Hacker Remix

A Console-Friendly Pastebin with binary support

94 points by goranmoomin 9 months ago | 50 comments

daniel-s 9 months ago

> This is a console friendly pastebin that allows binary files. No fancy website, no intermediate pages to click through, and no CAPTCHAs.

The site is cool, but is it not just going to be abused?

p4bl0 9 months ago

I ran a very similar service for years. And yes it will be abused. I stopped when russian and chinese bots where sending many messages per seconds containing AI generated marketing bullshit with links to scammy sites in various format (html, bb code, markdown, …) and it became GB of text… :/. I still haven't finish to clean things up. The service is now discontinued because of this: https://paste.fulltxt.net/

The full code for the service is here: https://paste.fulltxt.net/42

The command-line paste tool was this simple script: https://paste.fulltxt.net/txtp

In another distant past, I ran an URL minification service at http://uzy.me/, and there too because of spams, I had to discontinue it.

Spam is really killing the internet… This actually saddens me.

stavros 9 months ago

I run https://pastery.net, and yep, exact same deal.

egeozcan 9 months ago

It will be. Any time you offer something that allows anonymous uploads & shares (hell, sometimes even if you don't allow share, people will share accounts), it will be a silo 95% full of material that's illegal in practically every corner of the world.

If you play the good citizen and encrypt the files, giving the key to the owners, then you also don't have any means to preemptively detect and delete that stuff, you just keep waiting on some law agency knocking at your door. Also, if you openly say "hey I'll peek into your files to see if they are legal", then they will be the ones encrypting. Disallow that? It's a nightmare to detect and abusers are really, really creative! So much dedication too!

And it's not just CSAM, there will be detailed instructions on practically any illegal thing you couldn't even imagine.

It's bad, really bad, and I've grown to accept that small, closed community services (best with real-world connections) are the only way forward.

fragmede 9 months ago

Hell, there's an active post about Google drive being blocked in Italy for content being hosted on it.

https://news.ycombinator.com/item?id=41901168

alias_neo 9 months ago

I wrote something similar as a toy project a while back, it's open source, and I host a "demo" version of it, but for fear of all of this, I limited it to only kilobytes of data and have the links expire after an hour.

I run it on my LAN for my own use, which is what I think it's best for, but I really don't like having something like this on the web.

Luckily, I've never advertised or shown it off so nobody but myself uses it, but I'll probably take down the demo site too, soon.

EDIT: Typo

fragmede 9 months ago

It's sad that you don't have Internet friends that you trust enough to share that with after writing all that code. Maybe open source it but don't link to your demo instance? It's more sad that the Internet is like that. There are a couple of really neat quirky projects out there that I only know about through word of mouth because the open Internet is not to be trusted. The projects are behind a login wall, so it's not like they're discoverable either.

alias_neo 9 months ago

The name of the project is its domain so I'd have to separate them out, which is why I've kept the demo site online for years now, despite basically no usage, I'm also a big fan of being able to try something before you go through the effort of deploying it yourself.

The project is already open-source on Github, but I don't actively link to it in public forums because I don't want to have to deal with it being used for questionable/illegal content, which is also the reason I haven't added some of the features I'd like to, and severely limited the size and duration for the demo site.

It's been a nice toy project, I added multiple architectures support for the Docker image builds when I was working out how to do that, manifests to deploy it in Kubernetes when I was first learning that and even made it a Nix flake when I first started playing with NixOS; The code itself is written in Go with a goal of using zero external (outside of standard library) dependencies, keeping the code small and clean for non-programmers to be able to understand and uses some Go features that were new/interesting to me at the time they were added.

It'd need to grow a lot and forgo some of those goals for me to add the features I would like to see, but for something nobody will use, and I use quite sparingly myself, there's no need.

guerrilla 9 months ago

> It's bad, really bad, and I've grown to accept that small, closed community services (best with real-world connections) are the only way forward.

Our first technology, community, serves a purpose after all.

xg15 9 months ago

This. The reason why we don't have an un-siloed, general-purpose means of file transfer after 40 years of internet is probably more a legal than a technical one...

hnlmorg 9 months ago

Usually youll find vendor lock ins because the actual hard part of this isn’t legal, it’s building a user base from non-technical users. And that usually requires having your standard included with platforms they already use.

This is why (for example) Google Drive and OneDrive have become so popular despite Dropbox being first to market.

There’s plenty of other file transfer solutions out there too but you’ll find the un-siloed ones will be lesser known than the siloed ones simply because of the power of $$$

GoblinSlayer 9 months ago

bittorent

derefr 9 months ago

It very likely will be, yes.

I would personally suggest that this site probably "wants" accounts. Yes, with CAPTCHAs (on registration.) If you want to be able to ban people who abuse your service, you'll need some thing-that-is-costly-to-get-multiple-of to ban them by. Otherwise they just keep coming back.

To still be a "console-friendly pastebin", the result of doing that costly registration process, could just be a page that gives you a (private) URL, that works like the base URL does now. https://paste.c-net.org/b/{bucket} or something, where {bucket} is a UUIDv4, or anything else with enough entropy to not be able to brute-force enumerate your way into someone else's account URL.

The uploaded files themselves could still have short human-writable top-level paths, for ease of repeating them over the phone.

Though, I notice that when you upload a file, you get a "delete key" as well as a URL. IMHO the "delete key" shouldn't be a weird nonstandard header you send with an HTTP DELETE; it should just be a URL — e.g. https://paste.c-net.org/b/{bucket}/{delete_key} — that you can HTTP DELETE directly.

In other words, make /b/{bucket}/{delete_key} the file's "true name", and /{link} a "read-only view" of the file.

daniel-s 9 months ago

I have heard good things about https://www.stopforumspam.com/.

t-3 9 months ago

When you say abused, I assume you mean either CSAM or copyrighted material?

Is there a hash database or something that could be queried to block known bad stuff? (would probably fail in the face of compression or encryption, but catching the low-hanging fruit would at least probably handle any potential legal liability?) Seems like something useful AI would actually work well for, if FBI/publishers/etc., would train a model and release it or host a service with an API.

j16sdiz 9 months ago

> catching the low-hanging fruit would at least probably handle any potential legal liability?

Actually No. It take 5 minutes to create a script to randomize a password, encrypt and upload.

Abusers have been doing the same for 20+ years and it is very effective.

ttyprintk 9 months ago

I think the question is not about the persistence of uploaders but the safe harbor of innocent hosters.

For example, hosting a password-protected binary with a cleared hash is one thing. The bad actor posting a password (any password) might be another.

dgl 9 months ago

I made a similar thing: https://waste.st/waste.1

If you run curl waste.st you also get the “manpage”

The goal was to make it do uploads without a ton of frameworks. The front page is around one request under 20K. It also has a special emoji url: https://[waste bin emoji].st that HN doesn’t support.

arjvik 9 months ago

I love using 0x0.st for something similar - sharing files (not the purpose of a pastebin, where the file is to be viewed, not downloaded). Curl-based access is perfect :)

xyz_ielh 9 months ago

Check out https://txtd.cc it supports raw data for curl and custom urls & other stuff like markdown formatting.

GoblinSlayer 9 months ago

A blogging platform?

captn3m0 9 months ago

punycode encoded: https://xn--108h.st/

Timwi 9 months ago

Thank you. I tried the emoji URL but Fennec on Android doesn't accept it and just runs a web search.

derefr 9 months ago

I like it, but this could do with being just the slightest bit more specific:

> Don't break the law, don't post illegal shit, don't be an asshole.

The law in which country? All countries? Do I have to avoid uploading depictions of Mohammed, or insulting statements about the president of Turkiye?

egeozcan 9 months ago

President of Turkiye? Many years ago, a person I know got arrested for calling that guy "clueless" on Twitter under a nickname.

Disclaimer: Erdogan is the ultimate ruler, he's totally the best. That guy I know totally deserved it!!11

ps. I like my vacations in south Turkey.

userbinator 9 months ago

When someone assumes you know what English-speaking country they're referring to, it is likely to be the US.

blooalien 9 months ago

> userbinator: "When someone assumes you know what English-speaking country they're referring to, it is likely to be the US."

I normally take a bit of a "dim" view of generalizing certain behaviors to an entire nation's population, but this one's spot-on for certain, and I say this as an English speaking U.S.-born citizen that's lived here all my life, and pretty much grew up "online" (had Internet access since the early days, and even before that I was on local and "long-distance" BBSs quite frequently).

When this specific sort of assumption is made online or in writing / speech, it's almost always "The U.S." Totally too many folks here have a "weird world" inside their mind where there is only "here" and "everywhere else", and "everywhere else" only really matters at all if it somehow "infringes" upon the personal-space of their social-media mandated "rage button".

ttyprintk 9 months ago

This is unrelated to website content like social media. The legal jurisdiction of where you choose to host is relevant, not the relationship between user-agent locale and politeness.

defrost 9 months ago

'ken oath mate, whenever I see people typing the queens I always reckon they're one of US.

Wowfunhappy 9 months ago

I would assume it means "the law in whatever country you're in." By definition, I can't break the North Korean law against criticizing their leader, it doesn't apply to me.

derefr 9 months ago

Remember that extradition treaties exist. Kim Dotcom, founder of Megaupload, is a New Zealand citizen who has never lived in the United States, who was nevertheless pursued by the United States for breaking US copyright law (through acts that were — as far as any lawyer has been able to ascertain — not illegal according to NZ law!) According to the NZ supreme court, Dotcom can (will?) be extradited to the US to face those charges.

In effect, in a world where extradition treaties exist, the law you're subject to is the sum of the laws of all the countries your country has agreed to mutual extradition with.

(And strangely enough, I believe this is even transitive. Presuming countries {A,B,C} which have extradition treaties AB and BC, if country B can get you extradited from country A for crime 1, then country C can get you double-extradited during your detainment in country B for crime 2 — even though country A may have never signed any treaties with country C!)

But even ignoring extradition... when speaking of international diplomatic relations, the law-in-practice of "whatever country you're in" is often not the law-as-written, but rather "whatever it takes to make a foreign country happy." I.e. if a foreign country wants you punished — and your own country isn't so powerful as to be able to just tune them out — then often you will be slapped with whatever local law your own country can make fit, to get the other country to calm down.

I brought up the president of Turkiye for a specific reason: the https://en.wikipedia.org/wiki/B%C3%B6hmermann_affair , where a German who wrote an insulting poem about Erdoğan, was charged with a [rarely used, archaic] crime by the German government, after the Turkish government basically sent a strongly-worded letter to the German government implying that their relations would be damaged unless they "did something."

(Though, pleasantly, after much outcry from the German populace, the law they used to try to punish Böhmermann was challenged and repealed: https://www.npr.org/sections/thetwo-way/2017/01/25/511611581...)

RamVasuthevan 9 months ago

This is a really cool tool that I think I'd use, but I am a bit concerned about link rot. It'd be nice to self-host it. Is the code open source?

I can't seem to find out anything about Cathedral Networks (https://cathedral-networks.org/). They do host a cygwin mirror (https://cygwin.cathedral-networks.org/) and a GLaDOS Voice Generator (https://glados.c-net.org/)

hn111 9 months ago

This website has possibly the worst alternative to horizontal scrollbars I’ve ever seen: horizontal scrolling per paragraph.

Timwi 9 months ago

Yep, that's what happens on mobile when each paragraph is in a <pre> tag of its own.

blueflow 9 months ago

... this website are two monospaced texts in a <pre>. It does not use paragraphs.

RealStickman_ 9 months ago

My browser (Firefox Mobile) somehow does turn it into scroll bars per paragraph.

https://paste.c-net.org/CartsTroops

(Cool that it works btw)

johnisgood 9 months ago

Happens to me, too, on desktop with Chromium, just gotta resize the window to reproduce.

tomaskafka 9 months ago

Excellent! I’ll know where to upload my botnet payloads and CSAM!

anthk 9 months ago

      cat file.txt | nc termbin.com 9999

Sephr 9 months ago

I self-host OFTN Zerodrop as a pastebin with CAPTCHA support along with binary uploads and conditional routing.

Unfortunately I still ended up taking down my publicly accessible demo to not have to deal with the legal risk of potential abuse, but this software is free for others to host and is written in Go.

betaby 9 months ago

https://github.com/dutchcoders/transfer.sh/ is a similar project for self-hosting.

sans_souse 9 months ago

https://paste.c-net.org/ImproperAttacked

crancher 9 months ago

https://paste.c-net.org/HanukkahDisplays

bxio 9 months ago

https://paste.c-net.org/HurtingJunior

frays 9 months ago

Fun and possibly useful project. Lots of other alternatives (including open source with source code) in this thread too.

visil 9 months ago

Nice! I used a similar site, termbin.com, for some time now, though it uses netcat to upload files. Definitely useful!

mmooss 9 months ago

Very nice, and the urls use random words instead of random strings. Thank you.

disappeardev 9 months ago

disappear.net uses mnemonics (bespoke or securely generated). No cli support yet, but I think I'll work on a cli client for it in the coming days. The nice thing about using mnemonics or passwords instead of deep links is that you never expose the url anywhere and it's easier to pass along the files or notes using non-digital channels.

chrsw 9 months ago

This rules. Hope it stays up.

ranger_danger 9 months ago

Not open source as far as I can tell?