Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.
On a related note, though, is there a way to limit CPU time on the headless chrome API?
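On the question of capping CPU time: the following is an added example, not something posted in this thread or shipped by any project mentioned here. It wraps whatever child process you launch (a headless Chrome command line would go where the placeholder comment is) in an RLIMIT_CPU ceiling plus a wall-clock timeout, and uses a Python busy loop as a stand-in for a mining page so it runs on a box without Chrome. It assumes a Linux or macOS host.

```python
"""Bound the CPU time of a rendering child process.

Added example (not code from the thread). The chromium command line in
__main__ is only a placeholder; the self-test uses a Python busy loop as a
stand-in for a page that mines in the background.
"""
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    kind: str                   # "exited", "cpu_limit" or "wall_timeout"
    returncode: Optional[int]   # None when we had to kill it on wall clock


def run_with_cpu_limit(cmd, cpu_seconds, wall_seconds):
    """Run cmd under a CPU-time ceiling (RLIMIT_CPU) and a wall-clock ceiling.

    RLIMIT_CPU is per process and inherited across fork/exec, so each Chrome
    helper (renderer, GPU process) gets its own budget; a miner inside a page
    lives in a renderer, which is the process the soft limit kills with
    SIGXCPU. Docker's --cpus only throttles, it never stops a runaway page,
    so a per-render ceiling inside the container is still worth having.
    """
    def apply_limits():
        soft = cpu_seconds
        hard = cpu_seconds + 1      # kernel sends SIGKILL here if SIGXCPU is ignored
        resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))

    try:
        proc = subprocess.run(cmd, preexec_fn=apply_limits,
                              timeout=wall_seconds, capture_output=True)
    except subprocess.TimeoutExpired:
        # A page that just blocks burns no CPU, so wall clock is the second
        # ceiling; subprocess.run has already killed the child for us.
        return Outcome("wall_timeout", None)
    if proc.returncode == -signal.SIGXCPU:
        return Outcome("cpu_limit", proc.returncode)
    return Outcome("exited", proc.returncode)


# Constructed stand-ins: a miner-like busy loop and a page that renders quickly.
BUSY_LOOP = [sys.executable, "-c", "while True: pass"]
QUICK_EXIT = [sys.executable, "-c", "print('rendered')"]


def demo_busy_loop():
    """Should end as cpu_limit (or wall_timeout if the host does not enforce RLIMIT_CPU)."""
    return run_with_cpu_limit(BUSY_LOOP, cpu_seconds=1, wall_seconds=15)


def demo_quick_exit():
    """A well-behaved render exits normally inside both ceilings."""
    return run_with_cpu_limit(QUICK_EXIT, cpu_seconds=1, wall_seconds=15)


if __name__ == "__main__":
    print(demo_busy_loop())    # Outcome(kind='cpu_limit', returncode=-24) on Linux
    print(demo_quick_exit())   # Outcome(kind='exited', returncode=0)
    # Real use would look like (Chrome's own headless flags, target URL assumed):
    # run_with_cpu_limit(["chromium", "--headless", "--screenshot=out.png",
    #                     "https://example.com/"], cpu_seconds=10, wall_seconds=30)
```

preexec_fn runs between fork and exec and is not safe to combine with threads in the parent; in a multi-threaded service, apply the limit in a tiny wrapper script that calls setrlimit and then execs the browser instead.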
We're running our PDF generator on docker images, and we built https://github.com/RealImage/proxywall to run as a 'sidecar' container that sits in front like nginx / Apache would - it rejects requests that don't match certain criteria. If your business model supports it you might want to have a whitelist of domains that each account can take shots of.
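A per-account domain whitelist sounds like a one-line string compare, but the checks a URL gate actually needs are a bit longer. The block below is an added example and is not proxywall's code; the account table and request shape are assumed, and the target is rejected before anything is fetched.

```python
"""Per-account target allowlist for a screenshot/PDF service.

Added example, not the proxywall project's code. ACCOUNT_ALLOWLIST and the
(account, url) request shape are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: which domains each API key may render.
ACCOUNT_ALLOWLIST = {
    "acct-123": {"example.com", "docs.example.org"},
    "acct-456": {"shop.example.net"},
}


def host_allowed(host, allowed):
    """Exact match or a subdomain of an allowed domain.

    Matching on a dot boundary, not a substring, so notexample.com and
    example.com.evil.test both fail for an allowlist containing example.com.
    """
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_target(account, url):
    """Return (ok, reason); reject before the browser ever sees the URL."""
    allowed = ACCOUNT_ALLOWLIST.get(account)
    if not allowed:
        return False, "unknown account"
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"      # file://, chrome://, javascript:
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"         # http://example.com@evil.test/
    if not host:
        return False, "no host"
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False, "ip literal"              # 127.0.0.1, 169.254.169.254, [::1]
    except ValueError:
        pass                                    # not an IP literal, keep going
    if port not in (None, 80, 443):
        return False, "non-standard port"
    if not host_allowed(host, allowed):
        return False, "host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for acct, u in [("acct-123", "https://example.com/page"),
                    ("acct-123", "http://example.com@evil.test/"),
                    ("acct-123", "http://169.254.169.254/latest/meta-data")]:
        print(acct, u, check_target(acct, u))
```

What this does not do: a whitelisted hostname can still resolve to an internal address (DNS rebinding, or simply a misconfigured record), so the sidecar also needs egress filtering on the resolved IP; this check is the cheap front gate, not the whole fence.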
> Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.
That was my first thought when I read the chat. It just seems stupid to even remotely suggest something like this.
> Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.
I'm sure there's inspecific biting precedent about using an overabundance of caution in writing about any jokes you might have made to any other person, maybe especially in a legal system where even the risk of having legal proceedings can cripple you for the rest of your life, but the guy literally said "No, don't. I was just joking" a few moments later.
Usually, a joke is just that. But this transcript is a conversation between a business owner and a hacker, where the hacker is likely in violation of the CFAA, and the owner is threatening legal action if the hacker doesn’t cease and desist. Once you cover that ground in a conversation, resist the urge to be funny.
Interesting post, and glad it was resolved amicably!
There's lots of things you could do, but one idea is to have an approach where your service states it will use cached images for pages requested above a threshold in a particular timeframe - that would deter this kind of abuse, with minimal impact on genuine users.
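The threshold-then-cache idea from the comment above, worked through as an added example (not code from the thread or from the service discussed): a sliding-window counter per (account, canonical URL) that keeps rendering fresh images below the threshold and falls back to a cached image above it, so a flood of identical requests costs at most one render per cache TTL. The in-memory dicts and the injected clock are for illustration; a deployment would back them with something shared like Redis.

```python
"""Serve cached screenshots above a per-target request threshold.

Added example, not from the thread. Storage is in-memory and the clock is
injectable so the policy can be tested without sleeping.
"""
import time
from collections import deque
from urllib.parse import urlsplit, urlunsplit


def canonical(url):
    """Normalise so trivial variants (host case, fragment) share one counter."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return urlunsplit((p.scheme.lower(), host, p.path or "/", p.query, ""))


class CacheOrRenderPolicy:
    def __init__(self, threshold, window_seconds, cache_ttl, clock=time.monotonic):
        self.threshold = threshold       # renders allowed per window before caching kicks in
        self.window = window_seconds
        self.ttl = cache_ttl
        self.clock = clock
        self.hits = {}                   # key -> deque of request timestamps in window
        self.cache = {}                  # key -> (rendered_at, image_bytes)

    def decide(self, account, url):
        """Return ("render", key) or ("cached", key) for this request."""
        now = self.clock()
        key = (account, canonical(url))
        q = self.hits.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) > self.threshold:
            entry = self.cache.get(key)
            if entry and now - entry[0] < self.ttl:
                return "cached", key
        # Below threshold, or nothing fresh to serve: render (caller stores result).
        return "render", key

    def store(self, key, image_bytes):
        self.cache[key] = (self.clock(), image_bytes)


class FakeClock:
    """Constructed clock for the scenario below."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Constructed burst: 20 requests, one per second, for the same page in two spellings.

    Returns (number_of_renders, list_of_decisions).
    """
    clock = FakeClock()
    policy = CacheOrRenderPolicy(threshold=5, window_seconds=60, cache_ttl=300, clock=clock)
    renders, decisions = 0, []
    for i in range(20):
        clock.t += 1.0
        url = "https://Example.com/page#frag" if i % 2 else "https://example.com/page"
        action, key = policy.decide("acct-123", url)
        if action == "render":
            renders += 1
            policy.store(key, b"PNG placeholder")   # constructed image bytes
        decisions.append(action)
    return renders, decisions


if __name__ == "__main__":
    print(simulate())   # (5, ['render'] * 5 + ['cached'] * 15)
```

The window counter is per account as well as per URL, so one abusive key hitting a page does not degrade the image a paying customer gets for the same page.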
If you were using Selenium to generate the screenshots (they weren't, they were using curl) you could add Adblock to the browser being used on your server (Selenium just automates a real browser) which will block Coinhive.
Captcha is a lazy way out. Please take a superior solution for your users. Google's "I'm not a robot" variant positively detests VPN IPs. There are services I _pay_ for that have, unintentionally, all but locked me out while on a VPN because the captcha process is so prohibitive.
Make the service "worse" because the potential for wide abuse is present.
Finding a fine line is probably what's required. Having your tool suffer DDoS from known exploit vectors harms all the legitimate users at the expense of some bot-writer's pleasure.
Arguably this is the basis of many laws that govern our lives. Lots of rules are in place and enforced because individuals found ways to ruin things for everyone else.
Yeah but if a neighborhood kid with a lockpick breaks into your house, installs cryptomining sw on your computers, laughs at how weak your lock is, admonishes you to spend more money in better security, what will you do? Take his advice and buy a better lock?
There was no lock in this case. We're metaphorically going from an open doorway to a conventional front door. Adding just a little friction means the tweaker poops on someone else's rug.
When the javascript miners first came out I did this as a test. Worked great the few minutes I had available. I could collect as many cycles as running myself in my own browser for 12 hours.
The easier you can make your service to use, the more likely I'll use it. This definitely needed a solution, and the best route would be one with minimal or no impact on UX.
Not my experience; I usually have to go through several rounds of select all the road signs. I'm not sure on what basis they decide to hassle some users vs others.