
4chan source code leaked (2010) - NotUncivil
http://pastebin.com/a45dp3Q1
======
ANTSANTS
Not much to see here, folks. Someone took an _old_ leak of the source code and
commented out a few lines for a giggle. Only moot and the developers know what
the site looks like now, but given the significant addition of functionality
in the past few years, it's pretty much impossible that that would be the only
difference in the source.

The original leak, from 2010 at least, possibly older:
[http://pastebin.com/4JVjS02b](http://pastebin.com/4JVjS02b)

4chan _was_ hacked the other day, so the current source code _could_ have been
leaked, but if it was, this sure isn't it.

~~~
brador
Wouldn't the ideal solution for 4Chan be an external data/processing server
that dials in to the hosting server to dump out static files? That way the
location of the external server remains, at least partially, a mystery, even
after the main box is hacked?

~~~
pearjuice
Why? 4chan is not a high target. There is no reason to over engineer it.
Mostly it will be prepubescent teenagers throwing a fit and bombarding the
server with bandwidth.

The hack of earlier today was due to an obsession over a female 4chan
moderator. That should say enough.

~~~
nwh
CloudFlare was hacked with the sole intention of taking over 4chan.org's
domain. They're a huge target.

~~~
valarauca1
Okay, let's say they are a massive target. There is still a monetary issue.

4chan is a cultural and ideological landmark on the American internet. Not
only are there clones, but "Cloning 4chan" is almost a business in and of
itself. And they fail. 4chan's month to month profits are barely to not-at-all
existent. In a purely dollars and cents way, 4chan is a failure.

So there is very little monetary motivation for discovering _the secrets of
the 4chan's operation_.

Security is a trade off of Financial Risk vs Financial Investment. There is no
Financial Risk in 4chan being hacked. They have no user accounts, they have no
financial data. They have no overly complex-secret-sauce-search algorithm.

The only thing to 'steal' is a collection of Japanese/American Pop cultural
referential gif, jpg, and webm files.

~~~
nwh
They have tens of thousands of "passes" (basically accounts) and the payment
information associated with them.

------
treehau5
I mean,

Yes I hate PHP more than the next guy,

Yes this code is terrible,

But you know what? I can read it, and follow along. And that's actually more
to say than other "beautiful" code that was obfuscated behind 3 or 4 levels of
unnecessary levels of abstraction or indirection.

------
wfn

      if ($sectrip != "") {
        $salt = "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL"; #this is ONLY used if the host doesn't have openssl
                                                    #I don't know a better way to get random data

~~~
slipstream-
I saw that. "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL" was my reaction, too.

------
dewey
And yet, despite the horrible code, it's still powering an Alexa Top 500 page
without any huge problems I've heard of.

~~~
roryhughes
Crazy. I knew PHP was bad, but this is just terrible.

~~~
dewey
I know hating on PHP is en vogue but you could probably write the same ugly
code with another language too.

~~~
harryf
Not possible. Other languages have features to prevent this.

~~~
shocks
I highly doubt you have anything else to add because I'm sure you're just
another person jumping on the "hate php" bandwagon - but go on, entertain me.

Please elaborate.

~~~
camus2
Most languages don't have extract($_POST) and hop, everything's overwritten...
PHP has a lot of shit like this. Yeah, you don't have to use them, but they
shouldn't be here in the first place, if PHP core devs cared about a sane API.
PHP doesn't have a sane API. PHP core devs don't give a damn. That's why
Facebook developed Hack and HHVM.
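
Added example, not part of the comment above or of the leaked source: the overwrite that `extract($_POST)` causes (the same call is quoted from the source elsewhere in this thread), next to an allow-list version. `$is_admin`, `handle_unsafe()`, `handle_safe()`, the field names and the request contents are hypothetical.

```php
<?php
// Added example, not code from the leaked source. All names are hypothetical
// and the request body below is constructed.

// Pattern quoted in the thread: every request key becomes a local variable,
// so a client-chosen key can replace a value the script set itself.
function handle_unsafe(array $post): bool
{
    $is_admin = false;      // decided by the server
    extract($post);         // default flag is EXTR_OVERWRITE: the request wins
    return (bool) $is_admin;
}

// Hardened form: read only the fields the handler expects, by name, with a
// type check and a length cap. Unknown keys are never turned into variables.
function handle_safe(array $post): array
{
    $is_admin = false;
    $allowed  = ['name' => 64, 'comment' => 2000];   // field => max length
    $fields   = [];
    foreach ($allowed as $key => $max) {
        $value = $post[$key] ?? '';
        if (!is_string($value)) {                    // e.g. name[]=... arrays
            $value = '';
        }
        $fields[$key] = substr($value, 0, $max);
    }
    return ['is_admin' => $is_admin, 'fields' => $fields];
}

// Constructed request body carrying one key the form never defined.
$post = ['name' => 'Anonymous', 'comment' => 'hello', 'is_admin' => '1'];

var_dump(handle_unsafe($post));             // server-set flag after extract()
var_dump(handle_safe($post)['is_admin']);   // server-set flag, allow-list path
var_dump(handle_safe($post)['fields']);     // only the expected fields survive
```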

------
TheAceOfHearts
I think this just goes to show that you can have a lot of popularity even if
your code is just sorta glued together.

Don't they get a few million users? I'd say it's definitely nothing to scoff
at.

It makes me wonder how many big profile websites might look like this or
worse.

~~~
wirelessest
Having worked at a couple, I think I wouldn't be too far off to say all of
them.

I still remember a week into the first job fresh-from-college me marching into
the VPs office to tell him the source code was terrible and they were only
still running due to luck. It was not well received (or right)

~~~
philtar
I almost did the same thing. But then calmed down and said maybe I have no
idea what I'm talking about. I was right. I had no idea what I was talking
about.

------
goshx
Ask HN: Would you rather have a beautiful source code with 1000
pageviews/month or an ugly source code with millions of pageviews/month?

~~~
NotUncivil
>millions of pageviews/month

That is technically correct but does not convey the scale at which 4chan
operates. According to
[http://www.4chan.org/advertise](http://www.4chan.org/advertise),

    Page impressions per month: 575,000,000;
    Unique visitors per month: 25,000,000;
    Posts per day: 1,000,000;
    Alexa Traffic Rank: 836 (Global) & 371 (US)
    Quantcast Rank: 305 (US)
    Google PageRank: 6

Makes me wonder if WebM will increase or reduce 4chan's total traffic (when
measured in bytes, not clicks).

~~~
Igglyboo
I can't imagine WebM impacting 4chan anytime soon, it will probably reduce
4chan's load when (if) WebM takes off but I highly doubt more than a small
fraction will choose WebM over a .gif in the immediate future.

------
pearjuice
This is not leaked recently but spread today which caused people to believe it
was looted during the 4chan hack earlier today. The 4chan administration has
been awkwardly silenced about the compromised 4chan website, but this isn't
one of the reasons.

[http://9ch.in/overscript/](http://9ch.in/overscript/)
[http://9ch.in/overscript/files/yotsuba.txt](http://9ch.in/overscript/files/yotsuba.txt)

~~~
mr_vile
Yes, I actually added that leaked code to overscript in 2012, previously there
was another leak in 2010.

------
Villodre
It seems that it's too terrible to be the true code.
"if($_COOKIE['4chan_auser']",

"extract($_POST); extract($_GET); extract($_COOKIE);"

~~~
spoiler
> It seems that it's too terrible to be the true code.

1. It's written in PHP. Finding a good PHP developer is nigh impossible
(there are exceptions, like always).

2. I expected worse, to be honest.

~~~
ledneb
No serious, modern PHP developer writes code like this. If it were a code
sample for any respectable PHP job, it would be a massive "do not hire" flag.

~~~
ihsw
Confirmation bias. 99% of PHP developers out there are in fact absolute shit,
and they're happy with it because they're developing "websites" instead of
"applications."

Right tool for the right job. You can use qualifiers like "serious" and
"modern" but you're deluding yourself if you think they mean anything when the
pool of PHP developers is so staggeringly high.

~~~
ledneb
I'm under no delusion. Admittedly this is the wrong place to be debating
anything PHP, but I wouldn't suggest that the average skill level of
"everybody who writes PHP" is anything better than incompetent. The people I'm
sitting next to now and have worked with in the past are as real as I am - the
1% you recognise are the serious and modern PHP developers. We exist and we're
the pool you hire from.

Of course, right tool for the right job. PHP has specific use cases but that's
another discussion entirely.

------
Vaskivo
I thought the *chan code was open.

Or is this some critical bit? (I noticed it handles cookies, but I'm too
inexperienced with web, php or web-security to explore this wall of code)

~~~
rossy
4chan's code (Yotsuba) has always been a closed source fork of Futaba, though
there are several open source Futaba clones, like Kusaba X.

------
kaivi
I wonder what is the site's infrastructure_cost/ad_revenue ratio, because I
have long had a feeling that it could be greatly improved. Moot has always
been skeptical about innovating the board, even the iOS layout is still
incomprehensible since the CSS shim has been added.

Imageboard is dead easy in its essence, so why not rebuild it from scratch,
instead of feeding new bells and whistles to the existing spaghetti monster?

------
Fuxy
Well at least it's neatly organized into functions :P

------
lispm
My eyes, the goggles do nothing!!!

------
kevin818
How can code be "leaked"? Wouldn't this imply someone was able to terminal
into one of their servers?

~~~
n1c
Any number of things could happen; maybe someone got access to a code
repository, or a stray flash drive, or the web server was mis-configured and
served the file as plain text (happened to fb once) etc.

------
NewsReader42
      if(isset($_COOKIE['4chan_auser'])&&isset($_COOKIE['4chan_apass'])){
        $user = mysql_real_escape_string($_COOKIE['4chan_auser']);
        $pass = mysql_real_escape_string($_COOKIE['4chan_apass']);
      }

HAHAHAHAAHAHAHAHAA

Steal a cookie, gain access.. WTF

~~~
Kiro
How do you "steal" a cookie?

~~~
exDM69
Get on the same WiFi as your target, open up Wireshark and grab their HTTP
communications.

To make this easier, there was/is a tool called Firesheep that can be used to
hijack session cookies. The popularity of Firesheep caused many sites to
enable HTTPS by default (e.g. Facebook did so).
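
Added example, not part of the posts above and not 4chan's code: an opaque server-side session token with cookie flags that keep it off plain HTTP, as an alternative to carrying a user name and password in cookies. `issue_session()`, `check_session()`, the cookie name `sid`, the in-memory `$store` and the user name are hypothetical.

```php
<?php
// Added example, not 4chan's code. All names are hypothetical.

// Issue a random token; only its hash is kept server-side, so a leaked
// session store does not hand out usable cookies.
function issue_session(array &$store, string $user, int $ttl = 3600): array
{
    $token = bin2hex(random_bytes(32));              // CSPRNG, PHP 7+
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + $ttl];
    return [
        'name'    => 'sid',
        'value'   => $token,
        'options' => [
            'expires'  => time() + $ttl,
            'path'     => '/',
            'secure'   => true,      // sent over HTTPS only
            'httponly' => true,      // not readable from page scripts
            'samesite' => 'Strict',  // not attached to cross-site requests
        ],
    ];
}

// Map a presented token back to a user; unknown or expired tokens give null.
function check_session(array &$store, string $presented): ?string
{
    $key = hash('sha256', $presented);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] < time()) {
        unset($store[$key]);                         // drop expired sessions
        return null;
    }
    return $store[$key]['user'];
}

$store  = [];                                        // stand-in for a sessions table
$cookie = issue_session($store, 'moderator1');       // constructed user name
if (PHP_SAPI !== 'cli') {                            // headers only exist under a web SAPI
    setcookie($cookie['name'], $cookie['value'], $cookie['options']); // PHP 7.3+
}
var_dump(check_session($store, $cookie['value']));   // token that was issued
var_dump(check_session($store, str_repeat('0', 64))); // token that was never issued
```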

~~~
Kiro
If you need to be on the same WiFi as your target I really don't see the big
problem, realistically speaking.

~~~
terminado
Common, shared wired LANs at offices and workplaces are a problem. Home LANs,
where family members need privacy from one another, are also a problem.

------
freshyill
<font>? <table>?

Man, 4chan is worse than I thought.

~~~
mkoryak
What's wrong with <table>?

~~~
freshyill
<table> is for tables of information, not for layout.

But seeing as how I was downvoted, the important thing to remember is that any
hint of levity is strictly forbidden on Hacker News.

~~~
dang
[https://news.ycombinator.com/item?id=7609289](https://news.ycombinator.com/item?id=7609289)

------
pan69
F* me. No wonder PHP has a bad rap..

~~~
onion2k
I think the fact that you can drive a multi million user website that was once
valued at $1.2b (by a VC admittedly) on 2600 lines of pretty bad PHP code
_when most of the users are exactly the sort of people who'd try to hack it_
is actually a testament to how good PHP is.

Redeveloping the site in Go, Dart, Python or Node, or whatever language you
like best, wouldn't increase 4Chan's value in any discernible way.

At the end of the day, _it works_.

~~~
aaronem
Please, _please_ tell me you're joking about 4chan having been valued at $1.2
billion dollars by _anyone_.

~~~
aaronem
This itched me -- I've never gotten the impression that Christopher Poole was
particularly stupid, and I couldn't imagine him reacting to a genuine offer of
$1.2 billion for 4chan in any other fashion than by demanding cash on the nail
and then _taking_ it -- so I scratched it.

The only thing I could find was a year-old thread from 4chan itself [1], in
which the supposed VC never identifies himself, and in which (someone who is
probably) Poole had the following to say:

>>this thread

>>my sides

>>the stratosphere

>

>If this is actually your profession, you should probably find a new job.

The advice never to believe everything you read is good advice in general;
with regard to anything you read on, from, or about 4chan, it's indispensable.

[1] [http://4chandata.org/q/VC-estimates-4chan-worth-1-2-billion-...](http://4chandata.org/q/VC-estimates-4chan-worth-1-2-billion-a367656)

