Cyberpunk 2077 release date delayed again, now December 10
@Cyberpunk 2077: We have important news to share with you pic.twitter.com/qZUaD6IwmM
This is a bit of a silly challenge that came to mind when I saw a discussion about obfuscating mailto links on the unofficial Discord server. This challenge is intentionally meant to be ridiculous and encourages horrendous solutions that should never see the light of day in actual production code.
Some Background
On the internet, bots are incredibly common. They may do anything from crawling through webpages to map out valid links on the web, to spamming forums with links to scam websites. Among some of the less ethical uses of bots is the collection of any email addresses that might be sitting around in a webpage's source code, either made visible to the user or hidden behind some alternative text. These bots collect these email addresses for any number of purposes, including phishing attempts to hijack accounts.
Commonly, these emails can be found sitting inside of so-called mailto links, which will open your default mail application and pre-populate the recipient's address, preparing you to send a new email in a single click. It's a safe bet that the vast majority of mailto link implementations aren't very sophisticated, simply providing a snippet that looks much like the following:
```html
<a href="mailto:johnsmith@example.com">Contact Me</a>
```
Given the above, most bots will likely only ever scrape a webpage for a link containing `href="mailto:`. A simple form of obfuscation to combat a bot could be to leave the `href` attribute empty on initial page load, capture the on click event, dump the mailto email address into the `href` attribute, and finally remove the on click event handler from the link before re-sending the click event.
We're not here for simple, however.
Challenge
As suggested in the title, the challenge is to over-engineer this obfuscation. There is only one hard requirement:
Clicking the "Contact Me" link should, to the user's perception, function (mostly) identically to a simple mailto link. Specifically, clicking the link should ultimately result in the user's mail application opening (or being prompted to open) with no further input from the user and the "to" field being correctly pre-populated with the intended email address. This means that captchas and the like are not allowed. Delays in triggering the mail application due to processing layers of obfuscation, however, are expected and acceptable (although "until well after the heat death of the universe" is not an acceptable delay, so let's be reasonable).
Apart from the requirement above, solutions that require increasingly more sophisticated methods of de-obfuscation for a bot to discover your email address are preferred. The more complicated a bot's design would need to be to discover your email address, and the more painful it is for other programmers to see the abomination you've created, the better.
CSS is not required. A functioning webpage is not required. An entire web server is not required. A full, working web project including a framework with defined routes, security features, a VM provisioning script, and whatever the fuck else you would need is not required. You can build an actual web project around this if you wish, but code snippets and some comments explaining what does what will be more than sufficient.
To simplify the title:
(Formatted text, no space. (Behind the arrows.) While it's expected for quote blocks to not separate with one 'line' between them, it's definitely not expected for the block to be the same size, even w/o text.)
(Formatted text, with a space. Added this one in to contrast with Preformatted w/ space and because it separates the code blocks.)
>
>
>
(Preformatted/Codeblock text, no space. The "quote trigger" arrow in the middle is the bug, since if you look at the "view markdown" option of this post you'll realize that arrow shouldn't be there.)
>
>
(Preformatted/Codeblock text, with a space. This is how I personally fix the bug, if it is that. You can also fix it by typing space into the phantom arrow.)
Now with text inside the quote blocks, for comparison. (And because quoteblocks have to quote something.):
qwerty
asdf
(Formatted text, no space. Here the block expands normally for the text.)
qwerty
asdf
(Formatted text, with a space.)
>qwerty
>
>asdf
(Preformatted/Codeblock text, no space. The arrow in the middle I never typed in is still there.)
>qwerty
>asdf
(Preformatted/Codeblock text, with a space.)
This is your chance to talk about what you might do, bounce ideas off one another, and solicit feedback in advance of the start of Timasomo 2020. You do NOT have to decide on your official Timasomo project(s) yet, but use this thread to share what you're thinking of (which many of you already started doing in the announcement thread)!
That said, do NOT start working on your project yet either! It is perfectly okay to plan what you will do this week, but the actual creative process toward your goal should not start until November 1st.
The Roll Call thread will go live on Sunday, November 1st. That will be the thread in which you will officially enroll in Timasomo 2020 and publicly commit to your goal!
Timasomo is "Tildes' Make Something Month": a creative community challenge that takes place in the month of November. It was inspired by NaNoWriMo, the National Novel Writing Month. The first ever Timasomo took place last year. You can see the threads for the previous Timasomo using the timasomo tag, and you can see the final showcase thread of creations here.
Though most will be participating individually, collaborations are welcome too!
Timasomo begins November 1st and ends November 30th. All creative output towards your goal(s) should be confined to this time. This week prior to the start of November is for planning, and there will be a few days at the beginning of December given to "finishing touches" before we have our final thread, which will be a showcase of all the completed works. Below are the dates that I will be posting weekly threads:
Sunday, October 18, 2020: Announcement Thread
Sunday, October 25, 2020: Planning Thread
Sunday, November 1, 2020: Roll Call Thread
Sunday, November 8, 2020: Update Thread #1
Sunday, November 15, 2020: Update Thread #2
Sunday, November 22, 2020: Update Thread #3
Sunday, November 29, 2020: Final Update Thread
Sunday, December 6, 2020: Timasomo Showcase Thread
This announcement will be posted in ~tildes. All Timasomo process threads will be hosted in ~creative. The final Timasomo Showcase thread will be posted in ~talk.
Yes! Timasomo is open to anyone on Tildes! The greater Tildes community is also encouraged to participate in discussion threads even if you are not actively working towards a creative goal. This is meant to be an inclusive community event -- all are welcome! If you are interested in participating but do not have a Tildes login, please e-mail the invite request address here for an invite to the community.
Participants will formally announce their plans to enter into Timasomo on Sunday, November 1st, in the Roll Call thread. If you are planning to participate or just want to follow the event, please make sure you are subscribed to ~creative where all of the update threads will be posted.
Please share them here! I am facilitating the event, but I am completely open to feedback and suggestions to make this the best event possible. I want this to be Tildes' event, not kfwyre's!
Have you watched any TV shows recently you want to discuss? Any shows you want to recommend or are hyped about? Feel free to discuss anything here.
Please just try to provide fair warning of spoilers if you can.
I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the provisioning script I've created that takes a default VPS from our hosting provider, DigitalOcean, and readies it for being a secure hosting environment for our application instance (which runs inside Docker, and persists data to an unrelated managed database).
I'm sticking with a simple infrastructure architecture at the moment: A single VPS which runs both nginx and the application instance inside a containerised docker service as mentioned earlier. There are no load balancers or server duplication at this point. @Emerald_Knight very kindly provided me in the Tildes Discord with some overall guidance about what to aim for when configuring a server (limit damage as best as possible, limit access when an attack occurs)—so I've tried to be thoughtful and integrate that paradigm where possible (disabling root login, etc).
I’m not a DevOps or sysadmin-oriented person by trade—I stick to programming most of the time—but this role falls to me as the technical person in this business; so the last few days have been a lot of reading and readying. I’ll run through the provisioning flow step by step. Oh, and for reference, Ubuntu 20.04 LTS.
First step is self-explanatory.
```sh
#!/bin/sh
# Name of the user to create and grant privileges to (fill in before running).
USERNAME_OF_ACCOUNT=
sudo apt-get -qq update
sudo apt install -qq --yes nginx
sudo systemctl restart nginx
```
Next, create my sudo user, add them to the groups needed, require a password change on first login, then copy across any provided authorised keys from the root user which you can configure to be seeded to the VPS in the DigitalOcean management console.
```sh
useradd --create-home --shell "/bin/bash" --groups sudo,www-data "${USERNAME_OF_ACCOUNT}"
# Blank the password and expire it so a new one must be set on first login.
passwd --delete "${USERNAME_OF_ACCOUNT}"
chage --lastday 0 "${USERNAME_OF_ACCOUNT}"
HOME_DIR="$(eval echo ~${USERNAME_OF_ACCOUNT})"
mkdir --parents "${HOME_DIR}/.ssh"
cp /root/.ssh/authorized_keys "${HOME_DIR}/.ssh"
# Tighten permissions on the new user's .ssh directory; a bare ~ here would
# point at root's home, since the script runs as root.
chmod 700 "${HOME_DIR}/.ssh"
chmod 600 "${HOME_DIR}/.ssh/authorized_keys"
chown --recursive "${USERNAME_OF_ACCOUNT}":"${USERNAME_OF_ACCOUNT}" "${HOME_DIR}/.ssh"
sudo chmod 775 -R /var/www
sudo chown -R "${USERNAME_OF_ACCOUNT}" /var/www
rm -rf /var/www/html
```
Install docker, run it as a service, and ensure the created user is added to the docker group.
```sh
sudo apt-get install -qq --yes \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository --yes \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
sudo apt-get -qq update
sudo apt install -qq --yes docker-ce docker-ce-cli containerd.io
# Only add a group if it does not exist
sudo getent group docker || sudo groupadd docker
sudo usermod -aG docker "${USERNAME_OF_ACCOUNT}"
# Enable docker
sudo systemctl enable docker
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
```
Disable root logins and any form of password-based authentication by altering `sshd_config`.
```sh
# Match the directive whether or not it is still commented out: the stock
# Ubuntu 20.04 sshd_config ships "#PermitRootLogin prohibit-password" and
# "#PasswordAuthentication yes", which a plain /^PermitRootLogin/ never touches.
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
```
Configure the firewall and fail2ban.
```sh
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw reload
sudo ufw --force enable && sudo ufw status verbose
sudo apt-get -qq install --yes fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
Swapfiles.
```sh
sudo fallocate -l 1G /swapfile && ls -lh /swapfile
sudo chmod 0600 /swapfile && ls -lh /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile && sudo swapon --show
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
```
Unattended updates, and restart the ssh daemon.
```sh
# --yes keeps this step non-interactive like the rest of the script.
sudo apt install -qq --yes unattended-upgrades
sudo systemctl restart ssh
```
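An added example, not part of the provisioning script above, covering the `sshd_config` step: it sets each directive idempotently (the stock Ubuntu 20.04 file ships most of them commented out), reads the result back the way sshd itself does (first uncommented value wins), and validates the file with `sshd -t` before anything restarts the daemon. The function names are assumptions, and the config path is a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not the post's own code. Helpers for editing sshd_config
# safely; pass a file path to harden_sshd to apply all three settings.
set -eu

set_sshd_option() {   # usage: set_sshd_option FILE KEY VALUE
  conf="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  # Drop every existing form of the directive, commented or live, any case,
  # then append the wanted value once, so re-running never duplicates lines.
  grep -ivE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$conf" > "$tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$conf"   # rewrite in place to keep the file's owner and mode
  rm -f "$tmp"
}

get_sshd_option() {   # usage: get_sshd_option FILE KEY  -> prints effective value
  # sshd keeps the FIRST uncommented value it meets for a keyword; mirror that.
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_sshd() {       # usage: harden_sshd FILE
  conf="$1"
  for pair in "PermitRootLogin no" "PasswordAuthentication no" \
              "ChallengeResponseAuthentication no"; do
    set -- $pair
    set_sshd_option "$conf" "$1" "$2"
    # Verify the effective value rather than trusting the edit succeeded.
    [ "$(get_sshd_option "$conf" "$1")" = "$2" ] || { echo "failed to set $1" >&2; return 1; }
  done
  # Refuse to hand a broken file to "systemctl restart ssh": a syntax error
  # there would lock out the only key-based login to the box.
  if command -v sshd >/dev/null 2>&1; then sshd -t -f "$conf"; fi
}

# Caveat: 20.04's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
# and because the first value wins, a drop-in there (e.g. one written by
# cloud-init, if present) overrides anything set later in the main file.
if [ "$#" -gt 0 ]; then harden_sshd "$1"; fi
```

Run it against a copy of the real file first (`cp /etc/ssh/sshd_config /tmp/sshd_config && sh harden.sh /tmp/sshd_config`) and diff the result before pointing it at `/etc/ssh/sshd_config`.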
You can assume these questions are cost-benefit focused, i.e. is it worth my time to investigate this, versus something else that may have better gains given my limited time.
`ss` or `lynis` (https://github.com/CISOfy/lynis) to perform server auditing? I don’t have to meet any compliance requirements at this point.
`ssh` into our boxes, then the likeliest risk profile for unwanted access probably isn’t via the authentication mechanism I use personally to access my servers.
My aunt is moving to a smaller apartment and her piano does not fit there, so I offered to take it. Not because I intended to play, but she wanted to keep it in the family out of nostalgia and emotional attachment.
It is under renovation and should arrive perfectly tuned.
But now that I have it, I ask myself: why not play it? I had piano lessons as a kid, and I like classical music.
Is there a straightforward way to learn piano by myself that doesn’t feel like much of a chore? Otherwise, the piano will just linger in my living room.
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads.
Don't forget to format your code using the triple backticks or tildes:
Here is my schema:
```sql
CREATE TABLE article_to_warehouse (
article_id INTEGER
, warehouse_id INTEGER
)
;
```
How do I add a `UNIQUE` constraint?
What have you been playing lately? Discussion about video games and board games are both welcome. Please don't just make a list of titles, give some thoughts about the game(s) as well.
As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their weekend. Did you make any plans? Take a trip? Do nothing at all? Tell us about it!
As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their week. Did you accomplish any goals? Suffer a failure? Do nothing at all? Tell us about it!
I'm a Red Sox fan so don't have much invested in this WS but it has been AWESOME so far! I'm at a point where I really want the Rays to win but wouldn't be bummed to see Mookie and Joe Kelly get another ring. Also, redemption for the Astros shenanigans.
My favorite moment is likely a predictable one but I'll say it anyway... the walk-off hit in game four was just an emotional roller coaster.
Anyone else watching? If so, what are your thoughts so far?