Simulating someone hacking the input behind the slider to inject bad numbers. I gave a validation rule that limits to 20-50 to test how to disable the payments and show an error on both ends. Then on the backend I'll confirm it again. The reason for this limitation is carding.
For those of you who don't know, carding is the process of testing banks of stolen credit cards to see which ones are still valid and can be sold. They do this by finding unrestricted donation forms and using them to post a charge for $1. If it works they sell the card.
If you allow unrestricted donations then you can get hit by a huge whack of carders, then the chargebacks come rolling in, and you have to pay $15-30 to deal with each one, even if you just do a refund and don't contest it. Stripe is actually the *worst* for this.
It's also a devious attack vector. If you happen to piss off the wrong group of people they just roll in, charge 1000 charges at $1 each, then chargeback on them. Get 1000 angry people and you're now on the hook for $15-30k in fees which could easily wipe out some people.
Ultimately though this isn't your fault and you shouldn't be paying a fee. Companies like Stripe make big money on *not* preventing fraud, which is why they charge you even if you don't contest it, and why you never win them. They aren't doing jack to contest it.
The stupidest thing is, if companies like Stripe simply blocked known VPNs, Tor, and confirmed the IP is in the same *country* as the card, they could block 80-90% of fraud. Carders always either come in from outside the US or use VPNs/Tor.
But, there's big money in fraud.
The other stupid thing--which definitely should be made into law--is the credit card companies don't track or notify of bad cards. If companies simply registered cards and the chargebacks done you could block another huge chunk of fraud.
But, there's big money in fraud.
So, until companies start sharing fraudulent cards, chargeback counts, and doing even just basic fraud protection like "is IP in same country", I highly recommend you only allow donations > $10, or even $20 to at least deter carders.
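The backend re-check described at the start of the thread, sketched as an added example (not the author's code). The function name, the constants and the sample inputs are hypothetical; the 20-50 range is the rule from the thread, and the amount is assumed to arrive as a whole-dollar form field.

```javascript
// Added example: server-side re-check of a donation amount posted by a form.
// MIN_DOLLARS / MAX_DOLLARS mirror the 20-50 rule from the thread; all names are hypothetical.
const MIN_DOLLARS = 20;
const MAX_DOLLARS = 50;

// Accept only plain decimal digits: no sign, exponent, hex prefix, decimals or spaces.
const WHOLE_DOLLARS = /^[0-9]{1,4}$/;
const NOT_WHOLE = "Amount must be a whole dollar value.";

function validateDonation(raw) {
  // JSON bodies can carry numbers; normalise them so one rule covers both cases.
  if (typeof raw === "number") {
    if (!Number.isSafeInteger(raw)) return { ok: false, error: NOT_WHOLE };
    raw = String(raw);
  }
  // Form parsers can also hand back arrays or objects (amount[]=25), so insist on a string.
  if (typeof raw !== "string" || !WHOLE_DOLLARS.test(raw)) {
    return { ok: false, error: NOT_WHOLE };
  }
  const dollars = Number.parseInt(raw, 10);
  if (dollars < MIN_DOLLARS || dollars > MAX_DOLLARS) {
    return {
      ok: false,
      error: `Amount must be between $${MIN_DOLLARS} and $${MAX_DOLLARS}.`,
    };
  }
  // The charge is computed here in integer cents, never read from a client-supplied field.
  return { ok: true, cents: dollars * 100 };
}

// Constructed sample inputs: values a tampered request might post instead of the slider value.
const samples = ["25", "1", "51", "20.5", "1e2", "-30", " 30", ["25"], 50, 1, NaN, undefined];

function runSamples() {
  return samples.map((input) => ({ input, result: validateDonation(input) }));
}

for (const { input, result } of runSamples()) {
  console.log(JSON.stringify(input), "->", JSON.stringify(result));
}
```

The same error message can be returned to the form so the failure shows on both ends, while the payment call is made only when `ok` is true.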
Given my recent Arch Linux debacle I think I should cover a few persistent FLOSS vs. Commercial software myths. These are usually put forward as some kind of defense when leaders of a FLOSS project screw over their users without consent.
#1) Commercial Whataboutism
"Commercial companies screw people over too. Why do FLOSS projects have to not screw people over?!"
That's whataboutism, and more importantly authoritarian whataboutism. I say there's two kinds of whataboutism:
You have whataboutism that is pointing out a bias that people in positions of authority have:
"Why do you punish this kind of person more than that kind?"
Then there's what I call Authoritarian Whataboutism:
"I'm allowed to harm that person because that other guy does too."
Oh I hate myself right now. I wrote all this code for learnjsthehardway.com before I had to stop because Sapper died and it wouldn't work for students.
Now I'm trying to bring over the good stuff and I'm on WebTorrent...and it's a nightmare. I have no idea what I wrote.
I may have to just sit down for two days and re-read all the old code, but I just want to get WT working. I'm trying to load the JSON data I generate, and for some reason I can't figure out where I generate this one torrent hash. I scour all of my code, I can't find it.
That's because I'm *not* generating it. I'm just writing it in a header of the .md files like a loser. LOL. I think I was manually making these hashes to get going and planned on generating them but never got around to it.
Alright, this is a *glorious* bug in Firefox and Chrome but not Safari.
The Scene: In my webapp I can type ctrl-alt-b to get the "bandolier". It's a dev tools/admin panel. This works just fine in safari, but fails in Firefox and Chrome on OSX only.
The code, with a log:
Now, safari reports the following when I press some keys:
But, Firefox and Chrome report *this* when I do the same keys. See that ∫ there?
Arts education has the exact same "innate ability/difficulty" problem but oddly nobody seems to be upset about it.
For example, when I was learning to draw formally I had *numerous* people comment on how I'm a programmer and probably can't learn to draw. When it was obvious I could ('cause anyone can, just like programming) these "artists" with "innate ability" thought I was "cheating".
I literally had to start recording my painting sessions and taking side-by-side photos just so people wouldn't claim I "cheated" at art. Never mind that they were zooming in 50MP photos on their iPads to do their paintings.
I'll use this to do a running commentary on a "style checkbox" in CSS. First trick is to put the label *after* the checkbox so you can use + to select it if the checkbox is :checked. Clicking the label activates the hidden input, so the label changes red/green.
Here's a demo of that first part working. Now to make the label look like a checked/unchecked box that's different.
The next trick is to use the :after to add content, *but* if you give an :after that has no content it still creates a block you can style. Here I'm just making a little square.
I think the other thing that infuriates me about this kind of crap is how it happens randomly. Other places images showed just fine. Drop it in a random div somewhere else and suddenly I get phantom pixels I can't debug.
My biggest fix would be:
No more contextual footguns.
If I have an image, and in one place that image has no space on the bottom, then that image has no space *everywhere*.
If I set a position:absolute, then it's contained in its parent *everywhere*, no matter what the parent's position is.