by pferdone 1622 days ago
I've been accused of shilling a product I genuinely enjoyed, because of the English I used. :) I think it seemed too exaggerated. But I'm no native, so what do I know. In the end, who cares about upvotes.

I shilled my own product once and it didn't get downvoted, but that day people started signing up with thousands of stolen credit cards. Dealing with the fraud that was a result of that post was probably one of the most interesting things in my career though, so I dunno, I guess HN delivered as always.
if you ever post your project on HN ...

[[sucking in air]]

...

just be sure you don't know of any way it can be hacked. It will be hacked, and that's what you'll learn from the experience. But HN is like putting out to sea in a canoe. You can't go back, and it's going to leak, so be more than ready.

What's amazing to me is that you can't pay someone $8 to find weaknesses in your system that let people mine crypto for free, but people are happy to do it and mine $8 in crypto before they get shut down. I don't really understand it.

What surprised me about this incident was how many script kiddies are out there. The sophistication of the attacks was so low. Very poor opsec (using compromised machines as jump boxes, but still logging into the site with their desktop browser with no VPN or Tor), very poor understanding of attack tools (LD_PRELOAD to make certain processes not show up in "ps", except we don't use a dynamically-linked binary to do that, so it has no effect), etc. I feel like I never converse with that type of person on HN, so I just forgot they existed.

I kind of assumed that whole field of specialization died off when people started getting aggressively prosecuted for this sort of thing, but apparently not. If anything, the crypto craze has really increased the demand for hacked Linux systems. I was very surprised to see thousands of compromised machines on major cloud providers attacking us, as well as a long tail of tiny hosting companies that I assumed didn't exist in the world of Linode and Digital Ocean. Like you can get a server in a rack somewhere and sell it to someone, and there are customers that buy that service. Mind blown!

Not to get into the weeds here, but were you actually funneling credit cards through your site to a card gateway like Verisign, as opposed to just hosting a Stripe form or something? I used to write shopping carts. To me it smells like disaster these days if any card transaction is hosted onsite in any way whatsoever.
We used Stripe. The problem was that our product was initially pre-pay, but we changed it to post-pay at some point. However, that's a different Stripe API (SetupIntents), and so you basically don't see the risk score until invoice charge time (instead of at card entry time). Thus people can use a lot of CPU before you notice that the card is stolen. (Stripe's risk stuff is great. I love how it shows how many other Stripe properties the card or user has been declined on. I wish things like Auth0 gave you this kind of data.)

Honestly, the stolen credit cards were interesting, but overall not that big of a deal. We had free trials, which were equally effective for crypto mining. Post-pay is always a drag. Lots of people sign up with cards that have a spending limit well below what we claim the price is going to be. Other people issue chargebacks months later with excuses like "oh, I forgot I was using that" or "I didn't feel like I got the value for what you charged".

All in all it's an amusing business.