221 comments

[ 0.20 ms ] story [ 245 ms ] thread
How do you plan on keeping out spam?
Ya, looks like most of the pages are garbage right now.
Maybe that's because it was made public basically an hour ago
Don't worry, Dade Murphy will clean up.

  Next, enter a password. This will be used to allow you to login. Minimum 5 characters. If you don't make it a good password, Dade Murphy from the movie Hackers will come in and steal your "garbage files".
Through the captcha on the registration page?

Recaptcha might not be enough in the long run, but it will be enough in the short run.

Add a premium tier, even something as simple as integrated web analytics. Donations are charity. If you want this to be a sustainable business, ask for people to pay for value.
I was thinking about this too. I agree that counting on donations in sufficient quantity and regularity is like buying lotto tickets to pay your electric bill.

And if they add a premium tier... well then that kind of kills their differentiation, doesn't it? They're aiming for the niche of free, modest, simple, laissez faire vis-a-vis content. When you take 'free' out of the mix then you're in the arena of commoditized cheap hosting; inertia would be the only reason for someone to upgrade their free account to a premium plan.

Yep, services that are about uncensorship generally don't do paid tiers. See: 4chan, Rizon, groups that release pirated videos, etc.
I think donating a dollar for a custom visitor counter would be the perfect option... doesn't really set apart anyone, still provides a bit of fun.
I think people are aiming to create the original geocities experience too: Examples:

http://poeks.neocities.org/

http://skry.neocities.org/

http://jeremy.neocities.org/

Haha, wow. It's like going to a civil war reenactment where everyone adhere strictly to period customs and vernacular.

Unfortunately they forgot center tags and to capitalize all of their HTML. I was going to say it's missing a table-based layout, but then I recalled that the height of geocities' popularity was earlier than I remember seeing table-based layouts everywhere.

It's really not very assuring when they state on the front page that they "hope" they can get enough money each month so they can pay the server bills.

The site will very easily pay for itself with donations. It's not that expensive to serve static HTML, especially when you are using Nginx and sendfile.
Does Nginx use sendfile under the hood or is it something you would use separately?
That wasn't really my point. It doesn't inspire confidence when the host says "hey! put your stuff here! I'm not sure that I can pay the bills each month but I sure hope we can. Oh--and I have no idea how this will scale."

It's all understandable. But even if it's free and even if my content is stupid, I'd still feel a little uncomfortable because of how much doubt the owner expresses over the viability of the service.

Really, that's what all startups are doing. At least he's being honest about it.
Fair. Sorry about that.

I have a lot of experience scaling web applications, I've been doing this for over 14 years. I should probably highlight that somewhere.

I've already gotten enough donations today to run the server as-is for 8 months! I also found a sweet deal with a reliable dedicated provider via a tip that will cost substantially less than my intial estimates.

There definitely needs to be some polish to the initial site I think. We have been talking about making something similar to Twitter Bootstrap that's designed for HTML newcomers, so that even really basic sites have a base-level good look to them. We're also talking about a WYSIWYG HTML editor, but we decided that we would launch to the tech crowds first, who have experience with HTML and are comfortable dealing with no initial boilerplate frameworks, and would appreciate the value of what we're trying to provider here (an open canvas).

That said, I don't care if people use it for Geocities parodies. I think Geocities sites are a lot more interesting than the bland, drab Facebook profile layout that everybody is forced into with no ability to change in any meaningful way.

Needs more <frame>s! And I count a grand total of zero <blink> and <marquee> tags. C'mon people, if you want to party like it's 1999 you've got to step up your game!
"HACKED site down." kyledrake do you see this?
sigh
cool idea, but seems the server has some problems uploading (2-8kb) files? or is that the heavy traffic? anyway, get some error messages, but files are uploaded. savings seem to take a while...better keep your code in another editor, too

edit: ps: internal server error

Same here. Internal Server Error. That's a huge nostalgia strike ;)
"uncensored"

Good luck with that.

Just make sure you don't sleep with a girl without wearing a condom and you should be fine.
It's never too early for scams.

http://secure.neocities.org/

"Security page. Please enter your password here."

A couple of years back there was a website I use that switched to usernames as sub domains and I managed to break it by using "webmail" as a username, another user took "ns1" and "ns2" and now my first port of call on sites like this always checking out "webmail", "ns1" and "ns2". So childish but good harmless fun.
(comment deleted)
login.neocities.org payment.neocities.org
I'm guessing pointing a CNAME to this is not supported?
(comment deleted)
Don't use this for anything you view as important. I just checked and there is no collision detection for usernames. You can signup for an account using any name and your account will seemingly just replace the previous created account. That is a big enough and obvious enough flaw that it also makes we wonder if this is just a phishing expedition or a way to mine email addresses.
(comment deleted)
I'm logged in as "www" right now.
Sorry, I probably overwrote your stuff :/
Funny enough, that is exactly how I found the problem. I created a www account (I am almost ashamed to say that was my first instinct, try to break the system before you decide the system is worthy of your use). I ended up logging out and I couldn't log back in with the same password. In hindsight, someone must have created another www account after I did and before I tried to login again. I then tried creating another www account and it worked. I then logged out and tried registering with a different username twice just in case www was a special case. The same thing happened, the second account just replaced the first account.
haha I created www account, too.
Ah, that explains why my password stopped working ;)
I thought david.neocities.org should have been taken, now that you point it out.
(comment deleted)
It appears now people have caught on quick - and are replacing sites that people actually worked on with "SITE HACKED" messages.

That is pretty frigging mean to exploit such an obvious problem!

I just fixed it. It was a change I did last night to fix a save bug. My apologies about that, it wasn't a good bug, but hopefully it's the last security-related one. Probably goes without saying, but this is definitely a beta project. I'm doing a lot of other things to protect this kind of attack (filename scrubbing, bcrypt passwords), so I'm pretty red in the face about how dumb this one was.

If you find any other bad bugs, please let me know (@kyledrake on Twitter) instead of, you know, trashing other people's work. I'm finding the duplicate sites right now and taking care of it. Thanks, and again my apologies.

This is not an email phishing expedition. I don't even require you to enter your email address to make a site.

Not only does this trigger GeoCities nostalgia, it calls back to the days when betas were really betas.
Just wait until one unknown day without notice or fanfare it disappears from the 'net forever!
slg: just make sure you back up your site to multiple floppies and you'll be fine.
You are right, I should have reached out to you directly with this issue. I took the easy route and didn't put in any effort to track you down, for that I am sorry. However, I take exception to you categorizing my post as "trashing other people's work."

I feel that I also have a responsibility to publicize such a glaring security hole in your site. This is the number 1 link on HN at the moment. Thousands of people are going to be signing up. I think they have the right to know that a bug like this exists. Like I said in my initial post, a bug this big seemed to be a sign of a bigger problems. I had suspicions the site was malicious and at that point my priority was to point out those suspicions to the HN community.

That wasn't directed at you, it was a general comment. I was referring to the person(s) that defaced other people's sites. Sorry if it came off any other way. :)
Here, I'll do one better: If anyone is concerned about the nature/security of the site, here is the source code to NeoCities, ready for anyone to do a full security audit: https://github.com/kyledrake/neocities-web

Pull requests welcome!

Can you put up a license for it?
Good to see. This is the way to respond to these type of mistakes, be completely transparent. Now if only the NSA subscribed to the same plan...

And since it wasn't directed toward me, I guess we all can forget my little rant regarding the "trashing" comment.

Hey, I'll try to hunt this down for you but just to give you a heads up, the server gives me a 500 internal server error when I use characters like "ğ" or "ü".
Why did you choose Ruby as the language?
I think it's a pure joy to read the ruby source. Allthough ruby is not fast, it's got some of the simplest most elegant frameworks out there. Sinatra is not much more than a router config file with some logic. Sequel is the simplest database orm and migration tool around. And slim makes very readable templates. All frameworks perfect for the first minimum viable product. If this site takes off, I would perhaps pay someone to rewrite some bottlenecks of it in java.
> it's a pure joy to read the ruby source

If you like it so much, here's a copy-paste from the project for your edification [1]:

  def new_tags=(tags_string)
    tags_string.gsub! /[^a-zA-Z0-9, ]/, ''
    tags = tags_string.split ','
    tags.collect! {|c| (c.match(/^\w+\s\w+/) || c.match(/^\w+/)).to_s }
    @new_tag_strings = tags
  end
I don't mean to pick on this project in particular. In fact, this project as a whole is quite possibly the cleanest Ruby code I've ever seen.

That being said, Ruby's syntax makes me want to gouge my eyes out. There's equal signs, unquoted regular expressions, exclamation points, absolute value bars, and at signs all over the above code. You can't even sort-of follow what this code is doing without searching through the manual every third character. Ruby syntax is worse than C++ and almost as bad as Perl.

Someone tried to explain Ruby syntax to me last week [2], and I'm not sure if I understood it more, or less, as a result, because my conclusion was that Ruby's syntax is so bad, the language shouldn't even be able to exist! I.e., there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible!

[1] https://github.com/kyledrake/neocities-web/blob/933c3549264e...

[2] https://news.ycombinator.com/item?id=5872899

> equal signs

I fail to see how using equal signs for assignment (or for defining assignment methods) is a problem with syntax, rather than an enhancement to clarity.

> unquoted regular expressions

What's wrong with that? Regexes are a different type than strings. Why should they look like strings?

> exclamation points

...again, so, what?

> absolute value bars

vertical bars used to set off block argument lists aren't absolute value bars. (Neither are vertical bars used for logical-or.)

> at signs

Again, so?

> You can't even sort-of follow what this code is doing without searching through the manual every third character.

Yes, I can, and not just "sort-of follow" it.

> Ruby syntax is worse than C++ and almost as bad as Perl.

There's no accounting for taste, I suppose.

> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible

As Ruby does exist, and is parsed, this is clearly not the case. That said, ruby's syntax is not optimized for machine parsing, its designed to be ruby-developer-friendly rather than ruby-parser-developer-friendly.

If you want something optimized for the developer of the language's parser, look to Lisp.

What's difficult about that function? It's terse, but very understandable.

Oh, the inability to parse Ruby shouldn't be held against it. It has (at the least) a context-sensitive grammar. So do lots of languages, including HTML and perl.

Not being able to parse it doesn't really mean what you think it means. It just means that in order to figure out what it does programmatically, you have to evaluate it. Its unparseability makes certain things impossible, like writing a perfect syntax highlighter. Also makes building certain tools you'd normally see in an IDE difficult.

    // Parse tags string.
    // Example:
    // "tag1, tag2" => {"tag1", "tag2"}
    // "tag1, very long tag" => {"tag1", "very long"}
    string[] NewTags(string tags_string)
    {
        //Allow only letters, numbers and spaces in tag.
        tags_string = new string(tags_string.Where(c => char.IsLetter(c)
            || char.IsNumber(c) || c == ' ' || c == ',').ToArray());

        //Separate multiple tags with commas.
        string[] tags = tags_string.Split(',').Select(s => s.Trim()).ToArray();

        //Two word per tag maximum (extra words in a tag will be removed).
        for (int i = 0; i < tags.Length; i++)
        {
            List<string> validWords = new List<string>();
            string[] wordsInTag = tags[i].Split(' ');
            if (wordsInTag.Length > 2)
            {
                tags[i] = wordsInTag[0] + " " + wordsInTag[1];
            }
        }
        return tags;
    }
This is on the same league with arguing against Esperanto in favor of Interlingua. You'll never get anywhere with people with the "so what?" or "no it's just you" mindset as in their capacity, they're not capable of (or unwilling?) to entertain perspectives beyond their own.

That said, I do really enjoy reading this code. It's indeed very, very clean!

I don't know if this works for everyone, (and I hate to appeal to magic), but I'm pretty sure it was http://mislav.uniqpath.com/poignant-guide/book/chapter-3.htm... that gave me a visceral understanding of Ruby's syntax. For example, the slashes surrounding the Regexp are like pins that you stick the Regexp onto the paper with, and it lights up if the pattern matches. The at signs stand for "ATtribute". Exclamation/question marks have meanings analogous to their natural language counterparts. And the vertical bars form a little chute that the block variables slide down into the block through. It's really fun.
Ruby's syntax is beautiful once you've realized two things:

1. How blocks work, and how their minimalist syntax is beautiful. You see absolute value bars but believe me, getting used to that barebones function syntax is a gift. (No other programming language that I know of has an absolute value operator with vertical bars so it is not as hard as you think.)

2. Every time you see a dot, do NOT think attribute access. Think message sending a la Smalltalk.

Suddenly then, things like the tags.collect! line become pretty for encapsulating a callback on one line unlike the ugly function() {} crud of JavaScript, and things like defining a newtags= method become sensible, because everything including traditional attribute getting and setting reduces to message passing.

> Every time you see a dot, do NOT think attribute access. Think message sending a la Smalltalk.

Huh. You just rekindled my interest in learning Ruby. Learning Smalltalk was pretty mind-expanding.

> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible

Keep in mind that while your protest does sound intuitive - e.g. that Ruby can be syntactically ambiguous, ergo it is unparseable, it turns out that that doesn't stop us from writing a parser. We can parse most things even if we can't parse the "general case." When we DO encounter something unparseable, the compiler can a) guess or b) fail, hopefully with a message that will help us investigate and rectify the failure.

You point out that Perl's syntax may be worse than Ruby's, and I assume that implies that it is more syntactically ambiguous, ergo, writing a parser should also be impossible for Perl. It turns out that Perl is provably unparseable in the general case - in fact, it's been done rather rigorously: http://www.jeffreykegler.com/Home/perl-and-undecidability

Regardless of Perl's general unparseability, we have compilers for Perl and even large projects manage to compile to what appear to be functional executables. The same is true for Ruby.

I wrote this comment mostly a reminder that while something may appear to be insoluble, we may be able to solve for sufficient cases that we don't care about the rest, particularly if we have an oracle to fix the number of cases that we can't solve. (In this case, the oracle is the developer.)

It's what I know. And very productive in general. Nginx and the kernel (sendfile) does all the heavy lifting of serving the static files.
great response. the bug's existence alone made me question the project intent and viability. even though i probably won't read your code, just making the source available mitigated my biggest concerns.
I don't think it's a smart idea to publish the source code to your site (especially while on the front page of Hacker News) until you've spent a significant amount of money on auditing the security internally to the point that others are comfortable with a public release.

Now it looks like something happened, and you've got no site, and thousands of people trying to access it!

Disagree! Publishing is laudable. Paying customers might tip the scales otherwise, but apparently that's not yet an issue.
You are the man for doing this. If only others, including myself, were so brave for every web project that they attempt.
I can't believe what I just witnessed. Something expressing a valid concern in a somewhat uncivilized manner, the developer answering in a nice way, the original poster apologizing and the developer linking to the source code to quench other similar concerns. WHAT HAS THE INTERNET COME TO?

Cheers to you, fine folks!

Honestly, the way your first post is worded is harsh enough to come across as 'trashing'.
I don't think he was saying you were trashing his work, more that people were using that exploit to trash other people's sites on NeoCities.
I'd just like to point out that when he said "trashing other people's work," he was likely referring to people overwriting others' pages, not your comment.
You really attributed the duplication/overwrite bug to malice?
> I feel that I also have a responsibility to publicize such a glaring security hole in your site.

It's a static web site hosting, exactly what "security holes" could we be talking about? Not theoretical holes, that you could technically exploit on the 45th blue moon of the century, things that might actually happen.

I read the "trashing other people's work" comment as referencing smashing someone's site by registering an account over theirs, not publishing the bug on hacker news.
Responsible security disclosure would say you've got a responsibility to make the bug known. Making it public should only happen after you've made the creator aware.

I can understand why the developer viewed you as 'trashing' his work, you claimed it as a phishing expedition. That'd make the best of us upset. I see you've sorted it out between you which is great, and I hope others look at this exchange and get some good takeaway from it.

> hopefully it's the last security-related one

Guaranteed not.

I don't mean for you in particular, security requires constant vigilance.

Correction: the last one that's that bad. That was pretty bad.
On the issue of security, any possibility for HTTPS in the future?
hopefully it's the last security-related one

Not to nit-pick, but it's never the last security-related bug :)

> Probably goes without saying, but this is definitely a beta project.

It indeed goes without saying, since you don't mention this on the site.

What are you doing to make sure your site (and your users' URLs) will be around in five years? How about fifteen?

(I'm not just being snarky, I have run a freenet out of pocket for sixteen years because people's urls and email addresses are important to not lose.)

Open source your code and you may get some extra eyeballs to avoid this kind of issues.
Back then, this wasn't called collision detection, but proper database design. I can not even begin to fathom how you can inadvertently introduce this by fixing a save bug.
Proper database design does not mean the problem couldn't happen. Consider this scenario. The database has a unique constraint on the name but the code ignores the result and overwrites the directory anyways. It wouldn't cause this exact problem but it is similar.
(comment deleted)
Clearly you are inexperienced in database design. There are plenty of explanations which if you had a clue would spring to mind.
Out of curiosity, can you give an example?
This is not for anything important. It is for blink tags and under construction graphics.
Don't use this for anything you view as important. Hosting that doesn't use a domain name that you control means that when the donation bucket is empty and the service goes under, your traffic and pagerank and brand is now lost forever.
It's definitely an awesome project, but I just don't see the advantage of NeoCities over hosting a website on Github or BitBucket yet, especially since those sites offer unlimited space and store all the old versions of your website for you. Some differentiation with those services is needed - for example, a privacy policy guaranteeing true anonymity (no IP address stored, no cookies) or a more layperson-accessible website creator.
Those have significant learning curves to people who don't speak web-l337 yet. Remember before you knew how to code? What version control was, and documentation was scary? Angelfire & GeoCities is where I learned to code HTML
Marissa Mayer just offered $9 million for this -- and they are holding out for more.
(comment deleted)
oops, look like someone else took it from you already. Should probably send them a bill
this reminds me GeoCities :')
Hosted in the US. At least geocities didn't live long enough to make it into prism
There are 61054 web site spaces remaining. After that, we need your help to get another server.

Does that mean he's running 61k sites on a single server? Even if each site gets one single visitor per day, that 61k visitors for the Server. There is no way the server can manage that traffic.

Sorry, but do you really want a static site? Just pay for a good one.

Assuming you're not being sarcastic: a small vps could serve an order of magnitude more visitors per day than that when it's just static files, many orders of magnitude more on a well configured server and many many many times more than that on a powerful server. The bottleneck for this will probably be bandwidth.
Aside from the other evidence that this is terribly thought out, serving 61,000 static pageviews (or if average pages per visitor is more like 2: 120,000) shouldn't be a problem on even a cheap server.

Even with uneven traffic that's probably 4-5 pageviews/second at most. The cheapest linode or AWS instance can handle that for serving static files.

Nginx can handle 61k views/day easily. Now if each of those sites get 61k views each...
That is an amusingly small amount of traffic. A typical server should be able to handle thousands of requests per second. See the web framework benchmarks. When you add in the fact this is serving static pages you will likely blow out the bandwidth first. Put it behind cloudflare or another cdn and you should only need a second server for availability.
A $20/month Linode can handle 4k static pages per second on Nginx. I've heard tell of people pumping the cheap Linode server up to 30k views/second, but I haven't been able to break 4k.

Assuming text pages, the full 61k sites could be accessed every 15 seconds. If the pages have nontrivial graphics, then you're (as others have mentioned) far more likely to be bandwidth-limited. If the site has an unmetered 10Mbps connection, then it could serve 1Mbyte per second: If each of those 61k pages contained 1MB of data, then it would STILL be able to serve (at most) 86k pages per day.

It's likely that most of the pages hosted will be accessed less than once a day, though. Power law distribution of the long tail [1] and all that. And a megabyte is a lot of data for a single web page; I would imagine that with a 10Mb limit on the entire site, it's not going to be a place to host sites with tons of images.

[1] https://en.wikipedia.org/wiki/Long_Tail

That's probably a marketing ploy.

Quick, sign up right now or you'll miss out!

Get it?

it can probably serve anywhere from 20k to 200k view per second. 61k per day sounds kinda easy. lol. Even my laptop can do it in that range.

its static pages.

PEOPLE. This is clearly not intended as a business. Stop asking about the "business model." It strikes me as just being a cool side project that enables people to make websites. That's it.

Yeesh.

I'm pretty sure that's exactly what it is. This is just for fun, I don't think they are looking for VC money or anything crazy.
As someone who has a 1gb/s flat rate at home, I have thought about doing something similar. It really isn't that expensive to have a bit of network and a server that gives out static content.
Til someone puts something copyright or worse on it.
We were talking about the expenses of running the service, and not the legal space around hosting user generated content.

The legal questions are interesting, through it highly depend on the country and political tendencies from one year to the next. In theory, I could run this kind of service in Sweden, and only remove content on order by a judge. In theory. In practice, there might not be any difference between hosting user generated content and simply having a website up hosting in ones own name.

In other words, Yahoo! will eventually end up buying it.
I think you're underestimating the lucrative "disoriented time-traveler" market.
No API? Sigh. It could be a nice backing host for a through-the-browser CMS – a little OAuth, a little CORS, and it could work pretty nicely.
Maybe there will be an API. The project is one month old.
What's with all the FBI seizure images?