
I built a screenshot API and some guy was mining cryptocurrencies with it - gregorymichael
https://medium.com/@timotheejeannin/i-built-a-screenshot-api-and-some-guy-was-mining-cryptocurrencies-with-it-cd188dfae773
======
sudhirj
Don't ask someone else to DDoS your competitors, even in jest, especially not
in writing. Besides being in bad taste, this can come back to bite you.

On a related note, though, is there a way to limit CPU time on the headless
chrome API?

We're running our PDF generator on docker images, and we built
[https://github.com/RealImage/proxywall](https://github.com/RealImage/proxywall)
to run as a 'sidecar' container that sits in front like nginx / Apache would -
it rejects requests that don't match certain criteria. If your business model
supports it you might want to have a whitelist of domains that each account
can take shots of.
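Both points raised in this comment, as an added example that is neither proxywall's code nor anything from the post: a per-account hostname allowlist checked before a URL ever reaches the browser, and a CPU-time cap on the renderer process. The account table, the limits and the stand-in renderer commands (a Python busy loop instead of a real headless Chrome) are assumptions made for illustration; RLIMIT_CPU is used here as a per-process substitute for the cgroup limits discussed elsewhere in the thread.

```python
"""Two gates in front of a headless-browser renderer.

Added example, not proxywall's code and not from the post:
  check_request()       - per-account hostname allowlist, the idea proposed above
  run_with_cpu_budget() - launch the renderer under an RLIMIT_CPU cap plus a
                          wall-clock timeout; a per-process stand-in for cgroups
Account table, limits and sample commands are constructed for illustration.
"""
import resource
import signal
import subprocess
import sys
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical account -> allowed hostnames; a leading "." also admits subdomains.
ALLOWLIST = {
    "acct-1": {"example.com", ".example.org"},
    "acct-2": {"shop.example.net"},
}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-ins for the renderer command: a miner-like busy loop and a
# page that renders instantly.  A real deployment would launch headless Chrome.
BUSY_LOOP_CMD = [sys.executable, "-c", "while True: pass"]
TRIVIAL_CMD = [sys.executable, "-c", "pass"]


def _host_matches(host: str, patterns: set) -> bool:
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def check_request(account: str, url: str) -> tuple:
    """Return (allowed, reason); only the boolean is security relevant."""
    patterns = ALLOWLIST.get(account)
    if not patterns:
        return False, "unknown account"
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo, port and IPv6 brackets stripped
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:  # keep file://, chrome://, javascript: away from the browser
        return False, "scheme %r not allowed" % parts.scheme
    if not host:
        return False, "missing host"
    try:
        ip_address(host)  # 127.0.0.1, 169.254.169.254, ::1 ... are never on a hostname allowlist
        return False, "ip literal not allowed"
    except ValueError:
        pass
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    if not _host_matches(host, patterns):
        return False, "host %r not allowed for %s" % (host, account)
    return True, "ok"


def _apply_cpu_cap(soft: int) -> None:
    """Runs in the child between fork() and exec() (preexec_fn).

    The soft limit raises SIGXCPU (fatal by default); the hard limit, a few
    seconds later, is an unconditional SIGKILL.  Keep them distinct: with
    soft == hard the kernel goes straight to SIGKILL."""
    _, cur_hard = resource.getrlimit(resource.RLIMIT_CPU)
    hard = soft + 5
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)  # an unprivileged process cannot raise the hard limit
    resource.setrlimit(resource.RLIMIT_CPU, (min(soft, hard), hard))


def run_with_cpu_budget(cmd: list, cpu_seconds: int, wall_seconds: float) -> str:
    """Run a renderer command; return 'ok', 'cpu_exceeded', 'timeout' or 'exit N'.

    A miner keeps the CPU busy, so the CPU cap is what fires for it; the
    wall-clock timeout covers a page that merely hangs on the network."""
    try:
        proc = subprocess.run(cmd, timeout=wall_seconds,
                              preexec_fn=lambda: _apply_cpu_cap(cpu_seconds),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "timeout"  # subprocess.run kills the child before re-raising
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu_exceeded"
    return "ok" if proc.returncode == 0 else "exit %d" % proc.returncode
```

Two caveats. check_request() only inspects the URL the client submitted; the browser still follows redirects and loads subresources, so the same check has to run on the final navigated URL (or redirects have to be disabled), and nothing here stops a page on an allowed host from embedding a miner, which is exactly what the CPU cap is for. The cap is per process, so it only helps if each request gets its own renderer process; a shared, long-lived browser needs the cgroup or container limit instead.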

~~~
Confiks
> Don't ask someone else to DDoS your competitors, even in jest, especially
> not in writing. Besides being in bad taste, this can come back to bite you.

I'm sure there's inspecific biting precedent about using an overabundance of
caution in writing about any jokes you might have made to any other person,
maybe especially in a legal system where even the risk of having legal
proceedings can cripple you for the rest of your life, but the guy literally
said "No, don't. I was just joking" a few moments later.

~~~
sudhirj
Usually, a joke is just that. But this transcript is a conversation between a
business owner and a hacker, where the hacker is likely in violation of the
CFAA, and the owner is threatening legal action if the hacker doesn’t cease
and desist. Once you cover that ground in a conversation, resist the urge to
be funny.

------
nmstoker
Interesting post, and glad it was resolved amicably!

There's lots of things you could do, but one idea is to have an approach where
your service states it will use cached images for pages requested above a
threshold in a particular timeframe - that would deter this kind of abuse,
with minimal impact on genuine users.

------
jrochkind1
> he was not that bad of a guy after all.

Debatable.

~~~
HiroshiSan
What makes him a bad guy? To me he seems like the curious hacker type who
enjoys exploits.

~~~
jrochkind1
I would consider intentionally trying to use someone else's CPU without their
permission to mine cryptocoins to be an asshole move.

------
samhunta
Possible deterrents -

1. Use cgroups to limit CPU usage on a process.

2. Block Coinhive

3. Implement captchas

4. Cloudflare

5. Adblock

6. API throttling and 1 minute cache per URL

7. Disallow 1 IP from creating more than X accounts at a certain speed per
day
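Three of the ideas in this thread share one mechanism, a sliding-window count per key: nmstoker's suggestion above of serving a cached image once a URL is requested more than some threshold per timeframe, and items 6 and 7 in this list (per-key throttling with a short per-URL cache, and capping sign-ups per IP per day). The block below is an added example, not code from the post; the thresholds, key names and sample traffic are constructed for illustration.

```python
"""Sliding-window rate limits for a screenshot API (added example).

One counter serves three policies: serve the cached screenshot for a URL
that is hot (requested above a threshold in the window), throttle each API
key, and cap account creation per source IP.  Thresholds are hypothetical.
"""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key within the last `window` seconds.

    The clock is passed in by the caller so decisions are deterministic and
    testable; in production pass time.time()."""

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def hit(self, key: str, now: float) -> int:
        """Record an event at `now` and return the count still inside the window."""
        q = self._events[key]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] <= cutoff:   # drop events that have aged out
            q.popleft()
        return len(q)


# Hypothetical policy numbers
URL_BURST_LIMIT = 5            # fresh renders of one URL per minute ...
URL_BURST_WINDOW = 60.0        # ... beyond that the stored image is served
KEY_RATE_LIMIT = 100           # render requests per API key per minute
ACCOUNTS_PER_IP = 3            # sign-ups per source IP per day

url_counter = SlidingWindowCounter(URL_BURST_WINDOW)
key_counter = SlidingWindowCounter(60.0)
signup_counter = SlidingWindowCounter(24 * 3600.0)


def render_decision(api_key: str, url: str, now: float) -> str:
    """'reject' (key over quota), 'cached' (URL is hot: reuse the last
    screenshot, spend no browser CPU) or 'render' (navigate and capture)."""
    if key_counter.hit(api_key, now) > KEY_RATE_LIMIT:
        return "reject"
    if url_counter.hit(url, now) > URL_BURST_LIMIT:
        return "cached"
    return "render"


def signup_allowed(ip: str, now: float) -> bool:
    """Item 7 above: at most ACCOUNTS_PER_IP new accounts per IP per day."""
    return signup_counter.hit(ip, now) <= ACCOUNTS_PER_IP


if __name__ == "__main__":
    # Constructed traffic: the same URL hammered seven times in one minute.
    for t in range(7):
        print(t, render_decision("key-demo", "https://example.com/", float(t)))
```

Two things to get right when deploying this. The "cached" branch must really serve the stored image and never navigate; if the cache entry is missing (say, the first render failed) that has to be treated as a miss rather than silently becoming a render, or the abuser gets free CPU again. And a per-URL key is trivially evaded with a cache-busting query string, so normalise the key (at least drop the fragment and, if the product allows, the query) and rely on the per-key quota as the real backstop; the example keys on the raw URL for simplicity.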

~~~
icebraining
Adblock?

~~~
bdcravens
If you were using Selenium to generate the screenshots (they weren't, they
were using curl) you could add Adblock to the browser being used on your
server (Selenium just automates a real browser) which will block Coinhive.

~~~
icebraining
Thanks, I didn't know adblock blocked Coinhive.

------
txsh
> I think it’s one of the most pacific way I did mitigate an attack, and he
> was not that bad of a guy after all.

“Pacific”? Did you mean “specific” or “pacifistic”?

~~~
notsosmart
"pacific" also means "Peaceful in character or intent."

------
diegorbaquero
Definitely worth adding a captcha and verifying email.

~~~
jakobegger
Make the service worse for everyone just because one guy abused it...

~~~
robotresearcher
You have a lock on your front door and a password on your computer, right?

~~~
ythn
Yeah but if a neighborhood kid with a lockpick breaks into your house,
installs cryptomining sw on your computers, laughs at how weak your lock is,
admonishes you to spend more money in better security, what will you do? Take
his advice and buy a better lock?

~~~
robotresearcher
There was no lock in this case. We're metaphorically going from an open
doorway to a conventional front door. Adding just a little friction means the
tweaker poops on someone else's rug.

------
illustrioussuit
Similarly, couldn't an attacker visit a page with lots of Pay-Per-View ads
(with whom he/she profits off of)?

------
wolco
When the javascript miners first came out I did this as a test. Worked great
the few minutes I had available. I could collect as many cycles as running
myself in my own browser for 12 hours.

------
williamxd3
dumb to not have a captcha

~~~
nefitty
The easier you can make your service to use, the more likely I'll use it. This
definitely needed a solution, and the best route would be one with minimal or
no impact on UX.

~~~
lwansbrough
If you're not a robot then captcha is rarely more than an extra click these
days if you use recaptcha.

~~~
meesles
One extra click can make a lot of difference for someone performing that
action 100s of times a day!

~~~
icebraining
You'd just add it to the account creation.

