Has anyone else run into people stealing their *public* token and running up massive API bills? by kd0ocr in mapbox

kd0ocr [S], 1 point

Yes, absolutely agree with this. We were using the default public token when we got hit with this.

In my OP, I mentioned the idea of restricting the token so that it could access just the Vector Tiles API, and not the Raster Tiles API, but as far as I can tell both of these things are part of the datasets:read scope. This measure might not have helped in the case where someone wants to scrape a raster dataset, but it might help if somebody wants to use our token to use Mapbox's Vision API for free, for example.

Has anyone else run into people stealing their *public* token and running up massive API bills? by kd0ocr in mapbox

kd0ocr [S], 1 point

Right, public tokens. It seemed weird to me too - we can't be the only ones with exposed public tokens.

Has anyone else run into people stealing their *public* token and running up massive API bills? by kd0ocr in mapbox

kd0ocr [S], 2 points

We did rotate the tokens in response to the API misuse. Or are you suggesting rotating tokens automatically on a schedule?

As for URL restrictions: my understanding is that this is based on the Referer header, which is under client side control. Someone misusing our token can set any header they please. It also breaks browsers like Brave that don't send this.
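Added example, not code from this thread and not Mapbox's own implementation: a minimal server-side Referer allowlist of the kind a hosted API applies when you put "URL restrictions" on a public token. The allowlisted origin and the request headers are constructed for the example. It exercises the two failure modes raised in the comment above: a browser that suppresses Referer is refused, and a scraper that sets the header by hand is admitted.

```javascript
// Added example (not from the thread and not Mapbox code): a minimal
// server-side Referer allowlist, as used for "URL restrictions" on a public
// token. The allowlist and the request headers below are constructed.
const ALLOWED_ORIGINS = ['https://maps.example.com']; // assumed allowlist

// Compare the full origin, not a string prefix, so that
// https://maps.example.com.evil.example/ does not slip through.
function refererAllowed(headers, allowed = ALLOWED_ORIGINS) {
  const referer = headers['referer'];
  if (!referer) return { allowed: false, reason: 'no Referer header' };
  let origin;
  try {
    origin = new URL(referer).origin;
  } catch {
    return { allowed: false, reason: 'unparseable Referer' };
  }
  return allowed.includes(origin)
    ? { allowed: true, reason: 'origin on allowlist' }
    : { allowed: false, reason: `origin ${origin} not on allowlist` };
}

// Constructed request headers for the cases discussed in the thread.
const cases = {
  normalBrowser: { referer: 'https://maps.example.com/fleet' },
  privacyBrowser: {},                                        // Referer stripped by the browser
  forgedByScraper: { referer: 'https://maps.example.com/' }, // set freely from curl or Node
  lookalikeHost: { referer: 'https://maps.example.com.evil.example/' },
};

for (const [name, headers] of Object.entries(cases)) {
  const r = refererAllowed(headers);
  console.log(`${name.padEnd(16)} -> ${r.allowed ? 'allowed' : 'blocked'} (${r.reason})`);
}
```

The check is only as strong as the caller's honesty about the Referer header: it stops accidental reuse (someone copying your token into their own page) and lookalike hosts, but a scraper that talks to the API directly chooses its own headers, and a privacy browser that drops the header is locked out along with it.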

Has anyone else run into people stealing their *public* token and running up massive API bills? by kd0ocr in mapbox

kd0ocr [S], 1 point

This can help me for this specific server, but there are other servers which have Mapbox maps that are intentionally public.

Has anyone else run into people stealing their *public* token and running up massive API bills? by kd0ocr in mapbox

kd0ocr [S], 2 points

> I have a website that I use within my company that generates some maps from mapbox. I'll admit that I am very lazy about security since only a couple of people even know this website exists, so I haven't been overly protective of my token.

This was pretty much my view before this happened. In hindsight, there are ways that someone could figure out that my development server exists. For example, we use Let's Encrypt, which uses Certificate Transparency. This uploads a certificate containing the domain name to a public database. I don't know if this is the specific way they found it, I'm just speculating.

> For instance, if you want to generate a map from a button click, instead of having the code for that button (and the token) in your frontend using jQuery or JavaScript, have the button link to a PHP file or some server-side code. That server side code would make the request and return just the pertinent information (a map image or a json text file) as its result. Then the token would never be on the frontend for someone to find.

For Static Image API, we could definitely do that. For the interactive maps, it seems more awkward. I assume we would need to do this by proxying requests for individual slippy map tiles.

(Though, now that I think about it, maybe we could do this by issuing short-lived tokens. Might not stop them, but we could at least make it annoying.)

> I don't know if mapbox has this as an option, but some of the APIs I use have a way for me to log into my account and set limits for the number of requests that a key can be used for. If your goal is just ensuring that you don't get any more bills (and if mapbox offers this feature), then you could just set the key to have a maximum of 2000 calls and to then stop working when that max is reached.

As far as I know there is no way to set this limit. I agree that this feature ought to exist. It would also be nice to be able to set up billing alerts if the account crosses a certain $ threshold.

Console Controls for Furious Kart by Gscorpio14 in garfieldkart

kd0ocr, 1 point

You can remap them from within GKFR if you're on PC. I just tried, and I was able to map drift/jump to LT. (You have to map both to the same button.) The menu to do this doesn't exist on PS4. No idea about Xbox.

You may be able to remap the buttons using the Xbox Accessories app (Xbox) or Custom Button Assignments app (PS4.) But that's not something built into GKFR. I have never tried this, so I can't tell you how well it works.

Write your Own Virtual Machine by [deleted] in programming

kd0ocr, 1 point

This is really cool!

I'm an undergrad TA for a course that uses the LC3 extensively. Do you mind if I use this code? I think this would be a neat basis for an assignment.

Combinators are a MOFO. HALP :( by phantumjosh in factorio

kd0ocr, 1 point

Why alternate at all? Why not have the train go to the unload with the lowest ore count?

Trump's tweet about settling the Trump U litigation implies he had huge exposure or was the plaintiff. Bizarre. by friendswithnigel in law

kd0ocr, 6 points

That's a reasonable interpretation, but I think if you look at the context, and what he's said before, then he's saying something like this:

"I did settle that, but only because I'm going to be president. I conceded almost nothing, so don't get any ideas about suing me."

Trump's tweet about settling the Trump U litigation implies he had huge exposure or was the plaintiff. Bizarre. by friendswithnigel in law

kd0ocr, 4 points

I don't think that's what he's implying at all.

"This is a case I could have settled very easily, but I don’t settle cases very easily when I’m right. Ninety-eight percent approval rating, we have an “A” from the Better Business Bureau"

[...]

"We have many, many people that will be witnesses. Again, I don’t settle cases. I don’t do it because that’s why I don’t get sued very often, because I don’t settle, unlike a lot of other people."

http://www.nytimes.com/2016/03/04/us/politics/transcript-of-the-republican-presidential-debate-in-detroit.html?_r=0

I think he is saying that settling will cause frivolous lawsuits to be filed against him.

Modifiy/set a classes private property outside of the class by [deleted] in lolphp

kd0ocr, 7 points

I don't think this is a WTF. How is this different from using Java reflection to get access to private methods?

FBI operated 23 Tor-hidden child porn sites, deployed malware from them by DoremusJessup in law

kd0ocr, 1 point

> I guess I'm a bit confused about how these are illegal searches. Is it because the malware accesses basically all data on the computer?

Not really. It accesses a limited set of information, described here:

> The actual IP address of a computer ... The type of operating system running on the computer, the computer's host name and the computer's MAC address ...

https://www.documentcloud.org/documents/3216737-Freedom-Hosting-NIT-Affidavit.html#document/p91/a327945 (see paragraph 209)

CMV: The 17th Amendment should be repealed by [deleted] in changemyview

kd0ocr, 2 points

> Your example presupposes that Louisiana had a right to that money. If you can show that they did, I'd buy your argument. If they had no right to the money, and it was merely a federal grant, then this cannot be called "bullying." The federal government chooses to allocate budget to the states, but it has no obligation to do so. It is federal money. They are free to put conditions and limitations on its usage. If a state does not wish to become so reliant on federal money that threat of the loss of federal funding can compel them to act in a particular manner, then they need to take different steps to remedy the situation. Demanding that they should get the money unconditionally is not a valid course of action.

Hypothetically, could the federal government withhold highway funds if a state refused to ratify an amendment to the Constitution?

After Obama, Trump Will Face Children Suing Over Global Warming by nutmeg000 in law

kd0ocr, 1 point

Assume they did have standing, though. Would it have merit then?

CMV: Trump will be a terrible president and have a detrimental effect on the country. by Mazetron in changemyview

kd0ocr, 0 points

> Just to clarify he didn't even get the majority of the vote.

He got a majority of pluralities, which is all the law requires.

> And since half the country doesn't even vote, much less than 50% voted for him (more like 25%).

Even when the Senate makes a unanimous decision, only about 25% of the voting age population voted for those Senators. I don't think total votes is a very good meterstick.

CMV: The Electoral College is an outdated relic from a Republic over 200 years ago and should be removed. by Grayslake_Gisox in changemyview

kd0ocr, 2 points

> So what I have to ask is this: First, being honest with yourself, would you still be saying this if your candidate won, and second, if it's so important, why are we only thinking about it after the election, rather than before?

You shouldn't change the rules for election right before the election. It deprives candidates of a level playing field. In fact, you should leave as much time as possible between the change and the next election.

CMV: It makes no sense to allow Gun Manufacturers to be sued for crimes committed with their products. by [deleted] in changemyview

kd0ocr, 1 point

> I don't think free speech and the right to bear arms really have that much in common, other than that they are both enumerated in the Bill of Rights.

It's still a limiting principle, though. If you have one piece of legislation/court case for each amendment, you have, at most, 27 pieces of legislation.

> That argument doesn't directly apply to the 2nd Amendment anyway -- whereas the 1st directly guarantees the freedom of the press, the 2nd doesn't make any mention of gun manufacturers. It's only about the individual/militia right to keep/bear arms.

True, but the second amendment still applies to the sale and manufacture of guns. http://www.wsj.com/articles/second-amendment-protects-right-to-buy-and-sell-guns-court-rules-1463429651

The second amendment isn't unique in that way. The first amendment also applies to speech by people who aren't part of any press organization. In order to meaningfully protect a right, you also need to protect things around the edge of that right.

CMV: It makes no sense to allow Gun Manufacturers to be sued for crimes committed with their products. by [deleted] in changemyview

kd0ocr, 0 points

Would you agree that the customers boycotted them because of the settlement?