61 comments

[ 3.1 ms ] story [ 119 ms ] thread
This last week I've been isolating due to contracting COVID at Christmas. Not fun... With my time recovering in bed, I finished off learning about WebSockets by building https://www.walloftext.art and uploaded the code to https://github.com/g105b/text with a description of how it works and what I've learnt.

The intention was to make the most minimal project that tested the bidirectional communication of WebSockets. The end product is a scrollable grid that allows users to type anonymous comments. Of course this is already getting abused, but that's part of the fun! Anyway, I'd appreciate your feedback on the code, and if there are any ideas of how to make the end product any better/more fun/less crude.

My first thought was “I could stake my life that I’ll see some ASCII penises on this”. Was amused to see just how right that assumption was.
Is this perchance inspired by https://www.yourworldoftext.com/? I remember reading an interesting technical writeup when that went out -- it was early days for websocket. It might be interesting to compare how both are built.
My first thought was "vintage Facebook" actually — back when it was called _the_ Facebook and open only to university students. The wall was a beautifully chaotic thing, basically a text file to which all your friends had read/write access. Definitely no web sockets involved, though.
I don't see any messages being sent across the websocket. Is it down?
yeah :( the hacker news hug of death...
what broke?
I think it's the server here:

wss://www.walloftext.art/ws.php

Doesn't seem to be accepting connections when I try.

WebSockets in PHP huh? That's a pretty cool approach, although it naturally scales terribly (sadly D:).
You can get it to scale (for a certain definition of scale, of course), though man it was far too much effort.
I empathize and relate.

Out of curiosity, were you actually handling each WebSocket connection using an independent PHP-FPM instance? If so (wow), how many concurrent connections did you manage to sustain at peak?

The only experience I've had using WebSockets with PHP is with using stream_socket_server() et al, and then multiplexing everything. (Then you just get handed the problem of restarting the server(s) to keep runaway GC in check...)

Edit: Have realized you aren't OP - but that's fine, I'm interested to hear war stories from multiple sources!

OP here. There were no scaling issues while this was getting hammered. PHP has native support for sockets, so can handle thousands of connections, no better or worse than any other language. The system buffers up incoming messages and your can read them in an infinite loop. Take a look at the code, and one day I'll put this back online.
Seeing the URL end in .php gave me the wrong impression - I thought it was running a separate PHP interpreter for each connection... which is naturally insane, and why I was curious.

I should've just gone and looked at the code before piping up... and I'm really glad I finally did, because I honestly have to say I'm learning a lot from how succinct this is (while still incorporating PHP 8.x type boilerplate, which I can't deny is an excellent habit to get into!) - I still have How Do I Even Structure This syndrome despite tinkering around for a good decade sadly.

Looking forward to seeing this back online.

If you put it behind a simple account system, only a limited subset of people would be able to access it, and you could tinker and iterate with a real-world user base.

I'm still curious what led to you shutting it down. Something overstepped a boundary, I'm presuming; depending on what that was I might not want to know exact specifics :<

From the site:

> I've had to take this project offline!

> I was expecting it to be abused and violated, but was completely naive to what the internet people were capable of.

> Wow. That's all I can say. It was fun while it lasted, and it'll be back... some time.

I guess it became a test that, as expected, part of the human race failed.

Vaguely reminds me of my own web sockets project from years ago, https://quibbler.co.
very cool. would be nice to be able to spin separate rooms for meeting Q and A, or in the moment commenting. it's an interesting take on commenting.

like comment threading, timeouts, mental map like comment grouping.

like evernote and visual programming, but for short lived comments,

RIP. Well it was fun while it lasted.
After an hour? Not bad for another 4chan isomorph submitted to HN.
I can't write letters like è using the normal composition method (altGr) on Linux; I guess it's grabbing keystrokes directly. No big deal.

What'd you write it in?

I worked on a similar little project about 10 years ago. We called it 300 Lines. It was a shared public canvas which displayed only the last 300 lines drawn.

We used socket.io to sync between the client and a NodeJS backend. (The whole thing was really an experiment to get to grips with the then-nascent Node v0.4)

Of course it was horribly abused, and we took it down after only a few days.

A valiant effort: one that has me thinking the New Years' weekend may be the time for me to refresh my own WebSockets knowledge. Thanks much for the inspiration!
Great! Thank you. Feel free to use my code, or fork the repo. I will put this back online at some point after re-thinking the way it persists.
So what'd The Internet People™ do to it, exactly?

DDoS the WebSocket server? Write Very Bad URLs? Worse? :(

I wanted to see. Not fair, takers away of nice things. >:/

Also curious. I thought the last thing up would be a screenshot.
let me see. I open a page and text that other people enter in real time is rendered as html on that page?

what could possibly go wrong.

I saw people had written things like "Hitler did nothing wrong", "Biden is a pedophile", etc. Basically the kind of stuff that makes one root for a meteor to come and wipe out humanity.
I'd recommend watching the film "don't look up" for an optimistic view on a likely future for humanity (or the lack thereof).
optimistic? did we watch the same film? imo it couldn't have been more sardonic.

absolutely second the recommendation of watching it!

Depends on whether you root for a meteor to come and wipe out humanity.
The meteor did (or will do) nothing wrong
actually, i watched a video about it after this that also said it was optimistic, and now i understand what you meant.

it's optimistic in that it's not yet a realized future and we still have the opportunity to change course.

i agree, and i hope we make strong moves together as a society to curb climate disaster. admittedly i'm not holding my breath.

track record of films with too many A-list actors/actresses is terrible
Well good thing I've watched it then and can recommend it on more information than "who's in it".
If that's the case then HN has a surprising number of 14-16 year old edgelords...
It really does. Every time a project like this is posted, the professional facade seems to drop and the community here reverts back to their primal 4chan posting selves. It's fascinating (if sad)
Every ycombinator project involved with the creation, moderation, infrastructure, management, or sourcing of content for platforms makes use of hn as a source. Everyone in those circles follow suit, HN is beautifully curated and wonderfully crafted to be open.

HN content is "fresh," mirrored on dozens of sites within minutes of showing up on the front page. 4chan and reddit get the links within about 20 minutes of it showing up here. Slashdot, dailydot, and other aggregators lag about an hour. Within 3 hours, most links here have probably hit the eyeballs of at least a few hundred million people, and there's probably a good 50k legitimately insane people in that crowd.

I found HN when I started looking for where the aggregators and forums were sourcing stuff I was interested in. I'd love to see Google's rankings and see what other sites are similar to HN in this regard.

Those words make you want to wipe out humanity?
Note that I'm kind of joking in my comment. That said, it shouldn't be terribly surprising that the comments I quoted would, at the least, reduce someone's faith in humanity.
The writer must meant another poor feller, Michael Hitler. It's a surname from his parents for Christ's sake! And he is older than the evil Hitler! The most dark thing that he ever did in his entire life was kicking a cat in the butt while the cat was taking a dump on his doormat. And now everybody wants to pet his head with this weird hand gesture, and then kick his butt. Come on! Cut Michael Hitler a break, he did nothing wrong!
4chan reenactment I’d imagine
While I didn't get to see what the site originally looked like. If it was just 'submit anonymous comments that websocket subscribers can see', there's a golang example leveraging the gorilla/websocket package that does just that[0].

Edit: I see from the OP's link to the github project that persisting the chats to a DB was included with this.

[0] https://github.com/gorilla/websocket/tree/master/examples/ch...

Anyone who saw what it was before it was taken down (which is just what I saw when I opened it now for the first time), what exactly was it?
Very early on in my journey learning to write software, I wrote a “guestbook” feature for my personal site (also in PHP). Prior to that, the only code I’d successfully written and actually shipped (beyond PHP templating of data I fully controlled, even if I didn’t understand it) read ID3 metadata from MP3s (my own music). Point is I had never written anything that handled user input.

I was also proud of my accomplishment and shared it with my nearest tech community. It was, if I recall, less than an hour before someone had exploited the obvious XSS vulnerability. At the time I was aghast and felt like it was a cruel thing to do. And while I know better than that now…

Here’s the thing: that tech community, even the whole internet, was a lot smaller then. The person who exploited my naive first program accepting user input claimed responsibility and explained why. The other people around were both knowledgeable enough and kind enough to help me understand that that person was a friendly who meant no harm.

Folks trying to learn new things now won’t be in a community like that by default, and probably won’t know to look for it. And the people who take advantage of that are clearly more malicious and not friendlies.

I don’t know what the takeaway from my “here’s the thing” is, for HN, but I do think we’d all be better off if we pay close attention to being welcoming/supportive for noobs, and also strive to make learning tech less of a risk when inevitably first steps go wrong.

And to g105b, I’m also sorry if I’ve implied any inappropriate noobness, it sounds like what you built was pretty cool. Please take whatever abuse you received in stride, and keep building cool stuff!
hey, with web sockets I am a noob. I'm generally quite ok with internet security as a concept, but I was massively naive in my implementation here, and one very obvious vulnerability in my code was allowing to store anything the connection received, rather than forcing to just a single character. It tempted someone to upload binary content. After only a few minutes, the server was full of random binary data. Curious, I inspected the content, and after finding a massive dump of illegal content I thought it was best to turn off the server for a bit while I think about improvements to the code and wash my eyes out.
I had the same security support for my guestbook (took 24h). After fixing I came back 3 months later because of a physical letter¹, the guestbook was filled with very specific slander. Years later I found this https://www.penny-arcade.com/comic/2004/03/19 and thought about how different we interpret peoples action when we know them and not.

[1] When the Whois DB worked, and people thought about sending letters.

Yes it definitely seems like it could be a form of hazing inspired by people advertising themselves as noobs, or just by opening up a service.

I've posted many show HNs over the past 7 years and many provided some ways for people to do computation on the server (by design) but not some form of limiting that (by my inexperience).

I know everyone's experience can be different, and I know that sometimes, and for me personally, other things that people do on ShowHNs are particularly hurtful--Like being cruel or dismissive...I mean you're bearing your soul right? Your work; a little embryonic thing you're contributing to the world... And some people seem like they just want to try to kill that--but for me, that's been different to the security "hazing" my posts received. I've been personally grateful for those security hazings, because it gave me opportunities to test and improve those projects. Seriously the best free security audit you could get.

Sometimes it felt annoying .. because I thought I'd patch something but then I checked the server I found people found a way through or found a way to circumvent that.

But I saw it as a challenge and I imagined it was like a way to redteam and anticipate and prevent things that would end up happening in the real world anyway so it was incredibly valuable actually in hardening the products I made. Good learning experience too. :)

My favorite event to solve was people using my remote browser product to run cryptocurrency mining javascript. And overcoming that challenge was quite tricky at first, because cpulimit is more of a suggestion than a hard limit. And also because the cloud where I originally ran this (and most clouds have this rule too), disallowed using the compute resources for mining crypto so I almost got a strike on my account because other people were using this thing I had opened up to mine with. After discussing with the contact window everything was cool, but I still needed a way to block this. While there are CPU throttling apis I could use on a per tab basis via Chrome remote debugging protocol (and I may look into that more in future), there's also a chance that under high CPU load the debugging protocol becomes unresponsive and so you can't intervene via that route anyway.

What I went with was just operating system process monitoring and cgroups (now v2 in the latest kernels which are unfortunately for now more limited) plus killing processes that violated too many monitoring intervals. A cool thing about Google Chrome is it's pretty robust to killing some of its processes off so you can kill off the processes of a couple of tabs that are involved in cryptocurrency mining but it doesn't kill the entire browser.

The whole thing was a great way to learn more operating system internals as well as to discover the plethora of tools available for resource control in linux. Particularly impressive are the networking and bandwidth control options like iptables. So instead of dockerizing my apps I basically created these custom sandboxes by using operating system apis that's been incredibly effective at preventing abuse.

Off topic: what is the deal with people writing “learnt”? I might use that instead of learned if I was trying to be funny but I’m seeing people use it all over the place unironically.
That's just how it's _spelt_ in the UK.

But this is why it's somewhat dangerous to infer tone from text without knowing more about the context.

I can’t imagine this was bad enough to take it offline. Certainly everything written on there exists elsewhere on the net already?
My poor script allowed binary content to be shoveled in. I took it down for my own sake. I'll put it online again some time.
Why was it taken down?
Illegal content uploaded via my naive websocket implementation. I thought it was best to turn it off than fix while it was "hot".