-
6 votes
-
GNU LibreJS
11 votes -
A look through some of the new features and updates in Vue.js 3
9 votes -
What programming/technical projects have you been working on?
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's...
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's interesting about it? Are you having trouble with anything?
9 votes -
Modern IDEs are magic. Why are so many coders still using Vim and Emacs?
13 votes -
Researching the potential of using machine learning to predict random number generation
11 votes -
Fortnightly Programming Q&A Thread
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads. Don't forget to format your code using the triple...
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads.
Don't forget to format your code using the triple backticks or tildes:
Here is my schema: ```sql CREATE TABLE article_to_warehouse ( article_id INTEGER , warehouse_id INTEGER ) ; ``` How do I add a `UNIQUE` constraint?
6 votes -
EU Draft Council Declaration Against Encryption [pdf]
10 votes -
tixy - Creative code golfing
6 votes -
US Government Continues Encryption War
7 votes -
What programming/technical projects have you been working on?
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's...
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's interesting about it? Are you having trouble with anything?
8 votes -
Chrome will soon have its own dedicated certificate root store
8 votes -
Backing up e-mails from an IMAP server
12 votes -
MDN Web Docs is switching to a new platform where the content will be hosted and contributed to in a GitHub repository
15 votes -
Programming Challenge: Over-engineer obfuscation of a mailto link on a hypothetical webpage
This is a bit of a silly challenge that came to mind when I saw a discussion about obfuscating mailto links on the unofficial Discord server. This challenge is intentionally meant to be ridiculous...
This is a bit of a silly challenge that came to mind when I saw a discussion about obfuscating mailto links on the unofficial Discord server. This challenge is intentionally meant to be ridiculous and encourages horrendous solutions that should never see the light of day in actual production code.
Some Background
On the internet, bots are an incredibly common. They may do anything from crawling through webpages to map out valid links on the web, to spamming forums with links to scam websites. Among some of the less ethical uses of bots is the collection of any email addresses that might be sitting around in a webpage's source code, either made visible to the user or hidden behind some alternative text. These bots collect these email addresses for any number of purposes, including phishing attempts to hijack accounts.
Commonly, these emails can be found sitting inside of so-called mailto links, which will open your default mail application and pre-populate the recipient's address, preparing you to send a new email in a single click. It's a safe bet that the vast majority of mailto link implementations aren't very sophisticated, simply providing a snippet that looks much like the following:
<a href="mailto:johnsmith@example.com">Contact Me</a>
Given the above, most bots will likely only ever scrape a webpage for a link containing
href="mailto:
. A simple form of obfuscation to combat a bot could be to leave thehref
attribute empty on initial page load, capture the on click event, dump the mailto email address into thehref
attribute, and finally remove the on click event handler from the link before re-sending the click event.We're not here for simple, however.
Challenge
As suggested in the title, the challenge is to over-engineer this obfuscation. There is only one hard requirement:
Clicking the "Contact Me" link should, to the user's perception, function (mostly) identically to a simple mailto link. Specifically, clicking the link should ultimately result in the user's mail application opening (or being prompted to open) with no further input from the user and the "to" field being correctly pre-populated with the intended email address. This means that captchas and the like are not allowed. Delays in triggering the mail application due to processing layers of obfuscation, however, are expected and acceptable (although "until well after the heat death of the universe" is not an acceptable delay, so let's be reasonable).
Apart from the requirement above, solutions that require increasingly more sophisticated methods of de-obfuscation for a bot to discover your email address are preferred. The more complicated a bot's design would need to be to discover your email address, and the more painful it is for other programmers to see the abomination you've created, the better.
CSS is not required. A functioning webpage is not required. An entire web server is not required. A full, working web project including a framework with defined routes, security features, a VM provisioning script, and whatever the fuck else you would need is not required. You can build an actual web project around this if you wish, but code snippets and some comments explaining what does what will be more than sufficient.
11 votes -
In which a foolish developer tries DevOps: critique my VPS provisioning script!
I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the...
I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the provisioning script I've created that takes a default VPS from our hosting provider, DigitalOcean, and readies it for being a secure hosting environment for our application instance (which runs inside Docker, and persists data to an unrelated managed database).
I'm sticking with a simple infrastructure architecture at the moment: A single VPS which runs both nginx and the application instance inside a containerised docker service as mentioned earlier. There's no load balancers or server duplication at this point. @Emerald_Knight very kindly provided me in the Tildes Discord with some overall guidance about what to aim for when configuring a server (limit damage as best as possible, limit access when an attack occurs)—so I've tried to be thoughtful and integrate that paradigm where possible (disabling root login, etc).
I’m not a DevOps or sysadmin-oriented person by trade—I stick to programming most of the time—but this role falls to me as the technical person in this business; so the last few days has been a lot of reading and readying. I’ll run through the provisioning flow step by step. Oh, and for reference, Ubuntu 20.04 LTS.
First step is self-explanatory.
#!/bin/sh # Name of the user to create and grant privileges to. USERNAME_OF_ACCOUNT= sudo apt-get -qq update sudo apt install -qq --yes nginx sudo systemctl restart nginx
Next, create my sudo user, add them to the groups needed, require a password change on first login, then copy across any provided authorised keys from the root user which you can configure to be seeded to the VPS in the DigitalOcean management console.
useradd --create-home --shell "/bin/bash" --groups sudo,www-data "${USERNAME_OF_ACCOUNT}" passwd --delete $USERNAME_OF_ACCOUNT chage --lastday 0 $USERNAME_OF_ACCOUNT HOME_DIR="$(eval echo ~${USERNAME_OF_ACCOUNT})" mkdir --parents "${HOME_DIR}/.ssh" cp /root/.ssh/authorized_keys "${HOME_DIR}/.ssh" chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chown --recursive "${USERNAME_OF_ACCOUNT}":"${USERNAME_OF_ACCOUNT}" "${HOME_DIR}/.ssh" sudo chmod 775 -R /var/www sudo chown -R $USERNAME_OF_ACCOUNT /var/www rm -rf /var/www/html
Installation of docker, and run it as a service, ensure the created user is added to the docker group.
sudo apt-get install -qq --yes \ apt-transport-https \ ca-certificates \ curl \ gnupg-agent \ software-properties-common curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo apt-key fingerprint 0EBFCD88 sudo add-apt-repository --yes \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" sudo apt-get -qq update sudo apt install -qq --yes docker-ce docker-ce-cli containerd.io # Only add a group if it does not exist sudo getent group docker || sudo groupadd docker sudo usermod -aG docker $USERNAME_OF_ACCOUNT # Enable docker sudo systemctl enable docker sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose docker-compose --version
Disable root logins and any form of password-based authentication by altering
sshd_config
.sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config sed -i '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config sed -i '/^ChallengeResponseAuthentication/s/yes/no/' /etc/ssh/sshd_config
Configure the firewall and fail2ban.
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw allow http sudo ufw allow https sudo ufw reload sudo ufw --force enable && sudo ufw status verbose sudo apt-get -qq install --yes fail2ban sudo systemctl enable fail2ban sudo systemctl start fail2ban
Swapfiles.
sudo fallocate -l 1G /swapfile && ls -lh /swapfile sudo chmod 0600 /swapfile && ls -lh /swapfile sudo mkswap /swapfile sudo swapon /swapfile && sudo swapon --show echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Unattended updates, and restart the ssh daemon.
sudo apt install -qq unattended-upgrades sudo systemctl restart ssh
Some questions
You can assume these questions are cost-benefit focused, i.e. is it worth my time to investigate this, versus something else that may have better gains given my limited time.
- Obviously, any critiques of the above provisioning process are appreciated—both on the micro level of criticising particular lines, or zooming out and saying “well why don’t you do this instead…”. I can’t know what I don’t know.
- Is it worth investigating tools such as
ss
orlynis
(https://github.com/CISOfy/lynis) to perform server auditing? I don’t have to meet any compliance requirements at this point. - Do I get any meaningful increase in security by implementing 2FA on login here using google authenticator? As far as I can see, as long as I'm using best practices to actually
ssh
into our boxes, then the likeliest risk profile for unwanted access probably isn’t via the authentication mechanism I use personally to access my servers. - Am I missing anything here? Beyond the provisioning script itself, I adhere to best practices around storing and generating passwords and ssh keys.
Some notes and comments
- Eventually I'll use the hosting provider's API to spin up and spin down VPS's on the fly via a custom management application, which gives me an opportunity to programmatically execute the provisioning script above and run some over pre- and post-provisioning things, like deployment of the application and so forth.
- Usage alerts and monitoring is configured within DigitalOcean's console, and alerts are sent to our business' Slack for me to action as needed. Currently, I’m settling on the following alerts:
- Server CPU utilisation greater than 80% for 5 minutes.
- Server memory usage greater than 80% for 5 minutes.
- I’m also looking at setting up daily fail2ban status alerts if needed.
9 votes -
Bytecode Alliance: One year update
4 votes -
Fortnightly Programming Q&A Thread
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads. Don't forget to format your code using the triple...
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads.
Don't forget to format your code using the triple backticks or tildes:
Here is my schema: ```sql CREATE TABLE article_to_warehouse ( article_id INTEGER , warehouse_id INTEGER ) ; ``` How do I add a `UNIQUE` constraint?
5 votes -
A case study on vanilla web development
10 votes -
What AWS services should have been called
8 votes -
Control Chromecasts from Linux
10 votes -
The surprising impact of medium-size texts on PostgreSQL query performance
5 votes -
Static imports in the runtime environment of Webpack 4
4 votes -
What programming/technical projects have you been working on?
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's...
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's interesting about it? Are you having trouble with anything?
11 votes -
The database is on fire
9 votes -
Fortnightly Programming Q&A Thread
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads. Don't forget to format your code using the triple...
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads.
Don't forget to format your code using the triple backticks or tildes:
Here is my schema: ```sql CREATE TABLE article_to_warehouse ( article_id INTEGER , warehouse_id INTEGER ) ; ``` How do I add a `UNIQUE` constraint?
3 votes -
Fortnightly Programming Q&A Thread
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads. Don't forget to format your code using the triple...
General Programming Q&A thread! Ask any questions about programming, answer the questions of other users, or post suggestions for future threads.
Don't forget to format your code using the triple backticks or tildes:
Here is my schema: ```sql CREATE TABLE article_to_warehouse ( article_id INTEGER , warehouse_id INTEGER ) ; ``` How do I add a `UNIQUE` constraint?
5 votes -
Real time communication at scale with Elixir at Discord
10 votes -
The Julia programming language is emerging as the tool of choice for large-scale numerical work in scientific research
12 votes -
Dendrite is entering Beta!
9 votes -
Hacking Apple for 3 months - 55 vulnerabilities discovered, with $288,500 in bug bounties awarded
10 votes -
Analyzing the limits of connection scalability in PostgreSQL
4 votes -
What programming/technical projects have you been working on?
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's...
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's interesting about it? Are you having trouble with anything?
7 votes -
Why most Hacktoberfest PRs are from India
18 votes -
Update: Hacktoberfest is Now Opt-In Only
16 votes -
DigitalOcean's Hacktoberfest hurts open-source maintainers by incentivizing low-quality, unsolicited pull requests
23 votes -
Why Java VM crashes are often caused by bad memory
10 votes -
Toward an API for the real numbers
8 votes -
What programming/technical projects have you been working on?
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's...
This is a recurring post to discuss programming or other technical projects that we've been working on. Tell us about one of your recent projects, either at work or personal projects. What's interesting about it? Are you having trouble with anything?
9 votes -
Simple anomaly detection using plain SQL
4 votes -
Recommend a self-host, open source URL Shortener
At my day job at a non-for-profit, I direct the digital services and platforms (among other things). One thing that I've seen in my org. is the widespread use of the Bitly URL shortener (free...
At my day job at a non-for-profit, I direct the digital services and platforms (among other things). One thing that I've seen in my org. is the widespread use of the Bitly URL shortener (free plan/tier) for the sharing of our many online and offline campaigns. The myriad departments in the org. for the most part operate quite autonomously, though I can influence the use of digital platforms (at least the majority of the time). I'd like to get away from using Bitly. Would anyone kindly recommend alternatives to Bitly? Self-host and open source options would be preferred, but not required if the price is right (read: low enough for a non-profit).
I've used YOURLs many years ago, and it worked great; did everything that I needed and was straight-forward to install and use. (The only cost was a cheap $5/month Digital Ocean droplet, that I happened to run other things on too.) However, I have also heard of - but never used - the following other options:
So...Are any of the above worth considering (or avoiding)? Are there any other, perhaps better alternatives not listed here? I'd appreciate any suggestions and recommendations! Thanks in advanced!
4 votes -
File Syncing Software in 2020
10 votes -
The failed promise of Web Components
4 votes -
Welcome to Apple: A one-party state
7 votes -
Toward a "modern" Emacs
14 votes -
I was wrong. CRDTs are the future
9 votes -
What's the deal with gemini?
Hi! I've heard tilderinos talking about the gemini-verse on some other posts; I tried it out this evening and it honestly felt strange browsing in terminal and even stranger navigating the web...
Hi! I've heard tilderinos talking about the gemini-verse on some other posts; I tried it out this evening and it honestly felt strange browsing in terminal and even stranger navigating the web without search engines. I was wondering if anyone had a gentler introduction than the official site? I feel like I've got a ship, but no map to this new verse.
26 votes -
Hacking a gopher client into the Alpha Micro
6 votes -
Is there a known image norm suitable for textured images?
Suppose I am trying to iteratively produce a completed image from some subset using a combination of convolutional/DNN methods. What Image norm is best? The natural (for me) norm to ascribe to an...
Suppose I am trying to iteratively produce a completed image from some subset using a combination of convolutional/DNN methods. What Image norm is best?
The natural (for me) norm to ascribe to an image is to take the bitmap as a vector with L2. If the input image is anime or something else, the uniform coloring makes this very likely to be a good fit in a low dimension - that is: no overfitting.
However: pictures of fur. Given a small square, the AI, set to extrapolate more fur from that single image, should be expected to get that stuff right next to the given subimage right, but further away, i want it to get the texture right, not the exact representation. So, if the AI shifts the fur far away from the image left by just the right amount, it could get an incredibly poor score.
If I were to use the naive L2 norm directly, I would be guaranteed to overfit, and you can see this with some of the demo algorithms for image generation around the web. Now, the answer to this is probably to use a fourier or a wavelet transform and then take the LN norm over the transformed space instead (correct me if I'm wrong.)
However, we get to the most complex class: images with different textures in them. In this case, I have a problem. Wavelet-type transforms don't behave well with discrete boundaries, while pixel-by-pixel methods don't do well with the textured parts of images. Is there a good method of determining image similarity for these cases?
More philosophically, what is the mathematical notion of similarity that our eye picks out? Any pointers or suggestions are appreciated. This is the last of two issues I have with a design I built for a Sparse NN.
Edit: For those interested, here is an example, notice how the predictions tend to blur details
7 votes -
Widgetsmith and the case of the missing App Store bunco squad
5 votes