The Button is down

As some of you have already noticed, The Button is down and not coming back anytime soon, for several reasons.

First, and most obviously, it was in part an April Fools’ Day prank making fun of Twitter: a microblogging platform with a zero-character limit. I was hoping that “femtoblogging” would be a unique name, but as it turns out for each of the sub-micro SI prefixes, there are plenty of hits for prefixblog, from nanoblog down to yoctoblog.

Second, and primarily, I wrote it to get a feel for developing web apps in Happstack, a Haskell-based application server development framework. The Button was trivial enough to be implemented over a weekend (plus a little polishing the following Monday evening), but nontrivial enough to let me play around with several features and get a better understanding of why the examples are organized the way they are. I definitely learned some things in writing The Button, which I’ll regale you with in the next few posts.

Third, and most pragmatically, the actual hosting of The Button was an ugly ugly hack. Happstack requires GHC 6.10 (the Haskell compiler), and although my web host does indeed have GHC pre-installed, it only had version 6.6. I tried compiling the latest version of GHC from source, but that failed once it exhausted the remaining 200 MB of my disk quota. Downloading precompiled binaries was also impossible since the unpacked tarballs for those also required more than 200 MB of disk. While I don’t foresee any issues in getting my quota increased, since I was trying to do this the evening of March 31, I couldn’t count on the turnaround time of the request being quick enough.

In short, The Button was running off queeg, my laptop. The domain was pointing to my home connection. (It doesn’t anymore; it’s currently acting as a synonym for, which I need to fix.) In case you were wondering why it was running on a high-numbered port, that’s why — there’s no way I was going to run a largely untested server as root on my home machine and open it to the world! Naturally, using my laptop as a web server was hardly a long-term solution, so once April 1 passed I took it down.

Fourth, and most security-consciously, The Button’s password security was a joke. Other than storing them with strong, randomly salted, strengthened hashes, it was bad. Passwords were transmitted to the server in the clear. There were no checks whatsoever for strong passwords. Nor was there any protection against online brute force attacks (which, incidentally, Twitter fell victim to earlier this year, with little “happiness” to be had by that compromised admin account).

So, I hope those of you who did actually register accounts with The Button didn’t use the same password you use for anything important.

If I had had more than a weekend to work on The Button, I would’ve addressed those issues, but I simply ran out of time. I couldn’t in good conscience continue running a server with that many security vulnerabilities once the joke had passed. That’s also why I’m reluctant to post the code that implemented The Button unless someone really wants to see it. It’s not of good enough quality for someone to use as the basis of something real.

If for some reason you actually think The Button, or femtoblogging in general, actually has potential (I can actually think of one or two legitimate use cases for it, though I can also come up with better solutions for those use cases), I’ve demonstrated you can implement the core functionality over a weekend, even if you aren’t particularly well-versed in the framework or the language you’re using.