Hacker News
I built a screenshot API and some guy was mining cryptocurrencies with it (medium.com)
73 points by gregorymichael 9 months ago | hide | past | web | favorite | 31 comments



Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.

On a related note, though, is there a way to limit CPU time on the headless chrome API?

We're running our PDF generator on docker images, and we built https://github.com/RealImage/proxywall to run as a 'sidecar' container that sits in front like nginx / Apache would - it rejects requests that don't match certain criteria. If your business model supports it you might want to have a whitelist of domains that each account can take shots of.


> On a related note, though, is there a way to limit CPU time on the headless chrome API?

You can use cgroup limits for any process. Just set a high period and the quota you want: https://access.redhat.com/documentation/en-us/red_hat_enterp...
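Added example (not from the thread or the linked RHEL docs) of the approach this comment and item 1 of the deterrents list describe: a long CFS period plus a quota, applied to the headless browser. It assumes Linux with the cgroup v1 cpu controller mounted at /sys/fs/cgroup/cpu and root privileges; the `root` parameter is an assumption added so the logic can be exercised against a scratch directory.

```python
"""Put a headless-chrome process under a cgroup v1 CFS CPU budget."""
import subprocess
import sys
from pathlib import Path

PERIOD_US = 1_000_000   # a "high period" of 1 s; chrome's bursts average out over it


def quota_us(percent: int, period_us: int = PERIOD_US) -> int:
    """CPU time per period equal to `percent` of one core (200 = two cores)."""
    if percent < 1:
        raise ValueError("percent must be positive")
    return period_us * percent // 100


def limit_cpu(name: str, pid: int, percent: int,
              root: Path = Path("/sys/fs/cgroup/cpu")) -> Path:
    """Create cgroup `name`, set period/quota, and move `pid` into it.

    Child processes (renderer, GPU helpers) inherit the group, so the whole
    browser tree shares one budget instead of one process per limit.
    """
    cg = root / name
    cg.mkdir(parents=True, exist_ok=True)
    (cg / "cpu.cfs_period_us").write_text(f"{PERIOD_US}\n")
    (cg / "cpu.cfs_quota_us").write_text(f"{quota_us(percent)}\n")
    (cg / "cgroup.procs").write_text(f"{pid}\n")   # v1: writing a pid joins the group
    return cg


if __name__ == "__main__":
    # Assumed invocation: chromium binary name and flags may differ per distro.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    chrome = subprocess.Popen(["chromium", "--headless", "--disable-gpu",
                               "--screenshot=out.png", url])
    limit_cpu("screenshot-api", chrome.pid, percent=25)   # a quarter of one core
    print("chromium exited with", chrome.wait())
```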


> Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.

That was my first thought when I read the chat. It just seems stupid to even remotely suggest something like this.


> Don't ask someone else to DDoS your competitors, even in jest, especially not in writing. Besides being in bad taste, this can come back to bite you.

I'm sure there's inspecific biting precedent about using an overabundance of caution in writing about any jokes you might have made to any other person, maybe especially in a legal system where even the risk of having legal proceedings can cripple you for the rest of your life, but the guy literally said "No, don't. I was just joking" a few moments later.


Usually, a joke is just that. But this transcript is a conversation between a business owner and a hacker, where the hacker is likely in violation of the CFAA, and the owner is threatening legal action if the hacker doesn’t cease and desist. Once you cover that ground in a conversation, resist the urge to be funny.


Interesting post, and glad it was resolved amicably!

There's lots of things you could do, but one idea is to have an approach where your service states it will use cached images for pages requested above a threshold in a particular timeframe - that would deter this kind of abuse, with minimal impact on genuine users.


> he was not that bad of a guy after all.

Debatable.


What makes him a bad guy? To me he seems like the curious hacker type who enjoys exploits.


I would consider intentionally trying to use someone else's CPU without their permission to mine cryptocoins to be an asshole move.


Possible deterrents:

1. Use cgroups to limit cpu usage on a process.

2. Block coinhive

3. Implement captchas

4. Cloudflare

5. Adblock

6. API throttling and 1 minute cache per URL

7. Disallow 1 IP from creating more than X accounts at a certain speed per day
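Added example (not from any commenter) of item 6 above and the earlier "cached images above a threshold" suggestion as one policy layer in front of the renderer: a per-URL cache with a 60 s TTL, so repeated requests for the same page never launch a browser, plus a per-account sliding-window limit on fresh renders. The clock is injected so the behaviour is deterministic; account ids and the limits are illustrative assumptions.

```python
"""Throttle fresh renders per account and serve repeats from a short cache."""
import time
from collections import deque

CACHE_TTL_S = 60      # one real screenshot per URL per minute
RATE_LIMIT = 10       # fresh renders an account may start per window
RATE_WINDOW_S = 60


class ScreenshotGate:
    def __init__(self, render, clock=time.monotonic):
        self._render = render     # the expensive call that launches headless chrome
        self._clock = clock
        self._cache = {}          # url -> (expires_at, image)
        self._starts = {}         # account -> deque of render start times

    def request(self, account: str, url: str):
        """Return (status, image); status is "cached", "throttled" or "rendered"."""
        now = self._clock()
        hit = self._cache.get(url)
        if hit and hit[0] > now:
            return "cached", hit[1]        # no browser launched, no CPU burned
        starts = self._starts.setdefault(account, deque())
        while starts and starts[0] <= now - RATE_WINDOW_S:
            starts.popleft()               # drop starts outside the window
        if len(starts) >= RATE_LIMIT:
            return "throttled", None       # caller maps this to HTTP 429
        starts.append(now)
        image = self._render(url)
        self._cache[url] = (now + CACHE_TTL_S, image)
        return "rendered", image
```

An abuser hammering one mining page gets at most one render per minute, and spreading across URLs runs into the per-account cap; normal users rarely notice either limit.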


Adblock?


If you were using Selenium to generate the screenshots (they weren't, they were using curl) you could add Adblock to the browser being used on your server (Selenium just automates a real browser) which will block Coinhive.


Thanks, I didn't know adblock blocked Coinhive.


> I think it’s one of the most pacific way I did mitigate an attack, and he was not that bad of a guy after all.

“Pacific”? Did you mean “specific” or “pacifistic”?


"pacific" also means "Peaceful in character or intent."


pa·cif·ic /pəˈsifik/, adjective: peaceful in character or intent.


Definitely worth adding a captcha and verifying email.


Captcha is a lazy way out. Please take a superior solution for your users. Google's "I'm not a robot" variant positively detests VPN IPs. There are services I _pay_ for that have, unintentionally, all but locked me out while on a VPN because the captcha process is so prohibitive.


Make the service worse for everyone just because one guy abused it...


Make the service "worse" because the potential for wide abuse is present.

Finding a fine line is probably what's required. Having your tool suffer DDoS from known exploit vectors harms all the legitimate users at the expense of some bot-writer's pleasure.

Arguably this is the basis of many laws that govern our lives. Lots of rules are in place and enforced because individuals found ways to ruin things for everyone else.


You have a lock on your front door and a password on your computer, right?


Yeah but if a neighborhood kid with a lockpick breaks into your house, installs cryptomining sw on your computers, laughs at how weak your lock is, admonishes you to spend more money on better security, what will you do? Take his advice and buy a better lock?


There was no lock in this case. We're metaphorically going from an open doorway to a conventional front door. Adding just a little friction means the tweaker poops on someone else's rug.


Similarly, couldn't an attacker visit a page with lots of Pay-Per-View ads (with whom he/she profits off of)?


When the javascript miners first came out I did this as a test. Worked great the few minutes I had available. I could collect as many cycles as running myself in my own browser for 12 hours.


dumb to not have a captcha


The easier you can make your service to use, the more likely I'll use it. This definitely needed a solution, and the best route would be one with minimal or no impact on UX.


If you're not a robot then captcha is rarely more than an extra click these days if you use recaptcha.


Not my experience; I usually have to go through several rounds of select all the road signs. I'm not sure on what basis they decide to hassle some users vs others.


One extra click can make a lot of difference for someone performing that action 100s of times a day!


You'd just add it to the account creation.



