWYG HTML editor, but we decided that we would launch to the tech crowds first, who have experience with HTML and are comfortable dealing with no initial boilerplate frameworks, and would appreciate the value of what we're trying to provide here (an open canvas).
That said, I don't care if people use it for Geocities parodies. I think Geocities sites are a lot more interesting than the bland, drab Facebook profile layout that everybody is forced into with no ability to change in any meaningful way.
Needs more <frame>s! And I count a grand total of zero <blink> and <marquee> tags. C'mon people, if you want to party like it's 1999 you've got to step up your game!
I've hacked a little script together[1] for uploading all the files in a directory into NeoCities. Handy if you are working on your site and want to upload everything in one go.
Set your username and password at the beginning of the script and run it with the path to the directory as an argument:
I think it's a nice website; don't be discouraged by the comments you get here. HN can be awful with this, but if you parse through all the bad-mouthers you may find some gold :)
It is very refreshing that a side project/start-up related post has made it to number 1 spot on HN. And this is coming from someone who posted a Bee article that made it to the front page today.
kyledrake, if any negativity on this thread gets to you (something tells me it will not), just ask yourself how many others have posted their side project on HN and made it to #1. I know I have not, and that is why I created this account to begin with: to share my start-up with a start-up community.
Add a premium tier, even something as simple as integrated web analytics. Donations are charity. If you want this to be a sustainable business, ask for people to pay for value.
I was thinking about this too. I agree that counting on donations in sufficient quantity and regularity is like buying lotto tickets to pay your electric bill.
And if they add a premium tier... well then that kind of kills their differentiation, doesn't it? They're aiming for the niche of free, modest, simple, laissez faire vis-a-vis content. When you take 'free' out of the mix then you're in the arena of commoditized cheap hosting; inertia would be the only reason for someone to upgrade their free account to a premium plan.
guys i just made mine here http://rozap.neocities.org/index.html and it is best so you all can stop making them because it will fail to surpass my creation.
A couple of years back there was a website I used that switched to usernames as subdomains, and I managed to break it by using "webmail" as a username; another user took "ns1" and "ns2". Now my first port of call on sites like this is always checking out "webmail", "ns1" and "ns2". So childish, but good harmless fun.
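When usernames become subdomains, the username validator is also a DNS-label validator, and names that would shadow infrastructure hosts ("www", "webmail", "ns1", "ns2") need to be refused up front. The same validator is the natural place to reject non-ASCII input such as the "ğ"/"ü" that produced a 500 earlier in the thread, with a clear error instead of a crash. This is an added example in the project's language, not code from the NeoCities repository; the reserved list is a constructed starting point, and the IDNA-prefix rule and the error symbols are my own choices.

```ruby
# Hostnames that would collide with infrastructure or common services when a
# username becomes <username>.example.org. Constructed list; extend it for your zone.
RESERVED_SUBDOMAINS = %w[www webmail mail ns1 ns2 ftp smtp imap pop admin api static cdn].freeze

# One DNS label (RFC 1035 / 1123 host syntax): ASCII letters, digits and hyphens,
# 1 to 63 characters, no leading or trailing hyphen.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

# Returns [:ok, normalized_name] or [:invalid, reason].
def validate_username(raw)
  # DNS is case-insensitive and so are many filesystems, so "WWW" and "www"
  # must be the same account; normalize before every other check.
  name = raw.to_s.strip.downcase
  return [:invalid, :empty] if name.empty?
  # Rejects "ğ", "ü", spaces, "/", ".." and anything else outside the label alphabet.
  return [:invalid, :charset] unless name.ascii_only? && name.match?(LABEL)
  # Labels with "--" in positions 3 and 4 are reserved by IDNA ("xn--" punycode and friends).
  return [:invalid, :reserved] if name[2, 2] == '--'
  return [:invalid, :reserved] if RESERVED_SUBDOMAINS.include?(name)
  [:ok, name]
end

# Constructed signup attempts, including the ones the thread describes.
def demo_usernames
  ['alice', 'Alice', 'webmail', 'NS1', 'ğüzel', '../etc', '-bad', 'a' * 64, 'xn--foo', ''].map do |u|
    [u, validate_username(u)]
  end.to_h
end
```

Because the normalized name is what gets returned, the caller should store and compare that value, not the raw input; otherwise "Alice" and "alice" become two rows in the table but one directory on a case-insensitive disk, which is the same overwrite problem through a different door.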
I love the browser editor you made. Very easy to get up and running fast. It'll be a useful tool for teaching, and also for small js projects. Fun project- Thanks!
It's definitely an awesome project, but I just don't see the advantage of NeoCities over hosting a website on Github or BitBucket yet, especially since those sites offer unlimited space and store all the old versions of your website for you. Some differentiation with those services is needed - for example, a privacy policy guaranteeing true anonymity (no IP address stored, no cookies) or a more layperson-accessible website creator.
Those have significant learning curves for people who don't speak web-l337 yet. Remember before you knew how to code? When you didn't know what version control was, and documentation was scary? Angelfire and GeoCities are where I learned to code HTML.
Next, enter a password. This will be used to allow you to login. Minimum 5 characters. If you don't make it a good password, Dade Murphy from the movie Hackers will come in and steal your "garbage files".
How are you moderating the content? Are you doing it yourself? Are you putting together a flagging system? Do you need help? I am looking for another side project to work on.
The sad thing is that now there are lots of squatters creating "under construction" pages and the like instead of actually putting content. Trying to emulate Geocities without actually doing so (a lot of them did have those banners, but they also had content).
Unfortunately, this means that I cannot click with the middle mouse button to bring up the page in a new tab. Please remove the extraneous target="_blank" code.
I like the idea, but GeoCities left a bad taste in my mouth. What makes this site any more maintainable than GeoCities was? The fact that it's donation based and not at the whims of a corporate entity is reassuring, but other than that it seems as if the footing would be even less stable. Am I wrong?
I like looking through the "Browse Existing Sites" and looking at all the emerging sites. I especially like the ambiguous "enter credit card and expiration date" sites that are nothing but a form and submission button.
Good luck with this. Just a minor comment on your animated favicon.ico icon ... it would look a lot better if you used a transparent colour for the outside of the globe. Currently its white, which looks a little bit crappy.
Hah! I've been playing with Jekyll and Pelican and other static site generators, and one of the thoughts I had was "if Geocities were still around, I could host pages there."
It doesn't mean the provider of neocities couldn't be ordered to remove the illegal content and hand over all details about the person who uploaded it.
"No censorship" doesn't mean criminals will be protected by neocities. It doesn't mean that child abuse images can't be dealt with in accordance with the law.
Remember that the internet is not classified like movies and TV. There is no requirement to put "Rated R18+" on a website. As it should be.
All he is saying is that Neocities basically has the same censorship rules as the internet itself. In other words, no censorship.
A murderer can turn their PC into a server and self-publish images of his victims for all to see. They will get caught, and the server shut down, but the point is he didn't need to go through a censorship body to get the images published. Exactly how it should be.
Cool idea, but it seems the server has some problems uploading (2-8kb) files? Or is that the heavy traffic? Anyway, I get some error messages, but files are uploaded. Saving seems to take a while... better keep your code in another editor, too.
There are 61054 web site spaces remaining.
After that, we need your help to get another server.
Does that mean he's running 61k sites on a single server? Even if each site gets one single visitor per day, that's 61k visitors for the server. There is no way the server can manage that traffic.
Sorry, but do you really want a static site? Just pay for a good one.
A $20/month Linode can handle 4k static pages per second on Nginx. I've heard tell of people pumping the cheap Linode server up to 30k views/second, but I haven't been able to break 4k.
Assuming text pages, the full 61k sites could be accessed every 15 seconds. If the pages have nontrivial graphics, then you're (as others have mentioned) far more likely to be bandwidth-limited. If the site has an unmetered 10Mbps connection, then it could serve 1Mbyte per second: If each of those 61k pages contained 1MB of data, then it would STILL be able to serve (at most) 86k pages per day.
It's likely that most of the pages hosted will be accessed less than once a day, though. Power law distribution of the long tail [1] and all that. And a megabyte is a lot of data for a single web page; I would imagine that with a 10Mb limit on the entire site, it's not going to be a place to host sites with tons of images.
Assuming you're not being sarcastic: a small vps could serve an order of magnitude more visitors per day than that when it's just static files, many orders of magnitude more on a well configured server and many many many times more than that on a powerful server. The bottleneck for this will probably be bandwidth.
That is an amusingly small amount of traffic. A typical server should be able to handle thousands of requests per second. See the web framework benchmarks. When you add in the fact this is serving static pages you will likely blow out the bandwidth first. Put it behind cloudflare or another cdn and you should only need a second server for availability.
Aside from the other evidence that this is terribly thought out, serving 61,000 static pageviews (or if average pages per visitor is more like 2: 120,000) shouldn't be a problem on even a cheap server.
Even with uneven traffic that's probably 4-5 pageviews/second at most. The cheapest linode or AWS instance can handle that for serving static files.